The CyberWire Daily Briefing 10.24.12

Cyber Trends

Verizon DBIR Analysis: Opportunistic Attacks Crushing Certain Industries (Threatpost) Regardless of the market or industry, the majority of attacks are financially motivated. Even in data-rich environments such as health care, attackers are still after profits and exploit the same weaknesses and transaction processing systems that are vulnerable in other industries such as hotels and accommodations, food services and financial services. Verizon's latest Data Breach Investigations Report (DBIR) broke out data breach characteristics by those industries, and came to a stunningly simple conclusion: Attackers will seek out the easiest way in, take what they need and get out quickly

Verizon DBIR Analysis: Insiders Often Complicit in Breaches of Intellectual Property (Threatpost) Verizon has further dissected breach data from its annual Data Breach Investigations Report (DBIR) and built a profile of intellectual property theft that points to a disturbing combination of factors leading to successful infiltrations by cybercriminals, competitors, hacktivists and nation-state sponsored attackers

2012 Data Breach Investigations Report (Verizonbusiness) 2011 will almost certainly go down as a year of civil and cultural uprising. Citizens revolted, challenged, and even overthrew their governments in a domino effect that has since been coined the Arab Spring, though it stretched beyond a single season. Those disgruntled by what they perceived as the wealth-mongering 1%, occupied Wall Street along with other cities and venues across the globe

Cyber insecurity: Managing against the risk (FCW.com) Agencies such as the National Security Agency and the State, Commerce and Defense departments are acknowledged leaders in risk management, but overall, the government is behind the curve. A recent Ponemon Institute study of risk-based security

The new Cold War (SC Magazine UK) With the US and Israel accused of sending Stuxnet to sabotage Iran's nuclear capability, and China and Russia implicated in cyber attacks on the West - as well as censoring their own citizens - have we entered a new Cold War

IT specialists believe cyber crime will increase -- Kaspersky (BDlive) …the reality of cyber-criminal activity here, and makes us work harder on raising awareness of the necessity of protection measures and offering a robust line of consumer and corporate solutions in the region," said Vasily Dyagilev

Will CMOs Outspend CIOs? Wrong Question (InformationWeek) Instead of focusing on who controls those tech dollars, IT pros should focus on why companies need more tech in marketing and where they can fill those needs

Gartner: 2013 Tech Spending To Hit $3.7 Trillion (InformationWeek) CIOs need to spend on finding and building a pool of big data skills, Gartner execs say

Legislation, Policy and Regulation

Digital services dominate GPO's 5-year plan (Fierce Government IT) The Government Printing Office hopes to transform itself into a digital information platform and provider of secure credentials, according to the GPO's recently released 5-year strategic plan. This means GPO is shifting to a document lifecycle process that ensures digital versions of publications are permanently available online and printed only when required or otherwise necessary, according to the plan

Agile development requires agile oversight, says U.K. government office (Fierce Government IT) In a report published earlier this year, auditors note that the U.K. government intends for half of its major information technology projects to utilize Agile Development by April 2013. As a result, the average delivery time should go down by 20 percent in 2014

DHS realigns cyber office into five divisions (Federal News Radio) The Homeland Security Department's Office of Cybersecurity and Communications is expanding to five divisions from three and creating a performance-management office. DHS is reorganizing CS&C in light of its increased responsibilities and improved stature in the federal and private sector cyber communities."Our new structure will result in an organization more capable of agile operations; of forming stronger partnerships; and of professionally, efficiently, and effectively enhancing the security, resiliency, and reliability of the nation's cyber and communications infrastructure," wrote Mike Locatis, the assistant secretary of the Office of Cybersecurity and Communications, in an internal memo obtained by Federal News Radio. "This realignment also centralizes common support functions of budget, finance, and acquisitions, information management and human capital

UN sides with law enforcement over data retention (UN sides with law enforcement over data retention) The United Nations (UN) has acknowledged the benefits of data retention when it comes to combating online terrorism, and sided with law-enforcement agencies that are pushing for greater powers. In a report issued by the United Nations Office on Drugs and Crime (UNODC), titled The use of the internet for terrorist purposes (PDF), UNODC highlighted the way in which the internet is increasing the gap between terrorists and prosecutors."Potential terrorists use advanced communications technology, often involving the internet to reach a worldwide audience with relative anonymity and at a low cost. Just as internet use among regular, lawful citizens has increased in the past few years, terrorist organisations also make extensive use of this indispensable global network for many different purposes," UNODC executive director Yury Fedotov said at the launch of the report

Feinstein: Obama and Romney Both Wrong on Greatest Threat to America (Patch.com) Contrary to what Barack Obama and Mitt Romney said in Monday night's debate, the greatest threat to America is cyber-attack, says Sen. Dianne Feinstein. The 79-year-old senator--who visited San Diego on Tuesday--told a group of about 200 business and

Column: Cyber inaction may be our Achilles' heel (FederalNewsRadio) Every day, our defense and intelligence agencies are dealing with many of the same sophisticated cyber attacks that plague our private sector. The need to coordinate information and efforts becomes even more urgent as our…We still have larger

Cloud and BYOD Security Concerns Make Military and Intelligence Agencies (CIO) Citing security issues, IT leaders at Department of Defense and National Security Agency warn that BYOD policies and public clouds are a long way from taking hold in environments rife with classified information

Killer Apps: The Army wants to develop a new generation of cyber weapons (Foreign Policy) Rhett Hernandez, commander of Army Cyber Command during a speech at the Association of the U.S. Army's annual conference in Washington today. Translated into English, that means that he service will look at the specific cyber effects that it needs on

Rewrite of cyber circular aims to 'break some china' (FederalNewsRadio) With Congress in a stalemate over cyber legislation, a different path to updating the Federal Information Security Management Act (FISMA) is available. A group of former federal cyber experts is recommending three major changes to Office of Management and Budget Circular A-130. The goal is to codify continuous monitoring, the role of the Homeland Security Department in overseeing the operational aspects of FISMA and the definitions of national security systems and major IT systems

Products, Services, and Solutions

Platfora shows a whole new way to do business intelligence on big data (GigaOM) Analytics startup Platfora is finally showing off its next-generation business intelligence software to the world, combining Hadoop, in-memory processing and HTML5 into an impressive product. It's entering a competitive market full of large incumbents

Palantir, K2 Team Up on Review Analytics (Law Technology News) K2 Intelligence LLC, formed in 2009 by famed information investigator Jules Kroll, and Palantir Technologies Inc., a data analytics software provider opened in 2004 and partially funded by the U.S. Central Intelligence Agency venture capital arm, are working side by side to advance and simplify their recent expansions in the legal technology market

Free dual-engine malware scanner (Help Net Security) The free Emsisoft Emergency Kit 3.0 can detect and remove malware by simply starting it directly from a USB stick or CD without the need for installation. The kit comes with a dual-engine scanner

Microsoft legalizes collection of user info from its free services (Help Net Security) In a move that has not been noted by the great majority of Microsoft users, the Redmond giant has changed its Services Agreement on Friday in order to legalize the collection of all personal information

LANDesk delivers secure user management suite (Help Net Security) LANDesk Software announced LANDesk Secure User Management Suite, a solution aimed at helping IT professionals gain control of a mixed environment of users, devices and platforms, regardless of location

Apple Reveals iPad Mini, New Macs (InformationWeek) Apple shows off a rash of new hardware products ranging from iMacs and MacBooks to the long-awaited smaller tablet, the iPad Mini

Bring Your Own iPad mini? (InformationWeek) If the iPad would work for you as a BYOD device, the iPad mini is an easy choice to make. But you'll pay for the privilege. Saving money doesn't seem to be the point for Apple. $329 is a lot of money, but Apple doesn't play by everyone else's rules

Rackspace Adds Block Storage, Answers Amazon (InformationWeek) Cloud block storage will help Rackspace compete more directly with Amazon, says CTO. Rackspace users starting today will get what Amazon users are long accustomed to: the ability to order the amount of storage their cloud server needs instead of the amount the service provider assigns

Amazon Outage Takes Out Reddit, Pinterest (InformationWeek) Amazon's service dashboard reported the first service interruptions at just before noon PST [on October 22] with its Elastic Beanstock services down, followed by announcements of service interruptions of other services

Some Intel-Based Tablets Flunk Windows 8 Upgrade (InformationWeek) Many Windows 7 tablet buyers who assumed they could later upgrade to Windows 8 may be disappointed

Technologies, Techniques, and Standards

7 Costly IAM Mistakes (Dark Reading) Blunders that lead to costly identity and access management failures

To Measure Your Risks, Know Your Threats (Dark Reading) A Dark Reading retrospective on best practices and tools for developing risk management processes

Nowcasting: Big data predicts the present (IT World) Big data is the key ingredient for predicting the present, or nowcasting, as it's called. Conceptually, it seems silly to use resources to predict the present, but nowcasting can save lives and make companies money

After Five Years, SAFECode Sees Software Security Progress, But Challenges Remain (Threatpost) SafecodeSoftware security, code quality and the iea of building security into applications from the design phase forward have become touchstones for any conversation about how to improve the security of the Web and the general IT infrastructure. But it wasn't always thus. In fact, it wasn't too many years ago that the idea of software security took a back seat to the more traditional security disciplines. That's changed of late, and one of the groups that's been in the middle of the transformation is SAFECode, the industry organization comprising Microsoft, Adobe, SAP, EMC and others, that's designed to advance software security methods and practices

Cyber Security Awareness Month - Day 23: Character Encoding Standards - ASCII and Successors (Internet Storm Center) Let me preface this by saying that the "history" part of this ended up being way more complicated than we have space to cover in this story, I'll try to keep it brief. Back in the day, I remember the "PC DOS Tech Ref" manual (yes, I was there in 1981 to read this one. And yes, I still have my copy) - one of the many useful things in that manual was the by-now-very-familiar ASCII table, listing characters 1-127, which had been extended to include the next 128 characters, for an even 1-255 (1-FF in hex). I think this extension might have been for PC-DOS actually. I spent a lot of time using this, as it was handy in transcoding hex and binary data streams to characters (remember, this was before we had sniffers on PC DOS platforms)

Your Next Critical Security Project May Not Be What You Think (Infosec Island) Why do security 'solutions' fail to actually solve the problem that you made the investment of time and resources for? If we're honest with ourselves, we can easily look around the organization and find several projects that even though they are implementation-complete, are hardly "complete" as they sit. Too often after a catastrophic failure, or security incident we're pre-disposed to making hasty purchases to effectively stop the bleeding without considering what the full scope of what we're doing may be

Smart Grids: Digital Certificates and Encryption Play Key Role in Security (Security Week) The public infrastructure is one of the most valuable assets of the United States and its citizens. Communications networks, roads, bridges, tunnels, rail lines, and electric power are the backbone of the nation; the very fabric that helps to ensure our way of life. Damage to any of these infrastructures would be devastating, but damage to or failure of the electric power grid would be supremely tumultuous, as all of the other infrastructures that ensure the health of the nation rely upon electric power

4 Reasons Why Artificial Intelligence Fails in Automated Penetration Testing? (ivizsecurity) Formal Modeling and Automation is one of the things I love. I try to model everything and sometimes modeling helps and sometime it lands me in trouble. It helped me when I tried to model Penetration Testing and worked with my co-founder to design our first version of automated Penetration Testing Tool

The 25 worst passwords of 2012, and easy ways to avoid them (GCN) SplashData just released its annual list of the most common passwords stolen and posted by hackers, and if the list has a familiar look, its because most of the same passwords have appeared on past lists. In fact, this years top three -- "password," "123456," and "12345678" -- also finished one-two-three on SplashDatas 2011 list. The passwords below are not only the most common, they are also virtually useless at protecting an account

Catch, patch and match, cyber video warns (Ninemsn) Australia's most secretive intelligence agency has released a catchy new video warning of the perils of cyber attack. With music and graphics reminiscent of 1970s spy movies, the Defence Signals Directorate (DSD) warns government and industry are being

Cloud Security Alliance Guidance for Data Ownership and Control Best Practices (MarketWatch) The Cloud Security Alliance, the global not-for-profit organization that sets best practices for cloud security, has incorporated in recently-released implementation guidance issued by the Security

Marketplace

Obama: Sequestration 'Will Not Happen' (Govconwire) With nearly two-and-a-half months to go before the scheduled start date of sequestration cuts, President Barack Obama asserted during the final presidential debate Monday night that the cuts "will not happen." According to Federal News Radio's account of the debate, Obama said the budget his administration is considering focuses on maintaining current defense spending levels rather

Contractor Survival Tactics: Booz Allen Makes C4ISR Acquisition (govWin) At FIA, we are always keeping tabs on what's going in in the federal market, and I recently noticed that consulting firm Booz Allen Hamilton is making some interesting moves in order to remain competitive and continue its success in today's evolving

Northrop Grumman to cut up to 350 jobs (CapitalGazette.com) "The Department of Defense, for a number of years, has been stressing that companies need to be affordable," said Brandon Belote III, a spokesman for Northrop Grumman. "Cutting jobs is the last thing we like to do, but there are many cases where we're

'2013 is going to be ugly' for Microsoft as it shifts to Windows 8, Forrester predicts (IT World) As Microsoft launches Windows 8, and with it, an attempt to stabilize a precipitous decline in its share of operating systems for 'personal devices, 2013 is going to be a tough, very tough year, research firm Forrester said today

Raytheon Closes Wireless Cyber Buy, Looks to Access Emerging Markets (Govconwire) In the company's 11th cybersecurity-related acquisition in the past six years, Raytheon Co. (NYSE: RTN) has bought a South Carolina-based technology developer as it looks to expand its ability to provide defense, intelligence and commercial customers with wireless services. The Waltham, Mass.-based contractor did not disclose the terms of the deal and said it will

CGI Moving FTC Websites to Cloud Computing Infrastructure (ExecutiveBiz) CGI Federal will transition the Federal Trade Commission's public websites to a cloud computing infrastructure under a five-year, $3.5 million contract

ManTech Wins $152M Army C4ISR Task Order (Govconwire) ManTech International Corp. (NYSE: MANT) has won a task order under the strategic services sourcing prime contract for continued comprehensive IT support of C4ISR systems for the U.S. Army's communications-electronics command's software engineering center's field support division. According to a ManTech statement, the task order is for $151.9 million and has a period of 12 months

Two More Contracts for CACI (Zacks) CACI International shall also be providing its specialized technological services in the field of cloud technology, cyber security, service-oriented

Siemens Awarded Certification For Cyber Security Threat Protection (Dark Reading) Oct. 23, 2012 Wurldtech Security Technologies, leaders in protecting mission-critical connected devices from cyber security threats and Siemens, today announced that Siemens Infrastructure & Cities, Smart Grid Division, has obtained the Achilles Practices Certification, by passing strict industry benchmarks for device manufacturers security processes and practices. Based upon the standards set by the International Instrument Users Association (WIB), Achilles Practices Certification sets the bar for cyber security best practices in processes, practices, development, testing, commissioning, maintenance and support throughout the product lifecycle

Microstrategy Reorganizes C-level, Senior Leadership (Govconwire) Michael Saylor will remain chairman and chief executive at MicroStrategy Inc. (NASDAQ: MSTR) as the company rearranges its top management, according to a Washington Business Journal article. Saylor, who co-founded the company in 1989, will pass the title of president to Jonathan Klein, who serves as MicroStrategy's general counsel and chief legal officer

Research and Development

Hunting Botnets On A Bigger Scale (Dark Reading) Researchers build prototype botnet detection system that gathers a big-picture view of both known and unknown botnet activity

FTC Presents $50K Engineering Challenge: Block Illegal Robocallers (IEEE Spectrum) Prize for developing proposed technical solutions or functional solutions and proofs of concept

Security Patches, Mitigations, and Software Updates

Firefox 17 protects your privacy while enhancing the Facebook experience (Naked Security) The latest beta release of Mozilla's popular Firefox browser has introduced a new social media API. Can a web browser make it easier to use social media while protecing your privacy? Mozilla hopes so

CyanogenMod developers remove code that logged device screen-lock patterns (CSO) An unwanted line of code in the CyanogenMod Android firmware posed security risks by logging device screen-lock patterns

Adobe patches 6 critical security flaws in Shockwave (ZDNet) Adobe releases a new version of Shockwave, patching 6 critical security flaws

Cyber Attacks, Threats, and Vulnerabilities

In Cyberattack On Saudi Firm, U.S. Sees Iran Firing Back (New York Times) United States intelligence officials say the attacks real perpetrator was Iran, although they offered no specific evidence to support that claim. But the secretary of defense, Leon E. Panetta, in a recent speech warning of the dangers of computer attacks, cited the Aramco sabotage as a significant escalation of the cyber threat

US considers preemptive action to prevent 'Cyber Pearl Harbor' (Infosecurity Magazine) Spyware families are propagating, with the latest identified spawn being miniFlame, a "small and highly flexible malicious program" suitable for targeted, in-depth cyber espionage operations, according to Kaspersky Lab. Financial cybercrime a rising

Mounting Fears of 'Cyber-Pearl-Harbor', Escalating Attacks on Banks (The Market Oracle) Panetta added that digital attacks emanating from foreign soils could paralyse the country's power grid financial networks and transportation system saying that a cyber attack had the potential to "paralyse and shock the nation and create a profound

Gulf oil industry at risk of cyber attack (Financial Times) Rising regional political tensions and a flurry of recent cyber attacks have raised fears about the growing use of viruses to target critical national infrastructure in the Middle East

Who Is Hacking U.S. Banks? 8 Facts (InformationWeek) Hackers have labeled the bank website disruptions as grassroots-level reprisal for an anti-Islamic film. But is the Iranian government really backing the attacks?…A Muslim hacktivist group calling itself the Cyber fighters of Izz ad-din Al qassam continues to take credit for the campaign of website disruptions

.Gov, .Mil URL-Shortener Spam Attack Curtailed (Dark Reading) URL shorteners notoriously come with some risk as well as convenience, and attackers are now abusing the federal government's official link-shortening service, 1 usa.gov

Sopelka botnet drops Citadel, Feodo, and Tatanga crimeware variants (ZDNet) Security researchers from S21sec have published an analysis of the Sopelka botnet. Operating since May 2012, it is known to have launched five unique campaigns, three of which dropped crimeware variants from multiple families. Based on the researchers' data, the group behind the botnet managed to infect over 16,000 hosts, the majority of which were geolocated to Germany and Spain, the two countries topping the infection per countries chart. Just how easy is it to develop and manage such a botnet for the sake of monetizing the infected hosts, and cashing out in complete anonymity? In 2012, the process of developing and managing such a botnet is entirely automated, efficient, and most importantly - available as a service through a malicious underground Cybercrime-as-a-Service provider

Baddest Botnets of 2012 (CSO) According to security firm Kindsight, these are the Top Ten Worst Botnets this year. Botnets are networks of computers that have been compromised by malware. They're difficult to detect because they are controlled remotely by cybercriminals. Victim computers are often referred to as "bots" or "zombies" because they're carrying out a cybercriminal's orders without the victim's knowledge. In this slideshow, Kindsight Security Labs has identified the most dangerous botnets of 2012 based on their impacts this year

Offensive Facebook email leads to Blackhole malware attack (Naked Security) Facebook users are warned to be on their guard against unsolicited emails they might receive suggesting that someone has left an offensive comment about them on their wall

Malvertising on Yahoo Messenger hijacks browsers' start page (Help Net Security) Yahoo Messenger users who had the misfortune to follow the link in an advert for Vietnamese Internet directory website LaBan.vn and download the offered executable have been saddled with a persistent

Hackers steal customer data from Barnes & Noble keypads (CNet) Hackers broke into keypads at more than 60 Barnes & Noble bookstores and made off with the credit card information for customers who shopped at the stores as recently as last month. The company discovered the breach on September 14 but kept it quiet while the FBI attempted to track the hackers. Hackers broke into the point-of-sale terminals at 63 stores across the country, including locations in New York City, San Diego, Miami, and Chicago

How a Google Headhunter's E-Mail Unraveled a Massive Net Security Hole (Wired Threat Level) After a mathematician received a cold-call recruiting email from Google about a job, he thought it was a spoofed message or a possible test. After sending a spoofed message to Google CEO Larry Page, Zachary Harris figured out he'd stumbled

Report: Canada's cyber-security falling short (ITWorld Canada) For more perspective on the current report, I spoke to two researchers fromTrend Micro Inc., Tom Moss and Nart Villeneuve, about how serious they see the risks to our infrastructure. The danger is certainly present, they said, and government, just like

Cybersecurity Flaws at Department of Labor Continue the Trend of Government Cyber Failures (Heritage) A recent investigation into the Department of Labors (DOL) secure information systems revealed very serious cybersecurity flaws. Together with many other cybersecurity breaches and failures in the federal government, it is clear the government should not be put in charge of cybersecurity regulation of the private sector. The DOL failures included basic cybersecurity practices such as locking accounts after three failed attempts

Academia

Attacks on US Spark Need for More Cyber Security Degree Holders (U.S. News University) The cyber attacks reflect the nation's need to recruit more cyber security experts to protect the country's critical infrastructure. Tom Kellermann, vice president at Trend Micro and former member of President Barack Obama's cyber security commission

Campus community encouraged to understand role in protecting information (University of Delaware) Since 2004, EDUCAUSE, the National Cyber Security Alliance (NCSA) and other national organizations have declared October to be National Cyber Security Awareness Month (NSCAM), and the University of Delaware has joined in

Litigation, Investigation, and Enforcement

Europe Could Hit Microsoft With $7B+ Fine Over New Internet Explorer Antitrust Violations (TechCrunch) Looks like the European Commission is following through on what it's been reportedly planning to do for weeks: it has filed a formal complaint against Microsoft for antitrust violations related to Internet Explorer and giving consumers a clear way to choose another browser when using Microsoft's Windows operating system. The violation cost cost Microsoft billions in fines — the maximum penalty

China Cyber Threat: Huawei and American Policy Toward Chinese Companies (Heritage) On October 8, the House Permanent Select Committee on Intelligence released a report, U.S. National Security Issues Posed by Chinese Telecommunications Companies Huawei and ZTE. The report concluded that using telecommunications hardware and infrastructure from these two firms entails a risk to American economic and national security.While Congress and the Administration should favorably consider important aspects of the report, they must not use it as an excuse for protectionism. Telecom is one of the few industries where national security concerns are sharp

Huawei acts to clear its name (Guardian) The Chinese telecoms equipment firm Huawei, classified by several governments as a national security risk, has done a poor job of communicating about itself and in trying to dispel myths, the chairman of its Australian business has admitted. A US Congressional committee has urged firms to stop doing business with Huawei based on security concerns, while Australia blocked the company from tendering for contracts in its A$38bn high-speed broadband network."We sincerely hope that in Australia we do not allow sober debate on cyber-security to become distorted the way it has in the US," the Huawei Australia chairman, John Lord, said in a speech in Canberra, adding that the company proposed to set up a cyber-security evaluation centre in Australia. The centre would give complete access to its software source code and equipment

'Just trust us' - NSA to privacy advocates in court (RT) The US National Security Agency isn't outright rejecting claims that they've been conducting surveillance on everyone in the country, but they want Americans to at least give them the benefit of the doubt when it comes to their intensions

Feds Cite 'State Secrets' in Dragnet Surveillance Case -- Again (Wired) The Obama administration is again arguing that a lawsuit accusing the National Security Agency of vacuuming up Americans' electronic communications without warrants threatens national security and would expose state secrets if litigated.

Two analytics companies to settle charges for online user tracking (Help Net Security) A web analytics company has agreed to settle Federal Trade Commission charges that it violated federal law by using its web-tracking software that collected personal data without disclosing the extent

Design and Innovation

Mayfield Fund Backs Indian Incubator AngelPrime (TechCrunch) Mayfield Fund is announcing an Indian investment today, out of its Mayfield India fund. The venture firm is backing AngelPrime, a Bangalore-based incubator. The investment will be used as seed capital for the companies that AngelPrime plans to incubate over the next 3 years and to fund the operations of AngelPrime