The CyberWire Daily Briefing for 10.25.2012
After weak DKIM signing keys were found on Google's email domains, US-CERT warns that DomainKeys Identified Mail (DKIM) email is vulnerable to spoofing. Google, Microsoft, and Yahoo report they've remediated their DKIM vulnerabilities.
Check Point suggests Iran might not be the only actor behind the Izz ad-Din al-Qassam Cyber Fighters' "Operation Ababil," but most observers (especially in the US) continue to attribute the anti-banking campaign to the Islamic Republic. DDoS attacks use open DNS resolvers to "amplify" their attacks, which places affected organizations under serious stress.
Ordinary cyber criminals have not been idle. "Operation High Roller" attacked file transfer systems serving wealthy banking customers, an Ohio hospital suffers a data breach, and a phishing campaign exploits Twitter users. Law firms and corporate counsels find that e-discovery exposes them to identity theft.
Gartner tells its corporate audience it needs to "play offense" on cyber. As the US Congress looks for ways to finesse budget sequestration, insiders suggest that the days of a blank check for security are over. Lockheed Martin, Intel, AMD, Honeywell, and RSA found the Cyber Security Research Alliance, a not-for-profit devoted to attacking cyber "grand challenges."
Britain's GCHQ hopes to certify IA experts. The US Army pushes for more cyber offensive capability and offers Foreign Policy a look inside the 780th Military Intelligence Brigade. Australia prepares a major defense policy statement addressing cyber operations. Huawei looks for Australian friends in its ongoing espionage squabble with the US: the Chinese telecom manufacturer offers the Australian government full access to its source code.
Notes.
Today's issue includes events affecting Australia, China, European Union, Iran, Israel, Russia, Saudi Arabia, Switzerland, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
US-CERT warns DKIM email open to spoofing (Register) You might think this is no big deal - after all the value of strong cryptography has been recognized for years. Unfortunately this problem has been found to affect some of the biggest names in the tech industry, including Google, Microsoft, Amazon
Weak crypto allowed spoofing emails from Google, PayPal domains (Help Net Security) Zach Harris, a Florida-based mathematician, discovered that Google and many other big Internet companies use weak cryptographic keys for certifying the emails sent from their corporate domains - a weak DKIM
Cyber-Security Chief on Wave of Web Attacks (CNBC) The man often credited as being the father of internet defense says it's still unclear where a recent wave of hacking attacks targeting the U.S. financial industry is coming from
Iran Cyber Attack Highlights Growing Threat, Experts Say (Huffington Post) In recent weeks, computer hackers have attacked a Saudi Arabian oil company, a Qatari natural gas company, and several American banks. The level of damage varied, but again and again, American officials placed the blame on the same source: Iran
Cyberspace the new frontier in Iran's war with foes (Reuters) The rules in cyberspace, experts say, remain far from clear. Washington announced last year it reserved the right to retaliate militarily for any cyber attack that caused death or damage, but in reality most believe the technology has far outpaced the
DDoS attacks against banks raise question: Is this cyberwar? (Computer World) It's been a month of crippling denial-of-service attacks on websites operated by U.S. banks and financial services firms. A terrorist organization called Al-Qassam takes credit online, but now the attacks are being blamed on Iran. Within the past month, crushing blasts of 65Gbps traffic, mainly from thousands of compromised Web servers, have targeted Bank of America, Wells Fargo, US Bank, JP Morgan Chase, Sun Trust, PNC Financial Services, Regions Financial and Capital One
The Cyber Attack on HSBC: What Happened (CFO) "Denial of service" attacks like the recent launch against the global bank are a cyber threat that needs to be taken seriously – and not just by banks
Attackers Turn to Open DNS Resolvers to Amplify DDoS Attacks (Threatpost) Although DDoS attacks have been a serious problem for more than a decade now and security staffs have a good handle on how they're executed and how to handle them, attackers constantly adjust their tactics in order to defeat the best defenses available. One of the more recent tactics adopted by attackers is the use of open DNS resolvers to amplify their attacks, and this technique, while not novel, is beginning to cause serious problems for the organizations that come under these attacks
Operation High Roller Banked on Fast-Flux Botnet to Steal Millions (Threatpost) A fraud ring that attacked financial transfer systems in an attempt to get at wealthy high-end banking customers used a complicated web of malware and compromised servers in several countries to walk off with an estimated $78 million earlier this year. While the attacks targeted financial systems, the victims seem to be limited to companies involved in manufacturing, import-export businesses, and state or local governments
Nitol Infections Fall, But Malware Still Popping Up (Threatpost) When Microsoft went after the Nitol botnet in September, one of the key details in the investigation was the fact that much of the botnet was built by pre-loading malware onto laptops during the manufacturing process in China. This was the clearest case yet of the phenomenon of certified pre-owned devices making their way through the supply chain and into the market. As it turns out, nearly half a million of those infected machines showed up here in the U.S
Warning: e-Discovery Missteps Can Open Up the Door to Identity Theft (pinewswire) Corporate legal departments and law firms that host and review data online bear a significant responsibility to ensure that personally identifiable information (PII) remains protected. According to the Social Security Administration, identity theft is one of the fastest growing crimes in America, and the Federal Trade Commission (FTC) estimates approximately nine million Americans have their identities stolen each year. Most of these crimes rely heavily on a single piece of information: the Social Security number
Bogus Twitter DMs lead to iPad scam, surveys and phishing (Help Net Security) Yesterday's unveiling of the iPad Mini has not led to a decrease in desirability of its bigger version, and the offer of a free device is still a very effective lure employed by online scammers
Sony PS3 hacked 'for good' - master keys revealed (Naked Security) Sony's PS3 has been hacked. This time, it looks as though it's been hacked for good. We explain why this is different from previous hacks, and treat you to the war of words between the original hackers and the pirates who stole their work
CyanogenMod found logging Android unlock swipe gestures (Help Net Security) CyanogenMod, one of the most popular modified Android firmwares on the market, has been found to contain code that logs the swipe gestures used by users to unlock their device
Aultman Hospital reports data breach (The Press News) Aultman Hospital recently learned that an unidentified third party gained unauthorized access to credit card and debit card information relating to some purchases at the hospital's gift shop between February and September 2012. No patient health information was affected. Upon learning of the security breach, Aultman Hospital took immediate steps to investigate and resolve the situation
McAfee: Avoiding the 9/11-Level Cyber Armageddon (IT Business Edge) While you'd typically write much of this off as vendor grandstanding given the DOD presentation of a few weeks back that flagged the coming 9/11 anticipated cyber attack, this all showcases that while a lot of firms and government groups are taking
Line blurs between insider, outsider attacks (CSO) The insiders strike again. But this time it's not the malicious insider, but insiders' access to corporate data, and it is for sale in the cybercrime underground. Security experts have been saying for years that while technology is a key element in protecting enterprises from online attacks, human insider carelessness, vulnerability or hostility can always trump it
Anonymous to launch Wikileaks clone TYLER (ZDNet) Support is gone for Assange -- and now a new safe haven for whistleblowers may be on the cards
Could Cyber Attacks Ruin Christmas for Retailers? (Fox Business) "The reality is if they want it to get worse, it can get worse," said Dave Aitel, a former computer scientist at the National Security Agency. "I don't think people are really prepared mentally to what happens if Amazon goes down"
Security Patches, Mitigations, and Software Updates
Google, Microsoft and Yahoo fix serious email weakness (Computer World) Google, Microsoft and Yahoo have remedied a cryptographic weakness in their email systems that could allow an attacker to create a spoofed message that passes a mathematical security verification. The weakness affects DKIM, or DomainKeys Identified Mail, a security system used by major email senders. DKIM wraps a cryptographic signature around an email that verifies the domain name through which the message was sent, which helps more easily filter out spoofed messages from legitimate ones
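As an added illustration of the DKIM key-length weakness described in the stories above (example code written for this briefing, not from any of the cited articles or vendors), the check below parses a DKIM selector TXT record, reads the RSA modulus size out of the published public key with a minimal DER reader, and flags anything shorter than 1024 bits; the sample records are constructed with synthetic moduli, not real keys, and the 1024-bit threshold is an assumption.

```python
import base64
import re

WEAK_BELOW_BITS = 1024  # assumption: keys shorter than this are treated as forgeable

# Contents of the AlgorithmIdentifier SEQUENCE for rsaEncryption:
# OID 1.2.840.113549.1.1.1 followed by NULL parameters.
RSA_ALG_BODY = bytes.fromhex("06092a864886f70d0101010500")


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der):
    """Return the modulus bit length of an RSA SubjectPublicKeyInfo (DER)."""
    tag, spki, _ = _read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SPKI is not a SEQUENCE")
    tag, alg, pos = _read_tlv(spki, 0)
    if tag != 0x30 or alg != RSA_ALG_BODY:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _read_tlv(spki, pos)
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsapub, _ = _read_tlv(bitstr, 1)    # skip the unused-bits byte
    tag, modulus, _ = _read_tlv(rsapub, 0)  # RSAPublicKey ::= SEQUENCE { n, e }
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(modulus, "big").bit_length()


def parse_dkim_record(txt):
    """Split a DKIM TXT record ('tag=value; tag=value') into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def audit_dkim_record(txt):
    """Classify a record as ('ok'|'weak'|'revoked'|'unsupported', modulus_bits)."""
    tags = parse_dkim_record(txt)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        return "unsupported", 0
    p = re.sub(r"\s+", "", tags.get("p", ""))  # tolerate whitespace from split TXT strings
    if not p:
        return "revoked", 0                      # empty p= means the key is revoked
    bits = rsa_modulus_bits(base64.b64decode(p))
    return ("weak" if bits < WEAK_BELOW_BITS else "ok"), bits


# --- constructed sample records (synthetic moduli, not real keys) ---
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def make_sample_record(bits):
    """Build a DKIM record whose p= holds a synthetic RSA key of `bits` bits."""
    modulus = (1 << (bits - 1)) | 0x10001           # placeholder value, not a real key
    mod = modulus.to_bytes((bits + 7) // 8, "big")
    if mod[0] & 0x80:
        mod = b"\x00" + mod                         # keep the DER INTEGER positive
    exponent = (65537).to_bytes(3, "big")
    rsapub = _der(0x30, _der(0x02, mod) + _der(0x02, exponent))
    spki = _der(0x30, _der(0x30, RSA_ALG_BODY) + _der(0x03, b"\x00" + rsapub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()
```

Run `audit_dkim_record` over the TXT record of each selector your domain publishes (and each selector of senders you trust); a 512-bit or 768-bit result is the condition the reports above describe.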
Cyber Trends
IP theft attacks can hide on networks for years, unspotted by corporate victims, report claims (Naked Security) IP theft attacks can hide on networks for years, without the knowledge of corporate victims, report claims. Organizations in the financial services and public administration sectors are the primary targets of sophisticated attacks aimed at stealing intellectual property, with attacks involving both external and internal agents and lasting for months or years, according to a new report from Verizon.
Top Cybersecurity Accomplishments, 2006-2012 (Federal News Radio) Federal News Radio polled current and former federal cybersecurity experts for their opinion on what were the most significant cybersecurity accomplishments since 2006 to secure federal networks and improve public-private partnerships. The list below blends suggestions of more than 10 authorities on federal cybersecurity. The accomplishments are in no particular order
SANS Survey on the Security Practices of SCADA System Operators (The Herald) SANS Institute is asking those who work for SCADA and other control systems operators to take a 10-minute survey to reveal the level of awareness system operators have around cyber risk, their
83% of SMBs have no formal cyber-security plan (BizReport) The vast majority of small business owners in the US believe they are safe from cybercrime, yet just 17% have a formal cyber-security plan, according to a joint survey recently released by the National Cyber Security Alliance and security specialists
'Internet of Everything' will be platform of the future (Fierce Mobile IT) The highlight of the Gartner Symposium ITxpo so far has been the keynote address by John Chambers, chairman and chief executive officer of Cisco
Play Offense On Security In 2013: Gartner (InformationWeek) Enterprises can't count on defensive security strategies any more, Gartner execs tell IT leaders at Symposium/ITxpo conference
Marketplace
Defense Contractors Gird For 'Fiscal Cliff' (Washington Post) The nations largest defense contractors reported mixed financial results Wednesday as the companies continue to take steps to safeguard against possible federal budget cuts associated with the fiscal cliff
Shifting Mood May End Blank Check for US Security Efforts (New York Times) Michael V. Hayden, who led both the National Security Agency and the Central Intelligence Agency in the years after the Sept. 11 attacks, agrees that the time will come for security spending to be scaled back and believes that citizens need to decide
Reuters: Lawmakers Floating $55B Sequester Replacement Option (ExecutiveGov) A targeted $55 billion cut instead of the $109 billion slated to be cut from the federal budget under sequestration is an idea circulating around Congress, Capitol Hill aides told Reuters.
OMB touts PortfolioStat (Fierce Government IT) The Office of Management and Budget says it has caused $2.5 billion of savings and cost avoidances over a 3-year period through an oversight mechanism dubbed PortfolioStat. In an Oct. 24 blog post, OMB Acting Director Jeffrey Zients says PortfolioStat caused agencies to analyze baseline data regarding 13 types of commodity information technology spending and come up with ways to lower costs in those areas
DoD seeks MDM, app store (Fierce Mobile Government) DISA plan would support up to 262,500 devices. The Defense Information Systems Agency seeks a mobile device management solution and mobile application store that can be used across a range of Defense Department environments, according to a solicitation posted to FedBizOpps.gov on Oct. 22
DISA/DITCO Offer Potential 5 Year Contract for New App Store (Govconwire) The Defense Information Technology Contracting Organization, in conjunction with the Defense Information Systems Agency Program Executive Office - Mission Assurance are seeking proposals for the Department of Defense mobility, mobile device management-mobile application store. The contract is being offered on FedBizOpps.Gov. It is a firm-fixed-price contract and will include one base year and four six-month options
CACI Providing HUD Enterprise IT, Software Development (ExecutiveBiz) CACI International has won a $70 million task order to continue providing information technology and software development support to the U.S. Department of Housing and Urban Development, the company announced Wednesday
SAP, Antenna lead large mobile app developer pack (Fierce Mobile IT) Out of more than 100 mobile app developers examined by Gartner, only two, SAP and Antenna, were named as leaders in its 2012 Mobile Application Development Magic Quadrant report
Lockheed, Intel, others team up to tackle cyber challenges (Reuters) Five U.S. technology companies, including top weapons maker Lockheed Martin Corp and chip maker Intel, plan to team up to tackle "grand challenges" in cyberspace amid growing concerns about computer security. The non-profit
Kaspersky Lab climbs up the leader board on the Sunday Times Top Track 250 (Security Park) The company was responsible for the discovery of Flame, a highly sophisticated, malicious program which was being used as a cyber weapon to target entities in several countries. Eugene Kaspersky, co-founder and CEO of Kaspersky Lab, said, "It's great
Westinghouse, McAfee to equip nuclear plants with new cybersecurity systems (Tribune-Review) "But that being said, we have cybersecurity requirements today that take into account that there are other parts of the grid and the control systems for the grid that have to be protected against cyber attack." The McAfee systems detect and prevent
Salesforce.com Laying Off Radian6 Employees As Buddy Media Shows $20 Million Net Loss (TechCrunch) Two of Salesforce.com's most high profile "social media" acquisitions are showing signs of trouble. At Radian6, Salesforce.com is reported to be laying off "less than 100 people." And at Buddy Media, the company amended its 8-K, which shows $20 million in net losses for the first six months
Products, Services, and Solutions
Review: Malwarebytes Enterprise Edition (eSecurity Planet) Malwarebytes Enterprise Edition detects and removes malware, removing all traces after a system has been infected, a capability that is likely to be especially important to small businesses
Hadoop updates from Cloudera, MapR, Splunk (IT World) As organizations continue to evaluate Hadoop for large scale data analysis, Hadoop software vendors are refining their products for enterprise use, addressing concerns around reliability and expanded use
Does OpenStack need a Linus Torvalds? (IT World) OpenStack has been dubbed by some enthusiasts as the Linux of the cloud - an open source operating system for public or private clouds. But there's one stark difference between the two projects: OpenStack doesn't have a Linus Torvalds, the eccentric, outspoken, never-afraid-to-say-what-he-thinks figurehead of the Linux world
Lunarline Adds DIARMF to Services and Training Course Offerings (Sacramento Bee) Well-known cyber security company, Lunarline, is adding support to the Department of Defense's upcoming transition from the DoD Information Assurance Certification and Accreditation Process (DIACAP) to
TeamMentor: Secure software development knowledge base (Help Net Security) Security Innovation released TeamMentor 3.2, a SaaS product that provides guidance to help security and development teams create secure software out of the box, along with support for industry best practices
Protecting print devices from malware (Help Net Security) Xerox and McAfee revealed new protection against malware and viruses with the first networked multifunction printer to use McAfee Embedded Control software, a filtering method that allows only approved
Entrust IdentityGuard delivers mobile smart credentials (Help Net Security) To enable organizations to secure and leverage mobile devices in the wake of BYOD trends, Entrust extends its identity-based security platform with Entrust IdentityGuard Mobile Smart Credentials
Qualys Introduces Predictive Analytics Engine For Zero-Day And Microsoft Patch Tuesday Vulnerabilities (Dark Reading) QualysGuard Vulnerability Management will now feature vulnerability prediction capabilities within a new dashboard
BlackBerry bests iOS, Symbian, Windows Phone in security drill (Fierce Mobile IT) Research in Motion's (NASDAQ: RIMM) BlackBerry bested Apple's (NASDAQ: AAPL) iOS 5, Nokia's (NYSE: NOK) Symbian S60 and Microsoft's (NASDAQ: MSFT) Windows Phone 7 in 10 of 11 threat categories, according to a study by Strategy Analytics
Microsoft Releases Hadoop On Windows (InformationWeek) Microsoft makes big data play with HDInsight Server, first beta release of Hadoop distribution for Windows operating system
Technologies, Techniques, and Standards
With weak passwords continuing, blame turns to security pros (CSO Salted Hash) With 'Jesus' and '123456' topping SplashData's annual list of worst passwords, onus on IT to require stronger passwords, says expert
Cyber Security Awareness Month - Day 24 - A Standard for Information Security Incident Management - ISO 27035 (Internet Storm Center) Rob covered ISO 27005 in his 17 OCT diary, which covers information security risk management. I believe as handlers for the Internet Storm Center we'd be remiss in failing to cover an incident response standard for Cyber Security Awareness Month. ISO 27035 fits the bill perfectly
Most effective ways to stop insider threat (Help Net Security) Imperva examined the psychological, legal and technological tactics employed by leading organizations to mitigate insider threats, a class of enterprise risk perpetuated by a trusted person who has access
Should cloud providers be certified? (IT Pro) Peter Allwood, information and technology risk manager at Deloitte, insists that credibility is entering the certification market with the likes of the Cloud Security Alliance (CSA) collaborating with the International Organisation for Standardisation
Cloud Security Alliance guidance for data ownership (Help Net Security) The Cloud Security Alliance has incorporated in recently-released implementation guidance issued by the Security as a Service Working Group a set of recommendations for cloud end users to adopt encryption of data-in-use as a best practice
Academia
Govt challenges university hackers to break virtual businesses (ZDNet) Australia has a new cybersecurity competition following the nation's previous success in the Cyber Defence University Challenge, which was launched earlier this year. Building on the last challenge, the Department of Broadband, Communications and the Digital Economy (DBCDE) has teamed up with Telstra and Microsoft to establish the Cyber Security Challenge Australia 2013 (CySCA). Although the university title has been dropped from the challenge's name, it is still aimed at Australian undergraduates, in order to encourage them to build information security skills. "CySCA 2013 reinforces the government's commitment to ensuring that Australia builds the ICT and cybersecurity skills base that it needs in order to grow both Australia's burgeoning digital economy and protect our online interests," said DBCDE deputy secretary Abul Rizvi in a statement
National High School Cyber Security Competition Draws 1,200+ Teams, Reaches All 50 States (Sacramento Bee) The Air Force Association announced today that CyberPatriot, the National High School Cyber Defense Competition, has drawn 1,225 teams as registration closed October 6th. The competition has teams representing all 50 states, the District of Columbia, Puerto Rico, Guam, U.S. Department of Defense Dependent Schools in both Europe and the Pacific, and Canada. Established by the Air Force Association (AFA), CyberPatriot is the nation's largest and fastest growing high school cyber security challenge
Legislation, Policy, and Regulation
GCHQ Launches Cyber Security Experts Certification Scheme (TechWeek Europe) Spy agency announces another scheme to find the cyber security stars of the future. The information assurance (IA) arm of GCHQ has launched a new scheme to certify the quality of cyber security professionals in the UK
Cyber Information Assurance and Critical Infrastructure Protection (ISN) Governments are pursuing public-private partnerships both to ensure continuity of services and to protect critical infrastructure from cyber-attacks. In today's podcast, we look at the current status of such partnerships as well as the challenges they
Army leaders promote need for offensive cyber capability (Nextgov) Rhett Hernandez, commander of Army Cyberspace Command at Fort Meade, Md., said cyber threats against Army networks today are "real, growing, sophisticated and evolving…they are changing the way we operate." The threats require sophisticated
Killer Apps: Inside one of US Cyber Command's offensive units (Foreign Policy) As the Army's contribution to U.S. Cyber Command, the 780th is responsible for hunting down enemy hackers, figuring out how they operate, and developing cyber weapons to use against a host of online targets. These soldiers work outside the Pentagon's
Obama to compromise on cybersecurity executive order (CSO) Another provision sought by privacy advocates would put the DHS, not the National Security Agency, in charge of the information-sharing network that would distribute "sanitized summaries of top-secret intelligence reports about known cyberthreats that
The ADF and cyber warfare (The Interpreter) Richard Addiscott is an information security consultant with BAE Systems Stratsec. The views expressed here are his own and do not represent the views of his employer. What is cyber warfare and what could it mean to the Australian Defence Force? I hope the 2013 Defence White Paper will address both questions
OMB has authority to make federal cybersecurity more dynamic, says report (Fierce Government IT) The Office of Management and Budget could use existing authorities to make agency cybersecurity efforts more efficient and dynamic, says a report released Oct. 23 by the Center for Strategic and International Studies
Litigation, Investigation, and Law Enforcement
Huawei offers Australia 'unrestricted' access to hardware, source code (CNet) Huawei has offered to give the Australian government "unrestricted" access to the firm's software source code and hardware equipment in an effort to dispel security fears, months after the Chinese telecoms giant was barred from supplying infrastructure equipment for the country's national broadband network. The Australian government barred Huawei from bidding on contracts for the network earlier this year, saying it had a "a responsibility to do our utmost to protect [the network's] integrity and that of the information carried on it
The China Collision (Washington Post) The House Permanent Select Subcommittee on Intelligence issued a report Oct. 8 that was quite unusual. The chairman, Mike Rogers (R-Mich.), and ranking minority member, C.A. Dutch Ruppersberger (D-Md.), declared that two Chinese telecommunication giants are a threat to U.S. national security because of their ties to the Chinese government, Communist Party and military, and they called on U.S. firms not to buy their wares
Spies and Co. (New York Times) SUDDENLY, Washington is extremely concerned about Chinese espionage. Last month, the White House blocked a Chinese company from operating a wind farm near a sensitive Navy base in Oregon. Next, the House Intelligence Committee said two Chinese telecommunications firms were manufacturing equipment that could be used to spy on the United States
Samsung loses another big patent case to Apple, this time at ITC (Ars Technica) Ruling could result in some Samsung phones being banned from US market in 2013
Microsoft Agrees to Modify Windows 8 Following EU Complaint (Threatpost) Microsoft announced Wednesday it will tweak the release of its forthcoming Windows 8 operating system to comply with the European Commission, which argues that in its current state, the software fails to offer customers a browser choice screen to let them "easily choose their preferred web browser"
The European Commission isn't happy about the browser ballot pop-up in Windows 8 or Windows 7-SP1 (ComputerWorld) The EC says it's inadequate in the former and missing in the latter. Microsoft (NASDAQ:MSFT) faces possible huge fines as a result. However, there is at least some good news for Redmond
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
TechExpo Cyber Security Careers (Columbia, Maryland, Nov 1, 2012) Profit from presentations by leading industry figures and networking opportunities designed for serious job-seekers.
Anatomy of an Attack (New York, New York, Nov 15, 2012) Join Sophos security experts in exploring how threats like malware, Trojans, worms and spyware actually work and what you can do to protect your company, even if you're on a tight budget.
ZeroNights (Moscow, Russia, Nov 19 - 20, 2012) ZeroNights is an international conference dedicated to the technical side of information security. The mission of the conference is to disseminate information about new attack methods, threats and defense tools. Another purpose is to create a communication venue for skilled professionals in the field of information security.
Passwords^12 (venue and dates not listed) Passwords^12 is a 3-day conference only about passwords & PIN codes. With an "all-star" cast of speakers, including Joan Daemen (AES/SHA3), Jens Steube (alias "atom", hashcat author), Colin Percival (CSO FreeBSD, inventor of scrypt), Simon Marechal (John the Ripper co-developer), Frank Stajano (Cambridge) and many more, this will be the premier event for everything and anything related to password security. Passwords^12 is the first and only conference of its kind, bringing together academic institutions, researchers and security professionals from around the world. It's a not-for-profit and non-commercial conference. No sales personnel, no marketing managers and deep technical talks.
BayThreat (Sunnyvale, California, Dec 7 - 8, 2012) The theme for BayThreat is a new spin on the dichotomy of attacking and defending in information security. We're calling out all of the attackers and defenders that are on the front lines of the battle.
25th Annual FIRST Conference (Bangkok, Thailand, Jun 16 - 21, 2013) The annual FIRST conference provides a setting for conference participants to attend a wide range of presentations delivered by leading experts in both the CSIRT field and from the global security community.