The CyberWire Daily Briefing 10.31.12

Cyber Trends

The SQL Injection Disconnection (Dark Reading) Hackers fixate on SQLi—CSOs, not so much. A new report out this week that examines the most talked-about topics within online hacker forums shows that there may be a huge disconnect between the vulnerabilities that hackers are most keen to exploit and the risk mitigation measures CSOs squirrel away cash to purchase. Most notably, SQL injection attacks this year rose to be tied for first place with DDoS attacks as the most commonly discussed vulnerabilities by hackers

Mobile Device Management Advice from Gartner (eSecurity Planet) Thanks to the BYOD phenomenon, Gartner expects 65 percent of enterprises to adopt a mobile device management (MDM) solution over the next five years. It may be too early to say "the era of the PC is ended," as Phil Redman, a research vice president at Gartner, recently did. Still, there is no question knowledge workers are transferring many of the tasks

THOMAS: Cyber security for the home (NC Times) When we think about cyber security we usually think about big businesses or government agencies, but securing your computers and information is important in your home, too. Hackers and thieves have a number of reasons to break into your computer, but the most common are to steal the information stored there and to use the resources of your computer to do their bidding. One of the things a hacker wants from your computer is information

Q3 malware costs advertisers $900,000 every day (ZDNet) What cyberattack threat levels have risen in Q3? Kindsight's Q3 malware report suggests that 13 percent of household networks were infected in Q3, and 6.5 percent of broadband networks are infected with high-level threats

Getting beyond the data warehouse, beyond Hadoop and beyond question (Fierce Big Data) Following the inspirational call to arms by Cloudera CEO Mike Olson at last week's Strata Conference & Hadoop World, speakers took to the stage to remind us of the technical challenges ahead

Legislation, Policy and Regulation

Govt to invest $200 mn in 4 yrs on cyber security infra (Zee News India) The government Tuesday said that it will invest around USD 200 million in next four years to strengthen cyber security infrastructure

Will the Third Worldwide Cyber Security Summit of Delhi Succeed? (CJNet India) Cyber security, like any other initiative, requires dedicated, actual and ground level work. If the actual work and will is missing, thousands of partnerships and conferences cannot bring any result. Of course, techno legal initiatives like National Cyber Security Database of India (NCSDI) and Cyber Security Research and Development Centre of India (CSRDCI) can be really helpful in bringing ground level and actual cyber security improvement and strengthening efforts in India

Showdown set on bid to give U.N. control of Internet (Al Arabiya) It is expected to be the mother of all cyber diplomatic battles. When delegates gather in Dubai in December for an obscure U.N. agency meeting, fighting is expected to be intense over proposals to rewrite global telecom rules to effectively give the United Nations control over the Internet. Russia, China and other countries back a move to place the Internet under the authority of the International Telecommunications Union, a U.N. agency that sets technical standards for global phone calls.U.S. officials say placing the Internet under U.N. control would undermine the freewheeling nature of cyberspace, which promotes open commerce and free expression, and could give a green light for some countries to crackdown on dissidents

Cyber attacks have changed, but Australia is doing something about it: SANS (ARN) Security group finds that Australian government agencies are proactive in dealing with security threats. Australia knows how to fix things and is doing something about it, at least when it comes to online security. That is according to SANS Institute research director, Alan Paller, after he recently caught up with the Defence Signals Directorate (DSD), an intelligence agency in the Australian Government Department of Defence

Canadians need to be more cyber aware, expert warns (Ottawa Citizen) Cyber attacks are skyrocketing primarily because average Canadians do not take computer security seriously enough, experts told an Ottawa security conference Tuesday

Minister Toews Reaffirms Harper Government's Commitment to Perimeter and Cyber Security (EINNews) Today, Public Safety Minister Vic Toews delivered a keynote address at SecureTech 2012, a conference focussing on current and emerging threats to security and public safety. The two main themes of this year's conference are perimeter and cyber security

Hopes for federal cybersecurity standards fading (CSO) Cybersecurity is clearly on the agenda of both Congress and President Obama. But it is just as clearly not at the top of their list. The prospects this year for federal cybersecurity standards governing private-sector operators of critical infrastructure, either through legislation or presidential executive order, are fading

Products, Services, and Solutions

Visa Planning to Step Up Credit Card Security For Retailers (switchcommerce) Visa is changing the game in its industry by overhauling credit card security. The current magnetic strip backing on credit cards dates back to the 1960s and 1970s. At that time, the technology was enough to prevent most would-be thieves from stealing someones information

F-Secure keeps your apps, plugins and OS up-to-date (Help Net Security) F-Secure has introduced Software Updater which offers patch management as a business security feature. Over 80% of the top 10 malware detected by F-Secure Labs are targeted against software weaknesses

Splunk Enterprise 5 released (Help Net Security) Splunk announced Splunk Enterprise 5, which includes added features to create a powerful platform for developers building big data applications

Interactive CERT map from ENISA (Help Net Security) ENISA has published a new interactive CERT map and Inventory of CERT's activities in Europe containing publicly listed teams and co-operation, support and standardisation activities

Cirro, Tableau partner and integrate analysis, BI (Fierce Big Data) Cirro and Tableau Software announced a strategic partnership today that will result in the integration of Cirro's big data access and analytics with Tableau's business intelligence software

Rugged Android device with secure communication (Help Net Security) Cummings Engineering, in partnership with Ascent Rugged Mobile, is launching SAIFE Defender, a commercial rugged Android device with secure digital communications. SAIFE Defender, a rugged mobile Android device with interoperable secure communications capabilities, is platform-neutral; field officers can communicate securely with each other even if they are using different devices, such as a BlackBerry, iPhone or Droid. Additionally, agencies dont have to invest in unique radio infrastructure but instead can securely leverage existing commercial carrier networks such as Verizon, AT&T, and others

Mobility management for Windows Phone 8 (Help Net Security) AirWatch unveils device and application management support for Windows Phone 8 devices. With the introduction of the Nokia Lumia 920 and Nokia Lumia 820, partnerships with important enterprise players like AirWatch will continue to make Nokia Lumia the most obvious choice for business, said David Mason, Global Head of Business Mobility, Nokia. Nokia Lumia brings innovative experiences that people love like wireless charging - so your phone is always charged - while Windows Phone 8 ensures IT administrators are confident the companys data is secure"

Microsoft responds to Office 2013 complaint on Surface tablet (SlashGear) A supposed member of the Microsoft Word team has gone to Hacker News to address a complaint about Office 2013?s processing speed on the company's new Surface tablet

ARM Launches New 64-Bit Processors (PC Magazine) Mobile processor giant ARM announced two new processor designs today, which will bring 64-bit computing power to phones and tablets and try to challenge Intel's dominance in the server space

Technologies, Techniques, and Standards

Is a Greater Risk of Data Loss the Trade-Off for Convenience? (Dark Reading) Ease of use aside, protecting customer data is never an afterthought

Security Monitoring On A Budget: Security Knowhow Needed (Dark Reading) Managed providers and simpler security-monitoring appliances can help small and medium businesses better understand their networks, but building in-house expertise is important

Calling Foul on the Political Football That is Do Not Track (Threatpost) It looks like it's time for a do-over for DNT. The oft-maligned specification has become—like many other standards efforts before it—a political football. Parties with interests on both sides of the issue have their own agendas, cannot agree on semantics and ignore, in this case, what should be the heart of the issue for users—a clear personal choice about browsing privacy

Cyber Security Awareness Month - Day 30 - DSD 35 mitigating controls (Internet Storm Center) Nearing the end of the month it would be remiss not to mention the DSD 35 mitigating strategies. Whilst not strictly a standard it provides guidance and The Defence Signals Directorate or DSD is an Australian government body that deals with many things called Cyber. Amongst other things they are responsible for providing guidance to Australian Government agencies and have produced the Information Security Manual (ISM) for years

ASP.NET Gets Better Cryptography (InfoQ) .NET 4.5 brings a lot of improvements in how Cryptography is handled within ASP.NET, with new APIs Protect and Unprotect and various under-the-hood changes. Levi Broderick explains the motivation, the changes and compatibility in a series of articles. ASP.NET needs two secret hash keys for crypto - decryption key and validation key - this pair is together called a machine key. The machine key is reused between different components. Levi's first article shows how this .NET 4.0 design can lead to security issues in one component have a much bigger impact on other components of the system as well

Marketplace

Increased China-US IT trade tensions likely short-term (ZDNet) The U.S. scrutiny over Huawei could see a spillover impact on other firms, but this is likely to be short-lived and American companies are unlikely to face retaliatory sanctions. The heightened scrutiny over Chinese telecoms equipment maker Huawei Technologies in recently could lead to more obstacles for other technology exports from China. However, any trade obstacles from the United States would likely be short-term and it may be business as usual within a year, according to industry watchers

Centers for Medicare & Medicaid Services Win 2012 National Cybersecurity Innovation Award (Sacramento Bee) The innovation: Deploying continuous automated monitoring to radically reduce the vulnerability of confidential citizen health data, with the added innovation of generating competition among contractors to improve security. The Centers for Medicare & Medicaid Services (CMS) has won a 2012 U.S. National Cybersecurity Innovation Award for using continuous automated monitoring to protect confidential citizen health data against theft and alteration

College Grads Flocking to Contractors (ExecutiveBiz) Government contractors or companies with a significant government contracting business make up more than a quarter of 100 companies that college graduates want to work for, according to a survey by Universum. The consulting company asked 59,643 recent college graduates from 318 universities across the country to pick their most desirable employer

DHS Drafts Solicitation for Cyber Security Tools and Services (govWin) In a draft solicitation issued mid-October 2012, the Department of Homeland Security (DHS) outlines 15 toolsets and 11 services areas for the new Continuous Diagnostic and Mitigation (CDM) program and for continuous monitoring as a service (CMaaS)

Federal Government Lacks Experts To Address Cyber Security Threats (Think Progress) The federal government faces a shortage of cyber security experts. That's according to an article published in FCW, a technology-focused publication. FCW interviewed federal officials regarding the government's ability to effectively beef up its cyber security program and found a unsettling trend: the government needs more tech experts. In some cases, according to a Department of Defense official, the government hasn't even figured out what to hire for

As Cyberthreats Rise, Army And Others Seek A Few Good Hackers (Miami Herald) As about 570 computer hackers and anti-hacking experts gather at a conference in Miami this week, a couple of key themes are emerging: The threat of cyber attacks on corporate and government sites is on an ominous rise. And there is a fortune to be made in battling the bad guys

Intelligence Spending Drop Reverses Trend (Bloomberg) The United States spent $75.4 billion on intelligence agencies and activities in the last fiscal year, down from $78.6 billion the previous year, according to figures released Tuesday by the federal government

SAP India maps India address directory (Fierce Big Data) SAP India has announced a partnership with MapmyIndia, to enhance the capabilities of its SAP Data Quality Solution. Through the partnership, SAP will use MapmyIndia's India Address Directory in order to help enterprises verify precision of data, profile, cleanse and standardize it

EMC to acquire Silver Tail Systems (Fierce Big Data) EMC Corporation (NYSE: EMC) has signed an agreement to acquire privately-held Silver Tail Systems, a leader in real-time web session intelligence and behavioral analysis. Silver Tail's big data approach to fighting cybercrime will help accelerate RSA's strategy to leverage data analytics and adaptive risk-based controls for broader consumer and enterprise security use cases

VMware, the bell tolls for thee, and Microsoft is ringing it (Network World) Survey results from VMworld indicate that Microsoft is becoming a threat to VMware's user base. VMworld is about a month behind us now and I've had a little more time to noodle on the joint survey I did with virtualization management vendor Xangati. There was a tremendous amount of energy at VMworld and the show floor was one of the biggest and busiest I've seen in a long time. This might give one the impression that the VMware franchise is impenetrable, but the survey shows differently

Navy Preparing Counter-Networks and Illicit Trafficking $5B Contracting Program (Govconwire) The Naval Air Warfare Center's new counter-networks and illicit trafficking program office is preparing a $5 billion contracting program that will provide operations support to its mission to stop smugglers and terrorists. According to a Washington Post article, the five-year contract calls for building hardware and software, managing training, conducting studies and analyses and other

General Dynamics IT Wins Contract from CMS Worth Potential $100M (Govconwire) General Dynamics' (NYSE: GD) information technology business unit has won a task order from the U.S. Health and Human Services department's Centers for Medicare and Medicaid Services, to support the medicare secondary payer program. According to General Dynamics, the task order falls under the CMS enterprise system development contract, valued at $100 million for its

FireEye Announces Membership in McAfee's Security Innovation Alliance (Marketwire) FireEye, Inc., the leader in stopping advanced cyber attacks, today announced that it has joined the McAfee

Research and Development

A surveillance system that can anticipate trouble (Help Net Security) Two researchers from the Psychology Department of the Carnegie Mellon University have managed to create a video surveillance system that not only follows human activity, but is also capable of predict.

Cyber Attacks, Threats, and Vulnerabilities

Whodunnit? Conflicting accounts on ARAMCO hack underscore difficulty of attribution (Naked Security) A recent report suggests that the devastating cyber attack that wiped out thousands of computers belonging to Saudi Arabia's national oil company was the work of a lone hacker - days after the US Secretary of Defense cited it as an example of a state sponsored attack. What do we really know

Israeli cops penetrated by army of fake generals with trojans (The Register) Israeli police departments were pulled offline last Thursday following the discovery of a Trojan especially targeted at law enforcement networks in the Jewish state. The malware was distributed using spammed messages, spoofed so that they appeared to come from the head of the Israel Defense Forces, Benny Gantz. The malicious emails contained the subject line "IDF strikes militants in Gaza Strip following rocket barrage", and a compressed .RAR file was attached

Israel Police pulled computers offline due to RAT infestation (Help Net Security) Trend Micro researchers have managed to get their hands on the malware that caused the Israeli Police Department to pull all of its systems offline last Thursday

Who let the cyber attack happen? (Post and Courier) The frustration in Judith Goldsmith's voice builds the more she talks about the South Carolina computer hacking crisis that's affected 3. 6 million in the Palmetto State. I was wondering if we'll ever really know who hacked or what the repercussions are going to mean, the 72-year-old West Ashley resident said Monday

Security breach prompts county to examine cyber-security (IslandPacket) News of a massive security breach affecting more than 3. 5 million S.C. taxpayers prompted Beaufort County officials to examine their own cyber-security. They said Tuesday that county taxpayer information -- including Social Security numbers and other personal data -- is safe from similar cyber attacks

S.C. governor's post-breach data encryption claims are off-base, analysts say (Computer World) Security analysts this week challenged South Carolina Governor Nikki Haley's defense of the state's information security practices in the wake of a data breach at the S.C. Department of Revenue that exposed the Social Security Numbers (SSNs) of 3. 6 million people. In a news conference Monday, Haley insisted that the state was following industry practices when it decided not to encrypt SSNs and other personal taxpayer information stored on state computers."The industry standard is that most SSNs are not encrypted," Haley said in response to a question from a reporter

Oops: E-Mail Marketer Left Walmart, US Bank and Others Open to Easy Spoofing (Wired Threat Level) Think you fixed your DKIM e-mail security problem by swapping out your weak key with a stronger one? According to one researcher, you may still be vulnerable if you use a third-party e-mailer who is using a weak key to

VM-aware viruses on the rise (Computer Weekly) Viruses targeting virtual machines (VM) are growing in numbers and will soon be the dominant force in the world of cyber crime. Speaking at this week's SNW Europe conference in Frankfurt, Joe Llewelyn, head of global sales training at Kaspersky Lab, warned of the increase and the trouble they could cause. A lot of the viruses we are now seeing are virtual machine aware, meaning they will work out if they are running on a VM, he said

EFF Raises Questions on Privacy Leaks in Ubuntu (Threatpost) EFF UbuntuThe EFF is warning users of Ubuntu's latest release that the open-source operating system sends their search queries to third parties, including Amazon, by default, and that some of their search results may be viewable by other users on the same network. The privacy leaks are present in Ubuntu 12.10 and the group says that Canonical, which runs the Ubuntu project, should disable the inclusion of online search results by default and make it clearer to users what is being done with their search queries and IP addresses

Lack of Abuse Detection Allows Cloud Computing Instances to Be Used Like Botnets, Study Says (CIO) Some cloud providers fail to detect and block malicious traffic originating from their networks, which provides cybercriminals with an opportunity to launch attacks in a botnet-like fashion, according to a report from Australian security consultancy firm Stratsec. Researchers from Stratsec, a subsidiary of British defense and aerospace giant BAE Systems, reached this conclusion after performing a series of experiments on the infrastructure of five "common," but unnamed, cloud providers. The experiments involved sending different types of malicious traffic from remotely controlled cloud instances (virtual machines) to a number of test servers running common services such as HTTP, FTP and SMTP.

ZeroAccess Botnet Cashing in on Click Fraud and Bitcoin Mining (Threatpost) A mid-year switch in communication protocol and distribution strategy is behind a spike in activity from the ZeroAccess botnet, a prolific and malicious ad click fraud network. Researchers at Kindsight Security Lab reported today that ZeroAccess accounts for 29 percent of home network infections in the third quarter, up significantly from previous measurements, said Kevin McNamee, security architect and Kindsight Security Labs director. At the middle of the year it changed from a TCP-based peer-to-peer botnet to one that uses UDP, McNamee said

Security researchers warn of flourishing cyber crime kit 'supermarkets' (v3) Cybercriminals are being given access to an increasingly diverse range of attack and infection tools and services, say researchers. Security firm Trend Micro said that a recent analysis of Russian crimeware markets has found that malware tools and services range from one-time packages which cost just pennies to sophisticated packages and services which cost purchasers thousands of dollars per month. The study noted that a number of components, including malware packages, rootkits, and exploits along with hacking services including account thefts, denial-of-service (DDoS) attacks and botnet rentals are available to cyber criminals looking to carry out attacks

Inside the black market for social network fraud (Help Net Security) In its analysis of a large hacker forum containing roughly 250,000 members, Imperva detected a black market for social network fraud

Shopping The Russian Cybercrime Underground (Dark Reading) Inside look at the wide range of hacking and related services being offered in the Russian-speaking cybercrime marketplace illustrates its maturity and popularity

How much is your UAE mobile phone number worth? (Emirates 24/7) 'My Number, My Identity' campaign sets off bidding war for phone numbers; etisalat, du warn of scams. With the Telecommunications Regulatory Authority's (TRA) 'My Number, My Identity' campaign flagging off in the background, many residents are now being offered a price for their mobile number

ICS-CERT warns of increasing threat to industrial control systems (The H) Attacks on industrial control systems are on the rise: the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued a warning, which has been reiterated by the German Federal Office for Information Security (BSI). Special tools and search engines make attacks on systems and devices in infrastructures such as electricity grids simple even for inexperienced attackers

Phishing email hijacks Windows 8 launch (ZDnet) A new round of emails tries to dupe unsuspecting users to "update" to Windows 8 for free. Cybercriminals don't waste much time these days. Keep on top of trends and significant events, whether it is PayPal's changing terms and conditions, an overdue student loan or the launch of a new tech product -- any hook that cybercriminals can use will be exploited. The recent launch of Microsoft's Windows 8 operating system is no exception

More emails hacked as 'revenge' for education cuts (Sydney Morning Herald) Hacker's email raises minister's hackles. The hacking of the email account of the NSW director-general of education was not an isolated case in the department and insiders are apparently conducting a cyber campaign as "revenge" for education cuts and management decisions

Trouble for Borderlands 2 Players (Threatpost) Some XBOX Live users have violated the online gaming platform's code of conduct by using a malicious application that allowed them to permanently kill off the characters of other players in the popular 'Borderlands 2' video game

Hackers Threaten to Expose Anonymous Own3r (Softpedia) The controversial hacker known as Anonymous Own3r – who calls himself the "security leader of Anonymous" – has been threatened by the controversial Anonymous-affiliated Fawkes Security collective

3 terrifying, but true, security tales (PC Advisor) Just in time for Halloween, security expert Dr. Eric Cole shares scary stories about cybersecurity. While Halloween only comes around once a year, organizations are constantly encountering situations that are downright scary. In honor of Halloween we thought readers might get a thrill out of a few frightful, but true, cyber tales as experienced by cyber security expert and SANS Institute Instructor, Dr. Eric Cole.

Academia

U.S. National Security Agency Associate Directorate for Education and Training Wins the 2012 U.S. National Cybersecurity Innovation Award (gnom.es) The innovation: Improving the value and effectiveness of college cybersecurity education programs by developing a rigorous new academic standard for colleges seeking to be considered Centers of Academic Excellence capable of producing technically proficient cybersecurity talent, and enabling four colleges to prove they can meet that standard

DHS Proposes Cybersecurity Education to Begin in Kindergarten (The New American) In an effort to embolden the next generation of cyber professionals, the Department of Homeland Security (DHS) is devising an initiative to encourage and equip young Americans with knowledge and skills in the science of cybersecurity. Writing a blog entitled, "Inspiring the Next Generation of Cyber Professionals" DHS Secretary Janet Napolitano announced a plan to extend "the scope of cyber education" beyond the federal labor force through the National Initiative for Cybersecurity Education, targeting students from kindergarten all the way up to post-graduate school

How a University leveraged BYOD (Fierce CIO TechWatch) InformationWeek has an interesting report about how Long Island University began a pilot program to make use of the Apple (NASDAQ: AAPL) iPad in the fall of 2010. The initiative has reached out to 10,000 students and educators so far, and is worth studying for its parallels to the issues that an enterprise deployment will face

Litigation, Investigation, and Enforcement

How to report a computer crime: Unauthorised email account access (Naked Security) Do you know how to report a computer crime? Or even who you would report it to

Obey the law, or else. California cracks down on app developers for privacy (CNet) Attorney General Kamala Harris is notifying mobile-app developers and companies that they must get in line with California law and post privacy notices for users or else face steep fines. Making good on her promise, California Attorney General Kamala Harris has continued her crackdown on mobile-app developers and companies for not doing more to ensure users' privacy. She announced today that she'll be sending letters to 100 app developers and companies to formally notify them that they're violating California's privacy laws."Protecting the privacy of online consumers is a serious law enforcement matter," Harris said in a statement today

Bank phishing gang arrested after hotel swoop (TechWorld) UK police have arrested three men accused of being involved in large-scale Trojan phishing attacks against a range of banks. Picked up in a London hotel after an operation described as intelligence-led, the two unnamed Romanians and a Nigerian were arrested on 29 October on suspicion of money laundering and conspiracy to defraud, police said. The men are alleged to be behind the appearance of 2,000 bogus bank login pages that had been part of a campaign to steal account details

Warrantless Wiretapping and Transparency Uber Alles (The Real News) Shortly after the terrorist attacks of September 11, 2001, President George W. Bush authorized the NSA to secretly wiretap Americans' international communications without any warrant, suspicion of wrongdoing or court oversight at all. The Bush administration managed to keep this secret for years, until July 2008 when - with a perfectly straight face and on the heels of some noisy media attention - the president signed the FISA amendments into law. An hour later, the American Civil Liberties Union went to court on behalf of a large number of human rights groups, journalists and attorneys seeking to have the Supreme Court declare the law unconstitutional.

FBI rolls out round-the-clock cyber crime team (SC Magazine) "A key aim of the Next Generation Cyber Initiative has been to expand our ability to quickly define the attribution piece of a cyber attack to help determine an appropriate response," McFeely said in the statement. "The attribution piece is: Who is

Georgia turns the tables on Russian hacker (ZDNet) What happens when you're continually the target of cyberattacks? You hack the hacker. The Ministry of Justice of Georgia was fed up. Continual, persist cyberattacks that stole confidential information from various government agencies, parliament, banks and NGOs had carried on for months. The activity warranted an investigation, and so in March 2011, Georgia launched an investigation to find the perpetrators

The CyberWire Daily Briefing for 10.31.2012