The CyberWire Daily Briefing for 11.1.2012
US Secretary of Homeland Security Napolitano warns that US financial institutions are under sustained cyber attack. Iran denies involvement, and observers note the continuing difficulty of attribution. (The FBI is working on improved attribution techniques.)
South Carolina's data breach yields lessons in cyber security. Stolen credentials and spotty encryption were of course problems, but one lesson is the danger of communication failures between information security professionals and the executives they work for.
A new version of the Nuclear exploit kit takes black-market share from long-dominant Blackhole. Cyber gangs use hacker fora to recruit criminal talent. Security researchers name operators who permit open resolvers on their networks, thereby facilitating amplified denial-of-service attacks.
Cisco warns of a remote command execution vulnerability in Cisco Prime Data Center Network Manager. Java, patched or unpatched, continues to render systems vulnerable to compromise.
The deep packet inspection market is expected to reach $2B by 2016. We've heard much talk of NSA's interest in big data, but how big, exactly, does NSA think its data will get? A yottabyte, equivalent, says an analyst, to nine billion years of Blu-Ray movies. US agencies and companies continue to struggle with a tight cyber labor market—the talent is tough to vet.
Huawei seeks a rapprochement with its industry critics as the Chinese government continues to deny US espionage charges. Russia clamps down on its Internet and accuses the US of cyber-saber-rattling. Hacking back is a much-discussed defensive strategy, but anyone thinking of doing it should consult a lawyer first.
Today's issue includes events affecting Australia, Canada, China, Ethiopia, European Union, Germany, Greece, Indonesia, Iran, NATO, Netherlands, New Zealand, Republic of Korea, Russia, Saudi Arabia, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
'US financial institutions under attack by hackers' (Hindu Business Line) Without going into the details of such cyber-attack, Napolitano said this has involved some of the US's largest institutions. "We've also had our stock exchanges attacked over the last years. So I mean, we know they're there. There are vulnerabilities
Minister Denies Claims about Iran's Complicity in Cyber Attack on West (Fars News Agency) "This ministry's collaboration in cyber attack on the western networks is an illusion," Taqipour told reporters at the end of a cabinet meeting here in Tehran today, adding that Iran, itself, is a target of organized state-sponsored terrorism and cyber
Questions over virus are vital to cybersecurity (The National) There was no warning. On August 15, 30,000 or more computers in the offices of the Saudi Arabian Oil Co were suddenly wiped clean. The anonymous attacker left behind, as a calling card, the image of a burning US flag
'Cyber hurricane' hits state's tax department (Portland Press Herald) The hacking compromises information on 3.6 million tax returns filed in South Carolina since 1998
Fact-checking the state's response to the cyber-attack (Post and Courier) The hacking of the Department of Revenue's computer system and the state's response are evolving stories. Gov. Nikki Haley and other state officials have offered updates with new details every day since the security breach was announced Friday. Not every detail has been crystal clear, and some revelations announced seem to contradict others. The Post and Courier has been trying to keep track, checking the updates against each other and providing context
South Carolina Data Breach Casts Spotlight on Lack of Encryption, Stolen Credentials (Threatpost) South Carolina governor Nikki Haley said a mouthful this week when she spilled a dirty industry secret that Social Security numbers are generally not encrypted by state agencies. Reeling from a Department of Revenue data breach that leaked 3.6 million Social Security and credit card numbers as well as other personally identifiable information for more than three-fourths of the state's residents, Haley called encryption complicated and cumbersome technology
Lies We Tell Our CEOs About Database Security (Dark Reading) South Carolina government executives' response to breach shows how non-tech leadership often views security through a distorted lens
Hurricane Sandy spams lead to survey scams (Naked Security) As usual online scam artists have latched onto the interest in Hurricane Sandy to attempt to lure people into their traps. It is only spam and survey scams at the moment, but be on the lookout for further attacks
Bank of America customers under phishing attack (Help Net Security) Bank of America customers, beware - the old "account suspended" warning purportedly sent by your bank's Cardmember Services is hitting inboxes once again
City site falls prey to European cyber attack (Bluefield Daily Telegraph) Eastern European hackers cracked the website of this Northern Michigan city, causing it to repeatedly crash and using it as a platform to blast hundreds of thousands of email messages
'Austerity' Hackers Attack Finance Ministry in Athens, Greece (HispanicBusiness.com) The cyber attack at the General Accounting Office was made "to show solidarity with Greek peoples," said a statement posted briefly on the website signed by the hacker activist group Anonymous, according to reports. However, Greek police sources who
Hacker forums used to induct new criminals, report finds (TechWorld) Hacker forums have become a critical global channel through which aspiring criminals are inducted into the ranks of professional cybercrime, an analysis of some of the most popular discussion sites by security company Imperva has found. Hacker forums are often seen as sinister sideshows to the main story, little more than places cybercriminals go to let off steam, make contacts and do business. Imperva's Monitoring Hacker Forums report, which carried out a content analysis of 18 of the most popular forums frequented by up to 250,000 criminals from around the world, suggests that this might be only part of a more complex picture
Can the Nuclear exploit kit dethrone Blackhole? (Help Net Security) In a market dominated by the mega-popular Blackhole exploit kit (newly upgraded to version 2.0) and the somewhat less sought-after Eleonore and Phoenix exploit packs, can the developer of a fourth one
Cyber-Criminals Rent or Buy What They Need - It's Cheap! (PC Magazine) Underground forums offer cyber-criminals a diverse array of products and services to enhance their criminal enterprises. With prices falling, it's easier than ever to embark on the life of cyber-crime. So says the latest research paper from Trend Micro
Meet the network operators helping to fuel the spike in big DDoS attacks (Ars Technica) SoftLayer, GoDaddy, AT&T, and iWeb make a list of top 10 most abused networks
Privacy experts criticize moves to sidestep IE10's default Do Not Track settings (CSO) Apache, Yahoo overriding tracking settings -- off by default -- in Microsoft's new Internet Explorer browser
Final Report on DigiNotar Hack Shows Total Compromise of CA Servers (Threatpost) The attacker who penetrated the Dutch CA DigiNotar last year had complete control of all eight of the company's certificate-issuing servers during the operation and he may also have issued some rogue certificates that have not yet been identified. The final report from a security company commissioned to investigate the DigiNotar attack shows that the compromise of the now-bankrupt certificate authority was much deeper than previously thought. In August 2011 indications began to emerge of a major compromise at a certificate authority in the Netherlands, previously unknown to most of the Internet's citizens, and the details quickly revealed that the attack would have serious ramifications.
Security Patches, Mitigations, and Software Updates
Cisco Patches Vulnerabilities in Data Center and Web Conferencing Products (Threatpost) Cisco is warning its customers about a remote command execution vulnerability in its Cisco Prime Data Center Network Manager. The product manages Ethernet and storage networks and troubleshoots for performance issues on Cisco products running NX-OS software. Versions prior to 6.1.1 are vulnerable to remote exploits on the underlying system that hosts the application, Cisco said
Patched your Java yet? (Internet Storm Center) Yes, there's some irony to this diary entry. In the past, I have been suggesting repeatedly that organizations who do not have an all-out requirement to keep a Java JRE runtime installed, should get rid of it. Yet, here I was, a couple of days ago, reviewing some SIEM events at a Community College where I help out with IT Security, when something caught my eye (URLs defanged to keep you from clicking)
Malware infects 13 percent of North American home networks (PC World) Some 13 percent of home networks in North America are infected with malware, half of them with "serious" threats, according to a report released Wednesday by a cyber-security company. However, that number is a one-percent decrease from the quarter that ended in June, according to Kindsight Security Labs, of Mountain View, California, in its third-quarter malware report
Quality of Experience demands to drive Deep Packet Inspection (DPI) market to reach $2 billion in 2016 (Telecom Lead Asia) Strategy Analytics said Deep Packet Inspection (DPI) market will reach $2 billion in 2016, driven by demand for better Quality of Experience. The telecom research firm said DPI expands its role as a core element of cost reduction, improved user experience, and new service delivery in mobile networks
Microsoft's worldwide threat assessment (Help Net Security) In this podcast recorded at RSA Conference Europe 2012, Tim Rains, the Director of Product Management at Microsoft's TWC group, talks about volume 13 of Microsoft's Security Intelligence Report
6 Lies About Big Data (InformationWeek) Our 2013 Big Data Survey shows we're not lacking facts, figures, or tools to wrangle them. So why do just 9% of respondents rate themselves as extremely effective users of data
US intel budget topped $75 billion in 2012 (Citizens for Legitimate Government) The National Intelligence Program (NIP) funds the CIA and other civilian agencies and provides some funding for the major military agencies such as the National Security Agency and Defense Intelligence Agency
The yotta is not enough (Boston.com) It's the amount of data that the National Security Agency thinks it will need to store the information it's gathering and processing in the name of intelligence. This guy estimates a yottabyte could store 9 billion years of Blu-ray-quality movies
US seeks patriotic computer geeks for help in cyber crisis (Reuters) In contrast, nearly a third chose the National Security Agency, according to the task force. Tony Sager, a task force member and former NSA senior official, said the military intelligence agency has a strong "brand" that opens doors for recruiters
US admits to lack of cybersecurity professionals as war drums beat louder (RT) In July, National Security Agency Director Gen. Keith Alexander made an unusual appearance at the annual DefCon hacker conference in Las Vegas in hopes of recruiting computer experts who would consider putting their coding skills to use for Uncle Sam
DHS is right to eye kindergartners, but don't forget the adults (CSO) An article about Ethiopian kids hacking OLPCs with zero instruction illustrates why DHS is right to focus on kindergarten as fertile ground for future cyber warriors. But the agency also needs to target adults who get passed over for being different
Hackers For National Security Taking 'Friendly' Fire (Readwrite Hack) Terrorists could easily sabotage large portions of the nation's critical infrastructure. Security is so weak in many industrial control systems that even an average hacker could shut down water and power plants, damage nuclear facilities and freeze automobile and aircraft assembly lines. The threat is so real that right or wrong, some security experts are publicly disclosing the weakest links to force action
Majority of U.S. Small Businesses Say Digital Literacy Essential Skillset (Sacramento Bee) "Small businesses are expressing a strong need for employees with basic skills and knowledge about how to use technology safely, securely, ethically and productively," said Michael Kaiser, executive director of the National Cyber Security Alliance
Pentagon Sees Further Use Of BlackBerry As Door Opens To Others (Reuters.com) The Pentagon on Wednesday said it would continue to support "large numbers" of BlackBerry phones made by Research in Motion Ltd even as it moves forward with plans that would allow the U.S. military to begin using Apple Inc's iPhone and other devices
EPA to migrate 25,000 users to email cloud (Fierce Government IT) The Environmental Protection Agency has contracted with Lockheed Martin and Microsoft to move about 25,000 employees to a cloud-based email service by early 2013, the companies say in a joint Oct. 31 announcement
Army Sends Contractors Survey Questions for New Procurement System (Govconwire) The U.S. Army's Contracting Command is asking contractors to fill out a questionnaire and a worksheet pertaining to a new procurement management system, according to an Oct. 29 FedBizOpps post. In March, the Army released a request for information announcing its pursuit of a new system, dubbed the Army Procurement EXecution program, to replace the
AF's senior scientist for Information Assurance returns for Cyber Systems Test Course (Edwards Air Force Base) Dr. Kamal Jabbour, the Air Force's senior scientist for Information Assurance, at the Air Force Research Laboratory's Information Directorate located in Rome, N.Y., returned to Edwards to teach the recently added Cyber Systems Test Course to United States Air Force Test Pilot School students Oct. 29-30
KEYW posts 3Q profit on higher revenues (Baltimore Sun) KEYW Holding Corp., a Hanover-based technology and cybersecurity firm that contracts with US intelligence agencies
Booz Allen Q2 net off 39% due to year-ago gains (MarketWatch) Booz Allen Hamilton Holding Corp.'s fiscal second-quarter earnings fell 39% amid ... defense, and intelligence--and we continue to add new contracts from
Vormetric Expands Operations in South Korea (CSO) Vormetric, Inc., the leader in enterprise encryption and key management, today announced that it is expanding operations in South Korea to meet growing demand for its data security products. The company also appointed Moon Hyung Lee to be Country Manager for Vormetric's expansion in South Korea
Huawei looks to German security researchers for help (CNet) The company says Felix Lindner's continued complaints about the security of its products have not been dismissed, and it would like his help. Huawei, the embattled Chinese telecom equipment company, is reaching out to a security researcher in Germany for a little help. The company's global security chief, John Suffolk, told Reuters in an interview published today that Huawei has dispatched engineers to Germany to meet with Felix "FX" Lindner and go over the security flaws he has found in a host of its products
Amazon, Equinix Data Centers Vs. Hurricane Sandy (InformationWeek) As Hurricane Sandy battered the Northeast, Amazon Web Services and Equinix data centers held up for most customers
Products, Services, and Solutions
Browsium offers enterprise-wide IE zero day kill switch (CSO) Browsium, a company that helped enterprises stave off Internet Explorer 6 compatibility disasters, is offering CIOs a leash to control the emergence of Chrome and Firefox in the enterprise or blacklist any browser with a zero day flaw. The Redmond
Secunia Vulnerability Intelligence Manager 4.0 released (Help Net Security) The Secunia VIM 4.0 covers more than 40,000 software systems and applications. It provides intelligence about software vulnerabilities available to organizations, ensuring that security threats
Application Security updates its database scanning tool (Help Net Security) Application Security announced the latest release of its database scanning tool, AppDetectivePro. Expanded capabilities and a new user interface provide security, risk and IT audit professionals with
Technologies, Techniques, and Standards
Wired and Wireless Networks Compete—Cooperatively (IEEE Spectrum) For almost two centuries, wired networks have given birth to wireless ones, only to spawn new wired ones
An IEEE Standards Group Wants All Election Computer Systems To Speak The Same Language (IEEE Spectrum) A voting systems standard will allow the computers to talk to each other, and maybe even to iPads
Stop, Thief: Apple Patents Movement-Based Theft Detection System For iOS Devices (TechCrunch) An Apple patent application spotted Thursday by AppleInsider shows a system for detecting unusual motion via a portable gadget's accelerometer which would sound an alarm, making said device harder to steal. The system is a simple one, without the kind of sophisticated face detection we saw in a previous application, but it could be much more effective for curbing thefts at the moment they occur
Can the FBI Crack the Attribution Nut? (Bank Info Security) Bureau Unveils its Next Generation Cyber Initiative. Attribution - the ability to identify those who hack into a computer system - is among the hardest cybersecurity nuts to crack. But that isn't deterring the FBI, which says it has initiated a program to uncover and investigate web-based intrusion attacks
10 tips to keep data secure (FCW.com) According to a report in The New York Times, National Security Agency Director Gen. Keith Alexander has said the U.S. loses up to $338 billion in financial theft. Numbers from the Commerce Department also indicate $250 billion is lost every year in
Breach Response: A Better Approach - Connecticut Outlines Efforts to Improve Mitigation, Privacy Efforts (Government Information Security) Connecticut is working to improve its cyber incident response, including updating its breach notification law and enacting a privacy task force. On Oct. 1, a new provision to the state's breach notification law went into effect, requiring businesses and not for profits that experience a data breach to alert the Attorney General's office when they notify affected individuals. The state also recently launched a Privacy Task Force which helps to enforce the data breach notification law. "Scarcely a month would go by without some significant event involving data breaches," said George Jepsen, Connecticut's attorney general, in an interview with Information Security Media Group's Eric Chabrow
Design and Innovation
Guest Opinion: Let's Go Back to Patenting the 'Solution,' Not the 'Problem' (Wired Business) We already know the patent system is broken. And it desperately needs to be fixed: Patents affect and will continue to affect nearly every technology business or product we use. So for the next few weeks, Wired is running a special
The DIY Renaissance: U.K. Accelerator Springboard Launches Dedicated Bootcamp For Hardware Startups (TechCrunch) Move over, software: the London and Cambridge, U.K.-based accelerator, Springboard, is launching a dedicated program for hardware startups, focusing on the Internet of Things. The new three-month accelerator bootcamp — called Springboard Internet of Things — is backed by program partners ARM, Unilever, Neul and Raspberry Pi
Legislation, Policy, and Regulation
Snooper's-charter plans are just misunderstood, sniffles tearful May (The Register) Home Secretary Theresa May appeared before peers and MPs in Westminster on Wednesday afternoon to face questions about her proposed communications data bill, which has been almost universally rejected by people outside the security services bubble. Her Hallowe'en session was the final one to provide evidence on the supposed merits of the draft legislation that could see British citizens' web activity much more heavily spied upon by spooks and police. The agents of the state would, of course, be acting to protect the public from the threat of terrorism and other criminality
Cyber security a top priority in Australia: Deloitte (ARNnet) Australian and Asia-Pacific financial services industry organisations have made information security governance their top security initiative, according to professional services firm Deloitte's 8th global financial services industry security survey. It showed Australia and Asia-Pacific led the world when it comes to prioritising governance on IT security and that they believe their expenditure on information security is on or above plan. The study surveyed more than 250 financial services organisations from 39 countries
The Kremlin's New Internet Surveillance Plan Goes Live Today (Wired) On the surface, it's all about protecting Russian kids from internet pedophiles. In reality, the Kremlin's new Single Register of banned websites, which goes into effect today, will wind up blocking all kinds of online political speech. And, thanks to the spread of new internet-monitoring technologies, the Register could well become a tool for spying on millions of Russians
USA starts anti-Russian drills, Russia hires nation's best hackers (Pravda) During the following month, NATO will hold military exercises to train joint actions of the members of the Alliance under conditions of a cyberwar. Reporters managed to find out that an "African country" will act as a conditional aggressor. In fact, U.S. military officials admit that it is Russia that will play the role of the cyber aggressor.
Feds need to add regulations to force Canadians to think about cyber-security (Canada.com) Last week, the government announced it would also share information on cyber-threats with the U.S. Department of Homeland Security. "There are plenty of things that neighbours can do, and ought to do, and the more collaboration of that sort that goes
UK govt agency to trawl social media sites for intelligence (TODAYonline) The technology being developed by GCHQ will draw comparisons with snooping tools allegedly used by its United States counterpart, the National Security Agency (NSA), which has access to monitoring software capable of sifting out information including
Indonesia's cyber defense strategy and its challenges (Jakarta Post) Although there has been no proof of a country being taken over physically by a cyber attack the disturbances created have shown it is something to worry about. Such an event may occur in Indonesia mainly because not many are aware of the critical
DHS Secretary Napolitano Uses Hurricane Sandy to Hype Cyber Threat (Forbes) In some of the most egregious examples, commentators have used the financial crisis and even the 2011 Japanese earthquake and tsunami as vehicles for promoting fear of cyber attack. This tendency to use an ongoing crisis to raise fears of hypothetical
Senate Likely To Revisit Cyber Bill When Congress Returns (Reuters.com) Senate Majority Leader Harry Reid hopes to reintroduce cyber security legislation opposed by business groups once lawmakers return after Tuesday's election, a Senate aide said, adding that a White House executive order might pave the way for a compromise on the bill
Rebuking a cyber-geddonist (CSO) In this guest post, Scot A Terban (@krypt3ia on Twitter) takes aim at Senator Joe Lieberman and his "Cyber 9-11" talk
International cybersecurity exercises grow in popularity (Fierce Government IT) While there is growing support for international cybersecurity exercises, more can be done to ensure such exercises are successful, according to a report published Oct. 25 by the European Network and Information Security Agency
Litigation, Investigation, and Law Enforcement
Companies Should Think About Hacking Back Legally, Attorney Says (Dark Reading) Fighting back against cybercriminals can be risky, but there are legal ways to do it, says Hacker Halted speaker
Google loses 'Melbourne Crime' defamation case, man feels 'vindicated' (Ars Technica) Milorad Trkulja had his image and name linked with Australian organized crime. An Australian court has ruled that a Melbourne man was defamed by Google. Why? Because the search giant had posted images linked to his name on Google Images, implying that he was a criminal. Milorad "Michael" Trkulja was victorious in a similar case against Yahoo in March 2012, where he won A$250,000 ($233,000). The Victoria Supreme Court's Justice David Beach is expected to rule on damages next week
Feds Say No Dice in Retrieving Your Data Seized in Megaupload Case (Wired) Federal prosecutors are proposing a process that would make it essentially impossible for former Megaupload users to recover their data following the government's seizure of the file-sharing service's servers and domain names in January as part of its prosecution of a criminal copyright infringement indictment of Megaupload's employees. That's according to Julie Samuels, an Electronic Frontier Foundation attorney representing an Ohio man seeking the return of his high school sports footage
China slams US accusation of hacking (Zee News) China has criticised US intelligence agency's accusations of hacking by Chinese firms, saying it also falls victim to cyber crime, Xinhua reported. On Wednesday, Chinese Foreign Ministry spokesperson Hong Lei was asked during a press conference about accusations from an unspecified US source that Chinese firms had used hacking to steal commercial secrets. Hong said China has responded to hacking-related issues on many occasions, and that it is "grossly irresponsible" to allege that China steals information and conducts hacking online without evidence and investigation
Lawfare Goes To The Supreme Court (Wall Street Journal) Chief Justice John Roberts kept the Supreme Court open this week amid Hurricane Sandy to hear a single national security appeal, and rightly so. The High Court's decision could redefine the constitutional standing to sue and steal a major antiterror tool that has helped keep the country safe
California's mobile privacy crackdown praised (CSO) State's attorney has started notifying businesses that their apps are in violation of the state's Online Privacy Protection Act
Supreme Court hears oral argument in FISA Amendments Act standing suit (Fierce Government IT) Federal government top lawyer Donald Verrilli argued during Oct. 29 oral arguments before the Supreme Court that a group of lawyers, journalists and human rights researchers lack standing to challenge the constitutionality of the FISA Amendment Act
Huawei Hits Back At U.S. Security Investigation (InformationWeek) Executive dismisses U.S. report tying Huawei to security threats, saying it's a case of "Americans being Americans"
Cybersecurity and Attribution: Good News At Last? (Skating on Stilts) No, we're not suddenly turning into the Huffington Post. But trust me, this photo is directly relevant to the topic at hand: How the US should respond to massive state-sponsored cyberespionage
For a complete running list of events, please visit the Event Tracker.
TechExpo Cyber Security Careers (Columbia, Maryland, Nov 1, 2012) Profit from presentations by leading industry figures and networking opportunities designed for serious job-seekers.
Anatomy of an Attack (New York, New York, Nov 15, 2012) Join Sophos security experts in exploring how threats like malware, Trojans, worms and spyware actually work and what you can do to protect your company, even if you're on a tight budget.
ZeroNights (Moscow, Russia, Nov 19 - 20, 2012) ZeroNights is an international conference dedicated to the technical side of information security. The mission of the conference is to disseminate information about new attack methods, threats and defense tools. Another purpose is to create a communication venue for skilled professionals in the field of information security.
Digital Security Summit (Riyadh, Saudi Arabia, Dec 1 - 2, 2012) A major conference to discuss the growing threat to digital security in the Middle East, especially in Saudi Arabia.
Passwords^12: Passwords^12 is a 3-day conference only about passwords & PIN codes. With an "all-star" cast of speakers, including Joan Daemen (AES/SHA3), Jens Steube (alias "atom", hashcat author), Colin Percival (CSO FreeBSD, inventor of scrypt), Simon Marechal (John the Ripper co-developer), Frank Stajano (Cambridge) and many more, this will be the premier event for everything and anything related to password security. Passwords^12 is the first and only conference of its kind, bringing together academic institutions, researchers and security professionals from around the world. It's a not-for-profit and non-commercial conference. No sales personnel, no marketing managers and deep technical talks.
CIO Cloud Summit 2012: The CIO Cloud Summit will help C-level executives better understand the true capabilities of cloud computing and the transformational opportunities it can bring.
BayThreat (Sunnyvale, California, Dec 7 - 8, 2012) The theme for BayThreat is a new spin on the dichotomy of attacking and defending in information security. We're calling out all of the attackers and defenders that are on the front lines of the battle.
e-Crime Congress 2013 (London, England, Mar 12 - 13, 2013) The e-Crime Congress is designed to meet the needs of key stakeholders and decision makers who are responsible for designing and coordinating information security and risk management strategy, safeguarding digital assets and sensitive information, protecting customers, defending against internal or external threats and responding to incidents.
25th Annual FIRST Conference (Bangkok, Thailand, Jun 16 - 21, 2013) The annual FIRST conference provides a setting for conference participants to attend a wide range of presentations delivered by leading experts in both the CSIRT field and from the global security community.