The CyberWire Daily Briefing for 11.2.2012
Indian government websites are attacked by Algerian hacktivists thought to be affiliated with al Qaeda. The campaign apparently goes back to last January.
Several vulnerabilities make the news at week's end. VUPEN (a "controversial" bug-hunting exploit-seller) claims it has a zero-day exploit for Windows 8: it appears to be a sandbox bypass for IE10 with ASLR, DEP and anti-ROP mitigations enabled. Apache server status pages, when unprotected, expose hosted websites to exploitation. Security through isolation within public clouds is undermined by a new side-channel attack against virtual machines.
A ransomware campaign brandishes the Anonymous name in extortion threats. A leading British CCTV supplier suffers an SQL injection attack. Japanese banking customers continue to fall for phishing. More investigations of the cyber criminal underground appear, and the sophistication of the criminal-to-criminal marketplace is surprising. (One report includes an exploit price list.)
As South Carolina works to mitigate the effects of its Revenue Department breach, more observers accuse its IT managers of negligence. (Fiscal liability is capped at merely $600k.) Reactions of individuals and communities affected by the breach should interest policy-makers.
F-Secure expects governments to do more cyberwar muscle-flexing in the coming year. The US intelligence budget drops for the second year. Industry and government continue to find cyber talent scarce (US Homeland Security chief Napolitano moots formation of a "cyber reserve" to help).
Dark Reading offers advice on communicating risk to executives. NC State and IBM develop a natural-language processing tool that ensures developers meet users' needs for security policies.
Notes.
Today's issue includes events affecting Algeria, Australia, China, Finland, India, Israel, Jamaica, Japan, Malaysia, Russia, Saudi Arabia, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
DRDO, PM's adviser websites come under cyber attack (Hindustan Times) Websites of key Indian government organisations, including an advisor to the prime minister and the defence establishment DRDO, reportedly came under cyber attacks on Wednesday night, leading to their shutdown for a while, government sources said on
Algerian hackers attack DRDO and five other Indian government websites (Digit) Back in March this year, the Indian government revealed its over 100 websites had suffered cyber attack in a span of three months
VUPEN Researchers Say They Have Zero-Day Windows 8 Exploit (Threatpost) Controversial bug hunters and exploit sellers VUPEN claimed to have cracked the low-level security enhancements featured in Windows 8, Microsoft's latest operating system. VUPEN CEO and head of research Chaouki Bekrar sent out a pair of ominous
Unprotected Apache server status pages put popular websites at risk (CSO) Potentially sensitive information is exposed that hackers can use to better plan their attacks against websites, researchers say
Researchers Develop Cross-VM Side Channel Attack (Dark Reading) A new attack vector shows that isolation in public clouds is not a perfect answer for security, researcher says. A group of researchers have developed a side-channel attack targeting virtual machines that could pose a threat to cloud computing environments. The attack is described in a paper entitled "Cross-VM Side Channels and Their Use to Extract Private Keys," which was authored by University of North Carolina at Chapel Hill PhD student Yinqian Zhang; UNC professor Michael K. Reiter; Thomas Ristenpart, an assistant professor at University of Wisconsin-Madison; and Ari Juels, chief scientist at EMC's RSA security division
More Than 25% Of Android Apps Know Too Much About You (Dark Reading) Free apps more likely to access personal information than paid apps, and 100,000 apps have access to potentially sensitive information, a pair of new reports say
Ransomware uses Anonymous name to extort money: Your files are encrypted, pay up to get them back (The Next Web) A new piece of malware is using the Anonymous name to extort money from its victims. This is surprising not only because ransomware typically uses claims of breaking the law and names law enforcement (such as the CIA or FBI) to scare victims, but also because this malware is unlikely to be supported by the hacktivist group. For the uninitiated, ransomware is malware which restricts access to the computer it infects, spamming the user with prompts that demand a ransom paid for the restriction to be removed
Verifi-cctv.com UK leading CCTV supplier database hacked via SQLi (Cyberwarzone) An anonymous hacker has published a pastebin file that contains the database dump of the verifi-cctv.com website. The clients that have been affected need to change their equipment now, as the equipment they use is not secured any more
Mizuho transfer laid to 'phishing' (Japan Times) Money is suspected to have been transferred illegally from the account of a Mizuho Bank customer who was banking online, one of a growing number of "phishing" scams in Japan, bank officials said Thursday. A customer saw several hundred thousand yen transferred to another account after following instructions on what is suspected to have been a fake page on the bank's website asking for the customer's password and personal identification code, they said. Earlier this week, some 2 million was illegally transferred from a man's account to another account after he followed similar instructions on the website of Sumitomo Mitsui Banking Corp., according to police
Russian Underground is just part of a global criminal network (SecurityAffairs) Trend Micro published a very interesting report on the Russian underground market; the document, written by Max Goncharov, analyzed the services and the products marketed by cyber criminals. The study is based on data obtained from the analysis of online forums and services attended by Russian hackers such as antichat.ru, xeka
Black market for personal information is vast and sophisticated (pinewswire) Your private information, from credit cards to your Social Security number, is valuable to thieves. There's a black market for your information, and often it's you left holding the bill. As a result of the breach at the state Revenue Department, more than 500 people called the Consumer Affairs Department on Monday, now trying to protect that information
Bank Hacktivists' Next Steps (American Banker) Fans of the TV show Homeland know about the diversion tactic of a highly visible, yet preventable terrorist attack that draws attention away from the bad guy's real goal of inflicting harder-to-detect, broader harm. In the TV show, a U.S. Marine sniper who's been recruited by Middle Eastern terrorists shoots several people in the Vice President's entourage as they are about to enter CIA headquarters. The VP and top members of the National Security Council barely escape and are quickly taken to a safe room as televised chaos rages outside
Curtis Loftis Seeks SC Cyber Security Solutions (FITSNews) In the wake of an unprecedented breach of the Palmetto State's cyber security apparatus, S.C. State Treasurer Curtis Loftis is convening a panel of experts later this month in an effort to batten down the hatches and keep public information better
Centralized tech oversight urged for SC (The State) The state technology division provides network monitoring for free with a grant from the U.S. Department of Homeland Security…The technology group holds an annual conference each October to share cyber-security updates. About 300
Computer Expert Disputes Haley's Hacking Claim (WLTX.com) USC, Farkas said, is the only S.C. college or university accredited by the National Security Agency as a National Center of Academic Excellence in Information Assurance Education. And the Center has offered its expertise to state agencies, she said
Encryption: It's Complicated (Threatpost) Data breaches have become so common at this point that the mere fact that a government agency such as the South Carolina Department of Revenue loses several million Social Security numbers and credit card numbers isn't really that noteworthy. It's another day in the life of the Internet. But what is remarkable is that there are organizations out there that are not deploying encryption technologies to protect personally identifiable information because it's complicated
Info from 657000 SC businesses exposed in DOR cyber attack (Examiner.com) S.C. officials said Wednesday that information from up to 657,000 businesses was also exposed in the cyber attack on the Department of Revenue (DOR) computer system that was revealed Friday. Gov. Nikki Haley announced earlier that approximately 3.6
A week of worry for some Myrtle Beach area residents, businesses over cyber attack (MyrtleBeachOnline.com) For some Grand Strand residents and businesses, it's been a week of worry, anger and concern about how much worse news of the cyber-attack at the state revenue department will get. Grand Strand accountants and banks, keeping a
SC law limits payout in hacking lawsuit to $600K (Associated Press) One lawsuit already has been filed against South Carolina's revenue department over a hacking scandal that could affect millions of tax returns, and more litigation is expected - but even if the plaintiffs win, they could get just pennies apiece. The reason: State law limits the amount that public agencies can be ordered to pay for negligence
Security Patches, Mitigations, and Software Updates
Apple bumps iOS to 6.0.1, fixes an interesting set of bugs (Naked Security) If you have an Apple device that is capable of running iOS 6, you might have resisted upgrading it after hearing people complain about Apple's new mapping application
Cyber Trends
Phishing scams at an all time high (9 News) The Better Business Bureau says phishing scams are at an all time high. They are expected to be the number one scam reported to the BBB for a second year in a row. You have likely noticed the on your own email
SQL and DDoS attacks remain priority for hackers (IT Pro) SQL injection and DDoS attacks are still the main ways in which hackers aim to attack websites. Nearly one fifth of discussion volume (19 per cent) in a hacker forum comprising 250,000 members was dedicated to discussing SQL injection and DDoS attacks, according to data security firm Imperva. SQL injections are currently the top priority for hackers, as security teams and businesses have failed to take precautions to protect themselves, the firm said in its Monitoring Hacker Forums report
Governments To Show Public Demonstrations Of Cyber War Power (TechWeek Europe) As governments increasingly find themselves involved in cyber attacks, whether they are the perpetrators or the victims, they will start to flex their muscles more. That's the view of Mikko Hypponen, chief research officer at F-Secure, who thinks the cyber arms race will closely resemble the nuclear arms race of the 20th century, where nations put on public displays of firepower to frighten enemies. "There will be public demonstrations of cyber power just to get the deterrent," Hypponen says
Information security, a 'roadblock' to cloud adoption (Cloud Pro) A new report from the Cloud Security Alliance said that if infrastructure is under attack, a poorly architected solution means that the analysts and senior
Marketplace
Intelligence appropriation falls for second consecutive year (Fierce Government) The total intelligence appropriation was $75.4 billion in fiscal 2012--$3.2 billion less than its fiscal 2011 appropriation, according to newly released figures
Job Hunters Should Brush Up on Cybersecurity (BusinessNewsDaily) Research from the National Cyber Security Alliance and Symantec shows that more than half of all small- and medium-size business owners feel it is important for new hires to possess a strong proficiency in basic computer skills as it relates to
The Biggest Problem in Computer Security (Carnal Ownage) People tend to focus on various areas as being important for computer security such as memory corruption vulnerabilities, malware, anomaly detection, etc. However the lurking and most critical issue in my opinion is staffing. The truth is, there is no pool of candidates out there to draw from at a certain level in computer security. As an example, we do a lot of consulting, especially in the area of incident response, for oil & gas, avionics, finance, etc. When we go on site we find that we have to have the following skills
DoD, DIA Award 9 Contractors $750M Intelligence Training Contract (Govconwire) The U.S. Defense Department and the Defense Intelligence Agency's Virginia contracting activity has awarded nine companies spots on an intelligence training contract valued at $750 million over a five-year period
Greg Myers on Lockheed and Microsoft's EPA Cloud Transition Contract (GovconExecutive) Lockheed Martin and Microsoft, have been awarded a $9.8 million contract to migrate the Environmental Protection Agency to Microsoft's Office 365, which is a cloud-based collaboration and communication service
Huawei working hard on its image (Help Net Security) Chinese telecommunication equipment giant Huawei is working hard on proving to the Australian government that the use of their products will not pose a threat to national security
KEYW profit soars in third quarter (Bizjournals.com) KEYW Holding Corp.'s third-quarter profit soared more than 200 percent, topping expectations set by Wall Street. The Hanover-based cyber security firm
Sourcefire posts higher quarterly revenue (Reuters) Cyber security software maker Sourcefire Inc reported higher quarterly revenue
Sourcefire raises outlook as customers battle data leaks (Economic Times) The company's outlook is in sharp contrast to those from rivals Check Point Software Technologies Ltd and Fortinet Inc, who cut their forecast on economic uncertainty. Sourcefire, which makes software products that monitor network traffic for malicious
CACI sees continued growth despite US budget climate (Reuters) Defensive, offensive and intelligence work in cyberspace would be another high-growth area for the company, Allen said, citing increased concern about cyber attacks on U.S. networks. CACI also remained interested in targeted mergers and acquisitions
Credit Suisse Boosts Booz Allen Hamilton Holding Earnings (Jags Report) Analysts at Lazard downgraded shares of Booz Allen Hamilton Holding from a neutral rating ... and its agencies in the defense, intelligence, and civil markets
Mile2: Empowering Organizations To Win The Fight Against Cybercrime (Investment Underground) Anyone who reads the news knows that cybercrime has become one of the biggest problems facing business and government today. Today's cyber crooks are sophisticated, well organized, and increasingly equipped with many of the same tools available to intelligence agencies…Mile2, an IT security firm with offices in Florida, the United Kingdom, Malaysia, and Jamaica, is trying to help organizations combat this threat with certified penetration testing for IT personnel. In a penetration test, an IT professional attempts to detect such malicious attacks by looking for the signs of unauthorized entries
Accenture Promotes 18-Year Vet David Moskovitz to Lead Federal Business (Govconwire) Accenture (NYSE: ACN) has promoted 18-year company veteran David Moskovitz to chief executive of its federal business, effective immediately. The move comes nearly two months after John Goodman, managing director of the defense and intelligence business, was named to lead the federal business on an interim basis after then-chief executive Kay Kapoor resigned to pursue
Products, Services, and Solutions
Ubuntu pipes search queries to Amazon, worrying privacy experts (Naked Security) Revolution OS - or adware? An update to the popular Ubuntu Linux distribution will pass searches through Amazon.com's search engine. Now the Electronic Frontier Foundation calls that move a "major privacy problem"
Automate security policy management for business applications (Help Net Security) AlgoSec announced BusinessFlow, a new product that automates security policy management for business applications and provides the link between application connectivity requirements and the underlying
Secures data in dormant virtual machines (Help Net Security) PKWARE announced vZip, a software application that secures and reduces sensitive data within dormant virtual machines. With vZip, organizations eliminate costs related to non-compliance and data security
Security system for trust of data in the cloud (Help Net Security) Porticor introduced the latest release of its Virtual Private Data (VPD) system, which protects cloud data while stored and in use, delivering total security to cloud environments which previously were
RIM Seeks Carrier Approval For BlackBerry 10 (InformationWeek) Research In Motion has given BlackBerry 10 to more than 50 carriers around the world for certification
Technologies, Techniques, and Standards
3 Ways To Get Executives To Listen About Risk (Dark Reading) CEOs and executive board members can't make informed decisions about IT security risks when they don't truly understand them—here's how you better communicate what they need to hear
How Georgia doxed a Russian hacker (and why it matters) (Ars Technica) Caucasian conflagration has some wider lessons for online security
The shortcomings of anti-virus software (Internet Storm Center) No, this isn't about lousy detection rate. I think we're pretty much resigned to that, irrespective of the latest fancy marketing terms the industry uses to sell us the same failed concept. This is about the forensic quality, or rather lack thereof, of anti-virus
Hitting back at cyberattackers: Experts discuss pros and cons (CSO) The questions are being asked more often: When a cyberattack hits your network, is it right to launch a counter-attack of some type to try to at least identify the source if not stop it? Since the wheels of justice do indeed grind slowly, should frustrated IT professionals with security skills take matters into their own hands or hire others to do so
Stolen cellphone databases switched on by major US carriers (Naked Security) A friend was walking down a Manhattan sidewalk a year ago, staring into his iPhone in the now-ubiquitous, data-engrossed trance of a smartphone user. A group of teenagers walked up to him. One gently plucked the phone from my friend's hand and jogged away, leaving him blinking, thinking for a brief moment that it was all just a joke
How To Secure Data As Networks Get Faster (InformationWeek) Faster networks are coming, putting security monitoring systems to the test. For those charged with the design and implementation of enterprise IT networks, a vexing problem is that technology advances at uneven rates across the hardware ecosystem. When we hit a new tier of speed, first out of the gate usually come (very expensive) modules for high-end core switches and routers. Faster interfaces gradually trickle down to edge switches and server interface cards, and only later do affordable options come to network monitoring and security appliances
Why would the Australian Treasury need sentiment data? (Fierce Big Data) Australia's Federal Department of Treasury is considering how it might harness a big data service to plug real-time social media sentiment analysis into its forecasting and policy models. It is even considering a trial of technology from the Commonwealth Scientific and Industrial Research Organization, or CSIRO
Social media, Hurricane Sandy both leave a mess (Fierce Big Data) Organizations like Direct Relief and New York State's health information exchange network are leveraging data visualization tools and big data analytics to provide better access to medical records for hospitals that were forced by the hurricane this week to evacuate patients. Other effects from the mountains of data generated by people during the crisis were not so helpful
Agile Development lessons learned from Gov.uk (Fierce Government IT) When the United Kingdom developed a single website for all of its national government, it did so using Agile Development methods, the Cabinet Office's Government Digital Service says
Research and Development
New Tool Aims To Ensure Software Security Policies Reflect User Needs (Dark Reading) The research was supported by the National Science Foundation, the U.S. Army Research Office, NIST, and the National Security Agency Science of Security Lablet. Note to Editors: The study abstract follows. "Automated Extraction of Security
Academia
Department of Homeland Security's Science and Technology Directorate Awards $23.6 Million to Morgridge Institute for Research (Defense Professionals) Scientists at the Morgridge Institute for Research, Indiana University, the University of Illinois at Urbana-Champaign and the University of Wisconsin-Madison have received a $23.6 million grant as part of a Broad Agency Announcement (BAA 11-02) by the U.S. Department of Homeland Security Science and Technology Directorate to address threats arising from the development process of software used in technology ranging from the national power grid to medical devices
Legislation, Policy, and Regulation
GCHQ to trawl Facebook and Twitter for intelligence (Guardian) Facebook, Twitter, LinkedIn, Google+, Pinterest: all of them could be the source of valuable intelligence that the UK's intelligence agencies want to know about and now government eavesdropping and security agency GCHQ is developing new tools to sift through them for nuggets of useful data. The Cheltenham-based organisation is recruiting maths, physics and computing experts to devise groundbreaking algorithms that will automatically extract information from huge volumes of speech, text and image content gathered "across the full range of modern communications media". The secretive listening post plans to use the algorithms to help its surveillance systems make sense of human language, training its computers to automatically identify "valuable intelligence" within huge troves of intercepted data
City fire department implements new social media policy (Baltimore Sun) The Baltimore Fire Department has implemented a strict new social media policy for what firefighters can post on Twitter, Facebook and personal blogs drawing criticism that the department is trampling on First Amendment rights. Under the policy, department personnel can be reprimanded for anything they write online about their jobs that doesn't adhere to conduct rules, which require "good judgment" and "courtesy and respect to the public and to fellow employees." The policy also restricts them from sharing information about fire scenes. Fire Chief James S. Clack said the department crafted the policy to protect firefighters from getting into trouble for sharing sensitive information
Following Sandy, DHS seeks security 'Cyber Reserve' (CSO) Secretary Napolitano says a reserve of security pros is needed because a major cyberattack could make this week's hurricane damage look mild
Cyber rules of engagement still unfinished (FCW.com) A successful cyber attack could damage the nation's power grid and other critical infrastructure, but the rules of engagement needed to shape a military response are incomplete. For months, Defense Department officials have been at work establishing
The Secretary of Business (Human Events) Creating the Department of Homeland Security was supposed to improve communication among the many agencies tasked with national security... but here we are, over a month after a deadly attack on American soil that killed our ambassador to Libya, and the
Amid Recent Cyberattacks, Senate Poised to Revive Cybersecurity Bill (DailyTech) There is some base controversy about the fact that the administration's plan flows data through the U.S. Department of Homeland Security (DHS)…That bill is known as the The Cyber Intelligence Sharing and Protection Act (H.R. 3523)
Intelligence Gathering and Reform: the Case of the US (International Relations and Security Network) US intelligence reform remains a work in progress. While the re-orientation of the FBI and the creation of the National Counterterrorism Center represent progress, the same may not be true for the Department of Homeland Security and the position of Director of National Intelligence, argues Gregory F Treverton
Army ramps up cybersecurity skills training (Army Times) Assigned to Intelligence and Security Command, the 780th is under the operational control of Army Cyber Command, which is subordinate to U.S. Cyber Command. U.S. Cyber Command defends Defense Department networks and conducts full-spectrum
Burma loosens Internet censorship (Fierce Government IT) The government of Burma lifted bans on several previously-blocked websites such as foreign news and political websites, as a wave of liberalization sweeps across the historically oppressive country, according to recent Internet filtering tests by the Open Net Initiative
Litigation, Investigation, and Law Enforcement
Judge prods FBI over future Internet surveillance plans (CNet) Federal judge tells FBI to do more to comply with open government laws when disclosing what backdoors it wants Internet companies to create for government surveillance. A federal judge has rejected the FBI's attempts to withhold information about its efforts to require Internet companies to build in backdoors for government surveillance. CNET has learned that U.S. District Judge Richard Seeborg ruled on Tuesday that the government did not adequately respond to a Freedom of Information Act request from the Electronic Frontier Foundation
Megaupload Publishes Deal to Counter U.S. Extortion Claims (TorrentFreak) Megaupload has responded to U.S. Government claims that the company tried to extort the Department of Justice by offering it a deal. A perverse conception, according to Megaupload's legal team, and to prove this point the attorneys published the agreement that was proposed to the authorities. In the email Megaupload offered to drop the service requirement dispute in exchange for access to the company's assets
Apple's Non-Apology Annoys Judge (InformationWeek) Apple tried to pull a fast one on foe Samsung, but judges in the U.K. aren't going to let Apple get away with it. Earlier this year, Apple lost a court case to Samsung in the U.K
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
Consortium for Cyber Security: 11 Developments Shaping the Future of Cybersecurity Practices in Industry and Government (Conference call, Nov 5, 2012) The Consortium for Cybersecurity Action (CCA), a newly-formed international consortium of government agencies and private organizations from around the world, will host a Conference Call to promote the most effective approaches to cybersecurity and support 11 key developments that are shaping events. The Conference Call is scheduled for Monday, November 5th at 11:00 a.m. EST. Dial-in instructions: Domestic (Dial-in): 877-268-9432 International (Dial-in): 817-755-8752 Conference Call ID# 63979758. The briefing will feature analysis by the world's top security experts of 11 major "headlines" about efforts to prevent and thwart cyber attacks. The experts will also discuss the most effective ways for organizations to implement the newly updated Critical Controls, a prioritized, risk-based set of information security measures to defend against myriad internal and external threats.
TechExpo Cyber Security Careers (Columbia, Maryland, Nov 1, 2012) Profit from presentations by leading industry figures and networking opportunities designed for serious job-seekers.
Anatomy of an Attack (New York, New York, Nov 15, 2012) Join Sophos security experts in exploring how threats like malware, Trojans, worms and spyware actually work and what you can do to protect your company, even if you're on a tight budget.
ZeroNights (Moscow, Russia, Nov 19 - 20, 2012) ZeroNights is an international conference dedicated to the technical side of information security. The mission of the conference is to disseminate information about new attack methods, threats and defense tools. Another purpose is to create a communication venue for skilled professionals in the field of information security.
Digital Security Summit (Riyadh, Saudi Arabia, Dec 1 - 2, 2012) A major conference to discuss the growing threat to digital security in the Middle East, especially in Saudi Arabia.
Passwords^12 Passwords^12 is a 3-day conference only about passwords & PIN codes. With an "all-star" cast of speakers, including Joan Daemen (AES/SHA3), Jens Steube (alias "atom", hashcat author), Colin Percival (CSO FreeBSD, inventor of scrypt), Simon Marechal (John the Ripper co-developer), Frank Stajano (Cambridge) and many more, this will be the premier event for everything and anything related to password security. Passwords^12 is the first and only conference of its kind, bringing together academic institutions, researchers and security professionals from around the world. It's a not-for-profit and non-commercial conference. No sales personnel, no marketing managers, and deep technical talks.
CIO Cloud Summit 2012 The CIO Cloud Summit will help C-level executives better understand the true capabilities of cloud computing and the transformational opportunities it can bring.
BayThreat (Sunnyvale, California, Dec 7 - 8, 2012) The theme for BayThreat is a new spin on the dichotomy of attacking and defending in information security. We're calling out all of the attackers and defenders that are on the front lines of the battle.
e-Crime Congress 2013 (London, England, Mar 12 - 13, 2013) The e-Crime Congress is designed to meet the needs of key stakeholders and decision makers who are responsible for designing and coordinating information security and risk management strategy, safeguarding digital assets and sensitive information, protecting customers, defending against internal or external threats and responding to incidents.
25th Annual FIRST Conference (Bangkok, Thailand, Jun 16 - 21, 2013) The annual FIRST conference provides a setting for conference participants to attend a wide range of presentations delivered by leading experts in both the CSIRT field and from the global security community.