The CyberWire Daily Briefing for 11.8.2012
Adobe investigates reports of a zero-day exploit targeting its PDF Reader—a very attractive target for criminals. (For more on the crimeware economy, see Dark Reading's reports on Russian cyber mob pricing.)
Twitter warns users by email of account compromises—this email is real. Google suffered an unexplained service outage in much of Asia this morning. Scammers try to spook Internet users with fears of credit card fraud. Other phishers offer (implausibly) a $100 McDonald's gift card to Facebook users via a dodgy survey.
The image-stealing Trojan reported yesterday is uploading files to an Iraqi ftp server. (The exploit appears to be a criminal rather than an espionage operation.) South Carolina's data breach may now affect 200,000 additional taxpayers.
Lawyers are fingered as a source of cyber vulnerability. One criticism (that they inhibit information-sharing by warning clients of legal obstacles) seems unfair, the other (that law practices as a sector tend to be careless about cyber security) better grounded.
Cisco patches a TACACS+ Authentication Bypass vulnerability.
IBM sees service consolidation as a path to better security. Boeing announces layoff plans; other government contractors prepare to retrench as US budget sequestration approaches. Britain's GCHQ rolls out its public-private cyber security partnership: BAE's Detica will be a major contributor. The Air Force extends its NETCENTS I contract and increases the vehicle's ceiling tenfold.
An industry-academic consortium crowdsources Botnet hunting. The SANS Institute honors Australia's DIISRTE for its innovative approach to advanced persistent threats. Sophos tells you how to report a cyber crime.
Today's issue includes events affecting Australia, Azerbaijan, Canada, Ethiopia, Indonesia, Iraq, Kenya, Namibia, Nigeria, Russia, South Africa, Tanzania, Uganda, United Kingdom, United States, and and Zambia..
Cyber Attacks, Threats, and Vulnerabilities
Experts Warn of Zero-Day Exploit for Adobe Reader (Krebs on Security) Software vendor Adobe says it is investigating claims that instructions for exploiting a previously unknown critical security hole in the latest versions of its widely-used PDF Reader software are being sold in the cybercriminal underground
You Might Have Gotten An Email From Twitter About Your Account Being Compromised, It's Real (TechCrunch) Keep your eyes peeled Twitter users: Twitter is sending out emails to some of its users telling them it has reset their password and asking them to create a new one. If you can't log into your account that may be why. Lots of users are affected judging by the amount of people tweeting about password problems
Google services went down for 30 minutes in Asia this morning, CDN says (CSO) All of Google's service offerings went offline in some parts of the world during an unusual half-hour outage that mainly affected users in Asia, according to content delivery network provider CloudFlare. CloudFlare Network Engineer Tom Paseka wrote in an official blog post that the Google Apps services went down at about 2:30 a.m. UTC, and a quick investigation revealed that the search giant's public DNS server was offline as well
A million dollars, the Internet Crime Complaint Center and Naked Security - the ingredients for a scam (Naked Security) An email scam is using a Naked Security news story about the arrest of a gang of suspected credit card fraudsters, in an attempt to scam innocent internet users
'Free $100 McDonald's gift card' scam targeting Facebook users (Help Net Security) Facebook users are once again targeted with a rogue app / survey scam combo. The lure is a free McDonald's $100 gift card: Users who want to get the prize are first asked to install a rogue app
PixSteal-A Trojan Steals Images, Uploads to Iraqi FTP Server (Threatpost) A new Trojan has been identified that has the capability of stealing images from infected computers, setting the stage for anything from identity theft to blackmail
Researchers find Android hole that could affect millions (Fierce Mobile IT) The security of Android devices versus Apple's (NASDAQ: AAPL) iOS devices has been an ongoing issue for chief information officers and IT departments dealing with BYOD at their companies. Android security concerns were heightened last week by North Carolina State University researchers who showed how a vulnerability in Android platforms could be used to send fake SMS messages designed to trick the user into disclosing confidential information or subscribing to bogus premium services
Australian Pizza Hut customers served a deep dish of info leaks (Ars Technica) Pizza chain says names and contact info exposed, not credit cards
Western Area Power Administration desktops have high risk vulnerabilities, say auditors (Fierce Government IT) Auditors say nearly every computer tested for vulnerabilities at the Energy Department's Western Area Power Administration contained at least one high-risk vulnerability related to software updates or patches
200000 Additional South Carolina Taxpayers Could Be Affected By Cyber Attack (WJBF-TV) Additional South Carolina taxpayers could be impacted by the cyber attack that took place on the South Carolina Department of Revenue's computer system
Heist once again highlights e-banking vulnerabilities (CSO) Commercial customers need to heed warnings from cyber thefts in Missouri, Maine
Malware Tools Get Smarter To Nab Financial Data (Dark Reading) If you've got $3,931 burning a hole in your pocket, speak Russian, and want to invest in a crimeware toolkit, you're in luck
Russia's Bargain-Basement Cybercrime (Dark Reading) How much does it cost to infect 1,000 machines with malware? Russian services will do it for as little as $12. It sounds a little bit like one of those ads on late-night television: Email spamming -- 1 million messages for $10! Malware downloads -- as little as 1,000 downloads for $12! DDoS any website -- only $30! No, it's not an ad for a cheap local electronics shop -- these are actual prices for cybercrime services currently available from hackers in Russia
Killer Apps: The new cyber vulnerability: Your law firm (Foreign Policy) Keith Alexander, chief of US Cyber Command and the NSA, lamented this disparity in the private sector's cyber security standards today. "We have a problem
25 Tips to Prevent Law Firm Data Breaches (Wisconsin Lawyer) Another day, another data breach. Data breaches have proliferated with amazing speed. Here is the roundup of some of the largest victims in 2011 alone: Tricare, Nemours, Epsilon, WordPress, Sony, HB Gary, TripAdvisor, Citigroup, NASA, Lockheed Martin, and RSA Security
Are lawyers getting in the way of cloud-based security? (Network World) At Cloud Security Alliance Congress, some say lawyers too often are hindrance to better security. In an age where enterprises and their employees are being relentlessly targeted with malware-based phishing, denial-of-service and other attacks, the ability of the IT security staff to defend their networks and valuable corporate data faces yet one more obstacle, according to some: their own company lawyers
4 Long-Term Hacks That Rocked 2012 (Dark Reading) News of lengthy hacker incursions into enterprise databases and networks has been plentiful over the last year—here's a highlight reel
Security Patches, Mitigations, and Software Updates
Cisco TACACS+ Authentication Bypass (Internet Storm Center) Cisco has released a patch that addresses a TACACS+ Authentication Bypass vulnerability. Exploitation is likely very easy. If you are using Cisco ACS for authentication you should probably take note of this annoucment
Google Implements Do Not Track in Chrome 23 (Threatpost) Nearly two years after other browser vendors implemented it, Google on Tuesday finally released a version of Chrome that supports the Do Not Track functionality that helps users prevent Web sites from following their movements around the Web. Google's move to include the technology is a response to discussions with the White House earlier this year around privacy. Chrome 23, released on Tuesday, is the first stable version of the company's browser to include the DNT option, although it's been in the developer channel for a couple of months now
U.S. Cyber Commander: Threats Are Relentless, Education Is The Key (CRN) Everybody's being exploited," Alexander told attendees, listing major attacks from the past two years such as those of security intelligence firm Stratfor, integrator giant Lockheed Martin and security vendor RSA. "Intellectual property is the biggest
Mobile apps expose personal information (CSO) Mobile devices and applications have become an integral part of our lives but they can also expose personal information. An application privacy report by Juniper Networks' Mobile Threat Center (MTC) indicates that permissions and capabilities in apps could expose sensitive data
How to stay secure in a changing world (Help Net Security) In Sir Isaac Newton's time there were three laws of motion, which dominated the scientific view of the world. While he, and his scientific peers, might have had many different opinions, what they all
Security, IT integration top M2M customer concerns (Fierce Mobile IT) End-to-end security and integration with enterprise IT systems are the top two concerns about machine-to-machine wireless communications for corporate customers, according to a survey of M2M companies conducted by Beecham Research on behalf of enterprise software vendor Oracle
IBM Security Systems Fights Complexity with Consolidation (eSecurity Planet) A year ago, IBM consolidated its security efforts into one omnibus umbrella. Is this approach working? At the end of 2011, IBM embarked on a dramatic re-organization of its security assets in an effort to consolidate strategy and product offerings. The new IBM Security Systems division was formed around
Defense Stocks Tumble On Budget-Cut Fears (Yahoo.com) Defense stocks fell on Wednesday, as analysts predicted after the results of the presidential and congressional elections that military spending will remain tight, and there's no clear path toward avoiding automatic defense spending cuts set to kick in at the beginning of 2013
Boeing Says Cuts Save $1.6 Billion (Wall Street Journal) Boeing Co. announced plans to cut executive jobs and consolidate several divisions at its defense business that the company said would save $1.6 billion over the next two years
GCHQ lines up BAE and pals for 'Cyber Incident Response' (Register) The "Cyber Incident Response" scheme - launched today by CESG, the data security arm of GCHQ, and the Centre for the Protection of National Infrastructure (CPNI) - is targeted at the public sector and firms supporting the UK's key systems and businesses
BAE SYSTEMS PLC : BAE Systems Detica certified by GCHQ and CPNI (4-traders) BAE Systems Detica has been named by GCHQ's Information Assurance arm CESG, and the Centre for the Protection of National Infrastructure (CPNI) as one of only four companies (1.) on an important new scheme that will provide organisations facing cyber
Cloud Security Alliance Announces First Annual Ron Knode Service Award (PR Web) The Cloud Security Alliance (CSA) today announced the recipients of its first Ron Knode Service Award, a new annual award sponsored by the CSA recognizing excellence in volunteerism for six honorees from the Americas, Asia-Pacific and EMEA regions
Azerbaijan draws Symantec to organize a regional center for cyber security (Azerbaijan Business Center) Azerbaijan has felt its cyber security a "chip" in terms of information and communication technologies. Communications & IT Minister Ali Abbasov has stated that since 2013 the country will begin active measures to ensure cyber
Axway Announces Intent To Acquire Vordel (Dark Reading) Combined platform will provide companies with a consolidated approach to application and data integration needs across on-premise and cloud environments
Deloitte Acquires Health IT Data & Analytics Firm (ExecutiveBiz) Deloitte has acquired healthcare data and analytics specialist Recombinant Data and added the Massachusetts-based firm to its life sciences and health-care practice.
Gartner: RIM has 'huge challenge ahead' in enterprise (Fierce Mobile IT) Market research firm Gartner predicts that 1.2 billion smartphones and tablets will be purchased next year, up from 821 million this year. By 2016, two-thirds of the mobile workforce will own a smartphone, and 40 percent of the workforce will be mobile, according to the latest research from Gartner
HP bets big on Linux (IT World) HP has long been a contributor to Linux and open source software, but on Monday it ratcheted up its support another notch
Apple Eyes Dumping Intel For ARM (InformationWeek) Is Apple serious about shifting OS X and its computers from Intel's x86 architecture to ARM-based chips? Or is it just trying to win concessions from Intel?
AF NETCENTS I Contract Going Up $1.45B, Ceiling Now $10.4B (Govconwire) The Air Force's electronic systems center plans to increase the value of the branch's original Network-Centric Solutions contract by $1.45 billion, pushing the ceiling value to $10.45 billion, Nextgov reports. According to Bob Brewin's story, this action also extends the NETCENTS vehicle through September 2013. Awardees include: Booz Allen Hamilton (NYSE: BAH) General Dynamics
Products, Services, and Solutions
Avecto Launches Privilege Guard 3.6 With Windows 8 Compatibility And App Store Control (Dark Reading) Software includes privileged application control based on download source
How to prepare for Google algorithm changes (IT World) In an effort to improve search result quality and punish black-hat SEO, Google has been making big changes to its algorithms, and more updates are likely on the way soon. Here's how to prepare
BlackBerry 10 is FIPS certified in advance of platform's release (Computer World) After several federal agencies said they will stop using BlackBerry devices and switch to iPhones, Research In Motion took the unusual step today of announcing a tough security certification for BlackBerry 10 in advance of the device's launch next quarter. This is the first time that a BlackBerry product has been certified as meeting the Federal Information Processing Standard (FIPS) ahead of launch, RIM said in a statement. The certification means that U.S. government agencies around the globe will be able to deploy BlackBerry 10 smartphones and BlackBerry Enterprise Service 10 from the day of launch, set for sometime in the first quarter, RIM said
Seagate Backup Plus gets USB 3.0 (Help Net Security) Seagate introduced SuperSpeed USB 3.0 to Backup Plus storage for Mac. This new interface means faster transfer of data, so you can backup more quickly, up to 10x that of USB 2.0, via TimeMachine
Technologies, Techniques, and Standards
How Secure Is Your Data Center Network? (The Data Center Journal) The Cloud Security Alliance (CSA) recommends that you be aware of the software interfaces (usually called "application programming interfaces," or APIs) that allow your software to communicate and exchange data with the cloud provider
Hunting Botnets In The Cloud (Dark Reading) Combining cloud, crowdsourcing, and big data to find and quash botnets on a larger scale. Comparing botnet command-and-control (C&C) traffic or malware within an organization to activity seen in other parts of the Internet isn't new. It's just that some security analysts are increasingly going there to gather better intelligence that they can use to quell an infection or help take down a botnet
In Bounties They Trust, But Does Paying for Security Bugs Make a Safer Web? (Wired Threat Level) Ever since Mozilla launched its bug bounty program eight years ago to pay researchers for finding and disclosing security holes in its software, Google and others have followed suit with their own bug bounty programs, paying out millions of dollars
Portrait of a Full-Time Bug Hunter — Abdul-Aziz Hariri (Wired Threat Level) Abdul-Aziz Hariri earned more than enough to live on doing freelance bug hunting, during a period when he couldn't find a job. Hariri, a 27-year-old Lebanese-Canadian, began submitting bugs full-time after he emigrated from Lebanon to Canada in January 2010
Mobile phone theft on the rise - here's how to protect your data for free (Naked Security) Research released today has revealed that the theft of mobile phones is on the rise. This isn't just about losing an expensive phone - there's also the threat of losing your data and money. Learn how to better protect your phone
Help eliminate unquoted path vulnerabilities (Inernet Storm Center) Metasploit's "Service Trusted Path Privilege Escalation" exploit takes advantage of unquoted service paths vulnerability outline in CVE-2005-1185, CVE=2005-2938 and CVE-2000-1128. The vulnerability takes advantage of the way Windows parses directory paths to execute code
How IT Leaders Can Best Plan for Disaster (CSO) Hurricane Sandy left devastation in its wake, first pounding the Caribbean and then pummeling the Mid-Atlantic and Northeast regions of the U.S. People and businesses are now struggling to get back on their feet. As a CIO or IT leader, you need to ask yourself: Will your organization be prepared for the next disaster
Secure data-at-rest and data-in-motion on iOS and Android (Help Net Security) Companies are moving their core business operations to mobile apps. App developers are at the center of this transformation and must deliver great apps quickly while ensuring that business data remain
Design and Innovation
Australian Government's Department of Industry, Innovation, Science, Research and Tertiary Education Wins 2012 National Cybersecurity Innovation Award (IT News Online) The SANS Institute today announced that the Australian Government's Department of Industry, Innovation, Science, Research & Tertiary Education (DIISRTE) has won a 2012 U.S. National Cybersecurity Innovation Award for effectively eliminating targeted intrusions known as advanced persistent threat attacks using existing technologies
How Do You Survive The Innovation Hamster Wheel? (InformationWeek) This is how two tech leaders do it, and we'd like to hear more tactics from you
American children to become 'cyber-warriors' (Security Defense Agenda) The National Science Centre (NSC) has launched a new online game called 'Cyber Swarm Defenders' to help train young children to be able to avoid cyber-attack malware when surfing the internet
As hacker forums breed recruits, government stages cyber education counterattack (Government Computer News) ISSL, operated by the school's Information Assurance Center, a National Security Agency center for academic excellence in information, provides basic training, both for general security awareness and literacy to produce better stewards of sensitive data
Town & Gown: JSU continues to lead in cybersecurity (Jacksonville News) Recognized in 2008 by the National Security Agency (NSA) and the Department of Homeland Security (DHS) as a National Center of Academic Excellence in Information Assurance Education, Jacksonville State University has been keeping pace with this
Legislation, Policy, and Regulation
[UK] Government departments get go-ahead to use iPhones for sensitive data (ComputerWeekly) Government departments have been given the go-ahead to use iPhones to send and receive sensitive emails, as part of moves to broaden the number of approved public sector mobile devices beyond BlackBerrys. Under new guidelines, civil servants and ministers could use Apple devices for restricted information deemed to compromise the workings of government if released to third parties
Joining hands against cybercrime in Africa (SecurityAffairs) Concerned over rising threats online, Cyber security agents in Africa are taking a proactive step by collaborating with global network-security experts, to curb cybercriminal activities in the continent where they will share information and technical know how. Cyber security agents in Africa will gain an even better view of emerging cyber threats by working with experts who are mainly drawn from European countries and US. The partnership will also address the shortage of cyber security specialists in the fast growing continent of Africa, through joint seminars and discussions that will involve management teams in companies and other organizations
The 8 Missions That Should Dominate Obama's Technology Agenda (Wired Business) Now that the election is over, we hit up some of the smartest, hungriest folks in tech to get their wish-list for the next four years with Obama running the show
A Sample Security Agenda for Obama's Second Term (Threatpost) Intelligence agencies, the military and other groups inside the government regularly buy vulnerabilities from security researchers and use them for various purposes. But there are plenty of other buyers as well, including ... Stop trying to put all of
Military gears up to defend US against cyber-attack (abc7news.com) "If a cyber-attack crippled our power grid in this country, took down the financial systems, took down our government systems, that that would constitute an act of war," has Panetta said. Though she may not look like a drill sergeant, Irvine is tasked
Homeland Security Suggests 'Co-op' Approach To Cybersecurity (Mortgageorb) The U.S. Department of Homeland Security (DHS) is recommending that financial companies pool their infrastructure resources and work together to fight the increasing level of cybersecurity threats. According to a report in the technology trade
On cyber defense, U.S. 'stuck at the starting line' (FederalNewsRadio.com) Robert Joyce, NSA's deputy director for information assurance, said the agency has special insights into cyber vulnerabilities from inside the intelligence community, and it's already come a long way toward packaging that information into formats that
'Cyberdraft' Would Press-Gang Geeks Into Government Service (Fast Company) In August 2012, the Defense Department introduced extensive changes to their cyberwarfare rules of engagement that call for United States Cyber Command to
New ICE system permits officials to upload individuals' data from commercial databases (Fierce Government IT) Immigration and Customs Enforcement says it's rolling out a law enforcement system that allows Homeland Security Investigations officials to search, analyze and visualize data about individuals collected by the Homeland Security Department or bought from commercial sources
Litigation, Investigation, and Law Enforcement
Oracle hit with patent lawsuit over WebLogic Server (Computer World) Oracle is finding itself caught up in another Java-related patent lawsuit, but this time it's the one getting sued. Java middleware vendor Thought filed suit against Oracle on Oct. 31, claiming that WebLogic Server and other Oracle products infringe at a "massive scale" on a number of patents it holds. Using the open-source Java programming language, Thought created a "middleware mapping layer for saving object and table information and greatly simplified the task of persisting data," according to its complaint, which was filed in U.S. District Court for the Northern District of California
Pad Hack at Barnes & Noble Draws Lawsuits from Customers (Hot for Security) The point-of-sale keyboard hack at Barnes & Noble bookstores led to three class-action complaints for failure to protect customers personal financial data, including but not limited to credit and debit card information and person identification numbers. With 700 nationwide stores having used tampered devices, Barnes & Noble postponed the public announcement until an FBI investigation was launched in an attempt to pinpoint the cyber crooks. Jonathan Honor and Ray Clutts, from Illinois, filled class-action complaints against the retailer for not protecting their credit card data and not personally contacting and warning affected customers
National Security Wiretaps, or Just Plain Old Snooping? (Courthouse News Service) Aside from monitoring terror threats, the National Security Agency eavesdrops on the private communications of Americans for fun, a class says in the 6-year-old case against the federal wiretap program. The allegation appears in the latest
US cop awarded $1 million over randy officers' illegal use of license database as a private Facebook (Naked Security) A former police officer has been awarded $1,057,000 in settlement payments after she filed suits charging privacy invasion against fellow officers who illegally accessed her photo and address more than 500 times
How to report a computer crime: malware by email (Naked Security) If you have ever unwittingly downloaded malware as a result of opening an attachment in an email, did you report it to the police? Here's why you should, and how you should go about doing it
For a complete running list of events, please visit the Event Tracker.
TechExpo Cyber Security Careers (Columbia, Maryland, Nov 1, 2012) Profit from presentations by leading industry figures and networking opportunities designed for serious job-seekers.
Anatomy of an Attack (New York, New York, Nov 15, 2012) Join Sophos security experts in exploring how threats like malware, Trojans, worms and spyware actually work and what you can do to protect your company, even if you're on a tight budget.
ZeroNights (Moscow, Russia, Nov 19 - 20, 2012) ZeroNights is an international conference dedicated to the technical side of information security. The mission of the conference is to disseminate information about new attack methods, threats and defense tools. Another purpose is to create a communication venue for skilled professionals in the field of information security.
Digital Security Summit (Riyadh, Saudi Arabia, Dec 1 - 2, 2012) A major conference to discuss the growing threat to digital security in the Middle East, especially in Saudi Arabia.
Passwords^12 (, Jan 1, 1970) Passwords^12 is a 3-day conference only about passwords & PIN codes. With an "all-star" cast of speakers, including Joan Daemen (AES/SHA3), Jens Steube (alias "atom", hashcat author), Colin Percival (CSO FreeBSD, inventor of scrypt), Simon Marechal (John the Ripper co-developer), Frank Stajano (Cambridge) and many more, this will be the premier event for everything and anything related to password security. Passwords^12 is the first and only conference of its kind, bringing together academic institutions, researchers and security professionals from around the world. It's a not-for-profit and non-commercial conference. No sales personnel, no marketing managers and deep technical talks.
CIO Cloud Summit 2012 (, Jan 1, 1970) The CIO Cloud Summit will help C-level executives better understand the true capabilities of cloud computing and the transformational opportunities it can bring.
BayThreat (Sunnyvale, California, Dec 7 - 8, 2012) The theme for BayThreat is a new spin on the dichotomy of attacking and defending in information security. We're calling out all of the attackers and defenders that are on the front lines of the battle.
e-Crime Congress 2013 (London, England, Mar 12 - 13, 2013) The e-Crime Congress is designed to meet the needs of key stakeholders and decision makers who are responsible for designing and coordinating information security and risk management strategy, safeguarding digital assets and sensitive information, protecting customers, defending against internal or external threats and responding to incidents.
The Future of Cyber Security 2013 (London, England, UK, Mar 21, 2013) Cyber Security and the Citizen 2013 is a one-day conference and exhibition for senior decision-makers of central and local government organisations, NGOs and major private sector enterprises.
25th Annual FIRST Conference (Bangkok, Thailand, Jun 16 - 21, 2013) The annual FIRST conference provides a setting for conference participants to attend a wide range of presentations delivered by leading experts in both the CSIRT field and from the global security community.