Cyber Attacks, Threats, and Vulnerabilities
New variant of Mac Trojan discovered, targeting Tibet (Naked Security) The malware threat on Macs is real, and should not be underestimated
Adobe investigates alleged customer data breach (CSO) The information, published on Tuesday on Pastebin, includes hashed passwords, names and email addresses
Skype users warned of serious security problem - accounts can be hijacked with ease (Naked Security) A serious security problem has been uncovered in Skype, which allows hackers to hijack accounts just by knowing users' email addresses. The Next Web describes how it managed to reproduce the attack, accessing the Skype accounts of staff by just knowing their email address, and then changing the passwords of their "victims" to lock them out. According to The Next Web: "The reason this works is simple, but it's still worrying
Samsung Galaxy S3 found storing passwords in plain text (Help Net Security) Samsung Galaxy S3, currently one of the most popular smartphones on the market, stores passwords in plain text. The culprit is actually Samsung's S-Memo app
CloudFlare users targeted by phishers (Help Net Security) Popular content delivery network and distributed domain name server service CloudFlare has issued a warning to its users about an ongoing phishing scam
Facebook Black? Beware widespread scam hitting social networkers (Naked Security) Want to change your Facebook from blue to black? Maybe it's time to exercise a little self-restraint, because scammers are hard at work tricking users into completing their money-making scams
Prolexic Keeps Revenues Flowing For Worldofwatches.Com By Mitigating DDoS Attacks (Paramus Post) Prolexic, the global leader in Distributed Denial of Service (DDoS) protection services, announced today that it has successfully mitigated two attacks against the popular e-commerce website www.worldofwatches.com
Anonymous Raids European Organization Over Ukrainian Elections (Security Week) Supporters of Anonymous have raided the Organization for Security and Co-operation in Europe (OSCE), accusing them of failing to hold up their end of a promise to keep an eye on the Ukrainian elections. The raid resulted in several hundred documents being leaked, most marked as classified or confidential, and covering everything from political memos and internal communications to phone records
Cyberespionage campaign hits Israeli, Palestinian targets (CSO) While the software tools were not sophisticated, the techniques used to trick email recipients were. A single attacker using advanced social engineering techniques waged a yearlong cyberespionage campaign against Israeli and Palestinian targets, a Norwegian security firm said on Monday. The attacker used the same infrastructure and malicious code in trying to penetrate computer systems, apparently to steal information, Norman ASA said. The identity and motivation of the attacker was not known
Security Patches, Mitigations, and Software Updates
Microsoft Security Bulletin Summary for November 2012 (Microsoft Security Tech Center) This bulletin summary lists security bulletins released for November 2012
Microsoft November 2012 Black Tuesday Update - Overview (Internet Storm Center) Note: Several of these patches apply to Windows 8 and Windows RT that were just released last month. Overview of the November 2012 Microsoft patches and their status
Cyber Trends
Eugene Kaspersky: Clear Need to Define Cyberweapons and Cyberwar (Threatpost) The term cyberwar has become a catch-all used by politicians, talking heads and others to encompass just about any online threat, regardless of the attacker or the target. Among security professionals, however, the word has a specific connotation: an attack by one nation against another nation's infrastructure. Aside from the semantic issues, one of the major challenges for government agencies and security teams dealing with this problem is attribution and recognizing what constitutes an actual act of cyberwar. Stuxnet, Flame and their cousins may qualify, but more discussion is needed to help define the terms of these new conflicts, experts say
Gary McGraw on Cyberwar and the Folly of Hoarding Cyber-Rocks (Threatpost) Dennis Fisher talks with Gary McGraw of Cigital about some of the holes in the current thinking about cyberwar, why traditional military analogies don't hold up in cyberwar discussions and how better defense can make a difference. McGraw will be discussing his thoughts on cyberwar at King's College London this week
Russia Software Tycoon: US Cyber Tracing May Not Work (Wall Street Journal) "I'm afraid it's possible to design [a cyber attack] in such a way that" its source could remain hidden, Mr. Kaspersky told a small group of reporters over dinner at a steakhouse in Chicago, when asked about Mr. Panetta's remarks. Cyber attackers often
Cyber-attack: An act of war? (ITWorld Canada) Based on what we've seen, an attack by an enemy country on a government or military network isn't viewed as gravely as an enemy launching mortar shells at a command post. The latter would almost certainly lead to a shooting war, whereas the former
Zero-Day Exploits Provide an Inside Look at the Cybercriminal Black Market (McAfee) The Cyber Black Market: While it sounds like something out of a cheesy Hollywood movie, it is a real and thriving commercial hub built on the trade of hacking tools. Almost daily, reports surface that new zero-day exploits are being bought and sold in the underground marketplace, with price tags that typically range from $50,000 to $200,000. Our team at McAfee Labs pays close attention to these reports, because zero-day exploits are, by nature and by name, brand new, never before seen in the wild
Social Media Q&A With Eugene Kaspersky (Threatpost) The security of social networks and the people who use them every day has become a serious concern for enterprises and consumers alike. Millions of people rely on networks such as Facebook and Twitter to communicate and connect with friends and colleagues, and attacks against the networks themselves and the users on them undermine some of the trust people place in them. Eugene Kaspersky, CEO of Kaspersky Lab, recently answered questions on the security concerns surrounding social media and what people can do to protect themselves on these networks
Big Data will be Big Business in India (Quartz) Just over a decade ago, as the world panicked over what would happen when 1999 turned into the year 2000, India threw down the gauntlet, proving it could write software and manage big tech projects with the best of them. Now India is ready to prove that it's got the chops to tackle "big data"
Enterprises lack programs to secure third-party software (Help Net Security) Veracode data indicates that despite increasing security risks from third-party and externally developed software, few enterprises currently have formal testing programs in place
Faronics U.S. and U.K. Survey Reveals BYOD, Unstructured Data, Check and Credit Card Fraud Most Critical Threats (Financial Post) Faronics, a global leader in simplifying, securing and managing multi-user computer environments, today announced the results of its State of Cyber Security Readiness survey, which examines the cyber threat and data breach experiences of small and medium-sized businesses (SMBs). The research was completed by The Ponemon Institute
New Report Reveals 65 percent of Organizations Experience Three DDoS Attacks a Year, but Majority are Unprepared to Mitigate Attacks (Equities.com) Despite the increasing sophistication and severity of cyber attacks, a survey of more than 700 senior IT professionals reveals that organizations are surprisingly unarmed to deal with today's threat landscape. In a new report titled "Cyber Security on the Offense: A Study of IT Security Experts," the Ponemon Institute and Radware (NASDAQ: RDWR), a leading provider of application delivery and application security solutions for virtual and cloud data centers, found that while 65 percent of organizations experienced an average of three distributed denial-of-service (DDoS) attacks in the past 12 months, less than half reported being vigilant in monitoring for attacks - much less putting into practice proactive and preventative measures to protect their organizations
The Future Of Hacktivism (newmatilda) After some high-profile arrests, hacker groups like Anonymous are changing the way they work. Asher Wolf interviews a former member of LulzSec about the future of hacktivism. On 5 November 2012, hackers under the banner of Anonymous led a hacking operation to mark Guy Fawkes Day
Forrester: Big data deniers must separate hype from reality (Fierce Big Data) Any technology trend that catches on too quickly will attract deniers who call it a fad or just the same old technology under a new name. Big data certainly has its detractors and deniers, with some criticizing the terminology itself and others disparaging the promises of great insights as either a pipe dream or a privacy nightmare. Forrester Research says they should get over it: big data is the future
Marketplace
Federal agencies, private firms fiercely compete in hiring cyber experts (Washington Post) Along the Baltimore-Washington Parkway, the concentration of government agencies and contractors brimming with computer geeks rivals any cyber defense area on the planet. And in this age of growing cyber threats, those firms are engaged in a cyber-hiring competition so fierce that one expert called it "fratricide on the parkway"
DHS aims to hire 600 cybersecurity pros -- if it can find them (CSO) Experts say Department of Homeland Security recruitment suffers from lack of understanding of talent pool. The Obama administration is hoping to make good on its promise to create new jobs -- in this case, 600 of them in cybersecurity. Department of Homeland Security (DHS) Secretary Janet Napolitano, acting on the recommendation of the Homeland Security Advisory Council's Task Force on Cyberskills, said at a Washington Post cybersecurity forum that DHS wants to hire at least 600 cyber experts, analysts, IT specialists and people who are familiar with coding
Accenture helps DHS scour social media for bio risks (Fierce Big Data) The U.S. Department of Homeland Security said late last week it will spend $3 million over the next year with Accenture on a pilot program for social media analytics to identify, predict and respond to national health emergencies such as an infectious disease outbreak or a biological attack
Governor O'Malley, Lt. Governor Brown, and Congressman Ruppersberger Inaugurate Tecore Networks New Headquarters in Hanover, MD. (Yahoo Finance) Building on 20 years of innovation and success, Tecore moves to larger headquarters to accommodate continued growth and expansion with "Made-In-America" cellular solutions
Lockheed Wins $80M Contract to Support DoD Cyber Range Operations (Govconwire) Lockheed Martin Corp. (NYSE: LMT) has won an $80 million contract under the national cyber range program to support operations at a military test range that is about to become operational, according to NextGov. Dawn Lim writes that the five-year contract supports the cyber range housed in a "specially architected sensitive compartmented information facility with appropriate
Lockheed to cyber-armour its supply chain against 'the Adversary' (Register) Top Pentagon supplier Lockheed Martin says its computer networks are under increasingly heavy fire from hackers, forcing it to beef up its supply chain's defences. Lockheed veep and chief information security officer Chandra McMahon said about a fifth of
Malware Analysis Researchers Announce New Startup (Dark Reading) Kirda, Kruegel, and Vigna were part of a team of international malware analysis experts that created Disclosure, a tool that expands the view of botnet
After Trying To Make Bug Tracking Fun, PlayNicely To Enter The Deadpool (TechCrunch) PlayNice.ly, the UK startup that set out to make bug tracking fun, is to enter the deadpool. In an email sent out to users, the company has announced that it is shutting down the service in the new year, and in the meantime has released a data export tool so that users can begin migrating away from PlayNice.ly
Salient Fed Buys App Software Developer, Gains Contract Spots (Govconwire) Salient Federal Solutions has acquired application software developer LIST Innovative Solutions Inc. and now covers 90 percent of its contract base with prime federal software or application development contracts. The Fairfax, Va.-based federal information technology and engineering contractor said it also added positions on blanket purchase agreements with the U.S. Office of Personnel Management and the Patent and Trademark Office through
Ciber Appoints Michael Casullo SVP and CIO (Govconwire) Ciber has appointed Michael Casullo senior vice president and chief information officer, according to a company release. Casullo has a three-decade career in the information technology industry, with a background which includes disaster recovery strategies, cloud computing, major application implementations and data center operations
Head Of HP Enterprise Security Takes Over As Vormetric CEO (Dark Reading) Alan Kessler has more than 20 years of management experience
SINOFSKY'S FINAL MEMO: I Wasn't Fired. I Quit. And I'm Ready To Compete With Microsoft (Business Insider) Last night, we got shocking news out of Microsoft. The man who saved Office, saved Vista, and launched Windows 8, Steven Sinofsky, is out of the company. Sinofsky was often described as Microsoft's CEO-in-waiting, so this was especially surprising news. In a memo to employees, Sinofsky says it was his decision to quit
Analysts divine traces of Windows 8 weakness, ego clash in Sinofsky exit (Computerworld) Steven Sinofsky, Microsoft's top Windows executive, abruptly left the company Monday, a move that some analysts saw as an indictment of Windows 8. But other experts believe more was at play and that Microsoft will stick to the strategic trail
Post-defenestration Microsoft: It's the APIs, stupid. And Metro (The Register) Sinofsky, Microsoft's Caligula… The sudden departure of Steve Sinofsky from Microsoft leaves Redmond with its biggest crisis for years - and it needs to assure investors as a matter of urgency. He's achieved a huge amount of change, but he's also left a real mess, the full extent of which isn't appreciated by financial or technology sector analysts
Products, Services, and Solutions
HiSoftware Releases Next Generation Of Solutions For NewsGator Social Compliance Monitoring (Dark Reading) Solution helps organizations better detect, document, and prevent privacy breaches and exposure of confidential information in their social environments
Panda Security Launches Panda Cloud Partner Center 2.2 (PR Newswire) Panda Security, the Cloud Security Company, today announced the release of its new 2.2 version of Panda Cloud Partner Center
F-Secure secures online banking transactions (Help Net Security) As cybercriminals continue to develop more and more sophisticated financial malware, F-Secure is using its security expertise to protect consumers' bank accounts. Banking Protection, a new feature of
GFI Software updates VIPRE Antivirus Business (Help Net Security) GFI Software launched the latest edition of VIPRE Business, which provides SMBs with access to a single solution for antivirus, patch management and Mobile Device Management (MDM)
Amazon Cloud Data Center Opens In Australia (InformationWeek) Amazon Web Services extends its reach around the world, offers full gamut of cloud services from new Sydney data center
SAP Takes Big Step Putting CRM On Hana (InformationWeek) Watch out Salesforce.com: SAP releases a Hana in-memory database upgrade capable of running core transactional applications, starting with a customer relationship package
Windows Defender helps Windows 8 stop common malware (Fierce CIO: TechWatch) Security vendor BitDefender ran 385 samples of malware most favored by cybercriminals on a Windows 8 system to test Microsoft's (NASDAQ: MSFT) latest operating system. The company found that the pre-installed Windows Defender successfully filtered out all but 15 percent of them. The outcome was significantly different when Windows Defender was disabled, however, with 234 of the sample malware running without any problems
Technologies, Techniques, and Standards
5 Ways Small Businesses Can Improve Mobile Device Security (Dark Reading) SMBs needn't sacrifice flexibility for mobile security, but these tips can help them strike a better balance
Trojan Horses, Malware and Other Cyber Attack Tools are Just a Click Away (Washington Post) Ryan Linn's hacks into corporate networks have become almost a matter of routine. On one recent morning, he woke up at his home near the Research Triangle in eastern North Carolina and walked down to an extra bedroom that he uses as an office
Push notifications abuse hurts developers as well as users (Help Net Security) Push notifications allow app developers to share news with their users, and are a great way of presenting new apps and features. Unfortunately, they are also a great nuisance when they are misused
ONC releases draft Meaningful Use Stage 3 recommendations (Fierce Government IT) Eligible doctors, healthcare professionals and hospitals could receive financial incentives if they meaningfully use certified electronic health record technology in a more patient- and family-centered way, according to draft recommendations published by the Office of the National Coordinator for Health Information Technology
NIST issues IT supply chain risk management guide (Fierce Government IT) Historically, federal departments and agencies had no consistent or comprehensive methodology for recognizing supply chain compromises in their information technology products and services, says a recently published National Institute of Standards and Technology interagency report. The NIST document aims to remedy that by outlining repeatable and "commercially reasonable" supply chain assurance practices
Design and Innovation
The Patent Problem Shackles Business Innovation (Wired Business) Without those assurances, there would arguably be no incentive to innovate; why invest money and effort on a breakthrough that anyone could then take and sell? Patents created a business environment that led to such landmark technologies as the cotton
National Security Agency's Information Assurance Directorate Wins 2012 National Cybersecurity Innovation Award (PR Newswire) The innovation: Combating common and damaging cyber attacks with convenient, transparent non-persistent desktop browsing technology from Invincea, Inc. The SANS Institute today announced that The National Security Agency's Information Assurance Directorate has won a 2012 U.S. National Cybersecurity Innovation Award for combating cyber attacks with an innovative non-persistent desktop browser
Research and Development
Games may help train analysts to overcome bias (Phys.Org) "Biases are often difficult to identify, but it's important to recognize bias in decision theory and analysis," said Graham, who worked with Donald Kretz and B. J. Simpson, both cognitive scientists at Raytheon Intelligence and Information Systems
Academia
Waterfall Security Solutions Donation to Michigan Technological University (Sacramento Bee) Waterfall Security Solutions today announced a $234,000 cash and in-kind donation to Michigan Technological University, in support of Dr. Chee-Wooi Ten's research into the cyber-security of the North American power grid. In today's information age of
CYBER-CHARTERS: How districts are luring cyber students back (Lancaster Newspapers) Then Jonathan and his family found what they believed was an even better option: Lancaster-Lebanon Virtual Solutions. The cyber program run by Intermediate Unit 13 allows students in a number of local districts to take classes online while also
UMBC to launch Cyber Scholars program with Northrop Grumman gift (Washington Business Journal) University of Maryland, Baltimore County is creating a "Cyber Scholars" program with a $1 million grant from the Northrop Grumman Foundation, the Baltimore Business Journal reported
Legislation, Policy, and Regulation
US-Canada Integrated Cybersecurity Agenda (Bay Area Indymedia) Merging cyber threat strategies would force Canada to further bring its security practices in line with American ones and under the reach of the Department of Homeland Security (DHS). On October 26, Public Safety Canada and the DHS released
China orders foreign companies to help with internet surveillance (The Verge) Thomas Parenty, a security specialist formerly of the US National Security Agency, told the Times that such hardware could make it easier for the Chinese government to spy on international corporations, noting that the boxes "would be able to intercept
Senate readies for fight over cybersecurity surveillance (CNET) "There is established a National Cybersecurity Council… The Council shall establish procedures under which each owner of critical cyber infrastructure shall report significant cyber incidents affecting critical cyber infrastructure
Still at the starting line in the cyberdefense race (GCN.com) With the presidential election behind us and the political status quo confirmed in Washington, the dangers in cyberspace continue to grow, says NSA Director and U.S. Cyber Command commander Gen. Keith B. Alexander. The nation's dependence on a
Far-reaching cyber law a legal necessity (The National) Last year, legal experts in the UAE warned that cyber crimes in the Emirates were increasing at such a pace that new laws were needed to catch offenders. The worry, judges warned then, was that weak legal frameworks were so full of loopholes that criminals could easily exploit them
Cybersecurity Legislation in the Lame Duck Session (Chemical Facility Security News) Michelle Kincaid has an interesting outlook on cybersecurity legislation potential in the lame duck session in her cybersecurity blog post. While I don't see anything in particular to disagree with, it is important to remember that political calculations change significantly in a lame duck session, making it much more difficult to successfully predict political outcomes. While most people focus on legislators that are on their way out, who may (or may not) vote on principle instead of political motives now that they may never face the voters again, there is a new crop of Senators that are now starting into their two year election cycle; many of them will now begin paying more attention to political posturing than principle
Litigation, Investigation, and Law Enforcement
Government requests to remove content from Google have nearly doubled, driven by Turkey (Quartz) Google received 1,791 requests from government agencies to remove content in the first six months of 2012, an 89% jump from the same period a year ago, according to the company. The spike is unusual; takedown requests from governments had been flat since Google began disclosing the data in 2009
Petraeus Case Raises Fears About Privacy in Digital Era (New York Times) The F.B.I. investigation that toppled the director of the C.I.A. and now threatens to tarnish the reputation of the top American commander in Afghanistan underscores a danger that civil libertarians have long warned about: that in policing the Web for crime
FBI Abuse Of The Surveillance State Is The Real Scandal Needing Investigation (Business Insider) Jane Harman - one of the most outspoken defenders of the illegal Bush National Security Agency (NSA) warrantless eavesdropping program - suddenly began sounding like an irate, life-long ACLU privacy activist when it was revealed that the NSA had
The Surveillance State Takes Friendly Fire (New Yorker) This struck me as funny, because several years earlier I had written a book about the National Security Agency during Hayden's tenure as its director, and his office had stonewalled my repeated requests for an interview. I clicked on his profile to see
Online Privacy Issue Is Also In Play In Petraeus Scandal (New York Times) The F.B.I. investigation that toppled the director of the C.I.A. and has now entangled the top American commander in Afghanistan underscores a danger that civil libertarians have long warned about: that in policing the Web for crime, espionage and sabotage, government investigators will unavoidably invade the private lives of Americans
Petraeus tripped up by trust in supposedly anonymous email account (Naked Security) The US's top spy guy, who resigned abruptly on Friday, conducted a romantic affair behind the thin sheet of a pseudonymous email account. It's a good reminder to us all that email headers often spill the beans, revealing IP addresses that lead to our webmail hosts and geolocation. It's a short hop from there to our identities
Keeping hackers out of personal email (Winnipeg Free Press) In light of the Gmail-related scandal involving former CIA chief David Petraeus, one has to wonder if, given the relative ease by which an intelligence agency — or just about anybody — can break into a private email account, government
Yes, the FBI and CIA can read your email. Here's how (ZDNet) The U.S. government -- and likely your own government, for that matter -- is either watching your online activity every minute of the day through
It's not that hard for authorities to get to your email (NBC News) Paula Broadwell is a trained intelligence officer who'd spent years working with some of the most secretive agencies in the world, according to her biography from her book publisher, Penguin. How were FBI agents able to hunt her
IBM sued over botched SAP project implementation (Fierce CIO: TechWatch) A chemical products manufacturer has taken the unusual step of suing IBM for a botched ERP--Enterprise Resource Planning--implementation, and publicizing the details via press release. In it, Avantor Performance Materials alleged that it suffered losses amounting to tens of millions of dollars after forking over $13 million in fees for a system built using the SAP platform that was "unable to perform properly." The failure was attributed to project mismanagement on the part of IBM