The CyberWire Daily Briefing 11.16.12

Cyber Trends

Symantec's Digital Information Index Reveals Half Of Business Information Resides Outside The Firewall (Dark Reading) Cloud and mobile computing driving information sprawl

Adequate Attack Data and Threat Information Sharing No Longer a Luxury (Threatpost) While some industry groups such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and cross-industry groups such as the Advanced Cyber Security Center (ACSC) facilitate the exchange of threat information, for the most part organizations are still hamstrung by legal constraints and other business factors that prevent an adequate flow of actionable information

Despite security concerns, enterprises place sensitive data in the cloud (Net-Security) One third of enterprises place highly sensitive data in the public cloud even though most are wary of the implications on security and other business processes, according to Forrester Consulting. Nearly half of respondents do not think their existing identity and access management (IAM) infrastructures will be able to support cloud applications and provide single sign-on (SSO). While most enterprises are concerned about exposing data to the cloud, nearly a third of them already place highly sensitive data like regulated financial (34%) and healthcare information (29%) in SaaS apps

European enterprises cautiously accepting BYOD (Net-Security) Results of the European edition of the ISACA IT Risk/Reward Barometer show slowly growing acceptance of BYOD in the workplace, with 28% of organisations freely allowing the use of personal mobile devices for work, compared with 34% in North America and 48% in Oceania. However, there has been a 20-percentage-point drop in enterprises that prohibit BYOD (down from 58% to 30%). More than half (54%) of IT professionals in Europe continue to report that the risk of BYOD outweighs the benefit, compared to 15% who say benefits are greater than risk and 31% who say that benefits and risk are balanced

Companies collecting personal info face financial risks (Net-Security) Many organizations lack the business behaviors and compliance practices necessary to adequately address growing consumer and regulatory concerns about data security and privacy, according to Edelman. The comprehensive study of 6,400 corporate privacy and security executives was conducted by the Ponemon Institute, a leading independent research organization. The analysis spans 29 countries around the world, and is believed to be one of the largest studies of its kind ever fielded

Attacks targeting government info, intellectual property grow more complex (GCN) Government -- in common with business sectors such as manufacturing, IT and technical services -- is being targeted by increasingly complex attacks with the intent of stealing data rather than money, according to the most recent snapshot from the Verizon Data Breach Investigation Report. Although the types of sensitive information held by government often differs from private sector intellectual property, government and the private sector share a lot in common as victims, according to Verizon analysts. While most financially motivated attacks are against targets of opportunity, when it comes to IP theft, the targeted nature of the attacks considerably changes how they are conceived and carried out, the report says

Security report: Enterprises place reckless trust in third-party software (ZDNet) Software security testing company Veracode's just-released Supplemental to its 2012 State of Software Security Report focuses on the software supply chain

90 percent say online privacy is threatened (Help Net Security) Ninety percent of U.S. consumers who use a mobile device for work activities feel their online privacy is threatened, but many persist in putting their privacy and security at risk

Mobile spam is impacting most U.S. adults (Help Net Security) Mobile spam has become prevalent, with the majority of U.S. adults who text reporting that they have received an unsolicited text message, according to a survey conducted online by Harris Interactive

Privacy scholars at the wall (Fierce Big Data) I went to a lecture last night put on by one of the Meetup groups I belong to. My family and friends think the group is some kind of subversive cult, which is an indication that I may need new friends--not much I can do about my family

Why Android's Dominance Is Bad (InformationWeek) Google's Android platform grabbed a commanding 72% share of the smartphone market during the third quarter. That needs to change

Petraeus Mission Impossible: Cloaking Email, Online Identities (InformationWeek) So-called security experts making basic information security errors isn't a new occurrence. Arguably, it even led to the rise of the Anonymous hacktivist collective

Legislation, Policy and Regulation

Harry Reid's Virus (Wall Street Journal) The House adopted on a bipartisan vote in April the Cyber Intelligence Sharing and Protection Act giving companies liability protection to encourage them to monitor their systems and report attacks to the National Security Agency and other federal

Political Gridlock Leaves US Facing Cyber Pearl Harbor (Businessweek) Last month, Obama signed a separate cybersecurity directive authorizing the National Security Agency and other military units to take more aggressive action to defeat attacks on government and private computer systems. An Oct. 4 Bloomberg Government

Blocked Leaks Bill More About Message Discipline Than National Security (ACLU) Sen. Ron Wyden (D-OR) deserves significant credit for placing a hold today on a draft intelligence spending bill that would place enormous new obstacles in the path of journalists trying to report on government illegality, fraud and waste in the intelligence community. Although it is true that national security sometimes requires secrecy, restrictions on freedom of the press would do little to benefit the national security while significantly insulating government wrongdoing from public scrutiny

Why Congress Hacked Up a Bill to Stop Hackers (Businessweek) On July 30, U.S. Army General Keith Alexander, the director of the secretive National Security Agency, which helps guard the government's computer networks, addressed a group of lawmakers in a packed room in the Capitol. He said the U.S. had evidence

Congress Kills Cybersecurity Bill, White House Action Expected (InformationWeek) …"government and military targets face repeated exploitation attempts by Chinese hackers," the report said, fingering China in cyber espionage and cyber attacks aimed at the Department of Defense, NASA and U.S.-based companies like Lockheed Martin

As CIA Chief Scandal Looms, Lawmakers Consider Tightening E-Mail Privacy (As CIA Chief Scandal Looms, Lawmakers Consider Tightening E-Mail Privacy) Recent intrusions by the FBI into e-mail correspondence between former CIA Director David Petraeus and his mistress and biographer, Paula Broadwell, have raised a lot of questions and concerns about the governments ability to access private e-mails. The current law covering access to e-mail gives the government the right to snoop without a court order on email thats older than 180 days, but requires a court order for missives that are newer than this, a fact that privacy activists have been trying to change for years. Now they might finally be getting closer to that wish

Kramer: U.S. will emphasize market liberalization in WCIT-12 (Fierce Government IT) A second tranche of U.S. proposals for the planned December treaty-writing conference of the International Telecommunication Union in Dubai emphasizes "the criticality of liberalized markets," said Amb. Terry Kramer, head of the U.S. conference delegation

Last attempt at Senate cybersecurity bill fails (Fierce Government IT) A last attempt this Congress to pass a cybersecurity bill in the Senate failed Nov. 14 when less than a supermajority of lawmakers voted to invoke cloture, a necessary step before the bill can come to the floor. Lawmakers voted 51-47 for cloture, but with Republican senators voting against, consideration of a cybersecurity measure will likely have to wait until a bill can be reintroduced following the Jan. 3 convening of the 113th Congress

Products, Services, and Solutions

OpenDNS Goes Mobile (Dark Reading) New service an alternative to the VPN. OpenDNS founder and CEO David Ulevitch says his company over the past few years has become more of a security company than a pure DNS resolution service provider

Japan Mobile Company Debuts Real-Time Voice Translation App (IEEE Spectrum) NTT DoCoMo app allows callers to converse without language barriers

Free Risk Indexing Tool Offers Start For Assessments (Dark Reading) Ponemon and Edelman hope to offer benchmark for organizations that want to know where their data privacy risk posture stands

Sony Mobile Chief Acknowledges Its Smartphones Suck, Promises An iPhone, Galaxy S III Competitor Soon (TechCrunch) Sony makes a lot of really nice things, but it has never taken smartphones seriously. That's to change if Sony Mobile's sales chief, Dennis van Schie, is to be believed

GlobalSign Releases Free SSL Configuration Checker (Softpedia) World-renowned SSL certificate provider GlobalSign has released a free online service the SSL Configuration Checker which allows organizations that rely on SSL for website security to assess their configurations. Numerous organizations utilize SSL to ensure that their customers information is protected against cybercriminal attacks. However, companies must also make sure that their SSL configurations are not faulty, and this is where the SSL Configuration Checker steps in

NETGEAR unveils new VDSL application firewall (Help Net Security) NETGEAR introduced the ProSecure UTM25S Unified Threat Management Firewall, which provides two modular slots that fit optional interface cards, enabling IT administrators to custom-tailor the firewall

Check Point unveils ThreatCloud Security Services (Help Net Security) Check Point has announced ThreatCloud Security Services, a set of new security service offerings to assist customers in protecting their organisation's networks from threats

Rackspace enhances Private Cloud software (Help Net Security) Rackspace announced new features and enhanced support offerings for the Rackspace Private Cloud. Since the OpenStack-powered Rackspace Private Cloud Software launched in August, thousands of organizations

NJVC to Spotlight Cloudcuity at Gartner Data Center Conference (DigitalJournal.com) NJVC Cyber Dashboard – An award-winning dashboard that enables the visualization of core devices across an organization's entire IT enterprise

ArmorHub's Web Security Service Scans For Vulnerabilities & Malware, Works Great For Startups As Well As Your Dad (TechCrunch) ArmorHub is today launching a web security service targeting startups, small-to-medium sized businesses, and most importantly, the layperson who knows that website security is something to be concerned about, but doesn't know how to monitor their site or what to do if an issue is found. The company is being bootstrapped by Evan Beard, previously the founder and CEO of eTacts

Newvem Brings Cloud Analytics To AWS To Help Businesses Not Just Save, But Actually Profit On The Cloud (TechCrunch) Over the last few years, Amazon Web Services (AWS) has emerged as one of the most popular cloud infrastructure solutions out there, managing an unusual feat for those of its ilk by appealing equally to both early stage startups and enterprise. While it provides access to next-gen computing and hosting services for cheap and scales like a champ, the onboarding process remains tough for startups and

New iMacs may be delayed due to welding issues (Ars Technica) A "commercial source" suggests Apple may not ship the new iMacs until 2013

Google Sheds Light on New Android App Scanner (Threatpost) Google has divulged more information about its forthcoming application verifier for the Android operating system. The feature is being rolled out over the air alongside the latest build of the OS, Jelly Bean 4.2, on Nexus 7 and Galaxy Nexus devices as of yesterday

Facebook Jobs App Takes On LinkedIn (InformationWeek) Facebook's new app is designed to connect job candidates with hiring employers. Should LinkedIn be worried

LucidWorks successfully betas search app development platform (Fierce Big Data) Disaster planning, deep web intelligence and search and discovery are a few of the applications built by companies using the LucidWorks enterprise-grade search development platform, which the company will make generally available next month

Microsoft Windows 8 Tablet Plans In Disarray (InformationWeek) Surface Pro and other systems that run Win8 on Intel's Clover Trail platform are missing in action at a key time -- creating a nasty enterprise tablet problem for Microsoft.

Technologies, Techniques, and Standards

Encryption of Data-in-Use to Harness the Power of the Cloud (SYS-CON Media) The not-for-profit Cloud Security Alliance notes in its most recent Email Security Implementation Guidance that it is critical that the customer - not the cloud service provider - be responsible for the security and encryption protection controls

Lack of network history delays resolution of security issues (Help Net Security) Endace released the findings from its survey that highlight the operational challenges being faced by IT teams as they come to terms with the latest high-speed, network-centric technologies

Shop Safer This Cyber Monday (Business 2 Community) Here is a list of steps from The Better Business Bureau and the National Cyber Security Alliance that you can take to protect yourself from fraud this Cyber

How one NYC data center survived Hurricane Sandy (Ars Technica) Lesson learned from 10 days on generator power: more weather-proofing needed

How to report a computer crime: SQL injection website attack (Naked Security) Do you know how to report a computer crime? Or even who you would report it to? So far, we've looked at unauthorised email account access and malware in our series of articles on how to report a computer crime. In this article, we'll look at an SQL injection attack

7 Cheap Cloud Storage Options (InformationWeek) You have a multitude of cloud storage choices beyond Dropbox, for enterprise and personal use. But make sure you understand the differences

Nine security controls to look for in cloud contracts (NetworkWorld) To help ease the concerns of cloud security, which Gartner says is still a chief inhibitor to enterprise public cloud adoption, buyers are looking to contracts and service-level agreements to mitigate their risks. But Gartner cloud security analyst Jay Heiser says SLAs are still "weak" and "unsatisfying" in terms of addressing security, business continuity and assessment of security controls."A lot of these things are getting a lot of attention, but we're seeing little consistency in the contracts," he says, especially in the infrastructure-as-a-service (IaaS) market. Software-as-a-service (SaaS) controls are "primitive, but improving."Below are some of the common and recommended security provisions in cloud contracts and how common and effective they are

10+ challenges facing the 'international' CIO (Tech Republic) CIOs and managers who are responsible for international IT encounter different kinds of technical, organizational, and people issues from those who have IT responsibilities only on the home front. Yet few of these international executives get formal training on how to conduct international business before they go abroad. There are numerous issues to consider and many are only peripherally related to technology

Marketplace

Change In U.S. Defense Strategy Could Ease Fiscal Challenge: Report (Reuters) A group of national security experts on Thursday proposed a new U.S. defense strategy they said could be safely implemented at different budget levels, enabling President Barack Obama to cut Pentagon spending by more than the $487 billion agreed to so far

Air Force scraps massive ERP project after racking up $1 billion in costs (IT World) The U.S. Air Force has decided to scrap a major ERP (enterprise resource planning) software project after spending $1 billion, concluding that finishing it would cost far too much more money for too little gain

Army Reserve Chief Jeffrey Talley Not Worried Over Sequestration (Govconwire) Army Lt. Gen. Jeffrey Talley, chief of the Army Reserve, told the Defense Writer's Group Wednesday he is not worried that sequestration will occur, American Forces Press Service reports. He said he is not worried because both Defense Secretary Leon Panetta and Army Secretary John McHugh told the departments to not plan for the cuts

Risks in Modernized e-File will delay retirement of legacy systems, says TIGTA (Fierce Government IT) The Internal Revenue Service may not be able to retire its legacy e-File system due to insufficient testing of the latest release of the Modernized e-File system, or MeF. Performance waivers and deferrals used in performance tests of MeF 7.0 remain unresolved, according to a Treasury Inspector General for Tax Administration report published Nov. 14 but dated Sept. 27

Profile: Michael Del Vecchio, OUSD-I Senior Cyber Adviser (ExecutiveGov) In 2005, he began his service as the National Security Agency's senior official assigned to the National Reconnaissance Office, where he also served as deputy director for NRO's signals intelligence acquisition and operations directorate, deputy chief

Online identity suppliers revealed for troubled Universal Credit (CSO) Department for Work and Pensions has selected seven providers, including the Post Office

Australian Computer Scientists to Develop Software for Multi-million-dollar US Program (Avionics Intelligence) Government will see a team of computer scientists from NICTA, Australia's Information and Communications Technology Research Centre of Excellence, develop a new breed of software to protect the critical systems in unmanned vehicles from cyber attack

TWD Acquires Federal Cloud, IT Services Contractor (Govconwire) TWD & Associates has acquired federal information technology contractor The Engle Group in a move to expand its offerings in IT service management, cloud computing and application development. McLean, Va-based Engle provides IT services to federal customers including the Justice, Department and Interior departments and "expands our reach into the civilian sector," said Larry Besterman

A Telling Gesture: Qualcomm Acquires Assets Of Digital Ultrasound Company, EPOS, To 'Differentiate' Next-Gen Snapdragon Chips (TechCrunch) Qualcomm Technologies, a subsidiary of mobile chipmaker Qualcomm, has announced it has acquired "certain assets" from Israeli company, EPOS Development, which develops low-cost, digital ultrasound positioning technologies for use in input systems such as pen, stylus and gesture recognition

Microsoft Names Julie Larson-Green to Lead Windows Operations (Govconwire) Microsoft Corp. has promoted Julie Larson-Green to lead all Windows software and hardware engineering, succeeding Windows and Windows Live president Steven Sinofsky. Larson-Green will lead all future Windows product development and future hardware opportunities, according to a company statement, "Leading Windows engineering is an incredible challenge and opportunity, and as I looked at the technical and

CounterTack Names New Chief Researcher (Dark Reading) Sean Bodmer has more than 16 years of security assurance experience

Fidelity Invests In Secure Software Development (Dark Reading) No code goes live at financial services firm until it has been fully vetted

Insight: Lockheed's F-35 logistics system revolutionary but risky (Reuters) One concern: Lockheed shored up political backing for the F-35 by choosing suppliers in nearly every U.S. state. But having such a large and widely dispersed group increases exposure to cyber attacks, said Ben Freeman, national security investigator

Thales sets research and Technology center (UPI.com) Thales Research and Technology Canada will concentrate on research for cybersecurity; information fusion with smart networks and sensors; intelligence

Sources: Cybersecurity Expert May Succeed Thales CEO (DefenseNews.com) Sogeti and Thales Communications & Security are corporate sponsors of a new chair in cyber defense and cybersecurity at France's Saint-Cyr Coetquidan

Sourcefire, Inc's CEO Presents at UBS Global Technology Conference-Transcript (Seeking Alpha) Unidentified Corporate Participant: I guess maybe the big question on everyone's mind has just been this expansion. You've had an amazing run in your core (Mark)et and now you've really laid a strategy to move outside and redraw the boundary

Norman AS Releases New Video That Explores Government Role in Cyber Security Policy (MarketWatch) Joe Weiss of Applied Control Solutions Notes the Absence of ICS Professionals from Policy Decisions

Antivirus startup linked to infamous Chinese hacker (CSO) Anvisoft, a Chinese antivirus startup, has been linked to an infamous hacker suspected of developing sophisticated malware used to siphon sensitive information from Defense Department contractors in 2006. Through some high-tech sleuthing on the Web, Brian Krebs, author of the KrebsonSecurity blog, found Anvisoft-connected IP addresses connected Anvisoft to registered to "tandailin" in Gaoxingu, China. Tan Dailin, a.k.a. Withered Rose, was the subject of Verisign's 2007 iDefense report, which described Dailin as the 20-year-old leader of a state-sponsored hacking team called NCPH, which stood for Network Crack Program Hacker

As AMD Explores Options, Intel Pain Looms (InformationWeek) Moore's Law is changing the rules of the game again. This time AMD and Intel could both be on the losing team

Research and Development

They Cracked This 250 Year-Old Code, And Found a Secret Society Inside (Wired Danger Room) For nearly 250 years, this book concealed the arcane rituals of an ancient order. But cracking the code only deepened the mystery

Stanford Physicists Take First Step Toward Quantum Cryptography (Patch.com) Quantum mechanics offers the potential to create absolutely secure telecommunications networks by harnessing a fundamental phenomenon of quantum particles. Now, a team of Stanford physicists has demonstrated a crucial first step in creating a quantum

Cyber Attacks, Threats, and Vulnerabilities

Anonymous Attacks Israeli Web Sites (New York Times) After Israel killed a top military commander of Hamas on Wednesday, Anonymous, the loose affiliation of hackers, retaliated with a series of attacks on Israeli Web sites. In a coordinated action that began at 3 a.m. New York time Thursday, hackers attacked Web sites belonging to the Israel Defense Forces, the prime ministers office, Israeli banks, airlines and security companies by flooding them with Web traffic, in a campaign they called #OpIsrael

Hamas Shoots Rockets at Tel Aviv, Tweeting Every Barrage (Wired Danger Room) On day two of the fight between Israel and Hamas, the Palestinian group hit back, launching its most sophisticated rockets and announcing every new barrage on social media

Israel Kills Hamas Leader, Instantly Posts It to YouTube (Wired Danger Room) The Israel Defense Forces didn't just kill Hamas's military leader on Wednesday. They killed him and then instantly posted the strike to YouTube. Then they tweeted a warning to all of his comrades

Attackers to Exploit Search Personalization, Supply Chains (Threatpost) Information systems and algorithms designed to personalize online search results will give attackers the ability to influence the information available to their victims in the coming years. Researchers, in turn, must seek ways to fortify these systems against malicious manipulation, according to the Emerging Cyber Threats Report 2013, a report released ahead of yesterday's Georgia Tech Cyber Security Summit 2012

Proof-of-concept malware can share USB smart card readers with attackers over Internet (CIO Magazine) Rascagneres is also the founder and leader of a malware analysis and engineering project called malware.lu, whose team designed this USB sharing malware

Opera homepage spotted redirecting visitors to Blackhole kit (Help Net Security) If you are an Opera user who hasn't changed the browser homepage or has visited Opera's Portal homepage (portal.opera.com) on Wednesday, you might want to check you computer for malware

Curiosity-piquing Twitter DM leads to double threat (Help Net Security) A double threat has been aimed at Twitter users as Direct Messages carrying a Facebook link and the question "what on earth could you be doing in our movie?" are currently doing rounds

Spoofed Better Business Bureau email leads to malware (Help Net Security) A massive spam campaign impersonating the Better Business Bureau is currently hitting inboxes around the world. The emails urges users to check out a report and to respond to the matter urgently

LinkedIn spam drives traffic to Toronto Drug Store (Naked Security) That email you just received from LinkedIn might be promoting a Thanksgiving sale of Viagra instead

TNS24 - a fake courier company website, used by online scammers (Naked Security) Beware of attractive strangers contacting you on Facebook, and requesting that you help finance a shipment of goods in your name…you might find yourself out of pocket, with little chance of redress

Cracked passwords from the alleged 'Egyptian hacker' Adobe breach (Naked Security) An allegedly Egyptian hacker going by the name ViruS_HimA has allegedly hacked into Adobe. According to himself, he's made off with a largish database of personally identifiable information. Wherever the data actually comes from, it reveals yet more poor password hygiene at both the client and the server…find out just how bad

Adobe suspends Connect user forum after apparent hack (ZDNet) Adobe has suspended a user forum where customers discuss its Connect videoconferencing product, after an apparent security breach in which credentials for members of the US military were leaked. The company said on Wednesday that the Connectusers. com forum was the only service to be compromised by the "unauthorised third party"

NASA breach update: Stolen laptop had data on 10,000 users (CSO) Breached unencrypted laptop puts personal data of NASA employees and contractors at risk, spokesman says

Academia

Building Tomorrow's Cyber Defenders (Virginia Connection Newspapers) "Northrop Grumman is the largest cybersecurity provider to the federal government," said corporate spokeswoman Marynoele Benson. "This camp was about network defense, so kids could understand how their computers can be infiltrated and how to protect

Big Data Education: 3 Steps Universities Must Take (InformationWeek) How can universities help meet the growing demand for data scientists? Consider this advice from a professor working in the trenches with tomorrow's analytics pros

Litigation, Investigation, and Enforcement

Maker of Airport Body Scanners Suspected of Falsifying Software Tests (Wired) A company that supplies controversial passenger-screening machines for U.S. airports is under suspicion for possibly manipulating tests on privacy software designed to prevent the machines from producing graphic body images. The Transportation Security Administration sent a letter Nov. 9 to the parent company of Rapiscan, the maker of backscatter machines, requesting information about the testing of the software to determine if there was malfeasance. The machines use backscatter radiation to detect objects concealed beneath clothes

Report Says $67.9 Billion In Defense Budget Is Idled Away (Boston Globe) Fishy is right, according to "Department of Everything," a wry but scathing new report commissioned by Senator Tom Coburn of Oklahoma that identified $67.9 billion in the defense budget during the next decade designated for projects that have little to do with defending the nation. That waste includes conducting nonmilitary research, running schools, grocery stores, and microbreweries, and maintaining unnecessary overhead and supplies

C.I.A. Investigates Petraeus Affair As Lawmakers Press Libya Attack Inquiry (New York Times) The Central Intelligence Agencys inspector general has started an investigation into the general conduct of David H. Petraeus, who resigned last week as the C.I.A.s director after admitting to having an affair with his biographer, Paula Broadwell

China: No. 1 Cyber Threat (Free Beacon) Chinese state-run cyber attacks pose most significant global cyber threat, congressional report says. China's government carried out numerous cyber attacks against United States government and private sector computers this year and has emerged as the most significant threat in cyberspace, according to a congressional commission report made public Wednesday

Major Data Breach in State Tax System (Courthouse News) South Carolina's cyber-security contractor, Trustwave, let hackers into the state tax system, compromising the personal information of 3.6 million South Carolinians, taxpayers claim in a federal class action

Data breach could cost businesses $330M, ex-FBI official says (Greenvilleonline) The ultimate cost to some South Carolina businesses from the data breach at the state Department of Revenue could top $330 million, a former high-ranking FBI official says. Chris Swecker, the former No. 3 official at the FBI, told GreenvilleOnline. com this morning that even if only 1 percent of the 650,000 businesses whose information was exposed in the massive data breach was used for financial gain, it could mean losses totaling $338 million, based on FBI historical experience with data fraud

Design and Innovation

CSC's Yogesh Khanna Wins 2012 'CTO Innovator Award' (Govconwire) Yogesh Khanna, vice president and chief technology officer for the North American public sector at Computer Sciences Corp. (NYSE: CSC), has won this year's CTO Innovator Award in the large company category. According to CSC, Khanna was was recognized for helping establish the company's data center consolidation and cloud computing go-to-market strategy and offerings