The CyberWire Daily Briefing 11.20.12

Cyber Trends

Despite Security Worries, Human Resources Allows Social Media At Work (Dark Reading) More than 60 percent of enterprises don't block Facebook, other sites; two-thirds don't monitor employee use

Urgently Needed: A Dumber, Tougher Grid (IEEE Spectrum) That's not to say a smarter grid will not also help. Since the hurricane and "nor'easter" that devastated the New Jersey and New York coasts two weeks ago, leaving millions without heat, gasoline and electricity, there has been a lot of loose talk about how a smarter grid might moderate the effects of such catastrophes in the future

Anticipating threats ineffective in enhancing security (ZDNet) Companies looking to predict cyberthreats to fend off attacks will not improve their IT systems' security robustness as the criminals responsible will evolve and develop their technologies accordingly. Speaking at a seminar here Monday, Bruce Schneier, chief security technology officer at BT, said technology has affected the balance of society and social mechanisms such as law and punishment, which help keep people in check so they will not commit crimes, online or otherwise. For instance, the Internet has given rise to anonymity and made it easier for cybercriminals to perpetrate their attacks without getting caught, Schneier observed

The Future Of Cyber Security (WOUB) On this edition of Conversations from Studio B, host Tom Hodson talks with with cyber communication security experts Danny OBrien and Andrew Lewman. OBrien is an Internet advocacy coordinator for the New York based Committee to Protect Journalists, and is a leading authority on cyber security threats. Lewman is the leader of the Tor project, which develops technology to allow journalists and others to scramble their communications when operating overseas

Security Wisdom Watch: National security edition (CSO Salted Hash) Risks to national security have dominated the headlines this past month. Let's review the more insidious examples

Panetta's Wrong About A Cyber 'Pearl Harbor' (ForeignPolicy.com) In recent months, the specter of a looming cyber "Pearl Harbor" has reappeared -- the phrase having first come into use in the 1990s. But it is the wrong metaphor

Generation Tech: Gifted but a long way from bad (Help Net Security) They have been described as technology's Generation Y or Generation Tech: an undisciplined, impulsive, entitled horde of twenty-something workers, seen as one of the biggest security challenges ever

How teens hide their online activity (Help Net Security) A European survey commissioned by McAfee has revealed an alarming disconnect between what teens are getting up to online, and what parents are aware of. Many UK teens are accessing inappropriate content

81% don't trust cloud security (Help Net Security) 81 percent of IT professionals express security concerns when moving data to the cloud, according to a recent survey by GreenSQL. The survey focused on one question: "What is your main security

Small businesses still underestimate cost of security breaches (ZDNet) That's just one of the high-level takeaways from the new State of Cyber Security Readiness survey by Ponemon Institute. Here's another: More than half of

CrowdStrike Wants UK Firms To Fight Cyber Crooks - But Is It 'Nuts'? (TechWeekEurope) When CrowdStrike CEO Shawn Henry calls on UK firms to fight back, is he inciting more cyber crime? The FBI's former cyber security chief was in London last

Legislation, Policy and Regulation

Congresswoman Crowdsourcing Domain-Seizure Bill on Reddit (Wired Threat Level) Rep. Zoe Lofgren (D-California) has taken to the social-news site Reddit to crowdsource legislation that would make it more difficult for U.S. authorities to seize domains facilitating copyright infringement

UK govt tells banks to hand over account data to customers (Finextra) The UK government has warned banks that it is prepared to legislate to force them to hand over current account and credit card data to customers who request it. The threat relates to the midata project, which is designed to give Brits more access to, and control over, the data that companies hold on them so that they can get greater insight into their own spending habits and improve buying decisions. Lloyds Banking Group, MasterCard and Visa are among the big firms in the finance, energy and telecoms sectors to voluntarily back the project, promising to give customers who ask for it their data in an electronic machine-readable standard format

Philippines to set up cybersecurity operations center (ZDNet) The Armed Forces of the Philippines (AFP) will be establishing an operations center to counter cybersecurity threats. According to Manila Standard Today news site on Monday, the military's project is dubbed the Command, Control, Communications, Computers, Intelligence, Surveillance, Target Acquisition and Reconnaissance (C4ISTAR), military spokesperson Arnulfo Burgos said in a statement. It is "envisioned by the Department of National Defense and the AFP for a comprehensive upgrading and acquisition of modern equipment and solutions, under the AFP modernization program for efficient and effective conduct of operations," he said

Republican Senator's Plan Trims The Fat At Pentagon (Washington Post) I want to generate support for Sen. Tom Coburn (R-Okla.) in his newest budget reduction effort targeting some of the low-hanging fruit at the Pentagon

Products, Services, and Solutions

Petraeus Fallout: 5 Gmail Security Facts (InformationWeek) Want to avoid a fall from grace? Then ensure you're not the chief of a spy agency who coordinates your extramarital affairs using a free webmail service. View this complementary article to learn about the top information security takeaway from the ongoing probe into the former director of the CIA, David Petraeus, who resigned after 14 months on the job

Why Facebook is full of it (IT World) Facebook says it's not deliberately throttling news feeds to sell more ads. Maybe that is true. But one way or another, they're lying to us

ITC: 'Plug-and-play' keeps company ahead of cyber threats (intelligentutility) Independent transmission owner ITC Holdings (NYSE:ITC) is "very aware" of cybersecurity, and the company has been diligent about guarding against cyber threats for nearly a decade, ITC vice-president of grid development Terry Harvill told TransmissionHub in an interview on trends that industry representatives will discuss at a panel session during TransForum East coming up in December. I dont think that it is unique to the transmission industry or utility industry that we face an ever growing threat of IT attacks, Harvill said. ITC is an independent electricity transmission company with high-voltage transmission systems in Michigans Lower Peninsula and parts of Iowa, Minnesota, Illinois, Missouri and Kansas through its subsidiaries ITCTransmission, Michigan Electric Transmission, ITC Midwest and ITC Great Plains

Raiffeisen Introduces PhotoTAN to Protect Customer Transactions Against Malware (Softpeida) European banks, which are said to have implemented far more advanced security mechanisms to protect their customers than the ones from the US, are trying to live up to their reputation. Swiss bank Raiffeisen has introduced a new security feature that relies on Cronto's Visual Transaction Signing Solution. Available for customers in Switzerland starting today, the CrontoSign is designed to protect online transactions against cyberattacks that rely on clever information-stealing Trojans such as ZeuS

Application traffic control now reaches network's edge (CSO) Xirrus' Application Control one of the first to take traffic policing, policy enforcement to the network perimeter, says analyst

Asahi Technologies Announces 24/7 Cyber Attack Surveillance to Help Online (PR Web) Internet merchants across the globe anticipate online sales to surge ahead this holiday season. Nevertheless, this growth provides cyber criminals a bigger opportunity to take advantage of online retailers and end users. Owing to the ardent need of a

Managed Services: 7 Blogs MSPmentor Didn't Write (MSPmentor) Interesting Move: Panda Security is leveraging CentraStage, a cloud-based remote monitoring and management (RMM) platform. This is a pretty big deal for

ForgeRock launches open source stack to secure applications and services (Help Net Security) ForgeRock announced availability of an open source stack to secure applications and services across enterprise, cloud, social and mobile environments

Brother to support iOS devices on cloud-based web conferencing service (Fierce Mobile IT) Brother is expanding its new cloud-based OmniJoin web conferencing service to support Apple's (NASDAQ: AAPL) iOS-based devices, such as the iPhone and iPad, Courtney Behrens, senior marketing manager at OmniJoin, told FierceMobileIT

Reports: Botched firmware update leading to bricked Wii U consoles (Ars Technica) Interrupting the roughly 5GB download can render the console useless

It's official: Windows 8 is a disappointment (Quartz) The new Microsoft operating system that all the reviewers called confusing isn't exactly winning over consumers either. Since its launch less than a month ago, Windows 8 has seen weaker sales than its predecessor Windows 7, an NDP Group report via AllThingD's John Packzkowski found. Sources inside Microsoft also say that the company doesn't like the early sales numbers it's seeing either,reports Paul Thurrott who runs a Supersite for Windows. "Microsoft has not met is internal projections for Windows 8 sales," he wrote. Microsoft blames the PC makers, says Thurrott. "My source cited to me the PC makers' 'inability to deliver,' a damning indictment that I think nicely explains why the firm felt it needed to start making its own PC and device hardware," he writes. But we suspect it has more to do with the newfangled tile look, which has users hesitant to switch away from the familiar Windows 7 start screen. Or maybe that's something that just takes getting used to, in which case we should expect a slow build for Windows 8?s impending smash success

LEAKED: MySpace's Master Plan To Raise $50 Million And Relaunch As A Spotify Killer (Business Insider) The parent company of MySpace is trying to raise $50 million in order to re-launch MySpace as a direct competitor to Spotify and Pandora in 2013

Technologies, Techniques, and Standards

Four Ways to Turn Insiders Into Assets (Dark Reading) Stop thinking about employees as threats and train them to make your company harder to attack. Jayson Street has few problems walking into businesses and getting access to sensitive company data. A vice president of information security for a bank by day, Street moonlights as a penetration tester at Stratagem 1 Solutions, a job at which he has yet to fail

Software 'glitches' are not acceptable. Learn from aviation (TechWorld) The term glitch is often used to describe an error in software, but the word itself undermines the severity of such errors, according to open source software company Adacore. Only this year, a so-called software glitch was responsible for a substantial IT failure at the Royal Bank of Scotland (RBS), which meant that millions of customers could not gain access to funds in their bank accounts. Events from the Wall Street Crash to Toyota's brake failings in 2009 have also been attributed to software glitches trivialising the problem and implying that it can be reasoned away

Total Information Assurance Framework For Modular Implementation (Blogger News Network) Subsequently as BS7799 evolved into ISO 27001 and new frameworks such as COBIT 5 have extended the "Information Security" concept to "Information Assurance" and added Authenticity and Non Repudiation as two other factors in defining Information

What's preferable: Exceptions or explicit error testing? (Ars Technica) A burning question from efficiency and security standpoints. Richard Keller asks: I often come across heated blog posts where the author uses the argument: "exceptions vs explicit error checking" to advocate his/her preferred language over some other language. The general consensus seems to be that languages that make use of exceptions are inherently better / cleaner than languages which rely heavily on error checking through explicit function calls. Is the use of exceptions considered better programming practice than explicit error checking, and if so, why

Marketplace

NHS anticipates move to G-Cloud for secure email services (Computer Weekly) The NHS Commissioning Board is looking to use multiple secure email providers via the governments G-Cloud framework. The move would be the largest deal yet to go through G-Cloud, pushing many millions of pounds through the framework. Around half a million users are currently on the secure email service NHSmail, which runs on Microsoft Exchange 2007

Defense Vendors Stockpile Cash Ahead Of Cliff (Bloomberg Government) Defense contractors led by Boeing Co. and Lockheed Martin Corp. are stashing more cash amid the threat of automatic federal budget cuts and expiring tax breaks

Honeywell Readies For Defense Cuts (Wall Street Journal) Honeywell International Inc. said Monday it expects the bulk of looming U.S. defense cuts to be implemented, and in a sharp break with rivals said it welcomes the reductions

Pentagon Propaganda Plan Is Source Of Controversy (USA Today) Senior officers at the Pentagon are being advised on countering Taliban propaganda by a marketing expert whose company once weeded out reporters who wrote negative stories in Afghanistan and helped the military deceive the enemy in Iraq, according to military documents and interview

DMI, ByteGrid Form Enterprise Data Center Partnership (ExecutiveBiz) Digital Management Inc. has signed an agreement with data center provider Bytegrid ... "Cyber threats, mobile device management, and the Federal Data Center

Commtouch Acquires eleven GmbH To Accelerate Launch Of Security-As-A-Service Solutions (Dark Reading) eleven also provides advanced on-premise email solutions and services

HP Misses, Q4 2012 Revenue Down 7% To $30B, $6.9B Net Loss, $8.8B Write-Down For Autonomy Acquisition (TechCrunch) HP's earnings for Q4 ending on October 31 show a gloomy quarter. Revenue is down 7 percent to $30 billion compared to Q4 2011. But the real problem comes from GAAP net income, with a net loss of $6.9 billion, or $3.49 per share, compared to a slim net profit of $0.2 billion for Q4 2011. Non-GAAP diluted earnings per share is at $1.16 compared to $1.17 year-over-year. Most of the bad news

Cisco ponies up $1.2 billion to beef up BYOD credentials (Fierce Mobile IT) Cisco (NASDAQ: CSCO) is paying $1.2 billion in cash and retention bonuses for Meraki, a cloud-based provider of mobile device management, mobile device security and Wi-Fi connectivity, to boost its BYOD credentials. Meraki's products support BYOD, guest networking, application control, WAN optimization, application firewalls and other networking services

Dell's Gale Buy Points To Cloud Focus (InformationWeek) Dell issued a dismal earnings report last week but hopes its Gale Technologies acquisition points to a more lucrative future

Intel CEO Otellini To Step Down (InformationWeek) Intel's Paul Otellini, president and CEO, is retiring as Intel stares down a post-PC era favoring mobile chips

How Intel's faith in x86 cost it the mobile market (Register) You can't fault departing Intel CEO Paul Otellini by claiming he didn't spot the way personal computing was becoming more mobile

eBay swings axe at Paypal (Channelbiz UK) 325 jobs to go in restructuring. eBay has announced that it is committing to a Q4 pre-tax restructuring charge of $15 mllion, relating to Paypal staff reductions. In other words, today it gave 325 employees the sack

Research and Development

New Neural Chip Mimics Brain Function (SIGNAL) Researchers working for the U.S. Army have developed and patented a neural computer chip that mimics human brain functions and could potentially be used for quantum computing

Scientists Find Cheaper Way to Ensure Internet Security (New York Times) Scientists at Toshiba and Cambridge University have perfected a technique that offers a less expensive way to ensure the security of the high-speed fiber optic cables that are the backbone of the modern Internet. The research, which will be published Tuesday in the science journal Physical Review X, describes a technique for making infinitesimally short time measurements needed to capture pulses of quantum light hidden in streams of billions of photons transmitted each second in data networks. Scientists used an advanced photodetector to extract weak photons from the torrents of light pulses carried by fiber optic cables, making it possible to safely distribute secret keys necessary to scramble data over distances up to 56 miles

Stanford's quantum entanglement device brings us one step closer to quantum cryptography (ExtremeTech) Researchers at Stanford University have taken another major step toward using quantum entanglement for communication, streamlining the process by which two particles can be forced into an entangled state. Once entangled, each should react to changes

Quantum cryptography done on standard broadband fibre (BBC News) The "uncrackable codes" made by exploiting the branch of physics called quantum mechanics have been sent down kilometres of standard broadband fibre. This "quantum key distribution" has until now needed a dedicated fibre separate from that used to

Security Patches, Mitigations, and Software Updates

Adobe Patches DoS Flaw in ColdFusion 10 (Threatpost) ColdFusion patchAdobe has addressed a denial-of-service vulnerability in the ColdFusion platform and an update is available. ColdFusion is Adobe's platform and application server used by developers to build Web applications

Nintendo's fixes Wii U network after claims of accidental hack (Naked Security) Just hours after the US launch of Nintendo's latest game console, the Wii U, a video game fan claims that he accidentally "hacked" into the console's online component - the Miiverse

Cyber Attacks, Threats, and Vulnerabilities

Israel Wages Cyber War With Hamas as Civilians Take Up Computers (Bloomberg) With companies like Check Point Software Technologies Ltd. (CHKP) and soldiers who exit intelligence units, Israel is aiming to become a leader in cyber

Israeli MSN, Skype, Live and Groupon Sites Hacked (Updated) (Softpedia) Pakistani hackers are also contributing to Operation Israel (OpIsrael). Theyve hacked and defaced a number of three Israeli sites apparently belonging to Microsoft, and the official website of Groupon

Bangladeshi Hackers Deface 20 Israeli Websites in Support for the People of Palestine (Softpedia) Operation Israel, or OpIsrael, is a hacktivist campaign supported by groups from all over the world. One of them is the Bangladesh Grey Hat Hackers (BGHH), who has defaced a number of 20 Israeli websites. This adds to the millions of cyberattacks launched against Israeli cyberspace over the past days

Israeli Official: Anonymous' Massive Cyber Attack Campaign Has Been A Flop (Huffington Post) A concerted effort of millions of attempts to cripple Israeli websites during the Gaza conflict has failed, Israel's finance minister said Monday, claiming that the only site that was successfully hacked was back up within minutes

Anonymous escalates its 'cyberwar' against Israel (CNet) Anonymous' hacking campaign against Israel to protest its attacks on Gaza escalated today with the release of a list of thousands of individuals who supposedly donated to a pro-Israel organization. The collective posted a Pastebin document that it said featured names -- and in some cases home addresses and e-mail addresses -- of donors for the Unity Coalition for Israel, which claims to represent "the largest network of pro-Israel groups in the world." The document appears to be quite old: one of the military e-mail addresses belonged to Douglas Feith, the U.S. undersecretary for defense under Bush, who left that job in 2005

When Virtual-States Attack Nation-States (AOL Government) Sources familiar with the turn of events in Israel say that now the Israeli government has confirmed publicly that a massive cyber attack targeting them is underway. This raises a number of questions. How will a nation-state, such as Israel, respond to

Malware uses Google Docs as proxy to command and control server (CSO) Backdoor.Makadocs variant uses Google Drive Viewer feature to receive instructions from its real command and control server. Security researchers from antivirus vendor Symantec have uncovered a piece of malware that uses Google Docs, which is now part of Google Drive, as a bridge when communicating with attackers in order to hide the malicious traffic

Windows 8 Malware Using Google Docs to Target Brazilians (Threatpost) New malware targeting Windows 8 appears to be using Google Docs as a proxy server instead of directly connecting to a command and control (C&C) server. According to research done by Symantec and discussed in the company's Security Response blog late last week, a Trojan, Backdoor.Makadocs, targets Windows 8 - along with Windows Server 2012 - yet doesn't use any of the software's particular functions as an exploit vector

Blackhole exploits lead a black month for malware (Help Net Security) In October, GFI Software threat researchers uncovered a large number of Blackhole exploits disguised as Windows licenses (just prior to the release of Windows 8), Facebook account verification emails

Cyber-criminals hit primary school (Northern Star) A Byron Bay primary school has been the latest victim of sophisticated cyber crime in which their server was digitally "kidnapped" and held for ransom. Two weeks ago Byron Community Primary School's server was hacked. All data became inaccessible and vital daily tasks such as updating roles, recording financial transactions, and entering health records were impossible

Phishing Malware Combo Targets Twitter with Spurious Obama Story (SPAMfighter News) Security experts at Panda Security, describing the attack, state the scammers use the disgraceful missive for duping end-users so they'll proceed to follow

FreeBSD infrastructure breached, third-party packages potentially affected (Help Net Security) The FreeBSD team has announced over the weekend that two machines within the FreeBSD.org cluster have been compromised and have been consequently pulled offline for analysis. "These machines were

Fake tsunami news report leads to malware (Help Net Security) Fake news about celebrity deaths and impending natural disasters are often employed by online scammers and malware peddlers aiming to trick users into clicking on malicious links without thinking

Fake Apple apps appear on Android Google Play store (Naked Security) The Google Play store is NOT offering you genuine versions of iMovie, Keynote, Garage Band and other popular Apple products

Belgium - phishing fraudsters plunder hundreds of bank accounts (Wordpress) Flemish banks are currently being pummeled by a massive phishing attack. Over hundred Belgians have already been cleaned out of all money on their bank accounts. Fraudsters committed the crimes using email phishing and telephone calls to get hold of bank account numbers and pin data

Academia

What's The Big Idea? Pentagon Agency Backs Student Tinkerers To Find Out (NPR.org) At Analy High School in Sebastopol, Calif., three students are taking apart a bicycle that generates electricity. Another student is calibrating a laser cutter. They're all working in a cavernous building that once held the school's metal and electronics shop. Let's just say it has been updated

Litigation, Investigation, and Enforcement

Experian defends database security practices in face of investigations (Naked Security) Data brokers are on the hot seat as the Irish regulators begin an investigation into Experian's security methods and the US Congress demands more transparency into what's collected and how it's handled

Moneygram pays $100m to settle wire fraud charges (Finextra) Moneygram has agreed to pay $100 million to settle US charges that it criminally aided and abetted wire fraud and failed to maintain an effective anti-money laundering programme. The Department of Justice says that between 2004 and 2009, the firm violated the law by processing thousands of transactions for its agents "known to be involved" in a scam defrauding American citizens. The scams - which generally targeted the elderly and other vulnerable groups - included posing as victims' relatives in urgent need of money and falsely promising victims large cash prizes

Judge approves $22.5M Google fine for violating Safari privacy (Naked Security) A U.S. federal judge in San Francisco approved a legal settlement between the U.S. Federal Trade Commission (FTC) and Google on Friday to the tune of $22. 5M USD, declaring that Google mislead consumers about the privacy protections offered in its Safari web browser. Federal Judge Susan Illston gave her blessing to the settlement in a ruling on Friday, declaring the agreement "fair, adequate and reasonable." the Associated Press reported

Chinese Telecom Firms Pose a Threat to US National Security (U.S. News & World Report) A recent report of the U.S. National Counterintelligence Executive proclaimed that "Chinese actors are the world's most active and persistent perpetrators of economic espionage." And according to Keith Alexander, director of the National Security

Design and Innovation

Is Technology Innovation Too Incremental? (InformationWeek) Two prominent big thinkers think it is. But I'm not buying their unsupported arguments