The CyberWire Daily Briefing 10.03.12

Cyber Attacks, Threats, and Vulnerabilities

What is your phone saying behind your back? (Naked Security) Do you always turn WiFi off on your smartphone before leaving the house or work? You might think there's no harm in having WiFi turned on but not connected to a network, but that's not necessarily the case

Proof of concept Android malware creates 3D maps of your home (Naked Security) Researchers have created a malicious mobile phone application that uses phone and other sensors to create 3D visual maps of the owner's home and other spaces

Anonymous Message to Philippines internet E-Martial Law (Cyberwarzone) Anonymous Philippines just released an new video after the internet law went active in the Phillippines. Watch the video here. The Cybercrime Prevention Act of 2012 poses serious threats to Internet freedom, the right to privacy and other essential civil liberties including the freedom of speech, expression, and the press

Islamist Cyber Fighters Vow More Attacks Against US Targets (NewsMax.com) Keith B. Alexander, chief of the U.S. Cyber Command (also head of the National Security Agency), since it was launched two years ago, said the cyber threat has grown in 10 years "from exploitation to disruption to destruction of computer networks"

Swedish raid prompts new cyber attack threat (The Local.se) Swedish police raided the Stockholm offices of PRQ on Monday afternoon, the same day that a cyber attack paralyzed the websites of several Swedish government agencies, businesses, and media outlets. While it remains unclear who may have been

City of Tulsa Cyber Attack Was Penetration Test, Not Hack (eSecurity Planet) The City of Tulsa, Oklahoma last week began notifying residents that their personal data may have been accessed -- but it now turns out that the attack was a penetration test by a company the city had hired. "City officials didn't realize that the

Security Losses Remain Within Range Of Acceptable (Dark Reading) Not a single breach among the many in the past two weeks did enough damage to trigger an alarm. Catastrophic denial-of-service attacks by a foreign power against our largest financial institutions. An actively exploited 0day vulnerability in the world's most-used Web browser. The infiltration of one of technology's largest consumer and enterprise software vendors, resulting in the hijacking of their infrastructure to distribute digitally signed malicious software. The deep compromise of a major supplier of control software to utilities providers -- one with remote access to its customers control systems. New vulnerabilities in Java affecting all major platforms. The release of a tool that, for $20, can rapidly crack one of the most popular types of virtual private networks. The breach of an extremely common open-source Web application tool's servers and insertion of back doors. All in two weeks

SecTor: Old Security Vulnerabilities Live On (eSecurity Planet) Security researcher identifies security vulnerabilities from the 1990s that still persist today. The more things change, the more things stay the same. At the SecTor security conference in Toronto, Jamie Gamble, security researcher at Accuvant, detailed how old security issues that first

Online Criminals' Best Friends: Malnets (InformationWeek) The number of large malnets--server-side infrastructure used to infect PCs and sometimes to control botnets--tracked by security firm Blue Coat has tripled this year.

DHS Issued False 'Water Pump Hack' Report; Called It a 'Success' (Wired Threat Level) While DHS was busy accusing an Illinois fusion center last year of spreading false rumors about a water pump that was supposedly hacked by Russians, the department had been irresponsibly spreading the same false information privately in a report to

Cyber Trends

Institutions face growing cyberattacks and hacktivism, often the precursors of financial crime (ACFCS) When 56k modems were still considered cutting-edge technology, Wells Fargo customers were already dialing up to access their accounts through the web. The fourth-largest financial institution in the US was the first to roll out online banking in 1995. Now, it has 21 million online customers and 8

Should you give up e-mail? (Fox New) According to a survey of U.S. consumers released this week by the National Cyber Security Alliance (NCSA) roughly 90 percent of people admit that they feel vulnerable to hackers and malware online. The report, which coincides with October, or National

One in three companies take compliance risks (Help Net Security) Despite having corporate security and compliance policies and solutions in place, there is a widespread lack of confidence in their effectiveness. According to a DataMation survey, 84% of respondents

Machine-To-Machine Analytics: Next Big Data Challenge? (InformationWeek) Data storage is the tricky issue right now, but M2M data will soon test enterprises even further, says Hitachi executive

Marketplace

Public safety broadband network will rely on existing commercial infrastructure (Fierce Government IT) The network architecture should be premised to the extent possible on using "existing radio access network and core network infrastructure installed by commercial mobile operators," a FirstNet notice of inquiry states

Information Security: Race with No Finish Line (GovInfoSecurity.com) Markell highlights some of the initiatives underway in Delaware, including a cyber challenge camp to attract young people to the field of information security, as well as the state progressing to the next phase of a cybersecurity community training

Sheriff's Office provides daily cyber safety tips on Twitter during October (FoxReno.com) To remind the public about the importance of cyber safety, the Department of Homeland Security has designated October as National Cyber Security Awareness Month. To help Washoe County residents protect themselves, their families and their finances

Cyber Day SA (San Antonio Express) The plan is a three-prong approach to ensure the city is prepared in the event of a cyber attack or mishap that affects the local infrastructure. The collaborative initiative between local public and private sector leadership seeks to increase citizen

DISA picks new CIO (Federal Computer Week) The Defense Information Systems Agency has made changes in two posts key to the agency's IT operations. David Bennett, pictured at left, has been named the new CIO of DISA, according to an Oct. 2 announcement from the Defense Department. Bennett previously served as the agency's vice component acquisition executive. Bennett was preceded as CIO by Henry Sienkiewicz, who served in the position since May 2010. Sienkiewicz has been named as DISA's vice chief information assurance executive

2 Senators Upset About Sequestration Advice (Washington Times) Two top Republicans said this week that the Obama administration may not have had the legal authority to tell defense companies that taxpayers will pick up their legal bills if the companies are sued because of layoffs resulting from pending defense cuts

Report: Ashton Carter Memo Says Not to Assume Sequestration Will Happen (GovConWire) Deputy Defense Secretary Ashton Carter has told military departments and acquisition personnel to operate under current policy without assuming sequestration cuts will occur, according to an internal memo obtained by Bloomberg

HMRC deploys Becrypt off-the-shelf encryption (ComputerWeekly) HM Revenue and Customs (HMRC) is implementing disk encryption as part of a laptop refresh programme following a pilot rollout using 300 laptops. HMRC will use Becrypt Disk protect, which has been certified by the CESG, the UK Government's National Technical Authority for Information Assurance (IA). According to HMRC, the pilot demonstrated that Becrypt would provide simplified faster deployment and centralised management

Data Scientist Jobs Hiding Under Less Sexy Titles (InformationWeek) Big data's hottest job title, data scientist, remains rare in online postings. Job seekers can use other keywords to find 'hidden' big data jobs

Hanover cyber-intelligence company soaking up techies with Top Secret security clearance (Baltimore Sun) KEYW Holding Corp. is making good on an ambitious plan to grow, organically and through acquisitions, into a company that can respond quickly to the needs

Government contractors seeking commercial opportunities in cyber (Washington Business Journal) Booz Allen Hamilton Inc. is among the contractors seeking to use its federal cybersecurity work as a bridge to commercial opportunities in the sector

Booz Allen Hamilton celebrates the opening of its new office in ABu Dhabi (AME Info) Mike McConnell, former US Director of National Intelligence and current Vice Chairman of Booz Allen Hamilton, led the Harnessing Cyber Strength in the

PAE's Tina Dolph Discusses Lockheed Executive Development Program, Finance Background and More (Govconwire) Tina Dolph is the president of PAE's global security & development business unit where she is responsible for 3,000 employees, currently conducting a litany of development projects throughout the world. In her Q&A with ExecutiveBiz, Dolph covers an array of topics concerning her leadership role at the company…The 20-year industry-vet has a background in finance and along with many other PAE executives, is a former Lockheed Martin executive where she attended the Executive Assessment and Development Program in 2010

Motorola Mobility suddenly drops bid to ban sale of Macs, iOS devices (Ars Technica) Apple and Google-owned Motorola have no settlement, but ITC case is likely over

T-Mobile in talks to acquire MetroPCS (Ars Technica) If fourth, fifth biggest carriers do merge, they'd still be smaller than Sprint

Cyber security win for Macquarie Telecom (The Australian) Macquarie Telecom has been awarded a five-year, multimillion dollar contract to supply cyber security services to the Department of Agriculture, Fisheries and Forestry and 11 other federal agencies. Macquarie Telecom's managing director of hosting, Aidan Tudehope, said the deal would underpin a new $14 million investment in the telcos Canberra facilities to improve network capacity, and software and product development. That investment will see Macquaries capital expenditure for fiscal 2013 increase to $48 million from previous guidance of $34 million

Nokia Confirms It's Looking At HQ Sale, May Lease It Back, No Plans To Leave Finland (TechCrunch) As beleaguered handset maker Nokia continues to downsize its operations to conserve cash, the handset maker is looking to sell its global headquarters in Espoo, Finland for a price of up to $387 million (?300 million). The news was first reported by the Finnish-language Helsingen Sanomat, with the real-estate price estimate coming from Ilta-Sanomat. A Nokia spokesperson has confirmed to TechCrunch that it is evaluating this option, but that it may end up leasing back the same building, and in any case has no plans to leave Finland in the process

Ancestry.com Acquires Photo Digitization And Sharing Service 1000memories (TechCrunch) 1000memories, the San Francisco-based startup which offers web and mobile applications for storing, organizing, sharing, and most importantly, digitizing, your print photographs, has been acquired. Given the company's focus on preserving family memories, it's not too surprising who the new owner is: Ancestry.com. And fortunately for current users of the service, the deal doesn't mean a shutdown of 1000memories' website or apps, but rather more resources to continue their development.

$45 Billion Later, Larry Ellison Says No Major Acquisitions For Next Few Years (TechCrunch) Larry Ellison said today that Oracle does not plan to do any acquisitions in the next few years but would not rule one out down the road. He made the remarks in a CNBC interview at OracleOpenWorld in San Francisco. Ellison was also asked about a successor to the company he has run for the past three decades. He only said there are several who could take his place.

Products, Services, and Solutions

New BeyondTrust Release Of Free Vulnerability Assessment Tool (Dark Reading) Retina Community expands support for "horizontal IT" for up to 256 IPs

Bit9 Delivers Three Industry Firsts In The Fight Against Advanced Threats And Malware (Dark Reading) Version 7.0 of the Bit9 solution enables IT organizations to create policies that leverage the trust ratings in Bit9's cloud-based Global Software Registry

U.K. To Get First 4G Network On October 30; EE's LTE Will Kick Off In 10 Cities, 16 By Year's End (TechCrunch) The U.K.'s first LTE network -- run by EE (formerly Everything Everywhere) the parent company of the Orange and T-Mobile carriers -- will go live on October 30, EE's CEO Olaf Swantee has confirmed. The network was announced early last month -- with a launch scheduled for "the coming weeks"

Amazon Web Services adds free version of database in the cloud (IT World) Amazon Web Services has expanded its free service tier to include its Relational Database Service (RDS), the company said on Tuesday

Oracle finally releases pricing for cloud software offerings (IT World) Oracle has finally answered a big question hovering over its emerging family of cloud services: What do they cost

Windows 8 in the enterprise: Fragmentation and deployment (ZDNet) The more information that comes to light about Windows 8, the more the dreaded "F" word comes to mind. When you think of fragmentation in the mobile space the first thing you think of is the Android platform. Volumes have been written about the forks in Android that are enough to drive enterprises batty. So many versions, so many different devices to support, it's enough to give fits to IT folks tasked with making BYOD work

Microsoft co-founder dings Windows 8 as 'puzzling, confusing' (IT World) Microsoft co-founder Paul Allen on Tuesday called Windows 8 'puzzling' and 'confusing initially,' but assured users that they would eventually learn to like the new OS

Free USSD exploit blocker app (Help Net Security) Avira released a free security app for Android phone users to protect them from remote USSD attacks. The Avira USSD Exploit Blocker app is available on Google Play. "Most malware writers are motivated

Adobe Acrobat XI Stresses Collaboration Options (InformationWeek) Adobe wants to give PDFs a new image. Latest version of Acrobat strives to improve productivity through digital workflows

Microsoft Guides Help You Build BYOD Test Lab (InformationWeek) Wondering how to implement your own BYOD or consumerization-of-IT strategy? Here's how to do it, at least the Microsoft way, in a test lab. Microsoft offers background materials and instructions for a safe and efficient BYOD/CoIT setup using Windows Server 2008 R2

Technologies, Techniques, and Standards

The Pros And Cons Of Application Sandboxing (Dark Reading) Successes by Adobe, Google, and Apple to reduce privileges through sandboxing has reduced exploits in their software, but the technique is far from perfect

Turning Tables: ID'ing The Hacker Behind The Keyboard (Dark Reading) How naming names of hackers and pinpointing the beneficiaries of cyberspying and cybercrime attacks translate into a new kind of defense

The Ant Internet (IEEE Spectrum) Before researchers developed the Internet, ants developed the Anternet, a surprisingly similar communications network

PCI Security Standard: Mobile Payment Acceptance Security Guidelines (Internet Storm Center) What would Cyber Security Awareness Month with a Standards theme be without discussing some semblance of PCI-related content? Carefully avoiding the debate over the benefits and drawback of PCI DSS, I'll instead focus on a recent read with a quick summary of PCI Mobile Payment Acceptance Security Guidelines for Developers. This guideline hit my radar on 14 SEP courtesy of Ian's Dragon News Bytes and was intriguing as I had just published Mobile application security best practices in a BYOD world a couple of weeks earlier in Information Security

Design and Innovation

Appcelerator Launches "Innovation Fund" To Help Startups Speed Up Mobile App Development (TechCrunch) Appcelerator is all about speeding the development of rich, native mobile apps. One way it does this is with Titanium, its next-gen mobile app development platform. But now it's looking to accelerate app development by helping other startups focused on features, capabilities, or verticals that it's not focused on itself. With that in mind, the startup is introducing the Appcelerator Innovation Fund, through which it will invest in and provide support to promising startups who build apps based on its

Research and Development

Sandia builds massive Android network to study security, more (CSO) National laboratory's MegaDroid to be released as open source

NIST Selects Winner Of Secure Hash Algorithm (SHA-3) Competition (Dark Reading) Winning algorithm beat out 63 other submissions

Authentication Implications in Uniquely Identifiable Graphics Cards (Threatpost) Researchers working on the "physically unclonable functions found in standard PC components (PUFFIN) project" announced last week that widely used graphics processors could be the next step in online authentication

Legislation, Policy and Regulation

Trade group: Expect big push for online sales tax (IT World) Steve DelBianco is worried that the U.S. Congress will soon pass a law allowing states to collect sales taxes from most online sellers

Japan rolls out stiff fines and jail times for illegal downloads (Naked Security) Japan has changed its copyright law to criminalize downloaders for the first time, raising what were previously civil penalties to criminal penalties of up to two years prison time or fines of up to 2 million yen

Utilities open to cybersecurity dialogue (Nextgov) A group of electric companies says it is not opposed to working with the federal government to secure power-grid computer networks, as long as regulators dont proscribe new burdensome and inflexible rules. Senate Commerce Committee Chairman Jay Rockefeller, D-W. Va., helped sponsor legislation that would have created more government oversight of certain critical networks, including those that control electric grids

India may take the lead in Budapest cyber space security dialogue (The Hindu) The Government has begun efforts to put in place a comprehensive cyber security strategy as Indian representatives head to Budapest for the Cyber Space Conference this week. In the last few months, National Security Adviser Shivshankar Menon has slowly built a case for the Government to get its house in order. Three areas of focus are revitalising the Computer Emergency Response Team (CERT-IN), the creation of a professional body that certifies security of networks and cyber defence of critical information infrastructure networks that may be vulnerable to foreign governments or non-State actors

De Lima vows not to abuse anti-cybercrime powers (Abs-CbnNews) Justice Secretary Leila De Lima assured the public that government, especially the Department of Justice (DOJ), will not abuse its authority in the implementation of Republic Act (RA) No. 10175, also known as the Cybercrime Prevention Act. The law, assailed before the Supreme Court (SC) by various sectors for being "patently unconstitutional," takes effect beginning Wednesday. De Lima said the law's Implementing Rules and Regulations (IRR) will be crafted to "harmonize and clarify" questioned provisions of the law, such as the provisions on libel and the 'takedown powers' of the DOJ on websites

US Leaders Cite Partnership as Key to Cybersecurity (Equities.com) As the cyber threat intensifies over time from exploitation to disruption to destruction, responsible U.S. agencies and industries can fight back using cooperation and transparency, the commander of U.S. Cyber Command said here yesterday

DHS 'fusion centers' portrayed as pools of ineptitude, civil liberties intrusions (Washington Post) An initiative aimed at improving intelligence sharing has done little to make the country more secure, despite as much as $1.4 billion in federal spending, according to a two-year examination by Senate investigators

Killer Apps: What type of cybersecurity information does the government want? (Foreign Policy) U.S. government officials this week laid out exactly what type of information they want to be able to collect in order to defend banks, utilities, transportation companies and other "critical infrastructure" providers against cyber attack

Litigation, Investigation, and Enforcement

Edmonds 16-Year-Old Arrested in Cyber-Threat at Sammamish School (Patch) Police arrested a 16-year-old former Skyline High School student at his home in Edmonds Tuesday morning for allegedly threatening to bring a semi-automatic weapon to the school and shoot students in the commons, after receiving tips from Skyline students."I want to thank our public for coming forward and to our detectives," with tips that led to the arrest, Sammamish Police Chief Nate Elledge told reporters at a press conference at Sammamish City Hall

Microsoft Reaches Settlement with Site Linked to Nitol Botnet (Threatpost) Microsoft announced today it's reached a settlement with the operator of a Chinese Web site whose domain and sub-domains hosted more than 500 kinds of malware, including the Nitol botnet found on brand new computers. In a lawsuit filed two weeks ago by the software giant, Microsoft alleged the domain 3322. org hosted Nitol, which was found being preloaded onto computers during an investigation into supply chain security last August

Scareware defendant fined $163M in FTC suit (Computer World) A U.S. judge has imposed a judgment of $163. 2 million against a defendant accused by the U.S. Federal Trade Commission of being part of an operation that sold software to people it tricked into thinking their computers were infected with malicious software. Judge Richard Bennett of U.S. District Court for the District of Maryland ordered defendant Kristy Ross, vice president of Business Development for Ukraine-based Innovative Marketing, in a Sept. 24 ruling

Government Asks Court to Toss Wiretap Claims (Courthouse News Service) Two lawsuits have been filed in recent years, claiming the National Security Agency, under the current direction of Director Keith Alexander and the president of the United States, have orchestrated a program of indiscriminate surveillance of US

World spies in NZ only days before Dotcom bolt (Stuff.co.nz) It is believed he was joined by representatives from the US Central Intelligence Agency, National Security Agency, Britain's Communications Headquarters, Canada's Communications Security Establishment and the Australian Secret Intelligence Service

Police raids controversial Swedish web host, Pirate Bay site is down (Help Net Security) The Pirate Bay's website is unreachable and has been down for over a day now, prompting speculation that Monday's police raid of the premises of Stockholm-based web host PeRiQuito (PRQ) might have some