The CyberWire Daily Briefing for 10.3.2012
Researchers give smartphone users new reasons to worry: leaving WiFi on can expose a phone to data leakage, even when it's not connected to a network, and proof-of-concept Android malware uses a phone to create 3D maps of private spaces.
The Philippines enacts new cyber crime legislation, and Anonymous pledges to fight what it calls "e-martial law." The Islamist hacktivists who claim responsibility for last week's anti-banking campaign promise more attacks against US targets. (For all the furor surrounding those attacks, the damage appears to have been tolerable.) Sweden's raids on Pirate Bay appear to have provoked a hacking backlash.
We've seen local governments take an increasingly active cyber security role. This week Tulsa shows the risks inherent in that role: the city forgot it had engaged penetration testers, saw the testers' activity, and began warning citizens their personal data had been exposed. (May Reno and San Antonio have better luck with upcoming cyber exercises.)
Hacktivism is increasingly a precursor to financial crime. A DataMation survey finds one-third of companies take compliance risks. The Defense Department has hinted it will pick up contractors' legal fees if sequestration produces layoffs that prompt lawsuits. "Data scientist" is the hot job in the labor market, but recruiters find qualified candidates hard to spot. Booz Allen and KEYW continue their push from government into commercial cyber work.
US cyber policymakers continue to advocate public-private partnership. The Department of Homeland Security receives harsh bipartisan criticism in a Senate report on fusion center failures: "pools of ineptitude."
Cyber Attacks, Threats, and Vulnerabilities
What is your phone saying behind your back? (Naked Security) Do you always turn WiFi off on your smartphone before leaving the house or work? You might think there's no harm in having WiFi turned on but not connected to a network, but that's not necessarily the case
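The leak at issue is the 802.11 probe request: a phone with Wi-Fi enabled but not associated periodically broadcasts probes naming each network it remembers, so a passive monitor-mode capture yields both its MAC address and the SSIDs of its home and office networks. The following Python is an added example, not code from the original page or from the Naked Security authors. It constructs a few sample frames (the MAC addresses, SSIDs and the beacon are made up for the example) and parses them the way a sniffer would, assuming raw 802.11 management frames with no radiotap header and no FCS.

```python
import struct
from collections import defaultdict

PROBE_REQUEST = (0, 4)          # 802.11 type 0 (management), subtype 4 (probe request)
BROADCAST = b"\xff" * 6


def build_probe_request(source_mac, ssid, seq=0):
    """Build a minimal probe request (no radiotap header, no FCS).
    Only used here to construct sample frames for the example."""
    fc = bytes([0x40, 0x00])                      # frame control: mgmt / probe request
    header = (fc + struct.pack("<H", 0)           # duration
              + BROADCAST + source_mac + BROADCAST   # DA, SA, BSSID
              + struct.pack("<H", seq << 4))      # sequence control
    body = bytes([0, len(ssid)]) + ssid           # IE 0: SSID (empty = wildcard probe)
    body += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # IE 1: supported rates
    return header + body


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_ies(body):
    """Walk the information elements; stop cleanly on a truncated element
    rather than reading past the end of the frame."""
    ies, i = [], 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break
        ies.append((tag, value))
        i += 2 + length
    return ies


def parse_probe_request(frame):
    """Return (source MAC, probed SSID) for a probe request, else None."""
    if len(frame) < 24:                           # shorter than a management header
        return None
    fc = frame[0]
    if ((fc >> 2) & 0x3, (fc >> 4) & 0xF) != PROBE_REQUEST:
        return None
    source = mac_str(frame[10:16])                # address 2 is the transmitter
    ssid = ""
    for tag, value in parse_ies(frame[24:]):
        if tag == 0:
            ssid = value.decode("utf-8", "replace")
            break
    return source, ssid


def preferred_networks(frames):
    """Map each probing station to the set of named SSIDs it asked for.
    Wildcard (empty-SSID) probes carry no network name and are dropped."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed is None:
            continue
        source, ssid = parsed
        if ssid:
            seen[source].add(ssid)
    return dict(seen)


# Constructed sample capture: one phone probing for its remembered networks,
# a second phone sending only a wildcard probe, and a beacon that must be ignored.
PHONE_A = bytes.fromhex("02000000aa01")
PHONE_B = bytes.fromhex("02000000bb02")
SAMPLE_FRAMES = [
    build_probe_request(PHONE_A, b"HomeNet-5G", seq=1),
    build_probe_request(PHONE_A, b"Corp-Staff", seq=2),
    build_probe_request(PHONE_A, b"", seq=3),
    build_probe_request(PHONE_B, b"", seq=1),
    bytes([0x80, 0x00]) + b"\x00" * 22 + bytes([0, 4]) + b"Cafe",   # beacon, not a probe
]

if __name__ == "__main__":
    for mac, ssids in preferred_networks(SAMPLE_FRAMES).items():
        print(mac, sorted(ssids))
```

Run against a real capture the output is a per-device list of network names, which is exactly what a stalker or a shop's tracking system can collect from a phone that has never joined their network; the practical mitigation is to turn Wi-Fi off when away from known networks or to use a platform that randomises the probing MAC address.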
Proof of concept Android malware creates 3D maps of your home (Naked Security) Researchers have created a malicious mobile phone application that uses phone and other sensors to create 3D visual maps of the owner's home and other spaces
Anonymous Message to Philippines internet E-Martial Law (Cyberwarzone) Anonymous Philippines just released a new video after the internet law went active in the Philippines. Watch the video here. The Cybercrime Prevention Act of 2012 poses serious threats to Internet freedom, the right to privacy and other essential civil liberties including the freedom of speech, expression, and the press
Islamist Cyber Fighters Vow More Attacks Against US Targets (NewsMax.com) Keith B. Alexander, chief of U.S. Cyber Command since it was launched two years ago (and also head of the National Security Agency), said the cyber threat has grown in 10 years "from exploitation to disruption to destruction of computer networks"
Swedish raid prompts new cyber attack threat (The Local.se) Swedish police raided the Stockholm offices of PRQ on Monday afternoon, the same day that a cyber attack paralyzed the websites of several Swedish government agencies, businesses, and media outlets. While it remains unclear who may have been
City of Tulsa Cyber Attack Was Penetration Test, Not Hack (eSecurity Planet) The City of Tulsa, Oklahoma last week began notifying residents that their personal data may have been accessed -- but it now turns out that the attack was a penetration test by a company the city had hired. "City officials didn't realize that the
Security Losses Remain Within Range Of Acceptable (Dark Reading) Not a single breach among the many in the past two weeks did enough damage to trigger an alarm. Catastrophic denial-of-service attacks by a foreign power against our largest financial institutions. An actively exploited 0day vulnerability in the world's most-used Web browser. The infiltration of one of technology's largest consumer and enterprise software vendors, resulting in the hijacking of their infrastructure to distribute digitally signed malicious software. The deep compromise of a major supplier of control software to utilities providers -- one with remote access to its customers control systems. New vulnerabilities in Java affecting all major platforms. The release of a tool that, for $20, can rapidly crack one of the most popular types of virtual private networks. The breach of an extremely common open-source Web application tool's servers and insertion of back doors. All in two weeks
SecTor: Old Security Vulnerabilities Live On (eSecurity Planet) Security researcher identifies security vulnerabilities from the 1990s that still persist today. The more things change, the more things stay the same. At the SecTor security conference in Toronto, Jamie Gamble, security researcher at Accuvant, detailed how old security issues that first
Online Criminals' Best Friends: Malnets (InformationWeek) The number of large malnets--server-side infrastructure used to infect PCs and sometimes to control botnets--tracked by security firm Blue Coat has tripled this year.
DHS Issued False 'Water Pump Hack' Report; Called It a 'Success' (Wired Threat Level) While DHS was busy accusing an Illinois fusion center last year of spreading false rumors about a water pump that was supposedly hacked by Russians, the department had been irresponsibly spreading the same false information privately in a report to
Institutions face growing cyberattacks and hacktivism, often the precursors of financial crime (ACFCS) When 56k modems were still considered cutting-edge technology, Wells Fargo customers were already dialing up to access their accounts through the web. The fourth-largest financial institution in the US was the first to roll out online banking in 1995. Now, it has 21 million online customers and 8
Should you give up e-mail? (Fox News) According to a survey of U.S. consumers released this week by the National Cyber Security Alliance (NCSA) roughly 90 percent of people admit that they feel vulnerable to hackers and malware online. The report, which coincides with October, or National
One in three companies take compliance risks (Help Net Security) Despite having corporate security and compliance policies and solutions in place, there is a widespread lack of confidence in their effectiveness. According to a DataMation survey, 84% of respondents
Machine-To-Machine Analytics: Next Big Data Challenge? (InformationWeek) Data storage is the tricky issue right now, but M2M data will soon test enterprises even further, says Hitachi executive
Public safety broadband network will rely on existing commercial infrastructure (Fierce Government IT) The network architecture should be premised to the extent possible on using "existing radio access network and core network infrastructure installed by commercial mobile operators," a FirstNet notice of inquiry states
Information Security: Race with No Finish Line (GovInfoSecurity.com) Markell highlights some of the initiatives underway in Delaware, including a cyber challenge camp to attract young people to the field of information security, as well as the state progressing to the next phase of a cybersecurity community training
Sheriff's Office provides daily cyber safety tips on Twitter during October (FoxReno.com) To remind the public about the importance of cyber safety, the Department of Homeland Security has designated October as National Cyber Security Awareness Month. To help Washoe County residents protect themselves, their families and their finances
Cyber Day SA (San Antonio Express) The plan is a three-prong approach to ensure the city is prepared in the event of a cyber attack or mishap that affects the local infrastructure. The collaborative initiative between local public and private sector leadership seeks to increase citizen
DISA picks new CIO (Federal Computer Week) The Defense Information Systems Agency has made changes in two posts key to the agency's IT operations. David Bennett has been named the new CIO of DISA, according to an Oct. 2 announcement from the Defense Department. Bennett previously served as the agency's vice component acquisition executive. Bennett was preceded as CIO by Henry Sienkiewicz, who served in the position since May 2010. Sienkiewicz has been named as DISA's vice chief information assurance executive
2 Senators Upset About Sequestration Advice (Washington Times) Two top Republicans said this week that the Obama administration may not have had the legal authority to tell defense companies that taxpayers will pick up their legal bills if the companies are sued because of layoffs resulting from pending defense cuts
Report: Ashton Carter Memo Says Not to Assume Sequestration Will Happen (GovConWire) Deputy Defense Secretary Ashton Carter has told military departments and acquisition personnel to operate under current policy without assuming sequestration cuts will occur, according to an internal memo obtained by Bloomberg
HMRC deploys Becrypt off-the-shelf encryption (ComputerWeekly) HM Revenue and Customs (HMRC) is implementing disk encryption as part of a laptop refresh programme following a pilot rollout using 300 laptops. HMRC will use Becrypt Disk protect, which has been certified by the CESG, the UK Government's National Technical Authority for Information Assurance (IA). According to HMRC, the pilot demonstrated that Becrypt would provide simplified faster deployment and centralised management
Data Scientist Jobs Hiding Under Less Sexy Titles (InformationWeek) Big data's hottest job title, data scientist, remains rare in online postings. Job seekers can use other keywords to find 'hidden' big data jobs
Hanover cyber-intelligence company soaking up techies with Top Secret security clearance (Baltimore Sun) KEYW Holding Corp. is making good on an ambitious plan to grow, organically and through acquisitions, into a company that can respond quickly to the needs
Government contractors seeking commercial opportunities in cyber (Washington Business Journal) Booz Allen Hamilton Inc. is among the contractors seeking to use its federal cybersecurity work as a bridge to commercial opportunities in the sector
Booz Allen Hamilton celebrates the opening of its new office in Abu Dhabi (AME Info) Mike McConnell, former US Director of National Intelligence and current Vice Chairman of Booz Allen Hamilton, led the Harnessing Cyber Strength in the
PAE's Tina Dolph Discusses Lockheed Executive Development Program, Finance Background and More (Govconwire) Tina Dolph is the president of PAE's global security & development business unit, where she is responsible for 3,000 employees currently conducting a litany of development projects throughout the world. In her Q&A with ExecutiveBiz, Dolph covers an array of topics concerning her leadership role at the company…The 20-year industry veteran has a background in finance and, along with many other PAE executives, is a former Lockheed Martin executive; she attended the Executive Assessment and Development Program there in 2010
Motorola Mobility suddenly drops bid to ban sale of Macs, iOS devices (Ars Technica) Apple and Google-owned Motorola have no settlement, but ITC case is likely over
T-Mobile in talks to acquire MetroPCS (Ars Technica) If fourth, fifth biggest carriers do merge, they'd still be smaller than Sprint
Cyber security win for Macquarie Telecom (The Australian) Macquarie Telecom has been awarded a five-year, multimillion dollar contract to supply cyber security services to the Department of Agriculture, Fisheries and Forestry and 11 other federal agencies. Macquarie Telecom's managing director of hosting, Aidan Tudehope, said the deal would underpin a new $14 million investment in the telco's Canberra facilities to improve network capacity, and software and product development. That investment will see Macquarie's capital expenditure for fiscal 2013 increase to $48 million from previous guidance of $34 million
Nokia Confirms It's Looking At HQ Sale, May Lease It Back, No Plans To Leave Finland (TechCrunch) As beleaguered handset maker Nokia continues to downsize its operations to conserve cash, the handset maker is looking to sell its global headquarters in Espoo, Finland for a price of up to $387 million (€300 million). The news was first reported by the Finnish-language Helsingin Sanomat, with the real-estate price estimate coming from Ilta-Sanomat. A Nokia spokesperson has confirmed to TechCrunch that it is evaluating this option, but that it may end up leasing back the same building, and in any case has no plans to leave Finland in the process
Ancestry.com Acquires Photo Digitization And Sharing Service 1000memories (TechCrunch) 1000memories, the San Francisco-based startup which offers web and mobile applications for storing, organizing, sharing, and most importantly, digitizing, your print photographs, has been acquired. Given the company's focus on preserving family memories, it's not too surprising who the new owner is: Ancestry.com. And fortunately for current users of the service, the deal doesn't mean a shutdown of 1000memories' website or apps, but rather more resources to continue their development.
$45 Billion Later, Larry Ellison Says No Major Acquisitions For Next Few Years (TechCrunch) Larry Ellison said today that Oracle does not plan to do any acquisitions in the next few years but would not rule one out down the road. He made the remarks in a CNBC interview at OracleOpenWorld in San Francisco. Ellison was also asked about a successor to the company he has run for the past three decades. He only said there are several who could take his place.
Products, Services, and Solutions
New BeyondTrust Release Of Free Vulnerability Assessment Tool (Dark Reading) Retina Community expands support for "horizontal IT" for up to 256 IPs
Bit9 Delivers Three Industry Firsts In The Fight Against Advanced Threats And Malware (Dark Reading) Version 7.0 of the Bit9 solution enables IT organizations to create policies that leverage the trust ratings in Bit9's cloud-based Global Software Registry
U.K. To Get First 4G Network On October 30; EE's LTE Will Kick Off In 10 Cities, 16 By Year's End (TechCrunch) The U.K.'s first LTE network -- run by EE (formerly Everything Everywhere) the parent company of the Orange and T-Mobile carriers -- will go live on October 30, EE's CEO Olaf Swantee has confirmed. The network was announced early last month -- with a launch scheduled for "the coming weeks"
Amazon Web Services adds free version of database in the cloud (IT World) Amazon Web Services has expanded its free service tier to include its Relational Database Service (RDS), the company said on Tuesday
Oracle finally releases pricing for cloud software offerings (IT World) Oracle has finally answered a big question hovering over its emerging family of cloud services: What do they cost
Windows 8 in the enterprise: Fragmentation and deployment (ZDNet) The more information that comes to light about Windows 8, the more the dreaded "F" word comes to mind. When you think of fragmentation in the mobile space the first thing you think of is the Android platform. Volumes have been written about the forks in Android that are enough to drive enterprises batty. So many versions, so many different devices to support, it's enough to give fits to IT folks tasked with making BYOD work
Microsoft co-founder dings Windows 8 as 'puzzling, confusing' (IT World) Microsoft co-founder Paul Allen on Tuesday called Windows 8 'puzzling' and 'confusing initially,' but assured users that they would eventually learn to like the new OS
Free USSD exploit blocker app (Help Net Security) Avira released a free security app for Android phone users to protect them from remote USSD attacks. The Avira USSD Exploit Blocker app is available on Google Play. "Most malware writers are motivated
Adobe Acrobat XI Stresses Collaboration Options (InformationWeek) Adobe wants to give PDFs a new image. Latest version of Acrobat strives to improve productivity through digital workflows
Microsoft Guides Help You Build BYOD Test Lab (InformationWeek) Wondering how to implement your own BYOD or consumerization-of-IT strategy? Here's how to do it, at least the Microsoft way, in a test lab. Microsoft offers background materials and instructions for a safe and efficient BYOD/CoIT setup using Windows Server 2008 R2
Technologies, Techniques, and Standards
The Pros And Cons Of Application Sandboxing (Dark Reading) Successes by Adobe, Google, and Apple to reduce privileges through sandboxing has reduced exploits in their software, but the technique is far from perfect
Turning Tables: ID'ing The Hacker Behind The Keyboard (Dark Reading) How naming names of hackers and pinpointing the beneficiaries of cyberspying and cybercrime attacks translate into a new kind of defense
The Ant Internet (IEEE Spectrum) Before researchers developed the Internet, ants developed the Anternet, a surprisingly similar communications network
PCI Security Standard: Mobile Payment Acceptance Security Guidelines (Internet Storm Center) What would Cyber Security Awareness Month with a Standards theme be without discussing some semblance of PCI-related content? Carefully avoiding the debate over the benefits and drawbacks of PCI DSS, I'll instead focus on a recent read with a quick summary of PCI Mobile Payment Acceptance Security Guidelines for Developers. This guideline hit my radar on 14 SEP courtesy of Ian's Dragon News Bytes and was intriguing as I had just published Mobile application security best practices in a BYOD world a couple of weeks earlier in Information Security
Design and Innovation
Appcelerator Launches "Innovation Fund" To Help Startups Speed Up Mobile App Development (TechCrunch) Appcelerator is all about speeding the development of rich, native mobile apps. One way it does this is with Titanium, its next-gen mobile app development platform. But now it's looking to accelerate app development by helping other startups focused on features, capabilities, or verticals that it's not focused on itself. With that in mind, the startup is introducing the Appcelerator Innovation Fund, through which it will invest in and provide support to promising startups who build apps based on its
Research and Development
Sandia builds massive Android network to study security, more (CSO) National laboratory's MegaDroid to be released as open source
NIST Selects Winner Of Secure Hash Algorithm (SHA-3) Competition (Dark Reading) Winning algorithm beat out 63 other submissions
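The algorithm NIST selected was Keccak, a fact the item above does not name. The block below is an added example, not code from the original page or from the Keccak designers: a from-scratch Keccak-f[1600] permutation and sponge in Python, parameterised on the padding domain byte so the same code yields both the competition-era Keccak-256 (suffix 0x01, as submitted in 2012) and the SHA3-256 that FIPS 202 later standardised with a changed padding (suffix 0x06). The function names, the cross-check against hashlib and the sample inputs are my own.

```python
import hashlib

MASK64 = (1 << 64) - 1

# Round constants and rotation offsets of Keccak-f[1600], as in the Keccak specification.
RC = [
    0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
    0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
    0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
    0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
    0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
    0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008,
]
ROT = [                     # ROT[x][y]
    [0, 36, 3, 41, 18],
    [1, 44, 10, 45, 2],
    [62, 6, 43, 15, 61],
    [28, 55, 25, 21, 56],
    [27, 20, 39, 8, 14],
]


def rol64(v, n):
    n %= 64
    return v if n == 0 else ((v << n) | (v >> (64 - n))) & MASK64


def keccak_f1600(a):
    """Apply the 24-round Keccak-f[1600] permutation to a 5x5 array of 64-bit lanes."""
    for rc in RC:
        # theta: mix each lane with the parity of two neighbouring columns
        c = [a[x][0] ^ a[x][1] ^ a[x][2] ^ a[x][3] ^ a[x][4] for x in range(5)]
        d = [c[(x - 1) % 5] ^ rol64(c[(x + 1) % 5], 1) for x in range(5)]
        a = [[a[x][y] ^ d[x] for y in range(5)] for x in range(5)]
        # rho (per-lane rotation) and pi (lane permutation)
        b = [[0] * 5 for _ in range(5)]
        for x in range(5):
            for y in range(5):
                b[y][(2 * x + 3 * y) % 5] = rol64(a[x][y], ROT[x][y])
        # chi: the only non-linear step, applied along rows
        a = [[b[x][y] ^ (~b[(x + 1) % 5][y] & b[(x + 2) % 5][y]) for y in range(5)]
             for x in range(5)]
        # iota: break symmetry between rounds
        a[0][0] ^= rc
    return a


def keccak_sponge(data, rate_bytes, suffix, out_len):
    """Sponge construction over Keccak-f[1600] with pad10*1 padding.
    suffix is the domain-separation byte placed before the padding:
    0x01 reproduces the 2012 competition submission, 0x06 the FIPS 202 SHA-3 functions."""
    msg = bytearray(data) + bytes([suffix])
    msg += bytes(-len(msg) % rate_bytes)      # zero-fill to a whole block
    msg[-1] |= 0x80                           # final 1 bit of pad10*1
    a = [[0] * 5 for _ in range(5)]
    lanes = rate_bytes // 8
    for off in range(0, len(msg), rate_bytes):                     # absorb
        for i in range(lanes):                                     # lane i = x + 5*y
            a[i % 5][i // 5] ^= int.from_bytes(msg[off + 8 * i: off + 8 * i + 8], "little")
        a = keccak_f1600(a)
    out = bytearray()                                              # squeeze
    while True:
        for i in range(lanes):
            out += a[i % 5][i // 5].to_bytes(8, "little")
        if len(out) >= out_len:
            return bytes(out[:out_len])
        a = keccak_f1600(a)


def sha3_256(data):
    """SHA3-256 as standardised in FIPS 202: rate 1088 bits, capacity 512 bits."""
    return keccak_sponge(data, 136, 0x06, 32)


def keccak_256(data):
    """The competition-era Keccak[r=1088, c=512] with 256-bit output (original padding)."""
    return keccak_sponge(data, 136, 0x01, 32)


def matches_stdlib(data):
    """Cross-check this implementation against the standard library's SHA3-256."""
    return sha3_256(data) == hashlib.sha3_256(data).digest()


if __name__ == "__main__":
    print("SHA3-256('')   ", sha3_256(b"").hex())
    print("Keccak-256('') ", keccak_256(b"").hex())
```

The two digests for the empty string differ only because of the padding byte, which is the practical trap: code written against the 2012 winner (and still used as "Keccak-256" in some ecosystems) does not interoperate with SHA-3 as standardised. A Python implementation like this is for reading and for checking test vectors; production code should use hashlib or another audited, constant-time library.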
Authentication Implications in Uniquely Identifiable Graphics Cards (Threatpost) Researchers working on the "physically unclonable functions found in standard PC components (PUFFIN) project" announced last week that widely used graphics processors could be the next step in online authentication
Legislation, Policy, and Regulation
Trade group: Expect big push for online sales tax (IT World) Steve DelBianco is worried that the U.S. Congress will soon pass a law allowing states to collect sales taxes from most online sellers
Japan rolls out stiff fines and jail times for illegal downloads (Naked Security) Japan has changed its copyright law to criminalize downloaders for the first time, raising what were previously civil penalties to criminal penalties of up to two years prison time or fines of up to 2 million yen
Utilities open to cybersecurity dialogue (Nextgov) A group of electric companies says it is not opposed to working with the federal government to secure power-grid computer networks, as long as regulators don't prescribe new burdensome and inflexible rules. Senate Commerce Committee Chairman Jay Rockefeller, D-W. Va., helped sponsor legislation that would have created more government oversight of certain critical networks, including those that control electric grids
India may take the lead in Budapest cyber space security dialogue (The Hindu) The Government has begun efforts to put in place a comprehensive cyber security strategy as Indian representatives head to Budapest for the Cyber Space Conference this week. In the last few months, National Security Adviser Shivshankar Menon has slowly built a case for the Government to get its house in order. Three areas of focus are revitalising the Computer Emergency Response Team (CERT-IN), the creation of a professional body that certifies security of networks and cyber defence of critical information infrastructure networks that may be vulnerable to foreign governments or non-State actors
De Lima vows not to abuse anti-cybercrime powers (Abs-CbnNews) Justice Secretary Leila De Lima assured the public that government, especially the Department of Justice (DOJ), will not abuse its authority in the implementation of Republic Act (RA) No. 10175, also known as the Cybercrime Prevention Act. The law, assailed before the Supreme Court (SC) by various sectors for being "patently unconstitutional," takes effect beginning Wednesday. De Lima said the law's Implementing Rules and Regulations (IRR) will be crafted to "harmonize and clarify" questioned provisions of the law, such as the provisions on libel and the 'takedown powers' of the DOJ on websites
US Leaders Cite Partnership as Key to Cybersecurity (Equities.com) As the cyber threat intensifies over time from exploitation to disruption to destruction, responsible U.S. agencies and industries can fight back using cooperation and transparency, the commander of U.S. Cyber Command said here yesterday
DHS 'fusion centers' portrayed as pools of ineptitude, civil liberties intrusions (Washington Post) An initiative aimed at improving intelligence sharing has done little to make the country more secure, despite as much as $1.4 billion in federal spending, according to a two-year examination by Senate investigators
Killer Apps: What type of cybersecurity information does the government want? (Foreign Policy) U.S. government officials this week laid out exactly what type of information they want to be able to collect in order to defend banks, utilities, transportation companies and other "critical infrastructure" providers against cyber attack
Litigation, Investigation, and Law Enforcement
Edmonds 16-Year-Old Arrested in Cyber-Threat at Sammamish School (Patch) Police arrested a 16-year-old former Skyline High School student at his home in Edmonds Tuesday morning for allegedly threatening to bring a semi-automatic weapon to the school and shoot students in the commons, after receiving tips from Skyline students. "I want to thank our public for coming forward and to our detectives," with tips that led to the arrest, Sammamish Police Chief Nate Elledge told reporters at a press conference at Sammamish City Hall
Microsoft Reaches Settlement with Site Linked to Nitol Botnet (Threatpost) Microsoft announced today it's reached a settlement with the operator of a Chinese Web site whose domain and sub-domains hosted more than 500 kinds of malware, including the Nitol botnet found on brand new computers. In a lawsuit filed two weeks ago by the software giant, Microsoft alleged the domain 3322.org hosted Nitol, which was found being preloaded onto computers during an investigation into supply chain security last August
Scareware defendant fined $163M in FTC suit (Computer World) A U.S. judge has imposed a judgment of $163.2 million against a defendant accused by the U.S. Federal Trade Commission of being part of an operation that sold software to people it tricked into thinking their computers were infected with malicious software. Judge Richard Bennett of U.S. District Court for the District of Maryland entered the judgment against defendant Kristy Ross, vice president of Business Development for Ukraine-based Innovative Marketing, in a Sept. 24 ruling
Government Asks Court to Toss Wiretap Claims (Courthouse News Service) Two lawsuits have been filed in recent years, claiming the National Security Agency, under the current direction of Director Keith Alexander and the president of the United States, have orchestrated a program of indiscriminate surveillance of US
World spies in NZ only days before Dotcom bolt (Stuff.co.nz) It is believed he was joined by representatives from the US Central Intelligence Agency, National Security Agency, Britain's Government Communications Headquarters (GCHQ), Canada's Communications Security Establishment and the Australian Secret Intelligence Service
Police raid controversial Swedish web host, Pirate Bay site is down (Help Net Security) The Pirate Bay's website is unreachable and has been down for over a day now, prompting speculation that Monday's police raid of the premises of Stockholm-based web host PeRiQuito (PRQ) might have some
For a complete running list of events, please visit the Event Tracker.
Newly Noted Events
Gigaom Structure Europe (date and location not listed) This conference will feature "a deep dive into the cloud"…
Interested in National Cyber Security Awareness Month? (October 2012) National Cyber Security Awareness Month, held in October, encourages people to do their part to make their online lives safe and secure…
8th Cyber Security and Information Intelligence Research Workshop (date and location not listed) This workshop will "discuss and publish novel theoretical and empirical research focused on one or more of the Federal Cybersecurity themes."
THOTCON 0x4 (date and location not listed) A small, non-commercial hacking conference.
Cyber Maryland 2012 (Baltimore, Maryland, Oct 16 - 17, 2012) "Designed for information security insiders, business innovators and aspiring professionals, this two-day conference features national thought leaders, showcases business opportunities and provides outstanding networking. CyberMaryland 2012 is for technology companies, business leaders, students, emerging professionals, policy makers, elected officials, business services and entrepreneurs in public and private enterprise."
National Cyber Security Hall of Fame (Baltimore, Maryland, Oct 17, 2012) Baltimore welcomes the US cyber security community to honor the members of the National Cyber Security Hall of Fame inaugural class.
National Cyber Security Hall of Fame Inaugural Award Ceremony (Baltimore, Maryland, USA, Oct 17, 2012) Created to honor those who've created the cyber security industry, the National Cyber Security Hall of Fame celebrates its inaugural class this month.
Cyber Security: A National Imperative (Washington, DC, Oct 29, 2012) Lockheed Martin is hosting a panel discussion on Cyber Security: A National Imperative – An in-depth view of Cyber Security from the world's leading defense contractor on Monday, Oct. 29, 11:00am at the National Press Club.
TechExpo Cyber Security Careers (Columbia, Maryland, Nov 1, 2012) Profit from presentations by leading industry figures and networking opportunities designed for serious job-seekers.
E2 Innovate Conference & Expo (Santa Clara, California, Nov 14 - 15, 2012) E2 Innovate, formerly Enterprise 2.0, brings strategic business professionals together with industry influencers and next-gen enterprise technologies.
Anatomy of an Attack (New York, New York, Nov 15, 2012) Join Sophos security experts in exploring how threats like malware, Trojans, worms and spyware actually work and what you can do to protect your company, even if you're on a tight budget.