The CyberWire Daily Briefing 12.14.12

Cyber Trends

Survey: Threat Intelligence Reports Play Key Role In Security Strategies (Dark Reading) Turns out most enterprises consider the security threat intelligence reports that blanket the industry these days as key resources. Some 83 percent of organizations said they use threat intell reports to help shape their security strategies, and 78 percent said they use the reports as ammunition in their security budget processes, according to a survey conducted by managed security services provider Solutionary

Fortinet: Top 6 threat predictions for 2013 (CSO) Network security firm Fortinet has revealed FortiGuard Labs' 2013 threat predictions, highlighting six threats to watch out for next year

Smart TV hack highlights risk of 'The Internet of Everything' (CSO) As the use of smart connected devices expands, so do threats because while they may not look like computers, they are

5 cloud myths that will be debunked in 2013 (Help Net Security) There are a lot of common misconceptions and myths related to cloud computing. Many think of the cloud as less secure and reliable than on premise solutions, when in reality the opposite is actually

Lieberman Software Survey Finds Cloud Gurus Reject Cloud for Their Own Use - But Still Love It for Work (Virtual Strategy) A survey released by Lieberman Software Corporation today reveals that half (51%) of IT experts whose job roles focus on the cloud don't trust the cloud for any of their personal data such as contact lists, music, photos or Webmail. In addition, 86% of IT experts polled don't trust the cloud for their organization's more sensitive data

Study: Most Employees Cavalier About BYOD Security (Government Technology) According to a study (pdf) by the Cloud Security Alliance, nearly 80 percent of companies report having a policy that addresses mobile devices

Government Report Warns of 'Persistent, Pervasive' Economic Espionage Attacks on U.S. (Threatpost) Attempts by foreign governments, individuals and government-associated groups to steal intellectual property, state secrets and other sensitive data from U.S. companies and government agencies are ratcheting up and government officials say the threat has become especially "persistent, pervasive, and insidious" in the last couple of years. Much of the threat is coming from China and other countries in East Asia, and officials say they expect economic espionage activity from that region to continue to focus on the theft of IT, aerospace and military technologies

Utilities' cyber survey may be model for other industries (Federal Times) A White House effort to improve the cybersecurity of the nation's commercial power grid could soon be expanded to other critical sectors, such as transportation and water. The Energy and Homeland Security departments kicked off the initiative, known as the Electricity Sector Cybersecurity Capability Maturity Model, this year as an effort to assess and improve the security of thousands of utility companies

Report: Security Growing — Slowly (Industrial Safety and Security Source) Even after all the reported attacks and threats, utilities still view security as a cost center and remain challenged to allocate security funding beyond compliance minimums. But there is progress, according to Pike Research's Smart Grid Industrial Control System Security report on the smart grid

Legislation, Policy and Regulation

Senate committee votes to ban 'stalker apps' (Ars Technica) GOP senators may look to ban tracking apps but give leeway to other services

US targets 'notorious markets,' both online and physical, in year-end list (Ars Technica) United States Trade Representative removes Taobao, but targets others worldwide

Tweeters 'could be military targets' (Sydney Morning Herald) Social media users who use tweets and online posts to comment on a military operation could be regarded as legitimate military targets. Australian army Land Warfare Studies Centre analyst Chloe Diggins on Thursday said a recent social media war between Israel and Hamas raised complex ethical questions about who was a combatant and therefore a legitimate military target. A key question was whether such comments constituted an act of war."If that's the case, this might mean that those using social media in support of military operations are now legitimate targets," she wrote in a blog for the Australian Strategic Policy Institute

Defense Contractors Don't Want to Say When They've Been Hacked (Mother Jones) In 2009, it came to light that hackers had successfully broken into the most expensive Pentagon weapons program of all time, the F-35 fighter jet, by gaining access to computers allegedly belonging to the defense contractor BAE Systems (the contractor part came out later). There had "never been anything like it," one unnamed official told the Wall Street Journal. The intruders were later confirmed to be Chinese spies, and lo and behold, in 2012 China rolled out a stealth fighter that looked suspiciously like the F-35

Vint Cerf: The Internet doesn't need the ITU's help (IT World) Work under way to draft new regulations at the World Conference on International Telecommunications (WCIT) in Dubai this week could harm the Internet, warned Internet pioneer and Google executive Vint Cerf

Why the ITU is the wrong place to set Internet standards (Ars Technica) UN body won't "take over" the Internet—but it could hold back its progress. There has been a lot of heated rhetoric about the World Conference on International Telecommunications (WCIT), which is wrapping up its meeting in Dubai this week. Last week, the US Congress unanimously declared its opposition to giving the UN body increased control over the Internet. Congress is prone to making melodramatic gestures, but even more sober-minded entities such as Google and Mozilla seem to agree that WCIT is a danger to the open Internet

ITU Director General 'Surprised' By U.S. Dissent On New Telecoms Treaty, Says Internet And Content Issues Are Not In There (TechCrunch) The director general of the International Telecommunication Union today spoke of his surprise and disappointment with the US, UK and other nations walking out of a vote to approve a new UN telecoms treaty, the first update to international regulation of the industry in 24 years. The treaty has been charged with controversy over questions of how it would approach Internet provisioning and freedom

Australia, US refuse to sign internet treaty (Sydney Morning Herald) An attempt by governments to establish a worldwide policy for oversight of the internet collapsed after many Western countries said a compromise plan gave too much power to United Nations and other officials. Delegates from Australia, the US, UK and other countries took the floor on the second-last day of a UN conference in Dubai to reject revisions to a treaty governing international phone calls and data traffic."It's with a heavy heart and a sense of missed opportunities that the US must communicate that it's not able to sign the agreement in the current form," said Terry Kramer, the US ambassador to the gathering of the UN's International Telecommunication Union

US, UK and Canada refuse to sign UN internet treaty (BBC News) The US, UK and Canada say they will not sign an international communications treaty under discussion in Dubai. The three countries had objected to calls for all states to have equal rights to the governance of the internet

Deputy PM blocks U.K. communications surveillance bill (Fierce Government IT) Britain's Deputy Prime Minister Nick Clegg has put the kibosh on a draft Communications Data Bill that would have given police and intelligence services the power to monitor all email and internet use in the UK, according to the BBC. Although the British Home Office said the legislation was needed "without delay" to combat crime and terrorism, Clegg has called for a "fundamental rethink" of the proposed law and said he would block the bill while seeking an alternative "balance between security and liberty"

Products, Services, and Solutions

Total Defense Launches Cloud Security Solution (Dark Reading) Delivers multilayered protection through integration three security technologies

ALU's Kindsight Introduces New Mobile Security Features, Expands Protection (Dark Reading) Kindsight Mobile Security alerts subscribers when mobile malware is detected in the network and shows them which infected apps to remove

Oracle Melds Audit, Database Firewall Security (eSecurity Planet) Databases are among the most attacked technologies on Earth. Oracle, the largest database vendor on Earth, is fighting back. Oracle is aiming to make it easier for enterprises to secure databases with a new product announced this week. The Oracle Audit Vault and Database Firewall 12c is an evolution of two separate product families

Free Local Admin Discovery Tool First Step In Locking Down Admin Rights (Dark Reading) Viewfinity tool discovers who has local admin and application rights

Webroot Accelerates Global Reach With Addition Of Managed Service Provider Program (Dark Reading) Integrates Webroot SecureAnywhere with LabTech RMM

Six free/open source databases with commercial-quality features (IT World) Microsoft, Oracle offer impressive free versions of their commercial offerings, but MariaDB wins our test

Technologies, Techniques, and Standards

The Trouble With Security Metrics (Dark Reading) Security practitioner Doug Landoll is passionate about risk assessments and security measurements. Author of The Security Risk Assessment Handbook and CEO of a risk consultancy for SMBs, Assero Security, Landoll believes the industry engages in far too many theatrical risk assessments for the sake of audits. These assessments never return solid measurements of risk because the collection methods are faulty, he says. As organizations seek to meet risks head on, they need better visibility into which security initiatives work, which don't and which need improvement

Securing a tablet for web browsing in six easy steps (Naked Security) Taking your tablet online can make you vulnerable to an assortment of internet dangers, including identity theft and hackers. This is especially true if you're taking advantage of a public hotspot rather than your home network. Follow these simple steps to ensure safe and secure browsing no matter where you are

Counter-terrorism tools used to spot staff fraud (CNBC) JPMorgan Chase has turned to technology used for countering terrorism to spot fraud risk among its own employees and to tackle problems such as deciding how much to charge when selling property behind troubled mortgages. The technology involves crunching vast amounts of data to identify hard-to-detect patterns in markets or individual behavior that could reveal risks or openings to make money. Other banks are also turning to "big data", the name given to using large bodies of information, to identify potential rogue traders who might land them with massive losses, according to experts in the field

The DOE reaches out to utilities with cybersecurity model (Intelligent Utility) Theres an old joke with an equally archaic punchline that quips about the U.S. government never getting a thing done, how every project takes forever. At least in the case of a cybersecurity model, the U.S. government has definitely proven that joke completely and utterly wrong. The Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2) hasnt been in the works for a decade

How To Decommission BYOD Mobile Devices (Byte) Mobile connected devices are the most sought after gifts this holiday season — even beating out money, peace and happiness — according to a recent study by the Consumer Electronics Association. But in the midst of the unmitigated joy the latest tablets and smartphones will bring comes a message of caution: when it comes time for out with the old, in with the new, BYOD workers need to deal with the data still sitting on discarded devices

What if Tomorrow Was the Day? (Internet Storm Center) If you knew your network was going to be attacked tomorrow, what specific actions would you take today? Treat yourself to lunch at your desk as you consider the following suggestions. Look for opportunities to improve your detection capabilities. In your security lab, try changing operating system and application configurations to see if your current policies are able to detect and alert on these actions. If not, create new alerts that are labeled with the action you used to generate these events. This a great foundation to actively seek the activity that you are currently missing

It Takes Intelligence to Close the Identity and Access Management Gap (BankTech) The challenge for banks has always been ensuring the right people have the right access to the right resources and do the right things with them -- this is identity and access management (IAM). The first wave of solutions in the early 2000s automated provisioning with a focus on efficiency. Organizations could on-board new employees more quickly while using fewer IT staff to do it

Embracing Advanced Security Technologies (Industrial Safety and Security Source) The provisionally-approved CIP V5 standards address a wider spectrum of cyber-security technologies than previous versions addressed. In particular, the draft V5 standards address and encourage the use of hardware-enforced unidirectional communications technologies, and application control/whitelisting technologies.

Ozone Widget Framework to be on GitHub now by year's end (Fierce Government IT) Military open source advocates say that code for a National Security Agency-led framework for lightweight application development should be posted on GitHub by the end of this calendar year

A walking tour: 33 questions to ask about your company's security (CSO) Get away from the office, look around, and get a fresh perspective on protecting employees, assets, and data

Marketplace

Hong Kong Police invests HK$9M in cyber security center (CSO) The Hong Kong Police recently launched the Cyber Security Center to provide round-the-clock services, with an investment of HK$9 million in hardware and software for the new facility

SpyPhone: Pentagon Spooks Want New Tools for Mobile 'Exploitation' (Wired Danger Room) The Pentagon's spies are getting geekier. They're looking for better tools to collect and sift through data from captured cellphones, tablets, hard drives and other devices

Army Technology Acquisition Stumbles Despite Best Efforts (SIGNAL) In many cases, haste makes waste as the U.S. Army wrestles with the inherent contradictions that emerged as it tries to speed new information technologies to warfighters

Bloomberg: Chuck Hagel the Frontrunner for Defense Secretary (Executive Gov) Former Sen. Chuck Hagel (R-Neb.) is the likely nominee to succeed Leon Panetta as defense secretary, Bloomberg News reports on its Twitter feed

Oracle adds big data to utility play with DataRaker buy (Fierce Big Data) Oracle (NASDAQ: ORCL) announced today that it is acquiring DataRaker, which provides a cloud-based analytics platform that allows utilities to leverage large amounts of data. DataRaker focuses on electric, gas and water utilities, and analyzes data for these companies to help improve their customer satisfaction, as well as their operational efficiency. The move will help Oracle's utilities arm beef up it's big data analysis

Roy: Big data reveals gaps in standards and federal human capital (Fierce Government IT) The advent of big data has revealed gaps in technology standards and the federal government's ability to take advantage of it, said Donna Roy, executive director of the information sharing environment office within the Homeland Security Department. "The biggest gap at the federal level is in the recruiting and in the business case around staffing up the human support cadre," Roy said while speaking Dec. 13 at a morning AFCEA-Bethesda event

CIO Council identifies mobile security concerns (Fierce Government IT) Encryption gaps and rising costs may compromise security as federal agencies continue to adopt mobile technology, says the Federal Chief Information Officers Council. In a report dated Dec. 11, the CIO Council says that agencies are moving ahead with the implementation of mobile device strategies despite increased risks and outlines areas of concern that agencies should review

Michael Dell: Our Transformation Is Complete (InformationWeek) Dell CEO goes one-on-one with InformationWeek to discuss his company's future in software, services, servers, tablets and PCs -- but not smartphones

Juniper Networks to Acquire Contrail Networks for $176M (Govconwire) Juniper Networks Inc. (NYSE:JNPR) has agreed to purchase networking and software technology developer Contrail Systems Inc. for approximately $176 million in cash and stock, according to a Fox Business article. The acquisition is meant to enhance Juniper's software networking capabilities and the deal is expected to close before the end of the year

Raytheon Acquires SafeNet Inc. - Analyst Blog (NASDAQ) Raytheon Company ( RTN ) has completed the acquisition of Government Solutions business of SafeNet Inc. for an undisclosed amount. The need for acquiring a privately held data security firm comes in the light of supporting the U.S. government's growing need for protected and encrypted data

Parsons Names 15-Year IT Vet Timothy Potier CISO (Govconwire) Parsons Corp. has appointed 15-year information technology industry veteran Timothy Potier vice president and chief information security officer, the company announced Thursday

KPMG Names 30-Year Tech Vet Harry Moseley CIO (Govconwire) KPMG LLC has appointed 30-year technology industry veteran Harry Moseley to succeed the retiring Richard Anderson as chief information officer, effective Monday. The firm said Moseley will work the firm's management committee and business leaders on the technology platform including internal support and client-facing technology services. He will also lead the information technology services group

Selling flak jackets in the cyberwars (Sydney Morning Herald) When the Israeli army and Hamas trade virtual blows in cyberspace, or when hacker groups like Anonymous rise from the digital ether, or when WikiLeaks dumps a trove of classified documents, some see a lawless internet. But Matthew Prince, chief executive at CloudFlare, a little-known internet start-up that serves some of the web's most controversial characters, sees a business opportunity. Founded in 2010, CloudFlare markets itself as an internet intermediary that shields websites from distributed denial-of-service, or DDoS, attacks, the crude but effective weapon that hackers use to bludgeon websites until they go dark

Long Shadow Of Stuxnet Inspires Custom Anti-Malware Project (Dark Reading) Global maritime SCADA player forced to take the malware problem into its own hands for its offshore drilling, subsea, and merchant marine customers. Another sign of how Stuxnet is reshaping the SCADA security world: one major global supplier and integrator in offshore drilling, subsea and merchant marine operations pushed for the creation of a custom malware protection solution that better fits operationally sensitive critical infrastructure environments. Kongsberg Maritime's customers in the process control industry, haunted by the harsh wakeup call of Stuxnet, have been calling for strong anti-malware protection that doesn't disrupt their operations. "Our customers have always been concerned about cybersecurity, but after Stuxnet there's been a lot more focus and determination about this," says Bjornar Eilertsen, product advisor at Kongsberg Maritime

Security Patches, Mitigations, and Software Updates

Apple Patches Nine Vulnerabilities in QuickTime 7.7.3 Update (Threatpost) Apple shipped fixes for nine vulnerabilities in its QuickTime multimedia platform. The QuickTime 7.7.3 update resolves bugs for Windows 7, Vista, and XP service pack 2 and later

Persistent Input Validation Zero Day Patched by PayPal (Threatpost) PayPal patched a zero-day vulnerability this week in its core content management system. Researchers at Vulnerability Laboratory in Germany reported the flaw in June and withheld disclosure of the details until this week when PayPal released a fix. Benjamin Kunz Mejri, a frequent PayPal bug hunter, said his team discovered a persistent input validation vulnerability in the address book module's search function that would allow an attacker to remotely inject malicious script on the application side

Apple Addresses New SMS Trojan in Malware Lists (Threatpost) Apple has made updates to its malware definitions to address yesterday's news of a new OS X Trojan, SMSSend.3666, that was disguising itself as legitimate software and confounding Russian users

Cyber Attacks, Threats, and Vulnerabilities

Threatened Cyber Attack on Banks 'Credible,' McAfee Says (Bloomberg) A cyber fraud campaign targeting U.S. brokerages and banks is a "credible threat," and at least 500 accounts are vulnerable after

DDoS attacks against US banks peaked at 60 Gbps (CSO) Banks are likely to be better protected against this wave of attacks, Arbor Networks researchers say. Some of the distributed denial-of-service (DDoS) attacks that targeted the websites of U.S. financial institutions this week have peaked at 60 Gbps, according to researchers from DDoS mitigation provider Arbor Networks

Recent DDOS Attacks Have Made Organizations Increase Mitigation Controls, Expert Says (Softpedia) Since Izz ad-Din al-Qassam Cyber Fighters re-initiated their operations against US financial institutions, security solutions providers have started notifying their customers about the emerging threats. Solutionary, a leading pure-play managed security services provider, is also warning its customers about the risks posed by the latest threats. Weve reached out to Solutionary experts to find out if theres anything that targeted organizations could do to completely mitigate distributed denial-of-service (DDOS) attacks such as the ones launched by the Izz ad-Din al-Qassam Cyber Fighters

ExploitHub confirms breach (Help Net Security) ExploitHub.com, the well-known online marketplace where one can buy exploit code for disclosed vulnerabilities, has confirmed that its web application server was compromised, but that no confidential

Buffer Overflow Bugs Found in Informix database Servers (Threatpost) Several versions of the popular Informix database server from IBM contain two buffer overflow vulnerabilities that could lead to remote code execution. The problems affect eight different versions of the server and are present on Informix installations on all supported platforms

Backdoor Found at NDIS Level (Industrial Safety and Security Source) It is one thing to have a piece of malware that can focus on targeted attacks, but it is quite another to have it also be nearly invisible. That is just what a variant of the Exforel backdoor malware, VirTool:WinNT/Exforel.A, is able to do, said researchers at Microsoft's Malware Protection Center. That is what makes it different from other malicious elements of this kind because the backdoor opens up at the Network Driver Interface Specification (NDIS) level

Internet Explorer flaw gives ad trackers a sneaky edge -- for now (CSO) The security company Spider.io has found advertising analytics companies are using the flaw to measure ad views

Microsoft: Most PCs running pirated Windows in China have security issues (CSO) Microsoft finds widespread piracy in PCs sold in China, warns consumers in new campaign

Windows 8 apps hackable and crackable, just like iOS and Android (Ars Technica) Earlier in the week a blog post by Nokia engineer (and former Microsoft employee) Justin Angel highlighted a number of issues with applications from the Windows Store that enabled, among other things, the unauthorized conversion of trial apps into full versions, the modification of the prices of in-app purchases, and removal of embedded advertisements. Soon after publishing his post, Angel's blog was knocked offline in a flood of traffic; at the time of writing it remains unavailable, returning 503 error messages instead of content

Botnet operators in FBI bust show little talent, expert says (CSO) The operation exemplifies how deep technical knowledge is not needed to run a lucrative botnet

Security Researcher Compromises Cisco VoIP Phones With Vulnerability (Dark Reading) Grad student demonstrates how phones can be turned into listening devices by attackers

FBI Memo: Hackers Breached Heating System via Backdoor (Wired Threat LEvel) Hackers broke into the industrial control system of a New Jersey air conditioning company earlier this year, using a backdoor vulnerability in the system, according to an FBI memo made public this week

Firefighting and Terrorism: Arson by Cyber Attack (FireEngineering.com) As if fire investigations were not complex enough and the pursuit of arson charges against a suspect were not already extremely challenging, indications are that things are getting worse. A new method of committing the crime of arson has been brought

Beware of fancy infographics–spammers may be lurking behind them (IT World) Infographics are the latest trick for suckering you into signing up for spammy Web sites. Here's a story about one of them

Litigation, Investigation, and Enforcement

Connecticut Federal Jury Finds Romanian National Guilty of Participating in Internet Phishing Scheme (7thspace) A federal jury in New Haven has found Bogdan Boceanu, 29, a citizen of Romania, guilty of conspiracy offenses stemming from his participation in an extensive Internet phishing scheme, announced David B Fein, United States Attorney for the District of Connecticut, and Kimberly K Mertz, Special Agent in Charge of the FBI in New Haven. The trial began on December 6 and the jury returned its verdict today. Boceanu is the 10th Romanian citizen convicted as a result of this long-term investigation

UK cops: How we sniffed out convicted AnonOps admin 'Nerdo' (The Register) Analysis of IRC logs and open source intelligence played a key role in the successful police prosecution that led up the conviction of a member of Anonymous for conspiracy to launch denial of service attacks against PayPal and other firms. Christopher "Nerdo" Weatherhead, 22, was convicted on one count of conspiracy to impair the operation of computers following a guilty verdict by a jury at Southwark Crown court last week. Weatherhead, 22, was studying at Northampton University when he allegedly took part in "Operation Payback", the DDoS campaign launched by the hacktivists in defence of whistle-blowing site WikiLeaks

State Secrets Front and Center in Dragnet Surveillance Case (Wired Threat Level) A federal judge on Friday is to hold the first hearing following an appellate court's decision reinstating allegations the government is siphoning Americans' communications from telecoms to the National Security Agency without warrants

'Non-Harmful' Phone Spoofing OK, Appeals Court Says (Wired Threat Level) A federal appeals court is nullifying a Mississippi law that forbids phone spoofing of any type, ruling that Congress has authorized so-called "non-harmful" spoofing. Spoofing, misrepresenting the originating telephone caller's identification to the call recipient, was outlawed entirely in Mississippi under the 2010 Caller ID Anti-Spoofing Act (ASA), punishable by up to a year in prison

UPDATE: Apple's iPhone found to infringe Sony, Nokia patents (IT World) A federal jury in Delaware has found Apple's iPhone infringes on three patents held by MobileMedia, a patent-holding company formed by Sony, Nokia and MPEG LA

Japan police offers first-ever reward for wanted hacker (CSO) Japan's National Police Agency has posted a US$36,000 reward for a case in which it wrongly arrested men with hacked PCs

Design and Innovation

SINet moves east: opening Maryland satelite office in downtown Baltimore (Work Downtown Baltimore) San Francisco-based SINet--the Security Innovation Network--will soon expand their respected cyber security organization with an office in downtown Baltimore at the Cyber Technology and Innovation Center

The CyberWire Daily Briefing for 12.14.2012