The CyberWire Daily Briefing for 12.27.2012
Iran's curious, retracted almost as soon as made, claims that the country's infrastructure suffered a late December cyber attack appear to be definitively retracted. Still, whether the attack occurred or not, the Islamic Republic is pretty sure the US and Israel are behind it.
Some versions of Internet Explorer are reported vulnerable to arbitrary code execution. Amazon's customer service may be systemically vulnerable to social engineering, but in ways that trouble the company more than its customers. Last month's University of Michigan Health Systems data breach is ascribed to a third party's violation of data storage policies. Online gamers in the Republic of Korea are targeted by malware that "cheats, steals, and siphons off sensitive personal and financial data."
IEEE Spectrum sees an incipient Internet Cold War in this month's failure of the ITU to reach agreement on Web governance: the US, the EU, Canada, and Australia have one governance model, but China, Russia, Brazil (surprisingly), and the developing world want quite another.
The SANS Institute points out how difficult it is to actually destroy data. Even the most aggressive attempts to do so can usually be at least partially reversed in forensic analysis.
US President Obama again moots a cyber security executive order, but he faces opposition in the House of Representatives, which warns him against imposition of "top-down" standards.
The brobdingnagian Kim Dotcom returns to the news as New Zealand editorialists hail him as a hero (albeit an irritating one) for his (albeit self-interested) exposure of official corruption.
Notes.
Today's issue includes events affecting Brazil, Canada, China, European Union, Germany, India, Iran, Israel, Republic of Korea, New Zealand, Russia, United Kingdom, United Nations, and United States..
Cyber Attacks, Threats, and Vulnerabilities
Iran Retracts Reports of New Stuxnet-Like Attacks Against Utilities (Threatpost) Iranian officials are retracting Christmas day reports that malware resembling Stuxnet had been used to attack manufacturing facilities including a power utility in southern Iran
Iran Suggests Attacks On Computer Systems Came From The U.S. And Israel (New York Times) News of the latest cyberattacks came as Western economic sanctions on Iran have been tightening, while diplomatic negotiations aimed at resolving the nuclear dispute have remained basically stalled since June. There are expectations that a resumption of those negotiations will be announced soon, possibly next month
Confusion over alleged Stuxnet attack in Iran (h-online) A spokesperson for the Iranian government has denied reports of a Stuxnet attack on industrial targets in Iran. Citing Iran's semi-official news agency ISNA as their source, Western media have quoted a representative of Iran's civil defence organisation as stating that an attack had been repulsed with the help of hackers working for the government. It is alleged that, some months ago, a Stuxnet-like piece of malware was infiltrated into a number of industrial targets, including an electricity supplier in the Hormozgan province
Zero Day Initiative Advisory 12-193 (Packet Storm) This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the way Internet Explorer handles repeated calls to insertAdjacentText. When the size of the element reaches a certain threshold Internet Explorer fails to correctly relocate key elements. An initialized variable in one of the function can cause memory corruption. This can lead to remote code execution under the context of the program
Amazon hack highlights customer service security weakness (CSO) Amazon, the nation's largest online retailer, apparently still has some rather porous security protocols. A flaw discovered last week by Chris Cardinal, managing partner at the Web development company Synapse Studios, is apparently doing more harm to the e-commerce giant than its customers -- at least so far. That makes it less of a public relations nightmare than the flaw that last summer resulted in a hacker securing the digital identity of Wired reporter Mat Honan and then erasing his cloud accounts and taking control of his Twitter feed
University of Michigan Health Systems Admits Patient Data Stolen (Threatpost) Some 4,000 University of Michigan Health Systems patients had their medical data compromised last month when hospital equipment was stolen from a vendor's vehicle. That medication management provider, Mountain View, Calif.-based Omnicell, admits it violated both its own and UMHS hospitals' data storage policies when it left patients' demographics, medication regimes and admissions records on an unsecured device that was stolen from an Omnicell employee's car on Nov. 14
Malware Spies on, Cheats at Korean Card Games (Threatpost) Three pieces of spyware are deploying as many methods to infect and monitor players of Korean card game applications in order to cheat, steal, and siphon off sensitive personal and financial data
Spammers Using Fake YouTube Notifications to Peddle Drugs (Threatpost) Spammers are attempting to deceive unsuspecting users into clicking on fake YouTube links that lead to a counterfeit drug website, according to a report yesterday from security firm Webroot
Signed malware and Bring your own Application, listed among top threats for 2013 by McAfee (InformationWeek) In the wake of rising threats, it is important for everyone to be geared with new cyber challenges that would arise in the New Year. McAfee Indias Jagdish Mahapatra shares his top 10 enterprise security predictions. Targeted Attacks: 2012 saw an increased growth in targeted attacks that proved successful in disrupting service and fraudulently obtaining significant amounts of intellectual property
Security Patches, Mitigations, and Software Updates
Botched Software Update To Networking Gear Caused One Of GitHub's All-Time Worst Outages (TechCrunch) A botched software update to networking gear caused one of GitHub's all-time worst outages last weekend, the second major disruption that customers of the the popular social coding platform have suffered through in the past several weeks
Google Begins Blocking Silent Extension Installations with Chrome 25 (Threatpost) Google announced late last week it would begin halting the silent installation of extensions on its flagship Chrome browser
Cyber Trends
The Only Security Prediction that Matters (Dark Reading) In this silly season of year-end predictions, we need to collectively revisit the only prediction that will matter next year
The 5 Coolest Hacks Of 2012 (Dark Reading) Nothing was sacred -- the nation's airspace, home power meters, videoconferences, and, in an ironic twist, popular cybercrime tools
Is This the Start of an Internet Cold War? (IEEE Spectrum) The International Telecommunication Union's global treaty conference on telecommunications in Dubai earlier this month may have inadvertently given the term "digital divide" a new definition. The term, generally used to describe the haves and have-nots in the information society, also aptly defines the growing rift that the Dubai talks revealed between two groups of nations with fundamentally opposing views on how the Internet should be governed. And that fissure, many now warn, could lead to a digital version of the Cold War
Computers: It's Time to Start Over (IEEE Spectrum) Computer scientist Robert Watson, putting security first, wants to design with a "clean slate." If you think about it, it's weird. Everything about computer security has changed in the past 20 years, but computers themselves haven't. It's the world around them that has. An article to be published in the February 2013 issue of Communications of the ACM sums up the situation pretty succinctly
The promise of big data: Analytics for all (IT World) As big data sources -- everything from social networks to operations -- touch more people inside the enterprise, more workers will need analytics to get value from the data
New Gadget + the Internet = New Threat (TrendLabs) Nowadays, we no longer use just our computers to connect to the Internet. We have our smartphones and our tablets that pretty much put the Internet right into our pockets. We are so connected to it, to the point that even gadgets that used to be "offline" can now be connected to the web. Gadgets such as media centers, game consoles, TVs, home automation systems, surveillance cameras, digital cameras, and the like are now Internet-enabled, making it easier than ever to connect. Very convenient, yes, but now we face this very important question: how safe is it to connect these devices to the Internet?
Top 10 risks found by your auditor (Help Net Security) KirkpatrickPrice offers a list of the most common risks they find. 1. No formal policies and procedures Formal guidelines of policies and procedures help provide your employees with clarity of
Only 8 percent of UK organizations have BYOD policies in place (Help Net Security) As enhanced efficiency, employee productivity and the reduced burden on IT teams continue to drive adoption of Bring Your Own Device (BYOD), a recent survey of more than 500 IT decision makers
Marketplace
Furloughs Not Expected For Civilian Defense Workforce (Dayton Daily News) Job furloughs for the civilian defense workforce won't be used right away if a deal is not struck this week to avert the fiscal cliff, but the Pentagon's top leader said temporary layoffs later might be unavoidable
Budget Ax Creeps Closer To Reality For Federal Workers (Washington Post) Federal employees have been skeptical for months that the biggest cuts to government spending in history could really happen. But with the "fiscal cliff" a week away, workers are now growing increasingly alarmed that their jobs and their missions could be on the line
Defense Industry Seeks Relief As Fiscal Cliff Draws Near (Bloomberg.com) The defense industry is urging Congress to delay the fight over taxes and focus on avoiding the automatic budget cuts that begin in six days
Red Hat to Acquire Enterprise Cloud Mgmt Firm ManageIQ for $104M (The New New Internet) Red Hat has entered into a definitive agreement to acquire ManageIQ for approximately $104 million in cash, according to a TechWeekEurope U.K. article.
Lockheed Acquires Assets of UAV Software Developer CDL Systems (Govconwire) Lockheed Martin [NYSE: LMT] has acquired substantial assets of Alberta, Canada-based software engineering firm CDL Systems Ltd., according to a company statement. Terms of the agreement were not disclosed and are not material to Lockheed. "This transaction provides us a common software solution with significant in-theater experience that furthers our ability to meet our customers'
Products, Services, and Solutions
Google's Mobile Future Is Now (TechCrunch) Google Now may be one of Google's most underrated new products of 2012, but I think it will turn out to be Google's killer mobile product in the long run. It's the one tool that brings together virtually everything Google knows about you and where you are and then turns all of this information into a useful dashboard on your phone. No other Google product (with the possible exception of some of
How to get the key features of Live Mesh, now that Microsoft is getting rid of it (IT World) Microsoft is shutting down its syncing and remote desktop tool, Live Mesh. Here are some good alternatives
FCC Web Tool Offers Tips for Smartphone Security (Mobile Enterprise) The "Smartphone Security Checker" is a free, easy-to-use tool that creates a…The National Cyber Security Alliance, CTIA-The Wireless Association
Technologies, Techniques, and Standards
Don't Throw Your DAM Money Away (Dark Reading) Make the most out of database activity monitoring through better tuning
Defeating cyber criminals (BBC) Cyber criminals beware; Technology experts have gathered in Dublin to work out plans that will undermine the criminals who roam cyberspace. The technology experts who work at the 'coal-face' of cyber crime discuss how much they know about their adversaries, how they plan to monitor their nefarious activities and infiltrate the gangs
How Linux reads your fingerprints, helps national security (TechRadar) Gunnar Hellekson has many awesome-sounding job titles. He's the chief technology strategist for Red Hat's US Public Sector group, where he works with government departments to show them how open source can meet their needs, and with systems integrators to show them what they can do to provide the government with what it needs. He's co-chair of Open Source for America, which campaigns for software that has been funded by the tax-payer to be open sourced, so that all Americans can benefit from it
Forensics: When is Data Truly Lost? (Healthcare Information Security) Before embarking on the tragic Newtown, Conn., shootings, Adam Lanza reportedly destroyed his computer. But is the machine's data also destroyed? Rob Lee, forensics expert and educator from SANS Institute, points out how difficult it is to truly destroy computer data
Design and Innovation
Better For Companies: Slow And Steady Or Fast And Furious? (TechCrunch) This year was a pretty amazing one in technology: Many startups were funded and acquired, and there were some real advancements made in the way that we communicate on a daily basis. I'd definitely call 2012 a major win, but it's been interesting to watch how companies operate to reach their goals and hit moving targets
Legislation, Policy, and Regulation
China may require real name registration for internet access (Reuters) China may require internet users to register with their real names when signing up to network providers, state media said on Tuesday, extending a policy already in force with microblogs in a bid to curb what officials call rumors and vulgarity. A law being discussed this week would mean people would have to present their government-issued identity cards when signing contracts for fixed line and mobile internet access, state-run newspapers said."The law should escort the development of the internet to protect people's interest," Communist Party mouthpiece the People's Daily said in a front page commentary, echoing similar calls carried in state media over the past week."Only that way can our internet be healthier, more cultured and safer
Obama may issue cyber security order in early January (SC Magazine) A cyber security executive order could be issued by President Obama as soon as early 2013, according to White House sources. James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies, told global affairs blog The Hill on Friday that the action wouldn't likely occur after the holiday season. It'd be reasonable to say that releasing the executive order now would irritate Congress and might create an unnecessary burden for reaching a deal on the fiscal issues, Lewis told The Hill's Jennifer Martinez
GOP Reps Urge Obama Not to Issue Executive Order - 46 House Republicans Sign Letter Opposing Top-Down Standards (Govenment Information Security) A letter signed by 46 Republican members of the House of Representatives, dated Dec. 21, cautions President Obama from issuing an executive order on cybersecurity. That order, which could be issued in the coming weeks, would establish a process in which the federal government and industry develop security standards that the mostly private owners of the nation's critical IT infrastructure could voluntarily adopt. The letter - written by Reps. Marsha Blackburn, R-Tenn., and Steve Scalise, R-La., and signed by 44 of their colleagues - says the executive order would issue top-down standards in such a non-transparent fashion and set a dangerous precedent."Imposing a backdoor regulatory framework through executive order will not solve our cybersecurity challenges," the letter states
Union Government Decided Setting up 5-Year Project for Cyber Security of Critical Sectors (Jagran Josh) The union government decided to set up five-year project for restoring the overall cyber security structure of critical sectors of India. This was decided in light of increasing number of cyber attacks as well as security threats that the Internet offers. In 2011, India suffered 13000 cyber incidents
Too Many Secrets (Washington Post) A new report offers the government good ideas toward learning how to share
Litigation, Investigation, and Law Enforcement
Journalists' Addresses Posted In Revenge For Newspaper's Google Map Of Gun Permit Owners (TechCrunch) A week after the Newtown massacre, The Journal News published an interactive Google Map with the names and addresses of gun permit owners in select New York cities. The bold move has escalated into a transparency arms race, after a Connecticut lawyer posted the phone number and addresses of the Journal's staff, including a Google Maps satellite Image of the Publisher's home
New Zealand's largest paper calls Kim Dotcom 'good for this country' (Ars Technica) Dotcom comes with drama, but he helped expose political scandal in the country
University wins record $1.17 billion verdict against Marvell Semiconductor (Ars Technica) Carnegie Mellon latest school to play 'patent roulette' at court
Britons must be tried in Britain, extradition campaigners say (Telegraph) Mr McKinnon, who won a 10-year battle against extradition and computer hacking charges, said Theresa May, the home secretary, must ensure her reforms include a presumption in favour of a prosecution in British courts for alleged offences committed in the UK. Mrs May has pledged to bring in a forum bar for extradition, enabling courts to decide whether a person should stand trial in the UK or abroad. But Michael Caplan QC, an extradition lawyer at Kingsley Napley LLP, said there were very real concerns that the forum amendment proposed by Mrs May could fail in its purpose of protecting British citizens from unnecessary and disproportionate extradition
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
tmforum Big Data Analytics Summit (Amsterdam, Netherlands, Jan 29 - 30, 2012) Bringing together leading service providers, market analysts and all of the big names in Big Data, this forward-looking, education-packed two-day Summit combines keynote perspectives, case studies, debates, panels, interactive sessions and networking opportunities that maximize every participant's opportunity to network and generate ideas that can be implemented immediately.
ATMiA US Conference 2013 (Scottsdale, Arizona, US, Feb 19 - 21, 2013) A conference devoted to the design of ATMs, and the future of the ATM industry.
#BSidesBOS (Cambridge, Massachusetts, USA, Feb 23, 2013) Each BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening..
TechMentor Orlando 2013 (Orland, Florida, USA, Mar 4 - 8, 2013) Celebrating 15 years of educational events for the IT community, TechMentor is returning to Orlando, Florida, March 4-8, for 5 days of information-packed sessions and workshops. Surrounded by your fellow IT professionals, you will receive immediately usable education that will keep you relevant in the workforce. TechMentor track topics include:Windows PowerShell and AutomationCisco and Networking Infrastructure Windows Server Management Windows Client Management Cloud and Virtualization Identity, Access Management and Security Performance Tuning and Troubleshooting Mobility and BYOD Messaging and Collaboration.
e-Crime Congress 2013 (London, England, Mar 12 - 13, 2013) The e-Crime Congress is designed to meet the needs of key stakeholders and decision makers who are responsible for designing and coordinating information security and risk management strategy, safeguarding digital assets and sensitive information, protecting customers, defending against internal or external threats and responding to incidents.
IT Security Entrepreneurs' Forum (ITSEF 2013) (Palo Alto, California, USA, Mar 19 - 20, 2013) Supported by the U.S. Department of Homeland Security, Office of Science and Technology, ITSEF 2013 aims to connect the ecosystem of the entrepreneur: industry, government, and academia. The conference will advance innovation, lead change and build trusted global collaboration models between the public and private sectors to defeat Cybersecurity threats.
The Future of Cyber Security 2013 (London, England, UK, Mar 21, 2013) Cyber Security and the Citizen 2013 is a one-day conference and exhibition for senior decision-makers of central and local government organisations, NGOs and major private sector enterprises.
Cloud Connect Silicon Valley (Santa Clara, California, USA, Apr 2 - 5, 2013) Cloud Connect returns to Silicon Valley, April 2-5, 2013, for four days of lectures, panels, tutorials and roundtable discussions on a comprehensive selection of cloud topics taught by leading industry experts.
InfoSec World Conference & Expo 2013 (Orlando, Florida, USA, Apr 15 - 17, 2013) With the primary objective of providing top-notch education to all levels of information security and IT auditing professionals, InfoSec World delivers practical sessions that give you the tools to strengthen your security without restricting your business.
25th Annual FIRST Conference (Bangkok, Thailand, Jun 16 - 21, 2013) The annual FIRST conference provides a setting for conference participants to attend a wide range of presentations delivered by leading experts in both the CSIRT field and from the global security community.