The CyberWire Daily Briefing 01.17.13

Cyber Trends

Big Data Will Play Key Role In Security's Future, Study Says (Dark Reading) 'Intelligence-driven security' will enable enterprises to deeply analyze security data and assess risk more accurately, RSA report says

Security stories to watch: Patches for Java, IE, and SCADA-pocalypse! (IT World) The patches are out for both Java and Internet Explorer, but this is hardly the end of the story - or the hand wringing. Also: a SCADA-pocalypse! If you work in IT security, this week started off with a bang, as Oracle and Microsoft released critical, out-of-cycle patches to fix serious and exploitable holes in their software. The patches put an end to the haranguing each company was getting from security experts, but it certainly isn't the end of the story - or the hand wringing for organizations already wary of attack

Another Notch In 'Cyber Threat' Rhetoric's Belt: Former UK Head Of Cyber Security Brings 'AIDS Epidemic' Into The Mix (Techdirt) Well, we've seen the always-impending cyberdoom compared to all sorts of horrendous events by legislators and security agencies. The perpetually-just-over-the-horizon cyberattacks have been given catchy names like "cyber-Pearl Harbor" and "cyber-9/11" in an attempt to scare up some support for terrible legislation and expansions of power. The UK's former head of cyber security has taken a slightly different tack, avoiding the terrorist imagery in favor of something even more dubious

Canada infrastructure vulnerable to cyber attack, RCMP report (SC Magazine) Canada remains vulnerable to cyber attacks by "terrorist groups [which] have expressed interest in developing the capabilities for computer-based attacks against Canada's critical infrastructure." The warning was contained in the annual departmental

Company bosses slacking on hacking (Help Net Security) Company bosses across the UK have a complacent attitude toward cybercrime and are inviting criminal attacks due to their sloppy approach to internet security, reveals new research from Swivel Secure

TODAY'S SPOTLIGHT... Enterprises uninformed about BYOD security risks, says Frost survey (Fierce Mobile IT) Information security managers believe that enterprises must do more to understand the security implications of the BYOD trend, according to a survey conducted by Frost & Sullivan on behalf of IT security trade group (ISC)2. More than half of the companies surveyed said they allow employees and business partners to connect to their networks, according to the survey results published by ComputerWeekly. A full 78 percent of the 12,000 information security professionals surveyed expressed concern about the security risks associated with BYOD. The biggest concerns include application security and cloud-based systems

Juniper: Mobile wearable device use in enterprise on the rise (Fierce Mobile IT) Enterprises will increasingly use mobile wearable devices for various applications, including warehouse management, according to Juniper Research in a new report. Enterprise wearables include mobile devices such as terminal devices, scanners, display devices, as well as tracking devices used for logistics, factory management and production houses, Nitin Bhas, a Juniper analyst and author of the report, told FierceMobileIT

Mobile technology will be most disruptive enterprise force, predict 2,000 CIOs (Fierce Mobile IT) Mobile technology will be the most disruptive technological force in the enterprise in the coming years, according to a survey of more the 2,000 chief information officers that was conducted by Gartner in the fourth quarter of 2012

BYOD: Sleepless nights ahead for CIOs, IT personnel (Fierce Mobile IT) Recently, Gartner polled an impressive number of chief information officers, 2,053 to be exact, to find out what their business and technology priorities and concerns are for the coming year. While mobile technology ranked second in terms of technology priorities, it ranked first in terms of how disruptive it will be to the enterprise. No doubt this concern about disruption stems from the flood of personally owned mobile devices into the workplace, whether approved by CIOs or not

Rand: American involvement in a cyber crisis is inevitable but manageable (Fierce Government IT) The United States will likely find itself in a cyber crisis owing to the fact that cybercrimes and espionage continue to rise and the risks from cyberspace are growing, according to a recently-released Rand Corporation monograph prepared for the Air Force. Crises are less likely to "emanate from the unavoidable features of cyberspace" than from "each side's fear, putatively exaggerated, of what may result from its failure to respond," the report says

Legislation, Policy and Regulation

Ridiculously redacted interpretation of FISA snooping law released (Naked Security) US privacy organization EFF invites you to click on thumbnails of the summaries it managed to pry out of the government, but let's save your finger muscles the workout with this summaries summary: ------------------------------

Surveillance Strategy Is Privileged and Confidential, FBI Says (Wired) The President Barack Obama administrations surveillance strategy in the wake of the Supreme Courts decision that the installation of a GPS tracker on a vehicle amounted to a search under the Fourth Amendment remains privileged and confidential, the Justice Department claims in newly released memos. What has been made public is that, following the high courts Jan. 23 decision, the Federal Bureau of Investigation pulled the plug on some 3,000 GPS trackers. The bureaus general counsel, Andrew Weissmann, acknowledged that fact while speaking at a legal symposium at the University of San Francisco last year

German government's surveillance software unsettles a nation that prizes privacy (Quartz) Germans take their privacy seriously and have coined a term—glaeserner Buerger, or "the glass citizen"—to describe a dystopic future in which Germans are surveilled around the clock. The news that that Bundeskriminalamt (BKA), Germany's version of the FBI, is testing software by a controversial surveillance firm is sure to raise the glass citizen image yet again

'Aaron's Law' would partly de-fang Computer Fraud and Abuse Act (Naked Security) Rep. Zoe Lofgren on Tuesday night proposed legislation that would dial back the ferocity of the charges that were used against internet activist Aaron Swartz, who died last week

I support 'Aaron's Law' -- for now (CSO) Congresswoman Zoe Lofgren proposes an amendment to the computer fraud law in honor of Aaron Swartz. I support it, though not unconditionally

It's cyber war…send for Dad's Army (Telegraph) A new Home Guard is being recruited to defend the nation's computer networks. There is a classic Dad's Army scene where Captain Mainwaring and his troops are marching down a country road and come across two stranded nuns. "Look at those poor nuns, sir. Their car has broken down," comes a voice from the front

Products, Services, and Solutions

ObjectRocket Launches Premium MongoDB Cloud Service (Dark Reading) Leverages AWS Direct Connect to provide low latency and free bandwidth to AWS customers

Five notable new features in Fedora Linux 18 'Spherical Cow' (IT World) After numerous delays along the way, the final version of Fedora Linux 18 "Spherical Cow" made its long-awaited debut on Tuesday

Survalent Technology Commissions New SCADA System Greenfield Power and Light, Indiana (SFGate) Survalent Technology, the most trusted provider of smart grid solutions for the control room, announced today that it has commissioned a new Supervisory Control and Data Acquisition (SCADA) system for Greenfield Power and Light, Indiana. Greenfield Power and Light provides electrical service to residential and commercial customers within the Greenfield city limits. They are a member of the Indiana Municipal Power Agency (IMPA) and the Indiana Municipal Electric Association (Ind MEA)

ESET NOD32 Antivirus 6 and ESET Smart Security 6 released (Help Net Security) ESET released new versions of its flagship products. Enhancements to both products include advancements in threat detection, more thorough cleaning of infected systems, and an improved user experience

Mobile Security for Android combats mobile threats (Help Net Security) Commtouch announced Mobile Security for Android, an OEM solution that offers cloud-assisted antivirus and Web security services delivered through a client SDK.

Microsoft advances the Cloud OS (Help Net Security) Microsoft announced new solutions to help enterprise customers manage hybrid cloud services and connected devices. System Center 2012 SP1, the enhanced Windows Intune, Windows Azure services for Windows Server and other new offerings deliver against the Microsoft Cloud OS vision to provide customers and partners with the platform to address their top IT challenges

BlackBerry 10 specs leak: The biggest thing to happen to BlackBerry since BlackBerry (Emirates 24/7) The (unofficial) word is out: leaked specs of the upcoming first BlackBerry 10 device – the BlackBerry Z10 all-touch-screen phone – reveal that Research in Motion (RIM) might have its fortunes reversed (they were in reverse motion for a long time) once the phone hits Dubai – and five other markets – on January 30, 2013

Librestream, Livecast top ABI enterprise video collaboration list (Fierce Mobile IT) Librestream and Livecast topped the list of vendors supplying enterprise mobile video collaboration for business operations support examined by ABI Research

Microsoft Enhances System Center For Hybrid Cloud Work (InformationWeek) With System Center's new service pack and Windows Server 2012, an IT administrator can create Hyper-V virtual machines and deploy them to internal data center, remote hosting service provider or public cloud, such as a Windows Azure site

Meet Facebook's Graph Search Tool (InformationWeek) Facebook downplays Google as competitor as it launches "internal" search tool that helps you find people, photos, places and interests inside Facebook using established privacy settings

Facebook Graph Search Makes Privacy Seem Selfish (TechCrunch) The subtle impact of Facebook Graph Search is that when you share openly, you share for the benefit of mankind. And when you don't, or share to just a few people, you're robbing the world of your knowledge, recommendations, and content. The question for each of us now is whether we prioritize our contribution or our privacy

Graph Search Just Made Me a Facebook Addict (Wired Business) Now that I'm data mining my friends via Facebook's new search engine, I suddenly want to feed the beast with my own likes and checkins

Technologies, Techniques, and Standards

Deception Is Futile When Big Brother's Lie Detector Turns Its Eyes on You (Wired Threat Level) A new high-tech lie detector system aims to put the simple polygraph out to pasture. It uses a microphone, video camera and infrared technology to detect when you're being deceptive

'Rogue clouds' giving IT staffs nightmares (IT World) Cloud computing is increasingly being adopted by companies around the world, but IT managers say "rogue cloud implementations" in which business managers sign up for services without getting IT approval is among their biggest challenges

Cloud security key to BYOD, (ISC)2 study shows (Computer Weekly) Businesses welcome bring your own device (BYOD) policies for the operational cost savings and user experience, according to the (ISC)2 2013 Global Information Security Workforce Study. At the same time, the study conducted on behalf of the (ISC)2 Foundation by the analyst firm Frost & Sullivan shows that information security managers admit companies must do more to understand the security of the technologies behind the trend, particularly cloud-based systems and applications. BYOD is a prevalent practice, according to selected results released at a press conference previewing the Infosecurity Europe 2013 conference at Earls Court in London from 23 to 25 April

Safeguarding data-filled devices requires sophisticated tools (Defense Systems) Military data security initiatives are typically defensive strategies designed to protect information at and beyond the network perimeter. Yet such efforts omit a crucial vulnerabilitysensitive data at rest. Data at rest refers to any type of information stored inside a computer device, such as network servers, smart phones, tablet systems and various forms of removable storage, while excluding data that is traversing a network or temporarily residing in computer memory to be read or updated

How to keep yourself from getting cyber-stalked (New Castle News) Michael Kaiser who is the executive director of the National Cyber Security Alliance (NCSA) says cyber-stalking is nothing that consumers should take

The Underdog Operating Systems Set to Shake Up the Smartphone Scene (Technology Review) Apple's iOS and Google's Android rule the fast-growing smartphone market, but upcoming operating systems want to muscle in on their turf. The mobile operating system has become a key component of a successful computing "ecosystem." A version of Ubuntu Linux designed for smartphones could appeal to some manufacturers and carriers. The next time you go shopping for a smartphone, you might see some unfamiliar software on the screens lining store shelves

Mobile Business Intelligence: Here At Last? (InformationWeek) Tech and market conditions have finally aligned to make on-the-go BI a reality, say analysts

Intel CTO: Smart Sensors, Wearable Tech Coming Soon (InformationWeek) Touchscreen Ultrabooks might be cutting edge today, but Intel CTO Justin Rattner says it's nothing compared to the next generation of smart sensors and wearable technology just around the corner

Marketplace

F-35 Software: DoD's Chief Tester Not Impressed (IEEE Spectrum) Last September, U.S. Air Force Maj. Gen. Christopher Bogdan, the then incoming director of the troubled F-35 program, said that he was not optimistic that all the program's current problems—especially those related to software, which has long been a sore point (pdf)—would be fixed in time to meet the services' planned initial operational capabilities, beginning with the Marine Cops in about 2 years. The 2012 Annual Report (pdf) on major defense acquisitions, by the Department of Defense's Director of Operational Test and Evaluation, J. Michael Gilmore, isn't likely to increase Bogdan's optimism any

Navy CIO abruptly cancels IT conference scheduled for end of month (Fierce Government IT) The Navy Department chief information officer has canceled a planned information technology conference less than two weeks before it was due to start Jan. 28-30 in San Diego. Navy announced the cancelation in a posting on the DoN CIO website, stating the action was taken "in response to DoD and DoN guidance." Until this week, the plan was for the DoN CIO to host the DON IT Conference at the same time and location as the 2013 AFCEA West conference. Defense and Navy officials will continue to speak at the military association's event, the DON announcement says. Navy personnel may still go to it, it adds, provided they don't incur travel costs

After bumpy start, VA says paperless claims transition will be smooth (Fierce Government IT) The Veterans Affairs Department has begun a nationwide transition to paperless processing of disability claims at regional offices and says it has addressed previous problems and slowdowns within the system

CRGT Subsidiary to Provide EPA IT Systems Support (Govconwire) CRGT's Guident subsidiary has won five task orders to provide U.S. Environmental Protection Agency information technology systems development and migration services, Guident said Wednesday. The Herndon, Va.-based data analytics provider will also provide the agency design and other related IT support services for up to five years. "Guident has been supporting numerous offices within the

Dish bests Sprint's offer to acquire Clearwire (Fierce Mobile IT) Dish Network's bid to steal Clearwire out from under Sprint Nextel (NYSE: S) could signal the satellite TV provider's interest in partnering with the terrestrial broadband wireless provider. Dish has offered to pay $3.30 per share to acquire Clearwire, more than the $2.97 per share Sprint has offered. Dish also offered to buy spectrum from Clearwire for $2.2 billion

Intel and Facebook collaborate on future data center rack technologies (Help Net Security) Intel and Facebook aim to define the next generation of rack technologies used to power the world's largest data centers. As part of the collaboration, the companies also unveiled a mechanical prototype

Nokia Cuts 300 Jobs, Outsources Up To 820 More To HCL And Tata To 'Align IT With Its Business Focus' (TechCrunch) Here's the cloud to Nokia's silver lining statement the other day of better than expected handset sales: it is cutting IT 300 jobs, and outsourcing 820 more, with Indian outsourcing giants HCL and Tata Consultancy Services picking up the reins for the latter. The news was announced this morning by the company as it gears up to report Q1 results January 24

Behrman Capital acquires Cyber security provider Tresys Technology (Government Security News) Behrman Capital, a private equity investment firm on Jan. 9 acquired Tresys Technology, a provider of Cyber security products, services and solutions to government and commercial customers. Financial terms of the transaction weren't disclosed

Former PwC Consulting CEO Takes Reins At Anti-malware Startup TaaSERA (Dark Reading) C. Scott Hartz has joined as CEO

HP Names Former VA Healthcare COO Laura Miller a Public Sector Principal (Govconwire) Laura Miller, a former chief operating officer for the Department of Veterans Affairs' healthcare system, has joined HP Enterprise Services (NYSE: HPQ) as healthcare client principal for the U.S. public sector. The company said the 30-year public health veteran will work with clients such as the VA, the Military Health System and the Department of Health and Human Services

Vistronix Names EVP John Hassoun Corporate President (Govconwire) Vistronix has promoted John Hassoun from the executive vice president ranks to corporate president, the company said Monday. Hassoun will report to CEO Deepak Hathiramani and be responsible for the company's business units and corporate support functions. Hassoun, who joined the company in July 2012 as corporate development EVP, will also oversee the integration of

Catapult Names L-3 Vet Brian Murphy Enterprise Systems Business Development Lead (Govconwire) Catapult Technology has appointed L-3 Communications veteran Brian Murphy director of business development for the enterprise systems team, Catapult said Monday. The company said Murphy will be responsible for acquiring new business in the defense sector, identifying opportunities and leading proposal development. He will also be responsible for building relationships with team partners as part

Northrop Names 32-Year Vet Ruth Bishop Mission Assurance Sector VP (Govconwire) Northrop Grumman (NYSE: NOC) has appointed Ruth Bishop sector vice president of quality, safety and mission assurance within the technical services sector, effective Jan. 26. Bishop, a 32-year company veteran, will oversee sector-wide mission assurance and Six Sigma functions and be responsible for measuring productivity, the company said. She will also be responsible for predicting

Research and Development

Technical paper: Deeper inside the Blackhole exploit kit (Naked Security) For those interested in exploit kits and how they work, Gabor Szappanos has published the second (and concluding) part of his technical paper looking at the Blackhole kit. Recommended reading for all those that want a little more detail as to how one of the most prolific and widely used crimeware kits actually works

Security Patches, Mitigations, and Software Updates

Chrome 25 to Support Unprefixed Content Security Policy (Threatpost) Google is continuing to introduce new security technologies in its Chrome browser, and the latest addition on the horizon is support for unprefixed Content Security Policy, a behind-the-scenes improvement designed to prevent malicious script injections. The technology is included in the beta of Chrome 25, which was released earlier this week, and will soon find its way into the stable channel

Novell Patches Vulnerability in eDirectory Product (Threatpost) Novell has fixed a vulnerability in its eDirectory service that could affect users who run the program on some Linux and WIndows platforms. The problem, a stack buffer overflow (CVE-2012-0432) is remotely exploitable and can be done without authentication, according to an alert issued yesterday by David Klein on the Full Disclosure mailing lists

Oracle Critical Patch Update Advisory-January 2013 (Oracle) A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes

Cyber Attacks, Threats, and Vulnerabilities

Red October, RBN and too many questions still unresolved (Security Affairs) The recently discovered cyber espionage campaign Red October has shocked world wide security community, the principal questions raised are:Who is behind the attacks? How is possible that for so long time the campaign went undetected? Which is the role of AV company in these operations

Surprised? Old Java exploit helped spread Red October spyware (The Register) Unpatched Java installations may have helped spread the malware responsible for the recently uncovered "Red October" cyber-spying campaign, researchers at Seculert have revealed. Kaspersky Labs first disclosed the existence of Red October on Monday, claiming that the program had been responsible for attacks on systems in Eastern European countries, former Soviet republics, and Central Asian nations over the last five years. The primary vectors used to install the malware were emails containing attached documents that exploited vulnerabilities in Microsoft Word and Excel

Incapsula Security Firm Analyze Reality Behind Recent U.S. Cyber Attacks (HackRead) If you remember our article on a wave of DDoS attacks on several American banks, this news is the continual of that news and would be releasing some of the shocking aspects regarding the attacks. Here, we would like to add that these attacks were launched by a hacking group by the name of Izz ad-Din al-Qassam in protest to a video which breaches the Islamic code of law. The hacker is now saying such attacks would keep coming and wouldn't stop until the removal of that video content

Banks fighting cyberattacks unlikely to get government relief soon (CSO) Outside of reaching a diplomatic solution, options available to the government would not stop the attacks quickly, say security experts. Banks seeking help from the U.S. government in battling a campaign of cyberattacks that defense officials say is being led by the Iranian government are unlikely to get much relief without a diplomatic solution, security experts say

Another Java Zero-Day Vulnerability Hits Black Market (InformationWeek) Call it malware cash and carry: Less than 24 hours after Oracle Sunday released a security update that addresses two critical zero-day vulnerabilities in Java that are being actively exploited by attackers, an online vulnerability seller began offering

Yet ANOTHER Java zero-day claimed - but this time you're laughing, right? (Naked Security) The value the seller is placing on this exploit sounds a bit low to me: he's expecting total earnings of just $10,000 for a reliable, working and current Java zero-day. (I don't mean to sound as though I think cybercriminality is glib and workaday

New zero-day Java exploit selling in online forum for $5000 (TechSpot) Earlier this week Oracle rushed out a fix for a critical bug in Java that was reportedly being widely exploited by malicious sites to remotely execute code on a victim's machine. Well, it only took one day after the patch arrived for a different and

Thailands' Ministry of Culture Hacked by Bad Piggies Team (Softpedia) On Wednesday, hackers from the Bad Piggies Team breached and defaced the official website of Thailands Ministry of Culture (m-culture. go. th)

South Korea Accuses North Korea of Cyberattacks on Newspaper, Transition Team (Softpedia) South Korean officials are accusing North Korea of being behind the cyberattack against the website of the JoongAng Ilbo newspaper and the servers that handle the press rooms at the presidential transition team. Earlier this month, we learned that South Korea was busy training hackers to protect the country against cyberattacks. As it turns out, this is for a very good reason

N.Korea's GPS Jamming Is Terrorism Pure and Simple (Chosun) North Korea has been sending GPS jamming signals since April 28, wreaking havoc with civilian aviation and fishing fleets. Over the last 12 days, 624 passenger planes operated by Korean Air and Asiana Airlines, and 49 foreign carriers were affected by GPS jamming and one U.S. military aircraft on the way from Beijing to Yokohama also experienced disruption. There were four close calls where passenger jets approaching Incheon and Gimpo airports abruptly shifted course when their GPS malfunctioned and landed only after circling the airports

Okara Police Hacked, personal information leaked for #OpSlaughterHouse (HackRead) Thank to CWN for reporting, the official website of Okara District Police (okarapolice.com) Pakistan was hacked by @ThisISGame0ver for #OpSlaughterHouse. The hacker breached the site and leaked personal information of Police officers online, the details contains login details of website administrator's usernames, address, contact details, phone numbers, plain text and encrypted passwords. After looking into the passwords set by the admin for a police site; it shows what a terrible and poor security the site has, as the passwords and usernames are as same as their names. For example: Username: Usman and password is Usman as well.

Elion Denies Cyber Attack to Blame for Extensive Outages (Estonian Public Broadcasting) Director of technology for Elion, Kalev Reiljan, said the failure that caused cascading problems at the telecommunication company and digital services provider was a perfect storm of an outage and not caused by cyber attack. "I can completely, definitively and categorically say that this was not due to an external influence," he told ETV

Precision Bouncer List Phishing Kits Keep Targets Inside the Ropes (Threatpost) Just when you thought phishers had exhausted all avenues of innovation, a new tactic has emerged in attacks against financial institutions bringing the level of targeting and geo-filtering to precise new levels. Dubbed bouncer list phishing by RSA Security, these attack kits are built off stolen email lists that are filtered for particular targets, such as a regional bank

Bouncer kit perfect for laser-focused phishing campaigns (Help Net Security) Researchers have unearthed a new type of phishing kit that allows crooks to target specific users and keep away others in order to keep the scheme hidden from knowing eyes and security firms for as long as it's possible

Log audit reveals developer outsourced his job to China (Help Net Security) Log analysis can reveal a lot of security mistakes and fails, but a lot of security sins, too. Take for example the incident recently shared by Verizon's Risk Team: called in by a critical infrastructure company to investigate what seemed to be a breach of its networks by the hands of Chinese-based hackers, they ended up discovering a complex scam perpetrated by one of the company's most respected employees

Notre Dame on imaginary girlfriend fiasco: Manti Te'o was 'victim of hoax' (Raw Story) It was one of the most celebrated stories of heroism in US sport: the college football star who fought through the grief over the death of his girlfriend as he helped his team get to the championship game

Facebook Graph Search is an awesome tool for phishing attacks (CSO) Graph Search makes it easier for cyber criminals to gather relevant details that can be used to target phishing attacks more effectively. Facebook shook the tech world's foundation a bit with the announcement of Graph Search capability. Users are anxious for a chance to play with the new feature, and attackers are looking forward to this potent new weapon, er, tool as well. In a nutshell, Facebook Graph Search is a search engine that allows you to find things based on relationships and context--basically drawing from the limitless pool of Likes, tags, and check-ins posted by a billion Facebook members

How Twitter users can fake a verified account - and how you can tell the difference (Naked Security) Verified accounts on Twitter can help you tell the difference between a real celebrity's account, and those of imposters and over-enthusiastic fans. In this way, you can tell the real @britneyspears apart from the likes of @britney_spears and @britneyspear. A Naked Security reader got in touch this morning asking us how on earth a fictional character (Percy Jackson) had managed to get his Twitter account verified:"How is an RP account verified by Twitter?"We took a look, and sure enough there's a blue verified badge beside @PerseusJackscn's name

A shock in the dark: Flashlight app tracks your location (NBC News) The element of surprise causes hard feelings when it comes to privacy violations, and mobile phone apps are ambushing consumers far too often, according to researchers at Carnegie Mellon University. Researchers at the school's Human-Computer Interaction Institute studied both the data gathered by the 100 most popular programs in Google's Android app store, and how surprised users were when told what the apps were doing. On Tuesday they released a list of the 10 worst offenders in terms of transparency

90 percent of passwords can be cracked in seconds (Infosecurity Magazine) More than 90% of user-generated passwords can be made vulnerable to hacking in a matter of seconds, according to new research from Deloitte. The consulting firm's Canadian Technology, Media & Telecommunications (TMT) Predictions 2013 report covers a range of technology predictions, including the outlook for subscription TV services and 4K televisions, but the vulnerabilities in todays password practices top the list of things to consider in 2013. The problem, researchers said, is that everything that we thought to be true must be reconsidered given advances in technology."Passwords containing at least eight characters, one number, mixed-case letters and non-alphanumeric symbols were once believed to be robust, said Duncan Stewart, a director of research for the report

Heads-Up - Security Researchers Expose X-ray Machine Bug (Dark Reading) A pair of researchers best known for poking holes in industrial control systems (ICS) products found that medical devices suffer similar security woes after they were able to easily hack into a Philips x-ray machine. Terry McCorkle and Billy Rios, both of Cylance, here today demonstrated how a rudimentary fuzzer they wrote basically gave them privileged user status on the XPER x-ray machine. The machine has inherently weak remote authentication

For Industrial, Medical Systems: Bugs Run In The Family (Security Ledger) On the surface, the kinds of industrial control systems that run a power plant or factory floor are very different from, say, a drug infusion pump sitting bedside in a hospital intensive care unit. But two security researchers say that many of these systems have two important things in common: theyre manufactured by the same company, and contain many of the same critical software security problems. In a presentation at gathering of industrial control security experts in Florida, researchers Billy Rios and Terry McCorkle said an informal audit of medical devices from major manufacturers, including Philips showed that medical devices have many of the same kinds of software security holes found in industrial control system (ICS) software from the same firms

Whistleblower sheds light on global zero day exploits market (TechEye) The result of their fattening labour are zero-day exploits, bits of custom code specifically tailored to exploit software flaws which have not been made public yet. While they may sound scary to the average user, they are also a vital resource for

Internet Mercenary Gives A Peek Into His Shadowy World (Business Insider) "As technology advances, the effect that zero-day exploits will have is going to become more physical and more real," [Desautels] says. "The software becomes a weapon. And if you don't have controls and regulations around weapons, you're really open to

Litigation, Investigation, and Enforcement

U.S. Attorney Carmen Ortiz Issues Statement About Her Office's Handling Of Case Against Aaron Swartz (TechCrunch) After accusations of overzealous prosecution and a whitehouse.gov petition with nearly 40,000 signatures calling for her removal, U.S. Attorney Carmen Ortiz has issued a statement about the suicide of Aaron Swartz. In it, Ortiz defended her office's handling of the case, saying its conduct was "appropriate" and that it would not have sought a decades-long prison sentence

US rebuffed in effort to get copies of Canadian Megaupload servers (Ars Technica) An Ontario judge has refused a US request for unfettered access to the data on Megaupload servers hosted in Canada. The ruling is another sign that overseas courts are not giving US officials the degree of deference they've grown accustomed to in this case under US law. Megaupload once had servers around the world, but they were shut down in a coordinated raid on January 19, 2012

Garda member to lead operations at new EU cybercrime centre (Silicon Republic) A detective inspector with An Garda Sochna has been appointed head of operations for Europols newly established European Cyber Crime Centre in The Hague. Det Insp Paul Gillen is currently head of the Computer Crime Investigation Unit at the Garda Bureau of Fraud Investigation. He will take extended leave without pay from the Garda in order to take up his five-year contract, starting in February

Manning Accusers Must Prove Intent To Aid Enemy (Washington Post) A military judge ruled Wednesday that prosecutors will have to prove that Army Pfc. Bradley Manning knew he was providing information to the enemy when he disclosed hundreds of thousands of cables to WikiLeaks, the anti-secrecy group

Design and Innovation

Google's Larry Page on Why Moon Shots Matter (Wired Business) Larry Page lives by the gospel of 10x. Most companies would be happy to improve a product by 10 percent. Not the CEO and cofounder of Google. The way Page sees it, a 10 percent improvement means that you're basically

The CyberWire Daily Briefing for 1.17.2013