The CyberWire Daily Briefing for 6.19.2013
PRISM has driven it from the front page, but remember that Anonymous promises big things tomorrow from #opPetrol. If the hacktivists' recent track record holds, #opPetrol will fizzle, but we shall see.
Chrome's Flash implementation is vulnerable to camjacking (IE10 may be similarly affected). The source code of the Carberp banking Trojan is now offered on the black market; analysts see a leading indicator of a surge in financial malware. More than a fifth of the most popular WordPress plugins are vulnerable to commonplace web attacks.
"Justin Bieber" joins "PRISM" as prime phishbait. Three Purdue students keylog their professors in an attempt to change grades.
Oracle issued its June security patches yesterday. The forty fixes include several rated "critical." BlackBerry has also issued a critical security advisory for its Z10 phone.
India sees itself as "an IT superpower," but one protected by only 556 cyber security experts. Leaving aside the specious precision of "556," India does seem to lag comparably advanced countries in this regard.
US tech companies fear the reputational damage abroad that reports of cooperation with NSA surveillance are inflicting. (Google, citing the First Amendment, goes to court to restore trust in its transparency.) It's difficult for international observers, given the cyber espionage odium the US Government attached to Huawei and ZTE, to regard this as anything but sauce for the gander.
Congress continues NSA surveillance hearings. The agency offers swiftly disputed claims of counterterrorism success. Japanese media compare GCHQ G20 surveillance to US codebreaking during 1920s' naval disarmament talks.
Notes.
Today's issue includes events affecting Australia, Canada, China, European Union, Finland, France, Germany, India, Iran, Japan, South Africa, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
#Anonymous #opPetrol will hit petroleum industry on the 20th of June 2013 (Cyberwarzone) It is known as black gold. Anonymous has announced a new operation that will attack the petroleum industry on the 20th of June. The operation appears to have an Islamic motivation, as its founders object to the fact that petroleum is traded in US dollars
Chrome Vulnerable to Camjacking (Infosecurity Magazine) Camjacking is clickjacking aimed at taking over the PC's webcam - and although Adobe fixed the Flash vulnerability that allows it back in 2011, it lives on in the Flash implementations of Chrome and (not verified) IE10
Source code for Carberp financial malware is for sale at a very low price, researchers say (CSO) This will likely result in other banking Trojan programs being created, researchers from Group-IB said
The security of WordPress plugins (Help Net Security) Checkmarx's research lab identified that more than 20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks, such as SQL Injection. Furthermore, a concentrated research
Malicious Website Uses Justin Bieber As Bait (Nebulae News) PandaLabs, Panda Security's anti-malware research lab, has uncovered more than 200 fake web addresses using the name 'Justin Bieber' as bait to attract users
Purdue Students Charged with Hacking to Change Grades (eSecurity Planet) Three students allegedly installed keylogging devices in their professors' keyboards in order to determine their account passwords
Tor to blame for its users being unable to access Facebook (SC Magazine) Reports emerged Tuesday morning that the anonymity software Tor was blocking users from connecting to Facebook. It turns out the social networking site wasn't purposely barring access for Tor users, but flagging the service due to malicious activity on its network
BlackBerry in SA safe from spies (TechCentral) There was no "backdoor pipeline" to BlackBerry South Africa's platform, the company said on Tuesday following reports that the UK government had been monitoring e-mails and phone calls
Apple end-to-end encryption far from bulletproof (CSO) Apple won't provide experts with details of encryption architecture, so what it means by 'cannot decrypt' data is unclear, expert says
Security Patches, Mitigations, and Software Updates
BlackBerry issues 'critical' security warning for Z10 phones (ZDNet) BlackBerry has issued a security advisory notice to those who have bought its flagship Z10
Oracle releases latest round of Java security patches (ZDNet) Oracle releases latest round of Java security patches. Summary: Oracle has released critical patch updates containing 40 security fixes across Java SE products
Oracle to release massive Java SE update (FierceCIO: TechWatch) Oracle is scheduled to release fixes for 40 security vulnerabilities in a Critical Patch Update for Java SE today. These affect multiple versions of Java ranging from JRE 5.0 to the latest Java 7 update 21. A staggering 37 are remotely exploitable without authentication, which means that a remote attacker may break into a vulnerable system from over a network without needing a username or password
Cyber Trends
Why Huawei wants Nokia: Smartphones aren't as dominant as you think (Quartz) When the Financial Times reported that the world's number three manufacturer of smartphones, China's Huawei, might consider acquiring Nokia, that icon of the mobile phone revolution that has fallen on hard times, it was a bit of a head-scratcher. Why would a company making Android smartphones want to acquire the wreckage of the business it's disrupting? It would be like Henry Ford using proceeds from the Model T to buy a buggy whip company
An IT superpower, India has just 556 cyber security experts (The Hindu) China shows the way. For instance, in 2010, China's Central Military Commission approved "Information Support and Safeguarding Base" to serve as People's Liberation Army cyber command to address potential cyber threats and safeguard national security
Is accessing work apps on the move destructive? (Help Net Security) A lack of mobile working policies can lead to destructive consequences for businesses, according to Ping Identity. On a regular basis, 44% of employees access up to five applications via
Key obstacles to effective IT security strategies (Help Net Security) Drawing on data gathered from a total of 3,037 individuals - 1,944 technicians and 1,093 executives - in the United States, Canada, United Kingdom, Australia, Germany, France and Japan, a Ponemon Institute
Businesses not fully implementing infosec programs (Help Net Security) Many U.S. small businesses are taking a passive approach when it comes to protecting their data, leaving themselves vulnerable to data loss and possible financial and reputational damage
Marketplace
The Tech Company Lawyers Who Stand Between You and Government Snoops (Bloomberg Businessweek) The in-house legal teams at Silicon Valley companies are usually associated with intellectual property disputes, anti-trade spats, and the maneuvering around initial public offerings. Yet the latest revelations about Prism, the U.S. National Security Agency's digital-snooping program, make it clear that the top lawyers inside the tech giants have spent years fielding significant numbers of surveillance requests from U.S. government agents, putting them on the murky frontiers of national security law
Spying for the NSA is Bad for U.S. Business (Bloomberg Businessweek) The National Security Agency (NSA) dealt a blow to Google (GOOG), Facebook (FB), Microsoft (MSFT) and other U.S. corporations. In addition to forcing them to engage in the PRISM spy program, the agency made it difficult for these companies to defend their reputations by limiting disclosures of their involvement
I Would Have Hired Edward Snowden (Slate) A former Google and Microsoft engineer explains why elitist, arrogant rebels often make the best employees
Google says 'Shhh, don't say big, just say data' (FierceBigData) Vendors are still comfortable with saying "big data" in public these days, but many of their business customers would rather not utter the term aloud
Microsoft Wins $412M DISA Badge, Cardholder Support IDIQ (GovConWire) Microsoft (NASDAQ: MSFT) has won a potential $412,240,000 contract to provide software developers and product teams to the Defense Department for blue badge and cardholder support. The Defense Information Systems Agency awarded the indefinite delivery/indefinite quantity contract, which includes one base year and four option years, the Defense Department said Monday
Unisys to Move Interior Dept's Financial, Business Mgmt System Into Cloud (GovConWire) Unisys (NYSE: UIS) has won a potential $44 million contract to move the Interior Department's financial and business management system into a cloud computing environment. DOI's FBMS is based on SAP's enterprise resource planning software, which the department uses to account for its revenue and expenditures, Unisys said Tuesday
BrightPlanet® Hires Experienced Intelligence Professional as Deep Web Consultant (PRWeb) BrightPlanet Corporation is pleased to announce the addition of Christopher Hickey to the BrightPlanet team. Hickey brings a wealth of experience in the intelligence community and will serve as a Deep Web consultant with special focus on state and federal law enforcement and intelligence organizations
McAfee Appoints Bill Rielly to Lead Worldwide Small and Medium Business Segment (Daily Finance) McAfee today announced the appointment of Bill Rielly as senior vice president for small and medium-sized business (SMB). Rielly joins McAfee from Apple where he led the worldwide SMB segment for the Apple Online Store. Rielly was selected for his exceptional combination of hands-on SMB expertise and experience driving growth across the globe
Products, Services, and Solutions
Cumulus launches a Linux distro for data center bare metal (VentureBeat) Cumulus Networks, a company that's been in stealth mode for roughly three years, has emerged to launch Cumulus, a Linux distribution that aims to make networking invisible
How do I keep the Spooks out of my inbox? (TrendLabs Countermeasures) Note: The answer to this question is FREE and it's at the end of this post. Digitally signing an email is a way of assuring the recipient that the content, while not encrypted, has not been modified in transit; it is effectively a personal cryptographic certification of the content and attributes of the mail
Risk I/O Integrates Real-Time Attack Data (SecurityWeek) Risk I/O, a vulnerability intelligence platform designed to help organizations efficiently report and mitigate security vulnerabilities, on Wednesday announced that it now analyzes real-time, global attack data alongside security vulnerabilities
Microsoft releases Enhanced Mitigation Experience Toolkit 4.0 (Help Net Security) Microsoft has announced the release of version 4.0 of its popular Enhanced Mitigation Experience Toolkit (EMET), a free utility that helps prevent memory corruption vulnerabilities in software from
Free anti-spam software for the Mac (Help Net Security) Cloudmark announced the latest version of Cloudmark DesktopOne for Mac, an anti-spam solution that users can use to filter email to eliminate messaging threats, protecting them against spam, phishing
F-Secure advances fight against exploits (Help Net Security) Exploitation of software vulnerabilities has become one of the most popular ways to gain access to users' machines, but F-Secure is reinforcing its exploit defenses with enhanced proactive protection
CyanogenMod founder aims to thwart data-grabbing apps (Help Net Security) There's some very good news for users of CyanogenMod, one of the most popular modified Android firmware on the market: its founder and main developer Steve Kondik (aka Cyanogen) has announced that he
Stonesoft Receives Enterprise Firewall Certification From ICSA Labs (MarketWatch) The cyber security expert Stonesoft has obtained the ICSA Labs Enterprise Firewall Certification for Stonesoft
Review: FireMon Security Manager with Risk Analyzer and Policy Planner (SC Magazine) The FireMon Security Manager with Risk Analyzer and Policy Planner modules offers comprehensive network security management, including firewall and router risk analysis, policy compliance auditing, change management and risk analysis. This product features tools that allow administrators and security professionals to analyze the entire network infrastructure through visualization. This provides an easy and intuitive way to see where possible risks and weak points may be found in the network so that they can be assessed quickly before they become a bigger problem. This solution also offers fully integrated change management and rule cleanup capabilities, as well as remediation recommendations and ongoing change monitoring
CrowdStrike Falcon Traces Attacks Back To Hackers (InformationWeek) Startup that encourages playing offense on security launches cloud-based service to help businesses identify adversaries, mitigate attacks and pursue responses
How to detect hidden administrator apps on Android (Help Net Security) Following the discovery of a new Android Trojan that uses several errors and vulnerabilities in the Android OS to make analysis harder for researchers, to remain hidden from users, and to be practically impossible to remove from the device, Trend Micro has created a tool that helps users find and remove this and other similar malicious software
Technologies, Techniques, and Standards
WinLink Check-In (Internet Storm Center) This weekend (June 22-23) the Amateur Radio Relay League and Radio Amateurs of Canada are holding their annual Field Day exercise in North America. Amateur radio operators participate in an emergency preparedness exercise where they deploy their equipment outside the comfort of their home radio shacks and many operate on alternative/emergency power sources. Each year around this time, I realize that I've forgotten that this is coming up, and I hurriedly assemble my kit at the last minute and I try to fit in more than I can accomplish on my own. In other words, it's a realistic drill for me
How prepared is your company for a cyber-attack? (The Guardian) Sadly, in my experience this is when most companies realise they are ill-prepared to deal with a cyber-attack. I have seen companies struggle to come to terms with the loss of intellectual property (IP), funds, a fall in share value, and their
Strategies for health IT success from risk managers (FierceHealthIT) Debating the role of becoming an expert in health IT, risk managers across hospital systems in the U.S. shared their tips for health IT success in a recent report published by Plymouth Meeting, Pa.-based nonprofit research firm ECRI Institute
How secure are your USB ports? (FierceCIO: TechWatch) It is widely known that the infamous Stuxnet malware was transported into a protected Iranian network using a USB flash drive. And now, it appears that whistle-blower Edward Snowden also used the humble USB flash drive to single-handedly exfiltrate top-secret information past the various security measures of the National Security Agency. You can read more about it here
The Attribution Revolution (Foreign Policy) A five-point plan to cripple foreign cyberattacks on the United States. The Obama-Xi summit in Sunnylands ended without any Chinese concessions on cyber-espionage. This came as no surprise; cyber spying has been an indispensable accelerant for China's military and economic rise. And though Beijing may someday agree that international law governs cyberspace, that won't help the victims of espionage, which is not regulated by international law. So if negotiation won't work, what will? Not a strategy that relies entirely on defense. That's like trying to end street crime by requiring pedestrians to wear body armor
Privacy Concerns: Big Data's Biggest Barrier? (InformationWeek) Businesses must be up front with consumers about what data they're using and why. Opting out should be easier, too
Design and Innovation
Google director: Early adoption is for rich chumps (Ars Technica) New technology isn't good until it's cheap
The secret to viral success is there is no secret to viral success (Quartz) It's an indication of our great fortune, our great decadence, or both, that when you type the word "viral" in a Google search bar, the first result isn't influenza or meningitis—it's videos
Research and Development
Iran develops first national computer operating system (Cyberwarzone) The University of Tehran has developed the first national computer operating system in Iran, ISNA news agency reported
Legislation, Policy, and Regulation
Yoroku: Gentleman then and now (Mainichi) In 1929, then U.S. Secretary of State Henry Stimson shut down the State Department's cryptanalysis operations, saying, "Gentlemen do not read each other's mail." He changed his mind soon afterwards, however, and served as secretary of war in World War II
Congress Delves Into Clearance Screening (Wall Street Journal) Edward Snowden's privileged access to America's most closely held secrets has triggered a new push in Congress to overhaul what many see as an antiquated, Cold War-era security-clearance process ill-suited to detect a new generation of tech-savvy dissidents
The NSA Hearing, by the Numbers (Wired) A federal hearing today on NSA surveillance programs leaked by former NSA contractor Edward Snowden produced some interesting numbers about the scope of the data collections and other issues. We've produced a roundup below of some of the interesting stats
Moves to limit contractor access to secrets meets resistance (Reuters, via WKZO) Industry executives and some corners of the U.S. intelligence community are pushing back against possible legislative moves to curb contractors' access to classified information. Following leaks by former National Security Agency
Details On Spying, Not More Assurances (New York Times) Battered by weeks of criticism about surveillance abuses, President Obama has embarked on a reassurance offensive. The spy programs have been used narrowly, he said on PBS's Charlie Rose program on Monday, and have been effective in stopping several terror plots
Congress Wields Its Rubber Stamp (Washington Post) The Founders created a system of checks and balances. Those overseeing the nation's spying have switched to a system of cheers and bouquets. This was the impression given by members of the House intelligence committee as they held an open-to-the-public hearing Tuesday on the National Security Agency's snooping into Americans' phone and Internet records
NSA's Programs Keep America Safe (USA Today) The gross distortion of two vital National Security Agency (NSA) programs is dangerous and unfortunate
Why You Should Worry About Government's Data Grabs (USA Today) Less than two weeks after news broke that the government has been secretly seizing millions of phone and Internet records, polls show about half of the public approves of the vacuum-cleaner approach to keeping them safe from terrorism. Tuesday's House hearing on the National Security Agency programs did nothing to disturb that foolishly compliant attitude
Officials: Dozens Of Plots Derailed (Washington Post) The U.S. government's sweeping surveillance programs have disrupted more than 50 terrorist plots in the United States and abroad, including a plan to bomb the New York Stock Exchange, senior government officials testified Tuesday
More Than 50 Attacks Said to Be Prevented by NSA Programs (Bloomberg) Intelligence-gathering efforts by the U.S. have prevented more than 50 terrorist attacks in more than 20 countries and were done legally, National Security Agency Director Keith Alexander said
In Coded E-Mails, Clues That Helped Authorities Foil Attacks (Washington Post) In recent days, U.S. intelligence and law enforcement officials, as well as congressional officials, have pointed to the authority that allowed them to target the Yahoo account - Section 702 of the Foreign Intelligence Surveillance Act (FISA) - as a critical tool in identifying and disrupting terrorist plots here and abroad. But some critics of NSA surveillance suggested that the collection of data under a program called PRISM was not essential to Zazi's capture because the British first obtained the critical e-mail address
NSA Disruption of Stock Exchange Bomb Plot Disputed (Wired) Did the government really disrupt a bomb plot targeting the New York Stock Exchange? The FBI deputy director said that today in a Spygate hearing where the government for the first time said the secret spy techniques publicly disclosed
Has U.S. started an Internet war? (CNN) Today, the United States is conducting offensive cyberwar actions around the world. More than passively eavesdropping, we're penetrating and damaging foreign networks for both espionage and to ready them for attack. We're creating custom-designed Internet weapons, pre-targeted and ready to be "fired" against some piece of another country's electronic infrastructure on a moment's notice
In Defense of the NSA (Hoover Institution) Its wiretapping program has been derided as an intolerable invasion of individual privacy rights, but it has benefits for national security
No Simple Answers on Security and Freedom (Real Clear Politics) Years ago, the government snooped on my phone calls. It happened in Soviet Russia, where, at 16, I already knew it was dangerous to have politically risky conversations even near the telephone, let alone on it. Shortly after my parents sought permission to emigrate in 1979, we received startling accidental proof that Big Brother was listening. While on the phone with a friend, my mother suddenly heard mysterious clicks--followed by a playback of her own conversation. Moments later a strange voice asked, "Are you recording?", and then the sound was cut off
Legislator reintroduces bill to create FDA Office of Mobile Health (FierceMobileHealthIT) Rep. Mike Honda (D-Calif.) has reintroduced a legislative bill calling on Congress to establish and fund an Office of Wireless Health at the U.S. Food and Drug Administration, according to an announcement from the congressman
New regulation for ENISA, the EU cybersecurity agency (Help Net Security) EU cybersecurity agency ENISA has received a new Regulation, granting it a seven year mandate with an expanded set of duties
EU's Cybersecurity Strategy gets harsh criticism from data protection advocate (Naked Security) A top EU data privacy advocate has criticised the European Union's plans to combat cybercrime, saying they don't provide enough protection for personal data. He's also suggested that too little attention has been paid to existing regulations and agencies
Litigation, Investigation, and Law Enforcement
SC agrees to hear PIL on US surveillance of internet data from India (Times of India) The Supreme Court on Wednesday agreed to give an urgent hearing to a PIL on the issue of US National Security Agency snooping on internet data from India and seeking to initiate action against internet companies for allowing the agency to
Justice Department Fought to Conceal NSA's Role in Terror Case From Defense Lawyers (Wired) When a senior FBI official told Congress the role the NSA's secret surveillance apparatus played in a San Diego terror financing case today, nobody was more surprised to hear it than the defense attorney who fought a long and futile
Google asks to make surveillance orders public, citing First Amendment (CSO) The company has asked the US surveillance court to rule that it has free speech rights to publish data about requests
Google Fights Spying Gag Order, But Key Details Would Be Missing Even If Successful (TechCrunch) As it promised it would, Google is fighting the government's gag order on releasing how many users are monitored by the National Security Agency. Unlike Facebook and Microsoft, Google and Twitter publicly rejected a government deal to disclose the total number of spying warrants for user data, which would include (but not detail) the number of requests coming from the controversial Foreign
Alexander: Snowden got call-tracking order during training (Politico) Alexander told reporters after a House Intelligence Committee hearing that the man who's acknowledged being the source of the recent leaks, Booz Allen Hamilton information technology specialist Edward Snowden, had access to the Foreign Intelligence
Whistleblowers and the economy of esteem (The Economist) Edward Snowden, the erstwhile IT guy who worked for the National Security Agency (NSA) and is responsible for the Powerpoint heard 'round the world, is (a) a hero (b) a narcissist (c) a traitor (d) courageous (e) all of the above
TOS, app permissions are not good cover from big data lawsuits (FierceBigData) To date, the courts have mostly been supportive of terms-of-service, or TOS, agreements even though most acknowledge that the majority of private citizens don't read them or don't understand them. This brings some feeling of relief to companies everywhere but most especially to those currently spoon-feeding big data to the government (and to more agencies than just the NSA)
Upcoming Events
25th Annual FIRST Conference (Bangkok, Thailand, Jun 16 - 21, 2013) The annual FIRST conference provides a setting for conference participants to attend a wide range of presentations delivered by leading experts in both the CSIRT field and from the global security community.
Hack in Paris (Paris, France, Jun 17 - 21, 2013) This five day event will examine forensics, malware analysis, and corporate hacking techniques and, what could be better, it is held at the Euro Disney conference center outside of Paris. It has attracted a stellar lineup of speakers and promises to be a very technical event with heavy emphasis on training. This is its second year.
NASA National Capital Region Industry Days (Washington, DC, USA, Jun 25 - 27, 2013) This dedicated Information Technology Expo - sponsored by the Office of the Chief Information Officer - will serve as a focal point for NASA personnel to learn about the latest products and advances in the marketplace.
AFCEA International Cyber Symposium 2013 (Baltimore, Maryland, USA, Jun 25 - 27, 2013) Cyber threats and challenges grow every day. Successfully defending our networks requires a team approach. With this in mind, the Cyber symposium will engage the key players, including the U. S. Government, the International Community, Industry and Academia, to discuss the development of robust cyberspace capabilities and partnerships. The AFCEA International Cyber Symposium 2013 focuses on the critical missions of U.S. Cyber Command and the interface with Army Cyber Command, Marine Corps Forces Cyber Command, 10th U.S. Fleet Cyber Command, 24th Air Force Cyber, Department of Homeland Security, U.S. Coast Guard, DoD-CIO, National Security Agency (NSA), Defense Information Systems Agency (DISA), Defense Advanced Research Projects Agency (DARPA), Academia, Industry partners. The operational theme " Defining Full Spectrum Global Cyberspace Operations" will explore the operational security of DoD and Industry Networks, Cyber Operations with Joint and Coalition partners, and discuss the training and development of the cyber workforce.
ShakaCon (Honolulu, Hawaii, USA, Jun 25 - 28, 2013) This is the fifth year this "laid back security conference in paradise" is being held. Some solid presentations and training on malware analysis and penetration testing. After all, what could be better than "sun, surf, and C Shells?" There are intensive training classes on hacking mobile apps and even lock picking (the set of tools is included in the class registration).
Northern Virginia Technology Council: Security Threats: What Keeps You Awake at Night? (McLean, Virginia, USA, Jun 27, 2013) It's no secret that cybersecurity events are increasing in frequency and intensity. Many of these events are severe and pose significant risk to us as individuals, to our businesses, as well as our economy and national security. We've seen many reports in the press recently of well-funded nation states attempting to pilfer our networks in search of intellectual property. Every day bad guys are trying to gain access to our credit card information and other forms of personal information to steal our money and identities while others brazenly attempt to take over our data and systems and hold them for ransom. How is this happening? What can we do to protect ourselves? This conference addresses these issues.
American Technology Awards Technology and Government Dinner (Washington, DC, USA, Jun 30, 2013) TechAmerica Foundation hosts its Eleventh Annual Technology and Government Dinner at the Ronald Reagan Building in Washington DC. The dinner continues to serve as the premier Washington, DC technology networking event bringing hundreds of tech industry, congressional, and government leaders together at one venue to celebrate the partnership between industry and government.