The CyberWire Daily Briefing 07.11.13

Cyber Trends

Facebook's Mark Zuckerberg says privacy is no longer a 'social norm' (The Telegraph) Facebook founder Mark Zuckerberg has denounced privacy as a 'social norm' of the past as social networking's popularity continues to grow

"Enormous increase" in cyber attacks against energy, says DHS (Smart Grid News) A new report from the Department of Homeland Security claims the energy sector is seeing a major increase in the number of cyber attacks. There were 111 cyber incidents during the first half of 2013. That compares to 81 incidents for all of 2012. This

NATO cyber defense center fights tide of hacking attempts (Reuters) "The worst case scenario of a cyber attack for us could be loss of life…If intelligence doesn't get through about an ambush, if notification doesn't get through about a security situation, then our troops' lives are at risk," West said

Cyber Attack Risk Highest Ever, Warn MPs (Sky News) The threat to the UK from cyber-attack is now at its highest-ever level and is "disturbing in its scale and complexity", according to MPs. The assessment was made by the Intelligence and Security Committee (ISC) in its annual report on the UK's three

U.K. Ministry of Defence hit by cyberattack, data stolen (ZDNet) The latest annual report from the U.K. Parliament's Intelligence and Security Committee (ISC) has disclosed that the U.K.'s Ministry of Defence suffered a cyberattack in which data was stolen. Despite heavy redactions to protect sources and budgets from prying eyes, the admission was buried halfway through the document in a section detailing how the U.K. government can and is protecting itself against foreign cyberthreats and attacks

Foreign messaging services complicate government spying (CSO) Privacy concerns sparked by leaks about massive U.S. surveillance programs has spurred encrypted messaging services overseas that could complicate government spying efforts, experts say

12 trends in privacy and security (Help Net Security) First identified as an industry issue a decade ago, data breaches are now part of the consumer vocabulary. Data breaches have evolved from credit card fraud with financial consequences to medical

Enterprises need help with M2M implementation, says IHS (FierceMobileIT) Enterprises are increasingly turning to service providers to help with deployment of cellular machine-to-machine communications systems, as well as development of applications to integrate M2M with other corporate systems

BYOD is going to cost you, experts warn (FierceMobileIT) BYOD programs have a lot of hidden costs that IT departments often do not consider. For example, an enterprise could incur significant costs if it tries to support all versions of operating systems being used by BYOD employees, Craig Merrick, managing consultant for mobile business solutions at Fujitsu, told Total Telecom at its Network Management Show held last week in London

Wall Street doesn't want outside law firms to allow BYOD (FierceMobileIT) Top financial services firms on Wall Street do not want their outside law firms allowing their staffs to bring their own mobile devices to work, according to a panel discussion of in-house attorneys at these financial firms

A Changing Threat Landscape — Hardware Security (Infosecurity Magazine) Over the last week or so I have been working with colleagues and some of our specialist partners on putting together a presentation to an industry special interest group. One of the aforementioned presentations looked at hardware security and the potential for hidden threats at the hardware layer. Security threats from hardware and relatively new trends in today's malware targeting attacks at hardware, rather than software, was something I had not looked at in detail before. As a result, I read several articles relating to this and for me it looks like a big unknown to the overall IT and Information Security world

Legislation, Policy and Regulation

The Future of US Cyber Command (ISN) The US military's cyber arms have had many institutional homes over the last 20 years — the latest being US Cyber Command. Today, the Atlantic Council's Jason Healey explores the possible next-step option — breaking Cyber Command away from its

Fine Print: Just how open will the debate over surveillance be? (Washington Post) One result of former National Security Agency contract worker Edward Snowden's recent release of highly classified NSA documents: Tuesday saw what a participant called the necessary start of a public "wide-open debate" about the government's

Backlash inevitable as no one likes being spied upon (The National) Since Edward Snowden, a contractor with Booz Allen Hamilton, leaked documents revealing that the United States National Security Agency is collecting data on vast numbers of Americans, much of the debate in the US has focused on whether this is a breach of the American law. However, there has been little outrage with the NSA's surveillance of the communications of non-Americans

Latin American nations fuming over NSA spying allegations (Reuters) A leading Brazilian newspaper reported on Tuesday that the U.S. National Security Agency targeted most Latin American countries with spying programs that monitored Internet traffic, especially in Colombia, Venezuela, Brazil and Mexico. Citing documents

Chinese State Media Accuse U.S. of Cyber Double Standards (CNS News) As U.S. and Chinese officials continue high-level talks in Washington, Chinese state media are reiterating Beijing's contention that recent revelations of widespread National Security Agency surveillance have undercut U.S. accusations of Chinese cyber-attacks

Differences On Cybertheft Complicate China Talks (New York Times) Vice President Joseph R. Biden Jr. opened annual strategic talks with senior Chinese leaders here on Wednesday by repeating the United States accusation that the electronic theft of American intellectual property could undermine the relationship between the worlds two largest economies

Lawmakers: Testimony Hurts Oversight Of Spying (Washington Post) Lawmakers tasked with overseeing national security policy say a pattern of misleading testimony by senior Obama administration officials has weakened Congress's ability to rein in government surveillance

Intelligence and Security Committee of Parliament Annual Report 2012–2013 (House of Commons) The Intelligence and Security Committee of Parliament (ISC) is a statutory committee of Parliament that has repsonsibility for oversight of the UK intelligence community

No more disconnection penalty for French file sharers (Help Net Security) HADOPI, the French "three strikes" law for promoting the distribution and protection of creative works on the Internet, has been changed and can no longer be used to disconnect file sharers from the

CFPB doesn't collect data on individual Americans (FierceGovIT) The Consumer Financial Protection Bureau does not collect data on individual Americans, a CFPB official told a July 9 House panel, repeating variations of that same statement to Republican lawmakers who asked variations of the same question over CFPB data collection practices

Biden Urges End to 'Outright' Theft Through Hacking by China (SecurityWeek) US Vice President Joe Biden urged China on Wednesday to end its "outright" theft through hacking and to improve human rights as the world's two largest economies waded into some of their thorniest disputes

German Chancellor Angela Merkel Defends Secret Surveillance for Security (SecurityWeek) German Chancellor Angela Merkel on Wednesday defended the role of secret services in keeping populations safe, but also said she only learnt of the US-run PRISM surveillance program through media reports

SSNs Exposed In Most Data Breaches In California (Dark Reading) State Attorney General calls for adoption of encryption in 'leading edge' data breach report. More than half of Californians whose personal information was exposed in data breaches last year wouldn't be a statistic if the breached companies had used encryption

Products, Services, and Solutions

Barracuda Web Application Firewall Provides Security-As-A-Service For Windows Azure (Dark Reading) Barracuda Networks Inc., a leading provider of security and storage solutions, today announced deeper integration of the Barracuda Web Application Firewall within Windows Azure. The Barracuda Web Application Firewall is one of the first Web Application Firewalls (WAF) available that is integrated into Windows Azure and can be deployed as a single instance or as part of a scalable security platform. This announcement further strengthens the relationship between Microsoft and Barracuda, first announced in February 2013

INTERPOL And Morpho Sign Strategic Biometric Partnership (Dark Reading) Partnership covers the supply of automated biometric identification systems. A partnership agreement will see Morpho (Safran) provide INTERPOL with a range of innovative biometric solutions and other technical support to enhance global security. The partnership covers the supply of automated biometric identification systems to INTERPOL, provision of state-of-the-art security solutions for the future INTERPOL Global Complex for Innovation (IGCI), as well as collaboration on the subject of border security

BullGuard Launches Free Online Virus Scan To Detect Latest Threats (Dark Reading) BullGuard Virus Scan scan systems for active viruses and ensure users are protected against the latest threats

Becrypt becomes first and only UK software encryption supplier to be listed in NATO Information Assurance Product Catalogue (ResponseSource) ecrypt, a leading supplier of cyber security solutions to Governments and industry, has become the first and only UK supplier of encryption software technology to be listed in the prestigious NATO Information Assurance

Product Comparison Test For Zero-Day Attacks (Australian Techworld) In this comparison test, AV-Test looks at the performance of competing security solutions on which product could best pro-actively protect an organisation's capacity from so called zero day attacks. Click to download the results! AV-Test Institute is a

Technologies, Techniques, and Standards

Six Tips: How To Protect Yourself From Mobile Attacks (Dark Reading) Android is by far the most popular operating system for mobile devices such as smartphones or tablet PCs. But that status also means opportunities for cyber criminals: in 2012 alone, the amount of malware specifically targeting Android users jumped from 17,000 to more than 214,000 samples each month. And malware is no longer being smuggled into the system via app downloads only; mobile e-mail use also offers an easy target. One particularly popular trend is to send links via hacked e-mail accounts leading to seemingly secure mobile Web sites. These sites, though, automatically forward users to subpages that use invisible iframes to scan the precise version of the operating system being used, introduce updates, and enable long-term access to sensitive user data (these are so called multifunction Trojans)

The Five Most Common Security Pitfalls In Software Development (Dark Reading) How can software developers build more secure applications? Here are five pitfalls to avoid

Cloud security is important, but what does it really mean? (VentureBeat) Cloud computing is one of the most valuable innovations for business, providing cheap, virtual services that once required expensive, local hardware. We place almost everything in the cloud, but what do we really know about its security? How do we protect ourselves and our privacy from being compromised

The hot new technology in Big Data is decades-old: SQL (Ars Technica) Despite the growth of "NoSQL" databases over the past few years, SQL is going nowhere. In fact, it seems Structured Query Language is in ascendance in a realm that once seemed bent on excluding it: "Big Data"

How elite security ninjas choose and safeguard their passwords (Ars Technica) There are many ways to manage your digital keys. Here's how five experts do it

Commerce Dept.'s NIST Leans on Industry to Build Cyber Framework (Main Justice) In response, a February cybersecurity Executive Order tasked NIST with building the cybersecurity framework, which will be implemented in collaboration with the Department of Homeland Security. Compliance with NIST's framework is voluntary and the

How to get better bug reports from users without resorting to threats, bribes or tears (IT World) Software developers weigh in on the best ways to get users to give them the information they need to fix problems

Russian security agency to buy typewriters to avoid surveillance (Moscow News) Russia's Federal Protection Service (FSO), the Kremlin agency that protects state officials like the president and the prime minister, has ordered 20 typewriters in an apparent bid to avoid leaks and surveillance like those revealed by NSA whistleblower Edward Snowden

How to avoid the Spamhaus' blacklist to maintain email deliverability (SC Magazine) I get a lot of questions about Spamhaus. I mean a lot. Seriously. But it's cool. Spamhaus seems shrouded in mystery, and our Return Path service team wants to be sure that they are giving the best advice to clients to ensure they are following best practices and not mistaken for spammers

NIST preparing new special publication on multi-organization computer security response (FierceGovIT) How multiple computer security incident response teams should coordinate to handle a cyber incident larger than any single organization will be the subject of a new National Institute of Standards and Technology special publication

IBM And Big Data Disruption: Insider's View (InformationWeek) IBM's Bob Picciano, general manager of Information Management, talks up five big data use cases, Hadoop-driven change; slams SAP Hana, NoSQL databases

Marketplace

DEF CON To Feds: We Need Some Time Apart (Krebs on Security) One of the more time-honored traditions at DEF CON — the massive hacker convention held each year in Las Vegas — is "Spot-the-Fed," a playful and mostly harmless contest to out undercover government agents who attend the show. But that game might be a bit tougher when the conference rolls around again next month: In an apparent reaction to recent revelations about far-reaching U.S. government surveillance programs, DEF CON organizers are asking feds to just stay away

Tired of helping the CIA? Quit FB, Venezuela min urges (Moneycontrol.com) Edward Snowden, a former US National Security Agency contractor who is stuck in a Moscow airport while seeking to avoid capture by the United States, last month leaked details about American intelligence agencies obtaining information from popular

Edward Snowden Inspires European Youths to Train as Spies (Daily Beast) Young people in Europe see Edward Snowden as a hero, not a traitor, and their fury at U.S. snooping has them signing up to spy for their own countries. Call it the Snowden effect. A growing number of aspiring secret agents have been clamoring to join European secret service agencies in recent weeks. But it's not about the promise of a life of international intrigue. The surge in applicants is pegged to fighting back against American snoops

Experts: Japan's New Cyber Unit Understaffed, Lacks Skills (Defense News) While security analysts hailed the upcoming establishment of Japan's first combined Cyber Defense Unit (CDU), they say the newly minted corps' funding and expertise is inadequate to meet the country's broader cybersecurity needs

U.S. Air Force Sees No Wrongdoing By Booz Allen In Snowden Matter (Reuters) The U.S. Air Force said it sees no evidence that a defense contractor that employed Edward Snowden is responsible for his disclosure of classified U.S. information, a finding that allows the company to continue doing business with the Pentagon

Pirate Bay founder raising money for new encrypted messaging app (Help Net Security) Peter Sunde, one of the Pirate Bay co-founders, is looking to enter the encrypted messaging market. Spurred by the recent revelations about the US government's PRISM surveillance program, he intends

Blue Coat may be selling monitoring technology to additional repressive regimes (SC Magazine) A cyber and human rights research institution has released a report questioning a security vendor's distribution of products containing web monitoring capabilities

Army Selects 4 on Foreign Military Sales Mgmt Consulting IDIQ (GovConWire) Four companies have won positions on a U.S. Army foreign military sales contract to provide administrative and general management consulting services in 10 countries. The Army will determine performance location and funds with each individual task order under the indefinite-delivery/indefinite-quantity contract, the Defense Department said Tuesday

Ballmer unveils broad Microsoft reorganization (IT World) Microsoft CEO Steve Ballmer unveiled what he termed is a "far-reaching realignment" of the company designed to help Microsoft innnovate faster and operate in a more coherent and holistic manner as it faces a variety of challenges from rivals big and small

Research and Development

Chatbot hunts for pedophiles (Gizmag) For a number of years now, police forces around the world have enlisted officers to pose as kids in online chat rooms, in an attempt to draw out pedophiles and track them down. Researchers at Spain's University of Deusto are now hoping to free those cops up for other duties, and to catch more offenders, via a chatbot that they've created. Its name is Negobot, and it plays the part of a 14 year-old girl

Data Storage That Could Outlast the Human Race (Slashdot) Researchers develop technique for recording up to 360TB of data on a glass disk that should be readable in a million years. Just in case you haven't been keeping up with the latest in five-dimensional digital data storage using femtocell-laser inscription, here's an update: it works

Security Patches, Mitigations, and Software Updates

HP Issues Fix for Backdoor Vulnerability in StoreOnce Systems (SecurityWeek) HP's security response team has released a fix to address the backdoor vulnerability in its StoreOnce backup systems disclosed late last month by an independent security researcher

Cyber Attacks, Threats, and Vulnerabilities

HP admits to backdoors in storage products (The Register) Hewlett-Packard has agreed that there is an undocumented administrative account in its StoreVirtual products, and is promising a patch by 17 July

Attackers Targeting MS13-055 IE Vulnerability (Threatpost) Attackers are using an Internet Explorer vulnerability, which Microsoft patched yesterday, in targeted attacks that also employ a malicious Flash file installed through a drive-by download launched by compromised Web pages. The exploit that's being used is capable of bypassing both ASLR and DEP. The attacks are exploiting a memory corruption vulnerability in IE (CVE-2013-3163)

Microsoft reports hackings exploiting bug reported by Google researcher (Cyberwarzone) Microsoft said hackers have attacked some computers by exploiting a bug in Windows first disclosed two months ago by a Google researcher, who came under fire at the time for publicizing the flaw without going to the software company first

Google researcher's outing of Windows vulnerability may have led to cyber forays (CSO) Microsoft detects targeted attacks after Windows flaw made public

An Outbreak: Backdoor Simda! (Cyberwarzone) Backdoor Simda is known for about 3 years. Recently a new major outbreak occurred. The new variant of the backdoor is downloaded from certain sites containing video

Anatomy of a security hole - Google's "Android Master Key" debacle explained (Naked Security) This month's "computer security elephant in the room" story is the news of a gaping security hole in Android application security. Paul Ducklin gives you a visual explanation of what the problem is all about, and offers some simple advice

.NL Registrar Compromise (Internet Storm Center) Based on a note on the website of SIDN [1], as SQL injection vulnerability was used to compromisse the site and place malicious files in the document root. SIDN is the registrar for the .NL country level domain (Netherlands). As a result of the breach, updates to the zone file are suspended. There is no word as to any affects to the zone files, or if the attackers where able to manipulate them

Generic TLDs Threaten Name Collisions, Information Leakage (Dark Reading) Security problems could ensue if common internal TLDs--such as .corp and .exchange--are allowed to be registered. As the Internet Corporation for Assigned Names and Numbers (ICANN) continues its march toward the eventual approval of hundreds, if not more than a thousand, generic top-level domains (gTLDs), security experts warn that some of the proposed names could weaken network security at many companies

Fake Expedia Itinerary Confirmations Deliver Malware (eSecurity Planet) An attached ZIP file installs malware capable of stealing sensitive information from the infected computer and sending it to a remote server

Websolutions Hacked by Rex Mundi (eSecurity Planet) The hackers are threatening to publish user data if they're not paid 'a reasonable amount of money' by next Friday

Irish Anti-Abortion Group Hacked (eSecurity Planet) The site's home page was replaced with a statement calling it a 'hate-filled truth-distorting website.' The Irish Times reports that the Web site of the Irish anti-abortion organization Youth Defense was recently hacked and defaced

IRS exposes 'Holy Grail of personal information' online (CSO) Identity theft is big business. Attackers use a variety of tools and techniques to extract tidbits of information that can be used to infiltrate a person's digital life, or assume their identity

Searchable IRS Database Exposes Applicant SSNs (Threatpost) The Social Security Numbers of tens of thousands of Americans ended up in a searchable public database that provides access to the tax filing applications of Section 527 political organizations on the Internal Revenue Service's website

Roy's Restaurants Hit By Security Breach (eSecurity Planet) The company says its customers' credit card information may have been exposed. Restaurant company Roy's Holdings, which runs six restaurants in Hawaii, recently began notifying an undisclosed number of customers that their credit card information may have been compromised after an employee's desktop PC was infected with malware

Facebook scam packs double whammy (Help Net Security) A new phishing / malware delivery scam is doing rounds on Facebook, warns ThreatTrack's Chris Boyd. The lure is a message saying "I'm serious guys If you people don't stop posting this of me I will

Phone Makers Are Still Opening Security Holes By Spying On Phones (StorefrontBacktalk) A security researcher in Seattle has identified yet another program running in the background of some smartphones in the name of collecting quality of service information. This time the phone is Motorola's (NASDAQ:GOOG) Droid X2, and the program collects data that includes some user passwords--the researcher confirmed that his YouTube password was slurped up--which then are sent back to Motorola over an unencrypted connection

Malware writers: Don't screw up (SC Magazine) Remember the Wet Bandits in the movie Home Alone? Marv, one of a pair of bumbling burglars, thought it would be a cool move to leave a faucet running in each of the houses they burglarized, like a calling card. The downside was that, when the police finally nabbed them, it was obvious exactly which houses the Wet Bandits had hit

Cyber Crime Origin: Russia as a Nursery (Soft2Secure) It's common knowledge that most of the contemporary computer threats come from countries which do not apply appropriate effort to nip malware developers/releasers. A good or rather the most striking example of such kind is Russia, notorious for mass-spreading of malware, especially such types as ransomware, fake antispyware

Academia

A Lecture on Web Application Hacking (video) (SC Magazine) A Florida State University lecture on web application hacking

No US College In Top 10 For ACM International Programming Contest 2013 (Slashdot) "The annual ACM International Collegiate Programming Contest finished up last week for 2013, but for the first time since its inception in the 1970s, no U.S. college placed in the top 10. Through 1989, a U.S. college won first place every year, but there hasn't been one in first place since 1997. The U.S. college that has won most frequently throughout the contest's history, Stanford, hasn't won since 1991. The 2013 top 10 consists entirely of colleges from Eastern Europe, East Asia, and India"

14 Reasons Law Schools Must Teach Tech (InformationWeek) As technology reshapes both the way law firms run and the law itself, law schools must also morph, says noted legal scholar. Legal education's inability to adapt to technology is undermining law schools around the country, argued noted legal scholar Oliver R. Goodenough in a talk Tuesday at Harvard's Berkman Center for The Internet and Society

Ohio State students react to National Security Agency program leaks (OSU - The Lantern) Ohio State students are reacting to the recent United States National Security Agency leaks in various ways. About a month ago, Edward Snowden leaked confidential information he had collected as an employee of government contractor Booz Allen Hamilton

UMUC Wins $250M to Educate Military Personnel Overseas (GovConWire) The Pentagon has awarded the University of Maryland University College a contract renewal worth more than $250 million to continue educating military personnel and their families based in Europe. UMUC has provided higher education programs

Litigation, Investigation, and Enforcement

U.S. promises to guarantee hacker Calovskis' human rights if Latvia extradites him (The Baltic Course) he Justice Ministry has received a letter from the U.S. Department of Justice, in which the U.S. promises to guarantee the human rights of Latvian cyber-crimes suspect Deniss Calovskis if he is extradited to the United States

Snowden fallout for U.S. has been massive (Baltimore Sun) Edward Snowden has wrought more damage on the United States than any private individual in recent memory. It's not just the theft and publication of classified material. That was bad enough because those disclosures make the U.S. look hypocritical and deceitful. The revelations are infuriating America's allies and rivals alike. But the 30-year-old's fervid attempts to find asylum are also setting off escalating rounds of anger and recrimination -- all of that aimed at Washington, too

How the West Enabled Snowden's Bid for Latin American Asylum (Time) Let's say, as Bolivian President Evo Morales insists, that the U.S. did urge European officials to deny Morales their air space on his flight home from Moscow last week because fugitive NSA leaker Edward Snowden was rumored (falsely) to be onboard. If that's true — and we may never know, since U.S. officials aren't commenting — did the Obama Administration just make it easier for Snowden to win political asylum in Latin America

Snowden in Moscow: What Russian Authorities Might Be Doing With the NSA Whistle-Blower (Time) In the summer of 1985, KGB colonel Oleg Gordievsky was called back to Moscow from the Soviet embassy in London, where he was serving as a resident spy. As a pretext, his commanders told him that he was going to receive an award for his service. But in fact the KGB suspected him of being a double agent — which he was — and they were looking to interrogate him. So upon his arrival, his KGB colleagues, still concealing their suspicions, took him to a comfortable country estate in the suburbs of the Russian capital, much like the one where Gordievsky and other former spies believe Edward Snowden, the NSA whistle-blower, has spent the past few weeks

WikiLeaks Leaking Cash After Snowden-Inspired Surge Slows (Bloomberg) Wikileaks is leaking cash. Donations to the European anti-secrecy website initially surged after it offered financial support for Edward Snowden, the former U.S. National Security Agency contractor who revealed secrets about American surveillance, the group's sponsor says. Contributions since have slid, according to the Hamburg-based Wau Holland Foundation, main collector of funds for WikiLeaks

Homeland Security chair: FBI not cooperating with probe (Boston Herald) The FBI is stonewalling a congressional investigation into intelligence failures, the chairman of the House Homeland Security Committee complained today at a hearing looking into the Boston Marathon bombings and several other domestic terrorism

Hearings announced for EU Parliament inquiry into alleged spying (Help Net Security) The Civil Liberties Committee inquiry will gather information and evidence to investigate alleged surveillance activities by the US authorities and EU countries. It will then assess the impact of these

Yahoo wants Fisa objections revealed (The Guardian) In a court filing first reported by San Jose Mercury News the company argues the release would demonstrate that Yahoo "objected strenuously" in a key 2008 case after the National Security Agency (NSA) demanded Yahoo customers' information. In June

Google, Microsoft Seek Help in Lifting FISA Gag Order (Threatpost) Google and Microsoft have locked arms with a number of civil liberties advocates in filing a brief with the secret Foreign Intelligence Surveillance Court hoping to lift a gag order preventing the two tech giants from releasing information on their role in the NSA's surveillance activities

Soldier's Lawyers Rest Case With A Defense Of WikiLeaks' Journalistic Role (New York Times) The defense in the court-martial of Pfc. Bradley Manning rested its case Wednesday with a Harvard law professor testifying that WikiLeaks performed a legitimate journalistic function when Private Manning gave it vast archives of secret government files

Design and Innovation

Sprint, IBM Team To Make Cars Smarter (InformationWeek) Sprint says its Velocity Service Bus, based on IBM's MessageSight mobile data appliance, will enable new uses for auto-generated data in apps. Our cars are already tied back to the manufacturer through sensor data and tenuous reporting systems and mobile links, such as Chrysler UConnect or Ford Sync or Cadillac User Entertainment (CUE). What if all of the auto's sensors, gauges and location information could be tied into more general purpose services

The CyberWire Daily Briefing for 7.11.2013