The CyberWire Daily Briefing for 7.12.2013
New cyber threats expose the limitations of legacy approaches to cyber defense: Android apps are shown vulnerable to modification in ways that don't break their digital signatures. New APT attacks camouflage themselves by using trusted cloud services as vectors. Finally, criminal organizations have begun making defense prohibitively expensive by increasing victims' analytical labor.
Legacy protective measures remain important, particularly against commodity criminal malware (witness repurposed spam and ten-dollar denial-of-service offers) but sophisticated obfuscation enables capable attackers (a growing crowd) to evade signature-based defenses.
Effective defense increasingly requires highly skilled reverse engineers, who are both relatively scarce and pricey. The future seems to lie with automating detection, analysis, and reverse engineering: compare other disruptive technological advances that make expertise available to non-experts. (Probably better for an enterprise to improve its analytical game in-house than hire those "cyber mercenaries" the UK is warning about, too.)
There are those who would forgo defense for counterattack, and tools for active defense are appearing.
Forbes questions big data's security utility—it likens the big-data approach to finding a needle-in-a-haystack by adding more hay.
PRISM fallout at week's end includes reports of cooperation with surveillance by Microsoft and Telstra. Yahoo wants FISA records opened to show its good-faith efforts to protect customers' privacy. DEFCON disinvites "Feds," which draws a decidedly mixed industry reaction. (Feds remain welcome at Black Hat.)
As US-China talks continue, US President Obama expresses "disappointment" with China's failure to extradite Snowden. Estonia's President Hendrik tells the EU, in effect, to get over PRISM.
Notes.
Today's issue includes events affecting Australia, China, Egypt, Estonia, European Union, France, Germany, Pakistan, Russia, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Researchers find another Android attack that can get past signature checks (CSO) The vulnerability allows attackers to modify legitimate Android apps without breaking their digital signatures. A second vulnerability that can be exploited to modify legitimate Android apps without breaking their digital signatures has been identified and publicly documented. Technical details about the vulnerability were published Wednesday by a security researcher in a Chinese language blog post. The flaw is different from the so-called "masterkey" vulnerability announced last Wednesday by researchers from mobile security firm Bluebox Security, though both allow attackers to inject malicious code into digitally signed Android application packages (APKs) without breaking their signatures
Dropbox, WordPress Used As Cloud Cover In New APT Attacks (Dark Reading) Cyberespionage group behind hacks of The New York Times and other media outlets discovered using popular services as camouflage. The cyberespionage gang out of China who recently hacked into media outlet networks is now using Dropbox and WordPress in its attacks rather than via traditional email phishing attacks and server compromise, new research has found
Attackers Focus On Increasing Defenders' Time To Analysis (Dark Reading) The malware whose analysis Geffner will present at the conference comes from a mass customized attack, likely created by a criminal organization
New commercially available mass FTP-based proxy-supporting doorway/malicious script uploading application spotted in the wild (Webroot Threat Blog) For many years now, cybercriminals have been efficiently abusing both legitimate compromised and automatically registered FTP accounts (using CAPTCHA outsourcing) in an attempt to monetize the process by uploading cybercrime-friendly 'doorways' or plain simple malicious scripts to be used later on in their campaigns
Fake 'iGO4 Private Car Insurance Policy Amendment Certificate' themed emails lead to malware (Webroot Threat Blog) In a clear demonstration of low QA (Quality Assurance) applied to an ongoing malicious spam campaign, the cybercriminals behind the recently profiled 'Cybercriminals spamvertise tens of thousands of fake 'Your Booking Reservation at Westminster Hotel' themed emails, serve malware' campaign, have launched yet another spam campaign
Commercial DDoS Services Proliferate, Are Responsible For Many Recent Attacks (Dark Reading) Customers can DDoS a website for as little as $10, Vigilant by Deloitte speaker will tell Black Hat audience
Macau Government E-mail Accounts Hacked (eSecurity Planet) Thirty-four e-mail accounts at telecom provider CTM were hacked, including government accounts
North Carolina High School Acknowledges Data Breach (eSecurity Planet) 456 students' names, addresses, phone numbers, course enrollments, grades, identification numbers and other transcript data were exposed
Egyptian Government Web Sites Hacked by Anonymous (eSecurity Planet) The sites were defaced with a statement in support of deposed president Mohamed Morsi
6 Pakistani Ministry Websites Hacked by Afghan Cyber Army (HackRead) A group of hackers claiming to have roots in Afghanistan going with the handle of Afghan Cyber Army has hacked and defaced six high profile ministries of government of Pakistan. Hackers left their deface page along with a message against Pakistan against alleged involvement of Pakistani authorities in recent suicide bombings in Kabul, Afghanistan
Report: Email account of former CIO of intelligence agency hacked (SC Magazine) The former deputy CIO tasked with managing the U.S. Department of Defense's foreign military intelligence efforts has had his personal email account hacked, according to Gawker. Roy Apseloff, who before retiring last month also carried the title of vice deputy director for information management for the Defense Intelligence Agency (DIA), was reportedly exposed by "Guccifer," a hacker who has claimed to have previously hijacked the email accounts of the Bush family in February
Telltale signs of ATM skimming (IT World) ATM skimming schemes involve installing fraudulent equipment that criminals use to steal credit and debit card numbers and PINs. Industry estimates calculate that ATM fraud costs banks and consumers billions of dollars annually. Here are a few things to look for the next time you need
California agency takes 6 months to notify victims about financial information breach (FierceITSecurity) The California Department of Consumer Affairs' Bureau of Automotive Repair took six months to notify victims about a breach that exposed their financial information to a hacker
Telstra signed deal that would have allowed US spying (The Guardian) Australian company agreed to allow US government to store information on communications between US and other countries
How Microsoft handed the NSA access to encrypted messages (The Guardian) Microsoft has collaborated closely with US intelligence services to allow users' communications to be intercepted, including helping the National Security Agency to circumvent the company's own encryption
Security Patches, Mitigations, and Software Updates
Is it Time to Add Vulnerability Wednesday? (TrendLabs Security Intelligence Blog) By now, you've likely seen Google's announcement that they now support a seven-day timeline for disclosure of critical vulnerabilities. Our CTO Raimund Genes believes that seven days is pretty aggressive and that rushing patches often leads to painful collateral damage
Cyber Trends
Free 'Active Defense' Tools Emerge (Dark Reading) Ammunition for fighting back against cyberattackers in subtle yet disruptive ways is becoming available in open source
U.K. spies: Nations are hiring cybermercenaries (USA Today) A British intelligence report says that other nations are hiring hackers to launch attacks against their enemies, a trend it described as particularly worrying
Security metrics are too complicated for senior executives (Help Net Security) Tripwire announced the results of research on the state of risk-based security management with the Ponemon Institute. Key findings include: 75% of respondents say metrics are "important" or
Infographic: Is your information safe? (Help Net Security) ID Experts released an infographic that provides a snapshot of identity theft and data breach over the last decade. Click on the image below to see the large version
Study: 73 percent believe SANS controls guidance worth adopting (SC Magazine) A high percentage of security professionals polled say they plan to adopt relatively new security controls that were conceived by the government to curb data theft at organizations
Cybersecurity of World Aviation a Major Focus of AIAA AVIATION 2013 (Wall Street Journal) Leading cybersecurity experts will speak at AIAA AVIATION 2013, being held August 12-14 at the Hyatt Regency Century Plaza, Los Angeles, Calif. Hosted by the American Institute of Aeronautics and Astronautics, the conference will address the risk of the evolving cyber threats to the world's $2.2 trillion commercial aviation enterprise… The panel discussion "The Connectivity and Cyber Security Challenge," at 1:30 p.m. on August 13, will discuss the challenges presented in aviation security systems, resources against cyber attack, and how players in the enterprise can move to safeguard their vital systems now, rather than after a successful cyber attack. Panelists will be: Paul Kurtz, chief strategy officer, CyberPoint International; Michael K. Sinnett, vice president and chief project engineer, 787 program, The Boeing Company; Dominic Nessi, deputy executive director and chief information officer, Los Angeles World Airports; Larry Castro, managing director, Chertoff Group, LLC; and Peter Andres, vice president, corporate security, Deutsche Lufthansa AG
What your insurance company is doing with your private data (FierceBigData) One of the scariest bugaboos feared lurking under the big data bed is what insurers will do when they find out what you've really been up to. Maybe they'll increase your premiums or cancel your policy if they discover how many Big Macs you bought this week. Or maybe you bought three glasses of wine with dinner or a case of beer for the weekend. How much booze is too much in the eyes of your insurer anyway
Marketplace
OpenStack's Hong Kong summit could be effort to keep China from going rogue (IT World) Fragmentation is often a threat with technologies that take off in China. The OpenStack Foundation may have good reason to host its next summit in Hong Kong, and not just because OpenStack is growing in popularity in China. The foundation could hope that basing the summit in Hong Kong might draw contributors into the fold so that they don't splinter
Hackers Back Away From Relationship With The Feds (Washington Times) DefCon, the biggest annual U.S. conference for computer hackers, last year featured the director of the National Security Agency as its keynote speaker and his agency operated a kiosk, where it handed out tchotchkes, brochures and job applications. DefCon founder Jeff Moss says law enforcement and intelligence officials should stay away this year
Secure Ideas will not be presenting at DEF CON this year (Secure Ideas Blog) James Jardine and I were accepted to present at DEF CON 21 in Las Vegas this year on attacking SharePoint. For 21 years DEF CON has been a very respected organization and the opportunity to present is only given to a small number of people. We were honored to be chosen to speak there again and hope to be able to in the future
Is DEF CON right to ask the feds to stay away? [POLL] (Naked Security) The founder of the DEF CON hacker conference has announced that members of the U.S. federal government will not be welcome to attend this year's event
As DefCon asks Feds to take "time-out," Black Hat welcomes NSA chief (Ars Technica) General Keith Alexander, the Director of the NSA and Commander of the DOD's US Cyber Command, has been announced as the keynote speaker at the upcoming Black Hat USA security conference at Caesar's Palace in Las Vegas. The announcement
Microsoft Reorganization Signals Big Challenges Ahead (InformationWeek) Microsoft CEO Steve Ballmer now has the pieces in place, but will renaming divisions and shuffling executives bring a legitimate payoff
Here are the Microsoft execs who benefit most from today's huge reorg (VentureBeat) Microsoft's biggest corporate restructuring ever, announced this morning by CEO Steve Ballmer, has put the company's fate in the hands of a few executives. (If this were Game of Thrones, they'd be the people on the Small Council table deciding the affairs of the kingdom.)
Report Indicates More Extensive Cooperation By Microsoft On Surveillance (New York Times) Microsoft has collaborated with the National Security Agency more extensively than it previously acknowledged, providing the spy agency with up-to-date access to its customer data whenever the company changes its encryption and related software technology, according to a new report based on disclosures by the former N.S.A. contractor Edward J. Snowden
Booz VP McConnell: Snowden has done 'irrevocable damage' (Federal Times) Former Booz Allen Hamilton employee Edward Snowden has done "irrevocable damage" that will blunt the ability of the U.S. to stop terrorism, the consulting giant's vice president and former director of national intelligence Mike McConnell told a
Law Enforcement Cooperation And Trend Micro (TrendLabs Security Intelligence Blog) Recently, Trend Micro and INTERPOL announced that Trend Micro will help train law enforcement personnel from participating countries all over the world to help them cope with today's cybercrime threats. We are honored to help INTERPOL in its fight against cybercrime; this is completely in line with our vision of creating "A World Safe for Exchanging Digital Information"
Yahoo says release of secret FISA court order will prove it resisted directives (CSO) Yahoo has asked the FISA court to release its order and other documents related to a 2008 decision
Billionaire Icahn Says He'll Sweeten Dell Offer With Warrant (Bloomberg) Billionaire Investor Carl Icahn, who holds an 8.7 percent stake in Dell Inc., has been agitating for months to try to force Dell Chairman Michael Dell and buyout partner Silver Lake Management LLC to sweeten their proposal. Billionaire investor Carl Icahn, in a bid to force Michael Dell to sweeten his $24.4 billion buyout proposal for Dell Inc. (DELL), said he'll increase his offer for the PC maker by this morning by adding a warrant
CSC and HP team up to define the new state needed for comprehensive enterprise cybersecurity (ZDNet) CSC Global Cybersecurity, in a strategic partnership with HP, is helping companies and governments better understand and adapt to the tough cybersecurity landscape
Products, Services, and Solutions
SaaS enhanced mobile device security (Help Net Security) Sophos announced Sophos Mobile Control 3.5, the latest version of its mobile device management (MDM) solution. Available both on-premise and as-a-service, Sophos Mobile Control enables small
Bluebox releases free scanner for Android "master key" bug (Help Net Security) Bluebox Security, the mobile security startup that's "working to save the world from information thievery", has made a name for itself by finding and revealing the existence of a vulnerability that
EMC releases array of new products (Help Net Security) EMC announced new hardware and software products that enable customers to deploy new Protection Storage Architectures that address today's and tomorrow's data protection challenges
Metaforic released secure cryptography solution WhiteBox (Help Net Security) Metaforic announced the general release of WhiteBox, a secure cryptography solution for mobile financial, conditional access, BYOD and embedded communications and payments
Oceus Unveils Mobile Network Mgmt Software Update (The New New Internet) Oceus Networks has updated its network management software portfolio for customers that aim to securely manage wireless infrastructure in remote and hostile areas or emergency response situations
Intelligent Decisions, Wave Form Cloud and Cybersecurity Team (The New New Internet) Intelligent Decisions has partnered with Wave Systems Corp. to develop an identity and access management product intended to help government customers protect data and detect malware
Secunia to Help Microsoft Customers Protect IT Infrastructures (Softpedia) On Thursday, IT security solutions provider Secunia joined Microsoft's Technology Center Alliance Program and became the Redmond giant's first vulnerability
Blue Coat Adds Real-time Support for Hebrew to WebPulse Collaborative Defense (BWWGeeksWorld) WebPulse now supports 19 languages in real time and recognizes 50, allowing it to deliver comprehensive Web and threat intelligence to the Blue Coat® Cloud Service, ProxySG® appliances and PacketShaper® appliances. WebPulse unites a globally
Opt out of PRISM, the NSA's global data surveillance program. (PRISM-Break) Stop the American government from spying on you by encrypting your communications and ending your reliance on proprietary services
Technologies, Techniques, and Standards
Practical IT: How to plan against threats to your business (Naked Security) How can you make sure your business is proactively protecting against threats? Ross McKerchar takes a look
UC Berkeley Study Confirms Browser Security Warnings Proving Effective (Threatpost) Research into browser security warnings demonstrates that users heed malware or phishing alerts more than anticipated
Building Threat Intelligence to Detect APTs in Lateral Movement (TrendMicro Security Intelligence Blog) A later stage of advanced persistent threat (APT) attacks is the "lateral movement" stage, where attackers typically use legitimate computer features to move within the network undetected. This takes place after the initial breach and the establishment of command-and-control links back to the attacker. We earlier discussed the steps in an APT attack in the infographic, Connecting the APT Dots
'Social listening' can prevent misinformation in disaster, says FEMA official (FierceGovIT) In the same way two people would have a conversation, social media requires listening and responding in turn, said Shayne Adamski, senior manager of digital engagement at the Federal Emergency Management Agency
Fixing infosec 1: Eric Cowperthwaite on building better business connections (FierceITSecurity) Is IT security failing at its mission to keep enterprise data safe? It's a debatable question--but it would be much harder to make a successful argument that IT security is winning the fight to keep information and systems secure. Bugs and breaches abound; effective employee communication is a challenge; IT risk management is still immature
Mandiant CEO Kevin Mandia On Security After Uncovering China's Hacking U.S. Businesses (Benzinga) Kevin Mandia made the cover of Fortune Magazine for uncovering major hacks on major U.S. corporations by the Chinese government. China's hacking program is extremely extensive, grounded in attacking America's economy by acquiring trade information
Design and Innovation
It Just Got a Whole Lot Easier to Fund Your Startup (Wired) New rules from the SEC blow the venture capital process wide open, allowing startups to seek out money in a public fashion for the first time. Slowly but surely, the startup funding pipeline is transforming from old boys club into
Academia
Student Teams From The UK, Portugal And Austria Win Microsoft's Imagine Cup 2013 And $50K Each (TechCrunch) Microsoft's Imagine Cup 2013 student technology competition in St. Petersburg Russia just ended with a high-energy awards gala hosted by Dr. Who's Matt Smith. This year, Microsoft awarded three main prizes of $50,000 each to the winners in the World Citizenship, Games and Innovation categories, which were won by teams from the UK, Portugal and Austria
Legislation, Policy, and Regulation
Better late than never: Russia to get cyber troops (RBTH Asia) He said the new service's key tasks would include monitoring and processing information coming from the outside, as well as countering cyber threats, "in other words, something along the lines of the United States Army Cyber Command." Officers
The NSA's Surveillance Is Unconstitutional (Wall Street Journal) Due largely to unauthorized leaks, we now know that the National Security Agency has seized from private companies voluminous data
Little appetite in DC to attack leak-besieged intelligence chief, despite 'erroneous' remark (Washington Post) As the director of national intelligence, James Clapper has told Congress that the regime of Moammar Gadhafi would likely prevail in Libya, that Egypt's Muslim Brotherhood party was "largely secular" and that the National Security Agency doesn't collect data on millions of Americans
Reconciling Privacy and Security Post-Snowden (Time) The Privacy and Civil Liberties Oversight Board, an independent federal agency examining whether U.S. intelligence gathering is too intrusive, held a public workshop on Tuesday in Washington with experts, academics and advocacy organizations. The purpose: to respond to revelations of the government's controversial collection of phone and Internet records, and to recommend what, if any, changes should be made
Intelligence: The Practical Case Against The NSA's Big Data (Forbes) "We should soon be able to keep track of most activities on the surface of the earth, day or night, in good weather or bad." Those words weren't written yesterday by someone at the NSA. They were written by Stansfield Turner, a former head of the CIA, in 1986. They show that electronic tracking – and the hubris that accompanies the possession of high technology – have always been part of the US Intelligence Community
Could The US Government Go Dark? Digital Defense And The White House (Business2Community) During a targeted cyber attack, government agencies go dark. Mission-critical data is inaccessible. Personal information of millions of U.S. citizens is exposed. Communications are cut off. The White House is literally and figuratively in the dark. It's like something out of a summer movie blockbuster, but could it happen in real life? It's not so far-fetched
Estonia says Europe overreacted to US cyber spying (Cyberwarzone) Europeans have overreacted to allegations that the United States had been snooping on them and vacuuming up huge amounts of phone and Internet data, cyber-savvy Estonia said in an interview published Thursday
Litigation, Investigation, and Law Enforcement
US 'Very Disappointed' with China on Snowden (SecurityWeek) The United States told China it was upset it did not hand over US intelligence leaker Edward Snowden after he fled to Hong Kong, saying that the decision had undermined relations. President Barack Obama, meeting senior Chinese officials who were in Washington for annual wide-ranging talks, "expressed his disappointment and concern" over the Snowden case, the White House said in a statement Thursday
US 'blocks my asylum': Snowden human rights activists to airport meeting (Russia Today) Edward Snowden will meet with human rights organizations in Moscow's Sheremetyevo Airport, say airport officials. He will reportedly speak about the US witch hunt against him that he believes is putting other passengers at risk
Review Of Snowden Said To Focus On Foreign Espionage (Washington Post) A National Security Agency internal review of damage caused by the former contractor Edward Snowden has focused on a particular area of concern: the possibility that he gained access to sensitive files that outline espionage operations against Chinese leaders and other critical targets, according to people familiar with aspects of the assessment.
Federal Background Checks Faked by Some Investigators (Businessweek) The investigators who conduct background checks on prospective government hires requiring a security clearance—like the one National Security Agency leaker Edward Snowden had—are supposed to cast a wide net. They comb through an applicant's
French lawsuit targets NSA, FBI, tech firms over Prism (Reuters) Two French human rights groups filed a legal complaint on Thursday targeting the U.S. National Security Agency, the FBI and seven technology companies they say may have helped the United States snoop on French citizens' emails and
Two cases could disrupt FTC's data security authority (SC Magazine) It is commonly said that all businesses should expect to be breached at one point or another. And after that, the Federal Trade Commission (FTC) could come knocking. But hotelier Wyndham Worldwide and medical testing provider LabMD are two companies that are pushing back against separate investigations launched by the consumer protection agency, which asserts that the two companies experienced data breaches that exposed sensitive client information. The results of the cases could decide whether the FTC can continue to punish companies that have been breached
Twitter hands over data in French anti-Semitism case (Straits Times) Twitter said on Friday it had handed over data to French authorities to help identify the authors of anti-Semitic tweets following a complaint from a Jewish students' group
German cybercops working to keep the Internet safe with digital forensics (ForensicFocus) Criminals value the unlimited freedom and anonymity that they get on the Internet. But cybercops and digital forensic experts are working to change that
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
Third Annual SINET™ Innovation Summit (New York, New York, USA, Aug 6, 2013) SINET™, the premiere community builder and innovation catalyst for the Cybersecurity industry hosts their third annual Innovation Summit at Columbia University on August 6th. SINET programs are where the business of Cybersecurity takes place. The networking will be high level and robust with a shared mission of protecting our nation's critical infrastructures. Dawn Meyerriecks, CIA Deputy Director for Science and Technology, will deliver the closing keynote. The CyberWire will provide special coverage of this event.
SANS CyberCon Fall 2013 (Online, Sep 9 - 14, 2013) With sequestration still in place, organizations are finding themselves with training budgets, but drastically reduced travel budgets. This one-of-a-kind online training event brings SANS' top instructors teaching SANS' top courses to those who can't travel.
London Summer 2013 (London, England, UK, Jul 9 - 16, 2013) SANS London Summer takes place at the London Marriott Hotel Kensington and gives security professionals the opportunity to take one of four of SANS' most popular 6-day courses and the 2-day "Securing The Human" course.
3rd Cybersecurity Framework for Critical Infrastructure Workshop (San Diego, California, USA, Jul 10 - 12, 2013) NIST is inviting cybersecurity experts, industry and academia from across the nation to attend one of its regional workshops at UC San Diego to identify, refine and guide the many interrelated considerations, challenges and efforts needed to build this framework.
Mobility Solutions for the Federal Market (Falls Church, Virginia, USA, Jul 16, 2013) With the improvements in mobile technology, smart phones and tablets, DOD, DHS and Civilian agencies have an opportunity to improve their service delivery models and the programs that serve their constituents. In order to accomplish this, Agencies across all branches of government must understand how and where mobile technology can be leveraged, where it's already being successfully leveraged to improve service delivery, and identify the areas of improvement necessary within their agency or program to ensure today's workforce is leveraging mobile technology to help their agency accomplish their goals. Join us at this highly interactive July 16th Potomac Officers Club Mobility Summit where our speakers will be addressing strategic issues.
2013 World Comp (Las Vegas, Nevada, USA, Jul 22 - 23, 2013) 2200 leading researchers, academics, and executives from government, academia and industry will come together at this annual event which facilitates communication among researchers in different fields of computer science, computer engineering, and applied computing.
Black Hat 2013 (Las Vegas, Nevada, USA, Jul 27 - Aug 1, 2013) Black Hat USA is a major international security conference, featuring learning, networking, and skill-building. Sessions include training, briefings, technical presentations, and more.
SECRYPT 2013 (Reykjavik, Iceland, Jul 29 - 31, 2013) The 10th International Conference on Security and Cryptography (SECRYPT 2013) will take place from 29 to 31 July 2013 in Reykjavik, Iceland… The conference will focus on information systems and network security, including applications within the scope of knowledge society in general and information systems development in particular, especially in the context of e-business, internet and global enterprises. It will bring together researchers, mathematicians, engineers and practitioners interested in security aspects related to information and communication.