The CyberWire Daily Briefing 08.12.13

Cyber Trends

Lost In Translation: Hackers Hacking Consumer Devices (Dark Reading) New grassroots movement aims to fill the gap between security researchers and the consumer industries that are the subject of their hacking projects

Cyber attacks: drilling down into the financial system's newest threat (Financial News) A white paper from the Depository Trust and Clearing Corporation, one of the world's largest post-trade services operators, identified cyber attacks as one of the

Organizations ignore social media when it comes to business continuity planning (CSO) New study finds while many organizations are incorporating business continuity management into their risk program, they are still failing to use social media channels as part of their plan

Firewalls and firefights (The Economist) A new breed of internet-security firms are encouraging companies to fight back against computer hackers. "If someone is shooting at you, the last thing you should focus on is the calibre of the bullet," says George Kurtz, the boss of CrowdStrike, a young tech company. Seated at a coffee table at Black Hat, a conference for the cyber-security industry held in Las Vegas recently, Mr Kurtz is expounding on the fundamental flaw he sees in the way many firms deal with cyber-intrusions. Most, he says, spend too much time trying to work out what hit them and far too little trying to understand the motivations of their attackers and how to counter future assaults

A byte for a byte (The Economist) Letting companies strike back at computer hackers is a bad idea. Security experts like to say that there are now two types of company: those which know they have been hacked and those which have been hacked without realising it. An annual study of 56 large American firms found that they suffered 102 successful cyber-attacks a week between them in 2012, a 42% rise on the year before. Rising numbers of online attacks are stoking a debate about how best to combat cyber-crooks. One emerging school of thought holds that companies should be allowed to defend themselves more aggressively by "hacking back"--using hacker-like techniques to recover stolen intellectual property and frustrate their assailants

Passcodes Pervasive On BYOD — But Not Strong (Dark Reading) 85 percent of enterprise smartphones and tablets require passcode-protection on smartphones and tablets, but only 7 percent employ secure ones. It's a classic balance-of-security-and-convenience story: an overwhelming majority of businesses today force their employees to passcode-protect their mobile devices, but most only with simple and less secure PINs

Enterprises are feeling the 'need for speed' in network firewalls (FierceITSecurity) Enterprises are being driven to buy faster firewalls in order to keep pace with network upgrades, according to a survey by Infonetics Research. More than three-quarters of the 104 large enterprises in North America surveyed said that upgrading to high-speed network interfaces on security appliances was the number one driver for investing in high-end firewalls

Legislation, Policy and Regulation

Scope of NSA Internet surveillance even larger than already known (FierceGovernmentIT) The scope of Internet surveillance conducted by the National Security Agency is even larger than already revealed through leaks from former intelligence community contractor Edward Snowden, the New York Times is reporting

NSA cites case as success of phone data-collection program (Washington Post) Under pressure from Congress, senior intelligence officials have offered it as their primary example of the unique value of a National Security Agency program

NSA Data Collection Only For National Security (Forbes) The National Security Agency (NSA) has come under intense criticism in recent months for collecting Americans' phone and Internet data. This week, the New

DEA, NSA Teamwork: 6 Privacy Worries (InformationWeek) Government agents investigating criminal cases reportedly are tapping into NSA-furnished intelligence. Legal experts cry foul. A secretive U.S. Drug Enforcement Agency unit is taking information gathered by intelligence agencies and using it to prosecute Americans, sometimes for minor offenses, according to a Reuters report. Furthermore, DEA agents have been instructed to obfuscate how they came into possession of the information and reverse-engineer the evidence trail to make it appear as if the information was obtained through other means, Reuters reported

Don't Call It A Cold War (Philadelphia Inquirer) Canceling the meeting with Putin doesnt mean Obama isnt interested in improving relations with Russia. Secretary of State John Kerry and Defense Secretary Chuck Hagel still planned to sit down with their Russian counterparts today to discuss Syria, Iran, Afghanistan, and Snowden

Breaking Through Limits On Spying (New York Times) Apparently no espionage tool that Congress gives the National Security Agency is big enough or intrusive enough to satisfy the agencys inexhaustible appetite for delving into the communications of Americans

War By Wordplay (Washington Post) Well, it makes a difference, first, because truth is a virtue. Second, because if you keep lying to the American people, they may seriously question whether anything you say for example, about the benign nature of NSA surveillance is not another self-serving lie. And third, because leading a country through yet another long twilight struggle requires not just honesty but clarity

Piercing The Confusion Around Phone Program (Washington Post) The program that collects metadata has been referred to in shorthand as the 215 program after the section in the law that governs it. It is a search for a needle in a haystack of unimaginable proportions, and administration officials can point to few successes

NSA's Need To Keep Database Questioned (Washington Post) Critics say court orders could secure phone data one case at a time

Pentagon 'Information Operations' Chief Moves On (USA Today) The Pentagon's point man for "information operations," Austin Branch, is moving on to the National Counter Terrorism Center. Branch has led military's IO effort -- referred to by some as propaganda -- during a period of rapid expansion and, of late, criticism from Capitol Hill. He will be replaced by Mike Banaszewski, who is chief of staff for the deputy assistant secretary of Defense for Special Operations and Counter Terrorism, according to Navy Cmdr. Amy Derrick-Frost, a Pentagon spokeswoman

Ethiopia needs cyber security law urgently: experts (Sodere) Ethiopia was urged to speed up its proposed laws on cyber security to upgrade its banking Information technology (IT) infrastructure, and to fully utilize its IT potential

Products, Services, and Solutions

Maltego Gets More 'Teeth' (Dark Reading) New features in Maltego, an open-source intelligence tool for defenders, allow penetration testers and attackers to gather data on vulnerable systems and manage botnets

SafeNet Partners With Senetas to Protect Data in Motion (PRNewswire) "SafeNet's technical and commercial expertise with our products, its own vast…Senetas has experience in the vulnerabilities and risks of cyber-attacks, data

Statement by Tailored Solutions and Consulting (TSC) on FBI's iGuardian Platform for Cyber Threat Reporting (SFGate) While U.S. Executive Order 13636 represents a new policy emphasis on public and private sector coordination on cyber threats, the FBI's recent launch of iGuardian is a complementary initiative dedicated to the mutual benefit of government and industry. It is a mechanism designed to expedite and augment the cyber security dialogue between private industry and the FBI. It also extends to private industry actors that are not officially designated as critical infrastructure, which is the primary scope of E.O. 13636. More importantly, however, it demonstrates the FBI's commitment to establishing cyber programs that create value for participating US businesses

Norman Shark Announces Malware Analyzer G2 v4.0 and Updated Network Threat Discovery (Dark Reading) Now Featuring 32-bit and 64-bit Support for Windows 7 and 8, Leads the Automated Malware Analysis Market

Cicada Security Technology Inc. Delivers Technology to Eliminate Data Exposure from Computer Theft or Tamper (PRWeb) Preventing the Next Big Data Breach by Closing the Security Blind Spot Exploited by Manning and Snowden

Google introduces Android app for remote wipe, locating lost devices (SC Magazine) A new app called "Android Device Manager" will help users locate or remotely wipe their lost or stolen phones

General Dynamics Launches Online Community to Match Advanced Technical Capabilities with Evolving Customer Requirements (General Dynamics Advanced Information Systems) GDNexus is an online portal where users collaborate to help customers reduce risk and accelerate time-to-mission by leveraging proven technologies from a diverse supplier base

Technologies, Techniques, and Standards

Achieving Security Compliance In Small And Midsize Businesses (Dark Reading) How can smaller businesses meet compliance requirements with limited resources? Here are some tips

Digital Certificate Dangers, and How to Fight Them (eSecurity Planet) While digital certificates play a vital security role, they also present security risks. A certificate management system is a good way to mitigate many of those risks

Building a panopticon: The evolution of the NSA's XKeyscore (Ars Technica) How the NSA went from off-the-shelf to a homegrown "Google for packets."

Security intelligence through configuration auditing (Help Net Security) Modern systems have a multitude of configuration elements that, ideally, meet the IT business requirements of the organization. The danger of having poorly configured systems in place is real

Security Metrics Are Undervalued, Misunderstood (CIO Insight) Keeping your corporate network secure is arguably the most important aspect of any CIO's job. But a new study from risk-based security compliance company Tripwire seems to indicate that determining the metrics for security and conveying to the business side what it takes to keep a company safe is quite difficult. And when security and its importance cannot be conveyed to the business side, security itself suffers. "Chief Information Security Officers talk about the importance of leveraging metrics as a way to influence business leadership and build a risk management practice within their companies," says Rekha Shenoy, vice president of marketing at Tripwire

Google, Mozilla Lead Web's Mobile Renaissance (InformationWeek) Google and Mozilla are blurring the distinction between Web apps and native apps. That could have profound implications for Apple and Microsoft

Marketplace

Security-Cleared Pros Don't Like Leaks — Or Wait Times (Nextgov) There is broad consensus among security-cleared professionals that the disclosures of Edward Snowden, the former National Security Agency contractor now

Cyber-crime and punishment: how to spot security winners (CityWire) Euro Stars AA-rated duo Yves Kramer and Frédéric Dupraz co-run the Pictet-Security fund, which is designed to tap worldwide companies dedicated to the maintaining the health, security and freedom of individuals, companies and governments

Go Long Cyber Security Companies (Seeking Alpha) We've seen one of the most groundbreaking intelligence scandals in history. Leaked to sources such as the Guardian, whistleblower Edward Snowden released a trove of files showing the NSA among others is not only spying on Americans, they are also monitoring conferences such as political negotiations, foreign diplomatic offices, and more

Snowden's e–mail provider is closing, cannot legally say why (Washington Post) The e-mail service used by National Security Agency (NSA) leaker Edward Snowden is suspending operations. And they can't tell us why -- although this cryptic post heavily suggests it has something to do with a government request for information

Secure webmail service Lavabit suspends operation, citing legal issues (Naked Security) If you're interested in webmail security, you've probably heard of Lavabit. It's a boutique webmail provider based in Texas, USA

To Our Customers [re: Silent Mail] (Silent Circle) We designed our phone, video, and text services (Silent Phone and Silent Text) to be completely end-to-end secure with all cryptography done on the clients and our exposure to your data to be nil. The reasons are obvious -- the less of your information we have, the better it is for you and for us

Cybersecurity Pros in High Demand, Highly Paid and Highly Selective (PC Advisor) Experts in cybersecurity are among the most sought-after professionals in the tech sector, with demand for workers in that field outpacing other IT jobs by a wide margin

U.S. NSA To Cut System Administrators By 90 Pct To Limit Data Access (Reuters) The U.S. National Security Agency, hit by disclosures of classified data by former contractor Edward Snowden, said Thursday it intends to eliminate about 90 percent of its system administrators to reduce the number of people with access to secret information

NSA Will Replace Potential Snowdens with Computers (Nextgov) The NSA will eliminate 90 percent of the system administrators who maintain the agency's networks, according to the agency's director Keith Alexander. Speaking on Thursday to a cybersecurity conference, the NSA chief said that most of the current work done by staff and contractor system administrators — Snowden's old job — could be replicated by automated technology

It's now or never for old sysadmins to learn new tricks (The Register) Watch out for your jobs, says Trevor Pott. In most fields of human endeavour the complete invalidation of a person's formal training and skillset generally takes decades, if not generations

The InsideIQ Building Automation Alliance Partners with Cylance (AutomatedBuildings) "Long time InsideIQ member McKenney's, Inc. of Atlanta partnered with Cylance to bring to market an advanced understanding of physical, social and cyber

BlackBerry 'mulls going private' to fix problems amid turnaround blues (ZDNet) The smartphone maker is considering pulling out of the stock market and going private in a bid to fix its problems. It could be just what the company needs to secure further investment for its BlackBerry 10 platform. Or, it could pave the way to a split-up and sell-off

Big Mike shoots email to Dell staff: My backers and I are your best bet (The Register) Founder tries to drum up support for takeover bid

Defense Contractors Aren't Ready to Comply with Anti–Counterfeit Rule (Nextgov) Many contractors admit they will be unable to immediately comply with a rule, taking effect by March 2014, that would require contractors to either develop a new system for detecting counterfeit electronic parts or forego payment. The Pentagon is under pressure to address congressional concerns about the risk of weapons systems failing if adversaries or sloppy suppliers slip in unauthorized components. That's because the deadline for carrying out a 2011 defense authorization law calling for anti-counterfeit regulations was almost two years ago

Building a Cybersecurity Startup in Maryland (Light Point Security Blog) I was invited to speak last week at Technically Baltimore's event on Growing Maryland's Cybersecurity Industry. They invited a series of speakers to give 4 - 5 minute lightning talks on a variety of topics that explore the growing cybersecurity industry in Maryland. The goal was to discuss how we can grow Maryland's cybersecurity industry to create more jobs

Cyber Standouts: Light Point Security LLC (Baltimore Business Journal) Light Point Security featured as Cyber Standout

Finding Maryland's Next Cyber Security Darling (Baltimore Business Journal) Maryland may have sold its shares of Sourcefire Inc. years ago, but the state still stands to win big from the Columbia cyber security firm's $2.7 billion sale

Cyber Standouts: Finding Maryland's Next Sourcefire (Baltimore Business Journal) Success of Columbia cyber security firm Sourcefire Inc. is a sign of the potential for companies in Maryland's cyber industry

Big Data Market Sees CSC Buy Infochimps, NICE Buy Causata (eWeek) "Infochimps and CSC share leadership values of intellectual honesty and…for the U.S. Government Intelligence Community (IC) and the Department of Defense

Harris Corporation Awarded U.S. Air Force NETCENTS-2 (DailyFinance) Harris IT Services designs, deploys, operates and maintains secure communications…and Cyber Security/Information Assurance -- on time and on budget

Research and Development

The future of big data: cognitive computing (FierceBigData) The holy grail in big data is context plus causation. Companies and governments alike seek information that reveals relationships, causes of action, and is steeped in meaningful context

Security Patches, Mitigations, and Software Updates

Cisco Releases Security Advisory (US-CERT) Cisco has released a security advisory to address a vulnerability in the Cisco TelePresence System. This vulnerability may allow a remote attacker to access the web server via a user account created with default credentials, which gives the attacker full administrative rights to the system

OpenX Releases Security Update (US-CERT) OpenX has released an important security update for OpenX Source, the open source ad serving product. The downloadable ZIP archive of OpenX Source 2.8.10 was compromised to include a backdoor that would allow an attacker to upload and execute arbitrary PHP code. Compromised OpenX Source ad servers could be used in combination with various types of drive-by download, watering hole, and phishing attacks on web browsers and plug-ins

Microsoft to Clean Up After Oracle's Patch Mess Again Next Week (CIO) Slates eight security updates for next week, including critical fixes to Exchange likely stemming from Oracle's Outside In technology

Cyber Attacks, Threats, and Vulnerabilities

The Convenient Timing of Iran–Linked Hacker Operations (Analysis Intelligence) We enjoy revealing patterns in cyber activity on this blog, as you might recall from our hacker workday research. And whether or not you believe the al-Qassam Cyber Fighters (QCF) are tied to the Iranian government, its ramping up phase 4 of Operation Ababil calls for a novel look at alleged associations with Tehran

Android "Master Key" vulnerability — more malware exploits code verification bypass (Naked Security) Researchers at SophosLabs have come across samples of Android malware exploiting the so-called "Master Key" vulnerability

'Hack Facebook' works great — on YOU, not your intended victim (Naked Security) Hack not lest ye be hacked yourself, says researcher Josh Long. The "Facebook Hacking Site" actually leads hacker-wannabes into receiving premium SMS texts that jack up their phone bills and may also collect login details, he's found

Zscaler finds a 'big number' of Google Play apps with overly aggressive adware (CSO) One or more antivirus vendors flagged 22% of 8,000 popular apps as having issues

BANKER Malware Found Hosted on Google Code (TrendLabs Security Intelligence Blog) Google Code is Google's official open source site meant for developers to host their program's source code and related files, mostly in text format. However, using our sourcing system in Brazil, we were able to capture a malware written in Java that downloads BANKER malware from a recently created project called "flashplayerwindows". Of course, this bogus project has nothing to do with Adobe

Compromised Accounts Tweeting Links to Malware (Symantec) It is not uncommon to see social media accounts, specifically Twitter accounts, directing users to malicious sites such as the ones hosting Android.Opfake, an issue we blogged about last year. Recently, we discovered that the accounts of innocent users were being compromised to tweet these types of malicious links to their followers

Fake 'Apple Store Gift Card' themed emails serve client-side exploits and malware (Webroot Threat Blog) Apple Store users, beware! A currently ongoing malicious spam campaign is attempting to trick users into thinking that they've successfully received a legitimate 'Gift Card' worth $200. What's particularly interesting about this campaign is that the cybercriminal(s) behind it are mixing the infection vectors by relying on both a malicious attachment and a link to the same malware found in the malicious emails. Users can become infected by either executing the attachment or by clicking on the client-side exploits serving link found in the emails

Daily Mail's new motto: All the personal news that's fit to disclose (FierceITSecurity) The U.K. Daily Mail newspaper appears to have been doling out personal information along with the daily news and conservative commentary, according to a report by The Register

The Mother of All Suspicious Files (explainxkcd) The save dialogue shows a download from 65.222.202.53, an IP address that hosted JavaScript malware during a recent attack on the TOR anonymity network, with a very long file title. Many of the extensions used inside there indicate executable code; multiple file extensions are sometimes used to disguise a trojan program as a document

Breaking Down the China Chopper Web Shell — Part I (FireEye) China Chopper: The Little Malware That Could. China Chopper is a slick little web shell that does not get enough exposure and credit for its stealth. Other than a good blog post from security researcher Keith Tyler, we could find little useful information on China Chopper when we ran across it during an incident response engagement. So to contribute something new to the public knowledge base -- especially for those who happen to find the China Chopper server-side payload on one of their Web servers -- we studied the components, capabilities, payload attributes, and the detection rate of this 4 kilobyte menace

Breaking Down the China Chopper Web Shell — Part II (FireEye) In Part I of this series, I described China Chopper's easy-to-use interface and advanced features -- all the more remarkable considering the Web shell's tiny size: 73 bytes for the aspx version, 4 kilobytes on disk. In this post, I'll explain China Chopper's platform versatility, delivery mechanisms, traffic patterns, and detection. My hope is that armed with this information, you can eradicate this pest from your environment

One-stop-shop for spammers offers DKIM-verified SMTP servers, harvested email databases and training to potential customers (Webroot Threat Blog) In a series of blog posts, we've been highlighting the ease, automation, and sophistication of today's customer-ized managed spam 'solutions', setting up the foundations for a successful fraudulent or purely malicious spam campaign, like the ones we intercept and protect against on a daily basis

Cisco TelePresence hole — I always feel like somebody's watching me (FierceITSecurity) Cisco (NASDAQ: CSCO) is warning about a security hole in its TelePresence immersive videoconference system that could enable an attacker to remotely gain control of the system. An attacker could exploit the hole created when default credentials are used to create a user account, the firm warned in a security advisory

SAP's Backdoor (Positive Research Center) SAP security research is one of my basic duties in Positive Technologies. Moreover, I had to think of what I would speak about to the participants of our PHDays III forum. Thus, I came to the following subject of research: how to hide a user with the SAP_ALL profile (i.e. all possible authorizations) in the system. If a malicious user manages to log in to the system and get the authorization to create users and assign privileges to them, then his next most probable step is to create a new account for himself, of course with all authorizations in the system. However, this user is listed in the results of internal checks and external audits, and there is zero chance that a user with SAP_ALL authorizations will not arouse any interest

Academia

Training the next generation of cyber security warriors (University of Hawai'i) Teachers from ?Aiea, ?Iolani, Kaimuk?, Leilehua, McKinley, Mid-Pacific and Sacred Hearts Academy spent four intense days participating in a CyberPatriot Boot Camp, the first of its kind at Honolulu Community College. They learned the basics of cyber security including understanding the anatomy of a cyber attack, cryptography, digital forensics

Cyber still largely missing from military graduate programs (FierceGovernmentIT) Although the Defense Department has acknowledged that future military conflicts will have a cyber component, graduate programs at military academies still lack adequate information technology and cybersecurity curriculum

The kids code alright: Inside Young Rewired State's Festival of Code (ITProPortal) I had a relatively privileged upbringing when it comes to technology. Way back in the prehistoric 90s, my school had dedicated IT classes and we learnt a number of key skills. Mavis Beacon helped me become a reasonably adept typist and I acquired an average level of competency with Microsoft applications like Word, Excel and PowerPoint. I even stuck my head into basic HTML and built an Angelfire page dedicated to the New England Patriots. Coupled with a fondness of Sierra's fantasy RPGs and the advent of Sid Meier's early strategy games, you the makings of a veritable geek

Litigation, Investigation, and Enforcement

Young Android Users At Risk, Won't Someone Think of the Children? (PC Magazine) While the Bitdefender report also sounds a warning about younger Android users seeking out adult content (read: porn), becoming victims to sexual predators

Witness In Manning Case Says Leaks Could Help Al Qaeda (New York Times) A prosecution witness in the sentencing phase of the court-martial of Pfc. Bradley Manning told a military judge on Thursday that Al Qaeda could have used WikiLeaks disclosures, including classified United States government materials provided by Private Manning, to encourage attacks in the West, in testimony meant to show the harm done by his actions

Ukrainian Carder in $5 Million Ring Sentenced to 14–Plus Years in Prison (Wired) Between 14 and 40 years in state prison following a 10-week trial in New York. State sentences, unlike federal, offer parole, and the parole board would determine the exact sentence once his case comes up for review

Hackers switch to new digital currency after Liberty Reserve (Reuters) Three months after a team of international law enforcement officials raided the digital currency firm Liberty Reserve, cyber experts say criminals are increasingly turning to another online currency called Perfect Money

Employee fired for emailing health data to herself (SC Magazine) Emailing protected health information (PHI) to a personal email address cost one Rocky Mountain Spine Clinic employee her job last week

E–Reader Coalition Seeks Waiver of Disabled Access Requirements (Telecom Law Monitor) On August 1, 2013, the Federal Communications Commission ("FCC" or "Commission") released a Public Notice seeking comment by September 3, 2013 on a petition for waiver from the disabled access requirements filed by a coalition of e-reader manufacturers (Amazon, Kobo and Sony Electronics). In late 2011, the FCC released a Report and Order implementing provisions of the Twenty-First Century Communications and Video Accessibility Act of 2010 ("CVAA") to ensure that people with disabilities have access to advanced communications services ("ACS")

UK ISPs might not have to block websites under Digital Economy Act rules for much longer (TNW) UK ISP subscribers may not have to suffer being blocked from accessing certain websites, like The Pirate Bay and KAT.ph, following an unexpected about-turn from the government which has proposed dropping the clauses that regulate the blocks

Design and Innovation

Fail Week: When Mark Suster Believed His Own Startup's Hype, And Everything Came Crashing Down (TechCrunch) To very loosely paraphrase Tolstoy, all successes are alike, but each epic failure fails in its own unique way. But here in the tech industry, we don't discuss failure stories nearly as much as success stories — and that's a shame, because even the biggest winners in the world of entrepreneurship have had their fair share of missteps

The CyberWire Daily Briefing for 8.12.2013