
The CyberWire Daily Briefing for 8.16.2013
The Syrian Electronic Army (SEA) successfully attacks US media outlets, including the Washington Post. The SEA (generally believed to operate on behalf of the Assad regime with significant Iranian support) used spoofed Outlook pages in a phishing campaign that compromised Outbrain as a way into media accounts.
The Chinese government continues its pressure on Tibetan sites, and TechWeek Europe alleges that cyber security researchers inadvertently aid the repression through ill-conceived honeypots.
North Korea conducts information operations against the South through what observers call an "army of trolls." Pakistani hackers continue to riot against Indian sites.
The US Department of Energy acknowledges a data breach (personal information compromised), and the New York Times recovers from what it calls (in the face of mild skepticism) an IT error as opposed to a cyber attack. Those who follow SCADA security will read with interest news of a glitch that opened a Florida prison's cells.
Obfuscation through feigned ineptitude cloaks a clever exploit kit targeting cyber security researchers.
Malware sandboxing appears to have plateaued in effectiveness. Researchers cast about for automated, non-signature-based approaches to malware detection.
China announces plans to investigate IBM, Oracle, and EMC as security risks. Understandable skittishness post-Snowden apart, the Chinese government is happy to retaliate against US strictures on Huawei and Lenovo. The US and China will inevitably grope toward a security modus vivendi.
The US Intelligence Community remains in domestic and international hot water over electronic surveillance, with new allegations of NSA privacy violations. The President's IAB shrinks surprisingly.
Notes.
Today's issue includes events affecting Australia, China, Germany, India, Iran, Ireland, Israel, Republic of Korea, Democratic People's Republic of Korea, Pakistan, South Africa, Syria, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Washington Post Hacked By Syrian Electronic Army (Dark Reading) The Syrian Electronic Army is taking credit for hacks of the Washington Post and other U.S. media targets earlier this week. In a blog posted Thursday, Washington Post Managing Editor Emilio Garcia-Ruiz wrote: "A few days ago, The Syrian Electronic Army, allegedly, subjected Post newsroom employees to a sophisticated phishing attack to gain password information
Washington Post Site Hacked After Successful Phishing Campaign (Krebs on Security) The Washington Post acknowledged today that a sophisticated phishing attack against its newsroom reporters led to the hacking of its Web site, which was seeded with code that redirected readers to the Web site of the Syrian Electronic Army hacker group. According to information obtained by KrebsOnSecurity, the hack began with a phishing campaign launched over the weekend that ultimately hooked one of the paper's lead sports writers
Oh, those crazy Syrian hackers: Now Wash Post, CNN, Time vandalised (The Register) Gawd darn it, can't anyone secure their websites? Syrian hacktivists claim they are the vandals responsible for scribbling over the websites of CNN, Time mag and The Washington Post yesterday. But these latest boasts by the Syrian Electronic Army (SEA) are somewhat misleading, according to computer security experts who say that the hacking crew actually ransacked Outbrain - a marketing biz used by WashingtonPost.com, Time.com and plenty of others to provide links to related articles and stuff online
The Dangers External Services Present To Your Website (Sucuri) Today the Washington Post reported that they were victims of a hack, orchestrated by the Syrian Electronic Army. This attack is interesting because it sheds light into the anatomy of attacks that appear sophisticated, but is something we're seeing on a daily basis
How Outbrain got hacked by the Syrian Electronic Army (Graham Cluley) Popular websites like CNN, The Washington Post and Time magazine were impacted by the hack, and the New York Times escaped by the skin of its teeth
Tibetans Under Cyber Attack — And The Security Industry Isn't Helping (TechWeek Europe) Tibetans are pummelled with cyber attacks, but the security industry is not helping, and may even be hindering, TechWeek hears. Cyber Repression: Every month or so, a report on the latest malware attack aimed at Tibetans will emerge. But the reality is the frequency and range of Internet-based assaults on the people of Tibet, as well as their families, friends and associates, are far greater than people know
NORKS build TROLL ARMY to tear down S Korean surfers (The Register) No we're not too hungry to concentrate on posting propaganda… North Korea has tasked 200 agents with the job of posting negative comments online, often using stolen online identities, in a bid to undermine the morale of their neighbours in the South
6000 Indian Websites including Consulate General of India, Hong Kong hacked by Pakistani Hacker Dr@cula (Hack Read) A Pakistani hacker going with the handle of Dr@cula has hacked and defaced 6000 Indian websites including the official website of Consulate General of India, Hong Kong in a massive cyber attack
Department of Energy Hacked Again (Wall Street Journal) The United States Department of Energy notified employees via an email Wednesday that hackers gained personal information, such as names and social security numbers, of 14,000 current and former agency employees as the result of a hack that occurred in late July. This is the second attack this year that involved a breach of employee data
New York Times Website Access Being Restored After Outage (CBR) The failure was due to a maintenance update and not a cyber attack, says newspaper. The New York Times said access to its website is being fully restored after falling offline for about two hours on Wednesday
Prison Computer 'Glitch' Blamed for Opening Cell Doors in Maximum-Security Wing (Wired) Florida prison officials say a computer "glitch" may be to blame for opening all of the doors at a maximum security wing simultaneously, setting prisoners free and allowing gang members to pursue a rival with weapons. But a surveillance video
Don't Underestimate Directory Traversal Attacks (Dark Reading) About as simple to fix as they are to exploit, directory traversal vulnerabilities stand as a persistent threat in the application environment. And yet it is one which many developers and even security teams are unaware can lead attackers to gain valuable information about how a system is organized, to get access to sensitive files on the application server or even to easily leverage to start other attacks on that server or the rest of the network
Cybercriminals use Google Cloud Messaging service to control malware on Android devices (CSO) Kaspersky Lab researchers identified Android malware threats that receive commands from attackers through the Google Cloud Messaging service
Where RFI attacks fall in the security threat landscape (Help Net Security) New research from Incapsula yielded a few interesting facts about RFI attacks. The data for the report was collected by monitoring billions of web sessions over a 6-month period
Carpet-bombing the Internet with computing clusters (FierceITSecurity) A security researcher presenting at Def Con said that a single attacker could use distributed computing infrastructure - not a botnet, but an intentionally created attack cluster--to "carpet-bomb" the Internet
Bulletproof TDS/Doorways/Pharma/Spam/Warez hosting service operates in the open since 2009 (Webroot Threat Blog) Operating in the open since 2009, a bulletproof hosting provider continues offering services for white, grey, and black projects, as they like to describe them, and has been directly contributing to the epidemic growth of cybercrime to the present day through its cybercriminal-friendly services
Personalized Exploit Kit Targets Researchers (Krebs on Security) As documented time and again on this blog, cybercrooks are often sloppy or lazy enough to leave behind important clues about who and where they are. But from time to time, cheeky crooks will dream up a trap designed to look like they're being sloppy when in fact they're trying to trick security researchers into being sloppy and infecting their computers with malware
Cracking Crypto Just Got a Little Easier (Threatpost) It's been a brutal month for crypto. Starting with the Black Hat conference, researchers, engineers and hackers have been unveiling new weaknesses and attacks in different cryptographic implementations that threaten the security of communication and commerce on the Web
Aussie ATM criminals embrace 3D printers for cashpoint crimes (Naked Security) As you can probably imagine, it didn't take long for controversial uses to emerge for 3D printers, and one of the most newsworthy was the idea of "printing" parts for firearms. Now, crooks in Sydney are printing their own ATM skimming devices
Security Patches, Mitigations, and Software Updates
Google to encrypt Cloud Storage data by default (CSO) Users can choose if they want to hold the encryption keys themselves. Google said Thursday it will by default encrypt data warehoused in its Cloud Storage service. The server-side encryption is now active for all new data written to Cloud Storage, and older data will be encrypted in the coming months, wrote Dave Barth, a Google product manager, in a blog post
Cyber Trends
The Increasing Failure Of Malware Sandboxing (Dark Reading) The past three years have seen many organizations adopt and deploy in-house dynamic sandboxing technologies tasked to detect and block specific classes of malware. Most advocates of the approach will point to malware samples that were detected via the sandbox, but missed by conventional antivirus signature systems, and seek to justify the investment through these simple metrics
Medical Hacking Poses a Terrifying Threat, in Theory (FreeNewsPos) In the world of hypothetical cybercrime, not much is scarier than the hacked medical device. Compromised pacemakers played a central role last year in an episode of Homeland and provided a macabre sidenote to this year's Black Hat conference for hackers
South Africa Cyber Threat Barometer (Wolf Pack) A scalpel in the right hands can save lives. In the wrong hands it can cause serious damage. Information is no different. Today it is the lifeblood that connects people, organisations and nations around the globe. Increasingly information traverses within cyber arteries powered by information and communication technologies (ICTs)
TESPOK cybersecurity report identifies banks, VOIP as top targets (CIO East Africa) Voice Over Internet Protocol is the biggest security threat facing enterprises in Kenya. William Makatiani, Director - Serianu Limited, says that from analysis of threats on traffic passing through the Kenya Internet Exchange Point (KIXP), firms were losing a lot of money through illegal use of VOIP. He was presenting at the launch of the first quarterly security report by the Telecommunications Service Providers Association of Kenya (TESPOK) held last week Thursday
Data breaches — over half are due to carelessness, says ICO (Naked Security) The UK Information Commissioner's Office (ICO) has announced that the majority of data breaches in the first quarter of 2013 were due to carelessness in the way that the information was handled
The big data bang and the disruptions it will bring in the next 5 years (FierceBigData) Frank Konkel wrote an excellent post in FCW on how ingrained big data will be in federal operations over the next five to ten years, and the disruptions that will bring in how government agencies work. It's a compelling read that is well worth your time
Marketplace
NSA to set up new outpost in North Carolina, IBM to build super security lab (CivSource) Earlier this week, CivSource reported on $6 billion in awards made by the Department of Homeland Security (DHS) to 17 Big IT vendors for cybersecurity. Now, the NSA has announced that it will also be opening a new outpost in North Carolina, and IBM made a strategic acquisition of Israeli company Trusteer in its effort to build a super security lab
In Snowden's wake, China will probe IBM, Oracle, and EMC for security threats (Quartz) The NSA surveillance scandal is about to become a major headache for some US tech firms, as the Chinese government prepares to probe IBM, Oracle, and EMC over "security issues," according to the official Shanghai Securities News
Department of Homeland Security seeks big data vendors (FierceBigData) Uncle Sam wants you, big data vendors, to help guide his future big data expenditures. Apparently, the Department of Homeland Security has plans to make big data analysis an even bigger part of its mission in the near future and it wants to know what products are commercially available. But no, you can't just cold call them and make an appointment to pitch your wares. First you must compete for a presentation slot
NSA's Prism Could Cost U.S. Cloud Companies $45 Billion (InformationWeek) Losses may total between $35 billion and $45 billion in next three years due to lost business stemming from disclosure of NSA monitoring, new research predicts
IBM's Cloud Business: Ex–Employee Divulges Shortfalls (InformationWeek) Confidential IBM documents reveal the company's struggles to meet its cloud forecasts, as the SEC and Wall Street cast a skeptical eye
IBM acquires Israel's Trusteer, Apple reportedly buys Matcha (Jerusalem Post) IBM says acquisition would bring together over 200 employees from the two companies for a cyber-security lab in Israel. The Israeli market saw acquisitions from two of the world's leading technology companies, as IBM announced its acquisition of cyber-security firm Trusteer and Apple reportedly snatched up TV application Matcha
Products, Services, and Solutions
Trsst Is A Secure Twitter For The Post–Snowden Internet (TechCrunch) In a world where tweeting is the new texting, there are some folks out there who want to broadcast their thoughts – but with an acceptable level of security. That's where Trsst comes in. It is, in short, an encrypted messaging platform that turns your short messages into a p2p style collaboration system
Haivision First to Achieve Common Criteria Certification for Video (IT Business Net) Haivision's Common Criteria certification allows customers to meet U.S. federal government and international information assurance and security requiremen
Microsoft COO: We Have 'The Most Secure Platform On The Planet' (CRN) Microsoft apps are more secure than third party apps, according to a Secunia report cited recently by Microsoft COO Kevin Turner, and borne out through
Technologies, Techniques, and Standards
Data visualization: Beneficial but perilous (IT World) With more data visualization tools readily available, more kinds of people — not just data scientists or trained data analysts — are able to create data visualizations. That opens up the potential for the creation of misleading data visualizations
How to totally screw up privacy, while pretending to do privacy (CSO) Security and privacy aren't new. Security professionals have been beating the same drum for a decade, and yet security continues to be an afterthought for many organizations and developers, and the actual goal is frequently obscured by smoke and mirrors attempts to achieve it
What to expect with PCI DSS 3.0 (Help Net Security) The PCI Security Standards Council (PCI SSC) published PCI Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA-DSS) 3.0 change highlights
Error 451 — Unavailable for Legal Reasons (Infosecurity Magazine) The Open Rights Group has launched a campaign for the adoption of a new HTTP 400 range status code: Error 451, designed to indicate that access to a page or website is unavailable by court order
How companies can use big data without inciting public backlash (FierceBigData) Many big data users are reluctant to reveal how they are collecting and using data on consumers in general and customers in particular. Such timidity is understandable, given that the public has been roughly awakened to the realities of what such data collection means in terms of their privacy--and it's certainly not happy about it
Gmail Is Not A Privacy Problem (InformationWeek) Is there really informed consent among Gmail users? The real privacy issue is we're all getting by on a lot of trust
How to get the most out of the firewalls you've already got (FierceITSecurity) You have firewalls. Everybody has firewalls--and as reported earlier this month, Infonetics Research finds companies are plowing more money into keeping them up to speed
Finding security clues in your network data (FierceITSecurity) In this Fixing Infosec series, we're asking experts this question: If IT security is losing the battle to keep enterprise data safe, what one thing can be done to dramatically improve data security? In this installment we turned to Jay Jacobs, a long-time information security practitioner. Jacobs is now a principal at Verizon Business and vice president of the Society of Information Risk Analysts. His advice is simple in theory, but difficult for most organizations in practice: for companies to collect and make better use of IT security clues within the data they already have
Research and Development
How Bad is it? — A Branching Activity Model to Estimate the Impact of Information Security Breaches (SSRN) This paper proposes an analysis framework and model for estimating the impact of information security breach episodes. Previous methods either lack empirical grounding or are not sufficiently rigorous, general or flexible. There has also been no consistent model that serves theoretical and empirical research, and also professional practice. The proposed framework adopts an ex ante decision frame consistent with rational economic decision-making, and measures breach consequences via the anticipated costs of recovery and restoration by all affected stakeholders. The proposed branching activity model is an event tree whose structure and branching conditions can be estimated using probabilistic inference from evidence – 'Indicators of Impact.' This approach can facilitate reliable model estimation when evidence is imperfect, incomplete, ambiguous, or contradictory. The proposed method should be especially useful for modeling consequences that extend beyond the breached organization, including cascading consequences in critical infrastructures. Monte Carlo methods can be used to estimate the distribution of aggregate measures of impact such as total cost. Non-economic aggregate measures of impact can also be estimated. The feasibility of the proposed framework and model is demonstrated through case studies of several publicly disclosed breach episodes
Malware bites and how to stop it (ECN) Antivirus software running on your computer has one big weak point - if a new virus is released before the antivirus provider knows about it or before the next scheduled antivirus software update, your system can be infected. Such zero-day infections are common
Researchers Seek Better Ways To Track Malware's Family Tree (Dark Reading) Following a program's evolution back to the author may not yet be a reality, but computer scientists are searching for more accurate measures of the relationships between software versions. Using basic features of software programs, researchers from Carnegie Mellon University have been able to organize related code into family trees, connecting initial versions to subsequent updates, using techniques that could allow malware analysts to more quickly triage unknown threats
Legislation, Policy, and Regulation
German government intros eight-point security program to circumvent NSA spying (VentureBeat) "Germany is a country of freedom." That's the inspiring title Chancellor Angela Merkel is using to push an eight-point program aiming to protect online privacy through German parliament
The Morning Download: National Agendas Cloud Web's Future (Wall Street Journal) The backlash to the National Security Agency's surveillance of electronic communications continued Wednesday, as the German government said it will build up
Audit: NSA Repeatedly Broke Privacy Rules (Washington Post) The National Security Agency has broken privacy rules or overstepped its legal authority thousands of times each year since Congress granted the agency broad new powers in 2008, according to an internal audit and other top-secret documents
Spying Blind (Foreign Policy) The National Security Agency has an intelligence problem: It won't admit how dumb it is. The Obama administration's claim that the NSA is not spying on Americans rests on a fundamental assertion: That the intelligence agency is so good at distinguishing between innocent people and evildoers, and is so tightly overseen by Congress and the courts, that it doesn't routinely collect the communications of Americans en masse
NSA still in hot water (CBS News) The National Security Agency has had a challenging summer, and it appears things are about to get more difficult. A debate has raged all summer
Lies, Damned Lies, And The NSA (TechCrunch) Today the Washington Post reported documents demonstrating that the NSA breaks privacy laws "thousands of times" each year. Consider this the conclusion of what was the last-ditch argument put forth to defend the NSA: Yes, they have the capability to abrogate your Constitutional rights, but there is no evidence of abuse! Wrong. We now have proof that the NSA both wittingly and unwittingly
Obama upends intel panel (Politico) The White House dismissed the bulk of President Barack Obama's premier panel of outside intelligence advisers earlier this year, leaving the blue-ribbon commission largely vacant as the public furor built over the National Security Agency's widespread tracking of Americans' telephone calls
Cloud Panel Calls for Transparency While Warning Against Over-Reaction (Virtualization Review) Well before Edward Snowden leaked classified information that disclosed, among other things, the PRISM surveillance operation led by the U.S. government's National Security Agency (NSA), the Cloud Security Alliance (CSA) had established mechanisms for service providers to disclose their data-protection practices
Threshold for kinetic response to cyber higher than for physical attack, says paper (FierceGovIT) The nature of cyber attacks makes it likely that the threshold for triggering a military response to one will be higher than a kinetic equivalent, says Columbia national security law professor Matthew Waxman in a paper published by the Naval War College
Auditors praise DHS classification management (FierceGovIT) Auditors find that Homeland Security Department components are doing a good job implementing a 2009 executive order against over classification and subsequent law that specifically requires the homeland security secretary to develop strategy against over classification
Can DHS Be Trusted to Protect Gov't IT? (GovInfoSecurity) Bruce McConnell, who just stepped down as one of the federal government's top cybersecurity policymakers, says he understands why some lawmakers don't trust DHS with significant authority to safeguard government IT
Death By A Million Regulations (InformationWeek) It is long past time to assess the consequences of the endless laws, codes, rules, licenses and guidelines governing just about every human activity
After a remarkable year, Major Gen. Lynn relinquishes command (Sierra Vista Herald) Cyber protection is so important, the commander of NETCOM is also the deputy commander of Army Cyber Command, he said. As for his not so new assignment
Litigation, Investigation, and Law Enforcement
Manning tells court he's 'sorry' for U.S. secrets breach to WikiLeaks (Reuters) U.S. soldier Bradley Manning on Wednesday told a military court "I'm sorry" for giving war logs and diplomatic secrets to the WikiLeaks website three years ago, the biggest breach of classified data in the nation's history
Snowden Downloaded NSA Secrets While Working For Dell, Sources Say (Reuters) Former intelligence contractor Edward Snowden began downloading documents describing the U.S. government's electronic spying programs while he was working for Dell Inc in April 2012, almost a year earlier than previously reported, according to U.S. officials and other sources familiar with the matter
Court: Ability To Police U.S. Spying Program Limited (Washington Post) The leader of the secret court that is supposed to provide critical oversight of the government's vast spying programs said that its ability to do so is limited and that it must trust the government to report when it improperly spies on Americans
Federal court finds no Fourth Amendment protection for cell phone call records (FierceGovIT) A federal appeals court ruled July 30 in a 2-1 ruling that historical cell phone call records aren't protected by the Fourth Amendment
Should we care if Google reads our emails? (Irish Times) Google automatically parses your private emails to better target you with ads. This act is the subject of a US class action
Ten Alleged Members of Identity Theft Ring Charged in Virginia (eSecurity Planet) Two members allegedly recruited women to steal personal data from their employers, then used that data to create fake IDs and open lines of credit
Upcoming Events
Suits and Spooks NYC 2013 (New York, New York, Oct 5, 2013) Since the landscape is foggy, the threat actors numerous and hard to identify, and the attacks proliferating on a daily basis, the focus of the next Suits and Spooks conference will be to identify non-state aggressors in cyberspace. About twenty speakers will present briefings over two days on hackers, citizen militias, and other non-state entities operating in the Middle East, China, Russia, Pakistan, India, Iran, Africa, South America, the United States (yes - we have non-gov threat actors domestically), and other parts of the world. One of our panel moderators will be Joel Brenner (former National Counterintelligence Executive at the Office of the Director of National Intelligence and former Senior Counsel at the NSA).
National SCADA Conference (Melbourne, Victoria, Australia, Aug 15 - 16, 2013) The 12th Annual National SCADA Conference, Australia's largest and longest running SCADA conference, will bring together many of the luminaries of the Australian and International SCADA community to evaluate and find solutions for the increasing demands of the SCADA environment. The theme for 2013 will be delivering intelligence and improved performance to SCADA networks. The SCADA conference program will deliver fantastic first-hand knowledge from leading international and local SCADA experts with a great mix of burning SCADA issues, case studies, security and real world implementations together with practical advice. The networking opportunities provided coupled with the largest SCADA exhibition in the Southern Hemisphere ensure the National SCADA Conference is a must attend event for Australia's and New Zealand's SCADA Community.
First International Conference on Cyber-Physical Systems, Networks, and Application (Taipei, Taiwan, Aug 19 - 20, 2013) CPSNA 2013 will focus on core challenges of cyber-physical systems. Given a tight integration of computation and the physical world, cyber-physical systems must compose robust systems, networks, and applications built upon predictable, analyzable, and certifiable models and abstractions. CPSNA 2013 will serve as a forum to discuss new ideas for such core challenges of cyber-physical systems.
SANS Thailand 201 (Bangkok, Thailand, Aug 19 - 31, 2013) SANS hands-on advanced Information Security training is coming to Thailand this August! SANS is bringing our Web App Penetration Testing course to the Crowne Plaza Bangkok Lumpini Park in Bangkok, Thailand.
2013 Cyber Security Division Transition to Practice (TTP) Technology Demonstration for Investors, Integrators, and IT Companies (I3) — West (San Jose, California, USA, Aug 22, 2013) This event will feature eight innovative cybersecurity technologies that have been developed at the Department of Energy National Laboratories and have the potential to strengthen an organization's cybersecurity posture. During this event cybersecurity professionals and technology investors from private industry will learn about these new technologies through presentations, demonstrations, and discussions with the research teams that produced these technologies. In addition, attendees will have an opportunity to schedule a private one-on-one discussion with the Researcher to discuss opportunities for commercializing the technologies and areas of interest to drive further cybersecurity research. Registration closes August 12.
Defense Logistics Agency Tech Expo (Fort Belvoir, Virginia, USA, Aug 20, 2013) Industry exhibitors are invited to showcase and discuss the latest information services and technology to the personnel at the McNamara HQ Complex.
Human Cyber Forensics Forum (Washington, DC, USA, Aug 21, 2013) This forum brings together subject matter experts to discover and share new means of recognizing the human indicators related to cyber intrusions, and the evolution of these human indicators in the coming decades.