The CyberWire Daily Briefing 08.20.13

Cyber Trends

Pacemakers Under Attack: When the Internet of Things Gets Sick (Silicon Angle) We're now in an era where everything can be and will be connected. From house appliances that you can remotely control with your smartphone via an app, to implantable medical devices that control your insulin injections, just about every electrical device known to man will soon be wired up to the web

Cyber attack could be next shock to UK banks, warns KPMG (ComputerWeekly) Cyber attack or disruption could cause the next systemic shock to the UK banking industry rather than a liquidity crunch, according to the latest report from business consultancy firm KPMG

Time to take mobile security seriously (ITWeb) Trend Micro's Threat Security Roundup highlights changing trends in the security landscape, including the growing threat of mobile devices

Advanced threats to drive growth in new product segment (Help Net Security) As hackers have shifted their ultimate goals from disruption and notoriety to financial and intellectual property theft, the tactics they use have changed accordingly. The malware used today is increasingly target specific and stealthy, often evading signature-based defenses

ENISA analyzes major security incidents in the EU (Help Net Security) The European Union Agency for Network and Information Security (ENISA) today issued a new report providing an overview of the major outage incidents in the EU in 2012

Legislation, Policy and Regulation

WSJ: Latest Snowden Leak Shines Positive Light on NSA (NewsMax) The latest leak from former National Security Agency contractor Edward Snowden actually shows the NSA is doing the right thing, according to a Wall Street Journal editorial

Why the NSA Should Be Moved Out of the Defense Department (U.S. News & World Report) In early 2008, I recommended that, "The National Security Agency (NSA) should be taken out of the Defense Department and report to the DNI"

Lawmakers, privacy advocates call for reforms at NSA (Washington Post) Some lawmakers called Friday for reforms and greater transparency in the surveillance operations of the National Security Agency following a report that the

Locked in LOC: Exploring Cyber Offensive Option for India (Ind=stitute for Defence Studies and Analyses) The recent incident of five Indian army soldiers being killed on the LOC by troops of the Pakistan army is a continuation of a sustained policy of the 'powers' in Pakistan. Over decades, relations between the two have swung from heightened tensions through nuclear posturing and coercive diplomacy to peace efforts through people-to-people contact, economic engagement and even cricket! So, under these now very similar and repeated circumstances what should be India's response? Are there realistic options between diplomacy and war? Probably the time has come to look at 'diplomacy plus' and 'war minus' solution

Russian Military Creating Cyber Warfare Branch (RIA Novosti) A separate branch dedicated to cyber warfare is being created in the Russian Armed Forces as the Internet could become a new "theater of war" in the near future, a senior Russian military R&D official said

Bitcoin now 'unit of account' in Germany (The Guardian) Germany's ministry of finance has recognised Bitcoin, meaning it will be able to tax users or creators of the virtual money

Phyllis Schneck Officially Named DHS Cyber Undersecretary (GovConWire) Phyllis Schneck, global public sector vice president and chief technology officer at McAfee, since 2009, has officially been appointed deputy homeland security undersecretary

FDA releases final guidance on wireless medical devices (FierceMobileHealthCare) The U.S. Food and Drug Administration has published final guidance to assist industry and FDA staff in identifying and appropriately addressing specific considerations related to the incorporation and integration of radio frequency (RF) wireless technology in medical devices

Products, Services, and Solutions

ZMAP 1.02 released (Internet Storm Center) The folks at ZMAP have released version 1.02 of their scanning tool

ZTE's Firefox OS sells out in the US and UK (ZDNet) There weren't many ZTE Open devices available in the first place, but they did sell out over a weekend

Microsoft shoehorns Skype into Outlook.com — we quickly kick the tyres (The Register) Phonecalls–in–webmail plugin unleashed on the web, what could possibly go wrong

Which Web browser crashes the most? (ZDNet) When it comes to crashing, just like with speed, Sauce Labs finds that not all Web browsers are created equally

LivesOn says death is no excuse to stop tweeting (Naked Security) The service has algorithms that will splice and dice the tweets from your live self, learn as it goes along how to sound something like pre–mortem you, and then take over, one assumes, when the zombie apocalypse renders your fingers a bit spongy

Chrome plugin aims to thwart user profiling efforts (Help Net Security) Inspired by a piece of fictional software described in Cory Doctorow's book Little Brother, developer Ben West created a browser plugin that should, in theory, make it difficult for advertisers and government agencies to create an accurate profile of an Internet user based on the websites he visits

VMware Analysis Tools: Small Step, Big Vision (InformationWeek) New Log File Analysis tools bring VMware's touted software-defined data center vision closer to reality; Cisco, EMC, other partners provide packs to translate product logs

Secunia Terminates Vulnerability Coordination Reward Program (Softpedia) IT security company Secunia has decided to discontinue its Secunia Vulnerability Coordination Reward Program (SVCRP). According to the company, the SVCRP has helped a large number of companies and researchers over the past two years. However, the program doesn't seem to be profitable for Secunia

TeleCommunication Systems Introduces ESP™ Cyber Solutions (MarketWatch) ESP™ Cyber Solutions for Public Safety draws from TCS' expertise in secure communication technology for wireless carriers and the military, as well as the

Children to have Linkedin profiles (BBC) Linkedin is dropping its minimum age for membership from 18 to 13. Children's profiles will have default settings making less of their personal information publicly visible, with more prominent links to safety information

Losing Our Childhood To LinkedIn (TechCrunch) What's scarier than a 14-year-old girl choosing her sexiest Facebook profile pic? Maybe a 14-year-old girl inflating her resume on LinkedIn. Childhood used to be a time of self-exploration, but the Internet is pushing kids to define themselves early and put that facade on display. While online tools could give ambitious youth a leg-up for the future, they force that future on some too soon

Technologies, Techniques, and Standards

A New 'Dawn' in Exchanges' War on Hackers (Wall Street Journal) When prices on some U.S. stocks suddenly zoomed one day last month and others unexpectedly plunged, stock-market officials set out to detect a possible computer glitch or a trading algorithm run amok

Trying To Hide Online Just Puts You On The Government Radar (Yahoo!) If you want to maintain your privacy online, it seems the only way to do it these days is to turn off your computer. All of the big tech companies are bound by the Patriot Act and receive National Security Letters (NSL's) from the government asking them to turn over user data when it's "relevant to an authorized investigation to protect against international terrorism or clandestine intelligence activities"

Is the cryptopocalypse nigh? (A Few Thoughts on Cryptographic Engineering) I've been traveling a bit over the past couple of weeks, so I haven't had much of a chance to keep up on blogging. One consequence is that I completely missed my chance to say something about, well, anything that happened at BlackHat or Def Con

Forge You: Do We Have To Trust Biometric Authentication (Kaspersky) Everyday millions of computers solve the same problem; these machines try to check if you are actually you and not some other person. The most popular tool to do that is password checking. But it's quite easy to steal a password as well as forget it. Problems with passwords highlight the need for another system of user identification. A very simple and appealing solution is biometric authentication, which allows a user to place his finger on top of a scanner, look at the camera or say a passphrase. Your fingers, your eyes and voice are always with you, right? And others people cannot imitate this. Unfortunately, this appealing idea has numerous cons and that is the reason why we don't still use fingerprints to login to Google or withdraw cash from an ATM

9 Online Security Tips from a Former Scotland Yard Detective (Tom's Guide) Concerns about online privacy have reached new heights since reports revealed that the U.S. National Security Agency has been monitoring millions of phone logs, email messages and social media accounts as part of several top-secret programs

Why Isn't DMARC Enough to Fight Phishing? (Malcovery Security) DMARC is the latest industry standard to attempt to solve the problem of phishing. In as much, it is an authentication methodology to newer technology based on some older standards that were poorly adopted. It's making its way and there are some early adopters of it, but until it is actually well-adopted, it is going to be difficult to get the full benefits of DMARC#8230

Next–Gen Firewalls Change The Rules Of Firewall Management (Dark Reading) Added layers of complexity create even more interdependencies and need for systematic change management approach. As enterprises increasingly incorporate next-generation firewalls into their security repertoires, they are gaining a greater potential for more precise control over applications and user behavior at the perimeter. But there's potential for something else as well: added complexity by way of the increased odds for misconfiguration and change management mishaps. The odds increase even further if firewall management is already a problem in their traditional firewall portfolios

2 minutes on: Interviewing for access (SC Magazine) Since former Booz Hamilton contractor Edward Snowden came clean as the source of leaked classified documents that revealed the National Security Agency's (NSA) mass secret surveillance program, there's been debate over whether to label him a hero or traitor - or something in between. One category, however, into which he more neatly falls is the insider threat. But he's no ordinary insider who was motivated to steal data after being on the job for a while. To the contrary, Snowden, who said he acted from his conscience to inform the public about the spying program, told the South China Morning Post that he had every intention to purloin the top-secret documents, even before he signed his acceptance letter

In–Memory fuzzing with Pin (Shell-Storm) In my previous blog post, I talked about the taint analysis and the pattern matching with Pin. In this short post, I will always talk about Pin, but this time about the In–Memory fuzzing

Marketplace

National Security Darling: Why Condoleezza Rice, David Petraeus and George Tenet Back Palantir (Forbes) For a company that's existed less than a decade, Palantir has cultivated some friends in high places. In our latest cover story, FORBES details the history of the Palo Alto, Calif.-based software company, which now provides some of the most powerful data-sifting tools for the likes of the NSA, the CIA and the FBI. Having developed a glowing reputation inside the Beltway, Palantir has risen from a lowly five-person startup to a massive company that has the support of former Secretary of State Condoleezza Rice (Jan. 2005–Jan.2009), former CIA director David Petraeus (Sep. 2011–Nov. 2012) and former Director of Central Intelligence George Tenet (July 1997–July 2004). Both Rice and Tenet are advisers to the company, while Petraeus considers himself a friend of Palantir CEO Alex Karp

China Video Tools for U.S. Help Spurs Spy Anxiety (Bloomberg) A manufacturer accused of being tied to the Chinese government has found a way to sell to U.S. agencies in an arrangement that's raising concerns from security officials and at least one lawmaker about spying

Bloomberg adds CyberPoint's Prescient to the conversation about securing technology products made overseas (CyberPoint) Fears, some well–founded, have been driving the conversation about whether or not to use technology products made in foreign countries, particularly those made in China. The unavoidable truth is, that we already use foreign-made technologies every day

Interior Cloud Storage Contract Could be Worth $10 Billion (Nextgov) A slate of contracts to provide cloud computing services to the Interior Department could add up to $10 billion and help the department save $100 million in information technology costs annually, officials have said

USCIS Plans Reverse Auction for General Dynamics Secure Phone (GovConWire) U.S. Citizenship and Immigration Services has issued a solicitation for a potential $25 million contract to acquire General Dynamics-built (NYSE: GD) secure phones

DISA Plans to Spend $239 Million on Network Widgets through 2015 (Nextgov) The Defense Information Systems Agency plans to spend $228.8 million on core gadgets and widgets over the next couple of years to keep its global networks humming, according to a post tucked away on the FedBizOpps website on Aug. 15 titled "DISA Hardware Requirements"

Ruckus positions Singapore as location analytics R&D center (ZDNet) Its 6th research and design facility will partly specialize in location-based services, building on last month's acquisition of technologies and talent from Singapore startup YFind. New integrated products expected by year-end

Facebook admits mistakes, but still won't pay out to researcher who hacked Zuckerberg's page (Graham Cluley) The frustrated researcher, who failed to get an adequate response from Facebook's security team and so hacked Mark Zuckerberg's page to get their attention, is not going to receive a bug bounty for his discovery the social network has confirmed

FireEye Appoints Kara Wilson as Chief Marketing Officer (Digital Journal) FireEye®, Inc., the leader in stopping today's new breed of cyber attacks, today announced the appointment of Kara Wilson as chief marketing officer (CMO), effective August 19. As CMO, Wilson will oversee global marketing and communications at FireEye

Linda Hudson to Retire From BAE (GovConWire) Linda Hudson Linda Hudson plans to retire as president and CEO of BAE Systems Inc., the British contractor's U.S. subsidiary, by the end of the first quarter of the company's 2014 fiscal year

Research and Development

Seemingly benign "Jekyll" app passes Apple review, then becomes "evil" (Ars Technica) Computer scientists say they found a way to sneak malicious programs into Apple's exclusive app store without being detected by the mandatory review process that's supposed to automatically flag such apps

Scanning the Internet in less than an hour (Help Net Security) Scanning the Internet used to be a task that took months, but a new tool created by a team of researchers from the University of Michigan can scan all (or most) of the allocated IPv4 addresses in less than 45 minutes by using a typical desktop computer with a gigabit Ethernet connection

Greystar: Fast and Accurate Detection of SMS Spam Numbers in Large Cellular Networks using Grey Phone Space (USENIX) In this paper, we present the design of Greystar, an innovative defense system for combating the growing SMS spam traffic in cellular networks. By exploiting the fact that most SMS spammers select targets randomly from the finite phone number space, Greystar monitors phone numbers from the grey phone space (which are associated with data only devices like laptop data cards and machine-to-machine communication devices like electricity meters) and employs a novel statistical model to detect spam numbers based on their footprints on the grey phone space

Security Patches, Mitigations, and Software Updates

Microsoft: Upgrade from Windows XP or risk infinite 'zero-days' (SC Magazine) Microsoft is intensifying its efforts to get users to scrap Windows XP, the 12-year-old operating system for which the software giant is ending support next April

LastPass bug leaks plain text passwords (Help Net Security) Users of popular password manager LastPass have been advised to update to the latest version of the software, which incorporates a patch for a recently discovered bug that could allow attackers to retrieve stored LastPass passwords

Microsoft reissues Windows server security patch (Graham Cluley) Last week, Microsoft pulled an important security patch it had issued for Active Directory Federation Services (AD FS), part of the Windows server software. The patch was supposed to fix a vulnerability in the software, which is commonly used to provide users with Single Sign-On access

Cyber Attacks, Threats, and Vulnerabilities

Anonymous Start Operation Bahrain Video (Cyberwarzone) Anonymous will attack various websites of the Bahrain Government websites

#OpGabon: Gabon's largest manganese alloy producer website defaced, data leaked by Anonymous (Hack Read) The online hackavist group Anonymous has hacked and defaced the official website of Gabon's top most manganese alloy producer for their ongoing operation going with the name of #OpGabon. As a result database and login details of 9 site users have been leaked online. Hackers left their official Anonymous

Bangladesh Ministry of Culture, Labor and Food Websites Hacked by Algerian and Saudi Hackers (Hack Read) In two different cyber attacks by two different hackers have targeted Bangladeshi government websites, as a result the official websites of Ministry of Cultural Affairs, Labour and Employment and two websites of Ministry of Food have been hacked and defaced. The website of ministry of Cultural Affairs was hacked by Algerian hacker going with the handle of Aghilas

In Another Recent Display of Cyber Politics, SEA Hackers Take on The Washington Post and Others (Digital Journal) Last week's reported site redirection hack attack on The Washington Post and others wasn't the first time the Syrian Electronic Army (the SEA) tangled with major news outlets, back in April they hijacked Associated Press (AP) Twitter accounts, and for a few brief moments, sparked a panic which prompted a scary $136 billion stock market death spin based on faked AP Tweets that the White House had been bombed and President Obama had been injured. "The ripple effects of any type of successful cyber attack on a prominent and trusted organization can be mind boggling, but the social engineering possibilities of a successful redirection attack can lead organizations of any size to very dark places if the attackers have a more sinister objective in mind," says Joe Caruso, CEO/CTO of Global Digital Forensics, a premiere cyber security solutions provider with years of experience in the trenches of the real-world cyber battlefield

Infosecurity Exclusive: Major Media Organizations Still Vulnerable Despite High Profile Hacks (Infosecurity Magazine) The media is a target. The four-month hack of the New York Times last year and the continuous attacks on the media by the Syrian Electronic Army culminating in the breach of the Washington Post last week all demonstrate this. One would expect that major media outlets would by now have ensured the security of their online presence. This simply has not happened

Pro–Islamic hacker claims to have compromised every Twitter account (Information Age) A hacktivist known as Mauritania Attacker has claimed to have compromised every account on Twitter by stealing a list of OAuth tokens. OAuth is an authorisation protocol that allows websites to share log–in credentials. The stolen tokens could be used to access Twitter accounts without need for a password

International hackers launch cyber attack on council website (Surrey Mirror) Cyber activists Anonymous hacked the Mole Valley District Council website on Sunday. The hacktivist collective Anonymous posted a sarcastic message defending the detention of Guardian journalist Glenn Greenwald's partner David Miranda at Heathrow airport last weekend

Ramnit Malware Uses HTML Injection in Attacks Against Steam Users (Softpedia) Researchers from Trusteer, the IT security firm recently acquired by IBM, have come across a new variant of the notorious Ramnit malware. This new configuration of the threat is being utilized to steal sensitive data from Steam users

Sirefef Malware Found Using Unicode Right-to-Left Override Technique (Threatpost) Old malware tricks never really die, they just get recycled and passed down to the next generation of attackers. The latest technique to get run through the wayback machine is the use of the right-to-left override character in Unicode, a tactic that enables malware authors to hide the real name of a malicious executable or, in a recent case, a registry key

UK Taxpayers Warned of Fake HMRC Emails That Spread ZeuS Malware (Softpedia) Bogus tax–themed emails are often used against internauts from US in an effort to trick them into handing over sensitive information, or to get them to install a piece of malware on their computers. However, experts warn that people from the UK should also be on the lookout for such malicious notifications

New Zeus variant creates bogus Instagram accounts (Help Net Security) If you are familiar with the results of a recently finished study regarding online content popularity that concluded that "likes" beget "likes", the fact that people are willing to pay good money for fake Twitter, Instagram and Facebook followers as well as "likes" and "retweets" will not come as a surprise

Can KINS Be The Next ZeuS? (Trend Labs Security Intelligence Blog) Malware targeting online banking sites naturally cause alarm among users, as they are designed to steal not only information but also money from its users. Thus it is no surprise that the surfacing of KINS, peddled as "professional-grade banking Trojan" in the underground market, raised concerns that it might become as successful as ZeuS/ZBOT had been in previous years

DIY automatic cybercrime-friendly 'redirectors generating' service spotted in the wild (Webroot Threat Blog) Redirectors are a popular tactic used by cybercriminal on their way to trick Web filtering solutions. And just as we've seen in virtually ever segment of the underground marketplace, demand always meets supply. A newly launched, DIY 'redirectors' generating service, aims to make it easier for cybercriminals to hide the true intentions of their campaign through the use of 'bulletproof redirector domains'. Let's take a peek inside the cybercriminal's interface, list all the currently active redirectors, as well as the actual pseudo-randomly generated redirection URLs

A Closer Look: Perkele Android Malware Kit (Krebs on Security) In March 2013 I wrote about Perkele, a crimeware kit designed to create malware for Android phones that can help defeat multi-factor authentication used by many banks. In this post, we'll take a closer look at this threat, examining the malware as it is presented to the would-be victim as well as several back-end networks set up by cybercrooks who have been using mobile bots to fleece banks and their customers

Can Your Printer Put Your Whole Network at Risk? (eSecurity Planet) It may not seem like a big deal if an attacker can hack into your printer. But attacks against embedded systems like printers can expose you to larger security risks

Officials investigate scope of Emory University breach (SC Magazine) Health information and Social Security numbers are among data that may have been compromised for faculty, staff and students in a data breach at Emory University in Atlanta

"Yes Scotland" Says One of Its Email Accounts Has Been Hacked (Softpedia) Yes Scotland — the organization representing the parties, individuals and companies that want a "yes" vote in the 2014 Scottish independence referendum — has filed a report with the police after one of its email accounts was allegedly breached by an unauthorized party

Lucrative business: cybercrime–as–a–service (Help Net Security) With news of the struggling high street becoming a regular occurrence, it is not surprising that increasingly small businesses are seeking opportunities online

Google's Four Minute Blackout Examined (InformationWeek) Google hasn't explained Friday's four-minute blackout of all Google services, but experts say a hack attack is not the likely cause

Academia

Hack to School: Beware the open school wi–fi (ZDNet) Like a lot of public wi–fi systems, the ones in schools are usually unencrypted and require a login. Don't confuse the login with security of the connection

Litigation, Investigation, and Enforcement

Prosecutor in Manning case calls for 60-year prison sentence (Los Angeles Times) The Army intelligence analyst displayed 'an extreme disregard' in leaking secrets, he says. Manning's defense requests a 'sentence that allows him to have a life'

At Sentencing Hearing, Lawyers For Manning Urge Leniency (New York Times) Defense lawyers on Monday made a last-minute personal plea to the military judge hearing his court-martial, asking her to be lenient in sentencing and to allow Private Manning a chance to rehabilitate himself. A prosecutor in the case urged a 60-year sentence for disclosing hundreds of thousands of documents to WikiLeaks

GCHQ agents smash up Guardian hard drives in bid to silence Prism leaks (ITProPortal) Those of us with a more sceptical world view have long rued the dwindling spectre of personal privacy and the sometimes real, sometimes perceived erosion of democratic values. There is no doubt that the latest twist in the Edward Snowden/Prism drama is camped very firmly on the tangible side of the fence

U.K. government thought destroying Guardian hard drives would stop Snowden stories (Washington Post) In a remarkable post, Guardian editor Alan Rusbridger describes how the British government raided the Guardian's offices in order to destroy hard drives containing information provided by NSA leaker Edward Snowden. The British government had been pressuring the Guardian to return or destroy the Snowden documents. Rusbridger says he tried to explain that destroying hard drives would be pointless

David Miranda detention: Will encryption keep Greenwald and PRISM secrets safe? (ITProPortal) The PRISM scandal took another twist at the beginning of the week, after it emerged that the partner of Guardian journalist Glenn Greenwald — who has worked closely with whistle blower Edward Snowden in exposing NSA and GCHQ spying — was detained by British authorities at Heathrow airport, with all his electronic devices taken away for examination

David Miranda, schedule 7 and the danger that all reporters now face (The Guardian) As the events in a Heathrow transit lounge — and the Guardian offices — have shown, the threat to journalism is real and growing

The Detention of David Miranda Raises Serious Issues (Infosecurity Magazine) Over the weekend David Miranda, partner of Glen Greenwald - the Guardian journalist who published the first of a series of reports detailing United States and British mass surveillance programs, based on documents obtained by Edward Snowden — was detained at Heathrow for just under 9 hours — the maximum allowed under Section 7 of the Terrorism Act. Miranda was in transit from Berlin to his home in Brazil. All of his electronic equipment was confiscated

Why does being a relative of Glenn Greenwald place you above the law? (The Telegraph) Should being a relative of Glenn Greenwald place you above the law? I ask the question because this morning many people are arguing Greenwald's partner David Miranda should, in effect, enjoy immunity from investigation solely because his spouse writes very lengthy articles for The Guardian

Information requests (Twitter Transparency Report) Information requests include worldwide government requests we've received for user account information, typically in connection with criminal investigations or cases

RSPCA has access to confidential police data and no one is checking what it does with it (Naked Security) UK police routinely pass on personal information they hold, including central criminal records and huge swathes of material held by local forces, to the RSPCA — a non–government body with no official requirement to reveal who it holds data about, what data it holds, how it stores it or for how long

EPA critic to NSA: Hey, want to share? (Politico) A conservative gadfly who has made a crusade of uncovering embarrassing emails at the Environmental Protection Agency wants to tap a new potential evidence trove: the National Security Agency's electronic snooping program. Attorney Chris Horner has filed a Freedom of Information Act request, asking the NSA to turn over any information it might have gleaned from former EPA Administrator Lisa Jackson's personal Verizon email account

Lavabit owner risks arrest for not complying with surveillance order (Help Net Security) The incessant revelations fueled by the documents leaked by NSA whistleblower Edward Snowden have made people reevaluate their expectations of privacy and their beliefs on what the US intelligence and law enforcement agencies are or are not able to do and what they actually do

Surveillance concerns bring an end to crusading site Groklaw (CNet) A legally informed Web site critical of lawsuits from the SCO Group, Apple, Oracle, and patent trolls shuts down because its founder says e-mail can't be protected from government scrutiny

Changing IP address to access public website ruled violation of US law (Ars Technica) CFAA forbids easy method of evading IP blocking used by 3taps (and Aaron Swartz). Changing your IP address or using proxy servers to access public websites you've been forbidden to visit is a violation of the Computer Fraud and Abuse Act (CFAA), a judge ruled Friday in a case involving Craigslist and 3taps

Design and Innovation

Innovation Is Executive Porn (InformationWeek) When it comes to both innovation and porn, there's a huge appetite for fantasy. When executives take off their glasses and pinch their eyes shut in that "I'm thoughtful" pose, they're picturing themselves in a black turtleneck