The CyberWire Daily Briefing 08.22.13

Cyber Trends

Five things radically changing what "enterprise" means (Ars Technica) Clouds and virtualization, sure, but what about shadow IT groups

When Chief Security Officers become Chief Risk Officers (SC Magazine) A discussion with a number of security industry leaders on the evolving role of the chief security officer

Consumers Threaten to Switch Banks Over Phishing Scams (The Financial Brand) 71% of U.S. adults would be at least somewhat likely to switch to a different bank if they became a victim of online banking fraud at their current bank

The Counter-productive Effect of the Cost of Cybercrime (Infosecurity Magazine) The cost of cybercrime is frequently used to justify the cost of security products and the implementation of new - and invariably more stringent - cyber laws. But what if those figures are wrong? Could it mean that industry, and government, gets its entire cybersecurity strategy wrong

Data Threats Spark Insurance Hunger (CFO) Ponemon, a nonprofit think tank focusing on privacy and data-security issues, defines the former term as "a cyber attack that infiltrates a company's networks or

System integrity steps up as an issue (FierceFinance) System integrity has been a big issue on Wall Street, as the dazzling technical complexity of all markets continues to advance. Unfortunately, controls and QA mechanisms have not kept pace. We've seen a laundry list of system snafus that have victimized the likes of Nasdaq, Facebook, BATS and of course Knight Capital. Recall that Knight Capital, thanks to a system bug that cropped up as part of the company's efforts to connect with a new NYSE retail liquidity program, ended up suffering a $440 million in less than an hour. It ultimately forced the firm to put itself up for sale, at a fraction of what it was previously worth

McAfee Threat Report finds significant new mobile malware concerns (CSO) It's that time again. No, don't check your calendar—it's not another Patch Tuesday already. It is however, time for the latest McAfee Threats Report, covering the second quarter of 2013. Mobile malware targeting Android is once again stealing the show, but now it seems to be more than just bluster

Legislation, Policy and Regulation

Don't use Windows 8 due to risk of 'back doors', warns German government (Computing) The German government has recommended that Federal Administration and other high profile public sector departments in the country do not use Windows 8 because, it warns, it contains security backdoors that cannot be controlled or trusted, and that may be easily accessible by the NSA

NSA scandal looms large in German election (Politico) It's election season in Germany and there's one campaign issue that won't go away: the NSA surveillance scandal. A month before the Sept. 22 federal elections here, which determine whether Chancellor Angela Merkel and her party will be reelected for a third term, the NSA scandal appears in headline after headline in German newspapers

Amid Uproar Over NSA's Surveillance, Malaysia Wants to Expand Its Spying Powers (Bloomberg) The spying scandal roiling the National Security Agency in the U.S. may turn out to provide great air cover for other countries wanting to expand electronic surveillance

'Boyfriend Tracker' app raises stir in Brazil (WKRN) Brazilians were outraged when they learned their country was a top target of the U.S. National Security Agency's overseas spying

Lawmakers, privacy groups rattled by latest NSA reveal (Politico) Congressional critics of government surveillance blasted the NSA and promised additional hearings after the Obama administration on Wednesday declassified documents that show thousands of Americans' emails had been scooped up

NSA's Surveillance Reach; Supreme Court Hasn't 'Gotten to' Email (Wall Street Journal) Roughly 75%: The National Security Agency, working with telecommunications companies, has built a surveillance system that can reach deep into the US

Buchanan calls for reform of National Security Agency (Bradenton Herald) In the wake of new revelations about the extent of the agency's surveillance activities, Rep. Vern Buchanan joined calls Wednesday for Congress to reform the

5 reasons the NSA scandal ain't all that (The Week) I really do think tribal feelings determine how you view the significance of Edward Snowden's revelations. It is almost impossible not take into account everything associated with the manner that they were released: the dramatic flight to Hong Kong, then Russia; the dramatic differences in press freedoms in the U.S. and U.K.; the detention of David Miranda and the destruction of hard drives inside the headquarters of a newspaper. No matter how hard we try, we can't help but fail to segregate our judgment of the NSA's actions. We want to side with the side we identify with: civil libertarians, journalism, or with the intelligence community, with policy-makers. We accept their assertions and their evidence more than we do the assertions of the "other" side, even though this type of controversy does not lend itself to binary divisions

US Director Of National Intelligence Launches Tumblr Site "IC On The Record" To Assuage Surveillance Concerns (TechCrunch) The U.S. office of National Intelligence launched a new site today to promote government transparency in the wake of the months-long scandals surrounding the National Security Agency's surveillance tactics

Welcome to IC ON THE RECORD (ODNI) In Congress and across the nation, Americans are engaged in a discussion about the value and appropriateness of the foreign surveillance authorities granted to the Intelligence Community. The discussion will ultimately lead us, as a nation, to make decisions about the future of some foreign surveillance-related laws and practices

GCHQ taps fibre-optic cables for secret access to world's communications (The Guardian) Britain's spy agency GCHQ has secretly gained access to the network of cables which carry the world's phone calls and internet traffic and has started to process vast streams of sensitive personal information which it is sharing with its American partner, the National Security Agency

International Internet governance treaties dubbed "folly" (FierceGovtIT) Dismissing as "folly" efforts to govern the Internet through international treaty, a draft essay argues that global debate mechanisms such as the Internet Governance Forum are a better way to regulate responsible Internet usage

Why the US should build a national internet system (Quartz) Earlier this month, The Daily Yonder, a well-named site about life in rural America, brought us this unsettling map of broadband availability, or lack thereof, in the country's remote counties

Defense Hires Cyber Chief For Industry Information–Sharing Program (NextGov) The U.S. military has tapped an IBM executive to encourage Pentagon contractors to come clean about network breaches that might compromise government data, Defense Department officials said on Wednesday

DoD to unite IT, building control systems along same cyber lines (Federal News Radio) The Defense Department is expanding the number and types of devices that are covered under its cybersecurity regulations. DoD's Chief Information Officer Teri Takai is expected to issue the new regulations in October

The NSA's phony national firewall proposal (ZDNet) According to an anonymously-sourced report in the New York Times, the NSA wants to build a firewall/IDS/IPS around the whole United States of America. The idea is completely ridiculous, impractical in the extreme, and perhaps just a ruse for other operations. Few government agencies have taken a reputation hit in recent times as big as that currently diminishing the National Security Agency (NSA). And while many in the tech industry were distrustful of the NSA before, there was at least an admiration for their prowess in cyberwarfare

Russia's FSB mulls ban on 'Tor' online anonymity network (Russia Today) The head of the Federal Security Service (FSB) has personally ordered preparations for laws that would block the Tor anonymity network from the entire Russian sector of the Internet, a Russian newspaper reported

Products, Services, and Solutions

New enterprise information management platform (Help Net Security) Actifio announced a product release expanding its scope as an application-defined copy data management platform. New features in Actifio 6.0 allow companies to manage data in ways that go beyond business resiliency applications - classic backup and business continuity use cases - to manage enterprise data access

Barracuda Web Filter 7.0 targets social media harassment (Help Net Security) Barracuda Networks released firmware version 7.0 for its Web Filter. Highlights of the new release include transparent inspection of SSL-encrypted traffic, proactive alerts for web policy violations

Motorola's new Moto X phone worries IT security pros (FierceMobileIT) The new Moto X smartphone, the flagship smartphone for Google's (NASDAQ: GOOG) Motorola Mobility unit, comes with all kinds of consumer friendly features, such as a personal digital assistant that can guess what information or services users want and an always-on microphone

Microsoft Windows Defender Stumbles In Malware Tests (InformationWeek) Microsoft's free anti-virus software came in last among 23 programs at catching known malware in an AV program shootout, says independent testing firm

Technologies, Techniques, and Standards

Dmitri Alperovitch on Offensive Security and Active Defense (Tripwire) Dmitri Alperovitch (@DmitriCyber) is the Co-Founder and CTO at CrowdStrike, and is leads the company's Intelligence, Research and Engineering teams, and previously was the Vice President of Threat Research for McAfee, where he spearheaded global Internet threat intelligence analysis

Security tips for the connected family (Help Net Security) With more than half of families purchasing electronics this back-to-school shopping season, students are using more technology than ever to make the grade

When it comes to trouble shooting and threat detection, NetFlow wins over packet capture (NetworkWorld) This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach. With Internet connections to cloud services growing rapidly and cyber attacks becoming craftier and more sinister, the need for improved traffic visibility is in high demand. In the past, both layer 7 application awareness and malware detection capabilities have been major separators when choosing between flow capture and packet capture for traffic analysis, but today the decision is most often NetFlow in lieu of packet capture

PCI 3.0 Pushes Security, Not Just Requirements (StorefrontBacktalk) If you want to get a handle on PCI version 3.0, one place to start is compensating controls. You know the idea: You can't meet the letter of some PCI requirement, so you come up with an alternative security measure that your QSA confirms will produce the same result. Instead of having to twist your systems in knots over a requirement, you focus on making your systems secure. And that, in a nutshell, is what the new version of the PCI Data Security Standard is trying to do too

Extracting data from damaged mobile devices (Forensic Focus) For the last few years we have successfully extracted data from various mobile device, such as cell phones, smartphones, tablets, etc. Among devices to be examined, we came across defective mobile devices (damaged mechanically, by fire or due to being stored in harsh or hostile environmental conditions) from which digital evidence should also be extracted. We have developed several approaches to examining damaged mobile devices which we would like to share with our colleagues

Marketplace

China: When Trade Trumps Information Security (IDGConnect) As the world's second-largest economy and one of its largest consumers of technology, China has a staggeringly powerful position at the centre of global trade. There's something about a market of over one billion consumers which tends to make governments and private enterprises pretty nervous about offending Beijing in any way... there's always the chance that retribution could be brutally swift and irreversible

IBM Services And Software Selected For Department Of Homeland Security's Cybersecurity Initiative (Wall Street Journal) IBM (NYSE: IBM) today announced its industry leading security software and services offering will be part of the Department of Homeland Security's (DHS) Continuous Diagnostics and Mitigation (CDM) program

Kratos Awarded Department of Homeland Security "Continuous Monitoring as a Service" Blanket Purchase Agreement (MarketWatch) Veteran Security Leader and Former CISO for the Nuclear Regulatory Commission to Lead Efforts on Behalf of Kratos

Lockheed Martin Wins Role to Provide Cyber Security Services to Government Agencies (4-Traders) Lockheed Martin [NYSE: LMT] has been authorized as a provider of cyber security information technology (IT) services and tools for a Department of Homeland Security (DHS) program to defend federal and other government IT networks from threats

Lunarline Wins FAA Information Security and Privacy Contract (Sacramento Bee) Lunarline is a leading cyber security and privacy provider to the US Federal Government, as well as private industry. Our unique approach to

SAIC names new leader for intelligence group (Washington Technology) The NSS is part of SAIC that will help form Leidos once SAIC splits into two new companies … His background includes active duty as a Navy intelligence officer

CyberMaryland 2013 to celebrate National Cyber Security Awareness Month (Maryland Biz News) Governor Martin O'Malley announced on Tuesday that during National Cybersecurity Awareness Month in October 2013, Maryland will host CyberMaryland 2013, a multi-faceted conference, competition, TECHEXPO cyber hiring event and awards celebration designed to showcase industry innovations, recognize cyber pioneers and groom the next generation of cyber experts. Scheduled October 8 and 9 at the Baltimore Convention Center, CyberMaryland 2013 will connect educators, innovators, employers, and students and further demonstrate the state's leadership in cybersecurity and information technology. Sponsoring CyberMaryland 2013 is Science Applications International Corporation (SAIC)), Maryland's Department of Business and Economic Development (DBED), and the University of Maryland, Baltimore County (UMBC)

Research and Development

Google Exploring Location–Dependent Security Settings For Smartphone Unlock (TechCrunch) Google has a patent application published today (via Engadget) that would make the standard system of unlocking a device much more intelligent, using a smartphone's built-in sensor to change your security settings on a sliding basis depending on where the phone finds itself. This would allow a user to make it easier to unlock a phone while in the comfort of their own home, while making it more

'Intelligent agents' putting the smart in artificial intelligence (ZDNet) Machines and systems equipped with their own values and objectives are bringing a new level of sophistication to a range of applications across defence, customer service and gaming. Expect "intelligent agents" -- artificial Intelligence (AI) systems equipped with their own sets of beliefs and life goals -- to increasingly feature across areas as diverse as logistics, manufacturing, entertainment, gaming, and defence

Bank of America Assigned Patent [for personal encryption device] (Hispanic Business) Bank of America, Charlotte, N.C., has been assigned a patent (8,516,609) developed by Richard John Woodward, Warrington, United Kingdom, and Amanda Jane Adams, Flint, United Kingdom, for a personal encryption device

Security Patches, Mitigations, and Software Updates

Google Releases Google Chrome 29.0.1547.57 (US-CERT) Google has released Google Chrome 29.0.1547.57 for Windows, Mac, Linux, and Chrome Frame to address multiple vulnerabilities. These vulnerabilities could allow a remote attacker to cause a denial of service condition, conduct a directory traversal attack, or obtain sensitive information

Cisco patches serious vulnerabilities in Unified Communications Manager (ComputerWorld) The vulnerabilities can be exploited by attackers to execute arbitrary commands or disrupt telephony-related services, Cisco said

Cyber Attacks, Threats, and Vulnerabilities

Chinese Ransomlock Malware Changes Windows Login Credentials (Symantec) Although ransomware has become an international problem, we rarely see Chinese versions. Recently, Symantec Security Response noticed a new type of ransomlock malware that not only originates from China but also uses a new ransom technique to force users into paying to have their computers unlocked

Android Malware goes SMTP (F-Secure) Before we get to thinking that nothing is new under the Android malware sun, we get a small, but quite interesting surprise. An android malware that connects to SMTP servers to send an email

Attackers home in on Steam gamers with help of Ramnit Trojan (SC Magazine) Users of the popular video game distribution service Steam are being targeted by a Trojan that steals their login credentials and defeats the service's password encryption mechanism by using HTML injection

Psst. Your Browser Knows All Your Secrets. (Internet Storm Center) This is a "guest diary" submitted by Sally Vandeven. We will gladly forward any responses or please use our comment/forum section to comment publically. Sally is currently enrolled in the SANS Masters Program. I got to wondering one day how difficult it would be to find the crypto keys used by my browser and a web server for TLS sessions. I figured it would involve a memory dump, volatility, trial and error and maybe a little bit of luck. So I started looking around and like so many things in life…all you have to do is ask. Really. Just ask your browser to give you the secrets and it will! As icing on the cake, Wireshark will read in those secrets and decrypt the data for you. Here's a quick rundown of the steps

Random NSFW Tumblr Posts Not Caused by Hack, Site Confirms (Softpedia) Tumblr has explained the strange issues that have been plaguing users earlier today. People have reported seeing weird entries in their dashboard feeds from people they don't even follow. Some of the content was heavily NSFW, giving plenty of users a nasty surprise…Fortunately, the issue has been identified, the Yahoo-owned site has said, and Tumblr has explained that the problem was strictly on their part, i.e. there was no hack or anything nefarious going on

Hacktivists boast of English Defence League KO after website downed (The Register) Hacktivists linked to Anonymous have claimed responsibility for knocking shouty anti-Islam group the English Defence League's website offline

Hacks continue as FBI claims to have dismantled Anonymous (Global Post) The FBI is claiming to have dismantled the hacker organization Anonymous. But shortly after an official's statements were published in the press, Anons dumped large amounts of data that appears to have been stolen from FBI servers

Exclusive: Anonymous Calls Bulls#%t on FBI's Claims of Victory (RYOT) Keith Alexander warned of the looming capability of the organization to cause mass power outages via cyber attack. Anonymous, at the time, responded via

Anonymous: Sorry, FBI, you don't scare us (CyberWarZone) The FBI is declaring victory over Anonymous in a series of statements claiming the hacker collective is no longer able to carry out large, successful operations because most of its "largest players" have been arrested or detained by US law enforcement authorities. "The movement is still there, and they're still yacking on Twitter and posting things, but you don't hear about these guys coming forward with those large breaches," Austin P. Berglas, assistant special agent in charge of the FBI's cyber division, told the Huffington Post

How Hacktivists Have Targeted Major Media Outlets (Dark Reading) From the Washington Post and CNN to the Twitter feeds of the Associated Press and Reuters, hacktivists have news outlets…and their social-media presence…in their crosshairs. Global conflicts have increasingly led tech-savvy protesters and loyalists to express their views online by hacking, and while many groups have focused on attempting to damage or deface government websites, others have focused on getting the word out by attacking the media

DDoS Attacks Used As Cover For Other Crimes (Akamai Blog) Protecting customers from DDoS attacks is an Akamai InfoSec specialty. When we see DDoS attempts against our customers, the typical thinking is that someone is doing it to force sites into downtime, which can cost a business millions in lost online sales

Spammers Get Jamming on SoundCloud (ThreatTrack Security Labs) Spam related to watching content online has been around for a long time, and the last time we saw something pretty inventive in this area was back in June with the promise of free movies spammed to Slideshare. Today we're going to take a look at what spammers are up to in SoundCloud land. Spammers are doing their best to promote their "free movie / tv show" antics on the popular audio distribution platform like so

Jumping out of IE's sandbox with one clic (Threatpost) Software vendors often give intentionally vague and boring names to the updates they use to fix security vulnerabilities. The lamer the name, the less attention it may attract from attackers looking to reverse-engineer the patch. There was one patch in Microsoft's August Patch Tuesday release earlier this month that fit that bill, MS13-059, Cumulative Security Update for Internet Explorer. But hidden inside the big fix was a patch for a vulnerability that enabled a one-click escape of the IE sandbox

Email account hacked, phishing messages sent, traces obliterated (GData) When a Gmail account has been attacked, the victim will need to put everything straight again

Hacker reveals how devastating a cyberattack on the stock market could be (Daily Caller) Of all the horrifying scenarios that hackers could pull off -- from launching nukes to spoofing air traffic control -- the one that poses the biggest risk for Wall Street would be a cyber attack on equity markets. In the summer issue of hacker magazine 2600, pseudonymous writer "Eightkay" shows how such a scenario could pan out

Academia

Vt. senator, Norwich to talk cyber warfare grant (Sacramento Bee) U.S. Sen. Patrick Leahy and officials at Northfield's Norwich University are going to be talking about a contract to develop software to help combat cyber warfare

Litigation, Investigation, and Enforcement

Bradley Manning's Tough Sentence Shows White House's Uncompromising War On Data Leakers (TechCrunch) Wikileaks source Private Bradley Manning was slapped with a 35-year prison sentence today -- the largest sentence ever of its kind. "It's further indication that the Executive Branch is very serious about discouraging classified documents," Yale Law School professor Eugene Fidell tells me. "It struck me that it was a little on the high side, but within the range of

White House calls for warrantless searches of suspects' cellphones (The Verge) Obama administration urges Supreme Court to weigh in on controversial case

Manning to seek pardon from Obama (The Hill) Former Army intelligence analyst Pfc. Bradley Manning is planning to formally request a pardon from President Obama, his lawyer said Wednesday. Manning's attorney, David Coombs, told reporters at Fort Meade, Md., that Manning would apply for a presidential pardon after he was sentenced Wednesday to 35 years in prison on charges of espionage

Secret NSA court opinions declassified (Politico) The nations' top intelligence official is declassifying three secret U.S. court opinions showing how the National Security Agency scooped up as many as 56,000 emails annually over three years and other communications by Americans with no connection to terrorism, how it revealed the error to the court and changed how it gathered Internet communications

Court Eventually Stopped NSA From Collecting Millions Of Communications (TechCrunch) Two new fun facts today regarding America's surveillance state: the National Security Agency was collecting hundreds of millions of communications up until 2011, but a military court stopped them. In a recently declassified and heavily redacted court order, the Foreign Intelligence Surveillance Court (FISC) ruled that a potentially defunct mass email snooping program violated the 4th

US Admits Electronic Spying on Americans Was Illegal (SecurityWeek) The US government spied on electronic communications between Americans with no links to terror suspects until a judge ruled it illegal in 2011, officials acknowledged Wednesday

NSA used PRISM to collect more than 200 million internet communications a year as of 2011 (The Verge) According to a declassified order from the Foreign Intelligence Surveillance Court, as of 2011, the US National Security Agency was "acquiring" more than 250 million "internet communications" each year under Section 702 of the FISA Amendments Act (FAA) -- the statute that allows the NSA to collect the content of internet communications. The order states that the "vast majority" of these communications were obtained from internet service providers under PRISM, and that only nine percent of of the total internet communications acquired by the NSA were part of it's "upstream" collection practices, which pull data directly from telecommunications cables

NSA Program Found Unconstitutional Went On For 3 Years; Started Right After Telcos Got Immunity (TechDirt) A further delve into the latest NSA surveillance bombshell from the WSJ highlights the ridiculousness of the claims that there were "no violations" by the NSA over the years. We've been aware for a while that the FISC ruled a certain NSA program unconstitutional, but the details had been kept secret. It only came out that something was found unconstitutional a year ago, through the efforts of Senator Ron Wyden. Since then, people have been digging for more. The DOJ finally has agreed to release a redacted version of the FISC ruling after fighting it for a while, but as we wait, some more details have been coming out. Last week's Washington Post story about abuses claimed that this particular program wasn't reported to the FISC for "many months."

Privacy minefields lurk even in corporate-owned devices (FierceMobileIT) Some enterprises are rethinking BYOD and returning to policies that only permit corporate-owned mobile devices in the workplace in order to improve security and reduce legal liability

Retired sailor guilty of attempted espionage (Norfolk Virginian-Pilot) In about as much time as it took to eat a late lunch, a federal jury on Wednesday convicted a retired sailor from Virginia Beach of trying to pass classified information to Russian spies

Soca chief, Trevor Pearce, treated hacking committee 'with contempt' (The Independent) The head of the Serious Organised Crime Agency (Soca) is facing fresh questions over his evidence to Parliament after he provided MPs with contradictory statements over the unit's activities regarding corrupt private investigators

Investigation At Bloomberg Finds A Don't Ask, Don't Tell Newsroom Culture (Forbes) The news that some reporters at Bloomberg News used access to the company's clients' data in their reporting put the financial news giant under a microscope earlier this year. But was it the isolated and relatively harmless actions of a few or evidence of systemic rot? A three-month review of the organization's practices suggests it was mostly the former, but also describes a newsroom culture where a large number of reporters had a vague sense they were getting away with something shady

Design and Innovation

You, too, can get PRSM and learn to love the NSA (VentureBeat) It seems every app is building some new awesome way to share, but none of them come close to PRSM, the latest app to help you share your emails, photos, videos, phone calls, text messages, Google searches, and trips to the toilet

Linux Hackers Rebuild Internet From Silicon Valley Garage (Wired) Alex Polvi is living the great Silicon Valley archetype. Together with some old school friends, he's piecing together a tech revolution from inside a two-car Palo Alto garage

The CyberWire Daily Briefing for 8.22.2013