The CyberWire Daily Briefing 09.03.13

Cyber Trends

Our Newfound Fear of Risk (Schneier on Security) We're afraid of risk. It's a normal part of life, but we're increasingly unwilling to accept it at any level. So we turn to technology to protect us. The problem is that technological security measures aren't free. They cost money, of course, but they cost other things as well. They often don't provide the security they advertise, and — paradoxically — they often increase risk somewhere else. This problem is particularly stark when the risk involves another person: crime, terrorism, and so on. While technology has made us much safer against natural risks like accidents and disease, it works less well against man–made risks

Login and password troubles revealed (Help Net Security) Increasingly lengthy and complex log-in processes and web forms are driving consumers away from websites, according to Ping Identity. The study revealed that an overwhelming 80% of consumers had locked themselves out of websites because they couldn't remember their log-in details

The fanciful world of cyber warfare (Young Witness) The explosion was catastrophic. When the gas pipeline ruptured that day in Siberia in 1982, the detonation was so large that the North American Aerospace Defence Command headquarters, NORAD, initially thought it might have been a missile launch. Equivalent to three kilotonnes of TNT (or a small nuclear device), it was the largest non-nuclear explosion so far seen from space. Over 20 years later, a United States National Security Council staffer reported in his memoirs that the explosion was the result of an American sabotage operation. A Trojan horse computer virus had been embedded in the software that controlled the pressure and flow in the Siberian pipeline; in disrupting and manipulating the pressure, the virus placed stress on the pipes, ultimately leading to the massive explosion. It was, the staffer declared, the first-ever act of cyber warfare. Except it wasn't

MORGAN HOUSEL: So, if this scares you, don't invest (Herald Zeitung) There are a lot of things to worry about as an investor. Hackers aren't one of them. Last week, hacker magazine 2600 described what a potential cyber attack on global stock markets could look like. It wrote (via Business Insider)

India lacks security professionals despite being highly targeted by cyber criminals (CIOL) SANS Institute, a cooperative research and education organization, and the largest source for world-class information security training and security certification, has stressed the importance of repeatable and sustainable training programs that focus on combatting real-world attacks if India is to successfully secure its critical and most sensitive systems

60% of IT professionals believe cyber security is underfunded by organisations (ITProPortal) 60 per cent of IT professionals believe that not enough time or money is being spent by companies to develop cyber security policies, a new study by Kaspersky Lab has suggested

Legislation, Policy and Regulation

If you think the NSA is bad, try the Putin–controlled Chrome toolbar (ZDNet) I am not making this up. You can't make this stuff up. This is what the world is coming to. When I grew up the Russians were the Soviets and they were the bad guys. We were told we were about 20 minutes or so from mutually-assured destruction and that the Russians (er, Soviets) hated us for our freedoms. Eventually, things changed. The Soviet Union fell but many of the old guard remained in power. Vladimir Vladimirovich Putin is a good example. He spent 16 years in the KGB, mustering out with the title of Lieutenant Colonel (the same rank Ollie North had when he was playing games with Iran and the Contras)

It is wrong for internet privacy rights to overshadow cyber security issues — experts (Voice of Russia) As the world public spews torrents of outrage over the uncontrolled electronic surveillance by American secret services, a no less important debate — on national security in cyber space and the prevention of a large–scale cyber war — has been somehow pushed into the background

Brazil, Mexico summon US envoys over spy claims (Channel News Asia) Brazil and Mexico summoned US ambassadors on Monday to demand explanations over allegations that the National Security Agency spied on their

US-Brazil tensions flaring after report that NSA spying program targeted Brazil's president (Washington Post) The Brazilian government condemned a U.S. spy program that reportedly targeted the nation's leader, labeled it an "unacceptable invasion" of sovereignty and called Monday for international regulations to protect citizens and governments alike from cyber espionage. In a sign that fallout over the spy program is spreading, the newspaper Folha de S.Paulo reported that President Dilma Rousseff is considering canceling her October trip to the U.S., where she has been scheduled to be honored with a state dinner. Folha cited unidentified Rousseff aides. The president's office declined to comment

Report: U.S. Agency Spied on French Diplomats, al-Jazeera TV (Naharnet) The U.S. National Security Agency (NSA) spied on the internal communications of France's foreign ministry and diplomats and those of Qatar-based television station al-Jazeera, a German magazine said Sunday. Der Spiegel reported that in 2010 the NSA monitored the internal computer network of France's diplomats and that of the ministry itself by accessing so-called virtual private networks (VPN), a tool that generally offers a secure internet connection to users

NSA tops up exploit pool with $25m in 'grey market' vulnerabilities (CSO) The US National Security Agency (NSA) spent $25.1 million on software bugs from grey market vulnerability vendors in financial year 2013 as part of a larger offensive security program aimed at foreign networks, according to a recent report from Washington Post. Newly disclosed intelligence budget documents provided to the newspaper by former NSA contractor Edward Snowden revealed that US intelligence services are responsible for malware on tens of thousands of devices in foreign networks every year and the US government conducted 231 offensive cyber operations on foreign networks in 2011

Does Congress Have the Power to Enact A General Ban on the Use of Bugging Devices? (Volokh Conspiracy) Since 1968, federal law has prohibited the use of bugging devices — secret microphones — to record private conversations. Here's the relevant text: [A]ny person who…intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any…oral…communication [is guilty of a crime and commits a civil violation] [18 U.S.C. 2511(1)(a)]

Why Are We Spying on Israel? (Slate) The Washington Post's Barton Gellman has another blockbuster today from the mixed-up files of Mr. Edward J. Snowden, this one providing details of the top-secret $52.6 billion "black budget" for the 16 spy agencies that make up the U.S. intelligence community. Among other details, the report discusses the recent resurgence of the CIA and the intelligence community's new focus on "offensive cyber operations." It also includes this striking detail: Pakistan is described in detail as an "intractable target," and counterintelligence operations "are strategically focused against [the] priority targets of China, Russia, Iran, Cuba and Israel"

Washington Post: U.S. conducted counterintelligence operations on Israel (Ha'aretz) Top secret files leaked by Snowden show U.S. spy agencies devoted considerable attention not only to America's foes, but also to one of its closest allies

HHS drops 1-hour HIX breach notification rule (FierceHealthIT) HHS' final regulation on health insurance exchanges does not include a proposed mandate that healthcare organizations report all data breaches within one hour of discovery

Guarding new frontiers: Cyber defence body proposed (Express Tribune) Like terrorism and military aggression, cyber security must be treated as a major threat to the country, the Senate's panel on defence said on Saturday. The panel proposed creating an Inter Services Cyber Command (ISCC) under the office of Chairman Joints Chief of Staff Committee (CJCSC) to pre-empt any cyber attack

Cyber-spying fallout: Govt may restrict usage of Google's Gmail for employees (Economic Times) The government will soon ask all its employees to stop using Google's Gmail for official communication, a move intended to increase security of confidential government information after revelations of widespread cyber-spying by the US

Products, Services, and Solutions

This bracelet could replace your passwords, your car keys, and even your fingerprints (The Verge) Fingerprint readers. Face Unlock. Retinal scanners. They're all no better than your average password, at least the way Dr. Karl Martin sees it. "Your face, your iris — they're all physical features that can be stolen, that you leave everywhere." Luckily, Dr. Martin has a better idea. He's planning to use it to open everything from our phones to our front doors, and even move the car seat exactly how we want it. All we have to do is wear a bracelet

Balky carriers and slow OEMs step aside: Google is defragging Android (Ars Technica) Versions don't matter, because Google now controls the platform behind the platform

Snort IDS Sensor with Sguil New ISO Released (Internet Storm Center) The CD includes some new tools and updated scripts. It is available in two versions, 32-bit and 64-bit. The install.pdf document on how to install and configure the system is located in the rel_note directory

Leaked FinFisher presentation details toolkit's spying capabilities (Help Net Security) F-Secure's Mikko Hypponen has shared several interesting slides from a presentation that displays the wide range of capabilities offered by the FinFisher commercial spyware toolkit

Check Point stops cyber criminals in their tracks (TechDay) Check Point Software Technologies has announced the availability of Check Point R77, the latest release for its award-winning Software Blade Architecture. R77 offers over 50 product enhancements, including a new ThreatCloud Emulation Service, Check Point HyperSpect performance enhancing technology and Check Point Compliance Software Blade

Technologies, Techniques, and Standards

Quantitative Metrics and Risk Assessment: The Three Tenets Model of Cybersecurity (Technology Innovation Management Review) Progress in operational cybersecurity has been difficult to demonstrate. In spite of the considerable research and development investments made for more than 30 years, many government, industrial, financial, and consumer information systems continue to be successfully attacked and exploited on a routine basis. One of the main reasons that progress has been so meagre is that most technical cybersecurity solutions that have been proposed to-date have been point solutions that fail to address operational tradeoffs, implementation costs, and consequent adversary adaptations across the full spectrum of vulnerabilities

What to Look for When Evaluating Password Manager Software (CIO) Here are the significant issues that can distinguish one password manager product from another. You'll probably make a similar list of requirements as you do your own research for password managers

Security Awareness Programs: Better Than Nothing (Akamai) Yesterday's post about the SEA's phishing activities and DNS attacks included advice that companies continue to push for better security awareness among employees and customers. An old friend, Dave Marcus — director and chief architect of McAfee's Federal Advanced Program Group — disagreed

Proper Understanding of "Awareness" is Necessary to Improve Security Awareness (CSO) As the concept of "security awareness" makes an awkward shift from relegated compliance cost to front and center discussion on how to influence behavior change in organizations, it's important to consider what "awareness" is in order to improve our outcomes

Cloud Security: Why Auditors Are Part Of The Problem (InformationWeek) What your CISO says when asked about moving a server to the public cloud: "No way — we'll lose control of a mission–critical application." What she's really thinking: "No way — it'll make my life a living hell during security audits." And in fact, that's one of the few perfectly rational security–related reasons to shy away from the cloud

Government tests banks' resilience to cyber crime (Telegraph.co.uk) The current benchmarking is being compiled from information gathered during an industry-wide cyber attack exercise conducted last year. A follow-up drill is

10 ways to avoid a cyber attack (New Statesman) Today's business environment relies on digital technology to function. This brings great opportunity as well as risk. Business is undertaken more effectively and efficiently, but information flows can be intercepted and compromised. Whilst online crime has often been viewed as an issue facing larger businesses, smaller organisations are increasingly coming into focus as the next soft target (with their intellectual property and customer and payment databases)

Open Data Initiative: Providing Fresh Ideas on Securely Sharing Information (SIGNAL Magazine) Recently at the AFCEA International Cyber Security Summit in Bethesda, MD, Army Maj. Gen. John A. Davis, Senior Military Advisor for Cyber to the Under Secretary of Defense, said "Cyber partnerships such as those with the National Security Agency and the Defense Intelligence Agency and external partnerships such as those with industry, international allies and academia represent a transformation in the way DOD approaches cybersecurity." For years, the U.S. Defense Department, not surprisingly, took a "do it alone" posture when it came to sharing information and protecting its networks and communication infrastructures from security attacks

Five ways to get the most out of your sandbox (Help Net Security) There's been a lot of talk lately about the value of sandbox technology as part of a cybersecurity defense. While sandboxes are a valuable tool in the hands of a cybersecurity team to identify and analysis

Industry Cyber Guidelines Target 'Insider Threats' (Defense One) The Obama administration has released a draft of computer security protocols for companies that operate key systems, such as chemical plants and the electric grid. The document admittedly does not address privacy issues

NSA: NOBODY could stop Snowden — he was A SYSADMIN (The Register) Virtually unfettered access blew sensitive docs wide open. The US National Security Agency may have some of the most sophisticated cyber-surveillance programs in the world, but it was trivial for former NSA contractor Edward Snowden to walk off with sensitive data, sources say, owing to the agency's antiquated internal security

Cisco CTO Bret Hartman on how to secure BYOD, wearable tech (FierceCIO: TechWatch) BYOD and wearable gadgets are but a couple of the new trends that have emerged in recent years. As these devices make their way onto the corporate network, the inevitable question to security administrators and executives is how they, as well as emerging technologies such as software defined networking (SDN), impact enterprise security

Marketplace

The STEM Crisis Is a Myth (IEEE Spectrum) Forget the dire predictions of a looming shortfall of scientists, technologists, engineers, and mathematicians

Is There a U.S. IT Worker Shortage? (IEEE Spectrum) Someone who is a data scientist today is said by Harvard Business Review to have the sexist job alive. And if sexy isn't enough, how about being a savior of the economy? According to a 2011 report by consulting company McKinsey & Company, "Big Data" is "the next frontier for innovation, competition and productivity." That is, of course, if enough of those sexy data scientists can be found

Microsoft to acquire Nokia's mobile phone business (IT World) Two years after hitching its fate to Microsoft's Windows Phone software, a withered Nokia collapsed into the arms of the U.S. software giant, agreeing to sell its main handset business for 5.44 billion euros ($7.2 billion)

Finland to become Microsoft's mobile R&D hub after Nokia buyout (ZDNet) Microsoft's outgoing CEO Steve Ballmer claims there's no plans to move work from Europe to the US after its buyout of Nokia's devices and services business

Microsoft's Nokia acquisition: It was 'double down or quit' (ZDNet) In many respects, the Microsoft-Nokia deal rhymes with Google's Motorola purchase. The difference: Nokia controlled so much Windows Phone distribution that Microsoft had to buy it

Does its Nokia buy thwart or fuel a possible Microsoft break–up? (ZDNet) Does Microsoft's $7.2 billion purchase of Nokia's handset business make the idea of splitting Microsoft into separate devices and services organizations any easier or smarter

Sizing Up The Nokia That Remains, HERE Business A Bright Spot That Gains More Platform Freedom (TechCrunch) Nokia is divesting itself of its hardware division, selling that business mostly off to Microsoft in a deal worth around $7.2 billion announced today. But it will continue to operate its own software and services, including the revamped maps division that it branded HERE nearly a year ago, and expanded from geospacial services to additional lines of business including the in-car infotainment

The Biggest Merger in Over a Decade Is Poised to Happen (Slate) A big cross-border merger and acquisition is close to completion and at a price of $130 billion it's one of the largest on record. But unfortunately for business writers, it's also really boring. At stake is a proposal by Verizon to buy…Verizon Wireless

SafeNet CEO says no to IPO (Baltimore Business Journal) An IPO is likely going on the shelf for Belcamp cyber security firm SafeNet as the company's new leadership pursues cloud computing as a way to grow the

Loggly, A Splunk Competitor, Raises $10.5M For Cloud-Centric Approach To Log Management (TechCrunch) Loggly, the cloud-based log management service, has raised $10.5 million from new investors Cisco and Data Collective. Trinity Ventures, True Ventures and Matrix Partners also participated in the round, bringing the total investment to $20.9 million for the San Francisco company

Research and Development

The wireless network with a mile–wide range that the "internet of things" could be built on (Quartz) Robotics engineer Taylor Alexander needed to lift a nuclear cooling tower off its foundation using 19 high–strength steel cables, and the Android app that was supposed to accomplish it, for which he'd just paid a developer $20,000, was essentially worthless. Undaunted and on deadline—the tower needed a new foundation, and delays meant millions of dollars in losses—he re–wrote the app himself. That's when he discovered just how hard it is to connect to sensors via the standard long-distance industrial wireless protocol, known as Zigbee…The result is an in-the-works project called Flutter. It's what Taylor calls a "second network"—an alternative to Wi-Fi that can cover 100 times as great an area, with a range of 3,200 feet, using relatively little power, and is either the future of the way that all our connected devices will talk to each other or a reasonable prototype for it

The NSA's crypto "breakthrough" (The Economist) One difficulty of reporting on spy outfits like America's National Security Agency is the veil of secrecy they operate behind. This makes it hard to know exactly what they are and aren't capable of. It is also one reason why Edward Snowden's revelations have been so fascinating. They offer a glimpse--limited and incomplete, to be sure--behind the curtain, and help to constrain the bounds of just what such agencies can do

New breakthrough could bring quantum encryption to smartphones (ExtremeTech) Traditionally, quantum cryptography has been extremely difficult to get working, even in advanced quantum optics labs. To create a secure quantum encryption

Security Patches, Mitigations, and Software Updates

Multiple Cisco Security Notice (Internet Storm Center) "Cisco Adaptive Security Appliance (ASA) Software contains a vulnerability that could allow an unauthenticated, remote attacker to fill the connection table in the ASA preventing new connections to be established through the device"

Facebook flaw allows hackers to delete any photo (ZDNet) A bug bounty hunter has been rewarded with $12,500 after discovering the security flaw which left your photos fair game

Cyber Attacks, Threats, and Vulnerabilities

Marine Website Compromised With Pro-Assad Message (Yahoo.com) A Marine Corps spokesman says the Marines' recruiting website was tampered with and redirected temporarily, but no information was put at risk

Pentagon Planned to Secure Web Domains Before Syrians Hijacked Marine Corps Site (Nextgov) The Pentagon was in the process of hiring help to bolster the security of military website domains, just as Syrian hackers allegedly assaulted the Marine Corps' recruitment site on Labor Day

Hacked Email Of US Intelligence Colonel Shows Pentagon's Involvement In Chemical Attack In Syria (Hack Read) While the U.S is on the verge of attacking Syria for allegedly using chemical weapons on its people, a hacker going with the handle of '€Wagn3r' has came forward with bunch of email conversations between U.S military officials calling the chemical attack a "staged operation"

#OpFreeSyria: 443 Websites Hacked and Defaced by Team Hacker Argentino (Hack Read) Earlier today the Argentinian hackers from Team Hacker Argentino have hacked and defaced total 443 random websites from all over the world for #OpFreeSyria

Facebook Page of Syria's Largest Telecom Company SyriaTel Allegedly Hacked, spams graphical videos (Hack Read) An Algerian hacker going with the handle of Virus DX has hacked the official Facebook page of Syria's largest telecommunication company known as SyriaTel. After taking over the page which has 153,030 likes, the hacker changed its cover picture from SyriaTel official logo to his own cover pictures that shows Algerian flag with Anonymous group official logo saying 'Virus DX is here'

Syria's largest city just dropped off the Internet (Washington Post) While the U.S. government continues to weigh military intervention in Syria, it appears that Syria's largest city has gone dark on the Internet. Aleppo, a city in Northern Syria that has been the site of intense fighting between rebel forces and the Assad regime, and the surrounding area appear to have lost connectivity to the Internet as of last night

Syrian Electronic Army: If U.S. Attacks 'We Will Target All of It' (Mashable) The mysterious pro-Assad hacker group known as the Syrian Electronic Army was back in the spotlight this week, when it hijacked The New York Times and Twitter Internet domains. Following the attack, which was just the latest in a long string of successful hacks at the expense of Western media outlets, the purported official Twitter account of the hacking group tweeted a Gmail email address in response to a media request for contact

Could Syria launch a major cyberattack against the USA? (CIO) Should our leaders consider whether pro-Syrian forces might launch a cyberattack against US critical infrastructure in retaliation for military action? My view: American businesses should hope for the best, while preparing for the worst

Syrian Electronic Army a Credible Threat (ABC News) US officials prepare for increased cyber warfare as a result of potential…Here at home, the FBI and Department of Homeland Security are focusing on the…They sent out a classified intelligence bulletin to law enforcement agencies all over this

US beefs up security measures before possible military strike on Syria (CNN) The FBI and the Department of Homeland Security are warning of a higher risk of cyber attacks after months of similar disruptions by hackers known as the

Crippling Syrian cyber strike fear may make Obama re-consider military intervention: Report (Business Standard) Syria and its ally Iran have been building cyber attack capabilities for years and might even use them in a hot war for the first time, cyber security experts have warned. Former U.S. officials and cyber security scholars said Syria has a demonstrated cyber attack capability and could retaliate against anticipated Western military strikes against it

Cyber Likely Afterthought in Syria Intervention Plans (Defense News) As the US moves toward intervention in Syria, blossoming American cyber capabilities are getting a hard look as a solution to one of the more difficult military problems: the Syrian air defense network. But much of the uncertainty that has plagued the use of cyber — both the legal concerns and the lack of verification for the effectiveness of attacks — is likely to limit its use in a conflict

Syrian Electronic Army Is Not the Only Pro–Assad Hacker Group, Experts Warn (Softpedia) A few days ago, experts warned that a possible military attack by Western countries against Syria might lead to cyberattacks being launched by hackers that support the Assad regime. The first name that came to everyone's mind was the one of the Syrian Electronic Army. These hacktivists haven't demonstrated too much sophistication (they mostly rely on spear phishing)

Syrian Electronic Army Threatens Vice for Identifying Alleged Member (Softpedia) A couple of days ago, Brian Krebs and Vice Motherboard published articles in which they claimed to have identified two alleged members of the notorious Syrian Electronic Army. In the meantime, Krebs was contacted by Mohammed Osman, the man he identified as being a key member of the hacker group. Osman, who is said to be a web designer, denies being part of the Syrian Electronic Army. In addition, he claims that Muhammad Abed Al-Karim is one of his clients, not his new identity as Krebs determined

How the US Could Cyber Attack Syria, Too (Motherboard) Over the weekend, President Obama announced that he would seek Congressional approval for a strike on Syria, and immediately began a "lobbying blitz" to

Did the NY Times fail to ensure their suppliers were cyber secure? (IT Governance) A common mantra about cyber security is that your security is only as strong as the weakest link. But what happens when the weakest link is outside of your control? The Syrian Electronic Army (SEA) are reportedly to of hacked the New York Times website by attacking the company that registered the domain names for the New York Times, the Huffington Post UK and Twitter

TurkHackTeam celebrates Turkey's Victory Day by hacking 350 websites (Hack Read) The online Turkish hackavists from Turk Hack Team have hacked and defaced 250 random websites from all over the world in a collective attack to celebrate Turkey's 91st Victory day

Bangladesh Petroleum Corporation subsidiary website hacked and defaced by Indian hacker (Hack Read) A famous Indian hacker 'Yamraaj' known for his high profile hacks against Bangladeshi and Pakistani cyber space has now hacked and defaced the official website of Meghna Petroleum Limited, a subsidiary of Bangladesh petroleum corporation under the Ministry of Energy & Mineral Resources Division

Saudi hacker hacks and defaces websites of US embassy and UNESCO New Zealand (Hack Read) A Saudi hacker going with the handle of Dr.SHA6H has hacked and defaced the official website of United States Embassy in New Zealand and United Nations Educational, Scientific and Cultural Organization New Zealand UNESCO. The hacked United States Embassy site is actually its blog run by David Huebner, US ambassador to New Zealand

Washdyke business falls victim to cyber attack (Timaru Herald) Washingtons Exploration is not a multi-national corporation - yet somehow their website became the target of a bizarre hack. The Timaru-based drilling company's website,…was replaced with an image featuring a brandished AK-47, the slogan ''hacked by Team 755'', and what appears to be Arabic slogans

Cyber attack: Abu Dhabi nursery's website hacked (The National) An Abu Dhabi nursery's website was hacked this week in what was believed to be a random cyber attack. Instead of finding information about the

Hackers Attack RIA Novosti Bureau in Paris (RIA Novosti) Last month, two of RIA Novosti's Twitter accounts were subjected to a cyber attack. Hackers broke into Twitter accounts of the agency's International Multimedia

Energy Dept. Hack Details Emerge (InformationWeek) Exclusive: Unpatched ColdFusion server containing employee information was hacked; agency claims lack of budget to put proper fixes in place

US Army ignores shared PC login flaw, asks soldiers to keep quiet (Naked Security) A soldier was allegedly made to sign a non-disclosure agreement by the US Army after pointing out a security flaw which allowed accounts on shared PCs to be accessed without proper authentication

An Important "What If" of the NASDAQ Flash Freeze (Huffington Post) There was a collective holding of breath on Thursday when the NASDAQ suddenly shut down trading. Terse reports and statements that "technical problems" caused the halt raised the specter of an information technology meltdown or--worse yet--a deliberate, malicious event. Fortunately, as the day wore on trading resumed and at least, for now, it does not appear that the "flash freeze" was due to a cyber-attack. As the gaming of the event along with the forensic analyses moves ahead, however, it is worth contemplating some questions that would be asked if in fact the flash freeze was the result of a cyber-attack

Kentucky's online school portal attacked (Cincinnati.com) An aggressive cyber attack last week crashed Kentucky Department of Education's "parent portal," the part of its online Infinite Campus system that lets parents

Creative Banner Assemblies Acknowledges Security Breach (eSecurity Planet) 232 customers' names, addresses, phone numbers and unencrypted credit card numbers may have been accessed

UTHealth Admits Possible Breach of Patient Information (eSecurity Planet) 596 patients' names, birthdates and medical record numbers may have been accessed

Mobile Trojan Defeats Dual Authentication (GovInfoSecurity) Perkele Trojan ID'd in Attacks Against U.S., European Banks. A new cross-device mobile Trojan that already has targeted online-banking customers has been linked to the same group that waged the successful High Roller attacks last summer. So far, customers of several top-tier institutions in Northern Europe and a handful in the U.S. have been victimized. The attackers behind the malware are believed to be Russian

Citadel Makes a Comeback, Targets Japan Users (Trend Micro) Through investigation and collaboration between our researchers and engineers, we discovered a malicious online banking Trojan campaign targeting users in Japan, with the campaign itself ongoing since early June of this year. We've reported about such incidents in the past, including in our Q1 security roundup – and we believe this latest discovery shows that those previous attacks have been expanded and are a part of this particular campaign

Kelihos Botnet Taps Spam Blocklists To Hone Attacks (InformationWeek) Malware taps legitimate anti-spam services from the likes of SpamHaus and Sophos before turning PC into control proxy or spam relay

NetTraveler Variant Adds Java Exploits, Watering Hole Attacks to Bag of Tricks (Threatpost) A new version of NetTraveler has been spotted, this one using Java exploits and a watering hole attack to spy on and steal from diplomats, manufacturers, scientists and military contractors

Hackers eye new Java exploits that impacts users who haven't upgraded (SC Magazine) Attackers are always on the hunt for the most reliable exploits to add to crimeware kits - and it appears they currently are eyeing a number of "critical" bugs in Java that remain unpatched for many users. According to researchers, hackers have swapped out one such exploit from Neutrino, a popular underground exploit kit, in search of a more effective alternative

Symantec says that Cyber Crooks make ZeroAccess more Durable against External Attacks (Spamfighter) According to security firm Symantec, malware creators are continuously developing their formations with the creators of infamous ZeroAccess Trojan as no exception. In late June (2013), Symantec security researchers marked some important changes in the ZeroAccess P2P (peer-to-peer) communication protocol that made the threat increasingly robust and resilient in opposition to exterior manipulation

Watch out for Waterhole Web Attacks (eSecurity Planet) Just as lions look for gazelles with their defenses down at waterholes, hackers are spreading malware through websites popular with specific groups of users. As every kid who grew up watching "Wild Kingdom" knows, there are few places in the jungle more dangerous than a watering hole because of the hungry lions lurking there with hopes of picking off a gazelle

Academia

Inside Hack Reactor, The Coding Bootcamp That Wants To Be The CS Degree Of The Future (TechCrunch) At the same time that unemployment and low wages continue to plague the larger U.S. economy, Silicon Valley and the rest of the tech industry is having a hiring crisis — many tech companies just can't seem to find enough people with the coding skills needed to fill the relatively well-paying jobs of building the software and web products of the future. And even though there is no shortage of

BYOD security challenges are old mortarboard for universities (CSO) Businesses coping with security issues stemming from employee use of personal devices for company work are only experiencing what universities have grappled with for years. "Many of us in higher ed find it very funny when we see how BYOD has dominated so much of the security press lately," Mike Corn, chief privacy and security officer at the University of Illinois (UI) at Urbana-Champaign, said in an interview. "We view that with amusement because Bring Your Own Device has defined our environment almost since the beginning of personal computing." The magnitude of BYOD at a university the size of UI would likely give a corporate security administrator fits. Not only is there a large annual turnover rate — some 10,000 new students arrive on campus each year — but each has an average of 3.5 personal devices in tow

Litigation, Investigation, and Enforcement

Cyberextortion by US gov, or simple P2P security lapse by medical firm? (Naked Security) The ongoing data leak saga between medical firm LabMD and "The Man," in the form of the Federal Trade Commission (FTC) of the United States, has entered its next stage. This is a curious story that would be amusing were its import not so serious

Microsoft and Google to sue government over transparency (ZDNet) Negotiations between big tech companies and the government to disclose their cooperation have broken down. Things may change today

NSA warns of 4,000 possible security breaches as America's secret $56B 'black budget' leaks (National Post) A news account based on secret intelligence budget files provided by National Security Agency leaker Edward Snowden says that the surveillance agency warned in 2012 that it planned to investigate up to 4,000 reports of possible internal security breaches

UK says Snowden leaks hurt its national security, could expose spies (GlobalPost) Miranda's partner Glenn Greenwald has led the Guardian's coverage of leaks from Edward Snowden, a former contractor at the U.S. National Security Agency

David Miranda was carrying password for secret files on piece of paper (Telegraph) A journalist's partner who was detained carrying thousands of British intelligence documents through Heathrow airport was also holding the password to an encrypted file written on a piece of paper, the government has disclosed.In a written statement handed to the High Court in London, a senior Cabinet Office security adviser said it showed "very poor judgment" by David Miranda and other people associated with him

UK took three weeks to act over data at New York Times, says Guardian (The Guardian) Alan Rusbridger hits back at Downing Street's claims in high court that it 'urgently' needed access to leaked GCHQ files

Medical lab allegedly exposed consumer info on P2P network (Help Net Security) The Federal Trade Commission filed a complaint against medical testing laboratory LabMD claiming that in two separate incidents, LabMD collectively exposed the personal information of approximately

54 Individuals Accused of Being Involved in South African Cybercrime Ring (Softpedia) A total of 54 individuals suspected of being involved in a major South African cybercrime ring will appear on Tuesday before a judge. According to authorities, cited by City Press, the suspects allegedly made over 15 million ZAR ($1.45 million / €1.1 million) with the aid of stolen information

Leak of kids' social services info earns Aberdeen City Council £100k fine (Naked Security) Aberdeen City Council has been hit with a £100,000 fine after an employee took sensitive files home and accidentally uploaded them to a public website. The data included information on vulnerable children and details of alleged crimes

Cyber Insurer Sues Grocery Client, Says It Won't Pay Breach Claims (Dark Reading) Liberty Mutual says it isn't liable to pay cyber insurance claims filed by grocery chain Schnucks

Design and Innovation

A Research Agenda for Security Engineering (Technology Innovation Management Review) Despite nearly 30 years of research and application, the practice of information system security engineering has not yet begun to exhibit the traits of a rigorous scientific discipline. As cyberadversaries have become more mature, sophisticated, and disciplined in their tradecraft, the science of security engineering has not kept pace. The evidence of the erosion of our digital security — upon which society is increasingly dependent — appears in the news almost daily

Developing an Innovation Engine to Make Canada a Global Leader in Cybersecurity (Technology Innovation Management Review) An engine designed to convert innovation into a country's global leadership position in a specific product market is examined in this article, using Canada and cybersecurity as an example. Five entities are core to the innovation engine: an ecosystem, a project community, an external community, a platform, and a corporation. The ecosystem is the focus of innovation in firm-specific factors that determine outcomes in global competition; the project community is the focus of innovation in research and development; and the external community is the focus of innovation in resources produced and used by economic actors that operate outside of the focal product market. Strategic intent, governance, resource flows, and organizational agreements bind the five entities together. Operating the innovation engine in Canada is expected to improve the level and quality of prosperity, security, and capacity of Canadians, increase the number of Canadian-based companies that successfully compete globally in cybersecurity product markets, and better protect Canada's critical infrastructure

How Google can avoid becoming the next Microsoft, as told by an insider with knowledge of both (Quartz) The deeper you dig into the causes of Microsoft's decade of stagnation and the departure of CEO Steve Ballmer, the more apparent it is that the problems Microsoft faced affect all large companies, to one extent or another. Fortunately for the world (and unfortunately for Microsoft) the company's dysfunction drove away so many talented engineers and managers that they are practically climbing over one another to recount what went wrong in Redmond

The CyberWire Daily Briefing for 9.3.2013