The CyberWire Daily Briefing 09.11.13

Cyber Trends

Crackdown on Cybercriminals Equals Reduced Cybercrime in Russia (Infosecurity Magazine) The latest analysis from a major Russian security firm indicates that the Russian cybercrime market has contracted by 6% — down from $2,055 million in 2011 to $1,936 million in 2012

Telecom.IT: Romania is second in the world for the number of infected computers with viruses (ACT Media) Romania is second in the world after India as regards the number of computers infected with viruses, a press release of Bitdefender shows, which quotes the Quickscan data, the security scanner of the company which identifies the informatic active threats by the checking of the critical areas in the computers. According to the quoted source, the highest number of infected computers is in India (the infection rate is 14.48%), Romania (11.55%9, the US (5.43%), France (7.47%). The statistics show only infections on computers which have a security solution installed — paid or for free

Software Engineers Need a Crash Course in Ethics (Slate) When Irina Raicu first read about a new software program designed to take just a few details about a person, such as gender and hair color, whether or not the person has tattoos, and the number of minor offenses they've committed, and accurately predict how likely he or she would be to commit a felony, she got worried

Legislation, Policy and Regulation

Brazil to U.S.: Help us move past NSA controversy (WKZO) President Dilma Rousseff is eager to end a diplomatic crisis with Washington over revelations the National Security Agency spied on her and other Brazilians, but first she wants protection against additional leaks that could embarrass her government, a senior Brazilian official told Reuters

NSA's big data efforts need transparency, privacy advocates say (PCWorld) Recent revelations about the U.S. National Security Agency's massive data collection programs illustrates the need for a new privacy debate about the implications of big data, some privacy advocates said Tuesday. The increasing uses of big data in all kinds of organizations, particularly surveillance agencies, should prompt a debate about legitimate data collection and practices, said several speakers at a Washington, D.C., big data and privacy forum hosted by the Future of Privacy Forum and the Stanford Law School Center for Internet and Society

Poll: Public Doubts Rise on Surveillance, Privacy (ABC News) Following disclosures about the National Security Agency's massive surveillance programs, a majority of Americans believe the U.S. government is doing a poor job of protecting privacy rights, according to a new poll by the Associated Press-NORC Center for Public Affairs Research

The NSA Isn't Evil, It's Trying To Protect Us, Says PayPal's Max Levchin (TechCrunch) The NSA is designed to protect us from terrorism, so even if it oversteps its bounds, PayPal co-founder Max Levchin says we shouldn't hate it. That's diametrically opposed to the sentiment of many in the tech industry

Five In–Your–Face Thoughts in Defense of the NSA (Lawfare) The NSA has been somewhat less in the news the past few weeks, thanks largely to Syria. That's going to change in the coming days, when the latest tranche of declassified materials becomes public. The Justice Department conceded last week in a court filing in a FOIA case, the Electronic Frontier Foundation reports, that it will release: "[O]rders and opinions of the FISC issued from January 1, 2004, to June 6, 2011, that contain a significant legal interpretation of the government's authority or use of its authority under Section 215; and responsive 'significant documents, procedures, or legal analyses incorporated into FISC opinions or orders and treated as binding by the Department of Justice or the National Security Agency'"

How Aaron Swartz, 'The Irresistible Force,' Plus Darrell Issa And Ron Wyden, 'The Immovable Object,' Saved The Internet: Part I (Forbes) Two years ago, Hollywood, no kidding, masterminded a plot to, in effect, steal the Internet (by criminalizing certain conduct, booby trapping the Web in ways that few non-mega-corporations could cope with). There are signs, as perceptively flagged by the Electronic Frontier Foundation, that the perps are back at it. We should care

Information Sharing: Feds Cite Progress (InformationWeek) Government agencies are gaining ground in automating the exchange of information, says new report that highlights Boston Marathon bombing lessons. As organizers of the Boston Marathon prepared for last April's race, federal, state and local emergency and law enforcement officials were busy putting another set of preparations in place. Representatives from Boston's police, fire and emergency medical services, as well as from the FBI, the Department of Homeland Security, the Federal Aviation Administration and the Coast Guard, were at Massachusetts' State Emergency Operations Center in nearby Framingham, finalizing contingency plans for operating during a terrorist event

Social media and online security vital for UAE e-government services (The National) Government officials from across the GCC have heard from experts in social media and online security at a conference held this week in the capital. As local government aims to provide more services through online and mobile platforms, the importance of data security and positive interaction with the public were highlighted as key issues

Products, Services, and Solutions

Investigating the Security of the Firefox OS (TrendLabs Security Intelligence Blog) Firefox OS is Mozilla's foray into the mobile operating system field and promises a more adaptive mobile OS. But as mobile threats, in particular in the Android platform, has gained momentum, the question in everyone's mind is – how safe is it? About a month ago, Telefonica announced that it had launched the Firefox OS – Mozilla's mobile operating system – in Colombia and Venezuela. Separately, ZTE is also selling Firefox OS devices via their eBay store directly to end users

Cryptography Research and ALi Corporation Sign Architecture License Agreement for DPA Countermeasures (Wall Street Journal) Cryptography Research, Inc. (CRI), a division of Rambus Inc. (NASDAQ:RMBS), and ALi Corporation (3041 TT), a leading provider of set-top box (STB) system-on-chip (SoC) solutions, today announced they have signed an architecture license agreement for the use of Cryptography Research's differential power analysis (DPA) countermeasure patents and technologies in ALi's STB solutions. By licensing and integrating DPA countermeasures, ALi is securing its solutions against side-channel attacks at the SoC level. In addition, this license agreement extends to software developed by ALi customers when executed on licensed ALi STB chips

New cyber–security device launched (UPI) A government-grade, Layer 3 encryption device for preventing sophisticated cyber-attacks has been introduced by U.S. company Ultra Electronics, 3eTI. EtherGuard L3 is designed to prevent malware such as Stuxnet or "insider" attacks from targeting defense and industrial environments, as well as countering the inadequate security that exposes networks and critical-edge devices to exploitation

BAE Systems Detica Unveils IndustrialProtect To Protect Nations' Critical Infrastructure (Dark Reading) BAE Systems Detica today announces the launch of IndustrialProtect, a military-grade solution, to the marketplace. The solution is designed to protect the industrial control systems of organisations such as power plants, oil refineries or automated manufacturing plants from cyber attack, allowing them to both modernise their legacy systems as well as improve their security

Apple's iOS 7 gives security pros a lot to like (CSO) New mobile OS, launched with its iPhone 5S and 5C and a free update for iOS 6 users, should strengthen Apple's appeal in the enterprise

Appthority unveils app risk and policy management solution (Help Net Security) Appthority announced an all-in-one app risk management solution combining app reputation analysis with a new policy management functionality, enabling organizations to create custom app risk policies. Together with Appthority's app reputation service, the new policy functionality gives IT administrators control over mobile device management by providing both immediate app behavior insights as well as the ability to customize and directly enforce actions to neutralize app risk

HyTrust Appliance gets role-based monitoring (Help Net Security) HyTrust released HyTrust Appliance 3.5, which enables enterprises to virtualize mission-critical applications and deploy multi-tenant private clouds

AT&T Accelerates Cyber Security Push (Wall Street Journal) Security is serious business for AT&T. The company today announced an expanded set of managed security solutions (MSS) and new capabilities, including the industry's first all-in-one mobile security solution to be launched later this year. AT&T, which manages 24,000 security devices and one million seats for cloud-based security services, will discuss the expansion of its cyber security portfolio at the 15(th) Annual AT&T Cyber Security Conference in New York City

Secure mobile managed file transfer with MOVEit (Help Net Security) Ipswitch File Transfer released MOVEit 8.0 — a software package that enables mobile workers to transfer files as part of key business processes, while providing IT the security, visibility and control

AMA releases new doctors' toolkit to protect patient info, prevent non–healthcare related big data plundering (FierceBigDate) As the article in Salon points out in rich detail, "big data is making healthcare better, smarter and cheaper," but it also potentially puts a great deal of personal info at risk of a breach or plundering by non-healthcare related entities in their hunt for big data. The weakest link in the healthcare chain is at the physician level, as they tend not to have the technical prowess or resources that big healthcare institutions have at their disposal. To strengthen that weak link and take some of the stress off of doctors in complying with privacy regulations such as HIPAA, the American Medical Association has just released a new toolkit

SDC Systems Offers Cyber Security for Embedded Systems (Cambridge Wireless) SDC announces distribution deal with Cypherbridge Systems to supply cyber security solutions for embedded systems and devices

HP Introduces Data Privacy Services (Security Week) HP announced a new suite of IT services designed to help organizations protect and manage sensitive data while helping to reduce risk, improve life cycle data management, and manage compliance with new and existing federal regulatory requirements. Dubbed "HP Data Privacy Services", HP said it launched the new offering to help U.S.-based healthcare organizations align IT practices with the HIPAA Omnibus Rule

Technologies, Techniques, and Standards

New York Times provides new details about NSA backdoor in crypto spec (Ars Technica) The paper points a finger definitively at the long-suspected Dual_EC_DRBG algorithm. Today, the New York Times reported that an algorithm for generating random numbers, which was adopted in 2006 by the National Institute of Standards and Technology (NIST), contains a backdoor for the NSA. The news followed a NYT report from last week, which indicated that the National Security Agency (NSA) had circumvented widely used (but then-unnamed) encryption schemes by placing backdoors in the standards that are used to implement the encryption

Government Announces Steps to Restore Confidence on Encryption Standards (New York Times) The federal agency charged with recommending cybersecurity standards said Tuesday that it would reopen the public vetting process for an encryption standard, after reports that the National Security Agency had written the standard and could break it

NIST denies NSA tampering with encryption standards (CSO) The U.S. National Institute of Standards and Technology (NIST) has vigorously denied that the U.S. National Security Agency (NSA) tampered with NIST's process of vetting and choosing encryption algorithms. "NIST would not deliberately weaken a cryptographic standard," NIST said in a statement Tuesday. "We will continue in our mission to work with the cryptographic community to create the strongest possible encryption standards for the U.S. government and industry at large"

Keep Calm, Keep Encrypting — With A Few Caveats (Dark Reading) Encryption remains a key security tool despite newly leaked documents revealing the National Security Agency's efforts to bend crypto and software to its will in order to ease its intelligence-gathering capabilities, expert say. But these latest NSA revelations serve as a chilling wake-up call for enterprises to rethink how they lock down their data

How do you Know about your Know How? (RSA) Cliff Stoll's The Cuckoo's Egg was one of the major influences in my early career. The tale of a lone astronomer doggedly pursuing an accounting error on the mainframe to discover a nefarious hacker with international spook connections combined elements of things I loved: the hard-nosed detective embodied by Sam Spade, the international intrigue of James Bond, and the technology conundrums of the early networked world. Ok — Cliff Stoll isn't exactly Sam Spade or James Bond but you get the point. The story was a fascinating epic journey that led its protagonist to places he never expected. Other similar stories highlight the fundamental personality types associated with "hacker hunters": They are relentless, passionate and ultimately, take these security breaches personally

Getting Started with Rsyslog Filters (Internet Storm Center) syslog has some very useful features when building a centralized syslog system. If you are not currently centralizing your logs or have not organized them in an efferent way for analysis, this post will get you started in the right direction

Set the Rules for Kids Online But Don't Stop There… (Trend Micro Simply Security) Social media websites are very powerful tools, allowing people to connect with friends, family and complete strangers. They encourage the collaboration of ideas and are the new norm for the way children communicate to the world

7 IT mistakes that will get you fired (IT World) It's hard to get a good job in IT these days, but it's all too easy to lose one. There are lots of reasons for instant termination. Failure to fulfill your obligation to protect your employer's digital assets or abusing your vast powers for your own nefarious ends are two sure ways to end up on the unemployment line. You could be fired for opening your mouth at the wrong time or not opening your mouth at the right one. Spying on the boss, lying to your superiors, or being directly responsible for the loss of millions of dollars in downtime through your own negligence are all excellent ways to end up on the chopping block

Marketplace

GCHQ trawls internet for would–be code crackers (ITProPortal) Intellingence agency launches hunt for information security spooks of tomorrow. GCHQ has launched a hunt for the next generation of cyber security experts through its "Can You Find It?" campaign. The initiative, launched earlier today, is designed to help the UK security agency uncover people who can crack a series of cryptic puzzles, which are hosted on the Can You Find It? website, that will lead them to "the ultimate final answer"

NSA Set To Approve TPM For Government Use (Forbes) Speaking at the Trusted Computing Conference in Orlando Monday afternoon, Debora Plunkett, Director of Information Assurance for the NSA, announced that she is preparing to sign an Information Assurance Advisory that permits the purchase of Trusted Computing components for National Security Systems. This is great news for the small community that is the Trusted Computing Group and the vendors who have worked for over a decade to provide technology for hardware based cryptography, key repositories, self encrypting drives, and device authentication

Big data spending to reach $114 billion in 2018 (Help Net Security) Global spending on big data by organizations will exceed $31 billion in 2013, finds a new market forecast by ABI Research. The spending will grow at a CAGR of 29.6% over the next five years

Security SaaS market to increase at a 13.7 percent CAGR through 2016, says TechNavio (FierceITSecurity) The global security software-as-a-service (SaaS) market is forecast by TechNavio to increase at a 13.7 percent compound annual growth rate (CAGR) through 2016. Security SaaS products can provide firms with lower cost of ownership security solutions because they eliminate the cost of hardware, software, licenses and renewal fees, noted TechNavio

Defense Contractor Girds Itself For Spinoff (Wall Street Journal) SAIC Inc., one of the biggest U.S. defense contractors by revenue, is on track to complete a complicated breakup later this month

SAIC Board OKs Spinoff Plan, Sets Date for Split (GovConWire) Science Applications International Corp.'s (NYSE: SAI) board of directors has approved the company's plan to complete the spinoff of its services business after the market closes Sept. 27

Local company competes in Wall Street Journal's 'Startup of the Year' program (Baltimore Sun) In February 2010, Zuly Gonzalez and Beau Adkins founded Light Point Security in the basement of their Elkridge home. In November 2012, they moved the company into University of Maryland, Baltimore County's Cyber Incubator at the 71-acre bwtech@UMBC Research and Technology Park on the campus just off Interstate 95. Little did they know that as of Aug. 28, their company would be among the 10 finalists vying for the title of Wall Street Journal Startup of the Year

Air Force cryptography experts look to Mercury for embedded computing digital receivers (Military and Aerospace Electronics) U.S. Air Force cryptography experts needed a field-programmable-gate-array (FPGA)-based channelizer to support a broad range of digital receiver applications. They found their solution from Mercury Systems in Chelmsford, Mass

Small business wins $2.5M contract for information assurance services (Washington Technology) TISTA Science and Technology Corp. has won a $2.5 million contract to provide the Defense Logistics Agency with information assurance support services. This win comes on the heels of TISTA's first prime contract win at the beginning of September

Palo Alto Cyber View Boosts Check Point: Israel Overnight (Bloomberg) Check Point Software Technologies Ltd., the world's second-largest maker of network security gear, posted the biggest gain in almost two months after Palo Alto Networks Inc.'s revenue outlook beat estimates. Shares of the Tel Aviv-based company climbed 2.7 percent to $58.45. The Bloomberg Israel-US Equity Index of the most traded Israeli equities in New York added 1.6 percent. Allot Communications Ltd. (ALLT), the Israeli maker of technology used to track wireless traffic, led gains on the gauge. Mellanox Technologies Ltd. (MLNX), which makes equipment that speeds electronic data transfers, settled at a 2.7 percent discount to the Tel Aviv-listed shares, the widest gap on the index

Security Patches, Mitigations, and Software Updates

BlackBerry Patches Flash, WebKit and Libexif Flaws on Mobile Devices (Threatpost) BlackBerry issued four security advisories, patching vulnerabilities in the Z10 and Q10 smartphones and the PlayBook tablet

Update Flash, Shockwave ASAP! Adobe also patches Acrobat and Reader (ZDNet) Surprise updates to Adobe Flash Player and Shockwave Plaer address critical vulnerabilities at high risk of exploit. Less urgent, but still serious updates for Adobe Acrobat and Reader are also available. Adobe today released security updates for Flash Player, AIR, Shockwave Player, Acrobat and Reader. The updates for Flash Player and Shockwave Player on Windows and Mac address a vulnerability which Adobe classifies as Priority 1, which indicates that it is being exploited in the wild at a high risk of exploit. The updated versions of Flash Player on Windows and Mac are 11.8.800.168 and 11.7.700.242. Earlier 11.7 and 11.8 versions are vulnerable. Updates are also available for Flash Player on Linux and Android, as well as Adobe AIR and the Adobe AIR SDK. These are not as severe and updating is not as high a priority

Severe flaw in Outlook 2007/2010 patched (ZDNet) Microsoft has released 13 security updates for Internet Explorer, Outlook, SharePoint and Windows. 47 vulnerabilities in all are patched, but perhaps the scariest affects Outlook 2007 and 2010

September Patch Tuesday is out — one update lost en route, 13 patches left, 8 RCE, 4 critical (Naked Security) One of Microsoft's 14 promised patches for September failed to materialise. There's still plenty left over, though: IE gets a jumbo fix, as usual; SharePoint, FrontPage, Excel, Access, Outook and more get vital updates, too

Microsoft serves up 14 security bulletins for Patch Tuesday (FierceITSecurity) If it is the second Tuesday of the month, it must be Patch Tuesday. And Microsoft (NASDAQ: MSFT) is serving up a "heapin helpin" of security bulletins--14 to be exact. Four of the bulletins, which affect Windows, Internet Explorer, Office and Server Software, are rated by Redmond as "critical" and entail remote code execution holes that enable attackers to gain control of systems remotely without user permission

Cyber Attacks, Threats, and Vulnerabilities

Iranian Hackers Claim Breach of U.S. House of Representatives (eSecurity Planet) Members of the Iranian Digital Boys Underground Team recently published data that they claim was stolen via a spear phishing attack on the U.S. House of Representatives. On Pastebin, the group published five database entries for people who the hackers say are House employees and "important people from the USA." Each entry includes a first name, e-mail address, encrypted password, IP address, and a photo

Syrian Electronic Army Hacks FOX TV Hootsuite social media account (Hack Read) The Syrian Electronic Army is back in news by hacking the official Hootsuite account of FOX TV, used to post online content to different international FOX television networks around the world. The Twitter account used via Hootsuite were FX Australia and FOX TV United Kingdom were also compromised and used by the hackers to post pro-Syrian tweets. A hacker from Syrian Electronic Army going with the handle of

Dem warns Syria could retaliate with cyber attack (The Hill) The top Democrat on the House Homeland Security Committee on Tuesday warned that the United States could be hit with a massive cyber attack after striking Syria. Rep. Bennie Thompson (D-Miss.) used a hearing on the pending action towards Syria to press for Republican leaders in the lower chamber to quickly address what he said are the country's cyber vulnerabilities

Timing is an influential risk–factor for cyber attacks (Help Net Security) There are several dates throughout the year that are notorious for wreaking havoc on businesses via DDoS attacks, data breaches and even malware or botnet assaults. According to Radware, there are two types of dates that hackers target: ideological and business-relevant dates. Ideological dates refer to holidays and anniversaries that have a cultural, religious or secular tie to the adversary. High-risks times for the United States include September 11th, Memorial Day, Election Day and Independence Day. Business-relevant dates involve a period of time that companies are particularly vulnerable to attacks, such as Black Friday, Cyber Monday, or even regular business hours

Preparing for Notorious Cyber Attack Dates: Five Steps to Secure Your Network (IT Business Edge) Several dates throughout the year are notorious for wreaking havoc on businesses via denial of service (DoS) attacks, data breaches and even malware or botnet assaults. As anniversaries such as September 11th near, rumors about coordinated cyber attacks on American websites increase. Because of these potential risks, it's imperative that businesses tighten their network security measures in order to protect themselves from potential intrusion or disruption, which can result in profit-loss and tarnished user confidence

The "Kimsuky" Operation: A North Korean APT? (SecureList) For several months, we have been monitoring an ongoing cyber-espionage campaign against South Korean think-tanks. There are multiple reasons why this campaign is extraordinary in its execution and logistics. It all started one day when we encountered a somewhat unsophisticated spy program that communicated with its "master" via a public e-mail server. This approach is rather inherent to many amateur virus-writers and these malware attacks are mostly ignored

New OS X Malware: Another Tibet Variant Found (Intego) Things have been relatively quiet lately from the authors of the Tibet family of malware, but another variant was found last night on the Virus Total website, which is a site used by security researchers to share malware samples. Before last night, the last variant was found just over a year ago, and was already detected by Intego VirusBarrier's existing virus definitions as OSX/Tibet.C

Managed Malicious Java Applets Hosting Service Spotted in the Wild (Webroot Threat Blog) In a series of blog posts, we've been profiling the tactics and DIY tools of novice cybercriminals, whose malicious campaigns tend to largely rely on social engineering techniques, on their way to trick users into thinking that they've been exposed to a legitimate Java applet window. These very same malicious Java applets, continue representing a popular infection vector among novice cybercriminals, who remain the primary customers of the DIY tools/attack platforms that we've been profiling. In this post, I'll discuss a popular service, that's exclusively offering hosting services for malicious Java applets

How the Java Security Situation Quietly Got Much Worse (Trend Micro Simply Security) Critical developments in situations sometimes happen very quietly; so quietly that not many people notice at the time they happen. We've recently turned a bad corner like this in the Java security situation. And there's every reason to believe that this worsened situation is here to stay, and likely to get even worse before it gets better

New Backdoor Intercepts Keyboard Input (Dr. Web) Russian anti-virus company Doctor Web is warning users about the malignant program BackDoor.Saker.1, which is capable of bypassing the User Account Control (UAC). The program's main function is to execute directives from criminals and, most importantly, to intercept user keystrokes (keylogging)

JollyBot: Malware as a Service Evolves (Lookout) Lookout has identified JollyBot, a piece of Russian malware designed to hide inside innocent carrier applications in order to commit premium rate SMS fraud. Unlike traditional SMS fraud trojans where the malware author builds code, selects an innocent app and infects it himself, Jollybot is distributed by its authors as a service, similar to our recent findings on Dragon Lady. Once subscribed to this service, these affiliate customers are provided a toolkit or "SDK" in order for them to do all the heavy lifting. These affiliates choose which apps to infect, insert the SDK and distribute them – all the high risk parts of this criminal enterprise. Jollybot's authors can sit back and collect a revenue share from these affiliates as payment for their service

'Hand–of–Thief' Undergoing Construction to Become Commercially Viable (SPAMfighter) RSA the security company says that the banking Trojan for Linux computers known as "Hand-of-Thief," which security researchers found getting sold on illegitimate websites hosted in Russia during July-end 2013, is currently with little stealing abilities or none at all. Senior Security Researcher Yotam Gottesman of RSA said that the malware's stealing capabilities were extremely limited if none that gave it a prototype character meaning there was plentiful more work required to make it a significantly commercial banker Trojan

Ask.FM Threats Go Beyond Online Bullying (ThreatTrack Security Labs) Three weeks ago, Ilja and Mark Terebin, co-founders of social networking site Ask.fm, released a statement regarding some changes on the site's safety policy in an effort to curb the dramatic increase of cyberbullying occurrences within its platform. Ask.fm boasts at least 57 million registered users, majority of which are teens and tweens. The site's anonymity feature has sadly become the means for some users to deliberately target and verbally assault others

Fake AVG AV apps offered on Google Play (Help Net Security) However hard Google works to prevent malicious apps from being offered on Google Play, its official online Android market, some always get through. AVG researchers warn about app developers that take advantage of established brand names to lure people in downloading their malicious wares

New gTLD security implications (Help Net Security) The new gTLDs that are being implemented have a few security concerns already. One of the major concerns is Name Collision, which results from a single domain name being used in different places. An example of this would be a company that uses .corp in an internal domain name. Under the new gTLD processes, the .corp gTLD could be bought by a different company for their use on the internet. If that happens, when a user tries to go to internal locations on a company network using .corp, there is a chance that they could actually get data back from the now legitimate .corp servers on the Internet

Is BEAST still a threat? (Help Net Security) Yesterday I changed the SSL Labs rating criteria to stop penalizing sites that do not implement server-side mitigations for the BEAST attack. That means that we now consider this attack sufficiently mitigated client-side, but, there are still some things you should now

Simda (Microsoft Technet) This month's Microsoft Malicious Software Removal Tool (MSRT) release includes one new malware family - the high-volume banking trojan Win32/Simda. Simda is a multi-component malware family that includes trojan, backdoor, password-stealing, downloader and file-infector variants. It is very rare for a single malware family to possess all of these characteristics; Alureon and Sirefef are among the few families also in this category

Health, fitness apps sending user data to third parties (FierceMobileHealthCare) The top 20 most popular health, wellness and fitness apps, including WebMD Health, are actively sharing user data with as many as 70 third-party companies, according to a blog post from web analytics and privacy group Evidon

Shopping cart malware compromises credit card information (SC Magazine) Malware inserted by an unauthorized third party on a shopping cart system may have compromised personal data, including credit card information, for an undisclosed number of people who made purchases on websites belonging to the Outdoor Network, an online outdoor advertising agency

Boats.net, Partzilla.com Suffer Security Breach (eSecurity Planet) Outdoor Network, LLC recently began notifying an undisclosed number of customers that a recent breach of its Boats.net and Partzilla.com Web sites may have exposed their names, addresses, credit card numbers, expiration dates, and CVV codes

Thousands of social security numbers sent in email (USA Today) An employee error compromised thousands of people's personal information, including social security numbers, the Georgia Department of Labor said. A spreadsheet containing the names, Social Security numbers, telephone numbers and email addresses of 4,457 people who filed for unemployment in Georgia was emailed out to about 1,000 people

iPhone Fingerprint Authentication (Schneier on Security) When Apple bought AuthenTec for its biometrics technology -- reported as one of its most expensive purchases -- there was a lot of speculation about how the company would incorporate biometrics in its product line. Many speculate that the new Apple iPhone to be announced tomorrow will come with a fingerprint authentication system, and there are several ways it could work, such as swiping your finger over a slit-sized reader to have the phone recognize you

How to beat fingerprint scanners [VIDEO] (Graham Cluley) The announcement of the Touch ID fingerprint sensor in the new Apple iPhone 5S is all set to take biometric protection into the mainstream. But how well can fingerprint sensors be defeated? We've all seen biometric systems defeated in Hollywood action movies, but can it be done and just how easy it? Fortunately the guys at MythBusters have already answered that question

Study Finds One in Five Tweets Discloses the User's Location (eSecurity Planet) USC graduate student Chris Weidemann found that in many cases, users aren't aware that their updates are divulging location information

Academia

University apologizes for censoring crypto prof over anti–NSA post (Ars Technica) Andrew Douglas, interim dean of the Whiting School of Engineering at Johns Hopkins University, has apologized publicly today for asking one of his cryptography professors to remove a blog post critical of the National Security Agency's (NSA) newly revealed mass spying programs

Litigation, Investigation, and Enforcement

DNI Clapper Declassifies Intelligence Community Documents Regarding Collection Under Section 501 of the Foreign Intelligence Surveillance Act (FISA) (IC on the Record) In June of this year, President Obama directed me to declassify and make public as much information as possible about certain sensitive intelligence collection programs undertaken under the authority of the Foreign Intelligence Surveillance Act (FISA) while being mindful of the need to protect national security. Consistent with this directive, today I authorized the declassification and public release of a number of documents pertaining to the Government's collection of bulk telephony metadata under Section 501 of the FISA, as amended by Section 215 of the USA PATRIOT Act. These documents were properly classified, and their declassification is not done lightly. I have determined, however, that the harm to national security in these circumstances is outweighed by the public interest

Government Releases NSA Surveillance Docs and Previously Secret FISA Court Opinions In Response to EFF Lawsuit (Electronic Freedom Foundation) The Director of National Intelligence (DNI) just today released hundreds of pages of documents related to the government's secret interpretation of Patriot Act Section 215 and the NSA's (mis)use of its massive database of every American's phone records. The documents were released as a result of EFF's ongoing Freedom of Information Act lawsuit

NSA Broke Privacy Rules For 3 Years, Documents Say (Washington Post) The National Security Agency for almost three years searched a massive database of Americans' phone call records attempting to identify potential terrorists in violation of court-approved privacy rules, and the problem went unfixed because no one at the agency had a full technical understanding of how its system worked, according to new documents and senior government officials

NSA Illegally Gorged on U.S. Phone Records for Three Years (Wired) What happens when a secret U.S. court allows the National Security Agency access to a massive pipeline of U.S. phone call metadata, along with strict rules on how the spy agency can use the information? The NSA promptly violated those rules -- "since the earliest days" of the program's 2006 inception -- carrying out thousands of inquiries on phone numbers without any of the court-ordered screening designed to protect Americans from illegal government surveillance

Court Says Privacy Case Can Proceed vs. Google (New York Times) In a major legal setback for Google, a federal appeals court here said on Tuesday that a lawsuit accusing the Internet giant of illegal wiretapping could proceed. The ruling, which comes at a moment when online privacy is being hotly debated, has its origins in a much-publicized Google initiative, Street View, which tried to map the inhabited world

The Rest of the Snowden Files Should Be Destroyed (Slate) The leaks have done a lot of good. But a lot more damage could be done. Privacy is fundamental in an open democracy. Without privacy, there is no democracy. Security is also fundamental. Without security, there is no democracy, either. This creates a dilemma: A crucial public good is pitched against a core individual right. No society can maximize both at the same time. The consequence is that we, as a society, have to agree on a compromise, a balance

No warrant, no problem: US gov't uses travel alerts for warrantless electronics search (ZDNet) The ACLU has published documents showing the US government has been using "travel alerts" to nonconsensually take and search civilians' electronic devices since st least 2010. This form of search and seizure - and data copying - occurs even if the individual is not the subject of any investigation

Cybersecurity a top concern for general counsel (Inside Counsel) Part of the philosophy behind the Department of Homeland Security's "If You See Something, Say Something" campaign hinges on the idea that we are all collectively responsible for each other's safety. It's not just the responsibility of law enforcement to keep us secure, as it might have been in the past. This same paradigm shift is as true in the digital world as it is on the streets. Cybersecurity is no longer just the purview of IT departments, but rather the concern of entire organizations, from workers who bring their own devices to the office all the way up to the highest C-level executives, and this includes a crucial role for general counsel

Design and Innovation

Announcing The 54 Finalists In Our Innovation By Design Awards (Fast Company) In many ways, the word design is a misnomer. Truly innovative design reaches beyond aesthetics to encompass science, intuition, and emotion. It often asks us to stretch our imagination, to re-imagine what design means and can do

The CyberWire Daily Briefing for 9.11.2013