The CyberWire Daily Briefing for 9.12.2013
9/11 passed without significant cyber damage, although AnonGhost did succeed in defacing some Israeli sites, and the US FBI warns banks to look out for attacks that may trail the anniversary by a few days. Nothing new from the Syrian Electronic Army, either.
Tension between India and Pakistan finds expression in cyber rioting, with defacements of Indian websites in Bahrain and continuing discontent among Internet café habitués (described in journalese straight from Graham Greene).
Multiplayer online games are beginning to provide infrastructure for denial-of-service attacks, and these affect businesses quite uninterested in the games themselves.
Slashdot reports a vulnerability in Amazon Web Services exploitable via Windows flaws. Blue Coat offers a look at Pushdo evasion tactics.
Vodafone suffers a major data breach to an insider. A US Army officer wonders how the chain of command failed to recognize another famous insider threat—Bradley Manning—despite ample indications of trouble.
Facebook's Zuckerberg and Yahoo's Meyer review (unfavorably) their interactions with the US Government over surveillance requests.
Reviews of the iPhone's new fingerprint feature are worth reading by anyone interested in password alternatives.
In the US, NIST reopens its encryption standard to review and comment, and "strongly recommends" that SP 800-90A's Dual_EC_DRBG no longer be used. British researchers report a "breakthrough" in multi-party computation with cryptographic implications.
An emerging consensus holds that privacy safeguards were too complex, the data too big, for US surveillance agencies to handle properly.
The US 9th Circuit rules that unencrypted Wi-Fi transmissions are protected from wiretapping: lawyer up before wardriving.
Notes.
Today's issue includes events affecting Australia, Bahrain, Brazil, Czech Republic, Finland, France, Germany, India, Israel, Pakistan, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Anonymous Hacktivists Bring Down Israeli Websites on 9/11 (Politix) Hacktivist group Anon Ghost has launched a major cyber attack on Israeli businesses and government websites for 9/11, reports the Washington Free Beacon. The Israeli Defense department website, israeldefense.co.il, has been down since early Wednesday morning. Businesses have had their pages hacked and replaced with Anon Ghost messages, like the screenshot above from the website Israel Live, and the site of tour group Birthright Israel. The hackers also published the names and credit card details of hundreds of Israelis
FBI warns banks of 9/11 cyber-attack threat (Finextra) US banks could face a wave of distributed-denial-of-service (DDoS) hits today to mark the anniversary of the 11 September 2001 terrorist attacks, warns the FBI. At the end of last month the FBI issued an alert — summarised by the Massachusetts Bankers Association — warning banks to expect a two-phase attack, dubbed #OpUSA, to take place this month, culminating on the anniversary of 9/11
Kimsuky — an active North Korean campaign targeting South Korea (Infosecurity Magazine) Kimsuky - named after email addresses used as drop-points for stolen data - appears to originate in North Korea and target think tanks and policy research organizations in South Korea
Website of Passport & Visa Center, Indian Embassy in Bahrain Defaced by ZHC (HackRead) The online hacktivist group Z Company Hacking Crew (ZHC) has hacked and defaced the official website of Octic International, which acts as the Indian Passport and Visa Center directly under the Indian embassy in the Kingdom of Bahrain. Hackers left a deface page along with their familiar message against the Indian government and in support of Kashmir. The deface message was expressed in the following words
In Pakistan, the Cyberwar has only just begun (Cyberwarzone) In a dingy Internet cafe, Abdullah gets round the censors with one click and logs onto YouTube, officially banned for a year and at the heart of Pakistan's cyberwar for control of the web. On September 17, 2012 Islamabad blocked access to the popular video-sharing website after it aired a trailer for a low-budget American film deemed offensive to Islam and the Prophet Mohammed
Multiplayer games and DoS attacks (Help Net Security) Prolexic detailed the rampant problem of denial of service attacks within and from online gaming communities. The DDoS attacks, which can pack a powerful punch through the use of reflection and amplification (DrDoS) techniques, have been used against other gamers, gaming platforms and even third-party targets such as financial services and other non-gaming businesses. The availability and accessibility of online gaming infrastructures and devices creates opportunities for malicious actors to launch DDoS attacks and steal login credentials. Denial of service attacks have a long tradition in the community, occur frequently and keep evolving
Are PHP SuperGlobal Parameters Really That Big A Deal? (Dark Reading) New report shows potential for PHP exploits, but others in the industry say patching PHP servers is the issue, not faulty parameters. A new report out this week from Imperva detailing the potential danger for attacks through vulnerable PHP SuperGlobal parameters suggests that organizations running PHP servers should ditch the use of these variables in application requests. But while other security experts agree that PHP security must be addressed to prevent serious breaches, they argue that the real problem is in server patching practices rather than the use of SuperGlobal variables
The Windows Flaw That Cracks Amazon Web Services (Slashdot) Some code tinkering allows you to copy data from Amazon Web Services (or another hosting provider) without the data's owner realizing what's going on. When Flint, Michigan started losing its economic battle a couple decades ago, it quickly deteriorated into a town filled with crime. Living in Michigan at the time, I heard plenty of weird and terrible stories about the goings-on in Flint--but the situation with the ATMs had to be one of the strangest
A Look at Evasion Techniques in the Pushdo Botnet (Blue Coat) We recently came across a compromised website pushing out a payload that belongs to the Pushdo botnet, a botnet reportedly controlled by a well-funded Eastern European Cybercrime group. This botnet has often been closely associated with the Cutwail spam botnet. In the past, the Cutwail group would spam out payloads for the Pushdo botnet, which in turn serves as an infrastructure to the highest bidder, and has been seen to be distributing popular malware like Zeus and Spyeye
37.58.73.42 / 95.156.228.69 / 195.210.43.42, anyone? (Internet Storm Center) It started with a pretty benign question from an ISC reader. But if the corresponding SQL query times out on our sensors, something is probably indeed going on…The IP addresses listed above have >30,000 domain names associated to them, all of the format as shown below
Avast Warns Android Users of Fake Mobile Security App (Softpedia) IT security company Avast is warning Android users about a bogus Avast Free Mobile Security application that's designed to trick them into handing over some money. The application in question, named "com.avastmenow," has an interface that's similar to the genuine Avast Free Mobile Security. However, the infection warnings it displays are actually bogus
JollyBot SMS Trojan offered for use to low-level crooks via affiliate network (Help Net Security) The current cybercrime market is all about Cybercrime-as-a-Service - knowledgeable individuals focus on their core competencies to offer services to those who lack the skills, patience or time to make what they want or need for their criminal exploits. Ideally, they also want most of the risk to fall on their customers' backs
Android scareware delivered via spoofed email notices (Help Net Security) A spam campaign targeting Android and PC users simultaneously has recently been spotted by FireEye researchers. The attack starts with spoofed emails made to look like a wedding invitation or a "failed delivery" USPS notification
Spammers Use Fake WhatsApp Notification To Lead Users to Malware (Trend Micro) Cybercriminals are always on the heels of anything popular, anything that can hook users. In this spammed message, cybercriminals use WhatsApp, an instant messaging app available for iOS and Android. Do not be duped by this message as the sender (From field) is forged. The spammed message poses as a notification of a new voicemail and provides a link to play it. Users who click on the link are redirected to a malicious site that is in the Russian language
Hacked HootSuite Accounts Used to Advertise Scammy Diet Websites on Twitter (Information Security Buzz) Over the past few days, a large number of HootSuite accounts have been hacked and abused to spread links to shady miracle diet websites. The hacked HootSuite accounts, including ones of celebrities, are used to send out messages on Twitter that read something like this: "get a free groupon of pure garcinia cambogia, according to groupon this stuff is great to stay healthy! [link]"
EPIC Insurance Admits Security Breach (eSecurity Planet) Edgewood Partners Insurance Center (EPIC) recently began notifying an undisclosed number of people that their personal information may have been exposed when five laptops were stolen from its offices
Travel Security Firm International SOS Victimized By Cyber-Attack (Business Travel News) International SOS, which claims to be "the world's largest medical and security services company," suffered a cyber-attack on its traveler-tracking system. A source told BTN the incident took place Aug. 28. "We detected an unauthorized access in the U.S. to one of our systems, which hosts traveler information related to one of our information technology products," according to a company statement provided to BTN. "As soon as we were made aware of the incident, we immediately took steps to investigate and mitigate against further incidents, as well as notified the appropriate law enforcement authorities. We have proactively communicated to a limited group of clients whose travelers' data may have potentially been accessed. This incident remains under investigation and we are committed to providing further updates to our clients"
Insider Steals Data of 2 Million Vodafone Germany Customers (SecurityWeek) Vodafone Germany said on Thursday that an attacker with insider knowledge had stolen the personal data of two million of its customers from a server located in Germany. "This criminal attack appears to have been executed by an individual working inside Vodafone," the company said in a statement provided to SecurityWeek. "An individual has been identified by the police and their assets have been seized." The data accessed by the attacker includes customer names, addresses, gender, birth dates, bank account numbers and bank sort codes, the telecommunications giant said
Security Patches, Mitigations, and Software Updates
Java SE 7 Now Lets Administrators Control What Versions of Java Can Run Where (SecurityWeek) Oracle on Wednesday announced the availability of the Oracle Java Development Kit (JDK) 7 Update 40 (JDK 7u40), a release that gives system administrators more control over Java running on desktops, along with several other enhancements
Bloggers using WordPress told to update their software immediately (Graham Cluley) A brand new version of the incredibly popular WordPress blogging platform has been released, and webmasters are being urged to update their systems "immediately" because it fixes a number of security issues
Microsoft botches still more patches in latest Automatic Update (InfoWorld) No sooner did Microsoft release the latest round of Black Tuesday patches, than screams of agony began sounding all over the Internet. At this point, I've seen verified problems with KB 2817630, KB 2810009, KB 2760411, KB 2760588, and KB 2760583. Here's what we know at this point
Cyber Trends
4 Mobile Device Dangers That Are More Of A Threat Than Malware (Dark Reading) Worried about malware? Other threats should come to mind first for North American users, from losing the phone to inadvertently connecting to an insecure or rogue access point. From Trojan horses to viruses, botnets to ransomware, malicious software garners a great deal of attention from security vendors and the media. Yet, mobile users—especially those in North America—should worry more about other threats. While smartphones and tablets could be platforms for a whole new generation of malicious functionality, the ecosystems surrounding the most popular devices work well to limit their exposure to malware. The number of malware variants targeting the Android platform is certainly expanding--surpassing 275,000 as of the first quarter of 2013, according to security firm Juniper Networks—but few of the malicious programs have snuck into the mainstream application marketplaces. Instead, the top threats to organizations grab fewer headlines. While security experts continue to put malware as a significant threat, lost and stolen devices, insecure communications, and insecure application development affect many more users
An MI officer wonders: Just how did the chain of command let Manning happen? (Foreign Policy) Last Friday, Tom asked where Bradley Manning's chain of command was while he was smuggling large quantities of secret documents on "Lady Gaga CDs" from their Sensitive Compartmented Information Facility (SCIF) in Iraq in order to hand off to WikiLeaks. Great question
CW500 Club: BYOD best practice (ComputerWeekly) It is not a new phenomenon for workers to use their own devices as part of their job, but company schemes to encourage people to use their own devices are a relatively recent development. Smartphone sales have rocketed in recent years and workers now expect more than a BlackBerry as an option for mobile working. The iPhone is the epitome of the consumerisation of IT, with workers connecting to the corporate network with their phone and Apple's iPad is now the device of choice for many a senior executive
Shadow IT: Rogue Apps or Bring-Your-Own-Software? (McAfee) Among the business process disruptions wrought by the cloud is the ability for non-technical employees to make technology decisions. Thanks to self-service SaaS portals, Line of Business employees can bypass IT gatekeepers and decision-processes. Thanks to free or low-cost monthly subscriptions billed directly to a credit card, employees don't need corporate purchase orders. With cloud-based services, company infrastructure is left largely untouched, so the non-sanctioned cloud apps can easily escape notice
Marketplace
Cyber Is Defense Industry's New Battleground (NASDAQ) The Edward Snowden affair highlighted the issue of cyber security. It's also a key focus for the defence industry, says Scott McVicar from BAE Systems Detica
Building a cyber cluster from the ground up (Government Security News) In just six years, North Louisiana has created a fast-growing cyber cluster in a region historically dominated by manufacturing, oil and gas, and agricultural sectors. The catalyst for this rapid progress stems from the combined vision of local and state leaders to diversify the region's economic base and develop a knowledge-based workforce for the expanding cyber sector
SRA Wins $65M DHS Tech R&D BPA (GovConWire) SRA International has won a five-year, $65 million blanket purchase agreement to help the Department of Homeland Security research and develop technologies. The company will work with DHS' transportation security laboratory, which is responsible for managing work to research and develop technologies and certify new products based on the Transportation Security Administration's standards, SRA said Wednesday
Accenture to Update DHS Biometric Data Exchange (ExecutiveBiz) Accenture Federal Services won a $30 million contract with the Department of Homeland Security to further extend data sharing and web services for the U.S. biometric identification system
Cisco Launches Security Services Division (InformationWeek) New consulting, product implementation and support, and managed services division reflects industry push to provide broader information security services to customers
Lockheed Martin pursues tech deals in Britain, Australia (Chicago Tribune) U.S. defense company Lockheed Martin is looking to make more technology acquisitions in Britain and Australia after buying UK technology firm Amor Group. Lockheed's IT division, one of the biggest players in the U.S. cyber market where it provides services to the military and intelligence services, announced the Amor deal late on Wednesday and said there would be more to come
SnoopWall to America: Please Support National Cyber Security Awareness Month (NCSAM) (Sacramento Bee) SnoopWall, the world's first counterveillance security software company, today proclaimed its strong public support for National Cyber Security Awareness Month (NCSAM), an annual initiative to educate and encourage Americans to learn and do more to ensure individual and collective digital security and privacy
Here Are Some of America's Most Privacy Friendly Companies (Forbes) Recently I asked some leading privacy advocates for suggestions of companies they see as especially privacy friendly. It turns out it is rather difficult to define exactly what such a firm might look like. My simple definition would be a company that is transparent about what personal data it collects and what it does with such data. The firm should also give customers a real choice in how the data is used
Nokia Chairman Risto Siilasmaa Outlines Its Next Reinvention (TechCrunch) In a blog post, Nokia chairman and interim CEO Risto Siilasmaa gave more details about the company's plans now that it has exited the smartphones business. This marks the most recent reinvention for the 150-year-old company, which began as a paper mill in the 1860s and moved on to rubber products before morphing into an electronics maker. Without its Devices & Services division, which it sold
"The Government Blew It." Mark Zuckerberg and Marissa Mayer Talk NSA Surveillance (Fast Company) Two of technology's big beasts have revealed tension between the U.S. government and the tech sector since the NSA surveillance scandal emerged. Mark Zuckerberg and Marissa Mayer, whose firms—Yahoo and Facebook—were both accused in documents leaked by Edward Snowden earlier this year of participating in the intelligence agency's PRISM program, appeared separately at a TechCrunch conference, where they were asked about the subject
Yahoo CEO Mayer: we faced jail if we revealed NSA surveillance secrets (The Guardian) Mark Zuckerberg joins Mayer in hitting back at critics of tech companies, saying US government did 'bad job' of balancing people's privacy and duty to protect
Products, Services, and Solutions
Column: Why fingerprints, other biometrics don't work (USA Today) Weak passwords are often blamed for many security breaches - but one of the biggest mistakes we can make is to replace them with biometrics. Over the past few years, there's been a lot of discussion from security firms, startups, big technology companies and privacy advocates about the need for technology to move beyond the password
The iPhone's Fingerprint Sensor May Finally Mean the End of the PIN (Wired) With its iPhone fingerprint sensor, Apple is paving the way for the day when we no longer rely on PINs — the digital equivalent of a child's bike lock — for security
Why the iPhone fingerprint reader is a good idea (Help Net Security) Two new iPhones have been announced. According to Apple's presentation, the most common way to secure a device is with a passcode and about half of smartphone users do not use a passcode. That is a lot of unsecured information. The new iPhone 5S will now have a fingerprint reader built in to the Home Button at the bottom
Apple's Fingerprinting Helps Security, But It's Not Enough (Storefront Backtalk) Apple (NASDAQ:AAPL) has discovered the fingerprint. OK, Apple actually discovered the fingerprint in 2008, when it began filing patents for biometric security. But after five years and the acquisition of biometric authentication vendor AuthenTec, on Tuesday (Sept. 10) Apple finally unveiled an iPhone that can be unlocked with a fingerprint. Very impressive, and something Apple views as crucial for its eventual foray into mobile payments. The only problem? It's really not enough
Why the NSA loves Google's Chromebook (Ars Technica) As Andrew Cunningham reported today, Intel and Google are announcing an upcoming onslaught of new Google Chromebooks based on Intel's Haswell architecture processors. The idea of a cloud-tethered notebook that can keep its owner connected over Wi-Fi and broadband all day long—in some cases for less than the price of a shiny new Apple iPhone—is going to be awfully appealing to many. And without a doubt, no one will be happier than the National Security Agency (NSA) and law enforcement. While Google's cloud computing has provided a platform for the company to grab a big chunk of the low-cost notebook market and upend Microsoft's Windows applecart, the recent NSA leaks by Edward Snowden have put the cloud under…a cloud
Free endpoint security inspection tool (Help Net Security) Promisec announced a free, downloadable and automated security inspection for up to 100 endpoints. The free inspection process (available here) produces results in about five minutes, with all data stored locally on the administrator's machine to assure privacy and confidentiality
Infinite Group, Inc. Completes Partnership Agreement with Webroot to Provide Cyber Security Solutions to SMBs (Digital Journal) Infinite Group, Inc. (IGI) has completed a partner agreement with Webroot, a leader in cloud-based security intelligence solutions, to provide endpoint protection for its small to medium sized business (SMB) customers. IGI is complementing its SMB security essentials suite with Webroot SecureAnywhere(TM) security intelligence solutions to enable real-time protection for computer systems and mobile devices, even when they are not behind the corporate firewall
Dell SecureWorks Approved as a PCI Forensic Investigator (MarketWatch) The Dell SecureWorks Counter Threat Unit(TM) (CTU) constantly gathers intelligence about threat actors and TTPs as it actively monitors the global cyber threat
Detect NSA's 'Funny Business' with TamperMonkey (Fortinet) In a post last week regarding the new 'hack' against Mega, MegaPWN, we talked about the implementation of a GreaseMonkey script to avoid being a victim of a hack on Mega servers. The script would mainly look for changes in the "crypto-magic"-performing JavaScript files loaded from Mega. I decided to give it a try and wrote a TamperMonkey script (the Chrome equivalent of GreaseMonkey) called MEGACheck that runs every time a user visits Mega, and performs the aforementioned integrity check
BitSight Technologies Launches Information Security Risk Rating Service (Dark Reading) BitSight Partner SecurityRating provides ratings on the information security health of a company's partner ecosystem
HyTrust Appliance 3.5 Announced; Reduces Operational Cloud Risk (Dark Reading) New features enable private clouds and virtualized data centers to prevent or contain damage caused by employees and outsiders misusing administrator privilege
Exostar Introduces Remote Identity Proofing Offering With Experian (Dark Reading) Exostar, whose cloud-based solutions enable secure, cost-effective business-to-business collaboration, today announced it has added a standards-compliant remote identity proofing option to its existing identity and access management solution suite. The new service offering allows organizations with large and/or geographically-dispersed communities of employees, partners, and other third-parties to
Wombat Security Technologies Unveils Integrated Anti-Phishing Assessment And Education Solution (Dark Reading) Training suite enables security officers to assess vulnerabilities via simulated phishing attacks. Wombat Security Technologies (Wombat), a leading provider of cyber security awareness and training solutions, today announced its anti-phishing training suite. The anti-phishing training suite enables security officers to assess vulnerabilities via simulated phishing attacks and provide in-depth anti-phishing education to change user behavior. It gives corporate security officers the ability to auto-enroll employees in follow-up training after they fall for a simulated attack. All of Wombat's training solutions utilize learning science principles to engage the user, deliver practical knowledge, and ensure employees retain information they are taught in brief 10-minute training sessions. When combining simulated phishing attacks with Wombat's interactive training, customers have experienced a greater than 80% reduction in employee susceptibility to attack
Technologies, Techniques, and Standards
NIST Opens Draft Special Publication 800-90A, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, for Review and Comment (NIST Supplemental ITL Bulletin) The National Institute of Standards and Technology (NIST) first published specifications for random number generators (RNGs) in Federal Information Processing Standard (FIPS) 186-2, the Digital Signature Standard (DSS)…NIST works to publish the strongest cryptographic standards possible, and uses a transparent, public process to rigorously vet its standards and guidelines. If vulnerabilities are found, NIST works with the cryptographic community to address them as quickly as possible. In light of the concerns expressed regarding Dual_EC_DRBG, ITL is taking the following actions: Recommending against the use of SP 800-90A Dual Elliptic Curve Deterministic Random Bit Generation: NIST strongly recommends that, pending the resolution of the security concerns and the re-issuance of SP 800-90A, the Dual_EC_DRBG, as specified in the January 2012 version of SP 800-90A, no longer be used
Backdoored NIST standard revealed, will be reopened for review (Help Net Security) Following last week's revelation that the NSA has, among other things, influenced the US National Institute of Standards and Technology (NIST) to adopt an encryption standard that the NSA engineered to include a weakness known only to them, the NYT has disclosed that the standard in question is NIST Special Publication 800-90…Finally, in a gesture of good will and in the hope of regaining some of the trust they have lost from the security community, they have reopened the public comment period for Special Publication 800-90A and draft Special Publications 800-90B and 800-90C so that the public can peruse and comment on the standard for a second time
NSA has long-time role in developing computer security, creating tension with civilian coders (StarTribune) Years ago, back when computer users were dialing up the Internet, civilian government scientists already were expressing concerns about the National Security Agency's role in developing global communication standards, according to documents reviewed by The Associated Press. The records mirror new disclosures, based on classified files 24 years later, that the NSA sought to deliberately weaken Internet encryption in its effort to gather and analyze digital intelligence
How deep does NSA incursion at NIST go? (Federal Computer Week) FCW published an article Sept. 6 in which sources questioned the integrity and trustworthiness of the National Institute of Standards and Technology following the release of top-secret documents showing the National Security Agency weakened a set of encryption standards adopted for worldwide use in 2006. Readers expressed concern at the news, questioning whether the NSA's intervention was a one-time event or a frequent occurrence
On Backdoors and Encryption (CSIS) There is a general myth that the "geeks" defeated the Feds in the "crypto wars" of the 1990s, blocking efforts to prevent the sale and export of advanced encryption products. This is an article of faith with some people, particularly on the West Coast, and if you interview them you will get this story presented as an accurate account of what happened
Rudest man in Linuxdom rants about randomness — "We actually know what we are doing. You don't." (Naked Security) Linus Torvalds is a very clever man - he invented Linux, after all - but he seems to struggle with simple human decency. (He recently expressed the wish that the designers of some hardware he doesn't like might "die in some incredibly painful accident", and invited you to puncture the brake lines on their car as a way to make it so.) So it's hardly surprising that when he heard a cryptographic suggestion he thought was silly, he let rip like this
NSA Data Mining: How It Works (Popular Science) Most people were introduced to the arcane world of data mining when National Security Agency contractor Edward Snowden allegedly leaked classified documents that detail how the U.S. government uses the technique to track terrorists. The security breach revealed that the government gathers billions of pieces of data--phone calls, emails, photos, and videos--from Google, Facebook, Microsoft, and other communications giants, then combs through the information for leads on national security threats. The disclosure caused a global uproar over the sanctity of privacy, the need for security, and the perils of government secrecy. People rightfully have been concerned about where the government gets the data--from all of us--but equal attention has not been paid to what it actually does with it. Here's a guide to big-data mining, NSA-style
Seven Myths of Advanced Malware — Myth #2: Sandboxing Blocks Malware (McAfee) In my first post on the Seven Myths of Advanced Malware, I addressed the myth that "the challenge is, I can't find advanced malware." We decided that the myth is false, because you can find advanced malware, but simply finding malware doesn't fully solve the problem. The real problem is that you must block advanced malware and any damage must be remediated…Sandboxing is a great offline discovery tool that isolates unknown or suspicious files in a virtual environment where they can be examined in greater detail. The analysis is complex and it takes time to complete, so sandboxing is not a real-time technology. In fact, most sandboxes only analyze a copy of the file, while the original file is sent on its way to the target endpoint. So even if a suspicious file is found to be malicious, the actual file has already reached the endpoint and is doing its damage
7 Starter Steps For Security Analytics Success (Dark Reading) As organizations try to find better ways to improve their security practices, increasingly they're finding that the secrets to success are not written in runes in a faraway land. They actually exist right there in the enterprise, hiding away in log data, metadata, unstructured data, and plenty of other instrumentation data feeds pumping out information constantly for those willing to harvest and examine them
From iPhone to Access Point (Forensic Focus) A wireless Access Point (AP) is a device that allows wireless devices to connect to the internet using Wi-Fi. With the remarkable increase in the number of wireless devices, the number of APs has also increased drastically to serve the Wi-Fi needs of these devices. We have APs at home, in offices, at airports and at public hotspots. Any clue about the AP a device connected to could be an important piece of information for law enforcement or examiners. When a device connects to an AP it leaves evidence behind. This article is geared towards analyzing a file on the iPhone that contains vital information about the Wi-Fi AP to which the device was connected
So you've lost your locked smartphone or tablet? Here's how to get it back… (ZDNet) You're locking your smartphone now? Good. But how can people get it back safely into your hands if you lose it? Here's a guide for iOS, Android, and Windows Phone users. A standout point for me in Tuesday's Apple announcement was that 50 percent of people lock their iPhones. I was surprised it was that high -- it seems every week I say to someone, "Dude, do you really not lock your phone?" My guess would have been closer to 20 percent
How to protect your Wi–Fi network from snoopers…including Google (ITWorld) A lawsuit against Google for snooping on Wi-Fi networks is moving forward, and it should raise this question for you: Just how safe is your own network against snoopers? If you've got a small wireless network you use for business or home, here's how you can protect yourself against break-ins and snoopers
17 things you should go ahead and cloud (InfoWorld) Some companies are already sky high in cloudy goodness, while others are still procrastinating. The following items should rise to the top of your cloud priority list
Do you believe in cloud? (ZDNet) How do you know you are getting promised cloud services? You don't, according to researchers. What is needed to verify cloud service level agreements? Is faith enough? Authors Sara Bouchenak, University of Grenoble, Gabriela Gheorghe, University of Luxembourg, Gregory Chockler, IBM Research UK, Nuno Santos, Max Planck Institute, Hana Chockler, IBM Research Haifa and Alexander Shraer, Google, discuss this in a recent paper Verifying Cloud Services: Present and Future
Research and Development
Breakthrough in MPC cryptography could make cloud computing more secure (Business Cloud) A recent breakthrough in multi-party computation (MPC) cryptography may result in a "sea change" in computing security according to Peter Scholl, a researcher in the Cryptography and Information Security group at the University of Bristol. The essential idea behind MPC, a subset of cryptography, is that it should enable two or more people to compute any function choosing secret inputs, without actually revealing the contents of those inputs to either party
Academia
The STEM Crisis is a Myth: An Ongoing Discussion (IEEE Spectrum) Our September 2013 story, "The STEM Crisis Is a Myth", generated an enormous amount of feedback. We've created a special section with further discussions of STEM education and employment as well as related resources and references
Army Looks To Schools To Find The Next Cyberwarriors (Capital Public Radio) Security experts say the U.S. has a dearth of professionals qualified to take on cyberthreats like attacks on power grids or defense systems. A school district in Alabama and the U.S. Army Cyber Command have teamed up to help prepare a new generation for cyberwarfare careers
The NSA sponsors 'cyber operations' training at universities. Here's what students learn. (Washington Post) Last week, Carnegie Mellon University in Pittsburgh became one of the latest -- and most prestigious -- schools to partner with the National Security Agency on a program designed to recruit young cyberspies. The NSA has run this "cyber operations" program since 2012, working with Northeastern University, Dakota State, the University of Tulsa and the Naval Postgraduate School to design curricula that match the agency's intelligence and infrastructure needs. (CMU, the Air Force Institute of Technology, Auburn and Mississippi State joined last week.) The purpose, says Carnegie Mellon's Dena Haritos Tsamitis, is to shift capabilities from "cyber defense" to "cyber offense." It's also to funnel the next generation of analysts and hackers directly to the NSA, CIA, Department of Homeland Security and other government agencies and contractors
Legislation, Policy, and Regulation
DNI Releases FISC Docs, but Legislators Say Much More Remains Hidden (Threatpost) The federal government has released hundreds of pages of documents, including orders and opinions from the secretive Foreign Intelligence Surveillance Court, related to the NSA's surveillance programs, but legislators who have been involved in the process say that there still are significant details of the agency's email and phone collection activities that remain secret. Senators Ron Wyden (D-Ore.) and Mark Udall (D-Colo.), who have been outspoken critics of the NSA and warned about the secret collection programs before this summer's public revelations, said that despite the release of new documents in response to a lawsuit by the EFF, much of the most important information remains classified
Even the US National Security Agency didn't understand the NSA (Herald Sun) Documents released overnight show that National Security Agency officials were unaware of how their surveillance systems worked as they grew too big. The National Security Agency set it in motion in 2006, and the vast network of supercomputers, switches and wiretaps began gathering Americans' phone and Internet records by the millions, looking for signs of terrorism
The NSA: Too big to not fail (The Week) Lest anyone get the impression that the National Security Agency has time to do anything but aggressively violate Americans' rights, the Guardian fronted a story about a draft memorandum of understanding between the NSA and Israel's signals intelligence agency. Notwithstanding the context, or a close reading of what the MOU actually permits, which you can read about here, the story is useful because it points to one of the reasons why the NSA has a lot of trouble figuring out just what the hell it is doing with all of its nodes and devices and satellites and fiber lines and servers
More Mistakes at the N.S.A. (New York Times) A fresh trove of previously classified documents released on Tuesday provides further evidence -- as if any more were needed -- that the National Security Agency has frequently been unable to comprehend, let alone manage, its vast and continuing collection of Americans' telephone and Internet records. The documents, made available by the agency in response to lawsuits by two advocacy groups, revealed that in 2009 a judge on the Foreign Intelligence Surveillance Court severely reprimanded the agency for violating its own procedures for gathering and analyzing phone records, and then misrepresented those violations to the court
Chertoff: NSA surveillance vital to our safety (USA Today) The evolution of the intelligence community since 9/11 has helped protect Americans from al-Qaeda. In the aftermath of September 11, 2001, the intelligence community was criticized for failing to "connect the dots." Our investigation of the attack revealed connections among the 9/11 hijackers themselves as well as communications they had with known foreign terrorist locations overseas
Statement by Director of National Intelligence James R. Clapper on Allegations of Economic Espionage (Intelligence Community on the Record) It is not a secret that the Intelligence Community collects information about economic and financial matters, and terrorist financing. We collect this information for many important reasons: for one, it could provide the United States and our allies early warning of international financial crises which could negatively impact the global economy. It also could provide insight into other countries' economic policy or behavior which could affect global markets…What we do not do, as we have said many times, is use our foreign intelligence capabilities to steal the trade secrets of foreign companies on behalf of — or give intelligence we collect to — US companies to enhance their international competitiveness or increase their bottom line
Brazil Mulls Homegrown Network Parts to Ward Off Foreign Spies (Bloomberg) Brazil's government is considering developing locally made network equipment that phone companies would be required to use as a defense against foreign spies, Communications Minister Paulo Bernardo said. The measure would be designed to protect information privacy, in response to allegations that the U.S. National Security Agency used software to access communications between Brazil President Dilma Rousseff and staff members, Bernardo said yesterday in an interview in Brasilia
US not out of the woods over Brazil spying claims (Financial Times) Brazilian-US relations have long been dogged by vague mutual suspicions. There is a belief among Brazilian internet conspiracy theorists that the US covets the country's sparsely populated, resource-rich Amazon region — an area the size of the European Union — and is planning an invasion. This idea gained traction some years ago when a fake map, purportedly taken from a US school textbook, mysteriously appeared on the internet showing the Brazilian Amazon as an "international reserve". It has also been reinforced by hawkish Brazilian army officers over the years
[France's] PM 'orders smartphone crackdown' over spying (The Local) France's Prime Minister Jean-Marc Ayrault has banned government ministers and their staff from using their smartphones and tablets to transmit sensitive information, according to a media report on Tuesday. The move is apparently motivated by fears they could be spied on. According to L'Express newspaper the order was made in a note from the PM's office, which was handed to ministries after the summer break
4 ways to stop a cyber 9/11 (The Business Journals) The threat posed by cyber attacks on the United States is so significant that it dominated a Senate hearing on the Department of Homeland Security, held on the 12th anniversary of the 9/11 terrorist attacks on the World Trade Center and the Pentagon
Tech leaders: The Internet of the future will need D.C. assist (Politico) The "Internet of things" may frighten policymakers — but they're also critical to its success, tech leaders agreed Thursday. "The challenge for Washington is understanding when they can and can't be helpful in that process," said former Sen. John Sununu, inSPIRE STEM USA Coalition co-chairman, during POLITICO Pro's Technology Report: The Future of the Internet. "There is a role for doing what government can and should do to foster this environment"
Shield law broadens definition of 'journalist' (Politico) A new media shield law expected to pass committee on Thursday broadens the definition of "journalist" to include, among other things, any individual deemed appropriate by a federal judge. The new amendment is a step forward for independent and non-traditional media organizations who feared that the original bill would exclude them from protections granted to the traditional press corps, including protection from revealing information and sources except in extreme circumstances
Anonymous outs lawmakers' ties to intelligence contractors (Salon) OpNSA highlights, without hacking or DDoS attacks, ties between the intelligence industry and Washington. For those paying even a modicum of attention to recent revelations about NSA surveillance, it's been well-established that a vast surveillance apparatus is supported by a network of government, intelligence industry, and Silicon Valley connections. With its new OpNSA, however, Anonymous is attempting to highlight specific lawmakers as in the pocket of intelligence contractors with a campaign revealing specific campaign contributions. The information is already public, but has not garnered the attention that Anons behind OpNSA believe it deserves
Mass. Governor Says He Now Supports Repeal And Replace Of Tech Tax (CRN) After meeting with local businesses and industry groups, Massachusetts Gov. Deval Patrick announced Tuesday that he supports the repeal of the state's controversial tech tax — if it is replaced by an alternate source of revenue
Litigation, Investigation, and Law Enforcement
Lavabit's Owner Appeals Secret Surveillance Order That Led Him to Shutter Site (Wired) The Virginia judge who ordered secret surveillance on Edward Snowden's e-mail provider served on the secret Foreign Intelligence Surveillance Court during the period it approved some of the most controversial NSA surveillance programs to surface in Snowden's leaks
Former US military intelligence agent casts skeptical eye on latest NSA revelations (Daily Caller) A new report alleging the intelligence sharing practices between the National Security Agency and the Israeli government infringe upon American privacy rights has drawn fire for potentially misleading readers. The new Guardian report is the latest revelation gleaned from the secret intelligence documents former NSA contractor Edward Snowden provided to media outlets. The National Security Agency routinely shares raw intelligence data with the Israeli government's signals intelligence agency, the Israeli SIGINT National Unit (ISNU), the Guardian reported on Wednesday. That data, the publication reports, is presumed to also include information about U.S. persons, including American citizens. The report is misleading, drawing its conclusions from a potentially outdated document, contends freelance journalist Joshua Foust
Why did the Guardian destroy its Snowden files? (Volokh Conspiracy) I've been struck by an aspect of the Snowden affair that hasn't been covered so far -- the Guardian's troubling decision to destroy its UK trove of Snowden documents rather than let the UK government see them. Court filings in the UK tell the government's side of that story, and they don't make the Guardian look good. The filings make clear that the UK government wanted the documents back, and that it persuaded the newspaper that it could not keep the files in the UK. Why then did the Guardian choose to destroy them instead of returning them? Ordinarily, that would be an easy question; journalists don't disclose their sources
FISA — The Uncanny Valley of Article III (Volokh Conspiracy) I'm still working my way through all the FISA court material that was declassified today, and acquiring a new appreciation for how hard a journalist's job can be. But I've gotten far enough to start worrying, seriously, about the role we've given to the FISA court and what it does to the court and NSA
Did the FBI Lean On Microsoft for Access to Its Encryption Software? (Mashable) The NSA is reportedly not the only government agency asking tech companies for help in cracking technology to access user data. Sources say the FBI has a history of requesting digital backdoors, which are generally understood as a hidden vulnerability in a program that would, in theory, let the agency peek into suspects' computers and communications
Net neutrality is on trial in Washington. Here's what you need to know. (Washington Post) On Monday, network neutrality got its day in court. The United States Court of Appeals for the D.C. Circuit heard arguments from Verizon that the Federal Communications Commission had exceeded its authority by enacting network neutrality regulations
Google loses appeal in Wi-Fi data grab case (Naked Security) A US appeals court has upheld a previous decision from a district court that ruled Google violated wiretap laws when it collected personal data from unencrypted Wi-Fi networks in 2010
JOFFE V. GOOGLE, INC. (US 9th Circuit Court of Appeals) The panel affirmed the district court's order denying a motion to dismiss claims that Google, Inc., violated the Wiretap Act when, in the course of capturing its Street View photographs, it collected data from unencrypted Wi-Fi networks. The panel held that Google's data collection did not fall within the Wiretap Act exemption set forth in 18 U.S.C. Section 2511(2)(g)(i) because data transmitted over a Wi-Fi network is not an "electronic communication" that is "readily accessible to the general public"
It's not up to Google to stop child abuse, says expert (Naked Security) The former head of Britain's online child protection agency says the government's recent moves to protect children online are "nonsensical," and that simply searching for a given term doesn't turn somebody into a paedophile
Heartland Lawsuit Revived By Appeals Court (Storefront Backtalk) Heartland Payment Systems can be sued by several card-issuing banks for negligence after all. On Tuesday (Sept. 3), a three-judge panel of the 5th U.S. Circuit Court of Appeals ruled that a federal court in Texas erred in March 2012 when it threw out the case on the basis of the economic loss doctrine. (Don't worry, we'll get to what that means.) That effectively ended the financial institutions' case against Heartland, which stemmed from the processor's now-legendary 2008 data breach
61–Year-Old Plano Man Who Hacked Into His Former Company Will Spend 5 Years in Prison (Dallas Observer) Despite what its name implies, Exel Transportation Services does not actually transport anything. It's what's called an intermodal marketing company; basically, it helps other companies ship things. Not the sexiest business to be in, but lucrative enough to convince Exel CEO Michael Musacchio to jump ship in 2004 after a dozen years with the company and, after the expiration of his non-compete agreement, launch a competing firm
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
SANS CyberCon Fall 2013 (Online, Sep 9 - 14, 2013) With sequestration still in place, organizations are finding themselves with training budgets, but drastically reduced travel budgets. This one-of-a-kind online training event brings SANS' top instructors teaching SANS' top courses to those who can't travel.
GrrCon (Grand Rapids, Michigan, USA, Sep 12 - 13, 2013) Says IT World, "Another hacker conference, this time in Michigan. The schedule looks to be bawdy, brash and anything but dull, with hackers promising to "pwn" you before you leave town. There are also sessions on penetration testing tools and mobile hacking methods."
cybergamut Technical Tuesday: Malware Analysis for the Masses (Columbia, Maryland, USA, Sep 17, 2013) With malware becoming more prevalent, and the pool of capable reversers falling short of overall need, there is a greater need to provide quick and efficient malware analysis for network defense. With modern technology and tools, it's now possible for junior security analysts to gather detailed malware indicators to craft defense and alert signatures. More enticing, all of this can be done with free tools and applications, some written by this presenter.
GovConnects Business Breakfast: Surviving Sequestration (Elkridge, Maryland, USA, Sep 17, 2013) This Business Breakfast will feature presentations by seasoned professionals in the field of government contracting as they share best practices for dealing with current challenges of doing business in the time of sequestration, and answer CEOs' questions from legal and accounting perspectives. [Editors' note: this event is expected to be devoted essentially entirely to cyber contracting.]
Shaping the Future of Cybersecurity Education Workshop (Gaithersburg, Maryland, USA, Sep 17 - 19, 2013) The third annual Shaping the Future of Cybersecurity Education Workshop will be held at the National Institute of Standards and Technology (NIST) in Gaithersburg, MD and focus on "Navigating the National Cybersecurity Education Interstate Highway".
NovaSec! (McLean, Virginia, USA, Jun 13, 2013) NovaSec! is Northern Virginia's largest cybersecurity and physical security networking event of the year. We are bringing together security professionals from commercial and government organizations with members of local Northern Virginia businesses and associations to allow participants to meet, interact on key issues and provide a unified forum to network with like-minded individuals.
Strange Loop (St. Louis, Missouri, USA, Sep 18 - 20, 2013) Meet us in St. Louis, Sept 18-20th, 2013, to make connections with the creators and users of the languages, libraries, tools, and techniques at the forefront of the industry. Find out where we're going…and where we're not. Topics include emerging languages, concurrent and distributed systems, new database technologies, front-end web, and mobile.
ISSA Cyber Security Forum at Ft Belvoir (Fort Belvoir, Virginia, USA, Sep 19, 2013) This event will allow personnel from Fort Belvoir the chance to learn about the latest cyber security trends, network with peers, discuss Army best practices and to view and demo some of the latest cyber security and information technology products/services available today. This is an excellent opportunity for exhibitors to network with key decision makers, cyber, technology, communications and contracting personnel from various commands and tenant units at Fort Belvoir.
CISO Executive Summit (Atlanta, Georgia, USA, Sep 19 - 20, 2013) Be on the forefront of a new global initiative where today's world-class leaders in information security will gather to navigate through international waters. Join these leaders as they follow the wind of change that is sweeping through the IS community motivating today's information guardians to develop a new way of thinking to ensure success in protecting their respective organizations. (At Hacker Halted USA.)
CCBC Leadership Seminar Luncheon: Cyber Awareness: What Employers Need To Know (Owings Mills, Maryland, USA, Sep 20, 2013) Registration deadline: no later than September 13, 2013.
2013 Cyber Security Summit (New York, New York, USA, Sep 25, 2013) The 2013 Cyber Security Summit connects executives responsible for protecting their company's critical infrastructure with innovative product, service and solution providers. The one-day event, to be held September 25th at the Hilton in New York City, will showcase the latest tools and resources available to defend against cyber crime on both corporate and government levels. Keynote addresses and interactive panel discussions led by notable security experts will highlight strategic priorities, risk factors and threats, and provide inspirational guidance to prepare for and protect from attacks.
4th Annual Cybersecurity Summit (Washington, DC, USA, Sep 25, 2013) GEN Keith Alexander, Commander of U.S. Cyber Command, Director of the NSA/Chief, Central Security Service, and Dr. Pat Gallagher, Director, NIST, are among the distinguished speakers confirmed to keynote at the 4th Annual Cybersecurity Summit on September 25, 2013 at the National Press Club in Washington, D.C. Michael Daniel, White House Cybersecurity Advisor, and Gen. Keith Alexander, Commander U.S. Cyber Command, and Director, NSA, are confirmed to keynote. Cybersecurity topics to be addressed include: the White House Cybersecurity Executive Order, the Cybersecurity Framework and New Emerging Standards for Critical Infrastructure, information sharing, mobile security and BYOD, legislative developments in cybersecurity, big data and cloud cybersecurity, continuous monitoring, cyber situational awareness, the JIE rollout, active defense and cyber warfare. Organized by Billington CyberSecurity™.