The CyberWire Daily Briefing for 9.26.2013
In what has become a routine step for repressive regimes facing civil unrest, Sudan cuts Internet access as citizens riot over fuel subsidies.
India's Ministry of External Affairs is much more exercised than that country's IT Ministry over alleged US electronic surveillance of diplomatic missions.
Kaspersky outs what it describes as a "mercenary" crew of hackers—"Icefog"—active so far mainly in Japan and South Korea. Icefog has apparently been hired to attack points of the defense industrial supply chain with (paradoxically) "hit-and-run" APTs. Icefog servers have been discovered in China, Japan, Hong Kong, Taiwan, Korea and the United States.
The "SSNDOB" identity theft service Krebs uncovered recently operates botnets accessing major public record holders' servers. SSNDOB only began to draw attention when it was itself hacked this summer by UGNazi celeb-hunting script kiddies. Enough data have been exposed to prompt warnings of a surge in knowledge-based attacks.
Researchers warn switches and routers are easily hacked. The iOS Mailbox app suffers from Javascript problems, and a hole in Ruby on Rails can expose cookies.
Sophisticated exploit kits aren't needed to hit SCADA systems: spearphishing will do it.
John McAfee (still wanted in Belize) says he's returning to America with a solution to all Internet security problems. More plausible industry news includes start-up successes.
General Alexander resolutely calls for more information sharing and asks for industry help, but the Senate seems determined to clip NSA's (and FISA's) wings. Justice Scalia glumly predicts the matter will be resolved in the Supreme Court.
Notes.
Today's issue includes events affecting Afghanistan, Bangladesh, Bhutan, Brazil, China, European Union, India, Japan, Republic of Korea, Kuwait, Maldives, Mongolia, Myanmar, Nepal, Pakistan, Saudi Arabia, Sri Lanka, Sudan, Taiwan, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Sudan goes offline as fuel riots spread across the capital Khartoum (The Next Web) As riots engulfed Sudan's capital Khartoum earlier today in the wake of the government's lifting of fuel subsidies, we've started to see reports emerge that the authorities have cut the country off from the Internet
NSA Infiltrated Indian Missions In Washington And New York With Bugs Capable Of Copying Entire Computer Hard Drives: Report (International Business Times) The National Security Agency, or NSA, bugged the Indian embassy in Washington, D.C., and the country's permanent mission at the United Nations in New York with high-end equipment that could copy massive amounts of data and even entire hard drives, The Hindu newspaper reported on Tuesday, citing classified documents obtained by Edward Snowden
MEA's key units get hacked every 4–5 months (Times of India) While India has "feebly" protested against snooping by the US National Security Agency (NSA), the fact remains that email addresses of 10 key desks of the Ministry of External Affairs get hacked every four to five months by foreign security and intelligence agencies
Icefog hit-and-run hackers uncovered in Asia (Register) Less persistent but more focused targeted attacks hit hundreds. Kaspersky Lab has uncovered a new APT campaign aimed at pilfering secrets from governments and supply chain industrial, military, media and technology companies in Japan and South Korea. Icefog features many of the key attributes of targeted attacks, including the spear phishing email lure to gain a foothold in the victim's network; the use of malware which exploits known vulnerabilities; and the nabbing of email credentials and system passwords to move laterally inside the organisation
Kaspersky Lab Uncovers New Cyber Hit-n-Run Op Called "Icefog" (Forbes) Since 2011, Kaspersky Lab has tracked a series of attacks that we link to a threat actor called 'Icefog'. We believe this is a relatively small group of attackers that are going after the supply chain -- targeting government institutions, military contractors, maritime and ship-building groups, telecom operators, satellite operators, industrial and high technology companies and mass media, mainly in South Korea and Japan. Multinational cybersecurity firm Kaspersky Lab said Thursday that it's discovered a group of "cyber-mercenaries" called "Icefog". Target: government and military institutions. Most of the victims have been in South Korea and Japan. But the Icefog campaign is coming to an American company near you, Kaspersky Lab security analysts said during the 4th Annual Billington Cybersecurity Summit in Washington DC today
Icefog: The Hacker Crew Trying to Break Into Your Weapons (Foreign Policy) A new cyber-theft ring from Asia is committing a string of smash and grab-style attacks against suppliers to major military contractors. This isn't just any hacker crew; its targeting of defense subcontractors means it could easily undermine the integrity of the world's weapons
Data-stealing botnets found in major public record holders' servers (Naked Security) A "small but very potent" botnet run by an identity theft service has tentacles reaching into computers at some of the country's largest consumer and business data aggregators, security journalist Brian Krebs has revealed following a seven-month investigation
Boffins: Internet transit a vulnerability (Register) Mirror, mirror on the port, is this something I can rort? If you think of an Internet exchange, you probably think of infrastructure that's well-protected, well-managed, and hard to compromise. The reality, however, might be different. According to research by Stanford University's Daniel Kharitonov, working with TraceVector's Oscar Ibatullin, there are enough vulnerabilities in routers and the like that the Internet exchange makes a target that's both attractive and exploitable. The attack they demonstrate in this paper on Arxiv can be mounted against common routers and switches, and "does not require extraordinary knowledge of networks or specialized programming skills"
Javascript Issue Plagues Mailbox App for iOS (Threatpost) A researcher reports that the popular Mailbox app for iOS automatically executes javascript embedded in HTML, putting users in line for abuse from spammers and phishers
Security Issue in Ruby on Rails Could Expose Cookies (Threatpost) Versions 2.0 to 4.0 of the popular open source web framework Ruby on Rails are vulnerable to a web security issue involving cookies that could make it much easier for someone to login to an app as another user
Spear phishing poses threat to industrial control systems (CSO) Hackers don't need Stuxnet or Flame to turn off a city's lights, say security experts. While the energy industry may fear the appearance of another Stuxnet on the systems they use to keep oil and gas flowing and the electric grid powered, an equally devastating attack could come from a much more mundane source: phishing
Anti-phishing vital in SCADA protection, says expert (ComputerWeekly) A high proportion of cyber attacks are enabled by extremely customised and plausible phishing attacks, says Rohyt Belani, CEO of phishing awareness training firm PhishMe. According to security firm Mandiant, 99% of the security breaches it investigated in 2012 started with a targeted spear-phishing attack
'Get rich quick' scams hit Bitcoin (The Verge) There are riches to be made in the brave new world of virtual currency, but some deals are too good to be true
7 ways to beat fingerprint biometrics (IT World) Apple's embrace of finger scanning technology in the iPhone could be a breakthrough moment for biometrics. But finger scanners are no panacea. Here are 7 ways hackers have figured out to fool them
"I was invited to their friend's wedding!" Recycled Yahoo! IDs leak VERY private information (We Live Security) Yahoo! recently began recycling "inactive" user accounts, in an effort to woo new customers – but some customers who have acquired these "second-hand" email addresses say they are receiving a "bonus" of personal emails intended for the old owners, some of which contain information that could be used in identity theft
Yahoo ID recycling scheme is potential security minefield (Help Net Security) Yahoo's recently announced email account / Yahoo ID recycling scheme was meant to free up inactive (and attractive) accounts so that they can be snapped up by another user. But while the idea had initially been thought of by company executives as a good move, the reality has proven to be harsher
Google Talk users complain of messages being sent to wrong recipients (update) (The Verge) Google appears to be experiencing some major issues with its chat service today. A large number of users have complained on Twitter and at Google's product forums that messages are being delivered to the wrong recipients on Google Talk. The problems appear to have started earlier today, and result in contacts incorrectly receiving communications that were supposed to be sent to others. Some Google Talk users are also reporting that users outside of their contact list are receiving the messages
Windhaven Investment Management Admits Data Breach (eSecurity Planet) Clients' names, account numbers, custodians and investment positions may have been accessed. Windhaven Investment Management recently began notifying an undisclosed number of clients that their account information may have been viewed by an unauthorized person or persons
Facebook and YouTube contain the most spam of all social networks (SC Magazine) Facebook and YouTube are the social networks most likely to serve you up a hot plate of spam, according to a report
Security Patches, Mitigations, and Software Updates
Cisco Releases Semiannual Batch of Security Updates for IOS (SecurityWeek) Cisco released its semiannual IOS Software Security Advisory Bundled Publication on Wednesday. The latest release includes eight Security Advisories that address ten different (CVE) vulnerabilities in Cisco's IOS Software. Eight of the ten vulnerabilities addressed have a CVSS Base Score of 7.8, while two have a score of 7.1. Exploits of the individual vulnerabilities could result in a denial of service (DoS) condition, interface queue wedge, or a device reload, Cisco said
Cyber Trends
Secure cloud adoption is all about risk, says industry panel (ComputerWeekly) Always take a risk-based approach to cloud adoption, a panel has told security professionals at the (ISC)² Security Congress 2013 in Chicago. "This requires involving a company legal representative from the start, at the negotiation stage to ensure the business understands the risk it is taking on," said Ken Stavinoha, a solutions architect from Cisco
(ISC)² Congress 2013: Infosec Must Expand Testing to Keep Pace with Attackers (Infosec Magazine) At this week's (ISC)² Congress in Chicago, one consultant explained why most security technologies should not be trusted, and why those responsible for protecting information assets must branch out into other areas to develop an effective and comprehensive skills set to defend them
IBM's X-Force Team: Attackers Take Path Of Least Resistance (CRN) Custom malware and zero-day exploits are dangerous, but attackers are finding that they don't necessarily have to turn to advanced techniques to carry out targeted attack campaigns, according to an analysis conducted by IBM (NYSE:IBM)'s X-Force research team
Marketplace
CSC Wins Cyber Operations Contract with U.S. Navy (MarketWatch) CSC is one of 13 companies awarded a cyber operations contract by the U.S. Navy for its Space and Naval Warfare System Command (SPAWAR) Systems Center Atlantic. The indefinite delivery/indefinite quantity contract, signed in the second quarter of CSC's fiscal year 2014, has a one-year base period and four optional years, bringing the estimated total contract value up to $900 million for all companies
NOVA wins $19M defense tech contract (Albuquerque News) NOVA Corp. has obtained a new contract with the Defense Information Systems Agency to help with the information technology operations of the agency's headquarters at Fort Meade, Md
Lockheed Martin Supports U.S. Department Of Commerce Cyber Security Trade Mission To Saudi Arabia And Kuwait (MarketWatch) Lockheed Martin LMT -0.22% joined a cyber security and critical infrastructure protection trade mission to Saudi Arabia and Kuwait led by the Department of Commerce. Headed by Under Secretary of Commerce for International Trade Francisco Sanchez, the goal of this trade mission is to introduce U.S. firms to high-level government officials and potential partners in the Middle Eastern market
H-P Fires Firm That Hired Alleged Shooter (Wall Street Journal) Hewlett-Packard Co. on Wednesday said it has ended its relationship with the subcontractor that employed the man accused of a deadly shooting spree at the Washington Navy Yard, citing the company's failure to act on the man's mental issues
John McAfee vows to make Internet 'impossible to hack' (San Jose Mercury News) Anti-virus software pioneer John McAfee, who buried himself in the sand to hide from police in Belize, faked a heart attack in a Guatemalan detention center and admits playing the "crazy card," says he's now ready for his next adventure: a return to Silicon Valley. At age 67, McAfee is promising to launch a new cybersecurity company that will make the Internet safer for everyone. "My new technology is going to provide a new type of Internet, a decentralized, floating and moving Internet that is impossible to hack, impossible to penetrate and vastly superior in terms of its facility and neutrality. It solves all of our security concerns," McAfee said in an interview with this newspaper
If Alibaba is really gone, what's the point of Hong Kong? (Quartz) The forthcoming IPO of Alibaba is much more than just a $14 billion funding orgy for one of the hottest technology companies in China. Alibaba's choice of a stock exchange to list its shares—in Hong Kong or, as seems increasingly likely, somewhere else—is a telltale indicator for the finance industry-beholden city
Considerations on the Expansion of AMS-IX to the US (Bits of Freedom) The board of the Dutch internet exchange AMS-IX proposed to its members to expand to the United States. The vote on this will take place on September 27. Bits of Freedom would like to provide the members with a few considerations when voting. One of the most significant worries brought forward by members is that, through this expansion, the NSA would be legally authorised to gain access to data handled on the Dutch AMS-IX. Advice from a US lawyer to the board of AMS-IX suggests that these concerns are not justified. This is broadly in line with messages we received from a friendly lawyer. The advice to AMS-IX's board is, however, not very clear on this point, and given the interests at stake, we deem it important to obtain clearer advice from a US lawyer specialised in US intelligence services
We're not leaving the UK high street, BlackBerry insists (C/NET) BlackBerry says it isn't withdrawing from the UK high street, despite the ailing corporation's decision to shift focus to the world of business-related tech. Johnathan Young, BlackBerry's UK senior retail director, told CNET that the firm's consumer efforts (i.e, selling phones to ordinary shoppers, rather than big companies) would be "business as usual"
Blackberry's fire sale, and the phablet that could save it (ITPro) BlackBerry may have agreed a sale to its largest shareholder, but its largest phone yet could help save the brand
Motorola Hiring For New Engineering Office In Waterloo — BlackBerry's Loss Is Google's Gain (TechCrunch) Motorola is "ready to go on a hiring spree" in Waterloo, the home of BlackBerry HQ, according to a new report from the Financial Post. The Google-owned maker of smartphones already has an existing, small office in the heart of one of Canada's most important tech hubs, but plans to build a proper, full-fledged engineering team in the area
16 hot companies to watch (FCW) FCW's annual list of companies to watch emphasizes products and services that address the government's key challenges
WSJ Startup of the Year — Hot Seat: 'How Are You Going to Compete?' (Wall Street Journal) Former NSA employees and Light Point Security co-founders Zuly Gonzalez and Beau Adkins wade through a barrage of tough questions from Singularity University's Vivek Wadhwa. "How are you going to compete when there are major, major players out there?" asks Wadhwa
Light Point Security CEO To Moderate CyberMaryland 2013 Panel On Cybersecurity Innovation And Trends (Light Point Security Blog) CEO Beau Adkins will be moderating a panel at the CyberMaryland 2013 Conference on cybersecurity innovation and future trends
Encryption startup KoolSpan raises $9.4 million (Washington Business Journal) Mobile security startup KoolSpan Inc. pulls in a total $9.4 million in two separate raises led by Security Growth Partners and TWJ Capital
Cyber security firm RedOwl raises $2.7M (Baltimore Business Journal) RedOwl Analytics LLC has raised $2.75 million to help grow product development and to position the company for an equity raise next year
Disposable Phone Number App Burner Grabs $2 Million In Seed Funding (TechCrunch) Before the world was informed of the massive and invasive government spying programs run by the NSA and other countries, a mobile app called Burner appeared on the scene offering users disposable phone numbers which they could use to protect their privacy, or for other purposes. For example, the anonymity Burner provides makes sense for things like Craigslist postings or online dating, for when
America's Leading Cybersecurity Companies to Come Together to Mentor the Nation Around Cybersecurity (Marketwired) America's leading cybersecurity companies, agencies and organizations will join together with leading educators in Baltimore, Maryland on October 8, 2013 at 3:30pm to kick off Cybersecurity Ideation Day at CyberMaryland 2013. Cyber Ideation is a web-based interactive classroom experience where schools enable their students to "test drive" future careers in cybersecurity by living a day in the life of the nation's cybersecurity leaders
Products, Services, and Solutions
Keeping tabs on civilian phones? There's more than one way to skin that cat. (Ars Technica) The National Security Agency's spying tactics are being intensely scrutinized following the recent leaks of secret documents. However, the NSA isn't the only US government agency using controversial surveillance methods. Monitoring citizens' cell phones without their knowledge is a booming business. From Arizona to California, Florida to Texas, state and federal authorities have been quietly investing millions of dollars acquiring clandestine mobile phone surveillance equipment in the past decade
ABC's of Cyber Coverage (Property Casualty 360°) A comprehensive, alphabetical guide to battling losses on e-turf. Cyber attack is a top concern for businesses in 2013, with 85 percent of corporate executives naming it their greatest risk, trumping loss of income (82 percent) and property damage (80 percent), according to a recent AIG survey…Here is an alphabetical guide to the types of coverage available for damages received on cyber turf, as described by the I.I.I
Radware and Brinkster Extend Cyber Security Coverage With Hybrid Attack Mitigation Solution (MarketWatch) Radware RDWR -2.42%, a leading provider of application delivery and application security solutions for virtual and cloud data centers, today announced that Brinkster, a leading provider of custom Cloud Infrastructure as a Service, is to launch a new Hybrid Attack Mitigation Service based on Radware's award winning network and application security technologies
Seccuris Announces Integrated Threat, Vulnerability, Asset and Log Management Capabilities With OneStone (Digital Journal) OneStone is a cloud-based information security service that provides organizations 24×7 visibility into security issues and risks across the enterprise. Developed by Seccuris, a leader in information assurance services, OneStone responds to the increased need of organizations to leverage limited resources cost-effectively while balancing operational risk management, IT security, and threat response
New chip promises iPhone encryption (Jane's) US-based KoolSpan claims to have developed the first hardware-based encryption system for Apple's iPhone
Watchful Software Announces RightsWATCH Release 5.0 (SYS-CON Media) Watchful Software, a leading provider of data-centric information security solutions, announced today the release of RightsWATCH Version 5.0. This newest version of the RightsWATCH data-centric suite extends the secure and seamless flow of information throughout an organization while automatically applying corporate security policies without users having to make decisions or do extra work. This ensures that classified information can be used by valid users anywhere even if they are outside of the secure network perimeter and using BYOD devices
Bitdefender offers protection for virtual setups (ITP.net) Cyber protection firm to concentrate on corporate solutions for virtualised infrastructures
New CSA Certification Tests Security of Cloud Services Providers (SecurityWeek) The Cloud Security Alliance (CSA) has teamed up with BSI, an organization that provides standard-based solutions and services, and has announced a new third party certification program designed to assess the security of cloud service providers
K-LOVE & KISSES 2014 — PART 2: ALPHA, BETA, ZETA. (Eugene Kaspersky: Nota Bene) Welcome back folks! What else new and interesting is to be found under the hood of KIS 2014, missioned to save your data from the cyber-swine? Today's guest star is ZETA Shield technology. ZETA Shield I think might be best described as a high-tech antivirus microscope for the detection and elimination of the most cunning of malware, which hides deep in the bowels of the inner recesses of complicated files. In short, this is our unique defense technology against future threats, one which can track down unknown cyber-contagion in the most unexpected places
Technologies, Techniques, and Standards
Protecting The Network From Bring-Your-Own Vulnerabilities (Dark Reading) The bring-your-own-device (BYOD) business model is here to stay, much to the chagrin of security professionals. The arguments for allowing employees to work with company data on their personal devices and bring those devices into the workplace are almost unassailable: Increased productivity, flexible working hours and a more agile business
Five Habits IT Security Professionals Need To Break (Dark Reading) If security professionals want to take their craft in new directions, then they need to stop thinking in old ways, experts said in a panel here Tuesday. In a panel, entitled "Cyber Security -- Where the Industry Is Headed Next Year and Beyond," seven industry leaders said security is sometimes stuck in a continuous loop because professionals continue to make the same mistakes and sometimes have trouble thinking in new ways
How do you monitor DNS? (Internet Storm Center) Personally, my "DNS Monitoring System" is a bunch of croned shell scripts and nagios, in desperate need of an overhaul. While working on a nice (maybe soon published) script to do this, I was wondering: What is everybody else using
Spear Phishing: How to Fight Back (Bank Info Security) Spear-phishing attacks aimed at bank employees are on the rise, and experts say community banks and credit unions are a favorite target for fraudsters. When banking institution employees are targeted with phishing e-mails, the goal is to obtain their credentials for accessing accounts or internal networks and systems, paving the way for fraud. Hitting employees is more fruitful than targeting consumers because compromising employee credentials can provide access to numerous accounts
Watering Hole Attacks: Protecting Yourself from the Latest Craze in Cyber Attacks (InfoSecurity Magazine) Cybercriminals are clever and know how to evolve – you've got to give them that. They've proven this once again with their latest cyber-attack strategy, the Watering Hole Attack, which leverages cloud services to help gain access to even the most secure and sophisticated enterprises and government agencies
NIST puts finishing touches on critical infrastructure cyber framework (Federal News Radio) The National Institute of Standards and Technology says it's the "end of the beginning" for the drafting of the nation's first-ever cybersecurity framework for protecting critical infrastructure. The agency says the document is essentially finished, and should be ready for release by its due date in a few weeks
Mobile malware threats are 'all hype,' says Twitter security researcher (FierceMobileIT) IT should implement encryption, VPNs, but not antivirus software. Mobile malware threats are "all hype," Twitter security researcher Charlie Miller told the Hacker Halted conference in Atlanta last week. Smartphone designers have learned the lessons from PC malware. "Some exploit mitigations were built in from day one. Apps run in a sandbox, they have to ask for permissions, which is not the case with desktops," Miller was quoted by Infosecurity Magazine as telling the conference
Exposing the security weaknesses we tend to overlook (SecureList) As security analysts we often get asked the question: "What threats and vulnerabilities do you expect we will see in the future?" This is a very interesting question but also an indication that the way we think about and discuss IT security is fundamentally wrong. Let us tell you why
'Internet Kill Switch' — Is this Technically Feasible in the US? (SecurityWeek) With the recent events in Egypt and the debate over proposed legislation, "Cyber Security and American Competitiveness Act of 2011", the term "Internet Kill Switch" has flashed into popular discussion. So what does the term mean, what does it look like, and can it really be done
Design and Innovation
Hot Seat: 'How Are You Going to Compete?' (Wall Street Journal) Former NSA employees and Light Point Security co-founders Zuly Gonzalez and Beau Adkins wade through a barrage of tough questions from Singularity University's Vivek Wadhwa. "How are you going to compete when there are major, major players out there?" asks Wadhwa
Five Startups Have Got to Go: WSJ Editors Debate (Wall Street Journal) Tomorrow's a big day for WSJ Startup of the Year's Top 10: Five firms will go, leaving five to compete in the final weeks of the documentary series, which culminates Nov. 4. There were rifts and disagreements, but the editors behind WSJ Startup of the Year managed to make a decision. Watch the debate
Research and Development
Processor made from carbon nanotubes runs multitasking OS (Ars Technica) Don't get too excited—it's only one-function computing at 1kHz. Features on silicon chips have continued to shrink, but they're coming close to hitting a wall where quantum effects will make controlling the flow of electrons a completely different challenge than the ones chip designers currently face. That's left many materials scientists considering other materials, such as carbon nanotubes. At 10nm in diameter, they're not much smaller than the features we're likely to be able to etch into silicon within the next few years. But the high conductivity of the nanotubes makes them relatively energy efficient
Using heartbeats as passwords to secure medical devices (Naked Security) It is time to start thinking of our hearts as random number generators. That's so they can serve as passwords to secure medical devices that are vulnerable to hacking, researchers at Rice University have proposed
Dark Wallet: a Radical Way to Bitcoin (New Yorker) Cody Wilson is a twenty-five-year-old former law student at the University of Texas at Austin. He is also the inventor of the Liberator, a gun made almost entirely from plastic pieces created with a 3-D printer; he uploaded to the Internet a blueprint that anyone could use to print such a gun
Academia
UMd., Northrop Grumman launch cyber honors program (Baltimore Business Journal) Students searching for an in to Maryland's growing cyber security community are seeing their higher education options expand
Legislation, Policy, and Regulation
Cutting the cord: Brazil's bold plan to combat the NSA (The Verge) President Dilma Rousseff wants to route internet traffic away from the US, but experts say it will do little to deter American espionage. Revelations about the American government's ongoing electronic surveillance have sent shockwaves across the globe, but few countries have reacted as boldly as Brazil, where lawmakers are currently considering a plan to cut ties — quite literally — with the US
NSA Fallout: EU to Suspend US Data Sharing Deal over SWIFT Hacking (Softpedia) The European Union is finally making its voice heard in a matter that called for immediate response a while back — NSA spying. The Union is threatening to suspend or terminate the EU-US Terrorist Finance Tracking Programme after reports indicated the NSA spied on SWIFT (Society for Worldwide Interbank Financial Telecommunication), International Business Times reports. "I am not satisfied with the answers I got so far," said Cecilia Malmström, EU's Home Affairs Commissioner, about the requests she made to the US authorities, mentioning there's need for more information and clarity
NSA chief seeks more data from private sector in sharing offer (CSO) While some experts welcome the move, another sees it as a Trojan horse for more access to Americans' communications. Gen. Keith Alexander, head of the embattled National Security Agency (NSA), says he is willing to share cyberattack information with the private sector — an offer seen as a Trojan horse by at least one expert. On Wednesday, Alexander told attendees of his keynote at the Billington Cybersecurity Summit that the NSA, the FBI, the Department of Homeland Security (DHS) and the CIA are ready to pass information back and forth with a select group of private organizations, provided they get the authorization from Congress
NSA chief Gen. Keith Alexander slams 'sensationalized' reporting (Politico) The leader of the embattled National Security Agency doubled down Wednesday against calls from Capitol Hill to restrict U.S. government surveillance programs — a campaign he attributed to "sensationalized" reporting and "media leaks." Gen. Keith Alexander instead emphasized the NSA isn't "listening to Americans' phone calls and reading their emails," and he urged technology and government leaders at a cybersecurity conference in Washington to help "get the facts out" and "get our nation to understand why we need these tools" in the wake of Edward Snowden's disclosures
NSA's Alexander Appeals for Threat Information Sharing (Threatpost) While Congress and the technology community are still debating and discussing the intelligence gathering capabilities of NSA revealed in recent months, the agency's director, Gen. Keith Alexander, is not just defending the use of these existing tools, but is pitching the idea of sharing some of the vast amounts of threat and vulnerability data the NSA and other agencies possess with organizations in the private sector
Fortune 500 and Government Leaders Reveal Cyberthreat Intelligence Sharing Landscape in New White Paper (Digital Journal) IID, making the Internet safe through shared intelligence, today announced the immediate availability of its white paper, "Sharing the Wealth, and the Burdens, of Threat Intelligence; Why Security Experts Must Unite Against Cyberattacks, and What's Stopping Them from Collaborating More Effectively." The white paper was developed based on interviews with executives and leaders from Microsoft, Georgetown University, the city of Seattle, FIRST (the Forum for Incident Response and Security Teams), a top-10 United States-based bank and more
Hacking The Threat Intelligence–Sharing Model (Dark Reading) A new report shines light on what's holding back more widespread, efficient sharing of attack intelligence among organizations. Threat intelligence-sharing among businesses, government agencies, and organizations is considered crucial for getting a jump on potential or active cyberattacks, and while the number of these exchanges is growing, much of the process remains mostly ad hoc, manual, and fraught with legal hurdle
Voluntary cyber incident reporting from the private sector better than mandatory, says report (FierceGovIT) Establishing voluntary mechanisms for private sector reporting of cybersecurity incidents is a better option than requiring mandatory reporting, concludes a Rand Corp. report commissioned by the European Parliament
Cyber Security Governance and the Theory of Public Goods (e-International Relations) Cooperation in cyber security is a difficult task even in the absence of national security considerations. Actions in cyberspace create numerous ambiguities, cause-effect relations span the whole globe and attribution of responsibility is often not possible. Once states participate in cyber security governance, however, collective action problems may become particularly severe. This article discusses international cooperation problems and institutional remedies by applying the theory of public goods. Its main conclusions are as follows: Whereas genuine free riding temptations pose only modest risks to cyber security governance, weak cyber defences create significant externalities and can therefore be understood as a global public bad. What may be required to improve this state of affairs is a future regime that combines 'sticks' and 'carrots' and, thus, changes state incentives
Senators to introduce comprehensive NSA and secret court reform bill (Ars Technica) "Secret courts were one of the reasons that we rebelled against the English." Sen. Ron Wyden (D-OR) and three other senators have taken up the charge of surveillance reform, announcing on Thursday afternoon their plans to introduce new legislation that would put a halt to the bulk metadata collection program and implement Foreign Intelligence Surveillance Court (FISC) reform, among other changes
'FISA is the Key to Connecting the Dots' (Threatpost) Faced with trying to accomplish its mission in an environment that suddenly has become quite hostile and inquisitive about its methods, the National Security Agency is becoming more and more public about the challenges that lie ahead and how the agency plans to address them. One of the key parts of this is a public
U.S. Senator asks if FBI can get iPhone 5S fingerprint data via Patriot Act (Hack Read) Since Senator Al Franken became part of the United States Senate, he has been the Chairman of the Senate Judiciary Subcommittee which deals with issues related to Privacy, Technology and the Law. He has been quite clear in his stance, which has been to raise and address the questions related to surveillance and technology issues which he feels are unjust, improper or simply questionable for some
Cybercom Activates National Mission Force Headquarters (American Forces Press Service) U.S. Cyber Command has activated the headquarters for its Cyber National Mission Force, one of its three forces that would react to a cyber attack on the nation, Army Gen. Keith B. Alexander, Cybercom's commander, said at the National Press Club today
China's lifting of internet blockade denied by state media (Register) Party mouthpiece says Great Firewall will stay in Shanghai zone. Hopes that the Chinese government was about to relax its strict internet censorship regime in Shanghai appear to have been dashed after state-run media ran stories denying previous reports
Litigation, Investigation, and Law Enforcement
Antonin Scalia expects NSA wiretaps to end up in court (Politico) Supreme Court Justice Antonin Scalia says the courts will ultimately have to determine the legality of wiretapping by the National Security Agency. And he's not sure that's a good thing
Google Begs Court to Reconsider Ruling That Wi–Fi Sniffing Is Wiretapping (Wired) Google is asking a federal appeals court to reconsider a recent ruling finding Google potentially liable for wiretapping when it secretly intercepted data on open Wi-Fi routers. The search giant said the Sept. 10 decision by the 9th U.S. Circuit
London schoolboy secretly arrested over 'world's biggest cyber attack' (London Evening Standard) A London schoolboy has been secretly arrested over the "world's biggest cyber attack" as part of an international swoop against a suspected organised crime gang. The 16–year–old was detained by detectives at his home in south-west London after "significant sums of money" were found to be "flowing through his bank account". He was also logged on to what officials say were "various virtual systems and forums" and had his computers and mobiles seized as officers worked through the night to secure potential evidence
EPIC FOIA Request Reveals No Evidence of NSA Interference with Tor Network (EPIC) In response to a FOIA request to the BBG, EPIC has received 74 pages of documents that reveal no efforts by the NSA to undermine the security or reliability of the Tor network. Recent news reports show a concerted effort by the National Security Agency to compromise cryptographic standards set by the NIST as well as Android, iPhone, and BlackBerry encryption. The NSA and FBI have also targeted the communications of Tor users. EPIC will continue to pursue FOIA requests that shed light on the efforts of the intelligence community to undermine cryptographic standards. For more information, see EPIC v. BBG
Why iFingerprinting Makes You Legally Unsafe (Storefront Backtalk) The new iPhone 5s's biometric fingerprint scanner can actually put consumers (or merchants, for that matter) in a worse position legally than the previous four-digit PIN. In fact, the biometric can open the contents of a consumer's phone and any linked payment systems, accounts or systems—including contacts, email and documents—less legally protected than the simple passcode. This is because the law may treat the biometric (something you are) differently from a password (something you know)
Barclays employee fined £3,360 for illegally accessing customer data (V3) A former employee of Barclays Bank has been fined £3,360 after being found guilty of illegally accessing a customer's data. Jennifer Addo was sentenced at Croydon Magistrates Court and prosecuted under section 55 of the Data Protection Act (DPA). The court ordered her to pay a fine of £2,990 for 23 offences, £250 prosecution costs and a £120 victim surcharge
Fake reviews land SEO companies in hot water (Naked Security) I make yogurt, the made-up yogurt maker said, and I run a nice little yogurt shop in Brooklyn. So what happens? Lousy Yelp reviews! My reputation — no, the reputation of an entire yogurt-making dynasty! — is at stake
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
NSU Hosts FBI Presentation on National Cyber Security Awareness (Fort Lauderdale, Florida, USA, Oct 3, 2013) GSCIS Hosts the Federal Bureau of Investigation (FBI) Special Agents special presentation on "National Cyber Security Awareness." RSVP at the link.
NSU's Raising Savvy Cyber Kids with Ben Halpert (Fort Lauderdale, Florida, USA, Oct 10, 2013) Ben Halpert is an award-winning author of several books for diverse audiences. The Savvy Cyber Kids At Home: The Family Gets A Computer (October, 2010) is a picture book that teaches the concepts of online safety and privacy to preschool children. The Savvy Cyber Kids At Home: The Defeat of the Cyber Bully (October, 2011) teaches children how to appropriately respond to a cyber bully before playing in the virtual world. All Savvy Cyber Kids books are available in English, Spanish, German, and French. For those in the business field, Ben has published Auditing Cloud Computing: A Security and Privacy Guide (July 2011) through John Wiley & Sons. RSVP at the link.
NSU Healthcare Cyber Security Summit (Fort Lauderdale, Florida, USA, Oct 17, 2013) In today's modern healthcare systems, data is everywhere, including sensitive patient data that needs to be secured and monitored. Join top healthcare security professionals from Nova Southeastern University, AccessData, and RSA to hear about current regulations that affect healthcare companies of all sizes, ways to protect sensitive data, and techniques to monitor access for suspicious activity. If you are responsible for the privacy or security of your company's healthcare data, you will benefit from presentations from these leading experts in the field. NSU's Chief Information Security and HIPAA Security Officer, John Christly, will examine the threats to the privacy and security of today's modern healthcare operations. You will also hear from experts from AccessData and RSA on how to detect and prevent data breaches. RSVP at the link.
NSU's 12 Simple Cybersecurity Rules For Your Small Business (Fort Lauderdale, Florida, USA, Oct 24, 2013) In this presentation twelve simple and inexpensive techniques for protecting small businesses from cyber threats will be discussed. While complex and expensive solutions exist to improve the security of information technology most of these products are not designed for the specific needs of small businesses. The techniques that will be discussed in the presentation are designed to address the most common threats encountered by small businesses without requiring significant expertise and expense. RSVP at the link.
Information Security Conference (Charleston, West Virginia, USA, Oct 2, 2013) On October 2, the WVOT Office of Information Security and Controls, will be sponsoring a no-charge information and cyber security awareness event at the Charleston Civic Center. The agenda will offer an energizing morning of highly informative sessions. Free posters, calendars, bookmarks, and other security-themed items will be available. The event is open to the public, however registration priority will be given to public sector officials and employees.
The Monktoberfest (Portland, Maine, USA, Oct 4, 2013) Our speakers will explore how social trends can change the way we build and use technology, and how technology in turn can change the way we socialize.
Suits and Spooks NYC 2013 (New York, New York, Oct 5, 2013) Since the landscape is foggy, the threat actors numerous and hard to identify, and the attacks proliferating on a daily basis, the focus of the next Suits and Spooks conference will be to identify non-state aggressors in cyberspace. About twenty speakers will present briefings over two days on hackers, citizen militias, and other non-state entities operating in the Middle East, China, Russia, Pakistan, India, Iran, Africa, South America, the United States (yes - we have non-gov threat actors domestically), and other parts of the world. One of our panel moderators will be Joel Brenner (former National Counterintelligence Executive at the Office of the Director of National Intelligence and former Senior Counsel at the NSA).
Forensics and Incident Response Summit EU (Prague, Czech Republic, Oct 6 - 13, 2013) The Summit will focus on high quality and extremely relevant content as well as panel discussions in Digital Forensics and Incident Response. In addition, we encourage you to take every opportunity to make the most of this event from attending the Summit to registering for one or more of the post-summit training classes taught by SANS' top-rated instructors and course authors. Additional events such as DFIR Netwars, evening talks and the SANS Community Night will be taking place during that week too. This event promises to bring together the leading minds in digital forensics and incident response in the EU, as well as many other practitioners from a wide cross section of industries and company sizes. You will be able to share with all of them your challenges and find out new solutions that work, techniques and approaches you didn't even know existed.
CyberMaryland 2013 (Baltimore, Maryland, USA, Oct 8 - 9, 2013) Join cybersecurity leaders, luminaries and rising stars at CyberMaryland 2013. This two-day event at the epicenter of the nation's cybersecurity innovation and education, will create opportunities for networking and idea sharing amongst the many cyber leaders and professionals across the country, including: federal, state and local government agencies, academic institutions, cybersecurity entrepreneurs, and industry leaders of research and development. CyberMaryland 2013 will address the biggest challenges facing America, including future innovation to meet the security challenges facing our country; collaboration across industry, government and educational institutions; and the development of a generation of cyber-warriors. Surrounding all of these issues is a constantly evolving business framework to provide efficient and effective solutions in a time frame that anticipates and mitigates current and future threats.
2013 Maryland Cyber Challenge (Baltimore, Maryland, USA, Oct 8 - 9, 2013) Held in conjunction with Cyber Maryland and intended to let students and young professionals showcase their cybersecurity skills, Maryland Cyber Challenge offers competition in three divisions: high school, college, and professional. Orientation sessions for teams in each of three divisions -- high school, collegiate and industry and government professionals -- will be held at UMBC in July and August. Two qualifying rounds will be conducted online using SAIC's Cyber Network Exercise System.
AFCEA Hill AFB Technology & Cyber Security Expo (Ogden, Utah, USA, Oct 9, 2013) The purpose of this first-time event is to allow base personnel the opportunity to learn about the latest computer security trends, network with peers, share remediation strategies and to view and demo some of the latest cyber security and information technology products/services available today.
International Conference on Cyber–Enabled Distributed Computing and Knowledge Discovery (Shanghai, China, Oct 10 - 12, 2013) The International Conference on Cyber-enabled Distributed Computing and Knowledge Discovery (CyberC) promotes research and development of cyber-related technology. Its scope is unique and significant, spanning cyber-enabled data mining and knowledge discovery, distributed and parallel computing, cyber security, cloud computing, pervasive computing, mobile computing, Internet, wireless networks, cognitive systems, cyber information processing, information discovery, e-health via cyber networks, e-science, web technology, and network performance and tools. Research and development in these areas has received extensive attention in both academia and industry as a way to provide ubiquitous services for users. Various hardware and software designs, algorithms, protocols, simulations, test-beds, and implementations are being developed for distributed computing in an interconnected and distributed network environment. The purpose of CyberC is to provide a forum for presentation and discussion of innovative ideas, research results, applications and experience from around the world, as well as to highlight activities in the related areas.
VizSec 2013 (Atlanta, Georgia, USA, Oct 14, 2013) VizSec brings together researchers and practitioners in information visualization and security to address the specific needs of the cyber security community through new and insightful visualization techniques.
Hack-in-the-Box Security Conference 2013 (Kuala Lumpur, Malaysia, Oct 14 - 17, 2013) The 11th annual HITB Security Conference (16th/17th October) will be a triple track offering featuring keynotes by Andy Ellis, Chief Security Officer at Akamai and Joe Sullivan, Chief Security Officer at Facebook. This year's event also features all new 2-day training courses (14th/15th October) on a wide variety of topics including Android exploitation, extreme web hacking, infrastructure security, exploiting injection flaws and a special iOS security course by the world famous Evad3rs team. The full speaker list and conference agenda will be released after the Call for Papers closes on the 25th of July.
USDA Cyber Security Symposium and Expo 2013 (Washington, DC, USA, Oct 15, 2013) The Cybersecurity Expo, running in conjunction with the Summit, will allow exhibitors the opportunity to provide live demos and share information with government personnel and industry partners. Summit topics will focus on today's vulnerabilities, incidents, security lifecycle, risks and mitigations; it will also identify ways to work together and build a solid security foundation program to meet future challenges and trends in cyber security.
SNW Fall 2013 (Long Beach, California, USA, Oct 15 - 17, 2013) SNW is the world's largest independently produced conference series focused on the evolution of architecture for a new world of mobility, Big Data and business agility. Produced by Computerworld -- and co-owned by Computerworld and the Storage Networking Industry Association (SNIA) -- SNW remains unbiased and vendor agnostic. Unlike events focused on a specific vendor agenda and product portfolio, SNW provides a forum of open thought leadership and practical education that defines the spectrum of storage, data and infrastructure solutions available to a highly qualified audience of enterprise technology decision-makers.
Hexis Exchange (Athens, Greece, Oct 16 - 17, 2013) Attendees will have the opportunity to participate in a knowledge exchange of the latest enterprise security topics through expert led business and technology forums, hands-on sessions, and training. Such topics will include: emerging cybersecurity threats, big data management, advanced analytics, government regulation & compliance, and data retention challenges & solutions.
Cybersecurity Symposium: "Protect. Defend. Educate." (Linthicum, Maryland, USA, Oct 16 - 17, 2013) The Cybersecurity Symposium being held October 16-17, 2013, will deliver first-class training for government and industry security professionals while simultaneously offering high-level keynote speakers, essential networking opportunities, and an informative technology exposition. The Symposium sessions will have a special emphasis on security challenges facing today's security professionals and cyber awareness training for security professionals responsible for protecting sensitive and classified information from the ever increasing threats of mobile devices, espionage, terrorism, and cyber-attacks to ensure our national security. Register by August 31 to ensure the reduced early bird registration fee. This event is free for government employees and active-duty military personnel. Exhibit space and sponsorship opportunities are also available.
Nuclear Regulatory Commission Cyber Security Conference & Expo (Rockville, Maryland, USA, Oct 17, 2013) This one-day conference will consist of cyber sessions in the NRC Auditorium given by government and industry speakers. Exhibit tables will be set-up just outside the Auditorium and companies will have the opportunity to demo their latest technologies to NRC's IT personnel.
Securing the Internet of Things Summit (San Francisco, California, USA, Oct 21, 2013) The Internet of Things is still in its infancy and the security community has a chance to build in new approaches to security if we get started now. More secure embedded operating systems and applications, more scalable approaches to continuous monitoring and threat mitigation and new ways of detecting and blocking active threats are evolving and can be tremendously effective. SANS is looking to bring together community talent and ideas to develop new solutions, demonstrate security technology that already works and to provide a force multiplier to making the Internet of Things be more secure than the first phases of Internet evolution.
13th Industrial Control Systems Cyber Security Conference (Atlanta, Georgia, USA, Oct 21 - 22, 2013) Industrial Control Systems (ICS) operate the infrastructures of electric power, water, chemicals, manufacturing, transportation, defense, etc. and link the digital and physical worlds. Their cyber security presents challenges that are distinct from securing traditional IT systems. The conference is attended by control & operations engineers and their IT counterparts from critical infrastructure industries, by ICS and security vendors, and by universities. Run under the Chatham House rules of confidentiality, the conference discusses ICS cyber incident case studies, provides regulatory updates, discusses solutions in the form of policies and procedures, presents demonstrations of hacking ICS and ICS protocols, and provides a status of ICS security solution field demonstrations.
Cloud Connect (Chicago, Illinois, USA, Oct 21 - 23, 2013) Cloud Connect returns to Chicago October 21-23, 2013 with an all new program built around the leading cloud platforms. Cloud Connect provides the independent guidance IT professionals need to successfully build, operate and manage the cloud, and the tools to measure application performance and business metrics.
cybergamut Technical Tuesday: Cyber Security Strategy — Why We're Losing and What's Needed to Win (Columbia, Maryland, USA, Oct 22, 2013) CrowdStrike's Steve Chabinsky explains the situation. Everybody seems to be spending more on cybersecurity, but with questionable return on investment. In fact, the problem clearly is getting worse, and current strategies show no indication of reversing that trend. This non-technical presentation explores the typical cyber risk environment, considers the proper balance and likely effectiveness of threat deterrence, vulnerability mitigation, and consequence management to reduce cyber risk, and examines the current and evolving roles of government agencies and the private sector in addressing the problem. Backed by powerful, real-world examples of threat actor tactics, this presentation will help managers develop a better understanding of how their current security approach is most likely to succeed or fail over time, and what strategies are the most likely to shift the advantage to the good guys. cybergamut is co-hosting this event with the Maryland Chapter of InfraGard.
Cyber Security Seminar and IT Expo at Peterson AFB (Colorado Springs, Colorado, USA, Oct 22, 2013) The Cyber Security Seminar and IT Expo is a one-day event held on-site where industry vendors will have the opportunity to display their products to personnel attending briefings concerning the latest updates in Cyber Security Awareness. This is an excellent and unique opportunity to meet IT personnel from USNORTHCOM, NORAD, Army Space Command, USSPACECOM, and the 21st Space Wing all in one day.
Joint Federal Cyber Summit 2013 (Washington, DC, USA, Oct 23 - 24, 2013) This collaborative government wide event is truly one of a kind, with speakers and attendees anticipated to represent more than 10 federal government agencies. Information sharing will be accomplished through keynote speakers on both days, along with numerous targeted breakout sessions (including a session with a federal CISSO panel), hands on live demonstrations, and industry exhibits.
2013 ACT–IAC Executive Leadership Conference (Williamsburg, Virginia, USA, Oct 27 - 29, 2013) Advances in technology and massive increases in data available can both challenge and transform Government mission performance. ELC-2013 focuses on how to make this transformation a reality, in and for agencies. We will hear from nationally prominent speakers and work across government and industry to learn new ideas and techniques. Four mission-oriented tracks will focus on initiatives for driving results using data and the "Innovate, Deliver, Protect and Analyze" paradigm that is at the heart of the Government's strategic vision.
SAP NS2: National Security Solutions Summit (Falls Church, Virginia, USA, Oct 29, 2013) Join us for a day of learning and networking focused on how to advance U.S. national security and homeland security through I.T. innovation. Top-notch speakers will address the new challenges facing U.S. national security and critical infrastructure -- as well as powerful, affordable technologies that are available today to tackle those challenges while saving money and simplifying operations. Learn how your organization can run faster, smarter, leaner in the most secure environments -- with world-class, breakthrough solutions that are bold alternatives to business as usual.
Regional Cyber Security Forum & IT Day (CSFI) — Hawaii (Honolulu, Hawai'i, USA, Oct 30, 2013) 2013 marks the 10th anniversary of National Cyber Security Awareness Month, and FBC will host the 1st Annual Cyber Security Forum & IT Day (CSFI) at Fort Shafter - Club Hale Ikena to coincide with the anniversary and the activities surrounding this month. The goal of CSFI is to raise cyber security awareness and to promote best practices in cyber while allowing DoD personnel and industry partners the opportunity to share the most up-to-date remediation strategies. The event will feature four educational cyber sessions to go along with an exhibit hall.
NSA Hawaii — Cyber Security, Intelligence & IT Day (Honolulu, Hawai'i, USA, Oct 30, 2013) Be a part of the 1st Annual Cyber Security, Intelligence and IT Day set to take place at the new National Security Agency (NSA) Hawaii Rochefort facility. The event will be hosted by NS/CCS Hawaii Technology Directorate and will focus on Cyber Security, Big Data and Cloud Computing. There are other areas of interest listed below as well. This is an extremely unique opportunity to network with NSA personnel in Hawaii at their location. Educational sessions will be provided to attendees to coincide with government and industry exhibits.