The CyberWire Daily Briefing for 9.27.2013
Sudan's Internet is back up. Hacktivists with Palestinian sympathies threaten to attack Israeli networks over the weekend, and an Iranian hacker for some reason defaces the website of New York University's Asian/Pacific/American Institute.
Icefog's "mercenaries" prompt concern about more smash-and-grab APTs.
Mailbox runs Javascript from emails on iPads and iPhones, but many disagree with researcher Spagnuolo's identification of this as a flaw.
As September's IE zero-day continues to be exploited, Kaspersky reports this obvious-but-important fact: vulnerabilities left unpatched will not be left unattacked.
Trojans remain more prevalent than other forms of malware.
Last month's big DDoS attack on China's DNS may have been the inadvertent work of a guy from Qingdao.
CAPTCHA-solving tools are noticed on the black market, and security researchers realize the commodity's been there for four years.
SSNDOB's infiltration of data brokers shakes knowledge-based authentication, which is quickly achieving a password-like obsolescence (as it retains a similar faute-de-mieux utility). This and other episodes also prompt a hard look at breach disclosure (Silent Circle, for one, claims most big organizations are seriously remiss here) and threat information sharing (most enterprises would like it, but few see any obvious way of doing it).
The US Senate questioned Intelligence Community leaders yesterday, and testimony by Messrs. Clapper, Alexander, and Cole is linked below. Legislation overhauling surveillance is under development, and however the final outcome for intelligence turns out, it's unlikely to restore the status quo ante.
Some Australian experts say hacking back is legal down under (but caveat lector, Oz.)
Notes.
Today's issue includes events affecting Australia, China, France, Germany, Iran, Israel, New Zealand, Sudan, Sweden, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Sudan's Internet Back Up After A Day In The Dark (TechCrunch) The Republic of Sudan was digitally cut off from the world today, amid government protests. The government likely cut the cord to stem outrage over the termination of fuel subsidies, though they have yet to issue an official statement on the matter. "There are 4 physical routes from Sudan to the rest of the world. So, it is unlikely that all four cables were cut. Instead it is likely that
"Resistance Hackers" threaten cyber-attack against Israel on Saturday (Ahlul Bayt News Agency) A group of resistance hackers in the Gaza Strip has threatened to launch a cyber attack against Israeli websites on the 13th anniversary of al-Aqsa Intifada (the second Palestinian uprising) next Saturday
Website of Asian/Pacific/American Institute at NYU Hacked and Defaced (Softpedia) An Iranian hacker that uses the online moniker "le4derofh4ck" (Leader of Hack) has breached the systems of the New York University. As a result of the breach, he has managed to deface the official site of the Asian/Pacific/American Institute at New York University
Rise Of The 'Hit–And–Run' APT (Dark Reading) A new model of cyberespionage is emerging that relies on cybermercenaries hired to break in, steal information, and then leave — with specific targeted information. Yet another cyberespionage gang out of Asia has been discovered working on a for-hire basis as advanced persistent threat (APT)-type attackers shift gears toward a more focused, stealthy, "smash–and–grab" strategy using contracted hackers
Stealthy New Click-Fraud Malware Related to Tor Botnet (Threatpost) A malware family, likely developed by the same authors who built a massive botnet recently discovered on the Tor network, has been revived with a stealthy new click-fraud scam
"Mailbox" app on iPads and iPhones runs JavaScript from emails — vulnerability or feature? (Naked Security) Italian computer scientist Michele Spagnuolo recently wrote about what he considered a security issue in the popular iPhone and iPad email app "Mailbox." Not everyone agreed with him
Mailbox tries (and fails) to fix Javascript security hole (Graham Cluley) The researcher who rang alarm bells about a serious Javascript security hole in the popular Mailbox iPhone app, says that there is still a problem — even though the company itself believes it has resolved the issue
IE zero–day actively being exploited in the wild: Rapid7 (ZDNet) Criminals are actively abusing the zero-day vulnerability found in Internet Explorer, with exploit code now being found in the wild. Businesses running Internet Explorer should consider taking better precautions now that code to exploit a recently discovered zero-day vulnerability in the browser is making the rounds. According to Rapid7 senior engineering manager Ross Barrett, exploit code is now being widely distributed on the web. He said that earlier this week, he saw exploit code submitted to Virus Total and Scumware
Attackers can slip malicious code into many Android apps via open Wi–Fi (Ars Technica) Connect hijacking could put users at risk of data theft, SMS abuse, and more. A vulnerability affecting older versions of Google's Android operating system may make it possible for attackers to execute malicious code on end-user smartphones that use a wide variety of apps, researchers said
Cyber criminals continue to exploit known vulnerabilities: Kaspersky (ARN) Cyber criminals still make extensive use of known vulnerabilities, even as zero-day attacks continue to rise
Report: 8 Out of 10 Users Infected With A Trojan (Dark Reading) Trojans are king: They now account for more than three-quarters of all new malware created and 80 percent of all malware infections, according to new data published this week. Some 77 percent of all new malware is a Trojan, while worms make up 11.3 percent, and viruses, 10.3 percent, of new malware, PandaLabs found in its second quarter 2013 threat report. The story is much the same for malware infections, with 79.7 percent due to Trojans, 6.7 percent due to viruses, and 6.1 percent due to worms
Amateur hacker behind DDoS attack on China? (Help Net Security) When, in late August, China's Domain Name Service was targeted by a huge DDoS attack which ultimately led to many websites being completely inaccessible for a period of time, the questions everybody wanted answered were: who did it, and why? According to the latest information made public by Wang Minghua, an operator with the National Computer Network Emergency Response Coordination Centre of China (CNCERT/CC), the attack seems to have been tied to a single, amateur hacker from Qingdao in the Shandong province
Hack of major data brokers weakens bank authentication (CSO) LexisNexis, Dun & Bradstreet and Kroll Background America hacks raise more doubt on the effectiveness of knowledge-based authentication. The reported hack of major consumer and business data aggregators has intensified doubts of the reliability of knowledge-based authentication widely used in the financial services industry, analysts say
DIY commercial CAPTCHA–solving automatic email account registration tool available on the underground market since 2008 (Webroot Threat Blog) With low-waged employees of unethical 'data entry' companies having already set the foundations for an efficient and systematic abuse of all the major Web properties, it shouldn't be surprising that new market segments quickly emerged to capitalize on the business opportunities offered by the (commercialized) demise of CAPTCHA as an additional human/bot differentiation technique. One of these market segments is supplying automatic (email) account registration services to potential cybercriminals while on their way to either abuse them as WHOIS contact point for their malicious/fraudulent domains, or to directly embed automatically registered accounting data into their Web-based account spamming tools
Silent Circle claims major companies not declaring data breaches (Guardian) The company which shut its secure email over privacy concerns says corporate customers have admitted regular data breaches
Unanswered questions after the KVM hacks against Santander and Barclays bank (Graham Cluley) Neira Jones is a well-known name in the world of payment security and risk management, making her the ideal person to ask some difficult questions of banks targeted in the recent KVM (Keyboard video mouse) attacks. The last few weeks have seen headlines in the UK press about cybercriminal gangs targeting the likes of Santander and Barclays bank, using social engineering techniques to install KVMs (keyboard video mouse) to spy on staff computers and steal money
Major NZ retail chain hit by phishing attack (New Zealand Herald) NetSafe is warning businesses to be on the alert after a major retail chain was targeted by overseas cyber criminals in a well-planned phishing attack that attempted to convince store staff to install rogue software on their computers
Unique Vintage Admits Security Breach (eSecurity Planet) Customers' names, e-mail addresses, phone numbers and credit card numbers were accessed
Cybercriminals exploit most news within 22 hours (Help Net Security) Cybercriminals continue to respond with lightning speed when they see an opportunity to exploit a national or global news story to spread malware. In fact criminals are inventing "breaking news" that appears to relate to high-profile current events
The Coming Risk of Scam "Obamacare" Sites (Trend Micro Simply Security) In the United States on October 1, 2013 a major provision of the Affordable Care Act (also popularly known as "Obamacare") goes into effect. The Health Insurance Exchange will go live. These sites are where people will be able to sign up for health care coverage themselves rather than through their employer. One way people will be able to sign up for coverage after October 1 is online. But because of the way this online registration will work and the type of information people will have to enter to get health care coverage, there's a real risk of a perfect storm that can make this process a bonanza for identity thieves and cybercriminals. This could be the most significant new area for phishing and identity theft in the next year in the United States. It also can give established healthcare scammers a new field to look for victims
Dictatorship 101: Don't Shut Off the Internet for a Day (Slate) The Internet monitoring firm Renesys reports that Sudan's Internet is back up after a 24-hour complete blackout…According to the firm's analysis, the fact that different service providers in the country came down at different times "implies that this event was not caused by a single catastrophic technical failure, but strongly suggests a coordinated action to remove Sudan from the Internet." Add to that, the fact that the outage occurred during the country's worst protests in about two years, in which at least 24 have been killed
ARP Spoofing And Lateral Movement (TrendLabs Security Intelligence Blog) In targeted attacks, during the lateral movement stage attackers try to gain access to other computers on the same local area network (LAN). One useful tool to achieve this is ARP spoofing, which can be used to carry out a variety of attacks to steal information as well as plant backdoors on other machines. We recently came across a tool that automates ARP attacks, as well as using these kinds of attacks to inject IFRAMEs into websites, deliver fake software updates, and disrupt SSL connections
Security Patches, Mitigations, and Software Updates
Apple releases iOS 7.0.2 — swiftly squashing two lockscreen bugs (Naked Security) Apple has quickly fixed two lockscreen bugs that it introduced with iOS 7. Well done, Cupertino! (To all hardcore Apple fans reading this: that's not irony. I really mean it.
Apple releases iOS 7.02, fixing lockscreen passcode flaw (Graham Cluley) Apple has just released a new version of iOS for iPhone and iPad users, which they claim will fix the various passcode flaws that have been embarrassing the company since the recent launch of iOS 7
Tumblr Fixes DOM XSS Bug (Industrial Safety and Security Source) There is a DOM-based cross-site scripting (XSS) vulnerability in Tumblr, a researcher found. If unfixed, the issue could end up exploited for spamming, spreading malware and phishing, said Portuguese security researcher David Sopas
Cyber Trends
Time for a Change in Security Thinking (Threatpost) Security, like a lot of other things, tends to go in phases. A new attack technique is developed, vendors respond with a new defensive technology and then attackers find a way to defeat it. It has always been that way. And right now, things seem to be in one of those periodic down cycles in which the attackers have the upper hand
Challenges faced by top CSOs (Help Net Security) (ISC)² released new data that outlines the chief challenges faced by top enterprise security executives and illustrates the broad range of complex — and sometimes conflicting — challenges faced by today's enterprise information security leaders
Security Staff Feel Largely Unprepared for Cyber–Espionage and APTs (InfoSecurity Magazine) Advanced persistent threats (APTs) are insidious, multi-pronged and stealthy — and aimed at siphoning off an organization's intellectual property. But when it comes to protecting those crown jewels, the thieves seem to be staying one step ahead of security departments
Industry leaders perceive numerous security threats to their data (Help Net Security) An overwhelming majority of business leaders believe their customers and clients worry about breaches of personal data held by their organizations. Unisys-sponsored research conducted by IDG Connect found that 91% of business decision makers surveyed were concerned about their customers' perceptions of their organization's ability to protect personal data, with 65% of decision makers reporting they believe customers are "very concerned"
Organizations fear their privacy activities are insufficient (Help Net Security) The perceived level of maturity attached to organizations' privacy activities has decreased since 2011, as many organizations deem their existing privacy activities to be inadequate, according to a survey by Gartner. The survey found that 43 percent of organizations have a comprehensive privacy management program in place, while 7 percent admitted to "doing the bare minimum" regarding privacy laws
Organizations are flying blind as they embrace cloud services (Help Net Security) Organizations lack the information to understand and mitigate a broader set of risks posed by the use of cloud services, according to Skyhigh Networks. "What we are seeing from this report is that there are no consistent policies in place to manage the security, compliance, governance, and legal risks of cloud services," said Rajiv Gupta, founder and CEO at Skyhigh Networks. "Our cloud usage analytics suggest that enterprises are taking action on the popular cloud services they know of and not on the cloud services that pose the greatest risk to their organization. Lack of visibility into the use and risk seems to be the crux of the problem"
In 2020, Cyberthreats Get Physical and the Internet of Things Opens Gaping Security Holes (Infosecurity Magazine) From cloud-powered denial-of-service attacks and Big Data vulnerabilities to bio-hacks that defeat authentication systems like fingerprint recognition, we are on the cusp of a brave new world of cyber-attack exploits, Europol warns
Most CIOs grossly underestimate how many cloud apps their employees use (CITEWorld) Skyhigh Networks, the company that monitors the use of cloud services for businesses, released its first trend report about its customers. If you doubted how popular cloud services have become, this should be a real eye opener. The report shows the incredible growth of cloud services in businesses and just how clueless IT departments are about what employees are doing in the cloud
Chief Security Officers Get Down to Business (eSecurity Planet) These days the role of the chief security officer (CISO) is less about technology and more about managing business risk. As organizations see IT security within the larger context of risk management, so too is the role of the chief information security officer (CISO) taking on greater significance. Fewer and fewer CISOs have technical backgrounds, and many are moving to a more proactive footing where they seek to influence corporate strategy
39% of big data developers say government agencies are spying on our data (Venture Beat) Two out of five software engineers working on big data solutions say that government agencies are tracking the data they're collecting, creating, and analyzing. And if you only ask those who are confident they could tell if the government was indeed spying on their data, that number goes up to 59 percent. Which suggests they know — not just think — that governments are spying
Users want a seamless experience in public Wi–Fi (Help Net Security) With smartphone and tablet usage continuing to explode, operator-deployed Wi-Fi networks are playing an increasing role in keeping users connected on the go. A new study conducted in Europe on behalf of Wi-Fi Alliance indicates that advanced features such as seamless authentication, on-site enrollment of additional devices, and Wi-Fi roaming present operators with compelling opportunities to drive business value
Marketplace
Future Air Force Contracts Likely Will Include Firm Price Caps (National Defense) The Air Force is considering placing price caps on major procurement programs — that when reached — will force Pentagon buyers to rethink requirements and make tradeoffs in favor of affordability, a senior civilian with the service said Sept. 26. Richard W. Lombardi, deputy assistant secretary for acquisition integration with the office of the assistant secretary of the Air Force for acquisition, said defense officials are giving more weight to long-term affordability as they lay out a series of spending plans that will be published in coming months…Another top priority is developing a viable strategy for acquisition of cyber-related systems and weapons, Lombardi said. The cyber-realm, which is under Air Force auspices, develops at such a high speed that the Pentagon's acquisition apparatus cannot keep pace, he said
Microsoft, Facebook and Mozilla hunt for developers at HackWEEKDAY (Help Net Security) This October, developers from around the globe have an opportunity to showcase their coding skills to an international audience at the HackWEEKDAY hackathon in Kuala Lumpur
Education and skills key to cyber security, says (ISC)² (ComputerWeekly) Information security professionals are making progress, but they are still losing the race against adversaries, according to Hord Tipton, executive director of security professional certification body (ISC)². But one of the biggest challenges is the lack of skilled people to help mitigate the security risks as businesses move into mobile and cloud computing
MITRE to Run Natl Security Engineering Center for $626M (GovConWire) MITRE Corp. has received a $626.2 million contract from the U.S. Army to help manage a federally funded research and development center focused on national defense and intelligence strategies
National Governors Association directs members to DHS continuous monitoring BPA (FierceGovIT) State governments can make use of the Homeland Security Department's continuous monitoring blanket purchase agreement and may want to do so in conjunction with managed security services available through the DHS-recognized Multi-State Information Sharing and Analysis Center, says a paper from the National Governors Association
Can China Protect Itself From NSA Spying? (Atlantic) Following Edward Snowden's revelations, Beijing has kickstarted its domestic cyber-security industry. But there's still a long way to go
Products, Services, and Solutions
Google Returns to Larry and Sergey's Garage for Massive Search Revamp (Wired) If you've started to feel like Google understands you a little better, the company says that's because they've quietly rolled out the biggest revamp of search in years
Multifactor authentication available on Windows Azure (InfoWorld) Microsoft is pricing the service at $2 per month per user for unlimited authentications
Watchful Software updates its information protection solution (Help Net Security) Watchful Software released RightsWATCH 5.0, which extends the secure flow of information throughout an organization while automatically applying corporate security policies without users having to make decisions or do extra work. This ensures that classified information can be used by valid users anywhere even if they are outside of the secure network perimeter and using BYOD devices
Amazon.com released Fire OS 3.0 "Mojito" (Help Net Security) Amazon.com introduced Fire OS 3.0 "Mojito," the next generation of software and services that powers Kindle Fire tablets, with hundreds of updates and new features to give customers an OS experience with Android app compatibility
Deploy endpoint encryption technologies with Wave Cloud 2014 (Help Net Security) Wave Systems launched Wave Cloud 2014, a cloud-based service for enterprise-wide management of endpoint encryption. It includes management of Windows BitLocker and Mac FileVault in addition to self-encrypting drives (SEDs), enabling the service to handle the complete spectrum of embedded endpoint encryption technologies
CORE Impact Pro 2013 R2 gets enhanced web services capabilities (Help Net Security) CORE Security released CORE Impact Pro 2013 R2, that allows organizations to proactively test IT infrastructure and identify exactly where and how an organization's critical data can be breached
Technologies, Techniques, and Standards
Establishing The New Normal After A Breach (Dark Reading) Breach response shouldn't just be about notifications and systems clean–up — organizations can use their mistakes as learning aids to change processes and policies for lasting security success. As embarrassing and costly as a big data breach may be for an organization, many security professionals will tell you that this kind of incident may be good news in the long run for the risk posture of the business. Sometimes even after numerous warnings from security and risk advisors, the only way for senior managers to sit up and pay attention to a set of risks is to have an incident from that risk detailed blow by blow in the business press
The Ripple Effect: Containing Cryptolocker (Umbrella Security Labs) In the past, we have demonstrated use cases of massive data-driven algorithmic malware and botnet detections, given our unique visibility to the global DNS traffic. When dealing with cases of few infections and thus mostly low traffic volume (but not necessarily less impact!), making correlations and revealing patterns with little contextual information becomes both tricky and critical. Using the recent revival of the ransomware Cryptolocker, which victimized a few OpenDNS customers, we present a case study of a method that we call the Ripple Effect
How to avoid being one of the "73%" of WordPress sites vulnerable to attack (Naked Security) Researchers have concluded that 73% of the 40,000 most popular websites that use WordPress software are vulnerable to attack. But they admit they might be wrong. Even so, they still highlight an important security issue which isn't diminished one iota by their sketchiness
Cyber Resilience: Building a Defense Strategy that Works (InfoSecurity Magazine) The ISF's Steve Durbin discusses how organizations can converge cybersecurity and risk management strategies to help deal with unknown threats in cyberspace
Threat–Intel Sharing Services Emerge, But Challenges Remain (Dark Reading) A number of services to help companies analyze threats and share intelligence have popped up, but the services have to solve some key problems. Six years ago, when Mike Hamilton, the chief information security officer for the City of Seattle, wanted to collaborate with other local municipalities, the federal government and critical-infrastructure providers to exchange threat information, no platform existed through which to share threat intelligence
When Internet trolls attack: A view from the receiving end (CNET) One well-known science site recently turned off reader comments altogether due to trolls and spambots. The host of CNET TV show Rumor Has It, who has dealt with her share of online abuse, ponders the move
Research and Development
'Viceroi' algorithm improves detection of click fraud (ComputerWorld) A group of researchers have devised an algorithm they say could help advertising networks better detect fraudulent clicks. Fraudsters have developed sophisticated ways to perpetrate click fraud, which involves using various methods to generate fake clicks on advertisements, defrauding advertisers. Digital marketing revenues are rapidly growing and exceeded US$36 billion in 2012 in the U.S., according to the Interactive Advertising Bureau
Assuring the integrity of voting using cryptography (Scientific American) American voters have no way of knowing that our votes have been counted, or counted correctly. We go to the polls and we punch buttons on a screen or fill out paper ballots and put them in a box, but we don't know if the electronic voting machine works correctly, if the ballot box made it to the election office, or if the ballots have been accurately tallied. The rise of electronic voting machines with secret, proprietary software has only made these problems worse
What Nanotube Computer Means To Moore's Law (InformationWeek) Stanford scientists have built a nanotube computer, an engineering feat that points to continuing advances in computational performance
Academia
Forget Foreign Languages and Music. Teach Our Kids to Code (Wired) J. Paul Gibson began to teach programming classes for teens out of frustration. A computer scientist at the National University of Ireland, he had by 1998 become shocked at the ineptness of his students. "I was seeing 18- and 19-year-olds having trouble with basic programming concepts that I myself had learned when I was 12," recalls Gibson, who taught himself to code on a Sinclair ZX81. "I realized they hadn't seen any programming in school at all up to that point. So I thought maybe one of the problems we were having is that they were coming to it too late." As word of Gibson's classes spread, primary schools in the Dublin area sought his services too
Carnegie Mellon's Information Networking Institute Receives Federal Funding for Cybersecurity Scholarships (Digital Journal) Seventeen Carnegie Mellon University graduate students were recently awarded scholarships in cybersecurity from the National Science Foundation, the Department of Homeland Security's CyberCorps Scholarship for Service (SFS) Program and the Department of Defense's Information Assurance Scholarship Program (IASP). The SFS awards went to nine students in CMU's Information Networking Institute (INI) and six students at CMU's Heinz College. The IASP awards went to two INI students
Legislation, Policy, and Regulation
Senators introduce reform initiative in light of aggressive NSA surveillance (SC Magazine) Extensive National Security Agency (NSA) surveillance has led four senators to introduce the Intelligence Oversight and Surveillance Act, a reform initiative designed to maintain privacy without impeding security. Senators Ron Wyden (D-Ore.), Mark Udall (D-Colo.), Richard Blumenthal (D-Conn.), and Rand Paul (R-Ky.) spoke live Wednesday about the proposal, which will amend the Foreign Intelligence Surveillance Act (FISA) and seek to improve the Foreign Intelligence Surveillance Court (FISC)
Senate pursues law to limit NSA surveillance (Fresno Bee) Chairwoman Dianne Feinstein says the Senate Intelligence Committee is drafting legislation to limit the National Security Agency's access to U.S. phone and email data in an effort to win back public trust following disclosures about widespread domestic surveillance
Remarks as delivered by James R. Clapper, Director of National Intelligence at an Open Hearing on Foreign Intelligence Surveillance Authorities (IC on the Record) Open Hearing on Foreign Intelligence Surveillance Authorities, U. S. Senate Select Committee on Intelligence. Chairman Feinstein, Vice Chairman Chambliss, and distinguished members of the Committee. Thank you for having us here today, to talk about the way ahead, occasioned by the dramatic revelations about intelligence collection programs since their unauthorized disclosure, and about the steps we're taking to make these programs more transparent, while still protecting our national security interests
Remarks as delivered by General Keith Alexander, Director of the National Security Agency (IC on the Record) Open Hearing on Foreign Intelligence Surveillance Authorities, U. S. Senate Select Committee on Intelligence. Chairman Feinstein, Vice Chairman Chambliss, distinguished members of the committee, I am privileged today to represent the work of the dedicated professionals at the National Security Agency, who employ the authorities provided by Congress, the courts and the executive branch to help defend this nation. If we are to have a serious debate about how NSA conducts its business, we need to step away from sensational headlines and focus on the facts
Remarks as delivered by Deputy Attorney General, James Cole (IC on the Record) Open Hearing on Foreign Intelligence Surveillance Authorities, U. S. Senate Select Committee on Intelligence. Thank you, Chairman Feinstein, Vice Chairman Chambliss, distinguished members of the committee, for inviting us here today to talk about NSA's 215 business records program and Section 702 of FISA. I'm going to try and be brief and just focus my opening remarks on the 215 program
NSA: Surveillance court says no upper limit on phone records collection (ComputerWorld) The agency intends to collect all US phone records and put them in a searchable database, director Keith Alexander says
U.S. officials dodge questions on scope of surveillance (Washington Post) U.S. officials declined to directly answer lawmakers' questions on Thursday about the full scope of the National Security Agency's collection of Americans' data, including whether it has ever sought to acquire large volumes of cellphone location information or other records. NSA Director Keith Alexander dodged questions by a senior member of the Senate Intelligence Committee about whether the agency has ever tried to augment its broad collection of virtually all Americans' phone-call records by gathering data that would indicate the callers' locations. He noted that intelligence officials had given a classified answer to the question
Sen. Ron Wyden: NSA 'repeatedly deceived the American people' (Guardian) About the Snowden disclosures, the Oregon Democrat told the NSA chief: 'the truth always manages to come out.' The Senate Intelligence Committee yesterday held a hearing, ostensibly to investigate various issues raised about the NSA's activities. What the hearing primarily achieved instead was to underscore what a farce the notion of Congressional oversight over the NSA is
NSA chief defends collecting Americans' data (Washington Post) The head of the National Security Agency delivered a vigorous defense Wednesday of his agency's collection of Americans' phone records for counterterrorism purposes, asserting that the program was helpful in investigations of the Boston Marathon bombing and the suspected plots against U.S. diplomatic outposts this summer
NSA Revelations Leave Encryption Experts In A Quandry (WCAI Cape and Islands NPR) The technology world is reeling. That's after press reports earlier this month that the National Security Agency may have weakened computer software. The reason, to make it easier for the government to read encrypted messages. The stories have upset many encryption experts, the very people who help scramble digital communications to keep those messages secure
'No problem' with NSA collaboration, says NIST director (FierceGovIT) National Institute of Standards and Technology Director Patrick Gallagher again defended his agency's collaboration with the National Security Agency over cybersecurity standards development
Shutting Down The US Government Likely Won't Slow The NSA's Surveillance Activities (TechCrunch) Shutting down the U.S. government wouldn't lead to the NSA halting its controversial, and broad surveillance efforts. Leaked documents by Edward Snowden recently detailed the financial cost of the NSA and other intelligence efforts. The CIA is the most expensive chunk of the U.S. "black budget," costing $14.7 billion. The NSA costs $10.8 billion
Action on Cybersecurity Likely Delayed Until 2014 (Roll Call) Some lawmakers want to see president's initiative first. Congress almost certainly won't pass any kind of major cybersecurity legislation in 2013, according to industry officials, lobbyists and others who track the issue
Panel warns of global disparities in IT security (FierceGovIT) Disparate approaches to cybersecurity could make the global cyber environment less secure overall, warned panelists during a Sept. 19 event hosted by the Brookings Institution in Washington, D.C. "There's, I think, a very real concern that as the cybersecurity threat grows, and we develop palsy responses, there may arise what I call cyber security ghettos," said Allan Friedman, Brookings fellow and research director of Brookings' center for technology innovation
"Too big, too powerful and too influential"—why British lawmakers are obsessed with Google (Quartz) The British Parliament today released a report called "Supporting the creative economy." The title is snoozy but the proceedings are explosive. Google is mentioned 235 times over 70 pages of the report's first volume (pdf), which runs to 422 pages (including witness testimony). In contrast, Apple is mentioned 55 times, Facebook 53 times and Amazon a mere 21. Indeed at one point, the chair of the committee that put the report together refers to "our favourite subject of Google." Here are some highlights
California's Internet Eraser Law: Nice Idea, but It Won't Work (Slate) On Monday the governor of California signed a bill stipulating that social media sites such as Facebook, Twitter, and Tumblr allow kids under 18 to permanently erase their posts. Starting in 2015, these platforms must equip California's teenage users with the ability to delete video, text, and photo content forever--unless that content was originally uploaded by a third party or is subpoenaed. The law aims to protect a group of people prone to bad decisions from self-sabotage via drunken selfie, ignorant rant, overuse of #YOLO, and other Internet fouls we oldsters can only imagine (until we Google the names on the resumes). As state Sen. Darrell Steinberg told the Los Angeles Times, the new law offers "groundbreaking protection for our kids who often act impetuously with postings of ill-advised pictures or messages before they think through the consequences"
Task force seeks to update New York state cyber crime laws (SC Magazine) A proposal released Tuesday addresses much needed updates to New York State's white collar laws, which have remained mostly unaltered since 1965. The recommendations will aid in the enforcement of cyber crime, which is defined as any crime in which a computer, smart phone or the internet is used to commit or conceal a crime, according to the proposal released by the New York State White Collar Crime Task Force
Litigation, Investigation, and Law Enforcement
Inspector general: NSA spied on significant others (Politico) Some employees of the National Security Agency inappropriately used surveillance to snoop on significant others, the agency's inspector general says
Seymour Hersh on Obama, NSA and the 'pathetic' American media (Guardian) Seymour Hersh has got some extreme ideas on how to fix journalism — close down the news bureaus of NBC and ABC, sack 90% of editors in publishing and get back to the fundamental job of journalists which, he says, is to be an outsider
Edward Snowden's leaks are misguided — they risk exposing us to cyber–attacks (Guardian) Journalists are not best placed to identify security risks; we have to trust those who oversee the intelligence-gathering. Is Edward Snowden a hero or a criminal guilty of the most damaging espionage? It appears he is seen as both. Some will say he is a whistleblower who has fuelled the debate around the intercept of communications in cyberspace. But it will be no surprise to those who study the subject that a powerful search tool like Prism — and buffering software — is needed to find the communications of the terrorist or criminal among the billions of others
Ex–Spy Christopher Boyce on Snowden, WikiLeaks, and NSA Backdoors (Wired) A smart young dropout is welcomed into a promising career in the top secret world of U.S. defense contracting, but he's quickly shocked to discover the deception practiced by America's intelligence agencies at the highest levels. Disillusioned and outraged, he
Angry email users can take Google to court for keyword scanning, judge rules (The Verge) A group of email users can move forward with a class action lawsuit against Google for its Gmail keyword-scanning system, Judge Lucy Koh has declared. Earlier today, Koh filed a decision on Google's request to dismiss the case, which accuses it of violating anti-wiretapping laws by "reading" emails in order to display targeted advertisements. Though she agreed that aggrieved users couldn't legally bring a few of their claims to court, Google might still have run afoul of the California Invasion of Privacy Act and the federal Wiretap Act, and some of its far-reaching defenses stand little chance of success
Is hacking in self–defence legal? (Brisbane Times) In sport, sometimes the best defence is a good offence, but since hacking is considered illegal, organisations under a cyber attack only have defensive options. Or do they? A legal expert says retaliatory hacking might not be illegal in Australia. The general rule for penetration testers, or hackers who make a crust breaking into others' computers, is don't hack unless you've got consent
US government security background checks fumbled by investigators (Help Net Security) Edward Snowden's successful exfiltration of confidential NSA documents has proved that the background checks executed for government personnel in order to receive the needed security clearance are not foolproof. But how imperfect is this system? Reuters reporters have taken it upon themselves to dig through court documents and press releases related to 21 cases in which US federal prosecutors convicted special agents and private contractors for making false statements that led to a person receiving a security clearance when it perhaps should not have
Payment Processors Are Government's Allies Against Fraud (American Banker) There is considerable confusion regarding the term "third party payment processors" and what they do
Why a Chinese Teenager Was Locked Up for His Tweets (Bloomberg) On Sept. 17, Yang Hui was summoned from his afternoon math class by his junior high school's vice-principal, according to an account the student provided to the state-owned Beijing News newspaper that was published on Tuesday. The 16-year-old quickly learned that he was in serious trouble. Three plainclothes and a uniformed police officer were waiting in the principal's office. They asked for his phone, interrogated him, conveyed him to the police station for further questioning and then locked him up in a local detention center. His apparent crime? He was re-tweeted
19–Year–Old Arrested for Hacking Miss Teen USA's Computer (Softpedia) The FBI has arrested Jared James Abrahams, a 19-year-old from Temecula, California, on suspicion of hacking into the computers of Miss Teen USA Cassidy Wolf and others. The man is said to have hacked the computers of several women to obtain compromising materials which he later used to blackmail them
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
Cyber Education Symposium (Arlington, Virginia, USA, Nov 19 - 20, 2013) Both the public and the private sectors suffer from a lack of highly trained and effective cyber security leaders. In response, the government, businesses, and academic institutions are all exploring ways to retrain the existing workforce and develop a new pool of cybersecurity professionals capable of meeting the needs of tomorrow. The Cyber Education Symposium offers a rare opportunity for the brightest minds in government (.gov), the private sector (.com), and the educational community (.edu) to convene and discuss trends and challenges in cybersecurity education. The Symposium will provide a forum to identify new ways of thinking about the problem, exchange best practices, and forge a pathway forward that leverages the full resources of our nation's leadership.
Information Security Conference (Charleston, West Virginia, USA, Oct 2, 2013) On October 2, the WVOT Office of Information Security and Controls, will be sponsoring a no-charge information and cyber security awareness event at the Charleston Civic Center. The agenda will offer an energizing morning of highly informative sessions. Free posters, calendars, bookmarks, and other security-themed items will be available. The event is open to the public, however registration priority will be given to public sector officials and employees.
NSU Hosts FBI Presentation on National Cyber Security Awareness (Fort Lauderdale, Florida, USA, Oct 3, 2013) GSCIS Hosts the Federal Bureau of Investigation (FBI) Special Agents special presentation on "National Cyber Security Awareness." RSVP at the link.
The Monktoberfest (Portland, Maine, USA, Oct 4, 2013) Our speakers will explore how social trends can change the way we build and use technology, and how technology in turn can change the way we socialize.
Suits and Spooks NYC 2013 (New York, New York, Oct 5, 2013) Since the landscape is foggy, the threat actors numerous and hard to identify, and the attacks proliferating on a daily basis, the focus of the next Suits and Spooks conference will be to identify non-state aggressors in cyberspace. About twenty speakers will present briefings over two days on hackers, citizen militias, and other non-state entities operating in the Middle East, China, Russia, Pakistan, India, Iran, Africa, South America, the United States (yes - we have non-gov threat actors domestically), and other parts of the world. One of our panel moderators will be Joel Brenner (former National Counterintelligence Executive at the Office of the Director of National Intelligence and former Senior Counsel at the NSA).
Forensics and Incident Response Summit EU (Prague, Czech Republic, Oct 6 - 13, 2013) The Summit will focus on high quality and extremely relevant content as well as panel discussions in Digital Forensics and Incident Response. In addition, we encourage you to take every opportunity to make the most of this event from attending the Summit to registering for one or more of the post-summit training classes taught by SANS' top-rated instructors and course authors. Additional events such as DFIR Netwars, evening talks and the SANS Community Night will be taking place during that week too. This event promises to bring together the leading minds in digital forensics and incident response in the EU, as well as many other practitioners from a wide cross section of industries and company sizes. You will be able to share with all of them your challenges and find out new solutions that work, techniques and approaches you didn't even know existed.
CyberMaryland 2013 (Baltimore, Maryland, USA, Oct 8 - 9, 2013) Join cybersecurity leaders, luminaries and rising stars at CyberMaryland 2013. This two-day event at the epicenter of the nation's cybersecurity innovation and education, will create opportunities for networking and idea sharing amongst the many cyber leaders and professionals across the country, including: federal, state and local government agencies, academic institutions, cybersecurity entrepreneurs, and industry leaders of research and development. CyberMaryland 2013 will address the biggest challenges facing America, including future innovation to meet the security challenges facing our country; collaboration across industry, government and educational institutions; and the development of a generation of cyber-warriors. Surrounding all of these issues is a constantly evolving business framework to provide efficient and effective solutions in a time frame that anticipates and mitigates current and future threats.
2013 Maryland Cyber Challenge (Baltimore, Maryland, USA, Oct 8 - 9, 2013) Held in conjunction with Cyber Maryland and intended to let students and young professionals showcase their cybersecurity skills, Maryland Cyber Challenge offers competition in three divisions: high school, college, and professional. Orientation sessions for teams in each of three divisions -- high school, collegiate and industry and government professionals -- will be held at UMBC in July and August. Two qualifying rounds will be conducted online using SAIC's Cyber Network Exercise System.
AFCEA Hill AFB Technology & Cyber Security Expo (Ogden, Utah, USA, Oct 9, 2013) The purpose of this first-time event is to allow base personnel the opportunity to learn about the latest computer security trends, network with peers, share remediation strategies and to view and demo some of the latest cyber security and information technology products/services available today.
NSU's Raising Savvy Cyber Kids with Ben Halpert (Fort Lauderdale, Florida, USA, Oct 10, 2013) Ben Halpert is an award-winning author of several books for diverse audiences. The Savvy Cyber Kids At Home: The Family Gets A Computer (October, 2010) is a picture book that teaches the concepts of online safety and privacy to preschool children. The Savvy Cyber Kids At Home: The Defeat of the Cyber Bully (October, 2011) teaches children how to appropriately respond to a cyber bully before playing in the virtual world. All Savvy Cyber Kids books are available in English, Spanish, German, and French. For those in the business field, Ben has published Auditing Cloud Computing: A Security and Privacy Guide (July 2011) through John Wiley & Sons. RSVP at the link.
International Conference on Cyber–Enabled Distributed Computing and Knowledge Discovery (Shanghai, China, Oct 10 - 12, 2013) The International Conference on Cyber-enabled distributed computing and knowledge discovery promotes research and development of cyber-related technology. It is unique and significant in that it spans cyber-enabled data mining and knowledge discovery, distributed and parallel computing, cyber security, cloud computing, pervasive computing, mobile computing, Internet, wireless networks, cognitive systems, cyber information processing, information discovery, e-health via cyber network, e-science, web technology, and network performance and tools. Research and development in these areas have received extensive attention in both academia and industry to provide ubiquitous services for users. Various hardware and software designs, algorithms, protocols, simulations, test-beds, and implementations are developed for distributed computing in an interconnected and distributed network environment. The purpose of CyberC is to provide a forum for presentation and discussion of innovative ideas, research results, applications and experience from around the world as well as to highlight activities in the related areas.
VizSec 2013 (Atlanta, Georgia, USA, Oct 14, 2013) VizSec brings together researchers and practitioners in information visualization and security to address the specific needs of the cyber security community through new and insightful visualization techniques.
Hack-in-the-Box Security Conference 2013 (Kuala Lumpur, Malaysia, Oct 14 - 17, 2013) The 11th annual HITB Security Conference (16th/17th October) will be a triple track offering featuring keynotes by Andy Ellis, Chief Security Officer at Akamai and Joe Sullivan, Chief Security Officer at Facebook. This year's event also features all new 2-day training courses (14th/15th October) on a wide variety of topics including Android exploitation, extreme web hacking, infrastructure security, exploiting injection flaws and a special iOS security course by the world famous Evad3rs team. The full speaker list and conference agenda will be released after the Call for Papers closes on the 25th of July.
USDA Cyber Security Symposium and Expo 2013 (Washington, DC, USA, Oct 15, 2013) The Cybersecurity Expo, running in conjunction with the Summit, will allow exhibitors the opportunity to provide live demos and share information with government personnel and industry partners. Summit topics will focus on today's vulnerabilities, incidents, security lifecycle, risks and mitigations; it will also identify ways to work together and build a solid security foundation program to meet future challenges and trends in cyber security.
SNW Fall 2013 (Long Beach, California, USA, Oct 15 - 17, 2013) SNW is the world's largest independently produced conference series focused on the evolution of architecture for a new world of mobility, Big Data and business agility. Produced by Computerworld -- and co-owned by Computerworld and the Storage Networking Industry Association (SNIA) -- SNW remains unbiased and vendor agnostic. Unlike events focused on a specific vendor agenda and product portfolio, SNW provides a forum of open thought leadership and practical education that defines the spectrum of storage, data and infrastructure solutions available to a highly qualified audience of enterprise technology decision-makers.
Hexis Exchange (Athens, Greece, Oct 16 - 17, 2013) Attendees will have the opportunity to participate in a knowledge exchange of the latest enterprise security topics through expert led business and technology forums, hands-on sessions, and training. Such topics will include: emerging cybersecurity threats, big data management, advanced analytics, government regulation & compliance, and data retention challenges & solutions.
Cybersecurity Symposium: "Protect. Defend. Educate." (Linthicum, Maryland, USA, Oct 16 - 17, 2013) The Cybersecurity Symposium being held October 16-17, 2013, will deliver first-class training for government and industry security professionals while simultaneously offering high-level keynote speakers, essential networking opportunities, and an informative technology exposition. The Symposium sessions will have a special emphasis on security challenges facing today's security professionals and cyber awareness training for security professionals responsible for protecting sensitive and classified information from the ever increasing threats of mobile devices, espionage, terrorism, and cyber-attacks to ensure our national security. Register by August 31 to ensure the reduced early bird registration fee. This event is free for government employees and active-duty military personnel. Exhibit space and sponsorship opportunities are also available.
NSU Healthcare Cyber Security Summit (Fort Lauderdale, Florida, USA, Oct 17, 2013) In today's modern healthcare systems, data is everywhere, including sensitive patient data that needs to be secured and monitored. Join top healthcare security professionals from Nova Southeastern University, AccessData, and RSA to hear about current regulations that affect healthcare companies of all sizes, ways to protect sensitive data, and learn techniques to monitor access for suspicious activity. If you are responsible for the privacy or security of your company's healthcare data, you will benefit from presentations from these leading experts in the field. NSU's Chief Information Security and HIPAA Security Officer, John Christly, will examine the threats to the privacy and security of today's modern healthcare operations. You will also hear from experts from AccessData and RSA on how to detect and prevent data breaches. RSVP at the link.
Nuclear Regulatory Commission Cyber Security Conference & Expo (Rockville, Maryland, USA, Oct 17, 2013) This one-day conference will consist of cyber sessions in the NRC Auditorium given by government and industry speakers. Exhibit tables will be set-up just outside the Auditorium and companies will have the opportunity to demo their latest technologies to NRC's IT personnel.
Securing the Internet of Things Summit (San Francisco, California, USA, Oct 21, 2013) The Internet of Things is still in its infancy and the security community has a chance to build in new approaches to security if we get started now. More secure embedded operating systems and applications, more scalable approaches to continuous monitoring and threat mitigation and new ways of detecting and blocking active threats are evolving and can be tremendously effective. SANS is looking to bring together community talent and ideas to develop new solutions, demonstrate security technology that already works and to provide a force multiplier to making the Internet of Things be more secure than the first phases of Internet evolution.
13th Industrial Control Systems Cyber Security Conference (Atlanta, Georgia, USA, Oct 21 - 22, 2013) Industrial Control Systems (ICS) operate the infrastructures of electric power, water, chemicals, manufacturing, transportation, defense, etc. and link the digital and physical worlds. Their cyber security presents challenges that are distinct from securing traditional IT systems. The conference is attended by control & operations engineers and their IT counterparts from critical infrastructure industries, by ICS and security vendors, and by universities. Run under the Chatham House rules of confidentiality, the conference discusses ICS cyber incident case studies, provides regulatory updates, discusses solutions in the form of policies and procedures, presents demonstrations of hacking ICS and ICS protocols, and provides a status of ICS security solution field demonstrations.
Cloud Connect (Chicago, Illinois, USA, Oct 21 - 23, 2013) Cloud Connect returns to Chicago October 21-23, 2013 with an all new program built around the leading cloud platforms. Cloud Connect provides the independent guidance IT professionals need to successfully build, operate and manage the cloud, and the tools to measure application performance and business metrics.
cybergamut Technical Tuesday: Cyber Security Strategy — Why We're Losing and What's Needed to Win (Columbia, Maryland, USA, Oct 22, 2013) CrowdStrike's Steve Chabinsky explains the situation. Everybody seems to be spending more on cybersecurity, but with questionable return on investment. In fact, the problem clearly is getting worse, and current strategies show no indication of reversing that trend. This non-technical presentation explores the typical cyber risk environment, considers the proper balance and likely effectiveness of threat deterrence, vulnerability mitigation, and consequence management to reduce cyber risk, and examines the current and evolving roles of government agencies and the private sector in addressing the problem. Backed by powerful, real-world examples of threat actor tactics, this presentation will help managers develop a better understanding of how their current security approach is most likely to succeed or fail over time, and what strategies are the most likely to shift the advantage to the good guys. cybergamut is co-hosting this event with the Maryland Chapter of InfraGard.
Cyber Security Seminar and IT Expo at Peterson AFB (Colorado Springs, Colorado, USA, Oct 22, 2013) The Cyber Security Seminar and IT Expo is a one-day event held on-site where industry vendors will have the opportunity to display their products to personnel attending briefings concerning the latest updates in Cyber Security Awareness. This is an excellent and unique opportunity to meet IT personnel from USNORTHCOM, NORAD, Army Space Command, USSPACECOM, and the 21st Space Wing all in one day.
Joint Federal Cyber Summit 2013 (Washington, DC, USA, Oct 23 - 24, 2013) This collaborative government wide event is truly one of a kind, with speakers and attendees anticipated to represent more than 10 federal government agencies. Information sharing will be accomplished through keynote speakers on both days, along with numerous targeted breakout sessions (including a session with a federal CISSO panel), hands on live demonstrations, and industry exhibits.
NSU's 12 Simple Cybersecurity Rules For Your Small Business (Fort Lauderdale, Florida, USA, Oct 24, 2013) In this presentation twelve simple and inexpensive techniques for protecting small businesses from cyber threats will be discussed. While complex and expensive solutions exist to improve the security of information technology most of these products are not designed for the specific needs of small businesses. The techniques that will be discussed in the presentation are designed to address the most common threats encountered by small businesses without requiring significant expertise and expense. RSVP at the link.
2013 ACT–IAC Executive Leadership Conference (Williamsburg, Virginia, USA, Oct 27 - 29, 2013) Advances in technology and massive increases in data available can both challenge and transform Government mission performance. ELC-2013 focuses on how to make this transformation a reality, in and for agencies. We will hear from nationally prominent speakers and work across government and industry to learn new ideas and techniques. Four mission-oriented tracks will focus on initiatives for driving results using data and the "Innovate, Deliver, Protect and Analyze" paradigm that is at the heart of the Government's strategic vision.
SAP NS2: National Security Solutions Summit (Falls Church, Virginia, USA, Oct 29, 2013) Join us for a day of learning and networking focused on how to advance U.S. national security and homeland security through I.T. innovation. Top-notch speakers will address the new challenges facing U.S. national security and critical infrastructure -- as well as powerful, affordable technologies that are available today to tackle those challenges while saving money and simplifying operations. Learn how your organization can run faster, smarter, leaner in the most secure environments -- with world-class, breakthrough solutions that are bold alternatives to business as usual.
Regional Cyber Security Forum & IT Day (CSFI) — Hawaii (Honolulu, Hawai'i, USA, Oct 30, 2013) 2013 marks the 10th anniversary of National Cyber Security Awareness Month and FBC will host the 1st Annual Cyber Security Forum & IT Day (CSFI) at Fort Shafter - Club Hale Ikena to coincide with the anniversary and the activities surrounding this month. The goal of CSFI is to raise cyber security awareness, and to promote best practices in cyber while allowing DoD personnel and industry partners the opportunity to share the most up to date remediation strategies. The event will feature four educational cyber sessions to go along with an exhibit hall.
NSA Hawaii — Cyber Security, Intelligence & IT Day (Honolulu, Hawai'i, USA, Oct 30, 2013) Be a part of the 1st Annual Cyber Security, Intelligence and IT Day set to take place at the new National Security Agency (NSA) Hawaii Rochefort facility. The event will be hosted by NS/CCS Hawaii Technology Directorate and will focus on Cyber Security, Big Data and Cloud Computing. There are other areas of interest listed below as well. This is an extremely unique opportunity to network with NSA personnel in Hawaii at their location. Educational sessions will be provided to attendees to coincide with government and industry exhibits.