The CyberWire Daily Briefing 10.30.13

Cyber Trends

Enterprises struggle with access control rights (FierceITSecurity) More than one-quarter of IT pros have retrieved corporate data not relevant to their jobs

BYOD, cloud fueling demand for mobile encryption products (FierceITSecurity) Market is forecast by ABI to reach $230 million by end of 2013

Microsoft report finds decline in disclosed software vulnerabilities (FierceITSecurity) Finally there is good news on the IT security front. Software vulnerability disclosures declined 10.1 percent in the first half of 2013 compared to the same period last year and 1.3 percent compared with the second half of 2012, according to the Microsoft Security Intelligence Report released this week

IT security leaders debate their cyber threat challenges (ComputerWeekly) The IT industry is caught in an increasingly tough battle against cyber crime and the professionals tasked with looking after information security face an onslaught of challenges and attacks

Information security: From "bored" to "board" (ComputerWeekly) Increasingly, I hear information security professionals citing a lack of interest from the board room as a critical reason for their failure to address IT risk and security concerns

Control system security: safety first (Help Net Security) Every large utility, pipeline, refinery and chemical plant has a cyber security program, but most are IT-centric. Anti-virus programs, software update programs and programs of integration with corporate active directory controllers are all managed by IT teams, along with some degree of convergence and consultation with operations technology (OT) teams. While we have seen few large-scale cyber attacks in these industries, IT-style defenses invite such attacks. Cyber-sabotage is a real threat and it will take more than yesterday's firewall-level protections to ensure the safety and reliability of today's industrial sites

Software Security Maturity Plods Along (Dark Reading) While there is certainly room for improvement, the software vendor and financial services communities are making a steadily improving progression in maturing their software security practices according to a new study out today by the Building Security In Maturity Model (BSIMM) project. BSIMM today released the fifth version of an industry-wide study that examined in depth the secure development practices of many of the globe's most influential firms. "Here's the real take-home lesson: we know how to do software security on planet earth and now we just have to do it," says Dr. Gary McGrw, CTO of Cigital and one of the scientists in charge of the study. "There's a lot of people who say you should do it this way or that way and there are opinions and conjecture. But what we've done is collect a set of facts so that people can refer to them and know how to approach software security as grown-ups

The Battle for Power on the Internet (Schneier on Security) We're in the middle of an epic battle for power in cyberspace. On one side are the traditional, organized, institutional powers such as governments and large multinational corporations. On the other are the distributed and nimble: grassroots movements, dissident groups, hackers, and criminals. Initially, the Internet empowered the second side. It gave them a place to coordinate and communicate efficiently, and made them seem unbeatable. But now, the more traditional institutional powers are winning, and winning big. How these two side fare in the long term, and the fate of the rest of us who don't fall into either group, is an open question -- and one vitally important to the future of the Internet

How much custom would you lose from a data security breach? (IT Governance) We take it for granted nowadays that we can work pretty much wherever we are. The majority of us use laptops, tablets and smartphones for work as well as for leisure, Wi-Fi is by and large available wherever we go, 3G and increasingly 4G service is the norm, and cloud computing means we can access our data on the move. But an increasing reliance on virtual networks means sensitive data is more and more vulnerable to targeted attacks. Web-based applications may be convenient for you and your workforce to operate wherever you are, but they are also convenient for cyber criminals, as your and your customers' information is more exposed

Legislation, Policy and Regulation

White House: Review will address global NSA concerns (USAToday) U.S. surveillance policies aimed at allies have sparked strong reactions across the globe. Below is a sampling of reaction from leaders to the disclosure of National Security Agency spying programs in news reports

Exclusive: Obama orders curbs on NSA spying on U.N. headquarters (Reuters) President Barack Obama recently ordered the National Security Agency to curtail eavesdropping on the United Nations headquarters in New York as part of a review of U.S. electronic surveillance, according to a U.S. official familiar with the decision

France and Spain, not NSA, responsible for spying on phone calls abroad, say US officials (The Verge) US officials have told The Wall Street Journal that the NSA wasn't responsible for intercepting phone calls in France and Spain. Over the past two weeks, documents obtained by Le Monde in France and El Mundo in Spain showed that millions of phone calls in each country had been intercepted by the NSA. The unnamed officials, however, say that these calls were actually logged by French and Spanish intelligence agencies, then later given to the NSA. This corroborates a statement by Director of National Intelligence director James Clapper, who said that "the allegation that the National Security Agency collected more than 70 million 'recordings of French citizens' telephone data' [over 30 days] is false"

The spies on the roof (Economist) Location, location, location, the Americans were thinking when they moved into their new embassy in Berlin in 2008, right next to the Brandenburg Gate

NSA director Keith Alexander says European spying reports are false (Politico) National Security Agency director Gen. Keith Alexander on Tuesday called "completely false" press reports that the NSA had gathered information on millions of telephone calls in countries across Europe

'We're Really Screwed Now': NSA's Best Friend Just Shivved The Spies (Foreign Policy) One of the National Security Agency's biggest defenders in Congress is suddenly at odds with the agency and calling for a top-to-bottom review of U.S. spy programs. And her long-time friends and allies are completely mystified by the switch

Five Reactions To Dianne Feinstein Finally Finding Something About The NSA To Get Angry About (TechDirt) Dianne Feinstein, the NSA's biggest defender in the Senate (which is ridiculous since she's also in charge of "oversight") has finally had enough. It's not because she finally understands how crazy it is that the NSA is spying on every American, including all of her constituents in California. It's not because she finally realized that the NSA specifically avoided letting her know about their widespread abuses. No, it's because she just found out that the NSA also spies on important people, like political leaders around the globe. It seems that has finally ticked off Feinstein, who has released a scathing statement about the latest revelations

Clapper: NSA controversy creating 'erosion of trust' (The Hill) The firestorm of criticism facing the National Security Agency from Capitol Hill has created "an erosion of trust" within the U.S. intelligence community, according to the community's top official. The repeated criticism and second-guessing by Congress over the agency's operations has hindered intelligence community leaders from doing their jobs, Director of National Intelligence James Clapper told lawmakers on Tuesday

Anonymous NSA Officials Strike Back! (Slate) Ken Dilanian and Janet Stobart chip away at the White House's excuses—hey, we weren't told—on the NSA's monitoring of foreign leaders

Throwing the Intelligence Community Under the Bus (Washington Free Beacon) The outcry over NSA surveillance is reaching a critical breaking point. President Obama is having his options constrained by an avalanche of disclosures, and there might be only one, barely adequate way out of it

US legislators introduce bill to end dragnet phone data collection (Help Net Security) US Senate Judiciary Committee Chairman Patrick Leahy and Congressman Jim Sensenbrenner, chairman of the Crime and Terrorism Subcommittee in the House, introduced on Tuesday a legislation that seeks to restore Americans' privacy rights by ending the government's dragnet collection of phone records and requiring greater oversight, transparency, and accountability with respect to domestic surveillance authorities

Proposed USA FREEDOM Act Would Dramatically Curtail The NSA's Surveillance (TechCrunch) Senator Patrick Leahy and Representative Jim Sensenbrenner have introduced a new bill, called the Uniting and Strengthening America by Fulfilling Rights and Ending Eavesdropping, Dragnet-collection, and Online Monitoring Act (USA FREEDOM Act), designed to dramatically curtail the ability of the NSA to collect information on the average United States citizen

Data privacy concerns could derail EU–US trade talks (CSO) EU citizens' data protection is non-negotiable, saysthe EU Justice Commissioner

NSA Spying Scandal: Ecuador's Correa Slams U.S. While Visiting Russia As Spain Opens Inquiry (Fox News) During a visit to Russia, Ecuadoran President Rafael Correa continued his criticism of the United States' National Security Agency, which is currently embroiled in a worldwide scandal over allegations that the agency spied on world leaders

US spying fiasco: Will 'additional' constraints ease European fury? (Christian Science Monitor) As news of the National Security Agency's spying on world leaders, allies, and citizens continues to leak to the public, the White House said this week that there is a need for "additional constraints" on US spying, a statement that some observers fear may do little to calm the diplomatic uproar spreading globally

NDP wants parliamentary oversight of government's intelligence and security activities (Northumberland View) In the wake of disturbing revelations about the activities of the Communications Security Establishment Canada (CSEC) - Canada's equivalent to the United States' NSA - NDP Defence critic Jack Harris (St. John's-East) wants greater Parliamentary oversight of the agency

Russia 'spied on G20 leaders with USB sticks' (The Telegraph) Russia spied on foreign powers at last month's G20 summit by giving delegations USB pen drives capable of downloading sensitive information from laptops, it was claimed today

Bill provides guidance on FDA mobile medical apps regulation (FierceMobileHealthCare) A bipartisan group of House members--three Democrats and three Republicans--has introduced a bill to "provide regulatory clarity regarding mobile medical applications, clinical decision support, electronic health records and other healthcare related software," according to an announcement

SOFTWARE Act gets mixed response from industry (FierceMobileHealthCare) Reactions from industry groups to the SOFTWARE Act, which seeks to "provide regulatory clarity regarding mobile medical applications, clinical decision support, electronic health records and other healthcare related software" have been quick, but not all positive

Bill to Bolster DHS Cyber Workforce Advances (Nextgov) The House Homeland Security Committee on Tuesday advanced legislation that would require the Homeland Security Department to take additional measures to improve and assess the cybersecurity workforce. The bill — the Homeland Security Cybersecurity Boots on the Ground Act (H.R. 3107) — sponsored by Rep. Yvette Clarke, D-N.Y., requires DHS to enhance efforts to bolster the cybersecurity workforce, in part by establishing occupations classifications and developing a strategy to address identified gaps in the cyber workforce

CNO Says Navy Needs Ground Forces' Help On Cyber, Electronic Warfare (Breaking Defense) Rivalries between the services are a favorite topic in this town, especially when budgets tighten. But when it comes to cyberwarfare, electronic warfare, and the wireless world where they intersect, the Navy's top man in uniform is more than happy to get help from the Army

Products, Services, and Solutions

Samsung unveils Knox SDK to boost enterprise mobile security efforts (FierceMobileIT) End-to-end Knox solution provides security hardening from the device hardware to the application layer

Centrify launches tech partner program to secure mobile, cloud apps (FierceMobileIT) Program provides developers, cloud and mobile ISVs tools to jointly build integrated secure apps

Juniper unrolls MetaFabric, new switch (The Register) Juniper Networks has rolled out a fabric architecture and switch, along with other swag. To get a handle on it all, Vulture South spent some time talking with Dhritiman Dasgupta, Juniper's director of platform solutions, to get a handle on key aspects of the release

Sophos takes first step in rolling out cloud security strategy (NetworkWorld) Security firm provides cloud-based management and policy enforcement for endpoints, firewall UTM

Twitter Two–Factor Lockout: One User''s Horror Story (InformationWeek) Warning to users of Twitter's two-factor authentication system: Never, ever misplace your backup access code and then switch phones. Otherwise, you'll find yourself locked out of your Twitter account

Centralizing threat intelligence to feed network defense systems (Help Net Security) ThreatConnect announced the launch of a prototype that connects commercial security products with advanced threat intelligence through an open source standard known as the Structured Threat Information eXpression (STIX), created by The Mitre Corporation

CylanceV Exposes the Unknown Threats Lurking on Computers Worldwide (EON) Cylance, Inc., a global cybersecurity company, is reinventing the way companies think about security. The first to apply mathematical science to security in a scalable way, Cylance announced today the official worldwide release of CylanceV™, a new cloud and on-premise solution to find what others miss in detecting advanced malware

Avira Revamps Free Mac Security For OS X Mavericks (Dark Reading) New version of Avira Free Mac Security can perform quick scan of vulnerable directories on the computer even as the security software is being installed

Technologies, Techniques, and Standards

UK government provides advice to CIOs grappling with BYOD (FierceMobileIT) Need help assessing the strengths and weaknesses of commercial mobility platforms for your enterprise but can't bear the expense of hiring a consultant or purchasing a pricey analyst report

Why Do Big IT Projects Fail So Often? (InformationWeek) Obamacare's website problems can teach us a lot about large-scale project management and execution

What IT managers need to know about risky file–sharing (ComputerWeekly) There is a danger in employees being tech-savvy - they can use devices and means to transport and exchange files that are beyond the control of IT management. Employees may simply see webmail, file-sharing services, cloud storage, USB sticks and smart devices as easier to use than traditional corporate tools to transfer files

Obama, CEOs Meet on Cybersecurity Framework (GovInfo Security) As the National Institute of Standards and Technology began accepting public comments on the preliminary version of a cybersecurity framework on Oct. 29, President Obama met with a group of chief executives from information technology, financial services and energy companies to discuss efforts to improve the cybersecurity of the nation's critical infrastructure

Defending Against CryptoLocker (TrendLabs Security Intelligence Blog) Over the past few weeks, we've been seeing an increase in the number of spreading CryptoLocker malware. This new kind of ransomware has been hitting more users over the past few weeks, as seen in the 30-day feedback provided by the Smart Protection Network

Failure To Deploy: Aided And Abetted By Shelfware (Dark Reading) It takes more than technology acquisition to protect against the insider threat — just ask the NSA. Recent news reports indicate the NSA had acquired technologies to help prevent the leakage of classified data, but failed to deploy them before contractor Edward Snowden began working there. The technologies in question were purchased in the wake of the 2010 WikiLeaks scandal, but went uninstalled at NSA's Hawaii facility due to what was described as "bandwidth issues"

ICE Hacked Its Own Employees to Teach Self–Defense in Cyberspace (Nextgov) One federal agency is replacing workforce security awareness tutorials with real world hack attempts to test employee reflexes. So far, 80 percent of the personnel trained have successfully fought off potential cyberspies

Marketplace

Perception of Huawei is changing in India: John Suffolk (Economic Times) Huawei's global cyber security officer John Suffolk says that concerns raised by the US against the Chinese telecom gear maker has not had a lasting impact as the company's perception in markets like India is changing, albeit slowly. Speaking to ET, he denied all accusations of espionage, adding that 70% of its gear is made from parts manufactured in the US and only 30% is done in China

Dell (DELL) Go–Private Deal is Complete (Street Insider) Dell, Inc. (NASDAQ: DELL) completed its go-private tranaction by Michael Dell, Dell's Founder, Chairman and CEO, and Silver Lake Partners, a leading global technology investment firm

NCR to Help TSA Deploy Mobile Boarding Pass Scanners (Executive Biz) NCR Corp. has been awarded a delivery order for mobile technology designed to help the Transportation Security Administration speed-up and secure passenger identification at U.S. airports

Rodney Joffe of Neustar Picked for FBI Cyber Investigation Award (GovConWire) Rodney Joffe, a senior vice president and fellow at Neustar, has been selected to receive an award from the FBI recognizing his work to help resolve a malware case that crossed more than 32 countries and resulted in 55 arrests

Brussels to set up security, business networks in push for European cloud (EurActiv) The Commission is setting up new expert groups to advise on security and business related-issues to accelerate the establishment of a unique "European cloud" capable of challenging global rivals in a sector where the EU has been lagging behind

ProvenSecure Solutions Awarded Cyber Fast Track Research Grant (PRWeb) ProvenSecure Solutions, LLC (PSS), a private New Jersey based Custom Cyber Security Solutions firm, has been awarded a task order to support the Defense Advanced Research Projects Agency's (DARPA) innovative Cyber Fast Track Program (CFT)

Q&A with the Cyber Security Challenge participant who landed a cyber role at PwC (Computing) The Cyber Security Challenge UK (CSC UK), a series of national events designed to encourage talented professionals to join the UK IT security industry, is a government- and industry-backed initiative that has enabled 40 participants to secure IT security roles

Thales launches £2m cyber security 'battle lab' in the UK (Computerworld) Defence company Thales has announced a new Cyber Integration & Innovation Centre that aims to help improve the security of the UK's critical national infrastructure and government organisations

How crazy would it be for Facebook to buy Blackberry? (Quartz) Apparently BlackBerry has been hawking its wares to cash-heavy Facebook

PwC to bulk up with Booz & Co merger deal (Financial Times) PwC is planning to absorb Booz & Co in the latest move towards consolidation in the management consultancy sector. The two groups announced on Wednesday that they had signed a conditional merger agreemen

Interview: Javvad Malik and the Power of Social Media for Security Professionals (Infosecurity Magazine) Drew Amorosi recently caught up with Javvad Malik, senior security analyst with 451 Research, and an emerging supernova within the information security universe

Research and Development

How quantum key distribution works (GCN) Quantum key distribution (QKD) uses individual photons for the exchange of cryptographic key data between two users, where each photon represents a single bit of data. The value of the bit, a 1 or a 0, is determined by states of the photon such as polarization or spin

Breaking New Ground on Cyberdefenses (GovInfoSecurity) The Army Research Laboratory is collaborating with five universities to develop what's being characterized as a new science to detect, model and mitigate cyber-attacks

Security Patches, Mitigations, and Software Updates

Cisco patches remote code execution, DoS flaws in enterprise products (FierceITSecurity) Cisco has issued critical security patches for a number of products, including its Identity Services Engine and IOS XR software

Firefox moves up to Version 25, fixes a bunch of memory mismanagement problems (Naked Security) A brief reminder for Firefox users: version 25 is out. As usual, there are some new and tweaked features, plus a fair number of security fixes. Paul Ducklin takes a quick look

SIR v15: Five good reasons to leave Windows XP behind (Internet Storm Center) No, it's not because I work for MSFT and want you to upgrade for selfish reasons. :-) It's because it really is time

Cyber Attacks, Threats, and Vulnerabilities

#OpThrowBack: Official Interpol Indonesia Website Taken Down by Anonymous (HackRead) The official website of Interpol Indonesia has been taken down by Fu7ion who calls himself a supporter and part of online hacktivist group Anonymous. Fu7ion says that he has taken Interpol Indonesia website under the banner of an online operation ''#OpThrowBack''. The operation was launched by Anonymous hackers yesterday against FBI, NSA, Verizon, Microsoft and AT&T

Hack of MongoHQ exposes passwords, user databases to intruders (Ars Technica) Database provider goes into lockdown after breach of employee support system

Hosting Service MongoHQ Suffers Major Security Breach That Explains Buffer's Hack Over The Weekend (TechCrunch) NoSQL Database hosting service MongoHQ, a Y Combinator alum, has suffered a major security breach that appears to be a major factor in an attack over the weekend on Buffer, the social media scheduling service. The MongoHQ intrusion is affecting customers of the hosting service and potentially also their S3 storage accounts on Amazon Web Services (AWS)

MongoHQ compromised, Have you re–checked your Security Settings? (Kualitatem) MongoHQ is a private, Database-as-a-Service platform for securely hosting and managing shared and dedicated MongoDB instances. Buffer app hacked accounts led to compromise MongoHQ application as per MongoHQ initial reporting. All High-tech applications are based on heterogeneous structure where multiple applications have to integrate with each other in controlled fashion. Security is a continuous process; companies have to scrutinize their security parameters

Adobe security breach actually affected closer to 38 million users (ZDNet) UPDATE: Attackers are believed to have obtained access to invalid as well as inactive Adobe IDs along with test account data

Stolen Adobe account data goes public, Photoshop source code breached (CSO) In an update on the data breach disclosed earlier this month, Adobe has said that source code for Photoshop was stolen. Making matters worse, a file containing 150 million usernames and hashed passwords has appeared online, and the company says that 38 million accounts were directly impacted by the incident

New Injection Campaign Peddling Rogue Software Downloads (Threatpost) A mass injection campaign has surfaced over the last two weeks that's already compromised at least 40,000 web pages worldwide and is tricking victims into downloading rogue, unwanted software to their computer. The campaign, dubbed GWload by researchers at Websense, relies on a Cost Per Action scam that convinces users into thinking the page they've navigated to has been locked and that they need a special version of VLC Player to open it

AmEx users targeted with well–crafted phishing scheme (Help Net Security) A rather well-executed phishing campaign is targeting American Express users via fake "Fraud Alert: Irregular Card Activity" emails impersonating the AmEx Fraud Departement, warns Gary Warner

iOS apps can be hijacked to show fraudulent content and intercept data (Ars Technica) Some 10,000 titles in Apple's App Store may be susceptible to redirection hack. A large number of apps for iPhones and iPads are susceptible to hacks that cause them to surreptitiously send and receive data to and from malicious servers instead of the legitimate ones they were designed to connect to, security researchers said on Tuesday

Security hole found in Obamacare website (CNN Money) The Obamacare website has more than annoying bugs. A cybersecurity expert found a way to hack into users' accounts. Until the Department of Health fixed the security hole last week, anyone could easily reset your Healthcare.gov password without your knowledge and potentially hijack your account

Security concerns prompt subpoena for Healthcare.gov data (ComputerWorld) U.S. House committee chairman orders QSSI to turn over contract and data on Healthcare.gov-related communications

Allina Health Admits Data Breach Affecting Over 3,000 Patients (eSecurity Planet) Names, contact information, birthdates, clinical data, health information, and the last four digits of Social Security numbers may have been accessed

Yusen Logistics Acknowledges Security Breach (eSecurity Planet) Current and former employees' names, addresses, Social Security numbers and payroll benefit deduction amounts may have been exposed

When the phone call is more dangerous than malware (Help Net Security) During Social Engineer Capture the Flag contest, one of the most prominent and popular annual events at DEF CON 21, a pool of 10 men and 10 women, from diverse backgrounds and experience levels, tested their social engineering abilities against 10 of the biggest global corporations, including Apple, Boeing, Exxon, General Dynamics and General Electric. The complete results of the competition are in, and they don't bode well for businesses

Firm calls out consistent rise of "madware" in Google Play (SC Magazine) In the first half of the year, 23.8 percent of all free Google Play apps were plagued with ads that could potentially become a privacy concern for users, if not a serious nuisance, a security firm found. The "Mobile Adware and Malware Analysis" report, published on Tuesday by Symantec, revealed that the percentage of apps containing "madware" — defined as apps using overly aggressive ad libraries — has consistently increased since 2010

A Tour Through The Chinese Underground (TrendLabs Security Intelligence Blog) The Chinese underground has played host to many cybercriminals over the years. In the research brief titled Beyond Online Gaming Cybercrime: Revisiting the Chinese Underground Market, we provide some details of the current state of the Chinese underground economy. Last year, we looked into this underground sector, and this brief is a continuation of those efforts

Beyond Online Gaming Cybercrime: Revisiting the Chinese Underground Market (Trend Micro) After taking a grand tour of the Chinese underground market last year, let's revisit it and see what has changed since then. In the past, we noted that Chinese cybercriminals adapted well to their environment, trailing their sights on online gamers and mobile users, the majority of the Internet users in the country. They continue to adapt well, as the market has now reached a similar level of maturity as the rest of the global cybercriminal underground

Attackers Crib Exploit Code, But Net Benefit For Defenders (Dark Reading) A researcher finds that the top 20 crime packs copy exploit code from security researchers and sophisticated attackers, but doing away with public disclosure is no solution

Academia

Case study: Class cloud — Rochester School Department and Dell (SC Magazine) A school district in New Hampshire needed to enable BYOD, while still protecting its network and the students and faculty using it

Litigation, Investigation, and Enforcement

Privacy group doubles down on Supreme Court NSA phone spying case (PCWorld) The U.S. Supreme Court should review a U.S. National Security Agency (NSA) data collection program despite the U.S. government's argument that privacy group EPIC lacks legal standing to challenge the case, the group said Monday

Man charged in July cyber attack on DOE (Aiken Standard) An individual linked to the July 2013 cyber attacks to the Department of Energy, which affected employees at the Savannah River Site, was charged on Monday by the acting U.S. attorney for the Eastern District of Virginia

Not even two weeks after shutdown, BitTorrent search site isoHunt is back (Ars Technica) New anonymous creators tell TorrentFreak the site is a "file-sharing icon." Less than two weeks ago, IsoHunt, the notorious search engine site for BitTorrent files, agreed to shut down and pay $110 million in a settlement with the Motion Pictures of America Association. The site even shut down a day early as a way to avoid being part of an online archive

Design and Innovation

Of course Apple is engaging in planned obsolescence (Quartz) Catherine Rampell at the New York Times wonders whether her iPhone, which became much less usable after she upgraded to iOS7, is being deliberately sabotaged by Apple, to encourage her to buy a new iPhone. This is a bit like asking whether or not Apple cares about design. Planned obsolescence has been part of how Apple, and just about every other PC maker, has operated since time immemorial