The CyberWire Daily Briefing 11.01.13

Cyber Trends

Security misconceptions among small businesses (Help Net Security) More than 1,000 SMBs participated in a joint McAfee and Office Depot survey last month, and the majority (66 percent) felt confident that their data and devices are secure and safe from hackers, with 77 percent responding that they haven't been hacked

Call security to foil the cyber crooks (Sunday Times) Companies need information security officers more than ever, but they are in short supply

Romania registers 20 million cyber–attack alerts in first six months (actmedia) Romania registered 20 million cyber-attacks alters in the first six months of 2013, according to the Cert.ro data, the body registering the cyber security complaints and alerts.'The number of alerts is also increasing because the market of Romania also grew very much, because the servers and the other pieces of equipment enhanced very much in number and capacity and that is where this temptation came from,' Information Society Minister

Legislation, Policy and Regulation

Australia said to play part in NSA effort (New york Times) Australia, a close ally of the United States, has used its embassies in Asia to collect intelligence as part of the National Security Agency's global surveillance efforts, according to a document leaked by the former agency contractor Edward J. Snowden and published this week in the German newsmagazine Der Spiegel

Australia ambassador summoned amid Asia US spying reports (BBC) Indonesia has summoned Australia's ambassador amid reports that Australian embassies have been used as part of a US-led spying network in Asia

Germany hopes for Snowden meeting on US spying (BBC) The German government says it is keen to hear directly from NSA whistleblower Edward Snowden about the US spy agency's activities

How Edward Snowden Escalated Cyber War (Newsweek) For more than a decade, a relentless campaign by China to steal valuable, confidential information from United States corporations flourished with barely a peep from Washington. And now it might never be stopped

US surveillance has gone too far, John Kerry admits (The Guardian) Kerry says certain practices occurred 'on autopilot' and vows to meet allies to repair damage caused by NSA spying revelations

Lawmakers Head To Europe To Address NSA Concerns (Huffington Post) U.S. lawmakers will head to Europe to help address concerns abroad about alleged U.S. spying and convince the Europeans of the need to continue joint anti-terrorism efforts with the U.S., the chairman of a Senate subcommittee on European affairs said Thursday

Hayden: Obama 'Rebalance' of US Intel Could Harm National Security (Newsmax) The National Security Agency (NSA) is being relentlessly pilloried by resentful detractors abroad -- and strident critics on the left and right at home -- which could force the Obama administration to weaken the intelligence community's ability to protect critical U.S. interests, former CIA head Michael Hayden wrote Thursday in a Wall Street Journal op-ed

Senate panel OKs limited surveillance rollbacks (Deseret News) Leaders of a Senate panel that oversees U.S. intelligence issues said Thursday it has approved a plan to scale back how many American telephone records the National Security Agency can sweep up. But critics of U.S. surveillance programs and privacy rights experts said the bill does little, if anything, to end the daily collection of millions of records that has spurred widespread demands for reform

Senate Committee Votes in Favor of NSA Phone–Records Snooping (Wired) A key Senate committee approved today a measure that would give congressional blessing to the NSA's bulk collection of domestic telephone metadata, and bolster the legal underpinnings of the controversial snooping program

Feinstein debuts NSA "reform" bill that's really about the status quo (Ars Technica) Senator Dianne Feinstein (D-CA) has been one of the most stalwart defenders of widespread NSA surveillance since leaks with information about the programs started seeping out nearly five months ago. Civil libertarians and reformers have been none too pleased with her rhetoric—and they're not going to get any happier after reading the bill she introduced today

USA Freedom Act Would Leash the National Security Agency (Bloomberg BusinessWeek) Edward Snowden's leaks revealing the National Security Agency's eavesdropping on U.S. citizens and foreign leaders have led members of Congress to demand greater limits on government spying. The USA Freedom Act, introduced on Oct. 29 in the House and Senate, would "rein in" the NSA's ability to gather information about unsuspecting citizens, say its authors, Democratic Senator Patrick Leahy of Vermont and Wisconsin Republican Representative Jim Sensenbrenner

Amid NSA spying revelations, tech leaders call for new restraints on agency (Washington Post) Mounting revelations about the extent of NSA surveillance have alarmed technology leaders in recent days, driving a renewed push for significant legislative action from an industry that long tried to stay above the fray in Washington

After NSA leaks, Google and others scramble to lock down security (The Verge) Relations between tech companies and law enforcement have frayed after it was revealed this week that the NSA tapped into private networks at Google and Yahoo. But a new report from The New York Times reveals how seriously many companies have taken the revelations, and what they're planning to do about it. Twitter has already moved to encrypt its direct messages, a measure that designers once thought unnecessary, and Google is already scrambling to secure their private network. As one security pro told the Times, "A lot of the things everybody knew they should do but just weren't getting around to are now a much higher priority"

NSA director says he's 'not wedded' to surveillance programs (Baltimore Sun) In a public appearance in Baltimore on Thursday, National Security Agency director Keith Alexander forcefully defended surveillance methods that have come under scrutiny this year but acknowledged that some of them may need adjustments

NSA Director Keith Alexander defends data collection during Baltimore visit (Baltimore Business Journal) Two things worry the director of the National Security Agency more than anything else: terrorism and cyber attacks. Gen. Keith Alexander on Thursday addressed members of the Baltimore Council on Foreign Affairs at the Hyatt Regency Hotel. Throughout his remarks, Alexander emphasized that protecting the United States is the NSA's top priority and insisted concerns over data collection have been overblown. "If you poll Americans, they believe that we are listening to their calls and that we are reading their emails," he said. "But that is not factually correct."

A historic opportunity to change how we spy (The Independent) This is about more than bugging allied foreign leaders — it's about public accountability

Two options for big data privacy: limit collections, or audit searches (FierceGovernmentIT) The advent of big data leaves federal policymakers with at least two opposite ways to ensure privacy--limit data collection, or allow agencies to store everything and later limit and audit database searches, as the National Security Agency has done with telephony metadata

Security Think Tank: Prism fallout could be worse than security risks (ComputerWeekly) In considering whether the data collected by Prism puts the US government at risk, it is worth considering whether the vulnerability comes as a result of it being apparent that all of this data has been collected and therefore presents a target, or the reaction to the will on the part of the US to collect it

EU Petition Seeks to Restrict Export of 'Digital Arms' (Threatpost) A Dutch member of the European parliament is supporting a grass-roots effort to restrict the export of surveillance software such as FinFisher and others, which are used by some governments and law-enforcement agencies to monitor their citizens' activities

Navy expands 'cyber warrant' program to attract more tech–savvy sailors (Navy Times) The Navy is increasing its ranks of cyberwarfare sailors — about 1,000 more could join Fleet Cyber Command by fiscal 2016. But those sailors need leaders, and a program designed to build the Navy's "cyber warrant" corps stumbled out of the gate. The Navy's not getting enough qualified applicants for designator 7430, cyber warrant officer, to supply the dozen or so cyber warrant billets it wants filled in the next two years

Violators of PII will Have AFNET Accounts Locked (Aurora Sentinel) "Beginning Oct. 24, we began locking out the AFNET account of individuals who were found to be inappropriately transmitting PII data via the AFNET," explained Major General J. Kevin McLaughlin, the Commander of 24th Air Force and Air Forces Cyber

Products, Services, and Solutions

Salesforce.com Enables Private App Stores (InformationWeek) Salesforce Private AppExchange lets you put IT-approved applications in a customizable corporate app store. There's one catch, though

ViaSat, Green Hills Software team on 'military–grade' security for Android (FierceMobileIT) ViaSat Secured is integrating with Green Hills' Integrity Multivisor data protection platform

Dropbox Not So Spooky After All (Wired) Dropbox seems to be the poster child for all that is bad and scary about the cloud. IT is haunted by Dropbox (and really all file sharing apps for that matter) as it discovers that enterprise employees increasingly upload and share corporate content in the app. By nearly all accounts, Dropbox has the highest penetration into enterprises today

IPERC's Intelligent Microgrid Control System Selected as Cyber–Secure Microgrid Solution of Choice for DoD Smart Power Infrastructure Demonstration for Energy Reliability and Security (SPIDERS) (Sacramento Bee) IPERC's solution will help reduce the "unacceptably high risk" of extended electric grid outages in mission-critical environments

Blue Ridge Networks Launches AppGuard® Zero–Day Malware Protection (Herald Online) Blue Ridge Networks announced the launch of its latest version of AppGuard®, its revolutionary new zero-day malware protection software product for PC users. AppGuard has been a trusted security solution used successfully by discriminating enterprises and security professionals for some years to protect against zero-day malware

Meet The Company That Tracks More Phones Than Google Or Facebook (Forbes) Picture this scenario. A bored woman sits waiting in an airline lounge. She scrolls through her iPhone and taps on a brightly colored square to launch a free mobile game. In the instant before the app loads something extraordinary happens behind the scenes: an auction for her eyeballs, run by a company you've probably never heard of, called Flurry

Technologies, Techniques, and Standards

Forensic Software in Child Protection Cases (Forensic Focus) According to recently released statistics from ICAC, an agency whose aim is to make the internet safer for children, only 2% of reported child protection cases are investigated in the United States each year. Often the media seize every opportunity to disparage forensics organisations, child protection charities and law enforcement agencies for not coming up with more effective solutions to these cases, but the reality is that the investigation of illicit image distribution is a wide-ranging and complex area, fraught with difficulties

ForGe — Computer Forensic Test Image Generator (Forensic FOcus) Creating test material for computer forensic teaching or tool testing purposes has been a known problem. I encountered the issue in my studies of Computer Forensics at the University of Westminster. We were assigned a task to compare computer forensic tools and report results. Having already analysed test images by Brian Carrier over and over again, I found myself creating images manually, which appears to be the best and only way of doing this. One of my lecturers, Sean Tohill, confirmed this is indeed the case and a test image generator is long overdue

The threat within: How SMEs can protect themselves from light–fingered staff (Help Net Security) It hasn't been an easy time for small businesses. Where once cybercriminals shunned SMEs in favour of larger corporates, the threat landscape has changed drastically in recent years. According to the 2013 Information Security Breaches survey, 87 percent of small businesses had a security breach in the past year. However, while the threat from external attacks is undoubtedly rising - and SMEs are growing increasingly aware of it - another equally serious threat is silently lying in wait: the insider threat

ENISA Publishes Crypto Recommendations (InfoSecurity Magazine) In a technical report designed for technologists rather than consumers, the European Network and Information Systems Agency has produced a list of 'appropriate cryptographic protective measures', with recommendations for their use

Once–A–Year Risk Assessments Aren't Enough (Dark Reading) Why experts believe most organizations aren't assessing IT risks often enough. While it may be important that security organizations employ effective methods to walking through an IT risk assessment, the frequency with which they go through that process is almost as important as the means of carrying them out. Unfortunately, even when security organizations cover all of their bases in an IT risk assessment, if they don't assess often enough they could still be keeping themselves open to a great deal of risk

Continuous Monitoring and Mitigation (DataBreachToday) What are some of the unique challenges organizations face when they move into continuous monitoring and risk mitigation? Scott Gordon of ForeScout and Ken Pfeil of Pioneer Investments offer insight

That needle in the haystack of useful big data may be smaller than we thought (Gigaom) New research analyzing the log data churned out by applications developed on the Heroku platform as a service shows just how little of that data is actually useful to developers or devops personnel running those applications

Marketplace

Feds to take on greater role in procuring foreign investments (FierceGovernment) Administration officials laid out a plan to bolster the government's role in recruiting foreign investment into the United States through federal agency coordination during a Wednesday evening call for reporters

Cyber must avoid a 'sub–prime' situation, says Healey (FierceGovernmentIT) Cyberspace today looks much like the financial sector looked before 2008, said Jay Healey, director of the Atlantic Council's Cyber Statecraft Initiative. It's complex and interconnected but risk has not been fully assessed, said Healey, who spoke Oct. 23 at an event at the Atlantic Council in Washington, D.C

IBM ends legal fight against CIA cloud computing award to AWS (FierceGovernmentIT) IBM has dropped its legal case against the CIA's award of a cloud computing contract to Amazon Web Services, with Court of Federal Claims Judge Thomas Wheeler granting on Oct. 29 the company's motion to withdraw an earlier motion to stay his ruling that the CIA should procede with the AWS contract

Pulsant Awarded STAR Certification (SYS-CON Media) Cloud computing, managed hosting and colocation expert, Pulsant, has achieved the newly launched CSA STAR certification. The CSA STAR certification has been developed especially for cloud providers by Cloud Security Alliance (CSA) and BSI (British Standards Institution) and measures vendor security capability levels

Raytheon Starts UK Cyber R&D Competition for Small Businesses (ExecutiveBiz) Raytheon UK has started a contest for small- to medium-sized enterprises in the U.K. to research and develop ideas for defending against cyber threats

Cybersecurity Skills Gap Beginning to Have Real Effects on Business (InfoSecurity Magazine) The fact that there are not enough skilled cybersecurity workers is becoming an increasing drumbeat for those tasked with improving the security posture of both public and private sector businesses. A new study underscores that while it's essential that organizations continually evolve their security strategies to keep pace with the changing threat ecosystem, resource-strapped IT staffs are more often than not too bogged down by tactical activities to keep up

Cyber Security Executives Raise More Than $327,000 for Children (White Hat) The inaugural White Hat Gala raised more than $327,000 for children treated at Children's National Health System. Approximately 300 guests attended the festive black-tie optional gala at the Ronald Reagan Building in Washington, DC. Cyber security experts, leaders in the field, Government heads of the industry, VIPs, and Federal contractor executives, as well as Children's National friends and staff attended this exciting evening of food, entertainment, casino events, networking and inspiration

Security Patches, Mitigations, and Software Updates

Google Chrome to Automatically Block Malicious Downloads (Threatpost) Google is panning to add a new feature to its Chrome browser that will block malicious downloads automatically, helping to prevent drive-by downloads and the kind of malware that rides along with supposedly legitimate software

Cyber Attacks, Threats, and Vulnerabilities

Finland government network hit by serious cyber–attack (MyBroadband) Finland's foreign minister said foreign intelligence agents had carried out large-scale hacking into government communications

Finland Probes Hacking of Foreign Ministry Network (Bloomberg) Finland's Security Police is investigating the infiltration of the Foreign Ministry's data network by spies, Foreign Minister Erkki Tuomioja said

Moroccan Ghosts Defaces Nigerian Ministry of Defence Website over Sahara Dispute (HackRead) The official website of Nigerian Ministry of Defence has been hacked and defaced by world renowned hackers from Moroccan Ghosts hacking group. The site was hacked just few minutes ago, where the home page was left with a deface page along with a message. The page shows that site was defaced for an ongoing Sahara desert dispute between Morocco and Nigeria

Hacker Group Anonymous Targets Singapore with Cyber Attack Over Censorship (TIME) Group says it will be "forced to go to war" with Singaporean government

'Anonymous' hack puts Singapore on alert (Rappler) Activist group Anonymous hacked a Singapore newspaper website Friday, November 1, and threatened wider cyber attacks over Internet freedom, with government agencies reportedly on alert after the group said it would "wage war" with the city-state

Spike in suspicious traffic and TOR usage, says threat report (Help Net Security) Solutionary has released its Security Engineering Research Team (SERT) Quarterly Threat Intelligence Report for Q3 2013, providing intelligence on key security threats observed and intelligence gathered over the period

Know Your Enemy: Tracking A Rapidly Evolving APT Actor (FireEye Blog) Between Oct. 24–25 FireEye detected two spear-phishing attacks attributed to a threat actor we have previously dubbed admin@338.[1] The newly discovered attacks targeted a number of organizations and were apparently focused on gathering data related to international trade, finance, and economic policy. These two attacks utilized different malware families and demonstrate an ability to quickly adapt techniques, tactics, and procedures

The "BadBIOS" virus that jumps airgaps and takes over your firmware — what's the story? (Naked Security) "BadBIOS" is an unfolding story about a virus that is claimed to have some remarkable characteristics - such as jumping airgaps, spreading using sound waves, and taking over your firmware

Eavesdropping near-field contactless payments: a quantitative analysis (Journal of Engineering) This paper presents an assessment of how successful an eavesdropping attack on a contactless payment transaction can be in terms of bit and frame error rates, using an easily concealable antenna and low-cost electronics. Potential success of an eavesdropping attack largely depends on the correct recovery of the data frames used in the ISO 14443 standard. A near-field communication inductive loop antenna was used to emulate an ISO 14443 transmission. For eavesdropping, an identical inductive loop antenna as well as a shopping trolley modified to act like an antenna were used. The authors present and analyse frame error rates obtained with the authors equipment over a range of distances, up to 100 cm, well above the official maximum operating distance depending on the magnetic field strength

How an epic blunder by Adobe could strengthen hand of password crackers (Ars Technica) Engineers flout universal taboo by encrypting 130 million pilfered passwords. Four weeks ago, Adobe disclosed a sustained hack on its corporate network that threatened to spawn a wave of meaner malware attacks by giving criminals access to the raw source code for the company's widely used Acrobat and ColdFusion applications. Now, researchers are warning the same breach could significantly strengthen the password-crackers' collective hand by revealing a staggering 130 million passcodes used over the years by Adobe customers, many of them from the FBI, large corporations, and other sensitive organizations

Fake social media ID duped security–aware IT guys (IT World) Penetration testers used a faked woman's identity on social networks to break into a government agency with strong cybersecurity defenses

Think twice before you accept that 'friend' request (CSO) Human nature leads people to form communities and help each other—and that human nature can be turned against you with a fake social network account

Hacking a Reporter: Writing Malware For Fun and Profit (Part 1 of 3) (Trustwave SpiderLabs) Pando Daily editor Adam Penenberg recently published a story about my coworkers and I hacking his life entitled "I challenged hackers to investigate me and what they found out is chilling". If you haven't already, I strongly recommend that you read it. Pando Daily also published a follow-up blog post, "A reporter asked us to hack him, and here's how we did it", explaining our perspective on the project this week. We thought that some of our friends and readership might appreciate even more technical details about the infiltration. So we've decided to publish a three-part series of posts on the topic

Does healthcare.gov violate their own privacy policy? (ZDNet) Developer Ben Simo raises a number of security concerns about healthcare.gov, the Federal health care exchange site. In particular, he describes serious privacy problems in violation of the site's own policy

Healthcare.gov Faced Security Risks, Feds Were Told (InformationWeek) As HHS secretary Sebelius testified to Congress about the flawed rollout, a memo surfaced that predicted security risks due to inadequate testing

Personal cyber security, privacy protection: Read fine print in 'I Agree' (Fort Hood Sentinel) Web email and Internet applications can affect your privacy. How many times have you downloaded a free app or registered for a free email account and have had a dialog box to an End User Agreement to agree to before you can reap the benefits — five, 10 or a 100 times

How do spies bug phones? (The Economist) America's spooks are under attack from all sides. Leaks from Edward Snowden, a systems administrator turned whistleblower at the National Security Agency (NSA), America's signals-intelligence agency, have confirmed what the professionally paranoid long suspected: that the internet is insecure, and that modern spy agencies can—and do, on an industrial scale—tap virtually any form of online communication. But perhaps the most acute embarassment so far has been caused by the revelation that the NSA may have been listening to phone calls made by the leaders of America's allies, most notably those of the German chancellor, Angela Merkel. That it is possible to intercept mobile-phone calls will not surprise anyone who has watched a modern crime drama. But how exactly is it done

Boone Hospital Suffers Data Breach (eSecurity Planet) 125 patients' birthdates, Social Security numbers, medical diagnoses and prescribed treatments may have been inappropriately accessed

Genesis Rehabilitation Services Acknowledges Security Breach (eSecurity Planet) The names, addresses or e-mail addresses and Social Security numbers of 33 employees, agency employees, and applicants may have been exposed

Academia

Class helps military children be safe, secure online (Belvoir Eagle) Military youth learned how to stay safe in cyberspace during the community's first "Safe and Secure Online" class for children Oct. 22 at the USO Warrior and Family Center. The event was sponsored by Booz Allen Hamilton as part of Holding Down the Homefront, a series of USO programs focused on taking care of military Families

'Centers of excellence' in information assurance education and research (Washington Post) Here are schools in Maryland, Virginia and the District that the National Security Agency and Department of Homeland Security have identified as "national centers of excellence" in information assurance education at the two- or four-year level. Those also identified as centers of excellence in IA research are noted with an R

Litigation, Investigation, and Enforcement

Spy agency, cyber command jointly meddled in presidential poll: lawmaker (Yonhap) The state spy agency and the defense ministry's cyber warfare command were jointly involved in an alleged campaign to sway public opinion in favor of the ruling party ahead of last year's presidential election, an opposition lawmaker claimed Thursday

EFF Makes Case That Fifth Amendment Protects Against Compelled Decryption (Threatpost) The Electronic Frontier Foundation, along with the American Civil Liberties Union, filed an amicus brief yesterday explaining the Fifth Amendment privilege against self-incrimination prohibits compelled decryption

Investigator told executive how to hack royal's phone, court told (The Telegraph) Private investigator employed by News of the World sent one of the paper's executives email explaining how to hack phone of royal, trial hears

Supermarket Chain Settles Massive Data Breach Lawsuit (eSecurity) Schnucks customers will be paid up to $10 per compromised credit or debit card

Design and Innovation

Federal Cybersecurity Champions Honored (InformationWeek) National Institute of Standards and Technology senior scientist Ron Ross honored for creating risk management framework. The federal cybersecurity community on Tuesday honored some of this year's outstanding achievers who have helped improve computer security in the government, including one of its own for his work establishing cybersecurity requirements for federal agencies

Innovation Stalled? Bad Culture Defeats Good Strategy (InformationWeek) Your project managers' focus on meeting budgets and deadlines may be the root of your innovation stagnation. Here's how to change that culture