The CyberWire Daily Briefing 11.08.13

Cyber Trends

From Event Gatherers To Network Hunters (Dark Reading) Passive, wait-for-an-event defenses are no longer enough — companies need to move to a more proactive strategy of hunting down the bad actors in their network, say experts

'Active immunization isn't enough to contain the Cyber Plague' (InformationWeek) Jay Bavisi, President, EC-Council has alerted global thought leaders and academicians of the worsening Cyber Plague. In an exclusive interview, he talks about the magnitude of the problem and the factors that caused it

Fear of cyber attack driving a shift from risk-based security, says Gartner (ComputerWeekly) Fear of advanced cyber attacks is driving a shift from tried-and-tested, risk-based security tactics, making them more vulnerable to emerging threats, a survey has found

Rise in cyberattacks means firms must develop security skills and mindset (SiliconRepublic) Rise in cyberattacks means firms must develop security skills and mindsetRise in cyberattacks means firms must develop security skills and mindset. The recent spate of data breaches that saw 43,000 Irish people's credit and debit card details fall into the hands of hackers are a stark warning to public and private-sector organisations to be on their guard

SMEs ignore big data as skills demand rockets (V3) The UK's small and medium-sized businesses are making almost no use of big data analytics, a new IT skills report has found. However, among larger businesses, demand for big data specialists is expected to triple, increasing competition for staff in the business intelligence sector

Internet of Things poses world of worries for IT pros (FierceITSecurity) IT professionals surveyed by ISACA believe IoT poses major IT governance issues for the enterprise

Defining cyberwarfare…in hopes of preventing it — Daniel Garrie (TEDed) Can you imagine a future where wars are fought not with bombs and bullets but computer viruses and pacemaker shutdowns? Cyberware is unique in that it is not covered by existing legal framework and it often inspires more questions than we are yet capable of answering. Daniel Garrie ponders some of the practical and ethical dilemmas that may pop up as we progress towards our uncertain future

Cyber Warfare and the Corporate Environment (Journal of Law and Cyber Warfare) The "back door" is open and cyber-terrorists are in our midst

Reflections on the One Million Mark: A Threat Beyond the Android Platform (Trend Micro Simply Security) We recently reported that the number of malicious and high risk apps on the Android platform crossed the one million mark. It's important to note that this beats by a full quarter our CTO Raimund Genes' prediction from November 2012 that we would cross this mark by the end of 2013

Data brokers' collection of internet activity data raises privacy issues (CIO) Everybody who spends much time on the web knows their activities are tracked for marketing purposes. Do a little online shopping for hats, and you will quickly see ads for hats popping up on other websites you visit

Legislation, Policy and Regulation

FSB wants Russian internet communications to be recorded (Russia Today) Russia's Communications Ministry, in cooperation with security services, is finalizing a directive obliging internet providers to record private internet communications

GCHQ — General Chit-chat, Hazy Questions? (Trend Micro Countermeasures) Yesterday's questioning of intelligence chiefs by Members of Parliament is a first in British history. The momentous occasion was preceded by anticipation that the three big authorities, MI5, MI6 and GCHQ, would offer an open and transparent account of the extent of their surveillance operations, in particular GCHQ

Germany brings anti–spying bill to the UN, meets with US intelligence (ZDNet) Surveillance practices should be reviewed with an eye towards human rights, UN draft resolution says

Snowden leaks damage Obama foreign–policy agenda (NBC News) The latest stream of revelations from former National Security Agency contractor Edward Snowden – that the United States has been spying on at least 35 foreign leaders – sparked a firestorm abroad and at home and have boxed in President Barack Obama, who finds himself struggling a year into his second term. They have damaged America's relationship with some of its closest allies more so than any foreign-policy decision Obama has made, analysts say

White House mulls civilian leadership at NSA (UPI) The White House may place the National Security Agency under civilian leadership and end dual leadership of the NSA and U.S. Cyber Command, officials said

Exclusive: Hagel Defends 'Phenomenal' NSA Chief As the Rest of The Administration Backs Off (Foreign Policy) The White House and Secretary of State John Kerry may be keeping their distance from the embattled Director of the National Security Agency, Gen. Keith Alexander. But Defense Secretary Chuck Hagel, under whom the NSA resides, is standing by him, even as Hagel takes part in high-level talks that could undermine Alexander's legacy

Al Gore: NSA spying 'unacceptable' (Politico) Former Vice President Al Gore slammed the National Security Agency tactics revealed by Edward Snowden as "outrageous" and "completely unacceptable" at a speaking event in Canada

The Folly of the Data Chase (Huffington Post) When I prepared to retire from the U.S. Army after 35 years of continuous service, there were a few people here and there "mentioning" my name as a potential candidate to lead the National Security Agency (NSA). I was the senior officer of the Signal Corps and I knew a thing or two about acquiring and handling sensitive information

Army seeks to integrate cyber approach to electronic warfare efforts (Federal News Radio) Col. Jim Ekvall, chief of the electronic warfare division, joins Federal News Radio DoD reporter Jared Serbu on this week's edition of On DoD

Official: Army needs better cyber management (Army Times) The Army will squander the highly sought cyberwarfare skills within its ranks unless the personnel are better managed, Army cyber officials warn

Why the Government Should Help Leakers (Schneier on Security) In the Information Age, it's easier than ever to steal and publish data. Corporations and governments have to adjust to their secrets being exposed, regularly

Products, Services, and Solutions

Brivo Systems Achieves GSA Approved Products List Status (PRWeb) Brivo Systems LLC, leader in cloud applications for security management, today announced that as of October 30, 2013 its pre-cloud end-to-end physical access control system with high assurance readers and certificate path validation software has been approved as a fully-compliant FICAM solution by the General Services Administration

GFI MAX Mobile Device Management launched (Help Net Security) GFI MAX announced GFI MAX Mobile Device Management (MDM), a new offering for managed services providers looking to create new revenue opportunities as increasing numbers of employees use mobile devices in the office for work and personal activities

cc no evil: The one social network you don't mind sharing with your boss (Quartz) Mariano Rodriguez, the 30-year-old CEO of Joincube, is on a mission: to banish the endless reply-all work email chain forever

Technologies, Techniques, and Standards

IETF Reaches Broad Consensus to Upgrade Internet Security Protocols Amid Pervasive Surveillance (CircleID) IETF 88 Technical Plenary: Hardening The InternetInternet security has been a primary focus this week for more than 1100 engineers and technologists from around the world gathered at the 88th meeting of the Internet Engineering Task Force (IETF). Participants are rethinking approaches to security across a wide range of technical areas

PCI Council Strengthens Security Standard (InformationWeek) Payment card industry's latest information security standard adds penetration testing, malware, authentication, physical security and other requirements

NIST orders review of its encryption standards development processes (FierceHealthIT) After reports based on documents leaked by Edward Snowden raised questions about existing encryption standards, the National Institute of Standards and Technology (NIST) has launched a formal review of its processes

Smartphone security concerns prompt makers to turn to biometrics (FierceITSecurity) Number of smartphones with fingerprint sensors to increase tenfold by 2017, says IHS

How to manage the deluge of information security threat reports (Search Security) You've no doubt noticed an increasing number of vendors, researchers, consultants and others issuing reports detailing information security threats, promising new insights about the latest attacks, vulnerabilities and exploits. While many are valuable, the sheer amount of available information can be difficult to manage and digest. More importantly, the information may not even be applicable to your company's environment

Reframing discussions about return on security investment (Search Security) What's the best way to determine the return on security investment in our company? Getting a bigger security budget is difficult without being able to bring solid numbers to the board

Whistleblower policy: Preventing insider information leak incidents (Search Security) Edward Snowden, now of universal fame (or infamy) due to his disclosure of U.S. National Security Agency classified information, has been charged with a number of crimes, including espionage. The case will prove to be a long and difficult one, and its adjudication, whatever the outcome, promises to be as complex as it is uncertain

Third–party risk management: Horror stories? You are not alone (Search Security) Cyberattacks leap from the headlines almost daily, yet senior management at some companies still believe their organizations are not potential targets: "Nobody knows who we are, why would anyone want to attack us

App wrapping secures sensitive data even on malware-infected, jail-broken, unmanaged mobile consumer devices (ComputerWorld) When it comes to ensuring secure enterprise mobility, device-oriented approaches adapted from single-vendor environments like BlackBerry simply aren't working in the bring-your-own-device (BYOD) mobile enterprise. Companies need a way to secure devices they don't own or don't already manage using a mobile device management solution

Arming yourself with a cloud security checklist that covers your apps and data (Trend Micro Simply Security) In my last blog, I walked through the shared responsibility model for security in the cloud and the importance of host-based firewalls to both inbound and outbound communication; intrusion prevention capabilities to protect against vulnerabilities even before you patch; integrity monitoring to catch system changes; and anti-malware with web reputation to protect against viruses and malicious URLs

How to Spot a Twitter Spambot (Mashable) Twitter has spam issue. The social network's "follow anyone" model allows a steady influx of spammers to reach out to many people in a short amount of time, hoping at least one of them will click on a sketchy link

Marketplace

UK banks to take part in cyber–attack 'war game' (The Telegraph) Thousands of staff across dozens of London financial firms will be tested on how they react to a cyber attack in one of the largest "war games" in the world

Why NERC will attack the grid November 13 (and what it could mean for utilities) (SmartGridNews) Quick Take:More and more people are jumping on the smart grid cybersecurity bandwagon. And many of them are jumping on for the purpose of complaining that utilities aren't doing enough, as in the example below

HyTrust acquires HighCloud Security (Help Net Security) HyTrust has acquired HighCloud Security, a provider of cloud encryption and key management software. By combining HyTrust's administrative visibility and control with HighCloud's strengths in encryption and key management, the acquisition offers customers flexibility in addressing security, compliance and data privacy requirements in all cloud environments—private, public and hybrid

Apple Seeks Freedom To Disclose Gov Data Demands (InformationWeek) Apple released its first transparency report and seeks the right to tell its customers the truth about government orders for customer information

Trend Micro's Response to Bits of Freedom (Trend Micro Simply Security) Recently, Trend Micro received a request for information from Bits of Freedom that was sent to us and fourteen other security companies. Bits of Freedom asked four specific questions around our interactions with governments in regard to our detections of surveillance software

CIA Said to Pay AT&T for Customer Data in Terrorist Hunt (Bloomberg) The Central Intelligence Agency has negotiated contracts with AT&T (T) Inc. and other U.S. companies to mine their databases for records of communications, including financial transactions, of suspected terrorists overseas

Skills trump credentials in cybersecurity, but federal agencies have hiring obstacles (FierceGovIT) Ability trumps credentials when it comes to hiring cybersecurity workers, and the federal government faces obstacles in picking up the best talent, said panelists during a Nov. 1 event

Lunarline Named To Inc. 5000 List For Fourth Year Running (Sacramento Bee) The company provides a unique combination of products and consulting services, as well as cyber security training through the Lunarline School of Cyber

CACI Supports DISA Info Sharing Program (Zacks) CACI International Inc (CACI - Analyst Report) announced that it had secured a $45 million order in first quarter fiscal 2014 to support Defense Information Systems Agency's (DISA) Multinational Information Sharing (MNIS) Program Management Office (PMO)

Booz Allen Hamilton STILL Looks Cheap (Seeking Alpha) One year after paying a $7.50 per share dividend, Booz Allen Hamilton Holdings (BAH) still looks cheap. The risks facing the company have increased, given the uncertainties still surrounding the federal debt and deficit and the sequester, but they appear to be manageable

GCHQ data snooping has "destroyed trust in British tech" (PC Pro) GCHQ's online surveillance has destroyed trust in British technology companies and irrevocably damaged the nation's information security industry, according to a cryptography expert

Mikko Hypponen: How the NSA betrayed the world's trust (Help Net Security) Recent events have highlighted, underlined and bolded the fact that the United States is performing blanket surveillance on any foreigner whose data passes through an American entity — whether they are suspected of wrongdoing or not

Internet Bug Bounty Pays for Bugs in Core Technologies (Threatpost) A bounty program begun by a bevy of industry heavyweights, including Microsoft and Facebook, will pay good money to white hats, researchers and even aspiring young hackers who find bugs in any of a dozen technologies central to the vitality and trustworthiness of the Internet

Feel Cisco's WRATH: Over 1,000 placed on DENIED partner sh*t list (The Register) Cisco has launched an EMEA-wide crackdown in the channel after expelling Phoenix IT Group from the Gold Partner network, which our sources alleged was because it flouted support rules by supplying grey market kit

Research and Development

Researchers dare AI experts to crack new GOTCHA password scheme (NetworkWorld) Like CAPTCHA, GOTCHA's inkblot password system relies on humans' visual skills

Big Data is a Good Place for Hackers to Hide (Nextgov) As departments increasingly try parsing mammoth streams of Web activity to detect cyber threats, expect attackers to fight back by gaming the big data analytics, according to a new cybersecurity report by Georgia Tech researchers

NSA spying prompts open TrueCrypt encryption software audit to go viral (CSO) Concerns over NSA tampering provokes wide crowdsourcing response from security community

Experts Join Movement to Audit TrueCrypt, Perhaps Other Security Software (Threatpost) As the TrueCrypt audit chugs along toward a deterministic, clean build of the open-source encryption software and a palatable license, the organizers have brought prominent security and legal experts aboard as a technical advisory team

Security Patches, Mitigations, and Software Updates

KitKat swats yet another Android 'MasterKey' bug (The Register) Android 4.4 contains a fix for yet another - albeit weaker variant - of the so-called MasterKey bug that first surfaced in July

November's Security Releases Will Not Include Fix for Zero–Day Vulnerability (Windows IT Pro) Microsoft has released advanced notification for the November 2013 security updates that are scheduled to be released on November 12, 2013. Unfortunately, the recently reported zero-day flaw affecting multiple products will not see a fix included in next Tuesday's bundle

Microsoft Security Bulletin Advance Notification for November 2013 (Microsoft Security TechCenter) This is an advance notification of security bulletins that Microsoft is intending to release on November 12, 2013

Father–Daughter Hacking Team Finds Valuable Facebook Bug (Threatpost) The Wysopal name has been on vulnerability advisories for better than 20 years now, and it doesn't look like that is going to end anytime soon. But the name on those advisories in the future may be Renee rather than Chris Wysopal. Chris, one of the founding member of the L0pht hacking collective and now

Cyber Attacks, Threats, and Vulnerabilities

Singapore PMO Website Not Hacked, Despite Reports (TrendLabs Security Intelligence Blog) Further analysis by Trend Micro researchers on the reported defacement of the Singapore Prime Minister Office website revealed that the website was not actually defaced — attackers abused the search function of the Singapore PMO website to display an image that looks like a hacked version of the site

Ecuador minister decries "first world" cyber attack in presidential elections (BNAmericas) A large processing center located in a "first world" country attempted to sabotage the Ecuadorian electoral IT system during presidential elections held in February of this year, in which President Rafael Correa won a further four-year term in a landslide victory, according to telecoms minister Jaime Guerrero

Exploits of critical Microsoft zero day more widespread than thought (Ars Technica) At least two hacker gangs exploit TIFF vulnerability to hijack users' computers

Despite patches, Supermicro's IPMI firmware is far from secure, researchers say (CSO) The IPMI in Supermicro motherboards has vulnerabilities that can give attackers unuathorized access to servers, Rapid7 researchers said

Nginx sets world-readable logs by default (CSO) Webserver's issue found to be much larger-scale than initially thought

Vicious malware appears on campus (UDail) University of Delaware Information Technologies (IT) reports that at least one computer on campus has been infected by CryptoLocker, a particularly vicious form of "ransomware," malware that encrypts your computer's files so you cannot use them. The software then tries to extort a payment from you in order to receive the decryption key and program

Windows XP Security Apocalypse: Prepare To Be Pwned (InformationWeek) Patching XP makes Microsoft no money. But millions of unpatched and easy-to-exploit systems equal cybercrime payday

Cybercriminals opting for real–time malware campaigns and phishing (Help Net Security) The third quarter of 2013 saw further use of real-time malware campaigns and a dramatic increase in phishing sites, according to Commtouch

Low Quality Assurance (QA) iframe campaign linked to May's Indian government Web site compromise spotted in the wild (Webroot Threat Blog) We've intercepted a currently trending malicious iframe campaign, affecting hundreds of legitimate Web sites, that's interestingly part of the very same infrastructure from May, 2013's analysis of the compromise of an Indian government Web site

Source code for proprietary spam bot offered for sale, acts as force multiplier for cybercrime–friendly activity (Webroot Threat Blog) In a professional cybercrime ecosystem, largely resembling that of a legitimate economy, market participants constantly strive to optimize their campaigns, achieve stolen assets liquidity, and most importantly, aim to reach a degree of efficiency that would help them gain market share. Thus, help them secure multiple revenue streams. Despite the increased transparency on the Russian/Eastern European underground market

Researchers Debate Value of New Bitcoin Attack (Threatpost) Researchers are debating the potential value of a Bitcoin attack that could allow a small cartel of participants to become powerful enough that it could take over the mining process and whether it's actually practical in the real world

Healthcare.gov Denial–of–Service Tool Unlikely to Work (Threatpost) Arbor Networks has discovered a denial of service (DoS) tool specifically designed to target the U.S. government's healthcare enrollment marketplace, Healthcare.gov

Security firm says still more Adobe users are at risk (Gigaom) Password management company LastPass says data of 152 million Adobe customers– a far higher number than thought — was accessed by hackers earlier this year

Power Plants and Other Vital Systems Are Totally Exposed on the Internet (Wired) What do the controls for two hydroelectric plants in New York, a generator at a Los Angeles foundry, and an automated feed system at a Pennsylvania pig farm all have in common? What about a Los Angeles pharmacy's prescription system and the surveillance cameras at a casino in Czechoslovakia? They're all exposed on the internet, without so much as a password to block intruders from accessing them

University Hospitals Security Breach Exposes 7,100 Patients' Data (eSecurity Planet) Names, home addresses, birthdates, medical record numbers, insurance provider information and treatment information may have been exposed

DaVita Acknowledges Data Breach (eSecurity Planet) 11,500 patients' names, diagnoses, insurance information and dialysis treatment data may have been exposed when an unencrypted laptop was stolen

Academia

How Qualys network security tools protect University of Westminster from cyber threats (Computing) Based in the heart of London, the University of Westminster caters for more than 20,000 students and 4,500 staff

Universities, NSA Partnering on Cybersecurity Programs (Southern Maryland Online) Universities across the country are racing to prepare the next generation of cybersecurity experts before a major cyberattack leaves the country's networks struggling to reboot

Cyber security threats expanding, expert says (The Ranger) Cyber security is transitioning from small, local problems to global issues affecting nations, Arne Saustrup, senior manager of network and operations for the Alamo Colleges, said during a presentation "Network Security and the Alamo Colleges: Think Globally, Act Locally" Oct. 28 in the nursing complex

Litigation, Investigation, and Enforcement

Snowden persuaded other NSA workers to give up passwords (Reuters) Former U.S. National Security Agency contractor Edward Snowden used login credentials and passwords provided unwittingly by colleagues at a spy base in Hawaii to access some of the classified material he leaked to the media, sources said

Free guide highlights legal pitfalls of enterprise collaboration (ComputerWeekly) Cloud-based collaboration company Intralinks and international legal firm Field Fisher Waterhouse (FFW) have published a free guide to help enterprises share information without risk of violating data protection laws

Silk Road reboots: for real, or just a honeypot? (Naked Security) Trusted old-timers from the original site are staffing the relaunched site, and now it's offering PGP encryption. Is the site a sticky trap for luring more drug aficionados or is it enough to save users from the fate that's befallen all those arrested in connection with the original site

FBI seeking "Loverspy" hacker who helped jealous lovers plant spyware (Naked Security) In yet another "don't open that e-birthday card" saga, 33-year-old Carlos Enrique Perez-Melara, now on the FBI's 10 most wanted cybercriminals list, allegedly sold malware that planted a keylogger, as well as remotely controlling a victim's computer and webcam

Secret Service Report Noted Aaron Swartz's 'Depression Problems' (Wired) The Secret Service has released another 26-pages of documents about coder and activist Aaron Swartz in my ongoing Freedom of Information Act lawsuit against the agency

Design and Innovation

How Biz Stone's Biggest Mistake Spawned Twitter (TechCrunch) "The first, second, third company I went to work for, somehow I screwed them all up. Doing startups is all about making mistakes," Biz Stone nervously admitted onstage at the New Context Conference in San Francisco. He'd just confessed that he didn't prepare anything so will talk about his biggest screw-ups, including one that could earn him many millions of dollars when Twitter IPOs