The CyberWire Daily Briefing for 11.15.2013

Cyber Attacks, Threats, and Vulnerabilities

Ukraine's State Customs Service Targeted by Anonymous Hackers (Softpedia) Members of the Anonymous movement claim to have breached the servers hosting customs.gov.ua, the domain used in the Ukraine by the country's State Customs Service

Irish Data Center Breach Hits 1.5 Million European Consumers (InfoSecurity Magazine) A breach of a data center in Ireland has compromised the information of 1.5 million people

Compromised Adobe accounts include military and government users (Help Net Security) The Adobe hack is truly gargantuan, what with all the stolen source code of a number of extremely popular software and the exfiltrated database containing user email addresses, poorly encrypted passwords and associated hints in plaintext

Spam campaign doubles on threats (Help Net Security) Some malware peddlers might be moving on from using the Blackhole exploit kit to deliver malicious code, but others are still not ready to give up on it, as proven by a spam campaign recently spotted by Trend Micro

Kelihos Botnet Thrives, Despite Takedowns (InformationWeek) Fast flux infrastructure and Windows XP infections continue to keep the botnet alive

Black Friday spams are too good to be true (Naked Security) With the holiday season approaching and lots of super good deals being offered around the American Thanksgiving holiday, retailers aren't the only ones looking to make a buck

Cybercriminals target Silverlight users with new exploit kit (ComputerWorld) The creators of a Web-based attack tool called Angler Exploit Kit have added an exploit for a known vulnerability in Microsoft's Silverlight browser plug-in to the tool's arsenal

Businesses offer best practices for escaping CryptoLocker hell (ComputerWorld) It is an IT nightmare: Businesses hit with the CryptoLocker malware find their electronic files locked up inside strong encryption and the extortionist operating the malware botnet demanding money to give them the security key that would let companies get their data back

Inside the BREACH attack: How to avoid HTTPS traffic exploits (Search Security) Cryptography was under heavy analysis long before Edward Snowden released the NSA's work undermining encryption. At the ekoparty Security Conference in 2012, Thai Duong and Juliano Rizzo discussed an attack named CRIME that did not significantly affect the security of Secure Sockets Layer/Transport Layer Security (SSL/TLS). At Black Hat 2013, Yoel Gluck, Neal Harris and Angelo Prado, who continued researching SSL/TLS cryptography, revealed a new threat, the Browser Reconnaissance & Exfiltration via Adaptive Compression of Hypertext — otherwise known as the BREACH attack — which could have a far more profound impact on SSL/TLS than CRIME did

Finding SQL Injection Attacks In Unexpected Quarters (Dark Reading) Injection by Google bot and through modern mobile and Web apps will require adjustments

One–quarter of US adults continue to access documents from previous employer (FierceITSecurity) More than one-quarter of file-sharing service users report still having access to documents from their previous employer, according to a survey of 2,000 U.S. adults by Harris Interactive for Egnyte

Hacking Your Way Through Airports and Hotels (Tripwire: State of Security) Want to know how to hack travelers and hotel networks in a matter of minutes? On a recent trip, Nabil Ouchn (@toolswatch) decided to do some some security analysis with a piece of hardware called the PwnPad – a penetration testing tablet – and a few other tools to see what kind of mischief he could get into

Hackers Can Now Target Pacemakers And Other Smart Products (Forbes) Are pacemakers at risk of cyber-attack? The ever-present availability of smart, connected products magnifies the threat of cyber-attacks. Just ask former vice president Dick Cheney knows this all too well. Turns out his fear of assassination via heart device was justified

The TRUTH about mystery Trojan found in SPAAACE (The Register) The mystery malware inadvertently brought into space by scientists which then infected the International Space Station has been identified as a gaming Trojan

Security Patches, Mitigations, and Software Updates

Apple iOS 7.04 Fixes App Store Purchase Flaw (Threatpost) Apple has released a new fix for iOS 7–no, it doesn't roll your phone back to iOS 6–that patches a vulnerability that enabled a user to make app or in-app purchases without needing to enter a password

BSRT 2013-012 Vulnerability in remote file access feature impacts BlackBerry Link (BlackBerry Knowledge Base) This advisory addresses an elevation of privilege or remote code execution vulnerability that is not currently being exploited but affects BlackBerry Link

Microsoft, Cisco: RC4 encryption considered harmful, avoid at all costs (The Register) Why not try this lovely AES-GCM, and don't forget to bin SHA-1, too

Cyber Trends

Watch out for less advanced malware and new exploit kits (Help Net Security) This year, cybersecurity took center stage with nation-state attacks, numerous high-profile data breaches and prominent cybercriminal arrests. Websense Security Labs outlined their 2014 predictions to help organizations defend against attacks throughout the entire threat kill chain

Chertoff Says U.S. Disengaging Won't Ease Cybersecurity Risks (Bloomberg) Michael Chertoff, who was Homeland Security secretary under President George W. Bush, provides his outlook for the cybersecurity industry in the Nov. 18 issue of Bloomberg Businessweek

FS–ISAC threat information sharing helped thwart DDoS attacks against US banks (FierceITSecurity) Cybersecurity threat information sharing carried out by the Financial Services Information Sharing and Analysis Center helped thwart a distributed denial of service campaign launched against major U.S. banks last year, according to Denise Anderson, vice president for government and cross-sector programs at the FS-ISAC

Cybersecurity threat sharing is not working, warns MITRE's security officer (FierceITSecurity) There a number of key areas where cybersecurity threat sharing is not working, Gary Gagnon, chief security officer for The MITRE Corp., told an audience at the Advanced Cyber Security Center's annual conference held Tuesday at the Federal Reserve Bank of Boston

Cyber security gives Scotland the chance to be a centre of excellence (The Herald via TMCNet) Technology is developing at such an unprecedented rate that, while we are beguiled into surfing the seductive waves of possibilities the latest gadgets or apps offer, there are sharks lurking in the water poised to use these same advances against us

Firms can't outsource security oversight and risk, warns Manulife's CISO (FierceITSecurity) BOSTON --While firms are increasingly outsourcing IT security through managed security services, such as cloud-based security-as-a-service, they can't outsource oversight and risk, cautioned John Schramm, chief information security officer with Manulife Financial

Insurance companies press for Terrorism Risk Insurance Act renewal (FierceHomelandSecurity) Insurance company representatives pressed for a reauthorization of the Terrorism Risk Insurance Act, a law set to currently expire at the end of 2014

Multiple Drivers For Cyber Security Insurance (NSS Labs) While cyber security insurance has been discussed for more than a decade, only recently has it become a widely accepted risk management option. Today, there is even interest from the public sector in devising ways to incentivize private entities to embrace cyber insurance. Read on for an update on the latest developments in cyber insurance in the United States

The state of governmental cloud deployments in Europe (Help Net Security) The EU's cybersecurity Agency ENISA has analyzed the present state of play regarding governmental cloud deployment in 23 countries across Europe

Cyber security expert Melissa Hathaway warns governments invest too little in protection from attacks (Austrlian Broadcasting Corporation) A former cyber security advisor to President Barack Obama and George W Bush is warning computer hackers are becoming more sophisticated and pose an escalating threat to global security

11 Concerning Cybersecurity Stats About the Federal Government (FedTech) MeriTalk's latest survey indicates that noncompliance is a key security issue

Security Think Tank: Procurement and security are uneasy bedfellows (ComputerWeekly) The risks posed by software these days can be severe and numerous

More than half top bank websites hacked, study shows (ComputerWeekly) More than half of the world's 50 biggest bank websites have been hit by security incidents in the past eight years, a study has revealed

Cyber Attacks May One Day Hit Their Utility Marks (EnergyBiz) Every day it seems the newspapers are filled with stories of breached security at a bank, government agency, media outlet, or a utility. According to a recent US Department of Homeland Security report, in fiscal year 2012, ICS-CERT received and responded to 198 cyber incidents as reported by asset owners and industry partners. Attacks against the energy sector represented 41 % of the total number of incidents. While none of these attempted cyber-attacks on utilities were successful, many experts have said it is not a question of if, but when

Cisco suggests new economic metric: Gross Domestic P0wnage (The Register) Count the cost of cybercrime to understand if government tech investments deliver

Marketplace

Silicon Valley Nerds Seek Revenge on NSA Spies With Super Coding (Bloomberg BusinessWeek) Google Inc. (GOOG:US), Facebook Inc. (FB:US) and Yahoo! Inc. (YHOO:US) are fighting back against the National Security Agency by using harder-to-crack code to shield their networks and online customer data from unauthorized U.S. spying

Surveillance Infrastructure Showing Signs of Decay (Threatpost) Buried underneath the ever-growing pile of information about the mass surveillance methods of the NSA is a small but significant undercurrent of change that's being driven by the anger and resentment of the large tech companies that the agency has used as tools in its collection programs

Homeland Security Department Seeks Software Assurance Marketplace Participants (SIGNAL Magazine) The U.S. Department of Homeland Security is seeking participants for the Software Assurance Marketplace (SWAMP), which aims to help protect the nation's critical infrastructure by improving software used for essential functions

GCHQ names companies charged with cleaning up UK cyber–attacks (ComputerWorld) Two schemes will provide response services to any business suffering an attack

Cybersecurity Investment Incentive Tax Credit (Maryland Department of Business and Economic Development) Maryland provides a refundable tax credit to Qualified Maryland Cybersecurity Companies (QMCCs) that seek and secure investment from an in-state or out-of-state investor. The purpose of this new program is to incentivize and attract cybersecurity companies to start-up in or move to Maryland; and to attract investment to cybersecurity companies in order to help them grow, create jobs and retain intellectual property in Maryland

Maryland Employer Security Clearance Costs (ESCC) Tax Credit (Maryland Department of Business and Economic Development) Businesses that incur qualified federal security clearance administrative expenses, and construction and equipment costs for constructing or renovating sensitive compartmented information facilities (SCIFs) in Maryland may be eligible for a State income tax credit. In addition, a qualified small business that performs security-based contracting in Maryland may be eligible for a State income tax credit for the first year of rental payments for spaces leased in Maryland

A–T Solutions Picks Up Security Tech Contractor GreenLine Systems (GovConWire) Arlington, Va.-based counterterrorism services contractor A-T Solutions has acquired security technology provider GreenLine Systems for an undisclosed amount in a push to expand into international markets for transportation security and border protection

IBM's purchase of Fiberlink puts a big price tag on other MDM vendors (CITEWorld) IBM this morning said it acquired Fiberlink for an undisclosed sum. The deal comes at a time when the focus of mobile management has shifted from devices to apps. But the fact that IBM has bought a top tier mobile device management provider shows the function is still key

Jobs go at Lockheed as cuts bite (Financial Times) Lockheed Martin has announced plans to cut 4,000 jobs and close four factories, in the clearest sign yet of how across-the-board "sequestration" spending cuts are feeding through into redundancies

Fixmo to supply cyber security for DISA mobile initiatives (Defense Systems) Mobile security specialist Fixmo Inc. will supply data protection and cyber security components for the Defense Department's mobile device management and mobile app store initiatives

Products, Services, and Solutions

F–Secure Launches A Dropbox For the Dark Web And A VPN That Could Erase Content Borders Everywhere (Forbes) Finnish security company F-Secure is making a sizable move out of its corporate security business into the world of the consumer cryptoWeb. It announced this week it's launching a Dropbox-like cloud storage service, Younited, and a virtual private network (VPN) smartphone app called Freedome, the latter threatening to disrupt the regional restrictions on use of copyrighted material around the world

Dropbox Tackles Security Concerns in Revamped Dropbox for Business (InfoSecurity Magazine) BYOD brought personal file syncing into the limelight, and a new threat into business: Shadow IT, where employees use personal apps to move company files back and forth between personal devices and company computers outside of the control, and often even the knowledge, of the IT department

Dear NSA, there's now a Snapchat for e–mail (C/Net) SecretInk claims that it has all the properties of Snapchat, applied to your e-mail. Wait, does anyone e-mail anymore

Amazon Launches 'WorkSpaces' For Desktop Users (InformationWeek) VMware wants to move into cloud computing? Guess what, Amazon's moving into desktop virtualization

Amazon wades into big data streams with Kinesis (Ars Technica) Service is designed to take on data firehoses like Twitter's in AWS' cloud

After NSA Scandal, Crop of Whistleblower Communication Tools for Journalists Emerge (techPresident) Among the many questions raised by the NSA scandal, there is one that is especially worrying for journalists: how to have secure communications with sources given the widespread surveillance of emails, phone calls, chats and browsing activities. How should investigative reporting deal with the technological challenges posed by governments' mass control of Internet and phone traffic? A number of online platforms have now sprouted across the globe with the mission to protect the anonymity of journalists' sources

SecretInk Lets You Send Self-Destructing Messages Over Email Or SMS Right From Your Inbox (TechCrunch) PowerInbox, the email platform company which merged with competitor ActivePath a year ago, is today launching technology called SecretInk that enables "self-destructing" messages that can be sent over email or SMS. The system works online or inside Gmail and other webmail services using the company's PowerInbox add-on. This utility also enables other interactive email content from dozens of

Technologies, Techniques, and Standards

Internet architects propose encrypting all the world's Web traffic (Ars Technica) Next-gen HTTP calls for default crypto to stop spying by spooks and criminals

HTTP/2 Chair Says Protocol Will Work Only with HTTPS URIs (Threatpost) The head of the working group designing the next version of HTTP said the HTTP/2 protocol will work only with encrypted URIs

Using PGP Encryption To Communicate Privately (Intellihub) There are many tools out there that allow you to communicate privately with varying levels of security. PGP (Pretty Good Privacy), specifically the OpenPGP standard, is a well tested and solid method of encrypting emails and messages, before transmission, to ensure that the only person who can read them is the intended recipient

Israeli Cyber Game Drags US, Russia to Brink of Mideast War (Defense News) The war game began in Israel with coordinated cyber and terrorist attacks: An explosion at an offshore drilling platform, multiple blasts in Haifa and Tel Aviv and network disruptions that paralyzed hospitals and sent aviation authorities scrambling to regain contact with an inbound airliner

The best data security offense is a good defense (ComputerWorld) Pennsylvania's Department of Public Welfare establishes a security risk framework that rationalizes 4,000 regulations into 350 integrated requirements

Security Think Tank: Security pros need to be plugged into procurement (ComputerWeekly) Security professionals need to work tirelessly to ensure that, when projects are mooted – that is before the project is actually funded – they are well and truly plugged into the purchasing and/or tendering processes

Alliance dedicated to wireless biometric authentication launched (Help Net Security) Natural Security has announced the launch and newly elected governing board of the world's first open Alliance dedicated to secure transactions based on wireless and biometrics

A look at IT security health checks (Help Net Security) Over the past few days, one thing got my attention which I think in many ways sums up the state of our industry. While on a shopping trip with my wife, she noticed a billboard from a certain health insurance organization with the slogan, "Our focus is health, not shareholders."

Security Tools, Templates, Policies (CSO) CSOonline's Security Tools, Templates & Policies page provides sample documents contributed by the security community. Feel free to use or adapt them for your own organization

Tracking botnets using automatically generated domains (Help Net Security) Modern botnets rely on domain-generation algorithms (DGAs) to build resilient command-and-control infrastructures that are difficult to track or deactivate. Considerable attention has been given to recognizing automatically generated domains (AGDs) from DNS traffic, in order to identify previously unknown AGDs, which helps in the task of disrupting botnets' communication capabilities

Research and Development

Stanford Metaphone Project aims to show dangers of metadata collection (Threatpost) When the first NSA surveillance story broke in June, about the agency's collection of phone metadata from Verizon, most people likely had never heard the word metadata before. Even some security and privacy experts weren't sure what the term encompassed, and now a group of security researchers at Stanford have started a new project to collect data from Android users to see exactly how much information can be drawn from the logs of phone calls and texts

Open source can help commercialize cybersecurity research (FierceGovIT) Open source can help move cybersecurity technology from the research and development stage to commercialization--but it may be ill-advised to mandate it

The Cost of Cryptography (Nautilus) Computer security is trying to avoid wasting your time

What The Carna Botnet Also Found (Dark Reading) The researcher who rocked the security world earlier this year by revealing he had built a botnet to conduct a census of the Internet remains anonymous, but has passed to a white-hat researcher more security findings from the controversial project

Academia

How India, Rwanda, and El Salvador are solving the biggest problem in online education (Quartz) Massive open online courses have quickly fallen out of favor—initially thought to be the savior of higher education, the huge classes are now its punching bag. Critics of the free online courses point to low completion rates, a devaluation of degrees, the displacement of professors, and an absence of necessary classroom time. But a more effective application of the standalone courses is taking root, notably outside of the US

IBM Expands Cybersecurity Education (eSecurity Planet) IBM is doing its part to address a lack of skilled professionals in the cybersecurity industry

Legislation, Policy, and Regulation

Who Will China's New Security Agency Target? (Bloomberg BusinessWeek) An interesting question to consider of China's soon-to-be-formed national security committee, announced at the end of the third plenum on Nov. 12: Will its primary focus be containing what the party perceives as threats from overseas? Or will it instead aim at combating threats seen as coming from within

Boehner Wants NSA Separate From Defense Authorization (Roll Call) Bad news for National Security Agency critics who want to use the annual Defense authorization bill to exact changes to the agency's spying policies: Speaker John A. Boehner doesn't think the defense measure is an appropriate vehicle for that debate

Cyber–attacks eclipsing terrorism as gravest domestic threat — FBI (The Guardian) Counter-terrorism chiefs urge Congress to resist altering controversial surveillance programs except 'at the margins'

CIA collecting in bulk data on international money transfers, say reports (PCWorld) The U.S. Central Intelligence Agency secretly collects data in bulk on international money transfers, under a program similar to the government's collection of phone records, according to reports

Americans' personal data shared with CIA, IRS, others in security probe (Miami Herald) U.S. agencies collected and shared the personal information of thousands of Americans in an attempt to root out untrustworthy federal workers that ended up scrutinizing people who had no direct ties to the U.S. government and simply had purchased certain books

Top 10 PRISM revelations as spy scandal rumbles on (V3) It has been several months since the PRISM spying scandal broke, and the revelations have been coming thick and fast since whistleblower Edward Snowden handed over everything he knew and fled to Hong Kong

Cyber Society of India wants to Ban Ethical Hacking course in India — Compares hackers to rapists (eHacking News) I was totally shocked when I heard the words came out from the President of Cyber Society of India on local channel "Puthiya Thalaimurai'. The local channel covered a story about Ethical Hacking

Litigation, Investigation, and Law Enforcement

Homeland Security must disclose cell network 'kill switch' protocols, court says (ZDNet) The U.S. government's rules governing its ability to shut down cellular and wireless networks to prevent remote bomb detonation must be disclosed, a court has ruled

NSA chief says Snowden leaked up to 200,000 secret documents (Chicago Tribune) Former U.S. National Security Agency contractor Edward Snowden leaked as many as 200,000 classified U.S. documents to the media, according to little-noticed public remarks by the eavesdropping agency's chief late last month

Estonia will extradite three cybercrime suspects to US (AP via KRNV-DT Reno) The Estonian government will extradite to the United States three men accused of hijacking millions of computers in a widespread cyber-fraud scheme, officials said Thursday

California shuts down 10 "fraudulent" health care websites (Ars Technica) Sacramento: these sites divert consumers from real "Covered California" site

Meet the Punk Rocker Who Can Liberate Your FBI File (Mother Jones) Ryan Shapiro's technique is so effective at unburying sensitive documents, the feds are asking the courts to stop him

For a complete running list of events, please visit the Event Tracker.

Upcoming Events

Cyber Education Symposium (Arlington, Virginia, USA, Nov 19 - 20, 2013) Both the public and the private sectors suffer from a lack of highly trained and effective cyber security leaders. In response, the government, businesses, and academic institutions are all exploring ways to retrain the existing workforce and develop a new pool of cybersecurity professionals capable of meeting the needs of tomorrow. The Cyber Education Symposium offers a rare opportunity for the brightest minds in government (.gov), the private sector (.com), and the educational community (.edu) to convene and discuss trends and challenges in cybersecurity education. The Symposium will provide a forum to identify new ways of thinking about the problem, exchange best practices, and forge a pathway forward that leverages the full resources of our nation's leadership.

APPSEC USA (New York, New York, USA, Nov 18 - 21, 2013) Welcome to Appsec USA 2013, New York - a world class software security conference for developers, auditors, risk managers, and entrepreneurs, bringing you the world's top speakers, the most relevant security topics and an unbeatable atmosphere. Hosted by OWASP.

IT Forum Expo/Black Hat Regional Summit (, Jan 1, 1970) Black Hat Regional Summit will introduce a mix of local in-region experts and researchers from around the globe, discussing the latest trends in information security with an audience of peers. The sessions will provide candid insight and education for IT security professionals.

2nd Annual East Africa IT and Cyber Security Convention 2013 (Nairobi, Kenya, Nov 28 - 29, 2013) The 2nd Annual East Africa IT and Cyber Security Convention 2013 will bring together leading Cyber and IT Security experts who will provide key insights into critical cybersecurity issues surrounding cyber networks, mobile, and IT infrastructures. Enhancing the security, resiliency, and reliability of the nation's cyber and communications infrastructure is a challenge that must be met, attend the East Africa Cyber Security and IT Security Convention 2013 that will equip you with a comprehensive range of clarifications and solutions.

Operationalize Threat Intelligence (Webinar, Dec 4, 2013) Security teams are overloaded with threat feeds. It doesn't end with third party providers. It includes alerts, logs, and tips from their own security and IT solutions. We need help transforming this data into knowledge so we can act. Attendees will learn concepts and best practices that enable organizations to reduce, prioritize and operationalize threat intelligence.

Cloud Security Alliance Congress 2013 (Orlando, Florida, USA, Dec 4 - 5, 2013) The CSA Congress is the industry's premier gathering for IT security professionals and executives who must further educate themselves on the rapidly evolving subject of cloud security. In addition to offering best practices and practical solutions for remaining secure in the cloud, CSA Congress will focus on emerging areas of growth and concern in cloud security, including standardization, transparency of controls, mobile computing, Big Data in the cloud and innovation.

SINET Showcase: THE SINET 16 (Washington, DC, USA, Dec 4 - 5, 2013) The SINET Showcase is supported by the Department of Homeland Security, Science & Technology Directorate and provides a significant opportunity for industry's most innovative global entrepreneurs to present in front of 350 sophisticated investors, buyers and researchers from the commercial and government markets. If a company is selected as one of the SINET 16, it will not only be recognized at the event, but receive access to prospective investors and customers as well. Please note that the deadline to apply for the SINET 16 is August 15th.

The 8th International Conference for Internet Technology and Secured Transactions (London, England, UK, Dec 9 - 12, 2013) The 8th International Conference for Internet Technology and Secured Transactions (ICITST-2013) is an international refereed conference dedicated to the advancement of the theory and practical implementation of secured Internet transactions and to fostering discussions on information technology evolution.

World Congress on Internet Security (London, England, UK, Dec 9 - 12, 2013) The WorldCIS-2013 is an international forum dedicated to the advancement of the theory and practical implementation of security on the Internet and Computer Networks. The inability to properly secure the Internet, computer networks, protecting the Internet against emerging threats and vulnerabilities, and sustaining privacy and trust has been a key focus of research. The WorldCIS aims to provide a highly professional and comparative academic research forum that promotes collaborative excellence between academia and industry.

ACSAC 2013 (New Orleans, Louisiana, USA, Dec 9 - 13, 2013) The Annual Computer Security Applications Conference (ACSAC) is an internationally recognized forum where practitioners, researchers, and developers in information and system security meet to learn and to exchange practical ideas and experiences.

2013 ASE International Conference on Cyber Security (Orlando, Florida, USA, Dec 10 - 15, 2013) The annual ASE Cyber Security Conference is a leading international forum for cyber security researchers, practitioners, developers, and users to explore cutting-edge ideas and results, and to exchange techniques, tools, and experiences. The conference seeks submissions from academia, government, and industry presenting novel research on all practical and theoretical aspects of cyber security. The First ASE International Conference on Cyber Security provides a key forum for researchers and industry practitioners to exchange information regarding advancements in the state of art and practice of cyber security.