The CyberWire Daily Briefing 11.25.13

Cyber Trends

Large Organizations Need Open Security Intelligence Standards and Technologies (NetworkWorld) Enterprises want choices, integration, and specific types of data feeds. Will vendors acquiesce

Data Breaches May Be Worse Than Reported (Baseline Magazine) Despite the growing awareness of cyber-attacks and the increasingly sophisticated tools and technologies available to combat data breaches, the problem is getting worse. What's more, organizations face steep challenges in dealing with cyber-attacks, and many are underreporting incidents, according to a recently released research report from ThreatTrack

Under pressure: Most hospital CIOs have knowingly launched error–filled projects (FierceHealthIT) A majority of hospital CIOs said they have felt pressure at one time or another to continue launching a project that was not ready for go live, according to new survey results published this week

Only half of healthcare IT pros use formal risk assessments (Help Net Security) Tripwire and the Ponemon Institute evaluated the attitudes of 1,320 respondents from IT security, IT operations, IT risk management, business operations, compliance/internal audit and enterprise risk management. One hundred seventeen health and pharmaceutical sector respondents from the U.S. and U.K. participated in the healthcare portion of the survey

The risks of having a false sense of security (Help Net Security) Organizations are overwhelmingly confident in their readiness to combat security threats, but may not be prepared for dangers linked to new technology models and increasingly sophisticated threats, according to CompTIA

Post Prism: The new meaning of spyware (BBC) It may not just be the cybercriminals accessing your computer. If you thought you were pretty clever knowing that spyware refers to pieces of malicious code put on computers in order for cybercriminals to steal your passwords and other IDs, think again

'Big data, mobility threats too complex for one company to handle' (Business Standard) US-based Verizon projected that the dynamic nature of breaches will lead to a rise in spendings by firms on cyber security

Survey: Most Europeans fear cybercrime but fewer take security measures (CSO) Half of those surveyed have not changed online passwords in the past year

Cyber–attack at a major port could cost $1 billion per day (GSN) At a time when the nation's infrastructure faces a growing threat from cyber-attacks, maritime and homeland security officials say they are making significant progress in protecting the nation's ports, which handle more than 2 billion metric tons of cargo annually and are critical to the global economy

SMBs need help to better understand cyber attack threats (TechDay) Many SMBs are potentially putting their organisations at risk because of uncertainty about the state of their security and threats faced from cyber attacks

Cyber attacks — up close and personal (Computing) Absolute security is an absolute impossibility - and getting more impossible by the year

The Danger Of Laissez–Faire Security Attitudes (TechCrunch) A door lock does not have the same status as a modern, wall-mounted television or a couch from a world-class designer. It's not like you invite a friend over to check out the new double bolt on the front door: "Hey, you should come by and check out my new door lock! I also bought a new television and a couch, but forget that. This new door lock is awesome!" But if you did buy that $2,000

Legislation, Policy and Regulation

UN surveillance resolution goes ahead despite attempts to dilute language (Jopurnal of Law and Cyber Warfare) The US, UK and their close intelligence partners have largely failed in their efforts to water down a United Nations draft resolution expressing deep concern about "unlawful or arbitrary" surveillance and calling for protection for the privacy of citizens worldwide

Spooky silence until next Snowden bomb (Sydney Morning Herald) The ability of American whistleblower Edward Snowden to poach the Western intelligence community's most explosive secrets while working as a government contractor in Hawaii has left security experts around the world gobsmacked

House intel bill adds $75 million to NSA budget to stop future Snowdens (Ars Technica) Senate version also adds money to NSA's budget to stop "insider threat"

NSA deputy director skeptical on sharing data with FBI and others (The Guardian) John Inglis appears at University of Pennsylvania to argue legality of bulk surveillance and indicates stance on Feinstein bill

New Document Shows NSA Wanted More, More, More Power (TIME) A 2012 strategy paper says U.S. laws inadequate to meet agency's needs

Snowden and His Fellow Fantasists (Wall Street Journal) Declassified NSA documents disprove his claim that he could legally wiretap anyone

Why the U.S. needs a cyber doctrine (USA Today) How will the United States lead in this new era of cyber technologies

Zuckerberg: Government 'blew it' on data collection (Politico) Facebook co-founder and CEO Mark Zuckerberg says the government "really blew it" on the surveillance tactics used by the National Security Agency

NSA Chief Offered to Resign After Leaks (Government Executive) According to an National Security Agency official quoted by The Wall Street Journal, recent leaks have been "cataclysmic" for the organization and forced a large-scale reevaluation of its policies. They were so devastating that Gen. Keith Alexander offered to resign from his position as head of the NSA after Snowden came forward about the agency's domestic surveillance

Beijing hits back at US: Don't you DARE blame China for collapse of duty–free IT talks (The Register) Irate commerce minister: 'US is unwilling to make any concessions'

India Debates Establishing Cyber Command (DefenseNews) Top India military commanders meeting here have discussed establishing an independent Cyber Command. Addressing the Combined Commanders Nov. 22, Indian Prime Minister Manmohan Singh highlighted the need for developing capacities to counter what he described as "global surveillance operation"

Meet the man who'll TAKE OVER if UK faces CYBER ATTACK (The Register) Chris Gibson to head up UK's national Computer Emergency Response Team

President's tech council plays sad trombone for federal cybersecurity (Ars Technica) Report finds that government "rarely follows accepted best practices"

Arms regulations urged for internet surveillance systems (Engineering and Technology Magazine) New arms sale regulations urgently need to be introduced to clamp down on the export of electronic surveillance technology similar to that used in the highly controversial monitoring by GCHQ, a Labour MP has claimed

Increased space, cyber threats top concerns for AF Space Command (Air Force News Service) There are increased threats to the Air Force's space and cyber capabilities, said an Air Force senior leader during Air Force Association's 2013 Pacific Air & Space Symposium, Nov. 21

Google's Vint Cerf to FTC: "Privacy may actually be an anomaly" (FierceBigData) Google's chief internet evangelist, Vint Cerf said in a speech given before the Federal Trade Commission (FTC) last week that "privacy may actually be an anomaly." Apparently he doesn't think privacy a basic human right, but rather an "anomaly" created by the industrial revolution. Therefore, reverting to a state of no privacy at all for citizens might be a natural thing. Though his argument sounds convincing, his premise is completely wrong

Products, Services, and Solutions

Twitter upping security to thwart government hacking (C/Net) The microblogging site adds a new security measure designed to make it harder for organizations like the National Security Agency to uncover its data

Technologies, Techniques, and Standards

Simulated attacks on electrical grid show strengths, weaknesses in system (Foster's Daily Democrat) Rolling blackouts, widespread power outages, damaged infrastructure and hijacked substations. These were just some of the scenarios that bulk-power companies throughout North America were dealt in a recent 48-hour mock security exercise known as GridEx II

NTRU public key crypto released to open source community (Help Net Security) RSA and ECC are the two most common public-key crypto systems in use today. At the 2013 Black Hat conference, researchers declared that the math for cracking encryption algorithms could soon become so efficient that it will render the RSA crypto algorithm obsolete. Coupled with the recent NSA tampering allegations on ECC, this mistrust could set up a "cryptopocalypse" with organizations scrambling to retrofit systems with new, yet trusted, public-key crypto systems. Today, Security Innovation announced the availability of NTRU crypto for free use in open source software

How certificate pinning improves certificate authority security (SearchSecurity) I saw that Microsoft is going to include something called certificate pinning in version 4.0 of its EMET tool. EMET is already in use at my company, but I'm curious if you could describe what certificate pinning is and the potential benefits? And how can we use EMET for certificate pinning

From 1,024– to 2,048–bit: The security effect of encryption key length (SearchSecurity) Google is changing the length of its encryption keys from 1,024-bit to 2,048-bit, including the root certificates that sign all SSL certificates. What are the practical effects of such a switch from a security perspective, including how enterprises can plan for the switch

'Honey pot' utility trap lures hackers in show of cyberthreats (EE News) The small city water company in Arnold, Mo., went online last November. Seventeen hours later, a hacker using the SHODAN attack search engine had identified and penetrated an internal computer address leading to the control system that operated the pumps at the heart of Arnold's operation

Unofficial guide to Tor: Really private browsing (Help Net Security) The issue of privacy on the Internet has long been a difficult one: there are a lot of good reasons that you might be leery of strangers reading your emails or spying on the websites you visit

DISA's EOC Shines at Annual Cyber Flag Exercises (Federal News Radio) The Defense Information Systems Agency's new Enterprise Operations Center played a big role in the 3rd annual U.S. Cyber Command-sponsored joint exercise Cyber Flag 14-1 The training exercise was held at Nellis Air Force Base the first week in November

At AppSec USA, A Call For Continuous Monitoring (Dark Reading) Speakers, experts at AppSec conference say periodic scanning for application vulnerabilities is no longer enough

Marketplace

Case, Cleveland Clinic and University Hospitals team up for data–sharing venture (Crain's Cleveland Business) Case Western Reserve University, the Cleveland Clinic and University Hospitals have launched a venture designed to allow scientists and physicians from the three health care powerhouses to share clinical data that could be used to improve patient care

Surveillance as a Business Model (Schneier on Security) Google recently announced that it would start including individual users' names and photos in some ads. This means that if you rate some product positively, your friends may see ads for that product with your name and photo attached--without your knowledge or consent. Meanwhile, Facebook is eliminating a feature that allowed people to retain some portions of their anonymity on its website

BlackBerry's executive exodus: Three more depart in management shakeup (VentureBeat) Ailing smartphone maker BlackBerry announced a slew of management changes on Monday morning

Research and Development

The internet mystery that has the world baffled (The Telegraph) For the past two years, a mysterious online organisation has been setting the world's finest code-breakers a series of seemingly unsolveable problems. But to what end? Welcome to the world of Cicada 3301

Security Patches, Mitigations, and Software Updates

Secunia fixes PSI to work with Windows 8.1 and IE11 (Info World) Secunia has just released an update to its popular Personal Software Inspector that works with IE11 on any version of Windows

Cyber Attacks, Threats, and Vulnerabilities

UWI's 'Stop Iran' Initiative Hit by Cyber-Attack (Arutz Sheva) Successful 'Stop Iran' petition site targeted in internationally coordinated cyber-attack, 1 year after UWI Pillar of Defense site attacked

370 Israeli Websites Hacked and Defaced by CapoO_TunisiAnoO in Support of Palestine (Hack Read) The famous Tunisian hacker CapoO_TunisiAnoO is back in news by hacking and defacing 370 Israeli websites in support of Palestine. Hacker has left different deface pages with different messages on all sites hacked between 21st Nov to 24th Nov 2013

Protest Against Spying: Indonesian Gantengers Crew Hacks Australian National University Domain (Hack Read) Indonesian based hackers from Gantengers Crew has hacked and defaced an official sub-domain of Australian National University today against Australian spying activities over Indonesian government as reveled by NSA's whistleblower Edward Snowden. The targeted domain belongs to Australian National University's Deepening Histories of Place Project, which is now displaying a deface page along with a message

Z Company Hacking Crew Defaces 2 'Billabong International' Domains against Drone Strikes in Pakistan (Hack Read) The online hacktivists from Z Company Hacking Crew (ZHC) have hacked and defaced 2 official sub-domains of Australian based Billabong International Limited against drone CIA led drone strikes over Pakistani soil. Z Company hackers have left a deface page along with a message on both hacked domains against NATO and drone strikes on Pakistan

Pakistani hacker hacks and defaces official India's Armed Forces Tribunal Website (Hack Read) A breaking news where the official website of India's Armed Forces Tribunal (Regional Bench Jaipur) has been hacked and defaced by a Pakistani hacker

Indonesian Hacker Defaces Fairfield Police, NJ and Jasper County Police, IN Websites (Hack Read) An Indonesian hacker going with the handle of Maniak k4sur has hacked and defaced the official website of Fairfield Police Department, NJ and Jasper County Police, IN websites

New York State Government Sub-Domain Hacked by Indonesian Hacker (Hack Read) An Indonesian hacker going with the handle of Jje Incovers has hacked and defaced a sub-domain of New York State Government information portal. The defaced domain belongs to Hudson River Valley Greenway which is now displying a .txt deface page uploaded by the hacker with a simple note. However, the reason for targeting Hudson River Valley was not mentioned anywhere

RedHack Hackers Post Apology on PM's Behalf on Website of Political Party (Softpedia) Just as the 14 individuals suspected of being involved with RedHack and Anonymous were presented before the Ankara Courthouse, RedHack hackers were busy breaching the official website of Turkey's Justice and Development Party

FARC–EP Calls to Arrange Campaign vs. US Military Bases (Prensa Latina) The Revolutionary Armed Forces of Colombia-People''s Army (FARC-EP) described as urgent and a necessary task the arrangement of a campaign in all Latin America and Caribbean countries against U.S. military bases

Large–scale net traffic misdirections and MitM attacks detected (Help Net Security) Man-In-the-Middle BGP route hijacking attacks are becoming regular occurrences, but it's still impossible to tell who is behind them, and what their ultimate goal is, warns Jim Cowie, co-founder and CTO of Internet intelligence company Renesys

Aussies hit in global 'man–in–the–middle' hacking scam (News.com) Australians have been caught up in a new international hacking scam that has repeatedly diverted all of the internet traffic for companies and organisations through suspicious locations in Europe

Inside The Clever Hack That Fooled The AP And Caused The DOW To Drop 150 Points (Business Insider) Back in April, agents of the Syrian Electronic Army took control of the Associated Pressofficial Twitter account and punched out a single tweet

China's Cyber War (Newsweek) For more than a decade, a relentless campaign by China to steal valuable, confidential information from U.S. corporations flourished with barely a peep from Washington. And now it might never be stopped

Chinese Hackers Seen Exploiting Cloud to Spy on U.S. (Bloomberg) China-based hackers may target Internet-based e-mail, data storage and other services provided overseas by such companies as Microsoft Corp. (MSFT) to spy on the U.S., a congressional commission found

Chinese hackers spying on American cloud (PCWorld) With the National Security Agency spying on pretty much everyone inside and out of this country, we can't be too surprised, or offended, to find out that other countries are spying on us

Pre–Hacked Electronics Come Straight From China's Factories (Epoch Times) A simple tea kettle could open the door to cyber crime in one's own home

In Securing Your Supply Chain, Don't Forget To Lock The Back Door (Manufacturing Business Technology) Over time, business has gotten a lot smarter when it comes to protecting enterprise technology from the hackers and viruses that are constantly fighting to get in

EU Parliament investigating hacking of MEPs' personal email (EurActiv) A Parliament spokesperson said the institution was concerned about how easily an anonymous hacker broke into MEPs' personal emails, as was revealed yesterday (21 November) by French investigative journal Mediapart

NSA infected 50,000 computer networks with malicious software (NRC Handelsblad) The American intelligence service — NSA — infected more than 50,000 computer networks worldwide with malicious software designed to steal sensitive information. Documents provided by former NSA–employee Edward Snowden and seen by this newspaper, prove this

Facebook reveals friends list even when it's set to private (Naked Security) Don't want the entire Facebook–using and –abusing population to see your friends list? You can always change the setting to private — a setting labeled, for some strange reason, "only me", chosen in response to the "who can see your friends list?" setting. Fat lot of good it will do you, though

LG caught red-handed spying on viewers via Smart TVs (FierceBigData) Jason Huntley, U.K. ICT consultant, accidently discovered his LG Smart TV was sending extensive information about his viewing habits to the Korean manufacturer. He gives a full account of the unsettling details in his DoctorBeet's Blog. Readers should consider carefully what this means to them beyond using LG or other brands of Smart TVs

LG decides its TVs *don't* steal personal information — "viewing info" isn't personal (Naked Security) Last week, we wrote about how a UK blogger named DoctorBeet became suspicious that his LG Smart TV was phoning home with more information about his use of the TV than he might have liked

Personalized ads no excuse for privacy invasion, no benefit to consumers (FierceBigData) According to big corporations, personalized ads are a 'must have' for consumers. Therefore everything must be done--everything--to meet that demand as fast as possible. What a load of bull

Tech experts: HealthCare.gov not secure (FierceHealthIT) At a Nov. 19 hearing of the House Committee on Science, Space, and Technology, four technology experts--including two university representatives--all testified that they thought HealthCare.gov was not a secure website, Reuters reported. What's more, three of the four experts said they thought that the site should be shut down until it is secure

Report highlights several security issues within HealthCare.gov (CSO) TrustedSec report cites vulnerabilities including open redirection, XML injection

Vermont reports privacy violation on health care exchange (ZDNet) A single consumer received a copy of his application from an unknown third party

Thousands of California doctors impacted in Anthem breach (SC Magazine) Thousands of doctors at Anthem Blue Cross of California are being notified that their personal information was mistakenly posted online

Redwood Memorial Hospital Admits Data Breach (eSecurity Planet) 1,039 patients' personal information may have been exposed when an unencrypted thumb drive was lost

Faked LinkedIn job offers on the rise (USA Today) Social networks interconnect people with common interests in near real time on a global scale. That's the power of social media. And it's also a beacon to cyberscammers

Have you heard of the Happy Hour virus? (Naked Security) Vigilant Naked Security reader Betty Kann has alerted us to an online service that she felt security-conscious sysadmins ought to be made aware of

Racing Post website hacked, customer information stolen (Graham Cluley) Racing PostThe website of the Racing Post, a daily newspaper obssessed with horse racing, greyhound racing and other sports betting, has been hacked by criminals who managed to access customer information

Evernote tells some users to change their passwords. (Psst! It's Adobe's fault…) (Graham Cluley) EvernoteJust like Facebook before it, Evernote has been scouring the list of millions of email addresses and passwords exposed by the recent mega-breach at Adobe

The importance of the User–Agent in the Botnets connections (Behind the Firewalls) The RFC 1945 says in the 10.15 section: "The User-Agent request-header field contains information about the user agent originating the request. This is for statistical purposes, the tracing of protocol violations, and automated recognition of user agents for the sake of tailoring responses to avoid particular user agent limitations. Although it is not required, user agents should include this field with requests"

Asia Chats: Analyzing Information Controls and Privacy in Asian Messaging Applications (Citizen Lab) Across Asia, a new class of instant messaging (IM) mobile applications are rapidly growing in popularity and amassing enormous user bases. These applications encompass more than text, voice, and video chat as they offer social networking platforms that include expressive emoticons and stickers (known as "emoji"), photo and video sharing, e-commerce, gaming, and other features that provide a more sophisticated user experience than previous generations of IM clients

CryptoLocker Could Herald Rise Of More Sophisticated Ransomware (Dark Reading) A smarter approach to encryption is what separates CryptoLocker from other ransomware — but that might not last long

How to fight back against CryptoLocker (ComputerWorld) As early as 2007, if not earlier, Windows users encountered the very first rogue antivirus programs. Even today, end users are easily fooled by this vicious type of malware

Litigation, Investigation, and Enforcement

Leaker Snowden asked for more dirt (The West Australian) Indonesian politicians plan to quiz former US National Security Agency contractor Edward Snowden in Russia about revelations Australia tapped the phone of President Susilo Bambang Yudhoyono

Internet security chief lashes out at Snowden, calls him a criminal (Times of India) Internet Security Alliance (ISA) chief Larry Clinton, in an interview with TOI on Friday, lashed out at whistleblower Edward Snowden, calling him a "criminal who must be prosecuted". He compared Snowden's actions to instances of Mahatma Gandhi 'breaking the law' and said that what Snowden did was not honourable

Lavabit Strikes Back at Feds in Key Internet Privacy Case (Wired) Lawyers for secure email provider Lavabit just filed the reply brief in a case that will determine whether an internet company can be compelled to turn over the master encryption keys for its entire system to facilitate court-approved surveillance on a single user

Judge Appears Receptive to Critics of NSA's Collection of Phone Data (Wall Street Journal) A federal judge on Friday appeared receptive to the idea that Americans enjoy some level of privacy in their phone records, in the first court challenge to the National Security Agency's bulk collection of data from telecommunications companies. The U.S. Supreme Court held in 1979 that Americans have no expectation of privacy in who they are calling, because they knowingly give that information to phone companies

How BYOD Puts Everyone at Legal Risk (CIO) If your BYOD policy goes too far, you may be prosecuted for unfair labor practices. However, courts expect you to produce all relevant data in discovery proceedings. Meanwhile, your employees may fear retaliation if they don't sign draconian BYOD policies. CIO.com talks to attorneys to better understand the legal side of BYOD

Commentary: Sir Bernard Hogan—Howe on new cybercrime push (London Evening Standard) Over the next month more Londoners than ever before will go online and take part in what retailers hope will be a £10 billion Christmas internet spending spree. The world wide web has given consumers an unprecedented opportunity to conduct our shopping, banking and other financial activities

Newegg trial: Crypto legend takes the stand, goes for knockout patent punch (Ars Technica) Taking a bet on Whit Diffie, as the trial against "patent troll" TQP wraps up Monday

Design and Innovation

The Internet of Things, Unplugged and Untethered (Technology Review) A startup called Iotera wants to let you track your pets, your kids, or your belongings without relying on commercial wireless networks

Emerging Central And Eastern European Startups Showcased At How To Web (TechCrunch) I went to an event last week that exemplifies the enormous sea-change in tech startups that is sweeping across the Central and Eastern European region. I'll be writing about this more depth in due course. For now, suffice it to say that there is a real explosion occurring. Startups from all over the CEE region are now exhibiting or entering startup competitions in multiple locations

Half an operating system: The triumph and tragedy of OS/2 (Ars Technica) IBM doesn't make consumer, desktop operating systems anymore for a reason