The CyberWire Daily Briefing 11.27.13

Cyber Trends

Proactive security will be watchword for enterprises next year (FierceITSecurity) Enterprises should be more proactive in implementing protection measures to address the expected increase in cyberattack volumes next year, cautions Andrew Kellett, principal analyst with Ovum's IT security team

Simulated attacks on electrical grid show strengths, weaknesses in system (Fosters) Rolling blackouts, widespread power outages, damaged infrastructure and hijacked substations

Zurich's Kerner Says Matter of Time Until Cyber Attack (Bloomberg) Michael Kerner, who oversees property-casualty coverage at Zurich Insurance Group AG (ZURN), said computer threats are escalating and may soon cause "dramatic" disruptions for businesses and individuals

Utah Cyber Attacks On The Rise As NSA Facility Draws International Attention (KUTV) (KUTV) The commissioner of the Utah Department of Public Safety says, ever since reports surfaced of plans to build the National Security Administration Data Center in Bluffdale in 2011, Utah has been in the sites of hackers looking for information on the super-secret data collection facility

Identity theft continues to rise in the United States (WDAY TV) Identity theft continues to climb the charts when it comes to growing crimes in our country

Malware Creation Hits Record-High Numbers in 2013, According to PandaLabs Q3 Report (MySA) Ten million new malware strains are identified so far in 2013. New ransomware CryptoLocker hijacks users' documents and demands a ransom for them; DNS cache poisoning attacks are on the rise

FTSE 350 Companies Face Cyber Attack Risks (shareprices.com) In July 2013, the Department for Innovation, Business and Skills asked FTSE 350 listed companies to take part in a cyber risk assessment study. The study revealed that cyber leaks at major companies are a major risk to the UK's economic growth and the security of the country

Why we are losing the cyber security war and what we can do about it (NetworkWorld) If this year's attacks on Adobe, LexisNexis, NASDAQ, US Airways, and dozens of other large and technologically sophisticated US enterprises didn't provide sufficient evidence that we are losing the cyber security war, the ongoing breaches by Anonymous make it undeniable. Why are the world's most IT savvy companies unable to keep attackers out of their networks

Symantec CEO Declares IP Theft Greater Threat Than Cyber War (InfoSecurity Magazine) Symantec's CEO has said that the threat of intellectual property theft is more dangerous than that of cyber war, bringing with it the potential to "have a big negative impact on global economic growth"

How Much Does Cybercrime Cost? $113 Billion (IEEE Spectrum) According to Internet security awareness training firm KnowBe4, the losses attributable to cybercrime total US $113 billion. Take a moment to let that astounding number sink in

Legislation, Policy and Regulation

UN Passes Anti–spying Resolution (SecurityWeek) A UN rights committee on Tuesday passed a "right to privacy" resolution pressed by Germany and Brazil, which have led international outrage over reports of US spying on their leaders

The right to privacy in the digital age (United Nations General Assembly) The General Assembly, reaffirming the purposes and principles of the Charter of the United Nations, reaffirming also the human rights and fundamental freedoms enshrined in the Universal Declaration of Human Rights and relevant international human rights treaties, including the International Covenant on Civil and Political Rights and the International Covenant on Economic, Social and Cultural Rights

Uproar over French plan to extend online spying (The Local) Google and other internet giants have reacted angrily to the French government's plans to extend its surveillance of emails, phone calls and online behaviour, as the National Assembly met on Tuesday to discuss the proposal

Activists to Google: You could end Chinese internet censorship in 10 days (Naked Security) Eric Schmidt said recently that encrypting everything can end government censorship in a decade. Activists battling China's Great Firewall say why wait, when we just did it in a fraction of the time

Post–Snowden, European Commission Sets Out Actions Needed To Restore Trust In E.U.–U.S. Data Flows (TechCrunch) The European Commission has today detailed the actions it believes are required to restore trust in data-sharing agreements between the European Union and the U.S. following revelations of surveillance dragnets operated by U.S. intelligence agencies

Did NSA Secretly Tap the Internet Backbone? (CIO Today) Earlier this month, reports surfaced that the documents released by former NSA contract employee Edward Snowden showed the NSA had tapped the transmissions to and from Google's and Yahoo's data centers. The taps meant that the agency had access to hundreds of millions of user accounts, many of which are owned by Americans

Document Reveals NSA Spied On Porn Habits As Part Of Plan To Discredit 'Radicalizers' (Huffington Post) The National Security Agency has been gathering records of online sexual activity and evidence of visits to pornographic websites as part of a proposed plan to harm the reputations of those whom the agency believes are radicalizing others through incendiary speeches

Debate: Does Spying Keep Us Safe? (NPR) The recent revelations about National Security Agency surveillance programs have renewed the debate over the balance between national security and civil liberties

Surveillance Is Too Important to Be Left to the Generals (Politico) With each revelation of the National Security Agency's vast surveillance network, one thing is becoming clear: The generals charged with designing and managing the agency's initiatives—NSA Director Keith Alexander and Director of National Intelligence James Clapper—have been unable or unwilling to call attention to critical program details with broad societal implication

U.S Senators wants the NSA PRISM program to stop (Venture Capital Post) Three U.S senators, Ron Wyden of Oregon, Mark Udall of Colorado, and Martin Heinrich of New Mexico published an op-ed in the New York Times today, exhorting the U.S Senate to stop encouraging and giving NSA the green light on its "dragnet" surveillance programs. This follows after the recent revelation of NSA's activities that made everyone cry foul, including the government officials now

The Secret Story of How the NSA Began (The Atlantic) Congress was surprised to find that a federal intelligence agency they'd scarcely heard of was bigger and more powerful than one that they'd created

Home Alone (Foreign Policy) With Keith Alexander out fighting fires, meet the woman who's really running the NSA

Nation's Leading Scientists and Engineers Offer Thoughts On Enhancing Nation's Cybersecurity Posture via Presidential Level Council (CISOTech) After study and deliberation an advisory group of the Nation's leading scientists and engineers, appointed by the President to augment the science and technology advice available to him from inside the White House and from cabinet departments and other agencies, has provided recommendations on ways to strengthen the nation's cybersecurity

Privacy, Human Rights Groups Form New Anti–Surveillance Coalition (Threatpost) A large group of privacy and digital rights organizations has put together a new effort to urge politicians to curtail the mass surveillance operations that have been exposed in the last few months. The new coalition has developed a set of 13 principles for governments to follow in their intelligence gathering efforts and started a petition that it plans to deliver to the United Nations and governments around the world

Thirteen Rules of Intelligence (IMSL Insights) Admiral John Henry Godfrey, Director of Naval Intelligence from 1933 to 1935, was instrumental in the development of the OSS, a predecessor to the CIA, and he is alleged to be the inspiration for the character 'M' in the James Bond books — Ian Fleming was his 2ic

Products, Services, and Solutions

Will iOS 7 Be The Next BlackBerry? (InformationWeek) Apple's latest mobile operating system has many features enterprises will appreciate — and some things to beware

New MegaCryption Functionality Enhances Business and Cryptography Server Capabilities (Hispanic Business) Advanced Software Products Group's (ASPG) latest announced enhancements to MegaCryption feature cryptographic key centralization and position the encryption software as business and cryptography server of choice for many enterprise-grade businesses

F–Secure launches KEY, a secure password manager (Help Net Security) F-Secure Key safely stores your passwords, user names and other credentials so that you can access them wherever you are through one master password. Your personal data is strongly encrypted to keep it safe, and all F-Secure Key servers are owned and operated by F-Secure within the European Union

After a month of use, we dish out our biggest gripes with OS X Mavericks (Ars Technica) No new software is bug-free, and OS X 10.9 doesn't buck the trend

FPC And Nok Nok Labs Deliver Infrastructure For Fingerprint–Based Strong Authentication (Dark Reading) End-to-end infrastructure solution uses fingerprint sensors on smartphones and tablets

Lumeta Announces Managed Security Services Partnership With Prolinx (Dark Reading) Lumeta product suite will enable Prolinx to give its clients network visibility as part of their information security and compliance programs

How Semantics Can Make Data Analysis Work Like A Google Search (Forbes) The interfaces used in business intelligence and data analytics are becoming smarter, conversational, and more powerful because, at long last, computational semantics are starting to be applied

Technologies, Techniques, and Standards

NATO launches 'largest ever' cyber–security exercises (Russia Today) NATO has kicked off Cyber Coalition 2013, the largest ever exercise of its kind intended to thwart massive, simultaneous attacks on member states and their allies

NIST Cybersecurity Framework: What it Means (Industrial Safety and Security Source) You may have heard some buzz in the press about the release of the Cybersecurity Framework Draft from the U.S. National Institute of Standards and Technology (NIST). However, you may not know much about its background. And you probably don't know what it may mean to you as a control or security professional. This should give you a high level overview of the genesis of this document and some handy points of reference

NSA Surveillance: First Prism, Now Muscled Out Of Cloud (InformationWeek) Companies can no longer discount the risk of losing control of confidential corporate data in the cloud. Government data mining is here to stay, in one invasive form or another

Open source crypto server for thwarting malicious insiders (Help Net Security) Edward Snowden's successful exfiltration of mountains of data from NSA systems and databases has once more put the spotlight back on the threat that insiders pose to organizations

ONC's Joy Pritts on Breach Prevention (Healthcare Info Security) Healthcare organizations should make widespread use of encryption because it's the single most essential technology to use for breach prevention, says Joy Pritts, chief privacy officer at the Office of the National Coordinator for Health IT

Enterprises need to integrate DR/BC planning in data center strategy (FierceITSecurity) Enterprises should integrate "strong and well-documented" disaster recovery and business continuity planning in their data center strategy, advises research firm Gartner

A New Way to Prevent Card Data Security Breaches (Storefront Backtalk) All retailers and any business that processes payment should have a new document on hand that is meant to prevent and mitigate some of the millions of dollars in losses from card data breaches annually

Six Things You Can Learn from the Affordable Care Act (ACA) Website Snafus: Part II (Cyveillance Blog) In Part I of our blog series, we discussed three things your organization can learn from the Affordable Care ACT (ACA) website launch. In Part II, we will discuss three more

How Small Businesses Can Win On Security And Speed This Cyber Monday (Forbes) Cyber Monday is looming and more holiday shoppers than ever will buy online, skipping the crowds and snapping up last minute deals and free shipping. Next Monday is expected to produce $1.8 billion in sales – up 13.1% on last year, according to research group, IBISWorld. But, if you're a small business outsourcing most of your data storage and security to the cloud, it can be confusing to know what you should be doing to make sure your website is fast and secure

Cyber Wargaming: The Power of Disruptive Thinking (C4ISRNet) Cyber wargaming (or, as many call it, cyber attack simulation) has really taken off lately, and not just in the defense and intelligence communities. It has permeated throughout the government, the military and the intelligence communities and is rapidly making headway into the business community as well, particularly within the critical infrastructure provider community

Overcoming the data privacy obstacle to cloud based test and development (Help Net Security) How many times have data security and privacy constraints brought your key application development initiatives to a screeching halt? It usually occurs right around the time when contractors or outsourced vendors are called in to test the latest features or train users on major system enhancements but they are unable to do so. Why? The sensitive data that has traditionally been used to facilitate such activities now comes with some serious strings attached

Why BYOD actually increases security, based on the recent findings shared by Sophos (CSO) Businesses naturally manage risk. All risks, including finding and increasing revenue. Part of the process is the search for and adoption of new solutions and technologies that reduce the cost and increase the capability of driving new revenue. Due to the continued struggle for security to create, measure, and effectively communicate value, BYOD is poised to increase security and lower risks -- while providing a demonstrable value to the business

Botnet Takedowns Spur Debate Over Effectiveness, Ethics (Dark Reading) Attempts to shut down botnets have often failed to cripple the networks, but have led to improved legal strategies, greater public awareness, and stronger links between researchers and law enforcement

Survey: DDos Is Hot, Planning Is Not (Dark Reading) Most organizations don't have a game plan in the event of a distributed denial-of-service (DDoS) attack

Oubliez les mots de passe, pensez phrases de passe ! (CNET France) Pourquoi choisir des mots de passe compliqués et pourtant piratables, quand il suffit d'utiliser quatre mots aléatoires ? Attention, j'ai bien dit aléatoires. Pas quéstion d'aller chercher votre phrase dans la Bible ou dans un bouquin

Marketplace

NSA Spying Risks $35 Billion in U.S. Technology Sales (Bloomberg) International anger over the National Security Agency's Internet surveillance is hurting global sales by American technology companies and setting back U.S. efforts to promote Internet freedom

Microsoft, suspecting NSA spying, to ramp up efforts to encrypt its Internet traffic (Washington Post) Microsoft is moving toward a major new effort to encrypt its Internet traffic amid fears that the National Security Agency may have broken into its global communications links, said people familiar with the emerging plans

Meg Whitman hit the reset button at Hewlett Packard, and it just might have worked (Quartz) The numbers: Pretty good, on balance. Revenue for the fourth quarter was down 3% from a year ago, falling to $29.1 billion, but this is the smallest decline, in percentage terms, in nine quarters. Net income came in at $1.4 billion, or $1.01 per share, ahead of Wall Street consensus for $1.00, according to FactSet. The recovering PC, printing and server giant also reaffirmed its forecast for earnings in fiscal 2014 to come in between $3.55 to $3.75 per share. Wall Street expects $3.64. The stock is flying, up about 6% in after-hours trading

IBM, Hewlett–Packard, EMC among leading security and vulnerability management vendors, says TechNavio (FierceITSecurity) IBM, Hewlett-Packard, EMC, Symantec and McAfee are leading vendors in the global security and vulnerability management market, according to TechNavio

Norman Shark Sees Major Revenue Stream With Blue Coat Partnership (Digital Journal) Norman Shark, the global security leader in malware analysis solutions for enterprises, service providers and government entities, sees as much as a 50% increase in revenue this year and expects to more than double their revenue by 2016 according to the company's announcement in this week's blog "Blue Coat and Norman Shark partner to provide comprehensive threat protection to the enterprise"

SAIC Awarded Contract by U.S. Space and Naval Warfare Systems Center Atlantic (Virtual-Strategy) Science Applications International Corporation (SAIC) (NYSE:SAIC) announced today that it was awarded a prime contract by the U.S. Space and Naval Warfare Systems Center Atlantic (SSC Atlantic) to provide transport, computing and infrastructure support services related to command, control, communications, computers, combat systems, intelligence, surveillance, and reconnaissance (C5ISR)

Chris Goodrich Promoted to ManTech Cyber Group EVP (GovConWire) Chris Goodrich, who joined ManTech International (NASDAQ: MANT) in 2009 and a former senior vice president, has been promoted to EVP and chief operating officer of the Fairfax, Va.-based contractor's mission, cyber and intelligence solutions group

Mike Bowers Joins Xerox Federal Solutions as President (GovConWire) Mike Bowers, formerly chief operating officer at Indus Corp. since 2008, has taken on the role of president at Xerox Federal Solutions (NYSE: XRX), GovCon Wire has learned

Ted Davies on Unisys' Federal Growth Plans and Leveraging Commercial Technology in the Government Market (ExecutiveBiz) Ted Davies serves as president of Unisys Federal Systems and joined the IT services, software and technology firm in 2003 as managing partner for civilian agencies

Bitcoin community offers up $10K bug bounty (SC Magazine) Technology giants – such as Google, Microsoft and Yahoo – offer up big rewards to researchers who report critical vulnerabilities. Bitcoin users are now offering up their own type of bug bounty

Research and Development

NSA testing how to handle classified data over unsecured networks (Federal News Radio) In the view of the National Security Agency, just because information is classified doesn't mean authorized users should only be able to view it while they're tethered to their desks. So NSA is looking for ways to access classified information on tablets and smartphones over transport mechanisms and on devices that would have been unthinkable a few years ago

Cyber Attacks, Threats, and Vulnerabilities

AutoCAD malware paves the way for future attacks (Help Net Security) A piece of malware masquerading as an AutoCAD component with the goal of making systems vulnerable to later exploits has been analyzed by Trend Micro researchers

Symantec Reveals that Cybercriminals Employ New Linux Trojan to Embezzle Data (Spamfighter) Security researchers of well-known security firm 'Symantec' have identified a cyber-criminal operation which relies on a new-fangled Linux backdoor, nicknamed Linux.Fokirtor, to embezzle data without being discovered

Online banking faces a new threat (SecureList) On July 18, 2013, the following post was published on a closed cybercriminal forum

Why Crimekit Atrax will attract attention (CSIS) CSIS researchers have observed an introduction of a new commercial crimekit being sold on several underground web forums. The kit is dubbed "Atrax" and is both a cheap kit – costs less than $250 for the main platform - as well as it utilizes the TOR protocol for stealthy communication with C&Cs from where it is intended to get instructions, updates and new modules

Ruby on Rails CookieStore Vulnerability Plagues Prominent Websites (Threatpost) A lingering security issue in Ruby on Rails that stems from a setting in the framework's cookie-based storage mechanism is still present in almost 2,000 websites

Weakness in Android Ad Client InMobi Puts 2.5 Billion Downloaded Apps at Risk (Theatpost) A popular mobile ad client called InMobi, found in more than 2,000 Android applications on Google Play alone, exposes apps to javascript injections and is vulnerable to man-in-the-middle attacks

EvilGrab's Evil, Still Propagating (TrendLabs Security Intelligence Blog) Recently, Trend Micro published findings on a new campaign called EvilGrab that typically targets victims in Japan and China. This campaign is still attacking users, and we have now acquired a builder being used to create binaries of this campaign

CryptoLocker attackers step up attacks on small businesses, warns Cisco (FierceITSecurity) CryptoLocker wants 'you to pay them for the privilege of using your machine'

Finding Cryptolocker Encrypted Files using the NTFS Master File Table (Security Braindump) For the most part, everyone seems to be familiar with the new variants of Cyptolocker making the rounds these days. To quickly summarize, this form of ransomware that encrypts documents and pictures found on local and mapped network drives in an attempt to obtain payment for the decryption keys. The attackers are using decent encryption and the malware is very efficient

SAP–targetting Gameker Malware Linked to Carberp (InfoSecurity Magazine) Gameker, the information-stealing trojan that was recently found to be targeting the log-on client for SAP, caused alarm thanks to the size of the addressable victim pool: SAP makes enterprise software applications for tracking and managing business operations, and is used by an estimated 86% of Forbes 500 companies

An Anti–Fraud Service for Fraudsters (Krebs on Security) Many online businesses rely on automated fraud detection tools to weed out suspicious and unauthorized purchases. Oddly enough, the sorts of dodgy online businesses advertised by spam do the same thing, only they tend to use underground alternatives that are far cheaper and tuned to block not only fraudulent purchases, but also "test buys" from security researchers, law enforcement and other meddlers

Evolution of Attackers–for–Hire (GovInfoSecurity) The emergence of attackers-for-hire is a troubling trend in cybercrime, and one particular group is changing its techniques to gain access to computer systems, says Symantec researcher Kevin Haley

Anonymous Sends Message to Microsoft, Claims to Have Taken Down Its Websites (Softpedia) Anonymous says that the attack was part of #OpKillingBay. A few days ago, users in select countries across the world reported issues when trying to access Microsoft services, with Redmond managing to repair the problems in just a few minutes

UCSF Acknowledges Second Breach in Two Months (eSecurity Planet) 8294 patients' personal and health information may have been exposed when a physician's laptop was stolen

Saudi Aramco denies suffering another cyber attack (Reuters via the Chicago Tribune) Saudi state oil company Saudi Aramco said on Tuesday it had shut some of its computers for an upgrade and denied it had suffered a cyber attack similar to one it experienced last year

Did LG try to hide its tracks in Smart TV spying incident? (FierceCIO: TechWatch) LG Electronics admitted that its smart televisions track what consumers are watching. The spying first came to light when a security researcher decided to dig around after his new LG Smart TV started displaying ads

Academia

Cal Poly joins national cybersecurity educational effort (CSO) University starts educational initiative to train students to meet talent needs of cybersecurity industry

Litigation, Investigation, and Enforcement

NSA fingered in Dotcom scandal (Stuff) Police document on Kim Dotcom case makes passing reference to "data supplied to the GCSB" - raising questions of whether America's National Security Agency spied on the German millionaire. Kim Dotcom's lawyers have accused the government's electronic spy agency and police of deliberately withholding information crucial to their court case

Edward Snowden's 'Insurance Policy' Likely Means Life Or Death For Several Unnamed People (Business Insider) On Monday Mark Hosenball of Reuters reported that Edward Snowden has a "doomsday" cache of documents he stole from the NSA, which is set to dump onto the Internet and/or into the hands of selected journalists if "something happens" to Snowden

WikiLeaks's Julian Assange unlikely to face charges (Naked Security) US officials certainly don't like that he published top-secret documents, but they say that legally, he hasn't committed a crime - at least, not that they've determined so far. They've refrained from formally closing the grand jury investigation, though, so maybe they're holding out hope

Bitcoin online bank robbery — "because that's where the money is" (Naked Security) Paul Ducklin looks why hackers are more than merely interested in online Bitcoin repositories - and why you need more than just a hunch about a repository's trustworthiness before you hand over your Bitcoin data

BIPS suffers Bitcoin heist (CSO) The world is drawn ever closer to the flame of Bitcoin and the inescapable lure of easy fortune. With that brings the criminal element that instinctually follows the scent of possible easy money

Teen Arrested for Allegedly Hacking Into Long Island School District (eSecurity Planet) Matthew Calicchio allegedly published thousands of student's personal information online

GCHQ was called in to crack password in Watkins child abuse case (The Register) Not just battling terrorists, it hunts down online predators too