The CyberWire Daily Briefing 12.06.13

Cyber Trends

How Many Zero–Days Hit You Today? (Krebs on Security) On any given day, nation-states and criminal hackers have access to an entire arsenal of zero-day vulnerabilities — undocumented and unpatched software flaws that can be used to silently slip past most organizations' digital defenses, new research suggests. That sobering conclusion comes amid mounting evidence that thieves and cyberspies are ramping up spending to acquire and stockpile these digital armaments

Study finds zero–day vulnerabilities abound in popular software (CSO) Organizations selling exploits for vulnerabilities in software from major companies including Microsoft, Apple, Oracle, and Adobe

The biggest malware, security threats in 2013 (ZDNet) According to Malwarebytes' 2013 Threat report, "assumed guilt" ransomware tactics, mobile device cyberattacks and Mac-based threats are all gifts we had to cope with this year

The state of targeted attacks (Help Net Security) Trusteer announced the results of a recent study on the State of Targeted Attacks, which took into consideration the feedback from over 750 IT and IT security practitioners who have involvement in defensive efforts against APTs launched at their organisations

Cyber Attacks Up 15 Percent Since 2010, According to Emerson, Ponemon Institute Study (Wall Street Journal) With both cyber attacks and the costs of data center outages rising, there is an immediate need for businesses to secure proper technology and safeguard data. This need was highlighted in a recent study, the "2013 Study on Data Center Outages," in which 34 percent of respondents cited cyber attacks as a cause for data center downtime, compared to just 15 percent in 2010. The Ponemon Institute study — which was sponsored by Emerson Network Power, a business of Emerson (NYSE: EMR) and a global leader in maximizing availability, capacity and efficiency of critical infrastructure — explores the causes and costs of downtime in the United States

Water Utility Sector Works in Partnership to Meet Cyber Security Challenges (Huffington Post) Like most utilities in our country, the drinking water and wastewater sectors rely heavily on automated technologies to track and manage the transport and treatment of water. The evolution of computer-based management systems, or industrial control systems (ICS), has hugely improved the reliability and quality of water service. However, as the use of automated systems increase, so do the possibilities of both targeted and accidental cyber events that can affect our water supply and ultimately threaten public safety

From Prevention to Detection: A Paradigm Shift in Enterprise Network Security (SecurityWeek) While the technology used by enterprises to protect against today's advanced threats is quite complex, understanding the essence of what the technology does shouldn't be complicated at all. Rather, it should be refreshingly simple and easy to grasp- both by CISOs, who are tasked with keeping their network safe, and CFOs, who hold the "purse strings" and need to justify the investment

CSA Congress 2013: Security Professionals 'Draconian' in Lack of Trust in the Cloud (InfoSecurity Magazine) In a world dependent on cloud-based services, ADP's V. Jay LaRosa takes security professionals to task over their resistance to what is often seen — rather incorrectly in his view — as a less secure method to deliver computing resources

Big Data Challenge: Encryption (Midsize Insider) One major challenge that midsize firms face when handling big data projects is encryption. During the Cloud Security Alliance's recent CSA Congress event, industry executives called out several challenges that cryptography poses for big data. As smaller firms endeavor to implement solid big data projects, they will need to address this level of encryption security

Big Data security, privacy concerns remain unanswered (CSO) Big Data creates new security and privacy challenges that de-identification can't meet

CIOs lack the vision when it comes to mobility (Help Net Security) Mobile Helix announced the findings of an independent CIO survey of 300 IT decision makers in the UK and US; exploring how enterprises are making use of mobile technology

Legislation, Policy and Regulation

India–US homeland security dialogue: Two–day conference of police chiefs concludes (Odisha Diary) Delivering the valedictory address at the Conference, the Union Home Secretary Shri Anil Goswami said that the movement of people, goods and ideas has always driven with the development of nations and provided opportunities for economic growth and prosperity. He said that the security measures should be designed to facilitate the safe and efficient movement of people and goods while securing the critical infrastructure

British Probe Set to Clear Huawei of Allowing Spying (Bloomberg) Britain's national security adviser is to clear China's Huawei Technologies Co. of leaving its equipment open to Chinese spying, while recommending that British agencies look at how they can tighten procedures

Fighting Joe Biden vs. bowing David Cameron—a lesson from two China trips (Quartz) US vice president Joe Biden spent less than 48 hours in China this week, but managed to criticize its new air defense zone, China's treatment of foreign journalists, and general lack of democracy. In contrast, David Cameron, who was in China for three days this week, played ping pong with school children, opened a Sina Weibo account and publicly avoided controversial topics. When he returned home he even said British schools should start teaching Mandarin. The two visits couldn't have been more different. Still, both approaches reaped scorn from media mouthpieces of the Chinese government as well as the general public, raising the question—What is the right diplomatic way to appeal to China? It appears no one really knows

Obama says he will propose NSA reforms (Reuters) President Barack Obama said on Thursday he intends to propose National Security Agency reforms to reassure Americans that their privacy is not being violated by the agency

Big Transparency for the NSA: Perspectives on Spying and Privacy (Watson Institute via IC on the Record) Brown University's Watson Institute for International Studies hosted an event on December 4, 2013 that included a panel discussion with John DeLong, Chief Compliance Officer for the National Security Agency and Alexander Joel, the Civil Liberties Protection Officer at the Office of the Director of National Intelligence

NSA Surveillance, Snowden, and Freedom (Harvard Magazine) Yochai Benkler, Berkman professor for entrepreneurial legal studies at Harvard Law School, spoke on December 4 about the President's Surveillance Program (PSP, a collection of U.S. secret intelligence activities) and Edward Snowden in a talk entitled "System and Conscience: NSA Bulk Surveillance and the Problem of Freedom"

Is Cyber Command ready to stand on its own? (FCW) Debate about the relationship between the National Security Agency and U.S. Cyber Command has ratcheted up in the wake of damaging leaks about NSA surveillance activities, but no decision on whether to split the two entities is likely before dual-hatted Gen. Keith Alexander steps down in spring 2014

HIPAA burdensome to big data healthcare efforts, BPC says (FierceHealthIT) The Health Insurance Portability and Accountability Act is "misunderstood, misapplied and over-applied" to the point of being burdensome to the sharing of patient information for improved care, according to a report published this week by the Bipartisan Policy Center

OCR not fully enforcing HIPAA (FierceHealthIT) The Office for Civil Rights, the agency that enforces privacy provisions of HIPAA, has not fully enforced the law's requirements, according to a report from the U.S. Department of Health & Human Services Office of Inspector General

FTC: Is native advertising a bait–and–switch? (FierceCMO) Is native advertising fooling consumers into thinking paid sponsorships are pieces of regular editorial content was the question of the day at the Federal Trade Commission's workshop on native advertising held Wednesday

Google Pushes White House Petition Demanding The Government Secure A Warrant To Read Your Email (TechCrunch) Google is promoting a White House petition calling for reform to the Electronic Communications Privacy Act (ECPA), amending it to require a warrant for the government to read the email of its citizens

Dateline

Venture Capital and the Innovation Ecosystem (The CyberWire) The CyberWire interviewed Bob Ackerman, Founder and Managing Director, Allegis Capital. Allegis, based in Palo Alto, California, USA, invests in early stage companies developing enabling technology and software to serve emerging markets. We caught Mr. Ackerman shortly before he went in to moderate his SINET Showcase panel on "Bringing Order out of Chaos"

SINET: Startups Push IT Security's Envelope (Dark Reading) SINET conference flags 16 security startups to watch, but they are just the tip of the iceberg, experts say

Products, Services, and Solutions

FireEye Announces Availability of Oculus for Small and Midsize Businesses (MarketWatch) FireEye, Inc., the leader in stopping today's advanced cyber attacks, today announced FireEye's Oculus™ platform for small and midsize businesses (SMB). Oculus for SMB combines technology, services, and threat expertise in a solution specially tailored to small and midsized businesses

New ICS cyber security cert (Help Net Security) Global Information Assurance Certification (GIAC), a leading provider of cyber security certifications and an affiliate of the SANS Institute, announced the release of the new Global Industrial Cyber Security Professional (GICSP) certification exam

How to find out if your password has been stolen (ZDNet) There are many public databases of breached accounts, the largest breach being that of Adobe.com, but no way to search across all of them. Until now

Cisco updates CCIE routing and switching certification (Help Net Security) Cisco announced a major revision of the CCIE Routing and Switching (R&S) Certification and expert-level training to meet the increasing challenges of enterprise networks evolving in size, scope and complexity

mSpy app lets someone remotely snoop on you through your phone or tablet (Naked Security) We all know by now that the US's National Stalker Agency — oh, excuse me, I meant to say National Security Agency (NSA) - eavesdrops on just about everybody on the planet. Evidently, the UK is no better. But surveillance by your own mother? Nothing is sacred

Twitter rolls out ad retargeting tool (FierceCMO) Twitter unveiled an ad retargeting tool, tailored audiences, which gives marketers the ability to track mobile users who have browsed for specific products and services even outside of its site

Fluke Networks Rolls Out AirMagnet Enterprise (Dark Reading) Cellular spectrum security solution is designed to detect, alarm, report, and remedy cellular security events

AirWatch Develops App Reputation Scanning Into Its EMM Platform (Dark Reading) Tech is fully integrated into the AirWatch platform

Juniper Networks Unveils Junos Pulse AppConnect To Deliver Simple Per-App Mobile Security From Application To Enterprise (Dark Reading) AppConnect feature provides per-application VPN connectivity for Apple iOS and Google Android devices

Technologies, Techniques, and Standards

NTIA to begin work on facial recognition privacy code of conduct (FierceGovernmentIT) The National Telecommunications and Information Administration announced Dec. 3 it will convene a multistakeholder process focused on privacy to develop a voluntary code of conduct that specifies how the Consumer Privacy Bill of Rights applies to facial recognition technology in a commercial environment

NIST's Ron Ross calls for new critical infrastructure cybersecurity paradigm (FierceGovernmentIT) A computer scientist at the National Institute of Standards and Technology says the advent of advanced persistent threats means years of lip service to the idea of integrated system security must be replaced with real action

New HIPAA Compliance Help on the Way (Healthcare Info Security) The federal "wall of shame" tally of major health data breaches, and the results of HIPAA compliance audits conducted so far, illustrate that the healthcare sector has a long way to go when it comes to protecting patient privacy and improving information security

Partners HealthCare CISO, CIO Q&A: Security threat awareness (Health IT Security) As the threat environments facing healthcare organizations change and evolve, organizations must be proactive and adjust their security and privacy approaches on the fly. For a sizeable healthcare network such as Boston-based Partners HealthCare, the need to stay on top of these risks is amplified greatly and an "all hands on deck" strategy is needed

Cloud Security Alliance Releases Software Defined Perimeter (SDP) Framework Details (Digital Journal) The Cloud Security Alliance (CSA), a not-for-profit organization which promotes the use of best practices for providing security assurance within cloud computing, today announced the release of the Software Defined Perimeter Report

Top 20 Critical Security Controls not popular with federal IT pros (Help Net Security) The National Security Agency created a best security practices list for their customers, which was later expanded through a large-scale community project initiated by the SANS Institute and sponsored by the Center for Strategic and International Studies (CSIS)

Why don't you answer your "abuse" email? (CSO) Spam is a giant pain in the posterior. No one will argue with you on that point. With the possible exception of the spammers themselves

Planning for 2014: A Guide To Targeted Attack Defense (TrendLabs Security Intelligence Blog) By now, most IT administrators are aware that their networks and systems may require defenses against targeted attacks carried out by well-equipped, knowledgeable attackers. As companies prepare their plans for the upcoming year, some may ask: how does one develop a strategy on how to help defend against these attacks

How to Prevent DNS Attacks (eSecurity Planet) Hackers like the Syrian Electronic Army are finding weaknesses to exploit in the Domain Name System. Here's how to keep your organization from falling victim to a DNS attack

Marketplace

High CISO employment rates means shortage for security industry (CSO) Risk management at the C-suite level requires a combination of technical and business savvy, and that is a rare combination

Vistronix Deepens Cyber Operations and Signals Processing Capabilities with Acquisition of Kimmich Software Systems, Inc. (KSSI) (Virtual-Strategy) Vistronix, a leading provider of intelligence and technology solutions to national security agencies in the federal space, is pleased to announce that the company has completed its acquisition of Kimmich Software Systems, Inc. (KSSI), significantly expanding its technology solutions for the U.S. Intelligence Community. A privately-owned company out of Columbia, MD, KSSI's primary solution offerings are in cyber operations, signals processing, data analytics, software development and systems engineering

Box buys security vendor dLoop (FierceContentManagement) Last week before the Thanksgiving break, Box quietly announced it had purchased dLoop, a small security startup that could help Box enhance its security chops and make it more attractive to the enterprise customers it so craves

DIA: Budget cuts propelling shared cloud environment (Federal Times) Ongoing budget cuts are pushing intelligence agencies to move to a shared IT environment, according to federal officials

Hagel announces cuts and reorganization affecting DCMO and DoD CIO (FierceGovIT) A cost-cutting reorganization announced Dec. 4 by Defense Secretary Chuck Hagel includes changes to the departmental chief information officer and the deputy chief management officer

Unisys to Migrate DOE Staff to Google Cloud (ExecutiveBiz) Unisys has won a contract of an undisclosed value to migrate 6,000 program personnel at the U.S. Energy Department into a Google cloud computing environment

Microsoft promises wide–reaching encryption, more transparency (Help Net Security) It took them a while, but Microsoft is finally announcing a concentrated effort to protect its customers and their data from unauthorised government surveillance

If Instagram Isn't Building Private Messaging, It Should Be (TechCrunch) Once upon a time, Instagram was a little app for sharing photos with friends and photography buffs. Its mostly public sharing model worked at that size. But now with over 150 million users, widespread awareness, and years of people following each other, users may be holding back from posting as much because they don't want the whole world to see what they see

Camber Corporation announces the promotion of John Lord to President of the company. (Sacramento Bee) In John's previous position as Camber's Executive Vice President and Chief Operating Officer, John led the realignment of the company to better define and focus on Camber's markets in a resource constrained environment, and has driven the company to increased prime contract bids and awards through an emphasis on cross-Camber collaboration

Security Patches, Mitigations, and Software Updates

Siemens Patches Authentication Bypass Flaw in SINAMICS ICS Software (Threatpost) Siemens has patched a serious remotely exploitable vulnerability in its SINAMICS S/G ICS software that could enable an attacker to take arbitrary actions on a vulnerable installation without having to authenticate. The vulnerability affects all versions of the Siemens SINAMICS S/G products with firmware versions earlier than 4.6.11. ICS-CERT, a pat of the Department of Homeland Security

Passwords reset after 'Pony' botnet stole 2 million credentials (ComputerWorld) Facebook, LinkedIn and other online services have been resetting accounts after 2 million login credentials, apparently stolen from users' computers, were discovered on a server in the Netherlands

Microsoft likely to patch zero–day next week (ZDNet) It looks like a fairly busy Patch Tuesday in December. There are two open zero-day vulnerabilities in Windows. It's likely there will be a patch for one, but not the other

Microsoft's final security push is missing the kitchen sink (CSO) Tripwire's Tyler Reguly says that considering all that's being patched this month, it seems as if Redmond forgot to include the kitchen sink. Next week, Microsoft ends 2013 with 11 bulletins, covering nearly everything that was laying around

Cyber Attacks, Threats, and Vulnerabilities

Oregon State's City of Amity and Sutherlin City Websites Hacked by Iranian hackers (Hack Read) An Iranian hacker going with the handle of 'hossein19123′ from Ashiyane Digital Security Team has hacked and defaced the official websites of City of Amity and Sutherlin City, Oregon, United States

Compromised legitimate Web sites expose users to malicious Java/Symbian/Android "Browser Updates" (Webroot Threat Blog) We've just intercepted a currently active malicious campaign, relying on redirectors placed at compromised/hacked legitimate Web sites, for the purpose of hijacking the legitimate traffic and directly exposing it to multi mobile OS based malicious/fraudulent content. In this particular case, a bogus "Browser Update", which in reality is a premium rate SMS malware

Cyber Arms Dealers Peddle 85 Worms a Day (Nextgov) Cyberweapons sold to the government that are powered by glitches in popular software have opened a can of worms for citizens who increasingly are being attacked by nongovernment actors buying from the same arsenal of 85 exploits per day, according to new research

Study finds most mobile apps put your security and privacy at risk (PCWolrd) The average smartphone user has 26 apps installed. If recent research conducted by HP is any indication, approximately, well, all of them, come with privacy or security concerns of some sort

Infographic: How Snowden Breached the NSA (Venafi) There's one secret that's still lurking at the NSA: How did Edward Snowden breach the world's most sophisticated IT security organization? This secret has as much to do with the NSA as it does with your organization. In this exclusive infographic, Venafi breaks open how Edward Snowden breached the NSA

Academia

Master's Accreditation Benefits Federal Cyber Pros (Nextgov) Federal information security employees now have one additional option for pursuing a master's degree in information security that could be funded in part through their agency's tuition assistance program

Litigation, Investigation, and Enforcement

Venezuela in cyber crackdown (AP via Yahoo! News) Venezuela cracks down on websites that track black market exchange rates

Suspected Blackhole Exploit Kit creator, and 12 others, prosecuted by Russian authorities (Graham Cluley) Russian authorities have finally broken their silence, and announced that the suspected mastermind behind the Blackhole Exploit Kit is being prosecuted

Meet Paunch: The Accused Author of the BlackHole Exploit Kit (Krebs on Security) In early October, news leaked out of Russia that authorities there had arrested and charged the malware kingpin known as "Paunch," the alleged creator and distributor of the Blackhole exploit kit. Today, Russian police and computer security experts released additional details about this individual, revealing a much more vivid picture of the cybercrime underworld today

Brightest Flashlight Free — the Android app that secretly sent user location to advertisers (Graham Cluley) Tens of millions of Android users have installed the Brightest Flashlight Free app, not realising that the app engaged in dirty tricks to share information about users' location and devices with advertisers without consent

Microsoft and law enforcement disrupt ZeroAccess botnet (Help Net Security) The Microsoft Digital Crimes Unit announced it has successfully disrupted a rampant botnet in collaboration with Europol's European Cybercrime Centre (EC3), the Federal Bureau of Investigation (FBI) and leaders in the technology industry, including A10 Networks Inc

'ZeroAccess' click–fraud botnet disrupted, but not dead yet (ComputerWorld) Microsoft, along with the FBI and Europol, said the botnet cost online advertisers $2.7 million a month

International payment card fraud ring dismantled (Help Net Security) The European Cybercrime Centre (EC3) at Europol, working with police in Latvia, Estonia, Poland, Bulgaria, Spain, Lithuania, Norway, Sweden and the United Kingdom, have taken down a criminal network of Latvian payment card fraudsters and arrested eight key members of the group

NSA Wrongly Says Warrantless Mobile–Phone Location Tracking Is Legal (Wired) Despite what the NSA is saying, case law on cell-site locational tracking, while favoring the government, is nevertheless all over the books, with federal courts and appellate courts offering mixed rulings on whether warrants are needed

It's Not a WikiLeak: Assange–Manning Chat Logs Surface on Army Website (Wired) In March of 2010, WikiLeaks was just weeks away from bursting onto the world stage with the first of its major leaks from intelligence analyst Chelsea (then Bradley) Manning: the "Collateral Murder" video showing a 2007 Apache helicopter attack that

University of Nebraska Hacker Pleads Guilty (eSecurity Planet) Daniel Stratman pled guilty in return for a recommended sentence of not more than two years in prison

Romanian Man Sentenced to Eight Years in Federal Prison for Online Fraud (eSecurity Planet) Doru Gabriel Trifu was also ordered to pay $562,240 in restitution