The CyberWire Daily Briefing 12.10.13

Cyber Trends

How DDoS Taught Competitors to Make Information Sharing Work (Bank Info Security) In the wake of sophisticated DDoS attacks waged against leading U.S. banks, threat intelligence has taken on a greater role, and banking institutions have set a new bar for information sharing

Consumer Online and Mobile Banking Habits Increase Cyberattack Risks to Saudi Arabian Financial Institutions (Hispanic Business) New Booz Allen Hamilton Study Underscores Need for Cyber Awareness and Vigilance Riyadh , Kingdom of Saudi Arabia: As regulators and banks increase their efforts to protect Saudi Arabian financial institutions from evolving cyberthreats, the online and mobile device habits of the Kingdom's consumers remain a critical vulnerability

How Will NIST Framework Affect Banks? (BankInfoSecurity) The NIST cybersecurity framework will help U.S. banking institutions assess their security strategies, but some institutions fear the framework could trigger unnecessary regulations, says Bill Stewart of Booz Allen Hamilton

Myth of 'anonymized' data and rise of 're–identification experts' (FierceBigData) For years now, data crunchers have tried to soothe the public psyche with the promise that individual privacy would be protected through the process of anonymizing the data. It all sounds well and good—at least to the naïve. After all, if all personalized identifying info is scrubbed from the data how could it possibly be traced back to the person to which it applied? It turns out that it's relatively easy to do just that

Expert: Security automation can thwart attacks on cloud computing (SearchCloudSecurity) Aggressive nation-states see the cloud as a juicy target and, according to one expert, security automation represents the best tactic enterprises have to defend cloud implementations against attackers possessing nearly unlimited resources

2014 Security Issues: 'tis the Top 10 Season (CSO) Every year about this time security practitioners awaken to see that the jolly man in the red suit from marketing has jammed their email inboxes across the globe with the proverbial "top ten" lists for the next year

Trend Micro Predicts Cyber Security Concerns for 2014 and Beyond (MarketWatch) Mobile threats, targeted attacks and vulnerabilities for the Internet of Everything highlighted

Malware Drop, Ransomware Rise Forecast for 2014 (TechNewsWorld) There's a growing contingent advocating a more proactive approach to system security, driven largely by frustration. "We haven't improved the defenses of business organizations in any way," said Andrew Kellett, a principal analyst with Ovum. "We continue to find it difficult to detect security breaches…We're not doing the proactive stuff very well"

Enterprise security — a moving goalpost (ITWeb) Bring your own device and the consumerisation of IT pose new challenges for enterprise information security

Cyber Monday And The Threat Of Economic Espionage (Dark Reading) Based on recent predictions by numerous market analysts, Cyber Monday, the online equivalent of the Black Friday shopping event, is well on its way to overtake physical retail sales numbers in coming years

Report: Risk of an Uncertain Security Strategy (ZDNet) In spite of high-profile data breaches and the potential business impact of cyber attacks and data loss, small and midsize organizations are still not making cyber security a priority. Sophos and the Ponemon Institute recently released a report, Risk of an Uncertain Security Strategy, that highlights the need to make security a key priority

A New Alliance Will Let "Internet of Things" Devices Talk to Each Other (Fast Company) The Internet of Things has huge potential to shape the world we live in, but as more "smart" devices make their way into our homes, pockets, cars, and workplaces, what good are they if they can't talk to one another

Legislation, Policy and Regulation

President Obama to propose "self–restraint" on NSA (Naked Security) Without going into detail, US President Barack Obama has said that he'll propose "some self-restraint" to the National Security Agency (NSA) in order to rein in rampant snooping

Drawing the Line on Government Surveillance (Huff Post Blog) Earlier today, eight of the country's leading technology firms unveiled a website and released five principles for regulating online surveillance by governments worldwide. I applaud AOL, Apple, Facebook, Google, LinkedIn, Microsoft, Twitter, and Yahoo for presenting their case on this very important topic

State of Deception (The New Yorker) Why won't the President rein in the intelligence community

Outgoing Deutsche Telekom chief blasts EU and German leaders over surveillance inaction (Gigaom) Rene Obermann, who will end his seven-year spell as head of Germany's big telecoms player at the end of the month, said in an interview that he doesn't understand why everyone is "pussy-footing" around the U.S. on privacy issues

Dutch minister to question US Embassy about rooftop antennas (TechWorld) Dutch concerns follow rooftop spying reports form Berlin, Rome and Milan

Snowden document shows Canada set up spy posts for NSA (CBC) The leaked NSA document being reported exclusively by CBC News reveals Canada is involved with the huge American intelligence agency in clandestine surveillance activities in "approximately 20 high-priority countries"

New Legislation Would Ban NSA From Arizona (US News and World Report) State senator says 'the NSA isn't welcome in Arizona unless it follows the Constitution'

EU Data Protection Regulation implementation postponed (FierceBigData) According to a Forrester blog post, the implementation of EU Data Protection Regulation, an update to existing European data privacy laws, has been postponed to 2015. Forrester believes that means it won't be actually applicable until 2017

HealthCare.gov and the Threat to Cybersecurity (Rollcall) Even in an era when denial-of-service attacks and cyber-theft are all too common, the security of one particular website — HealthCare.gov — has garnered significant public and congressional scrutiny

Products, Services, and Solutions

"We cannot trust" Intel and Via's chip-based crypto, FreeBSD developers say (Ars Technica) Following NSA leaks from Snowden, engineers lose faith in hardware randomness

Exploring the influence of Finjan's proactive content security (CSO) Finjan president Phil Hartstein explains the inner workings of proactive content security with behavior-based content analysis technology and how it has shaped – and is continuing to shape – the industry

Infoblox Introduces DNS Appliance That Can Protect Itself (Dark Reading) Infoblox Advanced DNS Protection solution provides multiple levels of defense

CyanogenMod introduces built–in SMS encryption (Help Net Security) CyanogenMod developers have announced the fruit of several months of labor headed by Open Whisper Systems' Moxie Marlinspike: a seamless implementation of TextSecure, the latter firm's well-known and trusted SMS encryption solution

Technologies, Techniques, and Standards

Web-based malware: Why detection efforts must go beyond antimalware (SearchSecurity) According to reports, users are apparently far more likely to encounter malware when Web browsing as opposed to checking email, and that Web-borne malware is harder for antimalware systems to detect. Why is this? How can organizations shift their tactics to successfully combat Web-based malware

ASA takes on privacy issues in big data, statistical research (FierceBigData) Big data practitioners made privacy an issue to begin with by collecting information on individuals without their knowledge, much less consent, as though they have an unlimited right to know and that right supersedes an individual's right to privacy

How the Bitcoin protocol actually works (Data-driven Intelligence) Many thousands of articles have been written purporting to explain Bitcoin, the online, peer-to-peer currency. Most of those articles give a hand-wavy account of the underlying cryptographic protocol, omitting many details. Even those articles which delve deeper often gloss over crucial points. My aim in this post is to explain the major ideas behind the Bitcoin protocol in a clear, easily comprehensible way. We'll start from first principles, build up to a broad theoretical understanding of how the protocol works, and then dig down into the nitty-gritty, examining the raw data in a Bitcoin transaction

Cyber Flag exercises sharpen DOD cyber operations and defense (GCN) Cyber pros from across the military honed their skills against a realistic adversary on a closed network in an 11-day U.S. Cyber Command exercise at Nellis Air Force Base, Nev., last month

Cloud incident response planning: Know cloud provider responsibilities (SearchCLoudSecurity) Responding to a security incident in the cloud isn't that much different from a traditional security incident response, with one key exception: An enterprise must know where its cloud provider's responsibilities end and its responsibilities begin

Despite cloud computing security risks, infosec pros know their role (SearchCloudSecurity) Misconceptions abound regarding the approach enterprise information security professionals must take in order to successfully address cloud computing security risks in their organizations. It's unfortunate when those misconceptions are perpetuated, even inadvertently

The DDoS debate: Multi–layered versus single solution (Help Net Security) There is a DDoS debate in the cybersecurity industry about which solution is more effective – multi-layer or single. However, the argument is really more complex and must consider traditional defenses versus dedicated DDoS defenses, multi-provider (device or service) versus single provider (device or service), and layered defense in-depth versus single defender

Those Look Just Like Hashes! (Internet Storm Center) Have you ever during a penetration test collected a list of values that look very much like hashes, and thought "I could maybe start cracking those, if I only knew what algorithm was used to calculate those hash values"

Best Practices For Reducing Traffic Fraud Risk Unveiled By IAB (Dark Reading) IAB is also publishing "Digital Simplified: Understanding Traffic Fraud," an educational backgrounder on how digital advertising fraud takes place

Using firewall rules to migrate business applications to a private cloud (Help Net Security) An increasing number of organizations are already taking advantage or planning to take advantage of the many financial and operational benefits that a private cloud has to offer. However, in order to achieve these benefits, IT must take on complex projects to migrate business applications and/or data centers from the physical to the virtual realm

Why the Belgian Cyber Security Guide Must Be Extended? Example with MySQL! (/dev/random) A few days ago, I attended an event organized by the Chamber of Commerce in Belgium (ICC Belgium) and the Federation of Enterprises (FEB) to announce with great ceremony the release of the first Belgian Cyber Security Guide. Honestly, this is a great initiative! In the audience, many many infosec professionals were present but not many "business owners"

Marketplace

DIA releases technology wish list to solve problems more directly (Federal News Radio) The Defense Intelligence Agency has just launched a project that it thinks can help circumvent some of the ills of the government's notoriously slow procurement process for emerging technology and open the playing field to a much broader set of innovators. The platform, called Needipedia, formally launched in late November. The basic idea is to let front-line DIA users, who have discrete technological needs, communicate them to the companies and institutions that might be able to solve their problems a bit more directly, short circuiting at least some of the steps in the government's ponderous process for procurement and requirements development

6 Ways Tech Companies' 'Reform Government Surveillance' Fails (Tom's Guide) The newly unveiled public-relations campaign by top technology companies urging governments to reform Internet surveillance sounds noble, but other than to reassure foreign customers that American companies aren't the bad guys, it won't achieve much

The only thing that will stop electronic surveillance is money earned from electronic surveillance (Quartz) Tech firms and internet activists are realizing that you have to fight fire with fire

AT&T resists transparency over NSA snooping (ITWorld) A host of tech companies have asked governments around the world to reform their surveillance laws, but AT&T seems to be taking the opposite approach, resisting shareholder pressure to disclose the information requests it receives from the U.S. and foreign governments

Army graduates its first class of cyber network defenders (Defense Systems) The Army, which like the other services is looking to expand its cyber workforce over the coming years, recently graduated its first class of cyber network defenders

Leidos Supports AFA's CyberPatriot Program as Cyber Silver Sponsor (Sacramento Bee) The Air Force Association (AFA) today announced that Leidos [NYSE:LDOS], a national security, health, and engineering solutions company, will continue as a sponsor for CyberPatriot –The National Youth Cyber Education Program

Northrop Grumman Cyber Team Triumphs Again Taking First Place in Global Defense Cyber Crime Center Forensics Competition (Wall Street Journal) Holding the number one spot in the world for the second consecutive year, a Northrop Grumman Corporation (NYSE: NOC) team of cyber engineers won the overall "grand champion" title in the Defense Cyber Crime Center's (DC3's) eighth annual Digital Forensics Challenge

Raytheon BBN, GrammaTech Form Malware Detection Tech Team (GovConWire) A team comprising of a Raytheon (NYSE: RTN) subsidiary and GrammaTech has been awarded a $4.8 million contract from the Defense Advanced Research Projects Agency to develop technologies for protecting information technology devices from malware and other backdoor attacks

Jacobs Technology Awarded Contract for Information Technology Services (Hispanic Business) According to DOD: Jacobs Technology Inc., Fort Walton Beach, Fla., is being awarded an $11,341,989 cost-plus-fixed-fee task order under the previously awarded General Services Administration Alliant Multiple Award contract for information technology services

CACI losses fight to keep intell contract (Washington Technology) CACI International lost its fight to keep a Defense Intelligence Agency contract after GAO denied its protest. The winner, Mission Essential

Rodney Joffe of Neustar on Emerging Cyber Trends, Role of Working Groups in Tackling Threats (ExecutiveBiz) Rodney Joffe - Neustar, ExecutiveMosaicRodney Joffe, senior vice president and chief technologist at Neustar, joined the company in 2006 upon its acquisition of UltraDNS, a directory services provider he founded in 1999

CrowdStrike's Dmitri Alperovitch Named to Foreign Policy's Leading Global Thinkers for 2013 (MarketWatch) CrowdStrike, a global provider of security technologies and services focused on identifying advanced cyber threats and targeted attacks, today announced its Co-Founder and Chief Technology Officer, Dmitri Alperovitch, has been honored as one of Foreign Policy's Leading Global Thinkers for 2013

Splunk Buys Network Data Capture Firm Cloudmeter (SecurityWeek) San Francisco, California-based Splunk, a provider of software that helps organizations gather and make use of machine data from a diverse set of sources, today announced it has acquired Cloudmeter, a provider of network data capture technologies

Mandiant Named Among 2013 Great Places to Work (Broadway World) Mandiant Named Among 2013 Great Places to Work by The Washingtonian Magazine

Elbit Systems Creates New Unit to House Intell, Cyber and IT (GovCOnWire) Elbit Systems has created a new division to manage its portfolio of information technology, cybersecurity, intelligence and electro-optical offerings, Defense News reported Monday

Paul Gentile Joins ManTech as Cyber Solutions SVP (GovConWire) Paul Gentile, formerly a senior vice president at Science Applications International Corp. (NYSE: SAI), has joined ManTech International (NASDAQ: MANT) as SVP of the company's cyber solutions business unit

Research and Development

The Economics of Personal Data and the Economics of Privacy (OECD) In modern information economies, the reduction of the cost of storing information has made it possible to capture, save, and analyze increasing amounts of information about the individual. Companies record details of each customer transaction. Websites log their visitors‟ behaviour. Data aggregators link information coming from different sources to compose individual profiles

DARPA Plugs Contest for Watson–like System to Deflect Hackers (Nextgov) In the wake of an alleged hack that stole the passwords of two million Facebook, Google and other Internet users, Pentagon officials are plugging a new contest to build a Watson–like system that can find and eradicate Achilles heels in software

DARPA Cyber Defense Challenge: $2 Million Prize (InformationWeek) Defense research agency's Cyber Grand Challenge aims to close the gap between vulnerability discovery and remediation

Online moderates can counter violent Muslim extremism, RAND says (FierceHomelandSecurity) Key is to assist moderates in finding and disseminating their own messaging

DHS starts critical infrastructure R&D plan public process (FierceHomelandSecurity) The Homeland Security Department took first public steps in development of a research and development strategy for strengthening the security and resilience of critical infrastructure in the Dec. 5 solicitation of public comment

Security Patches, Mitigations, and Software Updates

Microsoft issues 11 security bulletins for the last Patch Tuesday of 2013 (The Inquirer) Addresses a zero-day vulnerability for bad TIFF images on Windows XP systems

Microsoft Adds New Security Features to Accounts (Threatpost) Microsoft announced yesterday that it will complement the two-factor authentication it enabled for account holders in April with additional security features designed to deny account hijacking and unauthorized access

Cyber Attacks, Threats, and Vulnerabilities

Official United Nation Ethiopia Website Hacked by Turkish Ayyıldız Tim (Hack Read) A Turkish based hacking group going with the handle of 'Ayyıldız' Tim (Ayyıldız Team) has hacked and defaced the official website of United NationEthiopia [a] few hours ago along with several other websites

Android game steals WhatsApp chats and offers them for sale (Graham Cluley) An Android game has been removed from the official Google Play store after it was found to be secretly stealing users' WhatsApp conversation databases, and offering them for sale on an internet website

Chinese hackers leak hotel guest data on WeChat (South China Morning Post) Hackers in China have leaked a database of an estimated 20 million hotel reservations on multiple websites and even WeChat, the wildly popular messaging service, reflecting failed government efforts to prevent massive leaks of personal data

Spy agencies in covert push to infiltrate virtual world of online gaming (The Guardian) NSA and GCHQ collect gamers' chats and deploy real-life agents into World of Warcraft and Second Life

Pentagon Researcher Conjures Warcraft Terror Plot (Wired) The American military and intelligence communities are increasingly worried that would-be bin Ladens might gather in a virtual world, to plan a real-life attack. But the spies haven't given many details, about how it might be done. Now, a Pentagon researcher has laid out how such a terror plot might unfold. The planning ground is World of Warcraft. The main target of this possibly nuclear strike: the White House

"EUROPOL" scareware / something evil on 193.169.87.247 (Dynamoo's Blog) 193.169.87.247 ("PE Ivanov Vitaliy Sergeevich", Ukraine) is currently serving up scareware claiming that the victim's PC is locked, using the following domains

Hacking The Zero–Day Vulnerability Market (Dark Reading) Private brokers sell zero-day bugs for anywhere between $40,000 and $160,000 — and in some cases as much as $1 million, a new study says

Malicious multi–hop iframe campaign affects thousands of Web sites, leads to a cocktail of client-side exploits — part two (Webroot Threat Blog) Ever since we exposed and profiled the evasive, multi-hop, mass iframe campaign that affected thousands of Web sites in November, we continued to monitor it, believing that the cybercriminal(s) behind it, would continue operating it, basically switching to new infrastructure once the one exposed in the post got logically blacklisted, thereby undermining the impact of the campaign internationally. Not surprisingly, we were right. The campaign is not only still proliferating, but the adversaries behind it have also (logically) switched the actual hosting infrastructure. Let's dissect the currently active malicious iframe campaign that continues to serving a cocktail of (patched) client-side

Russian–speaking group offers bulletproof hosting in Syria, Lebanon (PC World) A Russian-speaking group is advertising "bulletproof" hosting for cybercriminals from data centers in Syria and Lebanon, an apparent effort to place new services in locales where Western law enforcement has little influence

On vit une époque formidable : le botnet de caisses enregistreuses! (Qualys SecurityVibes) Il était un temps ou l'idéé d'un botnet de téléphones mobiles était considérée comme purement académique, voire relevant de la science-fiction

Chinese hackers spied on Europeans before G20 meeting: researcher (Reuters) Chinese hackers eavesdropped on the computers of five European foreign ministries before last September's G20 Summit, which was dominated by the Syrian crisis, according to research by computer security firm FireEye Inc

China Is Tied to Spying on European Diplomats (New York Times) Computer breaches at the foreign ministries of the Czech Republic, Portugal, Bulgaria, Latvia and Hungary have been traced to Chinese hackers

French government CA attempts to explain certificate spoofing (ZDNet) The certificate authority which issued unauthorized certificates for Google domains issues a lame explanation which only makes the incident more suspicious

Other browser makers follow Google's lead, revoke rogue certificates (ComputerWorld) Microsoft, Mozilla and Opera nullify unauthorized French certificates; Windows XP users out of luck

Phantom menace? A guide to APTs — and why most of us have little to fear from these 'cyberweapons' (WeLiveSecurity) "If you work for a government or large institution I'm pretty sure you are being targeted by an APT right now," says ESET malware researcher Oliver Bilodeau. "But if you work for a restaurant, you shouldn't worry"

Zero–day exploits: Separating fact from fiction (InfoWorld) You may be surprised by the number and availability of zero-days, but that's no reason to let an attack catch you unprepared

Litigation, Investigation, and Enforcement

US investigates allegations of Dell computer resales into Syria (TechWorld) Dell's standard contract prohibits distributors from reselling products to any sanctioned country, the company said

Fed police trial new net spying technology (Perth Now) Contorversial new technology capable of collecting and storing emails and other information sent via computer in real time will be rolled out by the Australian Federal Police next year

FBI used spying malware to track down terror suspect (Help Net Security) Court documents related to a recent FBI investigation have revealed that the agency has been permitted to try to compromise with spying malware the computer of a potential terrorist in order to discover his identity and location

GCHQ and NSA Join Forces to Hunt Paedophiles on 'Dark Net' (International Business Times) Technology experts from government intelligence agencies will join forces to track down and unmask paedophiles who share child abuse images anonymously on the 'dark net'

Operation Creative: 40 Illegal Websites Shut Down by British Authorities (Softpedia) A total of 40 websites found to be serving copyrighted content have been shut down as part of Operation Creative, a campaign launched by British authorities in the summer of 2013. Many of them are said to have generated serious profit for their owners through advertising programs

Malware+pr0n surge follows police op to kill illicit streaming sites (The Register) Cops fall foul of the law of unintended consequences

Here's how many data requests the U.S. gov't made for customer cell data last year (Hint: it's a lot) (ZDNet) Following requests by a leading U.S. senator, U.S. cell giants cough up their annual government data request figures. And it's a lot

US cops blew more than $26m buying 1.1m cell phone files from telcos (The Register) And you thought your data plan was pricy

Recovering stolen bitcoin: a digital wild goose chase (The Guardian) How the biggest heist in bitcoin history turned into a farcical attempt to retrieve the digital currency

Microsoft DCU — Strike Three. Now What? (Damballa: The Day Before Zero) Microsoft DCU recently announced legal actions again the click-fraud component of the ZeroAccess (ZA) botnet. It is common knowledge in the security community that ZA uses a peer-to-peer (P2P) Command and Control (C&C) channel

Ohio man pleads guilty to Santa Cruz County cyber attack (Santa Cruz Sentinel) A 28-year-old Ohio man has pleaded guilty to attacking a Santa Cruz County Internet server in a protest of the city of Santa Cruz's camping ban

Guilty Verdict in First Ever Cybercrime RICO Trial (Wired) A young Arizona identity thief is the first person in the U.S. to be found guilty of federal racketeering charges for facilitating his crimes over a website

Design and Innovation

Commentary: Every Federal Agency Needs an Innovation Lab (Nextgov) More than five years ago, then-candidate Barack Obama vowed to "make government cool again." Since then, he has advocated vocally for technology and innovation, inspiring advancements that have reduced waste and delivered services more effectively to the American people