The CyberWire Daily Briefing for 12.11.2013
Radio Free Europe and Radio Liberty again come under cyber attack — no attribution reported.
Kaspersky researchers puzzle over a 64-bit version of the Zeus banking Trojan they've found in the wild. It behaves about the way its 32-bit counterparts do, so either someone's selling sizzle on the black market (the 64-bit "wow factor") or they're positioning Zeus early for attacks on future systems.
Lookout finds a new version of MouaBad Android malware that makes phone calls without user intervention. Bitdefender reports an unrelated Android vulnerability present in Widdit, an app development framework used to build in advertising capabilities. Widdit requests (and gets) many permissions on its initial download.
Holiday-themed criminal phishing campaigns are in full swing. State intelligence services phish too: details of the G20 campaign emerge that show China used saucy pictures of then French first lady Bruni as phishbait (also Syrian insurrection news, for reeling in stodgier or more conscientious diplomats). Infected foreign ministries might have mitigated the attacks through more effective network segmentation.
Those bogus certificates Google and others revoked earlier this week were tied to a French government man-in-the-middle campaign apparently designed to keep tabs on its own workers. They're not the only ones concerned about insider threats: employers now worry about "jammers" used to hide jailbroken devices.
Anonymization remains a hard problem: Disqus is found vulnerable to deanonymization.
Blue Cross laptop theft and other organizations' equipment disposal issues highlight the hardware side of cyber risk.
Cyber labor shortages drive talent development and engineering automation.
Notes.
Today's issue includes events affecting Brazil, Bulgaria, China, Czech Republic, Denmark, European Union, France, Germany, Hungary, Iran, Italy, Japan, Republic of Korea, Democratic People's Republic of Korea, Latvia, Netherlands, Nigeria, Portugal, Russia, Singapore, Sweden, Switzerland, United Arab Emirates, and United States.
Cyber Attacks, Threats, and Vulnerabilities
US-Funded Radio Free Europe Again Hit by Hackers (ABC News) U.S.-funded Radio Free Europe/Radio Liberty says its news services have been disrupted by a cyberattack for the second time in two months
64-Bit Version of Zeus Banking Trojan In The Wild (Threatpost) The infamous Zeus banking Trojan has gone 64-bit. But why?
'Mystery' Malware Files Often Missed In Cleanup (Dark Reading) Some malware infections leave stealthy beachhead files behind after the main malware is detected and removed
Infographic: What happens after a data breach occurs? (FierceITSecurity) Major data breaches are happening all the time. Just last week, more than two million passwords from Facebook, Gmail, Twitter and other accounts were stolen by hackers who installed keylogging malware on millions of computers
MouaBad Malware Allows Cybercriminals to Make Phone Calls (Softpedia) A new version of the MouaBad mobile malware is capable of making phone calls from infected phones without user interaction. Researchers from Lookout have analyzed the threat, which they called MouaBad.p
New Android threats could turn some phones into remote bugging devices (Ars Technica) "Weirdest permissions" include disabling lock screens and recording audio
Update vulnerability in third-party SDK exposes some Android apps to attacks (ComputerWorld) A third-party advertising framework integrated in hundreds of Android apps contains a vulnerability that could allow hackers to steal sensitive information from users' phones, according to security researchers from antivirus firm Bitdefender
Removing the Android Device Lock from any Mobile App (SANS Penetration Testing) Last week, a new Android vulnerability was disclosed: "CVE-2013-6271: Remove Device Locks from Android Phone". It affects Android Jelly Bean (JB) 4.3 devices, as well as earlier versions based on my own testing, such as Android Ice Cream Sandwich (ICS) version 4.0.3. The flaw allows any mobile application (from now on referred to as an "app") to remove the passcode or lock protection of Android mobile devices, no matter the lock mechanism in place: PIN code, password or passphrase, dot pattern or gesture, or face unlock. That's pretty huge
Popular holiday-themed phishing attacks (Help Net Security) The holidays are a busy time for everyone…especially for hackers trying to phish your employees. Phishing is most effective when it exploits human emotions—fear, greed, anxiousness, curiosity, compassion, getting a good deal—and the holidays tend to bring these emotions out more than other times of the year. This gives adversaries a bevy of relevant topics to use to build phishing campaigns
Free ASDA Voucher scam tries to ruin Christmas on Facebook (Graham Cluley) Yet another scam is spreading on Facebook, this time using the tried-and-trusted technique of luring unsuspecting social networkers into clicking by pretending to be supermarket vouchers in the run-up to Christmas
Facebook Phishing and Malware via Tumblr Redirects (Internet Storm Center) We got a couple reports of pretty convincing Facebook spam redirecting users to malware and a Facebook phishing site
Nicolas Sarkozy's Naked Wife Used As Bait By G20 Hackers (Business Insider) Suspected Chinese hackers have systematically targeted diplomats working within foreign ministries in European countries, reports Nicole Perlroth of The New York Times
Security tactics might have helped in foreign ministry hacks (CSO) Network segmentation may have helped Chinese intruders breach machines at various European ministries
French gov used fake Google certificate to read its workers' traffic (The Register) Liberté, égalité…invisibilité: man-in-the-middle snooping at treasury dept
Blue Cross: 840,000 healthcare records at risk after laptop theft (CSO) Two employee laptops stolen in November from Horizon Blue Cross Blue Shield of New Jersey
Inadequate electronic disposal protocols can lead to security leaks (Help Net Security) American IT departments' decisions could inadvertently put organizations at risk of an information security breach if they don't have sufficient protocols for the disposal of old electronic devices
Bed Bath and Beyond Acknowledges Insider Breach (eSecurity Planet) A cashier stole an undisclosed number of customers' credit card information
Spotlight: Employees use 'jammers' to hide jailbroken devices on corporate networks (FierceITSecurity) Employees are downloading insecure "Jailbreak Jammer" apps that enable them to access the corporate network with a jailbroken smartphone, warns Marble Security Labs
How Your IT Workers Are Putting Your Company at Risk (Mashable) The employees charged with keeping a watchful eye over a business's cybersecurity are the ones most likely to engage in risky activities, new research finds
Disqus security flaw used to deanonymize online commenters (Help Net Security) A security flaw in the API of popular blog comment hosting service Disqus can be exploited to reveal the email addresses of users, and therefore occasionally even their real-world identity
Many state health care exchanges vulnerable to login theft (ZDNet) Research by a forensics firm shows that Wifi users of many state health care exchanges could have their usernames and passwords unknowingly sniffed
Creepware — Who's Watching You? (Symantec Official Blog) Some people stick a piece of tape over the webcam on their laptop, maybe you even do it yourself. Are they over cautious, paranoid, a little strange? Are you? Or is there reason behind this madness
'Imposter' Bots On The Rise (Dark Reading) A whopping 61.5 percent of all website traffic is attributed to bots of all types, new report finds
L.A. Gay & Lesbian Center Information Systems Compromised by Cyberthieves (Gay Today) The L.A. Gay & Lesbian Center was recently the victim of a sophisticated cyber attack that, according to data security and technology experts, was designed to collect credit card, Social Security numbers and other financial information, although there is no evidence that anyone's information was actually accessed or acquired
Hackers broke into poker pro's hotel room to install 'sharking' malware (the Verge via The Journal of Law and Cyber Warfare) This September, on the Barcelona leg of the European Poker Tour, Jens Kyllönen had a strange run-in with the criminal underworld. He'd busted out of that day's tournament early, but when he returned to his hotel room, his laptop was missing. He went downstairs to find his roommate, but when they came back to the room together, the laptop had mysteriously reappeared. And to make things even more suspicious, Kyllönen's computerized room key was malfunctioning, triggered by some problem with the electronic door lock
Netissime hack: "How I recovered 60,000 addresses" (L'Informaticien) 7,000 euros: that is the sum this young man was paid to gain access to the customer file of the Lyon-based hosting provider Netissime
Deplorable security flaws in Santander UK banking apps and site (Help Net Security) When banks urge customers to use their mobile banking apps and sites for making online payments, users usually assume these methods are secure and do so
How We Decoded Some Nasty Multi-Level Encoded Malware (Sucuri) From time to time, we come up with interesting bits of malware that are just calling us to decode and learn more about them. This is one of those cases. Recently, I crossed paths with this little gem
NSA uses Google cookies to pinpoint targets for hacking (Washington Post) The National Security Agency is secretly piggybacking on the tools that enable Internet advertisers to track consumers, using "cookies" and location data to pinpoint targets for government hacking and to bolster surveillance
No, I won't install your app or subscribe to your newsletter (Ars Technica) If I want your app, I'm not going to get it on my way to browsing your site
Security Patches, Mitigations, and Software Updates
Firefox 26 bumps up security by letting users screen plug-ins (ZDNet) The latest release of the Firefox web browser boosts browser security and stability by blocking all software component plug-ins from loading by default, apart from Adobe Flash
Patch Tuesday December 2013 — TIFF exploit patched, XP kernel flaw not fixed yet (Naked Security) The updates for Microsoft's December 2013 Patch Tuesday are out. Paul Ducklin takes a brief look at what's in, and what's not
Zero-Day Fixes From Adobe, Microsoft (Krebs on Security) Adobe and Microsoft today each separately released security updates to remedy zero-day bugs and other critical vulnerabilities in their software. Adobe issued fixes for its Flash and Shockwave players, while Microsoft pushed out 11 updates addressing at least two dozen flaws in Windows and other software
Box Rolls Out New Management Tools, Gives Its 200K Business Users More Control Over Their Files (TechCrunch) This morning Box announced a number of feature improvements to its file-storage platform, as well as corporate moves that the company says will help its customers better manage their employees' use of the product. As a company, Box wants enterprises of scale to adopt its technologies. Those contracts are lucrative but come with an implicit feature list: companies that large are accustomed to
Cyber Trends
Smarter, shadier and stealthier cyber crime forces industry to dramatic change (CSO) Sophos today released its latest Security Threat Report. The report outlines the significant changes in cyber criminal behaviour over the course of last year and a forecast for their preferred methods of attack in 2014. This year cyber criminals continued the theme of professionalisation of their 'industry', offering easy to buy and use services that amplified the scale of cyber crime to never before seen levels
Two-step security on mobile will be rendered useless in 2014, says Trend Micro (The Inquirer) Due to 'man in the middle' attacks
2013: Rest In Peace, Passwords (InformationWeek) In the future, we will look back on 2013 as the year two-factor authentication killed passwords
IT risk management spending to reach $71.1B, says IDC (FierceITSecurity) Risk management core to business strategies across banking, capital markets, insurance sectors
Visualizing the year's top cyber attacks (Help Net Security) OpenDNS announced findings by its research organization into the most significant cyber attacks of 2013. Red October, Kelihos, Syrian Electronic Army DNS Hijack, Syria Internet shutdown and Cryptolocker topped the list of malicious Internet events over the past twelve months
What threats will dominate 2014? (Help Net Security) Trend Micro released its annual security predictions report. The outlook cites that one major data breach will occur every month next year, and advanced mobile banking and targeted attacks will accelerate
The worst IT project disasters of 2013 (IT World) The Healthcare.gov rollout leads a pack of painful projects. Trends come and go in the technology industry but some things, such as IT system failures, bloom eternal
Not all cyber theft, nor remedies, are equal for the economy, finds Brookings paper (FierceGovIT) Cyber theft of company data doesn't affect all economic sectors equally, and nor do remedies have a uniformly beneficial outcome, finds research from a group of Brookings Institution academics
Marketplace
Shortage of workers with cybersecurity skills rises just as need does (Medill Reports) The issue of cybersecurity is no longer limited to fear of cyber attacks. The concern now is the shortage of workers who can keep critical networks and infrastructure secure
The NSA Is Recruiting Teens (Mashable) The National Security Agency is hiring its spies early and recruiting teens as young as 15 for internships
You don't get higher security by restricting particular company: John Suffolk (Business Standard) Q&A with Huawei's global cyber security officer
McAfee closes on Blue Coat for lead in content security gateway appliance market (FierceITSecurity) Cisco, Websense, Symantec all bunched together behind the market leaders
Swiss Set Sights on Becoming World's Data Vault (AFP via SecurityWeek) It looks like the ideal location for a James Bond thriller: a massive underground bunker in a secret location in the Swiss Alps used for keeping data safe from prying eyes
NSA Spying Scandal Could Cost U.S. Tech Giants Billions (Time) AT&T and Verizon have remained silent about their role in the NSA's programs
What's Marissa Mayer Planning to Do With All Those New Startups? (Wired) Yahoo CEO Marissa Mayer keeps buying startups. Hopefully she has a good plan for what to do with them
Cisco Buys Data Center App Maker Insieme Networks (GovConWire) Cisco (NASDAQ: CSCO) has purchased San Jose, Calif.-based data center application developer Insieme Networks for an undisclosed amount. The company introduced an application-centric infrastructure services portfolio in November for partners to deploy data center networking services that work with customer applications
Pat Burke, George Batsakis, Paul Nedzbala Take New Roles as SRA Realigns (GovConWire) SRA International has reorganized its business structure from having four operating groups to two and created a new position of chief technology officer. Pat Burke, a two-decade company veteran, has been appointed CTO after previously serving as senior vice president of the company's intelligence, homeland security and law enforcement group, SRA said Wednesday
General Dynamics Fidelis Cybersecurity Appoints Jaeger to New Customer-facing Position (MarketWatch) Jim Jaeger named Chief Cyber Services Strategist; Mike Buratowski will succeed Jaeger as vice president of Cybersecurity Services
CrowdStrike Adds VP, Products to Leadership Team (Broadway World) CrowdStrike Inc., a global provider of security technologies and services focused on identifying advanced threats and targeted attacks, announced today that Dave Cole has joined the leadership team as Vice President of Products. Cole brings more than 15 years of product management experience and expertise to CrowdStrike
Products, Services, and Solutions
Venafi Launches Certificate-based Mobile Device "Kill Switch" (SecurityWeek) Venafi, a Salt Lake City, Utah-based provider of enterprise key and certificate management solutions, has launched a new product that the company describes as a mobile device "kill switch" which gives IT security teams the ability to instantly cut off mobile access to applications and networks when suspicious activity is detected
BlackBerry BBM Channels blocked on UAE mobile phones (Emirates 24/7) Might be available on some handsets, says BlackBerry
The iCloud keychain and iOS 7 data protection (Help Net Security) When Apple announced iOS 7, iCloud Keychain was one of its key features. It is no doubt great for usability, but what about security? What kind of access does Apple have to the passwords stored in the iCloud
New Versions Of SplashID Safe Improve Password Management (Dark Reading) Includes a major update of its consumer-focused Personal Edition
EndGuard Protects BYOD Data (Dark Reading) EndGuard integrates cloud backup and native endpoint data loss prevention capabilities in a centrally managed application
Technologies, Techniques, and Standards
Is FTP malware threatening network port security? (SearchSecurity) According to research by Palo Alto Networks, malware is increasingly targeting "old" ports like FTP because nobody is watching them. What's the best way for organizations to monitor such non-standard ports
Multi-stage attack detection best practices for enterprises (SearchSecurity) The "g01pack" toolkit apparently downloads in multiple stages to victim machines in order to avoid antivirus detection. Is there no way to detect such multi-stage attacks in the early stages of their propagation? If not, what's the most effective method for sniffing out such attacks as they download their malicious components
OIG: Limit EHR copy-paste to reduce fraud risk (FierceHealthIT) Hospitals are employing safeguards to prevent electronic health record fraud and abuse to varying degrees, but must do more, according to a new report from the U.S. Department of Health & Human Services Office of Inspector General
How Twitter tracks the websites you visit, and how to stop it (Naked Security) Last Thursday Twitter introduced promoted tweets (ads) targeted according to the websites you've visited. It seemed like a good time to explain how Twitter is doing it, how they've used a different technique to track the websites you visit for some time now, and how to turn it all off if you want
System Design Guide for Thwarting Targeted Email Attacks (Information-Technology Promotion Agency, Japan) Make your system difficult for attackers to operate inside
EU Cyber Group Guide to Mitigate Attacks (Industrial Safety and Security Source) ENISA, the European Union's (EU) cyber security agency, has a new manual on how to mitigate attacks on Industrial Control Systems (ICS)
5 Steps To Managing Mobile Vulnerabilities (Dark Reading) With employees bringing their smartphones and tablets into the workplace, companies need to work to limit the threat posed by mobile applications
7 Habits Of Highly Secure Database Administrators (Dark Reading) Most organizations could still stand for improvement in database security best practices, according to IOUG survey
Cyber Security Framework Lacks Mitigating Controls and Cloud Security (Tripwire) The protection of the nation's critical infrastructure naturally brings to mind most if not all of the sixteen sectors identified in the National Institute of Standards and Technology's (NIST) Preliminary Cyber Security Framework (CSF) – industries like energy, finance, healthcare, and transportation
Design and Innovation
Startups need to leverage their local universities (Examiner) An underutilized, but valuable resource, every startup should investigate is a formal or informal connection to your alma mater, including any local university. These resources are definitely not limited to students, since every university seeks out and needs the real world exposure and experience of entrepreneurs who already are active in the real world marketplace
Academia
NYU-Poly Training Booz Allen Hamilton Employees on Cyber Security (Campus Technology) Booz Allen Hamilton is sending its employees to Polytechnic Institute of New York University to earn master's degrees and certificates in high tech fields. The company has joined the "enterprise learning arm" of NYU-Poly to provide access to online courses in bioinformatics; cyber security; organizational behavior; and computer, electrical, industrial, and manufacturing engineering
Legislation, Policy, and Regulation
Espionage à la Française (Wall Street Journal) U.S. digital surveillance is nothing compared to what the French have in store
Nigeria: Gagging Critics or Fighting Cyber Crime? (Global Voices) Nigerian lawmakers are deliberating over multiple bills of law that aim to fight cybercrime — but could gag government critics along the way
The US and China's Common Interest: Cyber Spying (The Guardian) U.S. and China have very similar ideas on cyberspace — anything goes
US phone carriers and wireless surveillance of Americans (Help Net Security) As part of his ongoing investigation into wireless surveillance of Americans by law enforcement, US Senator Edward J. Markey released responses from eight major wireless carriers that reveals expanded use of wireless surveillance of Americans, including more than one million requests for the personal mobile phone data of Americans in 2012 by law enforcement
Editorial: As National Security Agency spying grows, basic liberties at stake (Mass Live) If you've got nothing to hide, if you aren't up to no good, why would you care if the authorities were keeping tabs on your daily doings? This, boiled down, is one of the fundamental arguments made by many who support the federal government's gigantic spying apparatus
US tech firms' open letter a first step only (FierceITSecurity) Under economic pressure from revelations that they knowingly or unknowingly handed over data to government spy agencies, a group of high-tech firms has published an open letter addressed to the White House and Congress calling for reforms in the NSA surveillance program, including banning bulk collection of phone data and publishing stats on government surveillance requests
Bill Clinton says security does not justify espionage (Global Post) Former U.S. President Bill Clinton, currently on a visit to Brazil, has said the United States' security need does not justify spying on allied countries
NATO to Set Up Cyber Attack Response Teams (DefenseWorld) NATO will soon set-up two rapid reaction teams that can help protect its networks in the event of a cyber attack. The two cyber-defence teams are expected to be up and running in weeks in response to significant cases of cyber-attacks recorded every year
At DHS, the future is mobile (Federal Times) The Department of Homeland Security is finalizing a comprehensive plan that places mobility at the forefront of agency operations
Litigation, Investigation, and Law Enforcement
FDA Breach Raises Lawmakers' Hackles (GovInfoSecurity) Lawmakers have raised concerns that the Food and Drug Administration hasn't been as forthright as it should in disclosing an October breach that exposed personally identifiable information of 12,000 to 14,000 individuals
Data-sharing among US law agencies amounts to 'organised chaos' — report (The Guardian) The sharing of crucial intelligence about counter-terrorism between the FBI, the Department of Homeland Security and local police departments takes place through a patchwork process that amounts to "organized chaos", according to a new report
Cellphone surveillance undecided in Oregon (Statesman Journal) Searches allowed for specific cases in absence of law
The NSA's Reach Might Be Even Bigger Than We Thought (Huffington Post) The National Security Agency's court-approved authority to access and analyze phone records three "hops" away from a suspected terrorist's phone number has alarmed civil liberties groups like the ACLU, which estimated that just one starting number could yield 2.5 million people's phone records
Snowden docs had NYTimes exec fearing for his life (CNN) Informing the American people about how their government spies on them can be risky business for journalists. Rajiv Pant, chief technology officer at The New York Times (NYT), thought he could be killed for it
Two Brothers held for hacking Singaporean PMO site, face 16 charges including Email Account Hacking (Hacker Post) The two brothers, initially arrested in connection with the hacking of the Prime Minister's Office (PMO) website on Nov 8, now face a total of 16 charges under the Computer Misuse and Cybersecurity Act in Singapore's courts for separate cyber crimes
"Revenge porn" operator arrested, charged with ID theft (Ars Technica) Site's owner told the cops: "I know…people are getting screwed over"
Thousands of Germans get "porn troll" letters over streaming video (Ars Technica) Berlin law firm defends against claimed predatory behavior by "The Archive"
Pirate Bay once again forced to change domain names (Ars Technica) A Dutch anti-piracy group pushed the site to move away from Dutch-controlled .sx
Euro judge flings out Cisco beefs against Microsoft-Skype deal (The Register) We just want standards-based interoperability, pleads networking colossus
How These 5 Dirtbags Radically Advanced Your Digital Rights (Wired) Bad facts make bad law, the saying goes. But sometimes, bad people make good law
Upcoming Events
The 8th International Conference for Internet Technology and Secured Transactions (London, England, UK, Dec 9 - 12, 2013) The 8th International Conference for Internet Technology and Secured Transactions (ICITST-2013) is an international refereed conference dedicated to the advancement of the theory and practical implementation of secured Internet transactions and to fostering discussions on information technology evolution.
World Congress on Internet Security (London, England, UK, Dec 9 - 12, 2013) The WorldCIS-2013 is an international forum dedicated to the advancement of the theory and practical implementation of security on the Internet and Computer Networks. The inability to properly secure the Internet, computer networks, protecting the Internet against emerging threats and vulnerabilities, and sustaining privacy and trust has been a key focus of research. The WorldCIS aims to provide a highly professional and comparative academic research forum that promotes collaborative excellence between academia and industry.
ACSAC 2013 (New Orleans, Louisiana, USA, Dec 9 - 13, 2013) The Annual Computer Security Applications Conference (ACSAC) is an internationally recognized forum where practitioners, researchers, and developers in information and system security meet to learn and to exchange practical ideas and experiences.
2013 ASE International Conference on Cyber Security (Orlando, Florida, USA, Dec 10 - 15, 2013) The annual ASE Cyber Security Conference is a leading international forum for cyber security researchers, practitioners, developers, and users to explore cutting-edge ideas and results, and to exchange techniques, tools, and experiences. The conference seeks submissions from academia, government, and industry presenting novel research on all practical and theoretical aspects of cyber security. The First ASE International Conference on Cyber Security provides a key forum for researchers and industry practitioners to exchange information regarding advancements in the state of art and practice of cyber security.
Cyber Defense Initiative 2013 (Washington, DC, USA, Dec 12 - 19, 2013) NetWars Tournament runs over an intense two- to three-day period, at a conference or hosted onsite. Many enterprises, government agencies, and military bases are using NetWars OnSites to help identify skilled personnel and as part of extensive hands-on training.