The CyberWire Daily Briefing for 12.18.2013
Another reminder to patch wisely and systematically: the IE flaw exposed in the Aurora attacks is still being actively exploited in the wild.
Shortly after the US Government shutdown in October, the Federal Election Commission allegedly sustained an aggressive and successful cyber attack.
Updates appear on FireEye's discovery of MisoSMS, the cybercrime SMS mobile botnet. CERT Poland finds a botnet targeting Windows and Linux devices.
Seculert describes the PHP.net attacks' malware. It employed DGA Changer, which has the ability to change the domain generation algorithm (DGA) on the fly. The fact that DGA Changer infections seem not to have downloaded, well, anything, suggests we may be seeing the preparatory stages of an extensive and sophisticated cyber campaign.
The cyber black market shows signs of oversupply-driven price-suppression.
Hacktivists have been snapping at national oil producers in Angola, Kenya, and Mexico.
Security analysts call hogwash on 60 Minutes' story about Chinese capability to "take down" the US economy. On the other hand, Reuters offers a good rundown of Chinese espionage against the US defense industry.
For discussion: should the cyber industry compete with the criminal market for malware, or would that simply drive a bandit economy? And should bug bounties become mandatory?
In industry news, Blue Coat buys Norman Shark, and Datacard Group will acquire Entrust.
US tech executives are meeting with President Obama to seek restraint on NSA surveillance. It's increasingly clear that litigation will decisively shape surveillance policy.
Today's issue includes events affecting Angola, Brazil, Canada, China, Kenya, Republic of Korea, Mexico, Netherlands, Poland, Russia, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
IE flaw targeted in Aurora attacks still actively exploited (Help Net Security) Regular software patching is often touted as one of the best things you can do to keep your computer safe against malware infection. Unfortunately, not all users follow that advice
Federal Election Commission attacked by hackers during shutdown (CSO) According to a report from the Center for Public Integrity (CPI), on October 1, moments after the government shutdown started, the Federal Election Commission (FEC) was the victim of a massive attack against its networks
Bad VPN Website Issues Malware (Industrial Safety and Security Source) Virtual Private Networks (VPNs) can protect data, and more and more people want to use the service to ensure a safe operating environment. But there is a site out there called aquavpn(dot)com, an anonymously registered site that says it offers a VPN service called AquaVPN, said researchers at Malwarebytes
Mobile Botnet a Busy Application (Industrial Safety and Security Source) A mobile botnet is so big it apparently has been in at least 64 spyware campaigns, researchers said. The MisoSMS malware (Android.Spyware.MisoSMS) that powers the botnet is able to steal text messages and send them back via email to command and control (C&C) servers located in China, said researchers at FireEye. Over 450 unique email accounts have seen use by attackers
CERT Poland Warns of DDOS Botnet Targeting Windows and Linux Machines (Softpedia) Researchers from CERT Poland say they've come across what appears to be a new distributed denial-of-service (DDOS) botnet. What's interesting about it is the fact that the cybercriminals have developed malware to infect both Windows and Linux machines
A Business of Ferrets (Arbor Networks) Trojan.Ferret appeared on my radar thanks to a tweet by @malpush. The tweet revealed a URL that at the time of this writing was pointing to a command and control (C&C) panel that looked like this
DGA Changer Malware Able to Modify Domain-Generation Seed on the Fly (Threatpost) Malware authors have been using domain-generation algorithms for a few years now, often in botnet-related malware that needs to stay one step ahead of takedown attempts and law enforcement agencies. Now, researchers have discovered that a strain of malware that may have been part of the attack in October on PHP.net is employing
Cybercrime shopping list study points to falling prices (BBC) Fancy a bank account with $300,000 (£184,000) in it? If you know where to look and you don't mind dealing with cybercriminals then the going rate is just $300, a study of the hacking underworld suggests
Recent Cyber Operations Against Oil: Distinct Attacks Against Distinct Targets (Analysis Intelligence) The past two weeks have witnessed a series of cyber attacks against several national oil outlets. The oil industry in Angola, Kenya, and Mexico has been targeted by website defacements in these past few weeks. The names of OpAngola, OpGreenRights, and OpPemex were attached to each, respectively. A timeline view using Recorded Future's analysis tool provides a keen visualization of these attacks in relation to one another
How China's weapon snatchers penetrate American defenses (Reuters) As Beijing seeks to close the military gap, Washington faces a wave of attempts to smuggle out sensitive U.S. defense components and systems
Exploring the Dark Side of DBaaS Offerings (CSO) Database as a Service (DBaaS) offerings are a good deal for many organizations, but they can come with a certain amount of risk, which is often unexpected
Did NSA Invent Fake Malware Threat On '60 Minutes? (International Business Times) The director of the National Security Agency, General Keith Alexander, and the Information Assurance Director, Debora Plunkett, went to CBS on Sunday night to defend the NSA's surveillance programs on "60 Minutes." Several people have questioned the credibility of the interview, especially when the officials claimed the NSA thwarted a massive malware strike from China
NSA claims it thwarted BIOS malware plot that could have destroyed the US economy. Of course, it's nonsense (Graham Cluley) Last weekend, American TV viewers were captivated by a frankly ridiculous investigation into the behind-the-scenes goings-on at the NSA by the CBS 60 Minutes team
Lawfare Under Cyber Attack: Stick With Us, Please (Lawfare) Well, that will teach us to post podcast interviews with NSA officials! We have been experiencing intermittent outages this morning. They appear to be the result of cyberattacks coming from IP addresses based in the Netherlands
Data Breach Affects 18,800 Colorado State Employees (eSecurity Planet) The employees' names and Social Security numbers may have been exposed, along with some home addresses
Security Patches, Mitigations, and Software Updates
Mozilla blocks rogue add-on that made computers scan sites for flaws (Help Net Security) A singular new botnet composed of over 12,500 infected computers has been used by its masters to effectively crowdsource the search for websites vulnerable to SQL injection attacks
Apple updates Mavericks to 10.9.1, issues security fixes for Safari (Naked Security) Apple just announced the first point update for its recently released OS X Mavericks. Most of the fixes and enhancements are of the not-really-to-do-with-security sort, but the update includes a new version of Safari, with remote code execution patches
Google accidentally improves Android privacy, just for a moment (Naked Security) App Ops Launcher, a hidden feature that allowed Android users to deny selected permissions to apps, was an experiment that was never supposed to be released and that could break apps instead of just policing them, Google said
Wireshark 1.10.4 and 1.8.12 are available (Internet Storm Center) Download the relevant updated version from
Santander Banking Apps Shored Up Against Serious Vulnerabilities (Threatpost) The Santander Group's online banking and mobile banking applications have been patched against a number of SSL and certificate issues discovered by a U.K. security researcher
How effective are Android AV solutions? (Help Net Security) As the onslaught of Android malware continues, the recently released testing results by independent IT-security institute AV-Test show that most providers of Android antivirus software have
Convenience still overrides security for mobile shoppers (Help Net Security) Despite a huge increase in shopping on mobile handsets, shoppers do not have security in place to protect the identity and credit card data stored on the devices, according to Tripwire
The growing hacking threat to e-commerce websites, part 1 (Help Net Security) Recently, a friend of mine, owner of a small online web store, had his website compromised. He asked me lots of questions about why this had happened (he didn't really have much sensitive information on
Smart devices get smarter, but still lack security (CSO) While many smart devices are coming with more cool features, improved security isn't one of them
Executive Viewpoint 2014 Prediction: DB Networks (Virtual-Strategy Magazine) More and more organizations are coming to the realization that cyber criminals are able to bypass their signature-based perimeter defenses with impunity. Cyber criminals use automated tools to make short work of the task. As organizations continue to witness these escalating threats against their perimeter network defenses, there will be increased emphasis on securing critical IT assets — especially databases — within the core, in 2014
Security in 2014: What are the experts predicting? (ZDNet) I get a lot of security predictions pitched at me and I was intrigued by quite a few this year. There's good and bad news, and good and bad predictions
Major Cyber Attack on UK National Infrastructure 'Only a Matter of Time' (International Business Times) IT professionals in the UK believe that a major attack on some part of the critical national infrastructure is imminent
We're watching (maybe): The surveillance society (Thompson Citizen) By now many, if not most of us, have some idea the name Edward Snowden, unknown to all but friends, family and colleagues until last May, is connected somehow to whistleblowing and the surveillance society
The massive lie about anti-virus technology (Graham Cluley) Here is one of the privacy and security predictions I am making for 2014…The media will repeat a massive lie about anti-virus technology
Here's the one thing someone needs to invent before the internet of things can take off (Quartz) As Quartz has already reported, the Internet of Things is already here, and in the not too distant future it will replace the web. Many enabling technologies have arrived which will make the internet of things ubiquitous, and thanks to smartphones, the public is finally ready to accept that it will become impossible to escape from the internet's all-seeing eye
Good guys should compete with criminals in buying zero-day vulnerabilities, report says (CSO) Formation of international vulnerability purchase program ideal way to combat attacks
The Case for a Compulsory Bug Bounty (Krebs on Security) Security experts have long opined that one way to make software more secure is to hold software makers liable for vulnerabilities in their products. This idea is often dismissed as unrealistic and one that would stifle innovation in an industry that has been a major driver of commercial growth and productivity over the years. But a new study released this week presents perhaps the clearest economic case yet for compelling companies to pay for information about security vulnerabilities in their products
UPDATE 1-UK to give spy agency greater role at Huawei cyber centre (Reuters) Huawei, the world's second biggest telecoms gear maker, opened the cyber security centre, known as The Cell, in southern England in 2010 to test
Datacard Group to acquire Entrust (Help Net Security) Datacard Group has entered into an agreement to acquire Entrust. The acquisition is expected to close on December 31, 2013, subject to regulatory approval and customary closing conditions
Blue Coat acquires anti–malware firm Norman Shark (NetworkWorld) Blue Coat gains sandboxing, industry network protection technologies
SANS Honors People Who Made a Difference in Cybersecurity in 2013 (Digital Journal) SANS Institute is pleased to announce the People Who Made a Difference in Cybersecurity 2013 Award winners. Award recipients were announced December 16th at the SANS Cyber Defense Initiative (CDI) training event in Washington, D.C. The award recognizes security practitioners that are making breakthroughs in advancing cyber security
Cybersecurity Accelerator Set To Fast-Track A New Round Of Startups (Dark Reading) Mach37 accelerator opens a new season of business and funding assistance for cybersecurity startups
Products, Services, and Solutions
Secunia Partner Program Brings Patch Management To Masses (CRN) Secunia takes the massively complicated, challenging process of handling security updates for a variety of software and makes it as easy as handling
Bitdefender Adapts Leading Security Software to Latest Intel Technology (Digital Journal) Testing shows the new Intel Atom processor based tablets leap ahead from previous generation
SolarWinds enhances security tools (Help Net Security) SolarWinds announced enhancements to several of its security management solutions, including SolarWinds Log & Event Manager, SolarWinds Firewall Security Manager and SolarWinds Patch Manager
MobileFortress for Android: Secure Mobile Operating System by Tresys Technology (PRWeb) Tresys Technology, a leading provider of cyber defense technology and engineering services to our nation's defense, intelligence and critical infrastructure organizations, has released MobileFortress™ for Android™, a secure mobile operating system for Government and Commercial Enterprise mobile platforms
Technologies, Techniques, and Standards
Authentication using visual codes: what can go wrong (Help Net Security) Several password replacement schemes have been suggested that use a visual code to log in. However the visual code can often be relayed, which opens up a major vulnerability. Can anything be done
Sins of the coder (CSO) Frequently I will bring up the subject of passwords and the need for better user education. But, this responsibility to practice proper password hygiene does not rest solely with the end user
Facebook and Apple to help draft facial recognition rules (Naked Security) Big players that already have a lot of skin in the game are going to be whispering into the ear of the US Commerce Department. Will privacy be trampled in this facial-scanning gold rush
Tor use — best practices… (Digital Era) To date the NSA's and FBI's primary attacks on Tor users have been MITM attacks (NSA) and hidden service web server compromises (FBI) which either sent tracking data to the Tor user's computer, compromised it, or both. Thus you need a reasonably secure system from which you can use Tor and reduce your risk of being tracked or compromised
5 Ways Cloud Services Can Soothe Security Fears In 2014 (Dark Reading) Companies need cloud providers to delineate responsibilities for the security of data, provide better security information, and encrypt data everywhere
Special report: Breach-detection systems (Security Digest) In this multimedia special report, Information Security magazine contributor John Pirc explains why breach detection systems are an essential security tool in a malware-infested world
Do the NSA leaks change how corporate data is defended? (Search Security) Expert Joseph Granneman explains how to protect corporate data after leaks divulge information on NSA Bullrun and other government surveillance programs
Research and Development
IBM prevents services from running compromised code (Help Net Security) IBM inventors have patented a technique that can enable businesses to improve cloud security and support secure transactions by preventing mobile devices from accessing software code that has been
iWebGate Granted US Patent for Virtual Invisible Network (VIN) (IT Business Net) Australia-based iWebGate Technology Limited has been granted a patent by the United States Patent and Trademark Office (USPTO) for the first viable alternative to Virtual Private Network (VPN) solutions. This patented technology, the Virtual Invisible Network (VIN), establishes a meshed virtual network topology, without exposing end-points to unauthorized users. This technology breakthrough provides numerous functional and award winning security benefits over traditional VPN, and enables rapid creation of multi-tenant virtualized networks that are hidden over private and public infrastructures
Ron Deibert on Cyber Espionage, Surveillance and Black Code (Threatpost) Dennis Fisher talks with Ron Deibert of the University of Toronto and Citizen Lab about his group's research into cyber espionage campaigns, the surveillance landscape and his recent book, Black Code
This algorithm can tell if you're a hipster so the internet can sell you a plaid shirt (Quartz) Researchers at the University of California, San Diego, are developing an algorithm that aims to identify whether you're a hipster, a goth or a punk, just from the cut of your social media jib
Local CyberPatriot program expands (My San Antonio) With the 24th Air Force, the Air Force ISR and some elements of the NSA, San Antonio has a well deserved reputation as Cyber City USA
Legislation, Policy, and Regulation
Momentum Gains for US Intelligence Reforms (Defense News) The public and lawmakers responded with cries of outrage immediately following the first disclosures of classified data by leaker Edward Snowden
Obama Faces Tech Executives Pressing for NSA Limits (Bloomberg) President Barack Obama is meeting with a group of executives including Apple Inc. (AAPL)'s Tim Cook and Yahoo! Inc. (YHOO)'s Marissa Mayer whose companies are pushing the U.S. to curb broad government spying on communications
The Flawed Logic of Secret Mass Surveillance (ACLU) Privacy is a form of power. Humans are always highly aware who is observing them at any given time and place, and always tailor their behavior to that audience. And they generally work to make sure that their behavior does not reveal things that might put them at a disadvantage. To really gain new insight or leverage over another person, you have to watch them when they don't know they're being watched so that their guard is down
The NSA: An Inside View (Loren's Blog) In which I relate my experience as an NSA employee and impart my thoughts on the policies in place, my former coworkers, and the current cyber war
Tone-Deaf at the Listening Post: My day at the National Security Agency headquarters at Fort Meade (Foreign Policy) For an organization that is so efficient at amassing data intended to be kept secret, the National Security Agency seemed surprisingly clumsy in accepting data that was volunteered to them. I'd emailed the bits and pieces of my personal data necessary to be cleared for access to the agency's headquarters in Fort Meade a week before the scheduled visit, with zero response. As it turns out, an NSA server had crashed, they told me, creating havoc with some email accounts. This sort of hiccup humanizes the agency, though it also raises questions about their vulnerability
NSA head Keith Alexander went on '60 Minutes' and repeated everything he already said in Baltimore (Baltimore Business Journal) Gen. Keith Alexander and the National Security Agency allowed CBS News "unprecedented access" to its headquarters at Fort Meade for a story that aired Sunday on "60 Minutes." But it seemed more like a public relations stunt than news
NSA's indiscriminate spying 'collapsing,' Snowden says in open letter (The Washington Post) National Security Agency leaker Edward Snowden wrote in a lengthy "open letter to the people of Brazil" that he has been inspired by the global debate ignited by his release of thousands of documents and that the NSA's culture of indiscriminate global espionage "is collapsing."
Lawfare Podcast Episode #53: Inside NSA, Part II—Wherein We Interview the Agency's Chief of Compliance, John DeLong (Lawfare) It's Day 2 of "Inside NSA: We Brought in a Recording Device So You Don't Have To"—a special series of podcast interviews with senior NSA officials that we conducted last week
Litigation, Investigation, and Law Enforcement
DOD official: Snowden 'stole everything — literally everything' (Daily Caller) Former National Security Agency contractor Edward Snowden stole vastly more information than previously speculated, and is holding it at ransom for his own protection
Will the NSA Finally Get Its Day in Court? (Bloomberg) In the intelligence world, as they say in spy novels, nothing is as it seems. So it goes with the National Security Agency
NSA ruling fallout hits White House (Politico) In legal terms, a federal judge's decision Monday questioning the constitutionality of the National Security Agency's massive call-tracking program seems almost certain to have no practical significance
Larry Klayman crows on NSA win: 'We hit the mother lode' (Politico) Larry Klayman's long journey in the legal wilderness appears to be over. Klayman, the conservative legal activist well-known in Washington political circles a decade ago for his no-holds-barred court battles against the Clinton administration, was thrust back into the spotlight Monday after he obtained the first major ruling from a federal judge that the National Security Agency's surveillance program was constitutionally flawed
Fighting the NSA With Footnotes (Bloomberg) I think there is a fair chance that the U.S. Court of Appeals will overturn yesterday's order by U.S. District Judge Richard J. Leon that the National Security Agency halt its telephone metadata collection program and destroy its existing records. Leon's preliminary injunction, handed down in an angry opinion in the case, Klayman v. Obama, orders President Barack Obama's administration to end the program within six months unless a higher court should reverse him
Court's NSA ruling sets stage for contentious battle over surveillance (CSO) Lawmakers are already squaring off over the decision, which questions the spy agency's actions
Dianne Feinstein: Courts should decide on NSA (Politico) Senate Intelligence Committee Chairwoman Dianne Feinstein on Tuesday said that if the Supreme Court found the National Security Agency's meta-data collection program unconstitutional, she would respect its decision
Drugmakers urge FDA security audit after cyber breach (Reuters via Yahoo! News) The U.S. Food and Drug Administration is under pressure from the pharmaceutical industry and lawmakers to undergo an independent security audit, after hackers broke into a computer system used by healthcare companies to submit information to the agency
On catching the Harvard bomb threat suspect using Tor (Wireless Fantasy) The announcement of a criminal complaint by the U.S. attorney's office in Massachusetts against one Harvard University student named Eldo Kim has the public musing on why one would deem this an appropriate method of delaying final exams, but for anonymity/privacy advocates as well as practitioners of OPSEC (operational security), what's more interesting is the way he was caught
College grad gets prison time for MCAT hack (SC Magazine) A Rockville, Va. man will serve prison time for attempting to hack into the computer systems of the Association of Medical Colleges to alter his Medical College Admission Test (MCAT) scores
Facebook facial recognition matches abused child's image to aid in arrest (Naked Security) Facebook's facial recognition technology managed to recognize the face of a female child who was victimized in a child-abuse image, and then it led law enforcement to an account where investigators found images of a child who matched the abusive images
UK payday loan spammers fined £175K for "Hi, Mate!" texts (Naked Security) Pretending to be your friend and urging you to take out a payday loan so you can go live it up is both immoral and illegal, the ICO says
For a complete running list of events, please visit the Event Tracker.
Cyber Defense Initiative 2013 (Washington, DC, USA, Dec 12 - 19, 2013) NetWars Tournament runs over an intense two- to three-day period, at a conference or hosted onsite. Many enterprises, government agencies, and military bases are using NetWars OnSites to help identify skilled personnel and as part of extensive hands-on training.
FloCon2014 (Charleston, South Carolina, USA, Jan 13 - 16, 2014) FloCon 2014, a network security conference, takes place at the Francis Marion Hotel in Charleston, South Carolina, on January 13–16, 2014. This open conference provides a forum for operational network analysts, tool developers, researchers, and other parties interested in the analysis of large volumes of traffic to showcase the next generation of flow-based analysis techniques.
NASA Langley Cyber Expo (Hampton, Virginia, USA, Jan 14, 2014) The 2013 NASA Langley Cyber Expo is an annual event dedicated to Cyber Security and Information Technology at this secure facility. As the Cyber Expo hosts, the Office of the Chief Information Officer will be recruiting top federal speakers to provide informational sessions on relevant Cyber issues. Industry exhibitors may sit in on the sessions. This event will be promoted to all NASA Cyber and IT-focused personnel, as well as the entire workforce at this location.
cybergamut Tech Tuesday: Malware Reverse Engineering - An Introduction to the Tools, Workflows, and Tricks of the Trade to Attack Sophisticated Malware (Columbia, Maryland, USA, Jan 21, 2014) Reverse engineering malware can be an integral part of every security team's calculus. This session provides a technical review of the tools, workflows, and advanced analytic insight a senior reverse engineer brings to the fight. It will help demystify the process and illustrate the value-proposition associated with deep analytics of malware. Moreover, understanding the detail available through reverse engineering gives the security professional deeper insight into the tactics and techniques the attackers use to circumvent their defensive solutions. The session empowers cyber security professionals at every level to make better-informed judgments on how to improve their response and remediation protocols.
Cybertech — Cyber Security Conference and Exhibition (Tel Aviv, Israel, Jan 27 - 29, 2014) Cybertech Israel, the first event of its kind, will present world-leading companies in the field of cyber defense alongside young companies that offer unique solutions to advance the discipline of cyber security. The conference will focus on commercial problem-solving strategies and solutions for cyber infrastructure experts across multiple sectors: energy, utilities, finance, defense, R&D, manufacturing, service sectors, health, government, telecommunications, transportation and more.
2014 Cybersecurity Innovation Forum (Baltimore, Maryland, USA, Jan 28 - 30, 2014) The 2014 Cybersecurity Innovation Forum (CIF) is a three-day event, sponsored by the National Cybersecurity Center of Excellence (NCCoE) with DHS, NIST, and NSA as primary participating organizations. The CIF will cover the existing threat landscape and provide presentations and keynotes on current and emerging practices, technologies and standards. The 2014 CIF will provide action-oriented outputs to fuel voluntary, principle-driven, consensus-based standards efforts, create opportunities for industry growth and drive research activities, and define use cases for subsequent exploration, which in turn will feed back into subsequent CIFs, continually evolving the state of the art.