Cyber Attacks, Threats, and Vulnerabilities
DaVinci surveillance malware distributed via zero-day Flash Player exploit (ITworld.com) Political activists from the Middle East were targeted in attacks that exploited a previously unknown Flash Player vulnerability to install a so-called lawful interception program designed for law enforcement use, security
LadyBoyle comes to town with a new exploit (FireEye) By now you have probably heard of the new zero-day exploit in Adobe Flash that was patched today. FireEye Labs identified the exploit in the wild on February 5, 2013, which based on the compile time and document creation time is the same day the malicious payload was generated. Adobe PSIRT has released information about this threat. They have also released an advisory with details on versions and platforms affected along with applicable patches. The two exploits have been assigned CVE-2013-0633 and CVE-2013-0634. It is highly recommended that you apply this patch right away, as this threat is active in the wild
Malware injected into legitimate JavaScript code on legitimate websites (Naked Security) SophosLabs has observed a trend of hackers inserting their malicious code into legitimate JavaScript hosted on legitimate compromised websites. Learn more about what our experts have seen, and ensure that you have protection in place
Comment Group hackers specialize in high-profile targeted attacks (Help Net Security) It is common knowledge that spear-phishing has become the preferred way for persistent attackers to gain a foothold in targeted systems and networks. In fact, most of the successful compromises believed to be executed by Chinese hackers in the last two or three years have been initiated by spear-phishing emails
Yahoo lambasted over using outdated Java with SiteBuilder (CSO) One security expert called Yahoo's distributing of vulnerability-ridden versions of Java to small businesses 'shockingly irresponsible'
Citi Group customers targeted with malware-laden alerts (Help Net Security) A malware-spreading spam campaign targeting Citi Group customers is underway, so if you are one, be on the lookout for an email alerting you to the receipt of a "secure message"
Facebook's redirect error foretells the future of hacking (InfoWorld) Last week Facebook suffered an "error" that had an astounding ripple effect, as users of thousands of popular websites were inadvertently redirected to a Facebook error page. It was shocking to learn that Facebook Connect could disrupt every site it linked to -- but even more troubling was the glimpse it gave us of future hacker attacks. In security circles, the underlying issue is termed "transitive trust." The average popular website links to all sorts of sites and services, with the typical home page featuring more than a dozen third-party links
Security Patches, Mitigations, and Software Updates
Adobe releases patches for Flash Player and Shockwave Player (Computer World) Adobe released security updates for Flash Player and Shockwave Player on Tuesday in order to address a total of 19 vulnerabilities affecting the two products. New stand-alone versions of Flash Player 11 were released for Windows, Mac, Linux and Android. The Flash Player plug-ins bundled with Google Chrome and Internet Explorer 10 will be automatically updated through the update mechanisms of the two browsers
Microsoft releases 12 bulletins that address 57 vulnerabilities (Help Net Security) The second Patch Tuesday of 2013 has a much higher volume than usual. There are 12 bulletins, five of which are critical, addressing a total of 57 vulnerabilities. But the majority are concentrated
Cyber Trends
SANS Releases First Of Its Kind Deep-Dive Survey On SCADA Security Practices (Dark Reading) Survey revealed that respondents are putting most of their security focus on the computers operating their proprietary control systems
M2M offers hackers a new frontier to attack (TechWorld) Cybercriminals have a new attack vector that security watchdogs are worried about -- the growing number of devices that routinely use the Internet to function. Machine-to-machine (M2M) security is closely connected with what's known as "The Internet of Things" and involves a host of devices that use mobile modules to connect to the Internet. There's the vending machine, for example, that communicates with a distributor when supplies get low or the E-ZPass toll-paying system
Final U.S. infrastructure report offers a sober message (Homeland Security Newswire) As a way of introducing the American Society of Civil Engineers (ASCE) 2013 Report Card for America's Infrastructure, which will be released on 19 March, the ASCE, during a teleconference on 15 January, unveiled its fifth and final report in the Failure to Act series, The Impact of Current Infrastructure Investment on America's Economic Future, which addresses the comprehensive impacts of underinvesting in infrastructure in the United States. An ASCE release reports that ASCE has a sober message for elected officials, policy makers, businesses, and the general public: unless the United States invests an additional $1.57 billion per year in infrastructure (drinking water and waste water, electricity, airports, seaports and waterways, and surface transportation) between now and 2020, the nation will lose
Malware authors revert to phishing approach to trick bank defenses (Help Net Security) Banking malware that performs man-in-the-browser tricks, such as injecting legitimate banking sites with additional forms, hijacking the authenticated session to add a new payee and transfer money in the background, and so on, has had much success in the past. But, as financial institutions have reacted to their existence and have implemented systems for monitoring the online sessions between customers and their web applications, the actions of malware such as Tinba, Tilon, Shylock and others employing the MitB approach get increasingly detected and thwarted. Consequently, the malware authors have had to resort to new tricks to avoid detection
Unintended, malicious and evil applications of augmented reality (Help Net Security) Most new products begin life with a marketing pitch that extols the product's virtues. A similarly optimistic property holds in user-centered design, where most books and classes take for granted that interface designers are out to help the user. Users themselves are assumed to be good natured, upstanding citizens somewhere out of the Leave it to Beaver universe. In reality, however, the opposite is often true
Highlights from 450 global data breach investigations (Help Net Security) Trustwave released details from a report that highlights details and trends from 450 global data breach investigations, 2,500 penetration tests, nine million Web application attacks, two million network
Analysts warn Britain faces 20 year cyber-attack threat (The Drum) Computer experts have warned that the UK faces a two decade long period of ineffective cyber defences as the country struggles to plug a
Mobile malware still small, but 'malnets' to rise up (CSO) With 70% of employees across corporate networks using a personal smartphone or tablet, the growing attack surface is too big to ignore. Mobile device operating systems are still more secure than those of desktop or laptop computers. But today's mobile spam and phishing attacks will increasingly be delivered via mobile malware networks
Marketplace
Cyber security bombast boosts UK PLC (Computer Week) Official auditors have started scrutinizing the vaguely menacing fog that has obscured government spending on cyber security. Early signs are that most of what passes for cyber crime on these shores is credit card fraud. Yet most cyber security spending has gone to intelligence and defence agencies. And much of the rhetoric used to justify the expenditure has been about "attacks" of an unspecified but most certainly frightening nature, by people of uncertain address and approximate degree of malice. One thing is most certain though, on the publication today of the National Audit Office's first report on cyber security spending, and that is that the cyber threat has been very good for business
Defense Cuts A Necessary Step To Control Deficit (Politico.com) Despite frequent protestations to the contrary, lawmakers do not love cutting the spending they actually control, particularly from the agency with the most spending of all, the Defense Department. But in order to balance the budget and strengthen our economy, Congress must take on every part of government, particularly the one that extends America's might around the world
Automatic Budget Cuts To Happen: Senator McConnell (Reuters.com) The Senate's top Republican predicted on Tuesday that automatic spending cuts will take effect on March 1 as scheduled
Top Defense Officials Renew Alarm On Sequestration Threat (Washington Post) Senior Defense Department officials warned Congress on Tuesday that the looming sequestration cuts represent a dire and unprecedented threat to the U.S. military, with the potential to harm everything from combat readiness at a time of dangerous international tensions to the Pentagon's efforts to reduce military suicide
Hunter: DoD Being Overly Dramatic About Cuts (ArmyTimes.com) A California Republican accuses the Defense Department of adding drama to looming budget cuts, such as not deploying an aircraft carrier when less drastic options are available
Karen Mills Stepping Down From SBA Leadership (ExecutiveGov) Karen Mills, head of the Small Business Administration, told agency staff Monday she is stepping down after four years at the helm. Mills will continue to lead the agency until her successor is named
Ed Greer Joins IT Services Firm MIL Corp As COO (GovConWire) Ed Greer, former deputy assistant defense secretary for development test and evaluation, has joined information technology services provider MIL Corp. as chief operating officer. He told the Washington Post in an interview published Monday that he joined the Bowie, Md.-based company to help it expand its business in weapons system IT systems
Jerry DeMuro Retiring As General Dynamics Info Systems-Tech Group EVP (GovConWire) Gerard "Jerry" DeMuro, executive vice president of General Dynamics' (NYSE: GD) information systems and technology group, will retire from the company Feb. 28 to pursue new professional opportunities. Business units within the group will report directly to Phebe Novakovic, chairman and CEO, until the company appoints DeMuro's successor, General Dynamics said Tuesday
Haters Don't Hate Amazon (Facebook On the Other Hand…) (Wired Business) People love to hate Apple. They love to hate Microsoft. And Facebook. Each of these companies has spawned a parallel online hater community. But Amazon? Not so much
Cylance, A Cyber Security Data Company Founded By Former McAfee CTO, Raises $15M From Khosla, Fairhaven Capital (TechCrunch) Cylance, a cyber security company founded by former Global McAfee CTO Stuart McClure, has raised $15 million in a round led by Khosla Ventures and Fairhaven Capital. Cylance uses data to help keep core systems healthy
Another big Dell stockholder says no to buyout as resistance mounts (Ars Technica) Proxy battle looms over Dell's deal to go private as T. Rowe Price says no. Dell's leveraged buyout deal has run into more resistance. Today, T. Rowe Price Chief Investment Officer Brian Rogers said that his company would vote against the buyout
Products, Services, and Solutions
Raytheon Riot: Defense spying is coming to social networks (Dark Reading) Multi-national defense company Raytheon is getting ready to ship a big data social networking spy system. But they are far from the only ones tracking you. According to the Guardian, multi-national security company Raytheon has developed Rapid Information Overlay Technology (Riot), a big data, social-networking spy program. With Riot, a user -- typically a government official -- will be able to pull together your life-history; your relationships with other people; and the places where you're most likely to be found. These tracking profiles are based not just on obvious information, such as your listing of a hometown on Facebook or FourSquare GPS location data, but also from "invisible" location metadata from digital photographs
CA Technologies Announces CA CloudMinder - IAM As-A-Service (Dark Reading) Three components of CA CloudMinder can be deployed individually or together in a single, integrated IAM service
ForeScout integrates its NAC with MobileIron (CSO) The integration helps companies control unmanaged devices
McAfee enhances its business security management and SIEM products (CSO) The company adds real-time querying capabilities to ePO and enables SIEM to automate security response to suspicious events
New security startup tackles strong authentication (Help Net Security) Nok Nok Labs launched today. Through its Unified Authentication Infrastructure, which leverages existing technologies such as fingerprint sensors or webcams, TPM chips, or voice biometrics, organization
Sophos extends UTM to the enterprise (Help Net Security) Sophos has strengthened its network security offerings with two enhanced high-end UTM appliances, Sophos UTM 525 and 625, and the new Sophos RED 50 (Remote Ethernet Device), the first security solution
Lockheed Martin Cyber Systems And Services Now Available On U.S. General Services Administration Products List (PR Newswire) Continuing efforts to offer customers more access to its cyber security solutions, several cross domain solution products developed by Lockheed Martin (NYSE: LMT) have been added to the U.S. General Services Administration (GSA) schedule of products and services. The GSA Schedule is the most widely used government contract vehicle focused solely on procuring goods and services
It's not all about Hadoop (FierceBigData) The Apache Hadoop Project has resulted in the biggest, most accessible and most recognizable open source database available for big data. But it's not the only one. HPCC Systems, a spinoff from LexisNexis, is ready to challenge it, according to CIO magazine
Microsoft Surface Pro: Right For You? (InformationWeek) Microsoft's business-friendly Windows 8 tablet-laptop hybrid isn't perfect. From battery life to weight considerations, we break down whether Surface Pro will suit your needs
Critics question Telstra's motives on P2P throttling (The Age) Consumer groups fear a trial by Telstra that will slow the speed of peer-to-peer (P2P) services could be the start of a trend that sees ISPs "interfering in people's online activities". Last week Fairfax Media revealed that Telstra was planning to throttle, or slow, certain internet services during peak periods as part of a "trial" on its ADSL network that was, according to a source, likely to become permanent
Technologies, Techniques, and Standards
Database Encryption Depends On Effective Key Management (Dark Reading) You wouldn't leave your keys in your car--so don't leave encryption keys stored next to the database
How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack (Dark Reading) A rare inside look at how the defense contractor repelled an attack using its homegrown 'Cyber Kill Chain' framework. A few months after RSA had rocked the security world with news that it had been breached and its SecurID database exposed in a sophisticated attack, defense contractor Lockheed Martin discovered an intruder in its network using legitimate credentials
Main changes in the new ISO 27002 (2013 draft version) (ISO 27001 & ISO 22301 (blog)) In my previous blog post I analyzed the changes between the old ISO 27001 (published in 2005) and the 2013 draft; naturally, controls from ISO 27001 Annex A cannot change without changing ISO 27002 because the essence of these two standards is to be aligned. So, let's take a look at what changes are proposed for ISO 27002 (source: BSI website) - it is important to note here that since this is only a DIS (draft) version of ISO 27002:2013, it is expected that the final version will differ quite a bit. Here I'll focus mainly on how the controls are structured, and not so much on their description - so here are the main differences
How to sacrifice your online privacy for fun and profit (Data Protection) Should you remain a passive observer, or jump into the action yourself? Welcome to the dark side of the data economy. You have value--and not just as a good friend, loving family member, and upstanding member of society. You're also a valuable commodity that companies buy and sell. Your age, browsing habits, and friends lists are all hot properties. And yes, all this data is recorded, packaged, and sold to the highest bidder by your favorite websites
Mark Gerencser: Collaboration & Legal Framework Key to Leveraging Big Data for Business Growth (ExecutiveBiz) The amount of information about us as individuals, the products we purchase, the processes we utilize and the businesses that surround us has grown exponentially. At present, we generate more data every two days than we did in aggregate from the dawn of early civilization through the beginning of the 21st Century. Moreover, this information explosion continues to accelerate each year by 40%. This is called the "Big Data Revolution" and it is not only big volume, it's also big in variety and velocity, meaning different types of data from flat files to streaming video and at a wide range of input speeds and refresh frequencies. Big Data has very big implications for business
Embarking on a data governance strategy (FierceBigData) If enterprises are only analyzing one percent of their data to develop their business and customer intelligence, as IDC analysts have said is the case for data analytics overall, it is safe to assume the reason, in part, is that they are unaware of all the data they have, where all their data is stored and the integrity of the data (of which they are aware). So before big data initiatives can take place, such businesses, and in good practice all businesses, need to consider applying some data governance
When Security Experts Forget Passwords (InformationWeek) What happens when you forget a crucial password? Here's what WhiteHat Security's CTO learned from his experience
HIMSS13 panelist makes the business case for predictive analytics (FierceMobileHealthcare) There are plenty of positives to predictive analytics, such as improved quality of care and efficiency. But failing to act upon predictive data could have significant negative consequences, says Tina Buop, CIO of La Clinica de la Raza, a community health center in Oakland, California
Design and Innovation
Learn COBOL: It will outlive us all (IT World) Here's an old computer science joke: What's the difference between hardware and software? If you use hardware long enough, it breaks. If you use software long enough, it works. The truth behind that is the reason that so much decades-old COBOL code is out there still driving crucial applications at banks and other huge companies
Research and Development
A quantum shell game that street hustlers would hate (Ars Technica) Unlike a classical shell game, bettors can win two-thirds of the time. In the classic con game, an object is hidden under a shell or cup. The quantum analog has very different possible outcomes. The division between the "classical" and "quantum" worlds is most obvious when performing measurements. In classical systems, measurements generally are minimally invasive: you can find your height or weight, for example, without changing either quantity in a noticeable way. Quantum systems, however, have an interdependence between the instrument and the object being measured. In recent years, weak measurements have probed the division between the classical and quantum regimes by limiting the interaction between the apparatus and the system being measured
DARPA, FIDO Alliance Join Race to Replace Passwords (Threatpost) Nearly everyone agrees that passwords are the bane of Internet security. For years, industry thinkers have somewhat vaguely referenced the need for Internet fingerprints capable of reliably verifying identities online. Yet here we are, it's 2013 and passwords remain the primary means of authenticating users onto networks and workstations
FIDO Alliance designs open, non-proprietary authentication protocol framework (Help Net Security) Internet companies, system integrators and security providers have formed the FIDO Alliance (Fast IDentity Online) to revolutionize online authentication with an industry supported standards-based open
Legislation, Policy, and Regulation
Cybersecurity Strategy of the European Union - the proposal (SecurityAffairs) Last week the European Commission and Catherine Ashton, the High Representative of the European Union for Foreign Affairs and Security Policy, submitted to the Council and the European Parliament a draft Cybersecurity Strategy of the European Union. The document is the first of its kind from the institutions mentioned, although for several years the authorities have been emphasizing the need to raise the level of security of the EU member states in cyber space. One of the most interesting documents prepared in the past was the Action Plan and a Communication on Critical Information Infrastructure Protection (CIIP), with which the EU aims to strengthen the security and resilience of vital Information and Communication Technology (ICT) infrastructures
Heads-Up - EU Data Protection Proposal Taken Word For Word From US Lobbyists (Slashdot) Glyn Moody looks at the proposed EU directive on Data Protection and how some of the proposed amendments seem to be cut and pasted directly from the American Chamber of Commerce, that well-known European organisation... You might ask, Glyn writes, who these MEPs are representing: the some 500 million EU citizens that pay their salary, or a bunch of extremely rich U.S. companies intent on taking away our privacy
Barack Obama Is The First Cyber War President, But A President Can't Win A Cyber War (Fast Company) President Barack Obama ran on change we can believe in--and he and the media will take the opportunity in this week's State of the Union address to assess his response to the global economic crisis and rebuilding America's health insurance system. But there's a quiet change happening in his role as Commander-in-Chief, too--one you won't likely hear much about in Tuesday evening's address. Slowly, with very few observers noting it, Obama has become our first cyber-war president
Companies Want National Policies to Combat Cyber-Spies (EWeek) In the wake of an intelligence report blaming China for most of the espionage attacks on U.S. businesses and government agencies, security experts say the private sector needs national support. Following a classified National Intelligence Estimate that reportedly blames China for the majority of cyber-espionage attacks targeting U.S. agencies and businesses, security experts called for the government to take a harder policy line to deter such attacks. The classified intelligence report, released by the Office of the Director of National Intelligence, aims to identify threats to the nation
Executive order on cybersecurity coming, but is it only a 'down payment on legislation'? (CSO) Based on leaked versions of the order, the White House is expected to put DHS in charge of organizing a cyberthreat information-sharing network. President Obama has spent much of the past two months focused on citizen security through gun control. Today, he is expected to focus on the security of the nation's critical infrastructure (CI) through a long-anticipated executive order promoting better information sharing on cyberthreats between government and private industry
Share Information To Fight Cyber Crime (Baltimore Sun) That's why, this week, I, along with House Intelligence Committee Chairman and Michigan Republican Mike Rogers, am reintroducing common-sense legislation to give American companies access to certain classified information on impending cyber threats before the attack occurs
Data protection practices in EU and Asia (Help Net Security) Research undertaken by Field Fisher Waterhouse into the existing legal framework mandating encryption of personal data in the EU and Asia details legal requirements and reveals a trajectory of data pr
Obama Order Gives Firms Cyberthreat Information (New York Times) President Obama signed an executive order on Tuesday that promotes increased information sharing about cyberthreats between the government and private companies that oversee the country's critical infrastructure, offering a weakened alternative to legislation the administration had hoped Congress would pass last year
Litigation, Investigation, and Law Enforcement
YouTube Files Appeal Against Regulator In Russia Over Content Blocked By New Firewall (TechCrunch) Google this week fired off one of the first high profile tests of Russia's controversial new firewall -- erected November 1, 2012 to block child porn, drugs and suicide content; but seen by critics as a route for the government to block whatever else it chooses. Google's YouTube operation in Russia has filed an appeal against the Russian regulator for blocking YouTube content
White House Must Respond to Petition Seeking Swartz Prosecutors Firing (Wired) A whitehouse.gov petition demanding that the Barack Obama administration remove Aaron Swartz's prosecutor in the aftermath of the internet activist's suicide has surpassed 25,000 signatures. That means the Obama administration is obliged to enter the debate over whether authorities, including line prosecutor Assistant U.S. Attorney Stephen Heymann, went too far in prosecuting the 26-year-old internet sensation
Hacker arrested after taunting police with clues attached to cat (CSO) Bizarre campaign included bomb threats against schools. Japanese police believe they have finally caught the man behind an extraordinary malware campaign that included taunting police in January by sending them clues on an SD card strapped to a cat