The CyberWire Daily Briefing 01.07.13

Cyber Trends

Security pros predict 'major' cyber terror attack this year (Ars Technica) That sentiment is supported by the data from the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which responded to 198 cyber incidents in the 2012 fiscal year, with 41 percent of the them

Consumers want stronger mobile payment security (Computer Weekly) UK consumers are happy to use extra levels of security on their smartphones for mobile payments according to research conducted by ICM. However few people have actually used the NFC contact-less payment technology to pay for goods. In the online survey of over 2000 UK consumers 56% of consumers would like to see banks and mobile providers guaranteeing any financial losses

Study questioning effectiveness of anti-virus software comes under fire (Fierce CIO: TechWatch) Security firm Imperva has come under fire after publishing a study last month which suggested that anti-malware software may not be worth its often hefty investment. In a report titled "Assessing the Effectiveness of Anti-virus Solutions", Imperva concluded that the initial detection rate of a newly created virus is less than 5 percent, and that antivirus vendors may take "up to four weeks" to detect a new virus

Why You'll Need A Big Data Ethics Expert (InformationWeek) The looming issue in big data isn't technology but the privacy and ethics decisions associated with how, when and if results should be provided

Survey: Over half of UK corporate networks breached because of BYOD (Fierce Mobile IT) Just over half of secure IT networks in the United Kingdom were breached last year as a result of employees using personal devices at work, according to a survey of 500 U.K. chief information officers by Virgin Media Business

Legislation, Policy and Regulation

Anonymous is 'Uniquely Offended' by UN Hijackers (Cyberwarzone) Firstly, We salute the Internet for protecting itself from the W.C.I.T., also known as the 2,012 World Conference on International Telecommunications of the United Nations International Telecommunications Union. That being said, we have reviewed the Wikit Post Mortem Panel and We want to just add in particular to what ambassador terry kramer said on the human rights sticking point because it goes deeply to a lot of concerns of our civil society

Re-register now: First batch of UAE SIM card deactivation starts from January 17 (Emirates 24/7) Mobile subscribers of etisalat and du who receive SMS to complete re-registration process and fail to do so to be affected

Obama signs legislation to deliver more government contracts to small businesses (Washington Post) Washington's elected officials are taking new steps to direct more government work to small businesses, just as contractors are bracing for the threat of sequestration. President Obama on Tuesday signed as part of the military spending budget a series of provisions to help small firms compete for more federal contracts and ensure that agencies take their annual small business contracting goals more seriously. Most notably, the law requires that small business contracting performance be part of employee reviews for senior agency officials, which factor into their consideration for bonuses and promotions

Products, Services, and Solutions

Toyota, Audi to unveil self-driving cars at CES (IT World) Move over, big-screen TVs, cell phones and tablets, because cars might steal the show at next week's International CES

D-link Wireless-G Router Year Issue (Y2K-plus-13) (Internet Storm Center) We have received a report from Melvin indicating that he discovered an issue with a D-Link WBR-1310 Version D Release 4.13 router "expired" when a computer could no longer get a new lease from the router. According to D-Link's website, this router would no longer be supported after January 2012 and the year reset to 2002 (valid year is 2002-2012). The D-link router needs to be a DHCP-client to the ISP's DHCP-server. If you are still using this model, when the DHCP lease expires, your router will no longer be serving the correct date and will need to be replaced. DD-WRT isn't an option because this model isn't supported. If you have already already encountered this issue, let us know via our contact page

20+ best FREE security tools (Help Net Security) We asked information and network security pros to name the best free software tools for their daily work. Here are 21 standouts to improve your defenses - without breaking the bank

Keycard: Unlock your Mac using an iOS device (Help Net Security) Keycard allows you to pair your iPhone or other Bluetooth enabled device with your Mac to lock and unlock your computer. It detects when you're leaving your desk, office, or room

Technologies, Techniques, and Standards

Polish prof discovers way to encrypt secret messages into silence on Skype (even if the FBI is listening) (venturebeat) Skype calls use 256-bit advanced encryption by default, but thats not secure enough for some people. So a prof at the Warsaw University of Technology has created a way to communicate even more privately on Skype by using silence. Wojciech Mazurczyk (10 points if you can pronounce that name) has found a way to hide data in the 70-bit packets that Skype sends by default when its detecting silence when youre not talking

Marketplace

World Bank seeks cybersecurity center in S. Korea (Yonhap News) The World Bank and Korea Communications Commission (KCC) will sign a deal next week on a joint project to establish a "Global Cybersecurity Center" in South Korea, officials said Sunday. The World Bank, headed by Korean-born physician Jim Yong Kim, proposed it set up the center in South Korea in late 2013, they said. The facility will be tasked with promoting cybersecurity and other information protection in developing nations

Contractors' Cutback Worries Remain (Washington Post) While the two-month delay in planned federal spending cuts that Congress approved last week provides short-term relief for government contractors, many companies said the move does little more than maintain the uncertainty that has plagued them for months

Hagel To Be Pick For Defense (Washington Post) President Obama plans to nominate former senator Chuck Hagel, a Nebraska Republican and Vietnam War veteran, to be secretary of defense, according to a person close to the process and a senior administration official

DOE Taps PNNL CIO To Improve Security (InformationWeek) The U.S. Department of Energy is looking to bolster its cybersecurity readiness with the appointment of Jerry Johnson, CIO of Pacific Northwest National Laboratory for the past eight years, as a senior policy and technical adviser. Johnson had first-hand experience with one of the federal government's most serious cyber attacks. In 2011, he oversaw PNNL's response to a dual-pronged cyber attack that was likely part of a broader attack against government agencies and private-sector companies

Cybersecurity issues remain unresolved at Commerce agencies, say auditors (Fierce Government IT) In a Dec. 28 letter to the House Oversight and Government Reform Committee, auditors include OIG recommendations related to cybersecurity as one of five groups of unimplemented changes constituting short-term priorities within the department

Northrop Grumman Cybersecurity Engineers Win Global DOD Cyber Crime Center Forensics Challenge (4-Traders) A four-person team of cyber engineers from Northrop Grumman Corporation (NYSE:NOC) won the overall "grand champion" title in the Department of Defense (DOD) Cyber Crime Center's (DC3's) seventh annual Digital Forensics Challenge

Google Leader On Way To North Korea (New York Times) Googles executive chairman, Eric Schmidt, is to leave Monday from Beijing on a commercial flight to North Korea, the country thought to have the worlds most restrictive Internet policies

Why you shouldn't be surprised if Google's Schmidt meets with Kim Jong-Un (Quartz) Google's Eric Schmidt and former New Mexico Gov. Bill Richardson are in Pyongyang this morning at the start of a three-day visit to North Korea. The pair, whose visit to North Korea was opposed to by the US State Department, is not currently expected to meet with leader Kim Jong Un, but don't be surprised if they do

Eric Schmidt's North Korea Trip May Not Be as Ridiculous as It Sounds (Wired) Google chairman Eric Schmidt's planned trip to North Korea promises few returns for the company's shareholders. But for the world's most locked-down country, where only a few thousand citizens have internet access at all, his visit could offer the strongest

Army open to possible future role for Palantir intel software (Defense Systems) Certain parts of Palantir's off-the-shelf intelligence collection, analysis and dissemination software, which has been useful in predicting locations of

DOD Saves $100m A Year With New Microsoft Licensing Deal (NetworkWorld) The Department of Defense says it will save more than $100 million per year over the course of a three-year joint enterprise licensing agreement it has signed with Microsoft

Military Signs Most Comprehensive Microsoft Contract Yet (InformationWeek) Three-year, $617 million deal gives Department of Defense its lowest prices ever on software and services. In a bid to trim information technology costs, the Department of Defense last month signed a three-year, $617 million enterprise license agreement that will give the military its lowest prices ever for Microsoft software and services

GSA predicts 'steady rollout' of new FedRAMP authorizations (Federal News Radio) The Federal Risk and Authorization Management Program (FedRAMP) late last month approved the first cloud-computing services company to pass a comprehensive security-review process

NCR Acquires Video ATM Software Maker (InformationWeek) NCR is buying uGenius Technology, which makes the software for video ATMs that offer customers remote teller services from a call center

Will SMBs Suffer If HP Dumps PCs? (InformationWeek) Who wins and who loses if HP gets rid of its PC division? Here's why most small and midsize businesses probably won't care either way. As Yogi Berra would say, it's like deja vu all over again. In a recent SEC filing, HP said it will "continue to evaluate the potential disposition of assets and businesses that no longer help us meet our objectives." The tech titan's PC division is a reasonable guess to be one such business on the chopping block. We've been down this road before

Disruptive Web Security Startup Shape Security Nabs $20M From Venrock, Google Ventures, Kleiner, Eric Schmidt (TechCrunch) Shape Security, a company that wants to disrupt web security technology, has raised $20 million in a Series B financing round led by Venrock, with participation from Kleiner Perkins Caufield & Byers, Allegis Capital, Google Ventures, Google Executive Chairman Eric Schmidt's TomorrowVentures and former Symantec CEO Enrique Salem. The new funding brings Shape's total amount raised to $26 million. As we've written in the past, Shape Security wants to change the web security paradigm by shifting costs from defenders to hackers. The premise is that companies are forced to rely on identifying and classifying malware and botnets attack signatures that have occurred in the past, with the hopes of easily finding and shutting them down in the future. But sustaining this kind of security requires a lot of human and financial capital, so Shape has developed military-grade technology that doesn't rely on past attack signatures, and instead forces hackers to spend more and more to achieve less and less

Research and Development

Teaching Computers to Hear Emotions (IEEE Spectrum) New research can detect five different emotions with 81 percent accuracy…How can we hear emotions? It's not what people are saying—here it's just numbers, a date in one case—it's how they're saying it. And we can all do this. In fact, not being able to do this is a psychological disability. Well, if we can do it reliably, the next step—this is the Information Age, after all—is teaching a computer to do it too

Security Patches, Mitigations, and Software Updates

Samsung Pushes Exynos Flaw Fix on Galaxy Phones (Threatpost) Samsung has started to push software updates to some users of its Galaxy branded phones this week, fixing a flaw that was found affecting devices containing Exynos processors shortly before Christmas

Adobe ColdFusion Security Advisory (Internet Storm Center) Adobe released a security advisory which identifies three vulnerabilities (CVE-2013-0625, CVE-2013-0629, CVE-2013-0631) affecting ColdFusion for Windows, Macintosh and Unix. They have received reports that these vulnerabilities are actively being exploited. Adobe is currently planning to release a fix for January 15, 2013

A Bit About the NVIDIA Vulnerability (Internet Storm Center) Geoff writes in this morning asking for more eploration around the Nvidia vulnerability patch that was released yesterday. He writes: "Its really quiet if it is truly a vulnerability patch. I don't see any reference to an exploit fix. Maybe you can dig deeper and confirm?" On December 25th, 2012, a security research released exploit code that leverages a buffer overflow vulnerability in versions prior to 310.90 of the GeForce Driver for a popular line of NVIDIA video cards. This is a privilege escalation exploit that allows someone with low-level access to gain administrative-privileges on that system

Microsoft to release seven advisories on Tuesday (Help Net Security) The first Microsoft Patch Tuesday of 2013 includes 7 advisories (MS13-001 - MS13-007), two of which are listed as critical because they can be executed remotely

Cyber Attacks, Threats, and Vulnerabilities

PNC Bank Warns 5 Million Customers It Might Have Been Hacked (Business Insider) The bank has sent a message to some five million customers warning of a possible cyber attack, the AP is reporting. So far, the bank's "websites are getting hit with high traffic consistent with computer attacks," and some users have been blocked from

Cyber Jihad - Iran steps up cyber attacks on U.S. financial institutions (Free Beacon) Iran is continuing aggressive cyber attacks against U.S. financial institutions and officials say the U.S. government has failed to take steps to halt the electronic strikes. The sophisticated denial-of-service cyber attacks have been underway for several months and involve Iranian-origin hackers who flood banking and financial institution web sites with massive log-in attempts that disrupt or halt remote banking services. The are going after the same types of sites, said an intelligence official familiar with reports of the attacks

Evidence of Possible Spring Cyber Attack on Banking Industry (SIGNAL Magazine) The financial services industry and government cybersecurity experts are bracing for a possible cyber attack targeting large financial institutions, which was forecasted in research conducted by a cybersecurity expert working for a major information technology security firm

DHS's Study in the States and Sharp Electronics UK hacked by Nullcrew (E Hacking News) Few months after they have been quiet, the hacker group Nullcrew have returned with interesting hack. They claimed to have breached the "Study in the States", a subdomain of US Department of Homeland Security

DHS website falls victim to hacktivist intrusion (Naked Security) Hacktivist group NullCrew recently announced a succesful intrusion (though intrusionette might be a better word) against a website in the DHS. GOV domain hierarchy. DHS, of course, is the United States Department of Homeland Security

John McAfee says he infected laptops with malware, spied and stole passwords from Belize officials (Naked Security) Twenty years ago, John McAfee ran an anti-virus company. He's not had anything to do with the company that bears his name (and was subsequently acquired by Intel) since the early 1990s, but that doesn't mean that his involvement with malware has come to an end. Many people have been following the bizarre story of John McAfee, who has been on the run from the Belize police since mid-November, had his location leaked to the world in a photo's EXIF meta-data, and was hastily deported from his Guatemala hide-out to the United States

Turkish Digital Certificate Blunder Caused by Government Agency (Hot for Security) An unauthorized digital certificate issued for search specialist Google has been used for rogue purposes since August 2011, violating digital trust and key public infrastructure. This impersonation attack was not, however, carried out by hackers, but by a government agency trying to spy on its own employees. On December 24, Google found an unauthorized digital certificate was being used to validate rogue web pages as legit services provided by Google, including validation for Google Mail and Google Search

TURKTRUST Incident Raises Renewed Questions About CA System (Threatpost) The series of missteps and failures that led to a Turkish government-related agency eventually ending up with a valid wild card certificate for Google domains began in June 2011 when the TURKTRUST certificate authority began preparing for an audit of its systems and started moving some certificate profiles from production systems to test systems. Two months later, a pair of subordinate certificates--which carried the full power and inherited trust of TURKTRUST's root certificate as far as most browsers were concerned--were issued, and one of them later was used by a Turkish government transportation and utility agency to create an attacker's holy grail: a valid certificate enabling him to intercept encrypted Google traffic

Zero-Day Vulnerability Uncovered in Symantec's PGP Whole Disk Encryption (Spftpedia) On December 25, 2012, someone published the details of what appeared to be a zero-day vulnerability in Symantec's PGP Whole Disk Encryption product. After analyzing the POC, Symantec's engineers confirmed that it was in fact a vulnerability. However, according to Symantec's Kelvin Kwan, it's not something that's easy to exploit

Second Zero-Day For Symantec PGP WDE in Thirteen Days (Dark Reading) Symantec PGP Desktop is having a bumpy new year with a second zero-day vulnerability released in thirteen days. Take action to protect your data

'TPP' keyword in cyber-attack? Culprit appears to have searched for term (The Daily Yomiuri) A cyber-attacker suspected of stealing more than 3,000 documents from the Agriculture, Forestry and Fisheries Ministry looked for specific information through a keyword search, according to government sources. It is feared that ministry information

Researchers Bypass Microsoft Fix It for IE Zero Day (Threatpost) Expect amped up pressure aimed in Microsoft's direction for a patch for the Internet Explorer zero day that surfaced last week, now that researchers at Exodus Intelligence reported today they have developed a bypass for the Fix It that Microsoft

Symantec links latest Microsoft zero-day with skilled hacker gang (InfoWorld) Symantec is crediting a hacker group with an impressive track record as responsible for finding the latest as yet unpatched vulnerability in older versions of Microsoft's Internet Explorer browser. A gang Symantec calls the Elderwood group appears to

Internet Explorer zero-day exploit linked to China (NBCNews.com) Delving further into the Microsoft Internet Explorer zero-day exploit found last week, which unknown hackers used to compromise the website of an influential American think tank, researchers have discovered the exploit's use on other websites and

Zero-day exploit (CNET) Microsoft's regular Patch Tuesday rolls around next week. But one flaw that won't be fixed in the mix is the latest zero-day exploit in Internet Explorer. Last Saturday, Microsoft warned about the zero-day flaw in IE 6, 7, and 8 that could allow

Reflected XSS vulnerability affects Millions of sites hosted in HostMonster (E Hacking News) Recently, We reported about the Reflected Cross Site scripting vulnerability in the HostGator India hosting site that affects millions of hosted sites. Today, Another Indian Security Researcher , Ramneek Sidhu , come with another interesting find. Ramneek Sidhu has discovered Reflected XSS Vulnerability in One of the Biggest WebHosting site "HostMonster"

DarkWebGoons leaks 20k Credentials from Association of Irish Festival Events (E Hacking News) 20,000 Credentials has been compromised from the Association of Irish Festival Events website (aoifeonline. com) by a new hacker with twitter handle @DarkWebGoons. The Association of Irish Festival Events(AOIFE) is an all-island voluntary network organisation that brings together organisers of festivals and events in Ireland, suppliers to the festival and event sector and policy-makers and fundersThe hacker announced the breach in Twitter and posted a link to the leak of the compromised database

German Chambers of Commerce Hacked (eSecurity Planet) Anonymous hackers claim to have stolen 2.7 GB of internal documents from the German Chambers of Commerce (AHK) in Ukraine and Azerbaijan

Conficker targets photography lovers (Help Net Security) People who bought a Hama-manufactured slide scanner from popular German retailer chain Tchibo in the weeks leading to Christmas are being warned about taking home more than they have bargained for

Crimeware Author Funds Exploit Buying Spree (KrebsonSecurity) The author of Blackhole, an exploit kit that booby-traps hacked Web sites to serve malware, has done so well for himself renting his creation to miscreants that the software has emerged as perhaps the most notorious and ubiquitous crimeware product in the Underweb. Recently, however, the author has begun buying up custom exploits to bundle into a far more closely-held and expensive exploit pack, one that appears to be fueling a wave of increasingly destructive online extortion schemes. An exploit pack is a software toolkit that gets injected into hacked or malicious sites, allowing the attacker to foist a kitchen sink full of browser exploits on visitors

PayPal, Wells Fargo Among Most-Spoofed Sites During Holidays (Dark Reading) Visa, Citibank, and Bank of America also topped the list. PayPal and Wells Fargo topped the list of spoofed e-commerce sites used in phishing campaigns over the holidays

NASDAQ Suffers Data Feed Glitch (Finextra) In an alert to traders at 13:42, picked up by Reuters, the exchange said it was looking into an issue involving its Universal Trading Platform's centralised securities information processor (SIP) data feeds. Nasdaq-listed stocks continued to trade on some exchanges but brokers reported anomalies in some prices of some securities and reporting delays of trades to the consolidated tape, says the Wall Street Journal. Fellow operator Direct Edge responded by briefly halting trading in all Nasdaq order books

Human error at Amazon takes down Netflix (Fierce CIO: TechWatch) A Netflix outage on Christmas Eve was traced to a mistake by an Amazon (NASDAQ: AMZN) Web Services engineer. The engineer is one of a very small number of developers who have access to this production environment, and whose failure to notice the mistake at that time extended the time it took the team to identify and rectify the problem

Amazon's EC2 Outage: A Closer Look (InformationWeek) Amazon Web Services once again cites human error spread by automated systems for loss of load balancing at key facility Christmas Eve

Academia

Mahindra SSG launches IAHS Academy to train cyber security (IndiaEduNews.net) By defining an innovative and path-breaking information assurance skills framework, the Academy aims to create a structured next generation workforce for

Litigation, Investigation, and Enforcement

Hospice of North Idaho Fined for Security Breach (eSecurity Planet) The $50,000 fine is the first ever for a breach affecting fewer than 500 patients. The U.S. Department of Health and Human Services (HHS) recently announced the first-ever HIPAA breach settlement for a case involving fewer than 500 patients -- the Hospice of North Idaho (HONI) has agreed to pay a fine of $50,000 for HIPAA violations related to the June 2010 theft of an unencrypted laptop containing the electronic personal health information of 441 patients

Indian Government Wiretapping and started BlackBerry interception (The Hacker News) According to a report, All major Indian telecom companies, including Bharti Airtel, Vodafone India and Tata Tele services, have agreed to share real-time interception of BlackBerry calls and data services on their networks with Security agencies to meet the December 31 deadline fixed by the Indian government

What Facebook Gives the Police (Schneier) This is what Facebook gives the police in response to a subpoena. (Note that this isn't in response to a warrant; it's in response to a subpoena.) This might be the first one of these that has ever become public.

US Court Sentences 55-Year-Old Russian Hacker to 3 Years in Prison (Softpedia) Vladimir Zdorovenin, a 55-year-old Russian national accused of carrying out sophisticated cybercrimes has been given a three-year prison sentence by the Manhattan federal court. Zdorovenin who was arrested in Zurich, Switzerland, in March 2011 was extradited in January 2012 to New York. He pleaded guilty to the accusations brought against him in February 2012

State Agencies Yet To Fully Implement Cyber Security Protections (WLTX) Not all cabinet agencies have fully implemented cyber security protections that some experts and lawmakers say are basic steps in protecting taxpayers' information, almost three months after a foreign hacker conducted a massive data breach at the state Revenue Department. Some agencies surveyed by GreenvilleOnline. com said they use two of the protections - encryption and a multi-password system - in parts of their system or were working toward full implementation

SC working on security, notifying victims of data breach (The State) More than three months after officials revealed hackers had swiped financial data belonging to 6. 4 million consumers and businesses from the S.C. Department of Revenue, the state still is continuing work to secure computers and notify victims

The CyberWire Daily Briefing for 1.7.2013