The CyberWire Daily Briefing for 3.22.2013
The "Dark Seoul" attack on banks and media in South Korea was severe. Although by consensus "less sophisticated" than denial-of-service attacks by the Izz ad-Din al-Qassam Cyber Fighters against US banks (not themselves markedly sophisticated) Dark Seoul destroyed data and devices. Attribution remains unclear, but despite finding Chinese fingerprints in the attacks, analysts are shifting their suspicions back to North Korea.
Trend Micro and Sophos talk about how they detected and contained the attack. The relatively simple logic bomb evaded signature-based firewalls and anti-virus software to target a familiar Internet Explorer vulnerability. Security officers should draw at least two lessons: signature-based defenses are increasingly susceptible to bypass, and known vulnerabilities should be closed.
The US Department of Homeland Security warns of a newly discovered vulnerability in Siemens industrial control systems. It also warns of DHS-themed ransomware.
The TeamViewer spyware found in European networks seems directed against activists in Eastern Europe and the former Soviet republics. Toronto's TD Bank suffers a denial-of-service attack similar to those US banks sustained earlier this year.
Weaknesses in the UK registrar 123-Reg's control panel enabled some 300 incidents of domain theft last year.
Australian medical practices receive advice on cyber insurance. NASA's IG thinks the agency's IT security redundancies are too costly, but NASA tightens them anyway in the wake of insider breaches.
The US House of Representatives hears expert testimony that only serious deterrence can be expected to quell cyber attacks. The House also heard that Iran is a bigger cyber threat than either Russia or China.
Notes.
Today's issue includes events affecting Australia, Belgium, Canada, China, France, Germany, Hungary, India, Iran, Republic of Korea, Democratic People's Republic of Korea, Panama, Russia, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Logic Bomb Set Off South Korea Cyberattack (Wired) A cyberattack that wiped the hard drives of computers belonging to banks and broadcasting companies in South Korea this week was set off by a logic bomb in the code, according to a security firm in the U.S.
Cyber-attack on South Korea may not have come from China after all: regulator (Reuters) This week's cyber-attack on South Korean broadcasters and banks may not have originated in China after all as the IP address has been traced to one of the victim banks, the communications regulator said on Friday. But it couldn't rule
North Korea Still Chief Suspect In Cyber Attacks On South (TechWeekEurope UK) Despite evidence that the recent cyber attacks on South Korea were not…Trend Micro said it was aware of other attacks on South Korean firms
UPDATE 3-Hacking highlights dangers to Seoul of North's cyber-warriors (Reuters) The North's professional "cyber-warriors" enjoy perks such as luxury…security vendor Sophos said, noting the malicious software it detected was not
South Korea cyber attacks are linked back to China (Inquirer) Officials in South Korea have linked the recent cyber attacks in the…Sophos products have been able to detect the malware for nearly a year
Trend Micro detects multiple cyber attacks on South Korea (New Straits Times) Trend Micro, a provider of cloud security software, has detected multiple cyber attacks on South Korean banking corporations and media
Trend Micro Deep Discovery Protects South Korean Customers From Attack (PR Newswire) Crippling attacks on banks and media thwarted by advanced threat protection of Trend Micro Custom Defense. Trend Micro Incorporated announced today that customers using its Deep Discovery advanced threat protection product were able to discover and react to the recent cyber-attack before damage could be done. These attacks paralyzed several major banking and media companies, leaving many South Koreans unable to withdraw money from ATMs and news broadcasting crews cut off from their resources
South Korea bank attacks should prompt rethink in U.S. (CSO) DDoS attacks on U.S. banks were more advanced technically, but the attackers of the South Korean banks did much more damage. The simplicity of the malware that paralyzed the computer networks of three banks and two broadcasters in technically sophisticated South Korea is a warning that U.S. corporations need to rethink security. The cybercriminals did nothing out of the ordinary in penetrating the organizations' defenses on Wednesday. They used existing malware called "DarkSeoul," changed its signature to evade the organizations' firewalls and antivirus software, and targeted a well-known vulnerability in Internet Explorer (CVE-2012-1889)
South Korea Bank Hacks: 7 Key Facts (InformationWeek) Data-wiping attacks on Windows and Linux computers may have just focused on random targets to cause chaos, security researchers say
TD Bank hit by 'targeted' cyber attack that knocked out online services (Montreal Gazette) TD Canada Trust (TSX:TD) says it was hit by a "targeted" cyber attack, forcing its banking website and mobile banking service to go offline for several hours. The bank says the denial-of-service attack occurred mid-morning and prevented its customers from logging in to its website and mobile site
DHS, ICS-CERT Warn of Siemens HMI Vulnerabilities (Threatpost) The Department of Homeland Security and the ICS-CERT issued an advisory yesterday warning of serious vulnerabilities in Siemens industrial control software deployed in a number of industries including water, gas and oil, and chemical
Recent Reports of DHS-Themed Ransomware (US-CERT) US-CERT has received reports of apparently DHS-themed ransomware occurring in the wild. Users who are being targeted by the ransomware receive an email message claiming that use of their computer has been suspended and that the user must pay a fine to unblock it. The ransomware falsely claims to be from the U.S. Department of Homeland Security and the National Cyber Security Division
TeamViewer-based cyberespionage operation targets activists, researchers say (Computer World) Security researchers have uncovered yet another ongoing cyberespionage operation targeting political and human rights activists, government agencies, research organizations and industrial manufacturers primarily from Eastern European countries and former Soviet Union states. The attacker group behind the campaign was dubbed TeamSpy because they use a malware toolkit built around the legitimate TeamViewer remote access application in order to control infected computers and extract sensitive information from them. The operation was analyzed by researchers from the Laboratory of Cryptography and System Security (CrySyS Lab) of the Budapest University of Technology and Economics, who collaborated with several antivirus companies, including Kaspersky Lab, Symantec and ESET
Guccifer strikes again: A major Silicon Valley venture capitalist's e-mail exposed (Quartz) While one hacker has been exposing wealthy Germans' financial secrets, another has been pulling more high-profile, but arguably more harmless tricks. A hacker going by the nom du pirate "Guccifer" has popped open the inbox of John Doerr, a partner at Kleiner Perkins Doerr, a firm that invested early in tech giants like Google and Amazon. Doerr is a multi-billionaire and former Intel executive who is routinely cited as one of the most influential people in tech, even though he uses an AOL email account, which to most techies is practically like using pen and paper
Germany's offshore money and the hacker who helped expose it (Quartz) The German newspaper Sueddeutsche Zeitung has published the names (link in German) of wealthy Germans who were or are directors of companies in Panama, a country known as a tax haven. The directors included families behind major automakers, banks and businesses, many of whom denied keeping funds abroad for tax purposes or attributed the actions to now-deceased relatives
Security Hole in Control Panels of UK Registrars Led to Domain Hijacking (Softpedia) Last year, cybercriminals managed to steal around 300 domains by exploiting a vulnerability in the web hosting control panel of UK registrar 123-Reg. In addition to 123-Reg, it's believed that four other registrars have been impacted. The Register has learned that a security hole in 123-Reg's web hosting control panel allowed anyone with an account to gain access to other accounts simply by modifying the URL in the browser's address bar
PyCon Incident: Two People Fired, DDoS Attack Launched Against SendGrid Site (Softpedia) An incident at the recent PyCon Python developer conference has gotten way out of proportion, resulting in two people getting fired by their companies and distributed denial-of-service (DDoS) attacks being launched against two websites. It all started when two of the developers present at the conference started making jokes that were deemed inappropriate in nature by Adria Richards, a SendGrid developer evangelist. After becoming tired of the dongle and forked repository jokes, Richards took a picture of the two developers and posted it on Twitter
'Human Weakness' Helped Chinese Hackers Steal Secrets From US Companies (Business Insider) The APT1 hackers were able to crack into American companies' computer networks and systems by targeting "human weakness," according to [Mandiant founder, Kevin Mandia]. They would send emails to a company's employees that appeared to be from
Most Indian Websites Abused for Phishing Attacks Are from IT and Education (Softpedia) In the period between August and November 2012, 0.11% of all phishing pages identified by Symantec were hosted on compromised websites from India. Whereas in 2011 education sites were the most targeted by phishers, in 2012 they dropped to second place, overtaken by IT sites
Iran Is a More Volatile Cyber Threat to U.S. than China or Russia (CIO) As members of the intelligence, military and homeland security communities evaluate the emerging cyber threats emanating from hostile nation states, they must consider important distinctions in the capabilities and attack patterns of adversaries like China and Iran, cybersecurity experts told a House subcommittee on Wednesday. Testifying before the House Committee on Homeland Security's cybersecurity subcommittee, witnesses drew a sharp distinction between the threats from comparatively mature actors like China and Russia, with which the United States has longstanding--if strained--diplomatic and economic ties, and nations like Iran and North Korea
Security Patches, Mitigations, and Software Updates
Apple places kill date on apps that use 'UDID' device identifiers (ZDNet) Apple is finally putting a cap on UDIDs - often used for ad tracking - that establish a permanent link to iOS devices. Liam Tung
Temporary fixes released for Samsung Android lock-screen glitch (CSO) By manipulating the emergency call screen, an attacker could get persistent access to a device
Apple iCloud now comes with two-step verification (SlashGear) Two-step verification (also known as two-factor authentication) is becoming all the rage now. After the recent influx of security breaches and hacks on major services, companies are starting to implement two-step verification to prevent social engineers from
Cyber Trends
We must end cyber warfare 'Wild West' or risk catastrophe (Public Service Europe) In pursuit of cyber-peace states need to develop international rules of engagement and seek limitations on the use of cyber arsenals against each other as they did with nuclear weapons in the 1940s. It's an increasingly acknowledged fact that the true battleground between nation states is now the cyber-world and not the traditional military field. The use of 'cyber-force' to push through political objectives is increasingly common, as is a shift in the identification of targets towards civilian critical infrastructure systems - which if taken down have the potential to cripple a nation and cause loss of life
Cyber Security a Growing Issue for Small Business (Entrepreneur) As more business owners utilize technology such as cloud computing and mobile devices and apps, the risk of hackers accessing money and sensitive business data becomes more real. The House Committee on Small Business addressed this issue today during a special hearing called "Protecting Small Businesses Against Emerging and Complex Cyber-Attacks." "Small businesses generally have fewer resources available to monitor and combat cyber threats, making them easy targets for expert criminals," said Chris Collins, chairman of the House's Subcommittee on Health and Technology. "In addition, many of these firms have a false sense of security and believe they are immune from a possible cyber-attack
Security: The non-commodity (infosecisland) For most users and businesses, their primary contact with the world of security solutions is via antivirus. In an enterprise environment, a computer comes preloaded with antivirus. Updates occur centrally and automatically
Does your practice need cyber insurance? (Pulse+IT Magazine) Mr Waite said Cyber Plus had also received industry advice from a number of antivirus expert companies like Trend Micro and Bitdefender to help design a
Marketplace
Pentagon Urged To Stop Stalling, Start Planning Defense Cuts (Reuters) The Pentagon needs to stop stalling and start figuring out how to cut its budget by $50 billion annually for the foreseeable future in a way that preserves national security, defense analysts from across the political spectrum said on Thursday
Congress Approves Temporary Spending Bill To Keep The Government Open (Washington Post) Congress approved a short-term funding bill Thursday that ends the possibility of a federal government shutdown next week. But a broader budget battle about taxes and spending for the year is just beginning. The stop-gap spending resolution, approved on a broad bipartisan vote in the House, locks in the $85 billion across-the-board spending cuts known as the sequester through the Sept. 30 end of the fiscal year
NASA's redundant IT security tools costly, finds IG (FierceGovernmentIT) NASA has no effective process for tracking information technology security tool requirements or purchases, according to a March 18 NASA office of inspector general report. As a result, redundant technologies are costing the agency. In June 2012, the agency had 242 security assessment and monitoring technologies across nine different control areas--costing a total of $25.7 million
To fix IRS computer security, GAO recommends dozens of corrective actions (FierceGovernmentIT) Serious security weaknesses threaten sensitive taxpayer information, the Government Accountability Office says. The GAO says that in a report it did not release to the public, it recommended in detail that the Internal Revenue Service take 30 specific actions on newly identified information security weaknesses. The problems are related to identification and authentication, authorization, cryptography, audit and monitoring, and configuration management, the GAO says
Booz Allen Hamilton Holding Corporation : Booz Allen Hamilton to Provide Specialized Scientific Research to the National Geospatial-Intelligence Agency's InnoVision Future Solutions Program (4-Traders) Booz Allen Hamilton today announced it received a $315 million single award contract to support the National Geospatial-Intelligence Agency's (NGA) InnoVision Directorate. Booz Allen will provide specialized scientific and technical research and development subject matter expertise to all facets of the InnoVision Future Solutions Program (IFSP) through Nov. 2017. IFSP provides support to perform path-breaking scientific research and transitions innovative concepts and capabilities required to solve the Intelligence Community and Department of Defense's most complex problems
General Dynamics Fidelis Cybersecurity Solutions opens forensics lab in Columbia (Baltimore Business Journal) General Dynamics Fidelis Cybersecurity Solutions has opened a new forensic lab in Columbia. The new lab at 9055 Guilford Road in Columbia houses 15 forensic examiners who tackle cyber security threats for commercial clients. The company provides cyber security services and products for government agencies and commercial clients and has headquarters in Bethesda and Waltham, Mass
Products, Services, and Solutions
LaserLock Technologies Files New Provisional Patent For Enhanced Document (Dark Reading) New embedded security features in paper can prevent theft and copying of sensitive documents
Palo Alto Networks GlobalProtect Solution Now Available For iOS On The App Store (Dark Reading) Enterprises can now extend next-generation firewall security policies to mobile users
Route1 Announces Release Of MobiLINK (Dark Reading) Authentication and secure access technology enables users to securely access internal Web-enabled applications and Web resources
Heads-Up - Premature product - not a proper product to be used for PCI approved Web Scanning (IT Central Station) v2 Review: Premature product - not a proper product to be used for PCI approved web scanning. Having done numerous penetration tests using various manual and automated tools, today we are focusing on a new tool called QualysGuard Web Application Scanning v2.4.1. In the process of doing a pentest, we often use a quality automated tool to check for standard issues while we focus on the much more difficult issues of the testing. This reduces the time it takes to do a full test and allows us to work more efficiently, and besides, who wants to waste time doing monotonous, simplistic checking
Panda Security Offers Simplicity and Greater Profits to Partners (Virtual-Strategy Magazine) Partners can now offer a comprehensive security and system management service to customers, with Panda Cloud Office Protection, Panda Cloud Office
Technologies, Techniques, and Standards
When Active Directory And LDAP Aren't Enough (Dark Reading) Cloud and mobile pose problems to most enterprise's centerpiece identity and access management technology
Wipe the drive! Stealthy Malware Persistence - Part 4 (Internet Storm Center) This is my fourth post in a series called "Wipe the Drive - Malware persistence techniques". The goal is to demonstrate obscure configuration changes that malware or an attacker on your computer can leave behind to allow them to reinfect your machine. We will pick up the conversation with techniques #7 and #8. If you missed the first six techniques you can read about those here
Design and Innovation
AngelHack Launches A Startup Accelerator, Bringing Its Hackathon To 30+ Cities This Spring (TechCrunch) AngelHack has always been a little different from your average hackathon -- rather than taking place in one place over one weekend, it has become a global event that takes place in multiple stages. As a result, the projects are usually pretty polished, though not yet at the level of full-fledged startups. Now it's taking another step in that direction with the launch of its very own accelerator
Research and Development
So It Begins: Darpa Sets Out to Make Computers That Can Teach Themselves (Wired Threat Level) The Pentagon's blue-sky researchers are eying computers that can learn on their own, which could make for some advanced new smart machines -- which are simple enough for non-experts to use as well
Academia
Cyber security startups find home at BWTech on UMBC campus (Baltimore Sun) Those entering the University of Maryland, Baltimore County, campus from Interstate 195 find it easy to mistake the buildings on the right side of the road for part of the school, or just miss them completely. Those five buildings make up the BWTech Research and Technology Park and house Life Sciences, Clean Energy and Cyber Security business incubators. The incubators provide office space, mentors, resources and collaborative opportunities for small startup companies in each of the three fields
Legislation, Policy, and Regulation
NASA Tightens Security In Response To Insider Threat (Dark Reading) NASA shuts down database and tightens restrictions on remote access following the arrest of a Chinese contractor on suspicion of intellectual property theft
Experts Tell Congress Serious Deterrence Needed to Impede Foreign Cyber Attacks (Threatpost) The House Foreign Affairs Subcommittee on Europe, Eurasia, and Emerging Threats typically is more concerned with economics and political issues than cyber attacks, but the members spent this morning in a hearing trying to come up with an answer to a fairly straightforward, but thorny question: What consequences are serious and meaningful enough that they will deter U.S. enemies from infiltrating the country's networks? After hearing from several witnesses and chewing the subject over, the members didn't emerge with a solid answer, but there seemed to be consensus around the idea that national laws alone would not solve the network security problem
U.S. cyber plan calls for private-sector scans of Net (Yahoo News) The U.S. government is expanding a cybersecurity program that scans Internet traffic headed into and out of defense contractors to include far more of the country's private, civilian-run infrastructure. As a result, more private sector employees than ever before, including those at big banks, utilities and key transportation companies, will have their emails and Web surfing scanned as a precaution against cyber attacks
DHS well positioned to carry out cybersecurity executive order, says panel (FierceGovernmentIT) The Homeland Security Department is well equipped to carry out the role called for it by President Obama's Feb. 12 executive order, said panelists speaking at a March 15 event on Capitol Hill hosted by the Congressional Internet Caucus Advisory Committee
FITARA passes House Oversight committee (FierceGovernmentIT) A bill that would change federal information technology buying practices and authorities of IT officials passed the House Oversight and Government Reform Committee March 20 through a unanimous voice vote
CIA hangs on to everything--forever (FierceBigData) Contrary to what some experts have said about a high percentage of the volumes of data currently collected being suitable only for the landfill, Ira "Gus" Hunt, chief technology officer for the Central Intelligence Agency, said in a speech at the GigaOM Structure: Data conference in New York City this week that "The value of any piece of information is only known when you can connect it with something else that arrives at a future point in time." Since you can't connect dots you don't have, Hunt said, the agency tries to collect everything and hang on to it forever
Taxing big data, other software innovation (FierceBigData) Many experts have said that legislators, regulators and other government agencies need to catch up to the realities of emerging technologies such as big data. But they had in mind the issues around security, privacy and intellectual property. The state government in Massachusetts, however, is wasting no time catching up when it comes to taxation. The tech industry in and around Boston is none too pleased
Litigation, Investigation, and Law Enforcement
Microsoft Releases Report on Law Enforcement Requests (New York Times) Microsoft disclosed on Thursday for the first time the number of requests it had received from government law enforcement agencies for data on its hundreds of millions of customers around the world, joining the ranks of Google, Twitter and other
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
CSO40 (Braselton, Georgia, USA, Apr 2 - 3, 2013) The CSO40 Security Confab + Awards will honor and share the critical viewpoints of today's leading CSOs, CISOs and security executives at the nation's leading CSO thought leadership conference.
Cloud Connect Silicon Valley (Santa Clara, California, USA, Apr 2 - 5, 2013) Cloud Connect returns to Silicon Valley, April 2-5, 2013, for four days of lectures, panels, tutorials and roundtable discussions on a comprehensive selection of cloud topics taught by leading industry experts.
An Evening in Cyberspace: Supporting Tomorrow's Cybersecurity Leaders (National Harbor, Maryland, USA, Apr 6, 2013) UMUC is pleased to present An Evening in Cyberspace: Supporting Tomorrow's Cybersecurity Leaders. Join us for this special black-tie event to support the next generation of cybersecurity students. The evening will feature a reception, dinner, keynote and entertainment.
Cyber 1.3 (Colorado Springs, Colorado, USA, Apr 8, 2013) Maj. Gen. Suzanne Vautrinot, USAF, commander, 24th Air Force, and commander, Air Force Network Operations, will discuss the global strategic implications that relate to the cyber domain at the Space Foundation national conference Cyber 1.3, to be held Monday, April 8th, at The Broadmoor Hotel in Colorado Springs, Colorado. Cyber 1.3 is a full-day conference that takes place immediately before the official opening of the 29th National Space Symposium. The conference includes a networking breakfast, a luncheon and concludes with a networking reception, co-sponsored by General Dynamics Advanced Information Systems. Government Executive Media Group is a Cyber 1.3 media co-sponsor.
HITBSecConf2013 (Amsterdam, the Netherlands, Apr 8 - 11, 2013) HITB2013AMS will feature cutting edge attack and defense research including a presentation on the inner workings of the iOS 6.1 Evasi0n jailbreak presented by members of the world famous Evad3rs Team, a brand new kernel level exploit affecting _all versions_ of Microsoft Windows up to Windows 8 and even a presentation on remotely hacking airplanes.
SANS Northern Virginia 2013 (Reston, Virginia, USA, Apr 8 - 13, 2013) This event features comprehensive hands-on technical training and includes several courses that will prepare attendees for DoD 8570 and GIAC approved certification exams. Four of the courses can apply to the SANS Technology Institute's Master of Science Degree in Information Security Management or Master of Science Degree in Information Security Engineering.
INFILTRATE 2013 (Miami, Florida, USA, Apr 11 - 12, 2013) INFILTRATE is a deep technical conference that focuses entirely on offensive security issues. Researchers focused on the latest technical issues will demonstrate techniques that you cannot find elsewhere.
Information Tech Expo Series - Hawaii (Oahu, Hawaii, USA, Apr 12 - 19, 2013) This 6-series showcase will feature stops at 5 DoD locations and 1 Intel Center on the island of Oahu. Celebrating 20 years of these expos is a true testament to the government and military's readiness to learn from and work with industry partners.
InfoSec World Conference & Expo 2013 (Orlando, Florida, USA, Apr 15 - 17, 2013) With the primary objective of providing top-notch education to all levels of information security and IT auditing professionals, InfoSec World delivers practical sessions that give you the tools to strengthen your security without restricting your business.
Cyber Guardian 2013 (Baltimore, Maryland, USA, Apr 15 - 20, 2013) Cyber Guardian is the SANS Institute's annual, interactive training session for cyber security professionals. All courses are associated with a GIAC Certification, and cover topics like intrusion detection, perimeter protection, hacker techniques, penetration testing, and advanced forensics. Cyber Guardian will feature the popular SANS NetWars Tournament on April 18-19, a hands-on, interactive training exercise.
A Dialogue on Cyber Warfare from Legal and Corporate Perspectives (New York, New York, USA, Apr 16, 2013) Conversation on Cyber Warfare and the Law. The Journal of Law & Cyber Warfare in partnership with the Columbia Society of International Law is honored to host this first cutting edge conference on the complex issues of cyber warfare. States are faced with the multi-faceted challenges of cyber warfare. No longer confined to the world of technology professionals and spies, these threats are a growing part of the daily lives of corporations and individuals. The constitution and legislation are both scarce and obsolete and the bench and the bar lack the resources and expertise to decide or advocate on these issues.
Infosec Southwest 2013 (Austin, Texas, USA, Apr 19 - 21, 2013) InfoSec Southwest is intended to be a general security and hacking conference with no specific industry or topical focus. As such, nearly all topics (other than vendor pitches) are fair game and the attending audience is expected to span all demographics.
Mobile Device Security for Defense and Government (Alexandria, Virginia, USA, Apr 23 - 24, 2013) This Defense Strategies Institute conference addresses the challenges of operating mobile devices in networks whose security is mission critical. The symposium's overall theme will focus on DOD's plan to maximize the potential uses of mobile devices. Within specific key areas: wireless infrastructure, mobile devices and mobile applications. The thought leadership and community goal of this event is to advance flexible and secure mobile devices to benefit the warfighter and keep pace with changing technology.
Infosecurity Europe (London, England, UK, Apr 23 - 25, 2013) Europe's number one Information Security event. Featuring over 350 exhibitors, the most diverse range of new products and services, an unrivalled education programme and over 12,000 visitors from every segment of the industry, it's the most important date in the calendar for Information Security professionals across Europe.
INSA Leadership Dinner Featuring Betty Sapp, Director, NRO (Reston, Virginia, USA, Apr 25, 2013) This leadership dinner will feature a keynote address from Betty Sapp, Director of the National Reconnaissance Office, highlighting her focus on innovation at the NRO and for the Intelligence Community. Registration will open on Thursday, March 14 and will close Thursday, April 18.
23rd Annual Government Procurement Conference (Washington, DC, USA, Apr 25, 2013) This unique one-day event attracts more than 3,000 participants representing government agencies, prime contractors and small businesses from around the country. Participating companies are able to network with procurement officials from federal, state and local government agencies under one roof.