The CyberWire Daily Briefing for 1.9.2013
The US Government has "no doubt" that Iran's Izz ad-Din al-Qassam Cyber Fighters are responsible for the latest wave of denial-of-service attacks on banks. The attackers use curious mathematical (perhaps numerological) formulae in planning and executing their campaign. Affected banks meanwhile attempt simultaneous customer communication and risk mitigation.
Also in the US, Anonymous and Team Ghost Shell hit the FBI.gov domain, and NullCrew uses a directory traversal vulnerability to embarrass the Department of Homeland Security. Neither breach appears seriously damaging. In the UK a Parliamentary inquiry warns that the country's armed forces are so dependent on IT systems that determined cyber attackers could cripple operations.
Developers using Ruby on Rails are exposed to SQL injection attacks—patches are available. Microsoft issued its expected set of fixes yesterday (they did not include any for the recent Internet Explorer zero day vulnerability).
CSO offers a disturbing overview of trends in health care cyber exploits: widespread data breaches, more ransom scams, and, now, direct hacking of medical devices.
The FBI and Ernst and Young have developed a screen for words and phrases whose appearance in emails often flags insider fraud: "cover up," "write off," "illegal," "failed investment," and "nobody will find out."
The EU's European Cybercrime Center launches this week. Smart Grid Security offers a generally favorable appraisal of US Defense Department plans to help assure the security of electrical power distribution.
Last year's South Carolina data breach remains under investigation, with interesting "I-told-them-so" testimony from the Department of Revenue's former security chief.
Notes.
Today's issue includes events affecting Bangladesh, Cambodia, Canada, China, European Union, Germany, India, Iran, Japan, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Bank Hacks Were Work Of Iranians, Officials Say (New York Times) The attackers hit one American bank after the next. As in so many previous attacks, dozens of online banking sites slowed, hiccupped or ground to a halt before recovering several minutes later
al-Qassam Hackers Create Equation to Determine Duration of Attacks on US Banks (Softpedia) As it turns out, Izz ad-Din al-Qassam Cyber Fighters like to take a mathematical approach to their operation, whose sole purpose is allegedly to get the controversial Innocence of Muslims movie removed from the Web. In the first phase of Operation Ababil, they asked US Secretary of Defense Leon Panetta to solve an equation. Now, in the fifth week of Operation Ababil 2, they make calculations to determine for how long they'll keep attacking United States financial institutions
Explaining DDoS to Consumers - Banks Work to Balance Communication with Risk Mitigation (Bank Information Security) Leading institutions are increasingly taking steps to mitigate fraud risks and online banking site outages linked to distributed-denial-of-service attacks. But they are struggling to find a balance between keeping customers informed and giving attackers too much publicity, experts say. "When the attacks are acknowledged, the hacktivists seem to thrive on that," says Bill Nelson of the Financial Services Information Sharing and Analysis Center. "It's a propaganda war going on." But the Office of the Comptroller of the Currency has suggested banking institutions ensure incident-response strategies involve timely communication with consumers. "As part of their contingency planning process, banks should be prepared to provide timely and accurate communication to their customers regarding Web site problems, risks to customers, precautions customers can take, and alternate delivery channels that will meet their banking needs," the regulatory alert stated
FBI.gov hacked again by Anonymous and Ghost Shell (Cyberwarzone) Today a PasteBin appeared with the title FBI.gov hacked. It seems that the FBI.gov domain has been targeted again by hackers. This time the hack is done by Anonymous and Ghost Shell as the Pastebin file claims
Over 1,400 Indian Sites Hacked by BGHH in Memory of Girl Killed by BSF (Softpedia) Members of the Bangladesh Grey Hat Hackers (BGHH) claim to have breached and defaced a total of more than 1,400 Indian websites. Today is the anniversary of the death of Felani. Felani is a poor girl from Bangladesh who was brutally killed by Indian border guards from the BSF
US Dept for Homeland Security shafted by trivial web bug (The Register) A US government website was broken into by hackers exploiting a directory traversal vulnerability, according to security researchers. Hacktivist group NullCrew announced it compromised studyinthestates.dhs.gov, a US Department of Homeland Security website, on Friday. The site advises foreigners seeking permission to study at American schools, colleges and universities. The website was vulnerable to a directory traversal vulnerability, a class of bug that allows visitors to poke around a website server's file system and access sensitive files, according to Paul Ducklin of Sophos
Extremely critical Ruby on Rails bug threatens more than 200,000 sites (Ars Technica) Servers that run the framework are by default vulnerable to remote code attacks
New twists to previously-existing cyber scams (Help Net Security) FBI's Internet Crime Complaint Center (IC3) has released a report detailing recent cyber crime trends and new twists to previously-existing cyber scams. Among them is a new approach used by pay day
Cybercriminals mostly targeting LinkedIn, PayPal and Amazon (Help Net Security) GFI Software released a collection of the most prevalent threat detections encountered last month. In December, GFI threat researchers found a handful of phony Google Play app markets hosting mobile
Anonymous Calls for Germany to Protest Against Censorship and Surveillance (Softpedia) Anonymous hacktivists reveal that the date of February 23, 2013, will be an international day of action against censorship and surveillance. In their latest video, Anonymous calls for German users to join the protests part of the operations known as OpBigBrother, OpWCIT and OpTrapwire. Governments keep claiming that the role of the surveillance systems is to enhance security, but information obtained by the hackers proves otherwise, Anonymous warns
Anonymous Supports Tar Sands Blockade (Croatan Earth First) Citizens of the World: Anonymous' Operation Green Rights would like to call to your attention an urgent situation in North America, perpetuated by the boundless greed of the usual suspects: Exxon Mobil, ConocoPhillips, Canadian Oil Sands Ltd., Imperial Oil, the Royal Bank of Scotland, The Canadian Association of Petroleum Producers, and many others. The Tar Sands oil extraction industry is an environmental disaster
Military IT dependence could result in fatal cyber attacks (Help Net Security) This week, MPs on the Defence Select Committee have produced a report stating that the UK's armed forces are now so dependent on IT that they could be 'fatally compromised' by cyber attacks
Security Patches, Mitigations, and Software Updates
Firefox and Thunderbird Updates (Internet Storm Center) Firefox 18.0 and Thunderbird 17.0.2 are just released - the version numbers change so quickly on these now I can't keep track anymore
Ruby on Rails patches more critical vulnerabilities (CSO) Those using the Ruby on Rails web application framework on their websites are being advised to update the software immediately after multiple new vulnerabilities were found. It's the second time this month that Rails has been patched because of serious flaws
Microsoft Security Bulletin Summary for January 2013 (Microsoft Security TechCenter) This bulletin summary lists security bulletins released for January 2013. With the release of the security bulletins for January 2013, this bulletin summary replaces the bulletin advance notification originally issued January 3, 2013. For more information about the bulletin advance notification service, see Microsoft Security Bulletin Advance Notification
Cyber Trends
Ransom, implant attack highlight need for healthcare security (CSO) All healthcare data breaches are not equal. They're all bad, and reaching epidemic levels. The security testing company Redspin, for one, found that Protected Health Information (PHI) breaches nearly doubled from 2010 to 2011. The Department of Health and Human Services has reported 525 breaches of 500 or more records, involving 21.4 individuals over the past three years, said Redspin president and CEO Daniel Berger. But the raw numbers are only a piece of the story. Gienna Shaw, editor of FierceHealthIT, wrote in a post this week: "It's not the numbers that interest me most. It's the stories behind them," she wrote. "And there are so many stories
Smartphone Cyber Attacks to Grow This Year (Cleveland News - Fox 8) "Apple's 'walled garden' approach makes it difficult for third parties to protect it," said Todd Kellerman, head of cybersecurity at Trend Micro and former
Marketplace
Pentagon Gets To Work Planning For Severe Cuts (Washington Times) Defense officials have begun "serious planning" for automatic spending cuts that could force the Pentagon to lay off hundreds of thousands of civilian workers as it reduces its budget by $500 billion over the next 10 years
$400 million FCC fund to bolster rural telemedicine networks (Fierce Mobile Healthcare) The Federal Communications Commission announced this week that it will make up to $400 million available to healthcare providers in order to create and expand telemedicine networks nationwide, linking urban medical centers to rural clinics while providing greater access to medical specialists and instant access to electronic health records
KCG Wins GSA Cyber Services Contract (Executive Biz) Knowledge Consulting Group has won a $3.3 million task order from the General Services Administration to provide information security assessment and authorization services to the Office of the Chief Information Officer in GSA's federal acquisition service
Web Security Startup Gets Funding From Google Ventures, Former Symantec CEO (Dark Reading) Shape Security includes key security executives from Google, Cisco, and Walmart. A Web security startup with an approach aimed at making it harder and more expensive for attackers to execute man-in-the-browser and other attacks on Web applications and websites just got a venture capital infusion from some big names
Products, Services, and Solutions
Virtustream Bakes Vormetric Encryption In Its Infrastructure Clouds (Dark Reading) Virtustream is offering Vormetric Encryption as a SaaS-based add-on with elastic, consumption-based pricing
Sophos Makes Security Personal And Enables BYOD With EndUser Protection (Dark Reading) Sophos today announced Sophos EndUser Protection, a new security offering that tackles the challenges associated with bring-your-own-device (BYOD), and the increasing number of devices used by today's mobile workforce. Unlike traditional security products, which are licensed for each device separately, Sophos EndUser Protection provides consolidated protection for every device on a network by securing per-user rather than per-device. This means the organization receives protection for all of a user's devices—from Windows and Macs to mobile devices like iPhones, iPads, and Android devices—wherever users go
Arbor Networks updates security and traffic-monitoring platform (Help Net Security) Arbor Networks announced the availability of version 5.8 of Peakflow SP, a network-wide infrastructure security and traffic-monitoring platform for service, hosting and cloud providers
New app lets administrators manage AWS on the go (Fierce CIO: TechWatch) Amazon has released an Android app for managing various aspects of the Amazon (NASDAQ: AMZN) Web Service service. Known as the "Amazon Web Services Management Console for Android," it provides a summary of important information such as Amazon Elastic Compute Cloud instances, CloudWatch alarms, service charges and the AWS Service Health status
Apache releases Cassandra 1.2 NoSQL database (Fierce CIO: TechWatch) The Apache Software Foundation has released Cassandra 1.2, a NoSQL database that is known to be scalable, fault-tolerant and fast, and is designed to handle large amounts of data
Technologies, Techniques, and Standards
What Is It You Would Say That You Do Here? (Dark Reading) Here is a dangerous question to start the new year: Does your company actually need a security department? If you are doing CYA instead of CIA, the answer is probably no
How the pros sniff out a malware infection (Infoworld) You can't be certain your system is malware-free unless you reformat and reinstall -- and you'll get a superclean PC in the process. In my last column, I talked about making online shopping safer, starting with ensuring your computer isn't already infected with some devious malware. But I didn't tell readers how to confirm that their computer wasn't maliciously compromised from the start
Most Common Fraud Words Used in Emails: Cover Up, Write Off, Illegal (Softpedia) A piece of software developed by the FBI and Ernst & Young has helped authorities determine what are the most common words and phrases utilized in email conversations by employees engaged in corporate fraud. The most common appear to be cover up, followed by write off and illegal. Phrases such as failed investment, and nobody will find out occupy the fourth and fifth positions
Research and Development
Deep Dive With David Litchfield (Dark Reading) Renowned database security researcher chats up shark-diving, bug-hunting – and how Sandra Bullock killed his zoology degree
Linguistics identifies anonymous users (SC Magazine) Up to 80 percent of certain anonymous underground forum users can be identified using linguistics, researchers say. The techniques compare user posts to track them across forums and could even unveil authors of thesis papers or blogs who had taken to underground networks. "If our dataset contains 100 users we can at least identify 80 of them," researcher Sadia Afroz told an audience at the 29C3 Chaos Communication Congress in Germany. "Function words are very specific to the writer
Computational biology: a match made in Iowa (Fierce Big Data) News from ScienceDaily today points out how the sciences are coming together to cope with an overwhelming volume of data. In this case, it is computer scientists, electrical engineers and biologists
Legislation, Policy, and Regulation
Europe's New Cybercrime Center To Open Its Doors This Week: EC3 To Act As Hub For EU-Wide Collaboration To Combat E-Crime (TechCrunch) Europe's fight against cybercrime has a new home: the European Cybercrime Centre (EC3) will open its doors on January 11. The centre's focus will be on illegal online activities carried out by organised crime groups — especially attacks targeting e-banking and other online financial activities, online child sexual exploitation and crimes that affect the critical infrastructure in the EU
DoD Software Assurance for Electric Sector Security? (Smart Grid Security) The US Department of Defense has been thinking about this for a long time, and recently codified a pretty robust response in the form of the National Defense Authorization Act (NDAA) of 2013. Would this help remove vulnerabilities and substantially bolster security in our sector? You bet
Litigation, Investigation, and Law Enforcement
Airing Out Security's Dirty Laundry (Dark Reading) Last week a former security chief with the South Carolina Department of Revenue got to live out many a frustrated CISO's fantasy. He got to say 'I told you so.' More than a year after Scott Shealy was fed up enough with the lack of support for security within his department to quit, that same agency came forward to announce a breach of millions of state taxpayers. And last Thursday, Shealy testified in front of the South Carolina House committee about the departmental problems that led him to quit and likely contributed to the state's IRS becoming a target for hackers
Hacker Hides Malware Code on Cat's Collar (eSecurity Planet) A memory card strapped to the collar contained information on the iesys.exe malware, also known as the 'remote control virus.' In a recent twist that mirrors the plot of the movie Men In Black, Japanese police have recovered a memory card on the collar of a stray cat that contains clues left by a particularly notorious hacker who claims to have created the "remote control virus."
HHS Investigates Alleged Kaiser Permanente Privacy Breach (eSecurity Planet) Both the Department of Health and Human Services and the California Department of Public Health are investigating the company's data storage methods
80 Chinese Arrested in Alleged Extortion Racket (Voice Of America) Cambodia will deport 80 Chinese nationals and Taiwanese citizens, who were arrested over the weekend in a sweeping bust of an Internet phone extortion scheme, officials said Monday. The suspects were arrested in an operation encompassing four districts in the capital, following a complaint by Chinese police, who say sophisticated extortion rings hide overseas and use Internet phone-call technology to target Chinese victims. Acting Interior Minister Em Sam Ann has signed the order to expel the first 53, among whom are 12 Chinese nationals and 41 Taiwanese, and another 27 people will be ordered deported soon, said Khieu Sopheak, a spokesman for the ministry.
Former UNL student accused of hacking NeSIS will face trial (Daily Nebraskan) The case against a former University of Nebraska-Lincoln student accused of hacking into the University of Nebraska's Nebraska Student Information System on May 23 will head to trial. Daniel Stratman, 22, refused to enter a plea during his arraignment Tuesday afternoon before U.S. Magistrate Judge Cheryl Zwart. As a result, the district court entered a plea of not guilty
WikiLeaks Suspect's Case Is Not Dropped (Washington Post) A military judge refused Tuesday to toss out the case against WikiLeaks suspect Bradley Manning but ruled that any sentence the Army private receives should be reduced by 112 days because of his mistreatment in confinement
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
BWI Business Partnership Signature Breakfast (Hanover, Maryland, USA, Jan 16, 2013) Navy Rear Adm. Margaret Klein, Chief of Staff of the U.S. Cyber Command at Fort Meade, will headline the BWI Business Partnership's Signature Breakfast, Wednesday, Jan. 16, from 7:45 to 9:15 a.m., at the Hotel at Arundel Preserve, 7795 Arundel Mills Blvd., in Hanover.
TED X Baltimore: Baltimore Rewired (Baltimore, Maryland, USA, Jan 25, 2013) At our TEDxBaltimore event, TEDTalks video and live speakers will combine to spark deep discussion and connection in a small group. The TED Conference provides general guidance for the TEDx program, but individual TEDx events, including ours, are self-organized.
tmforum Big Data Analytics Summit (Amsterdam, Netherlands, Jan 29 - 30, 2012) Bringing together leading service providers, market analysts and all of the big names in Big Data, this forward-looking, education-packed two-day Summit combines keynote perspectives, case studies, debates, panels, interactive sessions and networking opportunities that maximize every participant's opportunity to network and generate ideas that can be implemented immediately.
ATMiA US Conference 2013 (Scottsdale, Arizona, US, Feb 19 - 21, 2013) A conference devoted to the design of ATMs, and the future of the ATM industry.
#BSidesBOS (Cambridge, Massachusetts, USA, Feb 23, 2013) Each BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening.
Nullcon Goa 2013 (Bogmallo Beach Resort, Goa, India, Feb 26 - Mar 2, 2013) An international information security conference that will feature speakers and training. Topics include security and politics, vulnerability elimination, Android hacking, SCADA and smart grid penetration testing, and more.
TechMentor Orlando 2013 (Orlando, Florida, USA, Mar 4 - 8, 2013) Celebrating 15 years of educational events for the IT community, TechMentor is returning to Orlando, Florida, March 4-8, for 5 days of information-packed sessions and workshops. Surrounded by your fellow IT professionals, you will receive immediately usable education that will keep you relevant in the workforce. TechMentor track topics include: Windows PowerShell and Automation; Cisco and Networking Infrastructure; Windows Server Management; Windows Client Management; Cloud and Virtualization; Identity, Access Management and Security; Performance Tuning and Troubleshooting; Mobility and BYOD; Messaging and Collaboration.
Business Insurance Risk Management Summit (New York City, New York, USA, Mar 5 - 6, 2013) The annual Risk Management Summit, now in its fourth year, provides attendees with focused insight via specific, timely general sessions and strategic, thought-provoking discussions with peers and industry leaders.
e-Crime Congress 2013 (London, England, Mar 12 - 13, 2013) The e-Crime Congress is designed to meet the needs of key stakeholders and decision makers who are responsible for designing and coordinating information security and risk management strategy, safeguarding digital assets and sensitive information, protecting customers, defending against internal or external threats and responding to incidents.
CTIN Digital Forensics Conference (Seattle, Washington, USA, Mar 13 - 15, 2013) Speakers include experts and published authors in the field of digital forensics and cybersecurity. Topics include: Mobile Device Forensics, Internet Forensics, Physical Memory Analysis, Open Source Tools, Data Carving, Registry Forensics, Placing the Suspect Behind the Keyboard, Triage and Live Forensics CDs, and more.
IT Security Entrepreneurs' Forum (ITSEF 2013) (Palo Alto, California, USA, Mar 19 - 20, 2013) Supported by the U.S. Department of Homeland Security, Office of Science and Technology, ITSEF 2013 aims to connect the ecosystem of the entrepreneur: industry, government, and academia. The conference will advance innovation, lead change and build trusted global collaboration models between the public and private sectors to defeat Cybersecurity threats.
The Future of Cyber Security 2013 (London, England, UK, Mar 21, 2013) Cyber Security and the Citizen 2013 is a one-day conference and exhibition for senior decision-makers of central and local government organisations, NGOs and major private sector enterprises.
Cloud Connect Silicon Valley (Santa Clara, California, USA, Apr 2 - 5, 2013) Cloud Connect returns to Silicon Valley, April 2-5, 2013, for four days of lectures, panels, tutorials and roundtable discussions on a comprehensive selection of cloud topics taught by leading industry experts.
An Evening in Cyberspace: Supporting Tomorrow's Cybersecurity Leaders (National Harbor, Maryland, USA, Apr 6, 2013) UMUC is pleased to present An Evening in Cyberspace: Supporting Tomorrow's Cybersecurity Leaders. Join us for this special black-tie event to support the next generation of cybersecurity students. The evening will feature a reception, dinner, keynote and entertainment.
InfoSec World Conference & Expo 2013 (Orlando, Florida, USA, Apr 15 - 17, 2013) With the primary objective of providing top-notch education to all levels of information security and IT auditing professionals, InfoSec World delivers practical sessions that give you the tools to strengthen your security without restricting your business.
Infosec Southwest 2013 (Austin, Texas, USA, Apr 19 - 21, 2013) InfoSec Southwest is intended to be a general security and hacking conference with no specific industry or topical focus. As such, nearly all topics (other than vendor pitches) are fair game and the attending audience is expected to span all demographics.
25th Annual FIRST Conference (Bangkok, Thailand, Jun 16 - 21, 2013) The annual FIRST conference provides a setting for conference participants to attend a wide range of presentations delivered by leading experts in both the CSIRT field and from the global security community.
SECRYPT 2013 (Reykjavik, Iceland, Jul 29 - 31, 2013) The 10th International Conference on Security and Cryptography (SECRYPT 2013) will take place from 29 to 31 July 2013 in Reykjavik, Iceland… The conference will focus on information systems and network security, including applications within the scope of knowledge society in general and information systems development in particular, especially in the context of e-business, internet and global enterprises. It will bring together researchers, mathematicians, engineers and practitioners interested in security aspects related to information and communication.