The CyberWire Daily Briefing for 4.9.2013
OpIsrael, like most recent Anonymous actions, has indeed largely fizzled, but it's prompted a minor cyber counter-riot among Israeli hacktivists who've attacked Palestinian, Iranian, and Turkish sites. Jordanian security forces have arrested several alleged Anonymous members in connection with OpIsrael.
The diffuse Islamist campaign against US banks reappears as the "Tunisian Cyber Army" claims to have stolen customer credentials from a small Pennsylvania bank. This represents a departure from the denial-of-service attacks financial institutions have come to expect.
Commonly used home wireless routers are found vulnerable to exploitation for clickjacking, denial-of-service, and other forms of cyber crime. The browser version of AirDroid is susceptible to cross-site scripting attacks. Kaspersky warns that Skype malware is mining Bitcoins in the wild.
It's Patch Tuesday, so expect to see fixes emanate from Redmond later today.
In industry news, Sourcefire names John Becker CEO. Trusteer announces it's opening an office in China, intending not only expansion into local markets, but also better insight into cyber threats originating in China. US business groups continue to express their displeasure over security restrictions the current continuing resolution imposes on Chinese IT imports.
Several interesting and useful stories on personal and small business protection appear today. WAMU offers tips on personal cyber security, and Dark Reading has suggestions for small businesses interested in outsourcing security and in adopting better password management policies.
The US Air Force designates six cyber capabilities "weapons." This has greater budgetary than operational significance, but budgets have driven tactics before and may do so again.
Today's issue includes events affecting China, European Union, France, Germany, India, Iran, Israel, Jordan, Palestinian Territories, Portugal, Singapore, Tunisia, Turkey, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Anonymous cyberattack on Israel finds disputed impact (Computer World) Although the hacktivist group Anonymous had declared its supporters would attack Israel on April 7 and "erase Israel from cyberspace," the damage from Anonymous so far appears to be minimal to Israeli government and bank websites that are among the main targets. However, now Israeli hacktivists are fired up and counter-striking at Palestinian, Iranian and Turkish website targets. From the point of view of the Israeli public, "this was not a successful attack from Anonymous," says Ronen Kenig, director of security solutions at Radware, the Tel Aviv, Israel-based firm which makes equipment to fight denial-of-service attacks
Cyber attack on Israel falls short of promised havoc (Christian Science Monitor) A much-hyped cyber attack on Israeli websites yesterday caused some disruption, but fell well short of hackers' promise to "wipe Israel off the map of the Internet" and certainly did not turn out to be the "largest Internet battle in the history of
Customer's Card Hacked After Schnucks Claimed Cyber Attack Fixed (fox2now.com) Schnucks has said the cyber attack that resulted in card numbers being stolen from customers was contained. They also say credit and debit card users can safely use their plastic at Schnucks again. But is that true? Schnucks claimed
Cyber attack downs Kochi Metro website (Times of India) The cyber attack occurred at a time when the Metro was expediting work on various construction activities related to the project. "We need to find whether the hacking was carried out by the so called Pakistan Cyber Army, which had earlier launched
Anonymous Hacks Belgian Fire Department's Site in Protest Against Abuse of Young Girl (Softpedia) Hackers of Anonymous Belgium have breached the official website of the Bree fire department in Belgium after learning that two of its volunteers have been accused of molesting a 13-year-old girl. The girl, a member of the fire department's youth unit, has been allegedly abused by a 24-year-old man who leads the unit. The other suspect is a 46-year-old volunteer, De Standaard reports
Hackers Target First National Bank of Mercersburg (eSecurity Planet) The Tunisian Cyber Army claims to have stolen 3,500 customers' clear text login credentials, Social Security numbers, and other data. Members of the Tunisian Cyber Army recently claimed to have breached the Web site of Pennsylvania's First National Bank of Mercersburg as part of the Al Qaeda Electronic Army's anti-U.S. #opBlackSummer campaign
Control system hack at manufacturer raises red flag (CSO) An unreported attack on the energy management system of a New Jersey manufacturer has been revealed by the U.S. Cyber Emergency Response Team (US-CERT). Intruders successfully exploited a credential storage vulnerability in the manufacturer's Tridium energy management software made by Honeywell and identified all the company's Internet facing devices, the agency reported in the latest edition of its quarterly ICS-CERT Monitor
German net users targeted by Skype email malware attack (Naked Security) SophosLabs has intercepted a malware attack, hitting many German internet users today, disguised as an email from Skype with the title "Wir haben Ihre Bestellung geliefert"
Your Facebook friends may be evil bots (CSOonline) How safe is your online social network? Not very, as it turns out. Your friends may not even be human, but rather bots siphoning off your data and influencing your decisions with convincing yet programmed points of view
Serious Vulnerabilities Found in Popular Home Wireless Routers (Threatpost) Hackers love to attack Java. Why? Well, not only because it is full of holes, but because it's everywhere, embedded on endpoints, Web browsers, mobile devices and more. The same goes for attacking wireless routers; they're buggy and they're everywhere
Android AirDroid Flaw Can Lead to XSS, DoS Attacks (Threatpost) A cross-site scripting (XSS) vulnerability exists in the browser version of AirDroid, a cloud management application for Google's Android phones. According to an alert from the US-Computer Emergency Readiness Team (US-CERT), at the current time, there is no patch planned and there is no logical workaround
Kaspersky Warns of Bitcoin-Mining Skype Malware (eSecurity Planet) The malware leverages the victim's CPU to mine Bitcoins. Kaspersky Lab researchers recently came across a Skype malware campaign that leverages infected machines to mine Bitcoins. According to VirusTotal, only 9 of 45 anti-virus solutions currently detect the malware, which Kaspersky identifies as Trojan.Win32.Jorik.IRCbot.xkt
SQL injection flaws easy to find and exploit, Veracode report finds (Tech World) The software industry's inability to reduce the number of security flaws in its code is fuelling an age of the everyday hacker, criminals who can exploit vulnerabilities with a minimum of technical skills, security testing firm Veracode's latest State of Software Security (SoSS) report (reg required) has suggested. Of the 22,430 applications submitted to the firm's code analysis service in the three 18 months to June 2012, only 13 percent of web applications were able to pass the generic OWASP Top 10 list of security problems. When it came to standalone applications, only 31 percent complied with the separate CWE/SANS Top 25, a significant decrease on the compliance rate in the previous SoSS report caused, Veracode suggested, by a broader sample of companies using the service
Security Patches, Mitigations, and Software Updates
PostgreSQL Updates Patch Major Security Flaw (eSecurity Planet) The organization says this is the first security issue of this magnitude since 2006. Versions 9.2.4, 9.1.9, 9.0.13 and 8.4.17 of PostgreSQL were recently released to patch a single vulnerability, CVE-2013-1899, which could be leveraged to enable denial of service, privilege escalation, and/or arbitrary code execution. Two minor security fixes are also included in the release (h/t Threatpost)
Microsoft Security Bulletin Advance Notification for April 2013 (Microsoft Security TechCenter) This is an advance notification of security bulletins that Microsoft is intending to release on April 9, 2013
Advanced Malware Prompts Security Refresh (Channelnomics) You only have to look at headlines to know that advanced malware is on the rise and becoming more pervasive. But it's often difficult to put that in real terms
Aggressive ads invading privacy of Android users (ITProPortal) Security researchers are warning users over the increasingly intrusive nature of mobile apps, with a new study from Romanian firm Bitdefender highlighting the vulnerability of data on app-heavy Android devices. Most applications require a certain
Sourcefire Names New CEO (Dark Reading) John Becker has been an active member of Sourcefire's board. Sourcefire, Inc. (NASDAQ: FIRE), a leader in intelligent cybersecurity solutions, today announced that it has appointed John Becker as Chief Executive Officer effective immediately. In addition, Sourcefire today announced that Kevin Klausmeyer has joined its Board of Directors as an independent director
Watchful Software Announced as Finalist for Red Herring's Top 100 (Reuters) Watchful Software, a leading provider of data-centric information security solutions, announced today it has been selected as a Finalist for Red Herring's Top 100 Europe award, a prestigious list honoring the year's most promising private technology ventures from the European business region
Trusteer Ventures Into the Chinese Hackers' Den (TechNewsWorld) If your job is to take on international hackers, then you want to go where the action is. For U.S. security company Trusteer, that means setting up shop in China, where hackers with designs on global mischief tend to first test out their cybernastiness on local markets. China has become hacker central thanks to highly publicized incidents and reports, so Trusteer is simply following the malware
Kratos SecureInfo Licensed to Assess AF Space Systems (The New New Internet) A Kratos Defense & Security Solutions cybersecurity business group has received a license to conduct information security assessments of space systems for the U.S. Air Force Space Command
Products, Services, and Solutions
EventTracker Enterprise Wins Certificate of Networthiness from The U.S. Army (San Francisco Chronicle) EventTracker, a leading provider of comprehensive SIEM solutions announced today that its EventTracker Enterprise v7.3 security information and event management (SIEM) solution has been awarded a Certificate of Networthiness (CoN) by the U.S. Army Network Enterprise Technology Command (NETCOM). Previously, EventTracker's Enterprise v7.0 also achieved this distinction
Cybersecurity startup launches product for the global market (Bmore) TechGuard Security LLC, a woman-owned startup in Baltimore County, is launching its first product for the international market. Bandura Box cybersecurity software will be available through the Catonsville startup or its new wholly owned subsidiary Bandura LLC
HBGary Unveils First Deep Malware Analysis Solution for Virtual Desktop Infrastructures (VDI) (MarketWatch) Active Defense 1.3 Provides Live, Simultaneous Runtime Analysis of Guest Memory on Shared Server Resources. In a significant technical advancement to help organizations proactively and quickly detect zero-days, rootkits and other targeted malware in remote virtual environments, today HBGary, a subsidiary of ManTech International Corporation, unveiled Active Defense(TM) 1.3 to provide live, runtime memory analysis of concurrent Guest OS sessions with minimal impact on the shared physical resources of the underlying server
Bitdefender Internet Security 2013 Review (Techdeville) The internet is filled with goods. Goods of all kinds. An average user like you and me can't live without it. We need the internet for all our tasks nowadays. But it also has a dark side, which is filled with all sorts of creepy things. Spam, Spyware, Viruses, etc. it's all there. So what's the one thing that keeps us at the brighter side of the Internet and doesn't let the boogeyman creep in when our guard is down? That one thing is a security-providing software like Bitdefender's Internet Security 2013
Technologies, Techniques, and Standards
Personal Cybersecurity (WAMU) Are your passwords hack-proof? Is your computer free of malware? Tech Tuesday explores personal cybersecurity and the dangers that lurk online
Four Ways To Strengthen SMB Password Security (Dark Reading) Ensuring that employees are abiding by good password policies is difficult, but there are simple ways to protect a business from workers who might choose 'password123' as the key to their accounts
Cleaning Up After the Leak: Hiding exposed web content (Internet Storm Center) Just this weekend, a user notified us of a company leaking sensitive information on its website. The information was readily available via Google, which is how the reader found it. The news outlets also talked about a case where the secret firmware key used to sign BIOS firmware from motherboard vendor MSI leaked due to an open FTP server, essentially invalidating the security of modern UEFI motherboards. So what do you do? Someone notifies you "hey, I found this document on your website, and I don't think it should be there". First thing would be to verify the leak ("Identification"). Don't forget to send back a big thank you
Evolving ICANN Carries Great Promise for Internet Users (CircleID) The headlines out of ICANN's meeting in Beijing may be all about new domains, but it is the quiet, systemic evolution of ICANN itself that holds the greatest promise for Internet users globally
NIST sorting comments on cybersecurity framework (FierceGovernmentIT) The National Institute of Standards and Technology has 185 days to release the draft framework called for in the president's cybersecurity executive order. Given the tight timeline, the agency is sorting through comments on its recent request for information--well before the comment period ends April 29
Don't Confuse Big Data With Storage (InformationWeek) A large part of big data management is knowing what data to analyze, what to back up and what to dump, says disaster recovery expert
Research and Development
Elliptic Curve Cryptography (Linux Journal) When it comes to public key cryptography, most systems today are still stuck in the 1970s. On December 14, 1977, two events occurred that would change the world: Paramount Pictures released Saturday Night Fever, and MIT filed the patent for RSA. Just as Saturday Night Fever helped popularize disco through its choreography and soundtrack, RSA helped popularize cryptography by allowing two parties to communicate securely without a shared secret
Anne Arundel Community College cyber team aiming for nationals (Capital Gazette) A team of Anne Arundel Community College students listens as adjunct professor Tim Kroeger, right, talks strategy for an upcoming cyber defense competition. The National CyberWatch Center's Mid-Atlantic Collegiate Cyber Defense Competition, set for April 10 through 13 at Johns Hopkins University's Applied Physics Lab in Laurel, will pit AACC against a team of hackers simulating a cyber attack. Eight colleges or universities will compete. This week, students from Anne Arundel Community College will be fending off an attack. Cyber terrorists will try to disrupt elections in the country of "Hackistan," and it will be up to a team from AACC to defend the democratic process
Legislation, Policy, and Regulation
The ATF Wants 'Massive' Online Database to Find Out Who Your Friends Are (Wired Danger Room) Law enforcement investigations can be pretty tedious. Hence why the ATF is seeking an automated database to quickly identify you and who you know
UK calls for opt-out of online right to be forgotten (Computer Weekly) The UK wants to opt out of the right to be forgotten, enshrined in proposed data privacy regulations for the European Union. If enforced, new European privacy legislation would force web companies like Facebook, Google and Twitter to delete users' personal details upon request. The initiative stems from increased concern by European citizens that their online reputation is being harmed by inaccurate information held by websites that cannot be removed
Singapore calls for 'new approaches' in cybersecurity (ZDNet) Cybercrimes have changed the dimensions of time, distance, and complexity when it comes to national security so countries need to blend theoretical approaches and practical strategies. According to Singapore's deputy prime minister, Teo Chee Hean, the connected nature of the world today has allowed cyberattacks and cyberespionage to take place from abroad, anonymized through multiple hop points in different countries and with no physical presence needed in the country where the target is located
Six U.S. Air Force cyber capabilities designated 'weapons' (Reuters) The U.S. Air Force has designated six cyber tools as weapons, which should help the programs compete for increasingly scarce dollars in the Pentagon budget, an Air Force official said on Monday. Lieutenant General John Hyten, vice commander of Air Force Space Command, which oversees satellite and cyberspace operation, said the new designations would help normalize military cyber operations as the U.S. military works to keep up with rapidly changing threats in the newest theater of war
Tech firms criticize anti-Chinese technology spending bill provision (FierceGovernmentIT) A group of technology company associations say a provision in the continuing resolution funding the government through the rest of the fiscal year that requires some federal agencies to certify a national interest before purchasing any technology made by a company with any direct ties to the Chinese government is counterproductive
CISPA Reworked Ahead of Vote to Appease White House (PC Magazine) Mike Rogers and Dutch Ruppersberger, the chairman and ranking members of the House Intelligence Committee, outlined several changes they plan to make to the Cyber Intelligence Sharing and Protection Act (CISPA). CISPA would allow
McConnell: Cybersecurity framework will reduce risk, but not 'fix the problem' (FierceGovernmentIT) The cybersecurity executive order signed by President Obama in February calls for a cybersecurity framework and public-sector partnership with critical infrastructure, but Bruce McConnell, senior counsel for cyber at the National Protection and Programs Directorate of the Homeland Security Department says neither will "fix the problem"
Litigation, Investigation, and Law Enforcement
BadB Gets 88 Months in Prison for Involvement in WorldPay Breach (eSecurity Planet) Vladislav Anatolievich Horohorin has also been ordered to pay $125,739 in restitution. Vladislav Anatolievich Horohorin, 30, a.k.a. "BadB," a citizen of Russia, Israel and Ukraine, was recently sentenced to 88 months in prison and ordered to pay $125,739 in restitution for his involvement in the theft of more than $9 million from RBS WorldPay
Suspected Anonymous hackers arrested in Jordan for #OpIsrael attack (E Hacking News) A massive cyber attack dubbed as "#OpIsrael" launched by joined Anonymous hacktivists hit Israeli websites. Hackers launched DDoS attacks, defacements, database leaks and social network hacks. Following the cyber attack, Jordanian security forces have arrested several youths who allegedly participated in the cyberattack
Phishing gang found guilty of spending woman's life savings (CSOonline) Eight members of a London-based phishing gang that went on a 'cheeseburgers and gold' spending binge after robbing a British expat of her £1 million ($1.5 million) life savings have been found guilty of the crime at Southwark Crown Court. The unfortunate victim, who now lives in South Africa, responded to a message she believed was from her bank in December 2011, entering her login details on the gang's phishing site
Secrets of FBI Smartphone Surveillance Tool Revealed in Court Fight (Wired) A legal fight over the government's use of a secret surveillance tool has provided new insight into how the controversial tool works and the extent to which Verizon Wireless aided federal agents in using it to track a suspect. Court documents in a case involving accused identity thief Daniel David Rigmaiden describe how the wireless provider reached out remotely to reprogram an air card the suspect was using in order to make it communicate with the government's surveillance tool so that he could be located. Rigmaiden, who is accused of being the ringleader of a $4 million tax fraud operation, asserts in court documents that in July 2008 Verizon surreptitiously reprogrammed his air card to make it respond to incoming voice calls from the FBI and also reconfigured it so that it would connect to a fake cell site, or stingray, that the FBI was using to track his location
63 alleged NYC gangsters busted, thanks to their own Facebook blabbing (Naked Security) The alleged members of three rival drug and gun gangs apparently spoon-fed New York police, serving up allusions to their alleged crimes in slangy, atrociously spelled postings to Twitter, Facebook and YouTube
Culture of secrecy's corrosive effects (FierceGovernmentIT) Intelligence agency and law enforcement overreach about publicly accessible information isn't limited to the American ones. It's a global phenomenon, as the French domestic intelligence agency has recently demonstrated. Apparently, Direction Centrale du Renseignement Interieur, the intelligence branch of the Ministry of the Interior, hauled in a state employee who is also a Wikipedia volunteer and threatened him with arrest unless he deleted an entry about a military communications base near Lyons
For a complete running list of events, please visit the Event Tracker.
Hack in the Box 2013 (Amsterdam, the Netherlands, Apr 8 - 11, 2013) HITB2013AMS will feature cutting edge attack and defense research including a presentation on the inner workings of the iOS 6.1 Evasi0n jailbreak presented by members of the world famous Evad3rs Team, a brand new kernel level exploit affecting all versions of Microsoft Windows up till Windows 8 and even a presentation on remotely hacking airplanes.
SANS Northern Virginia 2013 (Reston, Virginia, USA, Apr 8 - 13, 2013) This event features comprehensive hands-on technical training and includes several courses that will prepare attendees for DoD 8570 and GIAC approved certification exams. Four of the courses can apply to a SANS Technology Institute's Master of Science Degree in Information Security Management or Master of Science Degree in Information Security Engineering.
INFILTRATE 2013 (Miami, Florida, USA, Apr 11 - 12, 2013) INFILTRATE is a deep technical conference that focuses entirely on offensive security issues. Researchers focused on the latest technical issues will demonstrate techniques that you cannot find elsewhere.
Software Engineering Institute Invitational Career Fair (Pittsburgh, Pennsylvania, USA, Apr 11 - 12, 2013) Attention software engineers and cyber security professionals, the Carnegie Mellon Software Engineering Institute needs your top notch skills to meet today's challenges. SEI staff will be interviewing on April 11 & 12 at their offices in Pittsburgh to fill immediate local positions. All candidates must be eligible to obtain a Security Clearance. Interviews are by appointment only. At the SEI you will have opportunities to make an impact on internet security and work with some of the most talented people in the field.
Information Tech Expo Series - Hawaii (Oahu, Hawaii, USA, Apr 12 - 19, 2013) This 6-series showcase will feature stops at 5 DoD locations and 1 Intel Center on the island of Oahu. Celebrating 20 years of these expos is a true testament to the government and military's readiness to learn from and work with industry partners.
InfoSec World Conference & Expo 2013 (Orlando, Florida, USA, Apr 15 - 17, 2013) With the primary objective of providing top-notch education to all levels of information security and IT auditing professionals, InfoSec World delivers practical sessions that give you the tools to strengthen your security without restricting your business.
Cyber Guardian 2013 (Baltimore, Maryland, USA, Apr 15 - 20, 2013) Cyber Guardian is the SANS Institute's annual, interactive training session for cyber security professionals. All courses are associated with a GIAC Certification, and cover topics like intrusion detection, perimeter protection, hacker techniques, penetration testing, and advanced forensics. Cyber Guardian will feature the popular SANS NetWars Tournament on April 18-19, a hands-on, interactive training exercise.
A Dialogue on Cyber Warfare from Legal and Corporate Perspectives (New York, New York, USA, Apr 16, 2013) Conversation on Cyber Warfare and the Law. The Journal of Law & Cyber Warfare in partnership with the Columbia Society of International Law is honored to host this first cutting edge conference on the complex issues of cyber warfare. States are faced with the multi-faceted challenges of cyber warfare. No longer confined to the world of technology professionals and spies, these threats are a growing part of the daily lives of corporations and individuals. The constitution and legislation are both scarce and obsolete and the bench and the bar lack the resources and expertise to decide or advocate on these issues.
SANS 20 Critical Security Controls Briefing (Washington, DC, USA, Apr 18, 2013) The SANS Institute presents an Executive Briefing on the 20 Critical Security Controls.
Infosec Southwest 2013 (Austin, Texas, USA, Apr 19 - 21, 2013) InfoSec Southwest is intended to be a general security and hacking conference with no specific industry or topical focus. As such, nearly all topics (other than vendor pitches) are fair game and the attending audience is expected to span all demographics.
cybergamut Technical Tuesday: Secure VoIP & Messaging for Mobile Platforms (Laurel, Maryland, USA, Apr 23, 2013) Phil Zimmermann of Silent Circle will show you how to communicate securely without relying on PKI. cybergamut Technical Tuesday is for cyber professionals to exchange ideas and discuss technical issues of mutual interest.
Mobile Device Security for Defense and Government (Alexandria, Virginia, USA, Apr 23 - 24, 2013) This Defense Strategies Institute conference addresses the challenges of operating mobile devices in networks whose security is mission critical. The symposium's overall theme will focus on DOD's plan to maximize the potential uses of mobile devices within specific key areas: wireless infrastructure, mobile devices and mobile applications. The thought leadership and community goal of this event is to advance flexible and secure mobile devices to benefit the warfighter and keep pace with changing technology.
Infosecurity Europe (London, England, UK, Apr 23 - 25, 2013) Europe's number one Information Security event. Featuring over 350 exhibitors, the most diverse range of new products and services, an unrivalled education programme and over 12,000 visitors from every segment of the industry, it's the most important date in the calendar for Information Security professionals across Europe.
INSA Leadership Dinner Featuring Betty Sapp, Director, NRO (Reston, Virginia, USA, Apr 25, 2013) This leadership dinner will feature a keynote address from Betty Sapp, Director of the National Reconnaissance Office highlighting her focus on innovation at the NRO and for the Intelligence Community. Registration will open on Thursday, March 14 and will close Thursday, April 18.
23rd Annual Government Procurement Conference (Washington, DC, USA, Apr 25, 2013) This unique one-day event attracts more than 3,000 participants representing government agencies, prime contractors and small businesses from around the country. Participating companies are able to network with procurement officials from federal, state and local government agencies under one roof.
cybergamut CompTIA Security+ Certification Boot Camp Training Program (Baltimore, Maryland, USA, Apr 29 - May 2, 2013) Security+ certification training delivers a foundational proficiency in the network security arena. Security+ Certified Professionals are better able and positioned to support small and medium-sized organizations that are at increased risk of cyber crime and other forms of security-related threats. Security+ certified professionals may now apply the CompTIA Security+ certification towards the Microsoft MCSA and MCSE Security certifications.
TechExpo Cyber Security Hiring Event (Columbia, Maryland, USA, Apr 30, 2013) A hiring event for experienced cyber security professionals, with many leading companies in attendance and interviewing on-the-spot. Learn from the distinguished speakers' panel, details of which will be forthcoming on the event site. All job-seekers should be US citizens with cyber security or IT experience. A security clearance is not required, but preferred.