The CyberWire Daily Briefing for 4.17.2013
The tragedy of the bomb attack on the Boston Marathon, sadly and predictably, draws the usual cyber nihilists out: malware authors are spamming attack news—much of it addressed to the worried and bereaved—that carries a Trojan payload.
We've been following the Schnucks breach, and now the chain has been sued by credit card holders over recent cyber attacks that exposed their card numbers and resulted in unauthorized charges. The attackers who compromised Web hosting provider Linode used a zero day vulnerability in Adobe ColdFusion. Super botnets are fueling meaner attacks. Qualys warns that wireless security cameras are disturbingly vulnerable to hacking.
Oracle fixes 42 holes in Java. Researchers and software firms are coordinating advisories with bug fixes.
Sequester? What sequester? Or so Defense News asks, suggesting that the US Congress budgets as if the automatic cuts didn't exist. According to a report from the US Director of National Intelligence, more people have security clearances than ever. Ahoy! The Navy is planning to beef up its Fleet Cyber Command to the tune of $22.6 million. Meanwhile, the Army wants to put more cyber decisions into the hands of soldiers in the field. NSA is testing the service academies' cadets for their cyber security bona fides this week in Colorado Springs.
Some think it's time to scrap CISPA and start over. (Meanwhile, the White House threatens to veto the bill.) US National Security Agency Director Keith Alexander discusses cyber war with Congress.
Australian security experts offer a list of the seven top cyber safety measures for business. Pirate Bay cofounder charged with trying to steal money from bank accounts.
Notes.
Today's issue includes events affecting Australia, China, Egypt, Latvia, Ukraine, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Sick malware authors exploit Boston Marathon bombing with Trojan attack (Naked Security) With sick inevitability, cybercriminals have exploited interest in the breaking news story of the explosions at the Boston Marathon by spreading malware
Fueled by super botnets, DDoS attacks grow meaner and ever-more powerful (Ars Technica) Average amount of bandwidth used in DDoS attacks spiked eight-fold last quarter. Coordinated attacks used to knock websites offline grew meaner and more powerful in the past three months, with an eight-fold increase in the average amount of junk traffic used to take sites down, according to a company that helps customers weather the so-called distributed denial-of-service campaigns
Linode Hacked Through ColdFusion Zero Day (Threatpost (blog)) The attackers who compromised Web hosting provider Linode used a zero day vulnerability in Adobe ColdFusion and were able to access the company's database, source code and customers' credit card numbers and passwords. The company said that the
WordPress users urged to change passwords after botnet attack (ITProPortal) WordPress users and Internet administrators are this week picking up the pieces from a sweeping cyber attack on the popular blogging platform. The unidentified perpetrators are believed to have built a botnet to launch attacks from thousands of unique
Wireless Camera Flaws Allow Remote Exploitation (InformationWeek) Foscam wireless IP cameras contain vulnerabilities that can be used to steal credentials or hack to launch further attacks, warn researchers from Qualys
Security Patches, Mitigations, and Software Updates
Oracle and Apple ship critical Java updates - get yours today! (Naked Security) The security-beleaguered Java ecosystem usually gets updates just once every four months, in February, June and October. But this year, Oracle has adapted that schedule a number of times, and this is one of them
Oracle fixes 42 holes in Java to prevent cyber hacking (Livemint) The situation grew so bad earlier this year that the US Department of Homeland Security recommended that computer users disable Java in the browser. But many large companies use internal software that relies on Java and have been pressing Oracle to
Researcher rewarded over $30,000 for nailing three Chrome OS security flaws (Naked Security) The high-risk bugs must have been poisonous indeed, given that researcher Ralf-Philipp Weinmann is looking at a $31,336 thank-you
Cyber Trends
Web Hosting Provider Breached Via Adobe ColdFusion Vulnerabilities (Dark Reading) Linode says attackers accessed one of its Web servers, some source code, and database. Web hosting provider Linode said it was hacked via a recently revealed bug in Adobe's ColdFusion that led to the attackers getting access to a Web server, some of its source code and its database
Employers in denial about insider threat to data security (CSO) Study finds nearly half of UK employers trust workers not to steal company information. Although insider threats to data security remain a serious problem, the word apparently hasn't made it up the corporate food chain in the UK
Coordinated Disclosure, Bug Bounties Help Speed Patches (Dark Reading) Vulnerability advisories are increasingly accompanied by a patch these days, indicating that researchers and software firms are working more closely. For more than a decade, researchers and software makers have debated the proper method of disclosing vulnerabilities so that end users might be best protected against the malicious exploitation of the security holes
Why the UK shouldn't fear a Cyber Pearl Harbour (ComputerworldUK) There's no doubt that "Cyber Pearl Harbour" is a great headline, ... New honeypot-based research from Trend Micro last month showed that such systems are
Marketplace
SSH Communications Security Named a Finalist in 2013 Network Products Guide Hot Companies and Best Products Awards (Sacramento Bee) SSH Communications Security, known the world over as the inventor of the secure shell protocol, today announced that Network Products Guide, the industry's leading technology research and advisory guide, has selected it as a finalist for the 8th Annual 2013 Hot Companies and Best Products
What Sequester? Automatic Cuts An Afterthought At Budget Hearing (DefenseNews.com) Pentagon leaders and House appropriators on Tuesday discussed China, then Egypt. They talked about aircraft carrier deployments, Iran and sexual assault. One issue was a glaring afterthought: Sequestration
Fitch Assigns Initial 'BBB-' IDR to Corporate Office Properties Trust; Outlook (Fort Mills Times) Resultantly, the majority of COPT's assets are located in close proximity to strategic locations (i.e. Fort Meade), which gives rise to geographic concentration in the greater Washington DC and Baltimore region. Given these locations, tenants have
Industry Partners Join the National Cybersecurity Center of Excellence (Lab Manager Laboratory News) U.S. Senator Barbara Mikulski, U.S. Cyber Command Commander/National Security Agency (NSA) Director General Keith B. Alexander, Maryland Governor Martin O'Malley, Montgomery County Chief Executive Isiah Leggett and Under Secretary of
Report shows 4.9 million people hold security clearances, number may be all-time-high (AL.com) More people than ever have access to classified information and that number continues to rise, according to a report from the Office of the Director of National Intelligence. The report is required as part of the Intelligence Authorization Act of 2010 and includes the total number of security clearances across the government sectors and the timeliness in granting those clearances
DISA awards contracts to five companies for potential half-billion-dollar IT (Military & Aerospace Electronics) The U.S. Defense Information Systems Agency (DISA) at Fort Meade, Md., chose five companies Tuesday to compete for information technology (IT) enterprise work worth as much as $404.1 million in the U.S. and abroad
Kratos Serves as Third Party Assessor to Assist Large-Scale Cloud (Wall Street Journal) Kratos SecureInfo successfully helped this large CSP substantiate that it met FedRAMP's cybersecurity and information assurance requirements
Navy Plans to Beef Up Cyber Workforce (Nextgov) The Navy requested an operations budget of $22.6 million for its Fleet Cyber Command in 2014, up $2.3 million from 2013. Adm. Jonathan Greenert, chief of naval operations, told the hearing that the service plans to man and train a cyber force increase
Christopher Hegedus Joins Pragmatics as Federal Civilian VP (GovConWire) Christopher Hegedus, a former senior program manager at Science Applications International Corp. (NYSE: SAI), has joined Pragmatics as vice president and general manager of the federal civilian division. He will lead a division that works with agencies such as the Department of Homeland Security
Frank Ruggiero Named BAE US Govt Relations Lead (GovConWire) Frank Ruggiero, a former vice president of international government relations at BAE Systems' U.S. subsidiary, has been appointed VP of federal government relations. The appointment took effect April 15 and Ruggiero succeeded Erin Moseley, who was promoted to president of the support solutions division in February, the company said Monday. Ruggiero, who joined BAE in
Mark Nackman Named VP, General Counsel at General Dynamics Advanced Information Systems (GovConWire) Mark Nackman, formerly an assistant general counsel at General Dynamics (NYSE: GD), has been promoted to vice president and general counsel for General Dynamics Advanced Information Systems, GovCon Wire has learned. Nackman will be responsible for the business unit's legal, export, contracts and subcontracts functions in his new role. In his previous position, Nackman primarily supported
FCC taps Matthew Quinn to lead healthcare initiatives (FierceMobileHealthCare) After a four-month job search, the Federal Communications Commission (FCC) has picked its first Director of Health Care Initiatives, according to MobiHealthNews. Although the agency has not officially announced the appointment, the publication said it has confirmed through sources that Matthew Quinn has been chosen for the new FCC position
Products, Services, and Solutions
Money can't buy privacy in Google Play store, study shows (PC World) Both paid and free apps in the Google Play store harvest the same amount of private information from Android phones, a researcher discovered. Paying for an app in Google's online store, Google Play, will banish nagging in-app ads, but it won't dam the flow of personal information from your phone to marketers
Microsoft Azure Public Cloud Matches Amazon Prices (InformationWeek) Previously a developer's platform, Microsoft Azure will now compete directly with Amazon Web Services, match it on IaaS pricing
Technologies, Techniques, and Standards
Seven top cyber safety measures for business (The Age) One in five Australian businesses suffered an electronic breach or cyber attack in 2012. Most report an average of two attacks a year. Companies put their own ability to effectively secure their organisation at 4.5 out of 10. Australia is now 21st in
Academia
NSA tests cadets' cyberdefense skills (DVIDS) This computer security competition fosters education and awareness among future military leaders about the role of Information Assurance in protecting the
Legislation, Policy, and Regulation
Laws Can't Save Banks From DDoS Attacks (Dark Reading) A threat information-sharing bill wouldn't do much to help banks defend themselves against distributed denial-of-services (DDoS) attacks. The co-author of the Cyber Intelligence Sharing and Protection Act (CISPA) ought to know better
National security officials to brief House members on cybersecurity (The Hill (blog)) Top national security officials will participate in a briefing for House members on cybersecurity Tuesday afternoon. Homeland Security Secretary Janet Napolitano, FBI Director Robert Mueller and National Security Agency Director Gen. Keith Alexander
Cyberwar: How Digital Threats Are Redefining National Security (New York Times (blog)) Keith Alexander, who runs both the National Security Agency and the new Cyber Command, told the House Armed Services Committee. "This is an offensive team that the Defense Department would use to defend the nation if it were attacked in cyberspace
Lines Drawn on Debate Over Cyber Security Bill (CISPA) - Small Business Trends (Small Business Trends) The bill would allow the high-tech industry to share information on a real-time basis with the federal government in the event of a cyber attack. The bill has garnered support from the titans of the tech industry. Oracle, IBM, Intel, and Motorola have
White House threatens to veto CISPA ahead of vote (IDG News Service) The White House said it is concerned that the bill does not adequately prevent sharing of irrelevant personal information. The White House has threatened to veto the controversial Cyber Intelligence Sharing and Protection Act (CISPA) in its present form, citing concerns that the bill does not adequately prevent sharing of irrelevant personal information
House should scrap cyber bill (CISPA) and start over (The Hill (blog)) Additionally, senior military, intelligence and law enforcement officials have repeatedly stated they believe the Department of Homeland Security should be the initial point of receipt for information. Improving information sharing about cyber threats
New cyber rules put combat decisions in soldiers' hands (ArmyTimes.com) Pentagon officials have been more public about U.S. Cyber Command's efforts in recent months. The military is creating a series of cyber teams, 13 focused on offense — when directed by the White House — and an additional 27 to support the military's
CISPA 2.0: House Intelligence Committee Fumbles Privacy Again (InformationWeek) Cybersecurity bill's backers portray threat intelligence sharing as a panacea, but yet again ignore the potential privacy and security downsides
Litigation, Investigation, and Law Enforcement
Pirate Bay co-founder charged with hacking offences, attempt to steal money from bank accounts (Naked Security) Pirate Bay cofounder Gottfrid Svartholm Warg has been charged in Sweden, on suspicion that he - and three other men - hacked into various organisations, and attempted to fraudulently withdraw money out of Nordea bank accounts
Lawsuit Filed Over Schnucks Cyber-Attack (Alton Daily News) Schnucks has now been sued over a recent rash of cyber-attacks. The company reported yesterday that more than two-million customers may have had their credit-card information compromised over a four-month period. At least 100 people so far have reported unauthorized charges as a result
Obama Whistleblower Prosecutions Lead To Chilling Effect On Press (Huffington Post) On April 9, McClatchy's Jonathan Landay reported that the Obama administration has 'targeted and killed hundreds of suspected lower-level Afghan, Pakistani and unidentified other militants' in drone strikes, a revelation that contradicts previous administration claims of pursuing only senior-level operatives who pose an imminent threat to the United States
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
Information Tech Expo Series - Hawaii (Oahu, Hawaii, USA, Apr 12 - 19, 2013) This 6-series showcase will feature stops at 5 DoD locations and 1 Intel Center on the island of Oahu. Celebrating 20 years of these expos is a true testament to the government and military's readiness to learn from and work with industry partners.
InfoSec World Conference & Expo 2013 (Orlando, Florida, USA, Apr 15 - 17, 2013) With the primary objective of providing top-notch education to all levels of information security and IT auditing professionals, InfoSec World delivers practical sessions that give you the tools to strengthen your security without restricting your business.
Cyber Guardian 2013 (Baltimore, Maryland, USA, Apr 15 - 20, 2013) Cyber Guardian is the SANS Institute's annual, interactive training session for cyber security professionals. All courses are associated with a GIAC Certification, and cover topics like intrusion detection, perimeter protection, hacker techniques, penetration testing, and advanced forensics. Cyber Guardian will feature the popular SANS NetWars Tournament on April 18-19, a hands-on, interactive training exercise.
A Dialogue on Cyber Warfare from Legal and Corporate Perspectives (New York, New York, USA, Apr 16, 2013) Conversation on Cyber Warfare and the Law. The Journal of Law & Cyber Warfare in partnership with the Columbia Society of International Law is honored to host this first cutting edge conference on the complex issues of cyber warfare. States are faced with the multi-faceted challenges of cyber warfare. No longer confined to the world of technology professionals and spies, these threats are a growing part of the daily lives of corporations and individuals. The constitution and legislation are both scarce and obsolete and the bench and the bar lack the resources and expertise to decide or advocate on these issues.
SANS 20 Critical Security Controls Briefing (Washington, DC, USA, Apr 18, 2013) The SANS Institute presents an Executive Briefing on the 20 Critical Security Controls.
Infosec Southwest 2013 (Austin, Texas, USA, Apr 19 - 21, 2013) InfoSec Southwest is intended to be a general security and hacking conference with no specific industry or topical focus. As such, nearly all topics (other than vendor pitches) are fair game and the attending audience is expected to span all demographics.
cybergamut Technical Tuesday: Secure VoIP & Messaging for Mobile Platforms (Laurel, Maryland, USA, Apr 23, 2013) Phil Zimmermann of Silent Circle will show you how to communicate securely without relying on PKI. cybergamut Technical Tuesday is for cyber professionals to exchange ideas and discuss technical issues of mutual interest.
Mobile Device Security for Defense and Government (Alexandria, Virginia, USA, Apr 23 - 24, 2013) This Defense Strategies Institute conference addresses the challenges of operating mobile devices in networks whose security is mission critical. The symposium's overall theme will focus on DOD's plan to maximize the potential uses of mobile devices. Within specific key areas: wireless infrastructure, mobile devices and mobile applications. The thought leadership and community goal of this event is to advance flexible and secure mobile devices to benefit the warfighter and keep pace with changing technology.
Infosecurity Europe (London, England, UK, Apr 23 - 25, 2013) Europe's number one Information Security event. Featuring over 350 exhibitors, the most diverse range of new products and services, an unrivalled education programme and over 12,000 visitors from every segment of the industry, it's the most important date in the calendar for Information Security professionals across Europe.
INSA Leadership Dinner Featuring Betty Sapp, Director, NRO (Reston, Virginia, USA, Apr 25, 2013) This leadership dinner will feature a keynote address from Betty Sapp, Director of the National Reconnaissance Office, highlighting her focus on innovation at the NRO and for the Intelligence Community. Registration will open on Thursday, March 14 and will close Thursday, April 18.
23rd Annual Government Procurement Conference (Washington, DC, USA, Apr 25, 2013) This unique one-day event attracts more than 3,000 participants representing government agencies, prime contractors and small businesses from around the country. Participating companies are able to network with procurement officials from federal, state and local government agencies under one roof.
cybergamut CompTIA Security+Certification Boot Camp Training Program (Baltimore, Maryland, USA, Apr 29 - May 2, 2013) Security+ certification training delivers a foundational proficiency in the network security arena. Security+ Certified Professionals are better able and positioned to support small and medium-sized organizations that are at increased risk of cyber crime and other forms of security-related threats. Security+ certified professionals may now apply the CompTIA Security+ certification towards the Microsoft MCSA and MCSE Security certifications.
TechExpo Cyber Security Hiring Event (Columbia, Maryland, USA, Apr 30, 2013) A hiring event for experienced cyber security professionals, with many leading companies in attendance and interviewing on-the-spot. Learn from the distinguished speakers' panel, details of which will be forthcoming on the event site. All job-seekers should be US citizens with cyber security or IT experience. A security clearance is not required, but preferred.