Cyber Attacks, Threats, and Vulnerabilities
Warning! Hackers are exploiting Waco explosion news to spread malware (Naked Security) Once again, cybercriminals are leaping at the opportunity to take advantage of breaking news stories to spread malware
UPDATEDx1: Boston-Related Malware Campaigns Have Begun - Now with Waco Plant Explosion Fun (Internet Storm Center) Some of the spam campaigns are now changing over to the Waco plant explosion. Basically the lure is the same, a subject that mentions the video and then an IP-only URL with /texas.html or /news.html. The landing page has a few embedded YouTube videos and an iframe with malicious content at the end
Beware of fake SourceForge site offering malicious downloads (Net Security) Cyber crooks have been misusing the reputation of the popular online source code repository SourceForge (sourceforge.net) and have been pushing out malware from the sourceforgechile.net domain registered in the US earlier this month
Researchers find malware targeting online stock trading software (CSO) The malware is the result of a growing trend of cybercriminals targeting online brokerage accounts, Group-IB researchers said
Comment Crew Malware is After Drone Technology (Threatpost) FireEye experts have been tracking the Operation Beebus campaign for a few months now, and their latest research suggests that whoever is responsible for the attacks is ultimately interested in stealing drone technology-related secrets. Operation Beebus is an APT-style attack campaign targeting government agencies in the United States and India as well as numerous aerospace
Mobile adware is not the same as PC, has access to personal information: Bitdefender (IT World) Adware on mobile means more than just showing banners, according to Bitdefender senior e-threat analyst, Bogdan Botezatu. People may have the image of "adware" entailing some onscreen banners or pop ups during the use of software, though Botezatu said adware in PC is not the same as on mobile devices. "Desktop applications are isolated and the web browser does not know what contacts you have in your email client," he said
Rihanna sex tape? And you're scammed (TechDay) Empty promises of a Rihanna sex tape continue to hit Facebook users for six, but 'stalker' views account for the biggest scams on the social networking site. That is according to antivirus provider Bitdefender, who says almost a quarter of scams on the site offer users a bogus method to see who has viewed their profile
Security Patches, Mitigations, and Software Updates
Apple updates Safari, gives better control over Java applets (Naked Security) Apple has pushed out a Safari update to go along with this week's "Java Tuesday" fix. It's supposed to give you finer-grained control over Java in your browser. Paul Ducklin puts it through its paces
Cyber Trends
Passwords Are Weak Link in Security (eSecurity Planet) New Ponemon Institute report sheds light on consumer attitudes and usage of passwords. Conclusion: They don't like them very much. Passwords hold a prominent place in the modern security landscape. Passwords guard your personal identity, private information and your financial resources. But are passwords actually working? A new study
Geer, Thieme: Specialization and Institutionalization Have Transformed Security (Threatpost) Two elders of information security came to Source Boston 2013 Wednesday morning to encourage the next generation to grab the torch from them and to urge great caution in diving too deeply into specialization. Heavy thinkers Dan Geer and Richard Thieme said that the industry is closing in on an end of an era where
4G rollout sparks enterprise security fears (ChannelWeb) SecureData urges end users to consider risks associated with a potential remote access surge before it is too late
The art of cyber war in six steps (SC Magazine) These are the six steps that are typically involved in a cyber attack cycle. Reconnaissance. The first step of any attack is discreet reconnaissance and intelligence gathering. Reconnaissance is arguably the most important step in any attack since this
Top Threats are Homegrown (Bank Info Security) Although China and Russia are often cited as the top countries targeting U.S. organizations, the reality is the majority of attacks are sourced locally from the U.S., says security strategist Don Gray. "Even though they may be directed by other attackers, the resources being used are localized," says Gray, Solutionary's chief security strategist, in an interview with Information Security Media Group
Marketplace
Pentagon's Spies Want to Upgrade Their Secured Cellphones (Wired Danger Room) The Pentagon has big plans for its spy agency. But first it's going to upgrade its secret agents' cellphones
AT&T Upgrades Mobile Internet at APG (Patch.com) "Demand for wireless speed is growing rapidly, and these network enhancements on the grounds of the Aberdeen Proving Grounds, a key military facility
IRS IT programs' cost and schedule metrics unreliable, says GAO (FierceGovernmentIT) Metrics used by the Internal Revenue Service to ensure information technology programs meet cost and schedule estimates aren't consistent, says an April 17 Government Accountability Office report
Deltek: Sequestration Delays 14 of Largest 20 Pending Govt Contracts (ExecutiveGov) Fourteen out of the U.S. government's 20 largest pending contract awards have been delayed as a result of sequestration and the total value of those contracts has fallen nearly 40 percent from the prior year
Haystax buys Digital Sandbox (FierceBigData) San Jose-based Haystax Technology, a company that integrates capabilities in multi-source collection and data fusion, big data analytics, visualization and exploitation, has acquired Digital Sandbox, a McLean, Virg.-based company that provides threat and risk analysis software for homeland and national security. It monitors security threats and has done so at many recent Super Bowls. Federal, State, and Local agencies use Digital Sandbox commercial software product suites to quantify and monitor risks from natural and man-made threats, and to direct resources based on threat and risk priorities
Dell, Carl Icahn Strike Ownership Limit Deal (GovConWire) Dell's (NASDAQ: DELL) board of directors and Carl Icahn have signed an agreement to limit the investor and affiliated entities from owning more than 10 percent of Dell. Icahn also agreed to not enter into agreements with other shareholders to own more than 15 percent of Dell's shares between them, Dell said Monday
ManTech Wins $96M to Train CBP Officers in IT (GovConWire) ManTech International Corp. (NASDAQ: MANT) has won a potential $96 million blanket purchase agreement to help U.S. Customs and Border Protection train law enforcement officers. The potential four-year BPA includes one base year with four option years and the company won the work through its General Services Administration Schedule contract, ManTech said Thursday
Products, Services, and Solutions
Amazon Is Finally Setting Up Shop In Russia, Says Report, Expanding Its International Footprint Again (TechCrunch) E-commerce giant Amazon looks like it is gearing up for the latest chapter in its international expansion: an operation in Russia. According to this article in Forbes (in Russian) the company has opened its first office in the country, headed by Arkady Vitrouk. Vitrouk is the former general director of ABC-Atticus, a publishing group owned by media baron Alexander Mamut
ISC Handler Lenny Zeltser's REMnux v4 Reviewed on Hak5 (Internet Storm Center) Earlier this morning, Lenny released version 4 of REMnux, a lightweight Ubuntu Linux-based distro for analyzing malware. It was recently reviewed on Hak5. Take a look and if you haven't already, download the image and send Lenny your feedback
Secure transaction technology developed by Cambridge spin out (New Electronics) Cambridge University spin out Cronto has developed a security solution which it says protects online banking customers against 'man in the browser' attacks from Trojan malware
5 Best Enterprise-Ready Antivirus Software (Siliconindia.com) Regardless of the company size, Panda offers different modules for every solution and also provides the right security level according to the system
Thales leads the way with high assurance data protection at Infosecurity Europe 2013 (SYS-CON) Thales, leader in information systems and communications security, will be showcasing its line of high assurance data protection, mobile payments and cyber security solutions at this year's Infosecurity Europe, 23-25 April, 2013
Data Security Inc. Launches SSMD-2mm Disintegrator (Storage & Destruction Business) The National Security Agency (NSA) has evaluated the SSMD-2mm and found it satisfies the requirements of the NSA/CSS 9-12 Storage Device Declassification Policy Manual, according to Data Security. Solid-state drives (SSDs) and solid-state media
You won't believe how crazy this password infomercial is (and neither did Ellen DeGeneres) (Naked Security) Oh, the joys of late night television in the United States! When there's nothing funny on American TV, you can always rely upon an infomercial selling some crazy product to have you chuckling or simply agog in disbelief that anyone would ever buy such a thing
Google Pushes New Chrome Browser Features to Boost Business Adoption (eWeek) Google is bumping up the enterprise management tools for its Chrome Web browser as part of an effort to drive Chrome's increased adoption by businesses around the world
BlackBerry 10.1 reveals more than a dozen new features (CNET) The new SDK for BlackBerry 10.1 points to an HDR photo option, PIN-to-PIN messaging in the BlackBerry Hub, and all-new help demo
Technologies, Techniques, and Standards
Can We Cease Check-Box Compliance? (Dark Reading) Some indicators show a transition to risk-based management driving security decisions, but compliance checklists still pay the infosec bills
SOURCE Boston 2013: Friends don't let friends hack back (CSO) It is unwise to retaliate against a hacker with a hack of your own, according to Steven Maske, security engineer for a Fortune 1000 company
How do you know if an anti-virus test is any good? (Naked Security) Anti-virus tests are a bit of a minefield. Why are they all different? How do you know who to believe? What makes one test better than another, or are they all equally brilliant/useless/biased/random? John Hawes takes a look
Facebook vs. Salesforce: An Identity Smackdown? (Dark Reading) Some say Facebook's growing role as online identity provider could make it a potential enterprise IAM tool, others say Salesforce would have a better shot as a non-traditional IAM provider. Over the past several years, social media giant Facebook has extended its tentacles beyond Likes and status updates straight into the heart of consumers' online identities. These days it's hard to go very long during a Web browsing session without stumbling upon another major website that uses Facebook credentials as an easy way to log into its system. "It's pretty much a fact that it's becoming a de facto identity source," says Lawrence Pingree, an analyst for Gartner who is among a growing contingent of IT professionals who believe the writing is on the wall for Facebook to eventually creep its way into the enterprise identity space
Design and Innovation
Formation 8 Raises Its First Fund Of $448M To Plug Silicon Valley Startups Into Asian Conglomerates (TechCrunch) Formation 8 wants to bring venture capital back to its roots: investing in solutions to hard technology problems that could change the world. It just raised its first fund of $448 million — but with a twist. Formation 8 plans to draw on its extensive network in Asia to win its portfolio of smart enterprise and energy technology companies huge deals with conglomerates in the region
What IAM Can Learn from Bill Gates (Dark Reading) In identity and access management, it pays to be long-term aggressive and short-term conservative
Why the Start button is Microsoft's 'New Coke' moment (IT World) Companies make mistakes, but sometimes there's an opportunity to change course and reverse the damage
Does big data science require Software Defined Networking? (FierceBigData) If you thought big data was a huge buzzword, wait until Software Defined Networking really catches on. And when the two come together, as Internet2 CEO David Lambert said they should sooner rather than later in a PCWorld article this week, get ready
Research and Development
A Big Step Toward a Silicon Quantum Computer (IEEE Spectrum) Control of nuclear spin is key to a practical silicon quantum computer
Semantic web breakthrough good for big data (FierceBigData) What was supposed to be a three-year research collaboration effort between Fujitsu and the Digital Enterprise Research Institute at NUI Galway has already had what it calls a semantic web breakthrough that could unlock billions of open data sets for sharing and accelerating the process of big data
'Spooky' Quantum Entanglement May be Tested on International Space Station Over Longest Distance Yet (Science World) Quantum entanglement is a "spooky action at distance," according to Albert Einstein. It occurs when the entanglement connects two particles so that actions performed on one reflect on the other. Now, though, scientists have proposed testing this entanglement in an experiment on the International Space Station. The proposal for this study, published in the New Journal of Physics, plans to include a Bell experiment, which is essentially a test of quantum entanglement. In particular, it would test the theoretical contradiction between the predictions of quantum mechanics and classical physics. In addition, the experiment would include a quantum key distribution experiment which would use the ISS as a relay point in order to send a secret encryption key 250 miles above the planet
Academia
Russia to teach cyber security at schools (in Serbia) Russia is planning to introduce cyber security lessons at schools in the autumn, head of the Interior Ministry's Bureau for Special Technical Services Alexei Moshkov said
Homeland Security Announces Cyber Student Initiative (Albany Tribune) The Department of Homeland Security (DHS) announced Thursday the creation of the Secretary's Honors Program (SHP) Cyber Student Initiative – a new DHS program to engage exceptional community college students, including student veterans
Legislation, Policy, and Regulation
Intel cuts, cyberattacks 'insidious' national security threats (FCW) Making "incongruous" budget cuts to intelligence spending under sequestration puts the country at increased risk of attack, said Director of National Intelligence James Clapper. Testifying April ... "In 2012, [the Department of Homeland Security
Harper Government Announces Action Plan for Cyber Security (Wall Street Journal) 'signed the Cybersecurity Action Plan Between Public Safety Canada and the Department of Homeland Security to enhance the strong partnership and cooperation on cyber security matters between both countries, in 2012. The Action Plan also highlights
House approves cybersecurity overhaul in bipartisan vote (The Hill) The House on Thursday approved cybersecurity legislation that sets up a framework for companies and the federal government to share information about threats. The Cyber Intelligence Sharing and Protection Act (CISPA), H.R. 624, was approved in a 288-127 vote despite ongoing fears from some lawmakers and privacy advocates that the measure could give the government access to private information about consumers
House passes pro-business cybersecurity bill (The Times and Democrat) Privacy groups also objected to the bill because they said it would give the National Security Agency a front-row seat in analyzing data from private computer networks. The bill doesn't address the NSA's role specifically, but it's presumed that the
CISPA sponsor out of touch with Americans' privacy concerns (FierceEnterpriseCommunications) The amendment would have required that any cybersecurity information obtained from private companies would go directly to the Department of Homeland Security instead of the National Security Agency (NSA), according to a report by The Hill newspaper
Litigation, Investigation, and Law Enforcement
ACLU Asks FTC to Investigate Carriers' Lack of Android Security Updates (Threatpost) The next shoe has fallen in an effort to force wireless carriers and handset makers to provide regular security updates to Android mobile devices. The American Civil Liberties Union filed a complaint this week with the U.S. Federal Trade Commission accusing four leading carriers of deceptive business practices and knowingly selling defective phones to consumers
Japanese Authorities Urge ISPs to Block Use of Tor (Softpedia) The Japanese National Police Agency (NPA) is urging Internet service providers (ISP) to voluntarily block the use of Tor (The Onion Router), a system that allows users to communicate anonymously on the Internet
Hacker gets a year in prison for Sony attack (The Age) A hacker who pleaded guilty to taking part in an extensive computer breach of Sony Pictures Entertainment has been sentenced to a year in prison, followed by home detention, US federal prosecutors said