The CyberWire Daily Briefing 05.15.13

Cyber Trends

There are 12.5 unprotected versions of the average American's personal information on the web (Quartz) Safe Shepherd is a company that searches the web for all the public records available on Americans, and then presents them in a dashboard. Try it for yourself—it's free—and the results are almost guaranteed to be unnerving. The information is mostly innocuous, and includes your address, phone number and email, but the fact that it's public is more than enough to create a healthy stream of business for Safe Shepherd, which, according to founder Robert Leshner, is "lightly profitable"

REUTERS SUMMIT-Top general says U.S. under constant cyber attack threat (Reuters) The top U.S. general in charge of cyber security warned on Tuesday that the United States is increasingly vulnerable to attacks like those that destroyed data on tens of thousands of computers in Saudi Arabia and South Korea in the past year

Companies, government unprepared for new wave of cybersabotage (CSO) Intelligence not the only part of government that has struggled. Senate has not moved on legislation to back President's order on cybersecurity

How employees use business email (Help Net Security) The conventional 9am–5pm working day and five-day working week is a thing of the past for the overwhelming majority of workers at SMBs, according to a new survey on work-related email habits

The top three threats facing enterprises (Help Net Security) Globalization and mobility are fueling opportunities for enterprises today, but they have a nemesis: amplification. As physical perimeters become flexible and the tools and devices organisations utilise become mobile, the downside is that the risks introduced become amplified

Kids access porn sites at 6, begin flirting online at 8 (Detroit Free Press) Bitdefender correlated results of an online survey of parents with data compiled from its parental control services, such as which sites parents choose to block, and which sites children access regularly. Almost a quarter of the kids accounted for in

Legislation, Policy and Regulation

U.N.'s ITU pursues Internet control—again—this week (ZDNet) U.S. State Department and global civil society groups prep as U.N. telecommunication arm ITU tackles Internet control at WPTF-13 this week. The Fifth World Telecommunication/ICT Policy Forum ("WTPF-13") will be held in Geneva, Switzerland, this week for three days, May 14-16. As with the bellicose WCIT-12 (the U.N.'s 2012 World Conference on International Telecommunications) last December in Dubai and its accompanying protests and dramatic walkout by the U.S. delegation, this Forum will be run by the United Nations notoriously dubious telecommunications arm, the ITU

Kenya Opens High-Tech Anti-Terrorism Facility (All Africa) The newly opened Kenya Police Operations Centre, whose mission is to co-ordinate and carry out anti-terrorism operations with the country's various national security agencies, will make Kenya and the region safer in the face of extremist threats, officials say

Too much infosec regulation undermines security, warns NAB (The Register) More prescriptive regulation of the security posture in industry sectors like banking could have the paradoxical impact of reducing security, according to Andrew Dell, head of IT security services at the National Australia Bank. We have to become much more agile and proactive how we look at, how we react to cybercrime. Our posture is changing from 'observe and analyse' to 'detect and respond', Dell told the 2013 Trend Micro Evolve Security Conference

White House cites progress in cyber talks with China, Russia (Reuters) Michael Daniel, the Obama administration's cybersecurity policy coordinator, said that China has agreed to establish a joint working group with the United States to address Internet security issues such as cyber espionage.The group will convene for the first time this summer, stepping up communication that had previously been relegated to sporadic discussions or long-running unofficial talks between private citizens from the two countries."We're working to set the agenda" for the initial meeting

Chambliss wants bill allowing cyber threat info sharing (Augusta Chronicle) An ongoing series of cyber-attacks on federal banks, government agencies and private companies has U.S. Sen. Saxby Chambliss pushing legislation that would bolster the nations defenses against computer hackers, both domestic and foreign.The Georgia lawmaker said he plans to draft a bill that would allow the U.S. to share classified cyber threat information with companies who say they are losing billions of dollars annually to stolen patents and government contracts chiefly those negotiated for

Why the US needs to flex its cyber muscles (USA TODAY) So it's fair to say that the average citizen has plenty of reason to follow the federal government's actions in this domain. It is a positive step that the Cyber Command in Washington intends to hire 4,000 new recruits, quintupling its current force

Should the G20 forum discuss Internet security? (Help Net Security) The G20 should tackle the vastly important issue of Internet security and "articulate a vision for shaping the Internet economy for the next five to 10 years," a new commentary issued by The Centre for

Products, Services, and Solutions

SAFECode Launches Software Security Training Program For Enterprises (Dark Reading) Free curriculum will help businesses build software security training programs in-house, SAFECode says. The Software Assurance Forum for Excellence in Code (SAFECode) today will publish the first modules in a free program of software security training that enterprises can implement themselves

Cydia Substrate Comes To Android (Cydia Store Next?) (TechCrunch) Cydia, a platform commonly thought of as the alternative app store for jailbroken iPhones and iPads, has just today arrived on Android of all places. Though Android is by its nature more open and customizable than Apple's locked-down iOS, it now has a growing collection of apps designed for power users who root their devices – a process that's similar in spirit to the iOS jailbreak

Rexxfield Offers Cyber Investigation Services to General Public (Softpedia) Rexxfield, a company that provides cyber investigation support services to law enforcement agencies from all over the world, has decided to make its offering available for the general public as well. Currently, law enforcement agencies dont have the resources to investigate every cybercrime that takes place, which is where Rexxfield steps in.After developing governance and best practice policies, the company has decided to offer its services to the general public

Cavium TurboDPI™ II Software to Accelerate Development of Deep Packet Inspection (The Edwardsville Intelligencer) Network equipment providers can now take advantage of this enhanced solution integrated with Emerson's Centellis™ series 40G ATCA® systems to accelerate the development and deployment of applications that use deep packet inspection (DPI)

GFI MailArchiver 2013 released (Help Net Security) GFI Software announced a new version of its email archiving solution, GFI MailArchiver, which now provides managers with the ability to better understand employee email habits and identify their email

McAfee launches security service with facial and voice recognition (Help Net Security) McAfee announced McAfee LiveSafe, an unlimited cross-device security service that uses facial and voice recognition technology to protect users' digital lives. The service will be offered at an introductory

Internet Explorer best at blocking malware (Help Net Security) NSS Labs released the results and analysis from its web browser security comparative evaluating the protection offered by five browsers - Safari 5, Chrome 25/26, Internet Explorer 10, Firefox 19 and Opera 12 - against malware downloads (also known as socially engineered malware)

NIKSUN NetDetector/NetVCR Alpine 4.2.1 (SC Magazine Australia) The system provides many network resources that allow users to see a variety of details on the network, such as IP communication, cyber attack detection and

Technologies, Techniques, and Standards

Web Application Testing Using Real-World Attacks (Dark Reading) Using exploits to test Web applications can be an enlightening way to test for vulnerabilities, but there are downsides as well. Vulnerability management and scanning systems typically combine a number of techniques to assess the risk faced by a business's information technology, from scanning files and evaluating the current patch level to launching attacks and testing for practical vulnerabilities

Know Your Pen Tester: The Novice (Dark Reading) Penetration testers put their pants on just like the rest of us, one leg at a time. Except once their pants are on, they break into computers. Not all pen testers, however, are created equal

Here's How the Next Mark Felt Can Leak to the Press (Wired) With the a recent revelation that the Department of Justice under the Obama administration secretly obtained phone records for Associated Press journalists — and previous subpoenas by the Bush administration targeting the Washington Post and New York Times

White House warns of open data mosaic effect (FierceGovernmentIT) Beyond asking agencies to guard against the release of data with personally-identifiable information, the Open Data Policy published by the White House May 9 directs agencies to account for the "mosaic effect" of data aggregation. The mosaic effect occurs when information alone is not identifiable but when coupled with other available information poses a privacy or security risk

If it's worth coding, it's worth securing (Sydney Morning Herald) "Do what you can to secure your part of cyberspace because that makes us all better." So says Howard Schmidt, former cyber tsar to US President Barack Obama, now a cyber security consultant and board member of the Software Assurance Forum for Excellence in Code (SAFECode), a non-profit organisation aimed at making the internet safer.As cyber security, or the lack thereof, reaches global levels of awareness driven by financially-motivated hacking, hacktivism, country-sponsored espionage and

Hospital Cyber Security: 10 Emergency Prevention Tips (Beckers Hospital Review) While hospitals may be highly advanced when it comes to saving lives, many of them are not quite as astute when it comes to securing patient and protected health information. Nine out of 10 hospitals in the U.S. have suffered a data breach or intrusion in their networks over the past two years, according to the "Third Annual Benchmark Study on Patient Privacy and Data" by the Ponemon Institute. That is far from acceptable in any industry, but especially horrendous in a field where highly sensitive

Human sensors: How encouraging user reporting strengthens security (Help Net Security) Despite the pervasiveness of cyber-attacks threatening the enterprise security today, many organizations are still not taking advantage of their most widely deployed security asset: people

Big Data Requires New Thinking in Security (EdTech) Threats to data and secure information change daily and demand agile security solutions. The Big Data boom isn't all about analytics; it's also about smart data management and protecting data assets

The Morning Risk Report: From Cyber Lemons to Lemonade (Wall Street Journal) For many firms, disclosing a cyberattack can lead to wary customers and a tarnished brand. But some companies are taking a different approach: they're trying to turn the disclosure of a cyber incident into a positive public-relations event

Marketplace

Cyber security claims just protectionism (Global Times) The founder of China's telecommunications equipment-maker Huawei, Ren Zhengfei, gave an interview with some local reporters in New Zealand recently. It's the first time Ren has spoken to media over the past 26 years. Ren criticized the US accusations on Huawei over cyber security issues, saying the company "has no connection to the cyber security issues the US has encountered."Chinese telecommunications enterprises like Huawei and ZTE in recent years have been suppressed in the US market on cyber

Defense Experts Warn Of More Cuts, Murky Future (Norfolk Virginian-Pilot) Pentagon officials and defense experts painted a gloomy picture Tuesday at an annual warfighting conference, warning that automatic defense cuts that began this year may be around for a while

Pentagon Risk Raised With Apple, Samsung Devices (Businessweek) The electronics company worked with the U.S. National Security Agency to create Knox, a secure version of Google (GOOG)'s Android operating system with multiple layers of software and hardware protection. The system lets employers keep corporate and

Northrop teams with DHS to expand cybersecurity protections (Washington Technology) The program is an information-sharing program to assist critical infrastructure owners and operators in enhancing the cybersecurity protections of their information systems from unauthorized access, exploitation and data exfiltration, Northrop Grumman

Bloomberg aims to reassure on executive terminal monitoring (FierceFinance) Bloomberg's top editorial executive has apologized for the shocking revelation that its reporters were able to use the company's terminal to snoop on executives. He also added some details meant to reassure users that any monitoring was limited in scope and certainly not "spying" in the traditional sense

Dell special committee seeks more information (FierceFinance) We could be settling in for a protracted tactical war when it comes to the Dell leveraged buyout saga. The latest development is that the special committee of the Dell board has asked for more specific information from Carl Icahn and Southeastern Asset Management. The committee apparently wants to determine if the proposal is a formal proposal or merely an alternative to be considered if the current deal isn't approved

Research and Development

New Algorithm Lets SCADA Devices Detect, Deflect Attacks (Dark Reading) Embedded software prototype operates under the 'new normal' that many SCADA environments have already been breached. Researchers have built a prototype that lets SCADA devices police one another in order to catch and cut off a fellow power plant or factory floor device that has been compromised

Dreaming of atomic-level big data (FierceBigData) Talk about ubiquity. Andreas Heinrich, research scientist at the IBM (NYSE: IBM) Almaden Research Center, says that when it comes to shrinking computational components, the natural end to Moore's law has been reached--at least at the research level--and that one day big data collection will be handled effortlessly by nano-sized components interwoven into everyday communications tools. He said that the research community "has jumped into a world where devices are made with atomic-scale control"

Security Patches, Mitigations, and Software Updates

Mozilla pushes out new Firefox and Thunderbird: 8 security advisories, 3 critical fixes (Naked Security) Not to be outdone by Microsoft and Adobe's Patch Tuesday releases, Mozilla pushed out its latest browser and email client updates today. There are no bated-breath patches for in-the-wild exploits, but 3 of the 8 security fixes are deemed "critical"

Microsoft takes care of IE zero day with Patch Tuesday update (PCWorld) Andrew Storms, director of security operations for nCircle (a Tripwire company), says, "As anticipated, Microsoft released a critical update for Internet Explorer 8 today that patches an outstanding zero-day bug reportedly used in a targeted watering

Cyber Attacks, Threats, and Vulnerabilities

Iran-Based Hackers Traced to Cyber Attack on US Company (Businessweek) A previously unknown hacking group believed to be based in Iran has started cyber attacks inside the U.S., according to Mandiant Corp., a security company that's linked China's army to similar activity. The Iranian group emerged within the last six

Researcher refuses to help Saudi telco to spy on people (Help Net Security) You would think that a Saudi Arabian telecom firm interested in monitoring its users' mobile communications would not be asking a well-known pro-privacy researcher such as Moxie Marlinspike for help, but you would be wrong

A Saudi Arabia Telecom's Surveillance Pitch (Thoughtcrime.org) Last week I was contacted by an agent of Mobily, one of two telecoms operating in Saudi Arabia, about a surveillance project that they're working on in that country. Having published two reasonably popular MITM tools, it's not uncommon for me to get emails requesting that I help people with their interception projects. I typically don't respond, but this one (an email titled "Solution for monitoring encrypted data on telecom") caught my eye

Fed offensive fueling hacker underground, report says (CSO) The U.S. government is contributing to the Internet's underground economy by scooping up hacker tools to incorporate into offensive cyber weapons, a report from Reuters says. The feds have become the biggest buyer in a growing gray market where hackers and defense contractors sell tools to compromise computers, the report said. A major concern about the government's actions is that it's using what it buys for offensive weapons at the expense of not only the country's cyber defenses but the private

Targeted Attack Trend Alert: PlugX the Old Dog With a New Trick (FireEye) FireEye Labs has discovered a targeted attack towards Chinese political rights activists. The targets appear to be members of social groups that are involved in the political rights movement in China. The email turned up after the attention received in Beijing during the 12th National People's Congress and the 12th National Committee of the Chinese People's Political Consultative Conference, which is the election of a new core of leadership of the Chinese government, to determine the future of China's five-year development plan

CVE-2013-2094: Linux privilege escalation (Internet Storm Center) A vulnerability was discovered using fuzzing in linux kernels 2.6.37 till 3.8.9. The vulnerability requires the kernel to be compiled with PERF_EVENTS, but unfortunately that seems the case for quite some linux distributions. CentOS even backported the vulnerability to 2.6.32

Facebook attacked with credential-harvesting malware (CSO) A new variant of the Dorkbot malware was discovered spreading through Facebook's internal chat service, in an attempt by cybercriminals to harvest users' passwords. Bitdefender researchers discovered links to the malware circulating among Facebook users in the United States, India, Portugal, the United Kingdom, Germany, Turkey and Romania. The security firm did not know the extent of the infection on Monday, but said it counted 9,000 malicious links to the malware in 24 hours

Fake 'Free Media Player' distributed via rogue 'Adobe Flash Player HD' advertisement (Webroot) Our sensors just picked up a rogue advertisement served through the Yieldmanager ad network, which exposes users to fake Adobe Flash Player HD ads, ultimately dropping a copy of the potentially unwanted application (PUA)/adware, known as Somoto Better Installer.Surprisingly, once users click, theyre presented with a rogue Free Media Player page, instead of of a Adobe Flash Player HD themed page. Users who fall victim to the social engineering scam will end up installing multiple potentially unwanted

Iowa City Police Investigating ATM Scam (KCRG) Police are investigating an ATM scam at a US Bank in Iowa City. The bank says someone installed an ATM skimmer at the Towncrest branch off William Street.The skimmer steals personal information like account and pin numbers.The bank says customers will not be liable for any unauthorized transactions.Fraud can happen anywhere, any time to anyone. Here are some fraud prevention tips for your viewers

Hacker claimed to breach into Stanford University Website and leaked personal details (Hackers News Bulletin) According to last tweet of hacker named Mr. TruthizSexy he managed to get in the Stanford University website (www.stanford.edu) and leaked large amount of personal details from their website. After a short chat with hacker he told that there is no motive behind that hack just he wants to ensure to them that how insecure they are. According to the hacker he claimed to hack the website through SQLi Injection Vulnerability and managed to get the details which contain a large amount of personal data

Across the U.S., healthcare organizations suffer data breaches (FierceHealthIT) More than 21,000 patients have been impacted by a trio of recent healthcare data breaches throughout the U.S. Indiana University Health Arnette in Lafayette, Ind., announced last week that an employee's password-protected laptop with patient information--including names, dates of birth, medical record numbers, diagnoses and dates of service--was stolen from a car in April. The organization indicated that it doesn't have reason to believe the information has been improperly accessed or used, but police were immediately notified, regardless. IU Health Arnett began mailing letters to affected patients--nearly 10,000, according to the Journal and Courier--informing them about the breach on May 10

Microsoft Tech Support Scams: Why They Thrive (InformationWeek) Readers detail "frozen DNS Trojan" cold calls and "repairs" that lead to $882 in unauthorized wire transfers

WTOP, Federal News Radio Web site access restored after attack (Washington Post) John Spaulding, the D.C. director of information systems for Hubbard Radio, said that Hubbard Media worked with the cybersecurity firm Mandiant to analyze its full site. "We have found and eliminated the vulnerabilities that were exploited," he said in

Android malware continues to rise (Help Net Security) The first quarter of 2013 was marked by firsts for Android malware that add complexity to the Android threat landscape. According to F-Secure Labs, January through March saw the first Android threat

Litigation, Investigation, and Enforcement

India IT watchdog investigating breach in ATM heist (Reuters) The Indian government's cyber watchdog is investigating how security at two companies that are part of the country's vast IT services industry was breached in a global ATM heist that saw $45 million stolen from two banks in the Middle East

See for yourself what Bloomberg's terminal contract says about spying on customers (Quartz) Bloomberg's standard contract for its terminals gives the company the right to monitor customer usage "solely for operational reasons," according to several of those customers and a copy of a contract obtained by Quartz

Email: Even The CIA Uses It. Time To Get Serious About Its Legal Protections (Forbes) A new spy scandal is unfolding. In a nutshell Russia is expelling a U.S. diplomat from Moscow, accusing him being an undercover Central Intelligence Agency officer was trying to recruit someone from the Russian intelligence services. Now here is the kicker: Allegedly the U.S. diplomat told his would-be recruit to set up a Google GOOG +1.09% Gmail account to respond if he wanted to pursue such a relationship

What the strange case of alleged US spy Ryan Fogle doesn't tell you about how espionage really works (Quartz) Today's brouhaha around Ryan Fogle, a junior US diplomat in Moscow whom Russian authorities detained and accused of spying, may have seemed to some like a joke, or else suspiciously like a bad frame-up. Fogle was paraded in front of cameras at Russia's state security service, the FSB, along with his alleged tools of tradecraft—which included two wigs, a wad of cash, a compass, and a "Dear Friend" letter intended for a potential Russian recruit—before being declared persona non grata and told to leave the country

Homeland Security Freezes the Dwolla Accounts of Largest Bitcoin Exchange Mt. Gox (Softpedia) The US Department of Homeland Security has ordered Dwolla, a mobile payments company, to stop making payments to Mt. Gox, the largest and best known Bitcoin exchange. The reason for the order is unknown, and Mt. Gox itself says it has not seen any documents and has not been served with anything. All it knows is from news reports on the issue.The DHS and the US District Court of Maryland have seized Mutum Sigillum LLC's (Mt. Gox) Dwolla account, Dwolla itself revealed, so it can't process any

PHH Corporation Suffers Security Breach (eSecurity Planet) A temp who had been indicted for identity fraud was given access to names, addresses, e-mail addresses, phone numbers, and Social Security numbers

Audit finds WA unis fail to fix known security weaknesses (ZDNet) An independent audit has found that many of Western Australia's universities and state training providers have failed to resolve the cheap and easy-to-fix information system weaknesses that they were informed about in previous years.The Western Australian auditor general has tabled his report into the state's universities and training providers, finding that although they were generally performing well, they suffered from a number of easy and cheap-to-fix information system issues

'LulzSec leader's' victim named: tiny Oz council (The Register) So: the person alleged to have described himself as the leader of LulzSec was arrested for what, exactly?There's been a lot of noise flowing around, and the odd tip-off (including some to The Register in an extensive phone call on April 29). Since we try to avoid jumping ahead of the court process, we have kept our traps shut.However, with one Matthew Flannery having appeared in the Central Local Court in Sydney today, it is now on the public record that the charges he's facing are for defacing

Deputy AG defends AP subpoenas (WCTI12.com) Thomas Drake, a former National Security Agency official, was sentenced to one year of probation and 240 hours of community service in 2011, while former CIA officer John Kiriakou was sentenced to 30 months in prison after admitting to identifying a

Fraudster who hired hackers to manipulate stock prices goes to prison (Help Net Security) The central organizer of a worldwide conspiracy to manipulate stock prices through a "botnet" network of virus-controlled computers was sentenced today to 71 months in prison and was ordered to pay a

Design and Innovation

Meet the Woman Behind Pakistan's First Hackathon (Wired) Sabeen Mahmud has short-cropped hair and rectangular glasses; she'd fit right in hunched over a laptop at Philz or behind the counter at one of Apple's Genius Bars. Her resume matches her style. She's founded a small tech company, opened

The CyberWire Daily Briefing for 5.15.2013