Washington, DC: the latest from Georgetown
Mueller: Cyber experts need offline investigative skills (FCW) Robert Mueller said cybercrime investigators must be able to take the fight beyond cyberspace. Former FBI director Robert Mueller put in a good word for his old agency's improving cybercrime and cybersecurity workforce development, even as the federal government is ramping up efforts to recruit and train qualified personnel
Buzzkill: FBI director says he was joking about hiring weed-smoking hackers (Naked Security) Sorry marijuana fans, the FBI won't be recruiting cyber-sleuthing stoners any time soon
DHS official: Heartbleed has had 'minimal' impact on federal government (FierceGovernmentIT) Due to hard work and improved coordination throughout the federal government, the impact of the Heartbleed bug on the dot-gov domain has been minimal, said Larry Zelvin, director of the National Cybersecurity and Communications Integration Center within the Homeland Security Department's National Protection and Programs Directorate
U.S. states probe eBay cyber attack as customers complain (Reuters) EBay Inc came under pressure on Thursday over a massive hacking of customer data as three U.S. states began investigating the e-commerce company's security practices
Time for action on data security (The Lawyer) A recent Microsoft case in the US highlights the lack of clarity over data security, and European businesses need to take note
L.A.'s Cyber Intrusion Command Center: A Model for Cybersecurity Governance? (Government Technology) IT governance and cybersecurity are two of the most critical issues in government, which is why Los Angeles is combining them in its new cyber command center
Cyber Attacks, Threats, and Vulnerabilities
FireEye Backs Washington with New APT1 Data Linking Attacks to China (InformationSecurity Magazine) Mandiant owner says connection days and times fit perfectly with the average PLA working day
Chinese Cyber Attacks Trigger US MIDLIFE Crisis (Vice News) On Monday, the US Department of Justice (DoJ) indicted five members of the Chinese military for "cyber espionage against US corporations and a labor organization for commercial advantage," setting off a flurry of chatter, indictments, recriminations, and polemics covering just about everything under the sun. The most interesting part about all this is that it's a phenomenal example of a MIDLIFE crisis
PLEAD Targeted Attacks Against Taiwanese Government Agencies (TrendLabs Security Intelligence Blog) In the recent 2H-2013 Targeted Attack Roundup Report we noted that we have been seeing several targeted attack campaign-related attacks in Taiwan
Syrian SRS hackers Hacks King Abdullah of Jordan website in support of Syrian Refugees (HackRead) A group of Syrian hackers going with the handle of Syrian Revolution Soldiers (SRS) has hacked and defaced six high profile government websites of Kingdom of Jordan for not paying proper attention to the Syrian refugees. The targeted websites belong to King Hussein 1, Ministry of Planning and International Cooperation, Land Transport Regulatory Commission, Jordan Deposit Insurance
Pakistani Police Website Hacked (eSecurity Planet) The hackers defaced the site with the statement, 'This site was hacked a victory for the Taliban'
Hackers raid eBay in historic breach, access 145 mln records (Reuters) EBay Inc said that hackers raided its network three months ago, accessing some 145 million user records in what is poised to go down as one of the biggest data breaches in history, based on the number of accounts compromised
By E-Mailing Hacking Victims, EBay Opens Users Up to More Risk of Attack (Bloomberg) After hackers stole e-mail addresses and other user data from EBay's network, the company announced today that it would e-mail users to suggest they change their passwords. That doesn't make a whole lot of sense
"Recent Activity" Phishing Attacks on PayPal, Due to eBay Hack? (Softpedia) Marketplace eBay has been hacked, and about 145 million accounts have been affected. Email addresses, passwords, and personal user information have been swiped by the hackers, leaving everyone affected open to phishing attacks
eBay Hack Raises Password 'Encryption' Questions (Threatpost) As is the case with most high-profile data breaches, despite an initial disclosure of information, more questions are inevitable
After the breach: eBay's flawed password reset leaves much to be desired (Ars Technica) Site can make it hard to use long passwords, especially from manager software
Reactions to the eBay breach (Help Net Security) A database containing eBay customers' name, encrypted password, email address, physical address, phone number and date of birth was compromised. Here are some of the comments we received
After seven months and no Microsoft patch, Internet Explorer 8 vulnerability is revealed (ZDNet) Microsoft has failed to address a remotely exploitable security flaw affecting the most widely used version of Internet Explorer
Patched Word Flaw Still Exploited Within Malware-Laced Assaults, Says Trend Micro (SPAMfighter) According to Trend Micro the security company, even after Microsoft patched a March 2014 declared security flaw in Word that allowed code execution from the remote, during April 2014, cyber-criminals yet continue to exploit it within their malicious attacks
Have Hackers Defeated the iPhone Kill Switch? (Intego) Last month, I explained how iPhone and iPad users could enable a "Kill Switch," effectively making it much harder for thieves to sell stolen devices
Sophisticated Google Drive phishing campaign persists (Help Net Security) Symantec researchers are once again warning about a sophisticated and persistent phishing campaign targeting Google users
Beware #BringBackOurGirls email scammers (Graham Cluley) Last month, more than 200 innocent schoolgirls were seized in the north-eastern Nigerian state of Borno. To this day, many of them are believed to still be being held captive by members of the Boko Haram group
Adobe Shockwave Lugging Around Hobbled, Vulnerable Version of Flash (Threatpost) It's bad enough that the Flash runtime bundled with Adobe's Shockwave player is deficient in security patches going back to January 2013, but what's worse is that the increased attack surface provided by Shockwave might make it easier to exploit. And, in the bargain, Adobe has known about the issue since October 2010
Android Outlook App Could Expose Emails, Attachments (Threatpost) There are two issues with the way Microsoft's Outlook application encrypts content on older versions of Android that could expose users' emails and email attachments
Bulletproof servers foil botnet/malware takedowns (SC Magazine) Check Point security innovations manager Tomer Teller says that the last two botnet/malware hosting operations his team worked with — in cooperation with the FBI and other parties — failed due to the use of bullet-proof hosting facilities by the cyber-criminal gangs concerned
XML Schema, DTD, and Entity Attacks (Virtual Security Research via Packetstorm) The eXtensible Markup Language (XML) is an extremely pervasive technology used in countless software projects. A core feature of XML is the ability to define and validate document structure using schemas and document type definitions (DTDs). When used incorrectly, certain aspects of these document definition and validation features can lead to security vulnerabilities in applications that use XML. This document attempts to provide an up to date reference on these attacks, enumerating all publicly known techniques applicable to the most popular XML parsers in use while exploring a few novel attacks as well
SNMP DDoS Attacks Spike (Dark Reading) Akamai issues threat advisory on attack campaign that uses Team Poison-developed DDoS toolkit
A peek inside a newly launched all-in-one E-shop for cybercrime-friendly services (Webroot Threat Blog) Cybercriminals continue diversifying their portfolios of standardized fraudulent services, in an attempt to efficiently monetize their malicious 'know-how', further contributing to the growth of the cybercrime ecosystem. In a series of blog posts highlighting the emergence of the boutique cybercrime-friendly E-shops, we've been emphasizing on the over-supply of compromised/stolen accounting data
Despite source code leak, Android malware fetches top $5,000 price (IT World) Despite a leak of its source code, an Android program aimed at compromising online bank accounts is still commanding US$5,000 per copy, one of the highest prices seen for a type of malware, according to research from Symantec
MHA Laptop Theft Exposes 5,500 People's Personal Data (eSecurity Planet) Names, addresses, birthdates and Social Security numbers may have been exposed
Pennsylvania Dental Students Hit by Data Breach (eSecurity Planet) Students' names, e-mail addresses and Social Security numbers were mistakenly made available online
UC Irvine Hacked (eSecurity Planet) Approximately 1,800 students' personal information may have been captured by keylogging malware
Five new threats to your mobile device security (CSO) Google's Android operating system averaged 5,768 malware attacks daily over a six-month period, according to CYREN's Security Report for 2013
Internet of Things (IOT): Seven enterprise risks to consider (TechTarget) The day when virtually every electronic device — from phones and cars to refrigerators and light switches — will be connected to the Internet is not far away. The number of Internet-connected devices is growing rapidly and is expected to reach 50 billion by 2020
Privileged Use Also a State of Mind, Report Finds (Dark Reading) A new insider threat report from Raytheon and Ponemon reveals a "privileged" user mindset
New Terrorism and New Media (Wilson Center) On the evening of March 1, 2011, Arid Uka, an Albanian Muslim living in Germany, was online looking at YouTube videos. Like many before him, he watched a jihadist video that presented the gruesome rape of a Muslim woman by US soldiers—a clip edited and posted on YouTube for jihadi propaganda purposes. Within hours of watching the video, Arid Uka boarded a bus at Frankfurt Airport, where he killed two US servicemen and wounded two others with a handgun
Security Patches, Mitigations, and Software Updates
Apple Safari 7.0.4 closes 22 holes, including 21 listed under "arbitrary code execution" (Naked Security) Apple just pushed out another Safari update, bumping OS X's native browser to version 7.0.4
PayPal fixes merchant account hijacking bug (Help Net Security) Well-known and prolific bug hunter Mark Litchfield has unearthed a pretty big flaw in PayPal Manager, which would allow attackers to hijack a merchants' account by changing their password, and consequently have access to their and their customers' personal information as well as being able to place orders from it
SourceForge's turn to reset passwords — this time in a good cause! (Naked Security) Hot on the heels of eBay's password problems comes yet another password reset notification
Microsoft Working on Patch for IE 8 Zero Day (Threatpost) Microsoft officials say they're well aware of the Internet Explorer 8 zero day disclosed Wednesday by the Zero Day Initiative and have been working on a fix for it. However, there's no stated timeline for releasing that patch
Cyber Trends
Cybersecurity Goes Collaborative (PYMNTS) The aftermath of the recent major retailer breaches has led to a collaborative initiative that involves both private- and public-sector organizations working to create best practices and to share information to help improve retail-systems security
Antivirus software can't keep up with new malware, Lastline Labs analysis finds (TechWorld) Startup runs malware through VirusTotal, gets depressing answer
Cryptocurrency Mining: Could It Soon Replace Adverts? (Know Your Mobile) Tom Brewster investigates cryptocurrency mining and whether it's a suitable alternative to traditional adverts
Divided we stand (The Economist) Organisms stop infections spreading by being diverse. So can computer apps
More enterprises to adopt multi-factor authentication (Help Net Security) Rising security risks, and demand for seamless and secure access across any device, anytime, has triggered greater adoption of authentication solutions
Cyber attacks on the rise across the Middle East and North Africa (The National) Ransomware attacks are on the rise in the Middle East proving to be an easy way for European cyber criminals to make money
Marketplace
Vendors getting mixed messages on cybersecurity (FCW) Initiatives to help industry and government codify compatible cybersecurity requirements and capabilities are yielding some results, but acquisition experts say those plans have clouded federal cybersecurity acquisition efforts
Thales to acquire Alcatel-Lucent cyber security business? (UPI) French companies Thales and Alcatel-Lucent are negotiating a strategic partnership that would see Thales taking over the cyber security and community security businesses of Alcatel-Lucent
Proofpoint CEO: Target's Breach, Chinese Spying Boosting Security Biz (Yahoo Finance UK) Proofpoint's stock has come down this spring because of the snapback in tech valuations, nevertheless, internet security remains a hot space in the
BlackPhone maker Silent Circle raises $30M, moves to Switzerland (Ars Technica) Crazy demand: CEO tells Ars he plans on shipping 3 million phones within a year
Products, Services, and Solutions
ForeScout CounterACT Wins Gold in 2014 Govies Government Security Awards (MarketWatch) ForeScout Technologies, Inc., a leading provider of pervasive network security solutions for Fortune 2000 enterprises and government organizations, today announced its CounterACT™ platform has received gold status in the Network Security category of the 2014 Govies Government Security Awards competition
CERN, MIT scientists launch Swiss-based secure webmail (Help Net Security) Last week marked the beta release of yet another encrypted, secure email service, and interest for it was so overwhelming that its developers had to temporarily close the signups
Free App Lets the Next Snowden Send Big Files Securely and Anonymously (Wired) When Glenn Greenwald discovered last year that some of the NSA documents he'd received from Edward Snowden had been corrupted, he needed to retrieve copies from fellow journalist Laura Poitras in Berlin. They decided the safest way to transfer the sizable cache was to use a USB drive carried by hand to Greenwald's home in Brazil. As a result, Greenwald's partner David Miranda was detained at Heathrow, searched, and questioned for nine hours
Facebook wants to listen in on your TV and music (Naked Security) Say, you don't mind if Facebook sticks one of your earbuds into its data-mining cranium, do you?
Technologies, Techniques, and Standards
Malware detection in the user profile directory (TechTarget) While looking through RSA's Blueprint report, I noticed that it advises security teams to look through user profile directories for what they call "atypical location" installs. What do they mean by atypical locations, and why are malware authors presumably taking advantage of user profile directories for their malicious activities?
Could staff training help to guard against cyber attacks? (TechRadar) The latest headlines are awash with news of security breaches at major companies, including the likes of Morrisons, Target and Kickstarter
The Only 2 Things Every Developer Needs To Know About Injection (Dark Reading) There's no simple solution for preventing injection attacks. There are effective strategies that can stop them in their tracks
Application Performance Management Offers Security Benefits (eSecurity Planet) Administrators use application performance management (APM) tools to meet ebbs and flows of demand. But few leverage the security benefits offered by APM solutions
Research and Development
Mere possibility of measurement makes QKD protocol secure (Ars Technica) What if Eve listened, but heard nothing but noise?
The quest for true randomness and uncrackable codes (YourIs) Quantum cryptography is said to be uncrackable. It will stay safe, but only if true randomness, the generation and use of intrinsically random numbers, can be achieved
One of these defense projects could become bigger than the internet (Quartz) Forty years ago, a group of researchers with military money set out to test the wacky idea of making computers talk to one another in a new way, using digital information packets that could be traded among multiple machines rather than telephonic, point-to-point circuit relays. The project, called ARPANET, went on to fundamentally change life on Earth under its more common name, the Internet
Darpa Is Weaponizing Oculus Rift for Cyberwar (Wired) For the last two years, Darpa has been working to make waging cyberwar as easy as playing a video game. Now, like so many other games, it's about to get a lot more in-your-face
Academia
Discoveries By UNH Cyber Researchers Put Young Program In Tech Spotlight (The Courant) A group of "white hat" computer hackers at the University of New Haven uncovered security holes in two commonly used free texting apps this semester, briefly making them the toast of the worldwide tech media and providing welcome exposure for their nascent cyber forensics program
MSU recertified as leading cyber security learning center (Mississippi Business Journal) Federal officials have reaffirmed Mississippi State University as a leading institution for cyber security education and research
Legislation, Policy, and Regulation
Q & A: Adam Segal on China, Cyberspies and the Moral High Ground (New York Times) This week, the United States took its most aggressive step yet in trying to curb what it calls Chinese state-sponsored hacking attacks aimed at stealing trade secrets from American corporations. The Justice Department on Monday announced an indictment against five members of the People's Liberation Army accused of corporate cyberespionage. United States officials say the five men belong to Unit 61398, which operates out of an office tower on the outskirts of Shanghai
Navy Braces For Backlash After PLA Cyber Indictments (Breaking Defense) The Justice Department's indictment of five People's Liberation Army officers on charges of cyber-espionage may prove to be a double-edged sword for the US military
U.S. State Department stops Chinese delegations from attending Colorado Springs event (The Gazette) Three days before most of the world learned that the U.S. indicted five Chinese military officials for industrial spying, the U.S. State Department took action behind the scenes in a move that kept 16 people from China from attending an event in Colorado Springs this week
China responds to NSA tampering with network gear vetting process (Ars Technica) China will ban import of "unsafe" tech to counter NSA and slap US companies
Spy charges expose US cyber hegemonic mentality (Xinhua via the Pakistan Observer) The United States has indulged in its cyber hegemony mentality again as it filed ungrounded commercial cyber espionage charges against five Chinese military officers
House passes USA Freedom Act, ending NSA bulk collection of American phone records (AP via US News and World Report) The House on Thursday passed legislation to end the National Security Agency's bulk collection of American phone records, the first legislative response to the disclosures by former NSA contractor Edward Snowden
NSA reform falters as House passes gutted USA Freedom Act (Ars Technica) So-called reform measure still grants NSA broad access to phone metadata
NSA's John DeLong on Privacy Compliance (IC on the Record) The National Security Agency this week granted FedScoop an exclusive interview with John DeLong, the agency's director of compliance. I sat down with DeLong at the National Cryptologic Museum across from NSA headquarters, and he agreed to a wide-ranging discussion of what his office does at NSA and the lengths to which NSA goes to ensure it operates within the confines of the law
DHS: Lack of cyber law caused 'unnecessary delays' in Heartbleed response (Federal Times) The U.S government was forced to act quickly to fix the Heartbleed vulnerability that compromised hundreds of thousands of websites last month, but Homeland Security Department officials say that Congress' failure to pass cybersecurity legislation slowed their ability to respond to the weakness
Thailand's coup d'état has a social media blindspot (Quartz) When the Thai military declared a coup d'état yesterday, one of its first moves was to shut down the country's TV broadcasters. But Thais are among the world's most enthusiastic social media users, so many of its citizens simply shrugged at the blackout, picked up their smartphones, and turned to Twitter, Facebook, and Instagram to discuss the latest military intervention—the second in eight years, and the 12th since the country ended its absolute monarchy in 1932
What does GCHQ know about our devices that we don't? (Privacy International) While the initial disclosures by Edward Snowden revealed how US authorities are conducting mass surveillance on the world's communications, further reporting by the Guardian newspaper uncovered that UK intelligence services were just as involved in this global spying apparatus. Faced with the prospect of further public scrutiny and accountability, the UK Government gave the Guardian newspaper an ultimatum: hand over the classified documents or destroy them
Litigation, Investigation, and Law Enforcement
FBI head: Cyber crime posing 'enormous challenge' (AP via Adirondack Daily Enterprise) Law enforcement faces an "enormous challenge" in preventing state-sponsored cyber crimes, FBI Director James Comey said Wednesday, days after the Justice Department announced charges against five Chinese military officials accused of hacking into American companies to steal trade secrets
Pentagon Report Calls Scope Of Snowden Leaks "Staggering," Their Impact "Grave" (TechCrunch) The Snowden Effect, that mix of consciousness raising and potential legal reform of government surveillance, has another side to it: the impact of Snowden's revelations on those revealed
Department of Defense Information Review Task Force-2 Initial Assessment (IC on the Record) Impacts resulting from the Compromise of Classified Material by a Former NSA Contractor
FBI withdraws national security letter following Microsoft challenge (Ars Technica) Rather than litigating gag order, FBI goes directly to the customer
Hackers in chains: 13 of the biggest US prison sentences for electronic crime (FierceITSecurity) Last week David Camez gained the dubious distinction of having the longest U.S. prison sentence ever for electronic crime—tied only with one other, perhaps better-known individual, Albert Gonzalez
You should fear background checks even if you've done nothing wrong (Quartz) I'm pretty sure I'm the only person named "Dan Fleshler" in the United States. That's good news. If my last name were Jones—or Smith, or Harris, or another common moniker—I might have suffered the Kafkaesque fate of Kevin A. Jones
SpyEye-using Cybercriminal Arrested in Britain (Trend Micro) We've recently seen multiple arrests and take downs of cybercriminals and their infrastructure. Here is another one to add up. Law Enforcement in England has arrested and prosecuted a cybercriminal called Jam3s in cooperation with Trend Micro. His real identity is James Bayliss. James ran some SpyEye command-and-control servers and also coded a SpyEye plugin named ccgrabber. More than four years after the investigation started, this cybercriminal has been successfully prosecuted
AFP arrests man over Melbourne IT hack (IT News) Police nab two alleged 'Anonymous' members. The Australian Federal Police has arrested two men over an alleged hacking campaign which targeted local corporate and government websites, one of whom the agency claims was involved in the 2012 attack on domain name registrar Melbourne IT