Cyber Attacks, Threats, and Vulnerabilities
List of Damage under #OpWorldCup and Anonymous' target List of Sponsors (HackerNewsBulletin) It is already in the news that the Anonymous group of hackers, mainly from Brazil and also from all over the world, is going to hit this season's World Cup Sponsors with Cyber-Attacks
Emirates takes action over World Cup hacker threat (Arabian Business) Emirates has taken precautions to protect its networks after it was warned a hacker group was planning to launch a cyber attack against it because of its sponsorship of the World Cup in Brazil
U.S. Military Says South Korea Databases Hacked, Personal Data Stolen (NBC News) The U.S. military said Thursday that a hacking attack may have stolen the personal data of more than 16,000 South Koreans employed by American forces
Hacking Anxiety Grows as U.S. Hit in South Korea (24/7 Wall Street) If anyone wants to know how skilled hackers are, both in terms of stealing personal data and corporate secrets, they only need to look at the cyberattack on the U.S. military in South Korea. The accounts of 16,000 people were hit. All associated with American military operations, these accounts should be impressively guarded
Soraya Malware Combines Worst of ZeuS and Dexter to Grab Card Data (Help Net Security) Arbor Networks uncovers slick new malware targeting point of sale systems
Global Mobile Roaming Hub Accessible From the Internet and Vulnerable, Researchers Find (HITBSecNews) The GPRS Roaming Exchange (GRX) network, which carries roaming traffic among hundreds of mobile operators worldwide, contains Internet-reachable hosts that run vulnerable and unnecessary services, recent security scans reveal
They're ba-ack: Browser-sniffing ghosts return to haunt Chrome, IE, Firefox (Ars Technica) Privacy threat that allows websites to know what sites you've viewed is revived
Warning: Apple's Swift Has a Flaw That Can Clean Out Your Mac (Softpedia) On June 2 Apple proudly introduced a new programming language that it's been working on for four years. Dubbed Swift, the platform has a major vulnerability that involves the live-preview function, Playground
New OpenSSL MITM Flaw Affects All Clients, Some Server Versions (Threatpost) There is a new, remotely exploitable vulnerability in OpenSSL that could enable an attacker to intercept and decrypt traffic between vulnerable clients and servers. The flaw affects all versions of the OpenSSL client and versions 1.0.1 and 1.0.2-beta1 of the server software
SSL/TLS MITM vulnerability (CVE-2014-0224) (OpenSSL Security Advisory) An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server
How I discovered CCS Injection Vulnerability (CVE-2014-0224) (Lepidum) Hello. My name is Masashi Kikuchi. Here is my story how I find the CCS Injection Vulnerability
Early ChangeCipherSpec Attack (Imperial Violet) OpenSSL 1.0.1h (and others) were released today with a scary looking security advisory and that's always an event worth looking into. (Hopefully people are practiced at updating OpenSSL now!) There are some critical bug fixes to DTLS (TLS over datagram transports, i.e. UDP), but most people will be more concerned about the fix to TLS
Molerats Go After Governments, US Financial Institution (Dark Reading) Middle Eastern hacking group uses new malware, same tactics
ANTIFULAI Targeted Attack Exploits Ichitaro Vulnerability (TrendLabs Security Intelligence Blog) Targeted attacks are difficult to detect and mitigate by nature. We recently uncovered a targeted attack campaign we dubbed as "ANTIFULAI" that targets both government agencies and private industries in Japan. In our 2H 2013 Targeted Attack Trends report, we found that 80% of the analyzed cases of targeted attacks hit government institutions
TR-24 Analysis — Destory RAT family (Luxembourg CIRCL) CIRCL analyzed a malware sample which was only sporadically detected by just a handful of antivirus engines, based on heuristic detection. CIRCL analyzed the entire command structure of the malware and was able to attribute this specific malware to the Destory RAT family. The malware is a feature-rich Remote Access Tool
ESET analyzes first Android file-encrypting, TOR-enabled ransomware (Help Net Security) One year ago, Android Defender, a hybrid comprising characteristics of a rogue AV and ransomware (the lockscreen type, not a file-encryptor) was discovered. Last month we saw a report about a police ransomware for Android by the Reveton team. The malware did not encrypt any files on the infected device
Shuttering Gameover: Temporary Success (BankInfoSecurity) There's good news following this week's global law enforcement takedown of the Zeus Gameover Trojan and Cryptolocker ransomware campaigns: The number of new infections has become "very low," if not fallen to zero. But related attacks could quickly resurge once cybercriminals tweak their attack techniques to route around the takedown
Why botnet takedowns can cause more harm than good (Help Net Security) Zeus is a well-known and highly successful crimeware kit — the flat-pack furniture of the virus world. It is under constant development by several criminals or groups and new functionalities are constantly added
Peek Inside a Professional Carding Shop (Krebs on Security) Over the past year, I've spent a great deal of time trolling a variety of underground stores that sell "dumps" — street slang for stolen credit card data that buyers can use to counterfeit new cards and go shopping in big-box stores for high-dollar merchandise that can be resold quickly for cash. By way of explaining this bizarro world, this post takes the reader on a tour of a rather exclusive and professional dumps shop that caters to professional thieves, high-volume buyers and organized crime gangs
Recent barrage of IE zero days highlights risk for enterprises (TechTarget) A spate of Internet Explorer (IE) zero-day vulnerabilities in 2014 has forced Microsoft to repeatedly scramble to secure its Web browser, posing new questions about the software's overall security in an increasingly competitive browser landscape. Experts caution that enterprises shouldn't shun IE based solely on its recent problems
5 summer scams to watch out for this season (CSO) As the temps go up, so do the number of social engineering scams. Here are the latest summer cons to watch out for this year
ICS Radar (Shodan) The Shodan search engine has started to crawl the Internet for protocols that provide raw, direct access to industrial control systems (ICS). This visualization shows the location of these industrial control systems on the Internet as well as other related data
ESET Security Websites and Forum for Spain Hacked by Indonesian Hacker (HackRead) Hmei7 defacer from Indonesia has been conducting mass defacement for last couple of years. Today, the same defacer has hacked and defaced the official website of IT Security company ESET and 4 of its domains designated for Spain. The targeted websites include Spanish ESET's official domain, ESET Security Forum and Training Center and Certification ESET Spain. All domains were left with
Local Verizon cell phone users targeted in phishing scheme (Cookeville (TN) Herald-Citizen) Cell phone users who had Verizon as their carrier have recently been contacted letting them know they have won $51, which would be taken off their phone bills. The calls instruct the callers to go to … where they would be asked for their cell phone number, password and Social Security number
Stolen Laptop Exposes Alaska Political Donors' Financial Information (eSecurity Planet) More than 1,000 donors' names, addresses, phone numbers, occupations, employers' names, and bank account or credit card details may have been exposed
Ladies First Choice Acknowledges Insider Breach (eSecurity Planet) 2,365 customers' contact details, medical care provider information and order histories were stolen by a former employee
Security Patches, Mitigations, and Software Updates
Critical OpenSSL Patch Available. Patch Now! (Internet Storm Center) The OpenSSL team released a critical security update today. The update patches 6 flaws. 1 of the flaws (CVE-2014-0195) may lead to arbitrary code execution
COPA-DATA Patches DNP3 SCADA Vulnerability (Threatpost) A vulnerability exists in a particular brand of SCADA software that if left unpatched, could trigger a denial of service condition and go on to compromise the software's communication connections, resulting in system instability
Google unveils source code for Chrome encryption extension (Help Net Security) Google has made publicly available the source code for a new Chrome extension that helps users encrypt, decrypt, digitally sign, and verify signed messages within the browser using OpenPGP
Google Plots End-to-End Messaging Encryption (Infosecurity Magazine) The search giant hopes to succeed where Silent Circle and others failed
Cyber Trends
Why the Bridge Still Needs to be Built Between Operations and IT (Control) To many in the IT community, the gap in understanding industrial control system cyber security is gaping. I was drawn to a May 29th Dark Reading article titled "Large Electric Utilities Earn High Security Scores", as the title seemed to be at odds with what I have seen
After cryptolocker, how do we make data safe? (Guardian via NewsEdge) Consumers will continue to be the victims of cybersecurity crises unless businesses take more steps to protect the personal information of users, Christopher Graham, the information commissioner, warned yesterday
Cyber espionage 'is threat to global economy' (Telegraph) America and China have spent the past few years in a stand-off over Chinese attitudes to intellectual property, and how the Chinese government goes about cyber-spying. Virtually all nations engage in cyber-spying to some degree, but experts suspect China of using the material to give Chinese companies an unfair advantage over their foreign rivals
The Big Data Dump: How Info-Hoarding Can Overwhelm Startups, Spy Agencies (Bloomberg) When it comes to big data projects, there are none bigger than the National Security Agency's massive surveillance programs that were exposed by former contractor Edward Snowden a year ago. In internal documents, the agency crowed about the scope of its mission, which was encapsulated in one phrase: "Collect it all"
Security the biggest mobile banking barrier (ABA Banking Journal) Banks urged to re-imagine what mobility really means
Estimating the cost of a cloud data breach (Help Net Security) IT and security professionals expect cloud services to multiply the likelihood and economic impact of data breaches as they pervade the enterprise. They also reveal that the scope of usage and responsibility for securing cloud services remains largely unknown among IT, according to Netskope
24% of Americans stopped buying online because of breaches (USA TODAY) News of Internet security breaches at eBay, Target and other large companies appears to be having an effect on online habits
Cyber war raging as countries test strategies (News24) A cyber war could well and truly be raging as countries look to gain the upper hand by infiltrating computer networks, a security company has said
They Hack Because They Can (Krebs on Security) The Internet of Things is coming…to a highway sign near you? In the latest reminder that much of our nation's "critical infrastructure" is held together with the Internet equivalent of spit and glue, authorities in several U.S. states are reporting that a hacker has once again broken into and defaced electronic road signs over highways in several U.S. states
Marketplace
For Target, A Moment Of Truth Is Just Days Away (Forbes) On June 11, when Target holds its annual meeting, shareholders will make a decision that could have far-reaching impact beyond this particular company or, for that matter, the entire retail sector
Target Gives a Defense of Its Efforts on Security (New York Times) In advance of next week's annual shareholders' meeting, Target on Monday defended its management and oversight of customer data despite the extensive hacking it experienced last year
GE Acquires Wurldtech to Advance Cyber Security Efforts (Control Design) On May 9th of this year, GE announced an agreement to acquire privately held Wurldtech, a Vancouver, British Columbia-based company and recognized leader in cyber security solutions
Vermont Firm Grows As Cybersecurity Worries Rise (VPR) A long list of well-publicized Internet breaches has helped fuel sales at Pwnie Express
Silicon star: unlocking secrets, if not its own value (Irish Times) Palantir Technologies will not help you share, message, pin, post or chat. It does not exist to make you more social or connected, or even to help advertisers get to you. Its technology is deeply geeky, its work secretive. Nonetheless, it is one of the most valuable private tech companies in Silicon Valley
Zain signs MoU with Huawei Technologies (Kuwait News Agency) Kuwaiti leading telecommunications company ZAIN on Wednesday reported signing an MoU with leading international telecommunications solutions provider Huawei Technologies Co., Ltd. as part of its ongoing effort to keep up with advances in the field and to bolster its international position through strategic partnerships
Skills in demand: Information security analysts (SC Magazine) Global organizations require information security analysts to help steer them through risk assessment
KEYW CEO: Cyber firms want to hire disciplined workers, not policy wonks (Baltimore Business Journal) College students, Len Moodispaw is not impressed by your knowledge of cyber history
FireHost names former Army security expert to its C-suite (Dallas Business Journal) FireHost, a Richardson-based cloud service provider, has hired a former Army cyber security expert to serve as its chief security officer
Global Companies with Inherent Security Risks Rely on Habif, Arogeti & Wynne, LLP to Mitigate Cyber Breaches and Protect Sensitive Data (Digital Journal) The partners of Habif, Arogeti & Wynne, LLP (HA&W), the largest Georgia-headquartered tax, accounting and business consulting firm, announced today that Eric Browning, a subject matter expert on information security, has joined the Firm to advise companies on information security risk mitigation and compliance reporting
Michael Quinn Named Kroll Cyber Practice Associate Managing Director (GovConWire) Michael Quinn, a former supervisory special agent in the cyber division of FBI, has joined Kroll's cyber investigations practice as associate managing director
Products, Services, and Solutions
AIG launches Colombia's first cyber risk policy (BNAmericas) US insurer AIG has launched the first insurance policy in Colombia protecting firms from cyber attacks and associated reputational damage
Google, in promoting encryption, calls out Microsoft and Comcast (ComputerWorld) Google is releasing new data about how services encrypt email in transit
Who sends e-mail securely in SA? (My Broadband) Gmail's transparency report now includes a section for "safer email", which mentions email sent from some South African domains
Microsoft: Office 365 Data Privacy Assured by 'Lockbox' (eWeek) The software giant opens up about how it handles cloud service requests from customers in lieu of unfettered access to their data
Secure Cloud Provider FireHost Doesn't Wait for Deadlines – Achieves PCI DSS 3.0 Certification Early (Digital Journal) FireHost, the secure cloud provider, today announced it has achieved the Payment Card Industry Data Security Standard (PCI DSS) 3.0 certification for its secure cloud infrastructure
Bitdefender Offers to Help CERTs, Police against CyberCrime (Broadway World) Bitdefender, the innovative antivirus software provider, is offering its years of private research and experience at the cutting edge of the fight against cyber crime to help CERTs and other organizations that may be overwhelmed by the rapid growth of cyber crime in an era of fuzzy borders and dizzying technological advances
CounterTack Engaging Channel With Advanced Threat Analytics (CRN) Businesses are increasingly concerned about targeted attacks, fueled in part by threats uncovered by FireEye, its services arm Mandiant and other firms that showcase sophisticated cyberespionage attacks
Apple Debuts iOS 8, OS X Yosemite (Law Technology News) Lawyers will love the ability to send encrypted big files that won't bounce back
Facebook's new audio feature won't snoop on us, it says (Naked Security) Just to clear things up, Facebook declared this week, we will not be eavesdropping NSA-style when we listen in on your TV and music
Watch out, there's a cyber virus about (Tewksbury AdMag) A course to help companies protect themselves from cyber attack is to be held in Malvern. The Cyber Savvy Training Course is for professional services personnel and will be held at the National Cyber Skills Centre on Malvern Hills Science Park on Tuesday, June 10
Panda Security Launches Panda GateDefender eSeries 5.5, Now with Application Control (Digital Journal) Panda Security, The Cloud Security Company, today announced the inclusion of new and enhanced features in version 5.50 of Panda GateDefender eSeries, the company's unified perimeter security device that protects against all types of threats
Technologies, Techniques, and Standards
The Open Data Era in Health and Social Care (National Health Service) A blueprint for the National Health Service (NHS England) to develop a research and learning programme for the open data era in health and social care
Probably the Best Free Security List in the World (Gizmo's Freeware) This article contains a comprehensive list of free security-related programs or web applications for Windows XP and later Windows PC-based operating systems. The few non-free programs on this list are included because they are of high merit (in our opinion) and lack a comparable free alternative. This list also includes links to webpages that contain security-related information
Navy Puzzle Challenge Blends Social Media, Cryptology (DFINews) The Navy recently announced the winners of its cryptology puzzle game challenge: "Project Architeuthis"
Homomorphic Encryption in the Real World (SYS-CON) For those following developments in cryptography, homomorphic encryption has been a hot topic in the last few years. Well, most practitioners are only interested in cryptography for what it can provide: data encryption, secure networking protocol, authentication and the ever controversial Digital Rights Management. It turns out that homomorphic encryption (HE) holds a big practical promise: when HE is finally available with good performance, people will be able to farm out CPU-intensive loads to the cloud, without having to share their actual data with the servers that process the data. So, when that happy day comes, we'll be able to benefit from the infinite scalability of the cloud, without paying the price in security
Are open-source projects the pathway to better security? (CSO) Is open source software more or less secure, and why that's the wrong question to ask
Safely Storing User Passwords: Hashing vs. Encrypting (Dark Reading) Securing user information begins with a proper understanding of security controls and the protection of user passwords using modern hashing algorithms. Here's a quick review of the fundamentals
Research and Development
New Insights into Email Spam Operations (Infosec Island) Our research group at UC Santa Barbara has been studying spamming botnets for a while, and our efforts in developing mitigation techniques and taking down botnets have contributed in decreasing the amount of spam on the Internet. During the last couple of years the spam volumes have significantly dropped, but spam still remains a significant burden to the email infrastructure and to email users. Recently, we have been working on gaining a better understanding of spam operations and of the actors involved in this underground economy. We believe that shedding light on these topics can help researchers develop novel mitigation techniques, and identifying which of the already-existing techniques are particularly effective in crippling spam operations, and should therefore be widely deployed
Academia
UMBC, CIC partner to teach cyber entrepreneurs how to pitch (Baltimore Business Journal) The University of Maryland, Baltimore County and the Chesapeake Innovation Center are teaming up to teach cyber entrepreneurs how to pitch to investors
Legislation, Policy, and Regulation
China's State Media Urges "Severe Punishment" for U.S. Tech Firms (Reuters via Re/Code) Chinese state media lashed out at Google, Apple and other U.S. technology companies on Wednesday, calling on Beijing "to punish severely the pawns" of the U.S. government for monitoring China and stealing secrets
It's More Than Just NSA Troubles In China-IBM Dust-Up (MintPressNews) "While it used to be that nobody ever got fired for buying IBM, now that's switching to: everybody gets fired for buying IBM," according to one Beijing-based consultant
Five reasons why China is attacking U.S. tech (ComputerWorld) There's a method to China's growing bluster
Senate Plans Scrutiny of NSA Tactics Defended by Director (Bloomberg BusinessWeek) The government surveillance of U.S. citizens will be examined by a Senate committee tomorrow, two days after the National Security Agency director defended the spy agency's tactics, saying they comply with legal constraints
Edward Snowden, a year on: reformers frustrated as NSA preserves its power (The Guardian) A year ago, Edward Snowden exposed the NSA's widespread surveillance practices. Privacy advocates demanded a change in the law — but today, the agency's powers remain largely intact
Hackers who threaten national security face life in prison (The Telegraph) Queen's Speech: Hackers who risk lives by attacking food, energy and police computer networks face life in prison
Canadian Cyberbullying Legislation Threatens to Further Legitimize Malware Sales (Technology, Thoughts and Trinkets) Lawful access legislation was recently (re)tabled by the Government of Canada in November 2013. This class of legislation enhances investigative and intelligence-gathering powers, typically by extending search and seizure provisions, communications interception capabilities, and subscriber data disclosure powers. The current proposed iteration of the Canadian legislation would offer tools to combat inappropriate disclosure of intimate images as well as extend more general lawful access provisions. One of the little-discussed elements of the legislation is that it will empower government authorities to covertly install, activate, monitor, and remove software designed to track Canadians' location and 'transmission data'
OFPP to issue contractor past performance guidance this summer, says OMB official (FierceGovernmentIT) The Office of Management and Budget wants agencies to have greater transparency into contractors' past performance before they sign on the dotted line
Department of Homeland Security Combats New Cybersecurity Issues (In Homeland Security) Cyber network defense is important in homeland security as it protects, monitors, analyzes, detects and then responds to unauthorized activity within information systems. In the recently released Verizon 2014 Data Breach Investigations Report, the authors compiled data from 50 global organizations composed of private and public sectors. Another article from Homeland Security magazine cites from the Department of Homeland Security's (DHS) National Cybersecurity and Communications Integration Center (NCCIC) "reporting 31,593 cyber incidents, 28,000 vulnerabilities and sent out over 4,000 cyber-alerts to their 252,523 partners"
Actions Needed To Address DHS Intelligence Analysis, Workforce Challenges (Homeland Security Today) The Department of Homeland Security (DHS) has established mechanisms, including an intelligence framework and an analytic planning process, to better integrate analysis activities throughout the department, but the mechanisms are "not functioning as intended," said a new 57-page Government Accountability Office (GAO) audit report
Litigation, Investigation, and Law Enforcement
Another suspect arrested in Colombia peace talks hacking scandal (Colombia Report) Authorities in western Colombia arrested another suspect in relation to the ongoing scandal surrounding alleged illegal wiretapping on the part of a presidential campaign contractor, reported national media Wednesday
Justice Department Allowed To Intercept Info From Affected Computers Hacked By Russians (Headlines and Global News) United States District Judge Arthur Schwab ruled the Justice Department will continue to intercept information from 350,000 computers worldwide which have been infected with a data-stealing virus spread by an alleged Russian computer hacker and his conspirators
Cryptolocker: Police take further action on ransomware that hit 50,000 in UK (The Guardian) New control servers have been identified and shut down in the last two days, but no arrests yet
NSA Directors Split Over Russian Influence Over Snowden (Bloomberg BusinessWeek) The current and former directors of the U.S. National Security Agency are at odds over whether onetime government contractor Edward Snowden may be collaborating with the Russian government
Tech Giants Seek Right To Disclose National Security Demand Details (MintPressNews) Facing huge potential losses from the fallout of Edward Snowden's NSA disclosures, four Internet giants push to sidestep a gag order limiting their transparency
Australia's first public swatting victim a nice bloke (The Register) Cops squash claims of FBI involvement
Spammer sprung to run Russian national payment system (The Register) Payments kingpin walks after 2.5 year sentence slashed