The CyberWire Daily Briefing 06.06.14

Summary

By The CyberWire Staff

The Financial Times traces the history of Russian cyber operations against Ukraine, which it suggests preceded the Crimean annexation by years.

Past Anonymous campaigns have fizzled often enough, but the cyber assault against World Cup sponsors has already achieved nuisance levels. Security experts think this time Anonymous have done a lot of preliminary work on quietly gaining access to its targets' networks.

Vodaphone's transparency report indicates that government surveillance in Vodaphone's markets is more widespread than hitherto suspected.

The FBI's good work notwithstanding, GOZeuS remains a threat globally.

"SimpleLocker" is in the wild: the first ransomware designed for Android.

OpenSSL warns its users to update their SSL.

Linksys updates firmware for its E4200 router, closing an authentication bypass vulnerability.

Microsoft is expected to issue eight fixes on Patch Tuesday. Among them will be patches to an IE 8 zero-day.

Financial institutions (long among the most cyber-savvy business) still lack confidence in their security controls. Energy utilities remain a prime critical infrastructure target, and observers wonder how secure their industrial control systems are.

Google pulls its competitors' collective nose with a study showing how little email is actually encrypted.

The US Secret Service wants automated help detecting social media sarcasm. A worthy goal, but difficult enough for actual humans, so observers are widely moved to skepticism.

It's the seventieth anniversary of D-Day, so spare a thought for the veterans of Gold, Juno, Sword, Utah, Omaha, and the drop zones behind them. (A thought for the French citizens who welcomed them, too.)

Notes.

Today's issue includes events affecting Albania, Australia, Belgium, China, Czech Republic, Congo, Egypt, Fiji, Finland, France, Germany, Ghana, Greece, Hunagary, India, Ireland, Italy, Kenya, Lesotho, Malta, Mozambique, Netherlands, New Zealand, Portugal, Qatar, Romania, Russia, Singapore, South Africa, Spain, Tanzania, Turkey, Ukraine, United Arab Emirates, United Kingdom, and United States..

the CyberWire will provide special coverage of next Tuesday's Cyber 5.0 Conference in Howard County, Maryland. We'll be live-Tweeting from the event.

Selected Reading

Cyber Trends

High-profile hacking raises cyber security fears (Financial Times) The dark world of cyber crime is slowly being prised open, as threats rise to levels where companies and individuals are forced to treat the matter as of critical importance

Windows XP: Why is the enterprise so reluctant to let it go? (ITPro) The risks to businesses from older OS and software installations are well known, but businesses still aren't budging

US state and local government bodies lack cyber defences (Financial Times) Cyber criminals on the hunt for poorly protected confidential data are circumventing the US federal government and targeting state and regional authorities on the basis that they have fewer resources to defend themselves

How much confidence do financial organizations place in security controls? (Help Net Security) The confidence financial organizations place in their security controls is only marginally better than the confidence retailers place in their controls, according to Tripwire

Internet of Things market to exceed $7 trillion by 2020 (Help Net Security) While the interest and buzz around the Internet of Things (IoT) has grown steadily in recent years, the seemingly endless market promise continues to become reality

Cybersécurité, quelle prise de conscience des entreprises? Analyse des rapports annuels du CAC40 (solucomINSIGHT) La cybersécurité est au cœur de l'actualité et de l'évolution de la réglementation. Elle constitue un enjeu majeur pour les entreprises qui doivent mettre en place des actions pour se protéger. Comment les plus grandes entreprises françaises s'emparent-elles du sujet et comment cela se reflète-t-il dans leurs rapports annuels?

Energy makes prime target in cyber threat against infrastructure (Financial Times) In May, the US Department of Homeland Security revealed that the industrial control system of a public utility had been hacked by a "sophisticated threat actor"

It's The Security, Stupid! (TechCrunch) It's 2014. Do you know where your security is? On Tuesday, Google published a full account of the current state of encryption in email, revealing that some leading providers like Comcast and France's Orange encrypted nearly none of the email that approached its servers. The news this week seemed to confirm many of our worst fears about the state of security on the Internet (as it does most weeks)

Legislation, Policy and Regulation

On Anniversary of Snowden Revelations, Senators Look at NSA Bill (Re/Code) Senate lawmakers expressed doubt about legislation to overhaul the National Security Agency's bulk-data collection program Thursday as the U.S. marked the first anniversary of surveillance revelations from whistleblower Edward Snowden

White House looking to Capitol Hill on cyber (FCW) White House adviser Ari Schwartz goes about the business of explaining the Obama administration's cybersecurity goals methodically. At multiple recent conferences for cybersecurity professionals in the Washington, D.C., area, Schwartz has offered updates on threats as varied as Heartbleed and the Chinese hackers indicted by the Justice Department

One Year Later: Snowden Disclosures' Effect on Secret Laws (Roll Call) One year ago, on June 5, 2013, Edward Snowden revealed that he had provided several reporters with access to documents he had taken from the National Security Agency. The subsequent carefully researched and thoughtfully written stories blew the lid off much of the secrecy that the National Security Agency, the Foreign Intelligence Surveillance Court, the Department of Justice, and the intelligence community had imposed on the communications surveillance in which our government had been engaging

On Snowden Anniversary, Microsoft Calls for Surveillance Reform (Threatpost) On the anniversary of the first news reports on NSA surveillance, Microsoft general counsel Brad Smith seized the opportunity to draw a line in the sand with the U.S. government

Zuckerberg, Nadella Ask Senate to Restrain NSA Spying (Bloomberg BusinessWeek) The chief executive officers of Microsoft Corp. (MSFT:US), Google Inc. (GOOG:US) and other technology companies are asking the U.S. Senate to muzzle the National Security Agency

No, Glenn Greenwald cannot be the one who decides what stays secret (The Week) In a world where anyone can claim to be a journalist, only government can decide what stays classified

NSA: Inside the FIVE-EYED VAMPIRE SQUID of the INTERNET (The Register) You may want to move to Iceland at this point

New whistleblower group encourages more efforts to inform public (McClatchy) A new whistleblower protection effort debuted this week, claiming that safeguards to shield employees who expose government activities from retaliation are not strong enough

I'm Willing to Die for Your Online Freedom (but I'm hoping it doesn't come to that). (Politico) My name is Brian Zulberti. I'm a lawyer. For the past three days I have been on a hunger strike outside the Supreme Court of the United States. I am going to remain here until coverage or death. More specifically, I want 90 seconds on a major national television network, during prime time, to warn the nation about the dangers of social media-related firings. I will fast until either I get that 90 seconds or I die

Fight internet surveillance, Reset The Net (Naked Security) It's a year since the name Edward Snowden became world famous and a year since we learned that the USA's National Security Agency has infiltrated the internet like an aggressive fungal mycelium

Strengthening standards for cybersecurity and surveillance (NewsDesk) Surveillance is a vital tool in the ﬁght against terrorism and organised crime, but governments must do more to convince the public of its necessity

Jonathan Zittrain and L. Gordon Crovitz Debate the Future of Internet Governance (Harvard: Berkman Center for Internet and Society) The recent move by the United States to relinquish its role in the assignment of Internet names and numbers has generated a wide range of predictions for the future of Internet governance. Join Professor Jonathan Zittrain and Wall Street Journal Columnist Gordon Crovitz in a Google Hangout starting at 2:30pm as they debate the impact of ICANN's independence on the Internet and its role in society as an open platform

How Have We Changed? Evolving Views in the U.S. on Security and Liberty (IC on the Record) ODNI General Counsel Robert Litt at Wilson Center Panel on Surveillance, Security and Trust

DOD Cyber Architecture Takes Shape (InformationWeek) Military's cyber defense efforts remain a work in progress, officials say

Government studied Mega Cavern as cyber attack safety net (WAVE3) Housing super computers to protect the United States economy in caves under Louisville? The federal government spent millions of dollars on that very idea in a place many visit everyday

Vice-minister calls US cybersecurity gripes hypocritical (China Daily) China has criticized the United States for being hypocritical and hegemonic in cybersecurity and urged it to stop eavesdropping on other countries and individuals, said a senior Chinese diplomat, following a series of spats between the two countries involving cyberspace

Products, Services, and Solutions

Product review: Check Point Software UTM Threat Prevention Appliances (TechTarget) The Check Point Software Next Generation Threat Prevention Appliances are the latest in a long line of security products from the vendor whose brand is synonymous with firewalls. Check Point has one of the best united threat management approaches, providing solid products — both for the high and low ends of the market — with the essential features enterprises look for

Bitdefender helps Community Emergency Response Team fight cybercrimes (Tweaktown) Software security company Bitdefender plans to help CERT and police authorities in their growing battle against organized cyberattacks

Trend Micro in pact with Broadcom (Voice and Data) Security software provider Trend Micro has partnered with Broadcom Corporation for developing an integrated security solution that will protect home security networks from cyber threats

KnowBe4 Says "We'll Pay Your Crypto-Ransom If You Get Hit" (Insurance News Net) In a bold move, IT security firm KnowBe4 announced it will pay a company's ransom in Bitcoin if they get hit with ransomware due to human error of an employee. Security experts agree It will only be a matter of weeks before CryptoLocker or a variant will be back in business as the criminals who created it are still on the loose. When it does come back, KnowBe4 is confident it can help organizations protect their employees and networks through its Kevin Mitnick Security Awareness Training

Varonis DatAnywhere Raises the Stakes in Private Cloud File Sharing With New Safeguards, Enhancements, Free Downloads (MarketWatch) Varonis Systems, Inc. VRNS +0.80%, the leading provider of software solutions for unstructured, human-generated enterprise data, today announced general availability (GA) for DatAnywhere 1.8, once again raising the functionality and security bar in the rapidly growing cloud-style file sharing and collaboration market

Technologies, Techniques, and Standards

Cyber Essentials scheme launched (Business-Cloud) Companies are overwhelmed by advice from vendors around how to protect against Internet based threats. Now the UK Government has issued its own advice

Set up email encryption in half an hour (Help Net Security) As part of the global Reset the Net action, the Free Software Foundation, a non-profit organization that promotes computer user freedom and aims to defend the rights of all free software users, has released Email Self-Defense, a step-by-step guide that can teach even low-tech users how to use email encryption

What Are Cryptocurrencies? (Cointelegraph) Cryptocurrencies are a form of digital money that rely on distributed networks and shared transaction ledgers to combine the core ideas of cryptography with a monetary system to create a secure, anonymous, traceable and potentially stable virtual currency

Phish or legit — Can you tell the difference? (Naked Security) I recently received two emails, sent to two different addresses and both from different senders

Identify stolen credentials to improve security intelligence (Help Net Security) Data is the heart of an organization, and IT security teams are its protectors. Businesses spend billions of dollars per year setting up fortresses to safeguard data from anyone who dare try to take it. The latest forecast from analyst firm Canalys has IT security spending increasing to $30.1 billion by 2017. Despite this investment, data breaches are on the rise

If HTML5 Is The Future, What Happens To Access Control? (Dark Reading) The solution for multi-device deployment is HTML5. The challenge, for the enterprise, is deploying it correctly. Here are seven tools you will need

Marketplace

U.S. technology companies beef up security to thwart mass spying (Reuters) A year after Edward Snowden exposed the National Security Agency's mass surveillance programs, the major U.S. technology companies suffering from the fallout are uniting to shore up their defenses against government intrusion

Advanced Threats Strengthen Demand for Next-Generation Firewall and Unified Threat Management Solutions, Finds Frost & Sullivan (FierceITSecurity) The dynamic nature of security threats and network traffic has challenged the efficacy of legacy firewall systems, paving the way for next generation firewalls (NGFW) and unified threat management (UTM) solutions. Faced with new technologies, business requirements and security threats, businesses of all sizes across various industries are welcoming the sophisticated network controls offered by NGFWs and UTM

Demand for unified threat management appliances on the rise, says IDC (FierceITSecurity) Demand for unified threat management, which integrates multiple security technologies into a single network appliance, is on the rise, according to IDC Research

If attorney needed to explain cyber coverage, the policy is not clear (Advisen Cyber Risk Network) Advisen: What do you see as the greatest cyber risks today? Scott Godes: The theft of credit card and financial-related information from retailers, credit card processors, and others. These are crimes, and ultimately, everyone pays a price because the crimes have happened, no matter what entity bears the liability

Lockheed Martin Celebrates 10 Years Advancing Cybersecurity Through Intelligence Driven Defense® (MarketWatch) Lockheed Martin LMT +1.10% commemorated the tenth anniversary of the formal creation of its enterprise cyber defense organization, the Lockheed Martin Computer Incident Response Team (LM-CIRT), by discussing the growing cyber threats facing corporate and government networks and looking forward to delivering another decade of cyber security services

Research and Development

KEYW Partners With the University of Central Florida to Provide Big Data Visualization Framework (MarketWatch) The KEYW Holding Corporation KEYW +10.01% announced today that its subsidiary, The KEYW Corporation, entered into a formal partnership with the University of Central Florida (UCF) formalizing teaming efforts focused on research and development in the critical cybersecurity domain. The newly signed agreement provides KEYW and UCF with a framework to work and collaborate on task orders related to big data visualization efforts

New Mechanisms Enable Users to Log in Securely Without Passwords (Tasnim) Passwords are a common security measure to protect personal information, but they do not always prevent hackers from finding a way into devices

US Secret Service wants software to "detect sarcasm" on social media (Ars Technica) Skeptics are not aware of a satisfactory algorithm to detect online sarcasm

Security Patches, Mitigations, and Software Updates

Microsoft to release seven security updates next week (ZDNet) Two of the seven are for at least one critical vulnerability. One of these affects an unusually broad collection of products

Microsoft Expected to Patch IE 8 Zero Day on Patch Tuesday (Threatpost) Prompted by the disclosure of a zero-day vulnerability in Internet Explorer 8 more than six months after it was reported, Microsoft next Tuesday will finally issue a patch

Cyber Attacks, Threats, and Vulnerabilities

Kremlin alleged to wage cyber warfare on Kiev (Financial Times) Russia's physical invasion of Crimea may have begun in late February, in the days after the removal of Ukraine's president Viktor Yanukovich, but the infiltration of Kiev's computer systems began years before

Why Anonymous threats should not be ignored (Help Net Security) International hacktivist group Anonymous is causing fear within the business and technology community once again, after a supposed Anonymous spokesperson warned that World Cup sponsors are next on the hit list

UAE is hit hard by GameOver Zeus virus (Khaleej Times) The malware, which the FBI terms "extremely sophisticated", can steal banking and other passwords from the computers it infects and mostly spread through spam e-mail or phishing messages

CryptoLocker wannabe "Simplelocker" scrambles your files, holds your Android to ransom (Naked Security) Only this week, we published an article about 10 Years of Mobile Malware

Vodafone reveals existence of secret wires that allow state surveillance (The Guardian) Wires allow agencies to listen to or record live conversations, in what privacy campaigners are calling a 'nightmare scenario'

Heartbleed Redux: Another Gaping Wound in Web Encryption Uncovered (Wired) On Thursday, the OpenSSL Foundation published an advisory warning to users to update their SSL yet again, this time to fix a previously unknown but more than decade-old bug in the software that allows any network eavesdropper

Linksys E4200 Vulnerability Enables Authentication Bypass (Threatpost) Linksys router contains an authentication bypass vulnerability that could give an attacker full administrative privileges on affected devices

Hacking Apple ID? (TrendLabs Security Intelligence Blog) The many announcements at Apple's 2014 Worldwide Developers Conference (WWDC) this week was welcome news to the throngs of Apple developers and enthusiasts. It was also welcome news for another group of people with less than clean motives: cybercriminals

OS X Yosemite and iOS 8's enticements could also entrap (InfoWorld) Apple's seamless cross-device experience will appeal to business users, but security experts warn integration poses new risks

Brokers' slip-ups add to Wall Street's cyber-attack anxiety (Reuters) The most cutting-edge technology cannot contain one of the biggest cyber hacking threats on Wall Street: sloppy actions by brokers and other industry employees

Employee Error Exposes Hurley Medical Center Data (eSecurity Planet) An undisclosed numbers of employees' and retirees' names and Social Security numbers were mistakenly exposed

Academia

A safe bet for turning a college degree into a job (CNBC) When word first got out that Case Western Reserve University in Cleveland, Ohio, was planning to build two degree programs specializing in big data analytics, vice provost of undergraduate education Donald Feke's in-box filled up with inquiries from students clamoring to get in—long before the programs were ready

Regis University to Open Region's First Dedicated College of Computer & Information Sciences (Digital Journal) College will offer 12 degrees in computer, information sciences, and health care fields

Litigation, Investigation, and Enforcement

Vodafone admits some governments have free reign to eavesdrop on calls (Engadget) Gone are the days when we thought governments could only access our phone calls through official, naive-sounding procedures like "warrants." Nevertheless, it's only now, after the whole Snowden / NSA blow-up, that companies like Vodafone are trying to be more transparent

Judge orders feds to preserve surveillance data (Politico) A federal judge affirmed Thursday that the U.S. Government must preserve records of National Security Agency surveillance relevant to ongoing lawsuits challenging the legality of the practice, including data gathered under a controversial provision allowing harvesting of foreigners' U.S.-based e-mail and social media accounts

How Researchers Helped Cripple CryptoLocker (Dark Reading) A Black Hat USA speaker will give the backstory on how he and others helped disrupt the infamous CyptoLocker operation, and what they learned about it

Man fined $8,000 for Istana website hack (The Straits Times) A businessman who was fined $8,000 yesterday for hacking into the Istana website is the first to be convicted of carrying out a cyber attack on a government website here

Police in Gloucestershire warn people to protect against cyber crime (Gloustershire Echo) Gloucestershire Police are warning people to guard their computers against cyber attack in the wake of a Government alert issued by the UK's National Crime Agency

Facebook troll jailed for posting he was 'glad' teacher was murdered (Naked Security) A Facebook troll who posted disgusting messages about the classroom killing of a much-loved UK teacher, Ann Maguire, has been jailed for six weeks

Medical centre staff post woman's STD diagnosis on Facebook (Naked Security) A US woman is suing the University of Cincinnati (UC) Medical Center, alleging that their employees posted her private medical records onto Facebook

Alabama Prison Officers Jailed for Identity Theft (eSecurity Planet) Bryant Thompson was sentenced to 10 years in prison, and Quincy Walton was sentenced to seven years

Industry Events

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

upcoming Events

Cyber 5.0 Conference (Laurel, Maryland, USA, June 10, 2014) The mission of the Cyber Conference is to provide a forum for small and mid-sized businesses in Howard County and the region to access industry and government leaders with current information on cybersecurity that will improve their market position, enhance their corporate security policies and infrastructure, identify potential business opportunities, and provide a take away of information and contacts for follow-up that assists businesses in understanding the role they play in national cybersecurity and how they can address those challenges. All businesses have a role to play in protecting the national security of our infrastructure.

What to Consider when Preparing to Purchase Cyber Insurance Webinar (Webinar, June 11, 2014) With the many cyber/data breach insurance policies that are available today, there are important considerations that organizations need to know before purchasing cyber/data breach insurance coverage. Join Christine Marciano, Cyber Insurance Expert and President, Cyber Data Risk Managers for this informative webinar to learn what your organization needs to consider before purchasing cyber/data breach insurance coverage.

NRC Cyber Security Seminar/ISSO Security Workshop (Bethesda, Maryland, USA, June 16, 2014) NRC will be hosting its second NRC Semi-Annual All-Hands ISSO Workshop. This workshop will consist of computer security policy, standards, cybersecurity, guidance, FISMA compliance, and training updates. The event will be promoted agency-wide. Exhibit tables will be set-up just outside the Auditorium and companies will have the opportunity to demo their latest technologies to NRC's IT personnel. A complete agenda will be posted once all speakers are confirmed.

SC Congress Toronto (Toronto, Ontario, Canada, June 17 - 18, 2014) SC Congress Toronto is Canada's premier information security conference and expo experience. Join us for this year's SC Congress Toronto on June 17-18, 2014! The two-day gathering brings industry thought leaders together with the latest technology service solutions to provide you with the answers you need to secure your enterprise network.

MeriTalk's Cyber Security Brainstorm (Washington, DC, USA, June 18, 2014) This second annual event will take place on Wednesday, June 18 2014 at the Newseum in Washington D.C. The event will bring together Federal cyber security experts to share best practices, collaborate on challenges, and discuss what is needed for the future of cyber security. This year's program will begin with a keynote from White House Federal Agency Cybersecurity Director John Banghart, followed by panel sessions on continuous diagnostics & mitigation (CDM), data breach, and identity management.

SANSFIRE (Baltimore, Maryland, USA, June 21 - 30, 2014) For more than 10 years, the Internet Storm Center has been providing free analysis and warning to our community. SANSFIRE 2014 is not just another training event. It is our annual "ISC Powered" event. It taps into the expertise behind our daily postings, podcasts, and data collection efforts by offering evening events focusing on current trends and actual relevant threats. The strength of the Internet Storm Center is its group of handlers, who are network security practitioners tasked with securing real networks just like you. This is your chance to meet some of them in person.

26th Annual FIRST Conference (Boston, Massachusetts, USA, June 22 - 27, 2014) The Forum of Incident Response and Security Teams (FIRST) is a global non-profit organization dedicated to bringing together computer security incident response teams (CSIRTs) and includes response teams from over 240 corporations, government bodies, universities and other institutions spread across the Americas, Asia, Europe and Oceania. The annual FIRST conference provides a setting for conference participants to attend a wide range of presentations delivered by leading experts in both the CSIRT field and from the global security community. The conference also creates opportunities for networking, collaboration, and sharing technical information and management practices. The conference enables attendees to meet their peers and build confidential relationships across corporate disciplines and geographical boundaries. FIRST conference participants include not only CSIRT staff, but also IT managers, network and system administrators, software and hardware vendors, law enforcement representatives, security solutions providers, telecommunications organizations, ISPs, and general computer and network security personnel.

Gartner Security & Risk Management Summit 2014 (National Harbor, Maryland, US, June 23 - 26, 2014) The Gartner Security & Risk Management Summit is the only time when the entire Gartner analyst and security and risk management community come together in one location to bring the latest research, insights and forward-thinking perspectives.

AFCEA International Cyber Symposium (Baltimore, Maryland, USA, June 24 - 25, 2014) National security is continuously being redefined as awareness of the cyberspace domain evolves. Cyber threats and challenges grow every day. Successfully defending our networks requires a team approach. With this in mind, the AFCEA International Cyber Symposium will engage the key players, including the U.S. Government, the International Community, Industry and Academia, to discuss the development of robust cyberspace capabilities and partnerships. The operational theme "Cyber Awakening: Protecting a Nation's Cyber Security" will explore the aspects of operational security of U.S. Government, DoD and Industry Networks, cyber cooperation among Joint and Coalition partners, and discuss the training and development of the cyber workforce.

United Nations Interregional Crime and Justice Research Institute Cyber Threats Workshop (Turin, Italy, June 27 - 29, 2014) The United Nations Interregional Crime and Justice Research Institute (UNICRI) is organizing a series of workshops and short courses within the framework of the UNICRI Journalism and Public Information Programme, a unique international programme tailored for journalists, chief information officers and students who want to specialize in public information and journalism. The programme aims at deepening knowledge of emerging security threats.

INSCOM Cyber Day (Fort Belvoir, Virginia, USA, July 9, 2014) Cyber-industry vendors are invited to participate in the upcoming Cyber Day hosted by the United States Army Intelligence and Security Command (INSCOM), located at Ft. Belvoir. U.S. Army Cyber (AR Cyber) is collocated with INSCOM. This event will provide industry vendors the opportunity to showcase the latest cyber products and demos to the Fort Belvoir INSCOM community in a one-day tradeshow.

SiliconExpert Counterfeit Electronic Component Detection & Avoidance (Webinar, July 10, 2014) Join us for a free 60 minute webinar with Dr. Diganta Das from the University of Maryland's Center for Advanced Life Cycle Engineering (CALCE), which is a research leader in the area of counterfeit electronics prevention and avoidance.

2nd Annual Oil & Gas Cyber Security Conference (Houston, Texas, USA, July 15 - 17, 2014) This highly interactive, hands-on forum will break down each potential cyber threat specific to the oil and gas industry, as well as tackle key issues including managing communication between OT and IT networks and building a technologically sound incident response plan that will enhance the security and protection of ICS and SCADA networks.

Sponsor & Support

Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listens all over the world, companies trust the CyberWire to get the message out. Learn more.

The CyberWire Daily Briefing for 6.6.2014