Cyber Attacks, Threats, and Vulnerabilities
Russia's Information War: Latvian Ambassador, Finnish Strategist Warn On Cyber (Breaking Defense) "We are neighbors of Russia and we have always been realists," Ambassador Andris Razans told me. "Sometimes we might be characterized as alarmists, troublemakers, etc., but I think we are realists"
Follow-up: Syrian Electronic Army responds to attack article (CSO) Earlier this week, Salted Hash published a first-hand account of an attack by the Syrian Electronic Army (SEA) against IDG Enterprise. Later that same day, one of the group's members responded
Some Governments Have Backdoor Access to Listen in on Calls, Vodafone Says (Wired) An undisclosed number of countries have direct backdoor access to the communications passing through the network of telecommunications giant Vodafone, without needing to obtain a warrant, according to a new transparency report released by the company. In these countries, the company noted, Vodafone "will not receive any form of demand for lawful interception access as the relevant agencies and authorities already have permanent access to customer communications via their own direct link"
Aadhaar Data Minefield Threatens to Blow Up in Government's Face (New Indian Express) Your biometric and biographic data collected by the Unique Identification Authority of India (UIDAI) for the 12-digit unique Aadhaar number could well be at Fort Meade, the headquarters of the NSA, the US spy agency. Intelligence agencies that had forewarned the government two years ago about the vulnerability of Aadhaar data due to the involvement of foreign players are livid over the latest NSA disclosures that reveal the US is prying on the biometric database
NSA Tried to Gain Access to Pakistani Government Database (News Pakistan) The serial on the long tentacles of the National Security Agency (NSA) continues to grow. The NSA intercepts millions of people's facial images circulating on the internet and uses them in facial recognition software for intelligence purposes, as the New York Times reported on Sunday from 2011 documents stolen by Edward Snowden. It is also revealed that the NSA tried to access government databases in Pakistan, Iran and Saudi Arabia
More Security Flaws Discovered in OpenSSL — Patch Now! (Lumension) Remember the Heartbleed scare which had you scurrying to change your passwords and worrying about online privacy a few weeks ago? How could you forget it
AVG reveals yet another OpenSSL security flaw (Beta News) OpenSSL, which runs on the servers for many websites, has been having a rough time in recent weeks. We all learned of the near fatal flaw named Heartbleed, which affected quite a number of companies and services on the web. Now a new, albeit less severe, flaw has been discovered. Security researchers at AVG have unveiled what they are calling CCS Injection, which the company terms a vulnerability, but points out that it is not easily taken advantage of
efax Spam Containing Malware (Internet Storm Center) Beware of efax messages that may come to your email inbox. This week I received my first efax spam with a source address of "Fax Message […]" which contained a link to www. dropbox. com that contained malware. The link has since been removed
What to avoid in Dropbox-related phishing attack (CSO) Criminals are using malware stored in Dropbox in a phishing campaign aimed at corporate employees, security researcher says
Game of Thrones cancelled? Beware bogus Java update (Graham Cluley) A message has been spread between Facebook users claiming that the hit TV series "Game of Thrones" has been cancelled
Charles Manson has NOT been granted parole. It's an internet hoax (Graham Cluley) A "news" story has been shared widely across social networks, claiming that the notorious killer Charles Manson has been granted parole
Beware fake tax refund notification emails, claiming to come from HMRC (Graham Cluley) There's a simple truth I've found during my years in computer security. Often, the oldest tricks in the book will work just fine — you don't need to make an attack sophisticated for it to dupe the unwary
TweetDeck Scammers Steal Twitter IDs Via OAuth (Dark Reading) Users who give up their TweetDeck ID are promised 20 followers for free or 100 to 5,000 new followers a day for five days
After Godzilla attack, US warns of traffic-sign hackers (Times of India) After hackers played several high-profile pranks with traffic signs, including warning San Francisco drivers of a Godzilla attack, the US government advised operators of electronic highway signs to take "defensive measures" to tighten security
Is Anonymous Dead, or Just Preparing to Rise Again? (Wired) The hacker collective Anonymous and its factions LulzSec and AntiSec drew widespread attention between 2008 and 2012 as they tore loudly through the internet ruthlessly hacking websites, raiding email spools, exposing corporate secrets and joining the fight of the 99 percent. The groups seemed unstoppable as they hit one target after another, more than 200 in all by the government's count. It seemed no one was beyond their grasp
What it's like to work for a darknet kingpin (Ars Technica) Silk Road staff describe life under Dread Pirate Roberts 2.0
U.K. Ambulance Service Acknowledges Data Breach (eSecurity Planet) The South Central Ambulance Service mistakenly published the age, sexuality and religion of each of its 2,826 staff members
iPhone users in VN safe from recent hacker attacks (VietNamNet) Millions of iPhone users in Vietnam can sigh with relief as BKAV, the best known internet security solution provider in Vietnam, has said that local users were not affected by the hacking that hit many iPhone users in Australia and the US
Two Big Anonymous Hacktivist Pages on Facebook get Verified Badges (HackRead) While surfing Facebook, you must have seen the blue badge indicating verified pages and profiles of famous people such as celebrities, journalists and politicians, but seeing verified pages of Anonymous hacktivists was something totally unexpected
Bulletin (SB14-160) Vulnerability Summary for the Week of June 2, 2014 (US-CERT) The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information
Security Patches, Mitigations, and Software Updates
Patch Tuesday for June 2014 — 7 bulletins, 3 RCEs, 2 critical, and 1 funky sort of hole (Naked Security) The elevator pitch for this month's Microsoft Patch Tuesday is as follows
Debian Urging Users to Patch Linux Kernel Flaw (Threatpost) Several vulnerabilities have been patched in the Linux kernel that could have led to a denial of service or privilege escalation
WordPress Promises SSL on All Domains by End of 2014 (Threatpost) The movement by technology companies to encrypt their respective corners of the Internet continues to gain steam as more and more are enabling SSL and other encryption technologies such as Perfect Forward Secrecy to ward off surveillance and enhance the privacy and security of user data
Cyber Trends
Snowden, one year on, and it's still not 1984 (Naked Security) One of the most enjoyable aspects of working on Naked Security is reading and joining in with the discussions at the end of our articles
What we learned from Edward Snowden (Naked Security) Edward Snowden now holds a permanent place in the pantheon of US national security leakers, alongside the likes of Daniel Ellsberg, Julian Assange, and Chelsea Manning
Data Breach Roundup: May 2014 (eSecurity Planet) Third-party vendors played a significant part in a handful of data breaches in May. This is why, experts say, companies must ensure vendors are careful with their data
Most people have done nothing to protect their privacy (Help Net Security) Over 260 million people have been victims of data breaches and increased risk of identity theft since the Target revelations, yet nearly 80 percent have done nothing to protect their privacy or to guard their financial accounts from fraud, according to idRADAR
Just 22 Percent of Law Firms Use Encrypted Email (eSecurity Planet) A LexisNexis survey also found that 52.5 percent of attorneys have used free consumer file sharing services to share client-privileged communications
GAO Questions IT Security at U.S. Ports (GovInfoSecurity) The Department of Homeland Security hasn't done enough to secure the IT systems that manage American ports, Congressional auditors say in a new report
Marketplace
Microsoft, China clash over Windows 8, backdoor-spying charges (C/NET) Chinese state-run TV calls Windows 8 a security threat, but Microsoft denies allegations that it uses its OS to collect data from users
The backlash over Snowden could hurt US firms (Microscope) Netscape founder Marc Andreessen has hit the headlines for his comments in a recent interview with CNBC where he labelled Edward Snowden "a traitor". He went further, adding that if someone looked up 'traitor' in the encyclopaedia, they would find a picture of Ed Snowden: "Like he's a textbook traitor. They don't get much more traitor than that"
Stop snooping or face consequences: Microsoft, other tech giants warn U.S. gov't (Tech Times) Microsoft's top lawyer Brad Smith wrote a rather fiery blog post that challenged the U.S. government to "reduce the technology trust deficit it has created." Specifically, Smith wants the government to stop forcing technology companies to provide data about customers outside the U.S., end the bulk collection of phone communications data, reform the Foreign Intelligence Surveillance Court, vow to stop hacking private systems, and reinforce its efforts to increase transparency and privacy protection
Tech companies tout encryption, privacy in wake of NSA docs (Atlanta Journal-Constitution) Several high-profile tech companies are increasing security and privacy in response to the National Security Agency's data collecting practices
Google Is Making it Harder for the NSA to Grab Its Data (TIME) Google and other technology companies are strengthening their defenses against NSA intelligence gathering
Fresh responses emerging to banking security (Microscope) A couple of IT security companies, Tempest Security Intelligence of Brazil and Norwegian company Protectoria, who have ambitions to grow in this country got together at techUK's London HQ to focus on innovations targeting financial institutions
Edward Snowden threw a bucket of hot water on Scandinavia's quest to house the world's data (Quartz) Warmer summers aren't the only thing marching into the Arctic these days—more hot, server-filled data centers are on the way as well. As more companies look to take advantage of colder climates and chilly water to lower the cooling costs of running thousands of servers at full capacity, Scandinavian countries are positioning themselves as data-center locations of choice. However, the geopolitics of surveillance, data privacy and cross-border conflict are melting what were recently relatively calm relations among northern neighbors
NICE Solutions Help Secure the World's Largest Soccer Tournament, Taking Place in Brazil (Wall Street Journal) NICE Situator was chosen as the centerpiece for one of the country's Integrated Management Centers, which serves the safety and security needs of millions of citizens and tourists
FIFA World Cup: Trend Micro goes on offensive to defend fans from Cyber threats (Financial Express) Trend Micro, a global developer of security software solutions, is actively working to help defend against cyber threats related to the 2014 FIFA World Cup Brazil. As the international soccer tournament kicks off on June 12, global attention will be focused on Brazil and the pageantry and spectacle of one of the most popular sporting events
Finmeccanica Opens Cyber Defense Center (Defense News) Italy's Finmeccanica has beefed up its presence in the growing cybersecurity business by opening a cyber attack monitoring and prevention center in central Italy, using a supercomputer with the power of 30,000 desktop PCs
Sophos Moving Its Cyber Security Support to India (MSPNews) Sophos has confirmed it is moving the "majority of its [computer security] threat response work" to India
Duo Security to move into bigger space in downtown Ann Arbor (Crain's Detroit Business) Duo Security Inc., a fast-growing provider of highly secure, cloud-based authentication services for companies, signed a lease Thursday for much larger space in downtown Ann Arbor
Products, Services, and Solutions
Steps taken to bring TrueCrypt back to life (FierceCIO:TechWatch) TrueCrypt looks set to come back to life, weeks after an ominous warning against future use of the popular encryption program was posted on its official website. At the same time, a new version of TrueCrypt, with its ability to encrypt data hobbled, was uploaded to its official SourceForge page
Will Avast or AVG Free Antivirus replace Microsoft Security Essentials on Windows XP? (Gamer Headlines) Since Microsoft has ended support for Windows XP and may also be ceasing support for Microsoft Security Essentials, it may be time for consumers to start looking for another antivirus system such as Avast or AVG
Symantec rolls out threat-intelligence sharing with Cisco, Check Point, Palo Alto Networks (NetworkWorld) Managed security services customers get new data but have to decide whether to apply it
Trend Micro and Broadcom collaborate to provide home gateway security solution (DataQuest) Software suite provides enterprise-grade security with turnkey, user-friendly functionality
Nitro Integrates With Microsoft to Create Secure Document Workflows (ComputerWorld) Document productivity firm Nitro has launched a new integration with Microsoft RMS to provide enhanced security for document workflows
ESET Cyber Security for Mac review: Sophisticated security application with good malware detection (MacWorld) ESET is a Slovakian company, known for its Windows anti-virus software and now offering two versions for OS X — the standard Cyber Security reviewed here, and Cyber Security Pro which adds a personal firewall and parental controls
Tripwire and LifeJourney Launch Virtual Cybersecurity Education Initiative (Digital Journal) Tripwire Inc., a leading global provider of risk-based security and compliance management solutions, today announced that it will lead the Tripwire Cybersecurity Risk Manager LifeJourney Experience for the nation's youth. LifeJourney is a web-based, interactive classroom experience that allows students from middle schools, high schools and colleges to test-drive potential cybersecurity careers by enabling them to live a day in the life of one of America's cybersecurity leaders
Explaining iOS 8's extensions: Opening the platform while keeping it secure (Ars Technica) Comparisons to Android's Intents only tell part of the story
ShoreGroup Receives ISO 27001 Certification for Managed Service Security (Digital Journal) ShoreGroup today announced that it has received its ISO 27001 (ISO/IEC 27001) Certification for managed service security. The ISO 27001 Certification, published by the International Organization for Standardization, is the leading international standard for measuring information security management systems (ISMS). The certification was granted by BrightLine CPAs and Associates, an ANAB accredited Certification Body based in the United States
Technologies, Techniques, and Standards
Cryptography Is Fun, But Your Business Calls for Encryption (SmartData Collective) While it's pretty impressive that Nicolas Cage found a map on the back of the Declaration of Independence using only lemon juice and a hair dryer in "National Treasure," our 21st-century techniques for encoding and decoding information are a little more sophisticated
Identify stolen credentials to improve security intelligence (Help Net Security) Data is the heart of an organization, and IT security teams are its protectors. Businesses spend billions of dollars per year setting up fortresses to safeguard data from anyone who dares try to take it. The latest forecast from analyst firm Canalys has IT security spending increasing to $30.1 billion by 2017. Despite this investment, data breaches are on the rise
Are you prepared to manage a security incident? (Help Net Security) It's the year of the breach. Adobe, Target and eBay fell victim to cyber-attacks and 2014 has already seen the Heartbleed bug impact the majority of organizations across the globe. With attacks getting more advanced and hackers getting smarter, businesses across all sectors are potential targets. It's a case of when, not if, your company will be hit
Big Data needs a data-centric security focus (Help Net Security) CISOs should not treat big data security in isolation, but require policies that encompass all data silos if they are to avoid security chaos, according to Gartner
When you should opt-out of carrier-provided location services (CSO) Privacy advocates list protections needed in AT&T's planned location-based service to prevent credit-card fraud
Facebook Privacy: 10 Settings To Check (InformationWeek) Facebook's latest privacy changes include a number of welcome improvements. Learn how to tweak your settings for the least exposure
Gameover and CryptoLocker revisited — the important lessons we can learn (Naked Security) We recently wrote about an international takedown operation, spearheaded by US law enforcement, against the Gameover and CryptoLocker malware
How to use a cyber war exercise to improve your security program (CSO) 3 lessons learned by the participants of a recent cyber war strategic exercise that offer insights into a pathway for improvement for everyone
Design and Innovation
'I'd like us to move away from the dependency on passwords,' says Facebook engineer (Computerworld) In an ideal world, people would not need a password to log in to Facebook as they would use a hardware token instead, according to Facebook United States engineer Gregg Stefancik
Password dress: A frock covered in security faux pas (C/NET) How weak are your passwords? See if they show up on this unique dress designed to clue the world in to a multitude of common bad passwords
Research and Development
Robots can now officially imitate humans (Quartz) A computer that has convinced humans it is a 13-year-old Ukrainian boy has potentially passed a benchmark for artificial intelligence for the first time
Legislation, Policy, and Regulation
Merkel phone tapping claims "noted": Chinese FM (Xinhua via GlobalPost) China has "noted" that Germany has opened an investigation into claims the United States eavesdropped on German Chancellor Angela Merkel's mobile phone conversations, a Chinese Foreign Ministry spokesman said on Friday
Security ties top Tony Abbott's agenda in US (The Australian) Tony Abbott has put national security at the top of the agenda for his visit to the US this week as he meets the nation's military and intelligence chiefs as well as President Barack Obama
Snowden can't hide fact that America needs the NSA (Daily Journal) For six decades, the National Security Agency has been making codes and breaking codes to give the United States and its allies an edge against foreign adversaries. Hundreds of thousands have served this nation faithfully; 173 of them gave their lives in the line of duty. Such efforts have allowed the nation to defeat threats from those who never tire of trying to harm our people, partners, and way of life
Andreessen calls Snowden 'traitor,' blasts Obama for not countering leaks (San Jose Mercury News) While leading tech CEOs called on Congress to rein in the National Security Agency, one prominent Silicon Valley figure Thursday turned his ire toward a different target, calling former NSA contractor Edward Snowden a "traitor" for leaking government secrets
Tech Industry Keeps Pressure on Congress for NSA Surveillance Changes (Associations Now) A year after Edward Snowden revealed the U.S. spy agency's bulk collection of phone and internet user data, Congress is working on legislation to rein in those practices. Tech groups are focusing their lobbying efforts on the Senate, saying a measure the House passed is too watered down
Post-Snowden, Silicon Valley Execs Give U.S. Cyberpolicy a D-minus (IEEE Spectrum) Ten years from now, Edward Snowden's disclosures about NSA surveillance programs will be looked upon as 2013's single most important event with respect to the information technology industry. At least that's the view expressed by Pat Gelsinger, CEO of VMware, who spoke at a panel on the "Silicon Valley State of the State" held last week on VMware's Palo Alto, California, campus
Here's How The NSA Plans To Prevent Another Snowden (VentureBeat via Business Insider) The National Security Agency is working overtime to make sure another Edward Snowden doesn't happen again
If The NSA Can't Keep Call Records, Should Phone Companies Do It? (NPR) Perhaps the most controversial spying program revealed by former National Security Agency contractor Edward Snowden was the agency's hoarding of Americans' phone records
Remarks as Delivered by Stephanie O'Sullivan, Principal Deputy Director of National Intelligence, Open Hearing: USA FREEDOM Act (H.R. 3361) (IC on the Record) Chairman Feinstein, Vice Chairman Chambliss, and distinguished members of the Committee, we are very pleased to appear before you to express the Administration's strong support for the USA Freedom Act, H.R. 3361, as recently passed by the House of Representatives. The Deputy Attorney General has provided an in-depth overview of the USA Freedom Act passed by the House last month, but I wanted to touch on a few key points in my remarks
Senators demand more accountability at NSA (The Hill) A bipartisan group of senators introduced legislation Thursday that aims to strengthen accountability at the National Security Agency by allowing the president to appoint the inspector general
Refinery security bill passes House (Martinez News-Gazette) Legislation authored by U.S. Rep. Mike Thompson (CA-5) to enhance rail and refinery security passed the U.S. House of Representatives as part of H.R. 4681, the Intelligence Authorization Act for Fiscal Years 2014 and 2015. Thompson's legislation requires the Department of Homeland Security Office of Intelligence and Analysis (DHS I&A) to conduct an intelligence assessment of the security of domestic oil refineries and related rail infrastructure, and to make any recommendations it deems appropriate to protect surrounding communities or the infrastructure itself from potential harm
FDA beefs up cybersecurity efforts to ensure safety standards (FierceMedicalDevices) Amid growing concerns over the hackability of medical devices, the FDA is beefing up its cybersecurity efforts to rally devicemakers and ensure new safety standards
Content of Premarket Submissions for Management of Cybersecurity in Medical Devices (US FDA via FierceMarkets) This guidance has been developed by the FDA to assist industry by identifying issues related to cybersecurity that manufacturers should consider in preparing premarket submissions for medical devices. The need for effective cybersecurity to assure medical device functionality has become more important with the increasing use of wireless, Internet- and network-connected devices, and the frequent electronic exchange of medical device-related health information
Nato move a sign of security issues (Acumin) Nato has led the largest global cyber manoeuvre of all-time, demonstrating the increasing significance of cyber warfare today
State gets millions in homeland security grants, but where does it go? (Rapid City Journal) After the Sept. 11, 2001 terrorist attacks, the American government opened its wallet wide to fight terrorism
Megadata: What happens when politicians can't pronounce 'metadata' (Washington Post) It's no secret that there can be a disconnect between the technical literacy of some lawmakers and the programs they are charged with overseeing. But the disclosures about government surveillance from documents leaked by former National Security Agency contractor Edward Snowden made a few obscure tech terms more popular on the hill
Government Advances Continuous Security Monitoring (InformationWeek) DOD, DHS expect smart technologies will defend networks against common attacks, free IT personnel to deal with more dangerous threats
Memorandum establishes commitment between Guard, Army Cyber Command (DVIDS) Leaders of the Army National Guard and U.S. Army Cyber Command signed a memorandum of understanding June 5 establishing a commitment toward a total force solution in cyberspace protection
Montenegro amends National Security Law (Balkans.com Business News) At yesterday's session, the Government of Montenegro approved amendments to the Law on the National Security Agency. Measures proposed by the amendments are aimed at improving the legal framework for the Agency's activities in relation to Montenegro's Euro-Atlantic commitments and meeting the requirements for joining the NATO Alliance
The CIA Has Joined Facebook and Twitter (Wall Street Journal) The Central Intelligence Agency showed its hipper side Friday, launching its Twitter presence with a cheeky first tweet: "We can neither confirm nor deny that this is our first tweet"
Litigation, Investigation, and Law Enforcement
Thought better of it: NSA can get rid of evidence, judge says (Russia Today) A federal judge who ordered the National Security Agency to retain all records of its secret telephone surveillance related to an ongoing case has reversed the order — just a day after it was issued
Obama Administration: Preserving Evidence of NSA's Web Surveillance Would Wreck Program (Wall Street Journal) Government responds to suit from civil liberties group seeking details on how monitoring is done
What are the legal obligations to encrypt personal data? (Help Net Security) A new report by UK-based law firm FieldFisher details legal obligations for encryption of personal data resulting from both industry compliance regimes, such as PCI DSS, national laws and local regulations
Feds swoop in, snatch mobile phone tracking records away from ACLU (Naked Security) The American Civil Liberties Union (ACLU) filed a run-of-the-mill public records request about cell phone surveillance with a local police department in Florida
Snowden Explains Why He Won't Come Home in First U.S. TV Interview (Wired) In his first interview with a U.S. broadcasting company since going public with revelations about NSA surveillance last year, Edward Snowden responded to his critics on a number of topics including addressing accusations that he's working for Russia, that he failed to go through official channels to register his concerns about the NSA before going public and that he's a coward for not returning to the U.S. to face espionage charges
Jimmy Wales Blasts Europe's "Right To Be Forgotten" Ruling As A "Terrible Danger" (TechCrunch) Wikipedia founder Jimmy Wales has spoken out against a controversial ruling by the European Court of Justice that requires Google to consider information removal requests from individuals whose data its search engine has indexed
Pirate Bay Co-Founder Had His Computer Hacked, New Evidence Shows (Softpedia) Danish authorities have revealed that there is evidence to support the claims of Gottfrid Svartholm, Pirate Bay co-founder, who says that he did not hack the mainframe computers of a local IT company
Facebook stupidity leads to largest gang bust in NYC history (Naked Security) Kids can be street-smart and Facebook-stupid, to paraphrase how Vice News put it
Guccifer Hacker Who Hacked Bush and Colin Powell Sentenced to Four Years in Prison (HackRead) Guccifer, the hacker who gained notoriety for breaking into the emails of former US president George W. Bush, Gen. Colin Powell, entertainment celebrities and some government officials, has been sentenced to seven years in jail by a Romanian court on Friday
Paris Hilton Hacker Heads Back to Jail (eSecurity Planet) If Cameron Lacroix's plea agreement is accepted by the court, he'll be sentenced to four years in prison