The CyberWire Daily Briefing for 6.12.2014
PLA hacking — from both the recently disclosed and attributed Putter Panda campaign as well as a resurgent APT 1 — leads the news and prompts discussion of differences between state-sponsored and criminal cyber operations. Cyber criminals tend toward the opportunistic: if you prove a harder target than your peers, they'll probably look for easier scores. State intelligence services display more focus, patience, and resources: carefully crafted infection vectors like Putter Panda's infrequently emerge from the black market.
The US and China continue their stare-down, with their respective national corporate champions seeing threats (US) and opportunities (China) in the marketplace.
Ukrainian media push back at Russian ambitions with what amount to citizen information operations.
Online betting shops fortify themselves in cyberspace as criminals seek World Cup marks. Anonymous defaces some Brazilian sites to protest the Cup's allegedly plutocratic matrix (and for some reason also goes after New York election commissioners).
Denial-of-service attacks seem to be on the rise. The ZeuS kit has evolved from its original banking fraud roots into a DDoS tool. Cloudflare is offering free DDoS protection to qualifying "citizen journalists and activists."
Twitter works to correct a Tweetdeck cross-site scripting vulnerability. Observers differ as to the episode's seriousness, but sensible precautions are surely in order.
Restaurant chain P.F. Chang's investigates an apparent paycard breach.
The recent takedown of GameOver ZeuS involved both extensive reverse engineering and collaboration among international police agencies, security companies, and universities. It was a valuable win, but it won't suppress the criminal market for long.
Notes.
Today's issue includes events affecting Australia, Austria, Brazil, Canada, China, Colombia, Denmark, Egypt, Israel, Luxembourg, Netherlands, Switzerland, Russia, Ukraine, United Arab Emirates, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Experts: CrowdStrike China Hacker Report Raises Red Flags For Business (Dark Reading) The second report on China's hacking teams supports Department of Justice's accusations, offers insight on Chinese attackers
China Based Espionage Group Putter Panda Revealed to be Behind Recent US Cyberspace Attack (International Business Times) US security researchers have uncovered the cyber espionage group behind the recent cyberspace attack that targeted various energy and manufacturing sector companies in the United States
US Cyberfirm: China Military Continues Hacking After US Indictment (Voice of America) A well-known cyber security firm says the Chinese military unit at the center of recent U.S. cyber spying charges is continuing to carry out hacking activities
Can Ukraine Win Its Information War With Russia? (The Atlantic) Scrappy news outlets are emerging in Kiev to counter the Kremlin
Anonymous World Cup Protest Campaign Kicks Off as Brazilian Government Websites Defaced (International Business Times) An Anonymous-led online protest targeting the Brazilian government and sponsors of the 2014 World Cup has kicked off with multiple websites defaced by the hacktivist group
Anonymous Hacks New York's Board of Elections Website Against Brazil Football World Cup (HackRead) Anonymous, the hacktivist collective, compromised the New York State Board of Elections official website recently to protest against the FIFA World Cup starting from tomorrow in Brazil. The hacktivists are protesting against the reported human rights abuses in Brazil, most of which were associated with the ongoing preparation for the World cup
World Cup 2014 fans are not the only ones with their eye on the ball (Help Net Security) The World Cup 2014 championship has begun and like most major sports events, employees are browsing websites to check the latest scores, watch streaming live games and chat with their peers about the latest updates. Sports-related websites receive a lot of traffic during large events like these creating a prime opportunity for advertisers to post campaign banners and watch the cash roll in
Anonymous Denmark targets Socialist Party (SF) for signing Internet surveillance bill (HackRead) The online hacktivist Anonymous has targeted Denmark's political party (Socialistisk Folkeparti, SF in Danish language) for signing and passing mass Internet surveillance bill from the parliament yesterday. Despite criticism from experts and human rights organizations, the Danish parliament approved a bill that will allow the government to keep track of users' activity on the Internet
Zeus Used to Mastermind DDoS and Attacks on Cloud Apps (InfoSecurity Magazine) Prolexic warns that infamous crimeware kit is being customized for use in variety of scenarios
TweetDeck Taken Offline After XSS Flaw Hits Users (InfoSecurity Magazine) Problems seem to have stemmed from a 19-year-old Austrian who wanted to tweet a heart symbol
An innocent bot could have unwittingly spread a virus around Twitter (Quartz) Less than an hour after it was posted, this tweet had been retweeted by over 36,000 people
TweetDeck wasn't actually hacked, and everyone was silly (ZDNet) Twitter's popular account management service TweetDeck got nailed by the public discovery of a cross-site scripting vulnerability that not only replicated itself, but managed to make the security issue into a hilarious comedy of errors
TweetDeck Hacked—Panic (And Rickrolling) Ensues (Wired) TweetDeck, the popular application for managing Twitter feeds that is operated by Twitter itself, announced that it was temporarily disabling its service after a number of accounts were affected today by hackers who exploited a vulnerability in the service
XSS Flaw In TweetDeck Leads To Spread Of Potential Exploits (Dark Reading) Twitter unit fixes cross-site scripting problem, but not before many users spread vulnerable scripts with their tweets
Tweetdeck has an XSS flaw. Here's what you should do right now (Graham Cluley) A potentially serious security flaw has been found in Tweetdeck, a popular Twitter client
Air-Gapped Networks Can Be Hacked from Afar (Softpedia) Breaching air-gapped networks is not new, but researchers at Ben Gurion University discovered that an attack can be devised using a mobile phone placed in close proximity to the target system
Windows Security Feature Abused, Blocks Security Software (TrendLabs Security Intelligence Blog) We recently discussed the latest attacks affecting users in Japan that were the works of the BKDR_VAWTRAK malware. This malware family combines backdoor and infostealer behaviors and had just added the banking credentials theft to its repertoire
Gmail Bug Could Have Exposed Every User's Address (Wired) Until recently, anyone may have been able to assemble a list of every Gmail account in the world. All it would have taken, according to one security researcher's analysis, was some clever tweaking of a web page's characters and a lot of patience
P.F. Chang's Restaurant Chain May Be The Latest Victim Of A Credit Card Breach (Reuters via Business Insider) P.F. Chang's China Bistro is investigating claims of a data breach involving credit and debit card data stolen from restaurant locations in the United States, the Asian-themed casual dining restaurant chain said on Tuesday
Will PF Chang's data breach speed EMV? (FierceRetailIT) Many banking and security professionals would argue that the P.F. Chang's credit card data breach discovered on June 10 is a reason for quick EMV migration in the U.S. However, others say EMV is not the be-all, end-all for retail fraud
Death by a thousand packets (CSO) Last night some negative actors (or bored teenagers) were hard at work launching distributed denial of service attacks against the popular note taking site, Evernote and the RSS aggregator, Feedly
Was Heartbleed really that critical? Here's why it wreaked havoc across the IT community (Secunia Blog) Secunia Research classifies vulnerabilities by rating the severity of vulnerabilities from 1: "not critical" to 5: "extremely critical." Going by the PR Heartbleed received, you would be excused for thinking that what we were dealing with here was, indeed, "extremely critical." But it was not, as vulnerabilities go. That rating we use for "remotely exploitable vulnerabilities that can lead to system compromise. Successful exploitation does not normally require any interaction and exploits are in the wild"
FCC Denies Hackers Took the Site Down Last Week (Softpedia) The FCC's site went down last week, and despite what everyone thought, the group denies that it was a hacker attack that affected the site
Fake Sage accounting invoice email spreads malware (Graham Cluley) Those awfully nice people at Sage (a producer of popular accounting software) have been in touch, to let me know that I need to make a bank transfer… and the deadline is today!
Official website of Sky News Egypt Hacked by Arab Hacker (HackRead) A hacker going with the handle of "The BLuE" has hacked and defaced the official website of Sky News Egypt today. The BLuE hacker claims he is from United Arab Emirates (UAE) and reason behind defacing the Sky News website was nothing else but a challenge given by a friend. Hacker left a deface page along with
Cryptolocker cyber threat: Stroud woman Jo's laptop is taken over by international virus demanding money (Stroud News and Journal) Computer users are being urged to guard their systems against cyber attack after a Stroud woman became the latest victim of the international Trojan Horse virus Cryptolocker
Security Patches, Mitigations, and Software Updates
Cisco Fixes XSS Vulnerability in AsyncOS Management Interface (SecurityWeek) Cisco has addressed a cross-site scripting (XSS) vulnerability affecting the Web management interface of Cisco AsyncOS, the operating system used for some of the company's security appliances
Metasploit now includes module to exploit CVE-2014-0195 (OpenSSL DTLS Fragment Vulnerability) (Internet Storm Center) The latest release of Metasploit released today includes a module to ease exploitation of CVE-2014-0195. This vulnerability in the DTLS implementation of OpenSSL was patched last week and didn't get the attention the MitM vulnerability got that was patched at the same time. It is absolutely critical that you patch and/or firewall your DTLS services. This is complicated by the fact that many of them are part of embedded devices like routers and switches (SNMPv3) or VoIP systems. Your web servers are NOT affected by this
BIND Security Update for CVE-2014-3859 (Internet Storm Center) BIND has released a security update (CVE-2014-3859) for versions 9.10.0-p2, 9.9.5-p1, 9.8.7-p1. The update is available for download
iOS 8 will randomize devices' MAC address to increase privacy (Help Net Security) The next major release of Apple's iOS mobile operating system will include an important change: when local wireless networks scan for devices in range, devices running iOS 8 will provide random, locally administrated MAC addresses
Google End-to-End: The encryption silver bullet? (Help Net Security) The world seems to be turning its attention to the notion of data encryption, and Google is the latest to jump on the bandwagon. On June 3rd, Google announced that it would be offering a Chrome extension called End-to-End that provides end-to-end encryption of email. Comcast immediately followed with an announcement that they were aggressively pursuing adding encryption to email
How apps and extensions affect your browsing (Help Net Security) Google has announced the newest version of the Chrome Apps & Extensions Developer Tool, which helps developers debug apps and extensions, and power users to see which extensions ask for broad permissions that allow them to access sensitive data such as browser cookies or history
Cyber Trends
The Promise of a New Internet (Nextgov) People tend to talk about the Internet the way they talk about democracy—optimistically, and in terms that describe how it ought to be rather than how it actually is
Who Needs Heartbleed When Many Dot-Govs Don't Even Encrypt Communications? (NextGov) More than a quarter of federal websites are not properly configured with software to prevent intruders from intercepting data entered by citizens, according to a new study. Federal sites in general scored 10 percent lower than online banking services and social media networks at site security and server configuration, researchers at the Online Trust Alliance discovered
Network Rail: Cyber security will be 'major issue' as business goes digital (ComputerWorld) Rail operator expects increased risk as internet of things takes hold
Oil and gas assets at high risk of cyber attack (FierceSmartGrid) New infrastructure development in the oil and gas industry and the growing threats to the security of critical oil and gas assets are encouraging end users to invest in security solutions, according to research from Frost & Sullivan. Plant owners are particularly interested in security products, services, and solutions that can detect and delay threats and are able to employ cutting-edge innovation and technology
Cyber threat 'impossible to avoid' (Risk.net) Financial institutions must accept that cyber attacks are inevitable and make allowances for their occurrence, OpRisk Europe conference heard yesterday. Also, banks must continue to vet third-party suppliers
Security Needs Evolve as Computing Leaves the Office (New York Times) Five years ago, people still spoke of cloud adoption as if they had a choice
Cyber Threat Landscape: Basic Overview and Attack Methods (Recorded Future) The flourishing synergy between the internet and its beneficiaries, who use it with varying identities, for various intentions and purposes, has had a noticeable impact on the overall outlook of the global cyber threat landscape
Cyber Threat Landscape: Attackers and Operations (Recorded Future) In 1996, a group of RAND researchers published a seminal book on the then alien concept of "netwar." They introduced and defined the term as an "emerging mode of conflict (and crime)" in which actors rely on small teams lacking a "precise central command" or a rigid hierarchy (Arquilla and Ronfeld, 1996)
Cyber Threat Landscape: Forecast (Recorded Future) According to United Nations Office on Drugs and Crime's (UNODC) Comprehensive Report on Cyber Crime (2013), in 2011, at least 2.3 billion people, the equivalent of more than one third of the world's total population, had access to the internet. Over 60% of all internet users are in developing countries, with 45% of all internet users below the age of 25 years
Marketplace
ZTE sees opportunities in cyber-security business on mainland (South China Morning Post) Beijing's cyber-spying concerns over foreign services present opportunities for domestic players as the technology gap narrows
Should Microsoft, Cisco, and IBM Be Worried About China? (The Motley Fool) Tensions between the United States and China have been growing over accusations that the countries are using tech companies for cyber espionage. The U.S. recently charged five Chinese military officials with hacking into various American companies to steal trade secrets, and the government has been suspicious of Chinese tech giant Huawei for years. The United States, as it turns out, has been spying on Huawei, and it was recently reported that the NSA has been intercepting some networking hardware and installing surveillance equipment before sending it on its way
Meeting with Putin, Industry Leaders Ditch Users on Digital Rights (Global Voices) At a highly anticipated meeting today, Vladimir Putin spoke to Yandex's Arkady Volozh, Mail.ru's Dmitri Grishin, and others — all Internet industry leaders who stand to lose huge sums of money if the Kremlin's Internet crackdown causes Russian consumers to take their business to foreign competitors like Google. The "Internet Entrepreneurship in Russia Forum" was organized by the Agency for Strategic Initiatives — a non-profit organization Putin created in May 2011, ostensibly to cut red tape for new businesses
SourceClear Launches to Redefine Security for Developers (Fort Mill Times) SourceClear, the company creating a modern software security platform for developers, today announced it has closed $1.5 million in seed funding for the SourceClear platform, which is turning traditional software security inside-out. With general availability in the coming weeks, SourceClear empowers developers with the intelligence to make smarter decisions while they're building software, ensuring organizations gain complete visibility across their software portfolios. The platform integrates directly into established development tools, is armed with machine-learning capabilities and leverages 'big data' analytics
Exabeam Raises $10 Million For Network-Tracking Security Software (TechCrunch) Security software developer Exabeam has raised $10 million in a Series A round of financing to protect businesses from the latest kinds of hack attacks
FireMon's Momentum Drives Majority Investment From Insight Venture Partners (MarketWatch) FireMon, the top provider of proactive security intelligence solutions, today announced that Insight Venture Partners, a leading global private equity and venture capital firm, has acquired a majority interest in the company. Specific terms of the deal were not disclosed
DigiCert Selected to 2014 Online Trust Alliance Honor Roll (MarketWatch) In naming DigiCert to the prestigious list for the third straight year, OTA recognizes the global security company's leadership role in developing, advocating and following best practices
NetCitadel, Now Known as Proofpoint, Named a Finalist in the 2014 Hot Companies and Best Products Awards by Network Products Guide (MarketWatch) Winners will be honored in San Francisco on June 23, 2014
Austin Startup SparkCognition Wins IBM Innovate App Throwdown 2014 Competition (Digital Journal) SparkCognition, the world's first Cognitive Security Analytics company, announced that it has won IBM's Innovate App Throwdown 2014 competition for the most innovative software application in the Linux on Power ecosystem
FireEye's cybersecurity unit sets up local HQ (CRN) Mandiant is setting up shop in Australia following January's $1 billion acquisition by FireEye, with a new country manager already onboard and more staff on the way
Corero appoints new chief technology officer (Education Investor) Corero Network Security has appointed a new chief technology officer and vice president of product. David Larson, previously Hewlett-Packard's chief technology officer, will direct the firm's technology and product strategy as it expands its cyber security software
Target Names Its First CISO (BankInfoSecurity) Target Corp. has chosen the former leader of information security at General Motors and General Electric as its first CISO. The move comes in the wake of a massive data breach last year that exposed 40 million credit and debit card accounts and the personal details of 70 million customers
Products, Services, and Solutions
Troubled Truecrypt the ONLY OPTION for S3, but Amazon stays silent (The Register) No noise from web warehouse as hacking rumours fly
Is TrueCrypt pining for the fjords? (Naked Security) As Monty Python famously opined in the Parrot Sketch from Monty Python's Flying Circus, no amount of jostling, explanations or hopeful wishes will bring back something that is well and truly dead
CloudFlare Teams Up With 15 NGOs To Protect Citizen Journalists And Activists From DDoS Attacks (TechCrunch) A lot of political speech now happens online, but that also makes it very vulnerable to DDoS attacks from those who don't agree with a given viewpoint. Many of these sites are hosted by individual journalists (and citizen journalists, if you want to make that distinction) and artists, who likely don't have the infrastructure and knowledge to protect themselves against these attacks
Rambus Cryptography Research Division Unveils CryptoManager™ Secure Feature Management Platform (MarketWatch) Rambus Inc. (NASDAQ:RMBS) today announced the CryptoManager™ platform, a feature management solution developed by the Rambus Cryptography Research (CRI) division. The CryptoManager platform consists of both a Security Engine and an Infrastructure suite that can dramatically improve efficiency and security during the manufacturing process. As lead customer, Qualcomm (see related release also issued today) is integrating the CryptoManager Security Engine into select SoCs and adopting the Infrastructure suite as part of its overall manufacturing process
Tufin Launches Global Customer Forum Event Series (Digital Journal) Forums to Provide Opportunity for Customers to Engage with Company Experts, Hear Best Practices and Learn about Upcoming Product Releases
eMazzanti Technologies Announces Availability of Integrated Wired and Wireless Network Security (Digital Journal) eMazzanti Technologies, a Hoboken, New Jersey and New York City area IT expert, computer consultant and 5 X WatchGuard Partner of the Year, announced today that a recently released security operating system from WatchGuard Technologies that integrates wired and wireless network security will immediately be made available to eMazzanti's customer base
Best Antivirus for Windows XP? Microsoft Security Essentials vs AVG vs Avast (Gamer Headlines) Protecting your Windows is crucial, especially if you're still running Windows XP, an outdated Windows that many users still tend to use, mainly because of software limitations only a XP OS's. Today we go over which antivirus is best to use for your Windows XP operating system; we're merely guiding you which one to go with, the choice is always up to you which you think is best
Technologies, Techniques, and Standards
Evernote's Cybersecurity Collapse And 3 Business Steps You Must Take Now (Forbes) A total collapse of network security at Evernote, which prevented all of its 100 million note taking customers from logging in and temporarily destroyed the company's ability to operate, demonstrates a growing DDoS cyber war that businesses must learn how to win
Effective Two-Factor Authentication From The Cybersecurity Silver Lining Playbook (Information Security Buzz) One of the silver linings of the Heartbleed hoopla was that it brought much needed attention to the vulnerability of online security and made a rising star out of the solutions that help combat security breaches, specifically two-factor authentication (2FA)
CIO Interview: Betfair's Michael Bischoff on making IT ready for Fifa World Cup (ComputerWeekly) Today is a big day for online bookmaker Betfair — it is the first day of 20th Fifa World Cup. CIO Michael Bischoff is confident that Betfair's IT infrastructure is ready to provide betting and sportsbook services to even more customers than before
How sandboxes benefit network protection and malware defense (TechTarget) A top security industry vendor recently announced a sandbox appliance for advanced threat protection. Can you please explain what these appliances are and in what scenarios they offer value to an enterprise?
Is your data already out there? (Help Net Security) CIOs cannot underestimate the creativity of online organized criminals to quietly penetrate their IT systems through a growing area of vulnerability: employees and vendors, according to 360 Advanced
Easy Things Are Often the Hardest to Get Right: Security Advice from a Development Manager (White Hat Security) I'm not a security guy. I haven't done much hands-on software development for awhile either. I'm a development manager, project manager, and CTO, having spent much of my career building technology for stock exchanges and central banks. About six years ago I helped to launch an online institutional trading platform in the US, where I serve as the CTO today. The reliability and integrity of our technology and operations are critically important, so we worked with some very smart people in the info sec community to make sure that we designed and built security into our systems from the start
Why database monitoring may, or may not, secure your data (CSO) A majority of IT security pros believe that continuous monitoring of the database network is the best approach to prevent large-scale breaches like the ones that occurred at retailers Target, Michaels and Neiman Marcus, a study showed
Design and Innovation
NI Demonstrates Cyber-Physical Systems at the SmartAmerica Challenge (MarketWatch) NI is working with major companies and universities to show the potential of a smart emergency response system and an interconnected energy system
NSA Playset invites hackers to 'play along with the NSA' (ZDNet) Inspired by the NSA's ANT Catalog of spyware and surveillance tools, the collaborative NSA Playset project aims for easy, at-home creation of the NSA's spy-tools arsenal — silly names encouraged
Research and Development
Guarding against 'Carmageddon' cyberattacks (Eurekalert) The potential value of turning the nation's freeways into "smart transportation systems" is enormous. Equipping the nation's concrete arteries with a nervous system of computers and sensors that directly control on-ramp signals to keep traffic moving smoothly can substantially reduce travel times, fuel consumption and air pollution, not to mention improve road safety. In California alone the economic penalty of traffic congestion has been estimated at $400 million in extra costs and $3.5 million in lost wages every day
DARPA's Plan X Uses New Technologies to 'See' Cyber Effects (American Forces Press Service) Three years after the Defense Department named cyberspace a new domain of warfare, the Defense Advanced Research Projects Agency is unveiling technologies that soon could make it possible for military leaders and warriors to plan and execute real-time cyber missions in a territory charted so far only by machines
Academia
University of Michigan to Open Robo Car Urban Test Track in the Fall (IEEE Spectrum) How do you test the city-driving worthiness of a self-driving car without subjecting a city to the risk of a robot run amok? Build a test city. Last week, researchers at the University of Michigan announced that they are in the process of doing just that
Legislation, Policy, and Regulation
Theresa May admits government has failed to win public's support for surveillance (The Guardian) Home secretary admits that individual privacy has become 'a much more salient question' following Snowden revelations
House Intel Chairman: US Getting Past 'Emotional Phase' of Snowden Disclosures (DefenseNews) While emphasizing that the cyber threat continues to be grave, US House Intelligence Committee chair Rep. Michael Rogers, R-Mich., said Wednesday that the public is moving beyond the immediate upset that surrounded the Edward Snowden disclosures, and that careful work is now underway to make "adjustments" to surveillance programs
CIA Uses Its First Public Conference to Stress Value of Human Sources (Government Executive) The nation's oldest spy agency remains relevant in the digital age, CIA Director John Brennan told an academic conference on Wednesday, saying his team "still provides intelligence and analysis that social media and foreign partners cannot because nothing can replace the insight that comes from a well-connected human source"
Separate cyber force not needed, says Navy official (FierceGovernmentIT) While the Defense Department has grown fond of referring to cyberspace as the new, fourth operational venue — along with sea, air and land — it does not warrant its own, independent branch of the armed services, said Vice Adm. Ted Branch, director of Naval Intelligence
Apple to FDA: There's a 'moral obligation' to do more with health sensors (FierceMobileHealthcare) Apple officials said the IT industry may have a "moral obligation" to "do more" with health sensors and other similar devices in a conversation held in December with U.S. Food and Drug Administration officials
Indianapolis plans citywide cyber-defense shield (6ABC: The IndyChannel) Public safety officials are constantly working to protect the city's critical infrastructure, and now that effort will be made to include the city's business community
Litigation, Investigation, and Law Enforcement
US Appeals Court rules warrantless phone location tracking is illegal (ZDNet) A panel of appeals judges has ruled that police must obtain a warrant before collecting cellphone location data, adding further weight to the pro-privacy argument
Microsoft challenges U.S. demand to turn over emails held overseas (InfoWorld) U.S. government's demands for private emails held in Dublin, Ireland, could spook customers abroad from using U.S. companies' cloud services
Prosecutors arrest Zuluaga 'peace talks hacker' less than 24 hours after release (Colombia Reports) A campaign worker of hard-line candidate Oscar Ivan Zuluaga was arrested on Tuesday, less than 24 hours after a judge ordered his release claiming there was not enough evidence to hold the suspect on allegations he spied on Colombia's ongoing peace talks with rebel group FARC
Gameover Zeus and Cryptolocker are a warning (ComputerWorld) Relief looks like being temporary
FBI Shutdown of Virus Demanded New Anti-Hacker Tactics (Bloomberg) Dismantling one of the world's most insidious computer viruses required complex and fast-paced tactics that will be the blueprint for U.S. law enforcement's future cyberbattles. By the time authorities claimed victory over Gameover Zeus last week, they had reverse-engineered how the virus communicated, seized command-and-control servers overseas and engaged in cyber battle with the hackers to keep them from re-establishing contact with their fast evaporating network
Cyber Chaos (UPI) Cybercrime has taken a huge chunk out of the US and allied economies, here's how
Nowhere to hide: The reign of cyber criminals is coming to an end (InfoWorld) Law enforcement is catching the modern-day Bonnies and Clydes on a regular basis
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
Global Summit on Computer and Information Technology: The summit is hosting multiple conferences in different areas of Computer & Information Technology. CIT is a major platform for researchers and industry practitioners from different fields of computer and information technology promising multidisciplinary exchanges in computer and information technology. We are attracting many high quality research papers spanning over the various aspects of information technology, computing science and computer engineering. Such research highlights foundational work that strives to push beyond limits of existing computer technologies, including experimental efforts, innovative systems, and investigations that identify weaknesses in existing IT services.
NRC Cyber Security Seminar/ISSO Security Workshop (Bethesda, Maryland, USA, Jun 16, 2014) NRC will be hosting its second NRC Semi-Annual All-Hands ISSO Workshop. This workshop will consist of computer security policy, standards, cybersecurity, guidance, FISMA compliance, and training updates. The event will be promoted agency-wide. Exhibit tables will be set-up just outside the Auditorium and companies will have the opportunity to demo their latest technologies to NRC's IT personnel. A complete agenda will be posted once all speakers are confirmed.
2014 Spring National SBIR Conference (Washington, DC, USA, Jun 16 - 18, 2013) SBIR/STTR programs are the nation's largest source of early stage / high risk R&D funding for small business. At this conference you'll learn how to participate and compete for funding in these two programs that encourage small businesses to engage in Federal Research/Research and Development (R/R&D) and to commercialize your technological innovations.
18th Annual Colloquium for Information Systems Security Education: The Colloquium recognizes that the protection of information and infrastructures that are used to create, store, process, and communicate information is vital to business continuity and security. The Colloquium's goal is to work together to define current and emerging requirements for information assurance education and to influence and encourage the development and expansion of information assurance curricula, especially at the graduate and undergraduate levels.
MeriTalk's Cyber Security Brainstorm (Washington, DC, USA, Jun 18, 2014) This second annual event will take place on Wednesday, June 18, 2014 at the Newseum in Washington D.C. The event will bring together Federal cyber security experts to share best practices, collaborate on challenges, and discuss what is needed for the future of cyber security. This year's program will begin with a keynote from White House Federal Agency Cybersecurity Director John Banghart, followed by panel sessions on continuous diagnostics & mitigation (CDM), data breach, and identity management.
Suits and Spooks New York Not another hacker conference. Suits and Spooks is a unique gathering of experts, executives, operators, and policymakers who discuss hard challenges in a private setting over two days. Suits and Spooks New York will return to Soho House on October 2-3, 2014. Stay tuned for our speaker list and agenda coming this summer.
SANSFIRE (Baltimore, Maryland, USA, Jun 21 - 30, 2014) For more than 10 years, the Internet Storm Center has been providing free analysis and warning to our community. SANSFIRE 2014 is not just another training event. It is our annual "ISC Powered" event. It taps into the expertise behind our daily postings, podcasts, and data collection efforts by offering evening events focusing on current trends and actual relevant threats. The strength of the Internet Storm Center is its group of handlers, who are network security practitioners tasked with securing real networks just like you. This is your chance to meet some of them in person.
26th Annual FIRST Conference (Boston, Massachusetts, USA, Jun 22 - 27, 2014) The Forum of Incident Response and Security Teams (FIRST) is a global non-profit organization dedicated to bringing together computer security incident response teams (CSIRTs) and includes response teams from over 240 corporations, government bodies, universities and other institutions spread across the Americas, Asia, Europe and Oceania. The annual FIRST conference provides a setting for conference participants to attend a wide range of presentations delivered by leading experts in both the CSIRT field and from the global security community. The conference also creates opportunities for networking, collaboration, and sharing technical information and management practices. The conference enables attendees to meet their peers and build confidential relationships across corporate disciplines and geographical boundaries. FIRST conference participants include not only CSIRT staff, but also IT managers, network and system administrators, software and hardware vendors, law enforcement representatives, security solutions providers, telecommunications organizations, ISPs, and general computer and network security personnel.
Gartner Security & Risk Management Summit 2014 (National Harbor, Maryland, US, Jun 23 - 26, 2014) The Gartner Security & Risk Management Summit is the only time when the entire Gartner analyst and security and risk management community come together in one location to bring the latest research, insights and forward-thinking perspectives.
AFCEA International Cyber Symposium (Baltimore, Maryland, USA, Jun 24 - 25, 2014) National security is continuously being redefined as awareness of the cyberspace domain evolves. Cyber threats and challenges grow every day. Successfully defending our networks requires a team approach. With this in mind, the AFCEA International Cyber Symposium will engage the key players, including the U.S. Government, the International Community, Industry and Academia, to discuss the development of robust cyberspace capabilities and partnerships. The operational theme "Cyber Awakening: Protecting a Nation's Cyber Security" will explore the aspects of operational security of U.S. Government, DoD and Industry Networks, cyber cooperation among Joint and Coalition partners, and discuss the training and development of the cyber workforce.
United Nations Interregional Crime and Justice Research Institute Cyber Threats Workshop (Turin, Italy, Jun 27 - 29, 2014) The United Nations Interregional Crime and Justice Research Institute (UNICRI) is organizing a series of workshops and short courses within the framework of the UNICRI Journalism and Public Information Programme, a unique international programme tailored for journalists, chief information officers and students who want to specialize in public information and journalism. The programme aims at deepening knowledge of emerging security threats.