The CyberWire Daily Briefing 06.13.14

Cyber Trends

M&A Activity Makes Companies Cyber Targets (Wall Street Journal) Companies involved in merger and acquisition deals are a target for data thieves who may try to exploit employee confusion to gain access to internal systems. FireEye Inc., a Silicon Valley maker of security software, released case studies Thursday, culled from its experience investigating breaches relating to M&A deals

Report: Slow Detection, Slow Response (Dark Reading) More than one-third of data breaches aren't detected for hours, and recovering from a breach takes anywhere from days to months, a new survey says

When chatbots could become a real security threat (CSO) As the conversation programs become better at imitating real people, they could morph into a serious threat to companies

Authentication innovation, identity and credential management (Help Net Security) In this interview, Richard Parris, CEO of Intercede, talks about how the digital world has shaped our identity, the main catalyst behind authentication innovation as well as key issues you have to deal with when implementing identity and credential management

Why online tracking is getting creepier (Ars Technica) Online marketers are increasingly trying to track users offline as well

Information Risk Maturity Index Says We're Aware But Not Ready (Dark Reading) A new study from PwC and Iron Mountain shows that businesses are having trouble balancing the need for data insight and the need for data security

With the Americas running out of IPv4, it's official: The Internet is full (Ars Technica) Where did all those IP addresses go?

Legislation, Policy and Regulation

Guest Post: The Foreign Intelligence Surveillance Court: Is Reform Needed? (Just Security) With the advent of the Edward Snowden leaks commencing in June 2013, much has been written about Snowden and the United States intelligence community. This short blog post examines one of the only proposals to emerge that would constitute systemic procedural change, namely the creation of a special advocate or institutional amicus system before the Foreign Intelligence Surveillance Court — the FISC (hereafter referred to as a "special advocate" reform, for ease of reference). Such a system would be beneficial for both substantive and procedural reasons. A recently passed House bill, which merely keeps the status quo by permitting the court to appoint an amicus — a power it has now — falls short of what is needed

The Facebook War (Slate) Would taking down the social network justify a real-world attack?

House Intel chief 'extremely optimistic' on cyber bill's chances (The Hill) The head of the House Intelligence Committee thinks the odds are good that the Senate will pass a long-delayed cybersecurity bill this year

Former NSA director backs House bill to rein in spy agency (Washington Times) The head of the government's civil liberties protection board said Thursday that its classified review of the NSA's collection of Americans telephone records didn't turn up any evidence of abuses — but both he and the man who lead the National Security Agency's program said it's still time to end bulk collection

Liberty vs. security in post-9/11 world (Washington Times) Are the threats so great as to require sacrificing our rights, freedoms?

Sen. Franken's anti-stalking bill could restrict location-based mobile advertising (FierceMobileIT) Privacy is good, right? Not for mobile advertisers

DoD Bolstering Cyber Warfare Capabilities in at Risk Nations (USNI News) The Pentagon's cadre of cyberwarriors are working to bolster cyberwarfare capabilities of individual countries, tagged by the Defense Department as being particularly susceptible to cyber attacks

NSA Chief: Military Not Organized for Cyber Warfare (National Defense) The U.S. military's hidebound culture and outdated procurement system are slowing down efforts to improve cyber defenses against increasingly sophisticated network attacks, said Navy Adm. Michael S. Rogers, director of the National Security Agency and head of U.S. Cyber Command

Cyber Policy Chief Shares Perspective on Mission (American Forces Press Service) Teamwork, balancing between opportunity and risk, and transparency of intent are the keys to U.S. efforts in the cyber domain, the acting deputy assistant secretary of defense for cyber policy said today

US cyber official: Treat IT architecture as a weapon (Defense Systems) If the Defense Department wants to improve cybersecurity it needs to get a handle on its IT infrastructure and start treating it more like a weapons system, the U.S. Cyber Command's former deputy commander said this week

Products, Services, and Solutions

Blackphones coming in three weeks, will ship in millions, backers say (ComputerWorld) Carriers in Europe and the Americas have committed to selling the secure handset, Silent Circle and Geeksphone say

Twitter nabs top honors in security, privacy audit (CNET) Group that includes Symantec, VeriSign, and Microsoft tags Twitter tops among 800 websites for user protection, security

Chrome Perfected: Fast, Massively Secure and Gloriously Private (1/2) (Bromides on Infrastructure) Bromium or Chromium? The right answer is both. Chrome users have an almost religious passion for their browser, whose rapid ascent threatens to eclipse IE. Bromium's micro-virtualized Chrome substantially surpasses Google's own vision, delivering fast, massively secure and gloriously private browsing. Micro-virtualization delivers superior security, and its granular, task-centric isolation preserves the Chrome user experience while rigorously protecting user privacy — something that no browser has ever achieved before

Check Point releases software-defined protection security architecture (BusinessDay) Check Point Software Technologies Limited, the worldwide leader in securing the internet, says it has introduced Software-defined Protection (SDP), a revolutionary security architecture that can protect organisation in today's fast-evolving IT and threat landscape. Software-defined Protection offers modern security today that can effectively protect against tomorrow's threats, through a design that is modular, agile and most importantly, secure

ESET launches new and improved mobile protection for Android (CiOL) ESET has announced the availability of the enhanced ESET Mobile Security in Asia Pacific

Tenable Integration with ThreatGRID Enhances Detection of Persistent Malware (Fort Mill Times) Tenable Customers Gain Access to ThreatGRID Content that Enriches Log Data enabling them to more quickly and accurately defend against advanced threats

Lockheed Martin Earns NSA Cyber-Response Accreditation (HS Today) Lockheed Martin's Cyber Incident Response Assistance (CIRA) program earned accreditation from the National Security Agency's (NSA) Information Assurance Directorate (NSA/IAD), becoming one of the first federally-recognized companies to help organizations respond to cyberattacks

Mission impossible? Malwarebytes invents software that blocks zero-day attacks (TechWorld) Can this software end the tyranny of zero-day attacks?

HP Atalla Tackles Encryption in the Post-Snowden Era (eSecurity Planet) The need for encryption now is greater than ever

Technologies, Techniques, and Standards

Life after XP: a survival guide (Trend Micro Simply Security) April 8, 2014 marked the end of an era: the day when Microsoft withdrew support for its hugely successful Windows XP operating system for good. Statistics show that, despite declines of late, the OS is still extremely popular. In fact, it still has a market share of around 25% globally, a figure which has changed only slightly since April 8. It's true that some organizations need to stick with XP because of third-party app support reasons, and Trend Micro can help these firms, more of which I'll share later. The problem for those who refuse to migrate onto a newer system, however, is that they're unnecessarily exposing themselves to a much higher risk of infection

NIST Guide Targets Supply Chain Risks (GovInfoSecurity) Breaking down silos should help organizations mitigate vulnerabilities introduced into their systems from the information and communications technology supply chain, says the co-author of revised guidance being drafted by the National Institute of Standards and Technology

Heartbleed still matters, and we're all partly to blame (ComputerWorld) Extremely weak passwords make us vulnerable, but there are ways to create passwords you'll remember and yet are hard to crack

Why You Need to Allow Your IT Systems to Be Hacked (by the Good Guys) (IT Business Edge) If you were to give permission for an ethical hacking team to try to penetrate your systems, how difficult do you think it would be for the team to get in? According to one IT security expert who specializes in this sort of penetration testing, it would likely be a walk in the park

Not challenging DoD network resilience delusional, says CYBERCOM official (FierceGovernmentIT) When Lt. Gen. Jon Davis, deputy commander for Cyber Command, arrived at CYBERCOM the focus was on keeping networks operational, not on challenging the network's resilience to an advanced persistent threat

Leaking Trade Secrets: A Conversation with Michael Schrenk (Cyveillance) Cyveillance was recently lucky enough to chat with business intelligence specialist, author, and developer Michael Schrenk in advance of his upcoming DEF CON talk, "You're Leaking Trade Secrets." Read on for a first glimpse at his lecture and his thoughts on organizational secrets

Life after TrueCrypt (Help Net Security) While speculation continues around the fate of popular disk encryption software TrueCrypt, Sophos conducted a survey of over 100 IT professionals regarding their use of encryption. including TrueCrypt

Tool for creating booby-trapped PDFs made public (Help Net Security) Freelance security researcher Claes Spett has made available a tool he dubbed "PDF Exploit Generator," which allows penetration testers — but also malicious attackers — to create a booby-trapped PDF in a matter of minutes

Made any new friends lately? (Internet Storm Center) Earlier this week, we were testing the security aspects of an application that integrates with LinkedIn. Given that I do not own a LinkedIn account, I had to create one temporarily, to be able to test. I used a throw-away email address, and did not add any personal data, but I happened to connect to LinkedIn from the business where we were performing the work

Behind the Great Firewall: What it's really like to log on from China (ITWorld) Censorship in China affects many popular Internet services and websites, but there are ways to make do

Monitor DNS Traffic & You Just Might Catch A RAT (Dark Reading) Criminals will exploit any Internet service or protocol when given the opportunity. Here are six signs of suspicious activity to watch for in the DNS

Marketplace

Security and data center vendors renew focus on DDoS as attacks multiply (CiOL) The data center and mobile DDoS prevention segments are projected to maintain healthy double-digit CAGRs from 2013-2018

DHS readies next CDM task orders (Federal Times) The Department of Homeland Security is gearing up to issue new task orders for its Continuous Diagnostics and Mitigation program, ensuring that more agencies can obtain the necessary tools to improve the security and resilience of their networks

Korean Banks Subject to Spending Billions of Won on Every Expiration of Windows OS (Business Korea) Major Korean banks are actively seeking to strengthen security of automatic teller machines (ATMs), since most ATMs still run Windows XP. Microsoft's official support of the aging operating system (OS) ended as of April 8, and thus it has become more vulnerable to hacking or security attacks. However, the replacement of Windows XP with Windows 7 and the upgrade of the existing security solution for ATMs would cost a huge amount of money. Even with the upgrade, security problems cannot be solved completely. Therefore, Industry analysts are saying that it is necessary to come up with a measure that can fundamentally address the problem

Bank of England receives '7 or 8 cyber attacks a week', says CISO (CSO) Hires geopolitical analyst to bolster cyber security team

Exclusive: FireMon chairman says sale similar to past venture FishNet (Kansas City Business Journal) FireMon executive chairman Gary Fish says the company is following a similar strategy to that of his past venture, FishNet Security

Telefonica picks Kaspersky Lab for cyber-security services (Telecompaper) Kaspersky Lab has signed a cooperation agreement with Telefonica, to provide its customers in Europe and Latin America with cyber-security services

NICE Safe City Solutions Deployed in Glasgow to Bolster Security, Safety, and Operations Management (MarketWatch) NICE Systems (NASDAQ: NICE) today announced that the city of Glasgow is deploying its security solutions to enhance the community's safety and security infrastructure. The implementation, which includes NICE Situator and NiceVision for video management, will help the city strengthen its daily operations and streamline incident response

CounterTack named Cool Vendor Application and Endpoint Security (NewswireToday) For the third consecutive year High-Tech Bridge receives prestigious OTA Honor Roll award for demonstrating strong data protection, privacy and security in an effort to better protect the customers, partners and the brand

BAE Systems Applied Intelligence joins BBA to counter digital crime (Banking Business Review) BAE Systems Applied Intelligence is announcing that is has become an associate member of the British Bankers' Association (BBA), as part of a broader working partnership in which the two organisations will work together to counter the growing threat to the UK banking and financial services industry from cyber-enabled financial crime.

Turning Interns into Cyber Warriors (StateTech) Montgomery County, Md., is launching paid internships to build the local cybersecurity workforce

Panda Security Rewards Beta Tester of the Year With Up to $800 (Digital Journal) Panda Security, The Cloud Security Company, today announced the beta release of Panda Global Protection 2015, its comprehensive anti-malware solution for protecting the information and digital life of home computer users. The new version has more features and is lighter, more secure and more complete than ever before

Security Patches, Mitigations, and Software Updates

VMware Patches ESXI Against OpenSSL Flaw, But Many Other Products Still Vulnerable (Threatpost) While the group of vulnerabilities that the OpenSSL Project patched last week hasn't grown into the kind of mess that the Heartbleed flaw did, the vulnerabilities still affect a huge range of products. Vendors are still making their way through the patching process, and VMware has released an advisory confirming that a long list of its products are vulnerable to the latest OpenSSL bugs

Automatic updating of Android apps becomes riskier (Help Net Security) Google has made unwelcome changes to the way new app permissions are disclosed to users: no warnings will be shown if a new permission if is in the same category as an old one that has previously been accepted

Hot, Cold Reactions to New Google Play App Permissions (Threatpost) Google's revamped app permissions for Google Play are not being well received by Android users. Reddit threads are rife with adjectives such as "stupid" and "dangerous," primarily because Google's attempt to simplify permissions granted to automatically updated applications may in fact expose users to greater risk

Facebook to let advertisers see where you're surfing (Naked Security) Remember back in 2011, when Mark Zuckerberg dissed Google, Yahoo and Microsoft for following you around on the web, using browser cookies to collect a huge amount of information about who you are "behind your back"?

Apple's iOS 8 will help keep out Wi-Fi marketers and snoops, but not totally (Naked Security) A small change in iOS 8 will make privacy advocates happy, although it's going to be a tough pill to swallow for mobile marketers

Cyber Attacks, Threats, and Vulnerabilities

Fake, malicious World Cup-themed apps targeting Android users (Help Net Security) The 2014 FIFA World Cup in Brazil start today, and Trend Micro researchers have pointed out yet another thing that fans need to be careful about: fake and malicious versions of World Cup-themed apps

World Cup Attracts Online Betting Cyber Attackers (Online-Casinos) The world of the internet and online gambling is ripe for cyber attack as was recently witnessed by Cloud-based security service Incapsula. The attack designed to blackmail gaming providers was experienced by Incapsula which the firm says is becoming more common. The 100 gigabits per second distributed denial-of-service attack against an online gambling website client of Incapsula utilized more than five DDoS attack vectors

Online Extortion Rears its Head Prior to World Cup (Online-Casino) An advanced cyperattack was prevented at an online gambling website recently. Cloud-based security service Incapsula has fought off what is becoming an increasingly common cyber attack tactic designed to blackmail gaming providers. The 100 gigabits per second (Gbps) distributed denial-of-service (DdoS) attack against an online gambling website client of Incapsula utilized more than five DDoS attack vectors. Vectors used in the attack included an SYN flood, Large SYN flood, NTP amplification, DNS flood, and DNS amplification

Watch Out For Fake Versions of World Cup 2014 Apps (TrendLabs Security Intelligence Blog) The 2014 FIFA World Cup in Brazil is all but underway, and the fervor of such a prestigious and newsworthy event is already setting competing nations' populations on fire. Unfortunately, cybercriminals are getting into the mood too

Don't be a World Cup loser online: give football cyber-scammers the boot (The Guardian) Watch out for soccer-themed cybercrime, from phishing emails to malware-toting Cristian Ronaldo websites

Small businesses running cloud-based POS software hit with unique 'POSCLOUD' malware (SC Magazine) Attackers developed 'POSCLOUD' malware to compromise cloud-based POS systems used by small businesses. Unique malware targeting cloud-based point-of-sale (POS) software has been discovered by researchers with cyber intelligence company IntelCrawler

Banks: Credit Card Breach at P.F. Chang's (Krebs on Security) Nationwide chain P.F. Chang's China Bistro said today that it is investigating claims of a data breach involving credit and debit card data reportedly stolen from restaurant locations nationwide

P.F. Chang's Breach: Link to Target? (GovInfoSecurity) Restaurant chain P.F. Chang's China Bistro continues to investigate an apparent payments breach and subsequent payment card fraud. But several security experts and cyber-intelligence researchers say they believe the chain suffered a malware attack similar to those that compromised the point-of-sale networks of U.S. retailers Target Corp., Neiman Marcus and Sally Beauty Holdings Corp.. Other experts, however, say it's too soon to tell what the cause of the latest breach was, and whether it was linked to any previous breaches

A welcomed response, PF Chang's (Internet Storm Center) Krebs is running a story about the recent data breach that has happened to restaurant chain PF Chang's. As it so happens we decided to have lunch their today and I polled one of the managers if she had been briefed on the breach. She had been informed

Feedly reels from second DDoS attack, refuses to pay extortion money (FierceITSecurity) RSS reader Feedly is reeling from a second distributed denial of service attack and has been forced to shut down its service, the firm said in a blog

FCC DoSed into silence as John Oliver roused net neutrality trolls (Naked Security) Around about minute 11:05 of comedian John Oliver's viral, epic rant about net neutrality, he invites trolls to do what they do best: channel "that anger, that badly spelled bile", at the Federal Communications Commission (FCC) site's comments section

Zeus variant 'Maple' targets financial data of Canadian users (SC Magazine) A new Zeus variant called "Maple" improves upon a number of malicious capabilities familiar to fraudsters wielding the trojan

Versatility of Zeus Framework Encourages Criminal Innovation (Threatpost) A new report on the Zeus trojan's evolution shows that the malware was moved from harvesting online banking credentials to controlling botnets and launching distributed denial of service attacks attributes the evolution to the highly customized and incredibly versatile framework Zeus is today

Banking malware using Windows to block anti-malware apps (Ars Technica) BKDR_VAWTRAK is using Software Restriction Policies to restrict security software

Aviva mobile phones hit by third-party cyber attack (Post Online) Hundreds of Aviva staff were hit by a cyber attack on the insurer's mobile phone technology supplier last month

Xiaomi smartphones can wirelessly 'steal' bank card data: report (Want China Times (h/t Security Affairs)) Smartphones made by Chinese brand Xiaomi have been identified as a security threat for their ability to "steal" personal details from bank cards through wireless communication, reports the Nanjing-based Yangtse Evening News

TweetDeck bug resembles earlier MySpace 'Samy Worm', says researcher (FierceITSecurity) TweetDeck, a social media management tool for Twitter, was taken down on Wednesday for over an hour to fix a bug involving a cross-site scripting error, the Washington Post reports

A Day to Forget for Teen at Center of Tweetdeck Shutdown (Threatpost) The last 24 hours have been a sad, scary and frustrating time for an 19-year-old aspiring programmer in Austria who found himself smack in the middle of Wednesday's TweetDeck mess — all because of a Unicode heart

CryptoLocker ransom malware infected 2,000 users in Singapore (TechWorld) Clean up goes global

Advanced Mask cyber campaign ripped off 80s hacker tricks (V3) The Mask or Careto family of malware used tactics originally thought up by 80s and 90s hackers to infect government systems, according to Context Information Security

Advanced cyber attacks rely on privileged credential exploitation (Help Net Security) While new and sophisticated malware variants were continually developed to exploit systems in 2013, criminals, hacktivists and advanced attacks continue to do the most damage by exploiting privileged accounts

The state of GRX security (Help Net Security) Late last year, documents from Edward Snowden's NSA trove have revealed that Britain's GCHQ has mounted a successful attack against Belgacom (the largest telecom in Belgium) and its subsidiary BICS (Belgacom International Carrier Services), a Global Roaming Exchange (GRX) provider. Other GRXs have been targeted as well

Chinese counterfeiters are selling the iPhone 6 before it has even been released (Quartz) The release of Apple's iPhone 6 isn't expected for at least another two months. Yet, a former Taiwanese pop star has posted what he claims are photos of the phone on his blog (registration required). Meanwhile, merchants on China's largest e-commerce site Taobao are already selling non-working "models" of the iPhone 6 for anywhere between 15 yuan and 460 yuan ($2.40 and $74.06). Some are even selling something called an "iPnoho7"

Daktronics Responds to ICS-CERT Vanguard® Default Credentials Alert (Wall Street Journal) Recently, a small number of North Carolina Department of Transportation Daktronics (Nasdaq:DAKT) Vanguard® dynamic message signs were compromised. As a result, on June 5, 2014, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a division of the U.S. Department of Homeland Security, issued alert ICS-ALERT-14-155-01A referencing a hardcoded password in the Vanguard controller as the primary cause. The ICS-CERT later clarified the alert on Friday, June 6, 2014, stating the password is not hardcoded but is a default password that display owners should change upon installation. ICS-CERT also communicated mitigation recommendations (reprinted below) within the alert

AT&T Mobility data breach (CSO) This week AT&T Mobility filed a breach notification in California

Academia

Academia: Government's Biggest Cyber Security Ally? (Dark Reading) Federal cyber security programs need access to fresh talent. They can boost the quality of that talent by bolstering cyber security training in colleges and universities

Hackers Beware—Reinforcements Are On the Way (American News Report) If you've been following the news stories about data security breaches at such retail giants as Target and eBay the following won't surprise you

New cybersecurity company signs lease with Cecil College (Cecil Whig) Cecil College signed a one-year lease Tuesday with a cybersecurity company that will open new avenues of private-public partnerships in the future

Kids To Hack Corporate Crime Caper Case At DEF CON (Dark Reading) The Social Engineering Capture the Flag contest for kids is now an official DEF CON contest

School cancels reading program rather than promote "hacker culture" (Ars Technica) Boing Boing editor responds, offers 200 free copies to the school's students

Litigation, Investigation, and Enforcement

New charges brought against Zuluaga 'peace talks hacker' (Colombia Reports) New evidence suggests that Andres Sepulveda's wiretapping operation was much more extensive than originally suspected, Colombia media reported on Wednesday

New Ruling Shows the NSA Can't Legally Justify Its Phone Spying Anymore (Wired) The Eleventh Circuit Court of Appeals said no this week to tracking your movements using data from your cell phone without a warrant when it declared that this information is constitutionally protected

If The NSA's System Is Too Big To Comply With Court Orders, Court Should Require It To Change Its System (TechDirt) Last week, we wrote about the latest in the Jewel v. NSA case, where the Justice Department admitted to the EFF that the NSA was still destroying surveillance evidence, despite a temporary restraining order in March ordering it to stop

Local cops in 15 US states confirmed to use cell tracking devices (Ars Technica) Stingray use is widespread: Baltimore, Chicago, and even Anchorage have them

Police lack cyber skills (The Times) Police forces in England and Wales are unprepared to tackle cyber crime which is fast becoming a major element of offending, according to a report published yesterday

U.S. To Answer N.S.A. Spy Claim (Tribune242) John Kerry, the United States Secretary of State, has stepped in to oversee the investigation of reports that the National Security Agency is intercepting and recording all cell phone conversations in The Bahamas, with the ability to store them for up to 30 days

The Feds Are Auctioning a Small Fortune in Silk Road Bitcoins (Wired) The Bitcoin world has been waiting for more than six months to see where the millions in cryptocash seized from the Silk Road black market for drugs would end up. Now that fortune is about to be sold off, like so many mafiosos' cars or drug dealers' bling, to the highest bidder

Former Microsoft Employee Involved In Windows 8 Leaks Given 3-Month Sentence (TechCrunch) After pleading guilty, former Microsoft employee Alex Kibkalo will pay a $100 fine and serve three months in prison for stealing trade secrets

Man arrested for parodying mayor on Twitter files civil rights lawsuit (Ars Technica) Police raid follows mayor being upset over the portrayal of him as drug abuser