The CyberWire Daily Briefing 06.19.14

Cyber Trends

Shortage of cybersecurity professionals poses risk to national security (Phys.org) The nationwide shortage of cybersecurity professionals — particularly for positions within the federal government — creates risks for national and homeland security, according to a new study from the RAND Corporation

We're Aswarm In Denial Of Service Attacks And It's Getting Worse (Forbes) Denial of service cyberattacks get few props for their novelty in a field that prizes novelty. Lately, though, they've been making up in volume for what they lack in originality. A denial of service (DoS) attack, or DDoS if it's distributed as in originating from multiple computers, is an attempt to disrupt the operation of a Web site by flooding it with pointless requests that can clog or overwhelm network resources and eventually shut down a site Cybersecurity's Maginot Line: A Real-world Assessment of the Defense-in-Depth Model (FireEye) This first-of-its-kind study examines data from more than 1,600 FireEye network and email appliances in real-world settings. The FireEye devices were part of more than 1,200 "proof-of-value" trials in actual deployments, where they sat behind other defensive layers but were not set to block malicious activity. That unique vantage point revealed a deeply flawed defense-in-depth model

Data sharing key to fighting document fraud, says former cop (ComputerWeekly) A secure and effective way of sharing data on lost, stolen and fraudulent identity documents would go a long way to stamping out fraud, says consultant and former police officer Russ Middleton

Cybersecurity's Maginot Line: A Real-world Assessment of the Defense-in-Depth Model (FireEye) This first-of-its-kind study examines data from more than 1,600 FireEye network and email appliances in real-world settings. The FireEye devices were part of more than 1,200 "proof-of-value" trials in actual deployments, where they sat behind other defensive layers but were not set to block malicious activity. That unique vantage point revealed a deeply flawed defense-in-depth model

Legislation, Policy and Regulation

Cybersecurity Information Sharing Act of 2014 (113th Congress) A bill to improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes

The senate is still trying to jam through its hugely controversial cybersecurity bill (BGR) The federal government refuses to let one of the most controversial Internet bills ever conceived die. CISPA, as it was known when it was introduced in 2011, made a temporary resurgence last year only to meet the same opposition that had blocked its passage two years before. But as Vice has discovered, the bill is back under consideration by the U.S. Senate under a slightly altered name

Funding Amendment To Curtail Warrantless Surveillance Proposed In House (TechCrunch) A bipartisan group of Congress members have proposed an amendment to the Fiscal Year 2015 Department of Defense Appropriations Act aimed at reining in government surveillance. The amendment would ban the funding of government to either demand or request a "backdoor" into products built by technology companies. It would also ban the funding of searches of the data of US persons under the authority of Section 702 of the Foreign Intelligence Surveillance Act (FISA)

Biden tries to reassure Brazil on cyber-spying (Global Post) U.S. Vice President Joe Biden was received here Tuesday by Brazilian President Dilma Rousseff, the first high-level encounter between the two governments since revelations about Washington's extensive spying on the South American nation

Victoria Police defends security of outdated software (The Age) The force's computer network still used Windows XP, for which Microsoft stopped providing software updates in April. Victoria Police insists its IT systems are not vulnerable to security breaches, despite using an outdated software system no longer supported by Microsoft

France To Train Own Cadre of Cyber Defense Experts (Defense News) Unable to compete with private firms as it looks to hire cybersecurity experts, France's Ministry of Defense will set up a course to train its own experts to protect the French military

Indonesian Navy to establish naval cyber command (IHS Jane's Defence Weekly) The Indonesian Navy (Tentera Nasional Indonesia - Angkatan Laut: TNI-AL) is to establish a naval cyber command unit in anticipation of greater maritime threats in the digital domain, said the TNI-AL in an address delivered on 16 June during a TNI-AL-hosted event in Jakarta aimed at raising awareness of digital threats

Colombia, Israel exchange knowledge on cyber-security in Bogota seminar (Colombia Reports) The Colombian capital of Bogota is playing host to a two-day seminar between national and Israeli representatives assessing the threat of cyber-attack and exploring opportunities for cooperation between the two countries

Now China can censor journalists before they even start reporting a story (Quartz) Everybody knows Chinese reporters have it rough. There are 32 of them in jail, according to the Committee to Protect Journalists' most recent figures. But they've usually been arrested only for stories that are published, well after research has uncovered the dirty secrets. Now, thanks to new rules (link in Chinese) from the main media regulator, the government can pre-empt them

Northrop Grumman Calls for Robust Partnerships to Combat Growing Cyber Threat (MarketWatch) Company announces plans to extend US-based youth cyber education programme to UK

Products, Services, and Solutions

Remove Android ransomware for free (Help Net Security) avast! Ransomware Removal is a free app that eliminates Android ransomware and decrypts locked and ransomed files

Quttera improves website anti-malware monitoring services and adds new website security monitoring features (CentralJersey.com) In June 2014 Quttera has developed and implemented several new ground breaking enhancements to anti-malware monitoring solution adding more control and scalability to webmasters. Customers reporting improved experience in managing website security and collaboration both within the organization and between third parties

Tufin Orchestration Suite Wins SC Magazine 5 Star Award and 'Pick of the Litter' Rating (Broadway World) Tufin, the market-leading provider of Security Policy Orchestration solutions, today announced that the Tufin Orchestration Suite washonored bySC Magazinewith a five star (out of five stars) award and selected "Pick of the Litter" in the magazine's latest security policy automation roundup published onJune 2, 2014. The Tufin Orchestration Suite won perfect five star marks in all review categories

Cellebrite Introduces 'Find My iPhone' Status Detection; Solution to Save Mobile Retailers Millions in Trade-In Losses and Repair Failures (MarketWatch) Cellebrite sets the standard for innovation for mobile diagnostics and automated phone buyback with new security lock detection, patent-pending battery test and integrated mobile malware removal

Geospatial framework for cybersecurity (Help Net Security) Esri is joining forces with RedSeal in order to create a geospatial framework for cybersecurity. The goal is to fully integrate existing cybersecurity and IT data with other organizational functions

ThreatTrack Security sets new standard in advanced threat defense (GSN) Reston, VA-based ThreatTrack Security has announced the availability of ThreatSecure, a cybersecurity solution that integrates network-based defenses with endpoint security and delivers threat detection with closed-loop endpoint remediation

Confer and The MITRE Corporation Join Forces to Accelerate Threat Sharing and Operationalize Threat Intelligence (Broadway World) Confer, the first company to offer endpoint and server security via an open, threat-based, collaborative platform, and The MITRE Corporation, a not-for-profit organization that has worked closely with government to strengthen our nation's cyber defenses for more than four decades, today announced an agreement to help companies better protect themselves by sharing cyber threat information. As part of this initiative, MITRE's Collaborative Research Into Threats (CRITs) Platform has been released as a new, open source project. Additionally, Confer is releasing the Confer Threat Exchange, which interfaces with CRITs to allow companies to securely share and automatically apply threat intelligence within their own infrastructure

Does Facebook's Slingshot commit true imagicide? Or is it another Snapchat? (Naked Security) Slingshot is Facebook's "disappearing" image answer to Snapchat - the the app that got away

The best password managers for PCs, Macs, and mobile devices (InfoWorld via CSO) Thanks to high-profile computer security scares such as the Heartbleed vulnerability and the Target data breach , and to the allegations leveled at the government and cloud providers by Edward Snowden, more of us Internet users are wising up about the security of our information. One of the smarter moves we can make to protect ourselves is to use a password manager. It's one of the easiest too

Breaking Into iCloud: No Password Required (Elcomsoft) With little news on physical acquisition of the newer iPhones, we made every effort to explore the alternatives. One of the alternatives to physical acquisition is over-the-air acquisition from Apple iCloud, allowing investigators accessing cloud backups stored in the cloud. While this is old news (we learned to download data from iCloud more than two years ago), this time we have something completely different: access to iCloud backups without a password! The latest release of Phone Password Breaker is all about password-free acquisition of iCloud backups

Technologies, Techniques, and Standards

Risk of re-identification 'greatly exaggerated' (FierceBigData) So sayeth Information Technology and Innovation Foundation (ITIF) Senior Analyst Daniel Castro and co-author Ann Cavoukian, the Ontario information and privacy commissioner in a new whitepaper. They bemoan the lack of public trust in de-identification and affix the blame to media reports stating "a tendency on the part of commentators… to overstate the findings." So what's the deal here? Does de-identification work or not?

Data Security Decisions In A World Without TrueCrypt (Dark Reading) The last days of TrueCrypt left many unanswered questions. But one thing is certain: When encryption freeware ends its life abruptly, being a freeloader can get you into a load of trouble

Five steps towards cyber breach preparation (Help Net Security) Earlier this week, Domino's Pizza became the latest victim of a breach and ransom demand. Recent DDoS attacks on Evernote and Feedly DDoS, along with the efforts of Cryptolocker and other tricks to extort hard cash from unsuspecting users, are rapidly gaining momentum and are becoming a serious threat to individuals and organisations of all sizes. These brazen attempts to make a quick profit will only be fuelled for as long as they remain successful

Heartbleed shows the need for password change automation (ZDNet) Passwords have all sorts of problems, but the one which is hardest to solve is when you need to change a lot of them quickly, as happened after Heartbleed

An Intelligent Approach to Fighting Cyber Attacks (ProSecurityZone) Since today's cyber attacks are moving faster than legislation's ability to keep up, companies in high-risk sectors are left following regulations that fight yesterday's war. As the government and organizations try to secure their information, federal agents alerted more than 3,000 companies last year that their computer systems had been hacked. The companies varied in size from small to large and represent what experts think is a small fraction of the total number. Analysts estimate the cost of these breaches is up to $100 billion annually for U.S. companies and consumers

Tech support scams and the wisdom of Solomon (Graham Cluley) Surprisingly enough, given the years I've put in documenting and offering advice on tech support scams, I don't spend a lot of time talking to the scammers, even though I've had many of those calls over the years

The NSA's big problem, explained by the NSA (The Week) Amongst the new trove of classified documents released by Der Speigel is a rather academic discussion, in the NSA's own foreign affairs journal, about the differences between American signals intelligence collection and German signals intelligence collection

Marketplace

What Was Boring About Check Point Now Makes Stock a Buy (Bloomberg BusinessWeek) While cybersecurity stocks like FireEye Inc. (FEYE:US) and Imperva Inc. (IMPV:US) have crashed this year, Check Point Software Technologies Ltd. has weathered (CHKP:US) the selloff

Corero Network Announces Contract Win, Stock Up (RTT News) Corero Network Security Plc. (CNS.L), a provider of security solutions for defending against DDoS attacks and cyber threats, announced its largest First Line of Defense solution contract win. The order is valued at half a million dollars. The stock climbed over 11 percent

Mobile System 7 Moves to Maryland, Receives $400,000 Investment from State, County (Insurance News Net) The Maryland Venture Fund (MVF), the equity investment arm of the Maryland Department of Business and Economic Development (DBED), has invested $300,000 in Mobile System 7 following the cybersecurity firm's move to Bethesda from Virginia. The MVF led the financing round and was joined by the Montgomery County Department of Economic Development (DED), which invested $100,000, and private investment groups

Behavioral fraud detection firm BioCatch takes in $10M investment (Gigaom) The Israeli startup examines precisely how people use the banking and e-commerce sites it is protecting, in order to spot when something is out of the ordinary

[Disruptor 50:] #23. Shape Security (CNBC) Most measures to protect against cybersecurity threats today are reactive in nature. The threat has to be analyzed, identified as malicious and ultimately blocked. Shape Security is attempting to change that formula by allowing companies to be more proactive. Instead of a company's website scanning a near infinite amount of inbound traffic looking to block threats, as is the case with most existing solutions today, Shape's technology, based on the concept of polymorphism, continually transforms the underlying DNA of a website. This means that Shape can preserve the functionality of code while transforming how it is expressed, making it harder for bad guys to hack into a website

Iron Bow Recognized in the Top 50 on CRN's 2014 Solution Provider 500 List (Digital Journal) Iron Bow Technologies LLC, an information technology solutions provider, today announced it has been named to the 2014 Solution Provider 500 (SP500) list by The Channel Company's CRN

Cybersecurity Startups Pitch Investors at MACH37™ & CIT GAP Funds Cyber Showcase (Digital Journal) The MACH37™ Cyber Accelerator and CIT GAP Funds hosted investors yesterday at the Cyber Showcase. Twelve companies presented, including the MACH37™ Spring Cohort, plus six later stage companies from both the MACH37™ and CIT GAP Fund portfolios. Invited guests included investors representing top-tier venture capital firms, leading edge technology companies and angel groups from the east coast

NSA jitters are 'just a bummer' for cloud growth, HP says (PCWorld) Revelations about U.S. National Security Agency snooping have made some buyers outside the U.S. think twice about public clouds, placing a drag on one of the world's biggest technology trends, the head of Hewlett-Packard's enterprise group said

Stephen Pace Joins Raytheon As Cyber Portfolio Sales SVP (GovConExecutive) Stephen Pace, a former sales executive at network security firms Pwnie Express and Core Security, has joined Raytheon as senior vice president of global sales for the firm's cyber products business

Ret. Navy Intell Officer Norman Hayes Joins SBG Technology Solutions (GovConExecutive) Norman Hayes, a retired U.S. Navy intelligence officer, has joined SBG Technology Solutions as a principal advisor on intelligence, national security and cybersecurity

ForeScout Named Finalist in 'Best Deployments & Case Study' Category of 2014 Hot Companies and Best Products Awards (MarketWatch) Rollins College bolstered network monitoring and policy enforcement With ForeScout CounterACT

Security Patches, Mitigations, and Software Updates

Google's Famous Security Guru Found An Embarrassing Hole In Microsoft's Products (Business Insider) On Tuesday, Microsoft warned that it was issuing an emergency patch to fix a dangerous flaw in its software

Cyber Attacks, Threats, and Vulnerabilities

Hacker Puts Hosting Service Code Spaces Out of Business (Threatpost) Code Spaces, a code-hosting and software collaboration platform, has been put out of business by an attacker who deleted the company's data and backups

Code Spaces forced to close its doors after security incident (CSO) Code Spaces, a Subversion and Git hosting provider, used by organizations for project management and development needs, has folded after an attacker compromised their internal systems

Code Spaces : Is Down! (Code Spaces) Dear Customers, On Tuesday the 17th of June 2014 we received a well orchestrated DDOS against our servers, this happens quite often and we normally overcome them in a way that is transparent to the Code Spaces community. On this occasion however the DDOS was just the start

Cybersecurity firm says large hedge fund attacked (CNBC) In an audacious and sophisticated attack, cybercriminals acting in late 2013 installed a malicious computer program on the servers of a large hedge fund, crippling its high-speed trading strategy and sending information about its trades to unknown offsite computers, CNBC has learned

Syrian Electronic Army Hacks The Sun & Sunday Times Websites (International Business Times) The Syrian Electronic Army (SEA) has claimed responsibility for attacks on The Sunday Times and The Sun newspapers' websites, which saw web users briefly redirected to a message from the pro-Assad group

Cyberattackers brought down Apple Daily website with 40 million hits every second (South China Morning Post) A cyberattack on Apple Daily's website saw more than 40 million enquiries sent to the site per second during its peak, bringing the system down and blocking normal web users from accessing pages for several hours, the company revealed today

Android 'SMS Stealer' Malware Hidden in World Cup Themed Apps (HackRead) Be careful of any new World cup themed apps, lest you should be tricked into downloading a malicious app, says a recent report published by Trend Micro

Password protected Zbot malware in the wild (Help Net Security) Early this morning a small malware campaign started up claiming to be daily customer statements from Berkeley Futures Limited (real company, but messages are spoofed)

AVG Warns Popular Websites Still Suffering an OpenSSL Security Issue (MaximumPC) Even after applying a Heartbleed patch, many websites are still vulnerable

Malicious Google Play Clone Steals Banking Credentials (Dark Reading) Google, FireEye disrupt sneaky Android malware operation

A Not-So Civic Duty: Asprox Botnet Campaign Spreads Court Dates and Malware (FireEye) FireEye Labs has been tracking a recent spike in malicious email detections that we attribute to a campaign that began in 2013. While malicious email campaigns are nothing new, this one is significant in that we are observing mass-targeting attackers adopting the malware evasion methods pioneered by the stealthier APT attackers. And this is certainly a high-volume business, with anywhere from a few hundred to ten thousand malicious emails sent daily — usually distributing between 50 and 500,000 emails per outbreak

Ragebooter: 'Legit' DDoS Service, or Fed Backdoor? (Krebs on Security) On Monday, I profiled asylumbooter.com, one of several increasingly public DDoS-for-hire services posing as Web site "stress testing" services. Today, we'll look at ragebooter.net, yet another attack service except for one secret feature which sets it apart from the competition: According the site's proprietor, ragebooter.net includes a hidden backdoor that lets the FBI monitor customer activity

Slow rollout of SSL places users of LinkedIn at risk research says (CSO) LinkedIn was notified about the potential risks over a year ago. According to research, users of LinkedIn could be vulnerable to Man-in-the-Middle (MITM) attacks, leading to account and personal information compromise

Lessons in insecure SSL courtesy of Hoyts cinemas (Troy Hunt) Why do we bother with SSL? I mean what's the risk that we're trying to protect against by using certificate authorities and serving up traffic over HTTPS? Usually it's men (or possibly even women) in the middle or in other words, someone sitting somewhere between the client and the server and getting their hands on the data. Do we all agree with this? Yes? Good, then why on earth would you possibly say this?

How to defend against the latest Android kernel flaw (CSO) Experts say careful monitoring of app activity and hardware changes will protect against the flaw that affects nearly every popular Android device

What's next for ransomware? Cryptowall picks up where CryptoLocker left off (Naked Security) When an international law enforcement action earlier this month knocked out the Gameover botnet, one happy consequence was the takedown of the servers that the CryptoLocker ransomware needed in order to do its dirty work

SNMP: Spike in Brute-force Attempts Recently Observed (Cisco Blogs) Simple Network Monitoring Protocol (SNMP) has been widely deployed as an important network management tool for decades, is a key component of scalable network device management, and is configurable in nearly all network infrastructure devices sold today. As with any management protocol, if not configured securely, it can be leveraged as an opening for attackers to gain access to the network and begin reconnaissance of network infrastructure. In the worst case, if read-write community strings are weak or not properly protected, attackers could directly manipulate device configurations

Flaws Found in USCIS RFID Card Production System (Threatpost) The system that's used to produce RFID-enabled identification cards — including permanent resident IDs — by the United States Citizenship and Immigration Service has a number of serious security issues, according to a new report from the Office of the Inspector General at DHS. Among the issues the OIG found is that nearly all of the workstations in the system were missing six years worth of Java patches and an Oracle database server was missing nearly two dozen patches

P.F. Chang's Breach Likely Began in Sept. 2013 (Krebs on Security) The recently-announced credit card breach at P.F. Chang's Chinese Bistro appears to have gone on for at least nine months: New information indicates that the breach at the nationwide restaurant chain began on or around Sept. 18, 2013, and didn't end until June 11, one day after KrebsOnSecurity.com broke the news about the break-in

When Vulnerabilities are Exploited: the Timing of First Known Exploits for Remote Code Execution Vulnerabilities (Microsoft Security Blog) One of the questions I get asked from time to time is about the days of risk between the time that a vulnerability is disclosed and when we first see active exploitation of it; i.e. how long do organizations have to deploy the update before active attacks are going to happen? Trustworthy Computing's Security Science team published new data that helps put the timing of exploitation into perspective, in the recently released Microsoft Security Intelligence Report volume 16

It's Not Funny: Facebook Users Tricked into Bitcoin Mining (Hot for Security) Hundreds of Facebook users got infected with a new Trojan secretly using their systems to mine for Bitcoins, the virtual currency that spread a global money-making fever, Bitdefender warns. Since spotted last week, the malware has seen infections in countries such as Portugal, Belgium, India, Romania and Serbia

Personal data hacked from Ashmolean Museum website (Oxford Times) Personal data of nearly 8,000 people has been hacked from the Ashmolean Museum's website

Academia

CyberPatriot Designates Fairfax County Public Schools as a "Center of Excellence" (Digital Journal) The Air Force Association's CyberPatriot program has announced Fairfax County Public Schools (FCPS) of Northern Virginia as its fifth CyberPatriot Center of Excellence

Litigation, Investigation, and Enforcement

IRS computer crash eats email evidence: Conspiracy or 'worst IT department ever'? (NetworkWorld) After the IRS claimed a computer crash ate email evidence, most techies seem to believe that no IT department could be that incompetent. Instead, the IRS claims are being dubbed preposterous, ludicrous, lies

Missing E-Mail Is the Least of the IRS's Problems (Bloomberg) Last Friday afternoon brought a disturbing news dump from the Internal Revenue Service: A big chunk of Lois Lerner's e-mail has disappeared. A hard drive crash, the agency says, permanently destroyed much of Lerner's e-mail in 2011, wiping out records from the previous two years

Data sharing deal with U.S. referred to EU's top court (Reuters) Ireland's High Court on Wednesday asked the European Court of Justice (ECJ) to review a European Union-U.S. data protection agreement in light of allegations that Facebook FB.O shared data from EU users with the U.S. National Security Agency

US Marshals Accidentally Replies All To Anonymous Bitcoin Auction Bidders In Email Fiasco (TechCrunch) In a magnificent show of technical ineptitude, today the U.S. Marshals revealed the identities of many anonymous bidders in its $18 million seized Silk Road Bitcoin auction by CC'ing them on an email thread. When one asked a question, the response was sent to 40 of the bidders, many whose names were attached or easily identifiable from their addresses, negating the whole point of the auction being anonymous. Smooth, government

FBI arrests alleged NullCrew hacker (Naked Security) Federal prosecutors have arrested and charged a Tennessee man for allegedly conspiring to attack a number of businesses and educational organisations since the middle of 2012

Hacker taunts arrested comrade after someone drops dime to FBI (Ars Technica) Timothy French, alleged member of NullCrew, arrested by Feds, thanks to helpful informant

Hacker Group Arrest in Colombia Points to Evolution of Cyber Crime (InSightCrime) Authorities in Colombia have dismantled a network of hackers accused of stealing over $5 million from electronic bank accounts, in a case that highlights the fast paced evolution of cyber crime and the potential profits it offers

Design and Innovation

Here's What Cyberspace Looks Like (Nextgov) Several federal agencies are in the early stages of mapping out a realm that has no geography, in hopes of preempting breaches and successfully hacking adversaries