Cyber Attacks, Threats, and Vulnerabilities
Target credit card data was sent to server in Russia (Infoworld) The data was quietly moved around on Target's network before it was sent to a U.S. server, and then to Russia
Malware in Target attack partly in Russian (USA Today) U.S. government report describes sophisticated cyber attack operation authorities are calling Kaptoxa, a Russian word that comes from a piece of code in the malware
Researchers share more details about the Target POS malware (Help Net Security) A handful of security companies have been researching the Target breach, and the information they unearthed is slowly trickling out to satisfy the public's curiosity as the retailer has yet to share any details
Target Data Breach Being Handled By Homeland Security (KKUTV) The holiday data breach at Target is now being handled by Homeland Security. The attack could be part of a larger scheme to cripple the U.S. economy
Neiman Marcus says SSNs, birth dates not taken in breach (ComputerWorld) Neiman Marcus apologized on Thursday for a data breach that compromised payment card numbers, saying Social Security numbers and birth dates appear to be safe
Neiman Marcus computers were hacked as far back as July: NYT (Reuters via Yahoo!) Hackers breached the computer networks of luxury department store chain Neiman Marcus as far back as July, an attack that was not fully contained until Sunday, the New York Times reported, citing people briefed on the investigation
US government warns retailers on cyber-attacks (My Broadband) The US government has provided merchants with information from its investigation into the massive data breach at Target
Target attackers may have struck others (Minneapolis Star-Tribune) The government put U.S. retailers on alert Thursday that the sophisticated data heist operation that struck Target Corp. has likely infected other companies with malicious software
Target Got Hacked Hard in 2005. Here's Why They Let It Happen Again (Wired) A gang of shadowy hackers tears through the systems of big-box retailers, making off with millions of credit and debit card numbers in a matter of weeks and generating headlines around the country. Target and Neiman Marcus in 2013? No: This oh-so-familiar attack occurred in 2005
Someone's refrigerator just took part in a malicious cyberattack (Quartz) Between December 23 and January 6, more than 100,000 internet-connected smart "things," including media players, smart televisions and at least one refrigerator, were part of a network of computers used to send 750,000 spam emails. So says a study just released by enterprise security company Proofpoint. This is the first time anyone in the security industry has proved that devices that are part of the internet of things are being used just as PCs have been for decades—as part of "zombie" networks of computers used to do everything from sending spam to mining bitcoin
Cybercrooks slip fingers into TELLIES+FRIDGES, spam splurge ensues (The Register) DON'T OPEN THAT — your media centre has become a FRAUDSTER
Unsafe and sound (The Economist) Ciphers can now be broken by listening to the computers that use them. Eavesdropping, be it simply sticking an ear against a door or listening to and analysing the noises made by tapping different keys on a keyboard, is a stock-in-trade of spying. Listening to a computer itself, though, as it hums away doing its calculations, is a new idea. But it is one whose time has come, according to Adi Shamir, of the Weizmann Institute, in Israel, and his colleagues. And Dr Shamir should know. He donated the initial letter of his surname to the acronym "RSA", one of the most commonly used forms of encryption. Acoustic cryptanalysis, as the new method is known, threatens RSA's security
BANLOAD Limits Targets via Security Plugin (TrendLabs Security Intelligence Blog) The presence of a security product is normally seen as a deterrent or challenge for cybercriminals. However, that is not the case with this banking Trojan, specifically, a BANLOAD (also known as BANKER or BANBRA) variant. This malware actually limits its range of victims to online banking clients of Banco do Brasil. It does so by checking for the presence of a specific security product before it executes its malicious routines
Using an iPhone to Pay at Starbucks? Think Twice. (Brighthand) Starbucks has promised a future update to its iPhone barcode scanning app, aimed at fixing a security flaw which could leave a person's user name, email address, password, and location information open for a security-savvy thief to see
New TDoS market segment entrant introduces 96 SIM cards compatible custom GSM module, positions itself as market disruptor (Webroot Threat Blog) In need of a good example that malicious adversaries are constantly striving to 'innovate', thereby disrupting underground market segments, rebooting TTPs' (tactics, techniques and procedures) life cycles, standardizing and industrializing their fraudulent/malicious 'know-how'? We're about to give you a pretty good one. Regular readers of Webroot's Threat Blog are no strangers to the emerging TDoS (Telephony Denial of Service) underground market segment. Primarily relying on the active abuse of legitimate services, such as, for instance, Skype and ICQ, as well as the efficient and mass abuse of non-attributable SIM cards, for the purpose of undermining the availability of a victim's/organization's
Massive RFI scans likely a free web app vuln scanner rather than bots (Internet Storm Center) On 9 Jan, Bojan discussed reports of massive RFI scans. One of the repetitive artifacts consistent with almost all the reports we've received lately is that the attackers are attempting to include… I investigated a hunch, and it turns out this incredibly annoying script kiddie behavior is seemingly due not to bots but to the unfortunate misuse of the beta release of Vega, the free and open source web application scanner from Subgraph
The PLC As An ICS/SCADA Hacking Tool (Dark Reading) 'PLCpwn' hacking tool tucked inside a legitimate programmable logic controller can shut down plant systems — via a text message
When Websites Attack (Dark Reading) Windows threats like Cryptolocker and ZeroAccess get all of the attention, but malware targeting (Linux) Web servers continues to evolve
Server storing 6,000 emergency medical response calls breached (SC Magazine) North East King County Regional Public Safety Communication Agency (NORCOM), a company that provides emergency communication services to the public, fire and police agencies, had a server breached in late December
ilmeteo.it hacked (Dynamoo) Popular Italian weather site ilmeteo.it appears to have been compromised this morning, with several legitimate .js files on the site altered to drive traffic towards a malicious hacked domain at karsons.co.uk
KC engineer 'exposed unencrypted spreadsheet with phone numbers, user IDs, PASSWORDS' (The Register) Hull-based ISP investigates possible data gaffe spotted by customer
Another e-billing security flaw (My Broadband) A vulnerability in the hosted repository management system used by Mogale City lets users access one another's bills
Cyber Trends
Fridge raiders: Will 2014 REALLY be the year your Smart Home gets hacked? (We Live Security) At this year's Consumer Electronics Show, one thing was clear — smartphones have had their chips, at least when it comes to getting people interested
Underrated threats? Research into the evolving world of risk (Aon Risk Solutions) As part of our efforts to help companies stay abreast of emerging issues and learn what their peers are doing to manage risks and capture opportunities, we have conducted the fourth biennial Global Risk Management Survey (GRMS). It gathered input from 1,415 respondents from 70 countries in all regions of the world and from companies of all sizes and has the most comprehensive peer-provided risk data in the industry, capturing the latest risk trends and priorities companies face
Marketplace
Cloud security firm CipherCloud acquires CloudUp (FierceITSecurity) To address enterprises' cloud security and privacy concerns, cloud security firm CipherCloud has acquired CloudUp Networks, a provider of software-as-a-service application security, for an undisclosed consideration
Darting for cover: the pros and cons of cyber insurance (Computing) "They will be rubbing their hands in glee," says Ann Bevitt, head of law firm Morrison & Foerster's London privacy and data security group
Allianz teams up with Thales to offer Allianz Cyber Data Protect insurance (Insurance Business Review) Allianz Global Corporate & Specialty SE (AGCS) and Thales have joined forces to offer comprehensive protection against cybercrime
BAE Systems Rebrands Cyber-Security Business in Commercial Push (Bloomberg) BAE Systems Plc (BA/) is rebranding its cyber-security operations as Europe's largest defense company seeks to gain business from more companies beyond its traditional government customers. Activities to protect computer networks will be called BAE Systems Applied Intelligence, replacing the Detica name as of Jan. 31, the London-based company said in a message to employees. "We are changing our name in January to closer align to the BAE Systems brand," it said in a separate e-mail
FireEye rises as analyst praises its technology (AP via Yahoo!) FireEye rises as analyst sets top rating, praising its security solution and Mandiant deal
Net Neutrality Court Ruling Won't Ruin The Internet (InformationWeek) Competition, not massive regulation, is the best way to make the Internet open
New CEO Kheradpir Lays Out Vision For Future Of Juniper Networks (CRN) At Juniper Networks (NSDQ:JNPR)' Global Partner Conference this week, new Juniper CEO Shaygan Kheradpir laid out his vision for both Juniper and its partners moving into 2014. That vision, he said, is centered around Juniper embracing hybrid cloud ecosystems, highly intelligent networks, and starting to view service provider and enterprise customers through a similar lens
Executive Slams 'Lowest Price, Technically Acceptable' Acquisition Regimes (National Defense Magazine) The president of a major satellite services provider said the U.S. military's "lowest price, technically acceptable" procurement strategy is stifling innovation and ultimately shortchanging war fighters
Social Security Administration Wants Information on Private Cloud (Executive Mosaic) The Social Security Administration has issued a request for information on private cloud software packages as it seeks to automate processes, FCW reported Wednesday. Frank Konkel writes interested vendors are asked to submit data on product compliance such as a web-based portal, unified service catalog, performance monitoring, virtual machine life-cycle management, multitenancy, capacity planning and asset management
DHS awards work under $6B cyber contract (Federal Times) The Department of Homeland Security has awarded work to four companies under its $6 billion cybersecurity contract
BAE Systems Awarded Prime Position on U.S. Department of Homeland Security IT Services Contract Vehicle (The Wall Street Journal) The U.S. Department of Homeland Security (DHS) has awarded BAE Systems a prime position on the Enterprise Acquisition Gateway for Leading Edge Solutions II (EAGLE II) contract. BAE Systems is one of fifteen primes awarded under the unrestricted track of Functional Category 1 and may compete to provide systems, software, and other IT services and support
9,000 heads to roll at Dell? Tosh. It'll all go down in Feb and it's THOUSANDS more — insiders (The Register) Firm denies it … but won't give us numbers. We're being told that the 9,000 heads redundancy figure at Dell is wrong — it could be 17,000 or more. Dell disputes this strongly, saying our sources' numbers are "inaccurate", but refused to give us a figure
Cyber security talent goes to the highest bidder (Computing) When former White House cyber security co-ordinator Howard Schmidt congratulated the UK government for the launch of its Cyber Security Information Partnership scheme in March 2013, he said: "What you've been able to do in two years has taken us about 17 years to do"
What STEM shortage? Electrical engineering lost 35,000 jobs last year (Computerworld) Will the Internet of Things create jobs in the U.S. or offshore? Despite an expanding use of electronics in products, the number of people working as electrical engineers in the U.S. declined by 10.4% last year
Cyber Town Malvern (BBC) The historic spa town of Malvern in Worcestershire is rapidly becoming the centre of a hub of small companies specialising in a very 21st century occupation: defending people from Internet crime. Unlikely as it sounds, Malvern has been a centre of science expertise for decades. Now it's a place where innovation thrives outside big corporate labs. Peter Day finds out why
ATMs Face Deadline to Upgrade From Windows XP (BusinessWeek) One-dollar bills. Envelope-free deposits. Stamp dispensers. These are a few of the features that Wells Fargo (WFC), Bank of America (BAC), JPMorgan Chase (JPM), and other banks tout as the latest and greatest features of their fleets of ATMs. It's hardly stuff to set the heart racing
Panda Security Appoints Diego Navarrete as New CEO (MarketWatch) Panda Security, The Cloud Security Company, today announced the appointment of Diego Navarrete as CEO of the multinational computer security company. Navarrete joins Panda Security from IBM, and brings a wealth of experience in the software and security sectors
Michael Locatis, Randy Phillips, Michael Shank Join Chertoff Group as Senior Advisors; Michael Chertoff Comments (Executive Mosaic) Michael Locatis, Randy Phillips and Michael Shank have joined security and risk management advisory firm Chertoff Group as senior advisors. The three new advisors will work with the company's professional team focusing on cybersecurity, information technology, intelligence and business development, Chertoff Group said Wednesday
Brian Sheridan Rejoins Bechtel As Defense, Security Business GM; Craig Albert Comments (Executive Mosaic) Brian Sheridan, who previously managed projects at Bechtel Corp. for 10 years, has rejoined the company as general manager of U.S. defense and security business line within its government services unit
KoolSpan Bolsters Management Team with Appointment of Nigel Jones as Chief Financial Officer (KoolSpan) KoolSpan Inc, developer of patented, hardware-based mobile security applications, announced today that Nigel Jones has joined the company as Chief Financial Officer, effective immediately. Responsible for all financial aspects of KoolSpan's business, Jones is a telecom industry veteran with more than 15 years of experience in strategic financial management, fundraising, investor relations and mergers and acquisitions
Products, Services, and Solutions
This data will self-destruct: Snapchat meets encrypted messaging (InfoWorld) Snapchat's model of deliberately ephemeral data is becoming a selling feature for commodity messaging and data storage
INSIDE Secure Achieves New Level of Security for Enterprise Applications in Smartphones (The Wall Street Journal) INSIDE Secure (NYSE Euronext Paris: INSD), a leader in embedded security solutions for mobile and connected devices, today announced it has upgraded its SafeZone FIPS software cryptographic module to improve security for a broad array of smart connected devices. INSIDE's enhanced SafeZone cryptographic software enables developers for the first time to build FIPS 140-2 certified applications for Trusted Execution Environments (TEE) based on ARM TrustZone® frameworks
Computer Forensics in the Name of Social Justice (Consumer Electronics Net) Case & Point, which aims to serve indigent people who have been put on trial and lack the resources to utilize computer forensic evidence in their own defense, is pleased to announce that they have begun a campaign on Indiegogo.com to help raise funds to implement the initial infrastructure required to set up digital forensics lab. Case & Point is asking for $9,000 to obtain the necessary software and certain peripherals that are specific to digital forensics in a social justice cause
New China-developed OS takes aim at Android, Windows (Computerworld) The company behind the Linux-based OS is still looking for hardware partners to use its software
Palo Alto Networks Unveils Evolution To Threat Prevention Strategy, Significant WildFire Enhancements (Dark Reading) Advancements include extended file visibility and zero-day exploit detection
Technologies, Techniques, and Standards
Ways to avoid a multi-million dollar security disaster (SC Magazine) From Adobe to Facebook, security breaches continue to be top-of-mind for both companies and users, and organizations around the globe are all wondering if they are next in line to deal with a breach of their own. Hackers may always be a few steps ahead of companies when it comes to cracking codes and stealing information, but as we dissect breach after breach, it's clear that companies are not helping their security cause — they are actually jeopardizing it in more ways than one. With a few simple steps, companies can take back control of their infrastructure and assure that their next breach is merely an inconvenience rather than a multi-million dollar catastrophe
Information Security Policy Templates (SANS Institute) Welcome to the SANS Security Policy Resource page, a consensus research project of the SANS community. The ultimate goal of the project is to offer everything you need for rapid development and implementation of information security policies. You'll find a great set of resources posted here already including policy templates for twenty-four important security requirements
Secure Windows XP after updates end (Simon PG Edwards) Sticking with Windows XP? Here's how to secure your system to a reasonable standard
Cover your webcam when you're not using it (Flanders News) Belgium's Federal Computer Crime Unit says it's "a good precaution" to tape up or cover your computer's webcam when you are not using it. There are cases of webcam hackers in Belgium who collect private footage of victims in order to blackmail them later on. However, police immediately stress that it's not a widespread problem in Belgium, and that there is no reason to panic
Security Expert Bruce Schneier Says to Foil NSA Spies, Encrypt Everything (BloombergBusinessWeek) In the world of cybersecurity, Bruce Schneier is an unusually accessible voice for those of us who feel we don't quite understand what's going on. The author of 12 books, and a prolific blogger and speaker, Schneier helped the Guardian go through the top-secret documents from the U.S. National Security Agency leaked by Edward Snowden last year
How Asian dating sites cracked your biggest complaint—everyone lies online (Quartz) Online dating site OKCupid has found an inexplicable number of men happen to be exactly six feet tall and there are four times as many people who claim to earn $100,000 per year as there should be. False advertising, or misrepresentation, is standard in any marketplace; the dating market is no different
How you will connect with your connected car (Quartz) Connected cars are coming. General Motors will roll out a bunch of 2015-model Chevrolet cars with onboard fourth-generation (4G) mobile broadband. Google just announced the Open Automotive Alliance to push its Android operating system into cars. Most auto manufacturers are working to better use the internet connectivity in their cars. In a few years, they think, our cars will be like our smartphones—able to download apps, stream music, provide better navigation, and stay connected to the internet
Why wasn't healthcare.gov security properly tested? (SC Magazine) When the healthcare.gov website was launched on Oct. 1 it didn't take long for technical issues to hit the headlines. Americans trying to register for health care found the website unusable. There were glitches, extremely long loading times, and serious errors, but most worrying of all for anyone entrusting sensitive data to the system was the lack of security testing
So You Found An Obamacare Website Is Hackable. Now What? (Forbes) Two months ago, L.A.-based security researcher Kristian Erik Hermansen was signing up for Obamacare via the Covered California site. Given his background in finding vulnerabilities in software and websites, spotting security flaws is second nature to him so he couldn't help but notice problems with the California site, which has seen the most registrations for healthcare in the country
How to keep your neighbors from hijacking your Wi-Fi (Dark Reading) Your Internet connection could be slow for many reasons, but you can rule out local Wi-Fi thieves by employing strong passwords
3 Themes For Implementing PCI DSS 3.0 For SMBs (Dark Reading) How the new PCI DSS v3.0 requirements affect the scope of cardholder data systems
Design and Innovation
The Worst User Experience In Computer Security? (The New School of Information Security) I'd like to nominate Xfinity's "walled garden" for the worst user experience in computer security. For those not familiar, Xfinity has a "feature" called "Constant Guard" in which they monitor your internet for (I believe) DNS and IP connections for known botnet command and control services. When they think you have a bot, you see warnings, which are inserted into your web browsing via a MITM attack
Research and Development
Quantum physics could make secure, single-use computer memories possible (Help Net Security) Computer security systems may one day get a boost from quantum physics, as a result of recent research from the National Institute of Standards and Technology (NIST). Computer scientist Yi-Kai Liu has
Legislation, Policy, and Regulation
Martha Lane Fox: UK is 'woefully quiet' on Snowden revelations (The Guardian) The Baroness of Soho said in her House of Lords speech that the UK lacked the rigorous debate that took place in the US
Obama to end NSA holding of metadata (USA Today) President Obama will call Friday for ending the National Security Agency's ability to store phone data from millions of Americans, and he will ask Congress, the Justice Department and the intelligence community to help decide who should hold these records, officials said
Obama to Speak on NSA Surveillance Controversy (Scientific American) The speech should provide some insight into the future of how the U.S. government keeps tabs on friends and foes
Obama's NSA Speech: Just What Eisenhower Warned About? (NPR) On Jan. 17, 1961, President Eisenhower used his farewell address to warn Americans that: "We must guard against the acquisition of unwarranted influence, whether sought or unsought, by the military-industrial complex. The potential for the disastrous rise of misplaced power exists and will persist"
Snowden will get his answer from Obama (My Broadband) President Barack Obama will finally give his response to Edward Snowden on Friday
NSA defenders' shameless "national security" bait and switch (Salon) Mounting evidence shows surveillance has had no impact on preventing terrorism. Is the public paying attention? In order to have a genuinely constructive debate, data must be compiled, evidence must be amassed and verifiable truths must be presented. This truism is particularly significant when it comes to debates about security and liberty
Stone: NSA metadata program captures small fraction of calls (Politico) Contrary to public perceptions, the National Security Agency's controversial program to collect information on phone calls to, from and within the U.S., gathers such metadata on only a small percentage of U.S. telephone traffic, a member of President Barack Obama's surveillance review group said Thursday
Lies, lies, and more damned Washington lies: Why you shouldn't expect much on NSA 'reforms' (ZDNet) What's to say the White House won't keep its spying efforts from ticking over as it did before the Snowden revelations came to light
For surveillance critics, some unwelcome deja vu (Politico) President Barack Obama hasn't yet delivered Friday's long-awaited speech on surveillance — but civil liberties advocates are already bracing for disappointment
Michael Hayden: Snowden 'mishaped' security debate (NBC Today) Retired General Michael Hayden, a former director of both the NSA and CIA says whistleblowing by former NSA contractor Edward Snowden has severely and irreversibly harmed the security agency's ability to perform its duties
Congress tries to curtail NSA spying, sort of (Nextgov) Buried in a soon-to-pass government spending bill is a ban on the monitoring of any specific U.S. citizen's phone calls and online activities. The small, vague passage, however, leaves wiggle room for the National Security Agency to continue sweeping up Americans' call and Internet data en masse
House Homeland Security critical infrastructure bill gets potentially controversial amendment (FierceGovIT) A House Homeland Security subcommittee approved by unchallenged voice vote a critical infrastructure cybersecurity bill, adding in the process several amendments—one of which could generate opposition to an otherwise bipartisan bill
A year after Swartz suicide, reform of anti-hacking law remains elusive (ComputerWorld) Calls for changing the Computer Fraud and Abuse Act have made little headway
Will India Deliver Cyber Command For Armed Forces This Time? (Ground Report) India is very good at contemplating concepts but equally bad at implementing the same. The latest to add to this trend is the decision to constitute a cyber command for armed forces of India. India has also in the past released the cyber security policy but experts doubt about its effectiveness as it failed on many counts including privacy protection. This is so because India needs a techno legal cyber security framework that is presently missing. Meanwhile, sophisticated cyber attacks against India are rising
Litigation, Investigation, and Law Enforcement
HHS officials questioned on HealthCare.gov security at hearing (FierceHealthIT) Rep. Darrell Issa (R-Calif.) continued his quest for answers on the security of HealthCare.gov before its launch this fall today at a Committee on Oversight & Government Reform meeting, where he facilitated the questioning of three high-level staff members of the U.S. Department of Health & Human Services
Healthcare.gov is secure, says CMS official who voiced early concerns (Nextgov) A top information security officer at the Health and Human Services Department who expressed concern about HealthCare.gov before its Oct. 1 launch told lawmakers on Thursday she's now convinced the site meets all government security requirements
Apple slapped with settlement over shabby sales security in the App Store (Naked Security) Apple is understandably proud of the App Store — it has made lots and lots of money, with more or less no malware. But not everyone has been entirely happy with Cupertino's acumen in application delivery…including the FTC
Jailed terrorist gets extra time for refusing to divulge USB stick password (Naked Security) A British man already in jail for terrorist activity was given another 4 months for refusing to give police the password to a memory stick that they couldn't crack. The convicted terrorist suddenly got his memory back when police said they were launching a new investigation into credit card fraud
Will Sabu face justice at some point? (CSO) It has been a while since Hector Xavier Monsegur, otherwise known as Sabu, signed his deal and decided to turn informant for law enforcement. He was arrested on June 7, 2011 after having led his merry band of ne'er-do-wells on a website compromise campaign that was all for, as they called it, the "lulz"
Orlando couple stole $550,000 in massive ID-theft 'phishing scam,' FDLE says (Orlando Sentinel) An Orlando husband-and-wife team stole roughly $550,000 in a massive "phishing scam" that compromised the identities of about 400 people, and more victims are expected as the investigation continues, the Florida Department of Law Enforcement announced Thursday
US government now owns Silk Road website and $28m of its Bitcoins (ZDNet) Through a default decision on Silk Road's seized Bitcoin, the US government has taken ownership of $28m worth of the volatile currency