The CyberWire Daily Briefing 06.24.14

Cyber Trends

Hacker Tactic: Holding Data Hostage (New York Times) The perpetual cat-and-mouse game between computer hackers and their targets is getting nastier. Cybercriminals are getting better at circumventing firewalls and antivirus programs. More of them are resorting to ransomware, which encrypts computer data and holds it hostage until a fee is paid. Some hackers plant virus-loaded ads on legitimate websites, enabling them to remotely wipe a hard drive clean or cause it to overheat. Meanwhile, companies are being routinely targeted by attacks sponsored by the governments of Iran and China. Even small start-ups are suffering from denial-of-service extortion attacks, in which hackers threaten to disable their websites unless money is paid

CIOs Consider Putting a Price Tag on Data (CIO) Figure out the dollar value of your information assets. Then you'll know what the 'I' in CIO is really worth — and how much to spend protecting it

Treat cloud, mobility as security tools rather than threats: IBM expert (CSO) Faced with dramatic change in their roles, CSOs need to re-evaluate their security strategies in terms of capitalising on the new capabilities of cloud and mobile rather than perceiving them simply as security threats, an IBM security expert has advised

Traffic lights, fridges and how they've all got it in for us (The Register) Interthreat of things

Internet of things will put pressure on enterprise security, says Proofpoint (ComputerWeekly) The internet of things (IoT) will put pressure on enterprise security because attackers will have more delivery vehicles for malware, says security firm Proofpoint

Despite Target, Retailers Still Weak On Third-Party Security (Dark Reading) A new survey from TripWire shows mixed results about retailers' security practices

Spammers increasingly targeting Montreal (Help Net Security) AdaptiveMobile released data that shows a marked increase in SMS spam across Canada in the past six months. The higher volume of SMS spam comes on the eve of the July 1st compliance deadline for Canada's Anti-Spam Legislation (CASL)

Improving transaction security for financial institutions (Help Net Security) Mobile technology is changing the way we conduct financial transactions. With more and more consumers relying on mobile technology to perform everyday activities, the mobile channel now represents nearly two out of three (65%) of all transactions for financial institutions

Former NSA Chief Warns Banks of Hacking Threats (PYMNTS.com) Keith Alexander, the former National Security Agency chief and head of the U.S. Cyber Command, recently spoke to cyber consultants about the potential dangers facing the financial industry. According to a recent Bloomberg article, Alexander retired in March, but is now trying to speak directly to banks about what they need to do to ensure national security

New report finds federal agencies ill prepared for cyber attacks (WPTV) Here's a chilling number: 46,160. That's the number of reported cyber incidents against federal agencies in 2013. Worse, that's a 30 percent increase in the last two years

A Cyber 'Axis of Evil'? (Eurasia Review) As almost all students and scholars of international relations would agree, the term "international order" is a contested one. There is not really a universally accepted definition, however, everyone, from the Ivy League scholars to the most unfamiliar individual, knows that there exists an "order" amongst the states in the international arena and that this order is preserved and maintained through various mechanisms. This international order we speak of is actually the post-WW2 order that is dominated by the Western, capitalist, liberal democracies. The "order", at times rather ostentatiously and sometimes implicitly, favors and protects the interests of the hegemonic countries, headed by the US. The international order is, in short, the order of the "international community", which is in other words, the Great Powers

Legislation, Policy and Regulation

NSA critics hail votes as game-changers (The Hill) Lawmakers and privacy advocates who are fighting to restrain the National Security Agency (NSA) say the tide is turning in their favor

State Measure Takes Aim at Cooperation with NSA (NBCSanDiego) There would be no welcome mat in California for the National Security Agency under a measure now making its way through the state Legislature

Spam in Canada goes "strictly opt-in" in one week — with only THREE YEARS to comply (Naked Security) A few days ago, a Naked Security reader sent us a spammy-looking email that he assumed was some sort of phish, or at least the start of some kind of social engineering exercise intended to induce him to visit an unwanted website

Senate takes one last shot at legalizing cell phone unlocking (Ars Technica) Consumers can unlock their phones, and even ask for help doing so

Products, Services, and Solutions

Cisco releases source code for experimental block cipher (Help Net Security) A team of Cisco software engineers has created a new encryption scheme, and has released it to the public along with the caveat that this new block cypher is not ready for production, i.e. is still in the experimental phase

Splunk and Syncsort Alliance Delivers Machine Data Insights from Mainframes (MarketWatch) Alliance unlocks mainframe data; enables collection and analysis of IBM zOS data

Webroot Introduces Next Generation Threat Intelligence Services for Enterprises (Broadway World) Webroot, the market leader in cloud-based, real-time internet threat detection, today announced expansion of its enterprise-class security solutions with the introduction of BrightCloud Security Services for Enterprise, a new portfolio of services which makes Webroot's industry-leading threat intelligence available to enterprises through integration with popular network security and management platforms

Protegrity Announces More Flexible, Efficient Data Security Platform (MarketWatch) New release builds on industry leading technology and innovation

ePLDT ties up with Check Point (Business World) Philippine Long Distance Telephone Co. (PLDT) said its unit ePLDT has tied up with Check Point Software Technologies in a bid to strengthen its network security offering

LightCyber and Check Point Firewall Integration Helps Enterprises Remediate Breaches (Digital Journal) LightCyber Magna Expands Its Advanced Breach Detection to Mitigate and Contain Attacks Using Industry-leading Check Point Firewall Software Blade

Vorstack Automates Security Operations to Increase Value of Threat Intelligence (Digital Journal) Vorstack, provider of a new breed of enterprise security products, announced today the release of Vorstack Automation and Collaboration Platform (ACP) 3.0, which plays an integral role in helping companies shorten discovery time and reduce complexity of identifying security risks

Panda guarantees complete protection (Business Cloud) Anyone with experience of computer security knows there is no perfect solution but Panda Security are guaranteeing they know better

Hapsis Annonce Sa Nouvelle Offre: Plan de Continuité d'Actitité et de Gestion de Crise (Hapsis Blog) Dans le cadre du renforcement de nos expertises et afin de répondre à la demande de nos clients, nous proposons des prestations en matière de Continuité d'Activité et de Gestion de Crise

Lunarline Launches Innovative Pen Testing Platform at 2014 Gartner Summit (MarketWatch) Lunarline, Inc. a leading cyber security firm, has announced plans to unveil Sniper — a new pen testing tool — during the 2014 Gartner Security & Risk Management Summit

Marsh cyber coverage includes fires, explosions, machinery breakdowns (Business Insurance) Marsh L.L.P. has launched a cyber insurance product for the energy industry underwritten by insurers and reinsurers in London and Europe

eSentire Launches SEC Response Readiness Service Ahead of SEC Cybersecurity Examinations for U.S. Fund Managers (Digital Journal) eSentire, the leader in active threat protection solutions and managed services, today announced a new service to prepare registered broker-dealers and registered investment advisors for pending U.S. Securities and Exchange Commission (SEC) examinations specific to cybersecurity

AlertEnterprise™ Demonstrates First Enterprise-Proven IT-OT Security Intelligence Platform at Gartner Security & Risk Management Summit, June 23-25. (MarketWatch) Enterprise Sentry™ delivers unified critical infrastructure protection across cyber, OT / SCADA and physical pecurity

Cabinet Office and Capita joint venture to offer cyber security training for boards and CEOs (Computing) The Cabinet Office and Capita's joint venture Axelos has moved into the cyber security space to offer training to boards and CEOs

5 Free Tools for Compliance Management (eSecurity Planet) Most IT pros consider compliance a hassle. Yet the tools of compliance can empower security technologies and simplify risk management. Better yet, some of those tools are free

Technologies, Techniques, and Standards

Top 4 Takeaways from the "Live Bait: How to Prevent, Detect, and Respond to Phishing Emails" Webcast (Rapid7 Security Street) In this week's webcast, Lital Asher-Dotan and Christian Kirsch tackled the hot topic, "Live Bait: How to Prevent, Detect, and Respond to Phishing Emails". Phishing has risen from #9 to #3 in the Verizon Data Breach Investigations Report on the most common attack vectors. Phishing attacks are often successful because it only takes error on the part of one user to compromise an entire organization. Read on to learn what security professionals should focus on to prevent, detect, and respond to phishing attacks effectively

Forget malware — stolen credentials are the real enterprise threat (VentureBeat) Focusing on malware detection as a frontline cybersecurity strategy puts IT security teams in a never-ending game of cat and mouse. A report from Pandalabs earlier this year found that 30 million new malware threats were created in 2013 — an average of 82,000 per day. Keeping pace with this rate of malware creation requires continuous upgrades to the latest cybersecurity defense technologies, the very same ones that malware developers are constantly finding new ways around. Fighting this unwinnable battle not only strains precious cybersecurity resources, but it also leaves a company vulnerable to an even greater threat: stolen credentials

Security Everywhere: One Unmanaged Desktop Is All It Takes (Information Security Buzz) An unpatched and unmonitored Windows desktop is an open gateway for viruses and trojans to sneak onto your network. Besides malware, these desktops can also act as a portal for malevolent users to steal or delete critical company data. If a criminal hacker can access your machine, they will try different options to steal company data or gain access to your network looking for bigger prizes

Security Essentials? Basics? Fundamentals? Bare Minimum? (Gartner Blogs) Let's think together — what technologies and practices constitute information security essentials? The question is actually bitchingly hard — so think before answering! One way to think of this is to imagine somebody describing his security capabilities to you, and when they miss something from that list you go "ZOMG!!! No way you missed X! What are you, stupid or something?! STOP talking to me and go deploy/do/buy that now!!!"

Does de-identification work or not? (FierceBigData) In a FierceBigData article which ran last Wednesday, Pam Baker posed some compelling questions regarding a recent "Big Data and Innovation, Setting the Record Straight:De-identification Does Work" whitepaper released by Ann Cavoukian, the Ontario information and privacy commissioner, and Daniel Castro, Information Technology and Innovation Foundation Senior Analyst. Of these, the most salient question was also the simplest: "Does de-identification work or not?"

What is the job of Chief Information Security Officer (CISO) in ISO 27001? (ISO 27001 & ISO 22301 Blog) It may sound rather funny, but ISO 27001 does not require a company to nominate a Chief Information Security Officer, or any other person who would coordinate information security (e.g., Information security officer, Security manager, etc.)

Using Words To Battle Cyber Losses (Wall Street Journal) Words matter when it comes to cybersecurity. With security concerns dominating today's corporate planning from the Board on down, the CIO often comes in as a technical expert, providing an analysis of the threat environment and what measures should be taken to prevent successful cyberattacks. And of course, the CIO is there to explain what happened when the inevitable successful attack happens. However, CIOs can do much more — and better protect the corporate bottom line — with just a little thought and some assistance from their lawyers. By using some careful contract language developed in collaboration with counsel and contract administrators, CIOs can be in a prime position to shift liability away from their company in the event of a successful cyberattack

Marketplace

Demand for data sovereignty puts home grown data centres in the spotlight (IT Director) The continuing revelations by former US National Security Agency employee Edward Snowden about the extent of data surveillance are rumbling like thunder around the cloud computing industry. This is likely to be more than just a passing storm in a tea cup as there could be lasting repercussions on where cloud users and providers store their data

DHS to award continuous monitoring task orders (Federal Times) As director of the Federal Network Resilience Division at the Department of Homeland Security, John Streufert oversees a $6 billion effort to secure public-sector networks against cyber threats. That effort, called the Continuous Diagnostics and Mitigation (CDM) program, aims to apply a strategic sourcing acquisition strategy toward the purchase of network sensors, dashboards, expertise and a variety of services to identify and fix the worst vulnerabilities threatening the dot-gov enterprise

SAIC looks to make cyber services easier to buy (FCW) The staying power of sequestration-level federal budgets has made the bang-for-buck sales pitch pervasive among security vendors. The message to federal clients is simple: Your dollars are scarce and, unlike our competitors, we are willing to save you money by bundling services or selling you less than we could

Andreessen Invests in Cybersecurity Firm (Wall Street Journal) Tanium, Which Helps Pinpoint IT Threats, Gets $90 Million. Venture-capital firm Andreessen Horowitz is placing its second-biggest bet ever on an unheralded tool for corporate-technology departments. The firm, known for backing Facebook Inc. and Pinterest Inc., among others, is investing $90 million in Tanium Inc., which helps companies pinpoint security threats and manage their sprawling computer networks. Andreessen Horowitz's investment values seven-year-old Tanium at $900 million

Qualys Joins Forces With the Council on CyberSecurity to Promote the Adoption of Cybersecurity Best Practices (MarketWatch) Qualys Inc. (NASDAQ: QLYS), a pioneer and leading provider of cloud security and compliance solutions, today announced it has joined the Council on CyberSecurity (CCS) as a Founding Member. Through this partnership Qualys will work with the Council to lay the foundation that is urgently needed to create security for all users in cyberspace

Ribose joins CSA to promote international standards for cloud security June 23 7:50 2014 (Broadway World) Ribose, a start-up redefining the way people collaborate, has joined the Cloud Security Alliance (CSA) to help promote security in cloud computing. CSA developed the first industry-accepted standard for cloud security, the Cloud Controls Matrix (CCM), and its other members include tech luminaries such as Amazon, HP and Microsoft

UK Football Club to Deploy CYREN WebSecurity SecaaS Solution to Boost Online Defenses (MarketWatch) New CYREN distribution partner VCW Security scores its first Security as a Service deal

Extending Cybersecurity in Romania (SIGNAL) Contract makes necessary products available in that country while current and new developments also protect other parts of the globe

MacAulay-Brown, Inc. Opens Fort Gordon Office (GlobeNewsWire) Expansion enables company to better serve United States Army Cyber Command, Intelligence Community and Signal Corps

Security skills shortage is real, and it's not going away anytime soon (Computerworld via CSO) There's good news and bad on the cybersecurity skills availability front

Why coding schools may be a solution to the tech talent shortage (TechRepublic) When approached correctly, coding schools might be the answer to staffing entry-level positions on your development team. We talk to a cofounder of one coding school to learn more

Research and Development

Faces Are the New Passwords (New York Magazine) One of the nine faces above is familiar to me, but the rest aren't. Can you pick it out? The answer is at the bottom of this post, and I don't like your odds. This grid is a "facelock," an alternative to the password system most websites use, and a study being published tomorrow in the journal PeerJ suggests that facelocks are a promising method of ensuring online security

The Shadow Internet That's 100 Times Faster Than Google Fiber (Wired) When Google chief financial officer Patrick Pichette said the tech giant might bring 10 gigabits per second internet connections to American homes, it seemed like science fiction. That's about 1,000 times faster than today's home connections. But for NASA, it's downright slow

Steganographic Key Leakage Through Payload Metadata (Cisco Blogs) Steganography is the ancient art of invisible communication, where the goal is to hide the very fact that you are trying to hide something. It adds another layer of protection after cryptography, because encrypted message looks like gibberish and everyone immediately notices that you want to hide something. Steganography embeds the (encrypted) secret message into an innocuous looking object such that the final communication looks perfectly normal. The "analog" form of steganography is the art of writing with invisible ink. The digital version hides the message by a subtle modification of the cover object. Probably the most researched area in digital steganography uses digital images as a cover media into which the message is inserted. The oldest (and very detectable) technique replaces the least significant bit (of each colour channel) with the communicated message. Shown below, the first picture is the cover object and the second one is the stego object

Security Patches, Mitigations, and Software Updates

Android Kitkat 4.4.4 released by Google to tackle OpenSSL security hole (Lumension) Less than three weeks after Google pushed out Android 4.4.3 to users of its Nexus smartphones and tablets, the technology giant has unexpectedly released factory images, binaries and source code for a new version — Android Kitkat 4.4.4 — patching a serious vulnerability in the OpenSSL cryptographic library

Imminent iOS 7.1.2 release tipped to bring major fixes (BGR) Apple is apparently getting ready to release iOS 7.1.2, a build that has already been released to mobile operators to test it and sign off on by Friday, June 27th. According to MacRumors, a public release could occur this week as soon as carriers approve of the new update

Cyber Attacks, Threats, and Vulnerabilities

Who is behind Isis's terrifying online propaganda operation? (The Guardian) The extremist jihadist group leading the insurgency against the Iraqi government is using apps, social media and even a feature-length movie to intimidate enemies, recruit new followers and spread its message. And its rivals — including foreign governments — are struggling to keep up

How Reuters got compromised by the Syrian Electronic Army (Frederic Jacobs) Hint: It isn't actually Reuters' fault. Earlier today, Reuters was compromised by the Syrian Electronic Army. It isn't the first time that occurs. Anyone who would try to visit a story about Syria, would be redirected to a page hosted by the Syrian Electronic Army

#OpHackingCup: Anonymous hacks website of famous Brazilian actress Glória Pires (HackRead) The online hacktivist Anonymous is back in news with another high profile hack. This time Anonymous Brasil has hacked and defaced the official website of famous Brazilian actress Glória Pires

Hedge-Fund Hack Is Part of Bigger Siege, Cyber-Experts Warn (Bloomberg) The attack on a U.S. hedge fund's network, which a cybersecurity contractor said last week disrupted the firm's high-speed trading and stole its data, is but one among many

Hedge Funds, HFT Vulnerable to Cyber Attack (Value Walk) HFT firm had their computer hacked, with hackers ironically being given an early look at their trade intentions. It was one small line in Michael Lewis's book that was most important to those closely watching the high frequency trading debate that mattered most. This line revealed the potential for HFT algorithims to fall into the "wrong hands" and cause untold economic damage. With the release of a Bloomberg report on the hacking of various hedge funds, the issue of terrorists and economic opportunists alike hacking into HFT firms and hedge funds comes squarely into focus

Researchers Go Inside HackingTeam Mobile Malware, Command Infrastructure (Threatpost) Controversial spyware commercially developed by Italy's HackingTeam and sold to governments and law enforcement for the purpose of surveillance, has a global command and control infrastructure and for the first time, security experts have insight into how its mobile malware components work

Heartbleed Attack on BYOD Service Hit Insurance Giant Aviva (Tripwire: State of Security) The Register is reporting that the Heartbleed vulnerability was leveraged in an attack last month against a BYOD service provider, allowing the attackers to potentially cause millions in damages for insurance giant Aviva after a number of the company's fleet of employee-owned mobile devices were wiped clean

Heartbleed patching effort stalls at around 300,000 vulnerable servers (IDG via CSO) Despite a great start, the rate of patching OpenSSL servers against the critical Heartbleed vulnerability has slowed down to almost a halt. Around 300,000 servers remain vulnerable and many of them are unlikely to get patched anytime soon

Why you should still worry about Heartbleed (CSO) Experts recommend some extra precautions for businesses to avoid getting caught in a Heartbleed attack

New Havex malware variants target industrial control system and SCADA users (IDG via CSO) A malware threat previously used in attacks against energy sector companies is now being aimed at organizations that use or develop industrial applications and machines

SVPENG: Mobile Malware Expanding to New Territories (Security Intelligence) Over the last week, the media has been reporting on a new mobile malware called SVPENG. Though widely regarded as a new threat, this malware had already been under investigation by Trusteer's security team in 2013, when it was discovered in its testing phases. It was presented and discussed February this year during IBM's Pulse conference

Medtronic Reveals They Were Targeted By Hackers, Lost Patient Records (Red Orbit) The largest stand-alone medical device manufacturer in the world has revealed that hackers had successfully infiltrated its computers, and that it had lost some patient records in separate incidents last year

P.F. Chang's Breach Went Undetected For Months (Dark Reading) Early reports indicate that the compromise involved a large number of restaurant locations and dates as far back as September 2013

Phishing Scam Targeted 75 US Airports (InformationWeek) Major cyberattack carried out in 2013 by an undisclosed nation-state sought to breach US commercial aviation networks, says Center for Internet Security report

AskMen website compromised, code injections leading to Caphaw infections (CSO) Researchers at Websense have discovered malware being served by AskMen.com, a popular portal dedicated to men. As an Alexa top 1000 website, the AskMen sees some 11.6 million visitors a month, offering the attackers a large pool of potential victims

Cyber attacks for ransom becoming more common (Gadsden Times) The Collinsville Police Department became the victim of cyber crime last week, and it is not the first time computer-savvy villains have targeted the cops

Dropbox-themed phishing is after multiple login credentials (Help Net Security) Phishing emails purportedly leading users to a file hosted on Dropbox are targeting Yahoo!, Gmail, Hotmail, and Aol email users, warns Malwarebytes' Jovi Umawing

A peek inside a commercially available Android-based botnet for hire (Webroot Threat Blog) Relying on the systematic release of DIY (do-it-yourself) mobile malware generating tools, commercial availability of mobile malware releases intersecting with the efficient exploitation of legitimate Web sites through fraudulent underground traffic exchanges, as well as the utilization of cybercrime-friendly affiliate based revenue sharing schemes, cybercriminals continue capitalizing on the ever-growing Android mobile market segment for the purpose of achieving a positive ROI (return on investment) for their fraudulent activities

Google Glass Snoopers Can Steal Your Passcode With a Glance (Wired) The odds are you can't make out the PIN of that guy with the sun glaring obliquely off his iPad's screen across the coffee shop. But if he's wearing Google Glass or a smartwatch, he probably can see yours

People invested $1.2 million in an app that had no security (ZDNet) Proving that no one learned from Snapchat's security and privacy spectacle, people invested $1.2 million on an app that had no security. Despite the news it was hacked, Yo still isn't coming clean

Exposing hidden domain registrations could hurt innocent users more than criminals (IDG via CSO) Banning the use of privacy and proxy services to hide details of domain name registrants would scarcely inconvenience criminals but would have privacy implications for lawful users of those services, according to a study

F1 star Michael Schumacher dead? It's the latest sick Facebook scam (We Live Security) Scammers and fraudsters think nothing of scraping the barrel of bad taste, if they believe it will help them earn a few dollars

Beware! Sad video of woman dying during a fight is really a Facebook scam (Hot for Security) Scammers are once again attempting to make an easy buck by tricking Facebook users into sharing gruesome videos that link to money-making surveys

Academia

Planned cyber center includes USNA's first classified facility (Navy Times) A state-of-the-art cyber operations center planned for the Naval Academy would allow midshipmen to view classified information and watch cyber attacks as they happen, said Capt. Paul Tortora, director of academy's Center for Cyber Security Studies

Utica College Receives Endorsements From NSA, Department Of Homeland Security (WIBX) Utica College has been designated as a National Center of Academic Excellence in Information Assurance And Cyber Defense Education by the National Security Agency and the Department of Homeland Security

University leads the way with cyber security (Voxy) One of the world's leading cyber security academics says the University of Waikato is "leading the way" in helping fill an ever-growing shortage of cyber security professionals

Litigation, Investigation, and Enforcement

Seizing data for 2.5 years amounts to "general warrant," court says (Ars Technica) Decision limits government powers to search seized computer data carte blanche

Tax, security info at cyber attack risk (Australian Associated Press via the Daily Mail) Tax and social security records and national security information remains vulnerable to cyber attacks, a new report shows. An auditor-general review of seven major government agencies found that none complied with the required cyber security measures which were due to be in place by mid-2014. The agencies included the Australian Tax Office, Department of Foreign Affairs and Trade, Australian Bureau of Statistics, Customs, Australian Financial Security Authority, the Department of Human Services and IP Australia

Why Edward Snowden deserves a fair and open trial (Russia Today) A year after his defection, first to Hong Kong and then to Russia, former National Security Agency contractor Edward Snowden continues to make headlines and expose new secrets

Massachusetts Man Pleads Guilty to Computer Hacking and Credit Card Theft (US Department of Justice, Office of Public Affairs) A Massachusetts man pleaded guilty today to hacking into computer networks around the country — including networks belonging to law enforcement agencies, a local police department and a local college — to obtain highly sensitive law enforcement data and alter academic records. He also pleaded guilty to obtaining stolen credit, debit and payment card numbers

Design and Innovation

Spy satellite agency wants to tap video game technology (USA TODAY) The National Reconnaissance Office (NRO), the secretive agency that launches and runs the nation's spy satellite system, is looking at technology developed by the video game industry to help it improve how it gathers and analyzes intelligence data, according to a research proposal released Monday