The CyberWire Daily Briefing 06.25.14

Cyber Trends

Who is ultimately responsible for data security in the cloud? (Help Net Security) A recent report following Infosecurity Europe 2014 suggested that 43 per cent of organisations had no enterprise visibility or control into whether employees were putting sensitive data into the cloud. Furthermore, a new survey has shown that almost half of firms say they already, or plan to, run their company from the cloud. Both of these findings clearly demonstrate just how integral the cloud is becoming to businesses

Private Companies Face Collapse From Cyber Attacks (SIGNAL) Firms that are not taking cybersecurity seriously enough could pay the ultimate price

Corporate Culture Key to Private Sector Cybersecurity (SIGNAL) Company leadership must play a greater role or else face departure after a cyber attack

The quantum cryptography arms race has begun (InfoWorld) Quantum computing may be taking its time to arrive, but when it does, encryption won't be the same again

Credit and debit card fraud eating away at consumer confidence in providers (TechWorld via CSO) Credit and debit card fraud is starting to erode confidence in providers, with many consumers using cards less often or abandoning them altogether after fraud incidents, a global survey of 6,100 consumers by ACI Worldwide has reported

Legislation, Policy and Regulation

Russian Bureaucracy's Race to Police the Web (Global Voices) Russia's lawmakers and police are in a race to take control over the Internet. For more than two years, the parliament has spewed out legislation that imposes new restrictions on Internet use. Now, engorged by these new laws, Russia's authorities can legally shut down, lock up, or block off just about anything happening online. The Kremlin has been careful to avoid targeting Russia's e-business sector, but political expression on the Web has become increasingly unsafe

May calls for data access changes (Belfast Telegraph) At least 20 cases have been dropped by the National Crime Agency (NCA) in six months as a result of missing communications data — including 13 threat-to-life scenarios involving children, the Home Secretary has revealed

Editorial: Finally Dealing with the NSA, Congress finds its spine (Seattle Times) To pass overdue reforms of the National Security Administration's spy powers, Congress is regrowing its oversight spine

Summary of Homeland Security bill approved by approps subcommittee this morning (Insurance News Net) The U.S. Senate Appropriations Subcommittee on Department of Homeland Security today approved fiscal year 2015 funding legislation that totals $47.2 billion, $643 million above the fiscal year 2014 enacted level. Of this total, $45.65 billion is for discretionary programs, including $213 million for Coast Guard overseas contingency operations and $6.4 billion for the Federal Emergency Management Agency (FEMA) Disaster Relief Fund. After excluding these two adjustments, the net discretionary appropriation for the Department of Homeland Security (DHS) is $39 billion. Even with this modest increase, discretionary appropriations for DHS have declined by 8.3 percent since fiscal year 2010

Agency heads hash out critical infrastructure protection roles (Federal Times) Top cybersecurity leaders in government are now hashing out how various cybersecurity-related agencies will handle the mission to protect critical infrastructure from cyber attacks

DHS Focuses on Physical Damage Via Cyber Attacks (SIGNAL) What is happening in cyberspace is secondary to its effects elsewhere for homeland security

NSA's Rogers: JIE crucial to cyber defense (FCW) The Defense Department's move to a Joint Information Environment cannot come soon enough for National Security Agency Director Adm. Michael Rogers, who said June 24 that the department-wide IT platform will provide DOD the network visibility it needs to repel cyberattacks

NSA Director Michael Rogers is encouraging employees to leave the agency (and hopefully return some day) (Baltimore Business Journal) National Security Agency chief Adm. Michael S. Rogers has been on the job for only about 90 days, but he has big plans for bolstering the agency's workforce of the future

Why Americans, like Europeans, should be able to scrub their online search results (Quartz) Based on the uproar from American internet and legal experts, I had assumed a privacy ruling by the European Union Court of Justice in May was an assault on free speech and our right to information. I also assumed it would mostly be sex offenders or hucksters who would ask to have a search term delinked from something they don't like on the web

Products, Services, and Solutions

Darktrace Announces New, Self-Learning Cyber Intelligence Platform (Digital Journal) Enterprise immune system addresses insider and external threats. Darktrace, founded by world-class machine learning specialists and operational government intelligence experts, today announced the launch of its self-learning Darktrace Cyber Intelligence Platform version 2. Darktrace gives customers the ability to detect anomalies in real time that go undetected by existing security tools, thanks to its ground-breaking Enterprise Immune System technology that learns 'self' and what is normal and abnormal activity within an organization

Fasoo Announces New Partnership with Neocol to Enhance IBM ECM Security (PRWeb) Neocol adds Fasoo Enterprise Digital Rights Management (EDRM) solutions to help its Enterprise Content Management (ECM) customers mitigate risk

Arxan Launches Customized Assessment to Identify Mobile App Exposures at Gartner Security & Risk Management Summit (MarketWatch) Enterprises can now receive a comprehensive, complimentary report within 48 hours

Agiliance Introduces First NIST Cybersecurity Framework Security Checklist and Best Practices Content Pack (MarketWatch) Packaged intelligence in RiskVision platform automates organizational assessments and continuous management of cyber security risks

Privilege Management Provides Defense Against Land-and-Expand Cyber Attacks (MarketWatch) Lieberman Software explains how advanced persistent threats (APTs) are almost impossible to stop, but damage can be limited with privilege management and secure network design

OPSWAT Releases GEARS Application for Device Security and Advanced Threat Detection (Digital Journal) OPSWAT today announced the official release of the GEARS application. This free software helps users identify if their computer is at risk or compromised by providing greater visibility into the status of installed security applications and alerting them to potential advanced threats. The release of this new application extends the capabilities of the GEARS cloud-based network security management platform to individual users and computers

Tufin's Authoritative Solution For Automated Network Segmentation Management Fortifies Security And Drives Business Agility (Insurance News Net) Tufin®, the market-leading provider of Security Policy Orchestration solutions, today announced a new version of its award winning Tufin Orchestration Suite. This new version extends Tufin's Unified Security Policy™ into SecureChange®, its Network Change Automation platform, bringing best of breed management, visibility and automation to enterprise network security policies

WatchGuard Brings Advanced Persistent Threat Protection (APT) to the Masses (Enterprise Working Planet) Seattle-based WatchGuard Technologies has deployed a new operating system for its family of security appliances and Next Generation Firewalls (NGFW). Fireware OS 11.9 incorporates advanced security technologies, such as an APT (Advanced Persistent Threat) protection service, as well as improved application security controls

CSC brings three enhanced offerings under Cloud Cybersecurity Services (Infotech Lead) CSC has announced its three enhanced cloud cyber security services — Cloud Endpoint Protection (CEP), Cloud Managed Vulnerability Assessments (CVMA), Cloud Security Incident and Event Monitoring (CSIEM), which offer to protect CSC cloud from constant threats

CyberSponse, Inc. Announces CyberSponse IR360° — Tier 4–Compliant Cybersecurity Incident Response Platform (Dark Reading) Workflow automation, command and control gives corporate incident response teams the power to manage risk, protect valuable assets, and reduce costs & risk associated with enterprise security operations

Battling The Bot Nation (Dark Reading) Online fraudsters and cyber criminals — and even corporate competitors — rely heavily on bots, and an emerging startup aims to quickly spot bots in action

Technologies, Techniques, and Standards

FDA issues social media guidance (FierceMobileHealthCare) Two new draft federal guidance documents published by the U.S. Food and Drug Administration focus on regulation of medical products and electronic digital platforms and correcting information regarding such devices and prescription drugs via Internet communication platforms

Will perimeter firewalls give way to 'RASP'? (NetworkWorld) Gartner analysts debate value of perimeter firewalls vs. "Runtime Application Self-Protection"

Extending Debuggers (Infosec Institute) Sometimes we come across situations when we are in need of doing something inside our debuggers or to extend the functionality of them. For such things, debuggers usually provide an API interface to extend or provide extra functionality for the debugger

Hackers show how to protect your iPhone (CNN Money) Here's one way to make your iPhone hacker-proof: Ask hackers for advice

Six Steps Small Businesses Can Take to Assure Bank Account Security (Kaspersky Lab) If cybercriminals were lions, small business would be a herd of antelope. Rarely are they individually targeted; the lioness simply takes down the weakest one. So, it's all about survival of the fittest: follow a few safety rules that the rest of the herd doesn't know, and your business could remain breach-free for another year

Former NSA director advocates for thin client cloud security model (TechTarget) More than a year after Edward Snowden leaked confidential information about the breadth of the National Security Agency's domestic intelligence-gathering, the former head of the NSA staunchly defended the agency's actions while advocating for enterprises to adopt the computing paradigm that helps keep the NSA's systems secure

Stronger Keys and Faster Security with ECC (SYS-CON Media) Anyone who has been involved with security knows there is a balance to providing both security and privacy and performance at the same time. Security is often blamed for performance woes, particularly when cryptography is involved

To Pay or Not to Pay — That's the Ransomware Question (TechNewsWorld) "The key is to remove power from the extortionists, and you do that by backing up your system regularly," said Kenneth Bechtel, a malware research analyst with Tenable Network Security. "This basic best practice is cheap and easy, thanks to removable hard drives. With backups, there's no need to pay the ransom to get your data back or interact with extortionists in any way"

Kenneth van Wyk: If you want developers to give a hoot about security, take a lesson from the squirrels (ComputerWorld) The problem with all too many software developers, from a security professional's point of view, is they lack a healthy sense of mistrust

Marketplace

Three Items Top Cyber Command's Industry Wish List (SIGNAL) Government technology alone will not address all of the command's challenges

Is privacy undermining trade in digital services? (ComputerWeekly) Since Edward Snowden lifted the lid on the US National Security Agency's (NSA) surveillance secrets there has been a lot of fretting about spies. It is not a new issue, but more people are now talking about keeping data in places beyond the legal reach of any foreign government

Microsoft and the future of cyber-security (The Nation) US giant sets out its strategy, commitment to keeping devices and users safe in a rapidly developing tech-driven world

Should We Trust Google With Our Smart Homes? (Wired) John Matherly operates what you might call the search engine for the Internet of Things. It's called Shodan, and it lets you probe the net for all sorts of online devices, from refrigerators and swimming-pool control panels to webcams — lots and lots of webcams

RedOwl Analytics raises $4.6M; Kevin Plank among investors (Baltimore Business Journal) Baltimore cyber security firm RedOwl Analytics has closed on a nearly $5 million funding round, with investors including Under Armour Inc. CEO Kevin Plank

CyberArk Files Registration Statement for Proposed Initial Public Offering (MarketWatch) CyberArk, a global leader and pioneer of a new layer of IT security solutions, today announced that it has publicly filed a registration statement on Form F-1 with the U.S. Securities and Exchange Commission (SEC) relating to a proposed initial public offering of its ordinary shares. The number of shares to be offered and the price range for the proposed offering have not yet been determined. CyberArk has applied to list its ordinary shares on the Nasdaq Global Select Market under the ticker symbol "CYBR"

Barnes & Noble is splitting into two companies: one for Nooks and one for books (The Verge) Company plans to spin-off its flagging hardware business after recent Samsung partnership

Akamai Positioned in the "Challengers" Quadrant of the Magic Quadrant for Web Application Firewalls (Wall Street Journal) Akamai® Technologies, Inc. (NASDAQ: AKAM), the leading provider of cloud services for delivering, optimizing and securing online content and business applications, today announced the company has been positioned by Gartner, Inc. in the "Challengers" quadrant of the Magic Quadrant for Web Application Firewalls

New UK cybersecurity training scheme prepares for hackers (C/NET) Government and business are under constant cyber attack and must learn to "take the hit," says the director of a new cybersecurity training programme

The Ramp with 5 Levels: Top 50 Information Security Interview Questions (Infosec Institute) Let's face it, Information Security has about a bazillion possible questions at any given interview across a wide variety of possible topics. On top of that, InfoSec means a lot of different things to a lot of different people

Symantec Cyber Connection (SC3) Program Overview (Digital Journal) Symantec today announced the launch of a first-of-its-kind program, the Symantec Cyber Career Connection (SC3), to address the global workforce gap in cybersecurity and provide new career opportunities for young adults who may not be college-bound

Sen. Landrieu secures $15.8 for Bossier's Cyber Innovation Center (ArkLaTex) The Chair of the Senate Homeland Security Appropriations Subcommittee, U.S. Sen. Mary Landrieu announced Tuesday that she has included $757 million for cybersecurity programs including $15.8 million for the Cyber Innovation Center in Bossier City

Pwnie Express Appoints Edwin Marin as Vice President of Product Management and Engineering (PRWeb) Marin brings over 20 years of proven enterprise SaaS, security and networking experience to company

Research and Development

hitchBOT — Privacy invading hitchhiking robot or fun social experiment? (Naked Security) Would you trade your password for a candy bar? The candy may be delicious but the potential harm surely isn't

Security Patches, Mitigations, and Software Updates

VMSA-2014-0007 VMware product updates address security vulnerabilities in Apache Struts library (VMware Security Advisories) The Apache Struts library is updated to version 2.3.16.2 to address multiple security issues

Cyber Attacks, Threats, and Vulnerabilities

Analyzing the ISIS "Twitter Storm" (War on the Rocks) For the last eighteen months we've been closely monitoring the Syrian conflict. One of the ways we do this is through social media, using a range of tools to aid our work. For Twitter, we use Palantir's Torch platform — a data analysis and visualization program — and decided to use it to analyze Friday's ISIS #AllEyesOnISIS "twitter storm"

Jihadists in Iraq hijack World Cup hashtags (ComputerWeekly) The militant Islamic group ISIS, which is battling for control of several major cities in Iraq, is hijacking Twitter hashtags for the 2014 World Cup to spread its message

World Cup security well executed if you don't count the Wi-Fi (Naked Security) Without a doubt, the world is watching the World Cup and it has been going swimmingly from a security standpoint

Government of Punjab, Pakistan Website Hacked Against Police Brutality (HackRead) Pakistani hackers are furious over police brutality on their citizens. Last week it was the website of Pakistan Electric Power Company (Private) Limited (PEPCO) targeted against shooting bullets at protesters

International Federation of Journalists deplores cyber attack on pro-democracy news websites (International Federation of Journalists via the Imperial Valley News) The International Federation of Journalists (IFJ) condemns the massive cyber attack on a Hong Kong media group, which was clearly aimed at suppressing press freedom

European bank 'hit by sophisticated cyber-thefts' (BBC) A security firm has reported uncovering evidence of cyber-thieves robbing more than 190 customers of a European bank

The Luuuk banking fraud campaign: half a million euros stolen in a single week (Kaspersky Lab) The experts at Kaspersky Lab's Global Research and Analysis Team have discovered evidence of a targeted attack against the clients of a large European bank. According to the logs found in the server used by the attackers, apparently in the space of just one week cybercriminals stole more than half a million Euros from accounts in the bank. The first signs of this campaign were discovered on 20 January this year when Kaspersky Lab's experts detected a C&C server on the net. The server's control panel indicated evidence of a Trojan program used to steal money from clients' bank accounts

Duo Security Researchers Uncover Bypass of PayPal's Two-Factor Authentication (Duo Blog) Researchers at Duo Labs, the advanced research team at Duo Security, discovered that it is possible to bypass PayPal's two-factor authentication (the Security Key mechanism, in PayPal nomenclature). The vulnerability lies primarily in the authentication flow for the PayPal API web service — an API used by PayPal's official mobile applications, as well as numerous third-party merchants and apps — but also partially in the official mobile apps themselves

Spyware subsidizes high-end Android phone (ZDNet) We're all used to crapware subsidizing Windows PCs. Now firmware-based spyware is subsidizing Android phones. Here's what to look for

How governments devise custom "implants" to bug smartphones (Ars Technica) Post provides rare glimpse inside Android-based "lawful intercept" app

Improperly anonymized taxi logs reveal drivers' identity, movements (Help Net Security) Software developer Vijay Pandurangan has demonstrated that sometimes data anonymizing efforts made by governments and businesses are worryingly inadequate, as he managed to easily deanonymize data detailing 173 million individual trips made by New York City taxi drivers

Risks of Not Understanding a One-Way Function (Schneier on Security) New York City officials anonymized license plate data by hashing the individual plate numbers with MD5. (I know, they shouldn't have used MD5, but ignore that for a moment.) Because they didn't attach long random strings to the plate numbers — i.e., salt — it was trivially easy to hash all valid license plate numbers and deanonymize all the data

Beware Flappy Bird clones carrying malware (USATODAY) Scratching the Flappy Bird itch could be dangerous, a report by computer security company McAfee finds. "Of the Flappy Bird clones we sampled, almost 80% contained malware," said Brian Kenyon, chief technical strategist at the Santa Clara, Calif.-based company

Cybercriminals exploit trusted app and service vulnerabilities (Help Net Security) The manipulation of legitimate mobile apps and services played a key role in the expansion of mobile malware at the beginning of 2014

Atypical cloned banking app pops up on Google Play (Help Net Security) An unusual instance of a cloned banking app has been spotted on Google Play by Lookout researchers: the app steals only the users' ID, and leaves alone the password

Cross-Platform Mobile Threats: A Multi-Pronged Attack (TrendLabs Security Intelligence Blog) Cross-platform threats can be dangerous, both at home and in the office. These can 'jump' from one platform to another, or target all of them at the same time — potentially infecting a user's entire network, or even a company's network if left unchecked. The risk to critical data and system functionality, not to mention overall network security, can be catastrophic if not mitigated properly

KnowBe4 Alerts Users: CryptoLocker Threat Variant Goes Stand Alone (Insurance News Net) Even with the recent international law enforcement "Operation Tovar" shutting down Cryptolocker operations, it appears the number one ransomware Trojan is back in business. KnowBe4 reports a new strain of the infamous CryptoLocker has been found. The new Trojan does not rely on the 2048-bit RSA encryption and does not need any communication with a Command & Control server to work. It operates stand-alone, and the extensions of affected files are switched to .cryptolocker after encryption

JackPOS — Another Credit Card Stealer (Fortinet Blogs) In a previous blog post on Dexter, we briefly mentioned a new strain of point-of sale (PoS) malware that has compromised over 4,500 credit cards in the United States and Canada. This new strain of malware, dubbed JackPOS, was detected early this year and between then and the time of writing, has had just one version, but with multiple variants

PlugX RAT With "Time Bomb" Abuses Dropbox for Command-and-Control Settings (TrendLabs Security Intelligence Blog) Monitoring network traffic is one of the means for IT administrators to determine if there is an ongoing targeted attack in the network. Remote access tools or RATs, commonly seen in targeted attack campaigns, are employed to establish command-and-control (C&C) communications. Although the network traffic of these RATs, such as Gh0st, PoisonIvy, Hupigon, and PlugX, among others, are well-known and can be detected, threat actors still effectively use these tools in targeted attacks

Fewer NTP servers can be abused to amplify DDoS attacks, but threat remains (IDG via CSO) The number of NTP (Network Time Protocol) servers that can be abused to amplify DDoS attacks has decreased dramatically this year, but the threat remains

Hospital Networks Are Leaking Data, Leaving Critical Devices Vulnerable (Wired) Two researchers examining the security of hospital networks have found many of them leak valuable information to the internet, leaving critical systems and equipment vulnerable to hacking

Aviva's iPhones hit by Heartbleed hack (Cable) Insurance firm Aviva has fallen victim to a major cyber attack that targeted workers' iPhones

BBC News app hijacked? Bogus breaking news alerts posted (Graham Cluley) The popular BBC News smartphone app appears to have been hijacked, or at least its "Breaking News" feature, by mischief-makers who are popping up messages on users' devices…It's good to know that the app hasn't been compromised, and this is just the BBC goofing up in a fairly harmless way. Hopefully they will be more careful next time

Spam, talk about false advertising (Internet Storm Center) SPAM SPAM SPAM, It never fails to entertain. Like most of you I get my fair share of SPAM and like a number of you I will happily click links (not a recommendation) and follow the little yellow brick road to whatever malware or "sales" opportunity presents itself. This one was just a bit more random than others I've received lately

A peek inside the online romance scam. (Webroot Threat Blog) Online dating can be rough, and no matter how many safeguards are in place in the multiple legitimate dating websites out there, the scammers are getting around the blocks and still luring in potential victims. While the reports of these types of scams are out there (even with copy and paste examples of the e-mails used), people still fall for the scams every day. In this particular case, it was my profile on eHarmony that was targeted, and this is my recount of it

False Stoned virus detections in Bitcoin files are widespread (ZDNet) Some joker stuffed the virus signature into the return address for a Bitcoin transaction leading to Stoned virus detections when transactions are stored on-disk

State of Montana sends out 1.3 million data breach notifications (CSO) Notification letters from the State of Montana started to be sent out this week outlining that they had suffered a data breach which affects 1.3 million people

Academia

Why cyber security is a safe choice for a postgrad degree (The Guardian) Graduates who know how to protect data from online attacks are in high demand

Mary Ann Hopkins: Parsons-BHEF Team Aims to Help DC Region Build Cyber Workforce (ExecutiveBiz) Parsons is collaborating with the Business-Higher Education Forum to create a Greater Washington Cyber Network of cybersecurity professionals from academia, industry and government from Maryland, Northern Virginia and Washington, D.C.

Northrop Grumman's Woodland Hills Facility Selects Winners in Seventh Annual Engineering Scholars Competition (Wall Street Journal) Northrop Grumman Corporation's (NYSE: NOC) Woodland Hills facility has announced the two winners of its seventh annual Engineering Scholars program, which will provide $20,000 in college scholarships to high school seniors in the greater San Fernando Valley area interested in studying engineering, computer science, physics or math

Litigation, Investigation, and Enforcement

Microsoft's Top Lawyer Slams Secret Surveillance Court (Wall Street Journal) The U.S.'s secret surveillance court is unaccountable to the public and not "inclined to promote justice," Microsoft's top lawyer said Wednesday

Former News of the World editor Andy Coulson found guilty of phone-hacking (Deutsche Welle) A former editor of a now defunct British tabloid has been found guilty of phone hacking. The trial was triggered by revelations that the paper had for years been hacking phones for news stories

Cupid Media data breach shown no love by Privacy Commissioner (ComputerWorld) Investigation found that 254,000 user details were stolen, company breached Privacy Act

The 'Fly' Has Been Swatted (Krebs on Security) A Ukrainian man who claimed responsibility for organizing a campaign to send heroin to my home last summer has been arrested in Italy on suspicion of trafficking in stolen credit card accounts, among other things

$800,000 Penalty for Paper Records Breach (Healthcare InfoSecurity) An $800,000 HIPAA settlement between the Department of Health and Human Services and an Indiana community health system for an incident involving paper records dumping is the latest reminder that patient information needs to be safeguarded regardless of whether it's electronic or paper-based

The CyberWire Daily Briefing for 6.25.2014