The CyberWire Daily Briefing 07.07.14

Cyber Trends

Mobile security market moves away from FUD (TechTarget) The mobile security market has matured, but some IT departments haven't gotten the message

Integrating intelligence key to better security, says FireEye (ComputerWeekly) Security threat intelligence is vital, but challenging to implement, says Joshua Goldfarb, chief security officer, enterprise forensics group, FireEye

The Rise Of Threat Intelligence Sharing (CRN) The Target breach prompted retailers to create a formalized process for disseminating threat intelligence information to help incident responders quickly address attacks targeting payment systems and threats to servers containing sensitive customer data

Gear towards resilience in cyber war (Insurance Business Online) Insurer's research finds Australasian IT companies must prepare to face global internet failure

Facebook Mood Manipulation: 10 Bigger Problems (InformationWeek) Facebook's failure to communicate about its mood experiment is the least of the things Internet companies do to us

Don't Set The CISO Up To Fail (InformationWeek) More healthcare organizations are hiring CISOs — a good thing. But bad management structure, insufficient resources, and poor understanding of risks often doom these newly appointed security executives

Journalists need to know all the things 'cyber' can mean for smart coverage (CJR) Journalists need to learn to evaluate threats by being as specific as possible in describing them, and who might be affected

Legislation, Policy and Regulation

Panel: NSA's targeting of foreigners is lawful (Washington Post) An independent executive-branch board has concluded that a major National Security Agency program targeting foreigners overseas is lawful and effective but that certain elements push "close to the line" of being unconstitutional

Edward Snowden and the NSA Can Both Be Right (TIME) Two reports raise the possibility that on balance, both the NSA collection programs and Snowden's revelations have done more to advance the public good than to harm it

US closes out no-spy deal with Germany (Voice of Russia) The United States will not sign a no-spying agreement with Germany as it attempts to settle the diplomatic fallout from the US National Security Agency's surveillance on Chancellor Angela Merkel, a White House official said Thursday

Ties Strained, Germans Press U.S. to Answer Spy Allegation (New York Times) With mystery enveloping a German intelligence service employee accused of spying — reportedly for the United States — German officials and commentators on Sunday angrily demanded a response from Washington, warning that an already troubled relationship was at risk of deteriorating to a new

Spying by US 'security agency' against international laws: Pakistan (Daily Times) Tasnim says Pakistan's embassy in Iraq functional, ambassador in touch with all Pakistanis

US spying on Sri Lanka also (Sunday Times) Sri Lanka is among many countries where the United States National Security Agency has been spying on

Warn U.S. against snooping: Karat (The Hindu) The Communist Party of India (Marxist) on Friday demanded that the Narendra Modi government get a firm assurance from the U.S. that it would not indulge in surveillance and espionage operations in India

Russia's latest internet law proposal — anti-NSA, or pro-FSB? (Naked Security) Russia's parliament, the State Duma, has heard another internet freedom bill requiring foreign web firms to host any data on Russia citizens within Russia's borders

State Department's CIO says budget doubled after harsh inspector general report (Washington Business Journal) The State Department's top cybersecurity official says his budget doubled in order to address tough criticism given by the agency's inspector general, according to Federal News Radio

AVG wants new legislation covering the Internet of Things for the sake of children (ITProPortal) AVG wants legislators to devise a plan that stops data gathering firms from spying on children by placing limits on how much can be collected from portable devices

Products, Services, and Solutions

Protect your family with Bitdefender (Download) Back by popular demand, Bitdefender is offering its top-rated, all-around security protection for the whole family at less than half the regular price

Microsoft Encryption Protects User Data From NSA and Other Snoops (Forbes) In a not-so-subtle dig at the National Security Agency, Microsoft's Vice President of Trustworthy Computing, Matt Thomlinson, described the company's expanded encryption efforts as a way to help "reinforce that governments use appropriate legal processes, not technical brute force, if they want access to that data"

Chief Minister welcomes Manx Telecom investment in cyber attack prevention (isleofman.com) Chief Minister Hon Allan Bell MHK said Manx Telecom's new cyber attack prevention solution will enhance the Isle of Man's status as a responsible jurisdiction in the digital community

'Spy-proof' IM launched: Aims to offer anonymity to whistleblowers (The Register) Security experts have teamed up to created a stealthy internet messenger client designed especially for whistleblowers

Technologies, Techniques, and Standards

Microsoft supports open source software framework for IoT (Help Net Security) The AllSeen Alliance, the broadest Internet of Everything open-source project, announced that Microsoft has joined the group's multi-company effort as a Premier Member to make it easier for a broad range of everyday devices, objects and services to interoperate seamlessly and intelligently

The building blocks of a successful authentication infrastructure (Help Net Security) In this interview, Josh Alexander, CEO of Toopher, discusses how an increasingly mobile workforce shapes the way an organization deals with authentication issues, provides advice to a CISO with the task of upgrading an outdated authentication infrastructure, and much more

How Microsoft cracks the BYOD code: 3 tips (InformationWeek) Microsoft's CISO shares best-practices for balancing employee autonomy and security in today's bring-your-own world

Avoiding the pitfalls of a corporate data breach (Gulf News) Organisations in the technology and retail sector are far more likely to have a breach

How to remember all your passwords and keep them safe (Quartz) In the days after the Heartbleed story broke, Internet users were strongly advised to change the compromised passwords on their online accounts to protect their data

Marketplace

The Internet Of Small Things Spurs Big Business (InformationWeek) IoT scenarios that appear consumer-centric and disposable hold broad business opportunities

Germany's biggest datacentre opens its doors, targeting the security-conscious (ZDNet) Deutsche Telekom's IT services arm has opened a twin facility for its existing Magdeburg datacentre

Facebook's experiment on users — what would it take for you to finally quit? [POLL] (Naked Security) Facebook is taking heat once again for perceived invasion of privacy, after it disclosed a research experiment conducted on users without their explicit consent

Albany area's Center for Internet Security expands nationwide (Albany Business Review) The Center for Internet Security, a nonprofit headquartered in Rensselaer County, New York, will expand its cyber monitoring services to all 50 states this year in a partnership with the U.S. Department of Homeland Security

Israeli ministers approve tax breaks for new cyber-security park (Haaretz) Critics note cost of move to both treasury and other business parks in south

Security Patches, Mitigations, and Software Updates

Patch Tuesday for July 2014 — 6 bulletins, 2 RCEs, 3 EoPs and get ready to reboot (Naked Security) Here's what to expect from Microsoft in the July 2014 edition of Patch Tuesday, scheduled to ship on Tuesday 08 July 2014

Five WordPress Plugins You Should Update Right Now (PC Magazine) If you own a WordPress site, make sure you are staying on top of updates — not just for the core platform, but for all the themes and plugins, too

Cyber Attacks, Threats, and Vulnerabilities

EXCLUSIVE: Tunisian Hackers Announce Cyber Jihad Against US Banks, Airport Computer Systems (HS Today) Beginning July 5, The Tunisian Hackers Team (THT), a group of Tunisian hackers known for its 2013 attempts to attack US banks, including Bancorp, announced via social media that it intends to launch a cyber attack on US banks and airport computer systems during the coming week, according to the Middle East Media Research Institute's (MEMRI) Cyber Jihad and Lab Project

Dead mobile devices banned from planes to US (IT News) International passengers travelling on American airlines from certain airports will need to prove their devices are charged before being allowed to board, in a new security effort aimed at preventing acts of terrorism

SEA hacks Israeli Defence Force Twitter account, posts bogus nuclear warning (Naked Security) Residents of the Southern District of Israel may have felt alarmed on Thursday after the Twitter account of the Israeli Defence Force warned of a possible leak at the Dimona nuclear facility

Anadolu Agency under cyber-attack: deputy PM (Hurriyet Daily News) Anadolu Agency has faced 24 cyber-attacks so far this year, mostly from the U.S., Canada and China, Deputy Prime Minister Bülent Arınç said on July 4

#OpCISA: Anonymous threatens congressmen & their families over cyber security bill (HackRead) The hacktivist collective Anonymous going with the Twitter handle of Anon_Messenger has threatened congress lawmakers to back off over CISA cyber security bill if they value the "sanctity of their loved ones" and themselves or face the consequences in shape of massive on ground protest

US Govt asks energy firms to check systems after attacks (IT News) The US government has asked critical infrastructure operators to review computer networks to see if they are infected with malicious software from the "Energetic Bear" hacking group, after three industrial control system manufacturers were found to have been penetrated

Estimated $3.75bn stolen by Brazil fraud ring (Help Net Security) An estimated $3.75 billion have been netted by a single fraud ring that took advantage of a popular Brazilian payment method — the Boleto — by wielding a frequently upgraded piece of malware that silently intercepted and rerouted payments to the crooks' bank accounts

CosmicDuke malware surprisingly linked to Miniduke campaign (Security Affairs) While investigating on MiniDuke malware, experts at F-Secure discovered a surprising link to a new malware, dubbed CosmicDuke, belonging to Cosmu family

Researchers Find Vulnerability in Internal PayPal Portal (SecurityWeek) The existence of a vulnerability in a portal used internally by PayPal staff was recently disclosed by Germany-based security research company Vulnerability Lab

Dailymotion.com Visitors Redirected to Exploit Kit (Softpedia) Cybercriminals managed to compromise the popular video sharing website Dailymotion.com, by injecting malicious code designed to redirect visitors to a website that served the Sweet Orange exploit kit

Cyber attack disrupts work of genealogists (Times Leader) Genealogists, as we now know, are not immune to cyber crime. This sad fact was amply demonstrated a few weeks ago when a DDoS (distributed denial of service) attack was levied against the popular genealogy website Ancestry.com, wreaking havoc with its services

Remote access breach via POS system sparks yet more consumer data leak fears (Naked Security) A supplier of point-of-sale (POS) equipment based in northwest US has informed its clients of a security breach in the remote access system it uses to log into clients' networks, meaning hackers could have used the system to intrude into the clients' machines and potentially harvest customer payment card data

Physical Access, Point of Sale, Vegas (Internet Storm Center) Physical Access, as most of us know, is the final point of control. While in Las Vegas (on a well earned vacation) my wife and wandered all over. It only took around a day of being completely unplugged before my mind wandered back to 'security' land. While scoping out places to eat my partner drug us into a 'pricey' looking place (will attempt to remain nameless to protect the 'really' not so smart, however I am not a photo editor so if something slipped, I tried)

The Rise of Thin, Mini and Insert Skimmers (Krebs on Security) Like most electronic gadgets these days, ATM skimmers are getting smaller and thinner, with extended battery life. Here's a look at several miniaturized fraud devices that were pulled from compromised cash machines at various ATMs in Europe so far this year

phpinfo() Type Confusion Infoleak Vulnerability and SSL Private Keys (SektionEins) In the last weeks we have spent some time looking into the PHP source code again, because we were working on new versions of Suhosin, our security extension for PHP. During this time we have discovered some security problems in PHP and disclosed them to the PHP security team, after our initial analysis was finished and POC exploits were developed

Coinbase wallet app in SSL/TLS SNAFU (Naked Security) The popular Bitcoin wallet Coinbase has a weakness in its Android app that could allow an attacker to steal authentication codes and access users' accounts, according to a security researcher

Security weakness found in WiFi enabled LED light bulb (Help Net Security) Researchers at Context Information Security have been able to expose a security weakness in a WiFi enabled, energy efficient LED light bulb that can be controlled from a smartphone

Fourth of July Malware Campaign Targets Vacationers (MarketWatch) Researchers from Proofpoint, Inc. PFPT -0.54%, a leading security-as-a-service provider, have discovered a nasty piece of malware which is targeting vacationers who visit US travel sites, just in time for the July 4th holiday

Malicious Spam Mails about Parking Fine Hit Internauts in UK; BitDefender (Spamfighter) According to BitDefender the security company, spam mails are surging which talk about parking fines, while continuously contaminate PCs within United Kingdom with malware

Spammers are always thinking up new tricks (Help Net Security) The percentage of spam in email traffic in May averaged 69.8 per cent — 1.3 percentage points less than the previous month. May saw numerous mass mailings for schools and colleges offering distance learning; other spam mailings were more straightforward, simply inviting users to buy a qualification. All that was required was a donation to a church that would then officially award an honorary doctorate to the benefactor

Changes to passwords, questions urged after cyber attacks (WAFF) Cyber attacks compromised user data of a high-profile web service, prompting the company to issue a warning to its customers

How Google Map Hackers Can Destroy a Business at Will (Wired) Rene Bertagna blames Google for the death of his restaurant, Serbian Crown

North Korea doubles number of hackers: South Korea (Press TV) South Korean sources say neighboring North Korea has doubled the number of its elite hackers over the past two years

Bulletin (SB14-188) Vulnerability Summary for the Week of June 30, 2014 (US-CERT) The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information

Academia

UAH cyber security expert to speak at Huntsville technology luncheon (al.com) A cyber security expert at the University of Alabama in Huntsville will address the Huntsville branch of an international technology group at a luncheon next week

Litigation, Investigation, and Enforcement

Germany Summons U.S. Ambassador Over Spy Allegations (Wall Street Journal) German arrested on suspicion of working as a foreign agent, says prosecutor. Germany summoned the U.S. ambassador on Friday after allegations of American spying erupted anew, threatening to further damage one of Washington's most important alliances

The NSA may have another leaker on its hands (Quartz) Edward Snowden has done a lot of damage to the National Security Agency by disclosing dozens of its most sensitive internet surveillance programs — but there may be a lot more to come from someone following in his footsteps

NSA Targets the Privacy-Conscious for Surveillance (Schneier on Security) Jake Appelbaum et. al, are reporting on XKEYSCORE selection rules that target users -- and people who just visit the websites of -- Tor, Tails, and other sites. This isn't just metadata; this is "full take" content that's stored forever

Report: NSA Dragnet Ensnares Way More Regular Folks Than Legal Targets (TIME) 9 out of 10 people caught up in the NSA's surveillance were average Internet users, many of whom were U.S. citizens, according to data leaked by former NSA contractor Edward Snowden

Crypto thwarts TINY MINORITY of Feds' snooping efforts (The Register) Dire warnings from cops fall flat thanks to official US.gov figures

No-IP reclaims control of domains seized by Microsoft (Help Net Security) The end of No-IP customers' troubles seems near, as Microsoft has relinquished control of the 23 domain names it seized control of on Monday with the blessing of a Nevada federal court

Euro-cops get crash course in fighting cybercrime (V3) A collection of high-ranking police officers are being trained in how to tackle increasingly advanced cyber threats at a two-week event hosted by Europol

Feds unmask mystery hacker who "hamburgled" Burger King Twitter account (Ars Technica) Serial hacker is tied to breaches involving Twitter, police, and Paris Hilton

French Police Smash Illegal Bitcoin Trading Ring (AFP) French police said Monday they had smashed an illegal Bitcoin trading network, seizing virtual currency worth 200,000 euros ($272,000) in the first such operation in Europe

Five arrested in crackdown on bogus UK government websites (ComputerWeekly) The National Trading Standards eCrime Team has arrested five people in a crackdown on bogus government websites

Computer whizzkid jailed for failing to provide password after cyber attacks on police (The Journal) A brilliant Northumbria University student suspected of hacking police systems is today behind bars for refusing to reveal his password

The CyberWire Daily Briefing for 7.7.2014