The CyberWire Daily Briefing for 7.11.2014
The Chinese campaign against international supply chains discovered this week appears to have used contaminated firmware in commonly used industrial barcode scanners to gain access to shipping and logistical networks. Coincidentally the US Government Accountability Office (GAO) releases a report excoriating the Department of Homeland Security (and subordinate agencies FEMA and the Coast Guard) for inattention to port and maritime cyber security.
South Asian cyber-rioting returns with Indonesian hackers defacing more than 2000 Indian websites. But a more consequential problem for India remains the digital certificate breach found this week. Both Google and Microsoft hustle to mitigate the problem: the effects of the breach are unknown, but are surely international and larger than one initially hoped.
IBM discovers two new variants of the Boleto malware. Gameover Zeus returns, as expected. The Blackshades RAT remains popular despite the attentions of international law enforcement.
The denial-of-service campaign suffered by Norwegian banks, airlines, telecom companies, and insurers earlier this week is resolved with the arrest of a teenaged script kiddie who exploited WordPress's pingback feature in the hack.
SANS expert Pescatore describes tension between compliance and security (and says he'd take security every time).
A Ponemon study finding power utilities poorly prepared to withstand cyber attacks prompts concerned punditry from the Economist and others.
The US investigates supply chain and OPM network hacking, and objects to Chinese espionage. Germany expels the CIA's Berlin station chief and objects to US espionage.
International police work hits Shylock and Blackshades. Seleznev fils faces a RICO rap.
Notes.
Today's issue includes events affecting Brazil, China, Colombia, European Union, France, Germany, India, Indonesia, New Zealand, Norway, Russia, Ukraine, United Kingdom, and United States..
Cyber Attacks, Threats, and Vulnerabilities
Chinese Hackers Target Logistics & Shipping Firms With Poisoned Inventory Scanners (Dark Reading) 'ZombieZero' still actively pushing rigged handheld scanning devices, reviving concerns of doing business with Chinese tech companies
How a Scanner Infected Corporate Systems and Stole Data: Beware Trojan Peripherals (Forbes) A new form of highly targeted cyber attack patently demonstrates the shift in malware sophistication and motivation. Annoying hacker pranks done for fun and sport have been supplanted by sophisticated, multi-stage software systems designed for espionage and profit. The new attack, discovered by TrapX, a developer of security software formerly known as CyberSense, is one of an increasingly common genre known as an Advanced Persistent Threat (APT) of the type that stole debit card numbers from Target TGT -0.02% or sensitive data and login credentials from any number of companies. What makes this recent attack noteworthy isn't its basic design, operation or targets, but means of initial delivery: contaminated firmware on a type of industrial barcode scanner commonly used in the shipping and logistics industry
GAO Hammers Lack of Shipping Port Cybersecurity Measures (Threatpost) The U.S. Department of Homeland Security, Coast Guard and Federal Emergency Management Agency (FEMA) have been taken to the woodshed in a General Accounting Office (GAO) report on maritime cybersecurity
2352 Indian websites hacked by Indonesian hackers (HackRead) A team of Indonesian hackers going with the handle of "Sanjungan Jiwa Team" has hacked and defaced 2352 Indian websites including some government and educational websites
Boleto Malware: Two New Variants Discovered (Security Intelligence) Cyber criminals have been targeting the Boleto payment method in Brazil throughout the past year, leading to an estimated $3.75 billion in losses, according to a recent report issued by RSA, the security division of EMC. The report details the actions of one specific fraud ring — the "Boleto bandits" — and discusses the Boleto malware they use to commit fraud. The report is very helpful in exposing this dangerous threat, which is well known to the Brazilian banking industry, to the general public. Like every bit of news, there is always more to the story
Digital certificate breach at Indian authority also targeted Yahoo domains, possibly others (CSO) The full scope of the security breach is currently unknown, a Google security engineer said
Gameover Zeus Trojan Returns (BankInfoSecurity) After takedown, criminals launch new version, botnet. Gameover Zeus appears to have returned, just one month after an international law enforcement operation targeted the malware in a high-profile takedown operation
Crooks Seek Revival of 'Gameover Zeus' Botnet (Krebs on Security) Cybercrooks today began taking steps to resurrect the Gameover ZeuS botnet, a complex crime machine that has been blamed for the theft more than $100 million from banks, businesses and consumers worldwide. The revival attempt comes roughly five weeks after the FBI joined several nations, researchers and security firms in a global and thus far successful effort to eradicate it
FBI crackdown has not lessened enthusiasm for Blackshades RAT blackmail toolkit (FierceITSecurity) Despite high-profile arrests by the Federal Bureau of Investigation and Interpol, the Blackshades remote access tool, or RAT, is continuing to threaten individuals and companies with blackmail, warns DDoS mitigation firm Prolexic
New Version Of NgrBot Wipes Hard Drives (Fortinet) NgrBot is a modified IrcBot. It has the capability to join different Internet Relay Chat (IRC) channels to perform various attacks according to the IRC-based commands from the command-and-control (C&C) server. Recently, our botnet monitoring system captured an NgrBot variant with hardcoded version 1.1.0.0
Exploit Kit Dropped Through Akamai Content Delivery Network (Softpedia) Cybercriminals abuse the Akamaihd.net content delivery network (CDN) (Alexa global rank 80) owned by Akamai Technologies to redirect users to web pages hosting exploit kits
WordPress Pingback Feature Used for DDoS Attack in Norway (Softpedia) This week's disruption of the online services of numerous companies in Norway's financial sector was possible because of the "pingback" feature in the WordPress platform
Tinba Banker Trojan Source Code Leaked (Threatpost) The source code for Tinba, known as the smallest banker Trojan in circulation, has been posted on an underground forum. Researchers say that the files turned out to be the source code for version one of Tinba, which was identified in 2012, and is the original, privately sold version of the crimeware kit
Hacking Any Facebook Accounts using REST API (eHacking News) Stephen Sclafani , a Security Researcher, has discovered a critical security vulnerability in the Social Networking giant Facebook that allowed him to hack any facebook accounts
Brazilians in the Russian Underground (TrendLabs Security Intelligence Blog) Monitoring the cybercriminal underground sometimes leads us down some interesting paths. We recently encountered a cybercriminal posting in a Russian underground forum which led to the discovery of more than 136,000 stolen credit card credentials
Vodafone alerts privacy watchdog (Stuff) Vodafone says it has informed the Privacy Commissioner about a data breach identified by a customer yesterday
Laptop Thefts Expose Personal, Medical, Financial Data (eSecurity Planet) A brokerage firm, a health district, a retirement community, a hospital and an oil change franchisee were all recently hit
Dumb People Sent a Worthless Stock Soaring. Dumb Machines May Do It Next (Wired) The stock market draws human stupidity the way a black hole sucks in starlight. The dotcom bubble of the late 20th century remains the iconic example; this week, we got a small reminder of what those dumb days were like thanks to Cynk Technology
Security Patches, Mitigations, and Software Updates
Emergency Windows update revokes dozens of bogus Google, Yahoo SSL certificates (Ars Technica) Fraudulent credentials for additional domains may also exist in the wild
Microsoft Security Advisory 2982792: Improperly Issued Digital Certificates Could Allow Spoofing (Microsoft Security Tech Center) Microsoft is aware of improperly issued SSL certificates that could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. The SSL certificates were improperly issued by the National Informatics Centre (NIC), which operates subordinate CAs under root CAs operated by the Government of India Controller of Certifying Authorities (CCA), which are CAs present in the Trusted Root Certification Authorities Store. This issue affects all supported releases of Microsoft Windows. Microsoft is not currently aware of attacks related to this issue
Google Constrains India CCA Root Cert in Wake of Bad Google and Yahoo Certificates Appearing (Threatpost) The Indian Controller of Certifying Authorities said that the certificate-issuance process for the National Informatics Centre of India, which issued several fraudulent certificates recently, which were blocked by Google, has been compromised and Google has decided to constrain India CCA's root certificate to a handful of domains in a future Chrome release
What are all those other Microsoft updates? (ZDNet) Microsoft released a lot more than security updates yesterday, as they do every month. If you know where to look, you can keep on top of the non-security updates
Cyber Trends
SANS Institute security expert talks gaps in public-sector compliance (Technical.ly Baltimore) Cybersecurity industry veteran John Pescatore spoke Wednesday as part of the CyberPoint Speaker Series. "I'd rather flunk my compliance test but protect my clients' data any day of the year," he said
Power Companies Recognize Cybersecurity Threats But Aren't Doing Enough To Prevent Them: Report (International Business Times) Most companies responsible for the world's power, water and other critical functions recognize increasing cybersecurity threats but are not yet fully committed to preventing attacks, according to a survey released Thursday by information technology company Unisys and independent research group Ponemon Institute
Crashing the system (Economist) How to protect critical infrastructure from cyber-attacks
Hackers Inc (Economist) Cyber-attackers have multiplied and become far more professional
World War Zero: How Hackers Fight to Steal Your Secrets (TIME) Aaron Portnoy started his hacking career when he was still in high school, at the Massachusetts Academy of Math & Science in Worcester, which not coincidentally was the institution he hacked. He did it as follows: Portnoy had a friend call one of the dorms, posing as tech support. The students were more than happy to give him their passwords. Hiding behind those borrowed accounts and routing his approach through proxies in various foreign countries, Portnoy wormed his way into the school's network through a bug in the system that's technically known as a vulnerability, or even more technically as a zero-day. "I had access to every email, grades, everything," he says. "They had a number of issues with their
Malware attacks businesses as they sleep and cloud remains a threat, researchers say (ZDNet) Cloud adoption may be on the rise, but for the enterprise, so is the risk of using such services
The emergence of the Digital Risk Officer (Help Net Security) More than half of CEOs will have a senior "digital" leader role in their staff by the end of 2015, according to the 2014 CEO and Senior Executive Survey by Gartner. Gartner said that by 2017, one-third of large enterprises engaging in digital business models and activities will also have a digital risk officer (DRO) role or equivalent
Say hello to the Power Pivoting CISO (Graham Cluley) A few years ago, if a CEO had posed the question of "Are we secure?" to the security team or CISO, many would have responded with statements revolving around new technology they've deployed or point to trailing indicators of success, anecdotally proving their worth by stating they haven't been breached
Cyber Crime in Colombia: An Underestimated Threat? (InsightCrime) Cyber crime costs Colombia's economy hundreds of millions of dollars and affects up to six million Colombians every year, according to some estimates. Is the government doing enough to combat this rapidly evolving threat?
Bit9 + Carbon Black Survey: Poor Endpoint Visibility Leads to Cyber Attack Fears and PCI Compliance Concerns (Bit9) A recent cyber security survey commissioned by Bit9 + Carbon Black shows that 64 percent of UK IT decision makers expect their organization to be a target of a cyber attack within the next 12 months. And 32 percent of respondents acknowledged that their organization already was hit by a cyber attack during the last year
Consumers don't trust any industry with their personal data (Help Net Security) U.S. consumers have little faith that companies are able to keep their person data safe. The sentiment crosses nearly all industries with consumers saying that the lack of trust will likely affect purchase habits, according to Radius Global Market Research
Here's why you may never be truly anonymous in a big data world (Quartz) Big data — the kind that statisticians and computer scientists scour for insights on human beings and our societies — is cooked up using a recipe that's been used a thousand times. Here's how it goes: Acquire a trove of people's highly personal data — say, medical records or shopping history. Run that huge set through a "de-identification" process to anonymize the data. And voila — individuals become anonymous, chartable, and unencumbered by personal privacy concerns
More than three-quarters of mobile apps would fail basic security testing, says Gartner (FierceMobileIT) HP, IBM, Veracode and WhiteHat Security are the leading app security testing vendors
Marketplace
Malwarebytes raises $30M in Series A Funding, secures 60m users (ZDNet) Security firm Malwarebytes has secured $30 million in Series A funding from Highland Capital Partners
KEYW and Oracle Collaborate on Advanced Security Solutions (MarketWatch) The KEYW Holding Corporation's subsidiaries KEYW Corporation KEYW +7.93% and Hexis Cyber Solutions, Inc. (Hexis) are working with Oracle's National Security Group (NSG) on advanced solutions for certain mission applications and advanced analytic development for KEYW's U.S. Government customers
Trend Micro 2nd Annual Internship Program Focuses on Educating Millennials on Cyber Security (Trend Micro) Trend Micro Incorporated (TYO: 4704 ; TSE: 4704), a global pioneer in security software, today announced the launch of its Second Annual Global Family Internship Program. This initiative promotes the importance of educating the millennial generation on cyber security, as well as provides first-hand work experience in a corporate environment
Products, Services, and Solutions
AVG Internet Security 2014 — All New Features and Updates (Streetwise Tech) AVG is one of the online security company providing top rated software and services to protect information, data, gadgets and devices from numerous viruses and threats. As of March 31, 2014, the company has garnered over 187 Million active PC users who frequently make use their products and services including Identity protection, privacy and their ever famous Internet Security
PhishLabs Launches New ATO|Prevent Service for Banks and Credit Unions (Digital Journal) PhishLabs, the leading provider of cybercrime protection and intelligence services that fight back against online threats, announces the launch of ATO|Prevent™ to help banks and credit unions stop account takeover (ATO) and reduce losses due to online fraud. ATO|Prevent provides proactive detection and mitigation of account takeover attacks that target bank customers and credit union members
Verizon Launches Web Application Firewall on Cloud; Andy Bokor Comments (ExecutiveBiz) Verizon's Digital Media Services arm is launching a beta version of its Web application firewall that is designed to protect Web applications and websites from cyber threats using rule sets deployed to the cloud
Assessing Akamai Kona Security Solutions (InformationWeek) Distributed denial of service (DDoS) and Web application attacks can have a significant negative impact on Web application data and security, business operations, and company reputation
'Windows To Go' Device Wins Federal Cryptographic Certification (InformationWeek) With FIPS 140-2 Level 3 certification, the Imation IronKey portable USB-based workspace becomes a mobility option for both civilian and military agencies
Technologies, Techniques, and Standards
How to Fix the Government's Security Clearance Mess (DefenseOne) The federal government's security clearance process has been under intense scrutiny since last year's Washington Navy Yard shooting by Aaron Alexis, a Marine Corp contractor with secret-level clearance and Edward Snowden's unprecedented leak of classified information. In March, Defense Secretary Chuck Hagel pledged to correct "gaps or inadequacies in the department's security" that could facilitate these types of incidents. If the federal government applied the same sort of risk analysis tools that insurance companies perform when they take on new clients, we could remove internal threats and maintain the safety of federal employees and government contractors
How to Teach Humans to Remember Really Complex Passwords (Wired) If passwords are considered the bane of the data security industry, it's partly because humans are awful at choosing them: By some counts, we still pick "password" a facepalm-inducing one in 20 times
Design and Innovation
Waiting for Dark (Wired) The inside story of two crypto-anarchists and their quest to create ungovernable weapons, untouchable black markets, and untraceable money
Research and Development
One Atom + Two Photons = Quantum Computing Switch (IEEE Spectrum) A scheme that uses a single atom to switch the direction of a single photon could pave the way toward quantum computers much more powerful than today's machines
Academia
Portland State camp aims to boost students', teachers' mastery of cyber-security (Oregon Live) Dozens of students and teachers from eight regional high schools are learning how to program robots; solve cryptographic problems; and handle cyberspace-related social, political and ethical issues
Cyber camp gives students a peek into high-paying field (Daytona Times) Forty students from schools throughout Central Florida became junior cyber sleuths June 23-26, participating in a virtual world of fun, learning and interactive challenges at Daytona State College's second annual summer cyber camp
Legislation, Policy, and Regulation
Kerry hits out at Chinese cyber-spying (The Guardian) John Kerry has condemned computer espionage at meetings in Beijing amid new reports of Chinese hacking of US offices
Why We Need to Spy on the Germans (Daily Beast) We're right to spy on a country with close ties to Russia and Iran
Zero-day game (Economist) Wielding a controversial cyber-weapon
Google Agitates For Public Debate On Europe's Right To Be Forgotten Ruling (TechCrunch) Google has now announced the full compliment of Google-selected "experts" who will be sitting on an advisory committee it has established to help navigate the decision making process in the wake of the so-called right to be forgotten ruling in Europe
White House nixes Patent Office pick after tech-sector outcry (Ars Technica) Johnson & Johnson's top IP lawyer was reportedly set to be the head of USPTO
Matthew Olsen to Retire as National Counterterrorism Center Head (ExecutiveGov) Matthew Olsen, director of the National Counterterrorism Center, will retire from the role after three years of service in leading the government's counterterrorism efforts across the intelligence community and law enforcement agencies
Litigation, Investigation, and Law Enforcement
Hacking attack on federal worker databases probed by U.S. (Bloomberg via the Akron Beacon Journal) The U.S. is investigating a hacking attack on databases containing sensitive information on federal workers, according to a Department of Homeland Security official
Global Raids Target 'Blackshades' Hacking Ring (Wall Street Journal) The Federal Bureau of Investigation and foreign police agencies have launched a series of raids around the world at the homes of people linked to a type of hacking software called Blackshades, according to posts on hacker forums and people familiar with the investigation
Computer cops strike at the heart of Shylock malware (Hot for Security) Computer crime fighters have today announced that they have seized essential infrastructure used by the highly advanced Shylock banking malware, effectively neutralising an attack which has already infected at least 30,000 Windows computers
Roman Seleznev (AKA Bulba, AKA Track2, AKA NCUX) appears in US Court in Guam (Cyber Crime and Doing Time) The media is buzzing about the arrest of hacker and stolen credit card vendor Roman Seleznev who has appeared in court in the US territory of Guam after being arrested in the Maldives. We wrote about Seleznev as part of the RICO racketeering case against the owners and operators of the Carder.su website. (See The Carder.su indictment: United States v. Kilobit et. al.) but that was only the first part of Seleznev's trouble. Until this weekend, the original 27-page indictment against Seleznev in the Western District of Washington was under court seal
Microsoft busts cyber crooks (My Broadband) Microsoft said it has freed at least 4.7 million infected personal computers from control of cyber crooks
Germany orders CIA station chief to leave over spying allegations (Washington Post) The German government ordered the CIA's top officer in Berlin to leave the country Thursday in an extraordinary escalation of a conflict between the two allies over U.S. espionage
'The Americans have humiliated us again' (The Local: German Edition) Germany's expulsion of the CIA station chief in Berlin in a spy row with the United States has found widespread support in the country. But what happens now?
Move by Goldman Sachs to 'unsend' email raises important questions about data ownership (FierceCIO) Ever sent an email that you regretted right after clicking on the "send" button, or which you realized belatedly was addressed to the wrong person? One thing for sure, you certainly would not have been the first--or last--person to have ever wished for a functional "unsend" button when it comes to email messages
NSA chief knew of Snowden file destruction by Guardian in UK (The Guardian) Revelation contrasts markedly with White House efforts to distance itself from UK government pressure to destroy disks
Tor Project is NOT getting sued for enabling revenge porn site PinkMeth (Naked Security) A Texas revenge-porn victim is suing the operators of revenge-porn site PinkMeth.com and was (until her lawyer figured out just what, exactly, the anonymising service Tor actually is) suing The Tor Project for helping PinkMeth to operate anonymously
Teen arrested for bank hack crime (The Local: Norwegian Edition) A 17-year-old youth from Bergen has been charged with Tuesday's cyber-attack on 11 businesses across Norway
Blogger fined €1,500 for harsh restaurant review (The Local: French Edition) A French blogger has been ordered by a court to pay €2,500 in damages and costs after a judge ruled that her harsh review of a restaurant crossed the line from criticism into insult. Does the judgement set a dangerous precedent for internet freedom?
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
Seminar: Cybersecurity Framework for Protecting our Nation's Critical Infrastructure (Marietta, Georgia, USA, Jul 22, 2014) The Automation Federation and Southern Polytechnic State University will co-sponsor the "Cybersecurity Framework for Protecting our Nation's Critical Infrastructure." a free seminar from 8 a.m. to noon July 22 in the Joe Mack Wilson Student Center (Building A) Theater. It is meant to educate area business and manufacturing leaders on the value and importance of the recently launched US Cybersecurity Framework.
i-Society 2014 (London, England, UK, Nov 10 - 12, 2014) i-Society 2014 is a global knowledge-enriched collaborative effort that has its roots from both academia and industry. The conference covers a wide spectrum of topics that relate to information society, which includes technical and non-technical research areas.
2nd Annual Oil & Gas Cyber Security Conference (Houston, Texas, USA, Jul 15 - 17, 2014) This highly interactive, hands-on forum will break down each potential cyber threat specific to the oil and gas industry, as well as tackle key issues including managing communication between OT and IT networks and building a technologically sound incident response plan that will enhance the security and protection of ICS and SCADA networks.
SINET Innovation Summit (New York, New York, USA, Aug 6, 2013) The purpose of the Innovation Summit is to reinvigorate public private partnership efforts and increase relationships between industry, government and academia that fosters sharing of information and collaboration on mutual Cybersecurity research projects.
Security Startup Speed Lunch DC (Washington, DC, USA, Jul 22, 2014) Our goal is to connect the most promising security startups in the world with decision-makers at aerospace, asset-management, banking, communications, defense, energy, healthcare, government, technology and transportation sector companies in a novel way: the speed lunch. You'll have 6 minutes to pitch your product to a Director or higher-level executive at a private table in an exclusive setting.