Cyber Attacks, Threats, and Vulnerabilities
Hamas 'Takes Over' Channel 10 (Arutz Sheva) Terrorists from the Izz al-Din al-Qassam Brigades, Hamas's "military wing", were able to take over the broadcast of Israel's Channel 10 on Monday evening
Israel's largest newspaper "Haaretz" hacked against Gaza Bombings (HackRead) The online hacktivist AnonGhost has come up with a high profile hack in which the sub-domain of Israel's largest and oldest newspaper "Haaretz" was hacked against Israeli bombing over Gaza
Zeus-like Kronos Banking Trojan Flogged for $7,000 (Infosecurity Magazine) Researchers find new malware offer on Russian underground forum complete with security evasion tools and early-bird discount
Gameover Zeus Returns as New Version is Spotted (Infosecurity Magazine) Sophos researchers say latest variant appears less robust than previous versions
CNET attacked by Russian hacker group (CNet) A Russian hacker group that has attacked some of the biggest news and business sites in the world claims it penetrated CNET's website over the weekend and stole a database of registered reader data
BT: Whew, we've been cleared of major privacy breach. Oh SNAP, another webmail blunder (The Register) Complaint dismissed. Prepare for different complaints
Web-based DropCam Surveillance Systems Vulnerable to Hackers (Hacker News) The popular home surveillance webcam service DropCam that keep[s] an eye on your house when you aren't there, can be used as a weapon against you by the cybercriminals, claimed a pair of researchers
WiFi Is Getting Even More Public — Don't Make Yourself A Target (Forbes) Flight delayed and you need to get work done? Airport public WiFi is a tempting solution and lets you work on the marketing plan stored on your Google Drive. With 5.8 million hotspots expected to be available by 2015, it's becoming easier to work remotely from anywhere
Here's the only safe way to use public PCs (ZDNet) As the Secret Service says, business center PCs can be dangerous. The only safe way to use such devices is not to use the installed OS
The danger of using PCs in hotel business centres (Hot for Security) Many of us in the Northern hemisphere are gearing up for our summer holidays — and will be looking forward to some sunkissed days away from home
OSUETA v0.8 OpenSSH User Enumeration Timing Attack Released (ToolsWatch) OSUETA stands for OpenSSH User Enumeration Timing Attack and is a small script written in Python to exploit a bug present in versions 5.* and 6.* of OpenSSH. In these versions, during the authentication process, you may obtain a list of users in the system discriminated by the time it takes the system to evaluate an arbitrarily long password
"Severe" password manager attacks steal digital keys and data en masse (Ars Technica) Adoption of poorly secured password managers opens a single point of failure
E-ZPass drivers warned about Phishing scam (CSO) Drivers using the toll service are being targeted in a new scam
"I've been hacked, and now I'm pregnant!" (We Live Security) We put trust in technology every day. We drive a car to work, and trust that its brakes won't fail too badly, and that its engine won't explode in a massive fireball on the dual carriageway
Bulletin (SB14-195) Vulnerability Summary for the Week of July 7, 2014 (US-CERT) The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information
Security Patches, Mitigations, and Software Updates
LastPass discloses now-fixed vulnerabilities ahead of security conference (PC World) Popular password manager LastPass said it fixed two vulnerabilities that were found last year. The disclosure comes just ahead of a security conference where a research paper describing the problems is due to be presented
Future Java 7 security patches will work on Windows XP despite end of official support (PCWorld) Oracle has dispelled rumors that the upcoming security update for Java 7 and those it will release in the future might not work on Windows XP
Oracle elaborates on end of Windows XP support for Java (ZDNet) A statement by an Oracle executive affirms that Java 7 and updates to it should continue to work on Windows XP. Java 8 is a different story
Java on XP? (Lumension Blog) Is it still supported, and what should you do about it?
Cisco Patches Four-Year-Old Apache Struts 2 Issue (Softpedia) A vulnerability in Apache Struts 2 that would allow a potential attacker to execute arbitrary code on an affected system has been patched by Cisco at the end of last week; the security issue was initially reported in July 2010
How to sign up for Microsoft's restored security alert email service (Computerworld) Restored mailing list functionality earlier this month, but still hides the sign-up form
Cyber Trends
Cloud malware analysis a must-have for advanced threat protection (TechTarget) Cloud-based malware analysis is becoming a must-have feature for both established and upstart advanced threat protection vendors
Info sharing key to cyber defence, says financial services firm (ComputerWeekly) Threat information sharing is key to the success of combating cyber attacks, says financial market clearing and settlement services firm Depository Trust and Clearing Corporation (DTCC)
Kaspersky Lab survey finds half of financial institutions tolerate losses caused by cybercrime (Zawya) Dubai, 14 July 2014: According to a survey conducted by Kaspersky Lab together with B2B International in 2014 around the world, including the GCC region, 52% of financial companies reimburse customer losses caused by Internet fraud without actually investigating the circumstances. Almost a third of companies believe the costs incurred by cyber threats are less than the cost of protection. As cybercriminals increasingly target e-payments, this approach could translate into considerable expenses for the company
Why Identity Management Is the New Security (Information Security Buzz) Another day, another massive security breach. Most recently, hackers exposed a security hole in Apple's iCloud that grants unauthorized access to lost and stolen iOS devices. eBay suffered a crippling cyberattack that compromised its main database, forcing all users to change their passwords. And AOL confirmed a significant security incident involving unauthorized access to the company's network and systems
CISOs still grappling with security awareness training (SC Magazine) A study of some of the UK's top chief information security officers (CISOs) has revealed that just 21 percent are conducting security awareness training on a regular basis
Microsoft XML Remains 'Most Exposed' UK Software Program (Infosecurity Magazine) Secunia stats reveal PC users still failing to patch known vulnerabilities, while Adobe represents major end-of-life risk
Marketplace
Security industry welcomes £1.1bn government fund to fight terror and cyber threats (ComputerWeekly) The information security industry has welcomed a government grant of £1.1bn to fund defence initiatives, including fighting cyber threats
Cyber insurance complements security controls, says Aon (ComputerWeekly) Cyber insurance is a good complement to a high level of information security controls, says Aon Risk Solutions
As a channel company, we can do better: Check Point (ARN) Security vendor aims to strengthen its security messaging in an increasingly confusing marketplace
General Dynamics Fidelis Cybersecurity Solutions Joins Forces with Microsoft to Further Protect Customers (Wall Street Journal) General Dynamics Fidelis Cybersecurity Solutions announced that it has joined the Microsoft Active Protections Program (MAPP). Under this industry partnership program, General Dynamics Fidelis will receive advanced information from Microsoft about their monthly security bulletins, allowing the team to anticipate emerging threats and provide faster and more comprehensive protection for Fidelis XPS customers
Bechtel Looks to Bolster U.S. Cybersecurity Ranks (Natural Gas Intel) Seeking to shore up the United States's ability to protect against a cyber attack on government, industry or energy infrastructure, Bechtel on Monday unveiled a program with two U.S. national security laboratories to fund multiyear positions for early-career professionals in critical cybersecurity fields
Meet 'Project Zero,' Google's Secret Team of Bug-Hunting Hackers (Wired) When 17-year-old George Hotz became the world's first hacker to crack AT&T's lock on the iPhone in 2007, the companies officially ignored him while scrambling to fix the bugs his work exposed. When he later reverse engineered the PlayStation 3, Sony sued him and settled only after he agreed to never hack another Sony product
Booz Allen chief executive Ralph Shrader to retire (Washington Post) Ralph Shrader, the longtime chief executive of government contractor Booz Allen Hamilton, is retiring after 40 years with the company, it was announced Monday
Products, Services, and Solutions
First aid kit for people who face digital threats (Help Net Security) A group of NGOs that includes the EFF, Global Voices, and Internews, has launched the Digital First Aid Kit, an open source self-assessment tool for people who face digital threats
Free Antivirus by Microsoft — Microsoft Security Essentials (Streetwise Tech) Microsoft is on its way in leading the world of antivirus software, as they introduce their easiest to use antivirus — the Microsoft Security Essentials. It is an antivirus software product that provides protection against different types of malware, viruses, spyware and threats
Barracuda Web Application Firewall Now Available in Azure Gallery as part of Microsoft Azure Certified (Wall Street Journal) Barracuda Networks, Inc. (NYSE: CUDA), a leading provider of cloud-connected security and storage solutions, today announced the latest release of the Barracuda Web Application Firewall, version 7.9. This new version extends Microsoft Azure support with automated provisioning and configuration, enabling customers to take advantage of the dynamic, elastic nature of the cloud. The Barracuda Web Application Firewall Vx is available in the Azure Gallery as part of the new Microsoft Azure Certified program. Barracuda is presenting this new functionality at the Microsoft Worldwide Partner Conference this week in Washington, DC
Bitdefender 2015 focuses on simplicity (ITWire) The 2015 edition of the Bitdefender security software for Windows aims to leave the user with as little to do as possible
G Data Anti-Virus — Features and Updates (Streetwise Tech) G Data Software, a collection of anti-malware solutions developed by G Data Software Inc., is considered one of the best anti-virus software in the global market today. It supports a high level of security and protection for users. Furthermore, it is user-friendly and easy to navigate
Technologies, Techniques, and Standards
How to Reduce Use-After-Free Memory Risk (eSecurity Planet) Use-after-free memory errors often crop up in software application code
NIST Advisory Group Releases Report on Cryptography Expertise and Standards Process (Dark Reading) VCAT specifically addressed NIST's interactions with the NSA
The Firewall: Questions abound about its future role in cloud, mobile and SDN environments (Networkworld) It's been 20 years since Check Point FireWall-1 made firewalls mainstream
Endpoint security myths and why they persist (Help Net Security) In this interview, Roman Foeckl, CEO of CoSoSys, illustrates the most prominent endpoint security myths and explains why they persist. Furthermore, he talks about the hurdles with protecting endpoint clients in the enterprise and offers advice on what organizations can do in order to stay ahead of the threats
IoT privacy tech working group announced (Help Net Security) TRUSTe formed a multi-stakeholder IoT Privacy Tech Working Group to identify the technical standards and best practices necessary to help enhance consumer privacy in the Internet of Things (IoT)
Salted Hash Kracker: All-in-one Salted Hash Password Recovery Tool (Security Xploded) Salted Hash Kracker is the free all-in-one tool to recover the Password from Salted Hash text
What is Haka (Haka) Haka is an open source security oriented language which allows to apply security policies on (live) captured traffic
AOC Cloud (Internet Storm Center) In matters of food and wine, the Europeans have this concept of "AOC", based on the originally French "Appellation d'origine contrôlée". It means that, say, Bordeaux wine actually comes from there, and is not re-bottled Malbec from Patagonia. The point I'm trying to make, albeit poorly, is that it is sometimes important to know where things are coming from, which implies traceability to the source
Introduction to Smart Meters (Security Intelligence Blog) While wearable personal technology may be the most "public" face of the Internet of Everything, the most widespread use of it may be in smart meters
Research and Development
Microsoft Challenges Google's Artificial Brain With 'Project Adam' (Wired) We're entering a new age of artificial intelligence
How Quantum Cryptography Will Break The Bank (Payment Week) Lurking in some underground lab, scientists are busy working on the next Holy Grail for computational processing speed
Academia
Cyber Operations Centers of Academic Excellence List Expands (SIGNAL) The National Security Agency (NSA) has selected five more schools for the National Centers of Academic Excellence (CAE) in Cyber Operations Program, which is designed to cultivate more U.S. cyber professionals. These schools are now designated as Cyber Operations CAEs for the 2014-2019 academic years
UTSA to promote cyber status in D.C. (San Antonio Business Journal) A team of officials from the University of Texas at San Antonio is travelling to Washington, D.C., this week to promote the school's cybersecurity agenda
Legislation, Policy, and Regulation
From the Cold War to the Code War: UK boosts spending on cyber warfare (ZDNet) We don't need more tanks, we need the latest in cyber warfare, says UK PM David Cameron
Snowden Document Exposes Extensive List of British Spying Tools (TechCrunch) The Government Communication Headquarters (GCHQ) — Britain's National Security Agency (NSA) equivalent — commands a wide-ranging set of tools that enable it to hack into popular social media and communications outlets and plant false information on the Internet, according to a document published by The Intercept Monday. The long list of options ranges from inflating the results of online polls to allowing the agency to monitor Skype communications in real time, though the details of that capability remain murky
Open letter from UK legal academic experts re DRIP (via Paul Bernal) On Thursday 10 July the Coalition Government (with support from the Opposition) published draft emergency legislation, the Data Retention and Investigatory Powers Bill ("DRIP"). The Bill was posited as doing no more than extending the data retention powers already in force under the EU Data Retention Directive, which was recently ruled incompatible with European human rights law by the Grand Chamber of the Court of Justice of the European Union (CJEU) in the joined cases brought by Digital Rights Ireland (C-293/12) and Seitlinger and Others (C-594/12) handed down on 8 April 2014
OPM hacking attack exposes weaknesses in cyber defense (Federal Times) As investigators probe a March cyber attack on sensitive federal personnel databases, some experts and policy makers are calling for more clarity over who is responsible for protecting federal networks from cyber threats
Wyden Probing Economic Harm Caused by NSA Surveillance (Bloomberg) Senate Finance Committee Chairman Ron Wyden is investigating the economic harm he said is being caused by the U.S. National Security Agency's surveillance methods
Poll: US global image survives spying concerns (Deseret News) Widespread global opposition to U.S. electronic surveillance since the revelations by onetime National Security Agency contractor Edward Snowden has not badly tarnished the overall image of the United States, and it remains far more popular around the world than rising power China, according to a poll released Monday
Top Army brass defend troubled intelligence system (AP via Progress-Index) When Gen. John Campbell, the Army's vice chief of staff, appeared last year at a budget hearing on Capitol Hill, he cited his son's experiences as a soldier in Afghanistan to answer a senator's tough questions about a troubled intelligence technology system
How the CIA Partnered With Amazon and Changed Intelligence (DefenseOne) The intelligence community is about to get the equivalent of an adrenaline shot to the chest. This summer, a $600 million computing cloud developed by Amazon Web Services for the Central Intelligence Agency over the past year will begin servicing all 17 agencies that make up the intelligence community. If the technology plays out as officials envision, it will usher in a new era of cooperation and coordination, allowing agencies to share information and services much more easily and avoid the kind of intelligence gaps that preceded the Sept. 11, 2001, terrorist attacks
Litigation, Investigation, and Law Enforcement
Arrests made after keyloggers found on public PCs at US hotels (Naked Security) Proof of the dangers of publicly accessible PCs came up yet again when the US Secret Service last week warned that cybercrooks are installing keyloggers on the PCs in hotel business centers to steal personal and business information from travelers
Obama administration says the world's servers are ours (Ars Technica) US says global reach needed to gut "fraudsters," "hackers," and "drug dealers"
Microsoft challenges US gov't warrant to access overseas customer data (Ars Technica) "Congress has not authorized the issuance of warrants that reach outside US"
In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corporation (United States District Court for the Southern District of New York) I, Michael McDowell, declare as follows: 1) I am a Senior Counsel of the Bar of Ireland, having been called to the Bar in 1974 and to the Inner Bar in 1987
Su Bin, Lode-Tech, And Privatizing Cyber Espionage In The PRC (Digital Dao) The criminal complaint against Chinese businessman Su Bin (aka Stephen Su, Stephen Subin) is a must-read. Be sure to read the Wall Street Journal article as well. It marks the first time that the FBI has issued an arrest warrant for a foreigner charged with an act of cyber espionage via a network attack that has until now been attributed solely to state actors like the PLA
United States of America vs. Su Bin, aka Stephen Su, aka Stephen Subin (United States District Court for the Central District of California) Complaint for violation of Title 18, United States Code, and Section 1030(b) (Conspiracy to Gain Unauthorized Access to a Protected Computer and Obtaining Information and Things of Value with Intent to Defraud), and Section 1030(a)(2)(C) (Unauthorized Access of a Protected Computer and Obtaining Information)
ISP blocking sees 54 Scottish charities affected (IT Security Guru) Staff at a Scottish charity providing vital youth services have hit out at "big brother" web filters that are blocking access to their websites
In the name of security, German NSA committee may turn to typewriters (Ars Technica) In other news, a German spy agency employee is arrested for leaking to US.
VA reports mishandled records at Baltimore office (Baltimore Sun) Documents included Social Security info, auditor will tell Congress
Disarray, data manipulation at Phila. VA, report finds (Philly.com) Inspectors surveying Philadelphia's Veterans Affairs benefits center in June found two stunning signs of disarray: mail bins brimming with claims dating to 2011 and other benefits that had been paid twice
FBI cyber expert is ex-discount furniture salesman (Freenewspos) J. Keith Mularski's world has expanded greatly since he stopped selling discount furniture to join the FBI in 1998. Especially since he transferred from Washington, D.C., in 2005 to fill a vacancy in the Pittsburgh field office's cyber squad — which he now heads