Cyber Attacks, Threats, and Vulnerabilities
Chinese Hackers Extending Reach to Smaller U.S. Agencies, Officials Say (New York Times) After years of cyberattacks on the networks of high-profile government targets like the Pentagon, Chinese hackers appear to have turned their attention to far more obscure federal agencies
Active Directory flaw impacts 95% of Fortune 1000 companies (Help Net Security) Aorato identified a new threatening flaw within Active Directory that enables attackers to change a victim's password, despite current security and identity theft protection measures
Critical design flaw in Active Directory could allow for a password change (InfoWorld) Microsoft contends the general issue has been long-known, but Israel-based Aorato has developed a working attack
Why the Microsoft Active Directory design flaw isn't serious (CSO) Security experts say the right precautions would mitigate the threat posed by an attacker
Hacked Japanese porn sites spread banking malware attack (We Live Security) Thinking of spending some time perusing Japanese porn websites before you do your online banking? You might want to think again
Targeted Attacks on French Company Exploit Multiple Word Vulnerabilities (McAfee Blog Central) Spear phishing email is a major worry to any organization. Messages that appear legitimate and specific fool us more often than random phishing attempts. Exploits that use patched vulnerabilities delivered via spear phishing email are one of the most successful combinations used by attackers to infiltrate targeted organizations and gain access to confidential information
CNET hacked! Registered users details stolen by gang demanding 1 Bitcoin (Hot for Security) If you are a registered user of the CNET technology news website, it might be a good idea to put your emergency password plans into action right now
"Gameover" malware revival — is it really up from the canvas? (Naked Security) When we talk about "the XYZ malware," especially when law enforcement conducts some sort of takedown, we never literally mean "one piece of malware"
PittyTiger APT group sells its services to companies (Help Net Security) APT attackers thought to be operating from China often seem financed by the government, but there are other groups that work for the highest bidder, which is usually a private sector company looking for information that will squash their competition
EA dismisses claim its Origin software spies on users (CSO) A screenshot posted on Reddit does not represent information collected by Origin, an EA spokeswoman said
Amazon-hosted malware triples in 6 months (Help Net Security) Solutionary analyzed the threat landscape and identified the top 10 global ISPs and hosting providers that hosted malware out of more than 21,000 ISPs
Sorry, mobile mining likely isn't going to be profitable — unless you're criminal (Lookout Blog) Mobile mining is not going to be the next big way to make money on mobile. That is, if you want to avoid criminal behavior
The worst security SNAFUs this year (so far!) (CSO) From denial-of-service attacks to cyber-espionage to just plain old human flubs, network security SNAFUS abound
Security Patches, Mitigations, and Software Updates
Adobe reports a security hole in Flash (Panda Security) Adobe has reported a vulnerability that affects users of Flash. It appears that this security hole could allow cyber-criminals to obtain users' personal data and take control of computers that are not updated with the latest version of Flash
Oracle Java: 20 new vulnerabilities patched (Internet Storm Center) Welcome to the n-th iteration of "patch now" for Java on Workstations. Oracle today published their quarterly patch bulletin, and Java SE is once again prominently featured. This Critical Patch Update (CPU) contains 20 new security fixes for Oracle Java SE. Most of the vulnerabilities are remotely exploitable without authentication, and CVSS scores of 10 and 9.3 indicate that they can be readily exploited, and lead to full compromise. Which means that keystroke loggers, ebanking trojans, etc, will soon follow
Oracle July 2014 CPU (patch bundle) (Internet Storm Center) In addition to the Java vulnerabilities that I covered earlier, there is at least one more vulnerability that warrants attention. CVE-2013-3751, a problem in the XML parser of Oracle Database
Java Update: Patch It or Pitch It (Krebs on Security) Oracle today released a security update for its Java platform that addresses at least 20 vulnerabilities in the software. Collectively, the bugs fixed in this update earned Oracle's "critical" rating, meaning they can be exploited over a network without the need for a username and password. In short, if you have Java installed it is time to patch it or pitch it
'Overblown' LibreSSL PRNG Vulnerability Patched (Threatpost) The OpenBSD Foundation late last night rushed out a patch for a vulnerability in the LibreSSL pseudo random number generator (PRNG)
Cyber Trends
Securing the U.S. Electrical Grid (Center for the Study of the Presidency and Congress) Following the end of World War II, the Allied Strategic Bombing Survey — responsible for determining the damage inflicted by U.S. and Allied strategic bombing of German and Japanese industry — determined that the bombing campaign would have been more effective if it had targeted the German and Japanese electrical grid rather than urban and industrial centers
Report: Administration, Congress, Others Must Better Shield Electricity Grid Vs. Cyber Attack (Roll Call) A high-level report on the security of the electricity grid, set for release Tuesday afternoon and led by a former White House chief of staff and Department of Homeland Security secretary, is complimentary of the Obama administration's efforts to protect it and faults Congress for not doing enough
'Smart Meters' and 'Grids' Are Next Cybercrime Victims (Trend Micro IoE Insights) Every day, people live, work, and play with ease and comfort thanks to one easily overlooked resource: power. It is common for most to wake up to the wonders of indoor lighting, longer food shelf life, perfect room temperature, and connected devices. But what happens when these are taken away? Everyday life could get chaotic for the individual, and even more so once this disruption causes business costs to skyrocket and a city's services and operations fail
Utilities more vulnerable to cyber attacks with 'smart' technology (DNA India) Last November, Felix Lindner came very close to shutting down the power supply of Ettlingen, a town of almost 40,000 people in the south of Germany
Energy Sector Leaders Still Not Taking Cyber Threats Seriously, Survey Finds (National Defense) Companies and organizations in the energy sector remain vulnerable to cyber attacks, which could result in the loss of intellectual property and leave critical infrastructure prone to damage, according to a recently released study
Critical Infrastructure: Security Preparedness and Maturity (Unisys) Ponemon Institute is pleased to present the results of the "Critical Infrastructure: Security Preparedness and Maturity" study, sponsored by Unisys. The purpose of this research is to learn how utility, oil and gas, alternate energy and manufacturing organizations are addressing cyber security threats. These industries have become a high profile target for security exploits. Moreover, it has been reported that if their industrial controls systems (ICS) and supervisory control and data acquisition (SCADA) systems were attacked the damage could be enormous
Report: Cybersecurity tops list of GC worries (Daily Record) A third of general counsel are not convinced their company is secure against hackers, and cybersecurity now tops the list of concerns for directors and general counsel, according to a recent study by FTI Consulting and Corporate Board Member magazine
Cyber risk landscape quickly evolving, need to prepare with appropriate coverage (Canadian Underwriter) The cyber risk landscape is evolving rapidly in many areas and those looking to address the risk through insurance should understand that certain policies generally do not provide coverage following an attack, cautions a new white paper released Monday by the Insurance Information Institute (III)
8 Expert Views on The State of Application Security & Developer Training (Security Innovation Europe) Application security is a consistent concern for organisations. Applications are the most common attack vector, yet only 11% of security managers believe their company's applications are secure. This lack of confidence is down to ad-hoc requirements, lack of a formal security process and a disjunction between executives and practitioners
Company Cyber Resilience or Cyber Attack: Choose One (Forbes) The conversation about cybersecurity in the private sector seems to have deepened this year. Is that your sense as well? It is. Some noteworthy events in the past few months have galvanized our attention
Data Breaches Cost N.Y. Companies $1.37 Billion, Report Says (Bloomberg via American Banker) Security breaches exposing consumers' personal information are becoming larger and more frequent in New York, costing businesses more than $1.37 billion last year, the state attorney general's office said
Breaches exposed 22.8 million personal records of New Yorkers (Help Net Security) Attorney General Eric T. Schneiderman issued a new report examining the growing number, complexity, and costs of data breaches in the New York State
Information Exposed: Historical Examination of Data Breaches in New York State (State of New York Attorney General) Every day, New Yorkers share personal information with companies, government agencies, and other organizations, either out of necessity or simply for the sake of convenience. When we do, we trust these institutions to protect our sensitive data from unauthorized access. That is why New York has a data breach notification law. If an unauthorized individual accesses your personal information, the institution that suffered the data breach must notify you, as well as my office, as soon as possible. An institution that fails to provide this notification is liable for damages and enhanced penalties
Many IT security pros are sending sensitive data without encryption (FierceBigData) Nearly 36 percent of IT security professionals admit to sending sensitive data outside of their organizations without using any form of encryption to protect it, a new survey from Voltage Security found
Why Australia is the No.1 DDoS target (Business Spectator) Organisations all over the world are increasingly experiencing disruptive cyber-attacks, especially Distributed Denial of Service (DDoS) attacks, but it has now become clear that Australia is being hit the hardest
Automobile Industry Accelerates Into Security (Dark Reading) Industry looking at intelligence-sharing platform or an Auto-ISAC in anticipation of more automated, connected — and vulnerable — vehicles
Marketplace
Snowden and NSA: A Boon to the Privacy Business (Fiscal Times via Yahoo! News) It's been a little over a year since former defense contractor Edward Snowden exposed the NSA's sweeping surveillance program — with the latest revelations confirming that the federal government has been keeping tabs on everyday citizens' emails, phone calls and instant messages
Threat intelligence lifecycle maturation in the enterprise market (Networkworld) A plethora of intelligence feeds are driving new products, services, and enterprise threat intelligence strategy
Clearswift in channel bridge-building mode (CRN) Brit security vendor restores field-based channel staff as it showcases shiny new DLP wares
Security High on Microsoft's 2015 Agenda (Channelnomics) Microsoft has added security to its list of top strategic priorities in the wake of the NSA scandal as it looks to reassure customers their data is safe
Quantum Computing IPO on the Horizon (IEEE Spectrum) Investors longing to own a piece of the quantum computing future could get their chance in the next several years. A stock market listing could be on the way for D-Wave Systems, the Canadian company that has built what it describes as the world's first commercial quantum computers
U.S. Army CECOM Awards Sotera $87 Million Task Order For Worldwide Intelligence (Intel) Systems Field Software Engineering Support (IT Business Net) Sotera Defense Solutions (Sotera), a provider of mission-critical, technology-based systems, solutions and services for national security agencies and programs of the U.S. government, was recently awarded an $87 million task order for the U.S. Army Software Engineering Center (SEC) Worldwide Intel Systems Field Software Engineering Support
Stage2Data Selects Alert Logic to Deliver Security and Compliance Solutions (Broadway World) Stage2Data, Canada's Premier Cloud Solution Provider announced today that it has added Alert Logic as a technology partner. Alert Logic is a leader in delivering on-demand Security-as-a-Service solutions for vulnerability assessment, intrusion detection and log management
HP chairman resigns from board amid health concerns (ZDNet) Hewlett-Packard's board of directors now stands at 11 people, including CEO Meg Whitman and venture capital titan Marc Andreessen
Products, Services, and Solutions
Can Samsung Knox security make devices safe enough for Fort Knox? (TechTarget) Samsung's Knox security tools help IT administrators preserve the integrity of corporate data, but it's important to use all the available features in Knox to reach the highest level of data security
WatchGuard Data Loss Prevention (DLP) Solution Simplifies Compliance and Reduces Risk of Sensitive Data Loss (Busbyway) eMazzanti partners with network security provider, WatchGuard Technologies to enhance data protection and reduce the costs of regulatory compliance
Trend Micro Offers New Security for Microsoft Office 365 (eWeek) At the Microsoft Worldwide Partner Conference (WPC), Trend Micro announced new security features for Microsoft Office 365 and Azure users
Trustwave Introduces Zero Malware Guarantee for New Managed Anti-Malware Service (Broadway World) Trustwave today announced a bold approach to malware protection with a zero malware guarantee for the company's recently introduced managed anti-malware service that protects businesses from web-based malware and zero-day threats. Trustwave also announced new features to the anti-malware service including big data-enabled threat intelligence that enables Trustwave experts to promptly flag risky behavior and gives businesses visibility into their own web browsing activities
Frost & Sullivan Recognizes HP Security Research and HP TippingPoint for Setting Industry Benchmark among Security Research Organizations (MarketWatch) HP Security Research Zero Day Initiative (ZDI) Leads industry in responsible disclosure programs, delivering advanced vulnerability protection to customers through HP TippingPoint DVLabs
Google sets up a cybercrime-busting task force — Project Zero (Computerworld) After unearthing the Heartbleed flaw, Google sets up a research group dedicated to finding vulnerabilities in Web software
Google Project Zero May Prove a Big Win for Security (Threatpost) Billions of people — not to mention a decent portion of the world's economies — depend upon the Internet in a way that is both amazing and terrifying. We rely on the network in a way that perhaps we have never relied on anything in the course of human history. The Internet is a wonderful resource, but it's also brittle and vulnerable, and, unlike many of our other vital resources, no one has been tasked with protecting it. Google, however, has decided to shoulder some of that burden on its own
Arista Unveils Industry's First Leaf Switch With 100GbE Uplinks (Wall Street Journal) Arista Networks (NYSE: ANET) today announced the 7280E Series fixed leaf switches, along with monitoring and automation enhancements to Arista EOS(R), continuing the evolution of software driven cloud networking. This new family of switches with its ultra-deep packet buffers and 100GbE uplinks enhance application performance, while providing resiliency, programmability and visibility into the network
Wireless Live CD Alternative: ZeusGard (Krebs on Security) I've long recommended that small business owners and others concerned about malware-driven bank account takeovers consider adopting a "Live CD" solution, which is a free and relatively easy way of temporarily converting your Windows PC into a Linux operating system. The trouble with many of these Live CD solutions is that they require a CD player (something many laptops no longer have) — but more importantly — they don't play well with wireless access
Tenable Network Security Announces Pre-authorized Nessus Edition for Amazon Web Services (MarketWatch) Tenable Network Security, Inc., a leader in continuous network monitoring, today announced the availability of Nessus® Enterprise for Amazon Web Services (AWS) on AWS Marketplace. The new solution allows AWS developers and customers to scan their Amazon Machine Images (AMI) assets within the AWS Cloud for potential vulnerabilities, threats and compliance violations during development and before they are deployed into production for preauthorization
Email Grab v0.3.5 Released (ToolsWatch) Email Grab is a software project for Intelligence and Information Gathering. The aim is to look for valid email address of a company looking in the websites owned by it, on google, on pgp/gpg servers, whois and other resources
Wiper is a secure messaging app that permanently deletes your conversations with one click (TheNextWeb) Mobile messaging is the hot topic of this year — thanks to a few big acquisitions — but what can help a contender from standing out from the rest of the field? How about a privacy button that permanently removes all traces of a conversation with a single click?
Technologies, Techniques, and Standards
SSL Black List Aims to Publicize Certificates Associated with Malware (Threatpost) Malware and botnet operators are always adapting their tactics, trying to stay a step or two ahead of defensive technologies and techniques. One of the methods many attackers have adopted is using SSL to communicate with the infected machines they control, and a researcher has started a new initiative to track the certificates attackers use in these operations and publish them
Sharing Secret Files More Safely: Some Questions to Ask Yourself (Collaborista) In the old days, things seemed much simpler. If someone needed a file from you, you could simply email it to them as an attachment
Keeping the RATs out: an exercise in building IOCs — Part 1 (Internet Storm Center) Reader Jake sent us an awesome bundle of RAT-related mayhem collected during performance of his duties while investigating the unfortunate and prolonged compromise of a company we'll fictitiously call Hazrat Supply. Guess what? The RAT that was plaguing the Hazrat Supply environment was proxying traffic back to a Chinese hosting company
Payment Card Data Theft: Tips For Small Business (Dark Reading) For small businesses looking to reduce their exposure to data theft the good news is the advantage of being small
Design and Innovation
Out in the Open: A Tool That Will Make It Easier to Abolish Email Entirely (Wired) Email is just about as old as networked computing itself. But 40 years later, the same basic technology is still very much a part of our online lives — and for good reason: It's pretty darn useful. But email is also one of the most infuriating technologies we have, and one of these days, we're going to finally produce something that can make it obsolete
Research and Development
Your smartphone contains more data about you than you realize (IT World) Researchers find that by touching our phones all the time we're leaving our biological mark on them
Academia
Verizon Foundation Supports Cybersecurity Initiative for R.I. Businesses (MarketWatch) Pell Center at Salve Regina University to use grant to support Rhode Island corporate cybersecurity initiative
On eve of stadium opening, 49ers create $4 million STEM program for local students (San Francisco Business Times) Within days of the ribbon-cutting for their new $1.3 billion stadium, the 49ers will also cut the ribbon on a $4 million 49ers STEM Leadership Institute. The program, created in partnership with the Silicon Valley Education Foundation and the Santa Clara Unified School District, will take promising applicants who are rising seventh graders in the district and try to further spur their interest in the areas of science, technology, engineering and mathematics
CyberCamp reaches out to girls (Denton Record-Chronicle) A new camp is on the Texas Woman's University campus this week, teaching local high school students about cybersecurity and how to protect a system online
'What's Your Story?' cyber security winners revealed (Business & Leadership) The winners of cloud security firm Trend Micro's 'What's Your Story?' competition for students have been revealed
Cyber students face off at Louisiana Tech (News-Star) With the school year over, most high school teachers and students are enjoying a well-deserved summer vacation poolside, on beaches or in the mountains. However, more than 30 teachers and 90 students from high schools across the region spent the beginning of their summer break in the world of cyberspace at the seventh annual Cyber Discovery camp at Louisiana Tech University. This program was hosted by the Cyber Innovation Center's National Integrated Cyber Education Research Center implemented nationwide through a grant with the Department of Homeland Security
Legislation, Policy, and Regulation
Government orders security audit of IT infrastructure (Times of India) Alarmed at the rising cases of cyberattacks emanating from the web space of a host of nations, including Pakistan, China and the UAE, the Centre has ordered security auditing of the entire IT infrastructure of the central and the state governments
Russia Is Reportedly Reopening Its Spy Base In Cuba (Business Insider) Russia and Cuba have agreed to reopen a signals intelligence (SIGINT) base in Lourdes, Cuba that was primarily used to spy on the U.S., Russian business daily Kommersant reports
GCHQ's "Chinese menu" of tools spreads disinformation across Internet (Ars Technica) "Effects capabilities" allow analysts to twist truth subtly or spam relentlessly
Drip drip drip — how debate about our right to privacy was drowned out by the sound of reshuffling (Amnesty) Oh the irony that social media users are currently so distracted by the Prime Minister's chess board manoeuvring of Ministers ahead of next year's election, that they aren't talking about a law (being debated today) which would justify the government's ability to monitor everything they do…on social media!
Have Intelligence Agencies Become Too Reliant on Technology? (Townhall) A newly leaked document stolen by former National Security Agency contractor Edward Snowden last year reveals that one of the NSA's partner agencies within the "Five Eyes" Anglo-intelligence network — Britain's Government Communications Headquarters (GCHQ), responsible for signals intelligence — dedicated vast resources to fooling around on the Internet, according to journalist Glenn Greenwald. The GCHQ has reportedly developed tools capable of playing with the results of online polls; sending out spoof emails and Microsoft Office documents that, once opened, can grab and transmit files and info from a user's computer; collecting data from public profiles on LinkedIn and other social-networking websites; and discreetly increasing website traffic and rankings
Capitol Hill joins business leaders in cybersecurity progress (The Hill) Last week, the Senate Select Committee on Intelligence passed legislation intended to help the U.S. Government and American companies thwart cybersecurity attacks, the Cyber Information Sharing Act (CISA). Should this legislation pass Congress and be signed into law, it would be a big step towards tightening our nation's security online
Finjan Holdings Applauds Bipartisan Movement of Cybersecurity Information Sharing Act (Wall Street Journal) Finjan Holdings, Inc. (NASDAQ: FNJN), a technology company committed to enabling innovation through the licensing of its intellectual property, applauds the continued bipartisan movement of the Cybersecurity Information Sharing Act (CISA), which was approved last week, on July 8, in the Senate. Designed to enhance the nation's cybersecurity measures, the CISA aims to promote information sharing about cyber threats in both the public and private sectors
Rise in electronic payments sharpens security focus (The Hill) Companies aren't waiting on Congress to ensure that the billions of dollars in electronic payments flowing through data networks each year are defended from hackers
Agencies reset after missing the mark on cybersecurity goals (Federal News Radio) Despite steps forward, agencies fell short of their 2014 targets for cybersecurity. The Obama administration is pushing chief information officers to focus on priorities of continuous monitoring, phishing and malware, and authorization processes for 2015, according to the newly released cross-agency priority goals
Cybersecurity Is A Top Priority For Governors (Homeland Security Today) A joint action plan for cybersecurity was approved last week by the Council of Governors, Department of Defense (DoD) and Department of Homeland Security (DHS) during the National Governors Association (NGA) 2014 Summer Meeting
Litigation, Investigation, and Law Enforcement
Oversight board says NSA data mining puts citizens' privacy at risk but sees no abuse (Washington Post) The National Security Agency does not have the time or personnel to eliminate innocent U.S. citizens' communications collected under Section 702 of the Foreign Intelligence Surveillance Act
Justice Department's New Crime Chief Targets Cyber Cases (Wall Street Furniture) International organized crime groups, lured by the prospect of thefts that can net hundreds of millions of dollars, increasingly are turning to cybercrime, said the new head of the Justice Department's criminal division
No-IP versus Microsoft: The Net Result (WindowITPro) Last week, I brought us all up to date on Microsoft's recent seizure of domains hosted by DNS provider, No-IP. If you remember, Microsoft secretly won a legal matter to take control over the domains in an effort to rid the electronic world of specific types of malware that had infected millions of computers over a year's time. No-IP took objection (obviously) to being back-doored by Microsoft and the legal system, suggesting that if someone had just contacted them about the issue, they could have handled it. Arguably, the company had a year or more to take care of it on its own, but nothing happened
Department of Justice Provides Update on Gameover Zeus and Cryptolocker Disruption (United States Department of Justice Office of Public Affairs) The Justice Department today filed a status report with the United States District Court for the Western District of Pennsylvania updating the court on the progress in disrupting the Gameover Zeus botnet and the malicious software known as Cryptolocker. The disruption began in late May, when the Justice Department implemented a series of Court-authorized measures to neutralize Gameover Zeus and Cryptolocker — two of the most sophisticated and destructive forms of malicious software in existence
UK data watchdog BREACHED data law, says UK data watchdog (The Register) ICO probes self in 'non-trivial security incident'
'Hidden from Google' site remembers the pages Google's forced to forget (Naked Security) So European Union courts have forced Google to forget certain people's irrelevant or outdated online histories