The CyberWire Daily Briefing 07.24.14

Cyber Trends

Pay-to-Prey: The Reality of Cybercrime-as-a-Service Economics (McAfee Blog Central) Last month the Center for Strategic and International Studies (CSIS) released "Net Losses — Estimating the Global Cost of Cybercrime," a McAfee-sponsored report stating that the economic impact of cybercrime exceeds $400 billion worldwide, costing around 200,000 jobs in the U.S., 150,000 jobs in the European Union, and anywhere between 15 to 20 percent of the $3 trillion Internet economy

Firms turn blind-eye to BYOD policy (FierceMobileIT) Close to half of organizations either don't have a mobile device policy at all or have not fully implemented the policy they have in place, according to a survey of 1,100 IT security pros who are members of the LinkedIn Information Security Community

Study Reveals Top BYOD Security Concerns (Newsfactor Business Report) Second Annual BYOD & Mobile Security Study Reveals Exploits Entering Organizations via Mobile Devices is a Top BYOD Security Concern in 2014 — Independent Research Study Conducted by LinkedIn Information Security Community Finds more than Half of 1,100 Respondents Identify Malware Protection as a Key Requirement for Mobile Security

Global DDOS Attacks Skyrocket in Q2 (CBR) Average DDoS attack bandwidth rose by 72%. The number of Distributed Denial of Service (DDoS) attacks across the globe rose by 22% during the second quarter of 2014, the latest Prolexic Global DDoS Attack Report revealed

Poor password management leaves service accounts open to attack (Information Age) The latest study has revealed that professionals don?t practice what they preach when it comes to passwords

Over 370 Organizations Report Confirmed or Suspected Open Source Breaches in Past 12 Months According to Sonatype Survey (MarketWatch) Survey finds 75 percent put consumers at risk with poor software component control

Reuven Harrison, CTO, Tufin, predicts major enterprise network disruption ahead as businesses become increasingly run on software (PRNewswire via Virtual Press Office) Tufin®, the market leading provider of Security Policy Orchestration solutions, today called on organizations to build network security into the application release process or face business agility and network security being severely compromised

If it's connected, it's vulnerable: Know the risks. (GCN) Additionally, systems must be hardened, not just patched; unnecessary services and applications must be removed, and remaining software configured appropriately. So many systems built for the IoT either on the device side or on the cloud side are based on multipurpose operating systems and are left with many features running that unnecessarily expose risk. And, most critically, the use of the data should be monitored with a privileged user monitoring and insider threat tools

A brief history of the Internet of Things (FierceMobileIT) The Internet of Things, or IoT, promises to revolutionize the way we do business as well as the way we live our lives

Cyber-Crime: Coming to a Law Firm Near You (Willis Wire) Cyber-crime is a growing problem and is considered to be more profitable than the drugs trade. Small and medium sized firms are being targeted by cyber-criminals because they consider their systems to be unsophisticated and the information stored valuable, but this does not mean that larger firms are any less vulnerable. Due to the subtlety of cyber-criminals firms may be unaware that they have been the subject of an attack

Legislation, Policy and Regulation

Leaked paper: EU options on 'stage three' Russia sanctions (EU Observer) Even before the MH17 disaster, EU countries were discussing a potential ban on Russian oil and gas imports if worst comes to worst

U.S.-Germany Tensions Sway EU Sanctions on Russia (Wall Street Journal) U.S.-Germany tensions over American intelligence gathering could have a decisive impact on whether the EU adopts harsher sanctions on Russia

Reflections on the Tenth Anniversary of The 9/11 Commission Report (Bipartisan Policy Center) Ten years ago today, as members of the National Commission on Terrorist Attacks Upon the United States, we issued The 9/11 Commission Report, the official account of the horrific attacks of September 11, 2001. A decade later, we have reconvened, as private citizens, to reflect on the changes of the past ten years and the emerging threats we face as a country. In recent months, we have spoken with some of the country's most senior current and recently retired national security leaders…Cyber readiness lags far behind the threat

White House, senators near deal on surveillance reform (Washington Post) The Obama administration and key U.S. senators are close to a deal on legislation that aims to end the National Security Agency's collection of millions of Americans' phone call logs for counterterrorism purposes

Dianne Feinstein: Cybersecurity Information Sharing Act Will Help Protect Us (TMC.net) Sen. Dianne Feinstein, D-Calif., issued the following op-ed: Every week, millions of computer networks come under attack by hackers, cyber criminals and hostile foreign nations. These networks include banks and retail outlets, nuclear power plants and dams, even critical military hubs

The Challenge Of Keeping Tabs On The NSA's Secretive Work (NPR) Here's a question with no easy answer: How do you hold the nation's spy agencies accountable — when they control the secrets?

Products, Services, and Solutions

NetIQ Further Delivers on "Identity-Powered" Security with Sentinel 7.2 and Change Guardian 4.1 (Broadway World) NetIQ today announced the latest versions of its NetIQ Sentinel Security Information and Event Management (SIEM)and NetIQ Change Guardian privileged user activity monitoring solutions. As organizations begin to integrate more sources of identity data into their overall security and breach prevention strategies, these solutions comprehensively monitor privileged user activity to reduce the risk of data breach in an increasingly perimeter-less IT environment

Catbird Announces Intelligent Security Integration With OpenStack (CRN) Catbird, a software vendor that offers security policy automation and enforcement solutions for virtual machines, started shipping its first product Tuesday to intelligently protect OpenStack-powered clouds

LogRhythm identifies retail cyber attacks (ITWire) Security company LogRhythm has announced a new set of product features to identify early indicators of cyber-attacks on the payment processing chains of retail organisations

RSA Updates Web Threat Detection (VAR Guy) RSA unveiled the latest version of its Web Threat Detection software this week, which will allow users to monitor and stop cyberthreats in real time

Bitdefender Internet Security 2015 (PC Magazine) Bitdefender Internet Security 2015 includes all the components you'd expect, plus some welcome bonus features, and all of its parts are consistently effective. It's definitely a good choice

Splunk upgrades App for Enterprise Security (GSN) San Francisco, CA-based Splunk, a provider of a software platform for real-time operational intelligence, has announced the general availability of version 3.1 of the Splunk App for Enterprise Security. Splunk has introduced a new risk scoring framework in the Splunk App for Enterprise Security to enable easier, faster threat detection and containment by empowering users to assign risk scores to any data

Townsend Security Brings Two Factor Authentication to Leading IBM i Security Solutions (BusByway) With mobile-based two factor authentication, Townsend Security offers customers an additional control to protect core security solutions from unauthorized access due to compromised credentials

FireMon and Tripwire Partner to Enable Continuous Real-Time Threat Analysis and Remediation (CyberUlitzer) FireMon, the industry leader in proactive security intelligence solutions, and Tripwire, Inc., a leading provider of advanced threat, security and compliance solutions, today announced the integration of Tripwire IP360 and FireMon Security Manager with Risk Analyzer

Sachin Tendulkar launches Kaspersky Kids, a cyber safety awareness program for kids in India (Digit) The initiative intended to protect children in India against cyber-crime kicks off today at the hands of founder Eugene Kaspersky and cricket legend Sachin Tendulkar

Swisscom Gains Real-Time Insight Into Mobile App Risk with Appthority (MarketWatch) CheckAp Empowers Mobile Risk Management for Thousands of Swisscom Customers

Cryptography Research and Entropic Sign License Agreement for DPA Countermeasures to Secure Next Generation Content (Wall Street Journal) Cryptography Research, the security division of Rambus (NASDAQ:RMBS), and Entropic (NASDAQ:ENTR), a world leader in semiconductor solutions for the connected home, today announced they have signed a patent license agreement allowing for the use of the Cryptography Research side-channel attack countermeasures in Entropic's integrated circuits. The Cryptography Research patented technology will protect Entropic's set-top box system-on-a-chip (SoC) products against differential power analysis (DPA) and related attacks. This agreement builds on the previous agreement between the two companies with Entropic already licensing the Cryptography Research CryptoFirewall™ tamper-resistant core for set-top boxes

AnonCoin Review (Cryptocoin News) AnonCoin is today's Random Coin of the Day. AnonCoin launched on June 6, 2013, and is currently the only coin to support the I2P darknet. The coin team is currently working on a "ZeroCoin" implementation to allow for cryptographic anonymity in transactions

Georgia Tech Unveils 'BlackForest' Open Source Intelligence Gathering System (SecurityWeek) Coordinating distributed denial-of-service attacks, displaying new malware code, offering advice about network break-ins and posting stolen information — these are just a few of the online activities of cyber-criminals. Fortunately, activities like these can provide cyber-security specialists with advance warning of pending attacks and information about what hackers and other bad actors are planning

Technologies, Techniques, and Standards

Mobile Workers: 'I Want My BlackBerry Back' (CIO) The leading smartphones weren't designed with business implications in mind. One of the results: When IT gets access to popular smartphones, it gets access to everything. These privacy concerns are leading many users to ask for their BlackBerry back

Solidifying Microsoft Azure Security for SharePoint and SQL in the Cloud (NetworkWorld) Ensuring content in the cloud is protected and secured

The psychology of phishing (Help Net Security) Phishing emails are without a doubt one of the biggest security issues consumers and businesses face today. Cybercriminals no longer send out thousands of emails at random hoping to get a handful of hits, today they create highly targeted phishing emails which are tailored to suit their recipients

Phishermen Around the World Agree: Lawyers Are Mighty Tasty (Absio) Law firms are frequent targets of phishing attacks for four reasons. First, they tend to have valuable data. Second, their email addresses are usually on the firm website. Third, many use social media, so their personal and business relationships are in public view. Fourth, many lawyers may not recognize a phishing attack or even know what a phishing email is if they saw one

Just Released — The Phishing Planning Kit (SANS Institute) One of the biggest challenges with an effective phishing program is not the technology you use, but how you communicate and implement your phishing program. To assist you in getting the most out of your phishing program we have put together the Phishing Planning Kit. Based on the feedback and input of numerous security awareness officers, this kit walks you through step-by-step how to implement an effectively phishing program that your employees will actually like. In addition we include lessons learned such as how often you should do your phishing emails, who to target, what type of phishing emails you should use, what to do with violators, and what to report and to whom

Cyber Security Challenges: How Do Retailers Protect the Bottom Line? (IBM Security Intelligence) Target. Adobe. AOL. eBay. What do they have in common? Big companies that have been the victims of big security breaches over the last year. In the case of online auction site eBay, over 145 million records were compromised, while Target dealt with upwards of 70 million breaches. While the rise of e-commerce and cloud data storage have proven to be a boon for consumers, a host of compliance and security challenges have emerged. How do retailers protect their bottom lines?

Commentary: The 5 most common cybersecurity mistakes (New York Daily Record) Recent headlines confirm that cyberattacks are growing in scale and incidents are on the rise

What Tools Can You Use to Proactively Protect Your Trademarks as New gTLDs Launch? (Cyveillance) We get a lot of questions about how the Trademark Clearinghouse can help brand managers and legal counsel protect their rights. This article highlights the pros and cons of the Trademark Clearinghouse, and what you can do to enhance protection

In search of better email encryption (Marketplace) Since the Snowden revelations, it has become clear that email as a basic internet protocol is essentially insecure, and other options — texting, messaging apps, and the like — are not much better

Windows Previous Versions against ransomware (Internet Storm Center) One of the cool features that Microsoft actually added in Windows Vista is the ability to recover previous versions of files and folders. This is part of the VSS (Volume Shadow Copy Service) which allows automatic creation of backup copies on the system. Most users virtually meet this service when they are installing new software, when a restore point is created that allows a user to easily revert the operating system back to the original state, if something goes wrong

Bugcrowd Releases Open Source Vulnerability Disclosure Framework (Threatpost) The problems that come from doing security research on modern Web applications and other software aren't just challenging for researchers, but also for the companies on the receiving end of their advisories. Companies unaccustomed to dealing with researchers can find themselves in a difficult position, trying to figure out the clearest path forward

Marketplace

Ex-Cyber Spy's Message to Board Members: You're Not OK (Wall Street Journal) In his new role as CEO of Darktrace, a cyber-security firm based in Cambridge, U.K., Andrew France OBE is meeting a lot of anxious board members at some of the biggest firms in the U.K. and abroad. The cost of cyber crime to the global economy is around $445 billion annually, with the U.K. alone losing $11.4 billion during 2013, according cyber security company McAfee

EMC Earnings Preview: Stagnating Core Business Could Lead To VMware, Pivotal Spin-Offs (Forbes) EMC is scheduled to announce its Q2 earnings on July 23. The company posted mixed results in the first quarter, with net revenues growing by less than 2% year-on-year to $5.48 billion. EMC?s information infrastructure product sales, which include storage products, RSA security and content management software, declined by almost 7% year-over-year to $2.4 billion. The company witnessed significant top line growth from VMware (+16%) and Pivotal (+40%)

CYREN Awarded TRUSTe Cloud Data Privacy and EU Safe Harbor Certifications (MarketWatch) CYREN CYRN +2.55%, a global provider of cloud-based security solutions, today announced that CYREN received the TRUSTe Cloud Data Privacy Certification as well as EU and Swiss Safe Harbor Certifications recognized by the U.S. Department of Commerce

ThreatTrack Security Selected by CRN as a 2014 Emerging Vendor (BroadwayWorld) ThreatTrack Security a leader in malware protection solutions that identify, stop and remediate advanced threats, targeted attacks and other sophisticated malware designed to evade traditional cyber defenses today announced that it has been named a 2014 Emerging Vendor by CRN, a top news source for solution providers and the IT channel. The annual Emerging Vendors list identifies up-and-coming technology vendors that have introduced innovative new products, creating opportunities for channel partners in North America to create high-margin, cutting-edge solutions for their customers. Now in its second year as an independent company, ThreatTrack Security continues to expand its operations and solutions portfolio to better serve the most pressing cybersecurity needs of organizations of all sizes across the globe

Was Apple's Demolition of BlackBerry 'Click Bait' or Did It Actually Happen? (TheStreet) More than a few people chided my Monday article — Apple Will Murder Microsoft and Bury It With BlackBerry's Corpse — as "click bait" or "link bait"

Former PayPal Security Expert Joins Synack to Drive the Power of Crowd Security Intelligence (Broadway World) Synack Inc., a startup that created the industry's first enterprise-caliber system to safely and effectively crowdsource security testing, announced today that Gus Anagnos, the former PayPal executive responsible for developing and leading the PayPal Bug Bounty Program, joined the company as VP of Strategy and Business Operations. Gus brings over 18 years of invaluable experience working in information security and enterprise risk to Synack. Gus will be driving the overall business strategy and working closely with customers to provide a thorough understanding of the current security landscape and offer new ideas, tools and services to ensure customers are aware of the latest threats and how to best protect against them

All is not so rosy at Silicon Roundabout (London Evening Standard) Poor Ed Vaizey. He's only been in the newly created post of Minister for Culture and Digital Industries for a week, and already he?s having to deal with a fire in the server room

Research and Development

Wi-Fi security boost just over the horizon (ZDNet) Wi-Fi, especially public Wi-Fi, is still fraught with security problems. A solution has been in the works for some time but is still not ready for most

Human misidentification in Turing tests (Journal of Experimental & Theoretical Artificial Intelligence) This paper presents some important issues on misidentification of human interlocutors in text-based communication during practical Turing tests. The study here presents transcripts in which human judges succumbed to theconfederate effect, misidentifying hidden human foils for machines. An attempt is made to assess the reasons for this. The practical Turing tests in question were held on 23 June 2012 at Bletchley Park, England. A selection of actual full transcripts from the tests is shown and an analysis is given in each case. As a result of these tests, conclusions are drawn with regard to the sort of strategies which can perhaps lead to erroneous conclusions when one is involved as an interrogator. Such results also serve to indicate conversational directions to avoid for those machine designers who wish to create a conversational entity that performs well on the Turing test

Cyber Attacks, Threats, and Vulnerabilities

Hacker Group Instigates Attacks on Israel's Cyber Resources (The Blaze) The notorious hacker group Anonymous is urging fellow online disruptors to attack Israel-based Internet resources to protest the country's ongoing operation in Gaza

Turkish Hacker Hacks United Nation Sub-Domain against Gaza Attacks. (HackRead) A Turkish hacker going with the handle of Turk Guvenligi has hacked and defaced the official sub-domain of United Nation Civil Society Participation (iCSO), against Israeli attacks on Gaza

MailPoet Vulnerability Exploited in the Wild — Breaking Thousands of WordPress Sites (Sucuri Blog) A few weeks ago we found and disclosed a serious vulnerability on the MailPoet WordPress Plugin. We urged everyone to upgrade their sites immediately due to the severity of the issue. The vulnerability allowed an attacker to inject anything they wanted on the site, which could be used for malware injections, defacement, spam and many more nefarious acts

WordPress plugin vulnerabilities affect 20 million downloads (ZDNet) Since May, security firm Sucuri has discovered critical WordPress plugin vulnerabilities affecting four plugins that have nearly 20 million downloads

Mass exploit of WordPress plugin backdoors sites running Joomla, Magento, too (Ars Technica) MailPoet attacks commandeer an estimated 30,000 to 50,000 sites, researcher says

Facebook scams now lead to exploit kits (Help Net Security) The Facebook scam is a familiar phenomenon to every user of the popular social network, and most of them have fallen for it at one time or another as it only takes a moment of distraction to click on an interesting link

Internet Explorer vulnerabilities have doubled since 2013 (Inquirer) Microsoft's web browser has required an 'historic' shedload of security patches

You Are Being Tracked Online By A Sneaky New Technology — Here's What You Need To Know (Forbes) You are likely being tracked online by a sneaky, new technology that works without your consent, and can track you even if you use anti-tracking toolbars or strict privacy settings

Online fingerprinting: The next privacy battle (GlobeAdvisor) A growing number of websites are employing a stealthy new form of hard-to-block Internet tracking software that may pose increasing privacy risks for customers

US warns of Huawei WiFi modem XSS security threat (V3) The US Computer Emergency Response Team (CERT) has issued a warning alerting businesses of a flaw in Huawei's popular E355 wireless broadband modem that could be leveraged by hackers to mount cross-site scripting attacks

ECB Victim to Extortion Attempt After Frankfurt Database Hacked (Bloomberg) Unidentified hackers broke into a database belonging to the European Central Bank and attempted to use the breach to extort cash from the institution

How Hackers Hid a Money-Mining Botnet in Amazon's Cloud (Wired) Hackers have long used malware to enslave armies of unwitting PCs, but security researchers Rob Ragan and Oscar Salazar had a different thought: Why steal computing power from innocent victims when there's so much free processing power out there for the taking?

Daimler chief warns on potential for cyber attacks on cars (Financial Times) A car speeds down the highway, in 'autonomous' cruise control — when suddenly a computer hacker unleashes a virus that sends it hurtling off the road

Insider threat levels from ex-staffers greater than expected (SC Magazine) A third of of ex-employees have access to company data and 9% have used their access privileges says new research

Ram Scraper Malware: Why PCI DSS Can't Fix Retail (Dark Reading) There is a gaping hole in the pre-eminent industry security standard aimed at protecting customers, credit card and personal data

Media hackers behind E-toll billing problems: Minister (My Broadband) South Africa's Minister of Transport has accused "some media houses" of hacking the E-toll website and blamed the hacks for billing problems

Thousands had data on computers stolen from California medical office (SC Magazine) Three desktop computers were stolen from the California office of Bay Area Pain Medical Associates, resulting in roughly 2,780 patients being notified that their personal information was in a spreadsheet that could have been accessed

Academia

NSA targets college students to fill cyber professionals shortage (USA TODAY) In response to a shortage of cyber professionals in the U.S., the National Security Agency is reaching out to a younger crowd: college students

Case Study from Intel Showcases Collaboration with Virginia Tech (Digital Journal) The collaboration centers on Cryptography in a changing technological landscape

Litigation, Investigation, and Enforcement

Six cyber criminals charged in $1m Stubhub fraud (ComputerWeekly) The US has charged six members of an international cyber crime gang that hacked into user accounts to defraud eBay's Stubhub ticket reselling website of about $1m

Feds: Hackers Ran Concert Ticket Racket (Krebs on Security) A Russian man detained in Spain is facing extradition to the United States on charges of running an international cyber crime ring that allegedly stole more than $10 million in electronic tickets from e-tickets vendor StubHub

Android app market pirates busted by FBI (Naked Security) Trouble with law enforcement started back in 2012 for the three alternative Android app markets

Dutch spy agencies can receive NSA data, court rules (PC World) Dutch intelligence services can receive bulk data that might have been obtained by the U.S. National Security Agency (NSA) through mass data interception programs, even though collecting data that way is illegal for the Dutch services, the Hague District Court ruled Wednesday

DOJ alleges Symantec submitted false claims on software contract (FierceGovernmentIT) The Justice Department said July 22 that it has intervened in a whistleblower lawsuit against Symantec Corp., alleging the company "knowingly" submitted false claims on a General Services Administration software contract that involved hundreds of millions of dollars

Google given 18 months to change its handling of user data (Naked Security) The Italian Data Protection Commissioner has given Google 18 months to change the way it treats and stores user data

Hackers inside Chinese military steal U.S. corporate trade secrets (ComputerWorld) In May, a grand jury in the Western District of Pennsylvania indicted five members of the Chinese military on charges of hacking and economic espionage, according to a May 19 U.S. Department of Justice media release. Per the same release, the targets were six U.S. enterprises operating in the solar products, nuclear power, and metals industries. The attacks began as early as 2006 and were carried out over many years and into this year, according to the same release

We All Got Trolled (Medium) Supporters of Internet freedom rallied around weev before he went to prison. But now that the hacker is out, he's douchier — and maybe scarier — than ever

Design and Innovation

The Server Needs To Die To Save The Internet (TechCrunch) Do we have the Internet we deserve? There's an argument to say that yes, we absolutely do. Given web users' general reluctance to pay for content. We are of course, paying. Just not with cold hard cash, but with our privacy — as digital business models rely on gathering and selling intel on their users to make the money to pay (the investors who paid) for the free service

Snowden's New Anti-Surveillance Software 'Much Needed' - Internet Security Specialist (RIA Novosti) The new anti-surveillance technologies recently called for by former National Security Agency contractor Edward Snowden is much needed to ensure individuals' privacy and protection from government, Yan Zhu, a San-Francisco based staff technologist at Electronic Frontier Foundation, told RIA-Novosti Tuesday