The CyberWire Daily Briefing 07.25.14

Summary

By The CyberWire Staff

Surveillance and information operations continue respectively to reveal and spin the current state of Russia's slow re-engorgement of Ukraine. A Russian artillerist's Vkontakte posts demonstrate how difficult controlling information can be, even in military units: "All night we pounded Ukraine," he writes, sharing pictures of his battery firing from Russian territory. And these don't seem the posts of some dissident, but rather the happy over-sharing of a proud (if simple) soldier. This suggests the current futility of traditional censorship, whether it take the form of an MVD RFP for Tor anonymity-breaching technology (Snowden take note) or Iraqi net filtering (driving people to Firechat). Throw in a Florida State University demo of how easy it is to geolocate people's pets ("cat-stalking," Naked Security calls it) and one is reluctantly moved to skepticism concerning privacy, too.

Researchers track ransomware's evolution into more sophisticated forms. Some moderately good news on this front, however, comes from Sophos, which offers a guide to getting out from under the "FBI Lock" ransomware without paying off the hoods.

Observers watch for signs of negative market reaction to the European Central Bank hack. Others note this extortion attempt provides an object lesson in the risk the compromise of even a low-level database carries.

The Emmental banking malware campaign exploits two-factor authentication, intercepting session tokens transmitted to users by SMS.

The MailPoet WordPress plug-in, still widely unpatched, is still widely exploited.

Data breaches prove costly: Sony settles for $15M; the University of Maryland pays $2.6M for victims' credit monitoring.

Notes.

Today's issue includes events affecting Austria, European Union, Germany, India, Japan, Russia, Sweden, Switzerland, Ukraine, United Kingdom, and United States.

Selected Reading

Cyber Trends

Security must evolve to be 'all about the data' (CSO) Experts on panel agree that security in the future, to be effective, will not about the devices, the network or even the user, but about embedding data with its own protection

Cyber Security Threats Gain Boardroom Attention (Security Intelligence) Cyber security threats aren't just for security specialists anymore. Today, cyber security is drawing attention from the very top, with one recent study finding that it has now become the number-one concern of corporate boards

Creating a Doppler Effect for Information Security (Federal Blue Print) I'm back after spending a week in Boston at the 26th annual FIRST conference. As many times as I've flown into Logan for business trips over almost 20 years, this was the first time I actually got to spend time in the city of Boston proper

Passwords Be Gone! Removing 4 Barriers To Strong Authentication (Dark Reading) As biometric factors become more prevalent on mobile devices, FIDO Alliance standards will gain traction as an industry-wide authentication solution

Challenges of Covering Cybersecurity News Beat (Control) I remember some stories that got away, but I'll never forget those that were researched and written, but couldn't run. For instance, the most difficult topic we cover is cybersecurity

Legislation, Policy and Regulation

Repair spy partnership (HeraldNet) Given recent German indignation about the National Security Agency, it has been easy to overlook the fact that for decades the German government has cooperated extensively with the NSA on surveillance activities. But after a high-level meeting in Berlin this week, this long-standing but veiled cooperation may have a firmer legal and political base

Surviving on a Diet of Poisoned Fruit: Reducing the National Security Risks of America?s Cyber Dependencies (Center for a New American Security) Digital technologies, commonly referred to as cyber systems, are a security paradox: Even as they grant unprecedented powers, they also make users less secure. Their communicative capabilities enable collaboration and networking, but in so doing they open doors to intrusion. Their concentration of data and manipulative power vastly improves the efficiency and scale of operations, but this concentration in turn exponentially increases the amount that can be stolen or subverted by a successful attack

Clapper: Terror threat is growing (C4ISR & Networks) A "perfect storm" of factors has weakened the country’s ability to prevent and fight terrorism, according to Director of National Intelligence James Clapper

Why (Some) Secrecy is Good for Civil Liberties (Just Security) A few weeks back, Ben Wittes wrote a controversial post over at Lawfare on the latest Snowden disclosures, arguing that, "If you're okay with dumping in the lap of a journalist 160,000 of the most personal conversations a signals intelligence agency can collect, then stop whining to me about 'bulk' or 'mass' collection." As Ben subsequently clarified, his point was not to criticize Snowden for possibly violating the Privacy Act, but to flag what he perceived as the hypocrisy of various media outlets and privacy and civil liberties groups in not criticizing these disclosures — and in thereby appearing to endorse the view that transparency of secret government programs is an unmitigated good. After all, secrecy and privacy are, in many ways, two sides of the same coin — such that those who believe in the virtues of the latter should have a modicum of appreciation for the government's need for the former in at least some cases

The admiral sets a good course: the NSA and cyber attacks (The Lawyer) Admiral Mike Rogers, the new leader of the National Security Agency (NSA) and Cyber Command at the US Department of Defense, certainly has taken a different approach from his predecessor, General Keith Alexander. Right out of the gate, Admiral Rogers noted that the NSA had a public image issue and that it had lost some of its credibility with the US public

Products, Services, and Solutions

Intel unveils SSD Pro 2500 self-encrypting drives (Help Net Security) Intel announced the Intel SSD Pro 2500 Series, which offers IT departments peace of mind with advanced security features and capabilities

My Security Bulletins Dashboard (Microsoft Security Tech Center) myBulletins is an online tool that provides you with a personalized list of the Microsoft security bulletins that matter most to you

Microsoft Security Essentials waves through almost HALF of all online threats (Expert Reviews) Microsoft Security Essentials lets through almost half of all online threats according to the latest lab tests, with people once again urged to remove the dodgy bundled software. Malwarebytes Anti-Malware Free, which claims to protect computers from "new online threats that antivirus can't detect" performed almost as badly, protecting against only 63 per cent of threats

Technologies, Techniques, and Standards

How to prevent a website compromise like StubHub (CSO) Experts provide advice on stopping hackers using stolen credential on websites

aNmap - Android Network Mapper (Nmap for Android) (Kitploit) Nmap is one of the most improtant tools for every cracker (white, grey black hat "hacker"). Nmap is a legendary hack tool and probably the prevelent networt security port scanner tool over the last 10 years on all major Operating Systems. So far it was available in windows, linux and Mac OS X. But now its available at android platform too. It is compiled from real Nmap source code by some developers to provide the support for android devices

The SWAMP: A Key Resource in Improving Software Assurance Activities (Newswise) The SWAMP is open and ready for business. The Software Assurance Market Place, or SWAMP, is an online, open-source, collaborative research environment that allows software developers and researchers to test their software for security weaknesses, improve tools by testing against a wide range of software packages, and interact and exchange best practices to improve software assurance tools and techniques

SSL Blacklist a new weapon to fight malware and botnet (Security Affairs) A Security Researcher at Abuse.ch has started SSL blacklist project to create an archive of all the digital certificates used for illicit activities. In recent years security experts have discovered many cases in which bad actors have abused of digital certificates for illicit activities, from malware distribution to Internet surveillance

Dropbox advises users with privacy concerns to add their own encryption (Inquirer) Dropbox has defended its record on privacy following allegations by NSA whistleblower Edward Snowden that it is "hostile to privacy"

Sicherheitssensibilisierung am Beispiel der Passwörter (Security Insider) Security Awareness ist kein Selbstläufer, sondern muss vom Unternehmen aktiv vermittelt werden. Wie eine entsprechende Kampagne aussehen kann, lässt sich gut an einem gängigen Beispiel durchspielen: Wie bringe ich meine Mitarbeiter dazu, starke Passwörter zu wählen und diese auch nur bei einem Zugang zu nutzen?

Infographic: 25 years of the firewall (Help Net Security) This month the firewall turned 25, and McAfee is celebrating with an infographic that creatively depicts its lifetime. Click on the image below to download the complete version

Marketplace

Putin: Crack Tor for me and I'll make you a MILLIONAIRE (The Register) Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser

What the Apple-IBM deal means for the CIO (FierceCIO) Last week, Apple and IBM announced a deal that was widely acknowledged as a brilliant move by Apple to enter into the enterprise space. The partnership allows IBM to bring mobility into the enterprise at a faster clip than the organic pace of Bring-Your-Own-Device, or BYOD, growth

telent boosts cyber security with major investment in CNS Group (IT News Online) Pioneering technology services company, telent Technology Services Ltd, has increased its IT security capability by acquiring a 25% stake in CNS Group, the London-based information assurance and cyber security specialists

Viscount Awarded New Contracts to Secure U.S. Department of Immigration Facilities (Wall Street Journal) Viscount Systems (OTCQB:VSYS), a leading provider of IT-based security software and services, today announced that it has been awarded additional contracts to secure U.S. Federal Government facilities in Wisconsin and Vermont for the Department of Homeland Security — United States Citizenship and Immigration Services (USCIS)

ZeroFOX Appoints Dr. Shane Shook as Chief Strategy Officer (Baltimore City BizList) ZeroFOX, The Social Risk Management Company™, today announced the appointment of Dr. Shane Shook as Chief Strategy Officer. In his new roles, Dr. Shook will help to further establish ZeroFOX's West Coast presence and expand the company's strategic offerings for critical customer markets, including financial services, energy, retail and information technology. Coming to ZeroFOX with more than 25 years of technology experience particularly in investigative sciences, Dr. Shook has led teams within several Global Fortune 100 companies and is a true expert in risk and incident management

Cyber Attacks, Threats, and Vulnerabilities

Russian Army Gunner Brags, 'All Night We Pounded Ukraine' (Atlantic Council) Russian soldiers and paramilitaries post stories and pictures of their war on Ukraine

A new generation of ransomware (SecureList) Elliptic curve cryptography + Tor + Bitcoin. Ransomware is now one of the fastest growing classes of malicious software. In the last few years it has evolved from simple screen blockers demanding payments to something far more dangerous

Operation Emmental Targets Banks That Use Two-Factor Authentication (TechWeekEurope) Cyber criminal gang devises a new, complex method of hijacking SMS to steal money

Hacking virus 'Bladabindi' prowling in India, targets Microsoft Windows OS (Financial Express) Cyber security sleuths have alerted Indian Internet users against hacking attempts of a clandestine multi-identity virus

Apple confirms iOS backdoors, researcher says explanation is misleading (Help Net Security) In the wake of the discovery of undocumented features in Apple's iOS that can serve as backdoors, the company has modified a knowledge base article to enumerate and explain the three questionable services found by iOS forensics expert Jonathan Zdziarski

iOS services intended solely for diagnostics: 'I don't buy it for a minute' (The Register) Plus: 'Come on, BBC. You're not children'

Trend Micro backs off Google Play malware claims (TechRepublic) Jack Wallen tests the claims made in a Trend Micro press release that malware is running rampant in the Google Play Store

European Central Bank blackmailed in wake of data breach (Help Net Security) The European Central Bank (ECB) — the central bank for the euro — has suffered a data breach, and has only discovered it after receiving a blackmail letter from the attacker

European Central Bank hack highlights classic problems, say security experts (ComputerWeekly) The hacking of a database serving the website of the European Central Bank (ECB) highlights classic underlying problems facing modern organisations, according to security experts

Zero-day broker exploits vulnerability in I2P to de-anonymize Tails users (ComputerWorld) The one-two punch to privacy and security this week may push home the facts that even when using services that purportedly protect privacy, we are not as anonymous as we may like to think we are. Researchers at Exodus Intelligence, a company that sells zero-day vulnerabilities, found a critical hole in Tails, De-anonymizing Tails and Tor users short for "The Amnesic Incognito Live System," a privacy-orientated operating system that was pushed into the limelight after being recommended by Edward Snowden. This announcement came on the heels of a similar issue that can de-anonymize Tor users

Tails Linux Still at Risk Despite Security Fixes (eWeek) Researchers aim to prove a point "that no software is infallible" by finding bugs in a privacy Linux distribution favored by Edward Snowden

The App I Used to Break Into My Neighbor's Home (Wired) When I broke into my neighbor's home earlier this week, I didn't use any cat burglar skills. I don't know how to pick locks. I'm not even sure how to use a crowbar. It turns out all anyone needs to break into a friend's apartment is an off switch for their conscience and an iPhone

German Report: NSA Tracks Users Researching Privacy Software Online (Newsmax) A warning to those who might do a little online research about Internet privacy software: The NSA is tracking you, a report by the German public broadcasting group ARD concludes

Malcovery Security lists phished brands that slipped by your antivirus (Tweaktown) Phishing attacks bundled with malware or keyloggers are finding success slipping through traditional anti-virus software, causing problems for users

65 Percent DVDs, PCs With Pre-Installed Programs Have Malware (CRN Network) The threats include stealing of confidential data leading to huge monetary loss to the end-user besides making the installed system vulnerable to attacks

Security issues in Vanets (SecurityWeekly) Vehicular ad-hoc networks (Vanets) are an important component of intelligent transportation systems (ITSs). Vanets have no centralised authority or server

Benesse says data leak includes non-customers (Japan Times) Information leaked from Benesse Corp. includes personal data on people who never had a contract with the company, its parent company said Tuesday

Far right group launches cyber-attack against housing association (Inside Housing) Orbit Group has been bombarded with hundreds of emails accusing it of discriminating against white people, as part of an orchestrated campaign by a far right group

State's passport and visa system crashes (FCW) Passport verifications are one of several functions to be compromised by the Consular Consolidated Database crash. The colossal data warehouse that supports the State Department's worldwide visa and passport verification operations has crashed, potentially stranding thousands of people waiting for the documents around the world

Academia

National University Renames School of Engineering and Computing (Digital Journal) National University's School of Engineering, Technology and Media has officially changed its name to the School of Engineering and Computing, effective July 1. The updated name is meant to reflect more clearly the School's innovative programs that prepare students for professions in technology-related fields relevant to 21st Century needs. The private, nonprofit university has expanded offerings at the School in recent years to include specialties such as Cyber Security and Information Assurance, and Data Analytics

Litigation, Investigation, and Enforcement

Sony settles PSN hack lawsuit for $15 million (ZDNet) The tech giant plans to offer restitution for those affected by the 2011 PSN hack in free games, subsidies and cash payouts

Board OKs pact to protect UM security breach victims (Baltimore Sun) Experian to monitor credit activity for estimated $2.6 million. The state Board of Public Works approved a contract worth an estimated $2.6 million Wednesday for a firm to monitor the credit activity of an estimated 300,000 people whose personal information was exposed as a result of a computer security breach discovered at the University of Maryland early this year

Travel Agency Fined £150,000 for Violating Data Protection Act (Dark Reading) That'll teach them not to retain credit card data in perpetuity

Design and Innovation

Forget Passwords: This Startup Wants To Authenticate Your Mind (Fast Company) Biocatch detects fraud and identity theft based on your online behaviors

Industry Events

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

newly Noted Events

SHARE in Pittsburgh (Pittsburgh, Pennsylvania, USA, August 3 - 8, 2014) LEARN: Subject-matter experts and practitioners are on-hand at SHARE events to discuss major issues facing enterprise IT professionals today. FOCUS: SHARE provides leading-edge technical education on a variety of topics. Whether you are an IT manager, IT architect, systems analyst, systems programmer or in IT support, SHARE offers focused sessions to benefit all job roles. ENGAGE: At SHARE events, you will experience a wide variety of formal and informal networking opportunities that encourage valuable peer-to-peer interaction

STOP. THINK. CONNECT. Two Steps Ahead: Protect Your Digital Life Tour (Clarksville, Tennessee, USA, August 5, 2014) The National Cyber Security Alliance (NCSA), a non-profit public-private partnership focused on helping all digital citizens stay safer and more secure online, is coming to TK with its STOP. THINK. CONNECT. Two Steps Ahead: Protect Your Digital Life Tour to educate consumers and businesses about adding layers of security to their everyday online activities

Suits and Spooks London (London, England, UK, September 12, 2014) On September 12th, in London's South bank neighborhood of Southwork, approximately 50 former intelligence officials, corporate executives, and security practitioners from the U.S. and the EU will gather at the top floor auditorium of the Blue Fin building, just behind the Tate Modern museum in Central London to discuss present and future threats to global critical infrastructure and how best to mitigate them. It will be closed to the press and held under the Chatham House Rule

NOPcon Security Conference (Istanbul, Turkey, September 16, 2014) NOPcon is a non-profit hacker conference. It is the only geek-friendly conference without sales pitches in Turkey. The conference aims to learn and exchange ideas and experiences between security researchers, consultants and developers

Hack-in-the-Box Malaysia (Kuala Lumpur, Malaysia, October 13 - 16, 2014) HITBSecConf or the Hack In The Box Security Conference is an annual must attend event in the calendars of security researchers and professionals around the world. Held annually in Kuala Lumpur, Malaysia and Amsterdam in The Netherlands, HITBSecConf is a platform for the discussion and dissemination of next generation computer security issues. Our events routinely feature two days of trainings and a two-day multi-track conference featuring cutting-edge hardcore technical talks delivered by some of the most respected names in the computer security industry. HITBSecConf is a place where ideas are exchanged, talent discovered and genius celebrated

BSidesVienna (Vienna, Austria, November 22, 2014) BSidesVienna will open it's doors again in 2014. Be part of it and stay tuned

ICISSP 2015 (Angers, Loire Valley, France, February 9 - 11, 2015) The International Conference on Information Systems Security and Privacy aims at creating a meeting point of researchers and practitioners that address security and privacy challenges that concern information systems, especially in organizations, including not only technological issues but also social issues. The conference welcomes papers of either practical or theoretical nature, presenting research or applications addressing all aspects of security and privacy, such as methods to improve the accuracy of data, encryption techniques to conceal information in transit and avoid data breaches, identity protection, biometrics, access control policies, location information and mobile systems privacy, transactional security, social media privacy control, web and email vulnerabilities, trust management, compliance violations in organizations, security auditing, and so on. Cloud computing, big data, and other IT advances raise added security and privacy concerns to organizations and individuals, thus creating new research opportunities

upcoming Events

Passwords14 (Las Vegas, Nevada, USA, August 5 - 6, 2014) Passwords is the first and only conference of its kind, where leading researchers, password crackers, and experts in password security from around the globe gather in order to better understand the challenges surrounding digital authentication, and how to adequately address them.

BSidesLV 2014 (Las Vegas, Nevada, USA, August 5 - 6, 2014) We have an amazing array of speakers each year, covering topics such as Penetration Testing, Forensics, Incident Response, Risk, and everything in between. We have a Lockpick Village, the Squirrels in a Barrel World Championship Social Engineering Capture The Flag, uncensored talks, and proximity to the other big InfoSec conferences in the world.

4th Annual Cyber Security Training Forum (Colorado Springs, Colorado, USA, August 5 - 6, 2014) The Information Systems Security Association (ISSA) — Colorado Springs Chapter and FBC, Inc. will co-host the 4th Annual Cyber Security Training Forum (CSTF). CSTF is set to convene from Tuesday August 5, 2014 to Wednesday, August 6, 2014 at the DoubleTree by Hilton, Colorado Springs, Colorado.

DEF CON 22 (Las Vegas, Nevada, USA, August 7 - 10, 2014) The annual hacker conference, with speakers, panels, and contests. Visit the site and penetrate to the schedules and announcements.

South Africa Banking and ICT Summit (Lusaka, Zambia, August 8, 2014) The South Africa Banking and ICT Summit is the exclusive platform to meet industry thought leaders and decision makers, discover leading edge products and services and discuss innovative strategies to implement these new solutions into your organization.

SANS Cyber Defense Summit and Training (Nashville, Tennessee, USA, August 13 - 20, 2014) The SANS Institute's Cyber Defense Summit will be paired with intensive pre-summit hands-on information security training (August 13-18). This event marks the first time that SANS will conduct a training event and Summit that brings together cyber defense practitioners focused on defensive tactics as opposed to offensive approaches to thwart cyber attackers and prevent intrusions.

Sponsor & Support

Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listens all over the world, companies trust the CyberWire to get the message out. Learn more.