Cyber Attacks, Threats, and Vulnerabilities
Anonymous Hackers Threaten Chinese Government with Website Blackouts and Data Leaks (International Business Times) Online activist group Anonymous has warned authorities in Hong Kong and China that it will launch a massive attack on websites and leak tens of thousands of government email address details
Malware 'Mayhem' Follows Emergence of Shellshock Vulnerability (eWeek) Security experts warn that a malicious program known as Mayhem has started using the Shellshock Bash flaw to infect Linux and Unix servers
How Shellshock can be exploited over DHCP (Help Net Security) Attacks exploiting the Shellshock vulnerability (actually, vulnerabilities) are popping up daily, but while Shellshock attacks on web apps have been the most documented and discussed, attacks via other attack surfaces are possible, too
Rovnix Variant Surfaces with New DGA (Threatpost) Researchers have unearthed a new version of the Rovnix malware that has a couple of additional features, including a new domain generation algorithm and a secure transmission channel for communicating with the command-and-control servers
Evolution of the Nuclear Exploit Kit (Cisco Blogs) Exploit kits remain an efficient mechanism for cyber criminals to distribute malware. Such kits include exploits for multiple vulnerabilities within a single malicious webpage. Criminals can check operating systems, web browsers and browser plugins for anything that is not fully patched and launch an exploit specific to the out of date software
Malware needs to know if it's in the Matrix (Boing Boing) Once a security researcher discovers a new strain of malicious software — running a virtual machine on a test-bench — and adds its signature to anti-virus and network monitor blacklists, it's game over. So today's malware devotes enormous energy to figuring out if it's running on a real computer, or inside one of its enemies' virtual worlds
Dairy Queen Confirms Card Breach (BankInfoSecurity) Dairy Queen has confirmed that Backoff point-of-sale malware was used in a payment card breach that affected 395 of its 4,500 franchised U.S. locations
The Home Depot hack: How, why and what we can learn (Techradar) Another retailer suffers a cyberattack
A Closer Look At DYRE Malware, Part 1 (TrendLabs Security Intelligence Blog) We're nearing the holiday season and some of you might be going for some early holiday shopping — checking your money to go for a shopping splurge. The holiday season also ushers in cybercrime activities that are typical this time of the year
The latest Cross-site scripting vulnerabilities in WordPress plugins (Malwarelist) Five Cross-site scripting vulnerabilities in WordPress plugins: Profile Builder, Photo Gallery, EWWW Image Optimizer, Contact Form DB, and Google Calendar Events
Signed Malware = Expensive "Oops" for HP (KrebsOnSecurity) Computer and software industry maker HP is in the process of notifying customers about a seemingly harmless security incident in 2010 that nevertheless could prove expensive for the company to fix and present unique support problems for users of its older products
Is iWorm a Wake-Up Call for Mac Security? (Trend Micro: Simply Security) With various publications reporting tens of thousands of users affected around the world by iWorm, does your organization have a good Mac security plan? When iWorm has infected a Mac computer, the malware makes a connection with a command and control (C & C) server out on the Internet
200,000 private Snapchat pictures astray (Dagbladet) Snapsave was hacked the night before last. 200,000 pictures, many of them intimate, are said to have gone astray. Many of those affected are Danes and Norwegians
How Hackers Withdraw Cash From ATM (Naij) A Russian security company, Kaspersky Labs, has discovered a flaw in cash machines that allows criminals to quickly steal cash from ATMs
Emma Watson leaked Facebook video delivers Trojans (Help Net Security) A new scam is taking advantage of Emma Watson's growing popularity and using the Harry Potter star as bait to spread malware on Facebook, warns antivirus solutions provider Bitdefender
When cybersecurity threats come from the inside (Washington Post) AT&T acknowledged earlier this week that in August an employee had gained unauthorized access to some customers' personal data — including Social Security and driver's license numbers
Privacy breaches in Europe (Help Net Security) Half of all the privacy breaches affecting people in Europe are inside jobs according to new research from Central European University
DDoS attacks: slow and smart is the order of the day (SC Magazine) DDoS attacks: evolution changes the attack vectors
Interview with a DDoS troll: Meet 'the Gods of the Internet' (C/Net) DDoS attacks are a way to keep corrupt corporations honest, according to an anonymous member of DerpTrolling, who gives us an inside look at the self-proclaimed gods of the Internet
Security Patches, Mitigations, and Software Updates
SAP Patches Seven Vulnerabilities in Three Products (Threatpost) SAP pushed out patches to address seven vulnerabilities in three different lines of software it produces. If exploited, the bugs — which weren't disclosed until yesterday — could expose those running the systems to specialized attacks, information disclosure and in some cases, complete compromise
Microsoft Ready with Nine Bulletins, New Critical IE Patches (Threatpost) Microsoft on Tuesday will push out its first set of patches since it announced the dissolution of the Trustworthy Computing group that gave birth to Patch Tuesday
Cyber Trends
Bruce Schneier: 'Incident response is failing' (SC Magazine) Renowned cryptographer Bruce Schneier took aim at the security industry and poor incident response planning during a typically forthright talk in London yesterday
Critical infrastructure protection more necessary than ever in wake of JPMorgan cyber attacks (Companies and Markets) The scale of the National Security investigation into the cyber attacks on JPMorgan and other financial institutions this summer is highlighting the increased need to establish critical infrastructure protection from hackers. As national security is becoming as much threatened by cyber crime as it is physical violence, Western nations are increasing emphasis on cyber security and digital safeguards
Understand the Cost of Cyber Security Crime (HP) Explore the definitive 2014 Ponemon Cost of Cyber Crime study. Cyber crimes are growing more common, more costly, and taking longer to resolve. Those are among the findings of the fifth annual Cost of Cyber Crime Study conducted by the respected Ponemon Institute on behalf of HP Enterprise Security. The 2014 global study of U.S.-based companies, which spanned seven nations, found that over the course of a year the average cost of cyber crime climbed by more than 9% to $12.7 million for companies in the United States, up from $11.6 million in the 2013 study. The average time to resolve a cyber attack is also rising, climbing to 45 days, up from 32 days in 2013
An Advanced Approach to Enterprise Network Security (FierceITSecurity) New research from Frost & Sullivan shows many companies are struggling to keep their networks secure against rapidly evolving cyber threats. Despite increasingly sophisticated attacks and rising complexity in the technological and regulatory landscapes, companies still typically rely on outdated methods to keep data secure
IBM says most security breaches are due to human error (TechRepublic) A recently released report from computing giant IBM attributes some 95% of IT security breaches to human error and finds that over 75% of attacks are targeted at just five industries, proving that when it comes to security, people are the real problem
More data loss comes from sloppy organisations than hackers, says study (ComputerWeekly) Over half of data breaches result from organisational errors and internal mismanagement rather than malicious acts by hackers, according to a study by the Center for Media, Data and Society (CMDS)
Reducing cyber risk 'not just about buying the latest security tools,' Deloitte advises (Canadian Underwriter) Organizations can improve information technology security by having staff respond to simulated attacks and by improving access control, Deloitte & Touche LLP suggested in a report on cyber risk
Small companies can suffer from security hacks too (Oneida Daily Dispatch) It's not just big businesses like JPMorgan Chase, Target and Home Depot that get hacked. Small companies suffer from intrusions into their computer systems, too
Indian companies concerned about cyber attacks (Deccan Chronicle) Companies in China, Hong Kong and India have reported the highest number of cyber attacks linked to nation-states, causing an estimated average financial loss of USD 2.7 million globally, according to a new survey
Marketplace
Cyber Espionage and the Digital Redistribution of Wealth (War on the Rocks) Since the computerization of modern business, intellectual property (IP) theft in the U.S. has escalated to unprecedented levels. According to the former commander of the U.S. Cyber Command General Keith Alexander, the approximate economic loss to the U.S. amounts to $300 billion per annum. In a poignant statement to Congress, he referred to the escalating and widespread theft of U.S. trade secrets and intellectual property as "the greatest transfer of wealth in history"
Integrating IT security at the board level (Help Net Security) 2014 has seen an upsurge in public awareness of cybercrime, with a flurry of high-profile security breaches hitting the headlines. The sensationalised coverage of the Heartbleed and Shellshock bugs struck fear into the hearts of businesses and consumers alike, while a cyber-attack on eBay led to the theft of around 145 million usernames and encrypted e-mail addresses, proving that an organisation is never too big to fall prey to cybercriminals. These breaches are not likely to subside anytime soon
How Retail Can Win Back Consumer Trust (Dark Reading) Customer loyalty to their favorite brands is all about trust, which today has everything to do with security and privacy
Breakup Mania: EMC Is Back In The Hot Seat, While Analysts Eye Cisco, Too (Business Insider) With activist investors successfully getting two huge tech companies to chop themselves apart, HP and eBay, breakup mania has hit the tech industry. Now, eyes are turning once again to EMC
Symantec splits amid cyber competition (Financial Times) Symantec, the business best known for Norton antivirus software, is splitting into two publicly traded units, as it struggles to compete against a new generation of cyber security companies
Analysts react to Symantec split announcement (CSO) Symantec never delivered on their promises for storage, but the split means a less than appealing option for some organizations
HP rivals expected to exploit split move (MicroSoft) HP's rivals are expected to sow channel unease following the announcement that the vendor is splitting as they look to rock the boat with both partners and customers
FireEye's DeWalt: Symantec, HP Almost 'Choked' On Their Acquisition Models (CRN) The buying sprees of large technology vendors caused them to balloon and now many are set to pop
Israeli Cyber Security Company Sells for an Estimated $100 Million (The Tower) Pulse Secure recently acquired MobileSpaces, the Israel-based leading provider of mobile security for the app-centric enterprise, in a deal reported to be worth over $100 million. MobileSpaces is a specialist in the BYOD (bring your own device) market
Cybersecurity Startup Zenedge Emerges From Stealth With Funding (Wall Street Journal) After building cybersecurity startup Zenedge LLC for two years, the serial entrepreneurs behind it are emerging from stealth with funding and expansion plans, Venture Capital Dispatch has learned
GE Pushes For Bigger Industrial Internet (InformationWeek) GE Internet of Things portfolio expands as it brings big-data analysis to vending machines, office equipment, bridges, and other new markets
National IT workforce development expert convenes cyber security task force to build pipeline for cyber security need in the National Capital Region (Per Scholas) Per Scholas, National IT workforce development expert, brings together cyber security specialists in a conversation on the regional skills gap for entry-level cyber security positions. The panel convened October 8 at the Silver Spring Civic Center with leaders from private industry, higher education, and government working in partnership to develop pathways into the cyber workforce
GCN names 2014 executives of the year (GCN) Tony Cole, global government liaison for FireEye Inc., was named GCN IT Industry Executive of the Year
Rackspace hires cyber security chief (San Antonio Business Journal) In the wake of the increasing numbers of cyber attacks on U.S. companies, Rackspace has hired a former Air Force lieutenant colonel with 30 years of experience in security to lead its cyber security efforts
Information security experts: Act and protect charities online (Help Net Security) Immediately after Sir Tim Berners-Lee kicked off IP EXPO and the adjoining Cyber Security EXPO, the stage was given over to Amar Singh CEO of GiveADay and Brian Honan, CEO of BH Consulting and Help Net Security columnist
Products, Services, and Solutions
IBM and SparkCognition Tap the Power of Watson to Help ExamSoft Implement Next Generation Security Analytics (InsuranceNewsNet) SparkCognition, the world's first Cognitive Security Analytics company, and IBM (NYSE: IBM) announced today that clients, including ExamSoft Worldwide, are tapping the power of Watson to transform how businesses make use of unstructured data to enhance Security Analytics
Wurldtech's New Achilles Industrial Next Gen Firewall Delivers Comprehensive Security for OT Environments (ARC Web) Wurldtech Security Technologies announced the release of its Achilles Industrial Next Gen Firewall (NGFW) for operational technology (OT) environments. This purpose-built OT security solution monitors network traffic and blocks unexpected and malicious activity to help ensure maximum uptime and secure productivity for industrial operation
AlertBoot Integrates Microsoft BitLocker Endpoint Encryption Management Into AlertBoot Cloud (IT Business Net) AlertBoot has successfully integrated BitLocker drive encryption to its cloud-managed endpoint disk encryption service, creating a comprehensive endpoint security platform that can natively secure
The analytics black hole for detecting internal security threats (TechRepublic) Better analytics are needed to help identify insider security risks. Fortscale is one company that already provides such a solution
Soonr to Launch New Regional Data Centers in the UK (BusinessWire) Leading secure file sharing service expands regional data centers to meet increasing demand from the European region
Bitdefender eyes UK enterprise sales (ChannelPro) e92plus to focus on Bitdefender virtual, physical and cloud security products
ThreatStream™ Launches the ThreatStream Alliance and Announces the ThreatStream Alliance Preferred Partner (APP) Store (Virtual Strategy) ThreatStream™, a threat intelligence platform that prioritizes threats and facilitates trusted threat sharing, today announced the launch of the ThreatStream Alliance Preferred Partner (APP) Store, a threat-intelligence marketplace focused on delivering premium threat intelligence to an organization's already existing security infrastructure. Preferred partners in the Alliance include many market-leading threat intelligence vendors: CrowdStrike, Emerging Threats, Farsight, FlashPoint, Reversing Labs, Team Cymru and Webroot. The APP Store allows ThreatStream customers the ability to trial and subscribe to a growing number of threat intelligence feeds. With more comprehensive threat and vulnerability data, organizations can improve protection against cyber attacks and more
ESET Smart Security 8 (PC Magazine) In the best security suites, all the components do their jobs well and work well together. The components of ESET Smart Security 8 ($59.95 per year; $79.99 for three PCs) are well-integrated, but their performance varies quite a bit
iSniff GPS WiFi Sniffing Tool (eHacking) iSniff GPS passively sniffs for SSID probes, ARPs and MDNS (Bonjour) packets broadcast by nearby iPhones, iPads and other wireless devices. The aim is to collect data which can be used to identify each device and determine previous geographical locations, based solely on information each device discloses about previously joined WiFi networks
Cisco unveils 'industry's first' threat-focused next-generation firewall (Nation) Cisco has introduced what it claimed to be the industry's first threat-focused Next-Generation Firewall (NGFW) which it said would revolutionise the way organizations protect against sophisticated threats
$50m plan to fight cyber attacks takes shape (AsiaOne) Singtel will join forces with global cyber security firm FireEye in a $50 million campaign to tackle online attackers
Balabit finds security blind spots (Business Cloud) Using analytics to profile security risks is a hot topic at the moment. Outside of those selling big data solutions, Balabit is the first to deliver a workable solution
Technologies, Techniques, and Standards
Request for Comment on Automotive Electronic Control Systems Safety and Security (Federal Register) This notice presents the National Highway Traffic Safety Administration's research program on vehicle electronics and our progress on examining the need for safety standards with regard to electronic systems in passenger motor vehicles
Four-digit passcodes remain a weak point in iOS 8 data encryption (IDG via CSO) The strength of Apple's revised encryption scheme in iOS 8 hinges on users choosing a strong passcode or password, which they rarely do, according to a Princeton University fellow
6 new protections against the Chase mystery breach (Consumer Reports) How to guard your bank accounts and money when you have incomplete information about the threat
MBIA Breach Highlights Need For Tightened Security Ops (Dark Reading) Configuration change management and better monitoring could have prevented search engine indexing of sensitive financial information
How To Be A 'Compromise-Ready' Organization (Dark Reading) Incident response pros share tips on how to have all your ducks in a row before the inevitable breach
Advanced Defense Posture Assessment (Nige the Security Guy) Multi-dimensional Targeted Threats continue to evolve and exploit vulnerabilities that lead to significant loss of data and resources for organizations of all regions and sizes. These attacks are very much today's news. They represent a danger to an organization's intellectual property, financial assets and reputation
Cloud Computing Security Strategy Includes Cryptography (Midsize Insider) The movement of data and software services to the cloud has left some businesses feeling less secure. Skyhigh Networks brought together academic experts for the first industry-focused cryptography advisory board to provide insights on using encryption schemes as part of cloud computing security
Hackers Gather for Cyberwar in an Intense 48-Hour Sim (Wired) Locked Shields is among the world's preeminent cyber attack simulations. For two days, international teams of hackers and system admins play both sides of a war game, simultaneously attacking and defending critical infrastructure. The details are realistic, and the exercises reflect real-world geopolitics. It is a training ground for front-line operators in a rapidly evolving form of warfare in which network administrators at banks, electrical plants and government offices are as crucial to a country's defense as uniformed troops
Design and Innovation
2 Tech Challenges Preventing Online Voting In US (Dark Reading) A new report explains that online voting in the US is a matter of "if, not when," but problems of anonymity and verifiability must be solved first
BlackPhone Co-Founder Jon Callas On Mobilizing Privacy For The Mainstream (TechCrunch) BlackPhone co-founder Jon Callas is in London to give a talk at IP Expo — pitching the concept of a secure yet capable smartphone to IT decision makers who, wind back the clock a few years, would have unquestionably bought BlackBerry. Now there are a lot more question marks over that sort of business buying decision, given BlackBerry's downward trajectory
Academia
The ethics of Hacking 101 (Washington Post) At the University of Tulsa, professor Sujeet Shenoi is teaching students how to hack into oil pipelines and electric power plants
Legislation, Policy, and Regulation
China: US is Fabricating Cyber Attack Claims (International Business Times) Following the recent comments by FBI Director James Comey, who claimed the US loses billions of dollars each year due to Chinese hackers, China called the entire US ploy a "fabrication of facts"
Japan Outlines New Security Guidelines for Self-Defense Forces (Stars and Stripes) The United States and Japan outlined plans Wednesday for deeper security cooperation in a move reflecting Tokyo's new position that its pacifist constitution allows it to defend U.S. forces under attack
National security implications for financial system cyberattacks? (FCW) As the White House ponders whether this summer's massive hack of the financial services industry was a targeted, sponsored attack by Russia or terrorists, a recently released Proofpoint study provides new details on how the "cybercrime infrastructure" of a criminal operation that targets U.S. and European banking systems can work
A conversation with White House cybersecurity czar Michael Daniel (Christian Science Monitor) Does the US lack cybersecurity manpower? Even if it adds thousands of security pros, can Washington stay ahead of the hackers? And how can the federal government compete for top talent with the likes of Facebook, Google, and Twitter?
The Secret Worries of the White House Cyber Czar (Fiscal Times) Every few months, at least, Americans are reminded — by their bank, a major retailer and even the government — to reset their log-ins, monitor their accounts and come up with even more inscrutable passwords for sensitive accounts. The problem is: Too few of us actually do it
White House Shifts Its Cyber Legislative Strategy (BankInfoSecurity) Emphasis will be on smaller, not comprehensive legislation
Save the Secret Service: Remove it from the Department of Homeland Security (American Thinker) Recent Secret Service security incidents and the resignation of its Director have triggered Congressional calls for a top-down management review. Inasmuch as Secret Service reports to the Department of Homeland Security (DHS), one would hope that DHS does not manage that review. There is a clear need for competence and objectivity. The review should conclude that moving Secret Service back to the Treasury Department is essential to restoring its effectiveness
Litigation, Investigation, and Law Enforcement
Only 100 cybercrime brains worldwide says Europol boss (BBC) There are only "around 100" cybercriminal kingpins behind global cybercrime, according to the head of Europol's Cybercrime Centre
Former Head of N.S.A.: Snowden Is Helping Russia (Vanity Fair) At Vanity Fair's New Establishment Summit in San Francisco, retired General Keith Alexander, former director of the N.S.A., challenged the audience to "call up Putin and ask him a question like [N.S.A. whistleblower Edward Snowden] did." There would be, Alexander said, "zero chance he would answer the phone"
iPhone Encryption and the Return of the Crypto Wars (Schneier on Security) Last week, Apple announced that it is closing a serious security vulnerability in the iPhone. It used to be that the phone's encryption only protected a small amount of the data, and Apple had the ability to bypass security on the rest of it
Crypto wars redux: why the FBI's desire to unlock your private life must be resisted (Guardian) In 1995, the US government tried — and failed — to categorise encryption as a weapon. Today, the same lines are being drawn and the same tactics repeated as the FBI wants to do the same. Here's why they are wrong, and why they must fail again
This Is How the Feds Illegally Obtain Evidence of a Crime and Lie About It in Court (Reason) The NSA and Justice Department go after suspects in crimes unrelated to national security using an unlawful, deceptive practice called "parallel reconstruction"
Police thwarted by remote wiping of tablets and phones (Naked Security) The BBC has reported that several UK police forces have found that evidence has evaporated into thin air after tablets and mobile phones have been remotely wiped, even after suspects have been taken into custody
Alleged Russian Cyber-Criminal Now Charged in 40-Count Superseding Indictment (Office of Inadequate Security) A federal grand jury in Seattle returned a second superseding indictment late yesterday charging a Russian national with 11 additional counts and further detailing his alleged scheme to hack into businesses and steal credit card information for later sale over the Internet on "carding" websites
Spies can access my metadata, so why can't I? My 15-month legal battle with Telstra (Sydney Morning Herald) The RSPCA, councils and other law-enforcement agencies can obtain reporter Ben Grubb's internet and phone metadata but Telstra won't release it to him. Here he details his 15-month fight for access
NSA: List of official leaks to the media is classified (The Hill) The National Security Agency is refusing to release a list of classified information that was deliberately leaked to the media