Cyber Attacks, Threats, and Vulnerabilities
Jihadists Have Infested World's Second Biggest Streaming Music Service (HS Today) As a prelude to a major comprehensive report on the history of online jihad by Al Qaeda in Afghanistan to the Islamic State in Iraq and Syria to be released next week by the Middle East Media Research Institute (MEMRI) Jihad and Terrorism Threat Monitor, MEMRI Executive Director Steven Stalinsky made available to Homeland Security Today his new report on how jihadists of all stripes have infested SoundCloud, a Berlin-based social networking platform created in 2007 that allows users to upload and share audio content for free
Anonymous to Launch New Cyber War on Israel Next Friday (Fars News Agency) The international group of computer hackers known as "Anonymous" announced it would launch a fresh round of cyber war on Israel next Friday 14 November
Brisbane — Give Me a Cyber Target Anyday (Sam Volkering's TechInsider) 'Give me Brisbane Anyday.' That's the official slogan for Brisbane. I'm sure it took a room full of people with skinny jeans, jeggings, checkered shirts, beards and spectacles a whole week to come up with that
BlackEnergy Malware Inside Critical US Infrastructure Since 2011 (VPN Creative) This week, researchers at Kaspersky Labs released their latest report on the infamous BlackEnergy malware, claiming that Russian hackers have been using the program to infiltrate vital pieces of the US energy infrastructure including power plants, hydroelectric dams, and manufacturers of equipment destined for nuclear-powered facilities
BlackEnergy threatens U.S. infrastructure (GSN) Investigators have discovered a potential cyber security threat to the U.S. critical infrastructure. BlackEnergy is a trojan horse discovered within the software that controls oil and gas pipelines, water systems, and power transmission grids in the U.S. Using Black Energy, hackers could have the ability to use the internet to shut down pipelines, nuclear power plants, wind turbines, and water treatment plants
Russia is behind cyber attack on banks, says Kevin Mandia (Australian Financial Review) Russian President Vladimir Putin's government is actively "condoning" hacks on Western retail and banking businesses, according to the founder of one of the world's leading cyber security firms ahead of the G20 summit in Brisbane and a meeting between Prime Minister Tony Abbott and the Russian leader at the APEC summit in Beijing
WTF, Russia's domestic Internet traffic mysteriously passes through Chinese routers (Ars Technica) Unexplained diversion underscores insecurity of Net's global routing system
China suspected of breaching U.S. Postal Service computer networks (Washington Post) Chinese government hackers are suspected of breaching the computer networks of the United States Postal Service, compromising the data of more than 800,000 employees
Pakistani Hacker Hacks Consulate General of India in Guangzhou, China (HackRead) The never-ending cyber war between India and Pakistan has reached new heights, with hackers from both sides targeting high-profile government-owned websites, but a Pakistani hacker yesterday hacked the official website of the Consulate General of India in Guangzhou, China
Indiana ed department site hit with second cyber attack (Education Dive) Hackers have infiltrated the Indiana Department of Education's website for the second time this week. This time around, a message was left on the site that read, "SUPRISED (sic) WE ARE HERE AGAIAN (sic)??? THE LAST TIME THIS SITE WAS DOWN NO PATCH WAS DONE." After the site went down the first time, the department claimed it was working to create a patch that would stop future hackers — but that clearly wasn't successful
Mistaken identity: Indiana Dept. of Education hacked a second time (CSO) Defacement message suggests attackers were targeting domains in India
Hacktivist 'Anonymous Leyte' Targets Philippines Gov't Sites for 'Incompetence' (HackRead) Last week we updated you on how Anonymous Leyte breached the official website of the Philippines' Department of Trade & Industry (DTI), ending up leaking the login details of 1900+ members. Now the same hacker has hacked and defaced several Philippines government websites for the very same reason
INTERNATIONAL SHAME: M'sian govt 'caught' hacking into US-based news website (Malaysia Chronicle) The US-based Environment News Service (ENS) has blamed the Malaysian Government for a cyber attack that caused its website to go down, according to an AFP report
Darkhotel APT Group Targeting Top Executives in Long-Term Campaign (Threatpost) APT groups tend to be grouped together in a large amorphous blob of sinister intentions and similar targets, but not all APT crews are created equal. Researchers have identified a group that's been operating in Asia for at least seven years and has been using hotel networks as key infection points to target top executives at companies in manufacturing, defense, investment capital, private equity, automotive and other industries
Hackers use DRAFT emails as dead-drops for running malware (Register) Python bite opens doors to get into Gmail, Yahoo! accounts
Serious Root Access Bug in Belkin N750 Router (Threatpost) A serious vulnerability in a popular Belkin router could be exploited by a local, unauthenticated attacker to gain full control over affected devices
MD5 Hash Broken via Collision Attack of Less Than $1 (Hot for Security) The MD5 hash collision attack that hijacked the Windows Update system back in 2012 was replicated with just 65 US cents worth of cloud computing fees, according to Nathaniel McHugh's blog post
Scamwatch: Facebook fraud (AOL Money) Clicking on that video could infect your computer with a virus
Zubie: This Car Safety Tool 'Could Have Given Hackers Control Of Your Vehicle' (Forbes) Over the last year, researchers have been guessing at ways hackers might compromise cars from afar. Now, alumni of Israel's cyber intelligence division, Unit 8200, have discovered that an innocuous American in-vehicle technology could have been exploited to remotely mess with the brakes, steering and engine. It's the first example of such a cyber attack on a specific in-car "dongle". And it may prove to be a watershed moment in the history of vehicular security
We analyze Cryptobot, aka Paycrypt (Webroot Threat Blog) Recently during some research on encrypting ransomware we came across a new variant that brings some new features to the table. It will encrypt by utilizing the following javascript from being opened as an attachment from email (posing as some document file)
Is your webcam or baby monitor video feed being streamed to this website? (Naked Security) In 2013, a cyber creep took over a baby monitor to spy on a 2-year-old Texas girl, to broadcast obscenities at the child, to swivel the camera so as to watch her shocked parents as they came in, and to then call the parents insulting names
New Details Of Home Depot Attack Reminiscent Of Target's Breach (Dark Reading) A massive payment card breach this year resulted when hackers gained access to its network using a third-party vendor's login, the retailer says, and 53 million email accounts were exposed
You Can Own the Infrastructure of a Country (Sarbanes-Oxley Compliance Journal) It is very easy for intruders to get a list of weak systems from Shodan
A look at high-profile federal cybersecurity breaches by insiders, hackers, spies (AP via the Minneapolis Star-Tribune) A $10 billion-a-year federal effort to protect critical data is struggling against an onslaught of cyberattacks by thieves, hostile states and hackers
Federal workers, contractors reportedly behind many cyber breaches — often by accident (Fox News) Federal employees and contractors are unwittingly undermining a $10 billion-per-year effort to protect sensitive government data from cyberattacks, according to a published report
N.C. Dermatology Center Discovers Hacked Server Two Years After Attack (SecurityWeek) In another cowardly Friday afternoon data breach disclosure, Chapel Hill, N.C.-based Central Dermatology Center said that one of its servers was breached by hackers back in August of 2012, but that it has just become aware of the breach
Bulletin (SB14-314) Vulnerability Summary for the Week of November 3, 2014 (US-CERT) The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information
Security Patches, Mitigations, and Software Updates
Business braces for heavy Patch Tuesday (ComputerWeekly) IT administrators face a busy month at server, desktop and application level as Microsoft plans to release a bumper security update on 11 November 2014
Alert (TA14-310A) Microsoft Ending Support for Windows Server 2003 Operating System (US-CERT) Microsoft is ending support for the Windows Server 2003 operating system on July 14, 2015.[1] After this date, this product will no longer receive: security patches that help protect PCs from harmful viruses, spyware, and other malicious software, assisted technical support from Microsoft, software and content updates
Cyber Trends
Securing an Internet Made from 'Duck Tape and Baling Wire' (Threatpost) The Internet that we use today was not designed as a cohesive network. It was put together from found bits and pieces over the course of the last few decades, and, as major bugs such as Heartbleed and others have shown, it's a frighteningly fragile construction
Cost of retail crime skyrockets nearly 30 percent (CSO) Overall jump linked to increase in employee theft and higher security spending
Security studies warn: You will be attacked; you probably can't respond (Help Net Security) A significant cyberattack is due to strike your organization and you are ill prepared to defend against it or react to it
Data Breaches: Almost Like Clockwork (Trend Micro CTO Insights) Last year, as part of our predictions for 2014 we said there would be one major data breach every month. At the time, many people said that our prediction was overly pessimistic. It was one prediction I would have been happy to have gotten wrong
Keeping cybersecurity focused on critical infrastructure (Euractiv) There is an uneven landscape when it comes to cybersecurity readiness in Europe, writes Thomas Eboué. To build a foundation for cyber protections, the European Union needs to start with the most critical infrastructure, he argues
Middle East Oil and Gas Industry Urged to Stay on Top of Growing Cyber-Security Challenges (Zawya) Cyber-attacks could include DDoS attacks, phishing/spear-phishing emails, data theft, "zero-day" software assaults, web application exploits, and website defacement
Marketplace
Privacy professionals are in demand. Will it lead to better privacy? (Ars Technica) Companies are spending more money to ensure legal data collection
Health-Care Industry Starts to Pay Attention to Cyber Risks (Wall Street Journal) The health-care industry is grappling with how to protect personal health information from increasing cyber threats. In addition to meeting security and privacy regulations, companies can do more to prevent breaches by assessing and prioritizing cybersecurity risks, said Jim Routh, chief information security officer at health insurer Aetna Inc. The message has already caught on at some health-care companies, who are starting to look for technology executives with risk experience
Cyber insurance goes hand in hand with good practices (Prosecurity Zone) LogRhythm comments on the UK cyber-insurance market study and the need to combine insurance cover with good practices in protecting IT assets
AVG Technologies Approached by Potential Buyers (Wall Street Journal) AVG Technologies NV has been approached by potential buyers amid a wave of deals for security-software makers, according to people familiar with the matter
Security Software In Focus: Symantec Corporation (NASDAQ:SYMC), Check Point Software Technologies Ltd. (NASDAQ: CHKP), Intralinks Holdings Inc (NYSE:IL) (StreetWise Report) Symantec Corporation (NASDAQ:SYMC) is on its way to divide into two corporations by March… Intralinks Holdings Inc. (NYSE:IL) on Thursday announced that it had a loss of $4.4B in its Q3. On a per-share basis, the New York-located Corporation declared that it had a loss of 8 cents… Check Point Software Technologies Ltd. (NASDAQ: CHKP) declared that the extension of its security proposals for community cloud services, taking the firm's security gateways software to the Microsoft Azure Marketplace
IBM: What's up with the sick man of the Dow? (CNBC Trader Talk) It's downright pathetic. IBM has gone from a monster after the Financial Crisis (it doubled in a couple years) to a loser, down 14 percent this year. True, it hasn't done much in the last two years, but it has simply collapsed since its disappointing earnings report a few weeks ago
Nice Systems Ltd Price Target Raised to $50.00 (NICE) (WKRB) Nice Systems Ltd (NASDAQ:NICE) had its target price boosted by FBR Capital Markets from $46.00 to $50.00 in a report issued on Wednesday. They currently have an outperform rating on the stock
Trend Micro for Enterprise Security (Network World) North American image of Trend as an AV vendor is inaccurate and a disservice to the company. Enterprise security professionals should know better
Deals of the Year 2014 Company of the Year award: Duo Security (Michigan Live) It's no secret that security is one of the fastest-growing segments within the information technology industry over the past year
Norse Selected as Finalist for the 2014 Red Herring 100 Global Award (Virtual Strategy) Norse, the leader in live cyber attack intelligence, today announced that it has been selected as a candidate for the Red Herring 2014 Top 100 Global award. The award recognizes and honors the year's most audacious and far-reaching private technology companies and entrepreneurs from around the world
Now hiring: Mequon company behind discovery of biggest known data breach to date (Milwaukee Business Journal) Hold Security LLC of Mequon made national news this February by uncovering what's considered the largest data breach to date, with more than 1 billion passwords stolen
Former NSA chief's firm to move to Howard County (Baltimore Sun) A cybersecurity firm headed by a former National Security Director plans to move its headquarters to Maple Lawn, bringing 24 new jobs to Howard County, officials said Friday
On the Hunt for Wall St. Hackers, but Not the Spotlight (New York Times) Lawrence Baldwin is a dark hero of the Internet whom you have probably never heard of — and for good reason
With APAC under threat, Fortinet expands India operations (Times of India) Silicon Valley headquartered network security provider Fortinet is scaling up its India operations, effecting a 56% increase in the technical workforce, as the Asia Pacific (APAC) region is turning out to be a hotbed for cyber attacks
Gemalto deploys secure online banking solution in Indonesia (Newsmaker) Gemalto (Euronext NL0000400653), the world leader in digital security, announces that its complete strong authentication solution has been selected by PT Bank Muamalat Indonesia Tbk (BMI) to enhance the security of their internet banking platform
Symantec brings the Cyber Readiness Challenge to Mumbai (DNA India) Cyber attacks are rising worldwide and the corporations are lagging behind when it comes to defending themselves, Symantec hence has created a unique Cyber Readiness Challenge where networks are simulated and attacked to see how vulnerable companies actually are, allowing them to build solutions for these problems before they are exploited
Target names Rice chief risk and compliance officer (Supermarket News) Target Corp. has hired Jacqueline Hourigan Rice as SVP, chief risk and compliance officer, the company said
Products, Services, and Solutions
Dell tablet, security efforts result in new 2-in-1 device (TechTarget) The latest Dell tablet includes security features that impressed IT industry watchers, but Dell's product integration poses challenges
Microsoft continuously attempts to hack Office 365 to make it safer for commercial use (WinBeta) You may not realize it, but there is a lot of money that can be made from selling your online identity to those who are up to no good. This makes it a great opportunity for hackers to make enough money to pay their electricity bills. This year alone, 5 million Gmail passwords were stolen, 7 million from Dropbox and 2 million from Facebook, and we can only guess how many other thefts went undetected
LockPath Receives U.S. Patent (MarketWired) LockPath, a leader in innovative governance, risk management, regulatory compliance (GRC) and information security (InfoSec) solutions, announced today its receipt of a newly issued patent relating to its Keylight™ platform
Black Lotus, NSONE Launch Private DNS Networks with Native DDoS Protection (BusinessWire) Powerful DNS platform provides Internet service providers always-on protection against malicious traffic
Boeing 777 Plant Security Tool Extends To IoT (Dark Reading) A secure network technology built for Boeing and later commercialized is evolving and under a new company name
John McAfee Launches The Impressive Anti Spy & Privacy App "D-Vasive" (HackRead) At Chicago's CIO Synergy symposium, John McAfee and Future Tense Secure Systems (FTC) announced the official release of the D-Vasive & D-Vasive Pro Anti Spy and Privacy app
Technologies, Techniques, and Standards
Removing Wirelurker from Your iOS or OSX Device (TrendLabs Simply Security) In an earlier blog post, we tackled what Wirelurker malware is and its security implications and risks for iOS and OSX devices. Within hours of the discovery of this malware, a Windows-based malware (detected as TROJ_WIRELURK.A) that performs the same attack was also seen in the wild. In this blog post, we'd like to share practices and recommendations for users and enterprises in order to secure their devices from this threat
Expanding Use of PKI in Variety of Devices Holds Challenges (Threatpost) One of the longest running jokes in the security industry is that each coming year finally will be The Year of PKI. While that one huge year never materialized, the use of PKI and digital certificates has become an integral part of how the Internet works today. But there are some challenges on the horizon that will need some innovative solutions
Security products: Best of breed or create your own monster? (Register) Beware the Frankenstack
What to look for when procuring IT security solutions (Strategic Sourceror) There are two sides to IT security procurement
What to look for in Web application firewall products (TechTarget) Attackers are increasingly seeking unauthorized access to sensitive corporate data so they can use this information to commit identity theft, financial fraud and other crimes. Because so much of this sensitive data is in back-end databases accessible through Web applications, attackers frequently target these applications to gain access to their associated data
10 ways to recharge cybersecurity ops centers (GCN) The deck is stacked against defenders of government networks, at least those who join the battle from one of a growing number of cybersecurity operations centers (CSOCs), designed to concentrate as much technology and expertise as possible in the 24/7 effort to protect the public and its institutions
Overcoming Big Data security obstacles (Help Net Security) When it comes to security, Big Data can be the cause of many obstacles. As Big Data often contains enormous quantities of personally identifiable information, privacy becomes a very real and primary concern
Data Breaches: 8 Tips For Board-Level Discussions (InformationWeek) Recent high-profile breaches put you in the board's spotlight on security. Here's how to shine
Disaster Recovery In The APT Age (InformationWeek) Does your resiliency plan take into account both natural disasters and man-made mayhem? If the CISO hasn't signed off, assume the answer is no
Collaboration group to investigate connected vehicle security (Prosecurity Zone) Intercede is part of a new collaborative group of industry partners examining the security implications of the emerging technology of connected vehicles
Design and Innovation
Big Data: Cyber Security's Silver Bullet? Intel Makes the Case (Forbes) Every new exploit seems to unleash a flood of announcements touting niche products that allegedly saved their customers from the same sorry fate. In the security business, Monday morning quarterbacking is the norm. Yet many business and IT leaders sense that something's missing from the products security hucksters have been pitching for years
China builds computer network impenetrable to hackers (Telegraph) China is building the world's first long-distance quantum encryption network, a 1,200-mile line between Beijing and Shanghai that will be theoretically unhackable
The Staggering Complexity of Application Security (Dark Reading) During the past few decades of high-speed coding we have automated our businesses so fast that we are now incapable of securing what we have built
Research and Development
Swedish Researchers Report Record Wireless Data Transmission Rate (IEEE Spectrum) 4K (or ultra high definition) television technology requires high-speed TV cameras that produce data streams of 12 to 20 gigabytes per second. Such data rates can only be transmitted from the cameras by optical fiber links. In live reporting of sporting events such as soccer games — often requiring slow motion instant replay — these optical cables have to be dug in under the grass, severely limiting the mobility of the cameramen. Up to now, there have been no wireless links capable of handling these torrents of data
Academia
Time to celebrate a cybersecurity success (Federal Times) There is a good news, bad news story in cybersecurity
Legislation, Policy, and Regulation
NATO Hews To Strategic Ambiguity On Cyber Deterrence (Breaking Defense) NATO is now taking cyber threats as seriously as the Russian tanks and nuclear weapons it was created to deter. But the alliance has a long way to go just to shore up its own network defenses, and it explicitly eschews any role on the offense. NATO has not even written a formal policy on how it would deter a cyber attack. The net result is a certain degree of strategic ambiguity — but then NATO has survived and even thrived on ambiguity for decades
Germany, Brazil Push the UN to Be Tougher on Cyber-Spying (NDTV) Germany and Brazil are pushing the United Nations to be tougher on spying by beefing up an earlier U.N. resolution raising concerns that mass surveillance, interception of digital communications and personal data collection could harm human rights
Regional security — common interest of Germany and Baltic States (Baltic Course) President of Lithuania Dalia Grybauskaite met with the President of the Federal Republic of Germany, Joachim Gauck. Taking part in the meeting on the eve of the 25th anniversary of the fall of the Berlin Wall were also Latvian President Andris Berzins and Estonian President Toomas Hendrik Ilves. The presidents discussed the security situation in the region and ways to counter newly emerging threats, reports BC press service of Lithuanian president
Don't assume public trusts you, MI5. 'Make a case' for surveillance — Former security chief (Register) 'Do you trust us… Snowden or …the Islamic State'? Spooks and security agencies must openly debate the public's concerns over surveillance following the Snowden revelations, former head of MI5 and current thriller writer Stella Rimington has said
Long-Awaited FISMA Reforms May Hit Stumbling Block (Nextgov) The House and Senate have hit a road bump trying to update a 2002 law that collects binders of paper once a year, as a way of monitoring federal computer security
Cyber bill advocates pin hopes on GOP Congress (The Hill) A Republican House and Senate might be the kickstart needed for perpetually stalled cybersecurity legislation
Cybersecurity inaction favors the hackers (USA TODAY) The U.S. is too vulnerable for this issue to wait. Lame duck congress must act
Cyberspace: Democrats jeopardize lives of Americans for political motives (Examiner) Besides the thrashing Democrats experienced at the voting booths on Tuesday, the Sunday morning news shows addressed a number of issues that needed attention by the new Senate and Congress in January. For example, on ABC's "This Week," the Democrat from Rhode Island, Rep. Jim Langevin, said that there is a very real risk that unfriendly nations, such as Russia and China, or Muslim terrorists with the technical know-how could launch cyber attacks against critical U.S. infrastructure such as the nation's power grid
Banks take on retailers over who foots cyber attacks bill (Financial Times) Banks are gearing up for a big fight with retailers over who covers the cost of cyber attacks, after they paid most of the bill for breaches that they blamed on retailers' own security deficiencies
Net Neutrality: President Obama's Plan for a Free and Open Internet (The White House) More than any other invention of our time, the Internet has unlocked possibilities we could just barely imagine a generation ago. And here's a big reason we've seen such incredible growth and innovation: Most Internet providers have treated Internet traffic equally
DoD Advances Information Technology to Lower Costs (DoD News) The Defense Department is pushing forward on information technology such as cloud computing, smartphones and apps, the Joint Information Environment, and data access to improve the mission and reduce costs, the Pentagon's acting chief information officer said yesterday
Goode out, Toler promoted as DHS cyber roles churn (Federal News Radio) The quiet period for the Homeland Security Department's cybersecurity division turnover seems to be over
Obama's Attorney General Pick Will Be Stranger to National Security Law (Foreign Policy) President Obama's reported choice to replace Eric Holder as attorney general, U.S. attorney for the Eastern District of New York Loretta Lynch, has vast experience as a prosecutor and, from a survey of articles written about her in the past, is well respected by her peers. But a review of her background reveals that she has little to no experience dealing with the legal issues surrounding national security that dominated Holder's time as the nation's top law enforcement official
Litigation, Investigation, and Law Enforcement
Silk Road, other Tor "darknet" sites may have been "decloaked" through DDoS [Updated] (Ars Technica) Crafted Web requests may have caused servers to give up their locations
Tor Project mulls how Feds took down hidden websites (IDG via CSO) Little is known about how U.S. and European law enforcement shut down more than 400 websites, including Silk Road 2.0, which used technology that hides their true IP addresses
Thoughts and Concerns about Operation Onymous (Tor Project) Recently it was announced that a coalition of government agencies took control of many Tor hidden services. We were as surprised as most of you. Unfortunately, we have very little information about how this was accomplished, but we do have some thoughts which we want to share
'Dark web', a big challenge to law enforcement agencies (Times of India) No sooner had authorities announced the shuttering of an alleged illegal online drug bazaar than another popped up claiming to take its place
The FBI Impersonates the Media: Some of the Rules Governing Cyber-Subterfuge (Lawfare) The developing story of the FBI's impersonation of journalists is, in a way, really the story of Timberline high school in Washington State. In June of 2007 Timberline had received a series of bomb threats, prompting a week of evacuations. The FBI and local law enforcement traced the problem to an anonymous account on the MySpace social media site. But the trail seemed to stop there, as investigators were unable to ascertain the identity of the person or persons behind the account
'NSA Slayer' to Judges: the Government is Lying! (WND) 'This court should not believe anything' feds say
Finjan Sues Palo Alto Networks for Patent Infringement (Recorder) Finjan Inc., a cybersecurity patent licensing company, has been a busy litigant in the Northern District of California. In the past two years, Finjan has wielded its patents related to computer network security against Symantec Corp., Fireeye Inc., Blue Coat Systems Inc., Sophos Inc., Websense Inc., and Proofpoint Inc. On Tuesday Palo Alto Networks became the latest Silicon Valley cybersecurity firm to face patent infringement claims from the NPE
Interpol upgrades software, solutions in fight vs cybercrime (Inquirer) Interpol has strengthened its fight against cybercrime by upgrading its security software and solutions
Mark Johnson guilty of 'crippling' Home Office cyber attack (BBC) A Twitter user has been found guilty of posting a "malicious" weblink which helped bring down the Home Office website