The CyberWire Daily Briefing 12.09.14

Cyber Attacks, Threats, and Vulnerabilities

Sony Pictures attackers demand: "Stop the terrorist film!" (Ars Technica) New data dump on SPE execs along with a helping of malware

Hackers Demanded Monetary Compensation from Sony Before Cyber Attack (Variety) An email sent to Sony Pictures chiefs Michael Lynton and Amy Pascal has emerged in which monetary compensation was demanded days before the studio was crippled in a cyber attack. "We've got great damage by Sony Pictures," writes "God'sApstls" in the message that was sent Nov. 21, with the subject line: "Notice to Sony Pictures Entertainment Inc"

Identity thieves slurp Sony Pictures staff info — as CEO sends 'don't sue me, bro' memo (Register) Attack 'unprecedented,' claims Mandiant security

Don't believe the hype: Sony hack not 'unprecedented,' experts say (Mashable) The cyberattack on Sony Pictures was "unprecedented," "undetectable" and "unparalleled," according to the security firm hired to investigate it — but other experts aren't so sure

The wiper malware that hit Sony Picture was written in Korean (Security Affairs) Security experts at AlienVault discovered further elements of the wiper malware used for the attack on Sony Pictures that link it to North Korean hackers

Kaspersky exposes SONY-CRIPPLING malware DETAILS (Register) Looks like Shamoon, quacks like Dark Seoul

Researchers Try to Connect Sony with Saudi Aramco and Dark Seoul Attacks (Norse: Dark Matters) Following malware analysis, researchers at Kaspersky claim that the destructive code used in the recent Sony hack by a previously unknown group called the "Guardians of Peace" (GOP) is connected to the 2012 attack on oil and gas giant Saudi Aramco and the 2013 Dark Seoul hacks, asserting that the same actors may behind all three attacks

Lizard Squad performs a 'RIGHTEOUS' Sony HACK (Computerworld) Sony hacking: Easy as counting to five

Iran Is Officially A Real Player In The Global Cyber War (Business Insider) Iran has been steadily developing its cyber warfare capabilities for a number of years and now poses a significant threat to government agencies and critical infrastructure companies around the world

Linux software nasty slithers out of online watering holes (Register) Windows-popping Trojan thought to be govt-built takes a bite from penguinistas

Blogger Leaks 'Evidence' of China's Propaganda Machine (Nextgov) Ant-government activist "Xiaolan" has posted online an archive of email communications from the Internet Information Office of Zhanggong District, China Digital Times reports

New 'Fakedbuggerd' Vulnerability Must be Taken Seriously (Tripwire: the State of Security) In November 2014, information about "Fakedebuggerd" — a new vulnerability used to gain root access to install files on the Android device file system — was published by Chinese antivirus company 360

POODLE attack now targeting TLS (Help Net Security) There's a new SSL/TLS problem being announced today and it's likely to affect some of the most popular web sites in the world, owning largely to the popularity of F5 load balancers and the fact that these devices are impacted. There are other devices known to be affected, and it's possible that the same flaw is present in some SSL/TLS stacks. We will learn more in the following days

LusyPOS Malware Seen in Russian Underground Forums (TrendLabs Security Intelligence Blog) Earlier this month, security researchers discovered a new PoS malware family, which they named "LusyPOS" after a reference in Russian underground forums. We detect this as TSPY_POSLUSY.A. In their analysis, they mentioned that while it had some characteristics linked to the Dexter family of PoS malware, due to its behavior they also linked it to the Chewbacca PoS malware (which we detect as TSPY_FYSNA.A), which is known to use the Tor network to connect to its command-and-control (C&C) servers

Aggressive Phishing Campaign Aimed at German Users (Softpedia) Malware integrates anti-debugging mechanism

Vulnerability in AliExpress Market Site Exposes Info of Millions of Customers (Softpedia) An information disclosure flaw in the AliExpress online shopping site allowed someone signed into the marketplace to learn personal information about other customers

A Security Flaw In Anonymous Gossip App Yik Yak Lets Hackers Identify And Take Over Your Account (VentureBeat) Sharing your innermost secrets on the web anonymously isn't as safe as you thought it was

Plusnet customers SWAMPED by spam but BT-owned ISP dismisses data breach claims (Register) Refuses to notify watchdog despite subscribers' fears

More on Wiretapping ATM Skimmers (KrebsOnSecurity) Last month, this blog featured a story about an innovation in ATM skimming known as wiretapping, which I said involves a "tiny" hole cut in the ATM's front through which thieves insert devices capable of eavesdropping on and recording the ATM user's card data. Turns out, the holes the crooks make to insert their gear tend to be anything but tiny

Forgotten subdomains boost risk of account hijacking, other attacks (IDG via CSO) Subdomains that once served a purpose but later were forgotten by website administrators can be abused by hackers to attack users of sites under the same main domain

Researchers Get the Boot After Finding Google App Engine Vulnerabilities (Norse: Dark Matters) A research team from Security Explorations have been denied access to their test Google App Engine account after their discovery of more than two-dozen vulnerabilities, including Java security sandbox bypasses

UK Home Wi-Fi Cyber Security is Weak and Open to Abuse (Computer Business Review) Multiple connected devices mean wireless router hacking vulnerabilities are opening up home networks

GSMA denies latest Snowden leak (Register) No 'current' compromise, and our standards docs are public anyway

Antivirus Companies Should Be More Open About Their Government Malware Discoveries (MIT Technology Review) Antivirus companies had tracked the sophisticated — and likely U.S.-backed — Regin malware for years. But they kept what they learned to themselves

Did the FBI Break Tor? (Slate) The bureau exploited a vulnerability in the anonymous Web browsing system to arrest criminals. That could leave activists and others at risk, too

The Technology Snob's Favorite Hacker Group (Slate) Those who hate Anonymous adored a hacker group that existed for two short, glorious months

Bulletin (SB14-342) Vulnerability Summary for the Week of December 1, 2014 (US-CERT) The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information

November 2014 Cyber Attacks Statistics (Hackmageddon) It's time for the statistics derived from the Cyber Attacks Timelines of November

Trends in Internet trust exploits, IoT, cyber espionage and privacy (Help Net Security) In the third quarter, McAfee Labs detected more than 307 new threats every minute, or more than five every second, with mobile malware samples growing by 16 percent during the quarter, and overall malware surging by 76 percent year over year

Security Patches, Mitigations, and Software Updates

AliExpress patches account mass harvesting flaw (Register) Names, addresses and phone numbers make ripe phish food

ISC Releases Security Updates for BIND (US-CERT) The Internet Systems Consortium (ISC) has released security updates to address multiple vulnerabilities in BIND, one of which may allow a remote attacker to cause a denial of service

Cyber Trends

Nicole Wong on how big data could change the way we live (Christian Science Monitor: Passcode) After stints at the White House, Google and Twitter, Wong understands the promise and peril of big data

Online Ad Fraud Exposed: Advertisers Losing $6.3 Billion To $10 Billion Per Year (Dark Reading) A new study conducted by the Association of National Advertisers (ANA) and the security firm White Ops tracked online ad traffic patterns for 36 major companies and discovered epic levels of abuse

Software security in a market for lemons (Help Net Security) There is little doubt that it's difficult to develop secure software. First, you need to be aware of the need for security, accepting it as an important element of software quality. This is generally not something we learn in school. Not that it matters much, given how many developers are skipping education only to dive straight into building software

93 percent of Government Chinese websites are vulnerable (Security Affairs) A report issued by the China Software Testing Center revealed that 93 percent of Chinese websites are vulnerable to cyber attacks

Italy is within most targeted countries by Crypto-Ransomware in EMEA Region (Security Affairs) Trend Micro has analyzed the diffusion of Crypto-Ransomware in the EMEA Region, such attacks are very effective and Italy is in the Top infected countries

Marketplace

Healthcare InfoSec: Checking for a Pulse (Trend Micro: Simply Security) Last week, I had the pleasure to attend the SANS Healthcare Security Summit in San Francisco. It was great to see one of the leading educational and awareness organizations team up with the National Health Information Sharing and Analysis Center (NH-ISAC) to put on this important event

The cybersecurity skills gap (SC Magazine) The information security profession, which evolved largely in reaction to threats, is now paying the price of an entire "missing generation." Companies are challenged finding pros with the combination of business and technical savvy that is needed to combat growing threats

KPMG Capital Takes Equity Stake in Bottlenose, a Pioneer in Real-time Trend Intelligence (PRNewswire) Trend intelligence helps clients detect patterns in high-volume real-time streaming data, to capitalize on emerging opportunities and detect and mitigate potential threats

WhiteHat Security creating 80 jobs in Belfast (BBC) Invest NI has offered the company an employment grant of £400,000. Eighty jobs are to be created in Belfast by an American web security firm

CenturyLink Lands DHS Task Order for Cyber Services to Civilian Agencies (ExecutiveBiz) CenturyLink will continue to deliver cybersecurity services to U.S. federal civilian agencies under a one-year task order from the Department of Homeland Security's office of cybersecurity and communications

Cubic to Design, Test Updates for SPAWAR Data Link; Mike Twyman Comments (ExecutiveBiz) Cubic Defense Applications will continue to provide support for the U.S. Navy's data link systems used in operational missions under a $3.1 million contract from the Space and Naval Warfare Systems Command

CYREN WebSecurity Wins Biz Award (PRNewswire) CYREN (NASDAQ: CYRN) today announced that its cloud-based CYREN WebSecurity solution has been named a bronze winner in the Best New Product of the Year — Enterprise category in Best in Biz Awards 2014, the only independent business awards program judged by members of the press and industry analysts

FireEye Wins CRN Enterprise App Award for Security (CNN Money) Annual "Appy" award recognizes top mobile business applications

CRGT Announces Key Hire to Strengthen CyberSecurity Expertise (Virtual Strategy Magazine) Charles L. (Chuck) McGann, the former Corporate Information Security Officer (CISO) for the United States Postal Service (USPS), has joined CRGT Inc. as the Chief Cyber Strategist. His initial responsibilities include assisting customers to meet their Cyber Security goals

Meet the hacking prodigy you definitely want on your side (PRI) Chris Doman is something of a prodigy in the world of cyber security — so it's a good thing that he's one of the good guys when it comes to hacking

Products, Services, and Solutions

Tenable Network Security Announces Cisco Identity Services Engine Integration for Nessus v6 (CMO) Integration with Cisco ISE provides visibility and context to enhance security vulnerability assessment across the network

Blackphone launches app store for personal security and privacy (ZDNet) Together with the launch of updated custom Android software PrivatOS, the handset maker has revealed a new store dedicated to security and privacy applications

TrustPipe Rolls Out Marker-Based Security Technology (Dark Reading) After two years of testing in real-world deployments and at West Coast Labs, digital security vendor TrustPipe emerged from stealth mode today to introduce its breakthrough, marker-based security technology

LG gains NSA security certification for G3 (ZDNet) LG has gained the NSA's NIAP validation for its flagship smartphone to be used by the US government

Facebook launches keyword searching on past posts (Naked Security) Here's news that will horrify those of us whose pasts include truly embarrassing Facebook posts: Facebook has enabled keyword search on past posts, thus killing the concept of privacy by obscurity

Technologies, Techniques, and Standards

Bypassing Windows and OSX Logins with NetHunter & Kon-boot (Offensive Security) The Kali Linux NetHunter platform has many hidden features which we still haven't brought to light. One of them is the DriveDroid application and patch set, which have been implemented in NetHunter since v1.0.2. This tool allows us to have NetHunter emulate a bootable ISO or USB, using images of our choosing. That's right, you can use NetHunter as a boot device which holds a library of bootable ISOs and images

3 Steps To Solidifying Air-Gap Security (Dark Reading) Your isolated systems may not be as secure from exfiltration or external control as you think

The 5 worst Big Data privacy risks (and how to guard against them) (CSO) There are enormous benefits from Big Data analytics, but also massive potential for exposure that could result in anything from embarrassment to outright discrimination. Here's what to look out for - and how to protect yourself and your employees

Why You Shouldn't Use MAC Address Filtering On Your Wi-Fi Router (How-to Geek) MAC address filtering allows you to define a list of devices and only allow those devices on your Wi-Fi network. That's the theory, anyway. In practice, this protection is tedious to set up and easy to breach

Design and Innovation

US government's invention secrecy orders highest in 20 years, watchdog group says (FierceHomelandSecurity) At the end of fiscal 2014, the federal government has 5,520 invention secrecy orders that prohibit both the issuance of a patent and its public disclosure, according to recent blog post by the Federation of American Scientists

Open Source Encryption Must Get Smarter (Dark Reading) When it comes to cryptography, there are quite a few myths in the age-old debate about proprietary versus open source application security

Payment Card Vulnerabilities Abound, but what's the Fix? (FoxBusiness) There is an important similarity between the 2013 data breach at Target (TGT) stores and the 2014 breach that occurred at Home Depot (HD): Both cyber attacks targeted the retailers' point-of-sale systems

Academia

Bill Gates, Google open checkbooks for new White House initiative (The Hill) Some of the nation's largest school districts have promised to offer computer science courses in their schools, the White House announced Monday

It's Computer Science Ed Week And It's Time To Do Something (TechCrunch) It's Computer Science Education Week and for thousands of students around the country, that means nothing

Leading Information Security University, EC-Council University, Providing Expert-Level Cyber Community Workshops (Digital Journal) EC-Council University is on a mission to spread awareness of information security — especially in the information technology industry. The online seminars cover topics in cyber security and are designed to cover topics that are necessary for anyone planning on sitting for a cyber security certification exam

Symantec Renews Support of CyberPatriot at Cyber Gold Level (MarketWatch) The Air Force Association today announced that Symantec Corp. has renewed their support for CyberPatriot, the National Youth Cyber Education Program, as a Cyber Gold sponsor. For the second consecutive year, Symantec has contributed to CyberPatriot, achieving their pledge to provide $1 million in Science, Technology, Engineering, and Math (STEM) grants to non-profit organizations around the globe

Legislation, Policy, and Regulation

A huge intelligence screw-up turned the government and private companies into cyberwarfare partners (PRI) The spies had come without warning. They plied their craft silently, stealing secrets from the world's most powerful military. They were at work for months before anyone noticed their presence. And when American officials finally detected the thieves, they saw that it was too late. The damage was done

We are in a war with no boundaries, warns cyber security expert (The National) Effective defence of the nation's cyberspace must take into account the possibility that attackers are not just nations or shadowy groups, a security expert has warned

The dangers of a militarized internet (Access) Access is celebrating International Human Rights Day by bringing you a series of blog posts covering the next big digital rights challenges. The fundamental freedoms of Expression, Privacy, Association, Conscience, along with a number of others, were codified through the Universal Declaration of Human Rights, which was signed 66 years ago this week

Molly Sauter's quest to make political DDoS legitimate (Christian Science Monitor: Passcode) In 'The Coming Swarm,' Sauter argues that denial of service should be no more controversial than sit-ins

NSA's surveillance a 'trade barrier' for EU companies: EU official (Virginia Gazette) The U.S. National Security Agency's mass surveillance is a trade barrier for European Internet companies trying to provide services in the United States, a top EU official said on Monday

Senate Dem plans 'botnet' bill for 2015 (The Hill) Sen. Sheldon Whitehouse (D-R.I.) thinks the 2015 landscape will be friendly to his bill combating hackers who remotely take over millions of computers to launch attacks

Obama renews NSA spying program after reform bill fails (The Hill) The Obama administration announced on Monday that it has renewed a controversial spying program that would have been ended under legislation that was blocked by a Senate filibuster

Joint Statement from the Office of the Director of National Intelligence and the Office of the Attorney General on the Declassification of Renewal of Collection Under Section 501 of the Foreign Intelligence Surveillance Act (IC on the Record) Earlier this year in a speech at the Department of Justice, President Obama announced a transition that would end the Section 215 bulk telephony metadata program as it previously existed, and that the government would establish a mechanism that preserves the capabilities we need without the government holding this bulk data

Pentagon, Congress make changes to DoD CIO's role (Federal News Radio) The Pentagon is making some adjustments to the role of its chief information officer, intended in part to help lay down where the CIO's role begins and ends with respect to DoD's still-developing cyber doctrine

DoD to begin going live January 1 with core portion of JIE (FierceGovernmentIT) The Defense Department will begin going live with pieces of its Joint Regional Security Stacks on January 1 and will continue rolling out JRSS across locations with the goal of reaching all JRSS installations by the end of 2016, said DoD Acting Chief Information Officer Terry Halvorsen. JRSS will reach initially operating capability across the DoD network by the end of 2016, and JRSS capability will be 98 percent complete by the end of 2017, he said

Litigation, Investigation, and Law Enforcement

Here Are The FBI's Most Wanted Cyber Criminals (Business Insider) As cybercrime becomes increasingly damaging, the FBI has kept a list of "Cyber's Most Wanted"

Kenya: Chinese deny cybercriminal network claim (ITWebAfrica) Last week, media reports focussed on 77 Chinese nationals who were arrested in Kenya after the authorities established that they were running a cyber command centre within the country's capital, Nairobi

U.K. Court Case Against Google Could Clarify Law On Private Data (TechCrunch) The U.K. data protection watchdog, the ICO, has intervened in a court case brought against Google on privacy grounds by a group of U.K. Internet users because it is interested in how aspects of the case might help clarify questions around the jurisdiction of national data protection law vis-à-vis Internet giants, which are invariably based overseas

Feds' bid to seize Irish emails threatens US citizen's privacy, Microsoft says (IDG via CSO) U.S. demands to seize emails stored on a Microsoft server in Ireland are threatening the privacy of U.S. citizens, Microsoft said in its appeal in an ongoing lawsuit that threatens international relations and may violate European privacy laws

Police 'failing to train key staff to fight growing threat of cyber crime' (Independent) Britain's law enforcement agencies are ill-equipped to confront a fast-expanding and multi-billion-pound cyber-crime phenomenon, according to a survey of police intelligence analysts

Anonymous releases video showing warrantless wiretapping by Police (HackRead) Anonymous, the hacker collective, has released a video to testify warrantless wiretapping in Chicago during a #blacklivesmatter protest through a moving vehicle

Online medical bill site tricked people to hand over health records (Naked Security) Let's say you're running an online portal for people to pay their medical bills

Idaho mom's suit over NSA database gets a cool reception from appeals court (Ars Technica) Judge: "It appears to me it's the same data" allowed by Smith v. Maryland

Singaporean Jailed for Hacking Prime Minister's Website (Security Week) A court on Monday jailed a 28-year-old Singaporean for two months for defacing the prime minister's office website during a rash of cyber attacks in the city-state last year

Apple manager gets year in jail, $4.5m fine for selling industry secrets (Ars Technica) Paul Shin Devine sold secrets to companies that hoped to become Apple suppliers

Manchester festival marketers fined £70,000 over spam 'mum' texts (Register) Especially offensive to complainants who'd just lost their mothers

For a complete running list of events, please visit the Event Tracker.

Newly Noted Events

FIC 2015 (Lille, France, Jan 20 - 21, 2015) The International Cybersecurity Forum (FIC) forms part of a thinking and exchange process that aims at promoting a pan-European vision of cybersecurity and strengthening the fight against cybercrime, a priority for the European Union as stated in the Stockholm Programme for 2010–2015. Its objective is to open up the cybersecurity debate by bringing together security and risk management experts with non-specialists to enable them to compare viewpoints and lessons learnt

2015 Cyber Risk Insights Conference — London (London, England, UK, Feb 10, 2015) The cyber threat landscape is undergoing rapid change. Lloyd's and the London market are at the forefront of developing insurance products to address the evolving exposures of organizations throughout the world. Privacy remains a key concern, but increasingly board members, corporate executives and risk professionals are focusing on a broader array of cyber-related risks. These include industrial espionage and various operational risks, including business interruption and contingent business interruption. Mark your diary for Advisen's 4th Annual Cyber Risk Insights Conference in London on Tues 10 Feb 2015. Graeme Newman of CFC Underwriting is the 2015 Conference Chairman. Sponsors include Swiss Re Corporate Solutions, Willis, and Epiq Systems

InfoSec Southwest 2015 (Austin, Texas, USA, Apr 10 - 12, 2015) InfoSec Southwest is an annual information security and hacking conference held in Austin, Texas, one of the most interesting and beautiful cities in the United States. By addressing a broad scope of subject-matter, InfoSec Southwest is intended to both provide a comprehensive and valuable forum to all participants as well as fill a gap for our local attendees left by the other few conferences held here in Texas which are all focused on a narrower scope of subject matter or a narrower slice of audience demographic

Upcoming Events

Cybersecurity 2015: Beyond the Breach (Washington, DC, USA, Dec 9, 2014) With each new cybersecurity attack businesses lose millions, governments lose information and citizens lose trust. At the end of a year where these attacks regularly dominated headlines, what's ahead for government affairs, security experts, academia and policy makers in 2015? Bloomberg Government is bringing the nation's top decision-makers together for the year's definitive conversation on Washington cybersecurity policy. Join Bloomberg Government and leading cyber policy experts to go beyond the breach and look ahead to 2015. Note that this event is complimentary: admission is free, based on the space available

Tax Incentives for Cybersecurity Businesses (Elkridge, Maryland, USA, Dec 9, 2014) Learn the details and take the opportunity to ask questions of leading experts on how to apply for tax credits (including cyber, research, security clearance, and secured space tax credits) and get the latest details on the Maryland Small Business Financing Authority's newest program for small businesses looking for investment dollars

International Conference for Internet Technology and Secured Transactions 2014 (London, England, UK, Dec 8 - 10, 2014) The ICITST is an international refereed conference dedicated to the advancement of the theory and practical implementation of secured Internet transactions and to fostering discussions on information technology evolution

Healthcare Cyber Security Summit 2014 (San Francisco, California, USA, Dec 3 - 10, 2014) SANS is teaming up with the National Health Information Sharing & Analysis Center (NH-ISAC) to offer the 2nd Annual Healthcare Cyber Security Summit

(ISC)² Security Congress EMEA (London, England, UK, Dec 8 - 10, 2014) Building on the experience of the US-based (ISC)² Security Congress, now in its fourth year, (ISC)² Security Congress EMEA will offer a complementary and unique opportunity within the Europe Middle East and Africa region to participate in a comprehensive education program — over five focused tracks — and to connect with fellow colleagues in their international professional community. The themes are: Governance, Risk & Compliance; Mobile Security; Human Factor; Architecture; Data Security

ACSAC 30: Annual Computer Security Applications Conference (New Orleans, Louisiana, USA, Dec 8 - 12, 2014) ACSAC is more than just high quality, peer-reviewed research (though our 2013 acceptance rate was barely 19%). Our comprehensive program also includes training, case studies, panels, workshops, posters, and works-in-progress. Our speakers, presenters and instructors are experts involved in applied security work and research. Collectively, we explore practical solutions for computer security challenges across all phases of the system life cycle. ACSAC highlights the overall threat landscape, latest hacks and exploits, and the best prevention and defense innovations

ICFPT 2014 (Shanghai, China, Dec 10 - 12, 2014) ICFPT is the premier conference in the Asia-Pacific region on field-programmable technologies including reconfigurable computing devices and systems containing such components. Field-programmable devices promise the flexibility of software with the performance of hardware