Cyber Attacks, Threats, and Vulnerabilities
All Visitors to Sochi Olympics Immediately Hacked (NBC) As tourists and families of athletes arrive in Sochi, and if they haven't been warned…visitors to Russia can expect to be hacked…it's not a matter of "if," but "when"
Cyber risks awaiting visitors and viewers of Sochi 2014 Olympics (Help Net Security) The 2014 Winter Olympics are set to start on Friday in Sochi, a Russian city located on the shores of the Black Sea. There have been many controversies regarding this choice of host city (and country), but also when it comes to the expected blanket communication surveillance — communication interception, metadata collection, etc. — that Russia will effect during the Games
To Merrillville or Sochi: How Dangerous is it to travel? (Internet Storm Center) Our reader Rodney sent us a link to a story that apparently aired on NBC Nightly News last night: "I was wondering if someone could do a piece on the report that was on NBC's Nightly News last night (see link below) regarding connecting personal devices like smart phones and laptops to the Internet while in Sochi for the Olympics. The first video leaves out some details that the second video reveals. The first video aired on NBC, the second did not. It seems as if the first video was sensationalism. The second video revealed that the journalist had willingly clicked on links to download the malware. The first video made it look like they only had to connect to become infected. I know that it can happen, but they made it sound like it will definitely happen"
Watch Out for Olympic Spam, Phishing, Malware (PC Magazine) While much of the world's scrutiny has focused on the possibility of a terrorist attack at the XXII Olympic Games in Sochi, Russia, "there are several cyber-related risks to consider," the Department of Homeland Security warned in an advisory
UK government launched DoS attack against Anonymous hackers doing the same thing (Graham Cluley) It's not just hackers who launch denial-of-service attacks. Sometimes law enforcement agencies do it too. The United Kingdom is the first Western government known to have conducted such an attack, leaked documents reveal
Professor reportedly hacked by NSA/GCHQ questions "proof" of attack (SC Magazine) Contrary to reports, famed Belgian cryptography professor Jean-Jacques Quisquater is questioning whether the National Security Agency (NSA) and Britain's GCHQ compromised his PC and extracted encrypted data
Meet Chechclearr, the Web-savvy foreign Islamic militant in Syria (Los Angeles Times) 'Media is half of jihad,' posts the prolific Chechclearr, who seems to relish his role as a self-appointed propagandist for Al Qaeda-linked factions in Syria
Target security breach lasted longer than previously thought (Los Angeles Times) Target's finance chief tells a Senate panel that some checkout machines were missed when the malware was purged, exposing customer data for three more days
These Guys Battled BlackPOS at a Retailer (Krebs on Security) Ever since news broke that thieves stole more than 40 million debit and credit card accounts from Target using a strain of Point-Of-Sale malware known as BlackPOS, much speculation has swirled around unanswered questions, such as how this malware was introduced into the network, and what mechanisms were used to infect thousands of Target's cash registers
Eastern European hackers caught selling Target customer card data (V3) Eastern European cyber criminals have been caught selling customer data stolen during a raid on US retailer Target, say security researchers at FireEye
Misleading advertisements lead to hijacked browser settings (Naked Security) Advertisements don't have a great track record for safety and we are beginning to see more frequent abuse of search and mobile ads to deliver unwanted addons purporting to be legitimate tools. Be careful where you click and closely scrutinize software options before installation
Windows, IE, Java are most vulnerable (Help Net Security) When compared with the numbers from the previous year, 2013 has seen an increase in reported security vulnerabilities and, what's more, the number of critical vulnerabilities has also risen — although
Prolexic Warns of Cyber Attackers Using DDoS Attacks to Influence Stock Prices and Limit Trading (SYS-CON Media) Prolexic Technologies, the global leader in Distributed Denial of Service (DDoS) protection services, today shared an analysis of nearly a dozen global DDoS attacks that indicates cyber attackers are using DDoS attacks in an attempt to influence market values and interfere with exchange platforms
DDoS Attacks Against Global Markets (Prolexic Knowledge Center) Are DDoS cyber attackers trying to manipulate stock prices and trading markets? The DDoS experts in Prolexic's Security Engineering and Response Team think so. This PLXsert white paper shares cyber intelligence gathered from nearly a dozen significant DDoS cyber-attacks and the resulting market effects
Possible Belarus link to ObamaCare raises concerns about cyber attack (Washington Free Beacon via Fox News) U.S. intelligence agencies last week urged the Obama administration to check its new healthcare network for malicious software after learning that developers linked to the Belarus government might have helped produce the website, raising fresh concerns that private data posted by millions of Americans will be compromised
U.S. says no evidence Obamacare software written in Belarus (Reuters) U.S. health officials have investigated whether some of the software used in computers at the heart of President Barack Obama's healthcare reform was written in Belarus, but have found no evidence of that being the case, a White House official said on Tuesday
PNG Image Metadata Leading to iFrame Injections (Threatpost) Researchers have discovered a relatively new way to distribute malware that relies on reading malicious obfuscated JavaScript code stored in a PNG file's metadata to trigger iFrame injections
Cybercriminals release Socks4/Socks5 based Alexa PageRank boosting application (Webroot Threat Blog) Since its inception in 1996, Alexa has positioned itself as the primary Web metrics data portal, empowering Web masters, potential investors, and marketers with access to free analytics based on data gathered from toolbars installed on millions of PCs across the world. Having successfully established itself as the most popular, publicly accessible Web site performance benchmarking tool, the Alexa PageRank has over the years acted as a key indicator for the measurement of a Web site's popularity, growth and overall performance, often used in presentations, competitive intelligence campaigns, and comparative reviews measuring the performance/popularity of particular Web sites
Scams Circulate After German Email Accounts Get Hacked (TrendLabs Security Intelligence Blog) Recently, the German Federal Office for Information Security disclosed that the email accounts of up to 16 million users had been compromised. The computers of these users were infected with information-stealing malware, which was used to steal these login credentials
This guy Creates Billions of Fake Identities Every Month (PC Tech Mag) Jacob Allred has been contacted by NSA and FBI agents about his websites, and Social Security Administration investigators, waving badges, have shown up at his door
Anonymous Slovenia Claims FBI Hacked (International Business Times) Anonymous claims it has hacked the FBI, uploading email addresses and personal information relating to the current director to online storage site Pastebin
State Industrial Products Acknowledges Data Breach (eSecurity Planet) Employee names, addresses, e-mail addresses, Social Security numbers, driver's license numbers, birthdates and phone numbers were illegally accessed
Security Patches, Mitigations, and Software Updates
Adobe issues emergency Flash update to patch vulnerability exploited in attacks on Windows and Mac users (The Next Web) Adobe today released a security bulletin addressing a critical vulnerability (CVE-2014-0497) in its Flash product that could allow an attacker to remotely take control of the affected system. The company says it is aware of reports that the security hole is being exploited in the wild
Mozilla Releases Multiple Updates (US-CERT) The Mozilla Foundation has released updates for the following products to address multiple vulnerabilities: Firefox 27, Firefox ESR 24.3, Thunderbird 24.3, Seamonkey 2.24
Mozilla adds standard password scheme for Firefox Sync service (FierceCIO: TechWatch) Mozilla is currently testing a more standard username and password system for the Firefox Sync service used by its popular Firefox browser. Firefox Sync enables users to securely synchronize their browsing data such as bookmarks, open tabs and passwords between devices
Tumblr offers SSL option, but not default (CSO Salted Hash) To benefit from the added security users need to enable the SSL option in the account settings
Cyber Trends
U.S. retailers at Senate hearing: hackers have upper hand (Reuters via the Chicago Tribune) U.S. retailers speaking to a U.S. Senate panel on Tuesday bemoaned the sophistication of hackers and urged better collaboration with banks on anti-theft technology
Gartner: Nearly one-third of firms will use biometrics for mobile devices by 2016 (FierceITSecurity) To secure mobile devices without alienating users in a BYOD environment, 30 percent of firms will employ biometric authentication for mobile devices by 2016, predicts Gartner
Marketplace
Cybersecurity Firms to Watch in 2014 (Daily Finance) It seems like not a day goes by that we don't hear about the NSA spying, Russian teen hackers, or new details about the Target security breach. Our bank, email, and social network accounts are ripe for the taking. Consumers will never fully trust retailers with financial or private information again. It's another "new normal" thrust upon us, and it's here to stay
VeriFone, EMC Seen Benefiting as Stores Combat Hacking: Retail (Bloomberg) VeriFone Systems Inc. (PAY), EMC Corp. (EMC)'s RSA and Ingenico are poised for a gain in sales as U.S. retailers turn to makers of payment terminals and security software for help shoring up their anti-hacking defenses
European operators follow acquisition strategy to enterprise security market (FierceITSecurity) European telecom operators are becoming increasingly interested in acquiring enterprise security firms, as evidenced by the Orange Business Services acquisition of French security firm Atheos last month, judges Current Analysis analyst John Marcus
Critical Software Flaws In The Shadows (Dark Reading) Researchers are often paid for discovering and privately disclosing software security flaws to vendors and third parties, but evidence of a market shift to paid research is still lacking
IBM saved its earnings by moving almost half its employees to the Netherlands (Quartz) Sort of. The IT services company, under pressure to meet a high earnings forecast, has turned to the ever-malleable tax code for a boost to its earnings
KEYW Reports Q4 and 2013 Financial Results (Wall Street Journal) Adjusted EBITDA was a loss of $11.1 million in KEYW's Commercial Cyber Solutions segment in the full year 2013 versus positive adjusted EBITDA of
BAE Systems adds 120 graduates to cyber army (V3) BAE systems has confirmed that 120 of its 2014 graduate intake of 287 will join the company's anti-hacker Applied Intelligence division, underlining
Cyber University Program Named Outstanding Training Initiative of 2013 by Training Magazine (MarketWatch) Booz Allen Hamilton's Cyber University Program was named Outstanding Training Initiative of 2013 by Training magazine at an awards gala held last night in San Diego, California. Selected from among submissions by all 14 members of the Training Hall of Fame, the Cyber University program received the highest score from a panel made up of Hall of Fame peers and the magazine's editors
Ex-NSA Chief Details Snowden's Hiring at Agency, Booz Allen (Wall Street Journal) Mike McConnell says Booz Allen hired Snowden because the government had vetted him. Edward Snowden, the former NSA contractor who leaked information about the agency's surveillance program, targeted Booz Allen Hamilton for employment because of its access to national security contracts, a company vice chairman said
How Satya Nadella will lead Microsoft differently (Quartz) Satya Nadella is "honored," "humbled," and confident about Microsoft's future. In his open letter to Microsoft employees, Nadella checked all of the boxes for a CEO introduction. The letter also serves to distance the company from outgoing CEO Steve Ballmer and its recent past, and lays out a philosophy of leadership that promises to be less abrasive, and to acknowledge how far behind the company is in things like cloud services and mobile
Security Software Firm Avast Gets CVC Capital Investment, Now Valued At $1B (TechCrunch) The rise in malware and online security threats continues to give a big boost to companies that are looking for ways to make the connected world a bit safer. Avast, one of the bigger PC and mobile security software firms that competes against the likes of Microsoft, Symantec and McAfee (Intel) for consumer and enterprise business, today announced a major investment: CVC Capital Partners
Jeremiah Grossman Becomes Interim CEO At WhiteHat Security (Dark Reading) WhiteHat Security, the Web security company, today announced that effective immediately, Jeremiah Grossman, company founder, has accepted the Board of Directors' offer to lead the company as its interim CEO following the resignation of former CEO Stephanie Fohn. Grossman, the company's founding CEO, has served as the company's CTO since 2004 and plans to maintain focus on company growth and innovation in the web security space
Products, Services, and Solutions
Corero Network Security Unveils SmartWall Threat Defense System for Cloud, Hosting and Internet Service Providers (Wall Street Journal) Corero Network Security (LSE:CNS), a leading provider of First Line of Defense® security protection for the enterprise, today announced the introduction of the Corero SmartWall™ Threat Defense System (TDS) for service providers. The SmartWall family of products enables service providers to deliver First Line of Defense security services, protecting their customers from DDoS attacks and cyber threats
SimpleRisk — Enterprise Risk Management Simplified (holisticinfosec) SimpleRisk is a free and open source web application, released under Mozilla Public License 2.0, and is extremely useful in performing risk management activities
Lunarline's Vulnerability Scan Converter Powers Penetration Testing and FedRAMP Cost Savings (Sacramento Bee) "For us at Lunarline, innovation is about delivering focused capabilities, tailored to specific requirements that efficiently solve common cyber security
Technologies, Techniques, and Standards
Defending Against Tor-Using Malware, Part 2 (TrendLabs Security Intelligence Blog) Last week, we talked about what Tor is, how it works, and why system administrators need to be aware of it. Now the question is: should I block Tor, and if I do decide to do that, what can be done to block Tor
Accreditation program strengthens global supply chain security (Help Net Security) The Open Group launched the Open Trusted Technology Provider Standard (O-TTPS) Accreditation Program, aimed at assuring the integrity of commercial off-the-shelf (COTS) information and communication
Retailers need to take multi-layered approach to credit card security (FierceITSecurity) Retailers should take a multi-layered approach to credit and debit card security, recommends Troy Leach, chief technology officer with the Payment Card Industry, or PCI, Security Standards Council
What Every CISO Should Learn From the Target Attack (Wall Street Journal) A remediation-centric cyber defense is not enough. Today's threat environment demands that companies or agencies have a predictive edge to sense and preempt coming attacks, writes Guest Contributor Mike McConnell, former Director of National Intelligence
By Missing the Upside of Recent Data Breaches, We Lose the Opportunity to Improve (CSO Salted Hash) The natural focus on what went wrong with recent breaches prevents us from focusing on what went right. Exploring what worked is a pathway to improvement
How to Call Ransomware's Bluff (PC Magazine) If your files have been taken over by the CryptoLocker ransomware, you had better hope your backups are current. Sure, you can pay the ransom, but that doesn't guarantee you'll get your files freed from hostile encryption. And if ransomware has taken over all of Windows, your best bet is a bootable rescue CD. But there's a new kind of ransomware spreading, a type that really doesn't have any teeth. I'll explain how to recognize it, and how to call its bluff
Design and Innovation
After data breach, Target develops high-security credit cards (ZDNet) Following a disastrous data breach that resulted in the theft of millions of customer records, Target is working on high-security "smartcards" for clients
Secure Browser Alternatives On The Rise (Dark Reading) The sandboxed browser on the desktop, the disposable browser session from the cloud, and now a high-security browser that by default blocks third-party cookies and online ads
Conceal: Facebook's new Java APIs for cryptography on Android (ZDNet) Facebook is open sourcing a new security tool intended to help developers write apps that are more secure and efficient on Android
Research and Development
Revolutionary new cryptography tool could make software unhackable (ExtremeTech) A team of researchers from IBM and Microsoft may have just made a breakthrough in the quest for unbreakable cryptography. The results produced by the team from UCLA and MIT offer hope that encryption could protect not just an output, but an entire program. Once believed to be too powerful to exist in any real sense, this new method of program obfuscation could lead to ultra-secure software that keeps your personal information safe from nefarious individuals
Researchers Develop One-of-a-Kind Nanocomputer (SIGNAL) An ultra-small, ultra-low-power processor could be used for tiny robotics, unmanned vehicles and a broad range of commercial applications, including medical sensors
DARPA Wants Self-Destructible Computer Chips (Defense Tech) Called the Vanishing Programmable Resources, DARPA announced the program on Jan. 28 issuing a $3.5 million award to IBM to study the possibilities of developing "strained glass substrates" that would crumble into powder on command, according to the DARPA announcement
Academia
Northrop Grumman Foundation Congratulates Top 28 CyberPatriot Teams Advancing to National Finals in Washington, D.C. (MarketWatch) Narrowed from a field of more than 1,500, high school and middle school finalists compete for worldwide recognition and scholarship money
Legislation, Policy, and Regulation
Brazilian Nominates Snowden for Nobel Peace Prize (AP via ABC News) A Brazilian senator has nominated National Security Agency contractor Edward Snowden for the 2014 Nobel Peace Prize
US ambassador: Merkel phone tap was stupid (The Local (German edition)) The US ambassador admitted on Tuesday the tapping of Chancellor Angela Merkel's phone by US security services was "stupid". He was speaking minutes before it emerged the phone of Merkel's predecessor was also targeted
Report: NSA also eavesdropped on former Chancellor Schröder (Kledy) The US intelligence agency NSA apparently also eavesdropped on former Federal Chancellor Gerhard Schröder (SPD). According to research by the "Süddeutsche Zeitung" and NDR, Schröder was added to the so-called "National Sigint Requirement List" under number 388 no later than 2002. The list specifies which persons and institutions are placed under surveillance
Patriot Act author: Absent reform, we'll halt bulk metadata program renewal (Ars Technica) Rep. Jim Sensenbrenner has said vast data dragnet is "unbounded in its scope"
States look to rein in government surveillance (The Washington Post) Angry over revelations of National Security Agency surveillance and frustrated with what they consider outdated digital privacy laws, state lawmakers around the nation are proposing bills to curtail the powers of law enforcement to monitor and track citizens
Cyber-security expert: Target case is 'watershed moment' (Pioneer Press) Congress takes its first look at Target's data breach this week, a moment some analysts think finally will prod lawmakers to pass tougher safeguards for protecting consumer information
Satellites, electronics next in U.S. export control reform (Reuters) The U.S. government is making "great strides" in its drive to reform unwieldy export rules, and expects to unveil proposed changes covering exports of satellites, electronics and chemicals this year, a senior White House official said Tuesday
S. Korean defense chief, U.S. Cyber Command leader discuss cyber security (Yonhap) The commander of U.S. Cyber Command and director of the National Security Agency (NSA) visited Seoul to meet with South Korean Defense Minister Kim Kwan-jin to discuss cyber security issues, the defense ministry here said Tuesday
Japan, U.S. hold 1st cyberdefense talks (Yomiuri Shimbun) The defense authorities of Japan and the United States have held their first vice-ministerial talks on cyber-attack countermeasures
Summit explores cyber attack risks (Belfast Telegraph) The vulnerability of Britain's essential services to cyber attack is being discussed at the first summit bringing together intelligence and security chiefs with regulators
CDS Coalition: SOFTWARE Act goes too far (FierceMobileHealthCare) In a new legislative proposal, the Clinical Decision Support (CDS) Coalition charges that a bipartisan bill introduced in October 2013 to amend the Federal Food, Drug, and Cosmetic Act "goes too far" in deregulating CDS software that requires regulation to ensure the health and safety of patients
Legal complexities, uncertainties face mHealth app developers (FierceMobileHealthCare) Mobile health applications are affected by a patchwork of policies related to medical licensure, privacy and security protection, as well as malpractice liability, all of which must be taken under consideration by app developers
Litigation, Investigation, and Law Enforcement
Probe ordered into report Colombian army cyber-unit spied on govt peace negotiators (AP via The Republic) Colombian officials said Tuesday they were ordering an investigation into a report by the country's leading news magazine that elite army cyberspies monitored the digital communications of members of the government team negotiating peace with FARC rebels
East European cyber criminals 'protected from prosecution' (SC Magazine) Respected security researcher Nart Villeneuve has controversially declared that Eastern European cyber criminal gangs — responsible for the recent attacks on Target and other major retailers — are relatively safe from arrest and prosecution
Senate cybersecurity report finds agencies often fail to take basic preventive measures (The Washington Post) U.S. officials have warned for years that the prospect of a cyberattack is the top threat to the nation and have sharply increased spending for computer security. Yet the report by the Republican staff of the Senate Homeland Security and Governmental Affairs Committee says that federal agencies are ill-prepared to defend networks against even modestly skilled hackers
Senior Congressman calls Greenwald a "thief" who sold NSA documents (Ars Technica) Greenwald: Tough talk aims to instill "climate of fear for journalism"
FBI Director Comey discusses legality of reporters, stolen Snowden documents (Washington Post) In Tuesday's hearing of the House Intelligence Committee on "Worldwide Threats," Rep. Mike Rogers (R-Mich.) questioned witnesses, including FBI Director James B. Comey, about the documents taken by former NSA contractor Edward Snowden
Why the SpyEye Conviction is a big deal (Trend Micro Simply Security) This week in the United States, the Federal Bureau of Investigation (FBI) in Atlanta, Georgia announced that Aleksandr Andreevich Panin, a Russian national also known as "Gribodemon" and "Harderman" had pled guilty before a federal court to charges related to creating and distributing the SpyEye family of malware
Dead End on Silk Road: Internet Crime Kingpin Ross Ulbricht's Big Fall (Rolling Stone) It was the eBay of vice, an online hub of guns, drugs and crime. But its alleged founder soon learned that you can't rule the underworld without spilling some blood
Dread Pirate Roberts 2.0: An interview with Silk Road's new boss (Ars Technica) New leader wants Silk Road to publish gov't secrets; calls old DPR a "fraud"
Parallel Construction Revealed: How The DEA Is Trained To Launder Classified Surveillance Info (TechDirt) Last summer, Reuters revealed how the NSA and other surveillance organizations would share info with the DEA and other law enforcement agencies, but then tell them to reconstruct the evidence via a process called "parallel construction," so that the surveillance would not then be discussed in court. This is highly questionable, and probably illegal, as a defendant has the right to know all of the evidence being used against him or her, and should also be told how that evidence was gathered, to make sure the collection was legal
Has the NSA Wiretapping Violated Attorney-Client Privilege? (The Nation) A document leaked by Edward Snowden, along with interviews with lawyers representing terrorism suspects, reveal a disturbing loophole in this once-sacred legal principle