Cyber Attacks, Threats, and Vulnerabilities
North Korea Internet hit by 2 more outages (USA TODAY) North Korea's Internet service, which was out for almost 10 hours on Monday, went down two more times on Tuesday, including a 31-minute stretch, according to Dyn Research
Who Was Behind The North Korean Web Blackout? Here Are 3 Theories (Forbes) North Korea's internet connection has never been that stable by today's standards, but the almost-unprecedented 10-hour outage that ended early Tuesday morning has prompted questions about whether the U.S. government had launched some sort of cyber attack on the country's network. Pres. Barack Obama said Friday that the U.S. would "respond proportionally" to the recent cyber attack on Sony Pictures which American officials have linked to North Korea
China is key to North Korean Internet, but maybe not hackers (IDG via CSO) A request to the Chinese government by U.S. diplomats to help crack down on North Korean hacking underlines the important role the country plays in keeping the dictatorship online
Despite What the Cyber Skeptics Say, North Korea Is Behind the Sony Hack (Slate) It is healthy to be a cynic sometimes. Taking information as it is handed out as fact is dangerous. The goal should be to investigate, to interrogate the nature of our beliefs as they meet the facts and context to settle on some wisdom as to what actually happened. The problem with the emerging narrative on the Sony hack is that in the convergence of evidence and cynicism, some still side with the idea that North Korea did not perpetrate an attack on Sony's networks
The Case for N. Korea's Role in Sony Hack (KrebsOnSecurity) There are still many unanswered questions about the recent attack on Sony Pictures Entertainment, such as how the attackers broke in, how long they were inside Sony's network, whether they had inside help, and how the attackers managed to steal terabytes of data without notice. To date, a sizable number of readers remain unconvinced about the one conclusion that many security experts and the U.S. government now agree upon: That North Korea was to blame. This post examines some compelling evidence from past such attacks that has helped inform that conclusion
North Korea May Have Had Help From the Hackers Who Hit Sony in 2011 (Bloomberg) The sweeping conclusion by President Obama and the FBI last week, blaming North Korea for the Sony hack, was clean and, to many, wholly satisfying. It's unusual that a huge cyber-crime is solved so definitively and so quickly. It felt like something out of the movies
Did North Korea really hack Sony? (Vox) Did North Korea really hack Sony? Not everyone is convinced by the FBI's claim that the country is responsible for last month's devastating cyberattack on Sony Pictures. And the skeptics are right that none of the evidence the US government has released so far definitively ties the Pyongyang regime to the attacks
Why it's so hard to tell if the Sony hack was North Korea's doing (Quartz) The US Federal Bureau of Investigation says North Korea hacked Sony. North Korea denies it. And experts of all stripes are crawling out of the woodwork to say, basically, "It's a head-scratcher"
A Modest Defense of the Government’s Legal and Policy Confusion Re Sony (Lawfare) The attribution problem makes it very hard for the public to know if North Korea in fact attacked Sony, the precise damage Sony suffered, and the party responsible for the (apparent) counter-attack in North Korea. Attribution problems are present in other realms of conflict, of course. Some kinetic terrorist attacks leave no fingerprint; covert action is by definition designed to avoid attribution; and the like. But as the Sony episode shows, what is distinctive about cyber-conflict is the pervasiveness of the attribution problem. The problem makes it hard to judge the seriousness of the attack, the justification for the response, and the proportionality (and, more broadly, legality) of the response. The cyber context highlights how much our legal and political categories depend on knowing who did what
Here Are Some Of The US's Options For Cyber-Retaliation Against North Korea (Business Insider) North Korea's isolation from the world, coupled with its abundance of heavy weapons pointed towards South Korea's capital and largest airport, limits a lot of the US's options in responding to Pyongyang's alleged involvement in the Sony hack
How to respond to the Sony cyber attack (Washington Times) Whatever happens to the movie "The Interview" — a Sony Pictures flick that parodies an assassination of North Korea's Kim Jong-un — is not quite as important as our nation's response to the North Korean attack on Sony, but nearly so. At this point, the Obama administration appears undecided on what, if any, our response should be
Sony Data Breach is Not a Case of Sophisticated Hacking, Says SolPass Security Analyst (MarketWatch) Reports surrounding the Sony data breach are missing a simple, critical concept. Because user credentials were misused, the Sony breach is similar to the dozens of other recent breaches, from Target to Home Depot to JP Morgan, says Linda S. Millis, a security analyst with government and civilian credentials
Is Sony Hack Really 'The Worst' In U.S. History, As CEO Claims? (NPR) The CEO of Sony Pictures has been saying that the cyberattack against his company is "the worst cyberattack in U.S. history." And you can see where he's coming from. An entire feature film got canned — at least for now. And his corporate networks were so damaged, Sony workers had to revert to using fax machines to communicate. That said, "the worst" is a big claim
Take that, Kim Jong-un! The Interview will play in theaters on Christmas Day (Quartz) Several US theater owners are reporting that Sony has contacted them to authorize screenings of The Interview. Sony had yanked the film from its original Dec 25 release date after the group that hacked the company posted threats against any theaters showing the film, a comedy in which North Korean leader Kim Jong-un is assassinated
Shedding light on the diplomatic-digital fog between North Korea and the United States (Telerama) Sabotage at Sony, a several-hour eclipse of North Korea from the Internet… tension is rising between Washington and Pyongyang. Interview with Nicolas Arpagian, digital security specialist
Sony Hack: What You Missed (re/code) On Nov. 24, a group of hackers calling themselves the Guardians of Peace unveiled the mother of all hacks — the break-in of the computer networks of Sony Pictures Entertainment. The group has claimed to have stolen just about everything and has steadily released a huge trove of emails from senior executives, the personal information of its employees, secrets about upcoming projects and five feature films. In all, the group said it has under 100 terabytes of data that it has disclosed periodically
If cyberwar erupts, America's electric grid is a prime target (Christian Science Monitor: Passcode) Cybersecurity experts say that targets in a cyberwar wouldn't be Hollywood studios but instead the nation's critical infrastructure, which is already under attack by hackers trying to infiltrate, study, and potentially cripple US utilities
MBR Wiper Attacks Strike Korean Power Plant (TrendLabs Security Intelligence Blog) In recent weeks, a major Korean electric utility has been affected by destructive malware, which was designed to wipe the master boot records (MBRs) of affected systems. It is believed that this MBR wiper arrived at the target systems in part via a vulnerability in the Hangul Word Processor (HWP), a commonly used application in South Korea. A variety of social engineering lures were used to get would-be victims to open these files. Below is a quick overview of the attack with the infection chain starting from a spearphishing email sent to the employees' inboxes
Anonymous-allied hacktivist group 'Gator League' takes down GCHQ website. (HackRead) A group of hacktivists going with the handle of Gator League, allied with Anonymous hackers took down the official website of Britain's Government Communications Headquarters (GCHQ) surveillance agency on Tuesday
In Denial: British Spy HQ Says 'Offline' Doesn't Mean 'Hacked' (Sputnik News) British intelligence agency, the Government Communications Headquarters (GCHQ), has "categorically" denied claims by hacktivist group the Gator League that it took the GCHQ website down on Tuesday evening
Meet Anunak — The Hacker Crew That Owned Staples And Earned $18m In 2014 (Forbes) In November this year, dignitaries and bigwigs of the cyber security industry gathered inside Europol's headquarters in The Hague. As they talked about general issues affecting the community, namely financially-motivated criminals, ears pricked up when one particular strain of malware, called Anunak, was said to have brought about the "armageddon" of the Russian banking industry, according to Andy Chandler, a senior vice president at security firm Fox-IT
Crimeware-as-a-Service offers custom targeting (CSO) The Vawtrak banking malware botnet allows cybercriminals to target specific geographic areas with custom malware
Thunderbolt devices can infect MacBooks with persistent rootkits (IDG via CSO) Attackers can infect MacBook computers with highly persistent boot rootkits by connecting malicious devices to them over the Thunderbolt interface
Flaw in open-source PDF viewer could put WikiLeaks users, others at risk (IDG via CSO) An open-source component used to display PDF files on WikiLeaks.org and other websites contains vulnerabilities that could be exploited to launch cross-site scripting (XSS) and content spoofing attacks against visitors
Backoff Malware Validates Targets Through Infected IP Cameras (Dark Reading) RSA report on Backoff dives deeper into clues about the POS software and hints at attackers potentially located in India
Patches Not Cure-all for Shellshock (TrendLabs Security Intelligence Blog) Earlier this year, Linux system administrators all over the world had to deal with the Shellshock vulnerability, which could lead to malicious code being run on Linux systems. Servers running various web services were at particular risk
Top Facebook scams and malware attacks (Help Net Security) Millions of people fell for Facebook scams in 2014. Though security experts, companies and tech-savvy users guard against Facebook cyber attacks, many unwary users continue to fall victim to scams on the social network every day, with veteran users still falling for the same old e-threats
The "Snappening" Had No Impact On Snapchat Growth, Usage Or Engagement (TechCrunch) No single bad PR incident can impact Snapchat's growth or popularity, it seems. Earlier this year, the mobile social network made headlines when thousands of Snapchat accounts were hacked, causing around 200,000 private photos — many of a decidedly racy nature — to be leaked publicly to the web. Meanwhile, Snapchat's tone-deaf response to the event — dubbed the "Snappening," a hat-tip to the iCloud photo breach which had been referred to as the Fappening — was to point the finger at third-party apps which had reverse-engineered the Snapchat API. But Snapchat's explanation also meant the company was essentially blaming its own user base — the victims — for putting themselves at risk
Wise County Sheriff defiant after cyber-attack (WFAA) Christmas carols and country music echo off the walls of the Wise County Courthouse. The Decatur courthouse square rings with nostalgia. And the Wise County sheriff longs for those good old days of rural Texas, before cyber-crooks on the far side of the world could hold his computer files for ransom
Security Patches, Mitigations, and Software Updates
Microsoft patch mashes Office forms and macros (Register) Fixing Redmond's fixes … AGAIN!
Apple copies Microsoft security system (Fudzilla) The fruity cargo cult Apple has done what Microsoft has been doing for years — pushing out security updates. It seems that Apple has just discovered the technique which the Tame Apple Press is trying to explain as something "super", "cool" and "original"
Cyber Trends
How The Sony Hack Will Turn Technology Upside Down… Again (Business Insider) The Sony hack is more than a security nightmare. It's a once-a-decade event that will kick off major changes in how companies use technology
Sony hack: is the intersection of cyber-warfare and terrorism a challenge for our times? (SBS) Does the Sony Pictures cyber-attack and the pulling of The Interview suggest that politically-motivated hackers are embracing terrorists' methods?
GovCon Leaders Talk Federal Cyber Defense in Sony Hack's Wake (ExecutiveBiz) The widely-reported cyber attack on Sony Pictures Entertainment that compromised emails written by the movie and television company's leaders and personal information of employees took another turn Friday when the FBI publicly held North Korea's government responsible for the hack
2014: A Specious Odyssey (Threatpost) The wonderful and terrifying thing about the security world is that things never stay calm for long. As soon as you think you have a chance to catch your breath, someone breaks something and it's time to scramble again. In 2014, those small moments of downtime were hard to come by. There was a seemingly endless parade of major vulnerabilities, data breaches and high-profile hacks. It was a year filled with Heartbleeds, POODLEs, Shellshock and a lot of pain for users, administrators and anyone else who likes to do things on the Interweb. Thankfully, the network is still standing after all that, so we went back and looked at all the stories we did this year and picked out the 10 most popular ones, put a fresh coat of paint on them and put them together to give you a picture of the year that was in security. Enjoy
What does 2015 hold in store for cyber crime? BAE releases five predictions for the year ahead (City A.M.) This year has had more than a few digital crimes committed, ranging from the North Korea Sony hack, which is still playing out, to the iCloud hack known as iBrute, resulting in nude photos of celebrities being published online
Are Companies Too Focused on Cybercrime? (Law Technology News) Companies are not paying enough attention to errant employees, and will pay the price in 2015
Vendor security will be an increasing challenge for overworked IT security teams in 2015 (FierceITSecurity) Q&A with Steve Durbin of the Information Security Forum
Marketplace
Security Intelligence Becomes a Critical Service (MSPmentor) IT security attacks are becoming more covert with each passing year. Rather than launching waves of attacks that can be easily detected, cybercriminals these days are injecting malware into systems and lying in wait for months before doing anything. Known collectively as advanced persistent threats (APTs), these types of attacks still represent a minority of the types of IT security attacks being launched, but they are generally among the most lethal
Keep An Eye Out For Cybersecurity Stocks (Bidness Etc.) Cyber-attacks plagued companies this year like never before, and the issue is thought to be getting more serious. In such a scenario, cybersecurity companies may come out as winners
ModernGraham Annual Valuation Of Symantec Corporation (Seeking Alpha) SYMC is not suitable for Defensive Investors or Enterprising Investors following the ModernGraham approach. According to the ModernGraham valuation model, the company is undervalued at the present time. The market is implying only 4.93% earnings growth over the next 7-10 years, considerably lower than the rate the company has seen in recent years
Elastica Named "Security Innovation of the Year" Finalist in Cloud Awards Program (Marketwired) Company recognized for innovative solutions that provide security and compliance for sensitive data in the cloud
Products, Services, and Solutions
8 Free Privacy Programs Worth Your Year-End Donations (Wired) Free software isn't free. Someone's got to shell out for the expensive development, maintenance, bug fixes and updates for programs that so many of us who live online have come to see as almost natural resources. And increasingly, those taken-for-granted tools have become vital for the privacy and security of millions of people
Vectra Networks X-Series Platform IDs Real-Time Threats (eWeek) The platform detects and analyzes attacks at every phase of an ongoing attack, regardless of how the attack enters an organization's network
Mark Cuban Explains How His Confidential Messaging App Cyber Dust Works (Business Insider) Mark Cuban spoke with Henry Blodget at Business Insider's Ignition 2014. He told us about his new app Cyber Dust
Technologies, Techniques, and Standards
Are You Prepared For A Cyber-Attack? The Treasury Department Provides 10 Questions To Guide Corporate Leaders Through A Cybersecurity Assessment. (Law.com) On December 3rd, Deputy Secretary of the U.S. Treasury Sarah Bloom Raskin addressed the importance of cybersecurity planning and preparedness in a speech to the Texas Bankers' Association. With these comments, Treasury joins the Securities and Exchange Commission ("SEC"), the Federal Trade Commission ("FTC"), the Federal Communications Commission ("FCC"), and other regulators in saying that cybersecurity must be a high priority in the c-suite of financial services institutions. Arguably, cyber threats are a greater risk to the economy than terrorism in that one serious breach of a major financial institution could cause a customer confidence crisis that cripples a financial services firm
Health IT: Medical Devices (National Cybersecurity Center of Excellence) The National Cybersecurity Center of Excellence (NCCoE), in collaboration with the Technological Leadership Institute at the University of Minnesota, has devised a project to improve the security of wireless medical infusion pumps. This is the first of a series of use cases focused on medical device security
5 working days left until the deadline for compliance with PCI DSS 3.0 kicks in (Help Net Security) Maintaining credit and debit card information on behalf of financial services clients demands the highest levels of security and customer confidence, and adhering to standards like PCI DSS plays a crucial role in this
How PCI DSS 3.0 Can Help Stop Data Breaches (Dark Reading) New Payment Card Industry security standards that take effect January 1 aim to replace checkmark mindsets with business as usual processes. Here are three examples
Key industries train to thwart cyber attacks (USA TODAY) In a small hotel meeting room a few blocks from the White House, employees from power plants, factories, airports and oil refineries hunched over their laptops as they worked frantically to stop cyber terrorists from firing a rocket launcher into the heart of a picturesque American town
Encrypted Communications: Tools That Keep You Safe in Cyber Space (TechVibes) Between the NSA surveillance scandal and almost daily news of cyber hacks, the days of feeling secure and alone on your personal devices are over
How I learned to stop worrying and love malware DGAs… (Internet Storm Center) The growth of malware families using algorithms to generate domains in 2014 has been somewhat substantial. For instance, P2P Gameover Zeus, Post-Tovar Zeus and Cryptolocker all used DGAs. The idea is that code generates domains (usually but not always) by taking the data and running it through some magic math to come up with a list of many domains per day. This allows the attacker to avoid static lists of domains for callbacks in their code and allow them additional flexibility to make takedowns a little more difficult. Instead of getting one domain suspended, now you have to get thousands suspended. And if you think the "good guys" are on to you, you can change your encryption seed and get a new list of domains
How to Avoid Cyber-Burglars this Holiday Season (ABC News) Before the age of computers and smartphones, a would-be burglar would have to look in your window to see that you are gone on a holiday vacation. These days, all a would-be burglar has to do is check social media to see if you are away — a 21st century reality Laverne Cheatham learned the hard way
Design and Innovation
Risk Modelers Working on Tools for Gauging Cyber Attack Risk (Insurance Journal) Even as the Sony Corp. cyber attack laid bare the kinds of vulnerabilities that typically drive companies to buy insurance policies, the lack of a risk model for insurers means such protection is not always easy to get
Research and Development
Throwing Money at Data Breach May Make It Worse (Newswise) Study offers model for response to large-scale data breaches
Academia
RIT Cyber Security Scholarship (13 WHAM) Rochester Institute of Technology is offering students an incentive to study computing security
Legislation, Policy, and Regulation
North Korea boycotts UN Security Council and threatens US (Christian Science Monitor: Security Watch) North Korea, amid ongoing fallout over 'The Interview,' has issued a new threat against the United States and refused to appear at a UN meeting on the country's human rights record
No rules of cyber war (Politico) U.S. in uncharted waters with 'proportionate response' on hack attacks
America — and world — must restrain cyber-warfare (Tacoma News Tribune) Here's the most pleasant explanation for this week's blackout of North Korea's Internet: China did it
Ukrainian government signs agreement on cyber security cooperation with Microsoft (Kyiv Post) State Service for Special Communication and Information Protection of Ukraine, supervised by the Cabinet of Ministers, and the Ukrainian office of Microsoft (U.S.) have signed an agreement, according to which the corporation will provide the agency with access to source code and technical data on Microsoft software, services and systems (Government Security Program, GSP)
House Democrat seeks full details from Sony on sweeping cyber-attack (Guardian) The top Democrat on the powerful US House Oversight and Government Reform Committee has asked Sony Pictures Entertainment to hand over details of what he describes as "the most damaging cyberattack ever inflicted on an American business"
ANSSI adapts to Wassenaar (Intelligence Online) France's computer security agency ANSSI is looking to have a say on exports of French cryptography materiel
How Laws Restricting Tech Actually Expose Us to Greater Harm (Wired) We live in a world made of computers. Your car is a computer that drives down the freeway at 60 mph with you strapped inside. If you live or work in a modern building, computers regulate its temperature and respiration. And we're not just putting our bodies inside computers — we're also putting computers inside our bodies. I recently exchanged words in an airport lounge with a late arrival who wanted to use the sole electrical plug, which I had beat him to, fair and square. "I need to charge my laptop," I said. "I need to charge my leg," he said, rolling up his pants to show me his robotic prosthesis. I surrendered the plug
"Open Caching," Open Standards, and Privacy (Center for Democracy and Technology) In a recent letter, FCC Commissioner Ajit Pai claims that Netflix took steps to "impede[ ] open caching software from correctly identifying and caching Netflix traffic[.]" Absent from that letter is a discussion of what "open caching" is, whether software used by ISPs and others should be able to identify the source and content of traffic requested by Internet users, and what limitations should apply to how such information is used. Instead, the letter charges that Netflix's nonparticipation in an unnamed "effort to develop open standards for streaming video" threatens "standards collectively agreed upon by much of the industry[.]" The letter does not explain what those standards are or how they were agreed upon. The implications of this dustup for both privacy and the development of open standards warrant attention
FCC Confirms That Nearly 4M Net Neutrality Comments Were Submitted By The Public (TechCrunch) After some katzenjammer about just how many comments were submitted to the Federal Communications Commission (FCC) regarding its notice of proposed rulemaking (NPRM) dealing with net neutrality, the governmental agency confirmed today that nearly 4 million comments were in fact submitted
Privacy Groups Upbraid MPAA For Trying To Bring SOPA Back At The State Level (TechCrunch) The ongoing struggle between Google and the Mississippi Attorney General Jim Hood has new players this week, as a number of privacy groups waded into the mix, dinging the Motion Picture Association of America (MPAA) for, in their words, a "coordinated campaign to shut down and block access to individual websites through backdoor methods resoundingly rejected by the public and federal lawmakers"
Litigation, Investigation, and Law Enforcement
Sony Threatens to Sue Twitter Over Tweets Containing Leaked Emails (Wired) Sony is now in damage control mode
Ireland backs Microsoft in US battle over emails (Financial Times) The Irish government has stepped into a legal case involving Microsoft in a dispute with a US court over the release of emails stored on servers in Ireland
Boston Children's Hospital Settles Data Breach Allegations (FierceITSecurity) Boston Children's Hospital (BCH) has agreed to pay $40,000 and take steps to prevent future security violations following allegations related to a data breach that affected patient information, Attorney General Martha Coakley announced today
Now Tinder Is Being Used To ID Suspected Thieves (TechCrunch) Stories of thieves being caught by social networks like Facebook or Twitter are nothing new. But what about Tinder?