The CyberWire Daily Briefing 02.07.14

Cyber Trends

Wireless technology opens up manufacturers to security risks (FierceMobileIT) Manufacturers' increasing use of wireless technology is improving productivity but also increasing security risks, warns IHS Technology

Insecure file sharing puts corporate data at risk (Help Net Security) Personal email could be 2014's biggest threat to corporate data. A new survey of more than 500 professionals by Globalscape found that in the past 12 months, 63 percent of employees have used personal email to send sensitive work documents. Perhaps more surprisingly, 74 percent of those employees believe that their companies approve of this type of file-sharing behavior

The Invisible World of Software Backdoors and Bounty Hunters (The Nation) It's increasingly clear that the online world is, for both government surveillance types and corporate sellers, a new Wild West where anything goes

How the speed of technological change can be an opportunity (FCW) AT&T's Chris Smith argues that mobile, cloud computing and the Internet of Things have untapped potential for agencies able to embrace them. It isn't surprising that cloud, mobility and cybersecurity will be front and center federal issues for the next 18 months, but the speed with which those technologies are developing and their increasingly significant impact for agency management could present opportunities for historic change, according to a former federal CIO who is now AT&T's vice president of technology

Legislation, Policy and Regulation

Governments Need to Discuss Use of Cyber Weapons (Threatpost) Attacks on critical infrastructure have been grabbing headlines for years now, long before sophisticated operations such as Stuxnet and Flame hit the scene. But we're probably still in the early stages of the evolution of such attacks, and the use of so-called cyber weapons in these operations is likely going to increase in the

DHS sees a wave of information sharing as the key to raising all cyber boats (Federal News Radio) The Homeland Security Department is trying to raise all boats as the wave of cyber threats and attacks continues to increase

Turkey approves legislation to block Internet sites (CNet) Passed by Turkey's parliament, the bill would allow the government to cut off access to any site without the need for court approval

Amid Flow of Leaks, Turkey Moves to Crimp Internet (New York Times) Shortly after an audio recording in which Prime Minister Recep Tayyip Erdogan is said to be heard talking about easing zoning laws for a construction tycoon in exchange for two villas for his family, SoundCloud, the file-sharing site where it was leaked last month, was suddenly unavailable to Internet users in Turkey

Activists and Hacktivists Preparing to Protest Against (Softpedia) Turkey's parliament has approved controversial changes to an Internet law, allowing authorities to block access to certain websites. Activists and hacktivists are preparing to protest against the new law, which, they say, limits freedom of speech. Hackers of the group RedHack, which represents the Turkish government's fiercest adversary from cyberspace, say they plan on protesting against the new law alongside NGOs and other groups. The demonstrations are scheduled to start on Saturday at 19:00

House Homeland Security approves critical infrastructure cybersecurity bill (FierceGovIT) The House Homeland Security Committee approved by unanimous voice vote a cybersecurity bill that would codify the Homeland Security Department's role in federal cybersecurity and require it to work with the private sector on securing critical infrastructure

Senate Republicans lambast federal agencies for exposing sensitive, private sector data (FierceITSecurity) Republicans on a powerful Senate committee have issued a scathing report criticizing the Obama administration for failing to take basic steps to secure federal agency networks, which has resulted in sensitive information about the private sector being exposed to attackers

Meet the Man Who Will Be Slashing the Pentagon's Bloated Budget (Foreign Policy) After months of feverish speculation about who would succeed Ash Carter as the Pentagon's No. 2, former Marine colonel and current think tank chief Bob Work appears to have won the job and gone into pre-nomination mode, declining invitations to give speeches or take part in other public events -- a sure sign in Washington that someone's about to get the nod

The 'Least Untruthful' National Security State (Huffington Post) NSA National Security Agency Nsa Surveillance National Intelligence National Security Senate Intelligence Politics News The question Senator Ron Wyden asked on March 12 of last year was straightforward enough and no surprise for Director of National Intelligence James Clapper. He had been given it a day in advance of his testimony before the Senate Intelligence Committee and after he was done, Senator Wyden and his staff offered him a chance to "amend" his answer if he wished

More than 4,000 groups sign up to protest the NSA (PCWorld) More than 4,000 groups and websites have signed on to support a day of protest against U.S. National Security Agency surveillance programs, scheduled for Tuesday

Foreign Intelligence or Intelligence? (Huffington Post) The debate over the National Security Agency's cyber surveillance and collection of telephone records should lead to a better balance between rights of privacy and requirements of foreign intelligence. But whatever the outcome of that debate, it has failed to acknowledge inherent deficiencies and risks in "foreign intelligence" and the transcendent role of foreign policy in the defense of our national interests. Important fundamentals that shape our national security policy will be unaddressed and unchanged

Products, Services, and Solutions

Israeli start-up claims it may be able to stop all viruses (The Times of Israel) An Israeli start-up claims it may be able to put an end to the viruses, malware, and trojan horses that cost the world economy hundreds of billions of dollars a year. Not only does Cyactive say it can stop viruses that are already "in the wild," currently causing damage, but according to CEO & Co-Founder, Liran Tancman, it can beat them most of them even before they are invented

CSG International launches enterprise security service (Telecompaper) Global provider of interactive transaction-driven services, CSG International has announced the worldwide launch of CSG Invotas, a new software and services business focused on enterprise security services designed to help clients combat increasing frequency, sophistication and unpredictability of cyber attacks. Rather than detecting and analysing intrusion, Invotas provides automation and orchestration services to respond in realtime to emerging and ongoing cyber attacks. Invotas builds on CSG's services that support mitigation and eradication of cyber attack across complex enterprise environments

Technologies, Techniques, and Standards

Many IT pros turning to NAC for mobile security (FierceITSecurity) More than three-quarters of IT pros are using or planning to use network access control technology to improve mobile security, according to a survey of more than 750 IT pros by CyberEdge Group on behalf of NAC vendor ForeScout Technologies and eight other IT security firms

We want it HARDER: City bankers survive simulated cyber-war (The Register) Finance firms reckon Waking Shark II should have featured espionage & malware threats

Can Hacker Techniques Defend Financial Security? (eSecurity Planet) At the upcoming RSA Security conference, researchers from Trustwave will detail how financial institutions can use lessons learned from hacker techniques to boost security

Security Protocols and Evidence: Where Many Payment Systems Fail (Cryptography and Data Security) As security protocols are used to authenticate more transactions, they end up being relied on in legal proceedings. Designers often fail to anticipate this. Here we show how the EMV protocol (the dominant card payment system worldwide) does not produce adequate evidence for resolving disputes. We propose five principles for designing systems to produce robust evidence. We apply these to other systems such as Bitcoin, electronic banking and phone payment apps. We finally propose specific modifications to EMV that could allow disputes to be resolved more efficiently and fairly

New ISO Standards on Vulnerability Handling and Disclosure (Internet Storm Center) Also in the news, ISO standard 30111 was published recently (on Jan 21) — a standard for the Vulnerability Handling Processes. The standard was edited by Katie Moussouris, Senior Security Strategist Lead at Microsoft

Hello Virustotal? It's Microsoft Calling. (Internet Storm Center) You might think that phone call might be unlikely, but as of this week it's built in and is likely happening right now. I was poking around in the latest version of Sysinternals, and tripped over a new option. You can now submit any running process in memory directly to Virustotal. it's a simple right-click in the latest version of Process Explorer

Effective incident response (Help Net Security) Organizations are bombarded with potential threats every day. Most of these are small and irritating, not truly critical — but among those needles are little threads of larger actions at work. An incident response program enables you to pull out the needles that make up the haystack of the big picture, according to Jaime Blasco, Director at AlienVault Labs

Large enterprises will increasingly turn to big data to improve security (FierceITSecurity) One-quarter of large enterprises will use big data analytics for at least one security breach or fraud detection case by 2016, according to market research firm Gartner

Big data fail: Network security monitoring won't get you too far (TechTarget) Big data gets big hype, but monitoring it creates more information than companies have time or money to analyze. Are we experiencing a big data fail

The Problem With Two-Factor Authentication (InformationWeek) The failure of corporate security strategies to protect personal identity information from hackers resides more with system architecture than with authentication technology. Here's why

A Look at Malware with Virtual Machine Detection (Malwarebytes) If you use VMware, adding these options to your POWERED OFF .vmx file will be of great value if you perform malware analysis

Event Security with Surveillance Technologies (IPWatchdog) Governmental infringement of our privacy has been a hot-button issue in recent months, with the public discovery and outcry over the U.S. National Security Agency's mining of private citizen data. The government claims that by mining all of this information we are safer, although it is hard to evaluate those claims given the cloak of secrecy. Whether we like it or not, surveillance technologies are proliferating due to the dangerous world in which we live

Marketplace

Federal CIO Council shared services catalog could be indicator of policy stasis (FierceGovIT) When the Federal CIO Council announced in April 2013 a catalog of shared services available to agencies in furtherance of the Office of Management and Budget's policy of "Shared First," FierceGovernmentIT grew curious about the contents of the catalog

IT management, security challenges are widespread at agencies (FierceGovIT) Struggles with information technology are the most common management challenges across large agencies, an analysis from the consulting firm Grant Thornton shows

Wartime expedient will stick around in peace (Colorado Springs Gazette) Conceived as a wartime experiment, the Army's Rapid Equipping Force will stick around in peace time, the Pentagon announced

The FBI issues request for quotes to purchase malware (TripWire State of Security) The Federal Bureau of Investigation has issued a Request for Quotes (RFQ) soliciting vendors to provide malware to assist the Operational Technology Division (OTD) Investigative Analysis Unit (IAU) with their mission to support field agents in criminal investigations

Uncle Sam: I want you to sell me malware (ZDNet) The FBI has an RFQ out to buy malware for research. Read the document and the project sounds legitimate, but the RFQ is still funny to read

DARPA hires Raytheon to work on Plan X cyber warfare platform (Defense Systems ) The Defense Advanced Research Projects Agency has awarded a $9.8 million contract to Raytheon as a part of its Plan X program, which is designed to plan for, conduct and assess cyber warfare in the same way that kinetic warfare is analyzed. Raytheon's research and development will be contracted to enable scaling and execution of cyber operations for the Defense Department

TEDCO Invests $1.3 Million in 13 Maryland Startups (TEDCO) The Maryland Technology Development Corporation (TEDCO) announced today that 13 companies have received a total of $1.3 million in funding from the organization's Technology Commercialization Fund (TCF) since July 2013. The funding will be used to advance the companys' technology and product commercialization efforts. Funds were awarded to startups representing a wide-range of industries including medicine and disease treatment, health care, biopharmaceuticals, software development and systems integration. Companies including Allovue, LLC; Altenera Technology, Inc.; An Estuary, LLC; Ariadne Diagnostics, LLC; Citelighter, Inc.; Graftworx, LLC; I-lighting, LLC; Integrata Security, LLC; Maryland Energy and Sensor Technologies, LLC; Noble Life Sciences, Inc.; PrintLess Plans, LLC; Rehabtics, LLC and SurveySnap, Inc. were each awarded $100,000

New at the top: KoolSpan's Nigel Jones got ahead by thinking A to B, not A to Z (Washington Post) What success I've had has been a function of the lessons I learned about working hard, always doing your best, discipline, persistence, never giving up, and always doing work that you are passionate about

Security Firm Starts Accepting Bitcoin Payment (InfoSecurity Magazine) Malwarebytes plans to become the first major security company to accept Bitcoin payment

Ellumen Wins Information Assurance Contract to Support Military Health Systems Enterprise Infrastructure (PRWeb) Ellumen increases its cyber security footprint with new award, expanded office space, and additional certifications

Southern Israel Slated to be 'Silicon Wadi,' Cyber-Security Hub (JNS via the Allgemeiner) The southern Israeli city of Be'er Sheva has long been stigmatized by its peripheral location, economic instability, and poor public image. That reputation, however, is quickly getting a full makeover to a complete cyber-field ecosystem with all the components for global leadership

An Equity Investor's Due Diligence (IOActive Labs) Information technology companies constitute the core of many investment portfolios nowadays. With so many new startups popping up and some highly visible IPO's and acquisitions by public companies egging things on, many investors are clamoring for a piece of the action and looking for new ways to rapidly qualify or disqualify an investment ; particularly so when it comes to hottest of hot investment areas — information security companies

Security Patches, Mitigations, and Software Updates

Microsoft to patch Windows, Forefront this month (ZDNet) This Patch Tuesday will see just five updates and just two critical. Every version of Windows is affected

Flash Player update or Groundhog Day? (CSO Salted Hash) News came out this week that Adobe has issued a new update for Flash Player. My initial reaction was, "Oh great, Groundhog Day"

Cyber Attacks, Threats, and Vulnerabilities

Sochi Could Turn into Hacker Olympics (Slashdot) Multiple groups are warning that the Winter Olympics could turn into a hive of hacking and government surveillance

US, European security officials worry about Sochi-related attacks (Reuters via the Chicago Tribune) Intelligence agencies believe attacks by militants during the Sochi Winter Olympics are … on flights between Russia and the United States, a U.S. Department of Homeland Security official said on Thursday

Intelligence Report on Sochi (International Policy Digest) The folks over at Homeland Security Today sent me a notification that might interest our readers as it pertains to security at the Sochi Olympics. While journalists for the past few days have been tweeting humorous stories of falty toilets, manholes without covers and hotel rooms that aren't quite ready, there is a seriousness surrounding the games. With Sochi, Russia only 250 miles from Chechnya there is a real concern over security at the games and whether terrorists will strike. Homeland Security Today has partnered with BAE Systems to produce daily reports concerning security at the games. Below is the press release

Sochi Olympics hacking fears hyped by misleading NBC TV report (Graham Cluley) Earlier this week, NBC News broadcast a sensational report about the dangers of taking computers to the Sochi Olympics in Russia. Unfortunately, it's complete bunk — and badly misrepresents the facts

Think Sochi is a Cyber-War Zone? Try Your Local Starbucks. (Gartner) Richard Engle and NBC News recently posted several reports from Sochi, Russia based on an "experiment" they did

The President of Nepal has been hacked by Iranian hackers (CyberWarZone) The website of the President in Nepal has been hacked by Iranian hackers. The hackers claim that they have hacked the website and that they accessed the /etc/passwd so they could hack the Database. The database has been dumped to a Pastebin file

Syrian Electronic Army puts its stamp on Mark Monitor (The Inquirer) Draws Facebook, Yahoo and Amazon into its web. Hacktivist outfit the Syrian Electronic Army (SEA) has been back at it and has posted screenshots of an apparently hacked Mark Monitor console

Hackers try to hijack Facebook, other high profile domains through domain registrar (CSO Salted Hash) Some registration information for facebook.com was changed, but the domain was not redirected to an unauthorized server

How Facebook leaked thousands of private messages all because of a typo (Naked Security) We shouldn't know about how this teenager's friends slaughtered calves in Farmville or that her idol is some dreamy looking guy, but we do, all because of a bizarre, fluky little glitch in the email confirmation (that's only now being fixed)

Target Breach: HVAC Contractor Systems Investigated (InformationWeek) Hackers may have used access credentials stolen from refrigeration and HVAC system contractor Fazio Mechanical Services to gain remote access to Target's network

Sharpsburg firm is 'victim of sophisticated cyber attack' in Target breach (Pittsburgh Post-Gazette) Sharpsburg firm Fazio Mechanical Services has confirmed that it is cooperating with a federal investigation of a data breach at Target. The Target security breach that compromised the data of millions of Christmas shoppers could be traced to the cybertheft of information from a Sharpsburg-based heating, air conditioning and refrigeration company

Did the crooks who broke into Target tailgate the cleaners? (Naked Security) Intrepid chronicler of the Target breach, Brian Krebs, has uncovered yet another cog in the criminal gearbox behind Target's data disaster. Guess what? 2FA and network segregation would have made things a lot harder for the crooks

Target breach happened because of a basic network segmentation error (ITWorld) Hackers gained access to Target POS systems using login credentials belonging to an HVAC company

Building control systems can be pathway to Target-like attack (CSO) Credentials stolen from automation and control providers were used in Target hack

'Debit Or Credit' Becomes A Point-Of-Fail (Dark Reading) Target's massive breach of payment cards and other retailer security incidents have stirred debate on alternative payment options at the register

FBI Issues Cyber Attack Warning To Retailers: Is Chip And PIN The Answer? (mondaq) Point-of-sale (POS) systems are under attack. In the wake of breaches at Neiman Marcus, Target and other stores over the 2013 holiday season, the FBI is now warning retailers to expect similar cyber attacks in the coming months. The warning came in the form of a 3 page report distributed to numerous retailers on January 17th, detailing the current risks with POS systems

Does chip-and-PIN actually solve the problem? Find out by asking these questions (CSO Salted Hash) Defining any problem in terms of the solution is a dangerous, if not common, shortcut. We need to ask some hard questions and have a serious discussion about chip-and-PIN before presenting it as the solution or we risk the credibility of the industry

New identity fraud victim every two seconds thanks to massive data breaches (CSO Salted Hash) There have been a number of high-profile data breaches lately—and a whole bunch of smaller data breaches that didn't make national headlines. The data breach itself, however, is just the beginning. What matters most is what happens with the sensitive customer information after it is stolen

Encrypted Java Archive Trojan bankers from Brazil (SecureList) I have never bought a PlayStation and neither has my colleague Micha-san from Japan — well, in his case, at least not from Brazil. Nonetheless, we both received the same email notification

Popular Swedish news site latest link to fake AV infection (Help Net Security) The website of popular Swedish tabloid Aftonbladet has been compromised to redirect visitors to a website sporting bogus infection warnings in order to trick them into buying a fake AV solution

Large-scale DNS redirection on home routers for financial theft (CERT Polska) n late 2013 CERT Polska received confirmed reports about modifications in e-banking websites observed on iPhones. Users were presented with messages about alleged changes in account numbers that required confirmation with mTANs. This behavior would suggest that some Zeus-like trojan had been ported to iOS. As this would be the first confirmed case of such malware targeting the platform, and at the same time it targeted Polish e-banking users, it immediately attracted our attention. Internally we have come up with several scenarios of how it might have happened, but unfortunately were not able to gather enough first-hand data about the case to rule out any options

Beware of snoopy Valentine apps (ITWire) A security vendor has warned that along with the usual seasonal scams, a number of Valentine's Day related apps are privacy invaders

Cost of doing APT business dropping (Threatpost) The term APT often is used as a generic descriptor for any group—typically presumed to be government-backed and heavily financed—that is seen attacking high-value targets such as government agencies, critical infrastructure and financial systems. But the range of targets APT groups are going after is widening, as are the levels of talent and financing these groups possess

Skilled, Cheap Russian Hackers Power American Cybercrime (NBC News) When it comes to finding original ways of virtually stealing real money, Russian criminals are in a class of their own. With an estimated annual turnover of more than $2 billion a year, the Russian cybercrime industry is the source of at least a third of all viruses, Trojans and other malicious software, or malware, sent around the world

Twitter Commerce plans leak: When will businesses learn about secure data sharing? (Graham Cluley) Information about Twitter's latest play for monetization fell into the public eye, after journalists went digging around a publicly accessible directory on a third-party partner's website

Why Android devices are a security nightmare for companies (Graham Cluley) Fiery arguments between the rival camps of Android and Apple iPhone lovers about the merits of their respective devices aren't likely to be extinguished any time soon, but there's one thing that's clear: Android is a lot less safe than iOS. Read my guest blog on the Foursys website

North Country Hospital Acknowledges Another Data Breach (eSecurity Planet) Two employees were found to have inappropriately accessed patient records

Academia

Cyber Contest Hones Military Cadets' Skills (SIGNAL) The U.S. Defense Department launched a new competition to promote cybersecurity education and training in the nation's military service academies

Litigation, Investigation, and Enforcement

Colombian rebels say Uribe behind spying on peace negotiators (EFE via Global Post) Colombia's FARC rebels said Wednesday that former President Alvaro Uribe is behind an alleged espionage operation targeting the current government's peace negotiators, and indicated their delegates also have been spied upon

Colombian army intelligence reportedly spying government negotiators (VOXXI) The targets were the Colombian government's negotiators in Cuba, NGO representatives, and opposition (and arguably FARC-friendly) leaders such

Colombia's spying scandal Snoopers sacked (The Economist) The peace process with the FARC, which aims to end half a century of internal conflict, has many detractors, particularly among those who believe the

Twitter transparency report shows government takedown and account info requests are on the rise (TNW) Twitter released its latest transparency report today, detailing a rise in the number of requests it received from government and copyright holders throughout the second half of 2013. The numbers are broken down between government applications for account information and the removal of user content, as well as the content allegedly infringing Digital Millennium Copyright Act (DMCA). In all three sections, the number of requests it received had increased from its previous report

More governments want Twitter user data (CSO) Twitter has complied roughly 70 percent of the time with data requests from the US government

Twitter seeks to disclose more about government data requests (Washington Post) Twitter said Thursday that it is pressing the Justice Department for permission to disclose more information about government data requests on its customers

Twitter: France leads world in battling abuse (The Local (French edition)) When it comes to countries demanding Twitter remove abusive or illegal tweets France stands out well ahead of the pack. Is it something to be proud of or is it a sign of a growing infringement on basic civil liberties

New Delhi accuses Huawei of nobbling ZTE kit at state-owned telco (The Register) Cross-departmental body to figure out just what happened in Andhra Pradesh

Why a Railroad Merger May Get the Supreme Court to Rule on NSA Spying (Wired) In legal circles, the biggest "off the board" bet going is whether the Supreme Court this term will decide the constitutionality of the NSA's bulk telephone metadata program, and resolve the issue once and for all. Virtually every expert agrees

FISC Approves Government's Request to Modify Telephony Metadata Program (IC on the Record) During his speech on Jan. 17, 2014, President Obama ordered a transition that will end the Section 215 bulk telephony metadata program as it currently exists, and establish a mechanism that preserves the capabilities we need without the government holding this bulk data. As a first step in that transition, the President directed the Attorney General to work with the Foreign Intelligence Surveillance Court to ensure that, absent a true emergency, the telephony metadata can only be queried after a judicial finding that there is a reasonable, articulable suspicion that the selection term is associated with an approved international terrorist organization. The President also directed that the query results must be limited to metadata within two hops of the selection term instead of three

When Will Glenn Greenwald Return to the United States? (Slate) Glenn Greenwald hasn't been back to the United States since he began publishing a seemingly never-ending string of Edward Snowden-fueled stories about the NSA and government surveillance last year. Greenwald is an American citizen but lives primarily in Brazil, so it's not exactly a surprise that he's opted to stay out of the country given the prosecution-themed rhetoric that's been coming from the mouths of some U.S. lawmakers and government officials

Yet Another Surveillance Tool in FBI Hands. But How Are They Using It? (ACLU) Yesterday, we filed a Freedom of Information Act request with the FBI asking for details about a surveillance tool we know too little about, called a port reader

Armenian national security service promises to provide evidence of former policeman's spying for Azerbaijan (ARKA News Agency) Armenia's national security agency promises to provide evidence of former police officer Khachik Martirosyan's spying for Azerbaijan

Judge Denies Juniper Motion for Infringement Against Palo Alto Networks (SecurityWeek) Palo Alto Networks said on Thursday that a judge for the District of Delaware rejected Juniper Networks' motion for summary judgment of patent infringement, and granted in part several Palo Alto Networks' motions for summary judgment of non-infringement based on the doctrine of equivalents

Former Mount Sinai Medical Center Employee Jailed for Identity Theft (eSecurity Planet) Oliver Gayle was sentenced to 51 months in prison

Design and Innovation

Seeing science: The year's best visualizations (Ars Technica) The National Science Foundation and Science name 2013's best