The CyberWire Daily Briefing 02.12.14

Cyber Trends

Building the security bridge to the Millennials (CSO) The younger generation's desire to be connected all the time expands the attack surface. But experts say enterprises can, and should, manage the risk

Growing interference on the customer's PC (Dave Waterson on Security) It used to be that the customer's PC program files were sacrosanct — safe from interference from well-meaning security applications. Not anymore. Recently it was reported that Microsoft remotely deleted the Tor browser from two million PCs. Without asking their customers for permission

Study shows those responsible for security face mounting pressures (CSO) Trustwave report shows year-over-year increase of pressures on InfoSec leaders

CDT: Privacy, security concerns at forefront of telehealth (FierceHealthIT) The full potential of telehealth cannot be realized unless privacy and security risks are addressed up front, according to Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology

Firms fail to implement PCI DSS, leading to credit card breaches, says Verizon (FierceITSecurity) Organizations are consistently failing to implement the Payment Card Industry Data Security Standard, which provides guidelines to secure credit and debit card information, according to the Verizon 2014 PCI Compliance Report

Trend Micro's 2013 Threat Roundup Highlights The Profitability Of Private Data (Dark Reading) Cyberthreats and attacks have become more complex

Attacking ICS Systems Like Hacking in the 1980s (Threatpost) Here's how nuts the world of ICS security is: Jonathan Pollet, a security consultant who specializes in ICS systems, was at a Texas amusement park recently and the ride he was waiting for was malfunctioning. The operator told him the ride used a Siemens PLC as part of the control system, so he went

Will smart machines take away your job? (FierceMobileIT) Will the rise of smart machines, the so-called "Internet of Things," make your job obsolete? That is the question asked by Gartner analyst Tom Austin in a recent blog. He cites a study by University of Oxford researchers Carl Frey and Michael Osborne, which found that close to one-half of all current U.S. jobs are at risk from smart machines and computerization over the next two decades

Legislation, Policy and Regulation

Top U.S. Spy Claims 'Terrorists Are Going to School' on Snowden Leaks (Wired) A clearly frustrated U.S. intelligence chief complained today that America's adversaries are changing the way they communicate electronically in the wake of the leaks by NSA whistleblower Edward Snowden

NSA spying undermines separation of powers (USA Today) The program makes it easy for the president to spy on and blackmail his enemies

NSA Protest Day Drives More Than 200K Emails And Calls To Congress (TechCrunch) A planned day of protest against the NSA's surveillance efforts called "The Day We Fight Back" got off to a strong start. So far, more than 69,000 phone calls have been placed to Congressional representatives, along with more than 140,000 emails as part of the effort. In-person protests are planned, as well, both in the United States and abroad

Maryland lawmakers look to cut off NSA's water, power (The Hill) A bill in Maryland's state legislature would cut off state services like water and power at the National Security Agency's (NSA) headquarters. The bill from eight Republicans in the House of Delegates, including the chamber's minority leader, would prevent the state from granting "material support, participation or assistance" to the NSA or any other federal agency that collects people's information without a warrant

Indiana bills seek to shelter digital privacy (AP via the Kansas City Star) Police would have to get a search warrant before they could take data off of cellphones or computer tablets or use aerial drones under bills that are still breathing in the Indiana General Assembly

Technology group downplays incentives in recommendations on DHS Voluntary Program (Inside Cybersecurity) The Department of Homeland Security over the next year should focus on raising awareness about the government's new framework of cybersecurity standards and downplay the issue of providing incentives to encourage framework adoption, the Information Technology Industry Council says in a new paper

Why South Korea is really an internet dinosaur (The Economist) South Korea likes to think of itself as a world leader when it comes to the internet. It boasts the world's swiftest average broadband speeds (of around 22 megabits per second). Last month the government announced that it will upgrade the country's wireless network to 5G by 2020, making downloads about 1,000 times speedier than they are now. Rates of internet penetration are among the highest in the world. There is a thriving startup community

Products, Services, and Solutions

Cyber Squared Inc. Launches ThreatConnect Partner Program to Automate Cyber Defenses from Powerful Threat Analysis Data (MarketWatch) Carbon Black, General Dynamics Fidelis, Sourcefire/Cisco, and Tenable Network Security are initial integrations

FireEye Expands Security Platform: Offers Customers One Solution to Detect, Contain, Resolve and Prevent Threats (MarketWatch) MVX-based security platform to include new capabilities for intrusion prevention, endpoint protection, analytics and managed services

Palo Alto Networks releases next-generation firewall to keep data safer (V3) Palo Alto Networks has released a new next-generation firewall called the PA-7050, claiming the security tool will offer businesses advanced threat-detection powers

Is Your Company Running A Data Dump? (InformationWeek) Hoarding useless data makes analytics harder. Companies like Paxata say their brand of analytics lets non-data experts turn data landfills into useful info

The Glitch That Will Kill Bitcoin (Bloomberg) What kind of "experiment" has a $14 billion market cap? As the world's first, and most popular, cryptocurrency, Bitcoin has by now suffered every possible setback a payment project could encounter. It was implicated in a huge drug bust when the Federal Bureau of Investigation took down the Silk Road electronic exchange. It has experienced regulatory pressure in forms ranging from trading restrictions in China to a recent threat of a complete ban by the Russian authorities. It survived a scare involving an apparently Ukraine-based operation taking over close to half of the currency's "mining". It absorbed Apple's decision to remove all related software from its app store. Now, a top Bitcoin exchange, where the cryptocurrency could be traded in for government-issued money, has hit a snag that forced it to stop Bitcoin transfers to outside addresses

Technologies, Techniques, and Standards

Tools for Internet Counter Surveillance (InfosecInstitute) Today's world is an Internet world. These days, everyone wants to save their professional data and private content

Does PCI DSS help prevent credit card breaches? (FierceITSecurity) With all of the data breaches at major retailers, the question arises as to whether the Payment Card Industry Data Security Standard, or PCI DSS, is working to prevent theft of credit and debit card data

Tips to Get Ready for (or Possibly Avoid) Software Audits (CIO) Software compliance is a complex and interpretative process that if not done correctly and with forethought can cost organizations millions. Follow these guidelines to ensure the best possible outcome

How to Avoid Intruders in your Smartphone (Mobile World Capital) We tend to believe that viruses are a problem that is limited to desktop computers, specifically the ones running Windows, but this is simply not true. Although it is much less common, your smartphone can be infected just like any other device and it could even be spying on you

Banks fare better in a staged, 36hr IT attack (ContractorUK) The UK's banks would hold up better than they did a few years ago if a hostile state launched a three-day cyber attack on London's financial system, a mock exercise suggests

New data stewardship guidelines released (FierceCMO) Marketers can "drastically improve" data stewardship if they follow new guidelines released by the IAB at its annual meeting on Tuesday

Locking Down E-mail With Security Services (Dark Reading) Companies are increasingly looking to the cloud for services to encrypt, backup and archive their e-mail to protect from accidental leakage and intentional disruption

Marketplace

Sapient Buys Federal IT Services Provider OnPoint; Allan Herrick Comments (GovConWire) Sapient (NASDAQ: SAPE) has acquired OnPoint Consulting for an undisclosed sum as part of Sapient's efforts to bolster its presence in the public sector technology services market

Managing Life with Cyber Threats (Defense Update) IAI is developing the tools and methodologies enabling organizations to better prepare to cyber attacks and minimize the negative effects that such attacks can cause

Swiss Federal Railways turns to HP TippingPoint for network security (FierceITSecurity) Swiss Federal Railways is turning to HP TippingPoint to secure the national railway's network, which controls the signaling system and the energy framework

FireEye climbs as analyst initiates coverage (AP via BloombergBusinessWeek) FireEye's stock rose Monday as an analyst started coverage of the computer security software company with an "Outperform" rating, saying it's a way for investors to get into the sector as concerns about cybersecurity grow

Let's Stay Together (Infosecurity Magazine) The information security industry is at war — with itself. A civil war occurring simultaneously with the more widely publicized war against cybercrime, and whatever and whomever threatens the security of information

Group Aims To Foster Cybersecurity Industry In Md. (CBS Baltimore) Cybersecurity executives and government officials are forming a roundtable group aimed at boosting Maryland's efforts to become a center for the growing field

Light Point Security ready to no longer be a one-two combo (Baltimore Business Journal) Cyber startup Light Point Security is looking to grow from its two-person team and hire its first full-time employee

Lunarline Sees Dramatic Increase in Demand for Advanced Penetration Testing Services (Sacramento Bee) Lunarline today announced that FY2013 saw a dramatic increase in the number of advanced penetration testing engagements conducted by the company's technical assessment team. The company noted that a flurry of high profile cyber events in 2013 drove increased demand for penetration testing services

Bonnie Cook Promoted to ManTech Mission Solutions, Services Group EVP Role (GovConWire) Bonnie Cook, a 25-year veteran of ManTech International (NASDAQ: MANT), has been promoted to serve as executive vice president of business operations for the company's mission solutions and services group

Research and Development

Memex: The next generation of deep-Web search? (Defense Systems) Web search engines are a great way to find information quickly, and they're always improving the quality of their results. Google "Winter Olympics" and you get 1.69 billion results in 0.29 seconds, along with the schedule for the day's events in Sochi and the current medal standings right there on the results page

Dumbing down cyberwar: Is the US military ready for simpler cyberweapons? (The Interpreter) America's military science lab DARPA (the Defense Advanced Research Projects Agency) is now spending $110 million 'to allow those with little or no hacking experience to engage in cyberwarfare', reports the technology website CNET. The goal is to help US military commanders launch cyber attacks 'using preplanned scenarios that do not involve human operators manually typing in code'

Quantum Computers Could Crack Existing Codes But Create Others Much Harder to Break (Science World Report) The massive release of the US National Security Agency (NSA)'s classified documents by Edward Snowden continues to raise questions about security

Survey: Online trolls are 'everyday sadists' (CNN) If you've ever complained that the trolls junking up online comment sections are a bunch of sadistic psychopaths, you might be onto something

Security Patches, Mitigations, and Software Updates

Microsoft patches critical vulnerabilities, secures IE (Help Net Security) At first take, it looked like Microsoft would continue the 2014 trend of keeping patch Tuesday relatively light. There were only 5 advisories this month, two critical, three important

Adobe patches critical flaw in Shockwave Player (ZDNet) Memory corruption vulnerabilities in the Player could lead to complete system compromise. The new version is 12.0.9.149

Joomla JomSocial Remote Code Execution Vulnerability (Sucuri Blog) The JomSocial team just released an update that fixes a very serious remote code execution vulnerability that affects any JomSocial version older than 3.1.0.4. From their hot-fix update

Facebook Fixes Instagram CSRF Vulnerability to Keep Private Profiles Private (Threatpost) Facebook has fixed Instagram to remedy a cross-site request forgery (CSRF) vulnerability that could've put some photos users thought were private, out in the open

Cyber Attacks, Threats, and Vulnerabilities

Unveiling 'The Mask': Sophisticated malware ran rampant for 7 years (PC Magazine) A cyberespionage operation that used highly sophisticated multi-platform malware went undetected for more than five years and compromised computers belonging to hundreds of government and private organizations in more than 30 countries

Mask Spyware Outdoes Flame (InformationWeek) Rare Spanish-speaking cyberespionage campaign uses spyware and malware tools that researchers call the most sophisticated yet

'The Mask' Espionage Malware (Schneier on Security) We've got a new nation-state espionage malware. "The Mask" was discovered by Kaspersky Labs

'The Mask' malware campaign, undetected by anti-virus firms since 2007? (Graham Cluley) Kaspersky used the backdrop of the luxurious beach resort of Punta Cana in the Dominican Republic to announce its malware discovery to the world's press. But if Careto, aka "The Mask", has been missed by security firms since 2007 that's not a great advert for the anti-virus industry

CloudFlare Infrastructure Hit With 400Gbs NTP-Based DDoS Attack (SecurityWeek) Web performance and security firm CloudFlare said late Monday that a customer running on its platform was hit with a massive DDoS attack today that affected service in much of Europe and then into some of its US infrastructure

Europe shrugs off largest DDoS attack yet, traffic tops 400Gbps (The Register) NTP flaw used again, effects minimal

DDoS Attack Hits 400 Gbit/s, Breaks Record (InformationWeek) A distributed denial-of-service NTP reflection attack was reportedly 33% bigger than last year's attack against Spamhaus

NTP Amplification Blamed for 400 Gbps DDoS Attack (Threatpost) For those of you who thought the infamous Spamhaus distributed denial-of-service attack set an ugly bar for the volume of spurious traffic sent at a target, gird yourself for worse

Get Ready for Powerful NTP-Based DDoS Attacks (Tripwire) Internet security experts from Cloudflare say the Internet saw a massive denial-of-service attack that exploited a vulnerability in the Web's infrastructure, resulting in the largest such attack of its kind ever recorded, and they warn that this is the just beginning of "ugly things to come"

Prolexic Warns of New DNS Flooder DDoS Attack Toolkit (SecurityWeek) Prolexic Technologies, a provider of Distributed Denial of Service (DDoS) protection services that was recently acquired by Akamai Technologies, today warned organizations about a new version of an attack toolkit that makes it easy for attackers to launch DNS flood attacks

Trojan.Win32.FSYSNA.fej AKA Chewbacca (Tenable) Before I begin the technical portion of this analysis, I think it's important to understand the severity of this threat, which is very low. This threat was initially discovered on the 25th of October 2013, in the world of counter malware, this is very old news. The recent RSA paper and industry coverage is more about the ongoing threats to the Point of Sales (POS) systems, that is gaining spotlight based in part on the local highly visible retail vendors compromised during the holiday season by another POS targeting malware. At the time of writing there are three families of malware known to target POS systems

LinkedIn "LIONs" Are an Easy Target for Criminals (Duo Security) When criminals want to spam or spear phish, finding targets that willingly give up details about themselves to strangers is a good place to start. With social networking enabling the exchange of personal information quicker than ever, it's not a shock that sometimes an opportunity to connect trumps online security practices

Hacked X-Rays Could Slip Guns Past Airport Security (Wired) Could a threat-simulation feature found in airport x-ray machines around the country be subverted to mask weapons or other contraband hidden in a traveler's carry-on

Target Breach Was Months in the Making (American Banker) It looks increasingly likely that the hackers responsible for the massive data breach at Target were lurking inside the retailer's network for months before they started swiping customers' credit card data, according to security expert and blogger Brian Krebs

Target Credit Card Breach (Critical Watch) Security Journalist Brian Krebs broke the Target Story on December 18, 2013, and on December 19, Target Officially confirmed the breach of 40 Million Credit Cards

Hackers attack prominent med device makers' networks (FierceHealthIT) Computer networks at three prominent medical device makers—Medtronic, Boston Scientific and St. Jude Medical—were hacked in the first half of 2013, and may have lasted several months, according to a report this week from the San Francisco Chronicle

Bitcoin Exchange Bitstamp Halts Withdrawals After Cyber Attack (FoxBusiness) Bitcoin exchange Bitstamp temporarily halted withdrawals and deposits on Tuesday due to a cyber attack that caps off a rocky stretch for the crypto currency

Lots Of Major Bitcoin Exchanges Are Under A 'Concerted And Massive Attack' Right Now (Reuters via Yahoo! Finance) Andreas Antonopolous is chief security officer at Blockchain.info, a popular Bitcoin wallet service, and he tells CoinDesk that numerous Bitcoin exchanges are experiencing a "massive and concerted" denial of service attack right now

Modular Corcow banking Trojan poised for success (Help Net Security) Banking Trojans are among the most used stealthy malware, and the most popular ones are undoubtedly Zeus, SpyEye, Citadel and Carberp

Suspected Mass Exploit Against Linksys E1000 / E1200 Routers (Internet Storm Center) Brett, who operates an ISP in Wyoming, notified us that he had a number of customers with compromised Linksys routers these last couple of days. The routers, once compromised, scan port 80 and 8080 as fast as they can (saturating bandwidth available). It is not clear which vulnerability is being exploited, but Brett eliminated weak passwords. E1200 routers with the latest firmware (2.0.06) appear to be immune against the exploit used. E1000 routers are end-of-life and don't appear to have an immune firmware available.

Snapchat Hacked By Fruit Smoothie Enthusiast (TechCrunch) If one of your friends randomly sends you a photo of a smoothie on Snapchat, don't go to the URL on the picture. It's a hack that has affected several accounts, as a Twitter search shows. Wired writer Joe Brown was one of the users who suffered a Snapchat fruiting. A Snapchat spokesperson told him that the startup did not see any evidence of "brute-force tactics," and that someone had likely

Academia

DON Pathways Internship Program (Electrical/Electronics Engineer Student Trainee) (USAJobs) Who may apply: Current students accepted for enrollment and/or pursuing a degree in Electrical or Electronics Engineering

DON Pathways Internship Program (Information Technology Student Trainee) (USAJobs) Who may apply: Current students accepted for enrollment and/or pursuing a degree in Computer Science or a related field that includes 24 semester hours of related course work as listed under the Qualification section who live or go to school in the Washington DC Commuting Area

DON Pathways Internship Program (Computer Science Student Trainee) (USAJobs) Who may apply: Current students accepted for enrollment and/or pursuing a degree in Computer Science or a related degree that includes 30 semester hours in a combination of Mathematics, Statistics, and Computer Science. At least 15 of the 30 semester hours must include any combination of Statistics and Mathematics that included differential and integral calculus

DON Pathways Internship Program (Computer Engineer Student Trainee) (USAJobs) Who may apply: Current students accepted for enrollment and/or pursuing a degree in Computer Engineering

DON Pathways Internship Program (Security Clerk Student Trainee) (USAJobs) Who may apply: Current students accepted for enrollment and/or pursuing a diploma or degree program that live or go to school within the Washington, DC Commuting Area

Litigation, Investigation, and Enforcement

NSA cybersecurity issues echo scathing Hill report (FCW) Like the more than 15 civilian agencies lambasted for poor cybersecurity practices in a Feb. 4 Senate committee minority report, it appears the National Security Agency is also guilty of failing to promptly upgrade its IT software and security measures

Americans find swift stonewall on whether NSA vacuumed their data (McClatchy via the Kansas City Star) Since last year's revelations about the National Security Agency's massive communications data dragnets, the spy agency has been inundated with requests from Americans and others wanting to know if it has files on them. All of them are being turned down

Dropbox Outlines Its Principles For Handling Government Data Requests (TechCrunch) Joining other leading technology firms, Dropbox today detailed the number of national security requests it received in the preceding 12 months for user data of its customers: 0-249

When hacking isn't (CSO Salted Hash) This week I read an article about a French journalist, Olivier Laurelli, who had the temerity to to fix a URL in order to get to a proper webpage. The information that he accessed was not behind a firewall. The information was not password protected

Barclays customer data stolen and sold to rogue traders (Finextra) Authorities are investigating a security breach at Barclays which saw the confidential information of thousands of customers stolen and sold on to unscrupulous City traders

Eerste phishingproces van start in Brussel (Redactie) In Brussel vindt het eerste proces rond phishing plaats. Bij phishing proberen criminelen mits een list bankgegevens te ontfutselen via het internet. In Brussel staan nu 25 mensen terecht voor phishing. Ze maakten zo'n 220.000 euro buit

Nederlandse politie haalt verborgen drugsmarkplaats offline – update (Tweakers) Utopia, een marktplaats waar illegale waren konden worden gekocht en die enkel via het anonimiseringsnetwerk Tor toegankelijk was, is offline. De Nederlandse politie heeft de site offline gehaald, bevestigt het Openbaar Ministerie

Dutch Minister of Interior Fights for His Political Life (Wall Street Journal) The Dutch Minister of the Interior, Ronald Plasterk, is fighting for his political future, as he faces continued questioning that he misinformed the public over activities of his intelligence service. Mr. Plasterk backtracked last week when he admitted that the collection of telephone traffic and data wasn't the work of the U.S. National Security Agency as he previously suggested, but his own intelligence service

Encryption at Times a Detriment to Honest Policing (Threatpost) The use of surveillance tactics by law enforcement in the performance of precisely targeted criminal investigations is still widely accepted and supported by much of the global public

Japanese Man Accused of Using Malware to Make Threats Says He's Innocent (Softpedia) Around one year ago, Japanese authorities arrested 30-year-old Tokyo resident Yusuke Katayama on suspicion of being behind the malware that hijacked computers to make threats on behalf of their owners. The man says he's innocent

Design and Innovation

Secrecy Is the Key to the Next Phase of Social Networking (Wired) Over the past week, I've been getting a steady stream of push notifications alerting me that another one of my friends has joined the new social media app Secret. "Who could it be?" my screen asks each time, which is less an actual question and more an attempt to pique my curiosity. Technically, it could be any one of the couple hundred random people whose number I have in my phone. Within that parameter, I know for sure that it's someone I've at least talked to; whether or not I consider that person a friend is questionable, mostly because Secret won't tell you who it is that just joined the service