The CyberWire Daily Briefing 02.27.14

Summary

By The CyberWire Staff

Brazilian hacktivists mature their plans to disrupt the coming World Cup on behalf of a basket of grievances against Brazilian policy and the social conditions they believe it engenders.

The Christian Science Monitor claims to have found a supply-chain angle to Stuxnet's incapacitation of Iranian nuclear facilities.

Facebook users are cautioned against a malicious "profile viewer" browser add-on that purports to reveal stalkers. A fix for a zero-day affecting Avaya's one-X 9608 IP telephones is expected to become available tomorrow. The IE zero-day that first surfaced in watering-hole attacks staged through a compromised VFW site continues to cause trouble in the wild.

Target's conference call provides a case study of how a large company handles a major breach with its investors: the breach, unsurprisingly, was addressed prominently.

The insurance sector continues to evolve its approach to cyber coverage, and to assessing the value of assets at risk to cyber attack. An interesting piece in the WillisWire discusses how much cyber insurance retailers need to carry against the sort of attack Target and Neiman Marcus sustained. The BBC reports insurers have denied coverage to power companies with weak cyber defenses. Where insurance goes, so goes litigation, and corporate directors now face derivative lawsuits following breach disclosures.

New products show the value the market may be placing on privacy. Two new phones with similar names are particularly interesting: Boeing's "Black" (for government markets) and Silent Circle/Geeksphone's "Blackphone" (for consumers).

The US Army releases a new field manual covering cyber security and operations.

Notes.

Today's issue includes events affecting Australia, Brazil, Canada, European Union, Germany, Iran, Israel, Japan, Russia, United States.

Selected Reading

Cyber Trends

97% of SaaS vendors use SAML-based single sign-on (Help Net Security) OneLogin and the Cloud Security Alliance today announced findings from their OneLogin 2014 State of SaaS Identity Management survey, which was conducted to better understand the maturity of SaaS vendors in their implementation of identity management solutions, security standards and assurance certifications

Survey Reveals Generation Gap in Attitudes About Security and Privacy (CIO) Gen-Xer's and Millenials' different behaviors protecting sensitive information could be a concern for employers

Gartner warns companies: hit the brakes, don't cross 'creepy line' (FierceBigData) Gartner research VP Frank Buytendijk warned the private sector to be ready to hit the brakes on big data before they cross the 'creepy line'

The Internet Of Things Poses New Security Challenges (Forbes) If you thought bugs, viruses and phishing schemes were tough on security, you ain't seen nothin' yet. Your business will soon be faced with a new, even more formidable foe: The Internet of Things

One Password For Work And Home — Is This The Future? (Forbes) With the myriad devices, websites and apps people now access at home and at work every day, remembering every user ID and password for each account has become a nightmare for most people

Consumers' bad data security habits should worry employers (Help Net Security) Consumers are not securing the data on their personal laptops or desktops correctly, if at all, according to the results of a Harris Poll survey commissioned by WinMagic

Consumers want privacy, but don't take advantage of opt-out technologies (Help Net Security) A majority of consumers worry about how marketers use their personal data, but 79 percent are more likely to provide personal information to what they consider a "trusted brand," according to a new consumer behavior study from SDL

Government Cybersecurity Guidance Wanted By Private Sector (InformationWeek) Nearly 90% of IT leaders worldwide believe government needs to be involved in helping private sector firms set cyber defense strategies, Dell study finds

Why near-CDP is nudging true CDP from data protection landscape (TechTarget) Over the past few years, we've watched so-called near-continuous data protection overtake true CDP to become the de facto norm for organizations dealing with tight recovery time objectives. The reason why is simple — near-CDP is just plain good enough for most organizations

Legislation, Policy and Regulation

FM 3-38: Cyber Electromagnetic Activities (Headquarters, Department of the Army) FM 3-38, Cyber Electromagnetic Activities, provides overarching doctrinal guidance and direction for conducting cyber electromagnetic activities (CEMA). This manual describes the importance of cyberspace and the electromagnetic spectrum (EMS) to Army forces and provides the tactics and procedures commanders and staffs use in planning, integrating, and synchronizing CEMA

Army experts talk cyber domain (Redstone Rocket) It's a war fighting domain that is ever-evolving and offers no easy answers for the fight, but is becoming all the more important as the Army heads into the future

EMP Effects and Cyber Warfare — Part I (The Jewish Voice) The Jewish Voice has been at the forefront of media outlets in providing much needed information to the public about U.S. critical electric infrastructure vulnerabilities. The effects of an electromagnetic pulse (EMP) attack in the form of high-altitude nuclear weapons and geomagnetic disturbances (GMD) from coronal mass ejections have been described within this publication over the past several weeks

Snowden to Testify Before European Parliament's LIBE Committee (Information Security Magazine) The question over whether direct testimony from US whistleblower Edward Snowden will be heard by the European Parliament (EP) has finally been settled. On Monday the Civil Liberties, Justice and Home Affairs Committee (LIBE) voted to accept testimony in relation to the parliament's inquiry into mass surveillance

Feds Refuse to Release Public Comments on NSA Reform — Citing Privacy (Wired) The President Barack Obama administration has received 28 proposals from corporations with ideas for managing the NSA's massive database of U.S. phone call metadata. But don't expect to see the proposals any time soon

Privacy or national security: Have spy agencies gone too far? (Globe and Mail) The Debate: Is your government gathering masses of cellphone information to protect you, or to invade your privacy? Spy agencies in the Canada, the United States and elsewhere have been caught harvesting huge amounts of potentially private data from laptops, tablets and cellphones of millions of people, including their citizens

Japan Studies Regulation of Bitcoin After Mt. Gox Goes Dark (New York Times) A top government official said on Wednesday that Japan was studying ways to regulate Bitcoin trading in the wake of the implosion of a prominent Tokyo-based trading platform for the virtual currency

Surprising No One, LinkedIn for China Will Be Subject to Government Censorship (Slate) When you think about the Internet in China, free and open discourse probably isn't the first thing that comes to mind. Now, LinkedIn is confronting the Chinese government's censorship regulations while the company works to roll out the Simplified Chinese language version of LinkedIn

Products, Services, and Solutions

Boeing Black: A hush-hush mobe secure enough for the US gov? (The Register) Who makes the most secure smartphones? Apple? Samsung? BlackBerry? Boeing is betting the US government's answer is "none of the above"

Blackphone Promises Super Security And Privacy (Sky News) Users are promised "world class cryptography" and the choice to reveal "what, when and to whom" but are told it's not NSA-proof

The hidden risk in Blackphone's "secure" communications (Quartz) Messaging, cheap phones, and the tensions between the telecom industry and web companies have been the overriding themes at the Mobile World Congress (MWC), an annual telecom-industry gathering in Barcelona this week. But another current has been flowing underneath the surface: security and privacy

Military-grade encryption tunnel scrambles voice, text and emails (Help Net Security) GOTrust Technology Inc. announced that National Institute of Standards Technology (NIST) has awarded the company Federal Information Processing Standards (FIPS) 140-2 level 3 certification for their SDencrypter microSD working on Android and many other Operating Systems including Windows and Linux

Samsung And Zscaler Announce Enterprise-Ready Mobile Security Solution (Dark Reading) Solution extends security and compliance policies from Zscaler security cloud to Samsung KNOX

Cisco security strategy update: Cisco adds Sourcefire AMP to gateways (TechTarget) If the significance of Cisco's new security products and strategy could be distilled into a single, exasperated line, it would be the one uttered by its chief security officer, John N. Stewart. "It's different," Stewart said, "and it's about time something is different"

Data company Versium says it can bust fraudsters one email address at a time (TechTarget) Digital thieves can be difficult to spot before they strike. That's partly because traditional security methods haven't kept pace with technology, giving fraudsters a chance to exploit holes in the wall of fraud detection systems, said Chris Matty, CEO of Seattle-based Versium Inc., a predictive analytics startup

Cyber Security Startup Announces Release of Cyber War Games DDoS Module (Digital Journal) Today, MazeBolt Technologies, an Israeli based Cyber Security Startup announced the release of their DDoS Simulation module to strengthen their posture in the Cyber Security arena.A methodology commonly known in cyber security circles as a "War Games Simulation". A roleplay of realistic DDoS attack scenarios on your network infrastructure or website

Hexis Cyber Solutions Launches Worldwide Security Channel Program (Wall Street Journal) Hexis Cyber Solutions, Inc. (Hexis), a wholly-owned subsidiary of The KEYW Holding Corporation (Nasdaq:KEYW), today announced the launch of its new Worldwide Security Channel Program, which is designed to extend the company's security footprint while providing sales and marketing resources to reseller partners throughout the world

CSC Extends Govt Market Cyber Service to Commercial Markets; Samuel Visner Comments (Executive Biz) Computer Sciences Corp. will offer a commercially-available incident response service to companies that are seeking to acquire tools for combating persistent and evolving threats

New Verizon Cyber Intelligence Center Helps Speed Detection, Mitigation Of Cyberthreats For Enterprises, Government Agencies (Dark Reading) VCIC will provide sources of threat intelligence so enterprises can identify and respond to threats early in attack cycle

Technologies, Techniques, and Standards

ONC, Inova look to NSTIC for healthcare identity management (FierceGovIT) The healthcare industry could greatly benefit from innovations in digital identity authenticiation, said Jeremy Grant, senior executive advisor for identity management at the National Institute of Standards and Technology

Marketplace

Energy firm cyber-defence is 'too weak', insurers say (BBC News) Power companies are being refused insurance cover for cyber-attacks because their defences are perceived as weak, the BBC has learned

POS Systems and P.O.S. Hackers: How Much Cyber Insurance is Enough for a Retailer? (WillisWire) It's been about 2 months since the first of the stories broke on the multiple large-scale hacking attacks in the retail sector. The target in this recent round were the "Point of Sale" systems, the computers and card/pin pads formerly known as 'cash registers'. We have leaned since that several national retailers succumbed to the sophisticated series of hacks, losing millions of debit and credit card numbers in some cases

Identity relationship management market to exceed $50 billion by 2020 (Help Net Security) ForgeRock announced today that the identity relationship management (IRM) market, focused on managing customer interactions across any device or environment, will exceed $50 billion by 2020

2014 SC Awards U.S. Winners (SC Magazine) Reflecting back on 2013 I'm reminded of Sir Winston Churchill's statement that, "The farther back you can look, the farther forward you are likely to see"

Trend Micro responds to increasing 'onslaught' of mobile cyber attacks (ITWire) Internet security provider Trend Micros has launched a set of new solutions to combat what it says is an increasing onslaught of cyber attacks that are continually placing people using mobile devices at risk

H-P Lands $32M Cyber Security Contract From Dept. of Homeland Security (FoxBusiness) Hewlett-Packard (HPQ) won a $32.4 million cyber security contract on Wednesday from the U.S. Department of Homeland Security to provide software security product licenses for 33 federal civilian government agencies

Governor's Cyber Aces Championship is Saturday (eNews Park Forest) Illinois' leading role in recruiting Veterans and career changers to enter the cybersecurity workforce shines this Saturday in the state's first ever Cyber Aces State Championship, the Illinois Department of Employment Security (IDES) said today

Security Patches, Mitigations, and Software Updates

Apple retires Snow Leopard from support, leaves 1 in 5 Macs vulnerable to attacks (ComputerWorld) Twice now that Apple's bypassed Snow Leopard when it patched newer editions

Tenable adds cloud management and multi-scanner support to Nessus (Help Net Security) Tenable Network Security announced powerful cloud management capabilities will be delivered to Nessus users in a March 3rd update

Cyber Attacks, Threats, and Vulnerabilities

Hackers target Brazil's World Cup for cyber attacks (Reuters) Brazilian hackers are threatening to disrupt the World Cup with attacks ranging from jamming websites to data theft, adding cyber warfare to the list of challenges for a competition already marred by protests, delays and overspending

Exclusive: New thesis on how Stuxnet infiltrated Iran nuclear facility (Christian Science Monitor via Yahoo! News) The Stuxnet worm that attacked Iran's nuclear facility at Natanz came to light nearly four years ago, but how it got there remains a mystery. A possible new explanation, outlined Tuesday, cites the supply chain as the key

Facebook users warned vs 'profile viewer' addon (GMA News) Users of Facebook were warned over the weekend against a so-called "Profile Viewer" browser addon claiming to let them see who is stalking them on the social networking giant

Avaya to Patch Zero Days that Turn IP Phone into Radio Transmitters (Threatpost) Two zero-day vulnerabilities in Avaya's latest one-X 9608 IP telephones have been discovered and are expected to be patched on Friday by the provider

Security Researchers Discover Way to Log Touch Input on iOS Devices (Daily Tech) Security researchers have already proven that apps can be placed on Jailbroken iOS devices that enable background monitoring by third parties. However, security researchers from FireEye have announced that they have found a vulnerability on iOS 7 devices that allows the bypassing of the official app review process and allows the exploitation of iOS device that aren't even jailbroken

IE zero-day exploit that struck VFW website being used in widespread attacks (PC World) The number of attacks exploiting a yet-to-be-patched vulnerability in Internet Explorer has increased dramatically over the past few days, indicating the exploit is no longer used just in targeted attacks against particular groups of people

Ongoing NTP Amplification Attacks (Internet Storm Center) Brett, who alerted us earlier this month regarding the mass exploit against Linksys devices has surfaced a current issue he's facing with ongoing NTP amplification attacks

Black market lights up with 360M stolen credentials — report (C/Net) Some 360 million account credentials are newly available for sale on the black market, according to one security firm, and may be from several yet-to-be-reported security breaches

Kaspersky charts surge in mobile banking malware (V3) Mobile banking malware was the biggest security threat to emerge in 2013, while 98 percent of all attacks targeted the Android platform, according to new data from Kaspersky Lab

US Tax Season Phishing Scams and Malware Campaigns (US-CERT) In the past, US-CERT has received reports of an increased number of phishing scams and malware campaigns that seek to take advantage of the United States tax season. The Internal Revenue Service has issued an advisory on its website warning consumers about potential scams

Data-breach costs take toll on Target profit (AP via Boston.com) Target Corp. will be feeling the financial pain for a while from the theft of credit card numbers and other information from millions of its customers

Highlights from Target's Q413 Earnings Conference Call (Benzinga) Below are some highlights from Target's (NYSE: TGT) fourth-quarter conference call: Target committed to an end-to-end review in cooperation with third-party experts to understand how the breach occurred

Why Target Breach was Preventable (GovInfoSecurity) The Target retail POS breach is the most talked-about incident in recent memory - and it was entirely preventable with available security solutions, says Adam Tegg, CEO of Wontok Solutions

Lessons Learned From The Target Breach (Dark Reading) The time is ripe for organizations to take a long hard look at how they manage employee access and secure sensitive data in cloud environments

California insurance exchange had 'vulnerability' (AP via News Daily) More than three months after it opened for business, California's online health insurance marketplace had what federal officials described as a potential security flaw in its computer system and one that had already been disclosed publicly

Jewish websites reportedly hacked (Cleveland Jewish News) Secure Community Network has received multiple reports from Jewish organizations indicating that their websites were hacked and defaced, according to an intelligence report sent by SCN to Jewish agencies and security directors Feb. 25

Indiana University Acknowledges Data Breach (eSecurity Planet) 146,000 names, addresses and Social Security numbers may have been exposed

Stolen USB Drive Exposes 2,172 Brooklyn Hospital Patients' Data (eSecurity Planet) The unencrypted drive held limited medical information, including diagnoses and some lab values

University of Maryland Extends Credit Protection for Data Breach Victims (eSecurity Planet) The university is offering five years of free credit monitoring services to the more than 300,000 people affected

Electric Cars: Booming Sales Prompt Power Grid Cyber Attack Conerns (Inquisitr) Electric cars are attracting more buyers than ever before. Although the now more sporting looking vehicles may be better for the environment, they pose a great risk to the power grid. Not only are power grid segments in some cities already too overly burdened to sustain increased usage by a multitude of charging electric cars, the "refueling" stations themselves are reportedly extremely susceptible to cyber hacking

Litigation, Investigation, and Enforcement

NSA surveillance: A new door to court challenges? (AP via the Milwaukee Journal Sentinel) A Brooklyn man in prison for terrorism may have a new opportunity to challenge his conviction because the government only recently told him how it obtained evidence it intended to use against him. It was through one of the National Security Agency's secret surveillance programs

NSA now meddling with lawyers (Washington Times) The right of clients and attorneys to speak feely is under siege. In the months since Edward Snowden revealed the nature and extent of the spying that the National Security Agency (NSA) has been perpetrating upon Americans and foreigners, some of the NSA's most troublesome behavior has not been a part of the public debate.

Directors Sued for Cyber Breach (WillisWire (h/t BlackOps Partners)) After disclosure of a recent cyber breach, the company's board of directors was sued by shareholders in two separate legal actions—derivative lawsuits to be precise

Design and Innovation

MasterCard aims to reduce card fraud with smartphone geo-location technology (Naked Security) MasterCard and Syniverse are running a pilot scheme that aims to reduce credit card fraud by making sure that a customer's card and mobile phone are in the same location when the card is used

Apple's goto fail needs a massive culture change to fix (ZDNet) Apple may be shiny on the surface, but the recently revealed SSL security flaw means that something's rotten inside — or perhaps even poisoned

Industry Events

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

upcoming Events

RSA Conference USA (San Francisco, California, USA, February 24 - 28, 2014) Hundreds of game-changing interactions will give you an unparalleled diversity of industry insight and information based on best practices, real implementation stories, and detailed case studies. Each year, educational sessions feature new and returning educational tracks you won't find anywhere else.

Cloud Expo Europe (, January 1, 1970) Cloud Expo Europe covers everything from hybrid cloud to software defined networks and data centres, from open source cloud to IaaS, from security and governance to cloud applications and from complex hosting to development platforms.

Suits and Spooks Security Town Hall (, January 1, 1970) Privacy versus Security: An Informed Debate and Discussion to Raise Industry Awareness. Taia Global and our sponsoring companies are hosting our first Suits and Spooks Security Town Hall at the Ritz Carlton San Francisco on February 27, 2014 (7pm-10pm). We are condensing the Suits and Spooks two-day "collision" model into a 3-hour debate and discussion format to help raise awareness about the complexities involved in balancing security objectives with our privacy rights.

Trustworthy Technology Conference (, January 1, 1970) Join us for the first Trustworthy Technology Conference, to be held on 27 February 2014 at the AMC Metreon Theatre in San Francisco, California. We welcome all security researchers, practitioners and citizens who are interested in discussing the technical, legal and ethical underpinnings of a stronger social contract between users and technology.

Creech AFB Technology & Cyber Security Expo (, January 1, 1970) The Armed Forces Communications & Electronics Association (AFCEA) - Las Vegas Chapter, with support from the 432d Wing, will host a Cyber Security Awareness Day & Technology Expo at Creech AFB. This is an excellent opportunity for technology, cyber and tactical technology companies to meet with remote personnel at Creech AFB. At the 1st Annual event held in February 2013 over 100 Creech AFB personnel attended this event. Some of their job descriptions included: Commander, Flight Chief, Communications Officer in Charge, IT Lead, Systems Admin, Wing Training, Information Assurance Officer, Knowledge Management, Section Chief, Avionics, Physical Security, Project Manager, Director and more.

Nuclear Regulatory Commission ISSO Security Workshop (, January 1, 1970) Exhibitors will have the opportunity to showcase cutting-edge products and services available in today's market. All companies specializing in products and services that would benefit the NRC workforce are encouraged to exhibit at this one-day expo. Topics of the workshop and of high interest to attendees include: computer security policy, standards and guidance, cybersecurity, FISMA compliance, and training updates.

ICS Summit 2014 (Lake Buena Vista, Florida, US, March 17 - 18, 2014) The 9th Annual North American ICS Security Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security.

27th Annual Federal Information Systems Security Educators' Association (FISSEA) Conference (, January 1, 1970) The 27th Annual Federal Information Systems Security Educators' Association (FISSEA) Conference will be held at the National Institute of Standards and Technology on March 18-20, 2014, exhibits will be on display March 19 only. This year's theme "Partners in Performance: Shaping the Future of Cybersecurity Awareness, Education, and Training" will focus on developing a better understanding of current information systems/cybersecurity projects, emerging trends, and initiatives. Through numerous high quality sessions, approximately 200 attendees will learn new ways to improve their IT security program and practical solutions to training problems while earning Continuing Professional Education (CPE) credits. The vendor fair gives attendees a tactical look at the products and services available to meet their professional goals.

Suits and Spooks Singapore (, January 1, 1970) Our first international Suits and Spooks conference will be held in Singapore with a visit to Malaysia on March 20-21, 2014. The focus will be on how multi-national corporations can profitably operate in a globally hostile environment that consists of foreign intelligence collection, mercenary hacker crews, insider threats, and supply chain/vendor vulnerabilities. Our international list of speakers will discuss who the threat actors are, what they're after, and best practices to mitigate the risks.

MCT-Congress: Going Mobile with Clinical Trials (Edinburgh, Scotland, UK, March 20 - 21, 2014) It is almost inevitable that mHealth solutions will be adopted across healthcare systems worldwide over the next decade. What is less clear is the impact that mobile solutions are having and could have on the clinical research process.

Cyber Security for Energy & Utilities (, January 1, 1970) Following the rapid evolution of the cyber and digital world, IT Security Directors, Information Security Directors, Chief Security Officers, Chief Information Officers and many more will gather at the 3rd Edition of Cyber Security for Energy & Utilities conference taking place from 23 -26 March 2014 at The Westin Golf Resort in Abu Dhabi, UAE.

Veritas 2014 (, January 1, 1970) At Veritas 2014, hear directly from the big data experts in top tier retail finance who are now implementing strategy and starting to yield real commercial value. Experts dedicated to Big Data in the sector will show you how the right approaches can lead to far-reaching results in business model innovation, risk mitigation and identifying new revenue streams. See how Veritas 2014 will help you develop your big data implementation strategy.

Black Hat Asia (, January 1, 1970) Black Hat is returning to Asia for the first time since 2008, and we have quite an event in store. Here the brightest professionals and researchers in the industry will come together for a total of four days--two days of deeply technical hands-on Trainings, followed by two days of the latest research and vulnerability disclosures at our Briefings.

Cyber Security Management for Oil and Gas (, January 1, 1970) Attend to gain cutting-edge information from oil and gas cyber security experts on: Using the very latest in intelligence techniques to find and neutralize the newest threats in time. Preventing security breaches while ensuring your employees, social media and mobile devices operate effectively. Implementing best practices in order to achieve and maintain SCADA and other key systems security. How a "critical infrastructure" designation would impact different aspects of oil and gas cyber security management.

SyScan 2014 (Singapore, March 31 - April 4, 2014) SyScan is a deep knowledge technical security conference. It is the aspiration of SyScan to congregate in Asia the best security experts in their various fields, to share their research, discovery and experience with all security enthusiasts in Asia.

Interop Conference (, January 1, 1970) Interop Conference sessions help you find actionable solutions to your current IT headaches and plan for future developments.

Sponsor & Support

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter’s financial reach, or it might just not be the right time for you to do those things. That’s why we launched our new Patreon site, where we’ve created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you’ll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.