The CyberWire Daily Briefing 03.03.14

Cyber Trends

Industry Needs To Do More To Protect the Power Grid From a Cyber Attack (Defense One) Energy companies should create a new industry-led body to deflect cyber threats to the electric grid — from large generators to local distribution utilities, according to a new report co-authored by Ret. Gen. Michael Hayden, former CIA and National Security Agency director

Cybersecurity and the North American Electric Grid: New Policy Approaches to Address an Evolving Threat (Belfer Center) Protecting the nation's electricity grid from cyber attacks is a critical national security issue. Evidence collected by the U.S. Department of Homeland Security (DHS) suggests that cyber attacks on key energy infrastructure—and on the electricity system in particular—are increasing, both in frequency and sophistication. These trends are alarming because the potential consequences of a successful large-scale cyber attack—or combined cyber and physical attack—on the electric power sector are difficult to overstate

Organised fraudsters pose biggest cybersecurity threat: survey (CSO) The growing onslaught of cyber security attacks reflect a rapidly evolving criminality whose impact is near-unanimously expected to continue growing as mobile compromises, financial fraud and organised groups of fraudsters outweigh other risks such as those posed by supply-chain partners, a recent survey of IT decision makers has found

DDoS Attack! Is Regulation The Answer? (InformationWeek) Four security experts weigh in on why there's been little progress in combating DDoS attacks and how companies can start fighting back

Security Budgets: Do You Know Your Priorities? (Information Security Buzz) As business leaders become more 'cyber aware' concerns over data security shift from awareness to action. Organisations around the globe are increasing security spending, but have they prioritised budgets correctly or are they just throwing money at the problem

IoT Brings A Tremendous Risk To Consumers (Information Security Buzz) Let's all think back to 2009 when "cloud computing" was first entering the majority of technologists' lexicon. There was much groaning towards the name with statements such as, "we've all been doing this for years" and "this doesn't change anything". Now fast-forward to the present and you may notice a similar line of dialog about how the "Internet of Things" isn't really that important. Unfortunately for dissenters, they couldn't be more wrong

You will be hacked — it's inevitable, says cyber security expert (Insurance Business Online) Too few organisations have plans in place for how they should respond following a cyber attack — especially dangerous as the likelihood of suffering one is close to inevitable

India 2nd in list of countries facing cyber attack on mobiles: Kaspersky (The Hindu Business Line) India is the second-most cyber attacks on mobile devices prone country with a major chunk of these intrusions designed for phishing and stealing banking details, a report by security software maker Kaspersky said

The future of access control according to HID (Help Net Security) A new security environment in which users will have a seamless experience when using cloud-based applications and services, accessing data, and opening doors is emerging. This environment will move the industry beyond traditional strong authentication approaches, cards, and readers to simplify and improve how we create, manage and use identities across many different applications on both smart cards and smartphones

1 in 4 European internet users experience blocking of internet content (Help Net Security) 24% of European internet users say they are prevented by their providers from watching videos, listening music or using other applications of their choice, according to a new Eurobarometer survey of 28,000 citizens across the EU

Average Enterprise Is Hit by a Cyber Attack Every 1.5 Seconds (eSecurity Planet) That's twice the rate seen in 2012, according to FireEye researchers

The Info-Access Hack That Changed the World (Slashdot) According to Pew's survey, 42 percent of Americans had never heard of the Internet in 1995. Now 87 percent use it frequently

Legislation, Policy and Regulation

Germany: no spy deal with US anytime soon (AP via the Washington Post) The German government is conceding that it doesn't expect to reach agreement with Washington in the foreseeable future on a hoped-for "no-spy" deal

Labour to overhaul spy agency controls in response to Snowden files (The Guardian) Yvette Cooper says debate over privacy, civil liberties and the role of the intelligence agencies has barely started in Britain

Senators blast NSA for webcam spying (The Hill) Sens. Ron Wyden (D-Ore.), Martin Heinrich (D-N.M.) and Mark Udall (D-Colo.) slammed the National Security Agency after reports that its surveillance program capture images from users' webcams

An end to warrantless email searches? (The Hill) Legislation in the House that would end the warrantless searches of email records is gaining steam

More congressional action brewing on data-breach notification issues (Inside Cybersecurity) The House Financial Services Committee is the latest panel to jump into the debate over consumer data-breach notification, scheduling a subcommittee hearing for next week, but data-breach legislation introduced in the Senate apparently isn't ready yet for committee action

Cyber Spending Rare Bright Spot in Budget (Defense News) US spending on cyber, both defensive and offensive, will continue to grow in the coming years, including in the fiscal 2015 budget, officials said. But while the money has poured in, there are still questions to be answered as to how that money should be spent as the military settles what cyber preparedness really means

U.S. military not prepared for cyber warfare, commander warns (Washington Free Beacon) The U.S. military is ill-prepared for waging cyber warfare and needs to bolster defenses against the growing threat of cyber attacks against both military systems and private infrastructure, the commander of U.S. Cyber Command told Congress on Thursday

NSA head floats idea: What if we only gathered terrorist communications? (Ars Technica) Gen. Keith Alexander raises possibility of reining in NSA's metadata program

NSA's director defends surveillance, but calls for better cybersecurity (TechWorld) Keith Alexander says his agency is doing what the US residents want it to do

Cybersecurity Gets a Boost from the National Guard (Government Technology) The National Guard has a critical role to play in coordinating cyber-resources across federal, state and local governments

DHS lays out cyber framework details (FCW) The Department of Homeland Security will make managed cybersecurity services available for all 56 U.S. state and territorial governments this week, said Phyllis Schneck, deputy undersecretary for cybersecurity

Yahoo slams British spy agency that allegedly snapped up webcam images (Christian Science Monitor) Britain's surveillance agency GCHQ intercepted webcam images of millions of innocent Internet users with its Optic Nerve program, according to a report in the Guardian

Two Washington County delegates withdraw as co-sponsors after learning more about Fourth Amendment Protection Act (Hagerstown Herald-Mail) Del. Andrew Serafini says that when it comes to some proposed legislation, "the devil can be in the details"

The Era of Security Clearance Self-Review Could Be Permanently Over (Government Executive) Fallout continues from last September's fatal shooting at the Washington Navy Yard, with a prime federal contractor, U.S. Investigative Services (USIS), emerging seriously but not irreparably scathed

Products, Services, and Solutions

FBI to launch malware-analysis system to allow people identify bugs (Business Standard) The Federal Bureau of Investigation (FBI) has reportedly announced that it is planning to roll out a malware-analysis system that would help people and businesses identify and report malware attacks. FBI Director James Comey didn't disclose much about the new system, but said that it would be derived from the Binary Analysis Characterization and Storage System (BACSS), which the agency already uses

Quickly identify and act on endpoint security issues (Help Net Security) Promisec announced plans for Promisec Integrity, a series of cloud-based offerings to help small-to-medium enterprise organizations with endpoint security and remediation

Risk Analytics as a Service by Brinqa (Help Net Security) Brinqa announced the industry's first Risk Analytics as a Service offering

Two-factor authentication for WordPress using Rublon (Help Net Security) Rublon provides automatic two factor authentication for web applications. It currently supports Drupal, WordPress, Magento, PrestaShop and OpenCart. Two-factor authentication is definitely something that all web based applications should enforce, so using Rublon or some similar plugin is a good way to ramp up your security

Google Android chief: Android may be open, but it is not less secure (ZDNet) Contrary to reports, Google's head of Android development Sundar Pichai did not say that the OS is not focused on security -- rather, he meant the opposite

Apple Explains Exactly How Secure iMessage Really Is (TechCrunch) Millions and millions of people use iMessage every day. But how many people know exactly what's going on behind the scenes, or what happens to a message once you send it? Maybe a handful

Five things you should know about iOS security (Mac World) Security is an extra-hot topic these days, as all sorts of government agencies short on letters but long on budgets keep getting accused of spying on their own citizens, and debates rage on whether what look like accidental bugs may actually turn out to be quite intentional

Tor secure messaging client in pipeline for safer chat (SlashGear) Internet anonymity service Tor is working on a messaging client to offer Skype, Google Hangouts, and other IM users concerned about who might be reading their conversations a little piece of mind. Dubbed the Tor Instant Messaging Bundle, or TIMB, the app is expected to build on top of the existing InstantBird messenger, which will eventually be bundled in locked-down, encrypted form with the general Tor Launcher later this year

RSA Creates New Managed Security Service Program (Channelnomics) RSA, the security division of EMC Corp., has created a new program designed to unleash a new generation of managed security services. The company also has signed Verizon Enterprise Solutions as its marquee global services partner to aid enterprise customers worldwide. Other partners include: Foreground Security, DataShield Consulting and Communication Valley Reply Group

Trend Micro unveils three products in ongoing fight against mobile malware at work and in the home (ITProPortal) Trend Micro is continuing its fight against mobile malware by unveiling three new solutions that are geared towards assisting enterprises and consumers in the ongoing battle with mobile threats

Technologies, Techniques, and Standards

Meet the seven people who hold the keys to worldwide internet security (The Guardian) It sounds like the stuff of science fiction: seven keys, held by individuals from all over the world, that together control security at the core of the web. The reality is rather closer to The Office than The Matrix

Using microVM isolation to improve malware detection and defense (TechTarget) My company has been evaluating network-based detection tools recently. In doing research, I came across a product that puts each Internet instance into its own virtual machine (VM) instead of even trying to detect malware and the like

Encryption Would Have Stopped Snowden From Using Secrets (Bloomberg BusinessWeek) Edward Snowden could have been thwarted from leaking classified U.S. documents if the National Security Agency encrypted the information to make it unreadable, two former senior cybersecurity officials said

The IETF needed a wake-up call on security, says chairman (PC Advisor) The Snowden revelations have made the standards organization rethink its approach on security

How to travel safely: An in-depth look at data security on the road (ITProPortal) Travel security used to mean stashing your cash in a money belt. With the wide acceptance of credit cards, that inconvenience is mostly gone — replaced, due to the rise of cybercrime and identity theft, with the need to secure your data when traveling. Unfortunately, it is a lot trickier than most people realise to protect your personal information when you use your computer on the road

How to craft the perfect password (BGR) It seems obvious, but passwords are our first line of defense against a growing army of nefarious hackers looking to steal our data, money or even identities. While many people know how serious the issue of cybersecurity is, many still use passwords that are remarkably bad. Compounding matters is the common practice of using the same password across multiple accounts, so a hacker who gains access to one account may be able to breach others. But protecting yourself is easy and there's just no excuse for leaving your accounts vulnerable with bad passwords

Before we abandon passwords, these 3 critical elements of authentication need to be fixed (CSO Salted Hash) Passwords are a factor of authentication. The problem is less with the factor than the overall system of authentication. While people are part of the process, two additional elements are routinely overlooked. Focusing attention on improving all three elements yields better and more secure authentication — password or otherwise

Marketplace

Good Technology buys BoxTone as EMM market shifts to bigger vendors (TechTarget) Good Technology's move to acquire BoxTone for enterprise mobility management is the latest in a trend viewed as positive for the mobile IT community

Northrop Grumman Australia completes Qantas Defence Services acquisition (Australian Defence Magazine) Northrop Grumman Australia has completed the acquisition of Qantas Defence Services Pty Limited, now called Northrop Grumman Integrated Defence Services Pty Limited (IDS)

Stock Adds Fuel to Tech-Deal Fire (Wall Street Journal) Facebook FB -0.70% might have shelled out a shocking $19 billion for Whats-App, but it at least had the presence of mind to finance the bulk of the deal with its highly valued stock. That may become a repeat story as tech companies realize lofty valuations give them a virtual printing press for acquisition currency

2014 US Cyber Challenge Kicks Off in April (Infosecurity Magazine) The US Council on Cyber Security (USCC) has launched the 2014 US Cyber Challenge, calling on the industry and government to "get serious" about the workforce problem. The initiative aims to find 10,000 bright students and turn them into cybersecurity professionals

Spy Lockout Shareholder Proposal To Be Raised At Apple Annual Meeting (PRWeb) "Apple can lead our industry's escape from vast, wasteful surveillance and earn back the trust of users the world over." At the annual Apple Inc. shareholder meeting today, shareholders will ask the Bay Area computer maker to take several policy and technical actions immediately, a Spy Lockout to protect the company against negative business impact from the NSA bulk surveillance scandal

Anti-NSA services on the rise (Bloomberg News via the Fort Wayne Journal-Gazette) Encryption technology to leave no data trail for spying. The National Security Agency's snooping on email traffic and phone records has prompted a cottage industry in products meant to keep spies out of their customers' business

Spy fears drive smartphone security business (Gulf News) An estimated 48 per cent of users take no basic security measures, according to anti-virus software seller Norton

Santa Rosa's Sonic leads in online privacy protection (Santa Roas Press-Democrat) In a large, cold, immaculate room, rows of black metal cabinets shelter Internet servers whose blinking green lights indicate the frenetic pulse of our every online move, whether it's sending mundane emails, trolling online forums, messaging a lover or making online purchases

Bug bounty operator presses vendors to pick up patching pace (ComputerWorld) HP TippingPoint's 'Zero Day Initiative' will go public with bug information 120 days after reporting vulnerabilities to software makers

KEYW subsidiary Hexis plans to increase revenue through global resellers (Baltimore Business Journal) Hexis Cyber Solutions develops a product called the HawkEye G, which is designed to detect and disable cyber threats in a company's network. Hexis Cyber Solutions, a growing subsidiary of KEYW Corp., is launching a worldwide program that will provide sales and marketing resources to its reseller partners across the globe

Rupert Soames to Join Serco Group as Chief Executive (GovConWire) Rupert Soames, currently chief executive at Scotland-based power generation company Aggreko, will join international government services contractor Serco Group as chief executive on June 1

Research and Development

Decrypting the most mysterious book in the world (The Verge) After 600 years, the secret language of the Voynich manuscript may finally be understood

Security Patches, Mitigations, and Software Updates

Snow Leopard updates are probably done—here are your OS X upgrade options (Ars Technica) As OS X 10.6 fades, you'll need to start considering alternatives

Cyber Attacks, Threats, and Vulnerabilities

Russia, the Ukraine invasion, and U.S. cybersecurity implications (ZDNet) ZDNet's resident cyberwar expert, David Gewirtz, presents a SITREP (situation report) analyzing unexpected areas where US interests might be vulnerable in the unlikely event that the Russian invasion of Ukraine generates a response by US or UN forces

Russians Blocking Access to Websites Run by Ukrainian Protestors (AP via Matthew Aid) Russia's Internet monitoring agency has blocked 13 Internet pages linked to the Ukraine protest movement that helped oust the country's Russia-leaning president last week

Russia Today's website defaced in 'Nazi' hack attack (Graham Clulely) The pro-Kremlin news agency found its website hacked overnight, with headlines changed to refer to "Nazis". As is so often the case, real-life conflict can spill over to internet attacks

Uroburos — highly complex espionage software with Russian roots (G Data SecurityBlog) G Data discovers alleged intelligence agency software. G Data Security experts have analyzed a very complex and sophisticated piece of malware, designed to steal confidential data. G Data refers to it as Uroburos, in correspondence with a string found in the malware's code and following an ancient symbol depicting a serpent or dragon eating its own tail

Yahoo, ICQ chats still vulnerable to government snoops (CNet) Spy agencies and hackers at your local Starbucks can vacuum up Yahoo and ICQ chats and metadata about AOL's AIM users. These services are over a decade old — why are they not fully encrypted? Nine months after Edward Snowden revealed extreme Internet surveillance by US and British intelligence agencies, some major technology companies have yet to take rudimentary steps to shield their users' instant messages from eavesdropping

Unlucky casino punters have data hacked in huge cyber attack (Yorkshire Post) Hackers stole the personal information of tens of thousands of Las Vegas Sands customers during a huge cyber-attack, it has emerged. The casino company said in a regulatory filing that information about some patrons at its Bethlehem, Pennsylvania, hotel-casino was compromised during the attack

'Mind boggling' trove of 1.25bn emails discovered for sale on online black market (The Independent) A "mind boggling" cache of personal data has been discovered for sale on the online black market. The trove included credentials from more than 360 million accounts and around 1.25 billion email addresses

Fresh Target Breach Cards Hitting Black Market (InformationWeek) A Bitcoin-powered marketplace is selling stolen card data in small batches, offering card validity guarantees, an RSA presentation reveals

Sears Denies Breach (BankInfoSecurity) On Feb. 28, Bloomberg News and others reported that a possible breach at Sears Holding Corp. was being investigated by the Secret Service. Sears, which also owns Kmart, mygofer, Shop Your Way and Land's End, says it has not confirmed a breach

Sears investigating possible cyber security breach (Globe and Mail) Sears Holdings Corp. said Friday it has launched an investigation to determine whether it was the victim of a security breach, following Target Corp.'s revelation at the end of last year that it had suffered an unprecedented cyber attack

Report: Secret Service investigates possible network breach of Sears (Ars Technica) No evidence yet of actual breach, retailer says

Android's Jelly Bean, Kit Kat under cyber threat: CERT-In (Financial Press) A "critical flaw" has been detected in the virtual private network offered by Android operating systems in the Indian cyberspace leading to "hijack" of personal data of users

Spam Mails Offering Loans on the Prowl, Warns Kaspersky (Spamfighter News) Cyber Security Company Kaspersky has cautioned about spam mails increasing recently that offer loans but actually steal users' data. Following this incident, the company's security researchers posted one fresh advisory giving guidance to Internauts that could keep them protected

Mt. Gox Source Code Leaked By Hackers Along With Team Information, Customer Data (TechCrunch) Those interested in building a Bitcoin exchange should look no further than this chunk of source code posted by a "Russian leaker" called nanashi_. It alleges to contain the 1,700-line source code for Mt. Gox's electronic exchange

Sunsets and Cats Can Be Hazardous to Your Online Bank Account (TrendLabs Security Intelligence Blog) It's been said that a picture is worth a thousand words. Unfortunately, there's one that's worth your bank accounts. We came across malware that uses steganography to hide configuration files within images. However unique this technique might seem, it is hardly new—we previously featured targeted attacks that use the same technique

DeKrypto - Padding oracle attack against IBM WebSphere Commerce (CVE-2013-05230) (NetSpi) IBM WebSphere Commerce or WebSphere Commerce Suite (WCS), developed by IBM, is a software platform framework for e-commerce and is actively being used by giant retailers

Chinese government still sponsoring cyber-espionage, says FireEye COO (Network World) Chinese networking giant Huawei, though, says last year's report lacked credibility

Dutch digital activist discusses Anonymous in depth SPECIAL (Digital Journal) As the Anonymous collective branches out into public street-level operations and gains momentum, a digital activist discusses some of the philosophy and strategy behind the online activities of the movement

Litigation, Investigation, and Enforcement

NSA revelations may let jailed terrorists challenge their convictions (Japan Times) A man in prison for terrorism may have a new opportunity to challenge his conviction, because the U.S. government only recently told him how it obtained evidence it intended to use against him: through one of the National Security Agency's secret surveillance programs

Bitcoin exchanges pressed to reveal cyber attack coping strategies (IT Pro) Sources claims US lawyers have subpoenaed Bitcoin exchanges. US Attorney Preet Bharara has sent subpoenas to Mt. Gox, other bitcoin exchanges, and businesses that deal in the virtual currency to seek information on how they handled recent cyber attacks, sources claim

MtGox sets up call center in Japan for queries from worried Bitcoiners (Ars Technica) Company starts "civil rehabilitation" after losing nearly $500m in bitcoins

Jail time for university hacker who changed his grades to straight As (Naked Security) A former student of Purdue University in Indiana has been sentenced to 90 days in jail for his part in hacking into college computer systems and changing grades

British Man Charged with Hacking U.S. Federal Reserve (eSecurity Planet) Lauri Love allegedly stole names, e-mail addresses and phone numbers from Federal Reserve servers and posted the stolen data online

Three Korean Hackers Arrested for Theft of 17 Million People's Personal Data (eSecurity Planet) The three, surnamed Kim, Choi and Lee, allegedly stole the data from 225 different Web sites

Design and Innovation

Intel Designs a Safe Meeting Place for Private Data (MIT Technology Review) A super-secure place for sensitive data to mingle could free companies to get the benefits of sharing it without risking leaks

The CyberWire Daily Briefing for 3.3.2014