The CyberWire Daily Briefing 03.12.14

Cyber Trends

Web@25: Sir Tim Berners-Lee urges the world to protect his creation (V3) Sir Tim Berners-Lee has called on web users around the world to show their support for keeping the internet a free and open platform, to mark 25 years of the web's existence

Reestablishing trust in the Internet (Help Net Security) "The next phase of the internet will be data-centred and connectivity driven. Cloud computing, big data, the Internet of Things; tools which support manufacturing, education, energy, our cars and more. The internet is no longer about emails," said Neelie Kroes, European Commissioner responsible for the Digital Agenda, in her speech at CeBIT 2014 in Hanover on Monday

The NSA, Snowden, and the Internet's Offensive Future (Threatpost) Despite everything that has transpired in the last year, Edward Snowden sounded calm, reflective and in some ways wistful yesterday discussing the fallout and consequences of the multitude of NSA programs and methods he's revealed. Snowden bemoaned the fact that the NSA specifically and the intelligence community in general have shifted its focus to offensive operations, implying that defense should be focus. But now that those agencies have the tremendous offensive powers they've accumulated in the last decade, they're never giving them back

The browser's resized future in a fragmented www world (The Register) The safe option in a native jungle

Leon Panetta Warns of Cyber Pearl Harbor: and a CTO gives him a polite earful (CTO Vision) Leon Panetta spoke today at the Symantec government conference in DC. No matter what your politics are, I hope you see this man as a great American who always puts country above himself. I believe that. He has spent his entire adult life proving that

The Internet of Things Needs Anti-Virus Protection (Slate) As the Internet of Things grows and more devices than ever have network connectivity baked in, you might start to wonder what protects all of these smart home appliances and media streaming dongles against hacks. The answer: pretty much nothing. Companies can release security updates or patches when they learn about vulnerabilities in their devices, but who is going to do a software update on their refrigerator

Internet of things will drive forward lifestyle innovations (ComputerWeekly) Internet-connected devices have been predicted to become popular for many years, but the emergence of the internet of things (IoT) has been held back by many issues — the main one being cost

Forget the Internet of things…this is the Internet of crap (CSO Salted Hash) Unless we begin to treat all of our devices, boxes, technologies, etc. as hostile by default, we will continue to find ourselves cleaning-up the havoc wrought by adversaries with poor intentions and friends with good ones

Resolving the Critical Infrastructure Cybersecurity Puzzle (SIGNAL) Isolation measures to address vulnerabilities will not work well with vulnerable systems

Guest Column: Protecting power grid must be priority (Montgomery Advertiser) Revelations about the cyber theft of customer data at Target and Neiman Marcus are just the most recent reminders about the threat to the United States of cyber attacks. But invasive and costly attacks on businesses and all of us as customers may not even be the most worrisome threats

SME cloud — blanket security or security blanket? (ComputerWeekly) Small and medium-sized enterprises (SMEs) are as vulnerable to security threats as their larger counterparts. Everyone uses the same internet, much of the same software and has the same vulnerabilities from employee mishap or attacks on valuable data. Yet the SMEs does not normally have the luxury of a full-time IT security specialist, let alone the budget for bullet-proof specialist security systems

Infographic: Mobile policies fail to keep pace with device use in healthcare (FierceMobileIT) Doctors are increasingly using mobile devices to provide patient care, yet many healthcare organizations do not have a mobile technology policy in place, according to a recent survey by the Healthcare Information and Management Systems Society

Do organizations care about data protection? (Help Net Security) Most consumers just don't believe that the personal and financial data they submit to corporations is safe. That's the unmistakable takeaway from a new snap poll conducted by HyTrust

UK's top 100 online brands often allow lax password security, research finds (TechWorld) Apple scores top marks, Urban Outfitters comes bottom

Cyber-crime cost Irish economy €350m in 2013 (Independent) One in five of us a victim of €350m cyber-crime spree

Big Data still 'a new frontier' for most of the public sector (CSO) NSA surveillance technology is cutting edge, but for most of the government, Big Data analytics is a promise unfulfilled

Legislation, Policy and Regulation

Japan preps new law to bolster government cyber defences (The Register) Government systems attacked every thirty seconds

US Cyber Command Nominee Adopts Open Approach at Confirmation Hearing (Defense News) When US Army Gen. Keith Alexander submitted written answers to questions for his confirmation hearing to head the newly created US Cyber Command in 2010, he avoided publicly answering all or part of 29 questions, instead providing his responses to Congress in a classified document

NSA nominee backs protection for companies in any cyber law (Reuters via the Chicago Tribune) President Barack Obama's nominee to head the National Security Agency and U.S. Cyber Command said on Tuesday liability protection for corporations that share information with intelligence agencies is crucial in any new U.S. cybersecurity legislation

NSA nominee promotes cyberwar units to Senate (New York Times via the Columbus Dispatch) All of the major combat commands in the U.S. military soon will have dedicated forces to conduct cyberattacks alongside their air, naval and ground capabilities, Vice Adm. Michael S. Rogers, President Barack Obama's nominee to run the National Security Agency, told the Senate yesterday

Encryption makes you an NSA target expert warns (SlashGear) Following Edward Snowden's call for internet users to encrypt everything as a matter of course is likely to make you an even bigger target for the NSA, activist journalist Glenn Greenwald has warned, arguing that the stance inside the spying agency is that those protecting their data are inherently suspicious. "If you want to hide what you're saying from them" Greenwald said during a video appearance at SXSW this week, "it must mean that what you're saying is a bad thing," the former Guardian writer said the National Security Agency's assumptions

Who Wants To Unplug The NSA? Not Arizona's State Agencies (Forbes) Revelations last spring that the National Security Agency secretly gathered information on the communications of millions of Americans have led to a groundswell of legislation aimed at reining in government surveillance. But the response of state agencies in Arizona, one of the states where a popular anti-spying bill is furthest along, indicates unauthorized collection of personal information is deeply entrenched at both the state and federal levels

US, UK and Indian bodies named among worst online spies (Economic Times) US National Security Agency, India's Centre for Development of Telematics, and the UK's GCHQ have been named among the worst online spies by a non-profit group for implementing censorship and surveillance

GCSB dismisses whistleblower claims (Radio New Zealand News) The Government's external spying agency is denying it had help from the United States National Security Agency in rewriting the law governing the way it operates

Senate panel 'very close' to cyber bill (The Hill) Lawmakers on the Senate Intelligence Committee are getting "very close" to a new cybersecurity bill, according to the panel's top Republican

FCC task force will better intersect technology, health (FierceMobileHealthCare) Federal Communications Commission Chairman Tom Wheeler announced March 5 the launch of a new Connect2Health Task Force, which aims to use the agency's expertise to better intersect broadband connectivity, advanced technology and health

Gaps in State Dept. oversight of security training (FierceGovernment) Before traveling to certain dangerous countries, State Department employees are supposed to undergo security training, but the department doesn't always ensure they do so

Products, Services, and Solutions

Protecting data against unwanted surveillance (Help Net Security) Network security has been in the spotlight more than ever the past few months, and for good reason. We've seen many scary headlines that have put the pressure on security professionals — and also raised the stakes

Check Point Next Generation Threat Prevention Appliance (SC Magazine) The Threat Prevention Appliance from Check Point Technologies provides a solid security platform that can be customized with the addition of several software blades

Google Glass offers additional security to ATM users (Help Net Security) Taking photos with a wink, checking one's calendar with a glance of the right eye, reading text messages — the multinational cooperation Google wants to make it possible with Google Glass. But what IT experts celebrate as a new milestone makes privacy groups skeptical. So far, few people have access to the prototype to test how it can be used in daily life

Technologies, Techniques, and Standards

White House's Cybersecurity Framework Highlights Need for Preparedness (National Law Review) The White House recently announced the official launch of the Cybersecurity Framework, which provides voluntary guidelines for both public and private organizations operating as part of the "critical infrastructure" to create or improve upon their defenses and response protocols for cyber-attacks. The framework was drafted as a result of the President's February 12, 2013 Executive Order 13636 called for the development of a "prioritized, flexible, repeatable, performance-based, and cost-effective approach" for assisting organizations responsible for "critical infrastructure services" to manage cybersecurity risk. In October, the U.S. Department of Commerce's National Institute of Standards and Technology released a Preliminary Framework. The release of the Preliminary Framework was followed by a 45-day public comment period

Public outreach accelerates on cyber framework amid questions about measuring success (Inside Cybersecurity) Obama administration public outreach is in high gear one month after release of the framework of cybersecurity standards, although the metrics for measuring the effectiveness of the campaign remain in question

Breaking Kryptonite's Obfuscation: A Static Analysis Approach Relying on Symbolic Execution (Diary of a Reverse Engineer) Kryptonite was a proof-of-concept I built to obfuscate codes at the LLVM intermediate representation level. The idea was to use semantic-preserving transformations in order to not break the original program. One of the main idea was for example to build a home-made 32 bits adder to replace the add LLVM instruction. Instead of having a single asm instruction generated at the end of the pipeline, you will end up with a ton of assembly codes doing only an addition

Is it the ISP's Fault if Your Home Broadband Router Gets Hacked? (ISP Review) As consumers we have a right to be huffy at our ISPs when something goes wrong. But is the Internet provider still to blame if, as in the recent cases of AAISP and now PlusNet, your home broadband router ends up being hijacked by a DNS redirection exploit

Unbalanced Security is Increasing Your Attack Surface (TripWire: The State of Security) In the first article in the series, we talked about how when you don't understand your attack surface, too much security can actually make you more vulnerable and undermine the efficiency of your organization's operations. Now we will look at problems caused by unbalanced security, which will lead us to the third and final installment on security solutions that fight for the same resources

Can we test protection against targeted attacks? (Naked Security) In my day job as a tester of anti-malware solutions, I often get asked the same question: how do I plan to test against Advanced Persistent Threats, aka APTs? These threats are very different from your everyday malware, and testing protection against them turns out to be a very different kind of

Think data breach won't happen to you? Why we need to close the gap between perception and reality (CSO) Closing the gap between perception and reality of data breach is necessary to discuss and advance real solutions to the challenge of protecting people and information

Marketplace

Mergers, Spinoffs, Cyber Security, Disaster Planning and Executive Pay among Top Issues at 2014 Shareholder Meetings According to BDO USA, LLP (Herald Online) As the 2014 annual meeting season begins, shareholders will be focused on both opportunities and threats. After slumping through January and early February, the stock market has bounced back and is within shouting distance of new highs, but mixed economic data on hiring, exports, housing and manufacturing, coupled with worries about emerging markets are cause for potential concern. This unsettled climate should make for an interesting annual meeting season this Spring. BDO USA, one of the nation's leading accounting and consulting firms, has compiled the following list of topics that corporate management and boards of directors should be prepared to address in connection with 2014 annual meetings

Cisco, Check Point, Fortinet top growing security appliance market, says IDC (FierceITSecurity) The top three security appliance vendors—Cisco, Check Point and Fortinet—all gained market share in the fourth quarter of 2013, according to the latest stats from IDC

Startups dominate SMB cloud security market, says ABI (FierceIT Security) Startups dominate the security services market for small and medium-sized businesses using the public cloud, according to ABI Research

Security Services Cater To SMBs (Dark Reading) Cloud and managed security services are headed down market with simpler interfaces masking their enterprise heritage

Global Digital Solutions Files Form 8-K, Announces Unsolicited Letter of Intent to Acquire Remington Outdoor Company, with Estimated Annual Sales of $1.25 Billion and a P (Broadway World) Global Digital Solutions, Inc. (OTC-QB: GDSI), a company that is positioning itself as a leader in providing cyber arms manufacturing, complementary security and technology solutions and knowledge-based, cyber-related, culturally attuned social consulting in unsettled areas

What does the Bit9 and Carbon Black merger mean for businesses? (TechRadar) Bit9 recently merged with Carbon Black, a move that, in the newly-formed company's words, makes it the only one capable of detecting advanced threats on endpoints and servers to provide incident responses in seconds

Stealthy Enterprise Security Company Niara Raises $9M From Index And NEA (TechCrunch) We hear that Niara is playing in a similar space to Mandiant, focusing on companies and enterprises that have succumbed to security attacks. Niara

Jericho Systems to Research Data Privacy for U.S. Department of Homeland Security (Broadway World) Jericho Systems to Research Data Privacy for U.S. Department of Homeland SecurityJericho Systems Corporation, developers of EnterSpace Decisioning Service (ESDS) technology for externalized dynamic access control and content filtering, has executed a Broad Agency Announcement (BAA) contract with the U.S. Department of Homeland Security (DHS) Science and Technology Directorate to use fine-grained access control policies and data labels to secure sensitive and personally identifiable data at DHS fusion centers

Inspired by Key West, KEYW tackles cybersecurity, intelligence (Capital Gazette) Len Moodispaw does not consider himself a "big company" person, so when Northrup Grumman bought the firm he was working for, he decided to start his own business

You've already been hacked. Here's why it's okay (Fortune) Newly appointed AVG chief executive Gary Kovacs on simplicity, Mark Twain, and what to do in a world where you've already been hacked

Attracting cyber security talent a 'challenge' for police — Cyber Crime Unit's Andy Archibald (Computing) The public sector — and the police force in particular — is struggling to attract top cyber security talent to help protect the public from hackers and cyber criminals because security professionals can often get far better salaries in the private sector.

Michael Mullen, 25-Year Secret Service Vet, Named Cyveillance Security Services VP; Scott Kaine Comments (GovConWire) Michael Mullen, former assistant to the special agent in charge at the U.S. Secret Service, has joined QinetiQ subsidiary Cyveillance as vice president of security services

Steve Pataky, Vice President of FireEye Worldwide Channels and Alliances, Named as One of CRN's 50 Most Influential Channel Chiefs (MarketWatch) FireEye, Inc. FEYE -0.16%, the leader in stopping today's advanced cyber attacks, announced today that Steve Pataky has been recognized on the CRN 2014 Channel Chiefs list and has been named as one of this year's 50 Most Influential

Research and Development

How to Eat Your Entropy and Have it Too — Optimal Recovery Strategies for Compromised RNGs (International Association for Cryptologic Research) Random number generators (RNGs) play a crucial role in many cryptographic schemes and protocols, but their security proof usually assumes that their internal state is initialized with truly random seeds and remains secret at all times. However, in many practical situations these are unrealistic assumptions: The seed is often gathered after a reset/reboot from low entropy external events such as the timing of manual key presses, and the state can be compromised at unknown points in time via side channels or penetration attacks. The usual remedy (used by all the major operating systems, including Windows, Linux, FreeBSD, MacOS, iOS, etc.) is to periodically replenish the internal state through an auxiliary input with additional randomness harvested from the environment. However, recovering from such attacks in a provably correct and computationally optimal way had remained an unsolved challenge so far. In this paper we formalize the problem of designing an efficient recovery mechanism from state compromise, by considering it as an online optimization problem

Partnership Promises to Prevent Cloud Computing Problems (SIGNAL) The U.S. Army, government agencies and the private sector fund university research

Security Patches, Mitigations, and Software Updates

Patch Tuesday wrap-up, March 2014 — critical fixes from Microsoft and Adobe (Naked Security) Five updates from Microsoft, with two of them critical, including an APB for Internet Explorer users. One critical from Adobe, making that three must-get Flash fixes in just over a month. Don't delay. Patch today

Many non-security updates released for Windows and Office (ZDNet) It's Patch Tuesday, so Microsoft released many non-security updates in addition to the security patches. Windows 8.1 gets an even dozen

Is Microsoft really risking its reputation by retiring Windows XP? (FierceCIO: TechWatch) As administrators and IT managers are no doubt aware, Microsoft will stop shipping security updates for Windows XP after April 8, 2014. As I wrote previously, this comes after an incredible run of more than 12 years, which is substantially longer than other desktop operating systems such as

Adobe issues non-critical Flash update (ZDNet) A new version of Flash fixes two vulnerabilities in the Windows, Mac and Linux versions. They're not super-high priority

Joomla Fixes Critical SQL Injection Vulnerability (Threatpost) The open-source content management framework Joomla pushed out version 3.2.3 of its product last week, fixing a SQL injection zero-day vulnerability that could have let attackers steal information from databases or insert code into sites running the CMS

Cyber Attacks, Threats, and Vulnerabilities

Crimea — The Russian Cyber Strategy to Hit Ukraine (Infosec Institute) The year 2014 started with a diplomatic crisis in Crimes and Ukraine. The tension rose just after the 2014 Ukrainian revolution, in which the government of President Viktor Yanukovych was ousted after a popular revolt in Kiev. In the region there are groups contrary to the protest that desire the integration of Crimea with Russia, and these groups are opposed to others consisting of Crimean Tatars and ethnic Ukrainians which supported the revolution. The deposed president Yanukovych during the days of revolution covertly requested the intervention of the Russian military to stabilize the internal situation of Ukraine

Intel Analysts Dissect the Headlines: Russia, hackers, cyberwar! Not so fast. (FireEye) Claims of a cyber attacks, website defacements, sophisticated Russian malware, and even "cyberwar" have hit front pages since the conflict in Crimea heated up. With all the noise, it's hard to know what has actually occurred, and even tougher to interpret the consequences of the potential activity. Here's our take on the major cyber activities that have been reported throughout the Russia-Ukraine crisis

Eugene Kaspersky: Russia Ukraine Cyber Attacks Probably Not State Sponsored (TechWeekEurope) Eugene Kaspersky criticises espionage and cyber warfare, saying that countries should be working together to fight cybercrime, but reckons it's hacktivists involved this time

Masked Russians seized our gear: Norway journos (The Local (Norwegian Edition)) Masked guards seized computers and storage devices from three Norwegian journalists on Tuesday and labelled them as spies as they attempted to leave the Crimean peninsula for mainland Ukraine

Hole In WhatsApp For Android Lets Hackers Steal Your Conversations (TechCrunch) As part of what is predominantly an Android security issue, a CTO and consultant has discovered a vulnerability in WhatsApp encryption that could allow another app to access and read all the chat conversations in the WhatsApp app

A Trojan is circulating through Facebook Messenger (The Inquirer) Targets users pretending to be a Facebook friend with a 'LOL' and a fake image file

Hackers turn 162,000 WordPress sites into DDoS attack tools (V3) Hackers have hijacked more than 162,000 legitimate WordPress sites, connecting them to a criminal botnet and forcing them to mount distributed denial-of-service (DDoS) attacks, according to security firm Sucuri

WordPress pingback abuse blamed for massive DDoS attack (CSO Salted Hash) On Monday, Daniel Cid, the CTO of Sucuri, said in a blog post that his company recently mitigated a DDoS attack that leveraged more than 162,000 legitimate WordPress installations. The attack was possible because of the pingback function in the XML-RPC implementation used by WordPress

Large DDoS Attack Brings Wordpress Pingback Abuse Back Into Spotlight (CIO) Attackers exploited the pingback feature in WordPress to use 160,000 WordPress sites as DDoS proxies, researchers from Sucuri said

BB10's 'dated' crypto lets snoops squeeze the juice from your BlackBerry — researcher (The Register) BEAST will attack your sensitive web traffic, warns poster

Twitter goes down — but there's no place now for the Internet to freak out (VentureBeat) Uh-oh, looks like there's trouble in the Twitter land and other sites that hook in to the social network. This morning the service went down, initially without explanation and later "for maintenance." Features like Twitter cards were not working perfectly by 11:41 a.m. PT

Grand Theft Auto V Release Stirs Spam (Trend Micro Threat Encyclopedia) Game enthusiasts and fans of Grand Theft Auto need to be wary of the latest spam run we spotted, which capitalized on the said game

Timken Company Acknowledges Data Breach (eSecurity Planet) 4,987 names, birthdates, genders and Social Security numbers were exposed

Target's Data Breach Raised Few Alarms in Europe (Collections & Credit Risk) Three months after coming to light, the massive exposure of 40 million card accounts at Target Corp. still has the payments industry and consumers talking about what should be done to prevent this happening again. In the United States, that is

Target did not have CISO to oversee information security prior to massive breach (FierceITSecurity) Like Sony before it, Target did not have a chief information security officer overseeing security prior to its massive data breach that compromised 40 million credit and debit card accounts, and personal information on 70 million more shoppers, in November and December of last year

Don't be the next Target (FierceITSecurity) We can only wonder why Target, which handles millions of credit and debit card transactions every day, did not have a chief information security officer before its massive data breach that resulted in lost customers and profits

200 million consumer records left exposed in Experian security oversight (ZDNet) Smooth words and a fake identity gave one man the power to compromise millions of private financial records belonging to U.S. consumers

New techniques used to steal cyber-info (Yomiuri Shimbun via the Daily Herald) Cyber-attacks designed to steal valuable business information are becoming more refined and diverse

On the trail of Advanced Persistent Threats… (Naked Security) SophosLabs expert Gabor Szappanos has written a highly-recommended report entitled "Advanced Persistent Threats - the new normal?" Szappi explains how exploits once seen only in APTs are appearing ever more widely in money-making malware, and why that puts us all at ever greater risk

Litigation, Investigation, and Enforcement

Feinstein: CIA searched Intelligence Committee computers (Washington Post) The head of the Senate Intelligence Committee on Tuesday publicly accused the CIA of secretly removing documents from computers used by her panel to investigate the agency's controversial interrogation program and said that an internal agency investigation of the action has been referred to the Justice Department for possible criminal prosecution

CIA Hack Scandal Turns Senate's Defender of Spying Into a Critic (Wired) It's quite a change to hear Dianne Feinstein, the powerful chair of the Senate Select Committee on Intelligence, express outrage over warrantless and potentially illegal government spying

Edward Snowden critiques Dianne Feinstein remarks (Politico) National Security Agency leaker Edward Snowden called out Sen. Dianne Feinstein after her fiery floor speech Tuesday assailing the CIA, calling her anger hypocritical

How CIA snooped on Senate Intel Committee's files (Ars Technica) It's easy to search someone's network when you hired the IT department

Guest Post: The Elephant in the Room: The FBI (Just Security) Commissions, oversight boards, and review groups are all the rage these days. Recent weeks have seen hundreds of pages of reports evaluating American intelligence agencies, and there's a promise of more to come. These reports have recommended dozens of modifications affecting all three branches of government. But there's an integral part of the surveillance state that has thus far largely escaped the current scrutiny: the FBI. And while failure to "connect the dots" is an oft-cited flaw within the intelligence community, not insisting on examining more closely the FBI's surveillance activities represents a similar flaw by those outside the intelligence community

Snowden Isn't Exactly a "Traitor," Says the Top Nominee for NSA Director (Motherboard) In stark contrast to Edward Snowden's appearance yesterday in front of an SXSW crowd, Vice Admiral Michael Rogers, the man likely to take over the helm of the National Security Agency, today testified in front of the Senate armed services committee to talk about his vision for the future of US cyber defense

Spy Chief Assures Bar Association that NSA Respects Attorney-Client Privilege (Wall Street Journal Law Blog) The outgoing head of the National Security Agency has a message to the nation's lawyers: Your clients' secrets are in safe hands

The NSA won't shut up about Snowden, but what about the spy who stole more? (The Guardian) Why the incoming NSA chief needs to crack down on international espionage, not worthy whistleblowing

Tech Companies Shine Some Light on National Security Requests (MIT Technology Review) "Transparency reports" reveal insights about the requests made in the name of national security—including information that was previously kept secret

Australian telcom fined less than $10k for privacy violations (SC Magazine) An Australian telecommunications and media company was fined $9,161.18 (AU$10,200) for violating privacy laws as a result of a data breach affecting 15,775 of its customers

Judge freezes all of MtGox's US assets, lets class-action suit continue (Ars Technica) CEO, MtGox firms accused of fraud: "He is those companies and they are him"

Design and Innovation

Use this jargon to describe your startup—and you're sure to annoy journalists (Quartz) As tech journalists, our job is to decipher the lingo that startup entrepreneurs love to throw around at events like SXSW

How Facebook and Twitter built the best employee training programs in Silicon Valley (Quartz) Training employees and managers is essential at any company but particularly for startups. Yet many avoid it because it seems too hard or expensive