The CyberWire Daily Briefing 03.14.14

Cyber Trends

High-Risk Security Vulnerabilities Identified During Reviews of Information Technology General Controls at State Medicaid Agencies (US Department of Health and Human Services) High-risk security vulnerabilities we identified during previous, restricted reviews of information system general controls at 10 State Medicaid agencies (State agencies) raise concerns about the integrity of the systems used to process Medicaid claims. The integrity of the State agencies' Medicaid systems depends on the effectiveness of the information system general controls, which are critical to the reliability, confidentiality, and availability of Medicaid data. Without effective general controls, State agencies are not able to adequately safeguard sensitive Medicaid systems and data

Healthcare industry advised to do more thorough risk analyses (CSO) Recent study indicates growing list of risks for healthcare security, prompting experts to call for the improved analyses

Obamacare Vs. Patient Data Security: Ponemon Research (InformationWeek) Healthcare professionals worry that healthcare regulations mandating patient data exchange are luring more data thieves, says Ponemon study

Electric-Grid Attack Fuels Sniper-Versus-Hacker Debate (BusinessWeek) U.S. energy regulators' efforts to harden the power grid against snipers and terrorists are fueling a debate over whether they're diverting resources from other threats, like cyber attacks

Ponemon and AccessData Study Reveals Majority of Organizations Unable to Effectively Respond to and Resolve a Cyber-Attack (Open PR) AccessData, the leader in incident resolution solutions, and the Ponemon Institute released new findings focused on the current state of incident response and threat intelligence and how both can be improved to better benefit organizations. The report, Threat Intelligence & Incident Response: A Study of U.S. & EMEA Organizations, sponsored by AccessData, surveyed 1,083 CISOs and security technicians in the United States and EMEA about how their company handles the immediate aftermath of a cyber-attack and what would help their teams more successfully detect and remediate these events

Cyberspace: What is it, where is it and who cares? (Armed Forces Journal) Assured access to cyberspace is a key enabler of national security, so the answer to the question in the title is: we should all care. Two of the defining characteristics of a strong, modern, industrial nation are economic prosperity and a credible defense. The ability to use cyberspace has become indispensable to achieving both of these objectives

Social media scams rampant. Water is wet. (CSO) I'm rather amused reading this article in the Globe and Mail today about social media scams. It talks about how people are falling for scams on social media sites time and again. While my initial reaction is to scoff, I have to constantly remind myself that these scams, social media based or otherwise, continue to work. Why? People are greedy, gullible and easily swayed in many cases. They want that $250 gift card for completing a survey or a free set of Ginsu knives for providing their banking details

Enterprises Harness Social Networking for Increased Agility and Responsiveness, Finds Frost & Sullivan (FierceITSecurity) The need to enhance communication and collaboration in the workplace to increase employee engagement, accelerate decision-making, and boost overall productivity is driving the global enterprise social networking market. Organizations are integrating purposeful social collaboration functionality into workflows to dynamically connect people and information at the appropriate time, instead of relying solely on legacy collaboration tools utilized in traditional static use cases

Today's IT Organization—Delivering Security, Value, and Performance Amid Major Transformation (Proviti) If there is one word to describe the state of IT organizations in 2014, it is transformation

Bruce Schneier on Incident Response and His Next Book (Ars Technica) Bruce Schneier explains the role that incident response technology should play in the modern IT security landscape

Convergence of SIEM and Forensics (InfoSecurity Magazine) Sometimes technology areas that once seem distinct converge. Indeed, there was a time when the term convergence was used, without qualification, to refer to the coming together of IT and traditional telephone networks, something that for many is now just an accepted reality

Legislation, Policy and Regulation

U.S.-Russian cybersecurity talks face uncertainty amid Ukrainian crisis (Inside Cybersecurity) The turmoil in Ukraine has cast a shadow of uncertainty over the next chapter of U.S.-Russian cybersecurity talks, which last year led to the creation of a White House-Kremlin cybersecurity crisis hotline — thus far, never used, according to U.S. officials

Progress on EU data protection reform now irreversible following European Parliament vote (European Commission) The European Parliament today cemented the strong support previously given at committee level to the European Commission's data protection reform (MEMO/13/923 and MEMO/14/60) by voting in plenary with 621 votes in favour, 10 against and 22 abstentions for the Regulation and 371 votes in favour, 276 against and 30 abstentions for the Directive). The reports of MEPs Jan-Philipp Albrecht and Dimitrios Droutsas, on which members of the European Parliament voted, are a strong endorsement of the Commission's data protection reform and an important signal of progress in the legislative procedure. The data protection reform will ensure more effective control of people over their personal data, and make it easier for businesses to operate and innovate in the EU's Single Market

New EU cybersecurity law avoids making big Internet companies report breaches (NetworkWorld) Breach rule extends only to companies that own, operate or provide technology for critical infrastructure facilities

Europe Approves New Data Protection Law with Punitive Fines (CIO) European politicians voted overwhelmingly on Wednesday in favor of new laws safeguarding citizens' data

La CNIL actualise ses conseils sur le paiement en ligne (Le Monde Informatique) La Commission nationale de l'informatique et des libertés a décidé de mettre à jour ses recommandations sur le paiement en ligne qui avaient été émises il y a plus de 10 ans et a mis l'accent sur la confidentialité des données relatives aux cartes bancaires

Foreign Officials In the Dark About Their Own Spy Agencies' Cooperation with NSA (The Intercept) One of the more bizarre aspects of the last nine months of Snowden revelations is how top political officials in other nations have repeatedly demonstrated, or even explicitly claimed, wholesale ignorance about their nations' cooperation with the National Security Agency, as well as their own spying activities. This has led to widespread speculation about the authenticity of these reactions: Were these top officials truly unaware, or were they pretending to be, in order to distance themselves from surveillance operations that became highly controversial once disclosed

Stop mass surveillance now or face consequences, MEPs say to US (Help Net Security) Parliament's consent to the EU-US trade deal "could be endangered" if blanket mass surveillance by the US National Security Agency does not stop, members of European Parliament said on Wednesday, in a resolution wrapping up their six-month inquiry into US mass surveillance schemes

Key NSA Defender Wants to End Bulk Data Collection (National Journal) Dutch Ruppersberger has a plan to overhaul the controversial spying program

Feinstein Shifts Slow-Burning Anger From Guns to Spies (Roll Call) Few senators wait until their 80s, or the start of their third decade in office, to have their breakout moment. But that's what this past year has been for Dianne Feinstein

It's time for Obama to take a side in the battle between the CIA and the Senate (The Week) He can start by demanding that a report on Bush-era interrogation methods be declassified

Senate sets up departure of top CIA lawyer by lifting block on successor (The Guardian) Confirmation of Caroline Krass had been put on hold by Senate to gain leverage against CIA in procuring post-9/11 documents

NSA Director nominee wants every branch of the military to have a dedicated cyber attack force (Engadget) It seems like President Obama was pretty serious about that cyber attack list he drew up last year — his nominee candidate for NSA Director, Admiral Michael Rogers, just told the Senate that the military is building several new cyber combat units. Rogers, who is slated to both take over at the NSA and head the United States Cyber Command, spent several hours answering to the Senate Armed Services Committee this week

U.S. Military Given Secret "Execute Order" on Cyber Operations (FAS) Last June, the Chairman of the Joint Chiefs of Staff issued a classified "execute order" to authorize and initiate a military operation. The nature, scope and duration of the military operation could not immediately be determined — even the title of the order is classified — but it evidently pertains to the conduct of military cyberspace activities. The existence of the previously undisclosed execute order was revealed last week in a new Air Force Instruction

NSA says "indiscriminate" Facebook hacking allegations "are simply false" (Ars Technica) Spooks "only support lawful and appropriate foreign intelligence operations"

Zuckerberg to Obama: 'I'm frustrated' (MarketWatch) Facebook CEO reacts to report that the NSA used Facebook for spying

Bill Gates: 'No admiration' for Edward Snowden (Politico) Gates said some details about government surveillance are best left secret. Microsoft founder Bill Gates says despite his concerns about privacy, he has no "admiration" for National Security Agency leaker Edward Snowden

Surveillance And Security Companies Set Up Zero-Day Exploit Portals For Governments To Use In 'Offensive' Actions (TechDirt) Just under a year ago we wrote about Gamma International's use of Mozilla's trademark to trick people into installing surveillance malware from the company. A post from Privacy International points out the company has now set up what it calls the "Finfly Exploit Portal" providing

New NSA chief explains agency policy on "zero-day" exploits to Senate (Ars Technica) Most discovered bugs are revealed to vendors, but some kept for attacks, he says

NSA: Our zero days put you at risk, but we do what we like with them (ZDNet) NSA chief nominee US Navy Vice Admiral Michael S Rogers details some of the procedures it follows for disclosing or withholding its trove of zero day flaws

Justifying New Federal Cyber Campus (InfoRiskToday) When President Obama proposed spending $35 million to design a federal cyber campus to promote a "whole-of-government" approach to cybersecurity incident response, the administration provided scant details on the initiative buried deep in its $3.9 trillion fiscal year 2015 budget proposal

JIE not a program of record, says Takai (FierceGovIT) Defense Department effort to restructure its information technology infrastructure is not a program of record, although it is subject to program of record-like oversight, said DoD Chief Information Officer Teri Takai

DHS seeks to erase database walls, but filter searches (FierceGovIT) An effort to create an internal data mining and search capability encompassing multiple Homeland Security Department databases will be constrained by a system that filters results according to employee authorization to see certain kinds of data, says the department privacy office

Products, Services, and Solutions

Google encrypts search; bad news for NSA, China (The Washington Post via Herald Net) Googling the words "Dalai Lama" or "Tiananmen Square" from China long has produced the computer equivalent of a blank stare, as that nation's government has blocked websites that it deemed politically sensitive

Google gives UK government "super flagger" status for YouTube (Computing) Google has granted the UK security services privileged 'super flagger' status over YouTube videos, enabling the government to demand instant screening of videos it deems threaten national security

Skybox Security Introduces Vulnerability Center (Broadway World) Skybox Security Introduces Vulnerability CenterSkybox Security, the leading provider of risk analytics for cyber security, today launched the Skybox Vulnerability Center, a free online resource for IT security practitioners that includes access to the Skybox Vulnerability Database, one of the most advanced vulnerability databases in the industry. Users can search the Skybox Vulnerability Database by vendor, category, severity, date, CVE number and more, and drill down for special details on specified vulnerabilities

Validian Launches Next Generation of Intrusion Prevention (Wall Street Journal) Validian Corp. (OTCQB:VLDI), first-to-market with next generation cyber security technology that provides secure access of critical applications and secure access, transfer and storage of digital information on wired, wireless and mobile networks over the Internet, announced today that it has launched its next generation Intrusion Prevention System, which is the first technology in the market to actually prevent cyber attacks that result from breaching critical applications, and the improper access and theft of valuable digital information

Apple iPhones Could Thwart Thieves, Attackers (Dark Reading) Apple patent application suggests the company is looking to add personal security features to its mobile devices

Cloud-based wireless network monitoring (ProSecurityZone) Smaller businesses now have access to wireless monitoring, security and management tools available in a cloud computing model thereby avoiding hardware dependence

Product integration for critical infrastructure protection compliance (ProSecurityZone) Suite of products available from Tripwire enabling utility companies to achieve compliance with NERC Critical Infrastructure

Technologies, Techniques, and Standards

Your Cloud Was Breached. Now What? (InformationWeek) You're not happy. You just experienced a breach. Here's how to keep calm and secure your cloud

Ensure compliance with Windows BitLocker encryption using MBAM 2.0 (TechTarget) Before you can use MBAM 2.0 to manage Windows BitLocker encryption across multiple computers, follow these tips on deploying and administering it

MBAM 2.0 simplifies large-scale Microsoft BitLocker implementations (TechTarget) Ensuring encryption compliance across multiple machines gets easier with MBAM 2.0, which enables enforcement and management of Microsoft BitLocker

IT can tackle Windows configuration with a well-planned desktop audit (TechTarget) Enforcing Windows policies across the enterprise seems like a pain, but a few desktop audit practices can help IT reach its configuration goals

Enemy at the gates? Antimalware screens unlucky coder's software (TechTarget) This week, a developer asks our expert why antimalware protection is deleting his software. The cause might not be bad code, and there is recourse

The paranoid's survival guide, part 2: Protect your privacy on social, mobile and more (ComputerWorld) Here's how to minimize your personal data footprint when messaging, on social media, and using mobile apps

Guide to ERM: Risk Governance (Willis Wire) What should a board expect from management regarding risk and resiliency? As a part of strong enterprise risk management practice the board of directors should consider the following

Don't Confuse Email with Social Media in the Workplace (Willis Wire) There is a quite a bit (rightfully) being written about the challenges of addressing social media related employment actions (hiring / firing); I've written some of these myself

Will Self-Encrypting Drives Help Stop Data Breaches? (PC Magazine) In light of all the security breaches last year, companies are looking for ways to protect their own and their clients' data. Samsung claims that self-encrypting drives are the solutions to better security software protection. In a recent infographic, the company outlines a few reasons why self-encrypting drives are better for businesses

Involving the C-suite in risk management (FCW) As the world becomes more digitized and interconnected, the door to emerging threats and proprietary data leaks has opened wider. The number of security breaches affecting enterprises across numerous industries continues to grow, seemingly every day. Once a topic restricted to the IT organization, security is now unquestionably a C-suite priority. A strong plan for risk management throughout the organization has become essential

Marketplace

Cyber, IT Bright Spots in Defense Budget (National Defense Magazine) The Pentagon's budget proposal for fiscal year 2015 includes $5.2 billion for cyber security. But when intelligence agencies are added to the mix, the amount nearly doubles, according to new estimates

Record prizes for Pwn2Own and Pwnium contestants (Help Net Security) The results of the first day of the traditional Pwn2Own hacking contest at the CanSecWest Conference currently taking place in Vancouver are in, and the losers are Adobe, Microsoft and Mozilla

IE 11 Stands Up to Pwn2Own Exploit Attempt (Threatpost) Browser exploits continue to make news at Pwn2Own, but one that failed stood out in particular

Keen Team of China Takes Down Safari and Flash at Pwn2Own (Threatpost) Keen Team, a group of Chinese hackers, took down Apple Safari and Adobe Flash at the annual Pwn2Own contest

Pwn2Own: The perfect antidote to fanboys who say their platform is safe (Ars Technica) Despite huge leaps in secure code, nothing is immune when hackers are motivated

Accuvant to be acquired by the Blackstone Group (SC Magazine) In a deal that is reported to be worth $225 million, the Blackstone Group will buy a majority of the stake in cyber security firm Accuvant from investment firm Sverica International

Solving The Security Workforce Shortage (Ars Technica) To solve the skills shortage, the industry will need to attract a wider group of people and create an entirely new sort of security professional

Former DISA Vice Director Joins DB Networks Board (Newsfactor) DB Networks, an innovator of behavioral analysis in database security, today announced that Maj. Gen. James David Bryan, U.S. Army (Ret.) has joined its board of advisors. In this new role, Mr. Bryan will provide insight and counsel as the company takes its behavioral analysis technology for database security into new growth markets

Security Patches, Mitigations, and Software Updates

Security update available for Adobe Shockwave Player (Adobe Security Bulletin) Adobe has released a security update for Adobe Shockwave Player 12.0.9.149 and earlier versions on the Windows and Macintosh operating systems. This update addresses a critical vulnerability that could potentially allow an attacker to remotely take control of the affected system. Adobe recommends users of Adobe Shockwave Player 12.0.9.149 and earlier versions update to Adobe Shockwave Player 12.1.0.150 using the instructions provided in the "Solution" section below

USN-2147-1: Mutt vulnerability (Ubuntu Security Notice) The mutt mail client could be made to crash or run programs as your login if it opened a specially crafted email

Red Hat's Fedora 21 brimming with security, crypto upgrades (InfoWorld) Changes to Fedora, like smart card access control and systemwide policy for cryptography, could end up in Red Hat Enterprise Linux

Google Play update adds enhanced security options for app purchases (Phandroid) A new version of the Google Play Store is arriving for Android users, giving folks more control over security measures surrounding app purchases. Users can now decide how often the Play Store will ask for password confirmation, adding a layer of protection against the happy fingers of a child

Windows XP Goes Dark: 5 Things To Expect (InformationWeek) Microsoft customers face Windows XP's end-of-service deadline. How much will you suffer from the lack of support

For Windows XP, the end is nigh (Boston Globe) I drive a 12-year-old Ford, and why not? It's quiet and comfy, and it gets me there. Lots of people feel the same way about software. Almost 30 percent of the world's desktop computers run Microsoft Corp.'s Windows XP, an operating system introduced in 2001. About 40 percent of the PCs at The Boston Globe still run XP, and so do 95 percent of the world's automatic teller machines, according to ATM maker NCR

Sailing the Seas of Digital Detritus (CSO) Much like the hundreds of discarded satellites and assorted rocket pieces that circle the planet high above our heads, the Internet is littered with junk. I'm not talking about people taking pictures of EVERY single meal that they sit down to eat. Rather, broken and/or forgotten websites. For the last couple days I've been sailing along the tubes of the Internet looking for broken sites and there is no shortage

Cyber Attacks, Threats, and Vulnerabilities

Hackers down Russian presidential site in 'powerful cyber-attack' (Russia Today) Unidentified hackers brought down the Russian presidency's site and the Central Bank's web page in a wave of online attacks. The website is now operational for most users

20 million reasons the Kremlin just blocked a bunch of opposition websites (Quartz) With tensions rising over Crimea, Russia yesterday blocked a number of opposition websites. One of them is the blog of Alexei Navalny, an opposition leader currently under house arrest, who is known for publishing documents about official corruption online. In response to the censorship, he published what he says are his blog's traffic statistics (link in Russian) for the past 12 months, showing 20 million unique visitors (note that it's not possible for us to verify this independently). Assuming most of them are from Russia, it's a not-insignificant chunk of the country's population of 143 million—good reason for the authorities to be worried

NSA Nominee Confirms Ukraine is under Cyberattack (Nextgov) A top U.S. military official said Tuesday he believes hackers are attacking Ukrainian computer and communications networks—but he declined to point the finger at Russia. "In an open unclassified forum, I'm not prepared to comment on the specifics of nation-state behavior," Vice Adm. Michael Rogers told the Senate Armed Services Committee when asked whether Russia is using cyberattacks against Ukraine

Inside Turla: US military's worst cyber breach (Gadget) G-Data and BAE Systems have released information on the cyber espionage operation codenamed Turla. Furthermore, Kaspersky's has found a connection between it and the already existing Agent.BTZ malware, which took the Pentagon over a year to eradicate it from the U.S. military's networks

Target says it declined to act on early alert of cyber breach (Reuters) Target Corp's security software detected potentially malicious activity during last year's massive data breach, but its staff decided not to take immediate action, the No. 3. U.S. retailer said on Thursday. "With the benefit of hindsight, we are investigating whether if different judgments had been made the outcome may have been different," company spokeswoman Molly Snyder said in a statement

Why Target is as much a victim as to blame for cyber attacks (Digital Journal) If you were one of those people that got a phone call out of nowhere stating that your account has been compromised, you're well aware that Target has been the victim of recent cyber attacks

Rbrute Trojan hacks Wi-Fi routers to help spread Sality (Help Net Security) Researchers from Russian AV company Dr. Web have recently analyzed a Trojan that hacks Wi-Fi routers in order to facilitate the spreading of the infamous Sality malware family

Malicious advertising offers broad reach and quick rewards for malware perpetrators (CSO) Dynamic, expanding advertising scene opening juicy targets for Internet bandits

DDoS attacks using NTP amplification soar, warns Prolexic (FierceITSecurity) Distributed denial of service attacks using network time protocol amplification surged 371 percent in February, warns DDoS protection service firm Prolexic Technologies

110,000 Wordpress Databases Exposed (CSO) For years now I've been writing my various blog posts and I have used many different kinds of CMS platforms right back to posting using VI back in the 90s. My favourite platform that I've used to create content has been Wordpress by far. I can almost here the security folks cringe. Yes, it is a massive headache to lockdown. But, I fight on as the user experience makes the pain worthwhile

Incorrect mobile numbers undermine One-Time Password security, survey finds (Techworld) A small but persistent percentage of SMS One-Time Passwords (OTPs) sent by two-factor authentication systems never reach users because organisations have no way of spotting incorrect mobile numbers, new research has suggested

Commercial Windows-based compromised Web shells management application spotted in the wild — part two (Webroot Threat Blog) Sticking to good old fashioned TTPs (tactics, techniques and procedures), cybercriminals continue mixing purely malicious infrastructures with legitimate ones, for the purpose of abusing the clean IP reputations of networks, on their way to achieving positive ROI (return on investment) for their fraudulent activities. For years, this mix of infrastructures has lead to the emergence of the 'malicious economies of scale' concept, in terms of efficient abuse of legitimate Web properties, next to the intersection of cybercriminal online activity, and cyber warfare

CTO of WordPress-based business downplays pingback DDoS risks (CSO Salted Hash) Jason Cohen, founder and CTO of WP Engine, says the news surrounding DDoS attacks launched from WordPress' pingback function have been incorrectly and unfairly characterized by the media

Hacker who Snowdenized ethical hacking site also grabbed email control (Naked Security) The hacker behind the pasting of Edward Snowden's mug onto the EC-Council's site also managed to send a password-reset to its cloud-based enterprise email and get control of some customers' accounts

Morrisons supermarket hit by MASSIVE staff payroll data robbery (The Register) Details of 100,000 staffers leaked online, sent to local paper

Cybercriminals Tell Users They Might Have Cancer to Trick Them into Installing Malware (Softpedia) Cybercriminals have hit a new low. They're telling users they might have cancer just to trick them into installing a piece of malware on their computers

NYC MTA Data Breach Exposes 15,000 Employees' Info (eSecurity Planet) A CD containing Social Security numbers, birthdates and salary information was found in a refurbished PC sold at a major retailer

UCSF Medical Center Admits Third Data Breach in Four Months (eSecurity Planet) Unencrypted computers containing 9,986 people's personal and health information were stolen in early January

The Smart Car will be hacked (ReadWrite) Connected cars are computers on wheels, and before long they'll do most everything our phones and tablets do now—store personal data, finalize transactions, play games. Oh, and catch viruses and other malware

Thoughts on Exploiting Trust and Targeting Security's Weakest Link (CSO) Social engineering, including Phishing, is my favorite form of attack. Hands down, it's the most cost effective, and often the simplest method of cracking an organization's defenses

Study Shows Phone 'Metadata' is Highly Sensitive (Threatpost) The term metadata and the implications of its collection and analysis have been one of the key points in the debate surrounding the NSA's broad surveillance programs over the last year. Legislators, policy makers and others continue to argue about whether metadata can actually reveal anything about the people behind the phone numbers, but researchers

Academia

Government to give kids cyber security lessons (TechRadar) The UK government thinks it is wise to train 11-14 year old cyber security skills under its plans for new higher-level and advanced apprenticeships

Eighty Invited to Compete in 2014 NJ Cyber Aces State Championship at Brookdale March 22 (Atlantic Highlands Herald) Eighty men and women of various ages and backgrounds will compete in a face-to-face competition at Brookdale Community College March 22 for a chance to train for a career in cybersecurity at the New Jersey Cyber Aces Academy at Brookdale

Litigation, Investigation, and Enforcement

CIA-Senate dispute raises murky legal, policy issues; no guarantee of criminal prosecution (AP via the Greenfield Daily Reporter) A fight between the Senate and the CIA over whether crimes were committed in the handling of sensitive classified material appears unlikely to be resolved in the courts, legal experts say

Senator's claims of CIA violating computer fraud act shaky, legal expert says (CSO) Establishing CFAA liability could be uphill task for Sen. Dianne Feinstein

In two key cases, activists now ask judge to order NSA metadata preservation (Ars Technica) After FISC reverses itself, EFF also asks Feds to disclose what was deleted

BT caught in data gaffe drama: Whistleblower squeals over alleged email fail (The Register) Britain's privacy watchdog probes 'likely breach'. BT is being investigated by the UK's data regulator after a whistleblower exposed evidence that allegedly showed the one-time national telco's customer email accounts were being compromised by spammers, The Register has learned

NY Judge Questions Rare Arrest In Trade Secret Theft Case (Law360) New York Supreme Court Judge Jeffrey K. Oing on Wednesday questioned whether hedge fund Two Sigma Investments LLC had gone too far by seeking the arrest of a former analyst accused of stealing trade secrets, saying other employers might now copy the tactic and try to jail ex-workers in such disputes

Design and Innovation

The World's Richest Ex-Hackers (Forbes) Long before he was the two-hundred-and-second richest person on the planet, Jan Koum was just another curious kid with a wardialer