Cyber Attacks, Threats, and Vulnerabilities
Estonian Foreign Ministry's website comes under cyber attack (Baltic Business News) The website of the Estonian Ministry of Foreign Affairs came under cyber attack yesterday afternoon, reported ERR
AFTER CRIMEA: Top Intelligence Analysts Forecast The 5 Things That Putin Might Do Next (Business Insider) Russian President Vladimir Putin has invaded and annexed Crimea, continuing a Kremlin practice of employing military intervention abroad under the pretext of protecting ethnic Russians and Russian interests
Taken in phishing attack, Microsoft's unmentionables aired by hacktivists (Ars Technica) If Microsoft and eBay aren't safe from social engineering attacks, who is?
Flight 370 Investigation: Cyber Ties (GovInfoSecurity) The investigation of the disappearance of Malaysian Flight 370 is raising issues that are very similar to those considered in cybersecurity cases: the insider threat, deleting potentially key data from a computer, failure to share critical information and even corruption of the supply chain
BlackOS malicious web traffic managing software is on sale (Help Net Security) Security researchers are keeping a close eye on underground cybercrime forums and are quick to spot new offerings, such as the BlackOS software package
Operation Windigo botnet has infected 25,000 servers in the last two years (Tech Spot) Security researchers from antivirus provider ESET on Tuesday announced a massive cyber attack that has managed to take control of at least 25,000 Linux/Unix servers over the last two years. The infected servers are used to steal credentials, send spam, and redirect web traffic to malicious web pages
Sneaky "pileup" malware can exploit Android upgrades, researchers say (CITE World) If you've read a lot recently about the dangers of granting excessive permissions to mobile apps, you know that apps asking unnecessarily for personal information and control over device functions are best avoided — or at least managed with tools you can download
Android Custom Permissions Leak User Data (TrendLabs Security Intelligence Blog) A key part of Android's access control policies are permissions. To access certain resources on an Android device, applications need to request and be granted specific permissions. However, beyond those permissions specified by the operating system, an app can define its own customized permissions. Generally, this is done to protect an app's own functions or data
Hackers turning to Tor network to hide evolved malware, warns Kaspersky Lab (V3) Criminals plan to release a fresh wave of advanced cyber attack campaigns using the anonymising Tor network, according to Kaspersky Lab. Kaspersky Lab senior security researcher Sergey Lozhkin issued the warning during a webinar attended by V3, citing the recently discovered ChewBacca and evolved Zeus Tor malware as proof of their claim
Mass-Produced ATM Skimmers, Rogue PoS Terminals via 3D Printing? (TrendLabs Security Intelligence Blog) On several underground forums, a cybercriminal named gripper is selling ATM skimmers and fake POS terminals, and is making some very bold claims doing so
Retail Tracking and Privacy Crypto Cracked in Minutes, for Less than a Dollar (InfoSecurity Magazine) Retail analytics have been around for a dog's age, allowing stores — whether virtual or real — to track customer behavior and offer up related offerings accordingly. It's a central part of the up-sell and cross-sell process that keeps the sector humming along with repeat business
Arrest of secret-leaking ex-Microsoftie raises Hotmail privacy concerns (Updated) (Ars Technica) "We should not conduct a search…unless the circumstances would justify a court order"
Al-Qaida magazine cites weakness of Buffalo Niagara region (The Buffalo News) First the New York Times took notice of Buffalo's great architecture. Then Forbes magazine ranked the city as the nation's most affordable. And now Buffalo Niagara has garnered some worldwide media attention — in Inspire, the magazine of al-Qaida in the Arabian Peninsula. Inspire, which is not nearly as elegantly written as the New York Times or Forbes, tells us in its most recent issue that America's anti-terror strategy is "failing and fruitless" — and then goes on to say, in essence, that the Buffalo Niagara region isn't prepared for an attack
Manitoba Hydro may be vulnerable to cyber-attacks: report (CTV News Winnipeg) Manitoba's auditor general says Manitoba Hydro could be vulnerable to a cyber-attack by hackers or terrorists
End of XP Support: Are Banks Really Ready? (BankInfoSecurity) Banking institutions should be taking specific steps to prepare for Microsoft's dropping of support next month for the Windows XP operating system, banking regulators have warned. But industry experts disagree on whether the zero-day vulnerabilities and other risks related to XP's demise should be a major concern
A peek inside a modular, Tor C&C enabled, Bitcoin mining malware bot (Webroot Threat Blog) Cybercriminals continue to maliciously 'innovate', further confirming the TTP (tactics, techniques and procedure) observations we made in our Cybercrime Trends
CoinEX.pw: We Were Hacked, But Will Cover All Losses (CoinDesk) CoinEX.pw has confirmed it recently suffered a hack resulting in the theft of all the bitcoins in its possession
Hootsuite suffers DoS attack, reassures users (Naked Security) Social media management tool Hootsuite has recovered from a denial of service (DoS) attack which left users unable to use the system for some time yesterday
Virus compromises sensitive info on 5,400 Colorado hospital patients (SC Magazine) Social Security numbers and payment card data are among the personal information that may have been compromised for about 5,400 patients of Colorado-based Valley View Hospital after a computer virus was identified on some hospital computers
Univ. of Maryland victim of another cyber attack (WJLA TV ABC 7 News) Anne G. Wylie, UMD's interim vice-president and chair of the president's newly-formed task force on cybersecurity, sent a letter to faculty Thursday reporting that a "cyber intrusion into the university's network" was detected this past Saturday morning, March 15
Security Patches, Mitigations, and Software Updates
Cisco AsyncOS Patch (Internet Storm Center) Cisco released a patch for AsyncOS, the operating system used in its E-Mail Security Appliance (ESA) and Security Management Appliance (SMA)
Staying at the forefront of email security and reliability: HTTPS-only and 99.978 percent availability (Google Online Security) Your email is important to you, and making sure it stays safe and always available is important to us. As you go about your day reading, writing, and checking messages, there are tons of security measures running behind the scenes to keep your email safe, secure, and there whenever you need it
Bitcoin's software gets security fixes, new features (CSO) Bitcoin-QT, rebranded as Bitcoin Core, has more than six fixes for the so-called transaction malleability problem
Cyber Trends
Internet of Things Presents CIOs With Both Technical and Ethical Questions (CIO) Chamberlain Group's garage door opener lets consumers monitor and control their garage doors via Android and Apple mobile phones. It's convenient for customers, but what happens to the data collected
Ponemon Institute: Healthcare Industry Vulnerable to Cyber Attacks (Money News) Most healthcare organizations let their employees use their smartphones and tablets to connect to medical networks without installing virus or malware protection amid a 100 percent increase in cyber attacks since 2010, a new Ponemon Institute Patient Privacy and Data Security study finds
60 percent of FTSE companies mention cyber security risks in annual reports (SC Magazine) "Data breaches have become a fact of life for most companies," says John Yeo, Trustwave SpiderLabs EMEA director
Retail Speed Brief: Retailers at risk of cyber attacks now more than ever (Eversheds) In recent years businesses worldwide have seen a sharp rise in the number of cyber attacks. With the significant advancements in technology in the retail sector, retailers in particular are increasingly at risk of cyber attack
A "Tale of Two Cities" — where are the insurance companies? (Control Global) According to an article in BBC, underwriters at Lloyd's of London say they have seen a "huge increase" in demand for cover from energy firms. But surveyor assessments of the cyber-defenses in place concluded the cyber defenses were inadequate. "In the last year or so we have seen a huge increase in demand from energy and utility companies," said Laila Khudari, an underwriter at the Kiln Syndicate, which offers cover via Lloyd's of London
PaaS, Present & Future: Developers Will Decide (InformationWeek) Platform-as-a-service differs from IaaS. IBM's Ric Telford predicts what we'll see as it matures during the next two years
Half a Billion Reasons Why Data Security Still Faces Major Challenges (IBM Security Intelligence Blog) Today we released the 2014 IBM X-Force Threat Intelligence Quarterly which explores the latest security trends—from malware delivery to mobile device risks—based on 2013 year-end data and ongoing research
Big Data Reaches Inflection Point (InformationWeek) Enterprises see the light on big data opportunities. It's only a matter of time before mainstream data-management environments evolve
Big data vs. crowdsourcing: What's the future? (ITProPortal) Big data analytics has been recently touted in the media as the revolutionary technology of the 21st Century. According to enraptured journalists and the vendors of big data solutions, a new age is awaiting us, an age where everything is known, analysed and acted upon, a world where big data knows us better than we know ourselves
SC Congress London: BYOD issues remain in post-Blackberry era (SC Magazine) Bring Your Own Device is making waves in business, but concerns remain on how employees use personal smartphones and tablets, how they're managed and the laws to which companies must adhere
Marketplace
Symantec fires CEO, shares plunge (CNN Money) Security giant Symantec fired its president and CEO Steve Bennett Thursday, sending shares plunging 7% in after-hours trading. Symantec's (SYMC, Fortune 500) board announced that company director Michael Brown will replace Bennett on an interim basis until a permanent replacement is hired
DDoS attacks fuel rise in cloud-based DDoS mitigation services (FierceITSecurity) The rising number and size of distributed denial of service attacks are fueling demand for cloud-based DDoS mitigation services, according to Infonetics Research
Unified Threat Management Was Main Driver of the EMEA Security Appliance Market in 2013 (FierceITSecurity) According to the International Data Corporation (IDC) Europe, Middle East and Africa Quarterly Security Appliance Tracker, 4Q14 vendor revenue for the EMEA security appliance market reached $688.5 million, a 0.4% decrease over the same quarter a year ago. Shipments declined by 8.7% year on year with 185,019 units shipped. For 2013, the security appliance market vendor revenue totalled about $2.5 billion, representing a 2.4% increase over 2012
In-Q-Tel-Backed Platfora Gets $38M in Venture Capital; Ben Werther Comments (GovConWire) A big data analytics company funded by In-Q-Tel has received a $38 million investment in the latest round of venture capital from firms such as Tenaya Capital, Citi Ventures and Cisco
GSA Taps Metrica-Led Venture to Build Federal Cyber Dashboard (GovConWire) The General Services Administration has awarded a Metrica-led industry team with a $47.3 million contract to develop a government-wide dashboard for tracking and reporting cyber vulnerabilities, Federal News Radio reported Thursday
BT, IBM, Capgemini to offer cyber security apprenticeships (Computing) Cyber security apprenticeships will be offered by organisations including BT, IBM, Capgemini and Atos as part of a programme set up by skills body e-skills UK. Defence and security firms Cassidian and QinetiQ, and other small businesses specialising in cyber security, are also taking part in the initiative, which should see more than 100 apprentice positions filled by this summer
SD aims to build cyber security cluster (U-T San Diego) Industry employs 6,600 workers and has a $1.5 billion impact locally
Theresa May warns Yahoo that its move to Dublin is a security worry (The Guardian) Internet firm is known to be unhappy about snooping and would be under no obligation to hand over material under Irish laws
Products, Services, and Solutions
Prominent security mailing list Full Disclosure shuts down indefinitely (PCWorld) The popular Full-Disclosure mailing list that has served as a public discussion forum for vulnerability researchers for the past 12 years was suspended indefinitely by its maintainer
Full Disclosure mailing list shuts down, but won't fully disclose why (Graham Cluley) The Full Disclosure mailing list, which often published details of unpatched vulnerabilities, has announced it is shutting down. But — ironically — it refuses to fully disclose why it is closing its doors
'Full-Disclosure' Suspends Operations: Very Sad Day for Internet Security (TechZone360) There is an old saying that even all good things must come to an end. In this respect we should all mark March 19, 2014, as one of those days when a really good thing closed up shop
Missing Perspective on the Closure of the Full-Disclosure Mail List (OSVDB) This morning I woke to the news that the Full-Disclosure mail list was closing its doors. Assuming this is not a hoax (dangerously close to April 1st) and not spoofed mail that somehow got through, there seems to be perspective missing on the importance of this event. Via Facebook posts and Twitter I see casual disappointment, insults that the list was low signal to noise, and that many had stopped reading it a while back. I don't begrudge the last comment one bit
Product pitch: DigiCert Certificate Inspector (Help Net Security) SSL Certificates serve as the security backbone of the internet, securing billions of interactions annually. Yet, too often, system administrators fail to properly configure and install certificates, unknowingly leaving open vulnerabilities
Android Wear is about to make things creepier (ITWorld) Google wants to put Android-powered devices all over your body. What could go wrong?
One-Swipe QR Code authentication on show at IT security event (ProSecurityZone) SecurEnvoy is attending InfoSecurity Europe in London next month to demonstrate the latest technology and advantages of using two-factor authentication including one-time QR codes
Tags provide trusted identities for internet of things (ProSecurityZone) Trusted tags can be read by NFC-enabled mobile devices and provide secure authentication capabilities for non-human identities on networks
Technologies, Techniques, and Standards
Indian Health Service systems hacked in mock cyber attack (FierceHealthIT) The 28-hospital Indian Health Service—a U.S. Department of Health & Human Services agency that provides healthcare to Native American and Alaskan Natives—failed a mock cyber attack carried out by the HHS Office of Inspector General, according to a report
Penetration Test of the Indian Health Service's Computer Network (Office of the Inspector General, US Department of Health and Human Services) This report provides an overview of the results of our penetration test of the Indian Health Service's (IHS) computer network. It does not include specific details of the vulnerabilities that we identified due to the sensitive nature of the information. We have provided more detailed information and recommendations to IHS so that it can address the issues we identified
Understanding Security Through Probability (Cisco Blogs) Security is all about probability. There is a certain probability that something bad will happen to your networks or your systems over the next 24 hours. Hoping that nothing bad will happen is unlikely to change that probability. Investing in security solutions will probably reduce the chance of something bad happening, but by how much? And where should resources be most profitably directed
Target Breach: Missed Alarms … and Missed Perspectives (ThreatGeek) On March 14th, Bloomberg BusinessWeek published a lengthy article entitled, "Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It". The article highlighted the fact that Target had purchased $1.6M in FireEye advanced threat defense gear that had indeed detected two related pieces of malware on the Target network, but that Target had failed to respond to the alerts issued by the MSSP in Bangalore that was monitoring the equipment
Risks and opportunities of personal data, privacy, and trust (Help Net Security) The increased number of stories on data breaches in the news today has many implications; for consumers it's an increased risk of financial loss, identity theft and personal privacy erosion. For business it's loss of customer trust and a drop in revenue
Apple users: Try these five tips for better Mac security (Naked Security) Security for Macs is often a hotly-debated topic, perhaps because Apple has a reputation for security that is based more on a brand promise than reality. Don't panic. Here are five simple tips to help you get serious about security on OS X
Legislation, Policy, and Regulation
Orange Gives All Of Its Data To France's NSA (TechCrunch) Orange and France's main intelligence agency (the DGSE) have been cooperating illegally for years. According to a newly found report by Edward Snowden and Le Monde's investigation, the DGSE has had access to all of Orange's data (not just metadata) for years
France suspected of cyber espionage (Le Monde) The victim's posture that France has displayed since the revelations about the NSA's activities against it risks becoming less and less credible
When the Canadians go hunting for "Babar" (Le Monde) It was a real manhunt that the Canadian technical intelligence services of the Communications Security Establishment Canada (CSEC) carried out
Twitter Goes Dark In Turkey Hours After The Country's PM Threatened To "Wipe Out" The Service (TechCrunch) After the Turkish Prime Minister Tayyip Erdoğan promised that he would "wipe out" Twitter after it apparently ignored court orders asking the site to remove certain corruption allegations, the service has gone dark in the country. The situation is developing: a site that lets the public track decisions made by the courts over Internet communications indicates that today the
Why Is Turkey Blocking Twitter? (Electronic Frontier Foundation) "Twitter and so on, we will root them out. The international community can say this or that — I don't care. They will see the power of the Turkish Republic"
Turkey blocks Twitter: Here's 4 ways to beat the ban (ITProPortal) Turkish Prime Minister Recep Tayyip Erdoğan has had it in for Twitter ever since a stream of damaging leaks alleging widespread corruption in his inner circle spread via the social network
NSA at TED: 'arrogant' Snowden put lives at risk (Wired) The US National Security Agency went on the offensive today after Edward Snowden's surprise Tuesday appearance at the TED conference in Vancouver
US officials: NSA overseas surveillance is targeted, not bulk collection (NetworkWorld) Critics question the officials' description of the NSA's overseas surveillance programs
NSA Contradicts Assertions by Microsoft and Other Service Providers (Redmond Magazine) Service provider denials that they knew of broad access to customer data by the U.S. National Security Agency appear to have been contradicted by an attorney for that agency
'US not waging industrial espionage' (AAP via SBS) The US says the goal of gathering data on companies or economic intelligence is "to support national security interests" and "not to try to help Boeing"
Snowden Disclosures and Norms of Cyber-Attacks (Lawfare) Secrecy—of the sort that typically shrouds cyber-defense and cyber-attack capabilities and doctrine—complicates the development of international norms. Secrecy makes it difficult to engage in sustained diplomacy about rules. Officials can talk about them at high levels of generality, but can't get very specific, and it's therefore hard to reach agreement. Secrecy makes it difficult to verify commitments or demonstrate compliance. Perceived distance between mere words and true actions may be large amid high degrees of secrecy
Meet Becky Richards — The NSA's New Civil Liberties and Privacy Officer (Armed with Science) I think it goes without saying that the National Security Agency had something of a tumultuous 2013
Agency begins analysis of U.S. gov't surveillance programs (SC Magazine) A bipartisan agency met this week to begin research on U.S. government online surveillance programs
Counsel: Senate intel panel 'close' on cybersecurity information-sharing bill (Inside Cybersecurity) The leaders of the Senate Select Committee on Intelligence are "close" to reaching agreement on a cybersecurity information-sharing bill with liability protection for industry that is designed to win the support of 60 or more senators, according to Jack Livingston, the panel's minority counsel
Bipartisan Policy Committee Report on Cyber Security of the Electric Grid — What's Missing (Control Global) I reviewed the Bipartisan Policy report and then had a chance to meet with one of the project leads to discuss some of my concerns. I will address the big picture policy issues as they continue to recur in almost all industries and industrial organizations (there is a reason I am giving a lecture on control system cyber security at West Point next month)
DoD still hesitant about mobile devices (C4ISR & Networks) The Defense Information Systems Agency's work with other Defense Department components to develop an enterprise-wide mobile device network could help address longstanding concerns about mobile devices, according to Daniel Risacher, associate director of enterprise services and integration at DoD
U.S. Mulling Big Data Policy (GovInfoSecurity) The Obama administration is in the midst of a four-week effort to get the public to chime in on policies the federal government could develop regarding the privacy and security of big data
US Drug Enforcement Administration helps Bulgaria build cyber security system (Standart) The US Drug Enforcement Administration (DEA) will support us in the development of a full-scale cyber security system, it emerged after Deputy PM Tsvetlin Iovchev met with Alejandro Mayorkas, Deputy Secretary of the United States Department of Homeland Security, and Secret Service director Julia Pearson, the MI reported
Litigation, Investigation, and Law Enforcement
Secretary Johnson Highlights Results of Operation That Dismantled Underground Child Exploitation Enterprise on Tor Network (US Department of Homeland Security) Department of Homeland Security (DHS) Secretary Jeh Johnson, joined by representatives from U.S. Immigration and Customs Enforcement (ICE), U.S. Postal Inspection Service (USPIS) and the U.S. Attorney for the Eastern District of Louisiana today highlighted the complete results of one of the largest online child exploitation investigations in the history of ICE, involving victims in 39 states and five countries
Emergency Hearing on NSA Data Destruction (Courthouse News Service) At an emergency hearing Wednesday, opponents of the National Security Agency's telephone surveillance program will demand preservation of collected telephone metadata for discovery
NSA Official: Keeping Americans' Phone Records Could Jeopardize National Security (Foreign Policy) A federal judge has ordered the National Security Agency to indefinitely hold onto the phone records of hundreds of millions of Americans in a massive database that civil liberties groups have long wanted to destroy and that's been at the center of a legal controversy for months. But in a bizarre twist, the NSA itself now says keeping the phone records will impose a heavy toll on the agency and will ultimately distract the NSA from its national security mission
Former Microsoft employee arrested over Windows 8 leaks (The Guardian) Alex Kibkalo accused of leaking Windows 8 and anti-piracy code to a blogger
Microsoft Will Now Deploy Two Legal Teams, Outside Former Federal Judge To Approve User-Data Searches (TechCrunch) Following a court document revealing that Microsoft read the email of a third-party blogger to uncover an internal leak, the company this evening announced a policy change, effective immediately, regarding how it searches user data that is part of its own network of services. Noting that it couldn't, in its view, get a court order to search itself as none is needed, it will instead add layers of
Google's Widespread Wiretapping Could Have Snowden-esque Repercussions (Precursor Blog) A shocking new legal fact set recently came together in public as a result of a Gmail wiretapping case, Fread v. Google. Revelations of Google's secret widespread wiretapping of hundreds of millions of people over the last three years, using a NSA-PRISM-like device called "Content One Box" could have Snowden-esque repercussions
Kim Dotcom loses key evidence ruling at NZ Supreme Court (Ars Technica) Dotcom can't look at his own data to prepare an extradition defense
Using Contract Provisions to Mitigate Potential Damage from Cyber Attacks (Cyveillance) Law Seminars International hosted a thought-provoking teleconference event last week on "Contractual Protections for Cyber Attacks." While most information security presentations emphasize technology solutions, this one focused on the legal aspects of cyber attacks for attorneys, risk management professionals, contract professionals, and lawyers, and specifically, on the importance of updating contracts to protect your business
NSA Deputy Director: 'Always Room' to Discuss Amnesty for Snowden (Wired) NSA Deputy Director Rick Ledgett told the audience at TED there was "room for discussion"
"Weev" prosecutor admits: I don't understand what the hacker did (Ars Technica) Andrew "weev" Auernheimer gets his day in appellate court
Weev Needs To Walk (TechCrunch) Andrew "Weev" Auernheimer is a troll, but he's not a criminal. This is clear. In his recent appearance in federal appellate court in Philadelphia, the ignorance surrounding his actions and the lack of proof that they are a felony, even according to the wide-open standards of the Computer Fraud and Abuse Act, makes it clear that the defendant should walk
Comcast Issues First Transparency Report (Threatpost) Comcast transparency report reveals government interest in data belonging to customers of the largest American Internet service provider
Man arrested for hacking League of Legends database, aiding gamer denial-of-service attacks (Graham Cluley) A suspected hacker has been arrested in connection with a serious security breach of servers belonging to the "League of Legends" video game
Mt. Gox finds forgotten wallet with 200,000 bitcoins (Washington Post) Defunct Bitcoin exchange Mt. Gox has found nearly a quarter of the bitcoins it previously reported missing in an old digital file
Report: California top target of cyber-gangs (AP via the Detroit News) International criminal enterprises follow the money, and a report being released Thursday says they are increasingly focusing on California because of its wealth and innovation