The CyberWire Daily Briefing for 3.26.2014

Cyber Attacks, Threats, and Vulnerabilities

Potential 7 Million Credit Card Details Leaked (DATALOSSdb) The last couple of weeks have seen tensions rising between Russia and Ukraine, and along with it an increase in computer crime. Sometime earlier this morning, a post allegedly by Anonymous Ukraine has claimed to have published "more than 800 million credit cards" by releasing four archives: Visa, Mastercard, American Express, and Discover cards. Based on the initial analysis by Risk Based Security, the number appears to come to a total of 955,579 cards

Three Things You Should Know About the Syrian Electronic Army (Bloomberg) For the past three years, cyber-security research firm IntelCrawler has studied the Syrian Electronic Army using a combination of operatives, underground sources and public information. The result? A 94-page report that is among the most comprehensive studies of the prominent hacking group's activities

New Malware Named Ploutus: Cybercriminals Steal Cash from ATMs (ClickSSL) A leading Security Certificate Authority named Symantec has detected a new malware which can steal cash from ATM machines. When Microsoft declared that support for windows XP will cease from April 8, 2014, every bank started to worry about the security of their ATMs. In the world of cyber culprits, hackers are inventing new techniques everyday to steal confidential information and money of companies and internet users. Symantec recently find out an ATM malware named "Backdoor.Ploutus.B" that works on a single SMS pattern in which, attacker sends a simple SMS to compromised ATM and can easily collect the cash. This technique is currently in use by attackers across the world. Below is an image showing that how an attacker withdraw cash from an ATM using a phone

Gameover ZeuS now targets users of employment websites (Help Net Security) Some newer variants of the Gameover Zeus Trojan, which is exceptionally good at using complex web injections to perform Man-in-the-Browser (MITB) attacks and gain additional information about the victims to be used for bypassing multi-factor authentication mechanisms and effecting social engineering attacks, has been spotted targeting users of popular employment websites

New worm infects thousands of IoT devices, mines cryptocurrency, warns Symantec (FierceITSecurity ) A new type of malware, first discovered in November, is infecting Internet of Things, or IoT, devices in order to mine cryptocurrency, according to computer security company Symantec. The worm, known as Linux.Darlloz, takes advantage of the tendency not to change access restrictions on IoT devices and routers from default factory user names and passwords

Android bug can push devices into an endless reboot loop (Help Net Security) A Proof-of-Concept app exploiting a recently discovered Android vulnerability that triggers the continuous rebooting of an affected device was apparently also behind the recent DoS attack on Google Play

Hackers targeting Microsoft Word and Outlook zero-day vulnerability (V3) Hackers are targeting a newly discovered zero-day vulnerability in Microsoft's Word and Outlook services, according to security firm Qualys

Latest Word zero-day similar to exploits in other targeted attacks (CSO Salted Hash) Exploits involved booby-trapped Rich Text Format file and Microsoft Outlook email

Boeing rules out cyber sabotage connection to missing plane (WTOP) The difficult search for answers about the disappearance of Malaysia Airlines flight MH370 is compounded by the inability to find either the plane intact or the wreckage

ZIP Codes Show Extent of Sally Beauty Breach (Krebs on Security) Earlier this month, beauty products chain Sally Beauty acknowledged that a hacker break-in compromised fewer than 25,000 customer credit and debit cards. My previous reporting indicated that the true size of the breach was at least ten times larger. The analysis published in this post suggests that the Sally Beauty breach may have impacted virtually all 2,600+ Sally Beauty locations nationwide

Phantom lonely women online were lures to victims of malware in February (ZDNet) China and the US were countries with the biggest spammers, but at 6th place, India could soon get that dubious top slot once internet penetration rates ramp up

YouTube has fallen (Bromium) Last year I wrote about our critical state of cyber-security: the barbarians are at the gates, and CISOs must take bold steps forward to adopt new practices to dramatically reduce enterprise insecurity

Cyber Trends

Middle East Malware Rates Five Times Worldwide Average (InfoSecurity Magazine) At the RSA conference 2014 in San Francisco, Tim Rains, director of Trustworthy Computing at Microsoft, spoke to Infosecurity editor Eleanor Dallaway about the security threat landscape in the Middle East

Cybercriminals have upper hand in IT security race (FierceITSecurity) In this Editor's Corner, I'd like to take a deep dive into a cybercrime report prepared by the nonprofit think tank RAND, best known for its national security research

Hacker black markets outbid IT companies in bidding for zero-day exploit disclosures (Computer Weekly) The hacking black market is outbidding legitimate IT companies for disclosure information on zero-day exploits

Disruptive Commercial Technologies (Naval Research Advisory Committee) The internet functions effectively as both an R&D resource and supply chain for irregular forces throughout the world. Commercial technologies pose a real and enduring threat

Focus Cyber Risk on Critical Infrastructure: Remote Substations are Vulnerable (CSO) Doug DePeppe has some especially strong feelings about protecting remote substations from cyber attacks

Healthcare Security: Where's the Hype for HIPAA? (SecurityWeek) I've written a good deal about hype in the past year or so, and how I believe the security industry does itself a disservice by continually playing up issues to serve its own short-sighted purposes. However, it's also been my experience that, for one reason or another, there are segments of the security market that aren't discussed enough. One of those segments is healthcare. While retail breaches continue to dominate headlines (most notably Target), healthcare security issues continue to fly under the radar

Cybersecurity Expert and CIO: Internet of Things is 'Scary as Hell' (CIO via ComputerWorld) The terms "Internet of Things" (IoT) and "connected home" are two of the trendiest buzzwords in the technology world today. And while both clearly offer very real potential, they also introduce their own share of risk, particularly if they're not approached with caution, according to Jerry Irvine, an owner and CIO of IT outsourcing services firm, Prescient Solutions

The NSA is burning down the web, but what if we rebuilt a spy-proof internet? (The Guardian) To realize what we've given away, imagine going totally offline. Better yet, believe in what a truly secure online life might look like

Marketplace

Cyber-attacks increase leads to jobs boom (BBC) There is going to be a very high demand for cybersecurity workers. Every cloud has a silicon lining

Cisco's SourceFire buy gives tech giant renewed network security momentum (FierceITSecurity ) Cisco's $2.7 billion purchase of Sourcefire last fall has enabled the tech giant to regain momentum in the growing network security market, according to data from Infonetics Research

As Hackers Begin to Target the Power Grid, Startups Are Helping to Keep the Lights On (Bloomberg) On March 8, a blackout in Wolfsburg, Germany, paralyzed a Volkswagen plant, leading to the loss of production of more than 100 cars

InvestMaryland Challenge finalists unveiled (Baltimore Business Journal) Four Baltimore startups have made it to the final round of this year's InvestMaryland Challenge. All together, 12 finalists are competing for a $100,000 top prize in four categories — information technology, life sciences, general industry, and cyber security. Cyber startups Light Point Security and Zero Fox, as well as Foodem.com and Staq, are the Baltimore finalists

Products, Services, and Solutions

SecurityStarfish, LLC Announces Assured Anonymity for Threat Information Sharing (Yahoo! Finance) Anonymization Engine enables anonymous sharing without third-party middlemen

Guidance and Blue Coat to provide a 360-degree view of cyber threats (CIOL) Partnership integrates endpoint and network security to deliver comprehensive visibility of modern and zero-day cyber threats

Tera Group creates swap agreement to hedge bitcoin exchange rate risk (FierceFinanceIT) Tera Group has created a non-deliverable forward swap agreement to hedge the risk of fluctuations in the exchange rate for bitcoin. The agreement has the potential to "open doors" to more bitcoin users who may want to accept bitcoin payments while hedging the risk that the virtual currency will lose value, Tera Group executives say

Defense Department Deploys Secure Cloud Service (InformationWeek)) The Department of Defense (DOD) is rolling out a new cloud computing service as part of its ongoing efforts to trim IT costs and provide more streamlined services to its military and civilian users. The service, called MilCloud, provides an integrated suite of capabilities, including the ability for users to configure infrastructure resources and manage applications on a self-service basis

Procera Networks Unleashes Embedded Intelligence at Interop Las Vegas 2014 (MarketWatch) Procera Networks, Inc. PKT -1.17%, the global Internet Intelligence company, today announced it will showcase the award-winning Network Application Visibility Library (NAVL) at Interop 2014, April 1-3 in Las Vegas

(Free!) Security Tools you should try (Network World) A whirlwind guide to free network security, anti-virus products. Who doesn't like free stuff? There's a long tradition of free or open-source security tools, and one of the best sites to learn more about them is Security Tools, a running list of what it claims are the 125 best free security tools around

Twitter Bags Encryption Program (TechNewsWorld) While Twitter is concerned with the privacy of its users and protecting them from run-of-the-mill phishing attacks and such, it's unlikely anything it was going to do would protect its users' direct messages from the likes of the NSA, noted Tal Klein, vice president of marketing for Adallom. Moreover, that kind of encryption would very likely crank up the customer complaints

Technologies, Techniques, and Standards

How to build an effective corporate privacy compliance program (TechTarget) Expert Mike Chapple reviews major data privacy laws and explains how to build a data privacy compliance program to meet regulatory requirements

Breach detection systems: Deployment models that detect malware better (TechTarget) Advanced malware has increased the need for organizations to expand their security best practices to include tier-two security technologies. There are many tier-two security technologies; the value of a breach detection system (BDS), which serves as a complementary technology to tier-one security tools, is its ability to detect malware

Network Virtualization: Final Piece of the Private Cloud (Forbes) Server virtualization epitomizes the benefits of abstracting logical IT resources from their physical manifestation. Hypervisors like VMware vSphere or Microsoft Hyper-V create immense efficiencies and flexibility in data centers by allowing previously underutilized equipment to run multiple applications in software-isolated environments. Networks are the next piece of data center infrastructure to get the virtualization treatment and the ensuing products provide comparable improvements in efficiency, versatility and productivity

Tor networks: Stop employees from touring the deep Web (TechTarget) Interest in the deep Web exploded in 2013 as international headlines broadcast the unexpected reach of National Security Agency's mass surveillance programs, and the made-for-Hollywood story unfolded of the Silk Road website and arrest of its alleged proprietor, "Dread Pirate Roberts"

You want to know who has access to what? Good luck (ComputerWorld) There's a dirty little secret in the computer security world that makes the dream of least-privilege access control very hard to attain: It's often literally impossible to determine who has what level of access to which objects

Design and Innovation

Chesapeake Innovation Center Moving to Odenton, Fort Meade Area (Broadneck Patch) The incubator's new site across the gates from Fort George G. Meade will make it easier for companies to work with the national security sector, leaders said

Research and Development

Password Hashing Competition (PHC (h/t Bruce Schneier)) The Password Hashing Competition (PHC) is an effort organized to identify new password hashing schemes in order to improve on the state-of-the-art (PBKDF2, scrypt, etc.), and to encourage the use of strong password protection. Applications include for example authentication to web services, PIN authentication on mobile devices, key derivation for full disk encryption, or private keys encryption

Academia

Northrop Grumman and University of Maryland, Baltimore County Launch Global Externship Summer Program (MarketWatch) Northrop Grumman Corporation NOC +0.57% and the University of Maryland, Baltimore County (UMBC) today announced a 2014 Global Externship Program to give international students exposure to career fields in cyber, program management and computer engineering

Moraine Valley to Host Midwest Regional Cybersecurity Competition (Midland Daily News) After months of preparation, the top cybersecurity teams in the Midwest are set to demonstrate their skills on Friday, March 28, 1:30-10 p.m., and Saturday, March 29, 8 a.m.-5 p.m. at the National Center for Systems Security and Information Assurance (CSSIA) housed at Moraine Valley Community College

Legislation, Policy, and Regulation

White House plan would end NSA's bulk collection of Americans' phone data (Washington Post) The Obama administration is preparing legislation that would end the National Security Agency's widespread collection of Americans' phone data while, officials say, preserving the government's ability to gain information about terrorists

Obama says new NSA proposal alleviates privacy concerns about surveillance (Washington Post) President Obama on Tuesday said he believes the plan his administration has given him to address concerns about the National Security Agency's widespread collection of Americans' phone data is "workable," and he hopes Congress will move to enact it

Obama says US needs to win back trust after NSA spying (Global Post) US President Barack Obama said on Tuesday that because of the revelations about US spying, the United States needs to win back the trust of governments and citizens

Former NSA Director: 'Shame On Us' (Der Spiegel) In a SPIEGEL interview, former NSA director Michael Hayden, 69, discusses revelations of US spying on Germany made public in documents leaked by Edward Snowden, surveillance against German leaders and tensions between Berlin and Washington

Rand Paul takes some credit on NSA plan (Politico) Sen. Rand Paul on Tuesday praised reports that President Barack Obama is moving toward ending the National Security Agency's bulk collection of Americans' phone data, saying he's willing to take some credit

The real losers in NSA's hacking of Huawei (FierceCIO: TechWatch) The National Security Agency reportedly hacked into the networks of Huawei Technologies, stealing product source code and monitoring the communications of company executives. This startling revelation was jointly unveiled over the weekend by The New York Times and the German newspaper Der Spiegel, drawn once again from the huge trove of data leaked by former NSA contractor Edward Snowden

Keith Alexander: NSA Isn't Spying On Jimmy Carter's Emails, So He Can Stop Using Snail Mail (Huffington Post) Gen. Keith Alexander, director of the National Security Agency, on Tuesday denied the agency spies on former President Jimmy Carter's emails

Director of national intelligence wins 'worst open government' prize (Seattle Post Intelligencer) James Clapper, the Obama administration's director of national intelligence, is winner of this year's Rosemary Award, given out for the "Worst Open Government Performance of 2013" by the National Security Archive at George Washington University

In Age of Cyber Strikes & Sanctions, Will Only US Ground Forces Deter Putin? (Intercepts) Cyber strikes. Sophisticated sanctions. In an ever-more technologically and economically connected world, the US national security apparatus increasingly talks about and employs these "new" tools of conflict. But will either work against an adversary/irritant who still moves his forces via freight rail? One influential Washington think tank says no

A way forward to effectively regulate the trade in surveillance technology (Privacy International) The market for surveillance technologies has expanded so much in recent years that oversight has been totally unable to keep up, which has led to devastating consequences in the lives of human rights defenders in repressive regimes around the world

Rise in security clearances worries OMB (FierceGovernmentIT) The large number of individuals ruled eligible for a security clearance is risky and costly, the Office of Management and Budget warned in a recently released report

Human Resources Command stands up Cyber Branch (Army News Service) U.S. Army Human Resources Command established a provisional Cyber Branch Thursday, to provide career management, development and readiness to the Army's cyber forces

Where next for the new EU data protection regulation? (ComputerWeekly) The new European Union data protection regulation to replace the outdated 1995 directive will not be finalised before May's European Parliament elections

Benefits of big data must not outweigh privacy concerns, argues EU data protection chief (V3) The benefits of big data must not ride roughshod over the need for privacy and data protection, according to Europe's privacy tsar

Japan establishes cyber defence unit (Jane's Defence Industry) The Japanese Ministry of Defense (MoD) established a Cyber Defence Unit (CDU) on 26 March to detect and respond to attacks on the MoD and the Japan Self-Defense Forces

Litigation, Investigation, and Law Enforcement

Why NSA spying is breaking UK law (ComputerWeekly) The show is over. The fat lady has finally sung. The fat lady, in this case, is a former White House lawyer, Rajesh De, now the senior legal counsel for the US National Security Agency

Petitions call on U.S. government to leave Snowden alone (PCWorld) U.S. President Barack Obama's administration should reverse its decision to suspend the passport of U.S. National Security Agency leaker Edward Snowden and end its efforts to prosecute him as policymakers push to change the programs he exposed, a group of activists said

Stanford Univ., L.A. County privacy breaches costly, expansive (FierceHealthIT) A breach of state privacy law could cost Stanford Hospital & Clinics and one of its former contractors more than $4 million after medical information of 20,000 emergency room patients was posted online for nearly a year

Target missed many warning signs leading to breach: U.S. Senate report (Reuters) Target Corp missed multiple opportunities to thwart the hackers responsible for the unprecedented holiday shopping season data breach, U.S. Senate staffers charged in a committee report released on Tuesday

Feds notified more than 3,000 companies about hacking in 2013 (CNBC) Amid a rash of cyber attacks, Federal officials told more than 3,000 companies last year that their systems had been compromised, The Washington Post reported

'Think Before You Click': Project iGuardian Takes Aim At Cyber Safety (CBS) Federal and local law enforcement officials were expected Tuesday to announce the launch of a first-of-its-kind national cyber safety campaign

For a complete running list of events, please visit the Event Tracker.

Upcoming Events

Veritas 2014 (, Jan 1, 1970) At Veritas 2014, hear directly from the big data experts in top tier retail finance who are now implementing strategy and starting to yield real commercial value. Experts dedicated to Big Data in the sector will show you how the right approaches can lead to far-reaching results in business model innovation, risk mitigation and identifying new revenue streams. See how Veritas 2014 will help you develop your big data implementation strategy.

Black Hat Asia (, Jan 1, 1970) Black Hat is returning to Asia for the first time since 2008, and we have quite an event in store. Here the brightest professionals and researchers in the industry will come together for a total of four days--two days of deeply technical hands-on Trainings, followed by two days of the latest research and vulnerability disclosures at our Briefings.

SEC Cybersecurity Roundtable (Washington, DC, USA, Mar 26, 2014) The Securities and Exchange Commission today announced that it will host a roundtable next month to discuss cybersecurity and the issues and challenges it raises for market participants and public companies, and how they are addressing those concerns.

Cyber Security Management for Oil and Gas (, Jan 1, 1970) Attend to gain cutting-edge information from oil and gas cyber security experts on: Using the very latest in intelligence techniques to find and neutralize the newest threats in time. Preventing security breaches while ensuring your employees, social media and mobile devices operate effectively. Implementing best practices in order to achieve and maintain SCADA and other key systems security. How a "critical infrastructure" designation would impact different aspects of oil and gas cyber security management.

Financial Incentives for Cybersecurity Businesses (Elkridge, Maryland, USA, Mar 27, 2014) Learn the details and take the opportunity to ask questions of leading experts on how to apply for tax credits (Cyber Tax Credits, Research Tax Credits, Security Clearance Tax Credits, Secured Space Tax Credit) and the latest details on the Maryland Small Business Financing Authority's newest program for small businesses looking for investment dollars.

ISSA Colorado Springs — Cyber Focus Day (Colorado Springs, Colorado, USA, Mar 27, 2014) Join us for the Information Systems Security Association (ISSA) — Colorado Springs Chapter — Cyber Focus Day set to take on Thursday, March 27, 2014 at Colorado Technical University (CTU).

Corporate Counter-Terrorism: the Role of Private Companies in National Security (Washington, DC, USA, Mar 28, 2014) The 2014 American University Business Law Review Symposium will address the growing role of corporate America in governmental counter-terrorism programs, including the bulk metadata and PRISM surveillance initiatives. John Carlin, Assistant Attorney General for National Security, will deliver the keynote. Other speakers will include current and senior officials from the Justice Department, National Security Agency, Office of the Director of National Intelligence, FBI, DHS, Google, and Microsoft.

CyberBiz Summit (Linthicum, Maryland, USA, Mar 28, 2014) Learn first-hand how to get your cyber business started, how to raise capital, and what to do to make it happen. Join us for four informative sessions, networking and breakfast at the BWI Westin on Friday, March 28th.

Cyber Saturdays (Laurel, Maryland, USA, Mar 29, 2014) Are you a community college student with an interest in network security or information assurance? Would you like to test your skills in a fast-paced game environment? If so, one if Capitol College's upcoming Cyber Saturdays could be a great way to spend part of your weekend.

Interop Conference (, Jan 1, 1970) Interop Conference sessions help you find actionable solutions to your current IT headaches and plan for future developments.

SyScan 2014 (Singapore, Mar 31 - Apr 4, 2014) SyScan is a deep knowledge technical security conference. It is the aspiration of SyScan to congregate in Asia the best security experts in their various fields, to share their research, discovery and experience with all security enthusiasts in Asia.

NSA Hawaii (, Jan 1, 1970) Be a part of the 2nd Annual Information Technology Expo set to take place at the new National Security Agency (NSA) Regional Operations Center in Wahiawa, HI. The event is being sponsored once again by the NSA Hawaii NSA/CSS Technology Directorate. The focus of this event will be Cyber Security, Big Data and Cloud Computing technologies but all interested companies are welcome to exhibit.

InfoSec World Conference & Expo 2014 (, Jan 1, 1970) With the primary objective of providing top-notch education to all levels of information security and IT auditing professionals, InfoSec World delivers practical sessions that give you the tools to strengthen your security without restricting your business.

NIST IT Security Day (Gaithersburg, Maryland, USA, Apr 8, 2014) The Office of the Chief Information Officer, OCIO, is hosting NIST IT Security Day as a means to heighten awareness for all NIST users on the many aspects of operational information technology security and networking at home and in the office. This event's objective is to educate users on IT security and related topics. The event will feature guest speakers on general and technical IT security topics and tutorials on internal services and products.

IT Security Entrepreneurs Forum (ITSEF) 2014 (, Jan 1, 1970) IT Security Entrepreneurs Forum (ITSEF) is SINET's flagship event, designed to bridge the gap between the Federal Government and private industry. ITSEF brings unique value to the Cybersecurity community by providing a venue where entrepreneurs can meet and interact directly with top government agency and industry officials in an open and collaborative environment. This SINET community of interest and trust facilitates broadened awareness of the government's challenges, needs, and its future direction regarding Cybersecurity, while shining a spotlight on the entrepreneurs and their innovative technologies that are helping to address and solve today and tomorrow's security challenges.

SOURCE (, Jan 1, 1970) The purpose of SOURCE Conference is to bridge the gap between technical excellence and business acumen within the security industry. SOURCE fosters a community of learning where business and security professionals come together to gain knowledge and skills, network with peers, and advance their careers and professional development. SOURCE enables individuals, teams, and organizations to leverage information to improve decision-making, optimize performance, and achieve business objectives.

Women in Cybersecurity Conference (, Jan 1, 1970) WiCyS is an effort to bring together women (students/faculty/researchers/professionals) in cybersecurity from academia, research and industry for sharing of knowledge/experience, networking and mentoring. Any individual or organization interested in recruitment/retention of women in this field and/or diversification of their cybersecurity workforce is especially encouraged to get involved.

Suits and Spooks San Francisco (, Jan 1, 1970) S3+: Surveillance, Security, Sovereignty and other Critical Issues. Not another hacker conference. Suits and Spooks is a unique gathering of experts, executives, operators, and policymakers who discuss hard challenges in a private setting over two days. CFP is now open. If you're interested in being a speaker at Suits and Spooks San Francisco, please send an email with your topic title, short abstract, and your bio by February 15th.

East Africa Banking and ICT Summit (Kampala, Uganda, Apr 25, 2014) The global event series for Banking and ICT Summit enters its third year. The summit will continue to provide delegates with technical & practical sessions, lectures and showcase for banking and ICT innovations, and unique networking opportunities.

National Collegiate Defense Cyber Competition (, Jan 1, 1970) Registration for the 2014 CCDC season is underway! Visit your region's website or contact your regional for registration and competition information.

InfoSecIndy (Indianapolis, Indiana, USA, Apr 26 - 27, 2014) Join us on April 26-27, 2014 in Indianapolis, Indiana for the premier Midwest Information Security and Digital Forensics Conference.

Infosecurity Europe 2014 (, Jan 1, 1970) Infosecurity Europe is Europe's number one Information Security event. Featuring over 350 exhibitors, the most diverse range of new products and services, an unrivalled education programme and over 12,000 visitors from every segment of the industry, it's the most important date in the calendar for Information Security professionals across Europe.