Cyber Attacks, Threats, and Vulnerabilities
TCS Founder Says Hacker Attacks on His Bank May Be From Ukraine (Bloomberg) Oleg Tinkov, founder of Russia's TCS Group Holding Plc (TCS), said online attacks on the consumer lender may have originated from hackers in Ukraine
Russian ministers ditch iPads over security concerns (ComputerWeekly) Russian government officials have ditched their Apple iPads in favour of Samsung tablets over security concerns
Hackers Breached Israeli Defence Forum, gathered info, sent threatening SMS to Israeli journalists (HackRead) A possibility that Muslim hackers could have compromised the IsraelDefense magazine database and its website, to launch the recent SMS attack on Israelis, is being explored, according to Times of Israel. It's not clear if that database was the source of the phone numbers used in the SMS 'attack,' but there were no reports of
Famous South Korean Search Portal NAVER Hacked, 25 Million accounts Hacked Using Stolen Data (HackRead) A hacker going by the handle 'Seo' has been arrested for breaking into the accounts of 25 million people on NAVER, South Korea's largest Web portal. According to the Korea Herald, the hacker bought the private information of 25 million people
'Dendroid' virus threatening Android phones in India (Economic Times) Indian cyber security sleuths have alerted Android smartphone users about the malicious activities of a tricky virus called 'Dendroid' whose infection could "completely compromise" their personal phone device
DDoS attacks soar as cyber-criminals hit Basecamp (SC Magazine) Distributed-denial-of-service attacks are getting bigger and more common, with Prolexic saying that these attacks are exceeding 100 Gbps on a regular basis
Hidden crypto currency-mining code spotted in apps on Google Play (Help Net Security) You already know that cyber criminals are using malware to make victims' computers mine crypto currencies for them, but did you know that your phone can be instructed to do the same? A month ago researchers from G Data discovered mining code hidden in several repackaged popular Android apps on third-party app stores. Lookout researchers are now warning of similar apps being offered on Spanish forums dedicated to the distribution of pirated software, and made for mining Bitcoin, Litecoin, and Dogecoin
Cryptolocker infection forces chamber of commerce to spend $5,000 on new PCs (CSO) Still cutting a swathe through small-town America
A Study In Bots: Dexter (Cylance) During our session "Hacking Exposed: The Art of Deterrence" at RSA Conference 2014, Stuart McClure and I demonstrated various Art of Deterrence tactics against the Dexter botnet. Dexter is just one of many pieces of malware released recently that targets Point of Sale (POS) systems and is designed to scrape—and exfiltrate—credit card information. It does this by reading the RAM of processes it has access to, looking for any string that matches the credit card track format and then verifies whether or not the string matches the Luhn algorithm. Lastly, it uploads the information to a command and control server using simple encoding/encryption
Hackers preparing 'wild west' zero-day assault on Windows XP (SC Magazine) With Windows XP finally set to go end-of-life next week, Microsoft has made one final call for businesses and consumers to update to a newer version of the operating system
Deceptive ads expose users to the Adware.Linkular/Win32.SpeedUpMyPC.A PUAs (Potentially Unwanted Applications) (Webroot Threat Blog) Rogue vendors of Potentially Unwanted Applications (PUAs) continue tricking tens of thousands of gullible users into installing deceptive and privacy-violating applications. Largely relying on 'visual social engineering' tactics and basic branding concepts, the majority of campaigns convincingly present users with legitimate-looking ToS
Cyber attack reportedly fools Waze to report fictitious traffic jams, leads drivers to alternative routes (BGR) Google-owned crowdsourced navigation service Waze was caught napping as an intelligent student duo's program hacked into the system, causing the service to report fictitious traffic jams on the streets of Israel and leading drivers to take alternative routes. The whole exercise didn't just show the students' potential but also exposed the weak points in Waze's system
Spammers take advantage of Naked Security writing about spammers (Naked Security) An identity theft focused spam campaign is doing the rounds pretending to be a winning notification from the American "green card lottery". Worse yet, the spammers decided to utilize imagery hosted on Naked Security
Noted cyber-group 'Anonymous' plans attack on APD websites (KOB 4) The international network of online activists known as "Anonymous" has announced their plans to launch a cyber attack on the Albuquerque Police Department's websites
Sally Beauty data breach could include 280,000 accounts compromised (FierceRetailIT) Sally Beauty Supply's (NYSE: SBH) data breach could be much higher than originally reported, as information from more than 280,000 credit cards from nearly all the retailer's 2,600 locations may have been compromised
12,000 Phishing sites hosted on compromised WordPress installs (CSO Salted Hash) Stats compiled by Netcraft show that 12,000 WordPress installations were compromised in February and used in phishing campaigns that targeted Apple customers and PayPal users
Lost Flash Drive Exposes Florida Children's Medical Data (eSecurity Planet) Last names, medical record numbers, birthdates, gestational ages, birth weights and dates of hospitalizations may have been exposed
Shelburne Country Store Hacked (eSecurity Planet) Customer names, addresses, credit or debit card numbers, expiration dates and verification numbers may have been accessed
U.S. Suspicions of China's Huawei Based Partly on NSA's Own Spy Tricks (IEEE Spectrum) Fears of Chinese espionage based on "back doors" built into computer hardware have prompted the U.S. government to block China's technology giant Huawei from doing business on U.S. shores. Such suspicions may come in large part from the knowledge that U.S. spies have already learned how to install similar "back doors" in computer hardware and software
China Voice: Huawei spying betrays blatant U.S. hypocrisy (Xinhua) Just as a Chinese saying tells of a thief who yells "Stop the thief!", the United States made a complete fool of itself through years of spying on Chinese telecom giant Huawei
How a Chinese Tech Firm Became the NSA's Surveillance Nightmare (Wired) The NSA's global spy operation may seem unstoppable, but there's at least one target that has proven to be a formidable obstacle: the Chinese communications technology firm Huawei, whose growth could threaten the agency's much-publicized digital spying powers
Richard Clarke: Foreign Governments Not So Surprised by US Snooping (Dark Reading) Former White House cybersecurity advisor Richard Clarke thinks foreign governments' outrage about American cyber-snooping is largely an act being put on for the benefit of political and economic agendas
Security Patches, Mitigations, and Software Updates
Entity Framework Gets Code First Model Generation Through Reverse Engineering (Visual Studio Magazine) Microsoft last week released a minor version update of its popular Object Relational Mapping (ORM) tool with numerous bug fixes and new features, including the ability to reverse engineer an existing database to create a Code First model
Cyber Trends
What Defense Could Learn About Cyber From Financial Firms (Defense News) As the defense industry sorts out the complications of information sharing and improved cyber protection, it might turn to another sector thought by many experts to have the best security in the US: financial firms
Cyber Vulnerabilities of Tech and Telecom Companies — as Reported to the SEC (Willis Wire) It is virtually impossible to do business today without using technology and telecommunications, both directly and indirectly, in the delivery and payment of goods and services. "Critical infrastructure" is what the federal government labeled this sector
Advanced threat detection products yet to earn trust of enterprises (TechTarget) A wave of network-based security products from vendors such as FireEye Inc., Damballa Inc. and Palo Alto Networks Inc. has raised the bar when it comes to detecting sophisticated attacks, but circumstances surrounding the massive Target data breach suggest that without a sizable incident response team or a complex mix of additional security products, network-based threat detection products may not do much good
Why Cybersecurity Doesn't Stop Attacks (Wall Street Journal) Current models for cybersecurity are becoming less and less effective in the face of more sophisticated attacks. They tend to be compliance- or technology-driven and are highly manual—making them difficult to scale. All too often as well, security is the bottleneck for innovative business initiatives
Hackonomics: 'Cyber Black Market' more profitable than illegal drug trade (ZDNet) A new report by RAND commissioned by Juniper Networks has some eyebrow-raising conclusions about the black market for hacks, cracks, data theft, botnets, and zero days
Hackonomics: Stolen Twitter accounts 'more valuable' than credit cards (ZDNet) According to a new report, the value of Twitter accounts on the black market for hacked wares has eclipsed the value of stolen credit card data
Forget black hats — the best hackers are going grey and getting legit (The Register) Bug bounties make going legit a tempting proposition
Is data privacy an out of date concept? (Naked Security) For some people, it seems as if they put their whole lives on display on social media. They are often, themselves, posting the very information that organisations go to great lengths to try to protect. So are we trying to protect privacy based on past social values? Are we old-fashioned in trying
Is data privacy more important than ever? (Naked Security) This article is inspired by another piece we've published today in which John Bryan asks 'is data privacy an out of date concept?' I think we all have a responsibility to ourselves and the younger generation to take greater steps to protect our data - we can't know the significance of exposure
March Madness: Online Privacy Edition (Dark Reading) Say hello to the privacy revolution where an emerging backlash is being spurred by NSA spying, mass data collection and plain old common sense
Surveillance is driving organizations away from the cloud (Help Net Security) A third of IT security professionals do not keep corporate data in the cloud because of fear of government snooping, with the majority of them preferring to store sensitive corporate data within their own networks, a new survey from Lieberman Software reveals
32% of merchants say mobile poses greater risk of fraud (FierceRetailIT) The mobile channel now accounts for 20 percent of retailers' business, double that of last year. But it also poses a greater risk of fraud and creates the need for new tools to combat that fraud
Over half of Android users fail to lock their phones (Help Net Security) An ad hoc survey conducted by Google's anti-abuse research lead Elie Bursztein has shown that over half of Android users don't lock their phones in any meaningful way
FBI Agent Says No Computer is Safe (Government Technology) Unless a computer is turned off and unplugged from the Internet, it is at risk of cyber attack — and even that may not be safe
Six clicks: How hackers use employees to break through security walls (ZDNet) Employees are prime targets for cybercrime attacks against your company. Find out the six top ways criminals gain access to your valuable data, IP, and more
Marketplace
Northrop Grumman Australia, DSTO Confirm Research Partnership (Wall Street Journal) Northrop Grumman Corporation (NYSE: NOC) and the Australian Defence Science and Technology Organisation (DSTO) have signed a strategic alliance to conduct collaborative research in a range of advanced defence technologies
Why Former Symantec CEO Enrique Salem Is Invested in Security (eWeek) Enrique Salem, former CEO of Symantec, discusses his involvement with ForeScout and FireEye
MACH37™ Launches Latest Class of Cybersecurity Startups (Digital Journal) The MACH37™ Cyber Accelerator announced today the launch of its Spring 2014 session for cybersecurity startups at its Herndon, Virginia headquarters. Out of over 40 applicants, five companies were selected to participate in the Spring Cohort to accelerate the growth of their innovative concepts and bring their technologies to market
SINET IT Security Entrepreneurs Forum Connects Prominent Leaders from Government, Industry and Investment Communities to Advance Cybersecurity Innovation (BusinessWire) US Department of Homeland Security Deputy Secretary Alejandro Mayorkas and Norway's National Security Authority Director General Kjetil Nilsen to keynote
Security firm ThreatMetrix takes $20M after hooking up with Internet gambling companies (VentureBeat) ThreatMetrix, a security firm which recently dove into New Jersey's young online gambling industry, just raised a sizable $20 million
A look at insurance for cyber space (Business Ledger) Almost everyone heard the news that Target stores was the victim of a criminal data breach that resulted in over 110 million confidential customer records falling into the wrong hands
Don't Put Too Much Faith in Cyberinsurance (Dark Reading) Cyberinsurance is great for covering discrete costs like breach notifications and legal fees, but don't rely heavily on it for much else
Products, Services, and Solutions
Amazon Web Services lands DoD security authorization (ZDNet) The Department of Defense security and compliance blessing means more government agencies can move workloads to AWS
BlackBerry gets U.S. clearance for security solution (Reuters) BlackBerry Ltd said it received U.S. government security clearance for its solution that separates and secures work and personal data on mobile devices powered by Google Inc's Android platform and Apple Inc's iOS operating system
Full Disclosure Mailing List: A Fresh Start (Insecure.org) Like many of us in the security community, I (Fyodor) was shocked last week by John Cartwright's abrupt termination of the Full Disclosure list which he and Len Rose created way back in July 2002. It was a great 12-year run, with more than 91,500 posts during John's tenure. During that time he fought off numerous trolls, DoS attacks, spammers, and legal threats from angry vendors and researchers alike. John truly deserves our appreciation and thanks for sticking with it so long
Candy Crush and its privacy (Panda Security News) Who hasn't heard of Candy Crush? Even if you're not hooked yourself, you probably receive a stream of messages from your friends about the game. The company behind Candy Crush, King, is about to be floated on the stock market, and can justly claim to be the creator of one of the most addictive social games of recent times, with more than 500 million downloads
Lynn DeCourcey: NJVC-InfoSec Partnership to Focus on Govt Cyber Training (ExecutiveBiz) NJVC has partnered with the InfoSec Institute to offer information security courses that are designed to meet cyber workforce training requirements set by the Defense Department
Wombat Security Adds Security Awareness Materials to Provide One Stop Shopping for Cyber Security Education (IT Business Net) Wombat Security Technologies (Wombat) today announced that it is adding awareness materials to its comprehensive security education and training offering
Foresight Releases Cloud-Based Website Security Platform (Broadway World) Foresight announced the release of Foresight-AIR, the first cloud-based website security platform to simplify Web Application Firewall (WAF) operations and reduce costs, while significantly improving website security and performance levels
Entatech and Panda shake paws for second time (CRN) Distributor hooks up with internet security vendor once again following five-year hiatus
Use Public WiFi: Better Check Out Cloak (V3) The ability to access free public wifi seems to be everywhere. Many airports, coffee shops and malls offer some sort of free wifi Internet access
6 Anti-NSA Technological Innovations That May Just Change the World (The Daily Sheeple) Rather than grovel and beg for the U.S. government to respect our privacy, these innovators have taken matters into their own hands, and their work may change the playing field completely
Finally, Plug & Play Authentication! (Dark Reading) Lower costs, high end-user acceptance, and the ability for security teams to develop risk-based access control policies are three benefits organizations will derive from proposed FIDO Alliance technology, says Phillip Dunkelberger, President & CEO of Nok Nok Labs. The technology will, for the first time, allow enterprises to replace passwords with plug-and-play multifactor authentication
Technologies, Techniques, and Standards
Facebook boasts of superior threat detection system (Help Net Security) Facebook has a new internal threat-catching framework that is fed with disparate data from all over the Internet, different vendors, and Facebook's internal sources, and is more efficient
Security the Facebook Way (Threatpost) Protecting the internal network as well as the users of Facebook is an unenviable task. Facebook users constantly are the target of all manner of phishing, malware and other attacks, and the company's own network is a major prize for attackers, as well. To help better defend those assets, Facebook's security team has built an
Cybersecurity training at EPA too specific or too general (FierceGovernmentIT) The Environmental Protection Agency's primary tool for information security training is too technical for executives but too general for technical personnel, say auditors
Natural Security Alliance releases specs for strong authentication standard (Help Net Security) The Natural Security Alliance has released the newest specifications for its world-first strong authentication standard
Web Browser Security Revisited (WindowSecurity) In this article we'll look at the special features Google provides for enterprise administrators with its Chrome for Business
How to Find Wi-Fi Security Encryption Type of a Router from Mac OS X (OSX Daily) Have you ever needed to know what type of security and encryption method a wireless network is using? While the Mac will figure this out itself when joining most networks, you may need to relay the information to others, or specify it yourself when joining other networks. You can get the encryption protocol in use by a router without ever having to log into the router, or even connect to the wi-fi network at all, just by using a simple trick in Mac OS X
Experts Question Security Payoff Of Sending Apps To The Cloud (Dark Reading) Startups offer browsers in the cloud for security, while email and productivity apps are already there
The 3 kinds of cybersecurity every utility needs (and a reference architecture you need to know about) (Smart Grid News) It is no secret that cybersecurity related to smart grid systems and deployments has garnered much attention over the past several years. Much of it has been and still is negative, in the form of criticism that the industry as a whole is not doing enough to address cybersecurity. While most utilities today agree on the need to secure these systems and are actively working to do so, the debate over the adequacy of the industry's efforts is not likely to subside anytime soon
4th Flt Passes Cyber Security Inspection On First Attempt (U.S. 4th Fleet Public Affairs via the Florida Times-Union) U.S. 4th Fleet on March 21 concluded a weeklong cyber security inspection by a team from U.S. Fleet Cyber Command, earning a passing score on its first attempt
Design and Innovation
The Drone that can Fly and Spy on Your Smartphone (McAfee Blog Central) For many, the notion of a flying drone conjures an image of an unmanned airborne military surveillance machine, or a high-flying courier sent to deliver your latest Amazon purchase. As a developing technology, the threat of drones being used for cybercriminal sabotage (especially on civilians, such as you and me) seems distant—but it might not be as foreign a concept as you may think
Research and Development
The ultimate physical limits of privacy (Nature) Among those who make a living from the science of secrecy, worry and paranoia are just signs of professionalism. Can we protect our secrets against those who wield superior technological powers? Can we trust those who provide us with tools for protection? Can we even trust ourselves, our own freedom of choice? Recent developments in quantum cryptography show that some of these questions can be addressed and discussed in precise and operational terms, suggesting that privacy is indeed possible under surprisingly weak assumptions
DARPA applies Big Data to debugging (C4ISR Net) DARPA wants to employ Big Data techniques to eliminate software errors and bad coding. The project, known as Mining and Understanding Software Enclaves (MUSE), would develop tools to automatically detect and repair errors, according to the DARPA announcement
Academia
IT security is heating up. Are universities prepared for it? (CNN) The relatively new business of cybersecurity is booming. As it turns out, so is the business of training the next crop of engineers for it
Open University launches MSc in computer forensics to bridge UK skills shortage (ComputerWorld) The Open University (OU) has announced a new MSc programme in computing it hopes will help to plug a UK skills shortage in areas such as digital forensics, insider threats and IP theft
Legislation, Policy, and Regulation
House Intel leaders unveil surveillance reforms (Politico) House Intelligence leaders on Tuesday unveiled a plan to curtail the NSA's ability to collect phone call data in bulk, but the effort differs from proposals from other top lawmakers and the White House
Proposed Changes to the National Security Agency (CSPAN) Julian Sanchez compared President Obama's proposed plan that would end the National Security Agency's storage of bulk telephone data to legislation put forth by the House Intelligence Committee
Officials: Senate secretly considered and rejected phone company option 3 years ago (AP via the Star Tribune) The Senate Intelligence Committee three years ago secretly considered — but ultimately rejected — alternate ways for the National Security Agency to collect and store massive amounts of Americans' phone records
Why Obama and his NSA Defenders Changed their Minds (National Journal via Nextgov) It was only months ago that President Obama, with bipartisan backing from the heads of Congress's Intelligence committees, was insisting that the National Security Agency's mass surveillance program was key to keeping Americans safe from the next major terrorist attack. They were also dismissing privacy concerns, saying the program was perfectly legal and insisting the necessary safeguards were already in place
NSA Reforms Demonstrate Value Of Public Debate (Threatpost) The Snowden leaks and the ensuing critical spotlight shone on the National Security Agency's surveillance programs have nudged many technologists, privacy hounds and politicians away from their desks and onto the front lines calling for reforms
Editorial: Planned changes at NSA take a step toward liberty (Mass Live) In America, asking isn't merely a courtesy, it's a constitutional imperative
U.S. and EU announce closer cyber issue ties (FierceGovIT) European Union leaders and President Obama today announced a new effort to formalize and broaden cooperation on cyber issues
Brazil caves to Google: New bill drops local data storage requirement (Ars Technica) If bill passes, Brazil would become largest country with a net neutrality law
Lawmakers may force VA to act on information security (FierceGovIT) Perennial information security weaknesses at the Veterans Affairs Department have led a House Veterans' Affairs subcommittee to consider legislation to compel the VA to address them, perhaps at the expense of departmental discretion
VA vulnerable to cyber attacks, GAO official says (FierceHealthIT) Information security problems have left the U.S. Department of Veterans Affairs vulnerable to cyber attacks, according to testimony presented Tuesday by the Government Accountability Office before the House Committee on Veterans' Affairs' subcommittee on oversight and investigations
Retailers urge adoption of PIN-based credit cards (Help Net Security) The National Retail Federation told the Senate that it's time for an overhaul of the nation's fraud-prone credit and debit card system, saying banks' insistence on cards that use a signature instead of a Personal Identification Number puts merchants and their customers at risk
Shoppers blame retailers for data breaches, Congress blames Target (FierceRetailIT) The finger pointing continues regarding the spate of data breaches at U.S. retailers, and the message going forward is that both the government and shoppers place the blame squarely on merchants
Senator who called for a US ban on Bitcoin now backs off, a bit (Ars Technica) Manchin tells WashPost: "The whole thing lent itself to a lot of improprieties"
Litigation, Investigation, and Law Enforcement
In rare move, banks sue Target's security auditor (CSO) Trustwave failed to fulfill its obligations, complaint alleges
Banks' suit in Target breach a 'wake up call' for companies hiring PCI auditors (CSO Salted Hash) Two banks have filed a lawsuit against Target and Trustwave Holdings, the retailer's security assessor
Turkish court lifts Twitter ban (The Guardian) Deputy prime minister says Turkish government will accept court decision to lift ban on microblogging website
Evidence Missing From Charges Snowden Works for Putin (Time) The Arizona Senator joins a slew of lawmakers who have accused the man who leaked secret documents on the NSA's spying program of treason, but McCain's charges lack evidence to support them
Jimmy Carter says he would consider pardoning Edward Snowden (Washington Post) Former president Jimmy Carter (D) said Wednesday that he would consider pardoning Edward Snowden if he returned to the United States and was convicted and sentenced, but acknowledged he doesn't have enough information to judge how much damage the former National Security Agency contractor has done to U.S. national security interests
Hacker Weev's attorney: The FBI is intercepting my client's mail (Daily Dot) The FBI is intercepting the prison correspondence of infamous Internet troll Andrew "weev" Auernheimer, including letters from his defense team, according to his attorney
Police Convict Chile Drug Trafficker After Discovering Secret Code (InSightCrime) Authorities in Chile have used a secret code belonging to drug dealers to convict a suspect, in a case showing that, while criminal methods are constantly evolving, the most basic techniques can still throw authorities off the trail
Chinese cops cuff 1,500 in fake base station spam raid (The Register) Thousands of devices, hundreds of millions of unwanted texts