The CyberWire Daily Briefing 04.02.14

Summary

By The CyberWire Staff

Various cyber espionage campaigns appear, several of them centered on the Middle East. A flaw in shareware file archiver and data compression utility WinRAR is reportedly being exploited against government and industry enterprises. Symantec finds njRAT spreading from the Middle East, used for hacktivism, information theft, and botnet building. Most of its command-and-control servers are located in Saudi Arabia, Iraq, Tunisia, Egypt, Algeria, Morocco, the Palestinian Territories and Libya.

Trend Micro warns of "Farheit," a Windows Trojan that also serves as a channel for Zeus infections and Cribit ransomware.

ESET continues to track "Windigo," the rapidly spreading and spam-generating malware campaign, and appeals to Unix users for help running it to ground.

Websense, in its periodic report on cyber black markets, notes (again) the features they share with legitimate markets, including cost-conscious buyers. That said, economic rationality doesn't imply diligence or genius: F-Secure's bloggers point out (we paraphrase) that cyber crooks remain lazy, opportunistic losers: they generally target businesses for relatively unprotected money exposed in cyberspace.

Bad news for Texans and Californians who like wine: their liquor stores suffer data breaches.

Apple upgrades Safari security.

Arms control mavens tackle the familiar dual-use problem, now in cyberspace.

US Director of National Intelligence Clapper responds to a Senate inquiry with acknowledgement that the Intelligence Community has engaged in warrantless electronic surveillance.

The US Department of Justice looks for easier ways of getting electronic surveillance warrants.

Google seeks to convince the US Supreme Court that packet-sniffing from unprotected Wi-Fi sources is already legal.

Notes.

Today's issue includes events affecting Algeria, Belgium, Egypt, Germany, Hungary, Iraq, Ireland, Israel, Libya, Morocco, Palestinian Territories, Saudi Arabia, Sweden, Syria, Tunisia, Ukraine, United Kingdom, United States.

The CyberWire will cover ITSEF 2014 in special issues next week. See the Events section below for information on the conference.

Selected Reading

Cyber Trends

Internet of Things: Mitigating the Risk (BankInfoSecurity) Tony Sager, a 30-plus-year National Security Agency information assurance expert, has a new mission: to identify ways to help mitigate the cyberthreats posed by the Internet of Things, those billions upon billions of unmanned devices connected to the Internet

Energy Pipeline: Cyber attacks hit oil, gas, just as much as retail (Greeley Tribune) Recent cyber attacks on retail giants such as Target and Neiman-Marcus have been well documented

Key challenges to securing Software-Defined Data Centers (Help Net Security) Tufin announced international survey results that highlight specific security challenges that need to be addressed in order to enable innovations such as the Software-Defined Data Center

Are organizations prepared for a data breach? (Help Net Security) 82% of IT professionals are either "concerned" or "very concerned" that their organization will face a security breach in the next year, according to EiQ Networks

Attitudes about best practices for access control (Help Net Security) An HID Global survey of 600 respondents revealed enterprise end users' perceptions about change and the importance of industry best practices, and how well today's technology and policy best practices are being implemented

Legislation, Policy and Regulation

The Dictator's Little Helper (Slate) How to stop Western companies from exporting surveillance technologies to authoritarian governments

NSA and GCHQ spied on German satcomms, world governments' leaders (Help Net Security) Another week, another explosive revelation coming from Edward Snowden's archive of NSA documents. This time they reveal the widespread compromise of several German satellite communication providers by the hands of Britain's GCHQ intelligence service and the US NSA, as well as the latter's targeting and spying on 122 country leaders, including German Chancellor Angela Merkel

NSA searched U.S. calls, emails without warrant, U.S. intelligence chief admits (ZDNet) For the first time, the highest ranking U.S. intelligence community official admitted to two senators that the NSA used a "backdoor" in surveillance laws to conduct the searches

How the NSA Used a 'Loophole' to Spy on Americans (National Journal) Obama's intel czar confirms targeting U.S. communications

NSA isn't evil, says noted civil libertarian (ComputerWorld) Geoffrey Stone says the beleaguered agency has successfully thwarted multiple terrorist plots since 9/11

U.S. government seeking easier hacking sparks privacy debate (CSO) A government request to change federal court rules to make it easier to hack into computers during criminal investigations places a new twist in the debate over privacy rights versus fighting crime in the digital world.The Justice Department is arguing for warrants that provide law enforcement with more flexibility in tracking down suspects using anonymizing tools, such as Tor, The Wall Street Journal reported.The government is arguing that the number of criminals taking advantage of anonymization technologies is increasing, so law enforcement needs help in penetrating these cloaks for criminal activity. In essence, the government wants to obtain one warrant that allows it to hack one computer and use it as a springboard for searching systems it is connected to over the Internet.To read this article in full or to leave a comment, please click here

Mr. Bitcoin Goes To Washington (TechCrunch) Congressman Jared Polis [D-CO2] has invited the bitcoin ATM company Robocoin to the United States Capitol for a demonstration of their hardware. While companies visiting with congress is nothing new, the wild, wooly world of bitcoin makes this definitely an interesting development

Products, Services, and Solutions

Box wants to let businesses control cloud encryption keys "this year" (Ars Technica) Government data requests might be thwarted if customers own the encryption keys

AWS admits scanning Android app in secret key hunt (SC Magazine via ITNews) Amazon Web Services has admitted it decompiles Android apps to search for secret keys that have been mistakenly hard-coded, as part of "normal operating procedures"

Google clarifies commercial spyware ban for Play store (CSO) Google has made it clear that commercial Android apps sold on the Play store are not allowed to secretly track user activity.The company released Friday an update to the Spyware section of its developer guidelines that bans apps from hiding, cloaking or misleading users about surveillance functionality. In addition, apps that track activity must present a "full-time persistent notification and icon that clearly identifies the app." Google also introduced an App Promotion policy that requires developers to "clearly disclose" when an advertised feature in the app's description requires an in-app payment.To read this article in full or to leave a comment, please click here

Why Feds are Still Buying IT that Works with Windows XP (Nextgov) During the past year, various agencies have bought or expressed interest in buying products compliant with a Microsoft operating system set to lose security support next week, according to a review of federal solicitations and the agencies themselves. The Air Force, Navy and Marine Corps, as well as the Veterans Affairs, Labor and State departments are a few of the Windows XP holdouts

Free tool calculates the damage of a cyber attack (Help Net Security) The Economist Intelligence Unit has launched an online tool that is designed to tally the bill from cyberattacks. Incidents of cybercrime are reported in the media almost every day, yet reliable estimates of their financial impact on companies are few and far between. CyberTab, sponsored by Booz Allen Hamilton, is designed to address this gap

MarkLogic Server 6.0-4 Earns Common Criteria Security Certification (Broadway World) MarkLogic Server 6.0-4 Earns Common Criteria Security CertificationMarkLogic Corporation, the leading Enterprise NoSQL database platform company, today announced that MarkLogic Server 6.0-4 has earned Common Criteria Certification through independent testing conducted by Leidos

IE PassView 1.31 (SecTechno) We have several tools for recovering passwords in web browsers. IE PassView can be used for internet explorer in case you have forget the passwords you are using to log in different system. the tool have a graphical interface and simple to use

Technologies, Techniques, and Standards

CryptoDefense ransomware leaves decryption key accessible (ComputerWorld) It's unlikely, however, that average users would pick up on the error and reclaim their files

SANS Checklist for Securing Mobile Devices in the Enterprise (SANS Institute) To help organizations better understand, manage, and mitigate risks associated with mobile devices and their infrastructures, we've released an updated SANS SCORE Mobile Device Checklist. This checklist is designed to provide a repeatable approach to adding mobile devices to your environment in a secure fashion

Marketplace

Buying Cyber Insurance: A Matter of Perspective (Willis Wire) With stories of commercial mass data loss and network downtime grabbing headlines on an almost weekly basis, the commercial world is having to take note of the very real risk presented by our reliance on technology—and the methods available to mitigate and manage that risk. However, when it comes to insurance, are we seeing a disconnect between the insurer and insured's expectations in the buying process of cyber coverage?

DOD Launches New Offensive in Cyber-Expert Hiring (The Fiscal Times) Help Wanted: Cyber geeks who want an "opportunity to do some really cool stuff" (if they follow the dress code)

Camber Corporation Announces the Close of its Acquisition of Avaya Government Solutions IT Consulting Services (IT Business Net) Camber Corporation announced that it has completed the acquisition of the IT consulting services business from Avaya Government Solutions, a subsidiary of Avaya Inc. With the formal closing of the acquisition, Camber welcomes to its workforce approximately 530 new employees in the information technology, software development and engineering, network architecture and engineering, and program management fields who support solutions for the Defense and Civil government markets

Trading Places: FireEye QA engineer swaps Hungary for one of the IT capitals of Europe (Silicon Republic) With people from all over the world choosing Ireland as a place to live and work, we speak to those that have put down roots in the country. This time, we talk to Tibor Flach, a senior QA engineer at FireEye

Pwnie Express Partners with IT Governance, Extends Reach in United Kingdom (Digital Journal) Pwnie Express, the only company to assess wired and wireless network security in remote locations on demand, today announced its partnership with UK-based IT Governance Ltd, a leading cyber security solutions provider

Another cyber firm picks Columbia for headquarters (Baltimore Business Journal) A cyber security company with more than 45 employees across the U.S. has picked Columbia for its headquarters. Jovian Concepts has signed a six-year lease for 3,000 square feet at 6700 Alexander Bell Drive

Virginia cybersecurity company plots Kettering office, 30 jobs (Exclusive) (Dayton Business Journal) A cybersecurity company is looking for funds from Montgomery County to open an office in Kettering. Lunarline Inc. is proposing a $600,000 project to build out a 3,000 square foot facility at Miami Valley Research Park

DISA Taps CGI Federal to Help Unify Military's Cloud Security Controls (GovConWire) CGI Federal (NYSE: GIB) has obtained a provisional authorization from the Defense Information Systems Agency for the subsidiary's cloud-based virtual machine services

Belgacom biedt Cloud-opslagdienst (Telecompaper) Op 1 april gaat Belgacom Cloud geactiveerd worden. Dat maakt het Belgische telecombedrijf bekend, nadat het een testperiode met 4.500 gebruikers heeft verwerkt

Announcing CRTC TechAwards 2014 Winners (Chesapeake Regional Tech Council) The Chesapeake Regional Tech Council (CRTC) and more than 350 technology executives from around the Annapolis-Baltimore-Washington region gathered Wednesday night to honor the region's rising tech companies, outstanding innovators and all-around top professionals at the 9th annual TechAwards 2014: Get in the Game. The CRTC received more than 60 submissions for the six nominated award categories from a variety of accomplished technology businesses and individuals throughout the Annapolis-Washington-Baltimore region. A thirteen-member selection committee examined the nominations and voted on the top contenders

Security Patches, Mitigations, and Software Updates

Apple Fixes More Than 25 Flaws in Safari (Threatpost) Apple has updated its Safari browser, dropping a pile of security fixes that patch more than 25 vulnerabilities in the WebKit framework. Many of the vulnerabilities Apple repaired in Safari can lead to remote code execution, depending upon the attack vector. There are a number of use-after-free vulnerabilities fixed in WebKit, along with some buffer

42 days to go for XP — 8 tips if you aren't going to make it (Naked Security) In a tip of the hat to the late Douglas Adams, we'll ask, "How many days has XP really got left?" If you include today — April Fool's Day, no less - the answer is, "42"

Cyber Attacks, Threats, and Vulnerabilities

WinRAR zero-day exploited in cyber espionage campaign (Security Affairs) Israeli researcher Danor Cohen has discovered a security flaw in WinRAR, IntelCrawler confirmed was exploited in cyber espionage campaign

Middle Eastern hackers use remote access Trojan to infect 24,000 machines worldwide (V3) Security firm Symantec has uncovered 487 groups actively using njRAT malware, claiming the malicious users have managed to infect 24,000 machines worldwide

Trojan Targets Windows-users who then get hit with Ransomware, States Trend Micro (SpamFighter) Trend Micro warns that Windows-users who contract one particular Trojan are likely to get hit with a ransomware, which locks PC folders, followed with demanding huge Bitcoins the Internet-based currency so the data-files can be unlocked. The Trojan used for infecting Windows is known as "Farheit." It's one kind of information-stealer, which can also pull down other malicious programs such as ZeuS. Of late, nonetheless, security researchers found that Farheit also disseminated "Cribit" a ransomware

With Extended Random, Cracking Dual EC In BSAFE 'Trivial' (Threatpost) Known theoretical attacks against TLS using the troubled Dual EC random number generator— something an intelligence agency might try its hand at—are in reality a bit more challenging than we've been led to believe

Upgrading Your Android, Elevating My Malware (Internet Storm Center) A new study by Indiana University Bloomington show that updating any Android device can allow an attacker to escalate apps privileges

When the back door into Unix opened… (TechChannel MEA) Close to 25,000 Linux and Unix servers have been compromised over the last three years using a backdoor Trojan. Recent efforts by global security vendor ESET, documented as Operation Windigo, explain details of how the servers were compromised leading to tens of millions of spam emails on a daily basis

Cyber Criminals Operate On A Budget, Too (Dark Reading) New report shines light on how attacks have gotten more advanced but still basically use some of the same old, same old, tools

Easy money: The simple reason cybercriminals target businesses (F-Secure Blog) Businesses deal with money — usually a lot of money, whether as payments to partners and subcontractors, wages to employees, taxes and official fees to authorities, etc. For cybercriminals, all this money going around is a target worth aiming for. And in addition to the money in circulation, there are ways to turn business IT resources into hard cash

APT1: The State of the Hack One Year Later (FireEye Blog) A little over a year ago, Mandiant released a report that brought the term "Advanced Persistent Threat" (APT) into the public conversation and made these types of targeted attacks top of mind for government and commercial organizations around the world. Recently, FireEye's COO, Kevin Mandia took the stage at RSA USA 2014 to take a look back and share his perspective on the activities that led to the release of the APT1 report and the aftermath

Texan liquor chain Spec's leaks 550k card details in 17 month breach (Naked Security) Spec's, the fifth largest wine retailer in the US, has leaked 550,000 customers' card details, after some of its systems were compromised for close to 17 months

Ukrainian Hacker falsely claimed theft of 800 million Credit Card (The Hacker News) 800 Million US based Credit and Debit cards compromised! Really it's a big number and till now it has not been sized by the cyber security officials but a hacker group claims that they had stolen data on hundreds of millions of U.S. card accounts

Virus Held Vt. Chamber of Commerce PCs Ransom For $400 — but Caused $5,000 in Damages (Nextgov) The organization ended up paying thousands of dollars to replace the infected computers, servers and backup drives, after unsuccessfully attempting to transmit a payment

Cyber-attack shuts down Kansas state testing (KSHB) A cyber-attack shut down state testing in Kansas. It caused the state to stop all federally required math and reading tests until the site was fixed

Subcontractor Error Exposes 3,100 Alabama Patients' Medical Data (eSecurity Planet) A billing vendor's IT subcontractor mistakenly stored files on an unsecured server

Malware Exposes Rosenthal Wine Shop Customer Data (eSecurity Planet) Customers' names, addresses, payment card account numbers, expiration dates and security codes may have been exposed

Windows XP to remain in most organizations after the deadline (Help Net Security) Over three quarters (77 per cent) of UK organizations will have Windows XP running somewhere in their IT estate after the April 8th end of support deadline, according to AppSense. 68 per cent of organizations had no plans to pay for extended support despite repeated warnings about the vulnerability of the 12 year-old operating system to exploits and malware

Academia

For the best ROI, get your computer science degree at a state school (IT World) Based on the expected annual return, computer science degrees from state universities pay off better than those from private schools

North Hollywood High wins national cyber-security competition (Los Angeles Times) A team of tech-savvy students from North Hollywood High clinched the national championship this past weekend in Maryland at the CyberPatriot VI competition, which tests their cyber-security knowledge

Litigation, Investigation, and Enforcement

Google Takes Wi-Fi Snooping Scandal to the Supreme Court (Wired) The biggest internet wiretapping program outside the NSA may be headed to the Supreme Court

Google tells Supreme Court it's legal to packet sniff open Wi-Fi networks (Ars Technica) After an appeals court ruling and a $25,000 fine, Google says the law is on its side

Federal Agents Pierce Tor Web-Anonymity Tool (Wall Street Journal) Law-enforcement agencies are increasingly finding ways to unmask users of a popular Web browser designed to hide identities and allow individuals to exist online anonymously

Alleged Silk Road Founder's Lawyer Moves to Dismiss Charges Against His Client (Wired) The attorney for alleged Silk Road ringleader Ross Ulbricht is asking a federal judge to throw out most of the charges against his client, arguing that the case contains "fatal flaws" and must be dismissed

Exclusive: U.S. Intel Committee Chiefs Blast Deal for Israeli Spy (Daily Beast) The Obama administration is considering releasing convicted spy Jonathan Pollard in exchange for Israel extending their peace talks with the Palestinians but is facing a bipartisan backlash from Congress

Manning's new lawyer decries 35-year sentence (AP) Army Private Chelsea Manning's 35-year sentence for leaking reams of classified information is out of proportion with the offenses for which she was convicted, the lawyer who will represent her in court-martial appeals said Tuesday

Sell Hack, the controversial plugin that offered to uncover LinkedIn email addresses, shuts down for now (Graham Cluley) Well, that didn't take long. Sell Hack, the controversial browser extension that promised to reveal LinkedIn users' private email addresses has been shut down by its makers (at least temporarily) after they received a cease & desist order from the business networking site

Man Running Microsoft Tech Support Scam Sentenced to Prison in the UK (Softpedia) Did you think that tech support scammers couldn't be brought to justice? Authorities in the United Kingdom have demonstrated that they've started cracking down on such fraud schemes. A 34-year-old man has been sentenced to 4 months in prison for running such an operation

Phony tech support scammer escapes with a slap on the wrist (Naked Security) A UK court has handed down a sentence of suspended jail time plus fines and costs to the operator of a phony tech support cold-calling scam. Mohammed Khalid Jamil ran a firm called Smart Support Guys based in Luton, and staff at his India-based call centre are thought to have carried out the deceptive cold calling.

Industry Events

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

upcoming Events

SyScan 2014 (Singapore, March 31 - April 4, 2014) SyScan is a deep knowledge technical security conference. It is the aspiration of SyScan to congregate in Asia the best security experts in their various fields, to share their research, discovery and experience with all security enthusiasts in Asia.

NIST IT Security Day (Gaithersburg, Maryland, USA, April 8, 2014) The Office of the Chief Information Officer, OCIO, is hosting NIST IT Security Day as a means to heighten awareness for all NIST users on the many aspects of operational information technology security and networking at home and in the office. This event's objective is to educate users on IT security and related topics. The event will feature guest speakers on general and technical IT security topics and tutorials on internal services and products.

2014 GovCon Cyber Summit (McLean, Virginia, USA, April 9, 2014) The U.S. Computer Emergency Readiness Team (US-CERT) noted that last year federal networks saw a substantial increase in hacking incidents, with 48,000 attacks reported by agencies. In recognition of this fact, and to help emphasize the importance of a secure framework, the Obama administration released the Cybersecurity Cross-Agency Priority (CAP) Goal to help agencies improve secure performance through network consolidation, strong identity management, and continuous monitoring. Agencies are implementing new procedures and technologies to shore up defenses before it's too late, and it's clear that the federal government is not going to stop in their increased efforts to minimize and prevent cyber security attacks. Bottom line, the federal government will continue to place significant focus on securing the nation's cyber infrastructure and it's having an impact on the entire GovCon community.

2014 Computer Security Day (Eugene, Oregon, USA, April 11, 2014) The Fourth Computer Security Day at the University of Oregon will feature a slate of distinguished speakers from academia, industry, and government, discussing current challenges and future opportunities in cybersecurity. The range of topics will be broad and diverse, ranging from examining future trends in computer security, to understanding cybersecurity within the federal government, to exciting new research in authentication mechanisms and securing systems and data. There will be plenty of opportunities to engage with the speakers and other attendees.

Women in Cybersecurity Conference (Nashville, Tennessee, USA, April 11 - 12, 2014) WiCyS is an effort to bring together women (students/faculty/researchers/professionals) in cybersecurity from academia, research and industry for sharing of knowledge/experience, networking and mentoring. Any individual or organization interested in recruitment/retention of women in this field and/or diversification of their cybersecurity workforce is especially encouraged to get involved.

NSA Procurement in today's business arena (Elkridge, Maryland, USA, April 16, 2014) An opportunity to gain inside perspective on market trends in NSA Procurement. The guest speaker will be William Reybold, National Security Agency's Deputy Senior Acquisition Executive (SAE), who manages all Agency procurements, from off-the -shelf supplies to developing and deploying large, highly technical, and complex new system. He is directly accountable for delivery of all major systems acquisitions and includes as part of the organization, the NSA Contacting Group.

East Africa Banking and ICT Summit (Kampala, Uganda, April 25, 2014) The global event series for Banking and ICT Summit enters its third year. The summit will continue to provide delegates with technical & practical sessions, lectures and showcase for banking and ICT innovations, and unique networking opportunities.

InfoSecIndy (Indianapolis, Indiana, USA, April 26 - 27, 2014) Join us on April 26-27, 2014 in Indianapolis, Indiana for the premier Midwest Information Security and Digital Forensics Conference.

cybergamut Technical Tuesday: Malware Reverse Engineering (Columbia, Maryland, USA, May 6, 2014) An introduction to the tools, workflows, and tricks of the trade to attack sophisticated malware by Dale Robson of CyberPoint. Industry standard cyber security products do a good job in blocking and defending against recognized or suspicious malware. Yet increasingly, advanced malware is customized to evade detection and remediation; and even those that are caught can have deeper and more dangerous capabilities. In order to truly understand the malware's capabilities and to assess its success in gaining access to an enterprise, cyber security professionals should reverse engineer the binary to expose its secrets. But organizations may forgo reverse engineering and rely on industry solutions to characterize and defend against the threat. Reverse engineering is done by exception and within the constraints of budget, time, and available professional talent, if it is done at all. However, reverse engineering malware can be an integral part of every security team's calculus. This session provides a technical review of the tools, workflows, and advanced analytic insight a senior reverse engineer brings to the fight.

STEM Café (Geneva, Illinois, USA, May 6, 2014) At the next STEM Café, Raimund Ege, associate professor in NIU's Department of Computer Science, will lead a lively discussion on how computer crime affects our everyday lives and what we can do to protect ourselves and our data. The event will take place from 6:30 to 8:30 p.m. Tuesday, May 6, at Claddagh Irish Pub, 1702 Commons Drive in Geneva.

Sponsor & Support

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter’s financial reach, or it might just not be the right time for you to do those things. That’s why we launched our new Patreon site, where we’ve created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you’ll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.