Cyber Attacks, Threats, and Vulnerabilities
Government Websites Disabled by Cyber Attack (Arutz Sheva) Israeli government Websites, including those of the Ministry of Education and the Airports Authority, were disabled at various times Monday morning as part of a hacking attack by the "Anonymous" group. People who tried to enter the sites received error messages
OpIsrael: Anonymous Hackers Target Websites of Israeli Banks and Government (Softpedia) Today, April 7, hacktivists from several countries have launched a new campaign against Israel. Hundreds of websites have been targeted in the pro-Palestine campaign dubbed Operation Israel (OpIsrael)
Hackers Threaten Cyber-Attack Against Israel (Arutz Sheva) 'We will not stop until Palestine is freed,' hackers warn. But how serious is the threat?
S Korea detects suspected N Korea hacking attempt (Channel News Asia) South Korea detected a suspected North Korean hacking attempt Thursday to steal military data by using a journalist's notebook computer, defence ministry officials said
Hackers deface AU website (Times of India) Students of Andhra University logged onto the varsity's website … on Saturday only to be greeted by a black and green page screaming 'Pakistan Zindabad' along with a Pakistani flag and names of prominent Pakistani personalities like M A Jinnah, Dr A Q Khan, Shahid Afridi and Javed Miandad, among others
Garfield Garfield True, or the story behind Syrian Malware, .NET Trojans and Social Engineering (SecureList) It's been a while since the last massive Internet outage took down Syria's backbone network (AS29386). More recently, however, Syria suffered yet another large-scale Internet black out that lasted for about seven hours. In contrast to previous incidents, where networking routes began to disappear gradually from border routing devices, this time a cut off fiber optic cable was deemed responsible for leaving most of the country off-line
XSS flaw in popular video-sharing site enabled DDoS attack through visitors' browsers (IT World) Attackers exploited the vulnerability to hijack 22,000 browsers and launch a large-scale DDoS attack, researchers from Incapsula said
Researchers Uncover Interesting Browser-Based Botnet (Threatpost) Security researchers discovered an odd DDoS attack against several sites recently that relied on a persistent cross-site scripting vulnerability in a major video Web site and hijacked users' browsers in order to flood the site with traffic
Smart malware campaign attacks only Android (ZDNet) A recent email campaign contains links that send most users to a conventional spam site, but Android users get Android malware
Android social apps slated for sending 'growth hacking' spam (CSO) Mobile security firm AdaptiveMobile has named and shamed a clutch of popular Android apps it believes have been using the 'growth hacking' technique to spam large volumes of invitations to the contacts database of installed users
SMS Trojan goes after digital wallets (Help Net Security) Not satisfied with the money earned via mobile Trojans sending out text messages to premium numbers, cyber crooks have begun adding other money-stealing functionalities to the malware. Kaspersky Lab experts have recently spotted and analyzed an SMS Trojan for Android devices that is currently mostly targeting Russian users, and which along with the premium SMS-sending also attempts to steal money by emptying the victims' QIWI digital wallet
German police finds 18M stolen and misused account logins (Help Net Security) Police in northwestern German city of Verden have discovered a collection of 18 million stolen email addresses and corresponding passwords that are being actively used to send out spam, compromise social networks' accounts and even to occasionally plunder the victims' banking accounts
Credit Cards for 1.2 Million Drivers Vulnerable at TxTag.org (David Longenecker) It's been a bad couple of weeks for transportation authorities in the two biggest US states. On March 22, Brian Krebs broke the story of a wide-ranging credit card breach at the California DMV. That breach apparently involved credit cards used at the CA DMV's online web site over a 6 month period from August 2013 to January 2014. Today I discovered a serious flaw at TxTag.org, the Texas Department of Transportation's toll road account management and payment system. This flaw exposes personal information for the (as of December 31) 1.2 million drivers with active TxTags, including names, full mailing addresses, email addresses, phone numbers, and credit card numbers with expiration date
Kansas State Assessments Hit by DDoS Attacks (eSecurity Planet) 'We don't know if it was two bored teenagers or an anti-testing attack,' Center for Education Testing and Evaluation co-director Marianne Perie says
LewisGale Regional Health System Suffers Insider Breach (eSecurity Planet) An employee of LewisGale's billing service accessed 40 patients' names, Social Security numbers, home addresses and health insurance information
Computer Theft Exposes 2,394 Texas Children's Personal Data (eSecurity Planet) Names, addresses, birthdates, Social Security numbers, Medicaid numbers, photos and/or health information may have been accessed
Can You Spot The Fake SWIFT Transaction Document? (Digital Dao) We've been working our way through almost 1GB of documents that were part of the Russian Industrial Investment Fund leak last month by Russian Cyber Command (@Rucyborg on Twitter)
Security flaws could give hackers control of power plants and oil rigs (ITProPortal) Power plants, oil rigs and refineries could be at risk from hackers, new research shows, as there are vital bugs in their software that could allow an outsider to gain remote access. Around the world about 7,600 plants are using the vulnerable software that could allow an attacker with the "lowest skill in hacking" to exploit them. The software, named Centum CS 3000, was first released to run on Windows 98 and is used to monitor and control the heavy machinery in many of the globe's large industrial installations
Gov't contractor Klas Telecom responds to getting hacked by NullCrew (ZDNet) A skirmish erupted last week when hacking group NullCrew successfully broke into tactical communications company Klas Telecom. The global government contractor had an interesting response to its attackers
Security Patches, Mitigations, and Software Updates
Microsoft to release only four bulletins on Tuesday (Help Net Security) The Microsoft April security release is almost upon us with security updates scheduled to deploy on Tuesday, April 8th. This day will go down in history as a major milestone for Windows XP and Office 2003 since it will be the last day these products will be supported
Patch Tuesday for April 2014 — it's Goodbye, Farewell and Amen for Windows XP (Naked Security) The date's been in our diaries since 2007. But even with seven years to prepare for it, you'll be forgiven for approaching this month's Microsoft Patch Tuesday with a bit of a lump in your throat
Windows XP End-of-Life Breeding Equal Parts FUD, Legit Concerns (Threatpost) For those of you anticipating the start of a Walking Dead-style malware apocalypse next Tuesday, calm yourselves
IE 12 to Support HSTS Encryption Protocol (Threatpost) Microsoft confirmed today it will support HTTPS Strict Transport Protocol (HSTS) in Internet Explorer 12, bringing its browser in line with other major vendors in its support of the protocol
Cyber Trends
Emerging trends in cyber-attack methodology (Help Net Security) Websense documented the latest shift in complex attack trends, evolution in the threat ecosystem and shifting motivation of cyber-attacks. "Cybercriminals continue to evolve their attack planning and execution to stay ahead of most existing security measures," said Charles Renert, vice president of security research for Websense. "While the determined, persistent attackers continue to have success in advanced, strategic attacks using zero-day exploits and advanced malware, there has also been a boom in cybercriminal activity on a massive scale. Even these more 'common' forms of attack are easily slipping past organizations without real-time defenses"
Cybercriminals use legitimate sites to launch attacks: Websense (ARN) Report finds 85 per cent of malicious links in web or email attacks on legitimate websites
Exploit Kits and Redirection Anchor the Data Theft 'Kill Chain' (InfoSecurity Magazine) There is a growing global criminal-infrastructure-as-a-service economy being perpetrated through exploit kits and compromised website redirection chains — with billions of attacks adding to cybercriminals' sophistication and ability to evade detection. According to the latest Websense Security Labs 2014 Threat Report, the infrastructure of an attack campaign is now typically constantly developed, enhanced and reused throughout the entire threat lifecycle
Security is Not a Commodity — Breaking Out of Security Paralysis (SecurityWeek) Security is in the midst of a renaissance in most organizations. High profile breaches and lost intellectual property have made cybersecurity top of mind from the boardroom to the practitioner, and everywhere in between. However there is a very big difference between talking about security and actually becoming more secure. In fact, there is an unsettling tendency for organizations to invest considerable time and money in security solutions that don't take action at the critical moment of an attack. For instance, a recent post-mortem of the Target breach showed that the security team had advanced tools that identified the malware used to steal credit card data, but the information and alerts were not acted upon
Marketplace
Security acquisitions: Palo Alto buys Cyvera; Trustwave buys Cenzic (TechTarget) March 2014 saw a pair of notable acquisitions in the information security market
GlobalFoundries rumoured to be sniffing around IBM's fabs (Bit-Tech Net) GlobalFoundries has been named as the strongest contender in a deal to purchase IBM's unwanted semiconductor fabrication facilities
How US surveillance efforts spiked interest in overseas cloud providers (FedScoop) Since summer, revelations about the scope of the National Security Agency's surveillance efforts have ignited debates about privacy and the government's boundaries when it comes to protecting citizens from terrorism and security concerns
Does nationality still matter in tech buys today? (ZDNet) It does apparently to the U.S. government, which reportedly will be scrutinizing Lenovo's move to buy IBM's server business to ensure it doesn't lead to a backdoor access to U.S. national secrets and infrastructure
Chinese Investment In U.S. Tech Booms Despite Cybersecurity Fears (Huffington Post) Chinese tech companies have splurged on major acquisitions of U.S. high tech firms in the first quarter of 2014, spending big bucks in pursuit of the markets, technology and talent found in the U.S., according to a report released Tuesday by the Asia Society and the Rhodium Group. But with cybersecurity questions driving a wedge in U.S.-China relations recently, the acquisitions are generating equal amounts of excitement and anxiety
Facebook doled out $1.5 million to researchers in 2013 for bug bounties (SC Magazine) Facebook awarded more than $1 million in bug bounty awards last year and received close to 15,000 submissions
DHS Prepares Overhaul of Internal Security Operations (Nextgov) The Homeland Security Department late Thursday announced future plans to overhaul an organization that defends DHS' own internal networks
Not dead yet: Dutch, British governments pay to keep Windows XP alive (Ars Technica) Governments pay Microsoft millions to continue support for "end of life" OS
Products, Services, and Solutions
Microsoft will block adware without easy uninstall (Computerworld) Company revises policies for classifying, detecting and handling adware programs in its security software
Google adds extra encryption for Gmail, but remains silent on other apps (FierceCIO:TechWatch) A couple of weeks ago, Google made an announcement that it has enabled end-to-end data encryption for messages handled by the company's Gmail service. This means that every email message that is sent and received is encrypted while moving internally, explained Nicolas Lidzborski, the engineer lead for Gmail Security
Allot Builds Gateway to SDN (Light Reading) At the behest of a large European mobile operator, deep packet inspection (DPI) specialist Allot has developed a new service gateway designed to help operators deliver new services as they transition to software-defined networking
DuckDuckGo: the plucky upstart taking on Google with secure searches (The Guardian) Gabriel Weinberg launched DuckDuckGo as a search engine that puts privacy first, rather than collecting data for advertisers and security agencies
A Complete Operating System Optimized For Anonymous Surfing (Gizmo's Freeware) If you want to use the internet while remaining completely anonymous, there are plenty of tools that you can use. Encrypted email programs, an operating system that never stores any files on your hard disk and which wipes all your RAM memory when you've finished, and a web browser that uses the Tor network of anonymizing proxies to ensure that your IP address is untraceable
Technologies, Techniques, and Standards
Why marketing principles can help a security awareness program succeed (TechTarget) Marketing is an ongoing communications exchange with customers in a way that educates, informs and builds a relationship over time. The "over time" part is important because only over time can trust be created
Twitter uses code refactoring to reduce risk and improve testing (TechTarget) Andrés Ornelas, Web DevOps lead at Twitter, decided to go a step beyond software testing. He took a peek underneath the covers of Twitter's code in order to manage the risks associated with defects, and ultimately, to simplify testing. He found that by developing better techniques for analyzing its code, it could also improve, reuse and reduce the costs of adding new features
Encryption: the key to online privacy (Deutsche Welle) As more details of systematic, global government surveillance come to light, maintaining online privacy appears increasingly difficult. But there are some steps that are still effective at protecting privacy
Tech Insight: Making Data Classification Work (Dark Reading) Data classification involves much more than simply buying a product and dropping it in place. Here are some dos and don'ts
Design and Innovation
Kaspersky's Real Time Cyber Threat Map Is One Part Cool, Two Parts Terrifying (Hot Hardware) Sometimes it's helpful to have a visual aid to better understand something, and with that in mind, security vendor Kaspersky Labs has launched an interactive cyber threat map that lets viewers see cyber security incidents as they occur around the world in real time. It includes malicious objects detected during on-access and on-demand scans, email and web antivirus detections, and objects identified by vulnerability and intrusion detection sub-systems. In other words, you have a front row seat to the attempted carnage that's constantly taking place on the web
One big reason we lack Internet competition: Starting an ISP is really hard (Ars Technica) Creating an ISP? You'll need millions of dollars, patience, and lots of lawyers
Research and Development
New "Unbreakable" Encryption Is Inspired By Your Insides (Gizmodo) A new form of encryption promising to be "highly resistant to conventional methods of attack" could make our digital lives more secure—and it's all inspired by the way our heart and lungs coordinate their rhythms by passing information between each other
Coupling Functions Enable Secure Communications (Physical Review X) Secure encryption is an essential feature of modern communications, but rapid progress in illicit decryption brings a continuing need for new schemes that are harder and harder to break. Inspired by the time-varying nature of the cardiorespiratory interaction, here we introduce a new class of secure communications that is highly resistant to conventional attacks. Unlike all earlier encryption procedures, this cipher makes use of the coupling functions between interacting dynamical systems
Cookies that give you away: Evaluating the surveillance implications of web tracking (Randomwalker (h/t Bruce Schneier)) We investigate the ability of a passive network observer to leverage third-party HTTP tracking cookies for mass surveillance. If two web pages embed the same tracker which emits a unique pseudonymous identifier, then the adversary can link visits to those pages from the same user (browser instance) even if the user's IP address varies. Using simulated browsing profiles, we cluster network traffic by transitively linking shared unique cookies and estimate that for typical users over 90% of web sites with embedded trackers are located in a single connected component. Furthermore, almost half of the most popular web pages will leak a logged-in user's real-world identity to an eavesdropper in unencrypted traffic. Together, these provide a novel method to link an identified individual to a large fraction of her entire web history. We discuss the privacy consequences of this attack and suggest mitigation strategies
Academia
DSU Offers New Doctoral Degree in Cyber Security Beginning Fall (University Herald) Dakota State University, well-known for its cyber security-related programs, is adding another program to its already strong cyber curriculum
Midshipmen to participate in NSA's Cyber Defense Exercise competition (Capital Gazette) A team of midshipmen will participate in the National Security Agency's annual Cyber Defense Exercise competition this week at the Naval Academy
Anne Arundel Community College wants to train business pros on how to prevent cyber attacks (Baltimore Business Journal) Anne Arundel Community College is partnering with Hanover-based OPS Consulting to launch a new cyber training initiative aimed at educating businesses on how to handle cyber threats
Legislation, Policy, and Regulation
Germany's de Maiziere hits out at Washington over NSA (Deutsche Welle) German Interior Minister Thomas de Maiziere has strongly criticized the US over revelations about electronic surveillance by intelligence services. The minister complained that German questions have not been answered
Brazil's senate warns of country's 'vulnerability' to spying (Reuters) A Brazilian senate inquiry on U.S. spying in the country found Brazil "unprepared" to deal with eavesdropping by foreign agents and proposes a new law to address its "profound vulnerability," according to a copy of a report obtained by Reuters
Developments in Iranian Cyber Warfare, 2013-2014 (Independent Media Review and Analysis) Over the course of 2013, Iran became one of the most active players in the international cyber arena. Iran's progress can be attributed to a combination of two elements: a certain easing of the restraints on offensive activity in cyberspace by Iranian decision makers, and a qualitative leap by the Iranian cyber warfare system. The rapid development of Iran's cyber warfare capability means that Israel and other Western countries must work decisively and systematically to maintain qualitative and operational superiority in cyberspace
U.S., Japanese officials to hold cybersecurity talks next week (Inside Cybersecurity) The United States will host the next U.S.-Japan Cyber Dialogue at the director-general level on April 10. State Department Coordinator for Cyber Issues Christopher Painter and Ambassador Jun Shimmi, deputy director-general of Japan's foreign policy bureau, will lead the talks, a State Department spokesman told Inside Cybersecurity
U.S. Tries Candor to Assure China on Cyberattacks (New York Times) In the months before Defense Secretary Chuck Hagel's arrival in Beijing on Monday, the Obama administration quietly held an extraordinary briefing for the Chinese military leadership on a subject officials have rarely discussed in public: the Pentagon's emerging doctrine for defending against cyberattacks against the United States — and for using its cybertechnology against adversaries, including the Chinese
Watching the watchmen (Daily News) The problem isn't the NSA. It's the people giving them authority
If President Obama wanted the NSA to quit storing phone metadata, he'd act now (Ars Technica) Obama's pen, not Congress, could stop NSA bulk telephone metadata collection immediately
US agency that created "Cuban Twitter" faces political firestorm (Ars Technica) Senator calls the subversion project "dumb, dumb, dumb"
Firms that breach data rules may be fined up to €100m (Irish Times) A resolution of the European Parliament last month saw MEPs call for an end to blanket mass surveillance activities by the US National Security Agency. The resolution was made in the context of a report and recommendations by MEPs aimed at increasing EU citizens' privacy through EU-wide data protection rules. MEPs want to see firms that breach these new rules fined up to €100 million, or up to 5 per cent of their annual worldwide turnover
Businesses face rising political pressure from data breaches (CSO) FTC encourages Congress to pass national breach notification legislation, among other efforts
Is it time to make cyber jobs a national priority? (Nextgov) With research showing a vast shortage of skilled talent to fill cybersecurity jobs, it may be time for the United States to make cybersecurity a national imperative in much the same way it did with aerospace technology, nuclear science and biotechnology
Litigation, Investigation, and Law Enforcement
Government breaches at all-time high, press blunder under-reports by millions (ZDNet) This is one of those articles that spoils your faith in mankind. Not only are government security incidents fully into holy-cow territory, the press is reporting numbers three magnitudes too low because someone misread a chart and everyone else copied that report
One Chart Shows Why You Shouldn't Trust the Feds With your Data (Nextgov) We reported in January about the spike in government data breaches that has compromised the personal information of federal employees and citizens
Hayden: Pollard Release Would Signal Willingness to Negotiate on Snowden (National Review) The intelligence community would see the release of Israeli spy Jonathan Pollard as a signal of the administration's willingness to grant clemency to National Security Agency leaker Edward Snowden, according to former NSA and CIA director Michael Hayden. "They would believe that this kind of behavior could actually be politically negotiated away, and that would be a very disturbing message for the people who provide America with intelligence," he told Fox News' Chris Wallace on Sunday
Hayden suggests Feinstein too 'emotional' about CIA interrogation techniques (Washington Post) Former CIA and National Security Agency director Michael Hayden suggested Sunday that Senate Intelligence Committee Chairwoman Dianne Feinstein (D-Calif.) might have compromised the objectivity of a report on CIA interrogation techniques because she personally wants to change them
Experian in hot seat after exposing millions of social security numbers (Ars Technica) Did Experian subsidiary play fast and loose with Americans' data? Regulators from several states are investigating a data breach from a subsidiary of the credit-tracking behemoth Experian
Neiman Marcus Data Breach Said Work of Russians Who Eluded U.S. (Bloomberg BusinessWeek) Hackers who raided the credit-card payment system of Neiman Marcus Group Ltd. belong to a sophisticated Russian syndicate that has stolen more than 160 million credit-card numbers from retailers over seven years, according to people with knowledge of the matter
Italy slaps Google with $1.4m fine over Street View privacy concerns (ITProPortal) Google has paid a fine of 1 million euros to Italy's Data Protection Authority (DPA) to settle complaints that the Street View cars used to record mapping images in the country four years ago were not distinctly marked