The CyberWire Daily Briefing for 4.10.2014
news from SINET ITSEF 2014
SINET ITSEF 2014 wrapped up yesterday, and this is our final special issue devoted to the conference. We will, however, publish exclusive interviews with some of the participants over the next two weeks.
A panel on big data (with ManTech, In-Q-Tel, ZL Technologies, and the US Department of Homeland Security participating) addressed the pervasive siloing of big data without adequate means of using data across silos. Big data's privacy challenges were also addressed: since a new framework is needed for sharing data, any such framework should have privacy protection built-in. Privacy won't be secured if it's treated as an add-on or an after-thought.
Mark McLaughlin, President and CEO of Palo Alto Networks, asked the conference to think about what counts as winning in the current age of advanced cyber threats. The traditional approach of detection followed by remediation no longer works, he argued, given the exponential growth of adverse cyber events. The continuing shift to the cloud and virtualization has tipped, and continues to tip, the scale in favor of the bad actors: they now have a larger attack surface with more access points to the systems they target. Our goal in devising next-generation security should be what he called "Prevention Intelligence." Examples of this would be embedding prevention techniques into new operating systems and sharing threat intelligence across platforms.
Alejandro Mayorkas, Deputy Secretary of the US Department of Homeland Security, delivered the first of two keynote addresses. He focused on his Department's major initiatives to engage entrepreneurs in development of next-generation cyber technology. (The CyberWire will be publishing an interview with Deputy Secretary Mayorkas within the next two weeks.)
Entrepreneurs are keenly interested in their exit strategies, and executives from ArcSight, Cloudera, SourceFire, Morta, Blue Coat, and Solera Networks shared their lessons learned. A common theme was the importance of leveraging early adopters for their products, thus getting early market validation they can subsequently scale as they grow their business. There was consensus on the importance of keeping one's early focus on a set of guiding principles, and then being alert to changes in markets and environments (and nimble in responding to them).
Stanford University's Vivek Wadhwa offered a predictive look at how advancing technologies were likely to prove disruptive. He sees manufacturing by cheap labor in China and India being disrupted by robotics. Robots able to produce goods more cheaply than human labor will return manufacturing to countries like the United States. Eventually, as technologies like 3-D printing are commoditized, even robotic manufacturing in centralized plants will tend to be replaced by self-manufacturing in the household.
Allegis Capital's Robert Ackerman moderated a panel composed of investors from Highland Capital Partners, Kleiner Perkins Caufield Byers, and SineWave Venture Partners. Continued strong growth across the security sector through the next five years warrants continued venture investment in cyber startups. Government remains a large and important market: it accounts for one third of the cyber spending today. The IPO and M&A markets in the cyber sector are growing and remain strong in comparison with other IT and technology areas. The panel thought Bromium, MobileIron and vARMOUR were three good examples of promising young companies.
Kjetil Nilsen, Director General, Nasjonal Sikkerhetsmyndighet (NSM - Norway's National Security Authority) delivered the final keynote. The NSM is responsible for all aspects of cyber security in Norway, and Director General Nilsen gave the conference a useful perspective from an agile, advanced country that punches far above its weight in cyber security. The CyberWire will publish an interview with Director General Nilsen tomorrow.
The Heartbleed OpenSSL vulnerability dominates today's news, and is likely to do so for days (if not weeks) to come. Ars Technica describes the bug as exposing data "Russian roulette style," and the metaphor's not a bad one: a missing bounds check in source code is said to enable blind access to whatever parts of memory are handling SSL processes. Vendors and security experts are sifting through affected sites and products now and issuing fixes as they're developed.
The Sydney Morning Herald finds the software developer who cops to responsibility for the bug. He explains how the unintentional vulnerability was inadvertently introduced. (Conspiracy-mongers are undeterred from offering alternative attributions.)
It's not clear whether the vulnerability has been exploited in the wild (although a note from Deltek about a breach involving its GovWin product might give one the willies—still, no mention there of Heartbleed) but OpenSSL exploits can be difficult to detect. Experts advise taking protective steps quickly but with caution. Heartbleed is obvious phishbait (Sophos points out); it's also a good wateringhole lure (as SANS notes).
Quartz sees the whole episode as an instance of the tragedy of the commons, where a public good is steadily eroded in the absence of clear property rights and responsibilities.
Retailers face a large Heartbleed problem, adding insult to injury as legislation in several jurisdictions begins to fix liability for data breaches squarely on them.
In non-Heartbleed news, the insurance industry (led by Lloyd's of London) continues to note critical infrastructure's cyber vulnerability.
Today's issue includes events affecting Canada, China, Germany, Norway, Russia, Turkey, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Critical crypto bug exposes Yahoo Mail, other passwords Russian roulette-style (Ars Technica) OpenSSL defect still exposing sensitive data even after patch is released
Sending a "Heartbleed" password reset email? Please don't include a login link! (Naked Security) With all the buzz about resetting your passwords caused by the "Heartbleed" bug, you can imagine what cybercrooks are thinking. TIME TO GO PHISHING! Fortunately, many people these days know to be careful of password reset emails, at least those that helpfully provide a link that takes you to what looks like a login screen
Heartbleed OpenSSL bug: FAQ for Mac, iPhone and iPad users (Intego: the Mac Security Blog) In the last couple of days you cannot fail to have seen the huge number of media articles about the so-called Heartbleed bug. In this article, we'll try and answer some of the common questions that users of Apple products have raised about this issue
Man who introduced serious 'Heartbleed' security flaw denies he inserted it deliberately (Sydney Morning Herald) The German software developer who introduced a security flaw into an encryption protocol used by millions of websites globally says he did not insert it deliberately as some have suggested
Heartbleed: What you should know (Washington Post) Experts have discovered a major flaw in the security software used by millions of Web sites — including banks, e-mail and social media services — that exposes users' names and passwords, the content of their communications, and their data to anyone who knows how to exploit the weakness. This does not mean your information has necessarily been stolen. It may mean that it's been vulnerable to theft and may remain vulnerable until a fix is applied
How to tell if Heartbleed could have stolen your password, and when it's safe to change it (Quartz) As you've probably heard, the Heartbleed bug exposes websites that use a popular encryption technology to malicious attacks, and some of your passwords—and personal data—may well have been compromised. The vulnerable software, OpenSSL, is used to encrypt something like two-thirds of all sites on the web
More Than A Half-Million Servers Exposed To Heartbleed Flaw (Dark Reading) What the newly exposed SSL/TLS threat really means for enterprises and end-users
The Heartbleed Hit List: The Passwords You Need to Change Right Now (Mashable) An encryption flaw called the Heartbleed bug is already being called one of the biggest security threats the Internet has ever seen. The bug has affected many popular websites and services — ones you might use every day, like Gmail and Facebook — and could have quietly exposed your sensitive account information (such as passwords and credit card numbers) over the past two years
How does the Heartbleed bug affect me? (Help Net Security) By now, you have surely heard about the "Heartbleed" bug discovered in Open SSL, and you're wondering how its existence affects you. The situation is, indeed, serious. "'Catastrophic' is the right word," says Bruce Schneier, noted cryptographer and computer security and privacy specialist. "On the scale of 1 to 10, this is an 11"
Revoke, reissue, invalidate: Stat! Security bods scramble to plug up Heartbleed (The Register) Paper is safe. Clay tablets too
Difficulty of Detecting OpenSSL Heartbleed Attacks Adds to Problem (Threatpost) The list of products and sites affected by the OpenSSL heartbleed vulnerability continues to grow, and as security teams implement the patch and dig into the thornier work of revoking certificates, a new problem is emerging: It's difficult to know whether an attacker has exploited the vulnerability on a given system
Heartbleed is the new security risk (FierceRetailIT) There's yet another security nightmare staring down retailers as the Heartbleed bug threatens to expose encrypted data in OpenSSL
The Internet's Telltale Heartbleed (New Yorker) The cryptography expert Bruce Schneier, who has been writing about computer security for more than fifteen years, is not given to panic or hyperbole. So when he writes, of the "catastrophic bug" known as Heartbleed, "On the scale of 1 to 10, this is an 11," it's safe to conclude that the Internet has a serious problem. The bug, which was announced on Tuesday—complete with an explanatory Web site and a bleeding-heart logo—is a vulnerability in a widely used piece of encryption software called OpenSSL
The heartbleed bug shows how fragile the volunteer-run internet can be (Quartz) Matthew Prince, CEO of the online security company Cloudflare, watched his company's top cryptographer turn "white as a ghost" after learning about a bug in the essential infrastructure of the internet last week. That flaw, he says now, is the worst thing to happen to the internet since it became a mass medium in the early 2000s
Has the NSA Been Using the Heartbleed Bug as an Internet Peephole? (Wired) When ex-government contractor Edward Snowden exposed the NSA's widespread efforts to eavesdrop on the internet, encryption was the one thing that gave us comfort. Even Snowden touted encryption as a saving grace in the face of the spy agency's snooping. "Encryption works," the whistleblower said last June. "Properly implemented strong crypto systems are one of the few things that you can rely on"
'Heartbleed' mystery: Did criminals take advantage of cyber-security bug? (Christian Science Monitor) Website operators rushed to patch a cyber-security vulnerability called 'Heartbleed' that allows 'anyone on the Internet' to access website server memory without leaving a trace. A major concern: It existed 'in the wild' for two years
Deltek suffers cyber attack putting 80,000 employees of vendors at risk (Federal News Radio) About 80,000 employees of federal contractors are at risk of identity theft after a hacker broke into business research firm Deltek's GovWin IQ system
BlackBerry 10 Smartphones Impacted by Remote Code Execution Flaw in qconnDoor (Softpedia) BlackBerry is warning customers that a stack-based buffer overflow vulnerability in the qconnDoor service could lead to remote code execution on BlackBerry 10 smartphones
Security Patches, Mitigations, and Software Updates
Heartbleed vendor notifications (Internet Storm Center: InfoSec Handlers Diary Blog) As people are running around having an entertaining day we thought it might be a good idea to keep track of the various vendor notifications. I'd like to start a list here and either via comments or sending it let us know of vendor notifications relating to this issue. Please provide comments to the original article relating to the vulnerability itself, and use this post to only provide links to vendor notifications rather than articles etc about the issue
Heartbleed OpenSSL vulnerability: A technical remediation (Help Net Security) OpenSSL released a bug advisory about a 64kb memory leak patch in their library. The bug has been assigned CVE-2014-0160 TLS heartbeat read overrun
BlackBerry Patches Remote Code Execution Vulnerability Affecting BlackBerry 10 (SecurityWeek) Joining Microsoft and Adobe in issuing security fixes on Tuesday, BlackBerry issued a patch to address a remote code execution vulnerability (CVE-2014-1468) that affects BlackBerry 10 smartphones and could enable an attacker to take control of the device with root/superuser rights
WordPress releases important security update (Help Net Security) WordPress 3.8.2 is now available. This is an important security release for all previous versions and you should update immediately
Google patches 31 Chrome flaws, issues bug bounty rewards (ZDNet) Thousands of dollars have been awarded to bug hunters for the Chrome 34 release who reported 31 flaws, 19 deemed critical
Chrome makes new password grab in version 34 (The Register) Even with autocomplete off, Google will ask if it can 'help' by storing your passwords
Facebook Privacy: 4 Changes In Works (InformationWeek) Facebook plans to give users more control over sharing, including new photo privacy settings and reminders about public posts. Here's what to expect
Windows 8.1 Update — Microsoft forces users to update OS if they want future security updates (Lumension Blog) Most of the attention this week, from the patching point of view at least, has been directed towards the last ever security fixes for Windows XP
Windows 8.1 Update required for all future updates can actually STOP all future updates! (Graham Cluley) Microsoft has temporarily suspended distribution of Windows 8.1 Update, after it was found that it can cause some updated PCs to actually stop looking for future updates
A closer look at Microsoft's April Patch Tuesday (Help Net Security) April's Microsoft Patch Tuesday is on par with the prior releases this year. There are only four bulletins being released, two rated "Critical" and two rated "Important". Of course the long coming, but somehow still apocalyptic news that Windows XP is dead has overshadowed these bulletins
Cyber threat moving to critical infrastructure, study shows (ComputerWeekly) The cyber threat is moving from data breaches to global critical infrastructure, an insurance industry commissioned study shows. Technology running the world's critical infrastructure is increasingly at risk of cyber attack, according to in-depth research by Lloyd's of London insurer Aegis London
Financial malware on the rise (Gadget) According to Kaspersky Lab's Financial cyber threats in 2013 study, the number of cyber attacks involving financial malware increased to 28.4 million — 27.6% more than 2012
Universities Ripe for Hacker Plundering (Tripwire) Universities are falling way behind in the race to secure sensitive data from the threat of compromise, and the trend is expected to continue in perpetuity because they lack the financial and technical resources required to safeguard critical systems, according to a recent study
Attitudes about best practices for physical access control (Help Net Security) An HID Global survey of 600 respondents revealed enterprise end users' perceptions about change and the importance of industry best practices, and how well today's technology and policy best practices are being implemented
Bruce Schneier: Technology Magnifies Power in Surveillance Era (Threatpost) Bruce Schneier said during his Source Boston keynote that history will not look kindly on society's tradeoff of privacy for convenience in the age of surveillance
To Compete or Non-Compete: Contracts That Make Michigan Less Competitive (Concentrate) Dug Song believes that his company, Duo Security, has a lot of competitive advantages when it comes to attracting professional talent: Company culture. Working in downtown Ann Arbor. Building cool technology. No non-compete contracts
Easy Solutions Earns Spot on CIOReview Magazine's 2014 'Top 20 Most Promising Security Companies' (Broadway World) Easy Solutions, the Total Fraud Protection company, is honored to receive recognition from CIOReview Magazine as one of 2014's "Top 20 Most Promising Enterprise Security Companies". Easy Solutions was selected by a panel of experts and members of CIOReview's editorial board, which awards this honor to recognize and promote technology entrepreneurship
Innovation, Expansion and Channel Growth Highlight First Anniversary of ThreatTrack Security (Providence Journal) In its first year as an independent company, ThreatTrack Security has successfully expanded its operations and solutions portfolio to better serve the most pressing cybersecurity needs of enterprises and government agencies. The development and recent launch of ThreatSecure™ — the industry's first solution to provide real-time detection and endpoint remediation of advanced malware threats — is the culmination of the company's strategy to empower organizations of all sizes to protect themselves from the world's most sophisticated malware
Security Startups: Interview With Defense.Net Founder and CTO Barrett Lyon (SecurityWeek) SecurityWeek: How did you start out in the computer field and in particular, security? Barrett: As a child, I had a lot of interest in computers and became very interested in Unix. Unix is hyper-focused on security
Milestone Systems, Inc. Announces New Partnerships (Digital Journal) Milestone Systems, Inc., the nation's fastest growing information security and infrastructure provider is pleased to announce new partnerships for 2014
Marillyn Hewson seeks to diversify Lockheed (Politico) Lockheed Martin is best known as the $45 billion-a-year builder of the F-35 Joint Strike Fighter and other such war machines
Former US Policy Chief Joins Cyber Firm's Board (DefenseNews) Endgame, the cybersecurity firm most famous for selling information about system vulnerabilities, has added former Pentagon policy chief James Miller to its advisory board, the company will announce today
Products, Services, and Solutions
Check Point Receives Internationally Recognized Common Criteria Certification (MarketWatch) Check Point® Software Technologies Ltd., the worldwide leader in securing the Internet, today announced it has achieved the distinction of Common Criteria (CC) certification for Check Point R77 and Check Point Endpoint Security. As part of Check Point's on-going certification efforts, the CC certifications for R77 and Endpoint further demonstrate the company's continued commitment to support the Government market and provide independent validation of its security solutions and capabilities
AT&T Leverages Blue Coat for Cloud Web Security Service for SMBs (Converge) AT&T launched a subscription-based Cloud Web Security service for businesses that provides real-time protection against viruses, malware, and compromised web sites
Ensnare Attack Detection Tool Hopes to Frustrate Hackers, Too (Threatpost) Two Netflix security engineers released an open source attack detection tool for Web applications that responds with tactics aiming to frustrate hackers
CSC's New App Security Offering (Dark Reading) Help organizations to test the security of software applications and build security into the software development lifecycle
Quarri Announces Partnership with Bynet Data Communications (MarketWatch) Partnership provides information security solutions for various sizes of organization, protecting websites, Intranet and cloud services access
Technologies, Techniques, and Standards
Cybersecurity Is About Attitude, Culture — Not Strictly Compliance (Wired) How do you avoid becoming the Next Big Retail Breach Target? There are plenty of points — and counterpoints — on the topic. As a cybersecurity professional who has specialized in compliance with the Payment Card Industry (PCI) Data Security Standard for more than a decade, I have a great deal of thoughts to share. So consider this the first of a five-part blog in which I'll lend my perspective about the state of systems protection in the retail industry — and how to safeguard your business
Compliance misconceptions, challenges and tips (Help Net Security) In this interview, Paul Koziarz, President and General Manager of Regulatory Compliance at CSI, talks about the misconceptions related to compliance, provides advice for CSOs and discusses the difference between being compliant and being secure
Social Media Monitoring and Compliance: Five Best Ways to Navigate Complexity in the Workplace, Part III (Cyveillance) In our previous posts, we discussed why companies need to find a balance between a legitimate interest in finding misbehavior and meeting compliance requirements with expectations of privacy, along with why you need to set objectives and clear boundaries. In today's post, we'll examine the need for transparency and a social media policy
New FedRAMP controls baseline coming this summer (FierceGovernmentIT) Private sector cloud computing providers will have a changed set of security controls to adhere to when selling to federal agencies starting later this summer
Metrics matter in privacy engineering (FierceGovernmentIT) As the privacy field seeks greater precision in a bid to make technical implementation of privacy controls a possibility, it should be cautious about the metrics it adopts, warns a computer scientist
Federal privacy advocates seek precision as a means for controls (FierceGovernmentIT) Privacy as a field lacks the precision of cybersecurity, leaving a gap when it comes to implementing specific protective measures, federal officials said today during a workshop at the National Institute of Standards and Technology
UK seeks input on cybersecurity plan similar to NIST framework (Inside Cybersecurity) The British government is seeking comment on a proposed cybersecurity "scheme" that mirrors key elements of the Obama administration's recently released framework of voluntary standards. Both the British plan and U.S. framework call for a tiered system that allows businesses and organizations to determine the level of compliance appropriate for them
Best practices for secure use of Windows XP (Help Net Security) Microsoft's support for Windows XP ended yesterday, April 8, 2014. However, Gartner estimates that one-third of enterprises currently have more than 10 percent of their systems remaining on XP
Research and Development
New IDS project spots anomalous system behavior (Help Net Security) A team of researchers from Binghamton University have been working on a new intrusion detection approach based on monitoring the behavior of systems and spotting when it differs from the one that is considered normal
Stung by file-encrypting malware, researchers fight back (IT World) Ransomware programs such as CryptoDefense, CryptorBit and HowDecrypt have left users enraged — and often helpless
Call of cyber duty: Military academies take on NSA (AP via the Washington Post) If Douglas MacArthur or Ulysses S. Grant went to the U.S. Military Academy today, they might be testing their defensive skills hunched in front of a computer screen.
Legislation, Policy, and Regulation
Caught Between The Lines: How Online Censorship Harms Corporate Security (Tripwire) National governments are increasingly powerful stakeholders on the internet, changing and filtering the digital landscape in the process. Recently we saw instances of Twitter and YouTube access blocked, performed by Turkish authorities due to circulation of a series of confidential recordings with evidence of alleged corrupt practices
Hagel pushes for Chinese reciprocation on cyber doctrine exchanges (FierceGovernmentIT) New U.S. openness regarding its military cyber doctrine is so far unreciprocated by China, say U.S. officials
Is the US headed toward a cyber Cold War with China? (Ars Technica) Harvard scholar suggests the superpowers are locked in a "cool war"
The Kremlin's Digital Gulag (Moscow Times) A Moscow city lawmaker, Alexei Lisovenko, is trying to resuscitate a government push to expand Russia's "digital sovereignty." On April 3, Lisovenko appealed to State Duma Deputy Sergei Zheleznyak, asking him to pass legislation that would require all online social networks to house users' personal data on servers located on Russian soil. Lisovenko, an active member of Facebook, Twitter, and Instagram, cites former National Security Agency contractor Edward Snowden's revelations about U.S. spying as a reason for the move. "Snowden has confirmed that the largest intelligence-gathering corporation there is — the National Security Agency — is monitoring our social media accounts," Lisovenko said
Germany asked U.S. about monitoring of Merkel but got no response: MP (Reuters) The German government asked the United States what information the National Security Agency had collected on Angela Merkel after monitoring her mobile phone for years but got no response, a German lawmaker said on Wednesday
Dueling dilemmas for national security reform (Politico) Congress is awash in ideas for revamping the government surveillance programs exposed by Edward Snowden. Although behind-the-scene talks have picked up in recent days, lawmakers' appetite, the path and timing for reform remains far from clear
Lofgren calls for sweeping NSA, email privacy reforms (The Hill) Rep. Zoe Lofgren (D-Calif.) repeated calls for sweeping privacy reforms to address both National Security Agency (NSA) surveillance and digital privacy from law enforcement agencies
Chamber of Commerce urges government to steer clear of pricing cybersecurity products (Inside Cybersecurity) The federal government should "openly" acknowledge the high costs companies could incur to counter advanced cyber threats, but officials should stay away from trying to influence the price of cybersecurity products and services, according to the U.S. Chamber of Commerce
Canadian privacy bill floats $100k fine per breach victim not notified (SC Magazine) On Tuesday, the Digital Privacy Act was introduced in Canada's Parliament, proposing stiff penalties for organizations that fail to adequately respond to breaches
New law seeks to make retailers financially responsible for data breaches (Naked Security) When it comes to massive data breaches — such as the ones at Target and Neiman Marcus — in which millions of customers' credit and debit card numbers were breached, who should foot the bill? Banks and credit card companies have been stuck paying for the damages stemming from hacking of payment data in such crimes, but a new law introduced in California last week seeks to pass the buck right on back to the retailers that spawn the breaches
Litigation, Investigation, and Law Enforcement
HHS reveals "high-risk" security issues at Medicaid agencies (SC Magazine) The Department of Health and Human Services' (HHS) has released a report on "high risk" security issues that impacted 10 state Medicaid agencies
How the IRS is Leaving Your Financial Data Unprotected (Nextgov) The tax agency needs to better audit its own accounts, according to the Government Accountability Office. GAO officials during the past year discovered that Internal Revenue Service was not sufficiently monitoring databases for abnormal activity that could indicate a breach. They also found poor encryption on key agency systems
US attorney general says criminals use crypto currencies (The Inquirer) United States attorney general Eric Holder has told the US House Judiciary Committee that criminals use crypto currencies and that US law enforcement has no way to keep it free from crime
Big data used to catch bulk cash smugglers (FierceBigData) Bulk cash is exactly what it sounds like: oodles of money bound, hidden and smuggled from one country to another as one of the three top preferred international money laundering schemes used by criminals. We're talking about seriously big time criminals here with really big bags of cash. This is not a small time players' game. Somehow it seems fitting that big data would be the tool most likely to find bulk cash, doesn't it? Here's how that works
HMIC report highlights concern over cybercrime plans (BBC) Three out of 43 police forces in England and Wales have a comprehensive plan to deal with a large-scale cyber-attack, a report has found
Whistleblower Says He Warned University Of Maryland Before Data Breach (CBSBaltimore) A data breach drew the nation's attention to the University of Maryland. It exposed sensitive information, including Social Security numbers of hundreds of thousands of current and former students and employees, and it led to an FBI raid on the home of a software engineer in Baltimore County whose former employer contracted with the university
Man behind Carder.su racketeering, other cybercrime, pleading guilty (Ars Technica) Eight of 55 connected associates have copped guilty pleas in the $50 million scam
For a complete running list of events, please visit the Event Tracker.
Cyber Security EXPO: Securing information, mobility, cloud, and social interaction for the modern enterprise. Disruptive technologies such as cloud computing, mobile, bring your own device (BYOD) and social media are pushing sensitive data and function closer to the user and away from traditional controls. Cyber crime is at an all-time high, attackers are using highly sophisticated methods taking advantage of a hyper-connected world. The challenge of securing corporate data and networks to mitigate risk is greater than ever. CISOs need new tools, new thinking and policies to meet these challenges. Cyber Security Expo 2014 has been designed to do just that. Cyber Security Expo will have a dedicated conference as well as five highly focused theatres and a significant exhibition. Major themes examined include: Internet & Network Security, Social and Consumer Trends, Cyber Crime, Log Data & Advanced Analytics, Identity & Access Management, Privacy & Data Protection, Cloud Security & Governance and Mobile Device Management.
SOURCE: The purpose of SOURCE Conference is to bridge the gap between technical excellence and business acumen within the security industry. SOURCE fosters a community of learning where business and security professionals come together to gain knowledge and skills, network with peers, and advance their careers and professional development. SOURCE enables individuals, teams, and organizations to leverage information to improve decision-making, optimize performance, and achieve business objectives.
2014 Computer Security Day (Eugene, Oregon, USA, Apr 11, 2014) The Fourth Computer Security Day at the University of Oregon will feature a slate of distinguished speakers from academia, industry, and government, discussing current challenges and future opportunities in cybersecurity. The range of topics will be broad and diverse, ranging from examining future trends in computer security, to understanding cybersecurity within the federal government, to exciting new research in authentication mechanisms and securing systems and data. There will be plenty of opportunities to engage with the speakers and other attendees.
Women in Cybersecurity Conference: WiCyS is an effort to bring together women (students/faculty/researchers/professionals) in cybersecurity from academia, research and industry for sharing of knowledge/experience, networking and mentoring. Any individual or organization interested in recruitment/retention of women in this field and/or diversification of their cybersecurity workforce is especially encouraged to get involved.
NSA Procurement in today's business arena (Elkridge, Maryland, USA, Apr 16, 2014) An opportunity to gain inside perspective on market trends in NSA Procurement. The guest speaker will be William Reybold, National Security Agency's Deputy Senior Acquisition Executive (SAE), who manages all Agency procurements, from off-the-shelf supplies to developing and deploying large, highly technical, and complex new systems. He is directly accountable for delivery of all major systems acquisitions and includes as part of the organization, the NSA Contacting Group.
Suits and Spooks San Francisco: S3+: Surveillance, Security, Sovereignty and other Critical Issues. Not another hacker conference. Suits and Spooks is a unique gathering of experts, executives, operators, and policymakers who discuss hard challenges in a private setting over two days. CFP is now open. If you're interested in being a speaker at Suits and Spooks San Francisco, please send an email with your topic title, short abstract, and your bio by February 15th.
US News STEM Solutions: National Leadership Conference: The STEM crisis in the United States demands solutions—and nowhere is the search more concentrated than at U.S. News STEM Solutions. Now in its third year, this premier national leadership conference is an outcome-focused forum for the entire network of experts, advocates and change-makers who are proactively working to fill jobs now and advance the future of the STEM workforce. More than a broad-based discussion of the issues, this year's conference will zero in on tangible results, real successes and collaborative strategies that are already moving the needle. If you have a vested interest in the development of the STEM pipeline, make your voice heard where it will have the most impact.
East Africa Banking and ICT Summit (Kampala, Uganda, Apr 25, 2014) The global event series for Banking and ICT Summit enters its third year. The summit will continue to provide delegates with technical & practical sessions, lectures and showcase for banking and ICT innovations, and unique networking opportunities.
National Collegiate Defense Cyber Competition: Registration for the 2014 CCDC season is underway! Visit your region's website or contact your regional for registration and competition information.
InfoSecIndy (Indianapolis, Indiana, USA, Apr 26 - 27, 2014) Join us on April 26-27, 2014 in Indianapolis, Indiana for the premier Midwest Information Security and Digital Forensics Conference.
United States Cyber Crime Conference 2014: This is the only event of its kind that provides both hands-on digital forensics training and an interactive forum for cyber professionals to network. The conference covers the full spectrum of topics facing defenders as well as law enforcement responders. All aspects of computer crime will be covered, including intrusion investigations, cyber crime law, digital forensics, information assurance, along with research and development, and testing of digital forensic tools.
Infosecurity Europe 2014: Infosecurity Europe is Europe's number one Information Security event. Featuring over 350 exhibitors, the most diverse range of new products and services, an unrivalled education programme and over 12,000 visitors from every segment of the industry, it's the most important date in the calendar for Information Security professionals across Europe.