Mountain View: the latest from SINET ITSEF 2014
Exclusive: Interview with Kjetil Nilsen Director General, Nasjonal Sikkerhetsmyndighet (NSM — Norway's National Security Authority) (The CyberWire) The CyberWire interviewed Mr. Kjetil Nilsen, Director General of Norway's National Security Authority (NSM), who delivered the final keynote at SINET ITSEF 2014. Mr. Nilsen's agency is responsible for information assurance, cyber security, cryptography and other national protective security services. NSM also leads NorCERT and a public-private partnership that includes Norway's national sensor network. Mr. Nilsen shared his perspective on the role of trust and cooperation in coping with an increasingly complex threat environment
Homeland Security Deputy Secretary Mayorkas' Trip to California and the IT Security Entrepreneurs' Forum (Imperial Valley News) Yesterday, Deputy Secretary of Homeland Security Alejandro Mayorkas traveled to California where he delivered remarks at the 8th annual IT Security Entrepreneurs' Forum hosted by the Security Innovation Network to discuss the cyber threat landscape and the importance of innovation in the field
Cyber Attacks, Threats, and Vulnerabilities
Call of Duty 'fragged using OpenSSL's Heartbleed exploit' (The Register) So it begins … or maybe not, says one analyst
Hackers prepping for OpenSSL Heartbleed attacks (CSO) Hackers suspected of listing 10,000 domains that the flaw has made vulnerable on Pastebin
Canada halts online tax returns in wake of Heartbleed (CSO) Canada Revenue Agency anticipates restoring services by weekend
Heartbleed in TOR (and in Poland) (CERTPolska) In the last few days the most popular vulnerability seems to be CVE-2014-0160. This two-year-old vulnerability was in the OpenSSL library and allows reading a part of the memory of the process. The use of this library is very prevalent not only in server environments (e.g. WWW, or mail), but also on desktops in some client applications. However, the most popular browsers are not affected in any way. We publish our analysis of this CVE and its effect on TOR and the Polish network. Information on the Electronic Frontier Foundation Deeplinks blog allows one to speculate that the intelligence agencies knew about the bug a year ago and actually used it
Blackberry, Cisco Products Vulnerable to OpenSSL Bug (Threatpost) Vendors are continuing to check their products for potential effects from the OpenSSL heartbleed vulnerability, and both Cisco and BlackBerry have found that a variety of their products contain a vulnerable version of the software
Heartbleed Found in Cisco, Juniper Networking Products (Bloomberg) The Heartbleed Web-security flaw has been found in the hardware connecting homes and businesses to the Internet, underscoring the amount of time and effort that will be needed to defuse the threat
Twitter, at least, dodged the horrors of Heartbleed (CSO) Users have to be careful protecting their data because the vulnerability existed for years on many sites
The Other Side of Heartbleed — Client Vulnerabilities (Internet Storm Center) We're getting reports of client applications that are vulnerable to the heartbleed issue. Just as with server applications, these client applications are dependent on vulnerable versions of OpenSSL
Heartbleed Bug—Mobile Apps are Affected Too (TrendLabs Security Intelligence Blog) The severity of the Heartbleed bug has left countless websites and servers scrambling to address the issue. And with good reason—a test conducted on Github showed that more than 600 of the top 10,000 sites (based on Alexa rankings) were vulnerable. At the time of the scanning, some of the affected sites included Yahoo, Flickr, OKCupid, Rolling Stone, and Ars Technica
Heartbleed Explained (Critical Watch) Vulnerability in OpenSSL's handling of the SSL heartbeat request that triggers a buffer over-read, resulting in confidential information being disclosed
The Heartbleed Bug: Cutting Through the Noise (Cyveillance) As a trusted security partner, our phones have been blowing up the past 24 hours with clients calling to ask us about the Heartbleed bug found in the OpenSSL library. It's been all over the news, and some of the brightest security minds out there are throwing around really scary words like "catastrophic" and "doomsday". We've been delving into the details the last few days, and working in cooperation with our friends at Codenomicon, the security vendor that discovered the bug
Heartbleed Bug: What Can You Do? (Krebs on Security) In the wake of widespread media coverage of the Internet security debacle known as the Heartbleed bug, many readers are understandably anxious to know what they can do to protect themselves. Here's a short primer
Here's some really bad Heartbleed bug advice about changing your passwords (Graham Cluley) A lot of folks are going around at the moment telling the public to change all of their passwords in response to the serious Heartbleed internet security bug. For instance, here's what the Tumblr website (owned by Yahoo) has told its users
The Heartbleed genie is out of the bottle — now what? (ComputerWeekly) The Heartbleed vulnerability in OpenSSL has been recognised as a major blow for internet security and open source development. But the first thing businesses need to do is verify whether their version of OpenSSL is affected
How Heartbleed Broke the Internet — And Why It Can Happen Again (Wired) Stephen Henson is responsible for the tiny piece of software code that rocked the internet earlier this week. The key moment arrived at about 11 o'clock on New Year's Eve, 2011. With 2012 just minutes away, Henson received the code from Robin Seggelmann, a respected academic who's an expert in internet protocols. Henson reviewed the code — an update for a critical internet security protocol called OpenSSL — and by the time his fellow Britons were ringing in the New Year, he had added it to a software repository used by sites across the web
Heartbleed: Examining The Impact (Dark Reading) With Heartbleed, there's little hope of knowing if an asset was breached, if a breach can be identified, or what, if any, data was leaked. Here's how to defend against future attacks
Heartbleed Will Go On Even After The Updates (Dark Reading) What's next now that the mindset is 'assume the worst has already occurred?'
Many Devices Will Never Be Patched to Fix Heartbleed Bug (MIT Technology Review) Home automation systems and networking equipment vulnerable to a major encryption flaw are unlikely to be fixed
Mexico Cyber Criminals 'Kidnapping' Business Computer Systems (InSightCrime) Hackers in Mexico have found a profitable illicit enterprise in extorting businesses by hijacking computer systems, another dimension in the country's large and growing cyber crime industry
Advantech WebAccess webvact.ocx NodeName Stack Buffer Overflow Remote Code Execution Vulnerability (Zero-Day Initiative) This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file
High-earners are three times more likely to be victims of identity fraud (Quartz) If you live in North America or Europe and are paid over $85,000 a year, you are three times more likely to be defrauded than those who earn less, according to Trustev, an online anti-fraud company. A salary of $85,000 is hardly enough to qualify someone as rich in those countries, but in the United States it would put you in the top quartile of earners (top 6% if you're single) and far above the national average or median wage
ATMs on Windows XP: How Risky Is It? (eSecurity Planet) Microsoft has ended official support for Windows XP. What does that mean for the security of the world's ATMs, most of which run XP?
Windows XP Alive & Well in ICS/SCADA Networks (Dark Reading) End-of-life for XP support not raising many red flags in critical infrastructure environments, where patching is the exception
Security Patches, Mitigations, and Software Updates
Cisco finds 13 products (so far) vulnerable to Heartbleed—including phones (Ars Technica) Cisco has issued a security bulletin for customers about the Heartbleed bug in the OpenSSL cryptography code, and it's not about Web servers. So far, the company has unearthed 11 products and 2 services susceptible to attack through the vulnerability, which can be used to retrieve random bits of content from an attacked device's memory. Cisco's IOS XE operating system for network hardware is one of the higher-profile products on the company's list
Google Bulks Up Security for Android Phones (Recode) At a time when security vulnerabilities are disturbingly prominent, Google said it is bulking up security for Android phones to provide users more protection
Cyber Trends
Iran to rival China in cyber war on west (The Australian) Iran and Syria are emerging as powers to be reckoned with in global cyber warfare, with hackers in Tehran especially posing an ever-increasing threat, experts have warned
The mysterious disappearance of China's elite hacking unit (Washington Post) The company that helped uncover major online security breaches from China last year says exposing the hackers had the effect of shutting them down — at least temporarily
Just One-Third of Organizations Discover Breaches on Their Own: Mandiant (SecurityWeek) FireEye-owned Mandiant has published the latest release of its Mandiant M-Trends report, which provides analysis on the threats of 2013 and highlights emerging global threat actors and the types of targets and information they have in their sights
M-Trends® 2014: Beyond the Breach (Mandiant: A FireEye Company) Mandiant's annual threat report reveals key insights, statistics and case studies illustrating how the tools and tactics of advanced persistent threat (APT) actors have evolved over the last year. The report, compiled from hundreds of Mandiant incident response investigations in more than 30 industry sectors, also includes approaches that organizations can take to improve the way they detect, respond to, and contain advanced attacks
Security Threats: Risk's Often Neglected Step Child (SecurityWeek) According to Gartner ("Security and Risk Management Scenario Planning, 2020"), by 2020, 30% of global 2000 companies will have been directly compromised by an independent group of cyber activists or cyber criminals. This prediction is not surprising, considering the fact that leading risk indicators are difficult to identify when the organization's cyber foes, including their strategy, competences, and actions, are unknown. In turn, many organizations still focus on control gaps and vulnerabilities when performing risk assessments and neglect taking threats into account. This can lead to inaccurate prioritization of remediation actions and inefficient allocation of resources
Why CFOs Must Lead the Discussion on Cyber Security (CFO Global) Early this year, Target was in the midst of controversy as a cyber security breach leaked the private information of its online consumers. Now, Target CFO John Mulligan must testify before Congress and discuss the details of online customer information theft. An estimated 40 million credit card numbers were stolen alongside the contact information for over 70 million people. When the breach went public, Target spent an estimated $61 million on damage control, fixing the breach, and securing the website from future attacks
LTE: The need for speed opens up security potholes (FierceITSecurity) Mobile operators' deployment of high-speed 4G LTE networks has opened the door to security threats because of vulnerabilities inherent in the all IP architecture, warns Stephane Teral, principal analyst for mobile infrastructure and carrier economics at Infonetics Research
Cyber Crime Explosion Leads To Security Update Releases Every 40-50 Minutes (Misco) The level of cyber criminal activity has reached such proportions that security solution providers are being forced to roll out updates every 40 to 50 minutes, according to Symantec, the US company behind the Norton Internet Security package
Marketplace
An introduction to cyber liability insurance cover (ComputerWeekly) For years, security professionals have been saying "either you have been data breached or you just do not know that you have been data breached." Data breaches are now a fact of life together with taxes and death, but how can businesses better manage the risks related to a data breach and reduce the significant cost that can result from them? One of the options is to buy insurance
AEGIS London launches Next generation of cyber insurance product (Insurance Business Review) Lloyd's of London insurer AEGIS London has rolled out a new breed of cyber insurance product following a major study of the evolution of cyber risk in the energy sector and its impact on so-called critical infrastructure businesses
ESET Focused on Growing Presence in Indian Market (Parda Phash) ESET, a global provider of security solutions for businesses and consumers, is focusing on growing its presence in the Indian market. The Federation of Indian Chambers of Commerce and Industry (FICCI) recently conducted the India-Central Europe Business Forum on 27-28 March in New Delhi, the first in the series. This business forum was focused on promoting multifaceted industry engagement with highly promising Central European economies including Slovakia
Palo Alto Networks® Completes Acquisition of Cyvera (MarketWatch) Palo Alto Networks® today announced it has completed its acquisition of Cyvera Ltd., a privately held cybersecurity company located in Tel-Aviv, Israel. Originally announced on March 24, 2014, Palo Alto Networks acquired Cyvera for an aggregate purchase price of approximately $200 million
CACI's Six3 Systems deal named best of the year (Washington Technology) From the moment CACI International's acquisition of Six3 Systems was announced last year, it had all the markings of a top deal of the year
Parsons Expands Md. Cyber Center with New Training, Conference Facility (ExecutiveBiz) Parsons Corp. has launched a training and conference center in Columbia, Md. The 4,000-square-foot facility located in Parsons' Columbia cybercenter houses operations areas, labs and innovation centers, the company said Tuesday
Lunarline Narrows Search for New Facility to Support its Rapid Growth (Broadway World) Lunarline Inc, a Service Disabled Veteran Owned Small Business and one of the country's leading cyber security companies, announced today that it has narrowed its search for a new security operations facility to Kettering, Ohio though the company is still considering other locations
How to stop the next Heartbleed bug: pay open-source coders to protect us (The Guardian) Don't wait for the next Snowden to tell us if the NSA's been using this privacy hole, too. Help support more heroes of the free and secure web to spot the next one
Symantec simulation could be a recruiting tool (FCW) Symantec has been hosting cyber-readiness simulations for a couple of years, but this week's event in Washington, D.C., was the first the firm has held for federal executives with a workforce shortage in mind
Products, Services, and Solutions
Your phone has Heartbleed? Lookout's Detector app can tell (Android Authority) Following this week's discovery of the serious Heartbleed bug in OpenSSL, mobile security company Lookout released an Android tool that will help users detect the presence of the security vulnerability on their Android devices
Free Heartbleed-Checker Released for Firefox Browser (Dark Reading) Browser plug-ins arrive for Firefox and Chrome that scan websites for Heartbleed risk
At Feds' request, GoGo in-flight Wi-Fi service added more spying capabilities (Ars Technica) GoGo hands over user data "if we believe… that such disclosure is necessary"
Leading schools use WatchGuard Technologies to secure student Web access, critical network data (ITWeb) WatchGuard Technologies, a leader in integrated security platforms, announced that the Carol Morgan School, one of the Dominican Republic's leading non-profit, private K-12 grade schools, is using WatchGuard's Unified Threat Management (UTM) platforms with WatchGuard Dimension to secure its network and manage student access to online resources and applications
What is a Threat Intelligence Platform (ThreatConnect News) Last week, Anton Chuvakin from Gartner wrote a blog about what he is calling an Intelligence Management Platform. He includes some thoughts by Facebook on how they are building their own platform. He alludes to non-public sources and I'm sure ThreatConnect™ is one, so rather than keep you all in suspense, I thought this would be an opportune time for ThreatConnect to say what we think a Threat Intelligence Platform is
Protect your device from malicious ads (CNET) The chances of encountering a malware-bearing ad on your phone or tablet are increasing. But blocking ads on mobile is neither easy nor very effective. Here's a better approach to ad-blocking on your device
Technologies, Techniques, and Standards
The effect of the Heartbleed bug on open source projects (Help Net Security) The Heartbleed bug in OpenSSL is all the information security world is talking about these days. Many are beginning to realize that its existence has opened multiple cans of worms
Heartbleed: Making The Case For SDN (InformationWeek) Software-defined networking technology could help protect against vulnerabilities like Heartbleed. It's time to develop a more mature SDN option
Turning the Tables: Using Evasion Tactics to Help Prevent Malware Infection (SecurityWeek) Sandboxing is a relatively new trend in malware analysis. It allows companies, such as antivirus vendors, to execute malware in an environment where it can't do any real damage. By watching what the executable does, security researchers can identify whether the software is malicious or if it's a legitimate application users genuinely want to install. For example, if an unknown application is executed in the sandbox and is observed sending passwords to a random website in a foreign country, the executable is likely malware. If no such observations are made, then it's "probably" goodware
Securing Passwords with Bcrypt Hashing Function (Hacker News) Passwords are the first line of defense against cyber criminals. They are the most vital secret of every activity we do over the internet and also a final check to get into any of your user accounts, whether it is your bank account, email account, shopping cart account or any other account you have
Hackathons Should Be More Than A Circus (InformationWeek) Tapping into developer talent at a hackathon should be fun, but don't lose sight of the potential business benefits
Beat it, bloatware: How to clean the crap off your PC (PCWorld) Boot up a new PC for the first time, and you should be able to watch it fly. Instead, it may sputter and struggle to get off the ground, thanks to all the preinstalled junk that vendors habitually dump onto new PCs
Design and Innovation
Government-Run Competitions Should Be About Markets, Not Prizes (Nextgov) Running a prize competition in government or industry is about "understanding where the market's going in 10 years and trying to make it go there in three years," Christopher Frangione, vice president for prize development at the X Prize Foundation, told members of Congress on Wednesday
Academia
CDX pits NSA hackers against service academies (FCW) A low-slung building in a suburban office park might seem an unlikely setting for military war games, but that's exactly what's taking place at the Columbia, Md., outpost of the Parsons Corporation
Tripwire Donates $11.75M Cybersecurity Service to Penn State (Dark Reading) Gift is a cloud-based risk and analytics cybersecurity service to the Center for Cyber Security, Information Privacy and Trust
Legislation, Policy, and Regulation
2 Regulators Issue Guidelines on Sharing Cyber Security Information (New York Times) Sharing information between companies about threats to cybersecurity is not likely to raise antitrust concerns, the Justice Department and the Federal Trade Commission said Thursday
Blowing the Whistle at Your Agency May Have Just Gotten Easier (Government Executive) Federal whistleblowers will soon have new allies on Capitol Hill. Sen. Chuck Grassley, R-Iowa, announced Thursday he will create the Senate Whistleblower Caucus to ensure protections for federal employees exposing wrongdoing at their agencies are being enforced
Goodlatte: NSA reform can't dodge Judiciary Committee (Politico) House Judiciary Committee Chairman Bob Goodlatte (R-Va.) declared Thursday that he'll fight any effort to move National Security Agency surveillance reform legislation to the House floor without going through his panel
Top U.S. lawmaker: intelligence top priority in defense bill (Reuters via the Chicago Tribune) The chairman of the U.S. House Armed Services Committee said on Thursday that intelligence, surveillance and reconnaissance capabilities would be top priorities as the panel puts together this year's massive defense policy bill
HHS pushes state agencies to share data (FierceGovernmentIT) Information sharing since 9/11 has been associated mostly with intelligence and counterterrorism. But the Health and Human Services Department is also trying to bring together information dispersed across the numerous state systems used for HHS-funded programs
Menendez Slams 'Dumb' Criticisms of Obama's Secret Social Media Program in Cuba (Foreign Policy) The chairman of the Senate Foreign Relations Committee on Thursday tore into critics of a controversial U.S.-backed social media program in Cuba. The program, created by the U.S. Agency for International Development and run with the help of American contractors, established a Twitter-like social media site on the Communist island called ZunZuneo but was shuttered after two years with little to show for it
Super-cyber Turkey in Syberia (Hurriyet Daily News) Jamie Shea, NATO's deputy assistant secretary general for emerging security challenges, once said: "One hundred twenty countries currently have or are developing offensive cyber-attack capabilities which are now viewed as the fifth dimension of warfare after space, sea, land and space." The Turks took that very seriously — well, at least the idea. Last June, the Turkish government launched the Center for Response to National Cyber Threats. Earlier, the Turkish military headquarters had formed a Cyber Warfare Command
Can Malaysia handle cyber attacks? (Free Malaysia Today) Cyber security is a growing concern worldwide. Hacking is rampant and the threat is real to any nation, for its implications can be far-reaching
Litigation, Investigation, and Law Enforcement
It may be ILLEGAL to run Heartbleed health checks — IT lawyer (The Register) Do the right thing, earn up to 10 years in clink
Whitehat hacker breaches UMD servers to jump-start security remediation (Help Net Security) David Helkowski, a software architect/engineer working for software consultancy Canton Group, has made a serious mistake that has already cost him his job and might end up costing him even more
NSA subverted EU privacy laws, spied on human rights orgs (Help Net Security) In a testimony delivered by video-link from Moscow, NSA whistleblower Edward Snowden has revealed to EU parliamentarians that the US NSA is actively spying on human rights organizations such as UNICEF and Amnesty International
The Snowden Saga: 10 Key Questions Regarding His National-Security Disclosures (Vanity Fair) In the 10 months since The Guardian and The Washington Post published the first disclosures based on documents leaked by Edward Snowden, a vigorous debate about the National Security Agency's aggressive intelligence-gathering activities has erupted. An in-depth account of Snowden's journey from N.S.A. contractor to world-famous whistle-blower, published in the May issue of Vanity Fair, injects a much-needed dose of humanity into the conversation, showing how Snowden's experiences shaped his decisions. But it's also worth examining the key questions that concerned citizens in America and around the world have been asking ever since the sheer scope of the N.S.A.'s efforts became clear. Ahead, VF Daily addresses 10 such questions, with input from Snowden's legal representative, Ben Wizner, the director of the American Civil Liberties Union's Speech, Privacy & Technology Project
Ukraine Boasts of Rounding Up Russian Spies. Will Washington Notice? (Foreign Policy) To hear Ukraine tell it, you'd think their fledgling new government is full of crack spy hunters rooting out every Russian mole and agitator from Kiev to Kharkiv. Ukraine's main security agency, the SBU, has been keeping a running tally of all the Russian provocateurs who've been discovered or captured in the past month. The list includes an alleged "espionage ring of the military intelligence of the Russian Federation," a Russian and three Ukrainians who were preparing to hand over computer hard drives to Russia's security service, and a Russian woman attempting to "destabilize the situation in the southern regions of Ukraine." An SBU Web site shows what appears to be the woman's social media page, where she poses in combat fatigues while sporting an assault rifle
70 People Arrested for Airline Ticket Fraud (eSecurity Planet) According to Europol, the arrests took place in 23 countries, in connection with 265 fraudulent ticket purchases