Cyber Attacks, Threats, and Vulnerabilities
Bihar BJP website hacked and defaced by Pakistani Hackers (eHacking News) The Bharatiya Janata Party's (BJP) website has once again been targeted by hackers claiming to be from Pakistan
How Heartbleed transformed HTTPS security into the stuff of absurdist theater (Ars Technica) Certificate revocation checking in browsers is "useless," crypto guru warns
Heartbleed's Never-Ending Drip, Drip, Drip (E-Commerce Times) It's going to take a while to clean up Heartbleed's bloody mess. "If history is any lesson, when Internet-scale vulnerabilities are announced that require firmware updates, we can count on a persistently vulnerable population of devices," said Easy Solutions CTO Daniel Ingevaldson. "This population may stay vulnerable for years, or until these devices become obsolete and are replaced"
Heartbleed Will Require Rehab (InformationWeek) Patches are just band-aids. Heartbleed's long-term effects will force companies to reassess how they deploy and manage technology
Datacentre lessons learnt from Heartbleed bug (ComputerWeekly) The Heartbleed bug, an OpenSSL cryptographic library flaw that allows attackers to steal sensitive information from remote servers and devices, affected nearly two-thirds of websites
Subterfuge: The Automated Man-in-the-Middle Attack Framework (Infosec Institute) Surfing the internet through untrustworthy public networks whether wired or wireless has been known to be risky for a long time now. We all think twice before logging into our bank account or accessing any kind of sensitive information, but what about simply browsing our favourite site?
Easter egg: DSL router patch merely hides backdoor instead of closing it (Ars Technica) Researcher finds secret "knock" opens admin for some Linksys, Netgear routers
P2P Zeus Performs Critical Update (Fortinet) P2P Zeus, a.k.a. Zbot, has evolved into a powerful bot since its discovery in 2007. It is capable of stealing infected hosts' banking information, installation of other malware, and other cybercrime-related behavior. Currently, P2P Zeus supports both the UDP and TCP protocols for its various communication tasks including peer list exchange, command-and-control (C&C) server registration, and malware binary updates
Millions [of] Feedly users vulnerable to Javascript Injection attack (Security Affairs) A security researcher discovered a serious Javascript Injection vulnerability in the popular Feedly Android App impacting millions [of] users
Feedly Android JavaScript zero day found, fixed and can be forgotten (Daniweb) Feedly app left attack window open for malicious JavaScript hackers according to one security researcher. Security consultant and blogger Jeremy S revealed that the Feedly Android app, or at least the version prior to the update on March 17th 2014, had been subject to a zero-day JavaScript code injection vulnerability. Jeremy reported the discovery to the Feedly developers who patched the vulnerability within 24 hours, ethical disclosure working at its best if you ask me
Active malware campaign steals Apple passwords from jailbroken iPhones (Ars Technica) Origin and source of mysterious "unflod" app remain unknown
How to stop the UnFlod Baby Panda malware infecting your iPhone (Graham Cluley) Here is today's question: How can I stop the UnFlod Baby Panda malware infecting my iPhone? I've heard that the malicious app can steal the Apple ID from my iPhone, so I would like to protect it. I love questions like this, because there's a really easy answer: Don't jailbreak your iPhone in the first place
Four of the newest (and lowest) Social Engineering scams (CSO) Social engineering thugs have reached new lows, as gangs play on users' fears of privacy loss, theft and even death
Hundreds of medical professionals targeted in multi-state tax scam (CSO) Medical professionals in several states have come forward with reports of identity theft, after their personal information was used to file fraudulent tax returns
Parallon Business Solutions Acknowledges Insider Breach (eSecurity Planet) A former employee inappropriately accessed names, Social Security numbers, home addresses and health insurance information
Cyber Trends
Former Australian spy boss warns on growing cyber security risks (Financial Review) The man who recently resigned after six years as the Australian government's chief electronic spy has warned that top business executives do not fully appreciate the complexity and danger of threats they are now facing from evolving cyber security risks
Hacked off? Organisations should step up their cyber security (Business Technology) Organisations should be taking the same precautions as governments, as cyber attacks become increasingly common
DBIR: Point-of-Sale Breaches Trending Downward (Threatpost) The attention given to the Target data breach elevated concerns about point-of-sale hacks and got us reacquainted with RAM scrapers and other threats to retailers big and small. And while it's been a noteworthy highlight to the annual Verizon Data Breach Investigations Report for the past few years, the data in this year's report indicates the trend is reversing course
Espionage hacking grows, with more from east Europe: Verizon study (Reuters) Hacking for espionage purposes is sharply increasing, with groups or national governments from Eastern Europe playing a growing role, according to one of the most comprehensive annual studies of computer intrusions
Stolen Passwords Used In Most Data Breaches (Dark Reading) New Verizon 2014 Data Breach Investigations Report identifies nine types of attack patterns that accounted for 93 percent of security incidents in the past decade
Hackers are getting better at offense. Companies aren't getting better at defense. (Washington Post) High-profile data breaches at retailers such as Target, Neiman Marcus and Michaels brought the sorry state of corporate cybersecurity into sharp focus last year as millions of customers found the data they had entrusted to companies had fallen into the hands of cybercriminals
Getting Inside the Adversary's OODA Loop: Automation and Information Sharing for Cyber Defense (The CyberWire) The CyberWire interviewed Mr. Philip Quade, Chief Operating Officer of NSA's Information Assurance Directorate, who participated in SINET ITSEF 2014. The NSA's Information Assurance Directorate is responsible for the security of US national security systems. He shared his views on Active Cyber Defense, and how it depends upon automation and information sharing for a risk-based approach to Sensing, Sense-making, Decision-making, and Acting in cyberspace
Cyber Attack Exercise Reveals Information Sharing Struggles in Healthcare Industry (SecurityWeek) Healthcare organizations are still struggling with information sharing both internally and externally, participants in an industry-wide cyber-security exercise said
First CyberRX simulation allows chief information security officers to practice a joint response between industry and HHS (Healthcare Informatics) On April 1, a cross-section of healthcare industry information security executives took part in the first full-day interactive simulation of an industry-wide cyber threat. During the CyberRX simulation, put on by the nonprofit Health Information Trust Alliance (HITRUST) in coordination with the U.S. Dept. of Health and Human Services, companies displayed a wide range in terms of organizational preparedness for processing threat intelligence and communicating and engaging with other stakeholders, internally and externally, noted Jim Koenig, principal, Global Leader, Commercial Privacy, Cybersecurity and Incident Response for Health at consulting firm Booz Allen Hamilton
Marketplace
US retailers plan industry-wide cyber-security information pool (Gulf News) National Retail Federation says it will establish an Information Sharing and Analysis Centre in June
Bank of England to employ hackers (Computing) The Bank of England is set to employ ethical hacking and penetration testing in an effort to strengthen cyber security of banks and other financial institutions
Surviving the post Heartbleed Cyber Security Skills Crunch (ComputerWeekly) IT users and suppliers, particularly those in financial services and their suppliers, are about to be hit by an IT skills shortfall akin to that during the run-up to Y2K, for similar reasons. A surge in demand for skills in short supply is hitting an industry which has not recruited sufficient trainees for over a decade
Big decline in SA security appliance market (BusinessTech) The South African security appliances market declined 10.3% in value year on year during Q4 2013 to total $12.25 million
Chuck Harrington: Parsons Buys Secure Mission Solutions for Security, Defense Business Strategy (GovConWire) Parsons Corp. has acquired Secure Mission Solutions from Riordan, Lewis & Haden Equity Partners for an undisclosed amount in a move to expand Parsons' cybersecurity market presence
Howard County's AirPatrol Corp. acquired by Silicon Valley firm for up to $30M (Baltimore Business Journal) AirPatrol Corp., a Howard County cyber security firm that focuses on wireless and mobile systems, has been acquired by a Silicon Valley company in a deal worth up to $30 million
Maryland invests $600K in cybersecurity startup Luminal (MDBizNews) Cybersecurity startup Luminal has moved its headquarters to Maryland and plans to expand, thanks in part to a State investment, Governor Martin O'Malley announced Monday
Cross Match acquires DigitalPersona (Help Net Security) Cross Match Holdings and DigitalPersona announced a merger agreement that will combine the two companies. With more than 300 employees, a network of partners and millions of users relying on its solutions worldwide, the merged companies will have a global presence in the government, financial, retail, defense, law enforcement and corporate markets
CRGT Expands Homeland Security Mentor-Protégé Relationships (Digital Journal) CRGT Inc., a leading provider of Big Data, Agile development, Cyber Security, and Infrastructure Optimization for the Federal Government, has increased its focus on the Department of Homeland Security (DHS) programs through the execution of formal DHS Mentor-Protégé engagements with Novel Applications of Vital Information, Inc. (Novel Applications) and EnProVera Corporation. These business partners have skills and experience that strengthen CRGT's market offerings as we pursue new business within select government agencies
Firehost, Linode news shows IaaS life beyond Amazon Web Services (GigaOm) The week in cloud: Firehost nets $25 million in new funding to add features to and market its secure cloud; Linode pours $45M into its infrastructure
Nokia sees Microsoft deal closing this week (Reuters) Nokia said on Monday it expects the sale of its handset business to Microsoft to be finalized on April 25, as it had received all the required regulatory approvals
Ken Asbury: SPAWAR Picks CACI to Help Secure Facilities Under Electronic Surveillance Program (ExecutiveBiz) CACI International has been awarded a position on a potential five-year contract vehicle to sustain electronic surveillance systems for the U.S. Navy's anti-terrorism and force protection programs
Splunk Named One of the "Best Places to Work" for Seventh Consecutive Year (MarketWatch) Splunk Inc., provider of the leading software platform for real-time operational intelligence, today announced that it has been named as one of the "Best Places to Work" in the Bay Area by San Francisco Business Times and Silicon Valley Business Journal
Army denies troops superior software because MONEY (Daily Caller) The Army has denied soldiers the use of a privately developed software intended to mitigate the threat of improvised explosive devices, reportedly because it has already invested time and money in its own product
CloudFlare Launches Bug Bounty Program (Threatpost) As the OpenSSL heartbleed saga unfolded over the last couple of weeks, one of the companies that was at the forefront of figuring out the scope and effects of the problem was CloudFlare. The company put up a challenge server, asking researchers to hit it with the heartbleed exploit to determine whether private SSL keys
Products, Services, and Solutions
Chrome does certificate revocation better (ZDNet) There's a dirty little industry secret: The classic methods of certificate revocation don't really work. That's why Google Chrome doesn't do certificate revocation checking the normal way
Splunk Releases Version 3.1 of the Splunk App for VMware (Compliance Week) Splunk, a provider of software platform for real-time operational intelligence, this month announced the general availability of Version 3.1 of the Splunk App for VMware, which provides comprehensive operational visibility into virtualized environments
Facial recognition — coming soon to a shopping mall near you (Naked Security) Technology giant NEC's Hong Kong branch is promoting a small, "easy to install" appliance which will enable businesses to monitor their customers based on facial recognition
Dropbox VP: People's trust comes first, followed by IT security (FierceEnterpriseCommunications) April 21, 2014 | By Scott M. Fulton III. For the last three years, by far the name at the top of people's lists when they're discussing the trend of "shadow IT"—users bringing apps into organizations that bypass company policies—is Dropbox. It's a simple and effective mechanism for distributing files, and both managers and executives have come to rely upon Dropbox for reaching out to their own subordinates
BAE Systems Unveils Geospatial Intelligence Mobile App For Google Glass (Homeland Security Today) A new app for Google Glass unveiled by BAE Systems is described as "a potential game-changer for the way our military, police, fire and first responders collect data," BAE said
Athena Announces Fastest Elliptic Curve Cryptography Accelerator Core (Design & Reuse) The Athena Group, Inc., the leader in high-performance public key (PK) and elliptic curve cryptography (ECC), today announced the industry's fastest ECC accelerator core. Athena's commitment to maintaining leadership in the high-performance PK cryptography and ECC marketplace is reinforced with the release of the EC Ultra family of dedicated ECC accelerators. Athena introduced three variants ranging in performance from 2,000 to 8,000 NIST P-256 EC-DSA verify operations per second
Apps offer users ways to boost online security (CTVNews) The uproar surrounding the National Security Agency's Prism program, in which the U.S. government collected data from citizens' webmail and social network accounts, has led to the development of encrypted alternatives to Gmail, Hotmail and other popular messaging services. Known only to a small set of users in the past, solutions for enhanced data security are now beginning to hit the mainstream
Reddit punishes technology community for censoring 'NSA,' 'Snowden' and 'Bitcoin' links (Washington Examiner) Social-sharing website reddit has punished the subreddit r/technology for censoring posted links containing words like "National Security Agency," "Edward Snowden" and even "Bitcoin."
Free Heartbleed scanner for Chrome and Android (Help Net Security) To help Internet users protect themselves from the Heartbleed bug that is eroding SSL security features on websites worldwide, Trend Micro released two free Heartbleed scanners for computers and mobile devices designed to verify whether they are communicating with servers that have been compromised by the Heartbleed bug
Openics Decodes Control System Traffic, Builds Data Dictionaries (Threatpost) An ICS protocol sniffer has been released to GitHub. OpenICS builds data dictionaries, rather than signatures, from the packets it captures in order to help business leaders make security decisions
Technologies, Techniques, and Standards
How to enable the "Kill Switch" on your iPhone or iPad, right now! (Intego) The big smartphone manufacturers—Apple, Google, Samsung and Microsoft—have all committed to introducing a smartphone "Kill Switch" for their devices by 2015
Third-party audits best way to oversee cyber security (Hartford Business Journal) Last week's announcement that Connecticut's utilities have been compromised by cyberattacks isn't surprising, but it does raise serious concerns about the vulnerability of the state's electricity, natural gas, and water infrastructure
Research shows vulnerabilities go unfixed longer in ASP (SC Magazine) While there is no significant difference between the number of security vulnerabilities found, on average, in widely used programming languages, like .Net, Java and ASP, the number of days it takes to make fixes can differ noticeably, a WhiteHat Security report reveals
Big data's defense against cyber crime (FierceBigData) Big data is both a blessing and a curse in terms of security. Cybercriminals can hide within big data and they can use big data to aid their efforts in a myriad of ways. But, big data tools also present a formidable defense when they're used correctly. A new report from Gartner gives some good advice on how to do that
Significant breakthrough for information interoperability: partners agree on baseline of attributes (ISE) At the office of the PM-ISE, we understand the challenges involved with strengthening both information sharing and information safeguarding — to advance the sharing of terrorism, homeland security, cyber, and other national security information. Thus our vision: "National Security through responsible information sharing"
NIST to Drop Crypto Algorithm from Guidance (GovInfoSecurity) Move comes following concerns about NSA actions. A draft of revised guidance from the National Institute of Standards and Technology drops a cryptographic algorithm the National Security Agency is believed to have used to circumvent encryption that shields much of global commerce, banking systems, medical records and Internet communications
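The algorithm the draft removes is the Dual_EC_DRBG generator of SP 800-90A. The concern was never a bug in the arithmetic but the two fixed curve points P and Q: if whoever chose them also knows a scalar e with Q = e*P, one output block is enough to recover the generator's next internal state. The toy below is an added illustration, not code from NIST, the NSA, or any article linked here. It runs the Dual EC update and output rules on the textbook curve y^2 = x^3 + 2x + 2 over GF(17) with base point (5, 1) (group order 19, from Paar and Pelzl's Understanding Cryptography); the secret relation e = 3, the seed, and every function name are assumptions chosen for the demonstration, and the toy skips the 16-bit truncation the real generator applies to each output.

```python
# Added illustration of the Dual_EC_DRBG trapdoor on a toy curve (not NIST's
# or anyone else's code). Curve y^2 = x^3 + 2x + 2 over GF(17), base point
# (5, 1), prime group order 19: the Paar & Pelzl textbook example. The curve,
# the secret e = 3 and the seed are assumptions for the demonstration only.

PRIME, A, B = 17, 2, 2      # toy field and curve coefficients (assumption)
INF = None                  # point at infinity


def inv(n):
    """Modular inverse in GF(PRIME) (needs Python 3.8+)."""
    return pow(n % PRIME, -1, PRIME)


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % PRIME == 0


def add(p, q):
    """Affine point addition on the short Weierstrass curve."""
    if p is INF:
        return q
    if q is INF:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % PRIME == 0:
        return INF                                   # p == -q
    if p == q:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % PRIME
    else:
        lam = (y2 - y1) * inv(x2 - x1) % PRIME
    x3 = (lam * lam - x1 - x2) % PRIME
    y3 = (lam * (x1 - x3) - y1) % PRIME
    return (x3, y3)


def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def order(pt):
    """Order of pt by brute force; fine for a 19-element group."""
    n, acc = 1, pt
    while acc is not INF:
        acc = add(acc, pt)
        n += 1
    return n


P = (5, 1)                  # the published base point
ORDER = order(P)            # 19 on this toy curve


def scalar(s):
    # Toy-only guard: keep the multiplier in 1..ORDER-1 so the tiny group never
    # lands on the point at infinity. With a 256-bit state this is negligible.
    return 1 + s % (ORDER - 1)


def step(s, base):
    """Dual EC state update: s <- x(s * P)."""
    return mul(scalar(s), base)[0]


def output(s, q):
    """Dual EC output block: r <- x(s * Q) (real generator drops 16 top bits)."""
    return mul(scalar(s), q)[0]


def generate(seed, base, q, blocks):
    """Honest consumer: run the generator and collect output blocks."""
    s, out = seed, []
    for _ in range(blocks):
        s = step(s, base)
        out.append(output(s, q))
    return out


def recover_next_state(r, d):
    """Trapdoor: lift r to a curve point R = (r, y); then x(d*R) = x(d*s*Q)
    = x(s*P), the next state. The sign of y is irrelevant: x(dR) = x(-dR)."""
    for y in range(PRIME):
        if on_curve((r, y)):
            return mul(d, (r, y))[0]
    raise ValueError("no curve point has x = %d" % r)


def predict(r_seen, d, base, q, blocks):
    """From one observed block plus the trapdoor d, forecast later blocks."""
    s = recover_next_state(r_seen, d)
    out = []
    for _ in range(blocks):
        out.append(output(s, q))
        s = step(s, base)
    return out


E_SECRET = 3                              # assumption: hidden relation Q = e*P
Q = mul(E_SECRET, P)                      # (10, 6): indistinguishable from random
D_TRAPDOOR = pow(E_SECRET, -1, ORDER)     # 13 = e^-1 mod group order

if __name__ == "__main__":
    seen = generate(2, P, Q, 4)                       # victim's output: [9, 3, 13, 9]
    print("victim  :", seen)
    print("forecast:", predict(seen[0], D_TRAPDOOR, P, Q, 3))   # [3, 13, 9]
```

Without e, recovering the state from an x-coordinate is the elliptic-curve discrete logarithm problem and the design is sound; with e it is one scalar multiplication, which is why the dispute was about who chose Q and how, not about the mathematics.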
Our Comments On NIST's Cryptographic Standards Review Process (Center for Democracy and Technology) The US National Institute of Standards and Technology (NIST) has taken a first, important step in making sure no flaws or trapdoors end up in their cryptographic standards: they put out for public comment a document that describes the high-level principles for standardizing cryptography at NIST. In this post, I will discuss recent events that lead NIST to take this step and the comments CDT submitted last Friday in response
FAQ: Understanding The True Price of Encryption (Dark Reading) In the wake of recent events like Heartbleed, the search for cost-effective, easy, and scalable encryption solutions has never been more important
Design and Innovation
Google's next design challenge: Unify app design across platforms (Ars Technica) Google wants a single app design across iOS, Android, the Web, and wearables
Research and Development
OpenBSD forks, prunes, fixes OpenSSL (ZDNet) In the wake of Heartbleed, a well-known open source development group is creating a simpler, cleaner version of the dominant OpenSSL
A New Approach to Prioritizing Malware Analysis (SEI Blog) Every day, analysts at major anti-virus companies and research organizations are inundated with new malware samples. From Flame to lesser-known strains, figures indicate that the number of malware samples released each day continues to rise. In 2011, malware authors unleashed approximately 70,000 new strains per day
Budget Problems Impact Science and Technology Personnel as Much as Programs (SIGNAL) Gadgets and gizmos are not the only things beset by the U.S. Defense Department's continued battle with shrinking budget dollars. While some projects may be delayed, and others even derailed, the civilian work force "is now showing the early signs of stress," Alan Shaffer, acting assistant defense secretary for research and engineering, recently warned Congress
Academia
Collegiate cyber championship coming to San Antonio (San Antonio Business Journal) The nation's top collegiate cyber warriors will be making their way to San Antonio next week to compete in the Raytheon National Collegiate Cyber Defense Competition
Army nips Air Force in NSA's cyber competition (Defense Systems) The U.S. Military Academy took the top spot in the National Security Agency's most recent service-academy cyber competition, which involved designing and building a network from scratch, then defending it against NSA and service red teams while handling other challenges
Legislation, Policy, and Regulation
China is setting up covert spy networks in US and Australian universities (Quartz) The ever-rising droves of Chinese people studying abroad is generally considered an all-around win. It's good for Chinese students, who get a coveted credential, as well as for host universities and local communities, which benefit from the spending boost
NSA's Implementation of Foreign Intelligence Surveillance Act, Section 702 (NSA Director of Civil Liberties and Privacy Office Report) This document provides an unclassified overview of NSA's implementation of Foreign Intelligence Surveillance Act Section 702. It is also entered into the Federal Register (docket PCLOB-2013-005-0073) to satisfy PCLOB request for information to inform their upcoming report and to be more transparent to the public
Intel chief bars spies from talking to the press without permission (The Hill) The Obama administration has issued a new directive warning most intelligence agency workers that they are forbidden from talking to the press without permission
Letitia Long: Leading NGA into a new era of intelligence (C4ISR Networks) Letitia Long, director of the National Geospatial-Intelligence Agency, is at the helm of some of the intelligence community's biggest moves. NGA, along with the Defense Intelligence Agency, are leading development of ICITE, the intelligence community's shared IT environment, and Long is also helping to architect a transition to the idea of comprehensive, immersive intelligence that weaves together various disciplines'
Litigation, Investigation, and Law Enforcement
FTC in position to enforce data stewardship standards among cloud providers, says paper (FierceGovIT) Enforcement actions by the Federal Trade Commission have laid a foundation for establishment of data stewardship standards controlling cloud services that involve processing personal data, say two academics
GOP demands answers on electric grid security leak (The Hill) Republicans on the House Energy and Commerce Committee are asking the Federal Energy Regulatory Commission (FERC) to report on how sensitive information about electric grid security became public
Alleged Heartbleed hacker known for finding flaws (The Spec) The university student accused in the Heartbleed hacking has a penchant for pointing out weakness
DoD system still showing contractors fired for misconduct as eligible for security clearance, IG says (FierceGovernment) When contractor employees accused of misconduct are fired or quit before DoD makes a judgment, the system that records the adjudication still shows them as eligible for security clearance, a DoD inspector general report says
Court Rejects Bankruptcy Protection for Mt. Gox (AP via Supply and Demand Chain Executive) The mess is a setback for bitcoin because its boosters promoted its cryptography as protecting it from counterfeiting and theft
Digging for answers: The "strong smell" of fraud from one Bitcoin miner maker (Ars Technica) A Butterfly Labs exec loses a probation hearing, but details from the case are worse
Florida Man Gets Five Years in Prison for Identity Theft (eSecurity Planet) Andrew Ware was involved in a stolen identity tax refund scheme claiming a total of $137,132 in fraudulent refunds