The CyberWire Daily Briefing 05.08.14

Cyber Trends

Intelligence-driven security has benefits, but beware its limits (TechTarget) Too often, what firms and vendors consider intelligence-driven security amounts only to threat predictions and is not very worthwhile from a strategy standpoint, according to Kim Jones, Senior Vice President and CSO of payment processing provider Vantiv. Instead, companies need to use security data to drive decision-making in order for it truly to be considered "intelligence-driven," he added

Anti-virus is dead — but ghosts get chased (SC Magazine) Symantec declares AV dead. Not everyone agrees, though FireEye researchers say most malware is gone before AV starts looking

Ghost-Hunting With Anti-Virus (FireEye Blog) In October 2012, data security firm Imperva released a controversial report on the efficacy of anti-virus (AV), which concluded that AV solutions only stopped 5 percent of all malware identified. Few reports in the security industry had been as polarizing as this one—many reacting with white-knuckle rage. It was a classic case of Chris Christensen's "Innovator's Dilemma," where old school technologies cling to life, in the face of a new paradigm. Just yesterday, one of the original anti-virus vendors joined the fray in "declaring anti-virus dead" in the Wall Street Journal

Industries on the cyber war front line (Help Net Security) ThreatTrack Security published a study that looks at the security vulnerabilities of two industries most often targeted by cybercrime: energy and financial services

Verizon Blockbuster Data Breach Report Is Bad News for Organizations (Business2Community) Verizon has published a blockbuster report on Internet "data breaches" which has garnered major headlines because it fingers Eastern Europe (primarily Russia) as a greater source of attacks than those from East Asia, primarily China

Majority of UK firms unprepared for DDoS attacks, study finds (ZDNet) A new survey suggests that most UK businesses are ill-equipped to cope with DDoS attacks

2014 starts with record-breaking malware traffic (Help Net Security) AppRiver released a detailed analysis of web and email-borne threats and malware trends traced between January and March 2014

World's Most Advanced Hackers are in Russia and Eastern Europe (Infosecurity Magazine) At Infosecurity Europe 2014, Eleanor Dallaway caught up with Ross Brewer, vice president and managing director for international markets, and Mike Reagan, CMO at LogRhythm to talk insider threats, and the global threat landscape

Three Ways Criminals Are Using Social Media: Phishing, Malware, and Physical Threats (Cyveillance Blog) In our previous post, we discussed some of the reasons why criminals like social media. In this article, we'll look at more ways that they're using it to find and deceive unsuspecting victims

Tweet your heart out for privacy (ZDNet) Doing what's necessary to protect your own privacy is not easy. Better just to blame someone else for the whole problem. #ResetTheNet!

Legislation, Policy and Regulation

Tim Berners-Lee: Worldwide web Magna Carta by 2015 (ComputerWeekly) The founder and inventor of the worldwide web, Tim Berners-Lee, has repeated his call for a bill of rights or Magna Carta for the internet, and urged mass action to achieve it in the face of powerful opposing interests

EU Data Protection Regulation: Detection is the best prevention (Help Net Security) The UK government recently published guidelines for companies covering the five basic controls that businesses must follow to ensure a minimum level of protection. The goal of this 'Cyber Security Implementation Profile' is to serve as notice that all companies must ensure that they have defenses in place to protect their intellectual property and the consumer data that they hold. This mirrors similar efforts across the EU. In March the EU parliament voted to implement a new Data Protection Regulation which will seek to eliminate the legal differences in data protection across EU countries

German Lawmakers Want to Question Snowden Despite Government's Warning (Wall Street Journal) Chancellor Angela Merkel's Administration fears relations with the U.S. may suffer

A Bill Drastically Curbing the NSA's Powers Moves a Step Forward (Mashable) A bill to curb the NSA's surveillance powers, including ending its bulk metadata collection program, is moving forward after a House committee voted unanimously in its favor during a markup session on Wednesday. The bill is now one step closer to a floor vote by the full House of representatives

Nadler calls for end to sweeping security measures (San Diego Jewish World) Congressman Jerrold Nadler (D-New York), a veteran member of the House Judiciary Committee, delivered a statement during the markup Wednesday, May 7, of the USA Freedom Act

Former NSA Chief Defends Stockpiling Software Flaws for Spying (Wired) The NSA has never said much about the open secret that it collects and sometimes even pays for information about hackable flaws in commonly used software. But in a rare statement following his retirement last month, former NSA chief Keith Alexander acknowledged and defended that practice. In doing so, he admitted the deeply contradictory responsibilities of an agency tasked with defending Americans' security and simultaneously hoarding bugs in software they use every day

The Way the NSA Uses Section 702 is Deeply Troubling. Here's Why. (Electronic Frontier Foundation) The most recent disclosure of classified NSA documents revealed that the British spy agency GCHQ sought unfettered access to NSA data collected under Section 702 of the FISA Amendments Act. Not only does this reveal that the two agencies have a far closer relationship than GCHQ would like to publicly admit, it also serves as a reminder that surveillance under Section 702 is a real problem that has barely been discussed, much less addressed, by Congress or the President

Public-private partnerships help America combat cyberthreats (MarketWatch) CenturyLink executive testifies before U.S. Senate subcommittee

D.C. Confidential: Secret Service cyber sleuths saved two financial firms from going down the tubes, it says (New York Daily News) The Secret Service notified "two financial institutions" of cyber attacks on their computer systems and saved them from going out of business. Wednesday testimony from William Noonan, who heads the agency's cyber investigations unit, claimed the agency informed the two unidentified institutions of "intrusions" they didn't know about

Products, Services, and Solutions

McAfee's Back, With Chadder (InformationWeek) Embattled antivirus pioneer John McAfee backs Chadder, an app that promises private communications through server encryption

Seagate Wireless Plus offers advanced cloud backup (Help Net Security) The Seagate Wireless Plus mobile device storage now consists of a family of capacities at 500GB, 1TB and 2TB versions to suit every need along with integration with cloud services, such as Dropbox and Google Drive

Tor Browser v3.6 Released (ToolsWatch) The Tor Browser Bundle lets you use Tor on Windows, Mac OS X, or Linux without needing to install any software. It can run off a USB flash drive, comes with a pre-configured web browser to protect your anonymity, and is self-contained

Technologies, Techniques, and Standards

Blinding users to URLs: Good or bad for security? (CiteWorld) The URL, or Uniform Resource Locator, has always felt like a leftover from the early age of the commercial Internet, an inelegant address for a specific website or (more inelegantly) a specific website page

Improving the URL bar (Jake Archibald) iOS has hidden the pathname of URLs for some time now, but recently Chrome Canary introduced something similar behind a flag. I'm not involved in the development of Chrome experiment at all, but I've got more than 140 characters worth of opinion on it

Security Slice: the Botnet Wars (Tripwire: the State of Security) ZeuS is one of the most infamous botnets in information security history, but recently, a researcher by the name of Xylitol uploaded a video revealing how to successfully exploit a bug in ZeuS in less than sixty seconds. According to Xylitol: "ZeuS is one of the most popular botnets, it's naturally a good hacking target." Who's going to take advantage of the security vulnerabilities in cybercrimeware?

Data Center Security Lessons from Heartbleed and Target (Data Center Knowledge) Data center security is of increasing concern, with data breaches and cyber vulnerabilities more and more in the news headlines. The recent Symantec's threat report highlighted more "zero day" attacks in 2013 than in the two previous years combined. Verizon's Data Breach Investigations Report shows data breached and cyber attacks at levels substantially above previous years

Employee education: Why cyber attacks are closer to home than CIOs may think (Information Age) The importance of employee education in the fight against cybercrime, and why human error could be the weakest link in a business

It's World Password Day: Change your passwords (Help Net Security) Today (May 7) is World Password Day — a day dedicated to promoting the use of strong passwords and the creation of good habits when it comes to choosing passwords. However insecure this method of authentication is, it's not going away anytime soon, and people should be educated on how to make the best of it

Marketplace

Steinhafel's departure leaves Target looking for IT redemption (FierceRetailIT) Heads continue to roll at Target (NYSE:TGT) in the wake of its massive data breach. CEO Gregg Steinhafel abruptly resigned and while Target's data breach wasn't the only reason, it certainly was a contributing factor. Steinhafel's sudden departure helps reinforce the growing importance of IT security and systems in the upper reaches of the executive offices

Cyber Insurance Goes Mainstream as Data Security Threats Prevail (Digital Journal) Solace Insurance comments on multi-million dollar threat, potential reputation loss. Recent extensive data breaches have made it evident that no American business is safe from cyber-attacks — Solace Insurance details the nuances of cyber insurance and the steps necessary to secure coverage

Biz Break: FireEye buys a 'black box' to track hackers' movements (San Jose Mercury News) Today: FireEye follows $1 billion Mandiant acquisition with the purchase of a private firm that records all network traffic to track where the bad guys go and what they do. FireEye added another soldier to its mission of helming the most complete network-security offering Tuesday, acquiring nPulse Technologies for about $70 million to act as its "black box" to record attacks from nefarious hackers

Microsoft, Oracle Likely to Stop Working With Russian Banks Over Sanctions (Moscow Times) Leading U.S. IT companies Microsoft, Oracle, Hewlett-Packard and others may be cutting off services to Russian banks and companies to comply with Washington's sanctions over Russia's actions in Ukraine, spreading the same political anxiety that the banking sector has experienced in recent months into the Russian IT market

NSA spy praises Huawei ban (Australian Financial Review) The recently retired director of the United States National Security Agency says Australia was correct to exclude Chinese telecommunications manufacturer Huawei from helping build the national broadband network because of evidence of Chinese espionage against the nation

Lieberman Software rebuilds European channel from scratch (CRN) 'US-centric' privileged identity management vendor claims it can become serious European player following expansion drive

Netskope Named a "Cool Vendor" by Analyst Firm Gartner (Digital Journal) "Cool Vendor" report recognizes innovative, impactful and intriguing vendors in the security intelligence market

GovSec Recognizes Contributions of Government Security Leaders with Gov30 Awards (Fort Mill Times) GovSec — the Government Security Conference and Expo, which also features TREXPO, the Law Enforcement Expo, today announced the individuals who will be honored with the first-ever Gov30 awards

House panel approves $52B for cybersecurity (The Hill) The House Armed Services Committee on Wednesday approved legislation that would provide $52 billion to the Pentagon's cybersecurity operations

Postal Service cloud contracts omit security measures (FierceGovernmentIT) The 13 cloud computing contracts that the Postal Service awarded in recent years inadequately addressed data security, says the USPS office of inspector general

4chan launches bug bounty program (Help Net Security) In the wake of the recent data breach that spelled the end of art products Canvas and DrawQuest, 4chan founder and owner Chris "moot" Poole has announced that they will be launching the 4chan Vulnerability Disclosure Program

Smaller cities look to compete in a growing InfoSec job market (CSO) In 2013, InfoSec accounted for nearly 10 percent of all IT jobs nationwide. On Wednesday, a local firm in Indianapolis, added to that growth

AirPatrol Names New Vice President of Engineering (Wall Street Journal) Director of software development, Mark Wilson, tapped to lead mobile locationing and cyber security company's engineering group

Corero Network Security Names Dave Larson Chief Technology Officer and Vice President, Product (Ulitzer) Corero Network Security (LSE: CNS), a leading provider of First Line of Defense® security solutions, today announced the appointment of 20-year industry veteran, Dave Larson to its management team as Chief Technology Officer and Vice President, Product

Big Data Security Visionary Joins ThreatStream to Lead Data Strategy (Broadway World) ThreatStream, a next generation cyber intelligence company that enables the disruption of cyber attacks in real-time, today announced the appointment of big data security luminary, Jason Trost (formerly with Endgame, Inc.), to lead its data science vision

Paul Falkler Joins Vistronix as National Intell Programs Corporate VP (GovConWire) Paul Falkler, formerly director of strategic development at Varen Technologies, has joined Vistronix as corporate vice president for national intelligence programs

Security Patches, Mitigations, and Software Updates

It's time to get rid of Windows XP, as Patch Tuesday looms (Graham Cluley) As I write this today, Windows XP is patched against known Microsoft security vulnerabilities

Why Microsoft is guilty of bad parenting with the IE XP update (ITPro) Microsoft should have employed tough love tactics and excluded XP users from the latest Internet Explorer patch, argues Davey Winder

Cyber Attacks, Threats, and Vulnerabilities

Colombia raids office that 'spied to undermine peace' (BBC) It is alleged that the emails of President Juan Manuel Santos were also "probably intercepted." Colombian authorities say they have raided an office that illegally spied on rebel and government communication to try to undermine peace talks

Colombian Judge Orders Accused Cyber Spy Held (Latin American Herald Tribune) A man arrested for conducting a clandestine cyber-espionage operation targeting the Colombian government's negotiations with leftist guerrillas will remain in custody pending trial, a judge ordered Wednesday

Syrian Electronic Army Hijacks WSJ Twitter Accounts (Softpedia) The Syrian Electronic Army has hijacked a total of four Twitter accounts of the Wall Street Journal (WSJ) and has posted a message claiming that Ira Winkler is a cockroach

Look out, sysadmins — HOT FOREIGN SPIES are targeting you (The Register) Agents are greasing up IT bods to access all areas, warns MI5

Confessions of a LinkedIn Imposter: We Are Probably Connected (Tripwire: the State of Security) I have a confession to make. I created a fake profile on LinkedIn and we are probably connected. Curious after receiving several obvious and some not so obvious fake profiles, I did a bit of experimenting creating my own

Feds: You Need to Fix Your TSP Passwords this Weekend (Nextgov) The website of the Thrift Savings Plan, the retirement program for 4.6 million federal employees and retirees, gives identity thieves clues about how to crack users passwords, some security analysts say

Koler Android malware demands $300 ransom from its victims (HotforSecurity) Ransomware has posed a serious threat to desktop computer users for some time

Orange warns of Phishing attacks after data breach (CSO) Orange, Europe's fourth largest telecom, has confirmed reports that personal information for 1.3 million customers has been compromised. The breach is the second one in three months, but notification was delayed so that the company could asses the true scale of the problem

Is DDoS smokescreen for real attacks? (Business-Cloud) When companies come under cyber attack, their primary concern is keeping the business running but few do a good enough job of examining what happened

Scam Alert: Your Facebook Accounts will be Permanently Disabled (eHackingNews) We have seen large numbers of facebook posts that promise something, but it turns out to be a scam. Fb users are still believing such kind of posts and blindly following the instructions. So, Cyber criminals are keep coming up with new themes to trick users

Beware of Google+ "Fraudulent Verification Survey" phishing scam (Help Net Security) Phishers are again after Google account login details — this time they are trying pass themselves off as the nonexistent "Google+ All Domain Mail Team" and are urging users to participate in a "spam and fraudulent verification" survey

Apparent cyber attack strikes Pullman schools (Moscow-Pullman Daily News) Numerous apparent cyber attacks on the Pullman School District's computer network have disrupted state standardized tests

POS attacks on the rise as RAM scraping makes a comeback (FierceRetailIT) Cybercriminals are gaining on retailers as hackers use RAM scraping malware to compromise POS systems at retailers at an alarming rate

Attackers rope DVRs in bitcoin-mining botnet in record time (Help Net Security) How long does it take for one out of the box digital video recorder to be compromised with malware once the device has been connected to the Internet? The unfortunate answer is just one day

Tax identity fraudsters target third-party payroll sites: are you protected? (WeLiveSecurity) Tax identity fraud is on the rise this year, possibly due to criminals getting craftier in their choice of breach targets. According to a series of reports from Brian Krebs, fraudsters are now targeting third-party payroll services

Academia

The Role Of STEM Education In Shaping The Future Of Information Security (Forbes) The hardest thing to manage is change

Government launches Your Life campaign to boost STEM interest (ComputerWeekly) The government has launched a campaign to accelerate participation in science, technology, engineering and maths (STEM) subjects at school and beyond

NSA funds 'science of cybersecurity' research (FCW) The National Security Agency is funding the creation of small laboratories — "lablets" in NSA vernacular — that will support research into the science of cybersecurity at four major universities

Litigation, Investigation, and Enforcement

Ex-NSA Chief Warns Edward Snowden is Under Russian Control (Reuters via the Moscow Times) Former National Security Agency contractor Edward Snowden is now likely under the control of Russian intelligence agencies former NSA Director General Keith Alexander said

Tales of the Cyber Underground: A Hacker's Life Inside (Infosecurity Magazine) In the latest Tales of the Cyber Underground instalment, Tom Brewster ponders the effect that jail time has on convicted hackers, and talks to cybercriminals who have served prison sentences about their experiences

No, McAfee didn't violate ethics scraping OSVDB (Errata Security) My twitter feed is full of people retweeting this claim that McAfee (the company) violated ethics by scraping [OSVDB]. This is completely wrong: McAfee violated no ethics (nor law)

DEA settles suit alleging government lie-detector abuses (McClatchy) The Drug Enforcement Administration has agreed to pay 14 contractors $500,000 to settle a lawsuit that accuses the agency of illegally requiring them to undergo highly intrusive lie detector tests to keep their jobs as translators

Court: Two accused of hacking Navy servers located in Tulsa to change plea (AP via the Tulsa World) A change of plea hearing has been set for two men accused of conspiring to hack into the computer systems of the Navy and more than 30 other websites in an attempt to steal identities of service members

87 arrested in the Philippines in bust of sextortion ring (Naked Security) A gang of at least 87 Filipino sexual blackmailers, some of them allegedly connected to the suicide of 17-year-old Daniel Perry, was busted last week

Design and Innovation

Cristin Dorgelo: Gov't Agencies Increasingly Use Prizes to Spur Tech R&D (ExecutiveBiz) Data from the Office of Science and Technology Policy shows that federal agencies hosted 87 technology-related prize competitions during fiscal 2013, an 85 percent increase over the prior fiscal year

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

upcoming Events

US Secret Service Cybersecurity Awareness Day (Washington, DC, May 8, 2014) This Cybersecurity event will be the first of its kind at the USSS. There will be 2-3 opportunities for participating companies to present a 1/2 hour presentation on a Cybersecurity topic of concern to the agency. In addition, this event will be widely attended by the majority of personnel at the USSS HQ building. Attendance is expected to be over 300 for the event.

HackMiami 2014 (Miami Beach, Florida, USA, May 9 - 11, 2014) The HackMiami 2014 Hackers Conference seeks to bring together the brightest minds within the information security industry and the digital underground. This conference will showcase cutting edge tools, techniques, and methodologies that are at the forefront of the global threat landscape.

ISPEC 2014 (Fujian, China, May 12 - 14, 2014) The ISPEC conference series is an established forum that brings together researchers and practitioners to provide a confluence of new information security technologies, including their applications and their integration with IT systems in various vertical sectors.

GovSec 2014 (Washington, DC, USA, May 13 - 14, 2014) GovSec is the nation's premier event for Government, Homeland Security, and Law Enforcement professionals looking for proven strategies and cost effective technology so they can achieve their mission of protecting our critical infrastructures, key assets, communities and the nation.

CyberWest (Phoenix, Arizona, USA, May 13 - 14, 2014) Cyber threats affect all industry sectors and impact individuals, businesses and governments. From hacktivists to advanced persistent threats, conducting business on-line exposes individuals, corporations and Governments to a complex threat environment including hacktivists to trans-national crime organizations and advanced persistent threats. Join experts from government, industry and academia in discussing how we are making our future more secure.

FOSE Conference (Washington, DC, USA, May 13 - 15, 2014) Spend 1 day or 3 days at the FOSE conference and leave with actionable information, covering a broad spectrum of trending topics including: Cybersecurity, Cloud and Virtualization, Mobile Government, Big Data and Business Intelligence, Project Management, Procurement and Acquisition and more. (free-of-charge for government personnel).

Fraud Summit (Chicago, Illinois, USA, May 14, 2014) From account takeover to payment card fraud and the emerging mobile threatscape, the ISMG Fraud Summit series is where thought-leaders meet to exchange insights on today's top schemes and the technology solutions designed to stop them.

Security BSides Denver 2014 (Denver, Colorado, USA, May 16, 2014) Each BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening.

Security Start-up Speed Lunch NYC (New York, New York, USA, May 19, 2014) Our goal for this inaugural event is to connect the most promising security startups in the world with decision-makers at aerospace, asset-management, banking, communications, defense, energy, healthcare, government, technology and transportation sector companies in a novel way: the speed lunch.

CEIC 2014 (Las Vegas, Nevada, USA, May 19 - 22, 2014) It's no exaggeration to say that CEIC is the biggest digital-investigations conference of its kind and the only one to offer hands-on lab sessions and training for practical skills development. From sessions on acquiring evidence from mobile devices to international e-discovery to cyber security intelligence, there's simply no other training or seminar series available that packs so much relevant and practical information from so many expert speakers into a single four-day period.

The Device Developers' Conference: Bristol (Bristol, England, UK, May 20, 2014) The Device Developers' Conference is an annual UK event for the developers of intelligent systems and devices. The objective is to provide an event that provides engineers with an opportunity to learn about the latest tools, technologies and techniques for the successful development of leading edge electronic products and systems.

Mobile Network Security in Europe (London, England, UK, May 21, 2014) Following on from two successful events in the United States, this first Light Reading conference on Mobile Network Security in Europe will again focus on the key role of the network in safeguarding the mobile carrier's network assets while protecting its customers from security attacks. The conference will also consider the case for distributing and coordinating security strategies across the end-user device, the mobile network, and the cloud as carriers look to prevent attackers from triggering outages and degradations or from stealing sensitive customer information.

CyberMontgomery (Rockville, Maryland, USA, May 22, 2014) Montgomery County, MD is home to over 18 federal agencies including NIST, FDA, NOAA, and the National Cybersecurity Center of Excellence (NCCoE). NCCoE is an exciting addition to Montgomery County's growing cybersecurity sector, especially in commercial cyber applications. Established in 2012 through a partnership among NIST, the State of Maryland and Montgomery County, NCCoE is dedicated to furthering innovation through the rapid identification, integration and adoption of practical cybersecurity solutions. Montgomery County is also proud to boast over 40 cybersecurity companies. According to a recent analysis by the Workforce Investment Board, local companies with a major cyber focus employ upwards of 37,000 people. Cybersecurity will be a major growth engine for Montgomery County for many years to come.

The Device Developers' Conference: Cambridge (Cambridge, England, UK, May 22, 2014) The Device Developers' Conference is an annual UK event for the developers of intelligent systems and devices. The objective is to provide an event that provides engineers with an opportunity to learn about the latest tools, technologies and techniques for the successful development of leading edge electronic products and systems.

CyberMontgomery Forum: Center of Gravity (Rockville, Maryland, USA, May 22, 2014) Cybersecurity will be a major growth engine in the region for many years to come. With solid federal government, industry and academic assets already in place in the region, there is still a need to bring them together so that they can coalesce and elevate the cyber ecosystem to a level of national prominence. CyberMontgomery Forum events will provide clear direction on finding business opportunities, contracting, forecasted demand areas, workforce development, recruiting & staffing, legal responsibilities for businesses, updates on technologies being developed in MoCo and summary updates regarding our NCCoE neighbors, federal civilian agencies and commercial sector leaders.