The CyberWire Daily Briefing 02.11.15
The CyberCaliphate returns, swearing fealty to the Islamic State while hacking Newsweek and threatening US President Obama's family. The threat is clearly gasconade, but the hack remains troubling. More troubling in some ways is the CyberCaliphate's hijacking of a US service member's Twitter account to spread threats against military spouses.
Anonymous continues its OpISIS. HackRead has details on the Islamic State social media Anonymous claims it's downed. Those interested in crowd-sourced information operations may consult Bloomberg for advice on trolling ISIS.
The Netherlands' government reports its websites have suffered a denial-of-service attack.
The Chinese cyber espionage group "Codoso" compromised Forbes's website (specifically the "Thought of the Day" feature) and turned it into a watering hole (now fixed).
China retained its place as leading state cyber espionage actor in 2014, but its prime target may seem a bit surprising: it's not the United States, but Vietnam.
Google has updated Chrome. Microsoft's Patch Tuesday included significant updates to Windows and Internet Explorer, closing both Jasbug and POODLE vulnerabilities.
Asset owners increasingly exercise close due-diligence when they hire financial management companies.
Cyber security stocks continue to rise post-Anthem. Anthem itself gets predictable scrutiny from state attorneys general. New York State regulators are in a particularly aggressive mood, and promise the insurance and financial sectors lots of additional help. Soon.
The new US Cyber Threat Intelligence Integration Center seems motivated by impatience with the difficulties of attribution (an inherently hard problem). Industry reaction is mixed and mostly wary, but intelligence sharing would be welcome.
Notes.
Today's issue includes events affecting China, Holy See, Iraq, Democratic People's Republic of Korea, Netherlands, Russia, Syria, United Kingdom, United States, and Vietnam.
Cyber Attacks, Threats, and Vulnerabilities
CyberCaliphate claims Newsweek Twitter hack (Military Times) The Twitter account for Newsweek was briefly hacked Tuesday morning by a group calling itself the CyberCaliphate, which claims to be affiliated with the Islamic State group
Newsweek's Twitter account hacked, Obama family threatened (Fortune) The group claimed to be affiliated with the Islamic State, Newsweek said
ISIS hacker targets military spouses (The Hill) Hackers claiming to be part of the Islamic State in Iraq and Syria (ISIS) apparently hacked into the Twitter account of a military spouse Tuesday, threatening military spouses and their children
OpISIS: Anonymous crushes 800 Twitter accounts, 12 Facebook pages of ISIS supporters (HackRead) The online hacktivist Anonymous has claimed that it took down about 800 Twitter accounts and 12 Facebook pages belonging to or somehow supporting the terrorist group Islamic State of Iraq and the Levant (ISIS)
How to Troll Islamic State Like a Pro (Bloomberg) From the grainy post-Sept. 11 video clips of Osama bin Laden to today's sophisticated online propaganda, Islamic terrorists and their supporters worldwide have proved adept at using the press, Internet and social media to get out their message and attract recruits
Dutch government says hack took down its websites (Associated Press) The Dutch government says a "distributed denial of service" attack was responsible for taking down several of its websites for hours on Tuesday
Chinese Hacking Group Codoso Team Uses Forbes.com As Watering Hole (Dark Reading) ASLR vulnerability patched today used in tandem with previously patched Flash vuln to carry out drive-by-downloads against political and economic targets
Forbes Web site was compromised by Chinese cyberespionage group, researchers say (Washington Post) Chinese hackers hijacked Forbes.com and used the site as part of an attack on the U.S. defense and financial industry, according to cybersecurity researchers at iSIGHT Partners and Invincea
Forbes.com attacked; coordinated disclosure viewed as a sales pitch (CSO) Word of the hyped attack comes too late to matter
Poor Anthem? These Are the Real Victims… (Dark Matters) The other morning I was making breakfast and had the news on in the background. The Anthem breach was being reported on and sensationalized by the media outlet and all kinds of speculation was being tossed about
Twitter's CFO clearly wasn't using two-factor authentication. Which is silly of him (Graham Cluley) Twitter has been providing users with a way to better protect their accounts from phishers and hackers for some time now
Uber left its lost-and-found database open to anyone on the internet (Graham Cluley) The Uber ride-sharing service is dogged by its fair share of controversies, and now another one has emerged which suggests — like many online companies before it — it has grown too big, too fast, and not had security embedded in its soul
Jeb Bush's email dump puts constituents' personal data online (IDG via CSO) Jeb Bush, the former Florida governor now contemplating a run for U.S. president, may not have privacy high on his agenda
Corporate users hit with fake Microsoft email delivering sneaky malware (Help Net Security) A well-crafted and extremely legit-looking spam email campaign is currently targeting corporate users around the world, ultimately leading the victims to difficult-to-detect malware that downloads additional malicious programs on the target's computer
Most Android dating apps have severe security flaws, risking corporate secrets (ZDNet) The majority of dating apps have serious security vulnerabilities that put user data at risk. And because people are online dating at work, those risks are passed onto their employer
Internet of Thieves: All that shiny home security gear is crap, warns HP (Register) If you can monitor your house across the web, so can everyone else
Ransomware authors streamline attacks, infections rise (IDG via CSO) Ransomware authors continue improving file-encrypting programs and infection methods for Windows and Android, making these nightmarish attacks harder to avoid
Researchers identify buffer overflow vulnerability in Advantech device (SC Magazine) The Core Security researchers said that, as far as they know, there have been no exploitation attempts in the wild. Advantech released firmware version 1.64 for a Modbus Gateway device on Monday, and with it comes a fix for a buffer overflow vulnerability — identified by researchers with Core Security — that can be exploited remotely by attackers to execute arbitrary code
MongoDB databases at risk (Universität des Saarlandes | CISPA) Several thousand MongoDBs without access control on the Internet
One-Bit To Rule Them All: Bypassing Windows' 10 Protections using a Single Bit (BreakingMalware) Today, Microsoft released their latest Patch Tuesday. This Patch includes a fix for vulnerability CVE-2015-0057, an IMPORTANT-rated exploitable vulnerability which we responsibly disclosed to Microsoft a few months ago
How public Wi-Fi puts unprotected users at risk (Help Net Security) 76% of American smartphone and tablet users are at risk of privacy loss and identity theft via public Wi-Fi networks. The risk of using public Wi-Fi without a protected Internet connection leaves users' personal information vulnerable to cyber criminals. However, using public Wi-Fi is harmless for users, if they install protection that allows secure Internet connection while accessing public networks
Report: Chinese groups behind most state-sponsored attacks in 2014 (CSO) Chinese adversaries were the most active state-sponsored cyberthreat groups last year
Global Threat Intel Report (Crowdstrike) In 2014, it became abundantly clear that threat intelligence would provide the decisive advantage when protecting your network
Security Patches, Mitigations, and Software Updates
Stable Channel Update for Chrome OS (Chrome Releases) The Stable channel has been updated to 40.0.2214.114 (Platform version: 6457.94.0). Systems will be automatically updated over the next few days. This build contains a number of security updates and stability fixes. Some highlights of these changes are: PPAPI Flash updated to 16.0.0.305-r1
Microsoft Security Bulletin Summary for February 2015 (Microsoft Security TechCenter) This bulletin summary lists security bulletins released for February 2015
Microsoft fixes bugs exploited to hack military and financial firms (ComputerWeekly) Microsoft's February 2015 security update includes fixes for a bug exploited by attackers targeting US defence and financial services firms and a vulnerability affecting core components of Windows
On Patch Tuesday, Microsoft unveils fix for critical Windows flaw "JASBUG" (SC Magazine) On Patch Tuesday, Microsoft addressed a total of 56 vulnerabilities in its products, including a major Windows flaw, dubbed "JASBUG," that could allow remote code execution (RCE)
Microsoft tightens leash on POODLE attacks against IE11 (Computerworld) Lags behind Google's Chrome and Mozilla's Firefox; will finally disable SSL 3.0 in April
The "JASBUG" Windows vulnerability — beyond the hype, what you need to know (Naked Security) Two of this month's Update Tuesday vulnerabilities relate to Microsoft's Group Policy system
Why 1.6 million people will miss Microsoft's Windows Server 2003 date with fate (Register) You want to do what? Again?!
Don't let JASBUG distract you (Naked Security) So far, Adobe doesn't seem to have put out any fixes for Update Tuesday [2015-02-11T08:00Z]
Box Giving Customers Control Over Encryption Keys (Dark Reading) Box says they've eliminated the last major barrier to cloud adoption, even in highly regulated organizations
Google hands out free Drive space for running quick security checklist (Computerworld via Network World) Promises to bump up consumers' Google Drive permanent storage space by 2GB
Google Riles Silicon Valley by Exposing Others' Security Flaws (Bloomberg) Google Inc. has given fellow tech companies an ultimatum: patch your software vulnerabilities within 90 days or we'll make them public
Cyber Trends
Eugene Kaspersky: Information sharing is the key to achieve stability in Cyber (Israel Defense) Real-time sharing of threat information within and between both the private and public sectors would make America better prepared to find, stop and then apprehend the bad guys
How the Sony Breach Changes Cybersecurity (Wall Street Journal) Richard Bejtlich and Shuman Ghosemajumder say the key is limiting damage
Security now one of the top risks for business leaders worldwide (Help Net Security) Cybersecurity has come to the forefront of risk oversight for board members and C-suite executives, according to results of a survey of business executives by Protiviti and the Enterprise Risk Management (ERM) Initiative at the North Carolina State University Poole College of Management
Unsurprisingly, adults don't read terms and conditions of mobile apps (Help Net Security) Today, we spend more time on our smartphones and tablets than ever before, downloading games on the go, banking online or conducting the weekly grocery shop. However, despite the rise in the use of mobile apps, of the 2,000 UK adults surveyed by Intel Security, 63% are unaware of the personal information they could be giving away by not reading terms and conditions on the apps they download
Marketplace
Asset owners demand info on cybersecurity processes (Pensions and Investments) Insufficient cybersecurity is becoming a deal breaker for firms that provide investment services to defined benefit and defined contribution plans
Opinion: 5 tech stocks you can use to hack the cybersecurity boom (MarketWatch) Another day, another massive data breach that compromises customer privacy and costs companies millions of dollars
This Top Cyber Stock Is Surging Ahead Of Earnings (Investor's Business Daily) CyberArk Software (NASDAQ:CYBR) is climbing on the stock market Tuesday after the U.S. government said it plans to establish a new agency to monitor cybersecurity threats
Alert Logic Opens Seattle Office (PRNewswire) Houston-based Security-as-a-Service solution provider opens sixth office amid global expansion
Security incubator with ties to Israeli military forms with $18M (Gigaom) A new Israeli-based cyber-security incubator called Team8 plans to announce its launch on Tuesday and is banking that its ties to the Israeli military will give its startups a competitive edge in the crowded security startup market
Greg Wenzel on Booz Allen's Digital Ecosystem Focus and the Internet of Things' Public Sector Future (ExecutiveBiz) Wenzel, a senior vice president at Booz Allen Hamilton, is one of several company leaders for the firm's organization focused on new ideas and concepts related to technology — the Strategic Innovation Group
Sansa Security Joins the Industrial Internet Consortium (MarketWired) Participation in consortium expected to help drive innovation, boost interoperability and ensure security for the industrial Internet and the IoT
ThreatTrack Security Appoints John Lyons President (Providence Journal) ThreatTrack Security — a leader in cyber threat prevention solutions that substantially change how organizations respond to cyberattacks — today announced the appointment of John Lyons as President. Lyons, a proven security industry veteran, will lead worldwide commercial and government operations, and report to the company's Board of Directors
John O'Donnell Joins Prelert as CFO to Support Company's Accelerated Growth Strategy (Herald Online) Experienced executive to manage finance, legal, human resources and administrative operations
Tenable Network Security Names Technology Sales Veteran Mike Kirby as Senior Vice President of Worldwide Sales (BusinessWire) Tenable Network Security®, Inc., the leader in continuous network monitoring, today announced Mike Kirby has joined its executive team as the company's first senior vice president of worldwide sales. A Silicon Valley executive with more than 25 years of experience in building high growth technology companies, Kirby will lead Tenable's global sales strategy and oversee its execution
Products, Services, and Solutions
BT Assure Threat Intelligence launched to reduce cyber attack (InfoTechLead) BT Assure Threat Intelligence, a new service launched by BT, is aimed at assisting enterprises to anticipate and defend against cyber threats, protecting their assets, customers and employees from DDoS attacks to hacking and data theft
ThreatConnect, Inc. Announces Partnership with Wapack Labs (Fort Mill Times) Threat intelligence platform to include Wapack Labs' Cyber Intelligence subscription service
Soonr Launches Industry's First Mobile Smart Sync and Integrated Device Security For Secure File Sharing and Collaboration (Virtual Strategy Magazine) New "Soonr Go" app delivers true mobility to the mobile workforce
G DATA offers the Best Protection for Online Banking Customers (Virtual Strategy Magazine) IT security "Made in Germany" tops the annual comparison test
SecureRF Announces Algebraic Eraser™ Core to provide Public Key security for FPGAs, ASICs, and embedded devices (PRWeb) Ultra-Fast and very low power public key security solution that provides greater than 60X performance improvement over ECC at a 128-bit security level (ECC 256) — perfect for devices that are part of the Internet of Things
New Foundation Will Oversee Popular Coding Tool Node.js (Wired) Node.js — the popular open source tool for building and running websites and other online applications — is getting a new steward
Technologies, Techniques, and Standards
Humanizing Non-Human High Privileged Accounts (Infosec Island) Every IT environment has them. They are called by a variety of names: Non-human accounts; system accounts; service accounts; administrator accounts; shared accounts; group accounts; and the list goes on. What is common is that they have exceedingly high privileges to often the most critical areas of an IT environment
Kill Chain 3.0: Update the cyber kill chain for better defense (Help Net Security) If you're in infosec, you've surely heard of the kill chain — a defense model designed to help mitigate more advanced network attacks
SSL is officially declared dead (PCIGuru) On January 30, 2015, QSAs received the latest edition of the Council's Assessor Newsletter. Buried in that edition was the following statement
Whodunit? In cybercrime, attribution is not easy (CSO) The U.S. government's announcement that North Korea was behind the hack of Sony Pictures Entertainment reignited the debate on how accurate cyber attribution can be
Attribution is Hard, Part 2 (Tenable) Last week in Attribution is Hard, Part 1, I described a classic hacking incident and discussed the challenges of establishing attribution. This week, I explain what weak attribution is, and I conclude the discussion on the four requirements of establishing attribution
Businesses need privileged access security layer, says CyberArk (ComputerWeekly) Businesses need a layer that provides security for privileged access accounts — the "keys to the kingdom," says David Higgins, professional services manager, UK and Ireland, CyberArk
Securely wiping an Android smartphone or tablet (ZDNet) You're selling or otherwise planning on getting rid of your existing Android smartphone or tablet, but you want to make sure that all your data has been securely deleted. Here's what you need to do
Design and Innovation
This Cryptography Game Is Also A Navy Recruiting Tool (Popular Mechanics) Players must solve a series of puzzles to win the chance at … another puzzle
Research and Development
Microsoft researchers say their newest deep learning system beats humans — and Google (Venture Beat) Microsoft Research has outdone itself again when it comes to a trendy type of artificial intelligence called deep learning
NIST Seeks to Raise Its Cryptographic Profile (BankInfoSecurity) Budget addresses threats posed by quantum computing
Academia
Pope Francis announces Scholas.Labs, A Vatican startup accelerator (Unlockpwd) Yesterday, Pope Francis surprised everyone again at an event on education and announced the creation of an accelerator of startups within the Vatican
Legislation, Policy, and Regulation
The many reasons why Cameron's plans to weaken encryption are a farce (Computing) Plans by David Cameron and other politicians to weaken encryption by inserting backdoors are "a farce", says Olivier Thierry, CMO at Zimbra, the open-source email and collaboration company
Did UK's Spy Agency Partner with NSA for Cyberattacks on Iran? (Wired) An NSA document newly published today suggests two interesting facts that haven't previously been reported
Government must step in on cyber attack risk, says insurer (Out-Law) Cyber attacks on businesses are such a threat that governments need to step in to cover the risks, the head of one of the UK's largest insurance companies has said
Obama urges 'swift work' on cyber issues in call with Chinese leader (The Hill) President Obama in a call with Chinese President Xi Jinping called for "swift work" between the two nations to narrow their differences on cybersecurity issues, the White House said
White House creates new cybersecurity agency (USA TODAY) The White House on Tuesday announced the creation of a new federal agency to analyze threats to the nation's cybersecurity and coordinate strategy to combat them
President to Initiate the Cyber Threat Intelligence Integration Center (Dark Matters) The White House will be announcing the creation of a cyber intelligence fusion center which will focus on breaking down information silos and foster better threat intelligence sharing between government agencies and bolster the nation's cybersecurity posture
Obama's New Cyber Agency Puts Spies in Charge of Sharing Threat Tips with Agencies (Nextgov) The Obama administration is creating a new agency intended to protect online privacy and secure sensitive data by combing through spies' threat assessments and sharing them with other federal agencies
US to Create New Federal Cybersecurity Agency (Infosecurity Magazine) The United States is creating a new cybersecurity agency to sniff out cyber-threats and centralize threat intelligence for use by existing federal agencies
Privacy experts question Obama's plan for new agency to counter cyber threats (Guardian) White House to unveil on Tuesday the Cyber Threat Intelligence Integration Center but critics fear an expansion of government monitoring of online data
DHS Wants to Plug Holes in Cyber Defenses with Big Data (Nextgov) The Department of Homeland Security has a new big idea for improving the cybersecurity of federal agencies and key private industries: big data
The FCC Bickers As Its Net Neutrality Vote Looms (TechCrunch) It's go time at the FCC, which is set to vote on new net neutrality regulations on February 26
Litigation, Investigation, and Law Enforcement
FBI to Probe Fraudulent Tax Filings (Wall Street Journal) As states move to contain bogus returns through TurboTax, signs emerge that fraud may involve Federal filings
Insurers Asleep on Cyber Risk, N.Y. Says (InsuranceNewsNet) Insurers are asleep at the switch in protecting their systems against cyber attacks, according to a warning from New York
U.S. states want Anthem to provide hack info quickly to customers (Computerworld) The health insurer said last week its IT system was breached
Attorney General demanding answers from Anthem after cyber attack (WTNH) State Attorney General George Jepsen is demanding answers from the health insurance company Anthem after a major cyber-attack affecting tens of millions of people nationwide
NSA wins key ruling in years-old phone and Internet spying lawsuit (Ars Technica) Case not over yet, says EFF, will continue "fight to end NSA mass surveillance"
Obama's role in net neutrality decision under investigation (FierceCIO) Politics have always weighed heavily in the net neutrality debate, and now comes word that the U.S. House Oversight Committee has opened an investigation into whether the White House has exercised undue influence in the debate
Anonymous loose cannon admits DDoSing social services and housing websites (Register) 51-yr-old Liverpudlian cuffed after bragging on social media
For a complete running list of events, please visit the Event Tracker.
Newly Noted Events
Cyber Risk Wednesday: Breaking the Cyber Information-Sharing Logjam (Washington, DC, USA, Feb 18, 2015) A moderated discussion on challenges and solutions for information-sharing, the Administration's recent proposals for better practices between the private sector and government, and goal-directed approaches to sharing. The event will be accompanied by the release of a report, supported by CISCO, which examines the challenges of information-sharing, the Administration's emerging proposals, along with solutions to breaking the current logjam
Cyber Framework and Critical Infrastructure: A Look Back at Year One (Washington, DC, USA, Feb 19, 2015) Last February, the Obama administration rolled out the nation's first cybersecurity standards to protect critical infrastructure. One year later, Dr. Phyllis Schneck, the Department of Homeland Security leader responsible for helping institutions implement the new standard, will reflect on how the nation has improved its protection of critical infrastructure over the last year. We'll discuss the effectiveness of the standard so far, whether security protections are strong enough, and if incentives are attractive enough to induce companies to take on the new standard
The Future of Cybersecurity Innovation (Washington, DC, USA, Feb 26, 2015) The US intelligence community has ranked cyberattacks as the No. 1 threat to national security — more than terrorist groups or weapons of mass destruction. But the military's cyberwarriors fight these battles hunkered over computers, working with strings of code — a laborious process that requires advanced engineering skills. That's why the Pentagon's advanced research arm, the Defense Advanced Research Projects Agency (DARPA), is building a system to give the military instantaneous knowledge of network attacks by displaying them in real-time with rich graphics and 3-D visualizations
Upcoming Events
ICISSP 2015 (Angers, Loire Valley, France, Feb 9 - 11, 2015) The International Conference on Information Systems Security and Privacy aims at creating a meeting point of researchers and practitioners that address security and privacy challenges that concern information systems, especially in organizations, including not only technological issues but also social issues. The conference welcomes papers of either practical or theoretical nature, presenting research or applications addressing all aspects of security and privacy, such as methods to improve the accuracy of data, encryption techniques to conceal information in transit and avoid data breaches, identity protection, biometrics, access control policies, location information and mobile systems privacy, transactional security, social media privacy control, web and email vulnerabilities, trust management, compliance violations in organizations, security auditing, and so on. Cloud computing, big data, and other IT advances raise added security and privacy concerns to organizations and individuals, thus creating new research opportunities
AFCEA West 2015 (San Diego, California, USA, Feb 10 - 12, 2015) Showcasing emerging systems, platforms, technologies and networks that will impact all areas of current and future Sea Service operations.
Cybergamut Technical Tuesday: An Hour in the Life of a Cyber Analyst (Hanover, Maryland, USA, Feb 17, 2015) Workshop Description: This hands-on workshop will demonstrate how easy it is for a breach to occur by analyzing a virtualized web server environment. Participants will use open source tools such as port scanners and protocol analyzers to identify security issues and then attempt to exploit the discovered vulnerabilities. Following the hands-on activity, the workshop will conclude with a discussion about how to avoid some of the security failures that were identified. The workshop will be presented by Ryan Harvell of OPS Consulting and Marcelle Lee of Anne Arundel Community College CyberCenter
DEFCON | OWASP International Information Security Meet (Lucknow, India, Feb 22, 2015) Defcon | OWASP Lucknow International Information Security Meet is a combined meet of Defcon and OWASP Lucknow. Defcon Lucknow is a DEF CON registered convention for promoting, demonstrating & spreading awareness regarding the field of Information Security and OWASP Lucknow is a chapter of OWASP Community
10th Annual ICS Security Summit (Orlando, Florida, USA, Feb 22 - Mar 2, 2015) Attendees come to the Summit to learn and discuss the newest and most challenging cyber security risks to control systems and the most effective defenses. The Summit is designed so you leave with new tools and techniques you can put to work immediately when returning to your office. The summit will allow you to learn from industry experts on attacker techniques, testing approaches in ICS, and defense capability in ICS environments
Cybersecurity for a New America: Big Ideas and New Voices (Washington, DC, USA, Feb 23, 2015) In addition to featuring keynote remarks by Admiral Mike Rogers, Director of the National Security Agency, this event will convene experts and practitioners from the public and private sector, military, media, academia, non-governmental and intergovernmental organizations for a series of discussion panels and first person "pop-up" style speeches on the wide range of cybersecurity issues that are affecting and infecting everything from personal devices and corporate networks to national defense and international affairs. The focus of the event will be to push past the status quo and instead explore the next generation of challenges, as well as highlight bold, new ideas to face them. CNN is the event's media partner and will provide a live-stream of the event
Workforce Development Forum — CyberWorks Information Session (Baltimore, Maryland, USA, Feb 24, 2015) Are you a technology company that would like to actively participate in growing the right candidates for your open IT and cybersecurity positions? Are you a job seeker interested in pursuing a career in IT/cybersecurity who would benefit from business mentorship and hands-on practical work experience? If you said yes to either question please join us at the upcoming CyberWorks information session to learn how you can benefit from this innovative program. CyberWorks is an industry-led, workforce development program designed to help Maryland companies fill their cybersecurity needs with qualified candidates, while simultaneously helping individuals start careers and improve Maryland's economy
Cybersecurity: You Don't Know What You Don't Know (Birmingham, Alabama, USA, Feb 24 - 25, 2015) What: Connected World Conference in partnership with University of Alabama at Birmingham's Center for Information Assurance and Joint Forensics Research (The Center) have teamed up to bring professionals together to discuss security and connected devices. Purpose: Convene the leading industry, government, and academia leaders. Chief Objective: Influence professionals from the most innovative and influential organizations in the world will meet to unravel the relationship between the connected society and cybersecurity
NEDForum: Cyber Network Exploitation and Defence: "Darknet & the Primordial Soup of Cyber Crime" (Edinburgh, Scotland, UK, Feb 27, 2015) Speakers will cover such topics as: "Fear and loathing on Darknet," (Greg Jones, Managing Consultant, Digital Assurance), "Securing the internet of everything" (Rik Ferguson, Global Vice President Security Research, Trend Micro), and "Is your organisation setup for success in security?" (Patrick Brady, Independent Consultant)