The CyberWire Daily Briefing 01.06.15

Cyber Attacks, Threats, and Vulnerabilities

A Breakdown and Analysis of the December, 2014 Sony Hack (Risk Based Security) Note: This article is being updated almost daily with new developments regarding the leaks from the Sony Pictures breach

CES 2015: Sony condemns 'vicious' cyber attack (BBC) Sony has condemned the "vicious" cyber attack that led to it suspending the release of its film The Interview

Sony's Hirai praises staff in hack, hails freedom of speech (IDG via CSO) Sony CEO Kazuo Hirai called the hack of Sony Pictures vicious and malicious

A Morgan Stanley Employee Stole And Posted Data On 900 Clients (Business Insider) Morgan Stanley said it has fired an employee who had stolen data from 900 of the firm's wealth management clients

H4LT hacking team leaks secret Xbox One SDK, accesses unreleased games (SC Magazine) Xbox One's software development kit (SDK) was reportedly accessed by a hacking group known as H4LT, which released the proprietary information that could allow unapproved developers to create homemade games for the console

Hackers Deface Two More EC-Council Sub-Domains (HackRead) On January 1st, 2015, a sub-domain of International Council of Electronic Commerce Consultants (EC-Council) website was defaced by Indonesian Gantengers Crew hackers. Now two more sub-domains of the EC-Council has been defaced by same group

Hoax! Don't copy and paste that 'Copyright' Facebook message (USA TODAY) You may have noticed a "Privacy Alert Notice" in your Facebook feed. It claims that if you copy and paste a certain notice into your Facebook feed, it will protect your privacy

Medical File Hack Affected Nearly Half a Million Postal Workers (Nextgov) Network intruders compromised health information on current and former U.S. Postal Service employees who filed for workers' compensation, USPS officials say

Google shows hackers how to exploit Windows 8.1 (Lumension) If I told that you that a bunch of hackers had found a zero-day vulnerability in Microsoft Windows 8.1 you would probably be concerned

Unpatched security hole has left millions of Moonpig customers at risk for 17 months (We Live Security) Moonpig, the online personalised card company, has been accused of a shockingly sloppy attitude to security, after apparently leaving a serious hole in its security unpatched

GoGo in-flight WiFi creates man-in-the-middle diddle (Register) Join the mile-high club by getting screwed with fake certs

Gogo Denies Using Fake Google Certificate to Spy on Passengers (SecurityWeek) Inflight Internet service provider Gogo has been caught using a fake Google SSL certificate, but the company says the certificate's role is to prevent video streaming

CERT Warns of UEFI Hardware Vulnerabilities (Threatpost) The CERT/CC at Carnegie Mellon University today released three advisories warning of vulnerabilities that affect some unified extensible firmware interface (UEFI) systems and the BIOS of some Intel chipsets

HTTPS can be set as your super-cookie (Register) Even your security can be abused

Phish out WPA networks' password with Wifiphisher (Help Net Security) Greek computer geek George Chatzisofroniou has released a stable version of Wifiphisher, a tool aimed at automating phishing attacks against WPA networks in order to discover the password needed to access them

Hackers are gonna hack, but can the enterprise do jack? (ITPro) With Lizard Squad offering up their DDoS tools to others, Davey Winder wonders why the enterprise isn't doing more to protect itself?

MWR InfoSecurity sounds mobile security alarm (MicroScope) The new year has barely started but already users are being urged to be on their guard against security threats they are introducing to their mobile phones via downloading free apps

Identity theft for dummies (Help Net Security) It happened again. Checking into the hotel, I was asked if I can provide my credit card to cover additional expenses (not unusual). However, the receptionist simply wrote my credit card information down on a piece of paper and put it into an unlocked drawer. This, of course, led to a very awkward conversation in my best Spanglish regarding Principle 9 of the PCI-DSS standard

Held for ransom by the digital 'mob' (CSO) Experts say ransomware is the future of consumer cybercrime. But you don't have to be a helpless victim, if you are willing to invest in security

Social Engineering: The dangers of positive thinking (CSO) The assumption that everything's okay is a risky one

Security Patches, Mitigations, and Software Updates

iCloud hole closed following brute force attack (SC Magazine) A hole in iCloud's security allowed attackers to access any iCloud account via a brute force attack that side-stepped blocks — but it is now reported to have been patched

Moonpig pulls API after ignoring vulnerability reports (CSO) API pulled hours after vulnerability was made public

Cyber Trends

Reconnaissance is the name of the game in 2015 (SC Magazine) I was in an airport lounge waiting for my flight to the Middle East when the news broke. Millions of credit card numbers had been exposed over a number of months. How about you? Where were you when you heard about Target? It was just a year ago when the Target breach broke into mainstream media, becoming a reference point for cyber thefts exposing personal financial information. 2014 has been a wakeup call for those outside the world of cybersecurity

Four cyber security risks not to be taken for granted (Help Net Security) It's pretty difficult to make information security predictions, and even more difficult to verify them afterwards: we can only judge the effectiveness of information security by the number of public security incidents that were uncovered, while the majority of data breaches remain undetected

The Biggest Security Threats We'll Face in 2015 (Wired) As the clock strikes midnight on the new year, so begins the countdown to a new round of security threats and breaches that doubtless will unfold in 2015. But this year will be a little different. In the past, when we've talked about threat predictions, we've focused either on the criminal hackers out to steal credit card data and banking passwords or on the activist hackers out for the lulz (and maybe to teach corporate victims a lesson)

The Cyber Threat in 2015: 10 Twists on Hackers' Old Tricks (Nextgov) Hacking trends are not like fashion fads. They don't go in and out each year. They withstand defenses by advancing, in terms of stealth and scope

Don't let "breach fatigue" leave you vulnerable to hackers and malware (Consumer Affairs) Everyone's sick and tired of all these hackings — except the hackers themselves

Nico Sell: 'To me, the NSA and Edward Snowden are just the tip of the iceberg' (Guardian) The founder of secure messaging app Wickr on privacy, why she always wears dark glasses in public and why girls make great hackers

Are Nonprofit Hospitals Especially Vulnerable to Internet Hacking? (Nonprofit Quarterly) The implementation of electronic health records (EHR) in hospitals across the U.S. has been accompanied by unauthorized access to patient records. Data security firm Websense reports a 600 percent increase in web-based attacks on hospitals in the past ten months. Websense believes that attacks on hospitals will increase in 2015 as more hospitals use EHR more widely and as more patient information is available online

Why Healthcare Cybersecurity Measures Must Evolve (HealthITSecurity) Without current healthcare cybersecurity measures, facilities could be vulnerable to online attacks

One in 8 users do not believe in cyberthreats: Kaspersky Lab Survey (Times of India) According to a survey carried out jointly by B2B International and Kaspersky Lab, internet users do not believe that cyber-attacks are real. They feel that the threat is exaggerated by Internet security companies. However, this complacency leaves them without any protection against a risk that threatens their data and virtual lives every day

Marketplace

How an acute shortage of cyber talent gave rise to 'spooks as a service' (IT World) At the RSA Security Conference last year, companies large and small were trumpeting the spy agency connections of senior staff as never before. Startups in areas like 'threat intelligence' and endpoint protection touted their executives' experience at three-letter agencies as a precursor to conversations about the scourge of advanced threats and attacks

BAE Systems plans to take on 710 apprentices (Works Management) The number surpasses the record set in the previous year by 142 places and includes 45 places for apprentices who will eventually join companies in BAE Systems' supply chain or work in local engineering companies. The latter are funded under the Government's Employer Ownership Programme

Belden Completes Tripwire Acquisition (GovConWire) Belden Inc. (NYSE: BDC) has wrapped up the acquisition of security and compliance services provider Tripwire for $710 million

Colorado Springs tech company grows again with Philly-area acquisition (Colorado Springs Gazette) Braxton Science & Technology Group has acquired Gnostech, a 75-employee engineering and consulting company based in the Philadelphia area. It's the second in a series of acquisitions the Colorado Springs-based aerospace firm hopes to make over the next few years

Palo Alto Networks, Fortinet and Check Point Software: 3 Security Stocks to Watch in 2015 (The Street) With chronic complaints from corporate America that cyber thieves are winning the battle to keep customers' personal and financial information under lock and key, as well as company information secure, three security software vendors are poised to outperform their rivals in 2015

iSIGHT Partners Raises $30 Million Series C Round to Fuel Rapid Growth in Enterprise Security and Cyber Threat Intelligence Market (Marketwired) iSIGHT Partners, Inc., the leading provider of cyber threat intelligence for global enterprises, today announced it has closed a $30 million Series C equity-financing round with Bessemer Venture Partners

From Federal Hill, federal contractor patrols social networks for spies (Baltimore Sun) For years, the group of hackers took on assumed names on popular sites such as Facebook and LinkedIn to lure their targets — defense and other government workers here and abroad

Year in Review: MTN Government (Milsat Review) Commercial companies offering satellite capacity to the U.S. government had a challenging year in 2014, with budget cutbacks and military force reductions overseas combining to reduce demand for bandwidth and end-to-end services

As Vistronix Expands in the National Intelligence Community, John Hassoun Adds CEO to Title (Virtual Strategy Magazine) Vistronix, a leading provider of intelligence and technology solutions to national security agencies in the federal space, is pleased to announce that, effective immediately, John Hassoun will take on the role of Chief Executive Officer (CEO) in addition to his role as Corporate President. Former CEO, Deepak Hathiramani, will retain the role of Chairman of the Board

Products, Services, and Solutions

BAE Systems launches Corporate Social Risk Monitoring and Security Analysis Service (GSN) Mclean, VA-based BAE Systems is launching a new Corporate Security Analysis service to assist companies with social risk monitoring and regional security analysis

Soteria Intelligence Combats Social Media Threats to Shopping Malls (Businesswire) Soteria Intelligence is pleased to announce that due to an increase in social media threats related to shopping malls, the company has expanded its research into finding more ways social media can be used to keep mall customers, employees, and property safe

CheckPoint, Watchguard earn top spots in UTM shootout (Network World) UTM appliances for SMB security are getting smaller, more powerful and more feature rich

Nice Systems launches fraud-prevention tech using speech analytics (Finextra) NICE Systems (NICE) today launched its Real-Time Fraud Prevention solution, which enables contact centers to detect and prevent fraud in real time using voice biometrics and both speech and desktop analytics

ThinkUp: How You Really Look On Social Networks (InformationWeek) How do you look to recruiters and hiring managers based on social activity? This service aims to make you more aware of your Facebook and Twitter activity

This is the insanely fast, alien-like router of the future (Quartz) D-Link's new wireless routers look like the future, and they act like it, too

Technologies, Techniques, and Standards

The Coder War: Approaches to cybersecurity defense (InfoWorld) Looking inside the history of cyberdefense and how NIST is moving the government forward

Intrusion Detection Systems: a Primer (eSecurity Planet) Intrusion detection systems can be a key tool in protecting data. This primer can help you determine which kind of IDS is right for you

Why Commercial Clouds Are More Secure than Federal Data Centers (Nextgov) Ever since the Office of Management and Budget issued its cloud first strategy in 2010, the security of cloud offerings has been a major concern for federal IT managers. It is the primary reason the largest share of cloud expenditures in government has been on private clouds

The SBC & BYOD: Helping With Mobile Device Security (No Jitter) An SBC can play several key roles in securing mobile endpoint devices

The big password mistake that hackers are hoping you'll make (State of the Net.Net) You're smart. You don't use passwords like the perennial 123456 and qwerty. Or even slightly better ones, like Cassie86 or Cubs1908. Because you put some thought into them, your passwords are better than those, right?

The argument for moving SSH off port 22 (Internet Storm Center) An interesting discussion is occurring on reddit on whether Secure Shell (SSH) should be deployed on a port other than 22 to reduce the likelihood of being compromised

Design and Innovation

Lavabit founder wants to make "dark" e-mail secure by default (Ars Technica) Drop-in SMTP and IMAP replacements will wrap messages in layers of encryption

Legislation, Policy, and Regulation

Inside Putin's Information War (Politico) I spent years working for Russian channels. What I saw would terrify the West

The nexus of 2015's geopolitical risks will be found in…Moldova? (Quartz) When the analysts at the Eurasia Group mull the risks ahead in 2015, their spinning globe stops at one spot: Moldova. You know, Moldova

State bolsters online security (China Daily) National strategy rolled out to deal with cyberthreats both at home and abroad

"Quite a few Terrorists lost their lives owing to Big Data" (Isreal Defense) A first-ever interview with the Head of the Information Technology Division of ISA, Ronen Horowitz, upon his retirement. How intelligence information is utilized in the era of the Internet, cellular telephones and social networks?

S. Korea, China to hold security talks (Korea Times) South Korea and China were to hold working-level security talks in Seoul Monday to discuss an array of bilateral and regional security issues such as the situation with North Korea, the foreign ministry said

Who's the true enemy of internet freedom — China, Russia, or the US? (Guardian) Beijing and Moscow are rightly chastised for restricting their citizens' online access — but it's the US that is now even more aggressive in asserting its digital sovereignty

U.S. Sanctions Target N. Korean Arms Trade, Not Cyber Terrorism (Forbes) The sanctions imposed by President Obama have almost nothing to do with cyber terrorism but instead show U.S. concern with North Korea as an arms exporter to regimes that Washington detests

Response to Sony hack reveals limits of U.S. cyber doctrine (Fedscoop) The Obama administration imposed additional sanctions on North Korea Friday in response to the November cyber attack against Sony Pictures Entertainment. The sanctions, which block access to the U.S. financial system, target 10 North Korean government officials, as well as the reclusive regime's military intelligence bureau and state-run arms dealer

Cyber Terrorism as a Strategy (Fabius Maximus) Much as defense experts in 1913 thought more about cavalry than airplanes, today's experts think more about the aircraft carriers and 5th generation fighters (e.g., F-35) than cyberwar and cyberterrorism. But that's changing. To help you stay current about these developments, here's the first chapter in another series about cyberterrorism

What Should the 114th Congress Do About Cybersecurity in 2015? (Network World) Bellicose rhetoric and intelligence sharing aren't enough, the U.S. needs a comprehensive cybersecurity strategy ASAP

FBI Seeks Cyber Special Agents (eSecurity Planet) The aim, according to the Bureau, is to 'protect our nation and the American people from the rapidly evolving cyber threat'

FBI wants cyber sleuths with some muscle (FCW) Applicants heeding the FBI's recent call for new cybersecurity experts had better get to the gym soon, as the agency isn't changing its physical requirements for the new positions

Litigation, Investigation, and Law Enforcement

Hunting the hackers: Tough and getting tougher, but more important than ever (ZDNet) ZDNet's Monday Morning Opener: Working out who is really behind hacking attacks is already painful and tricky -- but the consequences of not acting are far worse

FBI says search warrants not needed to use "stingrays" in public places (Ars Technica) Feds' position on decoy cell-site towers continues anti-privacy theme

Attkisson sues government over computer intrusions (Washington Post) For months and months, former CBS News investigative correspondent Sharyl Attkisson played an agonizing game of brinkmanship regarding her privacy: She strongly suggested that the federal government was behind a series of intrusions into her personal and work computers, though she has consistently hedged her wording to allow some wiggle room

NSA Reports to the President's Intelligence Oversight Board (IOB) (National Security Agency) Following a classification review, the National Security Agency (NSA) is releasing in redacted form NSA reports to the President's Intelligence Oversight Board (IOB). The release includes quarterly reports submitted from the fourth quarter of 2001 to the second quarter of 2013. The materials also include four annual reports (2007, 2008, 2009, 2010) which are consolidations of the relevant quarterly reports

FBI Waking Up To The Fact That Companies With Itchy Trigger Fingers Want To Hack Back Hacking Attacks (TechDirt) from the dangerous-ideas dept It's no secret that some in the computer security world like the idea of being able to "hack back" against online attacks. The simplest form of this idea is that if you're a company under a denial-of-service attack, should you be able to "hack" a computer that is coordinating those attacks to stop them? More than two years ago, an LA Times article noted that some cybersecurity startups were marketing such services. Related to this, when the terrible CISPA legislation was being debated, one concern was that it would legalize such "hack backs" because, among other things, CISPA would grant immunity to companies "for decisions made based on cyber threat information." Some interpreted that to mean that companies would have immunity if they decided to hack back against an attacker

Would the U.S. Really Crack Down on Companies That Hack Back? (Bloomberg) Officially, the U.S. government warns companies not to hack, even when done as retaliation against attacks on their systems. Unofficially, the FBI may let it slide, according to cyber-security experts

Intel Shuts Down Russian Developer Forums To Comply With Russia's 'Blogger Law' (TechCrunch) Add Intel to the growing list of U.S. tech companies that are changing up some of their policies and business in Russia as a result of the government's tightening reign on Internet use. Citing Russia's new "Blogger Law" that was first introduced last year, Intel has shut down all of its popular Russian-language developer forums

Former US cybersecurity official gets 25 years for child porn charges (Ars Technica) Even though Timothy DeFoggi used Tor, the feds got him via admin's poor opsec

GamerGate critic 'swatted', about 20 cops go to old address (Naked Security) An 8chan forum thread (since removed) detailing a plan to swat "pixel artist" and game developer Grace Lynn led to about 20 police officers surrounding a home in the US city of Portland, Oregon on Friday night

A Bot Just Purchased Fake Passports and Ecstasy (Popular Mechanics) European art collectives got more than they bargained for in their new show: A bot they programmed to make automatic purchases on the Darknet sent back Ecstasy pills and a fake Hungarian passport

For a complete running list of events, please visit the Event Tracker.

Upcoming Events

Cybersecurity World Conference (New York, New York, USA, Jan 9, 2015) Welcome to Cyber Security World Conference 2015 where renowned information security experts will bring their latest thinking to hundreds of senior business executives and officials focused on protecting the information of today's enterprises and government agencies, respectively. Cyber security experts will discuss topics such as protecting individuals and companies against cyber-attacks, cyber security in the Internet of Things age, biometrics as the future of security, risks brought by mobile computing, and protecting corporate and national infrastructure against foreign attacks

U.S. Commercial Service Market Briefings on Europe's Cyber Security & IT Market (Washington, DC, USA, Jan 12, 2015) Join the U.S. Commercial Service Market Briefings on Europe's Cyber Security & IT Market. The value of the global cyber security market is expected to grow by 11.3% each year, reaching $120 billion by 2017. The Western Europe region alone is estimated to contribute $28.1 billion to this industry, driven by changing threats and technologies. These briefings aim to provide the latest information on Cyber Security & IT markets in Europe

FloCon 2015 (Portland, Oregon, USA, Jan 12 - 15, 2015) FloCon is an open network security conference organized by Carnegie Mellon University

National Cybersecurity Center Of Excellence (NCCOE) Speaker Series: Security In A Cyber World (Rockville, Maryland, USA, Jan 14, 2015) The National Cybersecurity Center of Excellence (NCCoE) Speaker Series showcases global thought-leaders to highlight critical cybersecurity issues of national importance. The keynote speaker will be Chris Inglis, former Deputy Director of the National Security Agency

California Cybersecurity Task Force Quarterly Meeting (Walnut Creek, California, USA, Jan 20, 2015) The California Cyber Security Task Force serves as an advisory body to California's senior government administration in matters pertaining to Cyber Security. Quarterly Cybersecurity Task Force meetings address State and Federal cyber legislation; provide updates on Task Force efforts to improve California's cyber workforce and education; promulgate critical information to enhance California's cyber awareness and preparedness; discuss state advances in cybersecurity and digital forensics; and grant residents an opportunity to share cyber information and innovation

FIC 2015 (Lille, France, Jan 20 - 21, 2015) The International Cybersecurity Forum (FIC) forms part of a thinking and exchange process that aims at promoting a pan-European vision of cybersecurity and strengthening the fight against cybercrime, a priority for the European Union as stated in the Stockholm Programme for 2010–2015. Its objective is to open up the cybersecurity debate by bringing together security and risk management experts with non-specialists to enable them to compare viewpoints and lessons learnt

IARPA Proposers' Day for the Cyber-attack Automated Unconventional Sensor Environment (CAUSE) Program (Washington, DC, metropolitan area, Jan 21, 2015) The Intelligence Advanced Research Projects Activity (IARPA) will host a Proposers' Day Conference for the Cyber-attack Automated Unconventional Sensor Environment (CAUSE) Program on January 21, 2015, in anticipation of the release of a new solicitation in support of the Program. The Conference will be held from 9:00 AM to 4:00 PM EDT in the Washington, DC metropolitan area. The purpose of the Conference will be to provide introductory information on CAUSE and the research problems that the Program aims to address, to respond to questions from potential proposers, and to provide a forum for potential proposers to present their capabilities and identify potential team partners

4th Annual Human Cyber Forensics Conference: Exploring the Human Element for Cloud Forensics (Washington, DC, USA, Jan 21 - 22, 2015) The Human Cyber Forensics Conference addresses the human element of cyber. Presentations will look at the tradecraft and efforts required to identify, understand, navigate, and possibly influence human behavior within and across networks. The conference will bring together subject matter experts to discover and share new means of recognizing human related cyber indicators, and the evolution of these human indicators in the coming decades. The Human Cyber Forensics Conference will focus on such topics as insider threat, next generation social engineering, progressive communications, neuroscience, social cognition, social media, and neuro-ethics

Cyber Security for Critical Assets: Chemical, Energy, Oil, and Gas Industries (Houston, Texas, USA, Jan 27 - 28, 2015) Cyber Security for Critical Assets Summit will connect Corporate Security professionals with Process Control professionals and serve to provide a unique networking platform bringing together top executives from USA and beyond. They are coming together not only to address the continuing cyber threats and set precautions framework, but most importantly to provide necessary tools, insights and methodological steps in constructing a successful secure policy. These policies will after all protect the critical assets needed to safeguard their company assets

Data Privacy Day San Diego — The Future of IoT and Privacy (San Diego, California, USA, Jan 28, 2015) Join the Lares Institute, Morrison & Foerster, and the National Cyber Security Alliance for Data Privacy Day in San Diego. DPD San Diego will bring together privacy luminaries to discuss fundamental issues facing consumers and business, including in-depth panel discussions on privacy, the Internet of Things (IoT), and many other critical topics