Washington, DC: the latest from DARPA and Passcode
The Pentagon is building an app store for cyberoperations: An exclusive inside look at DARPA's futuristic Plan X (Christian Science Monitor: Passcode) It looks like outer space. The hundreds of thousands of computers look like stars. Across the vast military network, the sparkling connections between them form constellations
The Future of Cybersecurity Innovation: Plan X (Christian Science Monitor: Passcode) A glimpse into the future of defending against threats to cybersecurity featuring a live demo by DARPA's Plan X team of its cyber threat visualization system with The Christian Science Monitor's new section on digital security and privacy, Passcode
DARPA offers rare glimpse at program to visualize cyberdefenses (Christian Science Monitor: Passcode) The Pentagon's advanced research arm revealed its latest version of Plan X, an in-progress system designed for the military to visualize defending against cyberattacks, at a Passcode event on the future of cybersecurity innovation
Active Authentication (DARPA) The current standard method for validating a user's identity for authentication on an information system requires humans to do something that is inherently unnatural: create, remember, and manage long, complex passwords. Moreover, as long as the session remains active, typical systems incorporate no mechanisms to verify that the user originally authenticated is the user still in control of the keyboard. Thus unauthorized individuals may improperly obtain extended access to information system resources if a password is compromised or if a user does not exercise adequate vigilance after initially authenticating at the console
Cyber Attacks, Threats, and Vulnerabilities
Arab Hackers Go Running After Trend Micro Report (Computer Business Review) Social media goes quiet, but attackers keep hacking
Signs of Superfish-like MitM Attacks Discovered in the Wild (Softpedia) Evidence has been found suggesting that cybercriminals may be relying on the traffic interception engine from Komodia, integrated in Superfish and other software solutions, for nefarious purposes in the wild
Anthem healthcare breach is smaller — and bigger — than first thought (Naked Security) At the start of February 2015, we wrote about a large-scale data breach at US health insurance company Anthem
Joomla Reflection DDoS attacks exploit a Google Maps Plugin flaw (Security Affairs) Akamai discovered numerous attacks exploiting a known vulnerability in a Google Maps plugin to run Joomla Reflection DDoS attacks against enterprises
DDOS Exploit Targets Open Source Rejetto HFS (Threatpost) Apparently no vulnerability is too small, no application too obscure, to escape a hacker's notice. A honeypot run by Trustwave's SpiderLabs research team recently snared an automated attack targeting users of the open source Rejetto HTTP File Server
Spam Uses Default Passwords to Hack Routers (KrebsOnSecurity) In case you needed yet another reason to change the default username and password on your wired or wireless Internet router: Phishers are sending out links that, when clicked, quietly alter the settings on vulnerable routers to harvest online banking credentials and other sensitive data from victims
How Hackers Can Hijack Your Website And Read Your Email, Without Hacking Your Company (Tripwire: the State of Security) Imagine coming into the office one day, and finding that visitors to your website are not only seeing messages and images posted by hackers, but that the attackers are also posting screenshots of private emails sent to your company on Twitter
Serious TalkTalk data breach leads to scam phone calls for customers (Graham Cluley) TalkTalk, we need to have a serious talk
How nine out of ten healthcare pages leak private data (Naked Security) A study by Timothy Libert, a doctoral student at the University of Pennsylvania, has found that nine out of ten visits to health-related web pages result in data being leaked to third parties like Google, Facebook and Experian
DDoS Attacks Will Do More Than Tickle The Internet Of Things' Soft Underbelly (TechWeek Europe) Nexusguard's 2015 Internet Security Trend report reveals DDoS assaults on the Internet of Things will cost businesses millions of pounds
Iran Behind Cyber-Attack on Adelson's Sands Corp., Clapper Says (Bloomberg) The top U.S. intelligence official confirmed for the first time that Iran was behind a cyber attack against the Las Vegas Sands Corp. last year
US-Bangladesh blogger Avijit Roy hacked to death (EIN) A knife-wielding mob has hacked to death a US-Bangladeshi blogger whose writing on religion had brought threats from Islamist hardliners
Cyber Trends
Study Finds Disconnect Between IT, Leadership on Cyber Security (eSecurity Planet) Two thirds of CIOs and CISOs say senior leaders in their organization don't view cyber security as a strategic priority
The business and social impacts of cyber security issues (Help Net Security) With multiple recent high profile attacks targeting household names and large employers, individuals increasingly fear cyber crime and its resulting consequences at work as well as at home, according to GFI Software
The growth of cyber crime and why it may take a Manhattan Project-scale response to stop (National Post) Examples are easy. In December, malicious software allowed bank robbers to take as much as $1 billion from institutions in 30 countries. In November, Sony had that little problem with North Korea. In October, hackers snagged 40 million credit and debit card numbers from Target. A few months before that, computer systems at Canada's National Research Council suffered a massive hit by a cyberattacker
The spy in your pocket (Economist) Watch out for hackers — and spooks
'Shadow' Cloud Services Rampant In Government Networks (Dark Reading) Survey finds public sector employees use unmanaged cloud services just as much as private employees
Cyber deterrence 'relatively immature,' says head of US Cyber Command (FierceGovernmentIT) The U.S. military has acknowledged that it regularly engages in "active defense" — taking a range of proactive measures against an adversary in cyberspace. But the risks associated with this cyclic exchange of attack and retaliation are not unique to the cyber domain, said Adm. Mike Rogers, director of the National Security Agency and commander of the U.S. Cyber Command
Top Spy: Small Hacks Are Bigger Threat Than 'Cyber Armageddon' (Daily Beast) Good news: the U.S. is getting better at detecting cyber attacks already underway. Bad news: they're multiplying
Cyber attacks top US national threat list (ComputerWeekly) Cyber attacks by politically and criminally motivated actors top the list of threats facing the US, according to national intelligence director James Clapper
US intelligence chief: New classified intel suggests cyber threat from Russia more severe (US News and World Report) The U.S. has elevated its appraisal of the cyber threat from Russia, the U.S. intelligence chief said Thursday, as he delivered the annual assessment by intelligence agencies of the top dangers facing the country
Remarks as Delivered by the Honorable James R. Clapper, Director of National Intelligence (Office of the Director of National Intelligence) Chairman McCain, Ranking Member Reed and Members of the Committee, Gen. Stuart and I are honored to be here this morning
Hack scares put focus on cloud security (New Zealand Herald) Safe environment for users will require co-operation between devices, providers and software writers: expert
Marketplace
Healthcare security spending to reach US$10 billion by 2020 (Help Net Security) The healthcare sector is ill-prepared for the new cyberage. Hospitals, clinics, trusts, and insurers are under attack from malicious online agents. The value of personal health information, made more easily available with the convergence to electronic health records, is ten times that of financial data such as credit card numbers
Cyber-Security In Insurance: 7 Things To Know (InformationWeek) Insurers need to boost their security knowledge amidst the growing risk of cyberattacks
Want to be acquired? Get your cybersecurity in order (Washington Business Journal) More and more, cybersecurity has become a key factor in analyzing the amount of risk that a financial or strategic buyer would take on with an acquisition
High Risk, High Reward: The Ups And Downs Of Security Startups (CRN) A new wave of disruptive security startups is redrawing the battle lines in the growing conflict between cybercriminals and corporate America. For solution providers, the risks of partnering with these upstarts are high. But so are the rewards
Zimperium raises $12M to protect mobile phones from cyber threats (Geektime) Israeli cyber startup Zimperium raises an impressive $12M Series B round of funding within 18 months of raising $8M. Could it be on the fast track to an exit?
UK seeks next hacking genius to save queen, country from cyberterror (CNN) A fake cyberattack was staged against a landmark telecommunications building, but it was no mere academic exercise for self-taught "ethical hackers" fighting cyberterrorism
Lockheed Martin Awarded Contracts To Support U.S. Navy Cross Domain Intelligence Sharing Solution (PRNewswire) Lockheed Martin (NYSE: LMT) will continue to support the Navy system that allows secure sharing of sensitive data between unclassified and classified security domains. The U.S. Navy recently awarded Lockheed Martin two contracts with a total ceiling value of $90 million to support the Radiant Mercury cross domain solution for five years
Products, Services, and Solutions
Paranoid Android Kaymera smartmobe takes on Blackphone (Register) Super-secure Israeli platform only lacks Mossad bodyguard
Security for heterogeneous networks (ITSecCity) "G Data Antivirus für Mac": Using a security solution for Mac not only protects your own Apple computer but also secures the Windows systems within the network
Technologies, Techniques, and Standards
Cyber Threat Analysis for the Aviation Industry (Infosec Institute) Cyber attacks on the aviation industry are becoming a sensitive issue. Considering that cyberspace provides a low-cost haven for carrying out a broad range of disruptive activities, it is reasonable to conclude that hackers will consider the aviation sector as one of their targets. Also, because of lower risk, cyber terrorism is replacing the bomber and hijacker and becoming the weapon of choice when it comes to attacks against the aviation industry
Preventing insider attacks requires a phased approach that involves all departments, says PwC (FierceITSecurity) While much of the media coverage about data breaches focuses on attacks by outside elements, many of the less publicized cases of data theft result from malicious insider actions
How better log monitoring can prevent data breaches (CIO via CSO) Recent high-profile data breaches reaffirm that the threat from data thieves is both persistent and pervasive. Could better log monitoring mitigate or even prevent these types of security catastrophes?
11 Ways To Track Your Moves When Using a Web Browser (Internet Storm Center) There are a number of different use cases to track users as they use a particular web site. Some of them are more "sinister" than others. For most web applications, some form of session tracking is required to maintain the user's state. This is typically easily done using well configured cookies (and not the scope of this article). Sessions are meant to be ephemeral and will not persist for long
OpenSSH Three factor Authentication using Google Authenticator and Public Key authentication (Ethical Hacking) I use Google Authenticator on all of my Google accounts because it's a nice, efficient way to do multi-factor authentication for the great price of free-ninety-nine. I wanted to use it on one of my servers, but I wanted to be extra secure and use not only TOTP, but password based and RSA key authentication as well. All of the documentation I could find on doing so with OpenSSH was only on doing Google Authenticator's TOTP and password based authentication. Thankfully, this is possible since OpenSSH 6.2 introduced the Authentication Methods argument
Social threat intelligence: will Facebook's Threat Exchange have an impact? (Information Age) Organisations can go about obtaining real-time threat intelligence through social media honeynets and honeypots
HP: Threat intelligence sources need vetting, regression testing (TechTarget) According to HP Security Research, threat intelligence best practices can be difficult to implement, and even the most trustworthy sources must be tested for fidelity
Symantec's CyberWar Games are coming to a computer screen near you (Silicon Valley Business Journal) A disgruntled research scientist posing a serious threat to trials of a new cold drug at a hospital by her pharmaceuticals-company employer doesn't sound out of the realm of reality these days, after recent large-scale hacks like the one that hit Sony Pictures Entertainment
Northrop Grumman CFO's Job: Attack the Hackers (CFO) Like other companies, Northrop Grumman is focusing on what to do after an attack, because you just can't prevent them all
Research and Development
Dusting for Cyber Fingerprints: Coding Style Identifies Anonymous Programmers (Forensic Magazine) A team of computer scientists, led by researchers from Drexel University's College of Computing & Informatics, have devised a way to lift the veil of anonymity protecting cyber criminals by turning their malicious code against them. Their method uses a parsing program to break down lines of code, like an English teacher diagramming a sentence, and then another program captures distinctive patterns that can be used to identify its author
Academia
Scots students welcome cyber-security chiefs (Herald Scotland) Cyber-security experts from the intelligence services are to attend a conference organised by Scottish students
Legislation, Policy, and Regulation
Govt to launch Internet safety programme with Google; wants to create cyber-threat awareness (Tech 2) Government will launch Internet safety programme in partnership with Google in order to create awareness among users regarding cyber-threats
Cisco, Apple, Citrix products no longer welcome on Chinese government systems (Help Net Security) A slew of US tech companies have been dropped from China's Ministry of Finance's approved government procurement list, including Apple, McAfee, Citrix Systems and Cisco Systems
Ensuring the New CTIIC is a Success (FedBizBeat) The recent news about formation of the Cyber Threat Intelligence Integration Center (CTIIC), which, according to a DoD News report, will analyze and integrate information already collected under existing authorities, piqued our interest. So much so, we wanted to speak with Keith Rhodes to get his take on it
Administration's cyber sharing proposal a 'policy puzzle,' not a panacea (Federal News Radio) In its latest legislative proposal on cybersecurity, the White House is advocating for liability protections for companies who agree to share cyber threat information with the government and with one another. But Department of Homeland Security officials freely acknowledged Wednesday that legal immunity will not, by itself, open the floodgates to the privately-held threat information DHS thinks it needs to help defend the country from cyber attacks
GOP chairman: White House not supporting Intel cyber bill (The Hill) Lack of White House support for the draft of a Senate Intelligence Committee bill to enhance cybersecurity information-sharing may be delaying the measure, which was expected to be released this week
The Snowdenites Are Winning (Slate) Opponents of surveillance have gained the upper hand. And like gun-rights activists, they don't need a majority to keep it
Here's 140 Fully-Redacted Pages Explaining How Much Snowden's Leaks Have Harmed The Nation's Security (TechDirt) If the US intelligence committee is concerned about the status of "hearts and minds" in its ongoing NSA v. Snowden battle, it won't be winning anyone over with its latest response to a FOIA request
In Twist, House to Vote on Stopgap DHS Bill (Defense News) House Republican leaders will bring a stopgap funding bill to the floor Friday that would fund the Department of Homeland Security for three weeks, buying time for a possible resolution on controversial immigration provisions
Say hello to net neutrality — FCC votes to "protect the open internet" (Naked Security) The US Federal Communications Commission (FCC) has decided: it's bowed down to the 4 million voices who've joined in the net neutrality battle, ruling that broadband should be treated as a public utility, like water flowing from our taps or electricity to our lights, free of blocking, throttling or paid prioritization for those willing to pay more, and also thereby subject to greater government regulation
Republicans not giving up on net neutrality (The Hill) Congressional Republicans are continuing to push full steam ahead with plans to stop federal regulators' "power grab of the Internet," according to a top senator
Litigation, Investigation, and Law Enforcement
Insurance firm Staysure fined £175,000 for 'unbelievable' credit card hack (Computerworld UK via CSO) ICO report uncovered chaotic security
Europol takedown of Ramnit botnet frees 3.2 million PCs from cybercriminals' grasp (Naked Security) Europol's European Cybercrime Centre (EC3) has announced a victory in the never-ending battle against cybercrime
Ransomware Looming as Major Long-Term Threat (Threatpost) On May 30, 2014, law enforcement officials from the FBI and Europol seized a series of servers that were being used to help operate the GameOver Zeus botnet, an especially pernicious and troublesome piece of malware. The authorities also began an international manhunt for a Russian man they said was connected to operating the botnet, but the most significant piece of the operation was a side effect: the disruption of the infrastructure used to distribute the CryptoLocker ransomware
Marriage of ransomware and bitcoins is no honeymoon for targeted firms (FierceITSecurity) The rising popularity of the malware known as ransomware is targeting small- to mid-sized businesses and organizations who lack sophisticated enterprise security infrastructures
Controversy over 2006 Ernst & Young breach continues (Office of Inadequate Security) In September, I reported a case in Canada involving Mark Morris, a man who purchased decommissioned hardware from Ernst & Young in 2006 that he claimed had not been properly wiped. Morris had been employed by Synergy Partners, a firm Ernst & Young bought in 2003. He had purchased at least two servers and dozens of devices in 2006, but it wasn't until March 2014, when he booted one of the servers, that he discovered that it contained personal information that had not been wiped