The CyberWire Daily Briefing 01.07.15

Cyber Trends

Security Threat Trends 2015 (Sophos) Cybersecurity is experiencing enormous growth, as an industry and as a theme in the daily lives of people and businesses using technology. And because our technology keeps changing at an astounding rate, threats are evolving fast too — with cybercriminals finding new and creative ways to exploit users and technology all the time

Companies Are Freaked Out About Cybersecurity And Plan To Spend A Lot More On It This Year (Business Insider) Reports of security breaches reached new heights in 2014, following the iCloud and Sony hacks. Many consider the Sony hack to be the worst cyberattack in US corporate history

Legislation, Policy and Regulation

The Top Five Cyber Policy Developments of 2014: The IANA Transition (Council on Foreign Relations) One of the biggest cyber policy developments of the year is undoubtedly the U.S. government's announcement to transition certain critical administrative functions that keep the Internet running, known collectively as the Internet Assigned Numbers Authority (IANA) functions, to the multistakeholder community

Denmark Plans to Invest $75 Million towards Empowering its Cyber Control (Security Affairs) Denmark decided to invest $75 million by 2017 towards getting offensive cyber division and protecting the country against cyber attacks and hostile targets

Incoming: What Is a Cyber Attack? (SIGNAL) Unfortunately, cyberspace is an increasingly attractive venue for aggression these days. The digital domain facilitates operational maneuver in a manner that obfuscates an actor's identity, affiliation and tactics. But unlike sea, air and land, much of cyberspace's doctrine remains undefined, to include even the most fundamental of terms. We do not even have an agreed-upon definition of what constitutes an attack in cyberspace — and it is high time we did

Welcome to 21st century warfare (The Hill) As the scale and sovereign culprit behind the attack on Sony were revealed, the world awakens to the specter of an uncomfortable new normal emerging in warfare — cyber terrorism

The Problem With Calling Cyber Attacks 'Terrorism' (Defense One) Yesterday, Sen. Robert Menendez (D-NJ), the ranking member of the Senate Foreign Relations Committee, appeared on CNN's State of the Union where he proposed placing North Korea on the State Department's State Sponsors of Terrorism list. Menendez contended that the additional sanctions announced by the White House last week were insufficient, and that "we need to look at putting North Korea back on the list of state sponsors of terrorism, which would have far more pervasive consequences." Beyond claiming this would have additional consequences for North Korea, he disagreed with President Obama's characterization of the alleged Sony hack as "an act of cyber vandalism"

Cyberdefense Is a Government Responsibility (Wall Street Journal) The Navy fought Barbary pirates to protect U.S. commerce. Digital pirates have much less to fear

The State of Humanitarian Law in Cyber Conflict (Just Security) During the recent Sony incident, politicians and pundits debated whether the cyber operations allegedly launched by North Korea were an "act of war." Presumably, they were asking whether the operations qualified as an "armed attack" that allows a victim State to respond with armed force, including destructive cyber operations, under the law of self-defense

Cybersecurity: A Congressional Priority (GovInfoSecurity) New Congress likely to reconsider cyberthreat info-sharing bill

Abolish the Intelligence-Industrial Complex (Reason) A modest proposal for doing away with the intelligence agencies that violate our privacy

The rights of whistleblowers vs. the Federal Government (Communities Digital News) Whistleblowers, not those who seek to silence them, should be the ones to be protected

Winter Arrives at ONR (USNI News) The former head of unmanned programs at Naval Air Systems Command (NAVAIR) has taken charge of the U.S. Navy's Office of Naval Research, ONR announced on Monday

Products, Services, and Solutions

ForeScout Recognized as a Leader in the 2014 Magic Quadrant for Network Access Control (GlobeNewswire) ForeScout next generation NAC innovation serves as the cornerstone technology enabling organizations to achieve continuous monitoring and mitigation

Buying British: Clearswift claims new DLP tech is taking off (CRN) Theale-based security vendor says it has already racked up two million users for its Adaptive Redaction technology

Alpha Gen feels the NetBeat with Hexis signing (CRN) Distributor says latest vendor signing fits in with its 2015 focus on compliance

Promisec Signs SYNNEX Corporation to Deliver Endpoint Security Solutions to the Channel (PRNewswire) Promisec, a leader in endpoint security, compliance and system management, has signed a distribution agreement with SYNNEX Corporation, a leading distributor of IT products and services, to provide a range of endpoint security solutions to solution providers in the channel. SYNNEX, which distributes a range of integrated security and other IT solutions to businesses, now offers its customers a variety of endpoint security solutions from Promisec

WP Pro Host Announces Strategic Partnership with FireHost to Provide the World with Most Secure Platform for WordPress Website Hosting (Digital Journal) To meet the demands of its growing number of clients, and provide them with maximum security, WP Pro Host has formed an alliance with FireHost to offer a complete and most secure WordPress Hosting solution

Kudelski Security Launches The First Swiss Cyber Fusion Center (Newswire Today) Kudelski Security, the cyber security division of the Kudelski Group, today announced the launch of its Cyber Fusion Center, a next-generation Security Operations Center operated out of Switzerland

Radware Launches Its Newest Application Delivery Controller Platform — Alteon NG 5208 (Nasdaq) Radware's latest ADC fully ensures application SLA for enterprises of any size

Microsemi Steps Up Its Cyber Security Leadership in FPGAs: SmartFusion2 SoC FPGAs and IGLOO2 FPGAs Enhanced with Physically Unclonable Function Technology (MarketWatch) Ideal for IoT applications, Microsemi's FPGAs are the first and only to employ hardened physically unclonable function technology licensed from Intrinsic-ID

SPARTA — Network Infrastructure Penetration Testing Tool (Kitploit) SPARTA is a python GUI application which simplifies network infrastructure penetration testing by aiding the penetration tester in the scanning and enumeration phase. It allows the tester to save time by having point-and-click access to his toolkit and by displaying all tool output in a convenient way. If little time is spent setting up commands and tools, more time can be spent focusing on analysing results

Rails security scanner Brakeman 3.0.0 released (Help Net Security) Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development

UL upgrades EMV Personalisation Validation Tool (Finextra) UL's flag ship product for EMV and cloud-based payment product personalization validation, the Collis EMV Personalization Validation Tool 4.0 (EMV PVT 4.0), is filled with new features and added functionality

Kensington unveils thinnest security lock for ultrabooks and tablets (Help Net Security) Kensington announced the MiniSaver Mobile Lock, the thinnest security lock system with the Kensington mini security slot technology — for use on ultra-thin mobile devices including Ultrabooks and tablets

Toshiba releases FlashAir III wireless SD card (Help Net Security) Toshiba introduced the FlashAir III wireless SD card, a third generation memory card that serves as its own wireless LAN access point, allowing users to share images, videos and files wirelessly. Now with enhanced photo sharing and management features, users can quickly designate which photos to instantly share and easily manage files from a web browser on a PC

Technologies, Techniques, and Standards

A Critical Review of Tom Rid and Ben Buchanan's "Attributing Cyber Attacks" (Digital Dao) Thomas Rid and Ben Buchanan recently tackled the problem of attribution in cyber attacks in "Attributing Cyber Attacks", an academic paper published by Taylor & Francis. I don't know Ben Buchanan but I do know Tom Rid to be a very bright and honest individual. I believe that this paper is his and Ben's best effort. Unfortunately, they only managed to serve up the same flawed recipe for attribution that information security companies have been using for the past 15 years

CES: F.T.C. Chairwoman Notes Concerns Raised by Connected Devices (New York Times) The head of the Federal Trade Commission on Tuesday offered a prescription for protecting consumer data collected by Internet-connected gadgets like wearable fitness trackers and "smart home" devices, previewing themes of a coming report by the agency on Internet privacy and security

Six Strategies for Reducing Vulnerability Risk (Tripwire: the State of Security) There's little doubt that effectively remediating vulnerabilities is an important part of a comprehensive information security strategy. Vulnerabilities in desktops, servers, laptops and infrastructure are commonly involved in intrusions and incidents

The Case Against Hack-Back (BankInfoSecurity) Experts calculate the risks of cyber-retaliation

Enter the matrix: Track down hacks with log files (InfoWorld) Any system can collect logs, but most security operations do a poor job of filtering them to find evidence of malicious activity. Here's where to start

Moonpig breach highlights need for app and API testing (Netcraft) A severe vulnerability in the API used by Moonpig's Android app has highlighted the need for organisations to apply greater scrutiny to the security of their apps and endpoints. Through its apps and website, the custom greetings card company sends out more than 12 million cards every year and turned over £53 million last year

2015 — the year automated malware protection and firewalls become worthless? (BetaNews) Whether you're a home or business user, one thing you've probably had drummed into you for years is the importance of virus protection, an effective firewall and malware guards. Well, as we start our journey into 2015 such security tools may not be anywhere near as effective as they used to be. Is it worth investing in them at all?

The hackers are winning: here's how to stop them (New Daily) With the hacking of Sony Pictures Entertainment, a plethora of celebrities, Microsoft and Sony PlayStation, 2014 proved no one is safe from hackers. But is there a way to protect your online identity, your credit card and your sanity?

The one compliance lesson you need to learn (Help Net Security) We are living in a data driven society with globalizing economies, data transfer, and ubiquitous access to everything from everywhere. At the same time, we have seen an influx of compliance and data security stories flood news outlets

Breaking the (Algorithmic) Black Box in Security Affairs (War on the Rocks) Algorithms have become a buzzword in policy circles — but in many cases, using the term "algorithm" alone is akin to the common journalist errors of making every armored vehicle a tank or assault rifle an AK-47. It renders the details of the technology — and their ramifications for public policy — a black box immune to rational policy analysis. We need something more, especially when talking about ill-specified and complex computational problems that arise from particular defense applications

Data fairy godmothers don't exist for protecting information on your mobile — so what does? (Information Age) Employees want to know that someone is protecting the personal information on their mobile device without having access to it

Prepping for 2015's HIPAA Audits (HealthcareInfoSecurity) Attorneys offer tips for surviving OCR scrutiny

Resource allocation for virtual machines is like running a gym (IT World) A gym is a place I've heard about that other people visit to get fit and be healthy. The days and times that each person goes to the gym can vary greatly, but there is a general trend to the light and heavy use periods of the day. If you own the gym, you need members. You have a finite amount of equipment for your members to use, but you wouldn't stay in business long if you limited the number of members to the number of machines that you have. Instead, knowing that your member's visits will be sporadic, you oversubscribe your memberships to make better use of your resources. This is the same theory behind oversubscribing virtual machines, especially where VDI (virtual desktop infrastructure) is deployed

Marketplace

FBI in tough competition for cybersecurity talent (Naked Security) The FBI can't get enough cybFBI seeks to add more cyber-agentsersecurity agents to join its ranks

Happy New Year — Unless You're A Startup (TechCrunch) As we enter a new year, innovation is advancing across a broad front — mobile, data analytics, virtualization, security, the sharing economy, payment systems and more. That's the good news

Alert Logic Acquires Critical Watch For Risk, Compliance (CRN) Alert Logic acquired Critical Watch in a deal that adds deeper vulnerability and configuration data to its managed security information and event management platform

SuperCom to Acquire Cyber Security Company Prevision Ltd. (MarketWatch) SuperCom SPCB, +0.20% a leading provider of Electronic Intelligence Solutions for e-Government, Public Safety and Mobile Payments announced today its intent to acquire Prevision Ltd. (Prevision) as part of its strategy to offer complimentary security products and solutions to its growing customer base

In Their Own Words: Brendan Hannigan Of IBM Security Systems (Forbes) It's been a while since I put together one of these "In Their Own Words" interviews, and this one breaks tradition in some ways. The previous interviews have focused on founders and CEOs, but this time I am diving in to learn more about Brendan Hannigan, a general manager with IBM Security Systems

Silent Circle appoints Connor as CEO (Telecompaper) Global private communications service, Silent Circle has appointed F. William "Bill" Connor as chief executive officer and member of the board of directors, effective immediately. As CEO of Silent Circle, Connor also joins the board of directors of Blackphone

Research and Development

The Military's New Year's Resolution for Artificial Intelligence (National Journal) Should we be afraid of AI? The military wants a real answer by the end of 2015

Security Patches, Mitigations, and Software Updates

Secure OS Qubes fixes security bugs, confirms no government backdoors (CSO) Qubes. a Fedora-based OS that aims to improve desktop security through virtualised isolated environments, has released two fixes for "security problems" and its first statement confirming that it hasn't been ordered by a government to install a backdoor

Cyber Attacks, Threats, and Vulnerabilities

Ex-Sony Employees Echo Cybersecurity Company's Suspicion That Hack Was An Inside Job (Huffington Post) A Silicon Valley cybersecurity firm is doubling down on its claim that at least one former Sony employee was involved in hacking Sony. Some former employees of the company are expressing that sentiment as well, even as the U.S. government stands by its conclusion that North Korea orchestrated the massive cyberattack

South Korea says North Korea doubled size of its "cyber forces," can nuke US (Ars Technica) Defense Ministry report claims North Korea has cyber army of 6,000

Hackers hit website of French defence ministry (The Local (France)) Internet activists launched an attack on the website of the French defence ministry on Tuesday to protest the death of a young environmentalist during clashes with police last year

United Nation Pakistan Website Hacked By Free Syrian Hacker (HackRead) The famous anti-Bashar Al Assad hacker Dr.SHA6H from Free Syrian Hacker group has hacked and defaced the official website of UNDP — United Nations Development Programme, Pakistan against the ongoing Syrian conflict

Md. station's Twitter, website hacked by ISIL supporters (USA TODAY) The Twitter account for WBOC, a Salisbury-based television station, was hijacked Tuesday by a hacker claiming to be sympathetic to the Islamic State terrorist group, or ISIL

The Connections Between MiniDuke, CosmicDuke and OnionDuke (F-Secure) In September, we blogged about CosmicDuke leveraging timely, political topics to deceive the recipient into opening the malicious document. After a more detailed analysis of the files we made two major discoveries

CryptoWall 2.0 Has Some New Tricks (Dark Reading) New ransomware variant uses TOR on command-and-control traffic and can execute 64-bit code from its 32-bit dropper

Ransomware on Steroids: Cryptowall 2.0 (Cisco Blogs) Ransomware holds a user's data hostage. The latest ransomware variants encrypt the user's data, thus making it unusable until a ransom is paid to retrieve the decryption key. The latest Cryptowall 2.0, utilizes TOR to obfuscate the command and control channel. The dropper utilizes multiple exploits to gain initial access and incorporates anti-vm and anti-emulation checks to hamper identification via sandboxes. The dropper and downloaded Cryptowall binary actually incorporate multiple levels of encryption. One of the most interesting aspects of this malware sample, however, is its capability to run 64 bit code directly from its 32 bit dropper. Under the Windows 32-bit on Windows 64-bit (WOW64) environment, it is indeed able to switch the processor execution context from 32 bit to 64 bit

AOL advertising network used to distribute malware (SC Magazine) Ransomware is being distributed to visitors of The Huffington Post website, as well as several other sites, via malicious advertisements served over the AOL advertising network, according to researchers with Cyphort Labs

AOL halts malicious ads served by its advertising platform (IDG via CSO) AOL.com said Tuesday it has stopped malicious advertisements being served by its advertising platforms after being alerted by a security company

Microsoft reports variant of banking malware that targets German speakers (CSO) Microsoft says German speakers are being targeted by a new variant of a powerful type of malware that steals online banking credentials

Malformed AndroidManifest.xml in Apps Can Crash Mobile Devices (TrendLabs Security Intelligence Blog) Every Android app comprises of several components, including something called the AndroidManifest.xml file or the manifest file. This manifest file contains essential information for apps, "information the system must have before it can run any of the app's code." We came across a vulnerability related to the manifest file that may cause an affected device to experience a continuous cycle of rebooting — rendering the device nearly useless to the user

Users Report Malicious Ads in Skype (Threatpost) Some Skype users have reported seeing malicious ads inside their Skype clients in recent days that lead to a site that tries to download a fake Adobe or Java update

Thieves Jackpot ATMs With 'Black Box' Attack (KrebsOnSecurity) Previous stories on KrebsOnSecurity about ATM skimming attacks have focused on innovative fraud devices made to attach to the outside of compromised ATMs. Security experts are now warning about the emergence of a new class of skimming scams aimed at draining ATM cash deposits via a novel and complex attack

Morgan Stanley Insider Theft Affects Tenth of Wealth Management Clients (Threatpost) The financial services giant Morgan Stanley announced yesterday that that an employee had stolen sensitive information pertaining to more than 900 of the firm's wealth-management clients

The Morning Download: Morgan Stanley Hack Underscores Internal Cyber Risk (Wall Street Journal) Good Morning. The apparent large-scale theft of customer data at Morgan Stanley underscores the fact that the greatest risks to cybersecurity often reside within an organization

Over $5 million confirmed stolen in Bitstamp hack (Help Net Security) While the Bitstamp exchange is still offline, its team has shared some more details about the compromise they suffered recently

Hacking the Tor Network: Follow Up (Infosec Institute) In a previous post, I presented the main techniques used to hack Tor networks and de-anonymize Tor users. Law enforcement and intelligence agencies consider "de-anonymization" of Tor users a primary goal

Attacking UEFI Boot Script (Bromium Labs) UEFI Boot Script is a data structure interpreted by UEFI firmware during S3 resume. We show that on many systems, an attacker with ring0 privileges can alter this data structure. As a result, by forcing S3 suspend/resume cycle, an attacker can run arbitrary code on a platform that is not yet fully locked. The consequences include ability to overwrite the flash storage and take control over SMM

Speed Racer: Exploiting an Intel Flash Protection Race Condition (Bromium Labs) In this paper we describe a race condition that allows an attacker to subvert a component of the firmware flash protection mechanisms provided by Intel chipsets. Although the impact of this attack is mitigated by additional chipset flash protection features, we discuss how these additional features can also be overcome in practice

I was taught to dox by a master (Daily Dot) There are few things more startling than seeing your private information released online. It makes you feel vulnerable and on-edge, knowing that anyone has the details necessary to throw a brick through your window at a moment's notice

Android witnesses 300 times increase in malware (Business Standard) According to Quick Heal's Annual Threat Report for 2014, 536 new malware families and a further 616 new variants affecting the Android platform were detected

DHS releases the wrong FOIA-requested documents, exposing infrastructure vulnerabilities (Homeland Security Newswire) On 3 July 2014, DHS, responding to a Freedom of Information Act(FOIA) request on Operation Aurora, a malware attack on Google, instead released more than 800 pages of documents related to the Aurora Project, a 2007 research effort led by Idaho National Laboratoryto show the cyber vulnerabilities of U.S. power and water systems, including electrical generators and water pumps

IT Security Stories to Watch: Was Chick-fil-A Breached? (MSPMentor) Here are four IT security stories to watch during the first week of January

Litigation, Investigation, and Enforcement

Going postal: Reporter sues government for spying from USPS network (Ars Technica) Sharyl Attkisson seeks $35 million in damages from DOJ and USPS

Netjets is allegedly battling its pilots by impersonating them on Twitter (Quartz) Skirmishes between companies and their unionized employees tend to bring out the worst on both sides. The conflict between Netjets, the private jet-sharing firm owned by Warren Buffet's Berkshire Hathaway, and its pilots has brought out the weird, too, if allegations in a December lawsuit are correct

FBI eyes Chinese hacking of dams database (Washington Times) A federal weather service employee charged with stealing sensitive infrastructure data from an Army Corps of Engineers database met a Chinese government official in Beijing, according to court documents that reveal the case to be part of an FBI probe of Chinese economic espionage

'Find My iPhone' foils thieves once again (Network World) You might think that smartphone thieves would be smarter by now