The CyberWire Daily Briefing 03.10.15

Summary

By The CyberWire Staff

Canada's CSEC attributes Babar, Bunny, Casper, Dino, NBot and Tafacalou (Kaspersky calls the Trojans "Animal Farm") to France's DGSE. (Much publicly cited evidence is linguistic or circumstantial, based on presumed DGSE intelligence targets.)

Elsewhere in Canada, a group styling itself the "United Islamic Cyber Force" vandalizes websites belonging to the francophone party Bloc Québécois. (The UICF calls for an invasion of Rome, but this seems more prophetic and aspirational than imminent.) The Bloc Québécois is Provincial but not provincial, larger and better resourced than other recent North American targets of Islamist cyber vandals.

The University of Toronto's Citizenlab accuses the Hacking Team (a well-known Italian cyber firm) of selling its ICS lawful intercept tool to Ethiopia ("the world's first turnkey surveillance state") for use against US-based dissident journalists.

Xiaomi says the M 4 LTE device in which Bluebox found pre-loaded malware was, in fact, a counterfeit (Bluebox concurs). Not only a counterfeit, but "a very good one at that," the device offers an object lesson in supply chain vulnerability.

Trend Micro reports finding a bogus Flash update sniffing home networks for vulnerabilities.

Sophos grumps at BitTorrent for including "foistware" in its uTorrent client.

While waiting for Redmond's Patch Tuesday, admins may consult Apple's latest upgrades.

The Guardian runs a surprisingly sympathetic piece on cybercrime victims giving hackers a dose of their own medicine.

Concerns over cyber labor shortages continue: Cisco estimates there are more than 1M unfilled cyber jobs worldwide.

Analysts wonder how one determines threat intelligence return on investment.

Notes.

Today's issue includes events affecting Algeria, Austria, Canada, China, Ethiopia, France, Germany, Iran, Iraq, Ireland, Israel, Italy, Malaysia, Morocco, Netherlands, New Zealand, Russia, Sweden, Syria, Turkey, Ukraine, United Kingdom, and United States.

The CyberWire will be offering special coverage of SINET's ITSEF conference in Mountain View, California, next week. We'll be live-tweeting from the event, and our editor will be moderating a panel on emerging trends in cyber attack.

Selected Reading

Cyber Trends

Should we hack the hackers? (Guardian) Western companies are being fleeced for hundreds of millions by cybercriminals. Is it time to give them a dose of their own medicine?

Enterprises Seek Third-Party Compliance with Security Requirements (eSecurity Planet) 79 percent of respondents to a recent survey said ensuring that partners comply with their security requirements is a top priority in the coming year

Data classification ranks in top 3 security controls (Help Net Security) Bloor Research surveyed 200 senior IT security executives in the UK and the US, all with organizations that have more than 1,000 employees

Legislation, Policy and Regulation

New Zealand Prime Minister Retracts Vow to Resign if Mass Surveillance is shown (Intercept) In August, 2013, as evidence emerged of the active participation by New Zealand in the "Five Eyes" mass surveillance program exposed by Edward Snowden, the country's conservative Prime Minister, John Key, vehemently denied that his government engages in such spying

Government must encourage cyber threat information sharing to combat hacking (The Hill) In such uncertain times, Americans are justifiably seeking safety and security. That extends to their lives in cyberspace, where threats are poorly understood and growing

Cybersecurity legislation needed to safeguard personal information (The Hill) In representing Texas's 4th Congressional District, I have the privilege of meeting many hardworking Texans who together represent all aspects of our diverse private sector

Stepping up defense of net infrastructure (The Hill) You leave for work and lock the door behind you. You get in the car and fasten your seatbelt. On the highway, you abide by the legal speed limit. These choices reflect a desire for physical security and an awareness, even subconsciously, of potential danger in your daily routine

U.S. credit unions locked in cyber battle with their regulator (Reuters) A common question asked of people in positions of power is what keeps them up at night

The government is doubling down on cybersecurity — really this time (Washington Business Journal) I tend to be reluctant to make definitive forecasts, but I'm ready to say 2015 is quickly turning into the year of cybersecurity. Yes, cyber has been a top concern for several years, and several policy initiatives are simply carrying over. But a brand new initiative potentially brings a fresh, game-changing new focus to the crucial concept of cyber threat sharing

Should the U.S. be able to counter-attack nation-state cyber-aggressors without attribution? (The Stack) The testimony of U.S. Navy Adm. Michael S. Rogers on March 4th — before the House Armed Services Committee on cyber operations and improving the military's cybersecurity posture — not only paints an unusually vivid picture of a nation trying to re-invent its military infrastructure in response to a problem that it only partially understands, but also provides some indication as to the means by which it intends to get off the back-foot regarding response policies to cyber-attacks such as last autumn's Sony Hack incident

Maritime Security: Sneak Preview of the Coast Guard's Cybersecurity Strategy (In Homeland Security) Last week, the Coast Guard participated in a maritime cybersecurity learning seminar and symposium with American Military University (AMU) and Command, Control and Interoperability Center for Advanced Data Analysis, (CCICADA), at Rutgers University. The organizers of the event plan to publish a comprehensive book on cybersecurity as an outcome of the symposium. The attendees included participants from government, private sector and academia. CCICADA is the Department of Homeland Security's University Center of Excellence on cybersecurity

Cyber Subs: A Decisive Edge For High-Tech War? (Breaking Defense) THE FUTURE: Imagine you're a Chinese high commander, taking stock at the outbreak of the next great war. All your aides and computer displays tell you the same thing: For hundreds of miles out into the Western Pacific, the sea and sky are yours. They are covered by the overlapping threat zones of your long-range land-based missiles, your Russian-made Sukhoi aircraft, your home-grown stealth fighters, and your ultra-quiet diesel submarines, all cued by your surveillance network of sensors on land, sea, air, and space

Products, Services, and Solutions

NSS Labs Launches New "Radar" for Cyber Threats (Yahoo! Finance) World's first cyber Advanced Warning System™ helps clients focus on the threats relevant to their environment

Tired of paying for automated scanning and still seeing your website hacked? (Help Net Security) Try ImmuniWeb now. ImmuniWeb combines automated assessment with manual penetration testing performed by experienced security experts

Pindrop Security (Jitter) Protect your assets, reputation, and goodwill before your company becomes the next big news story

CertainSafe Neutralizes Threat of Payment Card Industry (PCI) Data Breaches with Solution that Sets New Record of Tokenization at 2 Billion Bits (CBS 8) MicroTokenization® adds protection to data "around the card", adding to the newest requirement set for October 2015 EMV Standards

NRI SecureTechnologies Launches New Cutting-Edge Security Operation Center in US (Nomura Research Institute) Firm strengthens services to promote information security measures for global companies

Check Point Strips Malware From Emails in Less Than a Second (Infosecurity Magazine) Check Point is claiming to offer 100% malware-free emails with a new threat protection service that strips away any unsafe content in real-time

Technologies, Techniques, and Standards

OpenSSL To Undergo Major Audit (Dark Reading) The Linux Foundation's Core Infrastructure Initiative funding work to take a closer look at the TLS stack

Techniques, Lures, and Tactics to Counter Social Engineering Attacks (Dark Reading) If you are unsure of whether a destination link is safe, tools like TrustedSource are a good place to start

Managing cyber risks more than just IT: p&c conference (Canadian Underwriter) Managing cyber risk in brokerages is really about managing people, not just IT issues, said two speakers at Insurance Canada's 13th Annual P&C Insurance Technology Conference in downtown Toronto on Monday

For threat intelligence programs, ROI evaluation proves tricky (TechTarget) Threat intelligence programs are taking root in many enterprises, but experts say variables like disparate service offerings, pricing models and response capabilities make ROI evaluation a vexing proposition

CISO's Need a Seat at the Table (Venafi Blog) Cyber breach headlines are on the increase and underscore the need for security awareness at the very highest levels of an organization. In 2014 alone, hundreds of millions of records were stolen and tens of millions of dollars were spent on investigations, fines and lawsuits. I was wondering… in how many cases did the CISO have access to the Board of Directors?

How to keep your connected home safe: 7 steps you can take to boost home security (TechHive) The Internet of Things is based on sensors and controls in all sorts of devices. When those types of devices are used to create a smart home, they can give residents unprecedented control and insight. The proliferation of smart devices, however, also opens the door to new dangers and threats

Why the Hillary Clinton email story is a big deal (CSO) A look into the security problems behind Hillary Clinton's use of a personal email address for official government business. Could the same thing happen at your company?

Don't Be Like Hillary: Tips to Make Sure Your Email is Safe and Sound (MainStreet) Most people have something in common with Hillary Clinton, and it has nothing to do with politics: they struggle to keep their email accounts safe. This could be particularly dangerous as far as their finances are concerned

Small-time security threats bigger concern (Automotive News) Hackers? Stolen laptops more likely an issue

Marketplace

Cybersecurity Companies Booming in Wake of Major Corporate Cyber Attacks (Intellectual Property Brief) Over the last year and a half, several major multinational corporations have fallen victim to an unprecedented number of massive cyber attacks and security breaches. Consumer databases and information systems have released millions of records. But not everyone is suffering; cyber security companies and the overall stock market are reaping the benefits of hackers' dirty work

Why Israel could be the next cybersecurity world power (ITWorld via CSO) A well established university program, major industry partners, sponsored research projects and a venture capital partner give Beersheva the makings for becoming a major cybersecurity player

Startup Focuses On Stopping Data Exfiltration (Dark Reading) Former Akamai and Imperva exec heads up new security firm enSilo, launches an operating system-level endpoint security tool

Defense Firm Called Isis Wins $7 Million Pentagon Cyber Contract (Nextgov via Defense One) A little-known Virginia startup company with an unfortunate name will help Pentagon analysts sift through big data research to track threats

Shortage of security pros worsens (Network World via CSO) Cisco estimates a million unfilled security jobs worldwide

Obama Unveils Cyber Training Initiative (GovInfoSecurity) Program aims to bolster nation's high-tech workforce

Akamai CSO takes a creative approach to finding security pros (Network World via CSO) Andy Ellis, chief security officer at Akamai, doesn't try to hire perfect candidates. Here's why

FireEye CTO Tony Cole Enters Wash100 List for Public Sector Cyber Leadership (GovConWire) Tony Cole has been listed among this year's Wash100 most influential leaders in GovCon for his leadership role in the public sector cyber market

Research and Development

Galois Successfully Demonstrates 'Anti-Hacking' Software For UAVs And Cars (Midland Daily News) To address growing evidence that commercial Unmanned Aerial Vehicles (UAV), automobiles and other vehicles are vulnerable to hacking and sophisticated cyber security attacks, Galois today announced it has developed and successfully demonstrated what has been called "the world's most secure UAV software"

Security Patches, Mitigations, and Software Updates

Apple fixes FREAK in iOS, OS X and Apple TV — and numerous other holes besides (Naked Security) Apple has just announced its latest round of security updates

iOS 8.2 stops attackers being able to restart your iPhone with a malicious Flash SMS (Graham Cluley) Apple rolled out a brand new version of iOS for iPhone owners today, largely in readiness for the imminent arrival of the Apple Watch

Seagate Confirms NAS Zero Day, Won't Patch Until May (Threatpost) Seagate, over the weekend, confirmed the zero-day vulnerability in its Seagate Business Storage 2-Bay NAS boxes disclosed March 1. But in the same breath, told customers exposed to the vulnerability that a patch is still two months away

TextSecure to Drop Support for Encrypted SMS (Threatpost) Open Whisper Systems is phasing out support for encrypted SMS and MMS messages in its TextSecure messaging product. The move does not spell the end for encrypted messaging for users of the Android app, as the company plans to switch to its own transport protocol to address some of the security and performance issues inherent in SMS

Dell Enhances Cloud Access Manager With More Security Features (eWeek) Adaptive risk-based security lands in Dell's access management single-sign-on platform

February 2015 Cyber Attacks Statistics (Hackmageddon) Here we go with the aggregated statistics extracted from the Cyber Attacks Timelines of February 2015

Cyber Attacks, Threats, and Vulnerabilities

Cyberespionage arsenal could be tied to French intelligence (Computerworld) Five additional Trojan programs are related to the Babar malware that Canada's government thinks came from French intelligence

Spionageprogramm Casper gelangt über Sicherheitslücke auf Computer (Pressebox) Dritte Malware mit Verbindung zu kanadischen Nachrichtendienst-Dokumenten entdeckt

Bloc Québécois website apparently hacked, taken over by 'United Islamic Cyber Force' (National Post) A group calling itself the United Islamic Cyber Force took credit for a cyber attack on the Bloc Québécois website and many other sites Monday morning

Italy's Hacking Team allegedly sold Ethiopia's despots cyberweapons used to attack journalists (BoingBoing) Ethopia's despotic regime has become the world's first "turnkey surveillance state," thanks to technology sold to it by western companies, including, it seems, Italy's Hacking Team, whose RCS spyware product is implicated in an attack on exiled, US-based journalists reporting on government corruption

Xiaomi says Mi 4 smartphone tested for security issues was a fake (SC Magazine) A smartphone maker says that a firm's security analysis of one of its phones was actually done on a counterfeit device

Malware Snoops Through Your Home Network (TrendLabs Security Intelligence Blog) In recent years, we have seen a lot of reports about home routers being vulnerable to attacks. Our research as early as 2008 shows malware rigging routers to redirect users to different sites. Other attacks we have seen include backdoors and possible DNS rebinding attacks. In these scenarios, the intent and goal of the attacks are pretty straight-forward

Fancy a cryptocoin miner with your Torrent client? "Foistware" back in the spotlight… (Naked Security) You're probably all-too-familiar with "foistware"

BEDEP: Backdoors Brought Into The Light By Flash Zero-Days (TrendLabs Security Intelligence Blog) The earlier Flash zero-days of the year have brought a new malware threat to the forefront: the BEDEP malware family. It has been the payload of two zero-day exploits in recent weeks: CVE-2015-0311 in late January, and CVE-2015-0313 in early February

Ouch! Google crocks capacitors and deviates DRAM to root Linux (Register) 'Rowhammer' attack flips bits in memory to take control of the kernel

State Investigating Cyber-Attack On FSA Testing System (CBS Miami) South Florida students did not encounter any technical issues Monday while taking the state's new standardized test, however, the state's top law enforcement agency is investigating testing delays caused by cyber-attacks on a server used to administer the Florida Standards Assessment (FSA)

Busted scammer resorts to death threats (Naked Security) When his phone rang and he began to listen to the crook on the other end, Jakob Dulisse wasn't fooled for an instant by the "Microsoft tech support" scam

Whoops! AVG data centre KO'd by 'unplanned' outage (Register) Anti-spam software hit, firm says all will be well again 'soon'

How a UK Bank's Security Flaws Dodged FCA Scrutiny (Computer Business Review) Two-factor flaws and a plethora of bugs passed by the regulators

Cyber criminals turn their attention to cloud service credentials (ComputerWeekly) Cyber criminals are turning their attention to cloud-based services to steal credentials as the use of cloud-based documents becomes increasingly popular, say researchers at security firm Proofpoint

Academia

Mother-Son Team Poised For Cybersecurity National Finals (Leesburg Today) A Leesburg 11-year-old discovered a love for cybersecurity less than a year ago and is now on his way to go up against some of the brightest young minds in the nation at the CyberPatriot National Youth Cyber Defense Competition this week

Litigation, Investigation, and Enforcement

Curious Case of M. Yousefi: How Iran Traps its Facebook users with "Black Spider" Program (HackRead) A 27-year-old graduate student Mohammad Yousefi, was sent to prison in Iran as part of a crackdown on social media users by using "Black Spider" trapping project

Justice Dept. vows to strike harder against hackers, nations behind cyberattacks (Christian Science Monitor: Passcode) John Carlin, chief of the Justice Department's National Security Division, says the US needs to raise the stakes for cyberattacks on the US: If the cost of stealing information from American companies results in swift criminal action or sanctions, hackers may eventually decide it's not worth it

Authorities Strike Against Dozens Of Cyber Crooks (Dark Reading) Last week was a banner week for the arrest and indictment of criminals accused of data theft, massive fraud, and DDoS attacks against private and public sector targets

Canada's anti-spam law gets first success with $1.1m fine (Naked Security) Canada's fledgling anti-spam laws have brought their first success, with a $1.1 million fine levied against a Canadian business training firm

Pence offers assistance in cyber attack investigation (WTHI TV) Governor Mike Pence is among those seeking to find out who committed cyber attacks on websites in Indiana

Microsoft Case: The Government Responds, But Fails to Convince (Just Security) The government has now filed its Second Circuit brief in the dispute with Microsoft (discussed here, here, and here), challenging key assertions by Microsoft and its many amici, and making a strong argument that a warrant issued under the Stored Communications Act (SCA) requires Microsoft to turn over emails in its custody and control, regardless of whether they are being held (in this case in Dublin)

Programmer Pleads Guilty to Hacking High-Voltage Power Manufacturer's Networks (Dark Matters) In yet another example of the difficulty in combating threats from malicious insiders, a former employee has pled guilty to hacking into the computer network of a Long Island-based company that manufactures high-voltage power supplies

Armed robber caught after boasting about planned stick-up on Facebook (Naked Security) Doing. Tesco. Over. Andrew Hennells wrote it at 7.25 pm on 13 February. At 7:40 pm, that's exactly where he was: trying to rob a branch of Tesco, the UK supermarket chain

Design and Innovation

'Dark' coins rising (CSO) Cryptocurrency users are stepping up efforts to make payments payments untraceable and fully anonymous

The Security Download: Anticipating Cyberattacks with Machine Learning (Wall Street Journal) Artificial intelligence and machine learning are playing a larger role in cybersecurity, which can in theory help companies identify risks and anticipate problems before they occur. The idea is to create software that can adapt and evolve to combat ever-changing attack strategies, or identify patterns of suspicious behavior

Wearable technology — vulnerabilities are too often ignored (IT Security Guru) Whilst wearable technology and Internet of Things (IoT) are popular, security concerns are often ignored for convenience

Industry Events

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

newly Noted Events

Conference on Cyber Defence in Europe (Berlin, Germany, March 25 - 26, 2015) The conference aims to address these and other issues of cyber defense in a broad audience of policy-makers, senior officials and experts from EU institutions and Member States, representatives of industry and academia. Thus the conference aims at discussing EU cyber defence matters among an audience of approximately one hundred policy-makers, senior officials from EU entities and from EU Member States as well as other interested officials in four panels: Implications of the EU's Cyber Defence Policy Framework; the EU's Mutual Defence and Solidarity Clause in the Cyber Context; Cyber Defence in EU Military Operations; and Civil-Military Cooperation in Cyber Defence

BSides Augusta 2015 (Augusta, Georgia, USA, September 12, 2015) Each BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening

Fraud Summit San Francisco (San Francisco, California, USA, September 15, 2015) ISMG's Fraud Summit is a one-day event focused exclusively on the top fraud trends impacting organizations and the mitigation strategies to overcome those challenges. Among the areas to be discussed are the fraud ecosystem, trends in consumer fraud awareness (what's working and what's not), and threat intelligence

Annual Privacy Forum 2015 (Luxemburg, October 7 - 8, 2015) The distributed implementation of networks and services offers the opportunity for new Privacy Enhancing Technologies (PETs) that could support users' needs while safeguarding their personal data. Although these technologies are widely discussed in the research community, their mere existence is often unknown to the general public. Hence PETs need the support of policy to find their way into IT products. The terms privacy/security by design and by default have found their way into legal and policy texts; however, there is still a lack of knowledge regarding their implementation into services. The European Commission Directorate General for Communications Networks, Content and Technology (DG CONNECT), the European Union Agency for Network and Information Security (ENISA) and, as local host, the University of Luxemburg organize a two-day event with the objective of providing a forum to academia, industry and policy makers. This year, the main focus of the Annual Privacy Forum will be on the privacy of electronic communications

upcoming Events

Financial Services Cyber Security Summit: Middle East and North Africa (Dubai, UAE, March 9 - 10, 2015) Building on the success and feedback of our Cyber Security Summit in Europe — 180 attendees, 3 streams, CPE certified — we are pleased to invite you to the Financial Services Cyber Security Summit MENA — a highly interactive experience sharing platform for top experts from banks, insurance companies, monetary organizations and government institutions, accountancy companies, consumer finance, investment funds, stock brokerages and more

The Vulnerability Economy: Zero-Days, Commerce and National Security (Rockville, Maryland, USA, March 10, 2015) Dr. Ryan Ellis (Belfer Center, Harvard University) will explore a series of topics around cybersecurity including the challenges and opportunities associated with the growing trade in previously unknown and undisclosed software vulnerabilities ("zero days"). Drawing from a real-world case study, Dr. Ellis investigates the tension between the development of offensive cyber capabilities and cybersecurity. The discussion considers different approaches to disclosing newly discovered vulnerabilities and highlights the key roles that government and industry can play in promoting enhanced cybersecurity

Cyber Security Opportunities in Japan, S. Korea and Taiwan Webinar (Online, March 10, 2015) Export.gov, of the US Department of Commerce, invites you to listen to experts from the Japan, South Korea and Taiwan and learn how to position your company for success in these countries. Learn about cyber security opportunities, gain insights into these significant Pacific Rim markets, and learn how to position your company for success

OISC: Ohio Information Security Conference (Dayton, Ohio, USA, March 11, 2015) Technology First invites you to participate in the 12th Annual Ohio Information Security Conference Wednesday, March 11, at the Sinclair Community College Ponitz Center in Dayton, Ohio. The conference will focus on three areas/tracks: management, technical and implementation. CEUs (7) are available for this event

RiSK Conference 2015 (Lasko, Slovenia, March 11 - 12, 2015) In recent years RISK conference has become one of the leading events on computer security in the Adriatic region and is attended by engineering as well as executive staff of companies from the region. Much has changed in the field of security and data protection in recent times. There are popular new technologies in the form of SaaS (Security as a Service) and services in a cloud (cloud computing), green computing, etc

B-Sides Vancouver (Vaqncouver, British Columbia, Canada, March 16 - 17, 2015) The third annual Security B-Sides Vancouver is an information security conference that will be held March 16th and 17th. We love to see brand new speakers, seasoned speakers, and everyone in between

Insider Threat 2015 Summit (Monterey, California, USA, March 16 - 17, 2015) The Insider Threat 2015 Summit is about bringing Government and Industry organizations and their cybersecurity leaders together in order to better understand the type of threats that may impact their infrastructure and overall operations. Our two-day summit will provide insights on the most unique and thought provoking active defenses currently available for physical and personnel security, as well as, cyber threats. By supplying intelligent focus through tailored solutions our presenters and sponsors will be contributing to a forum to discuss ways to mitigate the risk of insider threats. This event allows for a truly unique opportunity to hear from experts in the field talk about their current and future solutions, giving way to an optimal setting for networking

2015 North Dakota Cyber Security Conference (Fargo, North Dakota, USA, March 17, 2015) The North Dakota Cyber Security Conference brings together community members from academia, government and industry to share strategies, best practices and innovative solutions to address today's challenges in cyber security. The vast scope of modern cyber threats calls for active participation from individuals and organizations across the state

IT Security Entrepreneurs Forum: Bridging the Gap Between Silicon Valley & the Beltway (Mountain View, California, USA, March 17 - 18, 2015) IT Security Entrepreneurs Forum (ITSEF) — SINET's flagship event — is designed to bridge the gap between the Federal Government and private industry. ITSEF provides a venue where entrepreneurs can meet and interact directly with leaders of government, business and the investment community in an open, collaborative environment focused on addressing the Cybersecurity challenge

Philadelphia SecureWorld (Philadelphia, Pennsylvania, USA, March 18 - 19, 2015) Join your fellow security professional for affordable, high-quality cybersecurity training and education at a regional conference near you. Earn CPE credits while learning from nationally recognized industry experts on many diverse topics such as: Risk Mitigation, Malware Detection, Digital Forensics, Cloud Security, Privacy, Big Data, PCI Compliance, Security Metrics, Encryption, Mobile Device Management, Incident Response, and much more. Keynote speakers will be Larry Ponemon (of the Ponemon Institute) and Christopher Pierson (General Counsel & Chief Security Officer, Viewpost)

Sponsor & Support

Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listens all over the world, companies trust the CyberWire to get the message out. Learn more.