Cyber Attacks, Threats, and Vulnerabilities
Cyber attack: Pro-ISIS hackers target Vizag company (Deccan Chronicle) A Moroccan hacking group, claiming to be the supporters of Islamic State, hacked the website of the Visakhapatnam chapter of the Indian Institute on Tuesday and posted comments and a picture supporting extremist organisation
Here's How the US Should Fight ISIS with Social Media (Wired) The Islamic State wants to rule the world. It murders enemies — sometimes in mass, sometimes individually, always brutally. It enslaves and abuses women. It jails everyday joes for smoking, drinking, trading, or speaking their minds. It is a brutal, dead-end regime cloaked in a perverted medieval understanding of one of the world's great religious faiths
Why did victims in Islamic State beheading videos look so calm? They didn't know it was real. (Washington Post) For all their stage-managed professionalism, the videos of killings released by the Islamic State have often left viewers confused about the exact circumstances of what was being shown in the video. Their videos of beheadings, for instance, do not show the act itself, which initially led some to speculate that they may have been faked
Cyber-whizs partake in mass eye-roll event over latest leaks: CIA spies 'spying on iPhones' (Register) Plot to subvert Xcode to insert backdoors into apps mulled
Equation Group Cyberspying Activity May Date Back To The '90s (Dark Reading) New Kaspersky Lab findings show how the 'master APT' nation-state group is likely the longest-running cyber espionage gang of all, and newly discovered code artifacts include English-language clues
Details Surface on Stuxnet Patch Bypass (Threatpost) It took 10 hours to find what had eluded others for close to five years
The ghost of Stuxnet past (Virus Bulletin) Microsoft patches .LNK vulnerability after 2010 patch was found to be incomplete
Guardian backtracks, says Whisper doesn't spy on its users after all (Ars Technica) Newspaper decides that IP address information is minimally useful for tracking locations
Apple Pay: Bridging Online and Big Box Fraud (KrebsOnSecurity) Lost amid the media firestorm these past few weeks about fraudsters turning to Apple Pay is this stark and rather unsettling reality: Apple Pay makes it possible for cyber thieves to buy high-priced merchandise from brick-and-mortar stores using stolen credit and debit card numbers that were heretofore only useful for online fraud
Hey Siri, How Come Strangers Are Listening To My Private Messages? (Tripwire: the State of Security) I don't often use Siri on my iPhone, but I've got to admit that when I do it's really handy
RedHack Hacks Istanbul Police Assoc. website, Tributes Berkin Elvan on 1st Death Anniversary (HackRead) The online Turkish hacktivist group RedHack has hacked and defaced the official website of Istanbul Police Association in tribute to Berkin Elvan, a 15-year-old teenager who died March 11, 2014 after being in a coma for 269 days due to a head injury caused by a teargas canister during the Gezi protests in Istanbul, Turkey
Stolen hard drives bring more data breach pain for US health services (Naked Security) The Indiana State Medical Association (ISMA) has warned 39,090 of its clients that their private data may be at risk of leakage, after the "random" theft of a pair of backup hard drives
Security Patches, Mitigations, and Software Updates
Dropbox patches Android SDK vulnerability (CSO) Dropbox says the issue is minor, but it was serious enough to be patched in four days
MS Update 3033929 Causing Reboot Loop (KrebsOnSecurity) One of the operating system updates Microsoft released on Tuesday of this week — KB3033929 — is causing a reboot loop for a fair number of Windows 7 users, according to postings on multiple help forums. The update in question does not appear to address a pressing security vulnerability, so users who have not yet installed it should probably delay doing so until Microsoft straightens things out
Problems reported with Microsoft patch KB 3002657, warning issued on KB 3046049 (InfoWorld) But in general, this month's massive patching exercise is going surprisingly well so far
As easy as 123: Xen hypervisor bug found, fixed, phew…make sure you're patched! (Naked Security) Popular virtualisation platform Xen has just announced a worrying bug
Run WordPress SEO by Yoast on your website? You need to update it (Graham Cluley) WordPress SEO by Yoast's an incredibly popular WordPress plugin, because it's tremendously good at what it does
Android Lollipop 5.1 brings promised anti-theft "kill switch" (Naked Security) Google just announced a new version of Android, Lollipop 5.1, which it says includes some "tasty additions" along with improved stability
Cyber Trends
In our modern surveillance state, everyone can be exposed (Christian Science Monitor: Passcode) Maintaining anonymity against powerful surveillor is nearly impossible. Even the most skilled hackers and spies risk discovery. In an era when everything is tracked and stored, we either need more robust ways of preserving anonymity — or to give up on the idea entirely
Survey: Trust in certificates 'near breaking point' (CSO) InfoSec pros believe that trust in keys and certificates is in jeopardy
Prepare for damaging cyberattack, FBI agent warns (The Hill) A New York-based FBI official is warning the public to prepare for major cyberattack given the increasing sophistication of hackers around the world
2015 Cyberthreat Defense Report (Tenable Network Security) How does your security effectiveness compare? The 2015 Cyberthreat Defense Report from the CyberEdge Group is based on an analysis of 814 survey responses from North American and European IT security professionals. Covering a wide range of issues, the report will help you benchmark your security practices with those of your peers, while also offering insights that address questions such as
US Cyber Security Survey: Fear of Cyber Crime Up 66 Percent (GFI) Growing threats from hacking groups, terrorists and government-sanctioned retaliation has individuals fearful of attacks and losses, GFI Software commissioned research shows
Survey: Infosec pros under increasing pressure, short-staffed (CSO) Security professionals say they were under more pressure in 2014 than the year before
Most Big Firms Have Had Some Hacking: Business of Law (Bloomberg) Data breaches don't just affect retailers and banks. Most big law firms have been hacked, too
Canadian security pros lag in cyber threat awareness, says Trustwave (IT World Canada) Within the past two years a Canadian organization quietly had to pay millions of dollars in fines to credit card companies after a data breach
Marketplace
Politics intrude as cybersecurity firms hunt foreign spies (Reuters) The $71 billion cybersecurity industry is fragmenting along geopolitical lines as firms chase after government contracts, share information with spy agencies, and market themselves as protectors against attacks by other nations
Cybersecurity Firms Struggle to Keep Up With Threats (Voice of America) Bomb attacks typically grab news headlines. But there are almost invisible activities occurring every day that could create a more widespread and devastating calamity — cyber intrusions into government and corporate information and control systems that could cripple vital services and bring normal commerce to a halt
Changing how the security industry works with government (SecurityInfoWatch) In his work on the SIA Government Summit Planning Committee, Louroe Electronics CEO Richard Brent said he wanted to change how the industry works with and views the federal government
How hedge funds need to address cybersecurity threats (HedgeWeek) The threat of cyberattacks is growing within the hedge fund community, requiring managers to put in place policies and procedures that address the cybersecurity risks unique to their firm. This goes beyond merely acquiring technology and hoping for the best
Avast becomes most valuable IT company in the CR (Prague Post) Company attributes global user growth and financial performance to its investment in the Czech Republic
Splunk Goes Down Market — Good Move Or Sign Of Weakness? (Forbes) Splunk was one of the early kids on the block in terms of publicly listing a big data company. Their timing was good; the amount of competition in their space is far greater now than it was when they launched. But getting their IPO away was one thing, returning sufficient growth to keep Wall Street happy is another, and today sees Splunk launch an initiative aimed at targeting that growth: a new, lighter-weight offering for smaller businesses
Prevoty Announces $8m Series A Funding Round, Led by USVP (PRWeb) Funding caps an impressive year of growth for RASP application security pioneer
CyberArk Software Ltd. Announces Pricing of Secondary Offering (BusinessWire) CyberArk Software Ltd. (NASDAQ: CYBR), the company that protects organizations from cyber attacks that have made their way inside the network perimeter, today announced the pricing of a registered secondary public offering of 4,000,000 ordinary shares at a price of $51.00 per share. The underwriters have a 30-day option to purchase up to an additional 600,000 ordinary shares at the public offering price. All of the shares are being sold by CyberArk's shareholders. The Company will not receive any proceeds from the sale of these shares. The offering is expected to close on March 17, 2015, subject to customary closing conditions
Israeli Cyber Security Startup enSilo Raises $2-3M Seed Round from Carmel Ventures (iamwire) Israeli cyber security startup enSilo has raised a seed funding round from Carmel Ventures to prevent the exfiltration or taking of data. Though neither enSilo nor Carmel Ventures commented on the value of the seed funding round, sources indicate that the round was estimated at between $2-3 million
MACH37 Cyber Accelerator Teams with Product Savvy for Product Boot Camp (Digital Journal) For the third time, cyber startups see most value in product management training
CloudLock Announces Matthew Maloney as Vice President of Global Sales (MarketWired) Industry veteran to lead cloud security leader's global sales organization
Sophos Strengthens Management Team With New Technical Support Leader (MarketWatch) Michael Anderson Joins as Senior Vice President, Global Technical Services
Jürgen Schnöbel Appointed As Vanderbilt Chief Financial Officer (Source Security) Vanderbilt, a global leader in the delivery of innovative, highly reliable technologies that help organizations ensure safety and security, recently announced the addition of Jürgen Schnöbel as Chief Financial Officer
Products, Services, and Solutions
Panda antivirus labels itself as malware, then borks EVERYTHING (Register) Spanish security firm in baffling tail-chasing auto-immune kerfuffle
Bugcrowd Enters Financial Sector, Announces Managed Bug Bounty Program for Western Union (Virtual Strategy Magazine) Bugcrowd's crowd of more than 15,000 security researchers dig deeper to test for vulnerabilities in Western Union's Website
HP Granted FedRAMP Authorization for Government Agencies to Use HP Fortify on Demand (MarketWired) HP Fortify on Demand is the first security software-as-a-service (SaaS) offering to achieve approval
HyTrust KeyControl Cryptographic Module Enters Process for FIPS 140-2 Validation (BusinessWire) New level of compliance helps strengthen support for regulatory mandates
Check Point 'threat extraction' tech cleans booby-trapped email attachments (Computerworld) Blade customers offered new email security system to beat common attack
Ars tests ExoNet, the personal VPN that takes you home (Ars Technica) A hardware-based two-factor VPN that connects to your home LAN for Web privacy
Transport for London adopts ultra-secure USB drives (Help Net Security) Transport for London (TfL) has adopted ultra-secure USB flash drives to ensure that its data is protected in the event of the loss or theft of portable devices. DatAshur USB flash drives will now be used as standard by TfL staff for transporting data on the move
Technologies, Techniques, and Standards
Syslog Skeet Shooting — Targeting Real Problems in Event Logs (Internet Storm Center) A common bit of advice that we tend to offer up frequently is "monitor your logs" or "review your logs periodically". However, with daily syslogs — even in a small environment — ranging from 300MB to 5GB, that's no easy task. We've discussed parsing logs out using grep and similar tools in the past, but that assumes that nothing drastic ever happens — you're banking on the fact that anything being logged can wait until you have time to check your logs
Defending Against PoS RAM Scrapers (TrendLabs Security Intelligence Blog) Stealing payment card data has become an everyday crime that yields quick monetary gains. Attackers aim to steal the data stored in the magnetic stripe of payment cards, optionally clone the cards, and run charges on the accounts associated with them. The topic of PoS RAM scraper malware always prompts businesses and retailers to ask two important questions: "How do I protect myself?" and "What new technologies are vendors introducing to protect businesses and consumers?"
FIs urged to improve cyber protection (Global Trade Review) Financial institutions (FIs) should adopt an asset-based approach to cyber risk, as the number of attacks continues to grow, experts say
Don't Panic! Six Steps for Surviving your First Data Breach (Continuity Central) Once you've come to terms with the harsh reality of the world, you come to understand that sooner or later, you will be the victim of a security breach. Chances are that it may not be this month, or even this year, but as the insightful Tyler Durden so shrewdly observed, "On a long enough timeline, the survival rate for everyone drops to zero"
OpenSSL Faces Major Security Audit Post-Heartbleed (Computer Business Review) Cryptography Services will check integrity of Transport Layer Security
Clinton email snafu highlights danger of 'print-to-file' archiving (FierceContentManagement) Best practices are your best bet
Cyber Compliance Is Not Cyber Protection (Daily Signal) Leading cybersecurity analysts met at the 2015 SecureWorld conference in Boston on March 4 – 5 to discuss the emerging threats and increasingly noticeable drawbacks of cyber regulations. Panelists not only discussed the new, more complex, and difficult-to-detect types of threats, but also agreed that regulatory compliance is the wrong way to strengthen cybersecurity
When it comes to patient data privacy, compliance and security differ (Help Net Security) If a name perfectly underscored a growing issue of concern, it's Anthem. In February, the health insurance plan provider disclosed cyber attackers had breached its IT system for several weeks and obtained consumers' personal data. The message this revelation spread is that healthcare-related organizations are increasingly prime targets for hackers and cyber thieves
DISA looks to FedRAMP high as base for high-plus (C4ISR & Networks) The Defense Information Systems Agency is looking at the General Services Administration's FedRAMP high baseline as the starting point for a "high-plus" standard that would pertain to the most highly sensitive data
How automated threat response can close the cyber gap (Federal Times) The IT security skills gap is getting wider again, and it will affect your organization's security
Research and Development
AI Researchers Propose a Machine Vision Turing Test (IEEE Spectrum) Researchers have proposed a Visual Turing Test in which computers would answer increasingly complex questions about a scene
Academia
Air Force Reserve Signs on as a Cyber Silver Sponsor of the Air Force Association's CyberPatriot Program (PRNewswire) The Air Force Association today announced that the Air Force Reserve, the federally controlled Air Reserve component of the U.S. Air Force, has partnered with CyberPatriot, the National Youth Cyber Education Program as a Cyber Silver sponsor
College asks experts what to teach cyber-security students (WTNH News 8) With hacker attacks on the rise, one local college wants to offer a degree in cyber-security. Naugatuck Valley Community College held a summit this morning with a whole bunch of people who know about internet security, telling officials from NVCC what they should be teaching their students about internet security
Cyber engineering a new pathway to graduation in La. (Shreveport Times) The Louisiana State Board of Education approves Cyber Engineering as one of 11 new graduation pathways in the state, according to a press release. This new pathway will help address the state's growing demand for information technology professionals
Legislation, Policy, and Regulation
UK Parliament says it's "technologically infeasible" to block Tor (Ars Technica) A breath of fresh air after the PM talked of banning strong encryption
Stronger encryption on consumer devices won't hurt national security (Christian Science Monitor: Passcode) … according to three-quarters of Passcode Influencers
Opinion: How to defuse a simmering crypto war (Christian Science Monitor: Passcode) In an Op-Ed provided by our partners at the Information Technology and Innovation Foundation, the director of the Cyber Security Policy and Research Institute at the George Washington University argues that engineering trust can help avoid a new battle over data encryption
A Comparative Analysis of National "Cyber" Security Strategies — Germany and the U.S. (Tripwire: the State of Security) Last week, Tripwire published an article analyzing the ways in which the United States' International Strategy for Cyberspace (ISC 2011) has informed the ideas outlined in the recently released 2015 National Security Strategy (U.S. NSS 2015)
Opinion: Obama needs a cyberwar cabinet (+video) (Christian Science Monitor: Passcode) The Sony hack demonstrated that modern warfighting will be defined as much by circuits and networks as by missiles and guns. Therefore, we need a new war cabinet comprised of cybersecurity experts from government and the private sector to ensure the US can respond in real time to the next massive breach
Blog: Cybersecurity Information Sharing a Tool for Situational Awareness (SIGNAL) Knowing the cybersecurity threat might be half the battle toward mitigating problems, but the popular push and mounting trend toward increased information sharing, particularly between industry and the federal government, is not the be all and end all, according to one security expert
Senate Intel panel to mark up cyber bill (The Hill) The Senate Intelligence Committee will mark up controversial cybersecurity legislation in a closed session Thursday, the panel's spokeswoman confirmed
NAFCU Letter to House and Senate Leaders on 2015 Verizon Report — 4 out of every 5 global retailers fail PCI test (Credit Union Insight) On behalf of the National Association of Federal Credit Unions (NAFCU), the only trade association exclusively representing our nation's federal credit unions, I write today to bring your attention to the recently released Verizon 2015 Payment Card Industry Compliance Report. Massive data breaches at our nation's largest retailers have put millions of consumers at risk and have cost credit unions across the country millions of dollars in fraud-related investigations and losses, card reissuance costs, and additional card monitoring. Credit unions and their 100 million members continue to believe Congressional action mandating a strong federal data safekeeping standard for merchants is the only way to prevent breaches and make a meaningful difference for consumers
Litigation, Investigation, and Law Enforcement
Joint Statement from the Office of the Director of National Intelligence and the Department of Justice on the Declassification of Renewal of Collection Under Section 501 of the Foreign Intelligence Surveillance Act (IC on the Record) On February 27, 2015, the Director of National Intelligence declassified and disclosed publicly that the U.S. government had filed an application with the Foreign Intelligence Surveillance Court seeking renewal of the authority to collect telephony metadata in bulk, and that the FISC renewed that authority
Stuxnet leak probe stalls for fear of confirming US-Israel involvement (Ars Technica) Obama admin wants to prosecute leakers but doesn't want to admit Stuxnet role
Global Cyber Surveillance May Help Prevent Lone Wolf Attacks (Bloomberg) "Lone wolf" assailants rely on online platforms and networks that can provide important warnings to law enforcement officials if monitored properly, Israeli cyber academics and a former government official say
Pakistan's cellphone-registration policy will do little to curb terrorism (Quartz) Following the Dec. 2014 terrorist attack on a school in Peshawar, which killed 133 children, the Pakistani government has announced a number of national measures to fight terrorism in the country. While over 56,000 Pakistanis have been killed in terrorist-related violence since 2003, the measures introduced by the government late last year are some of the most focused actions yet in the attempt to make the country safer
VPN use punishable under law: Dubai Police (Emirates 24/7) Tampering with an internet network is a crime and against the TRA's policies
Accused Russian Hacker on Tropical Holiday Nabbed by U.S. Agents (Bloomberg) For more than a decade, the U.S. Secret Service hunted Roman Seleznev, a computer wizard suspected of being one of the world's most prolific traffickers in stolen credit cards
Experts believe Clinton emails could be recovered (The Hill) Thousands of Hillary Clinton's emails may be gone — but not necessarily for good
Clinton's iPad while secretary of state not certified as 'secure,' sources say (Fox News) Not only was Hillary Clinton exclusively using a personal email account for government business, but according to her own memoir she relied on an iPad — though security and investigative sources tell Fox News the device was not certified as "secure"
The human cost of phone hacking (We Live Security) How would you feel if a stranger was not only listening to your private voicemail messages, but then taking the information they gleaned from them and using it to write lurid, invasive news stories designed to sell tabloid newspapers?
Congressperson asks DoJ to "intensify enforcement" of online harassment laws (Ars Technica) Says only 10 cases out of estimated 2.5 million were prosecuted from 2010-13