Cyber Caucus News Round-up 9-7-12

Sep 7, 2012

The Congressional Cybersecurity Caucus News Round-Up is a collection of the major news stories in cybersecurity policy.  The Congressional Cybersecurity Caucus is co-chaired by Congressmen James Langevin and Michael McCaul.  If your Member is interested in joining the Caucus, or would like to be removed from the Caucus distribution list please e-mail Michael Hermann michael.hermann@mail.house.gov (Langevin) or James Murphy james.murphy@mail.house.gov (McCaul).

 

Congressional Cybersecurity Caucus News Round-up

Clips from around the globe, web and Hill…

 

September 7, 2012

 

HILL

House Intel Committee to hold open hearing on Chinese telecom firms

 

ADMINISTRATION

Sniffing open WiFi networks is not wiretapping, judge says

DISA to Embrace New Internet and Communication Technologies 

White House circulating draft of executive order on cybersecurity

Botnet master gets 30-month prison term for renting out infected PCs

3 Ways to Meet the Patch Management Challenge

BYOD security monitoring is not the norm

Official: Congress must establish electric grid cybersecurity authority

Dem, GOP platforms expose divide over cyber defense

Clinton calls for US, China to work together on cybersecurity

Stop computer prodigies before they hack

NPPD Lacks Strategy to Guide International Cybersecurity Efforts

Navy seeks software to assess and exploit network vulnerabilities

 

INDUSTRY

Vendor cybercrime report in the hot seat again

Guild Wars 2 officials say ongoing password attack affects 11,000 accounts

Alleged FBI Hack: Much Ado about Nothing

Internet Explorer 10's bundled Flash leaves users exploitable

New open-source app extracts passwords stored in Mac OS X keychain

Amid Hacker Attacks, Security Start-Ups Draw Attention

Android users are prime target for malware

Firm has no evidence that Romney’s tax returns were stolen

Hackers Claim to Have 12 Million Apple Device Records

Secret account in mission-critical router opens power plants to tampering

Despite Weak Economy, Businesses Heighten Cyber Security

Widely used fingerprint reader exposes Windows passwords in seconds

 

INTERNATIONAL

Insiders suspected in Saudi cyber attack

Sleuths Trace New Zero-Day Attacks to Hackers Who Hit Google

GCHQ to advise senior business leaders on how to fight cyber attacks

Swedish websites shut down by hacker attacks

 

TECHNOLOGY

Cyber security takes a 'prime' number quantum leap

Study finds app users worried about privacy

Is it time to knock infected PCs off the internet?

Secrecy surrounding ‘zero-day exploits’ industry spurs calls for government oversight


HILL


House Intel Committee to hold open hearing on Chinese telecom firms

The Hill

September 7, 2012

The House Intelligence Committee is kicking off the next phase of its probe into the national security threats posed by Chinese telecommunications companies doing business in the United States by holding an open hearing next Thursday. Representatives from Huawei and ZTE have been invited to testify about their business operations. The Intelligence Committee's investigation centers on the two Chinese telecom giants' operations in the United States and whether the companies have ties to the Chinese government. The fear is that the companies' telecommunications equipment could serve as a backdoor for the Chinese government to spy on the United States, threatening the safety of American infrastructure. Committee leaders Reps. Mike Rogers (R-Mich.) and Dutch Ruppersberger (D-Md.) have met with representatives from Huawei and ZTE in China and have also sent letters to their executives asking for further details about any of the companies' connections to the Chinese government. So far ZTE plans to send Zhu Jinyun, a senior vice president at the telecom company, to testify next week. Huawei, on the other hand, will testify "once appropriate arrangements are agreed with the committee," company spokesman William Plummer said in an email.


ADMINISTRATION

Sniffing open WiFi networks is not wiretapping, judge says

Ars Technica

September 7, 2012

A federal judge in Illinois has ruled that intercepting traffic on unencrypted WiFi networks is not wiretapping. The decision runs counter to a 2011 decision that suggested Google may have violated the law when its Street View cars intercepted fragments of traffic from open WiFi networks around the country. The ruling is a preliminary step in a larger patent trolling case. A company called Innovatio IP Ventures has accused various "hotels, coffee shops, restaurants, supermarkets," and other businesses that offer WiFi service to the public of infringing 17 of its patents. Innovatio wanted to use packet sniffing gear to gather WiFi traffic for use as evidence in the case. It planned to immediately delete the contents of the packets, only keeping the headers. Still, the firm was concerned that doing so might violate federal privacy laws, so it sought a preliminary ruling on the question. Federal law makes it illegal to intercept electronic communications, but it includes an important exception. It's not illegal to intercept communications "made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public." Judge James Holderman ruled that this exception applies to Innovatio's proposed packet sniffing. In the Google Street View case, a California judge had suggested that WiFi communications were not public, even if they were sent without encryption. But Judge Holderman reached the opposite conclusion.

 

DISA to Embrace New Internet and Communication Technologies 

American Forces Press Service

September 7, 2012

The Defense Information Systems Agency is taking a new tack by embracing smartphones, tablets and other commercial mobile-device technologies considered vital to improving communications access and data sharing. The aim, a senior DISA official told American Forces Press Service, is to improve the Defense Department’s information edge while continuing to ensure cybersecurity. “We in the Department of Defense have been very, very reluctant to embrace the cell phone and tablet technologies because of the security vulnerabilities,” Tony Montemarano, DISA’s strategic planning director, acknowledged from his headquarters here. “Well, it is time to get over that,” he said. “The modern-day soldier, sailor [and] airman is accustomed to using this on the outside, [and] they expect that same technology on the inside -- not to mention the effectiveness and improved capability this technology gives them. So we have to stand up to the security challenges of what we call mobility. And that is a big, focused change.” This shift will be just one part of DISA’s focus moving forward, as outlined in its new five-year strategic plan released this week. The plan aligns the agency with White House and DOD priorities, with an emphasis on more agile and technologically advanced forces, and increased communications capabilities in the Asia-Pacific region.

 

White House circulating draft of executive order on cybersecurity

The Hill

September 6, 2012

The White House is circulating a draft of an executive order aimed at protecting the country from cyberattacks, The Hill has learned. The draft proposal, which has been sent to relevant federal agencies for feedback, is a clear sign that the administration is resolved to take action on cybersecurity even as Congress remains gridlocked on legislation that would address the threat. The draft executive order would establish a voluntary program where companies operating critical infrastructure would elect to meet cybersecurity best practices and standards crafted, in part, by the government, according to two people familiar with the document. The concept builds off of a section in the cybersecurity bill from Sen. Joe Lieberman (I-Conn.) that was blocked last month by Senate Republicans, who called it a backdoor to new regulations. The draft has undergone multiple revisions and is brief, spanning no more than five pages. It is still being worked on and is subject to change, the people familiar with the draft stressed. It's also unclear whether the final product will get the president's approval to move forward. A new draft of the executive order is expected to be shared with agencies next week. According to the people familiar with the draft, the executive order would set up an inter-agency council that would be led by the Department of Homeland Security (DHS). Members of the council would include the Department of Defense and the Commerce Department, and discussions are ongoing about including other agencies and officials, such as representatives from the Department of Energy and Treasury Department, as well as the attorney general and the director of national intelligence.

 

Botnet master gets 30-month prison term for renting out infected PCs

Ars Technica

September 6, 2012

A hacker who controlled a botnet of 72,000 computers and rented out command-and-control access to various malcontents was sentenced to 30 months in prison today, the Department of Justice said. Joshua Schichtel, 30, of Phoenix, Ariz., pleaded guilty in August of last year to one count of "attempting to cause damage to multiple computers without authorization by the transmission of programs, codes, or commands, a violation of the Computer Fraud and Abuse Act," the DOJ said. Schichtel sold botnet access to various individuals who paid to have him install malware on victims' computers. Although the DOJ said multiple people paid Schichtel to install malware on computers, he pleaded guilty to a charge involving one customer who paid $1,500 to have malware installed on 72,000 computers. A charge filed last year against Schichtel in US District Court in Washington, DC, says his alleged crime occurred on or around Nov. 20, 2009, in the DC Area. The court document and the DOJ announcement don’t contain many details on the crime that put him behind bars, but Schichtel’s history with the law goes back some time. Schichtel was also named in a 2004 complaint in which he and four other defendants were charged with conspiring to use thousands of infected computers to launch Distributed Denial of Service attacks against e-commerce websites.

 

3 Ways to Meet the Patch Management Challenge

Gov Info Security

September 6, 2012

Patch management is a fundamental component of every organization's information-security regime. Still, the patch-management process to identify, acquire, install and verify security updates for applications and systems isn't consistently applied by many organizations. To encourage wider use of patch-management processes, the National Institute of Standards and Technology has issued a draft of Special Publication 800-40 Revision 3: Guide to Enterprise Patch Management Technologies. The revised guidance would replace SP 800-40 Revision 2, which NIST issued in 2005. Organizations that handle patching effectively and minimize the time they spend on it can use those resources to address other security concerns, write guidance authors Murugiah Souppaya and Karen Scarfone. The NIST guidance recommends that organizations: deploy enterprise patch management tools using a phased approach that allows process and user communication issues to be addressed with a small group before deploying the patch application universally; reduce the risks associated with enterprise patch management tools through the application of standard security techniques that should be used when deploying any enterprise-wide application; and balance their security needs with their needs for usability and availability.

 

BYOD security monitoring is not the norm

Nextgov

September 6, 2012

More than 82 percent of federal computer security professionals have policies for safeguarding government data on employees’ personal smartphones -- but most have no idea whether those policies are being followed every day, according to new research. The findings of the survey by cybersecurity compliance firm nCircle suggest that many agencies are embracing the concept of bring-your-own-device, or BYOD, for office work. Yet they are sacrificing data protection to make that happen. While government-owned electronics use “continuous monitoring” -- or near-real-time reporting of security status through sensors and other automated tools -- the technology to track personal devices doesn’t quite exist in the government yet, the study revealed. The protective policies that most security professionals are enforcing likely are more basic, such as training employees on proper connectivity settings and requiring personnel to notify the agency of the type of phone they are using, said Keren Cummins, nCircle's director of federal markets. About 90 percent of participants who had BYOD security policies said they were enforcing them, according to the study released Thursday. Enforcement for personal devices probably involves simply spot checking security posture and other periodic oversight, Cummins said. Only 62 percent of respondents said they have a strategy for conducting continuous monitoring.

 

Official: Congress must establish electric grid cybersecurity authority

The Hill

September 5, 2012

With both Republicans and Democrats advocating for improved cybersecurity in their platforms, an Obama official on Wednesday called on Congress to approve new federal authority to manage cybersecurity on the electric grid. The need to mitigate cybersecurity threats at the electric utility level is urgent, Federal Energy Regulatory Commission Chairman Jon Wellinghoff said Wednesday at a media event hosted by IHS's The Energy Daily in Washington, D.C. Congress has so far failed to ensure regulators can respond to or alleviate "very concerning" threats, he said. “Nobody has adequate authority with respect to both the electric and the gas infrastructure in this country regarding known vulnerabilities,” said Wellinghoff, who is a Democrat. “If I had a cyber threat that was revealed to me in a letter tomorrow, there is little I could do the next day to ensure that that threat was mitigated effectively by the utilities that were targeted.” Wellinghoff has made such statements before. But with cybersecurity legislation stalled in Congress, Wellinghoff — whose chairmanship could be in jeopardy if GOP presidential candidate Mitt Romney wins the Nov. 6 election — will likely need to take that message beyond this session. Wellinghoff’s explanation of the current restraints on improving cybersecurity paid heed to the different Republican and Democratic approaches on the topic. “No. 1, I don’t have an effective way to confidentially communicate [cyber threats] to the utilities,” Wellinghoff said. “And No. 2, I have no effective enforcement authority, and I’ve said this for six years now. And I’ve also said I don’t care who has the authority, but Congress should give someone the authority.”

 

Dem, GOP platforms expose divide over cyber defense

Government Computer News

September 5, 2012

With the failure of Congress to pass legislation aimed at bolstering the nation’s cybersecurity, the Democratic platform asserts the president’s willingness to act on his own through executive order. “President Obama has supported comprehensive cybersecurity legislation that would help business and government protect against risks of cyber attacks while also safeguarding the privacy rights of our citizens,” says the platform adopted Sept. 4 by the Democratic National Convention. “And, going forward, the president will continue to take executive action to strengthen and update our cyber defenses.” The Republican platform, adopted last week, also recognizes the importance of securing cyberspace, calling for the United States to develop an offensive cyberattack capacity to deter would-be enemies. “We will pursue an effective cybersecurity strategy, supported by the necessary resources, that recognizes the importance of offensive capabilities,” against nations, terrorists and criminals, the platform says. The two platforms reflect the partisan differences that have divided the 112th Congress and prevented the passage of meaningful cybersecurity legislation despite the efforts of leaders on both sides to move bills. Republicans see cybersecurity largely as a business issue and object to any regulations on industry establishing requirements for securing IT infrastructure and systems. Democrats have sought to establish minimum standards of security for privately owned critical infrastructure and would place responsibility for securing non-military government systems in the Homeland Security Department.

 

Clinton calls for US, China to work together on cybersecurity

The Hill

September 5, 2012

Secretary of State Hillary Clinton called for the United States, China and other countries to work together on addressing the rising threat of cyber attacks at a press conference in Beijing on Wednesday. "Both the United States and China are victims of cyber attacks. Intellectual property, commercial data, national security information is being targeted," Clinton said in remarks at the press conference. "This is an issue of increasing concern to the business community and the government of the United States, as well as many other countries, and it is vital that we work together to curb this behavior." Though Clinton extended an olive branch to China in her remarks, the United States and the rising Eastern superpower have had somewhat of a rocky relationship when it comes to cybersecurity. U.S. officials, including National Security Agency Director Gen. Keith Alexander and House Intelligence Committee Chairman Mike Rogers (R-Mich.), have warned that China has engaged in cyber espionage campaigns against the United States to steal American intellectual property. U.S. companies have also raised alarm bells about China's cyber capabilities. Web giant Google grabbed headlines in 2010 when it revealed that its infrastructure was hit by a cyber attack stemming from China. Clinton said she had "constructive and productive in-depth discussions" with Chinese Foreign Minister Yang Jiechi on Tuesday and met with Chinese President Hu Jintao on Wednesday morning. Yang voiced willingness to work with the United States and other countries to boost international cooperation on cybersecurity.

 

Stop computer prodigies before they hack

Nextgov

September 5, 2012

Reports that students suspected of hacking Sony Corp.’s Web assets were simultaneously participating in cyber defense contests suggest, to some, a need for young cyberwarriors to learn Cybercrime 101 at an early age. Federal agencies need tens of thousands of computer whizzes educated in network protection and offensive techniques who are able to exploit flaws in an adversary’s networks, as well as detect weaknesses in the government’s own networks. But some trainees may choose to become attackers themselves, as evidenced by the two men who apparently stole data from a Sony website while studying network security at the University of Advanced Technology in Arizona. So some cybersecurity programs have set out to immunize kids against harmful hacking before they reach the fork in the road. The Air Force Association’s CyberPatriot contest for high schoolers does not even teach ethical hacking or penetration testing. The first subject that participants in the national cyber defense competition learn is cyber ethics and cyber citizenship, said CyberPatriot commissioner Bernie Skoch, a former Air Force information technology director. CyberPatriot, which receives sponsorship funding from the Northrop Grumman Foundation, aims to “strongly discourage” malicious activity by “explaining the legal consequences, the career consequences of someone in their adolescence doing the wrong thing,” he said. During the past few years, many universities and nonprofits have sponsored school and professional contests that do try to teach ethical hacking. There is always the risk that the cybersecurity scholars may be up to no good. But computer experts say one of the most important jobs in defending U.S. national security is detecting America’s network vulnerabilities.

 

NPPD Lacks Strategy to Guide International Cybersecurity Efforts

HS Today

September 4, 2012

As many cyberattacks occur just as easily across international borders as they do domestically, the Department of Homeland Security (DHS) must work with international partners to fully safeguard cyberspace. But the DHS directorate charged with supporting cybersecurity goals could do more to strengthen and streamline its international activities, advised the DHS inspector general (IG) in a report Friday. The White House produced an International Strategy for Cyberspace in May 2011 and DHS developed the Blueprint for a Secure Cyber Future: The Cybersecurity Strategy for the Homeland Security Enterprise as a result in November 2011. But the DHS blueprint does not specify roles and responsibilities for the National Protection and Programs Directorate (NPPD), the DHS division managing the department's cybersecurity missions, noted the IG report, DHS Can Strengthen Its International Cybersecurity Programs. As such, NPPD operates without an overall plan to guide its international cybersecurity activities, the IG report said. "While continuing to build upon existing partnerships, NPPD's Office of Cybersecurity and Communications (CS&C) needs to establish and implement a plan and goals to further its international affairs program with other countries, international industry and the private sector to protect global cyberspace and critical infrastructure," the report recommended. "For more efficient and effective operations, NPPD should streamline its international affairs functions to better coordinate foreign relations and consolidate resources. Finally, the United States Computer Emergency Readiness Team (US-CERT) needs to strengthen its communications and information-sharing activities with and among its counterparts to promote international incident response and the sharing of best practices." NPPD Undersecretary Rand Beers agreed with the IG recommendations to finish a strategic plan and to streamline NPPD international affairs activities. He further acknowledged US-CERT must dedicate sufficient resources to maintaining and building international relationships.

 

Navy seeks software to assess and exploit network vulnerabilities

Nextgov

September 4, 2012

In another indication of the growing market for offensive security software, the Navy is in the market for a suite of tools that will scan and assess security holes in networks and exploit unknown glitches in computer programs, contract documents indicate. The Pentagon’s goal is to use the technology to teach personnel how networks are breached so they can better defend military computers. The Naval Postgraduate School is seeking price quotes for a penetration testing kit that will simulate malicious attacks on networks by assessing vulnerabilities in systems and launching zero-day attacks -- the exploitation of previously unpublished vulnerabilities. The solicitation highlights a more aggressive push to train military officers how to play both defense and offense in cyber operations. The Navy wants to use the tools in a newly designed course that will teach officers and students how to respond to hostile computer attacks. “The chosen tool will be used by students to assess and gain entry into a network established by other students,” a contracting notice says. The course “explores the development of cyber-orientated war games and exercises from the perspective of maintaining a high state of readiness in the face of state-sponsored cyber attacks,” it adds.


INDUSTRY


Vendor cybercrime report in the hot seat again

CSO

September 7, 2012

Symantec's Norton group released a new cybercrime study this week that found the average cost of online crime per victim declined during the past year. However, while down, at $110 billion a year that's still a very big global business. The credibility of studies commissioned by security vendors has been strained of late. While nobody disputes that the cost of cybercrime is well into the billions, a number of critics have charged that such surveys inflate the numbers to scare more people into buying security software. McAfee has recently estimated the annual cost of cybercrime worldwide at $1 trillion; Symantec has estimated the annual cost of intellectual property theft in the U.S. at $250 billion. Computer scientists Dinei Florencio and Cormac Herley, of Microsoft Research, authors of a recent paper titled "Sex, Lies and Cyber-crime Surveys," wrote: "Our assessment of the quality of cybercrime surveys is harsh: they are so compromised and biased that no faith whatever can be placed in their findings." Norton based its latest report on an online survey of more than 13,000 adults aged 18-65 in 24 countries. The company acknowledged in a statement that consumer surveys are not subject to peer review, but said that in addition to review by StrategyOne and Norton's own internal experts, it also turned the report over to Jonah Berger, Assistant Professor of Marketing at the University of Pennsylvania's Wharton School, who said, "The standards and best practices for market research were followed and meet the established guidelines of market research." Andrew Jaquith, CTO of Perimeter E-Security, is not convinced. He called the U.S. loss figures "preposterous." Last year the Federal Trade Commission (FTC) aggregated "more than 1.8m complaints about identify theft, fraud and other types of complaints from a wide variety of law enforcement -- 15% of these were identity theft complaints, and 55% were fraud related. The fraud costs to consumers were reported to be about $1.5 billion. That's less than one-tenth of Norton's $20 billion figure," he said.

 

Guild Wars 2 officials say ongoing password attack affects 11,000 accounts

Ars Technica

September 7, 2012

Password crackers have hacked more than 11,000 accounts belonging to players of the popular game Guild Wars 2, in part by using credentials siphoned from an unknown fan site that was recently compromised, game officials said. Officials with Guild Wars 2 developer ArenaNet recently began the practice of proactively e-mailing customers when someone logs into an account from a new location. They're also advising users to choose long, random passwords that are unique to their accounts and to check e-mail only from trusted devices. From Friday to Sunday, officials said they received about 8,500 support requests related to hacked accounts and another 2,574 requests by Monday. "If you don't want your account hacked, don't use the same email address and password for Guild Wars 2 that you've used for another game or web site," officials wrote over the weekend. "Hackers have big lists of email addresses and passwords that they've harvested from malware and from security vulnerabilities in other games and web sites, and they're systematically testing Guild Wars 2 looking for matching accounts." The compromised sites include an unidentified Guild Wars related fan site that ArenaNet officials said recently warned of a breach of its account database. "That's important, but just one of many apparent breaches of other games and web sites that hackers have been collecting email addresses and passwords from," they added. The warnings come amid a wealth of anecdotal evidence pointing to an ongoing campaign, possibly by people located in China, to gain unauthorized access to Guild Wars 2 player accounts. On Thursday, an employee of Norway-based security firm Norman ASA recounted receiving an e-mail warning that someone used her details to attempt to log in to her Guild Wars 2 account just one day after it was created.

 

Alleged FBI Hack: Much Ado about Nothing

Gov Info Security

September 6, 2012

Owners of Apple iPad, iPhone and iPod Touch devices whose unique device identifiers might have been exposed in an alleged breach of an FBI computer would face little, if any, potential harm as a result, some security experts say. The Anonymous-affiliated hacktivist group called AntiSec claims that last spring it breached the computer of an FBI agent and downloaded 12 million Apple unique device identifiers, or UDIDs, a string of 40 characters given to each Apple mobile device. AntiSec claims it posted 1 million UDIDs on the website Pastebin. The FBI denies the breach, saying in a tweet that the hacktivists' claim was "totally false." Apple said it did not provide the FBI with the UDIDs. A hacker with a UDID wouldn't be able to breach the device without other forms of authentication, such as a password and encrypted key. "Unless you have the other two steps, it's really not going to help you a whole lot," says former CIA Chief Information Security Officer Bob Bigman, who runs the IT consultancy 2BSecure. UDIDs identify specific devices and are used to synchronize e-mail, music or security patches when an Apple mobile device is linked to a computer, though a UDID also can be used as one of three forms of identification to gain access to the device. Apple plans to phase out UDIDs, according to a number of published reports.

 

Internet Explorer 10's bundled Flash leaves users exploitable

Ars Technica

September 6, 2012

Early users of Windows 8's built-in Internet Explorer may find themselves at risk of exploitation via the Flash plugin, as the version included with Windows 8 is out of date. Adobe patched Flash on August 21 to resolve known security flaws, but the patch can't be applied to Internet Explorer 10. Internet Explorer 10 bundles Adobe Flash, with Microsoft taking on responsibility for shipping updates to the integrated plugin. One repercussion of this arrangement is that Adobe's patches and autoupdate mechanism can't be used; they can update the standalone version used by Firefox, but not the embedded version in Internet Explorer. The same is true of Chrome; it includes an embedded version of Flash, and the only way to update that is with a Chrome update. Adobe's updater can't touch it. There has been some chatter on Twitter about this issue since Adobe shipped its most recent patch. Ed Bott at ZDNet asked Microsoft about the issue, and was told: “We will update Flash in Windows 8 via Windows Update as needed. The current version of Flash in the Windows 8 RTM build does not have the latest fix, but we will have a security update coming through Windows Update in the GA timeframe.” "GA" means general availability; it refers to the October 26th date when Windows 8 will go on sale through retail channels. There is a contradiction implicit in this statement; Flash in Windows 8 needs an update now, so plainly Microsoft is not updating it "as needed."

 

New open-source app extracts passwords stored in Mac OS X keychain

Ars Technica

September 6, 2012

A software developer has released an open-source app for the Mac that, when run with administrator privileges, dumps all the passwords belonging to other people currently logged on to the machine. Within hours of the release of Keychaindump by Helsinki-based Juuso Salonen, other Mac experts were downplaying its significance. "News flash, root can also format your hard drive, news at 11," OS X serial hacker Charlie Miller wrote on Twitter, referring to the "root" account that by definition has unfettered privileges in operating systems. "Root is totally a dick, he stole my prom date in high school!" another exploit developer known as thegrugq responded. Their point is that Keychaindump's ability to root out passwords isn't a vulnerability or even an oversight by Apple engineers. It's a necessary design with parallels that can be found in any advanced operating system, including Microsoft Windows and various distributions of Linux. Labeling it as a "bug" or a "vulnerability" is like claiming a meat slicer is flawed because it can saw through the finger of the person using it. That said, Salonen's software and an accompanying blog post appear to be the first time anyone has documented the inner workings of the widely used Mac Keychain and released attack code built on those findings. Salonen says his app is "far from perfect," but he also says it "seems to work well" at scouring the internal memory of Macs for the passcodes all currently logged-in account owners enter to access passwords stored on their personal keychains. And that includes the passcode for the root user.

 

Amid Hacker Attacks, Security Start-Ups Draw Attention

The New York Times

September 5, 2012

As hacker attacks swell, so do the fortunes of security start-ups. Accel Partners, an early backer of Facebook, announced on Wednesday that it had invested $50 million in Tenable Network Security, a software maker that helps companies identify network security problems. The investment represents the venture capital firm’s largest initial investment in an American company. “We’re trying to accelerate in an exploding market,” said Ping Li, an Accel partner. “Tenable is a company we’ve been trying to invest in for a couple of years.” Accel’s big bet on Tenable, which was founded in 2002, comes as other venture capital firms plow more and more money into security software start-ups and the broader enterprise market. Last year, the industry invested nearly a billion dollars in technology security start-ups, almost double the amount spent in 2010, according to a MoneyTree report produced by PricewaterhouseCoopers, the National Venture Capital Association and Thomson Reuters. The technology security market is expected to grow in the coming years, as corporations — in response to highly publicized security breaches — spend more money on patching up security holes and adjusting to the rise of mobile and cloud computing. “These major black eyes are happening with increasing frequency,” Mr. Li said. “And it’s not just big companies but also smaller companies, too.” Part of the problem is that businesses have taken a piecemeal approach to security by using firewalls to keep hackers at bay and antivirus software to weed out malware. But none of these solutions communicate well with each other, a situation hackers readily exploit. When a vulnerability is detected, often it is after trade secrets have been stolen or customer data has already been exposed.

 

Android users are prime target for malware

Computerworld

September 5, 2012

A new report summarizing the malware and cybersecurity trends for the second quarter of 2012 has been released. The report found the biggest spike in malware samples detected in four years, and illustrates the growing threat faced by mobile devices, particularly Android mobile devices. There isn't necessarily anything Earth-shattering in the quarterly report. The fact that it's essentially more of the same, with slight variations on themes from previous quarterly reports, however, should be cause enough for concern. The bottom line message is that malicious attacks are a serious threat, and they're not going away any time soon. Malicious websites are a popular method for getting malware out there. An average of 2.7 million malicious URLs were detected each month, pointing to approximately 300,000 bad domains. That works out to about 10,000 new malicious domains being created every day with the express purpose of hosting malware and hijacking unprotected PCs or mobile devices. Botnet activity is at a 12-month high, and the attackers are continuing to evolve clever new ways of managing and controlling the massive armies of compromised computers. Researchers have found that Twitter is now being used by some botnets to issue commands to infected systems.

 

Firm has no evidence that Romney’s tax returns were stolen

The Hill

September 5, 2012

The financial firm PricewaterhouseCoopers on Wednesday said it has no evidence that a hacker group broke through its security and stole copies of Mitt Romney's tax returns. "We are aware of the allegations that have been made regarding improper access to our systems," the financial firm said in a statement. "We are working closely with the United States Secret Service, and at this time there is no evidence that our systems have been compromised or that there was any unauthorized access to the data in question." The hackers claimed to have stolen the Republican nominee's tax forms last month in an elaborate heist. The hackers said they snuck into a Tennessee office of PricewaterhouseCoopers and then, after waiting for nightfall, scanned Romney's 1040 tax forms. They said they sent copies to the local Democratic and Republican Party offices. The group demanded $1 million and threatened to release the forms to the public on Sept. 28 if PricewaterhouseCoopers failed to pay that amount. Romney's campaign did not comment on the alleged break-in.

 

Hackers Claim to Have 12 Million Apple Device Records

The New York Times

September 4, 2012

Hackers released a file that they said contained a million identification numbers for Apple mobile devices, claiming that they had obtained it by hacking into the computer of an F.B.I. agent. The F.B.I. said it had no evidence that this was true. The hacking group, known as AntiSec — a subset of the loose hacking collective known as Anonymous — posted copies of the file on Sunday and claimed to have a total of 12 million numbers for iPhone, iPad and iPod Touch devices, along with some phone numbers and other personal data on their owners. They said their goal in releasing a slice of the data was to prove that the F.B.I. used device information to track people. While the leaked identification numbers appeared to be real, security experts said the release posed little risk. They said that without more information on the devices’ owners — like e-mail addresses or date of birth — it would be hard for someone to use the numbers to do harm. And the actual source of the file was not clear. The F.B.I. said in a statement that “at this time there is no evidence indicating that an F.B.I. laptop was compromised or that the F.B.I. either sought or obtained this data.”

 

Secret account in mission-critical router opens power plants to tampering

Ars Technica

September 4, 2012

The branch of the US Department of Homeland Security that oversees critical infrastructure has warned power utilities, railroad operators, and other large industrial players of a weakness in a widely used router that leaves them open to tampering by untrusted employees. The line of mission-critical routers manufactured by Fremont, California-based GarrettCom contains an undocumented account with a default password that gives unprivileged users access to advanced options and features, Justin W. Clarke, an expert in the security of industrial control systems, told Ars. The "factory account" makes it possible for untrusted employees or contractors to significantly escalate their privileges and then tamper with electrical switches or other industrial controls that are connected to the devices. GarrettCom boxes are similar to regular network routers and switches except that they're designed to withstand extreme heat and cold, as well as dry, wet, or dusty conditions. They're also fluent in the Modbus and DNP communications protocols used to natively administer industrial control and supervisory control and data acquisition gear. Search results recently returned by the Shodan computer search engine showed nine of the vulnerable devices connected to the Internet using US-based IP addresses. If the default credentials haven't been changed, the undocumented factory account can allow people with guest accounts to gain unfettered control of the devices, said Clarke, who is a researcher with Cylance, a firm specializing in security of industrial systems.

 

Despite Weak Economy, Businesses Heighten Cyber Security

USA Today

September 4, 2012

Nasty things began happening at Jones & Wenner not long after the Fairlawn, Ohio, insurance brokerage decided it had grown large enough to handle company email in-house. The free Web mail services the firm's 20 employees had used to conduct business no longer cut it. So the company purchased a Microsoft Outlook Exchange email server. Within weeks, email spam began to inundate each employee's in-box, much of it carrying viral attachments or links to poisoned Web pages, recalls Joyce Sigler, Jones & Wenner's information technology vice president. "We caught a virus that actually moved from one machine to another," Sigler says. "Someone just opened something they shouldn't have opened." For companies like Jones & Wenner, the Internet is a powerful enabler of new efficiencies. But it also exposes them to savvy and persistent cybercriminals seeking weak prey. Some attackers specialize in breaching company websites to pilfer business documents and customer information. Others are expert at poisoning a company's Web pages as a means to infect and take control of visitors' PCs. Small and midsize businesses — so-called SMBs, those with five to 5,000 employees — face a heightened risk, because many lack the wherewithal to recover from the long-run consequences of a serious breach, says Lawrence Pingree, research director at technology research firm Gartner. So SMBs have begun to increase spending on specialized help to shore up security in basic areas, including spam filtering, website defenses, data encryption and basic anti-virus protection. Global spending on security equipment and software by companies of all sizes is in the midst of a multiyear run of 8.9 percent annual growth — and is projected to rise to $85.8 billion in 2016, up from $56 billion in 2011, despite a sputtering economy, according to Gartner.

 

Hacker steals $250k in Bitcoins from online exchange Bitfloor

Ars Technica

September 4, 2012

The future of the up-and-coming Bitcoin exchange Bitfloor was thrown into question Tuesday when the company's founder reported that someone had compromised his servers and made off with about 24,000 Bitcoins, worth almost a quarter-million dollars. The exchange no longer has enough cash to cover all of its deposits, and it has suspended its operations while it considers its options. Bitfloor is not the first Bitcoin service brought low by hackers. Last year, the most popular Bitcoin exchange, Mt.Gox, suspended operations for a week after an attacker compromised a user account and sold all of his Bitcoins in a fire sale that temporarily pushed the price down to zero. The site survived the attack and remains the leading Bitcoin exchange today. Hackers made off with another $228,000 in Bitcoins from online services earlier this year. Bitcoin's peer-to-peer design means that transactions are irreversible. Once a transaction appears in the blockchain, the global record of Bitcoin transactions, no one has the authority to reverse it. And the pseudonymous nature of Bitcoin makes it difficult to trace stolen Bitcoins to their new owners. Some regard irreversible transactions as a key Bitcoin feature, since it means merchants never have to worry about "chargebacks." But this "feature" also dramatically raises the security stakes. Anyone who deals in Bitcoins, from complex exchanges to ordinary users, has to worry about hackers making off with their cash. Indeed, malware that steals your Bitcoins automatically has been spotted in the wild.

 

Widely used fingerprint reader exposes Windows passwords in seconds

Ars Technica

September 4, 2012

Fingerprint-reading software preinstalled on laptops sold by Dell, Sony, and at least 14 other PC makers contains a serious weakness that makes it trivial for hackers with physical control of the machine to quickly recover account passwords, security researchers said. The UPEK Protector Suite, which was acquired by Melbourne, Florida-based Authentec two years ago, is marketed as a secure means for logging into Windows computers using an owner's unique fingerprint, rather than a user-memorized password. In reality, using the software makes users less secure than they otherwise would be. When activated, the software writes Windows account passwords to the registry and encrypts them with a key that is easy for hackers to retrieve. Once the key has been acquired, it takes seconds to decrypt the password. "After analyzing a number of laptops equipped with UPEK fingerprint readers and running UPEK Protector Suite, we found that your Windows account passwords are stored in Windows registry almost in plain text, barely scrambled but not encrypted," said an advisory issued by Elcomsoft, a Russia-based developer of password-cracking software. "Having physical access to a laptop running UPEK Protector Suite, we could extract passwords to all user accounts with fingerprint-enabled logon."

 

INTERNATIONAL

 

Insiders suspected in Saudi cyber attack

Reuters

September 7, 2012

One or more insiders with high-level access are suspected of assisting the hackers who damaged some 30,000 computers at Saudi Arabia's national oil company last month, sources familiar with the company's investigation say. The attack using a computer virus known as Shamoon against Saudi Aramco - the world's biggest oil company - is one of the most destructive cyber strikes conducted against a single business. Shamoon spread through the company's network and wiped computers' hard drives clean. Saudi Aramco says damage was limited to office computers and did not affect systems software that might hurt technical operations. The hackers' apparent access to a mole, willing to take personal risk to help, is an extraordinary development in a country where open dissent is banned. "It was someone who had inside knowledge and inside privileges within the company," said a source familiar with the ongoing forensic examination. Hackers from a group called "The Cutting Sword of Justice" claimed responsibility for the attack. They say the computer virus gave them access to documents from Aramco's computers, and have threatened to release secrets. No documents have so far been published. Reports of similar attacks on other oil and gas firms in the Middle East, including in neighboring Qatar, suggest there may be similar activity elsewhere in the region, although the attacks have not been linked.

 

Sleuths Trace New Zero-Day Attacks to Hackers Who Hit Google

Wired

September 7, 2012

It’s been more than two years since Google broke corporate protocol by revealing that it had been the victim of a persistent and sophisticated hack, traced to intruders in China that the company all but said were working for the government. And it turns out the hacker gang that hit the search giant hasn’t been resting on its reputation; it’s been busy targeting other companies and organizations, using some of the same methods of attack, as well as a remarkable menu of valuable zero-day vulnerabilities. The attackers used at least eight zero-days in the last three years, including ones that targeted the ubiquitous software plugin Flash and Microsoft’s popular IE browser. Researchers at Symantec traced the group’s work after finding a number of similarities between the Google attack code and methods and those used against other companies and organizations over the last few years. The researchers, who describe their findings in a report published Friday, say the gang — which they have dubbed the “Elderwood gang” based on the name of a parameter used in the attack codes — appears to have breached more than 1,000 computers in companies spread throughout several sectors – including defense, shipping, oil and gas, financial, technology and ISPs. The group has also targeted non-governmental organizations, particularly ones connected to human rights activities related to Tibet and China. The majority of the victims have been in the U.S., with the attacks focused on gathering intelligence and stealing intellectual property – such as product design documents and trade secrets, infrastructure details and information about contacts. Many of the attacks have involved supply-chain companies that provide services or electronic and mechanical parts to targeted industries. Symantec says it appears the attackers have used victims in the supply-chain as stepping-stones to breach companies they’re really targeting.

 

GCHQ to advise senior business leaders on how to fight cyber attacks

The Telegraph

September 5, 2012

GCHQ is to use its expertise to take a lead role advising Britain's senior business leaders on how to combat the multi-billion pound threat of cyber attacks, under a programme being unveiled today. The involvement of the listening centre in such a scheme marks the first time that the Government and the intelligence services have worked directly in such a way with the private sector, a newspaper reported. The programme, Cyber Security for Business, is expected to pave the way for more extensive cooperation in the future. CEOs and chairs of FTSE 100 companies, together with ministers and officials from security and intelligence agencies, are to attend the launch of the programme, the Independent reported. It comes amid concern about the growing threat of cyber warfare to the British economy - with its cost to the country estimated at £27 billion a year. A report by the Commons Intelligence and Security Committee concluded that the UK's defences remained inadequate despite a £650 million cyber security programme, while Jonathan Evans, the head of MI5, has described an "astonishing" level of state and criminal cyber attacks, with one London business losing £800 million on a single occasion. GCHQ has drawn up a blueprint to focus on the "Top 20 Critical Controls for Effective Cyber Defence" which it says can "substantially reduce the cyber risk by helping to prevent or deter the majority types of attacks."

 

Swedish websites shut down by hacker attacks

AP

September 3, 2012

Swedish government websites were jammed by hackers for hours Monday, with some supporters of WikiLeaks founder Julian Assange claiming responsibility on Twitter. The websites of the Swedish government, Armed Forces and the Swedish Institute were among those experiencing problems. Niklas Englund, head of digital media at the Swedish Armed Forces, said it was unclear who was behind the so-called denial-of-service attacks, in which websites are overwhelmed with bogus traffic. But he noted that an unidentified group urging Sweden to take its "hands off Assange" claimed responsibility on Twitter. Assange has been sheltering at Ecuador's Embassy in Britain since June 19 in an effort to avoid extradition to Sweden, where prosecutors want to question the founder of the secret-spilling WikiLeaks site over alleged sex crimes.

 

 

TECHNOLOGY

 

Cyber security takes a 'prime' number quantum leap

NBC News

September 6, 2012

Scientists have taken a quantum step on the road to the future of cyber security that will keep our digital data transmissions safe from the most sophisticated cyber criminals imagined. The step involved running an algorithm on a custom-built solid state quantum processor to determine — with 48 percent accuracy — that the prime factors of 15 are 3 and 5. While 48 percent is a failing grade at school, it is nearly as good as theoretically expected when dealing with quantum states where answers are parsed in probabilities. Fifty percent is a “perfect” score. The feat took Erik Lucero five years while he was pursuing his Ph.D. in physics at the University of California at Santa Barbara. The accomplishment earned him the degree and paved the way to his current gig as a post-doctoral researcher in experimental quantum computing at IBM. The findings are reported in the advanced online issue of the journal Nature Physics. Practical applications of the research concern cyber security. Factoring very large numbers, ones with 600 digits, is at the heart of the most common form of encoding, called RSA encryption. “Anytime you send a secure transmission — like your credit card information — you are relying on security that is based on the fact that it’s really hard to find the prime factors of large numbers,” Lucero said in a news release. How hard is really hard? On a classical computer, longer than the age of the universe, which is 14.6 billion years, noted Lucero. In theory, a quantum factoring algorithm formulated by mathematician Peter Shor at the Massachusetts Institute of Technology, can do this in a matter of minutes. If it can be shown that quantum computing can render RSA encryption insecure, quantum cryptography is the likely replacement, according to Lucero.
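To show why finding a period yields the factors 3 and 5 of 15, here is an added illustration (not code from the article or from Lucero's experiment) of the classical arithmetic around Shor's algorithm. The quantum processor's job is only the period-finding step; this example replaces it with brute-force counting, which is practical for N = 15 and hopeless for a 600-digit RSA modulus.

```python
from math import gcd
from typing import List, Optional, Tuple


def multiplicative_order(a: int, n: int) -> int:
    """Smallest r >= 1 with a**r == 1 (mod n), found by brute force.

    This is the period that Shor's quantum circuit finds efficiently; counting
    up to it classically is what takes longer than the age of the universe
    for RSA-sized n.
    """
    if gcd(a, n) != 1:
        raise ValueError("a must be coprime to n")
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def shor_factor(n: int, a: int) -> Optional[Tuple[int, int]]:
    """Shor's classical pre- and post-processing for one base a.

    If a shares a factor with n we are done immediately. Otherwise find the
    period r of a^k mod n. When r is even and y = a^(r/2) is not -1 mod n,
    n divides (y-1)(y+1) without dividing either term, so gcd(y-1, n) and
    gcd(y+1, n) are non-trivial factors. Returns the factor pair, or None
    when this base fails (the algorithm then retries with another base).
    """
    g = gcd(a, n)
    if g != 1:
        return (min(g, n // g), max(g, n // g))
    r = multiplicative_order(a, n)
    if r % 2:
        return None                      # odd period: no square root of 1 to use
    y = pow(a, r // 2, n)
    if y == n - 1:
        return None                      # trivial square root of 1: no information
    p, q = gcd(y - 1, n), gcd(y + 1, n)
    if p in (1, n) or q in (1, n):       # defensive: should not happen here
        return None
    return (min(p, q), max(p, q))


def failing_bases(n: int) -> List[int]:
    """Bases in 2..n-1 for which a single run of shor_factor gives no factor."""
    return [a for a in range(2, n) if shor_factor(n, a) is None]


if __name__ == "__main__":
    # Base 7: period 4, 7^2 = 49 = 4 (mod 15), gcd(3, 15) = 3, gcd(5, 15) = 5
    print(multiplicative_order(7, 15), shor_factor(15, 7))
    print(failing_bases(15))             # only a = 14 (= -1 mod 15) fails
```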

 

Study finds app users worried about privacy

The Hill

September 5, 2012

More than half of mobile application users have uninstalled or avoided certain apps over privacy concerns, according to a study released Wednesday by the Pew Center. The study found that 54 percent of app users have avoided an app when they discover how much personal information it collects or shares. About 30 percent have uninstalled an app that was already on the phone when they learned how it was using their data. Taken together, the study found that 57 percent of app users have either uninstalled or avoided apps due to privacy issues. Mobile apps can raise more privacy concerns than applications on desktop computers because they have access to more personal information, such as the user's physical location. The Pew study found that 19 percent of app users have turned off location tracking features to protect their privacy. Apple changed its privacy policy for apps earlier this year after researchers revealed that the Path social networking app was accessing users' address books without their permission.

 

Is it time to knock infected PCs off the internet?

PC Pro

September 3, 2012

Malware could cost you your access to the internet – but in some cases the block will be imposed by those on the right side of the security fence, who are deploying tactics such as blocked ports, letters in the mail and PCs quarantined from the net to combat the most damaging threats. Last year, authorities – led by the FBI – arrested the criminals behind the DNSChanger operation, taking over their servers. The malware changed victims' DNS settings, and unplugging the servers would have cut off the four million infected PCs from the web. The FBI won a court order allowing it to keep the servers running long enough to work with ISPs to warn infected customers and clean up machines. The 120-day grace period was extended once, but eventually the plug was pulled in July, with 250,000 machines still infected – 13,000 in the UK alone. While some described it as an "internet doomsday", there were few reports of PCs suddenly refusing to find websites. This is partially because ISPs – including Virgin Media – stepped in to handle the DNS re-routing, meaning that some infected PCs are still being propped up. The case raised questions about how far authorities can – or should – go to tackle the worst malware, and who is responsible if it all goes wrong. One idea that's been previously mooted is quarantining infected PCs. When malware is detected, that PC would be blocked from openly accessing the internet. Microsoft's vice president of trustworthy computing, Scott Charney, suggested the idea at the RSA security conference in 2010, asking, "Why don't we think about access providers who are doing inspection and quarantine, and cleaning machines prior to access to the internet?" Microsoft has since pulled back, renaming it "internet health" and proposing PCs receive a "health check" before gaining access to networks.

 

Secrecy surrounding ‘zero-day exploits’ industry spurs calls for government oversight

The Washington Post

September 1, 2012

Deep in Iran’s nuclear facilities, gas centrifuges used to enrich uranium began spinning erratically: fast, then slow, then fast, until they failed. First dozens, then hundreds, then an estimated 1,000 centrifuges were disabled that way, delaying Iran’s nuclear program by up to 18 months. The cause of the failures — first disclosed in 2010 — is now well known to have been Stuxnet, the computer worm developed by U.S. and Israeli intelligence agencies. The sophisticated tool relied on computer code to take advantage of then-undiscovered security flaws, open the way into the Iranians’ software and deliver a payload. But the use of such tools, known as “zero-day exploits,” is not reserved exclusively for the intelligence community. Instead, through a little-known and barely regulated trade, researchers around the world are increasingly selling the exploits, sometimes for hundreds of thousands of dollars apiece. It is a trade, analysts say, that is becoming more controversial, one that even some of those in the business think should be regulated. Exploits are tools developed by hackers and security researchers to take advantage of a specific flaw in a particular piece of software. They are the part of a computer virus that grants access to a user’s system — they open the way in. Stuxnet, for instance, used at least four zero-days. Because they work in such a targeted way, their lifespan is short. Software manufacturers and antivirus providers work to patch the flaws as soon as a new exploit is spotted, often within days. An exploit that has never been seen before is called a “zero- day,” and there are no specific countermeasures designed to tackle it. Analysts say the potency and unpredictability of zero-day exploits has created a strong demand for the tools. That has alarmed experts, some of whom are calling for greater government oversight.