Posted by Kevin on October 1, 2014.
The ITsecurity daily security briefing: Wednesday, October 1, 2014.
If you find this security briefing useful, please spread the word via social media. If you have any comments or recommendations, please email kevtownsend at gmail dot com.
LulzSec – minus Sabu – reconvenes on stage
“Jake Davis (Topiary), Ryan Ackroyd (Kayla), Mustafa Al-Bassam (TFlow), and Darren Martyn (Pwnsauce) joined anthropologist and Anonymous expert Gabriella Coleman on stage at the Royal Court, where Tim Price’s play Teh Internet is Serious Business is currently attempting to replicate the rise and fall of LulzSec…
“This week, those four men met each other in the real world for the first time, to talk Anonymous, Sabu, and what the internet is really for…
“This is exemplified by Ryan Ackroyd, whose online persona was that of a 16-year-old girl named Kayla. Listening to the 27-year-old man in front of me, impeccably dressed in a three piece suit, speaking with a strong Yorkshire accent about the power of the internet to help disseminate information, was disconcerting to say the least.”
International Business Times:
ACLU shows NSA’s reliance on exec order 12333
FOIA documents discussed by the ACLU on Monday show that much of the NSA’s surveillance authority is taken from Executive Order 12333 issued by Ronald Reagan in 1981. The implication is that attempts to modify section 215 of the PATRIOT Act will have little effect since it is not the ultimate authority used by the NSA. Executive Order 12333 specifies the only limitation on NSA surveillance. This is reinterpreted by the agency so nebulously that there is effectively no limitation. For example, one document says that NSA agents can collect information on USPs (American people or companies) if any one of 16 conditions is met. Just one of those is if it involves “Potential sources of assistance to intelligence activities.”
Businesses spend less on cyber security despite rise in attacks
“Corporate cyber security budgets are falling despite a huge rise in the number of attacks and an increase in the financial losses they cause, according to a new report from PwC, the professional services group…
“Global security budgets fell 4 per cent in 2014, compared with the year before, according to the survey of almost 10,000 executives and IT directors released on Tuesday…
“Security budgets at companies with less than $100m in revenues fell by an average of 20 per cent, while at medium and large businesses they edged up by 5 per cent.”
Trend Micro and INTERPOL collaborate to fight global cybercrime
Trend Micro has today announced a three-year collaboration deal with Interpol. “Over the next three years, Trend Micro will share its threat information analysis with INTERPOL officers through its Trend Micro™ Threat Intelligence Service. The goal of this initiative is to investigate, deter and ultimately prevent cybercrimes. This effort will also help to bridge the gap in information-sharing between the public and private sectors…
“Trend Micro will also assist INTERPOL in providing a cybercrime investigation training program to improve techniques and increase capabilities of member countries conducting a growing number of investigations. To support these new initiatives, a Trend Micro security researcher will be onsite at the INTERPOL Global Complex for Innovation (IGCI) in Singapore.”
Microsoft partners with financial services industry on fight against cybercrime
“The most critical component of our efforts to thwart cybercriminals online is deep partnerships with law enforcement and industry partners. A key ally in this fight is the Financial Services Information Sharing and Analysis Center (FS-ISAC), the global financial industry’s go-to resource for cyber and physical threat intelligence analysis and sharing. That’s why I’m pleased today to announce a new collaboration with the FS-ISAC to share cyber-threat intelligence, free of charge, to better protect our mutual customers and partners.
“Through this pilot program, Microsoft will make its Cyber Threat Intelligence Program feed available to participating FS-ISAC members, which will receive near real-time information on known malware infections affecting more than 67 million unique IP addresses. With this information, FS-ISAC members will be able to quickly identify infected computers on their networks and clean them of malware, through an automated, confidential and secure feed distributed via the cloud with Microsoft Azure.”
Pakistani Man Indicted for Selling ‘StealthGenie’ Spyware App
“A Pakistani man has been indicted in the Eastern District of Virginia for allegedly conspiring to advertise and sell StealthGenie, a spyware application (app) that could monitor calls, texts, videos and other communications on mobile phones without detection. This marks the first-ever criminal case concerning the advertisement and sale of a mobile device spyware app…
“‘This application allegedly equips potential stalkers and criminals with a means to invade an individual’s confidential communications,’ said FBI Assistant Director in Charge McCabe. ‘They do this not by breaking into their homes or offices, but by physically installing spyware on unwitting victim’s phones and illegally tracking an individual’s every move. As technology continues to evolve, the FBI will investigate and bring to justice those who use illegal means to monitor and track individuals without their knowledge’.”
Department of Justice:
Peter Sims slams Uber over privacy
Claiming that he was originally a fan and user of Uber, Peter Sims explains why he lost faith and trust in the organization.
“One night, a couple of years ago, I was in an Uber SUV in NYC, headed to Penn Station to catch the train to Washington DC when I got a text message from a tech socialite of sorts (I’ll spare her name because Gawker has already parodied her enough), but she’s someone I hardly know, asking me if I was in an Uber car at 33th and 5th (or, something like that). I replied that I was indeed, thinking that she must be in an adjacent car. Looking around, she continued to text with updates of my car’s whereabouts, so much so that I asked the driver if others could see my Uber location profile? ‘No,’ he replied, ‘that’s not possible.’
“At that point, it all just started to feel weird, until finally she revealed that she was in Chicago at the launch of Uber Chicago, and that the party featured a screen that showed where in NYC certain ‘known people’ (whatever that means) were currently riding in Uber cabs…”
Four Members of International Computer Hacking Ring Indicted for Stealing Gaming Technology, Apache Helicopter Training Software
“Four members of an international computer hacking ring have been charged with breaking into computer networks of prominent technology companies and the U.S. Army and stealing more than $100 million in intellectual property and other proprietary data. Two of the charged members have already pleaded guilty. The alleged cyber theft included software and data related to the Xbox One gaming console and Xbox Live online gaming system; popular games such as ‘Call of Duty: Modern Warfare 3’ and ‘Gears of War 3’; and proprietary software used to train military helicopter pilots…
“‘Electronic breaking and entering of computer networks and the digital looting of identities and intellectual property have become much too common,’ said U.S. Attorney Oberly. ‘These are not harmless crimes, and those who commit them should not believe they are safely beyond our reach’.”
Holder also (obliquely) criticizes Apple and Android encryption
This was in a speech at the Biannual Global Alliance Conference Against Child Sexual Abuse Online, linking, as government often does, its need and right to access with the fight against paedophilia.
“We are also stepping up our efforts to build strong partnerships with technology companies, which can be important allies in this fight… And going forward, I am confident that these relationships will only become more critical to making the Internet a safer space for children around the world. Moreover, we would hope that technology companies would be willing to work with us to ensure that law enforcement retains the ability, with court-authorization, to lawfully obtain information in the course of an investigation, such as catching kidnappers and sexual predators. It is fully possible to permit law enforcement to do its job while still adequately protecting personal privacy. When a child is in danger, law enforcement needs to be able to take every legally available step to quickly find and protect the child and to stop those that abuse children. It is worrisome to see companies thwarting our ability to do so.”
That first sentence could be a bit worrying.
Department of Justice:
Political TV Ads Will Soon Reach Facebook-Level Creepiness
A concern for the future, and the not-very-distant future, will be the heavily targeted delivery of adverts via TV. The National Journal explains:
“It’s a technology that’s been around for years, but is only now starting to gain a foothold in the TV ad market. And it could change the way political candidates enter your living room.
“Addressable advertising allows campaigns to reach viewers not by district or neighborhood, but by individual household. Ad-makers can select individuals, based on what they know about them, then pipe ads through their DVR or cable box—and only when they know the TV is on.”
Of course, once this gets into full swing, it won’t just be limited to political advertising…
Google increases its Chrome bug bounties
“First, we’re increasing our usual reward pricing range to $500-$15,000 per bug, up from a previous published maximum of $5,000. This is accompanied with a clear breakdown of likely reward amounts by bug type. As always, we reserve the right to reward above these levels for particularly great reports. (For example, last month we awarded $30,000 for a very impressive report.)
“Second, we’ll pay at the higher end of the range when researchers can provide an exploit to demonstrate a specific attack path against our users. Researchers now have an option to submit the vulnerability first and follow up with an exploit later. We believe that this is a win-win situation for security and researchers: we get to patch bugs earlier and our contributors get to lay claim to the bugs sooner, lowering the chances of submitting a duplicate report.
“Third, Chrome reward recipients will be listed in the Google Hall of Fame, so you’ve got something to print out and hang on the fridge.”
Google Online Security Blog:
Sonaecom acquires 60% of Spanish cybersecurity multinational S21sec
“Sonaecom’s Software and Information Systems’ business division (SSI Software and Technology), has acquired a 60% stake in S21sec, a Spanish multinational specializing in the cybersecurity sector. S21sec, which has a team of over 200 cybersecurity experts, also counts Schneider Electric and a group of founders as minority shareholders.
“S21sec works with large organizations in the financial sector, energy, telecommunications and public administration (including defense and law enforcement agencies), mainly based in Spain.”
Missed Viber call leads to Asprox malware
A fake Viber voice message notification leads you to the Asprox botnet.
“The link will point to a URL on a compromised web server. The download PHP file will check your user agent (to make sure you are using Windows + IE) and your IP address (to make sure you didn’t try too many times like a malware researcher). If the conditions are right, you will be handed back a zip file (which actually is only proxied by the compromised server). The zip will contain an exe trojan which joins your computer to the Asprox botnet.”
Tech Help List: