2014/05/20

05.20.14 | US indicts 5 Chinese military hackers; Carder gets 20-year prison term

Editor's Corner:
Security risk management: I have seen the future and the quants win

What's New:
1. 5 Chinese military hackers indicted for spying on US companies (UPDATED)
2. Carder forum participant gets 20-year sentence under RICO act
3. Knock knock! Law enforcement agencies coordinate global raids on Blackshades users (UPDATED)
4. States join to discuss best regulation precedents for bitcoin, emerging payments

Spotlight:
Experian breach tied to NY, NJ identity theft ring

Also Noted:
LifeLock yanks app over security concerns; Free tools for offensive security; and much more...

News From The Fierce Network:
1. IT's Hottest Jobs: Information Security Architect
2. Why you are not spending enough on security
3. Big data in absence of sound governance 'does not a free society make'

FierceITSecurity

May 20, 2014


Editor's Corner

Security risk management: I have seen the future and the quants win

By Derek C. Slater

There are two camps in the IT security world. 

Camp One says security is a risk management function, and risk management requires measurement.

Camp Two says risk measurement is a red herring. It can't be done correctly, and therefore can't be done at all, so we should stop pretending and rely on simpler lines of reasoning to justify the practice of security.

I've been in the former camp for a number of years. My first exposure to some of the rudimentary concepts was probably Scott Berinato's in-depth look at the nascent study of ROSI (return on security investment), written for CSO Magazine in 2002.

Shortly after that article appeared, I also had my first interaction with a leading light in the latter camp--Donn Parker of SRI. Parker wrote to us (as he had and has written elsewhere) that the winning arguments for security investment are simple: due diligence and regulatory compliance. The Board and executives are required to take reasonable fiduciary care of the organization's assets. Just that, and nothing more. 

No fake math required. 

Here's a good summary of Parker's position with supportive comments from Richard Bejtlich's blog back in 2006.

And other smart people have helped carry the banner for that camp--for example, here's Rich Stiennon's 2012 Network World article Why risk management fails in IT.

I actually have some sympathy for this point of view. We still don't have a solid statistical basis to create that fabled unicorn, the IT Security Actuarial Table. And the ever-shifting nature of technical attacks means the numbers generated to address last year's threats and risks might not apply to this year's.

So yes, there are huge, major, vast, enormous challenges to applying real risk management to IT security. And even for myself, it's tempting to think--yeah, why burn all these mental calories in an effort to create an unreliable model? Let's appeal to the CEO's fiduciary responsibility, execute informed common-sense security and be done with it.

Here's the problem:

Quants want numbers.

And your business is run by quants. 

Hell, everything is run by quants. You've noticed? Moneyball. Nate Silver. Big data. Marketing analytics. Quantified self.

SPOILER: THE QUANTS WIN.

Those who throw up their hands and say "I don't have numbers" will be even more marginalized than security is already. That's the way history is flowing.

So if you want to stay relevant, you have to keep working on your numbers.

Happily you'll have help from the others in Camp One. I recommend the work of (in no particular order, and probably forgetting lots of others) Adam Shostack, Bob Rudis, Pete Lindstrom, Alex Hutton, Wade Baker, Dave Mortman, Andrew Jaquith, Josh Corman and Ben Tomhave.

Look up SIRA, the Society of Information Risk Analysts. Attend Metricon. Join the Security Metrics mailing list. Find out what ISACA has been doing for a long time in the Enterprise Risk Management arena.

Read this discussion between Alex Hutton and author Douglas Hubbard. (Hubbard makes the salient point that you just need numbers good enough to improve on intuition, which isn't that hard, because intuition is riddled with weird but predictable cognitive biases.)

Neither the data nor the models are perfect. But they've come a long way and you've got resources now that are a heck of a lot better than what you could access in 2002, or 2006.

Mostly because of all these people who refuse to throw their hands up. - Derek (@derekcslater)

More reading on security risk management and ERM:
More on getting risk management right
How a decent risk assessment could save you a lot of money (FierceCIO)

What's New

1. 5 Chinese military hackers indicted for spying on US companies (UPDATED)

By Derek C. Slater

A U.S. grand jury has issued indictments against members of the Chinese military on charges of spying on U.S. companies.

The charges allege industrial espionage conducted against companies in several industries including nuclear power, metals and solar products. The targeted U.S. companies include Alcoa, US Steel, Westinghouse Electric and Allegheny Technologies, according to reports from Reuters and NBC News.

"This is a case alleging economic espionage by members of the Chinese military and represents the first-ever charges against a state actor for this type of hacking," said U.S. Attorney General Eric Holder.

More details are being released this morning.

UPDATE: The Wall Street Journal reports that the indicted hackers allegedly work for Unit 61398 of the People's Liberation Army, based in Shanghai. The hacks date back at least to 2010 and work on the indictments has covered the past year or more, according to Holder.

The individuals named in the indictment are Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui; the charge is 'conspiracy to commit computer fraud and abuse'.

For more:
- Read Reuters' account
- and NBC News' story
- See more details from the WSJ (subscription required)

More on espionage:
FireEye's Operation Saffron Rose report details new Iranian digital offensive capabilities
Spotlight: US panel calls for action against China for industrial cyberespionage
France, Germany in talks to set up NSA-free European Internet


2. Carder forum participant gets 20-year sentence under RICO act

By Derek C. Slater

David Ray Camez, a member of the carder.su website trafficking in stolen credit card numbers and identities, was sentenced to 20 years in prison last Thursday.

He has also been ordered to pay $20 million in restitution.

Originally, Camez received a seven-year sentence for his participation. (The site was shut down; accounts vary as to whether it was in 2010 or 2012.) However, the sentence was lengthened last week by a Nevada federal court to 20 years after Camez received an additional conviction of racketeering, under the RICO act. 

Another carder.su participant, Cameron Harrison, has pleaded guilty to the same federal charge and will be sentenced by the same court. Ars Technica's Dan Goodin reports that of 55 defendants under four separate indictments, 14 have already agreed with prosecutors to enter a guilty plea.

For more:
- read Ars Technica's coverage
- and the BBC article
- also, see Wired's 2013 in-depth look at the carder.su takedown

More on cybercrime:
5 Chinese military hackers indicted for spying against US industry
Identity theft ring steals $10M in federal tax returns
Suspected cybercriminals broadcast location to law enforcement


3. Knock knock! Law enforcement agencies coordinate global raids on Blackshades users (UPDATED)

By Derek C. Slater

Some hackers who bought the remote access tool (RAT) known as Blackshades got something extra over the weekend with their purchase: a visit from the police.

Blackshades has legitimate uses, such as remote computer servicing or retrieving files accidentally left behind. However, it can also be used by hackers to control, or gather data from, an unwitting victim's system.

bshades.eu, a website selling the software, was taken offline mid-week. Law enforcement officials in multiple countries then carried out coordinated raids on the homes of Blackshades users. Media reports (including the Wall Street Journal's, which broke the news) indicated that police actions took place in the U.S., Germany, Netherlands and Australia.

UPDATE: European agencies Interpol and Interjust claimed credit for coordinating the raids, which they report comprised 16 countries, 97 arrests and seizure of more than 1,000 computing devices in addition to cash, drugs and firearms.

For more:
- Read the WSJ coverage
- See an update from the AP

More on hacking and law enforcement:
Former Subway franchisee sells, exploits infected POS systems to other stores
Hackers scour Windows 7 patches for clues to XP flaws
"Swatting" reporter Brian Krebs earns Canadian teen arrest
Call center employee, others indicted for stealing AT&T customer data, money


4. States join to discuss best regulation precedents for bitcoin, emerging payments

By Robert Bartley

Representatives from several U.S. state governments have created a coalition to create the first bitcoin rulebook, according to a Reuters report. The group says it will work to create precedents that will help prevent fraud and other crime, while also trying not to silence creative outflows from the active user base.

While the IRS has handed down instructions for federal tax purposes, those rulings give both consumers and businesses little direction when it comes to day-to-day transactions. The group of state regulators, a subgroup of the Conference of State Bank Supervisors called the Emerging Payments Task Force, will convene to discuss the role cryptocurrency could play at a practical, legal level.

"We may be looking at some type of model definitions, or model laws or regulations, and very likely recommendations to either our federal colleagues or to Congress," David Cotney, Massachusetts commissioner of banks, said to Reuters.

Cotney will serve as the head of the nine-person task force charged with looking at all emerging payment platforms, including mobile payments, PayPal and virtual currencies. Among the reasons for the group's establishment are the numerous cases of fraud and cyberattacks involving cryptocurrencies, and the high-profile case involving the Japan-based Mt. Gox, which led to $650 million in lost bitcoins.

However, little regulation has moved past the discussion phase. According to the Reuters report, New York and California may require businesses operating in their states to register for "BitLicenses" in order to accept bitcoins as payment, but no immediate plans are ready to go into effect.

For more:
- read this Reuters report
- read the IRS decision on taxing virtual currency

Related Articles:
Newly rich Bitcoin users likely target for fraudsters, SEC warns
Bitcoin mining malware hidden in Google play apps
Heartbleed undermines bitcoin client, developers advise update


Also Noted


TODAY'S SPOTLIGHT... Experian breach tied to NY, NJ identity theft ring

"Last year, a top official from big-three credit bureau Experian told Congress that the firm was not aware of any consumers that had been harmed by an incident in which a business unit of Experian sold consumer records directly to an online identity theft service for nearly 10 months." What Experian couldn't determine, Brian Krebs sure could find out … Read more.

> LifeLock yanks mobile app over security concerns (The Register)
> Free tools for offensive security (Dark Reading)
> Building an information security policy, part 5: Managing identities (Network Computing)
> Is infosec getting more stressful? (eSecurityPlanet)

And Finally... You have the right to remain moronic (Infoworld)

Webinars

> Rethinking Enterprise Mobility Management - Beyond BYOD - SPONSORED BY: CA Technologies

Enterprise mobility management is about more than just getting a handle on the flood of BYOD devices coming into the organization. It is about managing the explosion of new devices, applications, content and transactions, which threatens to overwhelm IT managers. Our panel of experts will help you understand how to develop effective strategies that accelerate mobility transformation and prepare your organization for the mobile future. Register Today!

Events

> Gartner Security & Risk Management Summit 2014 - June 23-26, 2014 - National Harbor, MD

Discover five programs covering IT security, risk and compliance, BCM, the CISO and the marketplace for security, so you can validate your strategy against the full spectrum of security and risk initiatives. Save $300 with code GARTFSI. To register, visit gartner.com/us/securityrisk.

Marketplace

> Whitepaper: Finding ROI in Document Collaboration

Read this Accusoft whitepaper to learn about the factors that make document collaboration more difficult than it should be, and about how to create a collaboration strategy that makes sense for your organization. Download Now!

> Whitepaper: Delight & Engage Customers with Mobile APIs

Read this success story and learn how a robust API and secure API Management powered Keep’s iOS app to become one of the most popular apps in the Lifestyle category in the iTunes App Store.

> Whitepaper: 5 Unsung Tools of Dev Ops

Jonathon Thurman shares his five favorite DevOps tools which have been around a long time. They may not be flashy but they're time tested and just work. He also tells you how to use them and how to configure them for maximum value. Download 5 Unsung Tools of DevOps to see which tools make the cut and why.

> eBook: Critical Infrastructure and Cybersecurity

This FierceITSecurity eBook looks at key dependencies among critical infrastructure sectors and how companies in these areas can stay ahead of threats and maximize their defensive efforts. Download this eBook today!

> eBook: Getting to DevOps (And Getting the Payoff)

DevOps is a more holistic approach to application development, more fully taking into account deployment and ongoing operational needs – and tossing a lot of automation into the mix. This FierceEnterpriseCommunications eBook provides step-by-step guidance on implementing DevOps for CIOs and IT and application development managers. Download this eBook today!

> Whitepaper: 802.11ac in the Enterprise: Technologies and Strategies

Download the White Paper "802.11ac in the Enterprise: Technologies and Strategies" to learn from industry expert Craig Mathias about the technologies behind 802.11ac, deployment misconceptions and review steps that every organization should take in getting ready for 802.11ac.
Download today!

> Whitepaper: Defense Against the Dark Arts: Finding and Stopping Advanced Threats

Today's most-damaging targeted attacks don't occur by happenstance. They are carefully planned and executed by a new breed of professional adversaries. Read this white paper, Defense Against the Dark Arts: Finding and Stopping Advanced Threats to gain a practical understanding of today's Advanced Threat Landscape and strategies for detecting and stopping Advanced Threats. Download today!

> Whitepaper: Longline Phishing: A new Class of Advanced Phishing Attacks

The last few years have seen a dramatic increase in the use of email as a vehicle for cyberattacks on organizations and large corporations. Recently, Proofpoint researchers identified a new class of sophisticated and effective, large-scale phishing attack dubbed "longline" phishing attacks. Download this whitepaper to learn about the unique characteristics of these attacks, how they are carried out, and the alarming effectiveness they have. Download today!

> eBook: eBrief | Best Practices in Mobile Application and Management Delivery

Your organization knows that mobile productivity is important, and it may have already started down the road toward Mobile Device Management (MDM) and Mobile Application Management (MAM). But have you developed a holistic view of application management and delivery -- and its impact on the business? Download this free eBrief to learn about best practices for your mobile deployment.

> Whitepaper: APIs Drive Opportunity Explosion

Argos took bold, transformative measures to respond to market disruption from competitors selling online, in addition to the move by grocers into non-food product ranges. Learn how APIs paired with a secure API Management solution can enable a digital transformation by delivering content and purchasing capabilities to customers anywhere at any time. Download Today!

> Whitepaper: Supporting VDIs and Thin Clients

Companies have already begun deploying VDIs and thin clients (like Google's Chromebook) on a massive scale. The low-cost, easily deployed workstations present a significant cost savings for companies, but require unique tools to support them. This whitepaper, written by Proxy Networks, outlines the best way to do that. Download now.

> Whitepaper: Four Ways to Improve IT Efficiency

The role of the help desk within businesses has expanded considerably over the last decade, becoming an integral piece of the overall corporate strategy. In this whitepaper, Proxy Networks outlines the best way to align your IT department with that strategy in order to improve overall departmental efficiency. Download now.


©2014 FierceMarkets, a division of Questex Media Group LLC. Editor: Fred Donovan.