Macs again prove vulnerable to malware as a new variant of the OSX/Imuler Trojan targets supporters of the Dalai Lama. PDFs were among the attack vectors. An Egyptian hacker releases personal information apparently from stolen Adobe files; Adobe is investigating. Skype warns that hackers can hijack accounts knowing just a user's email address. Cloudflare and Facebook users are currently being phished.
Anonymous attacked the Organization for Security and Co-operation in Europe (OSCE) last week in retaliation for allegedly slack OSCE monitoring of Ukrainian elections. No attribution yet in the cyber espionage campaign being waged against Israel and the Palestinian Authority. Attribution continues to be one of the thornier problems surrounding cyber war. US Defense Secretary Panetta claims the US has solid attribution capabilities, but Russian cyber expert Kaspersky thinks not.
Microsoft issued its November patches yesterday: four remote code execution vulnerabilities are rated "critical."
Researchers say bring-your-own-device (BYOD) practices and unstructured data constitute major enterprise vulnerabilities. Other research indicates that DDoS attacks are as poorly mitigated as they are common.
The cyber labor market in the US's Washington-Baltimore corridor becomes "fratricide on the Parkway" as government and industry compete hard for the same scarce talent. Lockheed Martin wins an $800M Defense cyber range contract.
Lockheed continues to warn of supply chain vulnerability, and NIST releases an IT supply chain risk assessment guide.
China pressures foreign companies to assist with Internet surveillance and censorship. The major lesson of the Petraeus imbroglio seems to involve privacy: email accounts people thought were anonymous...aren't.
Today's issue includes events affecting Australia, Brazil, Canada, China, Egypt, European Union, France, Germany, Italy, India, Republic of Korea, Russia, Spain, Turkey, Ukraine, United Arab Emirates, United Kingdom, United States.
Skype users warned of serious security problem - accounts can be hijacked with ease(Naked Security) A serious security problem has been uncovered in Skype, which allows hackers to hijack accounts just by knowing users' email addresses. The Next Web describes how it managed to reproduce the attack, accessing the Skype accounts of staff by just knowing their email address, and then changing the passwords of their "victims" to lock them out. According to The Next Web: "The reason this works is simple, but it's still worrying
CloudFlare users targeted by phishers(Help Net Security) Popular content delivery network and distributed domain name server service CloudFlare has issued a warning to its users about an ongoing phishing scam
Anonymous Raids European Organization Over Ukrainian Elections(Security Week) Supporters of Anonymous have raided the Organization for Security and Co-operation in Europe (OSCE), accusing them of failing to hold up their end of a promise to keep an eye on the Ukrainian elections. The raid resulted in several hundred documents being leaked, most marked as classified or confidential, and covering everything from political memos and internal communications to phone records
Cyberespionage campaign hits Israeli, Palestinian targets(CSO) While the software tools were not sophisticated, the techniques used to trick email recipients were. A single attacker using advanced social engineering techniques waged a yearlong cyberespionage campaign against Israeli and Palestinian targets, a Norwegian security firm said on Monday. The attacker used the same infrastructure and malicious code in trying to penetrate computer systems, apparently to steal information, Norman ASA said. The identity and motivation of the attacker was not known
Security Patches, Mitigations, and Software Updates
Eugene Kaspersky: Clear Need to Define Cyberweapons and Cyberwar(Threatpost) The term cyberwar has become a catch-all used by politicians, talking heads and others to encompass just about any online threat, regardless of the attacker or the target. Among security professionals, however, the word has a specific connotation--an attack by one nation against another nation's infrastructure. Aside from the semantic issues, one of the major challenges for government agencies and security teams dealing with this problem is attribution and recognizing what constitutes an actual act of cyberwar. Stuxnet, Flame and their cousins may qualify, but more discussion is needed to help define the terms of these new conflicts, experts say
Gary McGraw on Cyberwar and the Folly of Hoarding Cyber-Rocks(Threatpost) Dennis Fisher talks with Gary McGraw of Cigital about some of the holes in the current thinking about cyberwar, why traditional military analogies don't hold up in cyberwar discussions and how better defense can make a difference. McGraw will be discussing his thoughts on cyberwar at King's College London this week
Russia Software Tycoon: US Cyber Tracing May Not Work(Wall Street Journal) "I'm afraid it's possible to design [a cyber attack] in such a way that" its source could remain hidden, Mr. Kaspersky told a small group of reporters over dinner at a steakhouse in Chicago, when asked about Mr. Panetta's remarks. Cyber attackers often
Cyber-attack: An act of war?(ITWorld Canada) Based on what we've seen, an attack by an enemy country on a government or military network isn't viewed as gravely as an enemy launching mortar shells at a command post. The latter would almost certainly lead to a shooting war, whereas the former
Zero-Day Exploits Provide an Inside Look at the Cybercriminal Black Market(McAfee) The Cyber Black Market: While it sounds like something out of a cheesy Hollywood movie, it is a real and thriving commercial hub built on the trade of hacking tools. Almost daily, reports surface that new zero-day exploits are being bought and sold in the underground marketplace, with price tags that typically range from $50,000 to $200,000. Our team at McAfee Labs pays close attention to these reports, because zero-day exploits are, by nature and by name, brand new never before seen in the wild
Social Media Q&A With Eugene Kaspersky(Threatpost) The security of social networks and the people who use them every day has become a serious concern for enterprises and consumers alike. Millions of people rely on networks such as Facebook and Twitter to communicate and connect with friends and colleagues and attacks against the networks themselves and the users on them undermines some of the trust people place in them. Eugene Kaspersky, CEO of Kaspersky Lab, recently answered questions on the security concerns surrounding social media and what people can do to protect themselves on these networks
Big Data will be Big Business in India(Quartz) Just over a decade ago, as the world panicked over what would happen when 1999 turned into the year 2000, India threw down the gauntlet, proving it could write software and manage big tech projects with the best of them. Now India is ready to prove that it's got the chops to tackle "big data"
New Report Reveals 65 percent of Organizations Experience Three DDoS Attacks a Year, but Majority are Unprepared to Mitigate Attacks(Equities.com) Despite the increasing sophistication and severity of cyber attacks, a survey of more than 700 senior IT professionals reveals that organizations are surprisingly unarmed to deal with today's threat landscape. In a new report titled "Cyber Security on the Offense: A Study of IT Security Experts," the Ponemon Institute and Radware (NASDAQ: RDWR), a leading provider of application delivery and application security solutions for virtual and cloud data centers, found that while 65 percent of organizations experienced an average of three distributed denial-of-service (DDoS) attacks in the past 12 months, less than half reported being vigilant in monitoring for attacks - much less putting into practice proactive and preventative measures to protect their organizations
The Future Of Hacktivism(newmatilda) After some high-profile arrests, hacker groups like Anonymous are changing the way they work. Asher Wolf interviews a former member of LulzSec about the future of hacktivism. On 5 November 2012, hackers under the banner of Anonymous led a hacking operation to mark Guy Fawkes Day
Forrester: Big data deniers must separate hype from reality(Fierce Big Data) Any technology trend that catches on too quickly will attract deniers who call it a fad or just the same old technology under a new name. Big data certainly has its detractors and deniers, with some criticizing the terminology itself and others disparaging the promises of great insights as either a pipe dream or a privacy nightmare. Forrester research says they should get over it: big data is the future
Federal agencies, private firms fiercely compete in hiring cyber experts(Washington Post) Along the Baltimore-Washington Parkway, the concentration of government agencies and contractors brimming with computer geeks rivals any cyber defense area on the planet. And in this age of growing cyber threats, those firms are engaged in a cyber-hiring competition so fierce that one expert called it "fratricide on the parkway"
DHS aims to hire 600 cybersecurity pros -- if it can find them(CSO) Experts say Department of Homeland Security recruitment suffers from lack of understanding of talent pool. The Obama administration is hoping to make good on its promise to create new jobs -- in this case, 600 of them in cybersecurity. Department of Homeland Security (DHS) Secretary Janet Napolitano, acting on the recommendation of the Homeland Security Advisory Council's Task Force on Cyberskills, said at a Washington Post cybersecurity forum that DHS wants to hire at least 600 cyber experts, analysts, IT specialists and people who are familiar with coding
Accenture helps DHS scour social media for bio risks(Fierce Big Data) The U.S. Department of Homeland Security said late last week it will spend $3 million over the next year with Accenture on a pilot program for social media analytics to identify, predict and respond to national health emergencies such as an infectious disease outbreak or a biological attack
Lockheed Wins $80M Contract to Support DoD Cyber Range Operations(Govconwire) Lockheed Martin Corp. (NYSE: LMT) has won an $80 million contract under the national cyber range program to support operations at a military test range that is about to become operational, according to NextGov. Dawn Lim writes that the five-year contract supports the cyber range housed in a "specially architected sensitive compartmented information facility with appropriate
Lockheed to cyber-armour its supply chain against 'the Adversary'(Register) Top Pentagon supplier Lockheed Martin says its computer networks are under increasing heavy fire from hackers, forcing it to beef up its supply chain's defences. Lockheed veep and chief information security officer Chandra McMahon said about a fifth of
After Trying To Make Bug Tracking Fun, PlayNicely To Enter The Deadpool(TechCrunch) PlayNice.ly, the UK startup that set out to make bug tracking fun, is to enter the deadpool. In an email sent out to users, the company has announced that it is shutting down the service in the New year, and in the meantime has released a data export tool so that users can begin migrating away from PlayNice.ly
Salient Fed Buys App Software Developer, Gains Contract Spots(Govconwire) Salient Federal Solutions has acquired application software developer LIST Innovative Solutions Inc. and now covers 90 percent of its contract base with prime federal software or application development contracts. The Fairfax, Va.-based federal information technology and engineering contractor said it also added positions on blanket purchase agreements with the U.S. Office of Personnel Management and the Patent and Trademark Office through
Ciber Appoints Michael Casullo SVP and CIO(Govconwire) Ciber has appointed Michael Casullo senior vice president and chief information officer, according to a company release. Casullo has a three-decade career in the information technology industry, with a background which includes disaster recovery strategies, cloud computing, major application implementations and data center operations
Post-defenestration Microsoft: It's the APIs, stupid. And Metro(The Register) Sinofsky, Microsoft's Caligula…The sudden departure of Steve Sinofsky from Microsoft leaves Redmond with its biggest crisis for years - and it needs to assure investors as a matter of urgency. He's achieved a huge amount of change, but he's also left a real mess, the full extent of which isn't appreciated by financial or technology sector analysts
F-Secure secures online banking transactions(Help Net Security) As cybercriminals continue to develop more and more sophisticated financial malware, F-Secure is using its security expertise to protect consumers' bank accounts. Banking Protection, a new feature of
GFI Software updates VIPRE Antivirus Business(Help Net Security) GFI Software launched the latest edition of VIPRE Business, which provides SMBs with access to a single solution for antivirus, patch management and Mobile Device Management (MDM)
SAP Takes Big Step Putting CRM On Hana(InformationWeek) Watch out Salesforce.com: SAP releases a Hana in-memory database upgrade capable of running core transactional applications, starting with a customer relationship package
Windows Defender helps Windows 8 stop common malware(Fierce CIO: TechWatch) Security vendor BitDefender ran 385 samples of malware most favored by cybercriminals on a Windows 8 system to test Microsoft's (NASDAQ: MSFT) latest operating system. The company found that the pre-installed Windows Defender successfully filtered out all but 15 percent of them. The outcome was significantly different when Windows Defender was disabled, however, resulting in 234 of the sample malware running without any problems
ONC releases draft Meaningful Use Stage 3 recommendations(Fierce Government IT) Eligible doctors, healthcare professionals and hospitals could receive financial incentives if they meaningfully use certified electronic health record technology in a more patient- and family-centered way, according to draft recommendations published by the Office of the National Coordinator for Health Information Technology
NIST issues IT supply chain risk management guide(Fierce Government IT) Historically, federal departments and agencies had no consistent or comprehensive methodology for recognizing supply chain compromises in their information technology products and services, says a recently published National Institute of Standards and Technology interagency report. The NIST document aims to remedy that by outlining repeatable and "commercially reasonable" supply chain assurance practices
Design and Innovation
The Patent Problem Shackles Business Innovation(Wired Business) Without those assurances, there would arguably be no incentive to innovate; why invest money and effort on a breakthrough that anyone could then take and sell? Patents created a business environment that led to such landmark technologies as the cotton
Games may help train analysts to overcome bias(Phys.Org) "Biases are often difficult to identify, but it's important to recognize bias in decision theory and analysis," said Graham, who worked with Donald Kretz and B. J. Simpson, both cognitive scientists at Raytheon Intelligence and Information Systems
CYBER-CHARTERS: How districts are luring cyber students back(Lancaster Newspapers) Then Jonathan and his family found what they believed was an even better option: Lancaster-Lebanon Virtual Solutions. The cyber program run by Intermediate Unit 13 allows students in a number of local districts to take classes online while also
US-Canada Integrated Cybersecurity Agenda(Bay Area Indymedia) Merging cyber threat strategies would force Canada to further bring its security practices in line with American ones and under the reach of the Department of Homeland Security (DHS). On October 26, Public Safety Canada and the DHS released
China orders foreign companies to help with internet surveillance(The Verge) Thomas Parenty, a security specialist formerly of the US National Security Agency, told the Times that such hardware could make it easier for the Chinese government to spy on international corporations, noting that the boxes "would be able to intercept
Senate readies for fight over cybersecurity surveillance(CNET) "There is established a National Cybersecurity Council…The Council shall establish procedures under which each owner of critical cyber infrastructure shall report significant cyber incidents affecting critical cyber infrastructure
Still at the starting line in the cyberdefense race(GCN.com) With the presidential election behind us and the political status quo confirmed in Washington, the dangers in cyberspace continue to grow, says NSA Director and U.S. Cyber Command commander Gen. Keith B. Alexander. The nation's dependence on a
Far-reaching cyber law a legal necessity(The National) Last year, legal experts in the UAE warned that cyber crimes in the Emirates were increasing at such a pace that new laws were needed to catch offenders. The worry, judges warned then, was that weak legal frameworks were so full of loopholes that criminals could easily exploit them
Cybersecurity Legislation in the Lame Duck Session(Chemical Facility Security News) Michelle Kincaid has an interesting outlook on cybersecurity legislation potential in the lame duck session in her cybersecurity blog post. While I don't see anything in particular to disagree with, it is important to remember that political calculations change significantly in a lame duck session, making it much more difficult to successfully predict political outcomes. While most people focus on legislators that are on their way out, who may (or may not) vote on principle instead of political motives now that they may never face the voters again, there is a new crop of Senators that are now starting into their two year election cycle; many of them will now begin paying more attention to political posturing than principle
Petraeus Case Raises Fears About Privacy in Digital Era(New York Times) The F.B.I. investigation that toppled the director of the C.I.A. and now threatens to tarnish the reputation of the top American commander in Afghanistan underscores a danger that civil libertarians have long warned about: that in policing the Web for crime
The Surveillance State Takes Friendly Fire(New Yorker) This struck me as funny, because several years earlier I had written a book about the National Security Agency during Hayden's tenure as its director, and his office had stonewalled my repeated requests for an interview. I clicked on his profile to see
Online Privacy Issue Is Also In Play In Petraeus Scandal(New York Times) The F.B.I. investigation that toppled the director of the C.I.A. and has now entangled the top American commander in Afghanistan underscores a danger that civil libertarians have long warned about: that in policing the Web for crime, espionage and sabotage, government investigators will unavoidably invade the private lives of Americans
Petraeus tripped up by trust in supposedly anonymous email account(Naked Security) The US's top spy guy, who resigned abruptly on Friday, conducted a romantic affair behind the thin sheet of a pseudonymous email account. It's a good reminder to us all that email headers often spill the beans, revealing IP addresses that lead to our webmail hosts and geolocation. It's a short hop from there to our identities
Keeping hackers out of personal email(Winnipeg Free Press) In light of the Gmail-related scandal involving former CIA chief David Petraeus, one has to wonder if, given the relative ease by which an intelligence agency — or just about anybody — can break into a private email account, government
It's not that hard for authorities to get to your email(NBC News) Paula Broadwell is a trained intelligence officer who'd spent years working with some of the most secretive agencies in the world, according to her biography from her book publisher, Penguin. How were FBI agents able to hunt her
IBM sued over botched SAP project implementation(Fierce CIO: TechWatch) A chemical products manufacturer has taken the unusual step of suing IBM for a botched ERP--Enterprise Resource Planning--implementation, and publicizing the details via press release. In it, Avantor Performance Materials alleged that it suffered losses amounting to tens of millions of dollars after forking over $13 million in fees for a system built using the SAP platform that was "unable to perform properly." The failure was attributed to project mismanagement on the part of IBM
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
E2 Innovate Conference & Expo(Santa Clara, California, November 14 - 15, 2012) E2 Innovate, formerly Enterprise 2.0, brings strategic business professionals together with industry influencers and next-gen enterprise technologies.
Anatomy of an Attack(New York, New York, November 15, 2012) Join Sophos security experts in exploring how threats like malware, Trojans, worms and spyware actually work and what you can do to protect your company, even if you're on a tight budget.
ZeroNights(Moscow, Russia, November 19 - 20, 2012) ZeroNights is an international conference dedicated to the technical side of information security. The mission of the conference is to disseminate information about new attack methods, threats and defense...
IRISSCERT Cyber Crime Conference(Dublin, Ireland, November 22, 2012) The IRISSCERT Cyber Crime Conference will be held this year on Thursday the 22nd of November 2012 in the D4Berkley Court Hotel, in Ballsbridge Dublin. This is an all day conference which focuses on providing...
Digital Security Summit(Riyadh, Saudi Arabia, December 1 - 2, 2012) A major conference to discuss the growing threat to digital security in the Middle East, especially in Saudi Arabia.
tmforum Management World Americas(Orlando, Florida, USA, December 3 - 6, 2012) Management World Americas is the only conference covering end-to-end management of digital services and the challenges of running any service provider business. In addition to a full Cable Summit and Executive...
BayThreat(Sunnyvale, California, December 7 - 8, 2012) The theme for BayThreat is a new spin on the dichotomy of attacking and defending in information security. We're calling out all of the attackers and defenders that are on the front lines of the battle.
SANS Cyber Defense Initiative(Washington, DC, December 7 - 16, 2012) Specialized courses covering the latest in cyber attacks, including how they work and how to stop them. The event will also feature the Netwars Tournament of Champions.
2012 European Community SCADA and Process Control Summit(Barcelona, Spain, December 10 - 11, 2012) The European SCADA Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations...