
Daily briefing.

Adobe confirms it suffered a password disclosure breach via SQL injection attack. Skype disables password reset to fix account hijacking vulnerabilities. Symantec warns that Instagram exposes users to phishing. Symantec also checks Windows 8 and finds it vulnerable to Trojan.Ransomlock.U, a piece of ransomware designed for older versions of Windows. The Home button on the iPhone and iPad can leak data.

Two US Government agencies have a rough week. NASA warns employees that it lost a laptop on Halloween. The space agency is now rushing to full-disk laptop encryption. Department of Energy unclassified networks are found vulnerable to exploitation. (One Energy unit, Iowa National Laboratory, positions itself as a national SCADA security leader.)

Identity fraud rings grow in profitability, and cyber organized crime generally continues to spread internationally. One piece of good news on cyber crime: the Russian vorVzakone mob has called off its announced campaign against US banks. Too risky, too much publicity.

US power utility analysts warn that a successful attack on the power grid could cause "thousands of deaths," and other policy mavens continue to warn darkly of the dangers of cyber war. (For a contrary view, see Bruce Schneier's continuing efforts to convince people that cyber fears are mostly hype.) In any case, US state regulators take an increasingly activist role in utility cyber security.

South Carolina's Governor Haley orders sharply increased information security measures following that state's major data breach. US President Obama signed, last month, a secret executive order authorizing retaliation against cyber attacks.

Today's issue includes events affecting Egypt, European Union, Germany, Russia, South Africa, Spain, Taiwan, United Kingdom, United States.

Cyber Attacks, Threats, and Vulnerabilities

Another month another password disclosure breach (Internet Storm Center) Adobe has revealed that apparently a password database from was compromised via a SQL injection attack.[1] Ars Technica reports that the passwords were hashed using MD5 (not clear whether they were salted or not).[2] Do we really need to remind you what constitutes a strong password and not to reuse them? Some previous password diaries that might be of interest

Hacker claims to have breached Adobe, releases customer data (Help Net Security) An Egyptian hacker claims to have breached one of Adobe's servers and gotten his hands on a database containing over 150,000 records belonging to Adobe's customers. For the time being, he leaked only a text document containing 202 complete records of Adobe employees and 230 of users employed by the US military, government, NASA and a number of educational institutions

Skype blocks password resets after trivial account hijacking flaw made public (IT World) Skype has disabled the account password reset option on its website following reports that the feature can be abused to hijack Skype accounts if the attackers know the email addresses associated with them

Skype fixes account hijacking vulnerability (Help Net Security) Skype has temporarily disabled its password reset function while it investigates reports about a vulnerability that has been misused to hijack users' accounts

Symantec: Be Careful When Using Instagram (Sci-Tech Today) Symantec security analyst Ben Nahorney noted that the Instagram threat could lead to phishing scams, among other possible security issues. His advice to users is to set your account to Private, don't follow unknown Instagram followers, and don't click shortened URLs on Instagram unless you know where they lead

Should Windows 8 users be worried about ransomware? (Help Net Security) Does ransomware designed for Windows 7 and older versions of the OS work on the newly released Windows 8? Symantec researchers took it upon themselves to answer that question by testing a number of

Home button on iPhone, iPad poses data leakage risk (Fierce Mobile IT) When the Home button on the Apple (NASDAQ: AAPL) iPhone and iPad creates a screenshot of the current view and stores it as an image on the device, it can pose a risk that data in the screenshot could be leaked, according to a mobile app security assessment conducted by Mushegh Hakhinian

Malware spreads fake Twitter and Facebook messages (Help Net Security) PandaLabs detected a new Twitter spam campaign that may compromise user security. Users receive a direct message on Twitter, which contains the text "Check out Obama punch a guy in the face for calling

NASA scrambles to encrypt laptops after major breach (Computer World) NASA is scrambling to implement full disk encryption on agency laptops after one containing unencrypted personal information on a "large" number of people was recently stolen. Agency employees were told of the October 31 theft of the laptop and NASA documents from a locked car in an email message Tuesday from Richard Keegan Jr., associate deputy administrator at NASA. Keegan told employees that the stolen laptop contained sensitive "Personally Identifiable Information" (PII) about a large number of NASA employees, contractors and others. "Although the laptop was password protected, it did not have whole disk encryption software, which means the information on the laptop could be accessible to unauthorized individuals," Keegan warned

Cybersecurity weaknesses persist in Energy unclassified systems (Fierce Government IT) Cybersecurity weaknesses at the Energy Department's unclassified networks overall decreased in the last fiscal year compared to the previous, but the types and severity of known weaknesses "remained consistent with prior years," the departmental office of inspector general says

Planned Cyberattacks on US Banks on Hold (Threatpost) Upwards of 30 major U.S. banks and financial institutions have been given a reprieve. The hacker behind a coordinated attack against giants such as Bank of America, Chase, Citibank, PNC, Wells Fargo and nearly two dozen other banks has called off the operation after media reports surfaced a month ago exposing the planned attacks

Small-time ID fraud goes big time (CSO) Study finds more than 10,000 ID fraud rings, many among friends and family

The global expansion of cybercrime (Help Net Security) McAfee released a new report which explores techniques in cybercrime as well as the global evolution of cyber exploits. It uncovers new details of "Operation High Roller," tracks that mobile malware

United States on Brink of Major Cyber Attack, Industry Executive Predicts (National Defense) The United States could be on the cusp of a major cyber attack that would rival the destruction that was seen on 9/11, a retired lieutenant general and cybersecurity executive said. "The day of the cyber-9/11 is looming and gaining on us," said Ret. Air Force Lt. Gen. Harry D. Raduege Jr. who serves as the chairman of the Deloitte Center for Cyber Innovation in Arlington, Virginia

Thousands Seen Dying If Terrorists Attack US Power Grid (Businessweek) The study released today by the National Academy of Sciences was sponsored by the Department of Homeland Security and completed by the National Research Council, which is part of the National Academy of Sciences

Lockheed Martin: defence industry suppliers' security flaws exposed our systems to cyber attack (Out-Law) A major supplier of security systems and technology within the defence industry in the UK and US has said that it has been subjected to increasingly frequent and sophisticated cyber attacks in recent years

Cyber Trends

Cyber security will change ideas of the nation state, says Stonesoft (Computer Weekly) Lack of security in the cyber world is one of the most significant threats faced by the civilized world, according to Jarno Limnell, director of cyber security at security firm Stonesoft. But it seems that we have to experience a catastrophic incident before this threat is taken seriously enough, he said. Limnell, a former advisor to the military and government in Finland, said that it was time to take cyber security seriously because in the coming years it will most radically change the world's understanding of the security of nation states, society and individuals

IT professionals too trusting of Generation Y (Computer Weekly) More employees of the Generation Y age group are ducking IT policies to use their personal devices and applications at work than corporations realise. A study from Cisco, conducted by InsightExpress, showed 53% of IT professionals trusted employees to stick to the rules set for using tools on the corporate network. But 77% of the 18- to 30-year-olds surveyed admitted to ignoring IT policies for company-owned devices

One man's crusade to end the hysteria over cyberwar (Quartz) Bruce Schneier, a legend among hackers and security experts, is having trouble convincing the world that the threat of cyberwar is overstated. In 2010, the year after the US launched a Cyber Command division of its military, he lost a public debate on the subject. And in October, US Secretary of Defense Leon Panetta said that the US should gird itself for a cyber Pearl Harbor. Yet Schneier is undeterred. Through countless essays, speeches and debates, he has tirelessly argued that what we should really be paying attention to is how we establish trust online, and failing that, what are the basic security measures which will help us cope with both cyberwar and the countless acts of cybercrime, cyberhooliganism, cyberterrorism, and cyberespionage that happen every day

Information Security In A Post-Stuxnet World (CRN) The advent of Stuxnet and other weapons-grade malware has profoundly changed the IT security landscape. That common denominator summarizes the viewpoints of three security industry executives participating in a COMDEXvirtual panel discussion, Information Security in a Post-Stuxnet World. "[Stuxnet] demonstrates the ability of a dedicated team to develop extremely sophisticated and complex weapons by leveraging the resources of nation-states," said Patrick Bedwell, vice president of products at Sunnyvale, Calif.-based Fortinet. "These tools then trickle down into the hacker community and begin to be used against enterprises"

Gartner's state of cloud security: Outages are bigger risk than breaches (Computerworld New Zealand) The Cloud Security Alliance, for example, has undertaken broad measures to address a variety of topics, but he questions how in depth those efforts have been at drilling down into specific areas

Gartner: 'Scant Growth' In Global Enterprise IT Spending This Year, But 2.5 Percent Rise Projected For 2013: To Total of $2.679 Trillion (TechCrunch) A deterioration in the global economic outlook is leading to scant overall growth in 2012 enterprise IT spending, says Gartner. However the analyst says its third quarter outlook points to "more substantial growth" next year — assuming "significant fiscal crises" are avoided in the U.S. and Europe. Its view is enterprises have cut IT spending so much they have little room to reduce it further

Surveys show disconnect between IT, employees over BYOD security (Fierce Mobile IT) More than two-thirds of employees are accessing the corporate network with their personal smartphones, yet few employees want security controls placed on their devices, according to an IDG Research survey of 350 IT managers and employees at enterprises with more than 250 employees

How real is 'Skyfall's' portrayal of cyberterrorism? (CNN) CNN spoke to Morgan Wright, a decorated former law enforcement officer who has done work relating to cyberterrorism for the United States Department of Justice, the Department of Homeland Security, and the Department of Defense about what "Skyfall

Three Ways to Engage with the InfoSec Community (infosec island) Folks who are just coming into infosec often ask me for a few ways to engage with the infosec community and begin to build relationships. Here are a few quick words of advice that I give them for making that happen. 1) Join Twitter and engage with people who are also interested in infosec

SMB New Hires: Cybersecurity Skills Wanted (Midsize Insider) A new survey released by the National Cyber Security Alliance and Symantec shows that 53 percent of small businesses need these skills to keep their

New Cyber Group Aims To Spread Basic Security (Defense News) When cybersecurity legislation failed a key procedural hurdle in the U.S. Senate this fall, experts said immediate widespread improvement of networks was unlikely. But a new public-private partnership is attempting to step in, providing a framework based on 20 security concepts designed to eliminate the vast majority of vulnerabilities and increase the cost of attack

Top U.S. Cyber Defenders Work in Idaho Falls (Wall Street Journal) Noted cybersecurity expert Alan Paller believes there are only 18 to 20 people in the whole country qualified to protect the nation's infrastructure from a concerted cyber attack. That's an incredibly small number of people considering the hundreds of thousands of engineers working in the private, public and military sectors, but Paller isn't the only person who thinks that's the case

VA to migrate 600,000 employees to cloud email (Fierce Government IT) The Veterans Affairs Department will move all of its 600,000 employees to a cloud-based email, messaging and calendar system over the next five years, says Hewlett-Packard in a Nov. 13 press release

NGA focusing on 'service-enabled' data, says Long (Fierce Government IT) For the past year, the National Geospatial Agency's primary focus has been cleaning up and organizing data so it enables consumers to be producers, said National Geospatial-Intelligence Agency Director Letitia Long while speaking Oct. 9 at the GEOINT Symposium in Orlando

Work starts on FGDC shared geospatial platform (Fierce Government IT) The Federal Geographic Data Committee is creating a shared geospatial information technology infrastructure for civilian agencies that should reduce the number of single-agency portals

SRA to Help DOJ Run Biometric Data Exchange (Govconwire) SRA International has won a $21.4 million contract to continue helping the U.S. Justice Department run its system for exchanging biometric data, the company announced Tuesday. The company will manage, operate and maintain the infrastructure for DOJ's Joint Biometric Data Exchange Hosting Environment. SRA will also provide DOJ system operations, maintenance and help desk support

Lunarline Teams with EES for FCC Contract Win (The Herald) "We are proud to be part of the winning Alliant Small Business team," stated Lunarline CEO, Waylon Krush. "The growing sophistication of cyber threats requires that we use assertive and holistic measures to defend critical network and information assets

Nuspire Networks Aiding in Defense of Cyber Attacks (The Complete Managed Services Resource) Nuspire Networks stood out for its excellence in cyber defense that it provides to the National Cyber Security Alliance and was recently voted as a champion

Cyberattack Worry Spurs Check Point Security Services (Investor's Business Daily) Check Point, a network security software maker, says it's been working with…calling it "about advanced intelligence and augmenting capabilities

CACI International - CACI - Intent to Acquire Emergint Technologies (Stock Market News) CACI International Inc (NYSE: CACI) announced that it has signed a definitive agreement to acquire Emergint Technologies, Inc., a premier provider of emerging technology solutions focused on the data-driven needs of national health organizations. This acquisition builds on CACI's healthcare IT capability and expands its presence in the growing healthcare IT market. Closing is anticipated by December 1, 2012

SAIC completes sale of test and evaluation business (Washington Technology) American Systems picks up 300 employees and expands skills. Science Applications International Corp. and American Systems Corp. have completed the sale of SAIC's test and evaluation business. Terms of the deal were not disclosed by American Systems, who is picking up 300 SAIC employees with skills in areas such as testing, scientific, engineering, logistics, administrative and ancillary support. The deal was first announced in September

Texas Instruments Cuts 1,700 Jobs As It's Driven Away From Mobile Chip Market By The Rise Of Custom Chipmaking (TechCrunch) Chipmaker Texas Instruments has announced it's cutting 1,700 jobs as part of a business restructuring move. The company says it's shifting its historical focus away from mobile chips because it's become too resource and investment intensive to play in this space, blaming large customers "increasingly" developing their own custom chips

Sinofsky's Exit Points To Major Microsoft Shakeup (InformationWeek) Windows chief's sudden departure comes amid questions about Windows 8 sales and Microsoft's hardware plans

Products, Services, and Solutions

Sophos Intros New UTM Exclusively For SMBs (Dark Reading) Sophos UTM 100 with BasicGuard provides network, email, Web, and wireless protection

Internet Explorer 10 on Windows 7 now available (IT Proportal) Microsoft has launched a release preview version of Internet Explorer 10 for Windows 7. The updated browser is available for download now on Microsoft.com. "Consumers can now enjoy a fast and fluid web with the updated IE10 engine on their Windows 7 devices," Microsoft said in a blog post

So you broke our encrypted files? Ha! They were DOUBLY encrypted (Register) Developers have launched a sync-and-share service aimed at small businesses that adds an extra layer of encryption absent from popular services such as Dropbox and Box. InfraScale says its Filelocker software protects data by encrypting it locally, in-transit and again in the cloud. Files are encrypted with a user's personal passphrase before leaving a device, transferred over a standard 256-bit SSL connection, encrypted again for peace of mind server-side, and then stored in the FileLocker cloud

Xirrus First to Deliver Application Control at the Wireless Network Edge (Broadcast Newsroom) Xirrus Application Control builds on the power of next-generation Deep Packet Inspection (DPI) technology to provide rich information about applications accessing the network, allowing Xirrus Wireless Arrays to prioritize critical applications

Check Point Taps ThreatCloud to Revolutionize Attack Response (Check Point Software Technologies Ltd) …powered by Check Point's revolutionary ThreatCloud security intelligence

Blue Coat releases Mobile Device Security service (Help Net Security) Blue Coat Systems introduced the Blue Coat Mobile Device Security (MDS) service, enabling businesses to extend the boundaries of the security perimeter to iOS devices in any location, on any network

Live cyber risk intelligence for enterprise security (Help Net Security) NorseCorp launched the cloud security service IPViking, which harnesses Big Data analytics of live Internet traffic to deliver contextually-aware and actionable cyber risk intelligence

Palo Alto Networks adds virtual firewall, targeted malware protection (TechTarget) Local malware analysis and protection not only provides faster protection against zero-day attacks, Pescatore said. It also helps enterprises who have

Palo Alto Networks releases new products (Help Net Security) Palo Alto Networks announced several new products that extend its lead in next-generation network security by addressing today's mixed virtualized and physical enterprise networks

Oracle Stakes Claim In Engine Yard PaaS (InformationWeek) Engine Yard provides an online platform for application developers using different Web languages. Oracle's investment is a way to keep itself in front of those developers

RIM Promises BlackBerry 10 Handsets Shortly After Launch (InformationWeek) RIM insists that its BlackBerry 10 smartphones are nearly ready and will ship soon after the big January 30 launch event

Technologies, Techniques, and Standards

The Root Of All Database Security Evils = Input (Dark Reading) Some of the most embarrassing database breaches of the past few years boil down to one big root cause: poor input validation and sanitization imposed by developers that create Web applications that tap into these data stores. In the rush to get code compiled and out the door, developers create input fields that allow users to type in anything they want. That's fine for most users who just need to type in their username, a search term, or an address and phone number. But when the bad guys get their hooks into these unchecked input fields, they're one step closer to hacking the database

Testing proves advice on keeping computers safe is sound (Help Net Security) Amid the often repeated advice about how to keep your computer and yourself safe from malware and criminals spreading it there are some real gold nuggets, as the German Federal Office for Information

Petraeus Fallout: 5 Gmail Security Facts (InformationWeek) Where did the former CIA director and the woman with whom he was having an affair go wrong? Learn from his experience with Gmail

7 Dumb Cloud Computing Myths (InformationWeek) You've heard the arguments: The cloud is not secure, costs too much, and wrecks the environment. Let us set you straight

German scientist wins Taiwan's top academic prize (Taiwan Today) Johannes Buchmann, a German expert in cryptography and computer algebra research, was named winner of the 2012 Tsungming Tu Award, the highest academic honor bestowed on foreign scientists by the ROC government

In Search of Digital Tough Guys and Gals (Sacramento Bee) After months of preparation and days of intense competition, a handful of student hackers participating in the 9th annual Cyber Security Awareness Week games at the Polytechnic Institute of New York University

Legislation, Policy, and Regulation

The Evolving Role of State Regulation in Grid Cybersecurity (Smart Grid Security) Led by Elizaveta Malashenko, the grid cybersecurity team at California's Public Utility Commission makes a good case for increased PUC involvement in cybersecurity matters, particularly those affecting distribution elements: State regulators have not traditionally played a large role in cybersecurity. However, this is beginning to change with the recognition that Federal compliance-based models may not be sufficient to ensure grid resiliency, reliability and safety, as well as customer data privacy. With grid modernization on the way, there is an important role that State regulators need to step into, as much of this new infrastructure will be located on the distribution grid, which is currently outside of NERC authority

Act being amended to stop cyber attacks before they strike (Straits Times) The Government wants pre-emptive powers to thwart potentially crippling cyber attacks, according to proposed amendments to the Computer Misuse Act tabled in Parliament on Monday

Cybersecurity bill's death opens door for Obama executive order (Pittsburgh Post Gazette) "It to some degree hardens the lines of division, which makes it more likely we'll see an executive order, rather than an attempt to revive the legislation in the near term," Stewart Baker, a former Department of Homeland Security assistant secretary

Homeland Security office OKs efforts to monitor social media (California Watch) A little-known privacy office in the Department of Homeland Security has given its stamp of approval to an ongoing initiative aimed at monitoring social media sites for emerging threats. Congress created the department's privacy office in 2003 to

Haley orders extra cyber security (Carolina Live) South Carolina Governor Haley announced Wednesday she handed down an Executive Order requiring extra forms of cyber security be implemented in all of her cabinet agencies

Five reasons why Congress should pass Cybersecurity Act of 2012 (The Hill) Leading civil liberties groups have praised the protections in the bill, while the head of the National Security Agency has also strongly supported it. If the Intelligence Community and the civil liberties community can find common ground on a national

Obama Secret Order Authorizes Cybersecurity Strikebacks (InformationWeek) Last year, National Security Agency director and Cyber Command commander Gen. Keith Alexander said that for cybersecurity, "the advantage is on the offense," and argued that government agencies should -- at least in some cases -- be able to take down

Obama: Transparently Disappointing (Reason) The CIA and the National Security Agency were sued by the Electronic Freedom Foundation for refusing to release documents detailing internal lawbreaking. Agencies across the executive branch recorded 466,872 FOIA denials, an increase of 66 percent

Big Brother, Kill Lists, and Secrecy: What to Expect from Obama's Second Term (Business Insider) Clapper, evaluating a lawsuit filed by journalists, human rights workers, and lawyers, who claimed that their jobs are unnecessarily hampered by the specter of the National Security Agency eavesdropping on their communications with clients overseas

The Petraeus Affair: Surveillance State Stopper? (InformationWeek) Lawmakers, now reminded of their own vulnerability, need to strengthen email privacy protections. Companies need to do more to help customers protect content

FTC Commissioner Chats With Industry Leaders (Dark Reading) "Privacy is being incorporated at the most fundamental levels," said Julie Brill at Annual PMA Marketing Law Conference

Litigation, Investigation, and Law Enforcement

How one law student is making Facebook get serious about privacy (Ars Technica) Max Schrems requested his personal data from Facebook, got a 1,000-page PDF

Suing our way to Better Security…Redux (infosec island) One of the latest publicly known Government Data Breaches has incurred yet another lawsuit for the people by the people's lawyers. First, I want to mention the depth of the lawsuit and the misperception of the monetary and punitive damages that can be incurred through Personal Identifiable Information (PII) loss resulting in fraud or victimization. I really feel that this lack of proper security in a Government agency can't be confined to 600k limits when the quantity of victims is millions of people

South Africa to get cyber inspectors as cyber crime proliferates (Business Day Live) The Department of Communications is appointing cyber inspectors as mandated by the Electronic Communications and Transactions Act, Communications Minister Dina Pule said on Tuesday at a seminar on the Future of Privacy at the University of Pretoria

The U.S. Government's Growing Appetite for Google Users' Data (Technology Review) Government and law enforcement demands that Google share user data are growing 25 percent every six months

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

Upcoming Events

ZeroNights (Moscow, Russia, November 19 - 20, 2012) ZeroNights is an international conference dedicated to the technical side of information security. The mission of the conference is to disseminate information about new attack methods, threats and defense...

Digital Security Summit (Riyadh, Saudi Arabia, December 1 - 2, 2012) A major conference to discuss the growing threat to digital security in the Middle East, especially in Saudi Arabia.

Passwords^12 Passwords^12 is a 3-day conference only about passwords & PIN codes. With an "all-star" cast of speakers, including Joan Daemen (AES/SHA3), Jens Steube (alias "atom", hashcat author), Colin Percival (CSO...

CIO Cloud Summit 2012 The CIO Cloud Summit will help C-level executives better understand the true capabilities of cloud computing and the transformational opportunities it can bring.

BayThreat (Sunnyvale, California, December 7 - 8, 2012) The theme for BayThreat is a new spin on the dichotomy of attacking and defending in information security. We're calling out all of the attackers and defenders that are on the front lines of the battle.

2012 European Community SCADA and Process Control Summit (Barcelona, Spain, December 10 - 11, 2012) The European SCADA Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations...

TechMentor Orlando 2013 (Orlando, Florida, USA, March 4 - 8, 2013) Celebrating 15 years of educational events for the IT community, TechMentor is returning to Orlando, Florida, March 4-8, for 5 days of information-packed sessions and workshops. Surrounded by your fellow...

e-Crime Congress 2013 (London, England, March 12 - 13, 2013) The e-Crime Congress is designed to meet the needs of key stakeholders and decision makers who are responsible for designing and coordinating information security and risk management strategy, safeguarding...

The Future of Cyber Security 2013 (London, England, UK, March 21, 2013) Cyber Security and the Citizen 2013 is a one-day conference and exhibition for senior decision-makers of central and local government organisations, NGOs and major private sector enterprises.

25th Annual FIRST Conference (Bangkok, Thailand, June 16 - 21, 2013) The annual FIRST conference provides a setting for conference participants to attend a wide range of presentations delivered by leading experts in both the CSIRT field and from the global security community.
