Adobe confirms it suffered a password disclosure breach via SQL injection attack. Skype disables password reset to fix account hijacking vulnerabilities. Symantec warns that Instagram exposes users to phishing. Symantec also checks Windows 8 and finds it vulnerable to Trojan.Ransomlock.U, a piece of ransomware designed for older versions of Windows. The Home button on the iPhone and iPad can leak data.
Two US Government agencies have a rough week. NASA warns employees that it lost a laptop on Halloween. The space agency is now rushing to full-disk laptop encryption. Department of Energy unclassified networks are found vulnerable to exploitation. (One Energy unit, Iowa National Laboratory, positions itself as a national SCADA security leader.)
Identity fraud rings grow in profitability, and cyber organized crime generally continues to spread internationally. One piece of good news on cyber crime: the Russian vorVzakone mob has called off its announced campaign against US banks. Too risky, too much publicity.
US power utility analysts warn that a successful attack on the power grid could cause "thousands of deaths," and other policy mavens continue to warn darkly of the dangers of cyber war. (For a contrary view, see Bruce Schneier's continuing efforts to convince people that cyber fears are mostly hype.) In any case, US state regulators take an increasingly activist role in utility cyber security.
South Carolina's Governor Haley orders sharply increased information security measures following that state's major data breach. US President Obama signed, last month, a secret executive order authorizing retaliation against cyber attacks.
Today's issue includes events affecting Egypt, European Union, Germany, Russia, South Africa, Spain, Taiwan, United Kingdom, United States.
Cyber Attacks, Threats, and Vulnerabilities
Another month another password disclosure breach(Internet Storm Center) Adobe has revealed that apparently a password database from connectusers.com was compromised via a SQL injection attack. Ars Technica reports that the passwords were hashed using MD5 (not clear whether they were salted or not). Do we really need to remind you what constitutes a strong password and not to reuse them? Some previous password diaries that might be of interest
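The Internet Storm Center item above flags the core weakness: plain MD5 over the password, possibly without a salt. The following is an added illustration (not Adobe's code, and connectusers.com's actual scheme is unknown) using constructed sample users. It shows why an unsalted, fast hash lets one precomputed table crack every user who picked a common password, and how a per-user random salt with a slow key-derivation function (PBKDF2 here) breaks that shortcut.

```python
import hashlib
import hmac
import os

# Constructed sample data: two of three users chose the same weak password.
USERS = {"alice": "password1", "bob": "password1", "carol": "T0t4lly-Unique!"}

# A tiny stand-in for the precomputed tables an attacker brings to an
# unsalted MD5 dump (constructed, deliberately short).
COMMON_PASSWORDS = ["123456", "password", "password1", "qwerty"]


def md5_unsalted(password: str) -> str:
    """The weak scheme: one deterministic MD5 over the raw password."""
    return hashlib.md5(password.encode()).hexdigest()


def unsalted_store(users: dict) -> dict:
    """Password 'database' as the weak scheme would store it."""
    return {u: md5_unsalted(p) for u, p in users.items()}


def crack_unsalted(store: dict, wordlist: list) -> dict:
    """Hash the wordlist once, then match every stored hash against it.
    Identical passwords share a hash, so one lookup exposes all of them."""
    table = {md5_unsalted(w): w for w in wordlist}
    return {u: table[h] for u, h in store.items() if h in table}


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Slow, salted derivation: PBKDF2-HMAC-SHA256 with a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def salted_store(users: dict) -> dict:
    """Store (salt, hash) per user; the salt is random, so equal passwords
    no longer produce equal records and a shared table is useless."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        out[u] = (salt.hex(), salted_hash(p, salt))
    return out


def verify(store: dict, user: str, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, stored = store[user]
    candidate = salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    weak = unsalted_store(USERS)
    print("cracked from unsalted MD5:", crack_unsalted(weak, COMMON_PASSWORDS))
    strong = salted_store(USERS)
    print("alice and bob records differ when salted:",
          strong["alice"] != strong["bob"])
```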
Hacker claims to have breached Adobe, releases customer data(Help Net Security) An Egyptian hacker claims to have breached one of Adobe's servers and gotten his hands on a database containing over 150,000 records belonging to Adobe's customers. For the time being, he leaked only a text document containing 202 complete records of Adobe employees and 230 of users employed by the US military, government, NASA and a number of educational institutions
Skype fixes account hijacking vulnerability(Help Net Security) Skype has temporarily disabled its password reset function while it was investigating reports about a vulnerability that has been misused to hijack users' accounts
Symantec: Be Careful When Using Instagram(Sci-Tech Today) Symantec security analyst Ben Nahorney noted that the Instagram threat could lead to phishing scams, among other possible security issues. His advice to users is to set your account to Private, don't follow unknown Instagram followers, and don't click shortened URLs on Instagram unless you know where they lead
Should Windows 8 users be worried about ransomware?(Help Net Security) Does ransomware designed for Windows 7 and older versions of the OS work on the newly released Windows 8? Symantec researchers took it upon themselves to answer that question by testing a number of
Home button on iPhone, iPad poses data leakage risk(Fierce Mobile IT) When the Home button on the Apple (NASDAQ: AAPL) iPhone and iPad creates a screenshot of the current view and stores it as an image on the device, it can pose a risk that data in the screenshot could be leaked, according to a mobile app security assessment conducted by Mushegh Hakhinian
Malware spreads fake Twitter and Facebook messages(Help Net Security) PandaLabs detected a new Twitter spam campaign that may compromise user security. Users receive a direct message on Twitter, which contains the text "Check out Obama punch a guy in the face for calling
NASA scrambles to encrypt laptops after major breach(Computer World) NASA is scrambling to implement full disk encryption on agency laptops after one containing unencrypted personal information on a "large" number of people was recently stolen. Agency employees were told of the October 31 theft of the laptop and NASA documents from a locked car in an email message Tuesday from Richard Keegan Jr., associate deputy administrator at NASA. Keegan told employees that the stolen laptop contained sensitive "Personally Identifiable Information" (PII) about a large number of NASA employees, contractors and others. "Although the laptop was password protected, it did not have whole disk encryption software, which means the information on the laptop could be accessible to unauthorized individuals," Keegan warned
Cybersecurity weaknesses persist in Energy unclassified systems(Fierce Government IT) Cybersecurity weaknesses at the Energy Department's unclassified networks overall decreased in the last fiscal year compared to the previous, but the types and severity of known weaknesses "remained consistent with prior years," the departmental office of inspector general says
Planned Cyberattacks on US Banks on Hold(Threatpost) Upwards of 30 major U.S. banks and financial institutions have been given a reprieve. The hacker behind a coordinated attack against giants such as Bank of America, Chase, Citibank, PNC, Wells Fargo and nearly two dozen other banks has called off the operation after media reports surfaced a month ago exposing the planned attacks
The global expansion of cybercrime(Help Net Security) McAfee released a new report which explores techniques in cybercrime as well as the global evolution of cyber exploits. It uncovers new details of "Operation High Roller," tracks that mobile malware
United States on Brink of Major Cyber Attack, Industry Executive Predicts(National Defense) The United States could be on the cusp of a major cyber attack that would rival the destruction that was seen on 9/11, a retired lieutenant general and cybersecurity executive said. "The day of the cyber-9/11 is looming and gaining on us," said Ret. Air Force Lt. Gen. Harry D. Raduege Jr. who serves as the chairman of the Deloitte Center for Cyber Innovation in Arlington, Virginia
Thousands Seen Dying If Terrorists Attack US Power Grid(Businessweek) The study released today by the National Academy of Sciences was sponsored by the Department of Homeland Security and completed by the National Research Council, which is part of the National Academy of Sciences
Cyber security will change ideas of the nation state, says Stonesoft(Computer Weekly) Lack of security in the cyber world is one of the most significant threats faced by the civilized world, according to Jarno Limnell, director of cyber security at security firm Stonesoft. But it seems that we have to experience a catastrophic incident before this threat is taken seriously enough, he said. Limnell, a former advisor to the military and government in Finland, said that it was time to take cyber security seriously because in the coming years it will change most radically the world's understanding of security of nation states, society and individuals
IT professionals too trusting of Generation Y(Computer Weekly) More employees of the Generation Y age group are ducking IT policies to use their personal devices and applications at work than corporations realise. A study from Cisco, conducted by InsightExpress, showed 53% of IT professionals trusted employees to stick to the rules set for using tools on the corporate network. But 77% of the 18- to 30-year-olds surveyed admitted to ignoring IT policies for company-owned devices
One man's crusade to end the hysteria over cyberwar(Quartz) Bruce Schneier, a legend among hackers and security experts, is having trouble convincing the world that the threat of cyberwar is overstated. In 2010, the year after the US launched a Cyber Command division of its military, he lost a public debate on the subject. And in October, US Secretary of Defense Leon Panetta said that the US should gird itself for a cyber Pearl Harbor. Yet Schneier is undeterred. Through countless essays, speeches and debates, he has tirelessly argued that what we should really be paying attention to is how we establish trust online, and failing that, what are the basic security measures which will help us cope with both cyberwar and the countless acts of cybercrime, cyberhooliganism, cyberterrorism, and cyberespionage that happen every day
Information Security In A Post-Stuxnet World(CRN) The advent of Stuxnet and other weapons-grade malware has profoundly changed the IT security landscape. That common denominator summarizes the viewpoints of three security industry executives participating in a COMDEXvirtual panel discussion, Information Security in a Post-Stuxnet World. "[Stuxnet] demonstrates the ability of a dedicated team to develop extremely sophisticated and complex weapons by leveraging the resources of nation-states," said Patrick Bedwell, vice president of products at Sunnyvale, Calif.-based Fortinet. "These tools then trickle down into the hacker community and begin to be used against enterprises"
Surveys show disconnect between IT, employees over BYOD security(Fierce Mobile IT) More than two-thirds of employees are accessing the corporate network with their personal smartphones, yet few employees want security controls placed on their devices, according to an IDG Research survey of 350 IT managers and employees at enterprises with more than 250 employees
How real is 'Skyfall's' portrayal of cyberterrorism?(CNN) CNN spoke to Morgan Wright, a decorated former law enforcement officer who has done work relating to cyberterrorism for the United States Department of Justice, the Department of Homeland Security, and the Department of Defense about what "Skyfall
Three Ways to Engage with the InfoSec Community(infosec island) Folks who are just coming into infosec often ask me for a few ways to engage with the infosec community and begin to build relationships. Here a few quick words of advice that I give them for making that happen. 1) Join Twitter and engage with people who are also interested in infosec
New Cyber Group Aims To Spread Basic Security(Defense News) When cybersecurity legislation failed a key procedural hurdle in the U.S. Senate this fall, experts said immediate widespread improvement of networks was unlikely. But a new public-private partnership is attempting to step in, providing a framework based on 20 security concepts designed to eliminate the vast majority of vulnerabilities and increase the cost of attack
Top U.S. Cyber Defenders Work in Idaho Falls(Wall Street Journal) Noted cybersecurity expert Alan Paller believes there are only 18 to 20 people in the whole country qualified to protect the nation's infrastructure from a concerted cyber attack. That's an incredibly small number of people considering the hundreds of thousands of engineers working in the private, public and military sectors, but Paller isn't the only person who thinks that's the case
VA to migrate 600,000 employees to cloud email(Fierce Government IT) The Veterans Affairs Department will move all of its 600,000 employees to a cloud-based email, messaging and calendar system over the next five years, says Hewlett-Packard in a Nov. 13 press release
NGA focusing on 'service-enabled' data, says Long(Fierce Government IT) For the past year, the National Geospatial Agency's primary focus has been cleaning up and organizing data so it enables consumers to be producers, said National Geospatial-Intelligence Agency Director Letitia Long while speaking Oct. 9 at the GEOINT Symposium in Orlando
Work starts on FGDC shared geospatial platform(Fierce Government IT) The Federal Geographic Data Committee is creating a shared geospatial information technology infrastructure for civilian agencies that should reduce the number of single-agency portals
SRA to Help DOJ Run Biometric Data Exchange(Govconwire) SRA International has won a $21.4 million contract to continue helping the U.S. Justice Department run its system for exchanging biometric data, the company announced Tuesday. The company will manage, operate and maintain the infrastructure for DOJ's Joint Biometric Data Exchange Hosting Environment. SRA will also provide DOJ system operations, maintenance and help desk support
Lunarline Teams with EES for FCC Contract Win(The Herald) "We are proud to be part of the winning Alliant Small Business team," stated Lunarline CEO, Waylon Krush. "The growing sophistication of cyber threats requires that we use assertive and holistic measures to defend critical network and information assets
CACI International - CACI - Intent to Acquire Emergint Technologies(Stock Market News) CACI International Inc (NYSE: CACI) announced that it has signed a definitive agreement to acquire Emergint Technologies, Inc., a premier provider of emerging technology solutions focused on the data-driven needs of national health organizations. This acquisition builds on CACI's healthcare IT capability and expands its presence in the growing healthcare IT market. Closing is anticipated by December 1, 2012
SAIC completes sale of test and evaluation business(Washington Technology) American Systems picks up 300 employees and expands skills. Science Applications International Corp. and American Systems Corp. have completed the sale of SAIC's test and evaluation business. Terms of the deal were not disclosed by American Systems, who is picking up 300 SAIC employees with skills in areas such as testing, scientific, engineering, logistics, administrative and ancillary support. The deal was first announced in September
Internet Explorer 10 on Windows 7 now available(IT Proportal) Microsoft has launched a release preview version of Internet Explorer 10 for Windows 7. The updated browser is available for download now on Microsoft.com. "Consumers can now enjoy a fast and fluid web with the updated IE10 engine on their Windows 7 devices," Microsoft said in a blog post
So you broke our encrypted files? Ha! They were DOUBLY encrypted (Register) Developers have launched a sync-and-share service aimed at small businesses that adds an extra layer of encryption absent from popular services such as Dropbox and Box. InfraScale says its Filelocker software protects data by encrypting it locally, in-transit and again in the cloud. Files are encrypted with a user's personal passphrase before leaving a device, transferred over a standard 256-bit SSL connection, encrypted again for peace of mind server-side, and then stored in the FileLocker cloud
Blue Coat releases Mobile Device Security service(Help Net Security) Blue Coat Systems introduced the Blue Coat Mobile Device Security (MDS) service, enabling businesses to extend the boundaries of the security perimeter to iOS devices in any location, on any network
Palo Alto Networks releases new products(Help Net Security) Palo Alto Networks announced several new products that extend its lead in next-generation network security by addressing today's mixed virtualized and physical enterprise networks
Oracle Stakes Claim In Engine Yard PaaS(InformationWeek) Engine Yard provides an online platform for application developers using different Web languages. Oracle's investment is a way to keep itself in front of those developers
The Root Of All Database Security Evils = Input(Dark Reading) Some of the most embarrassing database breaches of the past few years boil down to one big root cause: poor input validation and sanitization imposed by developers that create Web applications that tap into these data stores. In the rush to get code compiled and out the door, developers create input fields that allow users to type in anything they want. That's fine for most users who just need to type in their username, a search term, or an address and phone number. But when the bad guys get their hooks into these unchecked input fields, they're one step closer to hacking the database
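The Dark Reading item above describes the flaw in prose; the following added example (not from the article or any product it mentions) shows it concretely against a constructed in-memory SQLite table: a lookup built by string concatenation lets a crafted username rewrite the query, while the parameterized form treats the same input as inert data. An allow-list check on the username is shown as the validation layer the article calls for; the table contents and the field rule are assumptions.

```python
import re
import sqlite3

# Allow-list rule for a username field (assumed policy for this example).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def build_db() -> sqlite3.Connection:
    """Constructed sample table standing in for the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Unchecked input is spliced into the SQL text, so it can change
    the WHERE clause instead of just being compared against it."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Bound parameter: the driver sends the value separately from the
    statement, so quotes and keywords in it never become SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def is_valid_username(username: str) -> bool:
    """Defence in depth: reject input that does not match the field's
    expected shape before it reaches any query at all."""
    return USERNAME_RE.fullmatch(username) is not None


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Validation plus parameterization, the combination the article asks for."""
    if not is_valid_username(username):
        return []
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = build_db()
    crafted = "x' OR '1'='1"
    print("vulnerable :", lookup_vulnerable(db, crafted))    # every row
    print("parameterized:", lookup_parameterized(db, crafted))  # no rows
    print("hardened   :", lookup_hardened(db, crafted))        # rejected
```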
7 Dumb Cloud Computing Myths(InformationWeek) You've heard the arguments: The cloud is not secure, costs too much, and wrecks the environment. Let us set you straight
German scientist wins Taiwan's top academic prize(Taiwan Today) Johannes Buchmann, a German expert in cryptography and computer algebra research, was named winner of the 2012 Tsungming Tu Award, the highest academic honor bestowed on foreign scientists by the ROC government
In Search of Digital Tough Guys and Gals(Sacramento Bee) After months of preparation and days of intense competition, a handful of student hackers participating in the 9th annual Cyber Security Awareness Week games at the Polytechnic Institute of New York University
Legislation, Policy, and Regulation
The Evolving Role of State Regulation in Grid Cybersecurity(Smart Grid Security) Led by Elizaveta Malashenko, the grid cybersecurity team at California's Public Utility Commission, makes a good case for increased PUC involvement in cybersecurity matters, particularly those affecting distribution elements: State regulators have not traditionally played a large role in cybersecurity. However, this is beginning to change with the recognition that Federal compliance-based models may not be sufficient to ensure grid resiliency, reliability and safety, as well as customer data privacy. With grid modernization on the way, there is an important role that State regulators need to step into, as much of this new infrastructure will be located on the distribution grid, which is currently outside of NERC authority
Cybersecurity bill's death opens door for Obama executive order(Pittsburgh Post Gazette) "It to some degree hardens the lines of division, which makes it more likely we'll see an executive order, rather than an attempt to revive the legislation in the near term," Stewart Baker, a former Department of Homeland Security assistant secretary
Homeland Security office OKs efforts to monitor social media(California Watch) A little-known privacy office in the Department of Homeland Security has given its stamp of approval to an ongoing initiative aimed at monitoring social media sites for emerging threats. Congress created the department's privacy office in 2003 to
Haley orders extra cyber security(Carolina Live) South Carolina Governor Haley announced Wednesday she handed down an Executive Order requiring extra forms of cyber security be implemented in all of her cabinet agencies
Five reasons why Congress should pass Cybersecurity Act of 2012(The Hill) Leading civil liberties groups have praised the protections in the bill, while the head of the National Security Agency has also strongly supported it. If the Intelligence Community and the civil liberties community can find common ground on a national
Obama Secret Order Authorizes Cybersecurity Strikebacks(InformationWeek) Last year, National Security Agency director and Cyber Command commander Gen. Keith Alexander said that for cybersecurity, "the advantage is on the offense," and argued that government agencies should -- at least in some cases -- be able to take down
Obama: Transparently Disappointing(Reason) The CIA and the National Security Agency were sued by the Electronic Freedom Foundation for refusing to release documents detailing internal lawbreaking. Agencies across the executive branch recorded 466,872 FOIA denials, an increase of 66 percent
Suing our way to Better Security…Redux(infosec island) One of the latest publicly known Government Data Breaches has incurred yet another lawsuit for the people by the people's lawyers. First, I want to mention the depth of the lawsuit and the misperception of the monetary and punitive damages that can be incurred through Personal Identifiable Information (PII) loss resulting in fraud or victimization. I really feel that this lack of proper security in a Government agency can't be confined to 600k limits when the quantity of victims is millions of people
South Africa to get cyber inspectors as cyber crime proliferates(Business Day Live) The Department of Communications is appointing cyber inspectors as mandated by the Electronic Communications and Transactions Act, Communications Minister Dina Pule said on Tuesday at a seminar on the Future of Privacy at the University of Pretoria
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
ZeroNights(Moscow, Russia, November 19 - 20, 2012) ZeroNights is an international conference dedicated to the technical side of information security. The mission of the conference is to disseminate information about new attack methods, threats and defense...
Digital Security Summit(Riyadh, Saudi Arabia, December 1 - 2, 2012) A major conference to discuss the growing threat to digital security in the Middle East, especially in Saudi Arabia.
Passwords^12 Passwords^12 is a 3-day conference only about passwords & PIN codes. With an "all-star" cast of speakers, including Joan Daemen (AES/SHA3), Jens Steube (alias "atom", hashcat author), Colin Percival (CSO...
CIO Cloud Summit 2012 The CIO Cloud Summit will help C-level executives better understand the true capabilities of cloud computing and the transformational opportunities it can bring.
BayThreat(Sunnyvale, California, December 7 - 8, 2012) The theme for BayThreat is a new spin on the dichotomy of attacking and defending in information security. We're calling out all of the attackers and defenders that are on the front lines of the battle.
2012 European Community SCADA and Process Control Summit(Barcelona, Spain, December 10 - 11, 2012) The European SCADA Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations...
TechMentor Orlando 2013(Orlando, Florida, USA, March 4 - 8, 2013) Celebrating 15 years of educational events for the IT community, TechMentor is returning to Orlando, Florida, March 4-8, for 5 days of information-packed sessions and workshops. Surrounded by your fellow...
e-Crime Congress 2013(London, England, March 12 - 13, 2013) The e-Crime Congress is designed to meet the needs of key stakeholders and decision makers who are responsible for designing and coordinating information security and risk management strategy, safeguarding...
The Future of Cyber Security 2013(London, England, UK, March 21, 2013) Cyber Security and the Citizen 2013 is a one-day conference and exhibition for senior decision-makers of central and local government organisations, NGOs and major private sector enterprises.
25th Annual FIRST Conference(Bangkok, Thailand, June 16 - 21, 2013) The annual FIRST conference provides a setting for conference participants to attend a wide range of presentations delivered by leading experts in both the CSIRT field and from the global security community.