Escalating violence around Gaza finds its inevitable expression in cyberspace. Not only are Israel and Hamas tweeting their air and rocket strikes, but Hamas sympathizers among Anonymous open a cyber campaign against Israeli sites.
Georgia Tech warns that increasingly capable search personalization will soon enable sophisticated information operations in which attackers can shape their targets' information. Proof-of-concept malware shares USB smart card readers over the Internet. The Opera browser's homepage is found to be redirecting users to the Blackhole exploit kit.
Adobe closes its Connect user forum in the wake of the Egyptian Hacker breach. NASA continues to work to repair the damage done by its stolen laptop—the theft exposed 10,000 people's personal information.
Notable cyber trends include "information sprawl" into the cloud, the inadequacy of attack information sharing (inhibited by legal and regulatory regimes), the financial risk companies assume when collecting personal information, and the "reckless trust" companies accord third-party software.
After $1B, the US Air Force cuts its losses on a failed ERP program. Fidelity makes a major commitment to secure code development. Lockheed Martin's warnings about supply chain security say much about the complexity and fragility of the logistics the company established for its F-35 program. Thales continues a characteristically quiet expansion into the cyber market, opening an R&D center in Quebec and hinting that its next CEO may be a cyber expert.
The US Congress will not pass a cyber bill this session, making further executive orders likely. South Carolina's data breach moves into litigation.
Today's issue includes events affecting Australia, Canada, China, Egypt, France, Israel, Norway, Palestinian Authority, United Arab Emirates, United Kingdom, United States.
Cyber Attacks, Threats, and Vulnerabilities
Anonymous Attacks Israeli Web Sites (New York Times) After Israel killed a top military commander of Hamas on Wednesday, Anonymous, the loose affiliation of hackers, retaliated with a series of attacks on Israeli Web sites. In a coordinated action that began at 3 a.m. New York time Thursday, hackers attacked Web sites belonging to the Israel Defense Forces, the prime minister's office, Israeli banks, airlines and security companies by flooding them with Web traffic, in a campaign they called #OpIsrael
Attackers to Exploit Search Personalization, Supply Chains (Threatpost) Information systems and algorithms designed to personalize online search results will give attackers the ability to influence the information available to their victims in the coming years. Researchers, in turn, must seek ways to fortify these systems against malicious manipulation, according to the Emerging Cyber Threats Report 2013, a report released ahead of yesterday's Georgia Tech Cyber Security Summit 2012
Curiosity-piquing Twitter DM leads to double threat (Help Net Security) A double threat has been aimed at Twitter users as Direct Messages carrying a Facebook link and the question "what on earth could you be doing in our movie?" are currently doing the rounds
Spoofed Better Business Bureau email leads to malware (Help Net Security) A massive spam campaign impersonating the Better Business Bureau is currently hitting inboxes around the world. The emails urge users to check out a report and to respond to the matter urgently
Cracked passwords from the alleged 'Egyptian hacker' Adobe breach (Naked Security) An allegedly Egyptian hacker going by the name ViruS_HimA has allegedly hacked into Adobe. By his own account, he's made off with a largish database of personally identifiable information. Wherever the data actually comes from, it reveals yet more poor password hygiene at both the client and the server…find out just how bad
Adobe suspends Connect user forum after apparent hack (ZDNet) Adobe has suspended a user forum where customers discuss its Connect videoconferencing product, after an apparent security breach in which credentials for members of the US military were leaked. The company said on Wednesday that the Connectusers.com forum was the only service to be compromised by the "unauthorised third party"
Adequate Attack Data and Threat Information Sharing No Longer a Luxury (Threatpost) While some industry groups such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and cross-industry groups such as the Advanced Cyber Security Center (ACSC) facilitate the exchange of threat information, for the most part organizations are still hamstrung by legal constraints and other business factors that prevent an adequate flow of actionable information
Despite security concerns, enterprises place sensitive data in the cloud (Net-Security) One third of enterprises place highly sensitive data in the public cloud even though most are wary of the implications on security and other business processes, according to Forrester Consulting. Nearly half of respondents do not think their existing identity and access management (IAM) infrastructures will be able to support cloud applications and provide single sign-on (SSO). While most enterprises are concerned about exposing data to the cloud, nearly a third of them already place highly sensitive data like regulated financial (34%) and healthcare information (29%) in SaaS apps
European enterprises cautiously accepting BYOD (Net-Security) Results of the European edition of the ISACA IT Risk/Reward Barometer show slowly growing acceptance of BYOD in the workplace, with 28% of organisations freely allowing the use of personal mobile devices for work, compared with 34% in North America and 48% in Oceania. However, there has been a 20-percentage-point drop in enterprises that prohibit BYOD (down from 58% to 30%). More than half (54%) of IT professionals in Europe continue to report that the risk of BYOD outweighs the benefit, compared to 15% who say benefits are greater than risk and 31% who say that benefits and risk are balanced
Companies collecting personal info face financial risks (Net-Security) Many organizations lack the business behaviors and compliance practices necessary to adequately address growing consumer and regulatory concerns about data security and privacy, according to Edelman. The comprehensive study of 6,400 corporate privacy and security executives was conducted by the Ponemon Institute, a leading independent research organization. The analysis spans 29 countries around the world, and is believed to be one of the largest studies of its kind ever fielded
Attacks targeting government info, intellectual property grow more complex (GCN) Government -- in common with business sectors such as manufacturing, IT and technical services -- is being targeted by increasingly complex attacks with the intent of stealing data rather than money, according to the most recent snapshot from the Verizon Data Breach Investigation Report. Although the types of sensitive information held by government often differs from private sector intellectual property, government and the private sector share a lot in common as victims, according to Verizon analysts. While most financially motivated attacks are against targets of opportunity, when it comes to IP theft, the targeted nature of the attacks considerably changes how they are conceived and carried out, the report says
90 percent say online privacy is threatened (Help Net Security) Ninety percent of U.S. consumers who use a mobile device for work activities feel their online privacy is threatened, but many persist in putting their privacy and security at risk
Mobile spam is impacting most U.S. adults (Help Net Security) Mobile spam has become prevalent, with the majority of U.S. adults who text reporting that they have received an unsolicited text message, according to a survey conducted online by Harris Interactive
Privacy scholars at the wall (Fierce Big Data) I went to a lecture last night put on by one of the Meetup groups I belong to. My family and friends think the group is some kind of subversive cult, which is an indication that I may need new friends--not much I can do about my family
Why Android's Dominance Is Bad (InformationWeek) Google's Android platform grabbed a commanding 72% share of the smartphone market during the third quarter. That needs to change
Army Reserve Chief Jeffrey Talley Not Worried Over Sequestration (Govconwire) Army Lt. Gen. Jeffrey Talley, chief of the Army Reserve, told the Defense Writer's Group Wednesday he is not worried that sequestration will occur, American Forces Press Service reports. He said he is not worried because both Defense Secretary Leon Panetta and Army Secretary John McHugh told the departments to not plan for the cuts
Risks in Modernized e-File will delay retirement of legacy systems, says TIGTA (Fierce Government IT) The Internal Revenue Service may not be able to retire its legacy e-File system due to insufficient testing of the latest release of the Modernized e-File system, or MeF. Performance waivers and deferrals used in performance tests of MeF 7.0 remain unresolved, according to a Treasury Inspector General for Tax Administration report published Nov. 14 but dated Sept. 27
Profile: Michael Del Vecchio, OUSD-I Senior Cyber Adviser (ExecutiveGov) In 2005, he began his service as the National Security Agency's senior official assigned to the National Reconnaissance Office, where he also served as deputy director for NRO's signals intelligence acquisition and operations directorate, deputy chief
TWD Acquires Federal Cloud, IT Services Contractor (Govconwire) TWD & Associates has acquired federal information technology contractor The Engle Group in a move to expand its offerings in IT service management, cloud computing and application development. McLean, Va-based Engle provides IT services to federal customers including the Justice, Department and Interior departments and "expands our reach into the civilian sector," said Larry Besterman
Microsoft Names Julie Larson-Green to Lead Windows Operations (Govconwire) Microsoft Corp. has promoted Julie Larson-Green to lead all Windows software and hardware engineering, succeeding Windows and Windows Live president Steven Sinofsky. Larson-Green will lead all future Windows product development and future hardware opportunities, according to a company statement, "Leading Windows engineering is an incredible challenge and opportunity, and as I looked at the technical and
Antivirus startup linked to infamous Chinese hacker (CSO) Anvisoft, a Chinese antivirus startup, has been linked to an infamous hacker suspected of developing sophisticated malware used to siphon sensitive information from Defense Department contractors in 2006. Through some high-tech sleuthing on the Web, Brian Krebs, author of the KrebsonSecurity blog, found IP addresses connected to Anvisoft that were registered to "tandailin" in Gaoxingu, China. Tan Dailin, a.k.a. Withered Rose, was the subject of Verisign's 2007 iDefense report, which described Dailin as the 20-year-old leader of a state-sponsored hacking team called NCPH, which stood for Network Crack Program Hacker
OpenDNS Goes Mobile (Dark Reading) New service an alternative to the VPN. OpenDNS founder and CEO David Ulevitch says his company over the past few years has become more of a security company than a pure DNS resolution service provider
GlobalSign Releases Free SSL Configuration Checker (Softpedia) World-renowned SSL certificate provider GlobalSign has released a free online service, the SSL Configuration Checker, which allows organizations that rely on SSL for website security to assess their configurations. Numerous organizations utilize SSL to ensure that their customers' information is protected against cybercriminal attacks. However, companies must also make sure that their SSL configurations are not faulty, and this is where the SSL Configuration Checker steps in
NETGEAR unveils new VDSL application firewall (Help Net Security) NETGEAR introduced the ProSecure UTM25S Unified Threat Management Firewall, which provides two modular slots that fit optional interface cards, enabling IT administrators to custom-tailor the firewall
Rackspace enhances Private Cloud software (Help Net Security) Rackspace announced new features and enhanced support offerings for the Rackspace Private Cloud. Since the OpenStack-powered Rackspace Private Cloud Software launched in August, thousands of organizations
Newvem Brings Cloud Analytics To AWS To Help Businesses Not Just Save, But Actually Profit On The Cloud (TechCrunch) Over the last few years, Amazon Web Services (AWS) has emerged as one of the most popular cloud infrastructure solutions out there, managing an unusual feat for those of its ilk by appealing equally to both early stage startups and enterprise. While it provides access to next-gen computing and hosting services for cheap and scales like a champ, the onboarding process remains tough for startups and
Google Sheds Light on New Android App Scanner (Threatpost) Google has divulged more information about its forthcoming application verifier for the Android operating system. The feature is being rolled out over the air alongside the latest build of the OS, Jelly Bean 4.2, on Nexus 7 and Galaxy Nexus devices as of yesterday
LucidWorks successfully betas search app development platform (Fierce Big Data) Disaster planning, deep web intelligence and search and discovery are a few of the applications built by companies using the LucidWorks enterprise-grade search development platform, which the company will make generally available next month
Microsoft Windows 8 Tablet Plans In Disarray (InformationWeek) Surface Pro and other systems that run Win8 on Intel's Clover Trail platform are missing in action at a key time -- creating a nasty enterprise tablet problem for Microsoft.
Technologies, Techniques, and Standards
Encryption of Data-in-Use to Harness the Power of the Cloud (SYS-CON Media) The not-for-profit Cloud Security Alliance notes in its most recent Email Security Implementation Guidance that it is critical that the customer - not the cloud service provider - be responsible for the security and encryption protection controls
Shop Safer This Cyber Monday (Business 2 Community) Here is a list of steps from The Better Business Bureau and the National Cyber Security Alliance that you can take to protect yourself from fraud this Cyber
How to report a computer crime: SQL injection website attack (Naked Security) Do you know how to report a computer crime? Or even who you would report it to? So far, we've looked at unauthorised email account access and malware in our series of articles on how to report a computer crime. In this article, we'll look at an SQL injection attack
7 Cheap Cloud Storage Options (InformationWeek) You have a multitude of cloud storage choices beyond Dropbox, for enterprise and personal use. But make sure you understand the differences
Nine security controls to look for in cloud contracts (NetworkWorld) To help ease the concerns of cloud security, which Gartner says is still a chief inhibitor to enterprise public cloud adoption, buyers are looking to contracts and service-level agreements to mitigate their risks. But Gartner cloud security analyst Jay Heiser says SLAs are still "weak" and "unsatisfying" in terms of addressing security, business continuity and assessment of security controls. "A lot of these things are getting a lot of attention, but we're seeing little consistency in the contracts," he says, especially in the infrastructure-as-a-service (IaaS) market. Software-as-a-service (SaaS) controls are "primitive, but improving." Below are some of the common and recommended security provisions in cloud contracts and how common and effective they are
10+ challenges facing the 'international' CIO (Tech Republic) CIOs and managers who are responsible for international IT encounter different kinds of technical, organizational, and people issues from those who have IT responsibilities only on the home front. Yet few of these international executives get formal training on how to conduct international business before they go abroad. There are numerous issues to consider and many are only peripherally related to technology
Design and Innovation
CSC's Yogesh Khanna Wins 2012 'CTO Innovator Award' (Govconwire) Yogesh Khanna, vice president and chief technology officer for the North American public sector at Computer Sciences Corp. (NYSE: CSC), has won this year's CTO Innovator Award in the large company category. According to CSC, Khanna was recognized for helping establish the company's data center consolidation and cloud computing go-to-market strategy and offerings
Stanford Physicists Take First Step Toward Quantum Cryptography (Patch.com) Quantum mechanics offers the potential to create absolutely secure telecommunications networks by harnessing a fundamental phenomenon of quantum particles. Now, a team of Stanford physicists has demonstrated a crucial first step in creating a quantum
Building Tomorrow's Cyber Defenders (Virginia Connection Newspapers) "Northrop Grumman is the largest cybersecurity provider to the federal government," said corporate spokeswoman Marynoele Benson. "This camp was about network defense, so kids could understand how their computers can be infiltrated and how to protect
Harry Reid's Virus (Wall Street Journal) The House adopted on a bipartisan vote in April the Cyber Intelligence Sharing and Protection Act giving companies liability protection to encourage them to monitor their systems and report attacks to the National Security Agency and other federal
Political Gridlock Leaves US Facing Cyber Pearl Harbor (Businessweek) Last month, Obama signed a separate cybersecurity directive authorizing the National Security Agency and other military units to take more aggressive action to defeat attacks on government and private computer systems. An Oct. 4 Bloomberg Government
Blocked Leaks Bill More About Message Discipline Than National Security (ACLU) Sen. Ron Wyden (D-OR) deserves significant credit for placing a hold today on a draft intelligence spending bill that would place enormous new obstacles in the path of journalists trying to report on government illegality, fraud and waste in the intelligence community. Although it is true that national security sometimes requires secrecy, restrictions on freedom of the press would do little to benefit the national security while significantly insulating government wrongdoing from public scrutiny
Why Congress Hacked Up a Bill to Stop Hackers (Businessweek) On July 30, U.S. Army General Keith Alexander, the director of the secretive National Security Agency, which helps guard the government's computer networks, addressed a group of lawmakers in a packed room in the Capitol. He said the U.S. had evidence
Congress Kills Cybersecurity Bill, White House Action Expected (InformationWeek) …"government and military targets face repeated exploitation attempts by Chinese hackers," the report said, fingering China in cyber espionage and cyber attacks aimed at the Department of Defense, NASA and U.S.-based companies like Lockheed Martin
As CIA Chief Scandal Looms, Lawmakers Consider Tightening E-Mail Privacy Recent intrusions by the FBI into e-mail correspondence between former CIA Director David Petraeus and his mistress and biographer, Paula Broadwell, have raised a lot of questions and concerns about the government's ability to access private e-mails. The current law covering access to e-mail gives the government the right to snoop without a court order on e-mail that's older than 180 days, but requires a court order for missives that are newer than this, a fact that privacy activists have been trying to change for years. Now they might finally be getting closer to that wish
Kramer: U.S. will emphasize market liberalization in WCIT-12 (Fierce Government IT) A second tranche of U.S. proposals for the planned December treaty-writing conference of the International Telecommunication Union in Dubai emphasizes "the criticality of liberalized markets," said Amb. Terry Kramer, head of the U.S. conference delegation
Last attempt at Senate cybersecurity bill fails (Fierce Government IT) A last attempt this Congress to pass a cybersecurity bill in the Senate failed Nov. 14 when less than a supermajority of lawmakers voted to invoke cloture, a necessary step before the bill can come to the floor. Lawmakers voted 51-47 for cloture, but with Republican senators voting against, consideration of a cybersecurity measure will likely have to wait until a bill can be reintroduced following the Jan. 3 convening of the 113th Congress
Litigation, Investigation, and Law Enforcement
Maker of Airport Body Scanners Suspected of Falsifying Software Tests (Wired) A company that supplies controversial passenger-screening machines for U.S. airports is under suspicion for possibly manipulating tests on privacy software designed to prevent the machines from producing graphic body images. The Transportation Security Administration sent a letter Nov. 9 to the parent company of Rapiscan, the maker of backscatter machines, requesting information about the testing of the software to determine if there was malfeasance. The machines use backscatter radiation to detect objects concealed beneath clothes
Report Says $67.9 Billion In Defense Budget Is Idled Away (Boston Globe) Fishy is right, according to "Department of Everything," a wry but scathing new report commissioned by Senator Tom Coburn of Oklahoma that identified $67.9 billion in the defense budget during the next decade designated for projects that have little to do with defending the nation. That waste includes conducting nonmilitary research, running schools, grocery stores, and microbreweries, and maintaining unnecessary overhead and supplies
China: No. 1 Cyber Threat (Free Beacon) Chinese state-run cyber attacks pose most significant global cyber threat, congressional report says. China's government carried out numerous cyber attacks against United States government and private sector computers this year and has emerged as the most significant threat in cyberspace, according to a congressional commission report made public Wednesday
Major Data Breach in State Tax System (Courthouse News) South Carolina's cyber-security contractor, Trustwave, let hackers into the state tax system, compromising the personal information of 3.6 million South Carolinians, taxpayers claim in a federal class action
Data breach could cost businesses $330M, ex-FBI official says (Greenvilleonline) The ultimate cost to some South Carolina businesses from the data breach at the state Department of Revenue could top $330 million, a former high-ranking FBI official says. Chris Swecker, the former No. 3 official at the FBI, told GreenvilleOnline.com this morning that even if only 1 percent of the 650,000 businesses whose information was exposed in the massive data breach was used for financial gain, it could mean losses totaling $338 million, based on FBI historical experience with data fraud
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
ZeroNights (Moscow, Russia, November 19 - 20, 2012) ZeroNights is an international conference dedicated to the technical side of information security. The mission of the conference is to disseminate information about new attack methods, threats and defense...
Digital Security Summit (Riyadh, Saudi Arabia, December 1 - 2, 2012) A major conference to discuss the growing threat to digital security in the Middle East, especially in Saudi Arabia.
Passwords^12 Passwords^12 is a 3-day conference only about passwords & PIN codes. With an "all-star" cast of speakers, including Joan Daemen (AES/SHA3), Jens Steube (alias "atom", hashcat author), Colin Percival (CSO...
CIO Cloud Summit 2012 The CIO Cloud Summit will help C-level executives better understand the true capabilities of cloud computing and the transformational opportunities it can bring.
BayThreat (Sunnyvale, California, December 7 - 8, 2012) The theme for BayThreat is a new spin on the dichotomy of attacking and defending in information security. We're calling out all of the attackers and defenders that are on the front lines of the battle.
2012 European Community SCADA and Process Control Summit (Barcelona, Spain, December 10 - 11, 2012) The European SCADA Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations...
TechMentor Orlando 2013 (Orlando, Florida, USA, March 4 - 8, 2013) Celebrating 15 years of educational events for the IT community, TechMentor is returning to Orlando, Florida, March 4-8, for 5 days of information-packed sessions and workshops. Surrounded by your fellow...
e-Crime Congress 2013 (London, England, March 12 - 13, 2013) The e-Crime Congress is designed to meet the needs of key stakeholders and decision makers who are responsible for designing and coordinating information security and risk management strategy, safeguarding...
The Future of Cyber Security 2013 (London, England, UK, March 21, 2013) Cyber Security and the Citizen 2013 is a one-day conference and exhibition for senior decision-makers of central and local government organisations, NGOs and major private sector enterprises.
25th Annual FIRST Conference (Bangkok, Thailand, June 16 - 21, 2013) The annual FIRST conference provides a setting for conference participants to attend a wide range of presentations delivered by leading experts in both the CSIRT field and from the global security community.