Researchers give smartphone users new reasons to worry: leaving WiFi on can expose a phone to data leakage, even when it's not connected to a network, and proof-of-concept Android malware uses a phone to create 3D maps of private spaces.
The Philippines enact new cyber crime legislation, and Anonymous pledges to fight what it calls "e-martial law." The Islamist hacktivists who claim responsibility for last week's anti-banking campaign promise more attacks against US targets. (For all the furor surrounding those attacks, the damage appears to have been tolerable.) Sweden's raids on Pirate Bay appear to have provoked a hacking backlash.
We've seen local governments take an increasingly active cyber security role. This week Tulsa shows the risks inherent in that role: the city forgot it had engaged penetration testers, saw the testers' activity, and began warning citizens their personal data had been exposed. (May Reno and San Antonio have better luck with upcoming cyber exercises.)
Hacktivism is increasingly a precursor to financial crime. A DataMation survey finds one-third of companies take compliance risks. The Defense Department has hinted it will pick up contractors' legal fees if sequestration produces layoffs that prompt lawsuits. "Data scientist" is the hot job in the labor market, but recruiters find qualified candidates hard to spot. Booz Allen and KEY-W continue their push from government into commercial cyber work.
US cyber policymakers continue to advocate public-private partnership. The Department of Homeland Security receives harsh bipartisan criticism in a Senate report on fusion center failures: "pools of ineptitude."
Today's issue includes events affecting .
Cyber Attacks, Threats, and Vulnerabilities
What is your phone saying behind your back? (Naked Security) Do you always turn WiFi off on your smartphone before leaving the house or work? You might think there's no harm in having WiFi turned on but not connected to a network, but that's not necessarily the case
Anonymous Message to Philippines internet E-Martial Law (Cyberwarzone) Anonymous Philippines just released a new video after the internet law went active in the Philippines. The Cybercrime Prevention Act of 2012 poses serious threats to Internet freedom, the right to privacy and other essential civil liberties including the freedom of speech, expression, and the press
Islamist Cyber Fighters Vow More Attacks Against US Targets (NewsMax.com) Keith B. Alexander, chief of the U.S. Cyber Command since it was launched two years ago (and also head of the National Security Agency), said the cyber threat has grown in 10 years "from exploitation to disruption to destruction of computer networks"
Swedish raid prompts new cyber attack threat (The Local.se) Swedish police raided the Stockholm offices of PRQ on Monday afternoon, the same day that a cyber attack paralyzed the websites of several Swedish government agencies, businesses, and media outlets. While it remains unclear who may have been
City of Tulsa Cyber Attack Was Penetration Test, Not Hack (eSecurity Planet) The City of Tulsa, Oklahoma last week began notifying residents that their personal data may have been accessed -- but it now turns out that the attack was a penetration test by a company the city had hired. "City officials didn't realize that the
Security Losses Remain Within Range Of Acceptable (Dark Reading) Not a single breach among the many in the past two weeks did enough damage to trigger an alarm. Catastrophic denial-of-service attacks by a foreign power against our largest financial institutions. An actively exploited 0day vulnerability in the world's most-used Web browser. The infiltration of one of technology's largest consumer and enterprise software vendors, resulting in the hijacking of their infrastructure to distribute digitally signed malicious software. The deep compromise of a major supplier of control software to utilities providers -- one with remote access to its customers' control systems. New vulnerabilities in Java affecting all major platforms. The release of a tool that, for $20, can rapidly crack one of the most popular types of virtual private networks. The breach of an extremely common open-source Web application tool's servers and insertion of back doors. All in two weeks
SecTor: Old Security Vulnerabilities Live On (eSecurity Planet) Security researcher identifies security vulnerabilities from the 1990s that still persist today. The more things change, the more things stay the same. At the SecTor security conference in Toronto, Jamie Gamble, security researcher at Accuvant, detailed how old security issues that first
Online Criminals' Best Friends: Malnets (InformationWeek) The number of large malnets--server-side infrastructure used to infect PCs and sometimes to control botnets--tracked by security firm Blue Coat has tripled this year.
DHS Issued False 'Water Pump Hack' Report; Called It a 'Success' (Wired Threat Level) While DHS was busy accusing an Illinois fusion center last year of spreading false rumors about a water pump that was supposedly hacked by Russians, the department had been irresponsibly spreading the same false information privately in a report to
Should you give up e-mail? (Fox News) According to a survey of U.S. consumers released this week by the National Cyber Security Alliance (NCSA), roughly 90 percent of people admit that they feel vulnerable to hackers and malware online. The report, which coincides with October, or National
One in three companies take compliance risks (Help Net Security) Despite having corporate security and compliance policies and solutions in place, there is a widespread lack of confidence in their effectiveness. According to a DataMation survey, 84% of respondents
Information Security: Race with No Finish Line (GovInfoSecurity.com) Markell highlights some of the initiatives underway in Delaware, including a cyber challenge camp to attract young people to the field of information security, as well as the state progressing to the next phase of a cybersecurity community training
Cyber Day SA (San Antonio Express) The plan is a three-prong approach to ensure the city is prepared in the event of a cyber attack or mishap that affects the local infrastructure. The collaborative initiative between local public and private sector leadership seeks to increase citizen
DISA picks new CIO (Federal Computer Week) The Defense Information Systems Agency has made changes in two posts key to the agency's IT operations. David Bennett, pictured at left, has been named the new CIO of DISA, according to an Oct. 2 announcement from the Defense Department. Bennett previously served as the agency's vice component acquisition executive. Bennett was preceded as CIO by Henry Sienkiewicz, who served in the position since May 2010. Sienkiewicz has been named as DISA's vice chief information assurance executive
2 Senators Upset About Sequestration Advice (Washington Times) Two top Republicans said this week that the Obama administration may not have had the legal authority to tell defense companies that taxpayers will pick up their legal bills if the companies are sued because of layoffs resulting from pending defense cuts
HMRC deploys Becrypt off-the-shelf encryption (ComputerWeekly) HM Revenue and Customs (HMRC) is implementing disk encryption as part of a laptop refresh programme following a pilot rollout using 300 laptops. HMRC will use Becrypt Disk protect, which has been certified by the CESG, the UK Government's National Technical Authority for Information Assurance (IA). According to HMRC, the pilot demonstrated that Becrypt would provide simplified faster deployment and centralised management
PAE's Tina Dolph Discusses Lockheed Executive Development Program, Finance Background and More (Govconwire) Tina Dolph is the president of PAE's global security & development business unit where she is responsible for 3,000 employees, currently conducting a litany of development projects throughout the world. In her Q&A with ExecutiveBiz, Dolph covers an array of topics concerning her leadership role at the company…The 20-year industry-vet has a background in finance and along with many other PAE executives, is a former Lockheed Martin executive where she attended the Executive Assessment and Development Program in 2010
Cyber security win for Macquarie Telecom (The Australian) Macquarie Telecom has been awarded a five-year, multimillion dollar contract to supply cyber security services to the Department of Agriculture, Fisheries and Forestry and 11 other federal agencies. Macquarie Telecom's managing director of hosting, Aidan Tudehope, said the deal would underpin a new $14 million investment in the telco's Canberra facilities to improve network capacity, and software and product development. That investment will see Macquarie's capital expenditure for fiscal 2013 increase to $48 million from previous guidance of $34 million
Nokia Confirms It's Looking At HQ Sale, May Lease It Back, No Plans To Leave Finland (TechCrunch) As beleaguered handset maker Nokia continues to downsize its operations to conserve cash, the handset maker is looking to sell its global headquarters in Espoo, Finland for a price of up to $387 million (€300 million). The news was first reported by the Finnish-language Helsingin Sanomat, with the real-estate price estimate coming from Ilta-Sanomat. A Nokia spokesperson has confirmed to TechCrunch that it is evaluating this option, but that it may end up leasing back the same building, and in any case has no plans to leave Finland in the process
Ancestry.com Acquires Photo Digitization And Sharing Service 1000memories (TechCrunch) 1000memories, the San Francisco-based startup which offers web and mobile applications for storing, organizing, sharing, and most importantly, digitizing, your print photographs, has been acquired. Given the company's focus on preserving family memories, it's not too surprising who the new owner is: Ancestry.com. And fortunately for current users of the service, the deal doesn't mean a shutdown of 1000memories' website or apps, but rather more resources to continue their development.
$45 Billion Later, Larry Ellison Says No Major Acquisitions For Next Few Years (TechCrunch) Larry Ellison said today that Oracle does not plan to do any acquisitions in the next few years but would not rule one out down the road. He made the remarks in a CNBC interview at OracleOpenWorld in San Francisco. Ellison was also asked about a successor to the company he has run for the past three decades. He only said there are several who could take his place.
Windows 8 in the enterprise: Fragmentation and deployment (ZDNet) The more information that comes to light about Windows 8, the more the dreaded "F" word comes to mind. When you think of fragmentation in the mobile space the first thing you think of is the Android platform. Volumes have been written about the forks in Android that are enough to drive enterprises batty. So many versions, so many different devices to support, it's enough to give fits to IT folks tasked with making BYOD work
Free USSD exploit blocker app (Help Net Security) Avira released a free security app for Android phone users to protect them from remote USSD attacks. The Avira USSD Exploit Blocker app is available on Google Play. "Most malware writers are motivated
Microsoft Guides Help You Build BYOD Test Lab (InformationWeek) Wondering how to implement your own BYOD or consumerization-of-IT strategy? Here's how to do it, at least the Microsoft way, in a test lab. Microsoft offers background materials and instructions for a safe and efficient BYOD/CoIT setup using Windows Server 2008 R2
The Ant Internet (IEEE Spectrum) Before researchers developed the Internet, ants developed the Anternet, a surprisingly similar communications network
PCI Security Standard: Mobile Payment Acceptance Security Guidelines (Internet Storm Center) What would Cyber Security Awareness Month with a Standards theme be without discussing some semblance of PCI-related content? Carefully avoiding the debate over the benefits and drawbacks of PCI DSS, I'll instead focus on a recent read with a quick summary of PCI Mobile Payment Acceptance Security Guidelines for Developers. This guideline hit my radar on 14 SEP courtesy of Ian's Dragon News Bytes and was intriguing as I had just published Mobile application security best practices in a BYOD world a couple of weeks earlier in Information Security
Design and Innovation
Appcelerator Launches "Innovation Fund" To Help Startups Speed Up Mobile App Development (TechCrunch) Appcelerator is all about speeding the development of rich, native mobile apps. One way it does this is with Titanium, its next-gen mobile app development platform. But now it's looking to accelerate app development by helping other startups focused on features, capabilities, or verticals that it's not focused on itself. With that in mind, the startup is introducing the Appcelerator Innovation Fund, through which it will invest in and provide support to promising startups who build apps based on its
Utilities open to cybersecurity dialogue (Nextgov) A group of electric companies says it is not opposed to working with the federal government to secure power-grid computer networks, as long as regulators don't prescribe new burdensome and inflexible rules. Senate Commerce Committee Chairman Jay Rockefeller, D-W. Va., helped sponsor legislation that would have created more government oversight of certain critical networks, including those that control electric grids
India may take the lead in Budapest cyber space security dialogue (The Hindu) The Government has begun efforts to put in place a comprehensive cyber security strategy as Indian representatives head to Budapest for the Cyber Space Conference this week. In the last few months, National Security Adviser Shivshankar Menon has slowly built a case for the Government to get its house in order. Three areas of focus are revitalising the Computer Emergency Response Team (CERT-IN), the creation of a professional body that certifies security of networks and cyber defence of critical information infrastructure networks that may be vulnerable to foreign governments or non-State actors
De Lima vows not to abuse anti-cybercrime powers (Abs-CbnNews) Justice Secretary Leila De Lima assured the public that government, especially the Department of Justice (DOJ), will not abuse its authority in the implementation of Republic Act (RA) No. 10175, also known as the Cybercrime Prevention Act. The law, assailed before the Supreme Court (SC) by various sectors for being "patently unconstitutional," takes effect beginning Wednesday. De Lima said the law's Implementing Rules and Regulations (IRR) will be crafted to "harmonize and clarify" questioned provisions of the law, such as the provisions on libel and the 'takedown powers' of the DOJ on websites
US Leaders Cite Partnership as Key to Cybersecurity (Equities.com) As the cyber threat intensifies over time from exploitation to disruption to destruction, responsible U.S. agencies and industries can fight back using cooperation and transparency, the commander of U.S. Cyber Command said here yesterday
Edmonds 16-Year-Old Arrested in Cyber-Threat at Sammamish School (Patch) Police arrested a 16-year-old former Skyline High School student at his home in Edmonds Tuesday morning for allegedly threatening to bring a semi-automatic weapon to the school and shoot students in the commons, after receiving tips from Skyline students. "I want to thank our public for coming forward and to our detectives," with tips that led to the arrest, Sammamish Police Chief Nate Elledge told reporters at a press conference at Sammamish City Hall
Microsoft Reaches Settlement with Site Linked to Nitol Botnet (Threatpost) Microsoft announced today it's reached a settlement with the operator of a Chinese Web site whose domain and sub-domains hosted more than 500 kinds of malware, including the Nitol botnet found on brand new computers. In a lawsuit filed two weeks ago by the software giant, Microsoft alleged the domain 3322.org hosted Nitol, which was found being preloaded onto computers during an investigation into supply chain security last August
Scareware defendant fined $163M in FTC suit (Computer World) A U.S. judge has imposed a judgment of $163.2 million against a defendant accused by the U.S. Federal Trade Commission of being part of an operation that sold software to people it tricked into thinking their computers were infected with malicious software. Judge Richard Bennett of U.S. District Court for the District of Maryland ordered defendant Kristy Ross, vice president of Business Development for Ukraine-based Innovative Marketing, in a Sept. 24 ruling
Government Asks Court to Toss Wiretap Claims (Courthouse News Service) Two lawsuits have been filed in recent years, claiming the National Security Agency, under the current direction of Director Keith Alexander and the president of the United States, have orchestrated a program of indiscriminate surveillance of US
World spies in NZ only days before Dotcom bolt (Stuff.co.nz) It is believed he was joined by representatives from the US Central Intelligence Agency, National Security Agency, Britain's Communications Headquarters, Canada's Communications Security Establishment and the Australian Secret Intelligence Service
THOTCON 0x4 A small, non-commercial hacking conference.
Cyber Maryland 2012 (Baltimore, Maryland, October 16 - 17, 2012) "Designed for information security insiders, business innovators and aspiring professionals, this two-day conference features national thought leaders, showcases business opportunities and provides outstanding...
National Cyber Security Hall of Fame (Baltimore, Maryland, October 17, 2012) Baltimore welcomes the US cyber security community to honor the members of the National Cyber Security Hall of Fame inaugural class.
Cyber Security: A National Imperative (Washington, DC, October 29, 2012) Lockheed Martin is hosting a panel discussion on Cyber Security: A National Imperative – An in-depth view of Cyber Security from the world's leading defense contractor on Monday, Oct. 29, 11:00am at the...
TechExpo Cyber Security Careers (Columbia, Maryland, November 1, 2012) Profit from presentations by leading industry figures and networking opportunities designed for serious job-seekers.
E2 Innovate Conference & Expo (Santa Clara, California, November 14 - 15, 2012) E2 Innovate, formerly Enterprise 2.0, brings strategic business professionals together with industry influencers and next-gen enterprise technologies.
Anatomy of an Attack (New York, New York, November 15, 2012) Join Sophos security experts in exploring how threats like malware, Trojans, worms and spyware actually work and what you can do to protect your company, even if you're on a tight budget.