The GSA's url-shortening system's vulnerabilities leave the US Government "with egg on its face" as hackers continue to spoof .gov domains. Smartphone privacy apps can also be used for cyber eavesdropping. Attack trend studies report more mobile malware, more drive-by attacks, and more email malware vectors.
Sophos gives Hotmail poor security marks (Gmail and Yahoo fare better). Three offerings hit the hackers' black (or at least very dark grey) market: HackRF Jawbreaker promises low-cost wireless intercept and reverse engineering tools; an online service sells access to compromised corporate machines; another outfit rents hacked PCs.
Polish security firm and Oracle gadfly Security Explorations offers a Java patch it claims is too important to wait for Oracle's promised February fix.
Journalists explore the mobile payment market and return mixed findings: the developing world seems to want it more than consumers in the developed world do. US Immigration & Customs Enforcement announces it will adopt the iPhone as its standard mobile device—a security vote of confidence for iOS. Booz Allen announces plans to replace its BlackBerrys with either iPhones or Android devices. Bill Gates says Windows 8 is the future of the PC, but Wired thinks few businesses will bother with it.
A survey finds that successful defense against insider threats is "more psychology than technology." The US Government moves closer to a continuous monitoring IT security policy. The Dutch government expands authorization of legal intercept to foreign systems. US users of Huawei gear defend their vendor against Congressional accusations of espionage.
Today's issue includes events affecting Finland, Germany, Israel, Italy, Netherlands, Poland, Russia, Singapore, United Arab Emirates, United Kingdom, United States.
Cyber Attacks, Threats, and Vulnerabilities
Spammers exploit open redirects on US government websites(Naked Security) Would you trust a URL which ends with .gov? US government websites have been left with egg on their faces, after spammers exploited sloppily coded redirect code to redirect gullible internet users into visiting "make money fast" websites
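The "sloppily coded redirect" above is the classic open-redirect pattern: a `?url=` parameter is copied straight into the Location header, so a link that starts with a trusted .gov hostname lands visitors on a spammer's site. As an added illustration (not code from the Naked Security article or from any government site), here is that pattern beside a hardened replacement; the allow-list hostnames and sample inputs are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list standing in for the hostnames a site legitimately
# forwards visitors to; no real site's list appears on the page.
ALLOWED_HOSTS = {"www.example.gov", "go.example.gov"}


def legacy_redirect(target: str) -> str:
    """The weak pattern: whatever the ?url= parameter holds becomes the
    Location header, so any outside site can borrow the trusted domain."""
    return target


def is_safe_redirect(target: str, allowed_hosts: set[str]) -> bool:
    """Accept only site-relative paths or absolute URLs to allowed hosts."""
    if not target or "\r" in target or "\n" in target:
        return False                     # empty, or a header-injection attempt
    target = target.strip()
    # Browsers treat a backslash like a slash, so "/\host" is parsed as
    # "//host" client-side; normalise before inspecting.
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False                     # javascript:, data:, ftp:, ...
    if parts.netloc:
        # .hostname drops userinfo ("trusted@evil") and the port and
        # lower-cases, so we compare the host the browser will contact.
        return parts.hostname in allowed_hosts
    # No authority component: must be a single-slash, site-relative path.
    # "//host" is protocol-relative and would leave the site.
    return normalised.startswith("/") and not normalised.startswith("//")


def safe_redirect(target: str, allowed_hosts: set[str] = ALLOWED_HOSTS,
                  fallback: str = "/") -> str:
    """Hardened replacement: the Location value to emit, or a safe fallback."""
    return target if is_safe_redirect(target, allowed_hosts) else fallback


if __name__ == "__main__":
    # Constructed sample of ?url= values a redirect endpoint might receive.
    samples = [
        "/benefits/apply",
        "https://go.example.gov/abc",
        "https://make-money-fast.example/",
        "//make-money-fast.example/",
        "https://www.example.gov@make-money-fast.example/",
    ]
    for s in samples:
        print(f"{s!r:52} legacy -> {legacy_redirect(s)!r:52} "
              f"hardened -> {safe_redirect(s)!r}")
```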
Mobile Privacy Apps Can Also Be Used for Spying, Experts Warn(Softpedia) Smartphone users have a lot of options when it comes to protecting their privacy. They can utilize all sorts of applications that can hide conversations, SMS messages and other incriminatory evidence which in many cases can represent the cause of conflict between spouses and business partners. However, many of these apps can be utilized not only for protection, but also for spying on others
Wrong response to zero day attacks exposes serious risks(Infosec Island) Recent revelations on the Flame case raise the question of the efficiency of "zero day vulnerabilities", software bugs that hackers exploit to avoid the security defenses of target systems. The real problem when we talk about zero-days is the duration of the period in which hackers exploit the vulnerability before the worldwide security community responds by applying the needed countermeasures. I desire to share with you the results of an interesting study by a couple of researchers, Leyla Bilge and Tudor Dumitras from Symantec Research Labs, titled "Before We Knew It…An Empirical Study of Zero-Day Attacks In The Real World"
HackRF Jawbreaker Could Bring Low-Cost Wireless Hacking to the Masses(Threatpost) Generations of hobbyist hardware hackers have spent countless hours messing with piles of radio gear, happily tinkering away in garages and basements looking for new ways to connect to people around the world. Now, a researcher has put together a new radio called HackRF that is a kind of all-in-one hacker's dream with functionality to intercept and reverse-engineer traffic
Report: Service Offers Cheap Access to Hacked Servers(Threatpost) An online service that sells fairly cheap access to compromised corporate machines creates a pay-to-play scenario for criminals seeking access to the networks of high-profile organizations, according to a Krebs on Security report
FireHost Q3 Web Application Report -- XSS Attacks Lead Pack As Most Frequent Attack Type(Dark Reading) FireHost categorizes four attack types, in particular, as representing the most serious threat. Secure cloud hosting company, FireHost, has today announced the findings of its latest web application attack report, which provides statistical analysis of the 15 million cyber-attacks blocked by its servers in the US and Europe during Q3 2012. The report looks at attacks on the web applications, databases and websites of FireHost's customers between July and September, and offers an impression of the current internet security climate as a whole
Security Patches, Mitigations, and Software Updates
Researcher Develops Patch for Java Zero-Day, Puts Pressure on Oracle to Deliver its Fix(Threatpost) A security researcher has submitted to Oracle a patch he said took him 30 minutes to produce that would repair a zero-day vulnerability currently exposed in Java SE. He hopes his actions will spur Oracle to issue an out-of-band patch for the sandbox-escape vulnerability, rather than wait for the February 2013 Critical Patch Update as Oracle earlier said it would
A Stuxnet Future? Yes, Offensive Cyber-Warfare is Already Here(ISN) As US Secretary of Defense Leon Panetta warned in front of the Senate Armed Services Committee in June 2011: "the next Pearl Harbor we confront could very well be a cyber-attack that cripples our power systems, our grid, our security systems, our
Mobile operators spending big on DPI(Mobile Europe) The service provider deep packet inspection (DPI) market is forecast by Infonetics Research to grow at a 34% compound annual growth rate from 2011 to 2016, driven by the increased use of DPI in wireless networks
Privacy worries impeding the cloud(CenterBeam) Neal Ziring, the National Security Agency's technical director of the Information Assurance Directorate, told Network World that awareness is key. Employees and officials must know the practice and policy of business security at all times to keep
Smartphones Not Required – Mobile Money On Feature Phones Is Hot In Emerging Markets(TechCrunch) Mobile money is a big deal in emerging markets. When a farmer can simply SMS payment for a cow or two people can transact business by swapping airtime, that changes the entire dynamics of an economy. So it's little surprise that some research just out today indicates how big the market is going to be. And it's all done on plain old feature phones
Mobile payments: A solution in search of a problem?(CNet) There's been a lot of hype around mobile payments over the past year, but the No. 1 problem that the mobile payments market faces is adoption. Consumers simply don't see a reason to replace their cash or plastic with a phone. And yet one company after another is clamoring to get into the market
Mikko Hypponen: Stuxnet and Flame Are Like James Bond(Softpedia) F-Secure's Chief Research Officer Mikko Hypponen has had an interesting interview with Dutch website Tweakers on topics such as digital wars and cybercrime. In the interview, the expert shares some insight not only on cyber wars, but also on the actors that run them. The computer security field keeps changing
No plan to license third UAE telecoms company(Emirates 24/7) Phone tariffs of Etisalat, du reasonable: TRA. The idea of launching a third company to provide telecommunications services in the UAE is not on the table, said Majid Sultan Al Mesmar, Deputy Director-General of the Telecom Regulatory Authority (TRA)
Report: Over Half of Job Losses Due to Sequestration Would Come From Small Businesses(ExecutiveBiz) If sequestration occurs, 52% of all job losses will come from small businesses, a study previously covered on ExecutiveBiz has forecast. A KansasCity.com article details the struggles of a number of small business owners suffering from recession, and dreading the thought of lost federal business while highlighting aspects of that study
Phone Becomes Mobile Device Of Choice For U.S. Immigration And Customs Enforcement(TechCrunch) The U.S. Immigration & Customs Enforcement (ICE) office, part of the Department of Homeland Security, recently revealed that it will be adopting iOS devices from a variety of service providers for its 17,676 users. It's a win for Apple in terms of landing a sizeable government client, but also a significant vote of confidence for the overall security of iOS as a mobile platform
iEHR aims to be agile and open(Fierce Government IT) Agile techniques have gained importance as the Defense and Veterans Affairs departments try to quickly launch the integrated electronic health record, or iEHR. With more than 100 scrum teams working at once, it's a lot to coordinate, said Barclay Butler, director of the DoD-VA interagency program office
CMS looks to NSTIC for identity management(Fierce Government IT) The Centers for Medicare and Medicaid Services wants to move away from providing credentials and instead leverage the National Strategy for Trusted Identities in Cyberspace, or NSTIC, according to CMS Chief Information Officer Tony Trenkle
DOE labs help CMS manage healthcare data(Fierce Government IT) The Centers for Medicare and Medicaid Services has more data and must facilitate its use with a broader array of partners thanks to initiatives mandated by the Patient Protection and Affordable Care Act (P.L. 111-148). By the end of 2015 Medicare claims data will almost double and Medicaid claims data will triple, "that's not counting the quality and counter data that we have," said CMS Chief Information Officer Tony Trenkle Oct. 18 at the AFCEA Bethesda Health IT Day in Bethesda, Md
After snagging $4.6B contract, Lockheed plans 'cyber kill chain' for Global Information Grid(Defense News) The Defense Department's day-to-day operations are linked in a vast, international in-house data communications network called the Global Information Grid. Seven million people — uniformed members of the armed forces as well as civilians — rely on it to exchange classified and unclassified information on personnel, vehicles, weapons and surveillance systems. Now, in a coup coming in tight economic times, Lockheed Martin has taken over the multibillion-dollar contract to manage and upgrade the system
Mellanox Forms Unit To Boost U.S. Government Business(Investor's Business Daily) Mellanox Technologies (MLNX), a maker of high-speed interconnect products for data centers and computer networks, said Monday that it's created a new unit called Mellanox Federal Systems that will drive business development with all U.S. federal agencies and the federal integrator market
ICF International Wins Contract to Improve DHS State-Urban Fusion Centers(ExecutiveBiz) ICF International has been chosen by the Department of Homeland Security to maintain and improve the agency's fusion centers for state and urban area networks, the company announced today. ICF said the one-year base and four option years contract has a potential value of $18.1 million
Raytheon Closes Wireless Cyber Buy, Looks to Access Emerging Markets(Govconwire) In the company's 11th cybersecurity-related acquisition in the past six years, Raytheon Co. (NYSE: RTN) has bought a South Carolina-based technology developer as it looks to expand its ability to provide defense, intelligence and commercial customers with wireless services. The Waltham, Mass.-based contractor did not disclose the terms of the deal and said it will not affect total sales or earnings per share through its 2013 fiscal year. Teligy Co. specializes in "transitioning prototype and proof of concept cyber products into deployable solutions," according to Raytheon's announcement, and will work to grow Raytheon's wireless, reverse engineering and vulnerability analysis offerings
One-, two-star flag assignments announced(Navy Times) Navy leadership announced the following flag officer assignments today. Rear Adm. (lower half) Sean Filipowski will be assigned as the director of intelligence, J2, U.S. Cyber Command in Fort Meade, Md. He is currently serving as the deputy director of operations, J3, U.S. Cyber Command in Fort Meade
Catapult Appoints Fred Haggard VP, Will Lead Kickstand Integration(Govconwire) Catapult Technology Ltd. has appointed Fred Haggard vice president for technology and management solutions, according to a Washington Technology article. Haggard will report to David Lyons, Catapult's chief technology officer and executive vice president, and is expected to manage the integration of Kickstand into Catapult. Both companies are owned by DC Capital Partners
Products, Services, and Solutions
Army's Anti-IED System Gets A PR Push(Washington Times) The Army has hired private firms to help improve a $2.5 billion intelligence analytical processor used in Afghanistan by troops who have given it poor reviews in identifying the enemy and deadly buried explosives
Analysis of 15 million cyber attacks(Help Net Security) A new web application attack report by FireHost offers an impression of the current internet security climate and provides statistical analysis of 15 million cyber attacks blocked in the US and Europe
First application firewall for Google Apps(Help Net Security) CloudLock launched CloudLock Apps Firewall, which helps enterprises discover, classify and enable trusted third party mobile and web apps that require access to users' Google Apps accounts and data
Verdasys launches Digital Guardian 6.1(Help Net Security) Verdasys announced Digital Guardian 6.1, an information protection platform that integrates compliance, insider threat prevention and cyber threat prevention. The release also includes an enterprise
STARHUB LTD : StarHub Unveils Government Public Cloud Services(4-traders) To stay at the forefront of cloud security, StarHub has joined the Cloud Security Alliance, the world's leading platform for promoting cloud security awareness and practices. StarHub is committed to adopting the best practices for managing and
Bill Gates: "Windows 8 Is Key To Where Personal Computing Is Going"(TechCrunch) Microsoft co-founder and current chairman Bill Gates recently sat down with the editor of Microsoft's own Next blog Steve Clayton to talk about Windows 8, Windows Phone 8 and the Surface tablet. Unsurprisingly, Gates was pretty upbeat about all of the company's upcoming product and argued that "Windows 8 is key to where personal computing is going"
Welcome To The Beta: Windows 8 Will Succeed, Despite All The FUD(TechCrunch) Microsoft is already screwing it up. Microsoft can't win. Windows 8 is sunk. Seriously: to read the headlines this last week you'd think Microsoft wasn't still one of the premier tech manufacturers in the world. While I would agree that it faces a number of challenges, both from Apple and its own OEM partners, Windows 8 will thud into the landscape with more a bang and much less than a whimper
Forrester: Windows 8 Will Just "Stop The Shrinking" – Won't Take Hold Until 2014(TechCrunch) Forrester Research analyst Frank Gillett predicts that Microsoft's Windows 8 will get off to a slow start in 2013, but will take hold in 2014. Windows 8, Gillett argues, will keep Microsoft relevant on the PC, but it will remain "simply a contender in tablets, and a distant third in smartphones." Windows 8, he says, will "simply stop the shrinking," but it won't be a fix
For Business, Windows 8 Can Wait(Wired Business) While it remains to be seen whether consumers will be lining up to buy Windows 8, one thing is clear – most businesses, large and small, aren't going to bother
Cyber Security Awareness Month - Day 22: Connectors(Internet Storm Center) Over the years, I collected quite a number of "standard" connectors/cables and interfaces. This is certainly an area where standards seem to be proliferating quickly. To stick with our theme of security and security awareness, I would like to focus on a couple of popular standards and particular outline security aspects of the standard. First of all, pretty much all peripherals connected to a system require drivers to interact with the device. These device drivers frequently are part of the kernel and a vulnerability in the device driver will lead to a system compromise. I don't think the full potential of this class of vulnerabilities has been realized yet, but there have certainly been some notable exploits that were based on these vulnerabilities. Even simple devices like VGA monitors do send some data to the system, and could potentially be used to exploit vulnerabilities (I am not aware of a VGA vulnerability)
Why Patch Management is Vital to Your Business Network Security(Infosec Island) If your business has any IT resources at all and is connected to the Internet, it's not a question of if you will suffer a security incident; it's just a matter of when. Just how bad such an incident will be comes down to your patch management strategy. Patch management is critical in any size company, from the sole proprietorship to the international enterprise, and keeping up with the patching on every single server and workstation on your network is the most effective thing you can do to minimize your exposure to the threats facing your network
5 Ways to Make Your Browser More Secure(eSecurity Planet) Installing antivirus software is a good starting point for protecting data while surfing the Web -- but it's only a start. Here are five ways to make browsing sessions more secure. While installing antivirus software is a good start to safe Internet browsing, it's only a start. There is much more you can do to help protect yourself when browsing the Web than merely installing antivirus
How much do you know about search engines? Quis Custodiet Ipsos Custodes?(SecurityAffairs) Every day billions of people submit an unimaginable number of queries through Internet search engines. These powerful instruments have profoundly changed users' perception of web content. Before search engine popularity, web portals, like DMOZ Open Directory Project
Dutch government to let law enforcement hack foreign computers(ComputerWorldUk) The Dutch government wants to give law enforcement authorities the power to hack into computers, including those located in other countries, for the purpose of discovering and gathering evidence during cybercrime investigations. In a letter that was sent to the lower house of the Dutch parliament last week, the Dutch Minister of Security and Justice Ivo Opstelten outlined the government's plan to draft a bill in upcoming months that would provide law enforcement authorities with new investigative powers on the internet
Japan & India strengthen cyber-security cooperation(Infosecurity Magazine) During a meeting to exchange views on regional and international security, including maritime, cyber and outer-space security, India and Japan have agreed to kick off the India-Japan Cyber Security Dialogue, starting with an early meeting in the coming
Retired OMB IT Chiefs Urge Federal Cyber Policy Rewrite(Nextgov) Veteran White House information technology leaders going back to the Nixon administration on Tuesday are expected to press the Obama administration to overhaul federal cybersecurity policy now, without legislation, according to a report reviewed by Nextgov
GOP Legislators Question HITECH Merits - Senators Demand Meeting With Regulators(Government Information Security) Four Republican senators have joined four congressmen in questioning the value of the HITECH Act's electronic health record incentive program, which is providing billions to hospitals and physicians who make meaningful use of EHRs. For example, they question whether EHRs enable billing fraud and if the program's requirements for interoperability and secure data exchange are tough enough. Senators Tom Coburn, R-Okla., John Thune, R-S.D., Richard Burr, R-N.C., and Pat Roberts, R-Kan., are requesting that officials at the Department of Health and Human Services meet by Oct. 26 with the Senate Finance Committee and the Senate Health, Education, Labor and Pension Committee to address their concerns
SASC report too blunt an instrument to address Accumulo(Fierce Government IT) Language in the Senate Armed Service Committee's fiscal 2013 national defense authorization bill report regarding Defense Department utilization of an open source NoSQL database may have unintentional bad side effects
Huawei gear is secure, say U.S. network service providers(Computer World) Responding to a congressional report warning U.S. businesses not to buy equipment from Huawei Technologies or ZTE, three U.S.-based telecommunications companies that use Huawei products said they take strong precautions to safeguard their networks. The report, by the House Permanent Select Committee on Intelligence, said the possibility that the two Chinese companies have ties to the Chinese government raises the prospect that China is using their gear to conduct electronic espionage. After the report was issued, three Huawei customers -- Clearwire, Cricket Communications and Level 3 Communications -- defended their choices
Mirror Group faces allegations of phone hacking(Telegraph) The claims relate to Mirror Group Newspapers, which also publishes the Sunday People and the Sunday Mirror. Mr Eriksson's claim is believed to relate to the Daily Mirror during a period when Piers Morgan was editor. Mr Morgan has repeatedly denied any role in phone hacking
Will the Apocalypse Arrive Online?(Huffington Post) How Fear of Cyber Attack Could Take Down Your Liberties and the Constitution. First the financial system collapses and it's impossible to access one's money. Then the power and water systems stop functioning. Within days, society has begun to break down. In the cities, mothers and fathers roam the streets, foraging for food. The country finds itself fractured and fragmented -- hardly recognizable
A Mixed Message for National Security Whistleblowers(Huffington Post) While an official at the National Security Agency, Drake became concerned that the agency's use of a computer program to search through Americans' electronic communications was wasteful and illegal. He scrupulously followed official whistleblowing
Cyber Security: A National Imperative(Washington, DC, October 29, 2012) Lockheed Martin is hosting a panel discussion on Cyber Security: A National Imperative – An in-depth view of Cyber Security from the world's leading defense contractor on Monday, Oct. 29, 11:00am at the...
TechExpo Cyber Security Careers(Columbia, Maryland, November 1, 2012) Profit from presentations by leading industry figures and networking opportunities designed for serious job-seekers.
E2 Innovate Conference & Expo(Santa Clara, California, November 14 - 15, 2012) E2 Innovate, formerly Enterprise 2.0, brings strategic business professionals together with industry influencers and next-gen enterprise technologies.
Anatomy of an Attack(New York, New York, November 15, 2012) Join Sophos security experts in exploring how threats like malware, Trojans, worms and spyware actually work and what you can do to protect your company, even if you're on a tight budget.
ZeroNights(Moscow, Russia, November 19 - 20, 2012) ZeroNights is an international conference dedicated to the technical side of information security. The mission of the conference is to disseminate information about new attack methods, threats and defense...
IRISSCERT Cyber Crime Conference(Dublin, Ireland, November 22, 2012) The IRISSCERT Cyber Crime Conference will be held this year on Thursday the 22nd of November 2012 in the D4Berkley Court Hotel, in Ballsbridge Dublin. This is an all day conference which focuses on providing...
Digital Security Summit(Riyadh, Saudi Arabia, December 1 - 2, 2012) A major conference to discuss the growing threat to digital security in the Middle East, especially in Saudi Arabia.
tmforum Management World Americas(Orlando, Florida, USA, December 3 - 6, 2012) Management World Americas is the only conference covering end-to-end management of digital services and the challenges of running any service provider business. In addition to a full Cable Summit and Executive...
BayThreat(Sunnyvale, California, December 7 - 8, 2012) The theme for BayThreat is a new spin on the dichotomy of attacking and defending in information security. We're calling out all of the attackers and defenders that are on the front lines of the battle.
SANS Cyber Defense Initiative(Washington, DC, December 7 - 16, 2012) Specialized courses covering the latest in cyber attacks, including how they work and how to stop them. The event will also feature the Netwars Tournament of Champions.