Adobe patches Flash again as two new exploits are discovered in the wild. Kaspersky reports finding the HackingTeam's DaVinci lawful intercept product installed via a Flash Player vulnerability. FireEye reports the LadyBoyle espionage tool is also exploiting Flash.
As financial institutions swiftly and effectively upgrade defenses, spearphishing has, as we've noted, displaced more sophisticated attacks against banks. Help Net Security profiles one of the more effective spearphishing crews, a Chinese hacking gang called "Comment Group" because it deploys malicious payloads in website comment sections.
Yahoo receives harsh criticism for directing small-business clients to SiteBuilder, a free website-building tool that uses an out-of-date and vulnerable version of Java. Last week's Facebook redirecting error spooks security analysts: some see it as foreshadowing a new class of hacks that exploit transitive trust issues.
Yesterday Microsoft addressed fifty-seven vulnerabilities in twelve bulletins (five critical)—fixes to Internet Explorer and Windows Kernel driver win32k.sys are the most significant.
Several reports on critical infrastructure protection trends appear. Machine-to-machine links are opening new vulnerabilities. And augmented reality? Another new field for bad actors.
Britain is spending a lot on cyber security (and industry has certainly benefited) but apparently not enough to satisfy authors of a National Audit Report, who see the UK as decades behind the threat. US Federal budget sequestration looks likelier; Senate Republicans see it as a near certainty.
T. Rowe Price opposes Dell's leveraged buyout.
US President Obama signed an executive order on threat information sharing yesterday; another cyber executive order is expected today.
Today's issue includes events affecting Algeria, Argentina, Australia, Bahrain, Canada, Ethiopia, European Union, France, India, Iran, Italy, Japan, Kazakhstan, Mali, Mexico, Russia, Saudi Arabia, Turkey, United Arab Emirates, United Kingdom, United States.
LadyBoyle comes to town with a new exploit (FireEye) By now you have probably heard of the new zero-day exploit in Adobe Flash that was patched today. FireEye Labs identified the exploit in the wild on February 5, 2013, which, based on the compile time and document creation time, is the same day the malicious payload was generated. Adobe PSIRT has released information about this threat here. They have also released an advisory with details on versions and platforms affected along with applicable patches. The two exploits have been assigned CVE-2013-0633 and CVE-2013-0634. It is highly recommended that you apply this patch right away, as this threat is active in the wild
Comment Group hackers specialize in high-profile targeted attacks (Help Net Security) It is common knowledge that spear-phishing has become the preferred way for persistent attackers to gain a foothold in targeted systems and networks. In fact, most of the successful compromises believed to be executed by Chinese hackers in the last two to three years have been initiated by spear-phishing emails
Citi Group customers targeted with malware-laden alerts (Help Net Security) A malware-spreading spam campaign targeting Citi Group customers is underway, so if you are one, be on the lookout for an email alerting you to the receipt of a "secure message"
Facebook's redirect error foretells the future of hacking (InfoWorld) Last week Facebook suffered an "error" that had an astounding ripple effect, as users of thousands of popular websites were inadvertently redirected to a Facebook error page. It was shocking to learn that Facebook Connect could disrupt every site it linked to -- but even more troubling was the glimpse it gave us of future hacker attacks. In security circles, the underlying issue is termed "transitive trust." The average popular website links to all sorts of sites and services, with the typical home page featuring more than a dozen third-party links
Security Patches, Mitigations, and Software Updates
Adobe releases patches for Flash Player and Shockwave Player (Computer World) Adobe released security updates for Flash Player and Shockwave Player on Tuesday in order to address a total of 19 vulnerabilities affecting the two products. New stand-alone versions of Flash Player 11 were released for Windows, Mac, Linux and Android. The Flash Player plug-ins bundled with Google Chrome and Internet Explorer 10 will be automatically updated through the update mechanisms of the two browsers
M2M offers hackers a new frontier to attack (TechWorld) Cybercriminals have a new attack vector that security watchdogs are worried about -- the growing number of devices that routinely use the Internet to function. Machine-to-machine (M2M) security is closely connected with what's known as "The Internet of Things" and involves a host of devices that use mobile modules to connect to the Internet. There's the vending machine, for example, that communicates with a distributor when supplies get low, or the E-ZPass toll-paying system
Final U.S. infrastructure report offers a sober message (Homeland Security Newswire) As a way of introducing the American Society of Civil Engineers (ASCE) 2013 Report Card for America's Infrastructure, which will be released on 19 March, the ASCE, during a teleconference on 15 January, unveiled its fifth and final report in the Failure to Act series, The Impact of Current Infrastructure Investment on America's Economic Future, which addresses the comprehensive impacts of underinvesting in infrastructure in the United States. An ASCE release reports that ASCE has a sober message for elected officials, policy makers, businesses, and the general public: unless the United States invests an additional $1.57 billion per year in infrastructure (drinking water and waste water, electricity, airports, seaports and waterways, and surface transportation) between now and 2020, the nation will lose
Malware authors revert to phishing approach to trick bank defenses (Help Net Security) Banking malware that performs Man-in-The-Browser tricks such as injecting legitimate banking sites with additional forms, hijacking the authenticated session to add a new payee and transfer money in the background, and so on, has had much success in the past. But, as financial institutions have reacted to their existence and have implemented systems for monitoring the online sessions between customers and their web applications, the actions of malware such as Tinba, Tilon, Shylock and others employing the MitB approach are increasingly detected and thwarted. Consequently, the malware authors have had to resort to new tricks to avoid detection
Unintended, malicious and evil applications of augmented reality (Help Net Security) Most new products begin life with a marketing pitch that extols the product's virtues. A similarly optimistic property holds in user-centered design, where most books and classes take for granted that interface designers are out to help the user. Users themselves are assumed to be good natured, upstanding citizens somewhere out of the Leave it to Beaver universe. In reality, however, the opposite is often true
Highlights from 450 global data breach investigations (Help Net Security) Trustwave released details from a report that highlights details and trends from 450 global data breach investigations, 2,500 penetration tests, nine million Web application attacks, two million network
Mobile malware still small, but 'malnets' to rise up (CSO) With 70% of employees across corporate networks using a personal smartphone or tablet, the growing attack surface is too big to ignore. Mobile device operating systems are still more secure than those of desktop or laptop computers. But today's mobile spam and phishing attacks will increasingly be delivered via mobile malware networks
Cyber security bombast boosts UK PLC (Computer Week) Official auditors have started scrutinizing the vaguely menacing fog that has obscured government spending on cyber security. Early signs are that most of what passes for cyber crime on these shores is credit card fraud. Yet most cyber security spending has gone to intelligence and defence agencies. And much of the rhetoric used to justify the expenditure has been about "attacks" of an unspecified but most certainly frightening nature, by people of uncertain address and approximate degree of malice. One thing is most certain though, on the publication today of the National Audit Office's first report on cyber security spending, and that is that the cyber threat has been very good for business
Defense Cuts A Necessary Step To Control Deficit (Politico.com) Despite frequent protestations to the contrary, lawmakers do not love cutting the spending they actually control, particularly from the agency with the most spending of all: the Defense Department. But in order to balance the budget and strengthen our economy, Congress must take on every part of government, particularly the one that extends America's might around the world
Top Defense Officials Renew Alarm On Sequestration Threat (Washington Post) Senior Defense Department officials warned Congress on Tuesday that the looming sequestration cuts represent a dire and unprecedented threat to the U.S. military, with the potential to harm everything from combat readiness at a time of dangerous international tensions to the Pentagon's efforts to reduce military suicide
Hunter: DoD Being Overly Dramatic About Cuts (ArmyTimes.com) A California Republican accuses the Defense Department of adding drama to looming budget cuts, like not deploying an aircraft carrier when less drastic options are available
Karen Mills Stepping Down From SBA Leadership (ExecutiveGov) Karen Mills, head of the Small Business Administration, told agency staff Monday she is stepping down after four years at the helm. Mills will continue to lead the agency until her successor is named
Ed Greer Joins IT Services Firm MIL Corp As COO (GovConWire) Ed Greer, former deputy assistant defense secretary for development test and evaluation, has joined information technology services provider MIL Corp. as chief operating officer. He told the Washington Post in an interview published Monday that he joined the Bowie, Md.-based company to help it expand its business in weapons system IT
Jerry DeMuro Retiring As General Dynamics Info Systems-Tech Group EVP (GovConWire) Gerard "Jerry" DeMuro, executive vice president of General Dynamics' (NYSE: GD) information systems and technology group, will retire from the company Feb. 28 to pursue new professional opportunities. Business units within the group will report directly to Phebe Novakovic, chairman and CEO, until the company appoints DeMuro's successor, General Dynamics said Tuesday
Raytheon Riot: Defense spying is coming to social networks (Dark Reading) Multi-national defense company Raytheon is getting ready to ship a big data social networking spy system. But they are far from the only ones tracking you. According to the Guardian, multi-national security company Raytheon has developed Rapid Information Overlay Technology (Riot), a big data, social-networking spy program. With Riot, a user -- typically a government official -- will be able to pull together your life-history; your relationships with other people; and the places where you're most likely to be found. These tracking profiles are based not just on obvious information, such as your listing of a hometown on Facebook or FourSquare GPS location data, but also on "invisible" location metadata from digital photographs
New security startup tackles strong authentication (Help Net Security) Nok Nok Labs launched today. Through its Unified Authentication Infrastructure, which leverages existing technologies such as fingerprint sensors or webcams, TPM chips, or voice biometrics, organization
Sophos extends UTM to the enterprise (Help Net Security) Sophos has strengthened its network security offerings with two enhanced high-end UTM appliances, Sophos UTM 525 and 625, and the new Sophos RED 50 (Remote Ethernet Device), the first security solution
It's not all about Hadoop (FierceBigData) The Apache Hadoop Project has resulted in the biggest, most accessible and most recognizable open source database available for big data. But it's not the only one. HPCC Systems, a spinoff from LexisNexis, is ready to challenge it, according to CIO magazine
Microsoft Surface Pro: Right For You? (InformationWeek) Microsoft's business-friendly Windows 8 tablet-laptop hybrid isn't perfect. From battery life to weight considerations, we break down whether Surface Pro will suit your needs
Critics question Telstra's motives on P2P throttling (The Age) Consumer groups fear a trial by Telstra that will slow the speed of peer-to-peer (P2P) services could be the start of a trend that sees ISPs "interfering in people's online activities". Last week Fairfax Media revealed that Telstra was planning to throttle, or slow, certain internet services during peak periods as part of a "trial" on its ADSL network that was, according to a source, likely to become permanent
How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack (Dark Reading) A rare inside look at how the defense contractor repelled an attack using its homegrown 'Cyber Kill Chain' framework. A few months after RSA had rocked the security world with news that it had been breached and its SecurID database exposed in a sophisticated attack, defense contractor Lockheed Martin discovered an intruder in its network using legitimate credentials
Main changes in the new ISO 27002 (2013 draft version) (ISO 27001 & ISO 22301 (blog)) In my previous blog post I analyzed the changes between the old ISO 27001 (published in 2005) and the 2013 draft; naturally, controls from ISO 27001 Annex A cannot change without changing ISO 27002 because the essence of these two standards is to be aligned. So, let's take a look at what changes are proposed for ISO 27002 (source: BSI website) - it is important to note here that since this is only a DIS (draft) version of ISO 27002:2013, it is expected that the final version will differ quite a bit. Here I'll focus mainly on how the controls are structured, and not so much on their description - so here are the main differences
How to sacrifice your online privacy for fun and profit (Data Protection) Should you remain a passive observer, or jump into the action yourself? Welcome to the dark side of the data economy. You have value--and not just as a good friend, loving family member, and upstanding member of society. You're also a valuable commodity that companies buy and sell. Your age, browsing habits, and friends lists are all hot properties. And yes, all this data is recorded, packaged, and sold to the highest bidder by your favorite websites
Mark Gerencser: Collaboration & Legal Framework Key to Leveraging Big Data for Business Growth (ExecutiveBiz) The amount of information about us as individuals, the products we purchase, the processes we utilize and the businesses that surround us has grown exponentially. At present, we generate more data every two days than we did in aggregate from the dawn of early civilization through the beginning of the 21st Century. Moreover, this information explosion continues to accelerate each year by 40%. This is called the "Big Data Revolution" and it is not only big in volume, it's also big in variety and velocity, meaning different types of data from flat files to streaming video and at a wide range of input speeds and refresh frequencies. Big Data has very big implications for business
Embarking on a data governance strategy (FierceBigData) If enterprises are only analyzing one percent of their data to develop their business and customer intelligence, as IDC analysts have said is the case for data analytics overall, it is safe to assume the reason, in part, is that they are unaware of all the data they have, where all their data is stored and the integrity of the data (of which they are aware). So before big data initiatives can take place, such businesses, and in good practice all businesses, need to consider applying some data governance
HIMSS13 panelist makes the business case for predictive analytics (FierceMobileHealthcare) There are plenty of positives to predictive analytics, such as improved quality of care and efficiency. But failing to act upon predictive data could have significant negative consequences, says Tina Buop, CIO of La Clinica de la Raza, a community health center in Oakland, California
Design and Innovation
Learn COBOL: It will outlive us all (IT World) Here's an old computer science joke: What's the difference between hardware and software? If you use hardware long enough, it breaks. If you use software long enough, it works. The truth behind that is the reason that so much decades-old COBOL code is out there still driving crucial applications at banks and other huge companies
Research and Development
A quantum shell game that street hustlers would hate (Ars Technica) Unlike a classical shell game, bettors can win two-thirds of the time. In the classic con game, an object is hidden under a shell or cup. The quantum analog has very different possible outcomes. The division between the "classical" and "quantum" worlds is most obvious when performing measurements. In classical systems, measurements generally are minimally invasive: you can find your height or weight, for example, without changing either quantity in a noticeable way. Quantum systems, however, have an interdependence between the instrument and the object being measured. In recent years, weak measurements have probed the division between the classical and quantum regimes by limiting the interaction between the apparatus and the system being measured
DARPA, FIDO Alliance Join Race to Replace Passwords (Threatpost) Nearly everyone agrees that passwords are the bane of Internet security. For years, industry thinkers have somewhat vaguely referenced the need for Internet fingerprints capable of reliably verifying identities online. Yet here we are, it's 2013 and passwords remain the primary means of authenticating users onto networks and workstations
Cybersecurity Strategy of the European Union - the proposal (SecurityAffairs) Last week the European Commission and Catherine Ashton, the High Representative of the European Union for Foreign Affairs and Security Policy, submitted to the Council and the European Parliament a draft Cybersecurity Strategy of the European Union. The document is the first of its kind from the institutions mentioned, even though for several years the authorities have been emphasizing the need to raise the level of security of the member states of the EU in cyber space. One of the most interesting documents prepared in the past was the Action Plan and a Communication on Critical Information Infrastructure Protection (CIIP), with which the EU aims to strengthen the security and resilience of vital Information and Communication Technology (ICT) infrastructures
Heads-Up - EU Data Protection Proposal Taken Word For Word From US Lobbyists (Slashdot) Glyn Moody looks at the proposed EU directive on Data Protection and how some of the proposed amendments seem to be cut and pasted directly from the American Chamber of Commerce, that well-known European organisation... You might ask, Glyn writes, whom these MEPs are representing: the some 500 million EU citizens that pay their salary, or a bunch of extremely rich U.S. companies intent on taking away our privacy?
Barack Obama Is The First Cyber War President, But A President Can't Win A Cyber War (Fast Company) President Barack Obama ran on change we can believe in--and he and the media will take the opportunity in this week's State of the Union address to assess his response to the global economic crisis and rebuilding America's health insurance system. But there's a quiet change happening in his role as Commander-in-Chief, too--one you won't likely hear much about in Tuesday evening's address. Slowly, with very few observers noting it, Obama has become our first cyber-war president
Companies Want National Policies to Combat Cyber-Spies (EWeek) In the wake of an intelligence report blaming China for most of the espionage attacks on U.S. businesses and government agencies, security experts say the private sector needs national support. Following a classified National Intelligence Estimate that reportedly blames China for the majority of cyber-espionage attacks targeting U.S. agencies and businesses, security experts called for the government to take a harder policy line to deter such attacks. The classified intelligence report, released by the Office of the Director of National Intelligence, aims to identify threats to the nation
Executive order on cybersecurity coming, but is it only a 'down payment on legislation'? (CSO) Based on leaked versions of the order, the White House is expected to put DHS in charge of organizing a cyberthreat information-sharing network. President Obama has spent much of the past two months focused on citizen security through gun control. Today, he is expected to focus on the security of the nation's critical infrastructure (CI) through a long-anticipated executive order promoting better information sharing on cyberthreats between government and private industry
Share Information To Fight Cyber Crime (Baltimore Sun) That's why, this week, I, along with House Intelligence Committee Chairman and Michigan Republican Mike Rogers, am reintroducing common-sense legislation to give American companies access to certain classified information on impending cyber threats before the attack occurs
Data protection practices in EU and Asia (Help Net Security) Research undertaken by Field Fisher Waterhouse into the existing legal framework mandating encryption of personal data in the EU and Asia details legal requirements and reveals a trajectory of data pr
Obama Order Gives Firms Cyberthreat Information (New York Times) President Obama signed an executive order on Tuesday that promotes increased information sharing about cyberthreats between the government and private companies that oversee the country's critical infrastructure, offering a weakened alternative to legislation the administration had hoped Congress would pass last year
Litigation, Investigation, and Law Enforcement
YouTube Files Appeal Against Regulator In Russia Over Content Blocked By New Firewall (TechCrunch) Google this week fired off one of the first high profile tests of Russia's controversial new firewall -- erected November 1, 2012 to block child porn, drugs and suicide content, but seen by critics as a route for the government to block whatever else it chooses. Google's YouTube operation in Russia has filed an appeal against the Russian regulator for blocking YouTube content
White House Must Respond to Petition Seeking Swartz Prosecutor's Firing (Wired) A whitehouse.gov petition demanding that President Barack Obama's administration remove Aaron Swartz's prosecutor in the aftermath of the internet activist's suicide has surpassed 25,000 signatures. That means the Obama administration is obliged to enter the debate over whether authorities including line prosecutor Assistant U.S. Attorney Stephen Heymann went too far in prosecuting the 26-year-old internet sensation
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
North American ICS & SCADA Summit (Lake Buena Vista, Florida, USA, February 6 - 15, 2013) The Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along...
ATMiA US Conference 2013 (Scottsdale, Arizona, US, February 19 - 21, 2013) A conference devoted to the design of ATMs, and the future of the ATM industry.
#BSidesBOS (Cambridge, Massachusetts, USA, February 23, 2013) Each BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of...
RSA USA 2013 (San Francisco, California, USA, February 25 - March 1, 2013) RSA Conference continually evolves program offerings to meet the ever-changing needs of our delegates in the dynamic infosec industry.
Nullcon Goa 2013 (Bogmallo Beach Resort, Goa, India, February 26 - March 2, 2013) An international information security conference that will feature speakers and training. Topics include security and politics, vulnerability elimination, Android hacking, SCADA and smart grid penetration...
NRO Winter Way Forward Conference (Chantilly, Virginia, USA, February 28, 2013) This annual event will provide an increased awareness, understanding and support among the IT workforce by focusing on the NRO IT Way-Forward in terms of the NRO IT Sub-Portfolio Roadmaps. Exhibitors will...
TechMentor Orlando 2013 (Orlando, Florida, USA, March 4 - 8, 2013) Celebrating 15 years of educational events for the IT community, TechMentor is returning to Orlando, Florida, March 4-8, for 5 days of information-packed sessions and workshops. Surrounded by your fellow...
IHS CERAWeek 2013 (Houston, Texas, USA, March 4 - 8, 2013) IHS CERAWeek 2013 will offer new insight on the energy future -- and on the strategic and investment responses by producers, consumers and policy-makers. What are the changes ahead in the competitive...
Business Insurance Risk Management Summit (New York City, New York, USA, March 5 - 6, 2013) The annual Risk Management Summit, now in its fourth year, provides attendees with focused insight via specific, timely general sessions and strategic, thought-provoking discussions with peers and industry...
CanSecWest 2013 (Vancouver, British Columbia, Canada, March 6 - 8, 2013) CanSecWest, the world's most advanced conference focusing on applied digital security, is about bringing the industry luminaries together in a relaxed environment which promotes collaboration and social...
e-Crime Congress 2013 (London, England, March 12 - 13, 2013) The e-Crime Congress is designed to meet the needs of key stakeholders and decision makers who are responsible for designing and coordinating information security and risk management strategy, safeguarding...
CTIN Digital Forensics Conference (Seattle, Washington, USA, March 13 - 15, 2013) Speakers include experts and published authors in the field of digital forensics and cybersecurity. Topics include: Mobile Device Forensics, Internet Forensics, Physical Memory Analysis, Open Source Tools,...
Google and University of Maryland Cybersecurity Seminar (College Park, Maryland, USA, March 14, 2013) Dr. Ari Juels, Chief Scientist of RSA, The Security Division of EMC, and Director of RSA Laboratories, will discuss "Aggregation and Distribution in Cloud Security." His talk will feature information...
Department of Homeland Security 6th Annual Industry Day (Washington, DC, USA, March 18, 2013) The Department of Homeland Security (DHS) will be hosting its 6th Annual Industry Day to provide advanced acquisition planning information to industry. DHS Industry Day will consist of two sessions, the...