More signal. Less noise.

Daily briefing.

Several new exploits appear in the wild, including more problems for Java (but see the SANS Institute's suggestions about why you might need Java before you disable it). Another iPhone passcode vulnerability is found, as are a certified banking Trojan, a Japanese word-processor zero-day, and SMS-stealing malware.

In news from the various fronts of the cyber cold war, Bruce Schneier is concerned that Chinese attacks are needlessly fueling a cyber arms race. InformationWeek, however, suggests you "focus on the sorry state of your information security defenses" instead of obsessing over the People's Liberation Army. In any case, the relationship between the US and China is far more complex than simple war or peace.

Stuxnet returns to the news in a big way with the revelation that its precursors were quietly at work against Iran as early as 2005, prompting the Huffington Post to say that as far as this cyber cold war is concerned "the West started it."

"Cyber war" has apparently become sufficiently elastic to encompass electromagnetic pulse—a secondary effect of a nuclear detonation.

The Intelligence Community seeks to preserve capability in the coming austerity of US Federal budget cuts. US Defense Department mobile device policy shifts will prompt a scramble among device and service providers. Industry leaders participating in the Cloud Security Alliance Summit say cyber labor shortfalls put their organizations at risk.

The University of Maryland University College's president, noting that demand for cyber workers exceeds supply, challenges academia and industry to help close the gap.

Notes.

Today's issue includes events affecting Australia, Canada, China, India, Iran, Israel, Japan, Republic of Korea, Serbia, Spain, United States.

Dateline RSA

[RSA 2013] Conference Resources (RSA Conference) Bookmark this page for easy access to the information and resources you'll need to make the most out of your week. Make sure to check out what's new for 2013!

A walk through the expo at RSA Conference 2013 (Help Net Security) The expo floor at this year's RSA Conference is bigger than ever, with numerous companies exhibiting for the first time. Here's a look at the show floor, with more interesting booths. For up-to-date

The look and feel of RSA Conference 2013 (Help Net Security) The much anticipated expo at RSA Conference 2013 today opened its doors in great style. Here's the first of several galleries we'll have from the show. For up-to-date conference news check out our

RSA 2013: Is Cryptography Still Necessary? (eSecurity Planet) Is cryptography becoming less important? At least one member of a panel at the RSA 2013 conference thinks so. At the core of modern security is the idea that cryptography is essential. Yet this premise was challenged today by a panel of the world's top cryptographers at the RSA 2013 conference. Adi Shamir, co-inventor of the RSA cryptographic algorithm, challenged his fellow co-inventor Ron Rivest and Whit Diffie, co-inventor of the Diffie-Hellman algorithm, during a keynote panel session. "Cryptography is becoming less important," Shamir flatly stated to the shock of his fellow panelists. "In the 21st century, even the most secure isolated systems have been penetrated"

Debate: Does Security Awareness Training Actually Improve Enterprise Security? (Dark Reading) It has been an ongoing debate for years: On one side are experts who say that proper end user training is an essential element in their security. On the other side are experts who say that it is a waste of time and the best solution is to implement technology and controls to protect users from themselves

RSA: Stopping Data Mishaps More Important Than Stopping Zero-Days (PC Magazine) Testing company Spirent dropped a fairly bold claim today during a discussion with me at the RSA conference. While describing their extensive suite of testing products, a representative from the company described how preventing everyday mistakes by users may be more important than out-thinking a cyber attacker…The other piece of Spirent's work Chadda showed me was an interface for IT professionals to replicate the kind of traffic they'd see from different apps. Chadda explained that with it, companies could institute rules for specific applications--such as allowing Skype instant messages and voice chats, but not file transfers--and then test those rules to ensure they are working correctly

Latest Kelihos Botnet Shut Down Live at RSA Conference 2013 (Threatpost) Down goes Kelihos again. The third version of the prolific peer-to-peer botnet responsible for volumes of pharmaceutical spam, Bitcoin wallet theft and credential harvesting was shut down before a live audience today at RSA Conference 2013. With the execution of a few commands that culminated weeks of intelligence gathering and coding, a CrowdStrike researcher was able to sinkhole thousands of bots before a packed session hall

RSA 2013: Anatomy of a 'Longlining' attack (CSO Salted Hash) Proofpoint study describes a "new" industrial phishing technique that's becoming increasingly popular among attackers

Maryland Cyber Stars at RSA (with pub crawl) (CyberMaryland) Today at RSA, some of Maryland's cyber stars will visit the CyberMaryland booth, #216. If you're in San Francisco for the conference, stop by. If not, stay tuned to this page, follow @CyberMaryland on Twitter and visit CyberMaryland.org for updates

Qualys FreeScan service expanded with vulnerability scanning and configuration auditing (Help Net Security) At RSA Conference 2013, Qualys has expanded its popular FreeScan service to support scanning internal and external systems and web applications and also added new security and compliance audits

Centralized security management for physical, virtual and mobile endpoints (Help Net Security) At the RSA Conference 2013 in San Francisco, Bitdefender announced GravityZone, a centralized security management system for physical, virtual and mobile endpoints. Using cloud computing architecture

AhnLab offers dynamic disruption of active security breaches (Help Net Security) At the RSA Conference 2013 in San Francisco, AhnLab announced the AhnLab Malware Defense System (MDS), an enterprise strength security system that combines local and cloud-based analytics to stop advanced

Qualys brings vulnerability management to Amazon EC2 and VPC (Help Net Security) At RSA Conference 2013 in San Francisco, Qualys announced powerful new vulnerability management capabilities for Amazon EC2 and VPC customers using a QualysGuard connector leveraging Amazon APIs

LynuxWorks Debuts Industry's First Real-Time Zero-Day Rootkit and Bootkit Defense (MarketWire) LynuxWorks, Inc., a world leader in secure virtualization, today announced that they will be demonstrating the industry's first technology capable of real-time detection, alert and protection against zero-day rootkits and bootkits. Rootkits are the most sophisticated and lethal type of malware -- stealthy and extremely potent. When resident on endpoint devices, the LynxSecure 5.2 product can help security experts and IT staff discover rootkit infections and neutralize them, and then easily remotely clean infected machines, thereby preventing future infections

Thales and Entrust Partner to Deliver High Levels of Assurance for Identity Management, Encryption and Public Key Infrastructure Solutions (Sacramento Bee) Under a commercial relationship Entrust to resell Thales nShield HSMs to complement its enterprise and managed service offerings. Thales, leader in information systems and communications security, and Entrust Inc., a pioneer and global leader in public-key infrastructure (PKI) technology, announce a strategic partnership to deliver easy to deploy, high-assurance encryption and key management solutions for customers worldwide, whether they are securing their enterprise or protecting information in the cloud

Threats Neutralized Here: Narus and Teradata Enhance Offerings for Cyber Defense (IT News Online) It started out as a low-level DDoS alert on the network of a government agency, but turned out to be a systematic DNS enumeration originating from a botnet. Another government body discovered multiple infrastructure policy violations, including unauthorized equipment and applications connected to and running on their networks. This is one of countless surreptitious security breaches that newly enhanced Narus and Teradata cyber security analytics quickly help clients detect and neutralize

Mandiant Launches New Threat Intelligence Offering (Dark Reading) Threat Intelligence provides customers with the analytical tools and contextual analysis to help customers better understand high priority threats. Mandiant, the leader in advanced threat detection and response solutions, today announced the launch of Mandiant Intelligence Center™, a new offering that enables security teams to access Mandiant's threat and malware intelligence. The Mandiant Intelligence Center provides customers with the analytical tools and contextual analysis to help customers better understand high priority threats so they can identify and stop attacks

HP Announces New Security Research Organization at RSA (eSecurity Planet) HP consolidates the effort of multiple security divisions into a single unit for quicker and more effective risk remediation. In recent years HP has expanded its security portfolio by acquiring multiple security vendors. Now in an effort to provide greater clarity and improve its research efforts, HP is consolidating DVLabs, the Zero Day Initiative (ZDI) and HP Fortify Software Security Research into a single unit called HP Security Research (HPSR)

HID Global Unveils Turnkey ActivID Appliance Solution For Strong And Versatile Authentication (Dark Reading) HID Global, a worldwide leader in secure identity solutions, today announced its new ActivID Appliance solution for strong authentication. Enabling organizations to protect corporate data against unauthorized access, ActivID Appliance is an essential component to ensure enterprise data security across numerous industries including banking, government and healthcare. Targeted at medium to large organizations, the versatile appliance is interoperable with the widest range of authentication methods to ensure an organization's employees, consultants, partners, and customers have secure and appropriate access to corporate data and online applications

Cyber Attacks, Threats, and Vulnerabilities

2 More Java Zero-Day Vulnerabilities Emerge (Dark Reading) While Oracle investigates reports that two bugs in Java 7 could allow attackers to remotely bypass the sandbox and compromise a system, security experts reiterate: If you don't need Java, turn it off

All I need Java for is… (Internet Storm Center) Java just can't catch a break! A number of our readers have pointed out that Security Explorations claims they have 2 new Java zero days (no verification from Oracle on this yet). This of course has fueled the fire of "it's time to just say no and uninstall Java" in many quarters. And for general purpose internet browsing, maybe you can. If you do need Java, and if you do, changing the security settings to "ask every time" is a good way to go. Of course, if you run a business app that needs Java, you need to make it transparent to your user community somehow - this can be a particular problem if your app needs a specific (aka old / vulnerable) Java version - we've talked about this in a few different stories over the last few months. But this got me to thinking, as security folks, what tools or processes do we use daily that need Java

Second iPhone passcode hack vulnerability discovered (Naked Security) You too can get into somebody's locked iPhone, particularly if you have a prehensile tail and don't mind (almost) placing a phony emergency call. Which you a) probably don't and b) hopefully do

Certified online banking trojan in the wild (The H) Jean-Ian Boutin, who works for AV firm Eset, has discovered trojans that carry a valid digital signature. This potentially allows online banking spyware to pass superficial tests as harmless. Apparently, the certificate in question was issued by the DigiCert Certificate Authority – to a company that ceased to exist a long time ago

Ichitaro Vulnerability: Another Zero-Day Exploit in the Wild (Symantec) We have already seen a handful of zero-day vulnerabilities being exploited in the wild this year. These vulnerabilities have affected users globally leaving both individuals and organizations scrambling to protect their computers. While this does become tiring, this is not the time to rest or become complacent, especially for those using the Japanese word processor software, Ichitaro

Korean Android users targeted with SMS-stealing Trojan (Help Net Security) The popularity of Starbucks coffee shop coupon application is being misused by malware peddlers to target South Korean Android users and intercept their incoming text messages. Once installed, the

Fifty thousand exposed in ABC website hack (Sydney Morning Herald) The personal details of almost 50,000 internet users have been exposed online after the ABC's main website was hacked. A subdomain of abc.net

Bank of America, TEKsystems exposed by Anonymous, more to come (CyberWarNews) Anonymous vs Bank of America aka BofA has been an ongoing battle the past few years and now Anonymous has struck back with a huge release of logs and evidence that ties a lot of the research and intel gathering that Bank of America has been doing on them. The data, depending where you are located, was announced on the 24th/25th of February 2013 and first came in the format of "teaser" release files that contained personal information from staff at TEKsystems who Anonymous says is being hired by Bank of America to watch and infiltrate them

Chinese hacker attacks risk fuelling cyber arms race, warns Bruce Schneier (V3) Security expert Bruce Schneier has warned that mistaking the recently revealed cyber attacks on large US businesses for an act of war - rather than espionage - risks fuelling a cyber arms race. Earlier this week security firm Mandiant reported it had managed to link a global cyber snooping campaign to a military unit based in Shanghai's Pudong district. Schneier said that while the report was accurate, attacks like the one listed by Mandiant are commonplace

Don't Blame China For Security Hacks, Blame Yourself (InformationWeek) Focus on the sorry state of your information security defenses before worrying about the Chinese, Russians, hacktivists or cybercrime gangs. The Chinese are coming! The Chinese are coming! Thanks to headlines splashed over every major newspaper in recent weeks, you'd be hard-pressed to miss the news that digital forensic investigation firm Mandiant has blamed People's Liberation Army (PLA) Unit 61398, a Chinese military cyber operations group, for launching advanced persistent threat (APT) attacks against over 140 businesses and government organizations since 2006

Cyberwar-The West Started It (Huffington Post) A few years ago, Israeli and American intelligence developed a computer virus with a specific military objective: damaging Iranian nuclear facilities. Stuxnet was spread via USB sticks and settled silently on Windows PCs. From there it looked into networks for specific industrial centrifuges using Siemens SCADA control devices spinning at high speed to separate Uranium-235 (the bomb stuff) from Uranium-238 (the non-bomb stuff)

Analysis Dates Stuxnet Effort To 2005 (Washington Post) The secret cyber-sabotage campaign aimed at Iran's nuclear program may have been in existence as early as 2005 and may have been capable of inflicting more damage than previously known, according to a security firm's analysis released Tuesday

Revealed: Stuxnet "beta's" devious alternate attack on Iran nuke program (Ars Technica) Version 0.5 shows cyberweapon development began two years earlier than thought. Researchers have uncovered a never-before-seen version of Stuxnet. The discovery sheds new light on the evolution of the powerful cyberweapon that made history when it successfully sabotaged an Iranian uranium-enrichment facility in 2009

Stuxnet's earliest known version sheds light on the worm's development (Help Net Security) Symantec researchers have discovered an older version of the infamous Stuxnet worm that caused the disruption at Iran's nuclear facility in Natanz: Stuxnet 0.5. Stuxnet 0.5 is, as of now, the old

An Eerie Silence on Cybersecurity (New York Times) Apart from a few companies like Google, which revealed that Chinese hackers had tried to read its users' e-mail messages, American companies have been disturbingly silent about cyberattacks on their computer systems -- apparently in fear that this disclosure will unnerve customers and shareholders and invite lawsuits and unwanted scrutiny from the government. In some cases, such silence might violate the legal obligations of publicly traded companies to share material information about their businesses

Technical paper: Exploring the history and technology of ransomware (Naked Security) Over the last year, we have seen the resurgence of ransomware. Examples include fake FBI warnings and accompanying 'fines' to taking your data hostage. Earlier this month, the arrest of a Ransomware gang was announced

Sledgehammer of Cyber Warfare: EMP Attack (WND) Enemies' doctrines include devastating blow as part of 'strategic operations.' Warnings from U.S. Defense Secretary Leon Panetta and U.S. Department of Homeland Security Secretary Janet Napolitano that enemy nations are carrying out cyber attacks on the U.S. are on the rise. The target? The U.S. electric infrastructure. Even President Obama has pointed out that "our enemies are also seeking the abilities to sabotage our power grid, our financial institutions and our air traffic control systems." But that may not be the worst of it. Those same adversaries - China, Russia, Iran and North Korea - also incorporate in their military doctrine the use of a nuclear electromagnetic pulse, or EMP, attack as "part of a strategic operation that would basically 'throw the kitchen sink' at the United States," according to Cynthia E. Ayers, who once was with the National Security Agency and currently is with the U.S. Army War College

Security Patches, Mitigations, and Software Updates

Facebook Patches OAuth Authentication Vulnerability (Threatpost) Social media supersite Facebook has fixed a vulnerability that could have allowed a hacker to access a user's account simply by getting them to click through to a specially crafted website. The flaw essentially mimicked the functionality of an authentic Facebook application without actually installing an application to their profile

Adobe tells users to update Flash Player for the third time this month (Naked Security) How many times has Adobe Flash had to be updated on your computer with a new security patch? Probably more times than you can count, right? Well, let me make the question easier. How many times has Adobe Flash had to be updated on your computer this month? The (perhaps surprising) answer is three. And let's not forget that February is the shortest month of the year

Cyber Trends

Solera Networks And Ponemon Study Reveals Rise in Security Breaches, With Organizations Taking Months To Detect And Contain Them (Dark Reading) According to the majority of respondents, data breaches have increased in both severity and frequency in the past 24 months

Smartphones, Foolish Security Choices (Dark Reading) People with smartphones could be smarter in their security practices. One smartphone user in every four, according to security firm AVG Technologies, stores intimate photos on a smartphone or tablet, a practice that makes a lost or stolen device a potential privacy problem

Businesses deluded about threat of cyber attack (CBS News) Do you think you're prepared for a cyberattack? Believe that your business is not really at risk? Well congratulations -- according to consulting firm Deloitte, you're as delusional as 88 percent of the rest of the business world

The Blurring of the Business Identity (infosec island) The concept of a well defined business identity is blurring and this is causing a complex reaction in the area of identity and access management. Internal, enterprise class identity and access management (IAM) has been long defined, as the managing of user access as defined by approval workflows, authoritative source integration and well defined system connectivity

The identity credential in an ever-connected future (Near Field Communication News) The Internet, technology and innovation move quickly and can change directions just as fast. The forecast is showing more - more devices, more connectivity, more data - and with that, the need for better, trusted security. Everyone wants the ability to use and benefit from the Internet, devices and new technologies without sacrificing personal identities, privacy and security

Beware of big data naysayers (FierceBigData) Everyone has an angle. In business, the first goal of a new company with a market-ready product is to get noticed. The same goes for some other ambitious companies. It's also true of pundits. A good way for them to get noticed is to be a contrarian. And this, I believe, is behind much of the motivation for those "big data naysayers," who bash big data as both a flawed business model and a meaningless marketing term

Marketplace

As Budget Cuts Loom, Austerity Has Killed Off Government Jobs (New York Times) The federal government, the nation's largest consumer and investor, is cutting back at a pace exceeded in the last half-century only by the military demobilizations after the Vietnam War and the cold war

U.S. Spy Chief Looks For Ways To Avoid Cuts (Wall Street Journal) U.S. spy agencies are working to avoid widespread program cuts and layoffs, but the nation's top intelligence official warned Tuesday that the magnitude of coming budget shifts eventually will impact their operation

Hagel Confirmed -- Now Hard Work Begins (Washington Post) Chuck Hagel's painful, prolonged and divisive nomination battle in the Senate finally ended Tuesday, but it is only a prelude to the national-security challenges that will greet him on his first day of work at the Pentagon

Md. military bases brace for reductions (Baltimore Sun) Some gates into Fort Meade could be shut down. And routine maintenance at military installations across the state could be delayed, under federal budget cuts set to begin on Friday. Military bases in Maryland stand to lose $114 million in operational

Jack London, CACI: Sequestration, Fiscal Imbalances Threaten National Security (ExecutiveBiz) "There are only three ways to close the yawning gap between ends and means: scale down the objectives, thus restoring strategic clarity and focus; increase the means, which is highly unlikely, given fiscal realities; or, most dangerously, bluff. Doing nothing and allowing the gap to deepen is the last resort"

Pentagon Unveils Plan To Tap Potential Of Mobile Devices (Reuters.com) The Pentagon unveiled a plan on Tuesday to ultimately enable the Defense Department's 600,000 users of smartphones, computer tablets and other mobile devices to rapidly share classified and protected data using the latest commercial technologies

Federal CIO Q&A: Security, Sequestration And More (InformationWeek) Biggest challenge in realizing agile, efficient government IT continues to be the required cultural change, says Federal CIO Steve VanRoekel. In the 18 months since he was appointed federal CIO, Steven VanRoekel has been a change agent in government IT, overseeing a half-dozen tech initiatives launched by his predecessor, Vivek Kundra, while introducing new projects of his own

West Virginia wasted $5M on enterprise-class gear (FierceCIO: TechWatch) We reported late last year about how California State University saved $100 million by ditching Cisco. On the flip side, the legislative auditor for West Virginia has released a report that accused officials of overspending at least $5 million of federal money in 2010 on Cisco equipment. At the heart of the matter were 3,945 Cisco (NASDAQ: CSCO) routers geared towards mid-to-large deployments, many of which ended up being deployed in small facilities with only a single Internet connection

LGS Providing Army Training Base Avaya Digital Comm System (GovConWire) LGS Innovations has won a $14.1 million contract to provide an Avaya communications system to a U.S. Army base and transition the bas digital voice-over Internet Protocol data system. The Army trains between 85,000 and 90,000 military and civilian personnel per year at Fort Leonard Wood in earthmoving, truck driving, civil support and first response to

Jon Remington Named Technical Services VP, Controller (GovConWire) Jon Remington, most recently a director of business management and division controller at Northrop Grumman (NYSE: NOC), has been promoted to vice president and controller for the technical services sector. Remington will oversee financial operations such as planning and reporting for the Herndon, Va.-based sector, the company said Monday

Samsung and Nokia: Tomorrow's Apple and BlackBerry? (ZDNet) Apple has shown that having control over the hardware and software has its advantages, and BlackBerry once demonstrated that same success

Cisco CEO: We're All In On Internet Of Everything (InformationWeek) CEO John Chambers touts Internet of Everything as cornerstone of Cisco's strategy, urges business leaders to join push toward open standards and cross-industry collaboration.

Ex-Yahoos Confess: Marissa Mayer Is Right To Ban Working From Home (Business Insider) Last Friday, Yahoo HR boss Jackie Reses sent out a memo telling all remote employees that they needed to find a way to be working in an office by June. This upset lots of Yahoo employees - including some working mothers, who say they wish they could afford to build a nursery at the office the way CEO Marissa Mayer has. But we've just heard from a former Yahoo engineer who tells us Mayer is making the exact right call. "For what it's worth, I support the no working from home rule. There's a ton of abuse of that at Yahoo. Something specific to the company"

Despite Mayer's Beliefs, Telecommuting Has Its Benefits (ERE) In a surprising move, it was announced on Friday that Yahoo CEO Marissa Mayer has mandated a telecommuting ban for all employees, which will go into effect this July

How Yahoo's Decision to Stop Telecommuting Will Increase Innovation (ERE) Marissa Mayer's decision to require Yahoo employees to "come into the office" has already been criticized by many. But most of the criticisms that I have come across have been based on emotion rather than data. If you understand the science behind increasing innovation through face-to-face interaction, her decision can only be classified as "a brilliant business decision"

Damballa Further Strengthens Executive Leadership Team with Two Appointments (MarketWatch) Damballa Inc., the recognized experts in advanced threat protection, today announced it has expanded the executive leadership team with two important hires to support business operations and drive strategy. David Fortune has been named vice president of operations, and Bassam Khan will serve as the vice president of corporate strategy. These additions are indicative of the strong momentum the company is experiencing as it continues to grow its customer base in nearly every vertical, deliver significant innovations in its product lines and advance its threat research capabilities. Recently, the company closed a $15M round of funding and added key executives including Dave Scholtz, CEO, and Jennifer Byrne, vice president of global alliances

Security Worker Shortfall Is Putting Organizations at Risk (EWeek) When asked whether their companies had as many information-security workers as they needed, attendees at the Cloud Security Alliance (CSA) Summit here just snorted and laughed. With stolen intellectual property and data breaches regularly making headlines these days, no company or government agency feels that they have the resources they need to secure their business, said Mark Weatherford, deputy undersecretary for cyber-security at the U.S. Department of Homeland Security (DHS), who asked the question during a keynote at the RSA Conference pre-show Feb. 25. In fact, security people are in such demand that Weatherford regularly steals workers from other agencies, he said

Products, Services, and Solutions

RSA Transforms Enterprise Authentication With Big Data-Driven Risk Analytics (Dark Reading) RSA Authentication Manager 8 analyzes risk factors to verify and authorize end-user access to corporate or cloud-based resources

What's Missing From Facebook's Graph Search (ERE) I've been using Facebook's much-vaunted graph search for about a month now, having been on the list for early users. The feature was launched with much fanfare by Facebook in January at a press conference that proved to be distinctly underwhelming. Expectations were high that the company would announce a Facebook phone (The fPhone?) — a blue device capable of automatically recording all your activities and posting them publicly (privacy settings would be permanently disabled). But instead those watching found that the company was rolling out…a better search. Evidence of disappointment was the company's stock price which had been rising but reversed course halfway through the press conference

Check Point Revolutionises Attack Prevention with Threat Emulation (Channel EMEA) Check Point is today announcing a new Threat Emulation Software Blade that prevents infections from undiscovered exploits, zero-day and targeted attacks. This innovative solution quickly inspects suspicious files, emulates how they run to discover malicious behaviour and completely prevents malware from entering the network

Trend Micro solutions detect C&C communications used by APTs (Help Net Security) Trend Micro is introducing new advances in its Custom Defense solution that focus on identifying and blocking the command and control (C&C) communications used by advanced persistent threats (APTs)

Create a hardware encrypting USB with your own Linux OS (Help Net Security) SPYRUS announced the Secure Pocket Drive (SPD) Build Your Own Linux Program with its Secure Pocket Drive bootable USB product line. Secure Pocket Drive is a secure trusted endpoint that augments

Intel launches latest platform for crunching Big Data (Reuters) Intel launched a new software platform for number-crunching on a massive scale, its latest offering in a growing field that it hopes will boost sales of its powerful server chips. The Santa Clara, California-based chipmaker is one of a growing number of technology companies that want to help organizations find value in Big Data -- the analysis of vast troves of information that can be culled from social media, Web searches, financial records, and other mountains of digital facts and figures

Cloudera takes Hadoop data management into mainstream (FierceBigData) At the Strata Conference this week in Santa Clara, Calif., Cloudera introduced new tools that provide users of its Hadoop distribution better enterprise data and access management capabilities, as well as enterprise level back-up and disaster recovery

Hortonworks announces Apache Hadoop for Windows (FierceBigData) HortonWorks did its part this week to expand the reach of Apache Hadoop across the enterprise with the release of its new Hortonworks Data Platform for Windows. This is the first Hadoop distribution available for both Linux and Windows

Mozilla Firefox OS Ignites Carrier Rebellion (InformationWeek) At least 18 mobile operators are planning to offer Firefox OS mobile phones

Microsoft Surface Pro: Why One SMB Says No (InformationWeek) Microsoft's tablet doesn't suit every SMB. An engineering firm IT leader explains why Microsoft's Surface Pro isn't likely to end up in any of his users' hands

Windows Blue: Next Windows OS update 'may be on its way' (FierceCIO: TechWatch) More rumors on the next release of the Windows operating system have been spotted. Known as "Blue," the next release of Windows has been pegged as a feature release and takes the place of a service pack that Microsoft would typically release a year after a major operating system goes to retail

Security edition of Dell Latitude 10 comes with fingerprint reader, TPM support (FierceCIO: TechWatch) Dell this week unveiled a business-centric "enhanced security configuration" version of the Latitude 10 tablet. Incorporating an Intel (NASDAQ: INTC) Atom processor, the 10.1-inch tablet is a Windows 8 Pro-based device that comes with additional security features such as a fingerprint reader and a smart-card reader

Technologies, Techniques, and Standards

Five tips to combat a denial of service cyber attack (Association of Corporate Counsel) Who's next? That's a question probably lingering on the minds of many American banking executives these days. After all, eight U.S. banks were hammered by distributed denial of service (DDoS) cyber attacks in recent weeks and more could be in the works. A DDoS attack typically floods a website or network with so much traffic that it shuts down. The attack can last anywhere from hours to days, depending on how long it takes the victim to divert the traffic and how long the perpetrator can keep blasting the traffic at the victim's site and network

Encryption no longer seen as just an IT issue (Help Net Security) There has been a steady increase in the deployment of encryption solutions used by organizations over the past eight years. The percentage of overall IT security spending dedicated to encryption has a

Separating single sign-on myths from fact (Help Net Security) Single Sign On (SSO), the ability to authenticate only once and have automatic access to many systems, has many potential benefits ranging from lower IT overhead costs to increased end user convenience

Design and Innovation

Nassim Taleb's distinction between 'robust' and 'antifragile' is worth reflecting on (IEEE Spectrum) In titling his new book, Nassim Nicholas Taleb has coined a new word: "antifragile." I was not surprised that such a word did not previously exist, because, like most people, I had thought that the opposite of "fragile" was "robust." But Taleb argues that something that is robust merely tolerates adverse or unexpected conditions, whereas something that is antifragile thrives—its performance actually improves. He uses the example of a mailed package labeled "Fragile, do not shake." The opposite would say, "Antifragile, please shake." Taleb's book mostly considers the notions of fragility and antifragility in biological, medical, economic, and political systems. Do we have any electronic systems that are antifragile

Why language is the key to winning India's mobile market (Quartz) India has the world's largest mobile phone market after China. Yet the amount of money mobile networks make per user is among the lowest in the world: around $2 per month. Chinese carriers such as China Mobile make five times as much. AT&T rakes in $65 per user per month in the US

Cancer fears could prevent Google Glass from ever becoming a phone (Quartz) Google's first attempt at face-based computing, Project Glass, isn't very useful unless it's connected to a wireless network. Without a connection to the internet, it can't deliver search results, provide turn-by-turn directions, instantly share pictures with friends, or accomplish any of the other feats promised in Google's video demonstration of Glass

Research and Development

Why Qualcomm Wants To Bring Ultrasound Transmitters To Smartphones And Tablets (TechCrunch) Mobile chipmaker Qualcomm has a track record of pushing new capabilities into its chips faster than its competitors in a bid to carve out a bigger chunk of the market — and one of its latest acquisitions is in the field of digital ultrasound. So what capabilities could this technology bring to phones and tablets

The Future of Lying (Slate) Here's something I bet we all believe: Lying is bad. Telling the truth is good. It's what our parents told us, right up there with "eat your vegetables," "brush your teeth," and "make sure you unplug the soldering iron." (What? I was raised by engineers). But there's something else none of us can argue: We are all liars. According to a 2011 survey of Americans, we humans lie about 1.65 times a day. (Men lie a little more than women, 1.93 lies to 1.39 lies a day.) Perhaps this is why people got really excited in 2007 when Jeff Hancock, a communications professor at Cornell University, started talking about how we could use computers and algorithms to help detect lie

Can We Teach Computers What 'Truth' Means? (Slate) I'd like to begin with two different ideas of truth. The first appears to be the simplest: "It is true that 1+1=2." The second is from the beginning of the Declaration of Independence: "We hold these truths to be self evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty, and the pursuit of Happiness." Now, these sound like quite different ideas about truth. But the process of trying to teach computers to understand truths like these, difficult for both notions, is revealing the ways in which they are similar

Academia

Cyber help wanted (Baltimore Sun) Maryland has 19,413 openings for computer security professionals, most of them in Baltimore -- let's start training for these jobs. Focus on that number. Like so many numbers in news articles, you might easily have skipped over 19,413. But this is an important number for what is happening in Maryland higher education. According to the Cyber Security Jobs Report issued this month, this is the number of job openings in Maryland, as of October 2012, for qualified cybersecurity professionals

Online cyber security career-simulation platform (Help Net Security) LifeJourney, the new online career-simulation platform that lets students and jobseekers test-drive careers in cyber security and gain exposure to the skills they'll need to achieve their dreams,

Chris Bosh, will.i.am Join Campaign To Teach All Kids To Code (Slate) It's not surprising that Mark Zuckerberg and Bill Gates both show up in a new video from Code.org to convince kids to learn how to program. But a couple of the other talking-heads may throw you: Chris Bosh, who studied some programming during his year at Georgia Tech, and will.i.am, who is currently learning to code. The primary message of the PSA: "You don't have to be a genius to code," as one participant puts it, and it will help you land a cool job

A School in the Cloud and the Future of Learning (Wired Business) Professor Sugata Mitra is developing an entirely new approach to education, one that could dismantle a centuries-old way of teaching

Wharton MBA Classes Go Bi-Coastal With Video (InformationWeek) Cisco telepresence setup for classroom videoconferencing allows a lecturer at Wharton's main Philadelphia campus to simultaneously teach a class in San Francisco

Computer Science Education Had A Good Day In America (TechCrunch) America's elite institutions came out in full force for computer science education. First, the House of Representatives voted to update its traditional students arts competition to include a nationwide mobile apps competition. Then, to top off the day, the nation's leading geeks, from Mark Zuckerberg to Bill Gates, helped launch a national nonprofit to encourage young programmers

Legislation, Policy, and Regulation

Federal Government Makes Silo-Busting, Startup-Unleashing Healthcare Move (TechCrunch) For the first time, the federal government has provided large financial incentives to share one's health data between authorized healthcare providers and with patients themselves to facilitate patient engagement. In the past, there was a

Killer Apps: NATO looking at how to protect alliance members from cyber attack (Foreign Policy) Although NATO has been working for a while on protecting its own networks (meaning the in-house systems NATO relies on for everyday functions) from cyber attacks, it hasn't come up with any plans to defend its member states from cyber attack

HIPAA security rule needs better definition for text messaging (FierceMobileHealthcare) The Health Insurance Portability and Accountability Act (HIPAA) Security Rule leads to uncertainty about how to make text messaging policy decisions, according to an article in the American Journal of Public Health. However, the article's authors assert that text messaging used to send health information can be implemented in a public health setting through two possible approaches

Litigation, Investigation, and Law Enforcement

FTC moves against mobile device makers over security (CSO) While targeting HTC, move seen as warning to all makers who fail to update Android devices in a timely manner

Document shows how much data cops suck up from suspects' cell phones (Ars Technica) Police can gain warrantless access to messages and past locations. The courts have traditionally allowed the police to inspect any items a suspect is carrying when they arrest him or her. But in the past, the information the police could obtain in this fashion was fairly limited. The advent of the smartphone has changed all that.

Online sports streaming site owner avoids jail time in new deal with Feds (Ars Technica) Brian McCarthy, the accused operator of Channelsurfing.net—a site that linked to unauthorized streams of sporting events—has signed a deal with the Department of Justice. This will effectively grant him amnesty, according to court documents filed earlier this month and published Tuesday by TorrentFreak

Investigation into massive data breach widens to Justice Department (Ottawa Citizen) An investigation into the federal government's loss of personal information on over 5,000 Canadians has widened to include the Justice Department. The loss of a portable data key containing information connected to Canada Pension Plan disability benefits was initially thought to involve only Human Resources and Development Canada, which administers the program

After raid, Australian hacker fears possible arrest (Computer World) Dylan Wheeler, a computer security and gaming enthusiast who lives near Perth in Western Australia, could very well be in a lot of trouble. Wheeler, who is in his late teens, is by his own description somewhat of a hacker. He claims to have breached both Microsoft's and Sony's game development networks, extracting software tools used to develop games for the upcoming versions of the Xbox and PlayStation

Hacker Jeremy Hammond bashes US government's 'flawed, corrupt' cyber laws (ITProPortal) A hacker who is facing charges for his involvement in the extensive breach of security firm Stratfor has penned a jailhouse missive that takes the US federal government to task for a "flawed and corrupt" approach to cyber security. Jeremy Hammond (aka yohoho, tylerknowsthis, or crediblethreat), was arrested in March 2012 in Chicago and charged with crimes relating to the December 2011 hack of Stratfor. He faces a sentence of 30 years to life, if convicted, he said in his letter, which was posted online by the Sparrow Project

Google spars with Spain over data privacy (CNet) The search giant and Spanish officials can't agree on when data should be deleted from Google's pages. Google and Spain's data-protection authorities took to Europe's highest court, the European Court of Justice, to discuss whether the search giant has a responsibility to delete data that could infringe a person's privacy. The issue at play relates to what is and what is not suitable for public consumption

Cyber security not priority at DOR on eve of data breach, House concludes (Greenvilleonline) Cyber security was not a priority at the Department of Revenue prior to a massive data breach at the agency last year, the chairman of a House special committee investigating the breach has concluded. "We did not focus on the risk that was there," Rep. Bruce Bannister of Greenville, House majority leader and chairman of the committee, told GreenvilleOnline.com

Central Hudson still investigating cyber attack (Poughkeepsie Journal) Central Hudson Gas & Electric Corp. is continuing to work with law enforcement officials and cyber security experts to determine the extent of a cyber security attack discovered last week that may have compromised customer information. "There is still no evidence confirmed to date that any data was transferred, but we want these customers to make sure that they remain vigilant until we have more definitive information," said James P. Laurito, Central Hudson's president, in a statement

Judge refuses to dismiss charges in WikiLeaks case (MyrtleBeachOnline.com) An Army private accused of sending classified material to the anti-secrecy website WikiLeaks has not been denied a speedy trial despite his lengthy pretrial confinement, a military judge ruled Tuesday. Attorneys for Pfc. Bradley

No Standing to Challenge FISA Surveillance (Volokh Conspiracy) Today, in Clapper v. Amnesty International USA, the U.S. Supreme Court held that petitioners Amnesty International, et al., lacked standing to challenge surveillance of international communications under the Foreign Intelligence Surveillance Act. The Court split 5-4 along traditional right-left lines. Justice Alito wrote for the majority opinion. Justice Breyer dissented. Here is the introduction from Justice Alito's opinion

Aaron Swartz Prosecutors Weighed 'Guerilla' Manifesto, Justice Official Tells Congressional Committee (Huffington Post) A Justice Department representative told congressional staffers during a recent briefing on the computer fraud prosecution of Internet activist Aaron Swartz that Swartz's "Guerilla Open Access Manifesto" played a role in the prosecution, sources told The Huffington Post

Apple settles lawsuit on in-app purchases made by kids (SlashGear) When your kids get a hold of your iPhone or iPad, bad things can happen. They could always accidentally drop the device and break it, but it seems that inadvertently making in-app purchases is a growing epidemic by kids, costing parents millions of dollars

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

Upcoming Events

RSA USA 2013 (San Francisco, California, USA, February 25 - March 1, 2013) RSA Conference continually evolves program offerings to meet the ever-changing needs of our delegates in the dynamic infosec industry.

Nullcon Goa 2013 (Bogmallo Beach Resort, Goa, India, February 26 - March 2, 2013) An international information security conference that will feature speakers and training. Topics include security and politics, vulnerability elimination, Android hacking, SCADA and smart grid penetration...

NRO Winter Way Forward Conference (Chantilly, Virginia, USA, February 28, 2013) This annual event will provide an increased awareness, understanding and support among the IT workforce by focusing on the NRO IT Way-Forward in terms of the NRO IT Sub-Portfolio Roadmaps. Exhibitors will...

TechMentor Orlando 2013 (Orlando, Florida, USA, March 4 - 8, 2013) Celebrating 15 years of educational events for the IT community, TechMentor is returning to Orlando, Florida, March 4-8, for 5 days of information-packed sessions and workshops. Surrounded by your fellow...

IHS CERAWeek 2013 (Houston, Texas, USA, March 4 - 8, 2013) IHS CERAWeek 2013 will offer new insight on the energy future -- and on the strategic and investment responses by producers, consumers and policy-makers. What are the changes ahead in the competitive...

Business Insurance Risk Management Summit (New York City, New York, USA, March 5 - 6, 2013) The annual Risk Management Summit, now in its fourth year, provides attendees with focused insight via specific, timely general sessions and strategic, thought-provoking discussions with peers and industry...

CanSecWest 2013 (Vancouver, British Columbia, Canada, March 6 - 8, 2013) CanSecWest, the world's most advanced conference focusing on applied digital security, is about bringing the industry luminaries together in a relaxed environment which promotes collaboration and social...

e-Crime Congress 2013 (London, England, March 12 - 13, 2013) The e-Crime Congress is designed to meet the needs of key stakeholders and decision makers who are responsible for designing and coordinating information security and risk management strategy, safeguarding...

CTIN Digital Forensics Conference (Seattle, Washington, USA, March 13 - 15, 2013) Speakers include experts and published authors in the field of digital forensics and cybersecurity. Topics include: Mobile Device Forensics, Internet Forensics, Physical Memory Analysis, Open Source Tools,...

Google and University of Maryland Cybersecurity Seminar (College Park, Maryland, USA, March 14, 2013) Dr. Ari Juels, Chief Scientist of RSA, The Security Division of EMC, and Director of RSA Laboratories, will discuss "Aggregation and Distribution in Cloud Security." His talk will feature information...

Department of Homeland Security 6th Annual Industry Day (Washington, DC, USA, March 18, 2013) The Department of Homeland Security (DHS) will be hosting its 6th Annual Industry Day to provide advanced acquisition planning information to industry. DHS Industry Day will consist of two sessions, the...

IT Security Entrepreneurs' Forum (ITSEF 2013) (Palo Alto, California, USA, March 19 - 20, 2013) Supported by the U.S. Department of Homeland Security, Office of Science and Technology, ITSEF 2013 aims to connect the ecosystem of the entrepreneur: industry, government, and academia. The conference...

The Future of Cyber Security 2013 (London, England, UK, March 21, 2013) Cyber Security and the Citizen 2013 is a one-day conference and exhibition for senior decision-makers of central and local government organisations, NGOs and major private sector enterprises.

SANS Cyber Threat Intelligence Summit (Washington, DC, USA, March 22, 2013) Conventional network defense tools such as intrusion detection systems and anti-virus focus on the vulnerability component of risk, and traditional incident response methodology presupposes a successful...

AFCEA Belvoir Industry Days 2013 (National Harbor, Maryland, USA, April 2 - 3, 2013) The purpose of this event is to inform the IT community about the recent successes and the forward-thinking opportunities that the Department of Defense and the Department of the Army have developed.

CSO40 (Braselton, Georgia, USA, April 2 - 3, 2013) The CSO40 Security Confab + Awards will honor and share the critical viewpoints of today's leading CSOs, CISOs and security executives at the nation's leading CSO thought leadership conference.

Cloud Connect Silicon Valley (Santa Clara, California, USA, April 2 - 5, 2013) Cloud Connect returns to Silicon Valley, April 2-5, 2013, for four days of lectures, panels, tutorials and roundtable discussions on a comprehensive selection of cloud topics taught by leading industry...

An Evening in Cyberspace: Supporting Tomorrow's Cybersecurity Leaders (National Harbor, Maryland, USA, April 6, 2013) UMUC is pleased to present An Evening in Cyberspace: Supporting Tomorrow's Cybersecurity Leaders. Join us for this special black-tie event to support the next generation of cybersecurity students. The...

Cyber 1.3 Maj. Gen. Suzanne Vautrinot, USAF, commander, 24th Air Force, and commander, Air Force Network Operations, will discuss the global strategic implications that relate to the cyber domain at the Space Foundation...

HITBSecConf2013 (Amsterdam, the Netherlands, April 8 - 11, 2013) HITB2013AMS will feature cutting edge attack and defense research including a presentation on the inner workings of the iOS 6.1 Evasi0n jailbreak presented by members of the world famous Evad3rs Team,...

INFILTRATE 2013 (Miami, Florida, USA, April 11 - 12, 2013) INFILTRATE is a deep technical conference that focuses entirely on offensive security issues. Researchers focused on the latest technical issues will demonstrate techniques that you cannot find elsewhere.

Information Tech Expo Series - Hawaii (Oahu, Hawaii, USA, April 12 - 19, 2013) This 6-series showcase will feature stops at 5 DoD locations and 1 Intel Center on the island of Oahu. Celebrating 20 years of these expos is a true testament to the government and military's readiness...

InfoSec World Conference & Expo 2013 (Orlando, Florida, USA, April 15 - 17, 2013) With the primary objective of providing top-notch education to all levels of information security and IT auditing professionals, InfoSec World delivers practical sessions that give you the tools to strengthen...

Infosec Southwest 2013 (Austin, Texas, USA, April 19 - 21, 2013) InfoSec Southwest is intended to be a general security and hacking conference with no specific industry or topical focus. As such, nearly all topics (other than vendor pitches) are fair game and the attending...

23rd Annual Government Procurement Conference (Washington, DC, USA, April 25, 2013) This unique one-day event attracts more than 3,000 participants representing government agencies, prime contractors and small businesses from around the country. Participating companies are able to network...

Interop Las Vegas (Las Vegas, Nevada, USA, May 6 - 10, 2013) Attend Interop Las Vegas, May 6-10, and attend the most thorough training on Apple deployment at the NEW Mac & iOS IT Conference. Join us in Las Vegas for access to 125+ workshops and conference classes,...

Maryland/DC Celebration of International Trade (Linthicum, Maryland, USA, May 21, 2013) Join Maryland exporters and international business experts as they celebrate International Trade Week. Hosted by the Maryland/DC District Export Council this event is a content rich celebration of international...

Consumerization of IT in the Enterprise Conference and Expo (San Francisco, California, USA, June 2 - 4, 2013) From smartphones to mobile apps, social software and 4G networks, the wave of innovation in the consumer space is transforming the way companies do business, both inside and outside of the enterprise.

25th Annual FIRST Conference (Bangkok, Thailand, June 16 - 21, 2013) The annual FIRST conference provides a setting for conference participants to attend a wide range of presentations delivered by leading experts in both the CSIRT field and from the global security community.

SECRYPT 2013 (Reykjavik, Iceland, July 29 - 31, 2013) The 10th International Conference on Security and Cryptography (SECRYPT 2013) will take place from 29 to 31 July 2013 in Reykjavik, Iceland…The conference will focus on information systems and network...

TechCrunch Disrupt San Francisco (San Francisco, California, September 7 - 11, 2013) For the fourth year in a row, TechCrunch Disrupt will take over the San Francisco Design Center Concourse, and we're bringing the hottest startups and best minds in the industry with us. Block off September...
