Some follow-up to yesterday's reports of Syrian Electronic Army regime-directed hacktivism and pro-Morsi hacker attempts against Emirati networks.
Security Research Labs' exposure of a longstanding but unrecognized vulnerability in SIM card encryption continues to draw considerable attention. The consensus appears to be that the problem is real and widespread (with a notable dissent from the GSM Association). Analysts suggest the discovery lends weight to arguments for data containerization (particularly as BYOD becomes increasingly common).
With SIM-card news following months of iOS and Android exploits, Scientific American's warning that mobile hacks may be coming seems almost naÏve, like announcing the discovery of sin. (Still, worth a look.)
As Quantum Dawn 2 wraps up, along with similar exercises in Australia and South Korea, the International Organisation of Securities Commissions and the World Federation of Exchanges find that cyber attacks on trading markets aim more for disruption than direct fraud.
SC Magazine discerns a trend in vulnerability research: there are signs it's being chilled by fear of prosecution.
The big marketplace news, of course, is Cisco's acquisition of Sourcefire for $2.7B, or $76 per share. The move is intended to improve Cisco's position against competitors like Juniper, Check Point, and Palo Alto Networks.
With interest driven by PRISM leaks, companies specializing in privacy solutions emerge as venture capital darlings.
Der Spiegel reports ties between the Bundesamt Für Verfassungsschutz (BfV) internal security service and the US NSA, and the Bundestag launches an investigation.
The US considers tax breaks and other incentives for cyber innovation.
Today's issue includes events affecting Australia, China, Egypt, Germany, Indonesia, Philippines, Syria, United Arab Emirates, United Kingdom, United States..
Government and industry leaders will gather in New York for SINET's Innovation Summit, August 6, to discuss cyber innovation and entrepreneurship. The CyberWire will provide special coverage of this event.
Cyber Attacks, Threats, and Vulnerabilities
Syrian Electronic Army hacks Online Newspaper The Daily Dot, removes article(HackRead) The Syrian Electronic Army has hacked into the official website of an Online Newspaper The Daily Dot and removed an article related to their latest Mobile Messaging Service Tango.me hack. Background: On 22nd July 2013, Curt Hopkins of The Daily Dot had posted an article along with a caricature of Syrian President Bashar al-Assad. The hackers then requested the newspaper for removing the image making fun of
UAE under Egyptian cyber-attack(The North Africa Post) Officials of United Arab Emirates Telecoms Authority have claimed that they have dealt with a cyber-attack originating from Egypt against government websites. Officials linked the attack to the support rendered by the United Arab Emirates
SIM Card Hack A Wakeup Call(Dark Reading) A researcher has discovered major flaws in some SIM cards that could pave the way for more targeted attacks against mobile device users. Famed encryption researcher Karsten Nohl of Security Research Labs will show at Black Hat USA next week how he was able to hack some SIM cards in mobile phones by cracking the Data Encryption Standard (DES) keys used for over-the-air updates. The vulnerability in the DES authentication, as well as another flaw Nohl found in the cards' virtual machine or sandbox feature, could affect millions of SIM cards
70's Cryptography Causing Security Catastrophy(SiliconANGLE TV) Welcome to NewsDesk on SiliconANGLE TV for Monday July 22, 2013. If your identity has been stolen, your phone may have been an accomplice to the crime. Joining us now to explain more is SiliconANGLE Contributing Editor John Casaretto
Hijacking SIM Cards through Over-the-Air Updates(Symantec) We all know that mobile phones have been the focus of cybercriminals for a while now. But Trojanized mobile applications are only one attack scenario. Some problems lie even deeper in your phone. Karsten Nohl, a German researcher who has done a lot of work with GSM networks and mobile phones in the past, has found a critical vulnerability connected to mobile phones
SIM flaw boosts mobile data container argument(CSO) With 40-year-old encryption find on Subscriber Identification Module cards, researcher says at least 500 million phones may be vulnerable. The discovery of 40-year-old encryption standards in the SIM cards in possibly hundred of millions of mobile phones bolsters the argument for isolating corporate data in devices
Mobe SIM crypto hijack threatens millions: Here's HOW IT WORKS(The Register) You'll kick yourself when you know how. Analysis A German researcher reckons he can take control of your phone's SIM card and hijack the handset by cracking the encryption on the device. But he's not alone: network operators have long been able to do just that, and a careful look at how that's possible makes the long-standing security of GSM phone networks all the more remarkable
Fact or Fiction: Your Smartphone and Tablet Are Vulnerable to Hackers(Scientific American) Stories of high-profile attacks on Internet-connected mobile devices are hard to come by, but it may not always be this way. Personal computers have been subject to cyber attacks from the moment we began connecting them to the Internet. Nowadays, malicious software lurking in spam and on Web pages is kept at bay only through effort and expense. So why don't we have the same security problem with our smartphones and tablets, which are essentially variations on the PC
Phantom apps appear in Chinese fanbois' iTunes accounts(The Register) Chinternet a-flutter with speculation and conspiracy theories. Chinese fanbois are reporting that mobile apps they didn't buy have started appearing in their iTunes accounts, leading to speculation an app promotion company may be illegally accessing accounts
[OVH] Security incident(OVH.com) A few days ago, we discovered that the security of our internal network at our offices in Roubaix had been compromised. After internal investigations, it appeared that a hacker was able to obtain access to an email account of one of our system administrators. With this email access, they was able to gain access to the internal VPN of another employee. Then with this VPN access, they were able to compromise the access of one of the system administrators who handles the the internal backoffice
Royal Baby: Exclusive Pics! — Don't Fall for It(Infosecurity Magazine) When Kate Middleton, the Duchess of Cambridge, went into labor with the child who recently became third in line for the throne of England, the event immediately had millions of royal-watchers riveted – and, apparently, plenty of spammers ready to leverage the vast amount of public interest in everything from the sex of the baby to "secret pictures" of the new arrival
St. Mary's Bank Suffers Security Breach(eSecurity Planet) Malware found on an employee's computer may have captured customer data. New Hampshire's St. Mary's Bank recently began notifying 115,775 customers that malware found on an employee's computer may have captured sensitive information, including customer names, addresses, Social Security numbers, account information and transcaction records
How Digital Certificates are Used and Misused(Lenny Zeltser) Online communication and data sharing practices rely heavily on digital certificates to encrypt data as well as authenticate systems and people. There have been many discussions about the cracks starting to develop in the certificate-based Public Key Infrastructure (PKI) on the web. Let's consider how the certs are typically used and misused to prepare for exploring ways in which the certificate ecosystem can be strengthened
How to spot and avoid Facebook 'Like' scams(C/NET) When you click or press the Like button, you may be disclosing more about yourself than you imagine. You may also be contributing to the bank accounts of Internet scammers
Indonesia Joins China as Cyber-Attack Powerhouse(Businessweek) Indonesia isn't known as an epicenter for hacking, but the Southeast Asian country was the source of 21 percent of the world's cyber-attack traffic in the first quarter of this year, according to a report by Akamai Technologies to be published later
My Editorial: Q3 issue: Lost For Words(Infosecurity Magazine) Seven years reporting on this industry has left me amused, and sometimes strangely comforted, by the over-use of clichés by the industry's professionals. More recently, however, the exposure has frustrated me and left me asking why, in an industry dominated by intelligent people, we can't be more innovative and creative with our communications
Study: Cloud Computing Security Still Immature(Midsize Insider) The article points out that the Cloud Security Alliance is such an example, offering a checklist to help IT pros consider whether cloud security services are appropriate for their company. Security should not be an afterthought with the cloud
Fear of prosecution hampers security research(SC Magazine) As Black Hat and DefCon near, there's a noticeable "chill" in the air due to recent, aggressive legal action taken against security researchers. And the biggest loser of all may be the public. A few months ago, Matthew Green was asked to advise a small team of undergraduate students who were investigating possible security vulnerabilities in a state's toll collection system
CSIS Releases Study Linking Cybercrime To Job Loss(Dark Reading) McAfee-sponsored report quantifies economic impact of cybercrime. McAfee announced today that it has sponsored a first-of-its-kind report quantifying the economic impact of cybercrime. After years of guesswork and innumerable attempts to quantify the costly effects of cybercrime on the U.S. and world economies, McAfee engaged one of the world's preeminent international policy institutions for defense and security, the Center for Strategic and International Studies (CSIS), to build an economic model and methodology to accurately estimate these losses, which can be extended worldwide. "Estimating the Cost of Cybercrime and Cyber Espionage" posits a $100 billion annual loss to the U.S. economy and as many as 508,000 U.S. jobs lost as a result of malicious cyber activity
Trillion-dollar global hacking damages estimate called exaggerated(Reuters) A $1 trillion estimate of the global cost of hacking cited by President Barack Obama and other top officials is a gross exaggeration, according to a new study commissioned by the company responsible for the earlier approximation. A preliminary report being released Monday by the Center for Strategic and International Studies and underwritten by Intel Corp's (INTC.O) security software arm McAfee implicitly acknowledges that McAfee's previous figure could be triple the real number
Is Software Quality Going To Hell In A Shopping Basket?(Forbes) When I was a CIO back in the day, I'd get into frequent debates with my peers. One philosophical question: "Is it better for new software to be on-time and buggy, or late and bug-free?" To me the answer was a no-brainer. No one remembers if you were a bit late, but everyone remembers a buggy start. Here it is, twelve years later, and I'm feeling really old fashioned. Whether delivered late, early or on time, software just seems to always be buggy. Not just new software - but even seemingly minor updates. And not just small bugs either. We're talking major glaring holes. It has been a problem for a long time, and what Facebook calls "The Hacker Way" has only exacerbated the problem
Under Attack: the Threat from Cyberspace(F-Secure) "There are now three certainties in life -- there's death, there's taxes and there's a foreign intelligence service on your system." —MI5's Head of Cyber. BBC Radio 4 recently aired a very interesting series on cyber espionage, theft, and war
Escalating Cyber Security Threats Mean Rise of the CISO(American Banker) Tom Sanzone has a curriculum vitae few in the bank technology sphere can rival. CAO of Merrill Lynch. CIO of Credit Suisse. CIO for the Corporate and Investment Bank, the Private Client Group, and the Global Transaction Services business at Citigroup. Managing director and head of global application development at Salomon Brother
Morozov and the Internet's Great Failure(Slashdot) When you learn that Evgeny Morozov's previous book was called The Net Delusion: The Dark Side of Internet Freedom, you quickly realize that his new book, To Save Everything, Click Here, isn't likely to be an ode to the utopian wonder of the Web. And indeed it isn't
The Bring-Your-Own-Device Dilemma(IEEE Spectrum) Employees and businesses seek to balance privacy and security. The smartphone revolution opened the floodgates to the BYOD (bring your own device) trend among workers. Carrying two devices is cumbersome, and many people simply preferred to use their new devices over corporate-issued phones or laptops. IT departments might have been able to brush this off, except that many of the early iPhone (and later, Android) adopters sat in executive offices. Now BYOD has spread around the world, creating a host of new challenges for IT departments concerning security, device management, and support costs
E-shopkeepers stabbed with SQL needles 'twice' as much as other sites(The Register) US number-one source of injection attacks, says security biz. Retailers suffer twice as many SQL injection attacks on their systems as other industries, according to a new study by data-centre security firm Imperva, which claims the ferocity of web-based assaults is growing
Cisco to buy security software maker Sourcefire for $2.7 billion(Reuters) Cisco Systems Inc said it will buy software maker Sourcefire Inc for about $2.7 billion (1.7 billion pounds) to increase its network security services. Cisco will pay $76 per share for the company, a premium of 28.6 percent over its closing price on Monday of $59.08
DuckDuckGo, PRISM, and the new business of privacy(VentureBeat) One the most valuable things in the world right now is your data. For Facebook and Google, your data is a window into your soul, your interests, and your buying habits. It's how they can convince advertisers that giving them money makes sense. It's how they've gotten rich
Venture Funds Invest in Electronic Spying Startups(Wall Street Journal) The string of revelations about America's surveillance apparatus by former National Security Agency contractor Edward Snowden has cast a spotlight on the growing number of American companies involved in electronic spycraft
Michael Dell Faces Biggest Week Of His Career(InformationWeek) This week could alter the course of Michael Dell's legacy, as investors consider his $24.4 billion offer to take the company private. Throughout his career, Dell CEO Michael Dell has overcome many challenges. He famously launched the company, once the world's biggest PC maker, from his college dorm room, for example. Along the way, he became one of the world's richest people
Northrop Grumman taps new sector VP of business development(Washington Technology) Kondrotis comes to Northrop Grumman having served in executive business development roles at CACI International and in General Dynamics Information Technology's Intelligence Solutions division. She has also worked at Lockheed Martin in business
Products, Services, and Solutions
Apricorn unveils FIPS 140-2 encrypted USB 3.0 drive(Help Net Security) Apricorn debuted its Aegis Padlock Fortress, a secure drive designed specifically for the stringent requirements of the Government, Military and Healthcare. The first USB 3.0 hardware encrypted
Getting Physical At Black Hat(Dark Reading) Researchers offer up work on breaking into buildings by hacking alarm key pad sensors and key card access control systems
Tripwire Announces New Version Of TRIPWIRE Log Center Solution(Dark Readin) Tripwire Log Center solution is powered by the Tripwire VIA agent. Tripwire, Inc., a leading global provider of risk based security and compliance management solutions, today announced the availability of the Tripwire Log Center TLC™ 7.0 featuring the first phase of integration with IP360™, as well as Tripwire's new VIA™ Agent, advanced log intelligence, and enhanced correlation analytics designed to improve log intelligence
MaskMe: Finally a way to use the web without surrendering all your personal info(VentureBeat) Here's an obvious reality about privacy breaches: Companies can't lose data that they don't have. Taking advantage of this realization is privacy company Abine, which has officially announced MaskMe, an ambitious browser extension that gives users the privacy-protecting power of disposable e-mail addresses, phone numbers, and even credit card numbers
The Fallacy of Targeted Attacks, Advanced Threats and Sandboxing-based Technologies(Damballa) Over the last few months, mainly due to my new role in Damballa, I had the tremendous opportunity to visit, meet and hold extensive discussions with people in the security field. These people varied from sales representatives and operational security practitioners, to executives in large companies. I've realized with great sadness (to be perfectly honest) a great level of misconception around the detection or even prevention of targeted attacks and advanced threats
Children as adversaries in technologically-enhanced homes(Help Net Security) You might sometimes consider your child an adversary when it prevents you from sleeping enough hours or having a sit-down meal without interruptions, but Microsoft researcher Stuart Schechter uses the same unexpected word for describing the effect of children's natural tendency to "hack" technology made for adult use
Tactics for Responding to Cyber Attacks - Squeezing Your Cyber Response-Curve: Part 1(CircleID) Many cyber attacks against companies today go unreported, and more still are undetected. This poses a critical threat to organizations that are striving to innovate, maximize efficiency and compete in a connected world. Timing and context are everything. The faster a company identifies a problem, and the faster and deeper it is understood and its relevance to the business, the more effectively the company can respond. We call this squeezing the cyber response curve. This two-part post will discuss the current state of cyber threats, what the cyber response curve is and its impact your organization and how you can effectively squeeze this curve to improve attack response
Will CSOs become CROs in the future?(CSO) Is the chief security officer title destined to evolve into one that is about more than just security? Many CSOs have seen their responsibilities morph from defending an organization, to calculating an organization's risk profile as well
Top IaaS Security Requirements To Consider(NetworkComputing.com) "The security requirements for using Infrastructure as-a-Service are essentially the same as they would be for using your own data center," Dave Cullinane, chairman of the Cloud Security Alliance board, told Network Computing. "You should evaluate
MIT researchers teach TCP new tricks with software named Remy(NetworkWorld) Remy automatically generates congestion-control algorithms for dramatically improved speeds and lower latency. Network World - A sophisticated piece of software called Remy can be used to manage network communications with unprecedented precision, creating new protocols and controls on the fly in order to wring maximum efficiency out of a network
Germany to Probe Secret Service Ties with NSA(SecurityWeek) German Chancellor Angela Merkel's government Monday announced a probe into ties between its secret services and US agencies whose sweeping online surveillance was revealed by fugitive intelligence analyst Edward Snowden
Spying Scandal Piles Pressure on Merkel Over Extent of NSA Links(Businessweek) German Chancellor Angela Merkel came under renewed pressure over the trans-Atlantic surveillance scandal after a report that German intelligence cooperated closely with the U.S. National Security Agency. Germany's BND Federal Intelligence Service, led
US Surveillance, Syria At Issue On Defense Bill(Associated Press) Limits on secret U.S. surveillance programs and President Barack Obama's push to help Syrian rebels were in dispute as the House weighed legislation to fund the nation's military. The House planned to begin debate Tuesday on the $598.3 billion defense spending bill for the fiscal year beginning Oct. 1, and late Monday the House Rules Committee voted to allow votes on the contentious issues
DHS approps slightly higher under Senate committee than House(FierceHomelandSecurity) Senate Appropriations Committee funding for the Homeland Security Department would be greater by about $334.16 million than the amount the House approved June 6 in that chamber's version of the DHS fiscal 2014 spending bill--although a large amount of that difference comes from the overseas spending for the Coast Guard, which the House would fund through the Navy
The key to cleaning up the internet is tackling the darknets, not letting censorship in by the back door(ZDNet) The UK government's proposals for blocking search terms for illegal content aren't only badly thought through, they're dangerous. The latest proposals to lock down the UK internet in the name of preventing child pornography are at best a misunderstanding of how the dark side of the internet works, and at worst a basis for a censorship infrastructure that could make the Great Firewall of China look like a leaky sieve
The Ever-Evolving Cyber Laws(Insurance Journal) There is a wide array of state, federal, and international laws requiring individuals and entities that gather, use and secure "personal" or "protected" information to report, and/or "notice," when this type of information is accessed or acquired without authorization. The original motivator behind these laws is that this type of information, when in the hands of the wrong person, can be used to commit fraud. The goal is to provide affected individuals, and the government or consumer agencies they may turn to for assistance, with notice of the data security incident so that they may take steps to protect themselves
Litigation, Investigation, and Law Enforcement
Chinese hacker to help defend Western companies(Yahoo News) A leading Chinese hacker who used to attack American targets in the name of patriotism is now sharing his skills with Western multinational firms. Cyber security has become a major diplomatic sticking point between the world's superpowers, and a cyber war between China and the US is escalating. The US has come under fire after former spy Edward Snowden revealed a vast US surveillance program that also targeted Hong Kong and the Chinese mainland. Earlier, US security experts had identified a specialist hacking unit within the People's Liberation Army honing in on their institutions. China is now calling for a global anti-hacking agreement, but one of the biggest threats still comes from those working outside the system. Hacker Laoying, meaning Eagle, is seen as something of a godfather by his peer
U.S. Army Sergeant Admits Data Theft(eSecurity Planet) Ammie Brothers faces up to five years in prison. Ammie Brothers, 29, of Columbus, Ga., recently pled guilty to unlawfully obtaining personal information from the U.S. Army's Army Knowledge Online system
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
2013 World Comp(Las Vegas, Nevada, USA, July 22 - 23, 2013) 2200 leading researchers, academics, and executives from government, academia and industry will come together at this annual event which facilitates communication among researchers in different fields...
EAGB Summer Quarterly Webinar(Webinar, July 24, 2013) Join us Wednesday, July 24 from 10:00-11:00 AM as Patrick Dougherty discusses the EAGB's two newest reports: the Summer 2013 Quarterly Regional Economic Update and Cyber Security in Greater Baltimore:...
Black Hat 2013(Las Vegas, Nevada, USA, July 27 - August 1, 2013) Black Hat USA is a major international security conference, featuring learning, networking, and skill-building. Sessions include training, briefings, technical presentations, and more.
SECRYPT 2013(Reykjavik, Iceland, July 29 - 31, 2013) The 10th International Conference on Security and Cryptography (SECRYPT 2013) will take place from 29 to 31 July 2013 in Reykjavik, Iceland…The conference will focus on information systems and network...
AFCEA Global Intelligence Forum(Washington, DC, USA, July 30 - 31, 2013) During this day and one half unclassified conference in the National Press Club in downtown Washington, D.C., leaders from across the government, military, and industry will explore the role that the Intelligence...
International Conference on Cyber Security(New York, New York, USA, August 5 - 8, 2013) The Federal Bureau of Investigation and Fordham University will host the fourth International Conference on Cyber Security (ICCS 2013) on August 5 - 8, 2013 in New York City. ICCS, the White Hat Summit,...
Third Annual SINET™Innovation Summit(New York, New York, USA, August 6, 2013) SINET™, the premiere community builder and innovation catalyst for the Cybersecurity industry hosts their third annual Innovation Summit at Columbia University on August 6th. SINET programs are where the...
SINET Innovation Summit(New York, New York, USA, August 6, 2013) The purpose of the Innovation Summit is to reinvigorate public private partnership efforts and increase relationships between industry, government and academia that fosters sharing of information and collaboration...
3rd Annual Cyber Security Training Forum(Colorado Springs, Colorado, USA, August 6 - 7, 2013) The Information Systems Security Association (ISSA) - Colorado Springs Chapter and FBC, Inc. will once again host the 3rd Annual Cyber Security Training Forum (CSTF). Formerly known as the Cyber Security...
SPONSOR & SUPPORT
Grow your brand and reach new customers.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.