Bloomberg breaks news of another major Chinese cyber espionage campaign, this one directed against defense and security contractor QinetiQ North America. The campaign lasted at least five years, involved multiple (and diverse) points of attack, and succeeded against a company whose considerable security expertise failed to prompt effective action once warnings appeared. The attackers stole technology that now appears in fielded Chinese systems. The notorious People's Liberation Army Unit 61398 (a.k.a. "Comment Crew") is blamed for the attack; Terremark, HBGary, and Mandiant were engaged to contain it, apparently with mixed success.
The story is worth close attention because it's by no means an aberration. As a Center for Strategic and International Studies senior fellow put it to Businessweek, "The line forms to the left when it comes to defense contractors that have been hacked."
The US Department of Labor's website (now fixed) was hacked to serve malware in a watering hole attack. Unknown parties breached a US Army Corps of Engineers database recording physical vulnerabilities in dams.
In industry news, South Carolina's recovery from last year's data breach offers lessons for businesses approaching this market. VentureBeat offers Fixmo as an example of how an international company can succeed in the US security market. Struggling tech companies continue to grasp at cyber as a profitable lifeline. Apple thinks its designs have suffered from skeuomorphism. (Who knew?)
The US FBI wants a legal mandate for Internet wiretap backdoors, backed by penalties for companies that fail to comply quickly with wiretap orders, to push through carrier reluctance to cooperate with eavesdropping. Thirty-six governments worldwide now use FinFisher for surveillance.
Today's issue includes events affecting Australia, Austria, Bahrain, Bangladesh, Brunei, Bulgaria, Canada, China, Czech Republic, Estonia, Ethiopia, Germany, Hungary, India, Indonesia, Japan, Republic of Korea, Democratic People's Republic of Korea, Latvia, Lithuania, Macedonia, Malaysia, Mexico, Mongolia, Netherlands, Nigeria, Pakistan, Panama, Qatar, Romania, Serbia, Singapore, South Africa, Taiwan, Turkey, Turkmenistan, United Arab Emirates, United Kingdom, United States, and Vietnam.
Cyber Attacks, Threats, and Vulnerabilities
China Cyber Hacking the U.S. for 5 Years, Report Confirms(International Business Times) QinetiQ North America (QQ), a world-leading defense technology and security company providing satellites, drones and software services to U.S. Special Forces deployed in Afghanistan and the Middle East, suffers humiliation as intelligence officials confirm that China was able to steal U.S. classified documents and pertinent technological information - all this because of QinetiQ's faulty decision-making
'Chinese' attack sucks secrets from US defence contractor(The Register) Just when it looked like US-China relations couldn't get any more frosty, news has emerged that defence contractor QinetiQ suffered a massive breach of classified data over three years which may have leaked advanced military secrets to the infamous PLA-linked hacking gang Comment Crew
China Cyberspies Outwit US Stealing Military Secrets(Businessweek) Among defense contractors, QinetiQ North America (QQ/) is known for spy-world connections and an eye-popping product line. Its contributions to national security include secret satellites, drones, and software used by U.S. special forces in Afghanistan and the Middle East. Former CIA Director George Tenet was a director of the company from 2006 to 2008 and former Pentagon spy chief Stephen Cambone heads a major division. Its U.K. parent was created as a spinoff of a government weapons laboratory that inspired Q's lab in Ian Fleming's James Bond thrillers, a connection QinetiQ (pronounced kin-EH-tic) still touts
China's hackers shifting focus: report(Taipei Times) China's cyberarmy now numbers more than 100,000, has a budget of more than US$2.71 million and targets telecoms and think tanks, the NSB said. The National Security Bureau (NSB) believes that the Chinese military has shifted the emphasis of cyberattacks on Taiwan from government institutions to civilian think tanks, telecommunications service providers, Internet node facilities and traffic signal control systems, according to an NSB report
Jaws, Nuclear Weapons, and Cyber War(Huffington Post) The top Chinese official of the People's Liberation Army, General Fang Fenghui, created his own Jaws effect when he recently announced that the consequences of a major cyber attack "may be as serious as a nuclear bomb." You yell cyber, everybody says
Reputation.com resets all user passwords following breach(Naked Security) Fortunately, the few passwords that were nabbed were salted and hashed. Also, the company doesn't request sensitive information such as Social Security Numbers and doesn't store financial data such as credit card numbers or bank accounts. Kudos for good security practices, guys
ESEA gaming client hijacks GPUs for Bitcoin mining(CSO) The co-owner of widely used computer gaming service ESEA has admitted that the company used its client software to mine bitcoins using customers' hardware without their knowledge. Some ESEA users say that the unannounced activity overheated their graphics cards, damaging them in the process
Beware of encryption companies bearing gifts!(Naked Security) An iPhone messaging app that claims to be "totally secure" is offering a £10,000 prize to anyone who can intercept a message from it. Paul Ducklin wonders how you are supposed to win the prize if the app really is "totally secure"
Trend Micro Uncovers Trojan Vernot in Fresh Version(SPAMfighter News) Researchers at the security company Trend Micro report a new version of the notorious Vernot Trojan, which they have analyzed and named BKDR_VERNOT.B. Vernot is a textbook example of how malware can evade security detection by using legitimate software and services to carry out its malicious activities
Nearly Nine in Ten Websites Contain One Serious Vulnerability(Threatpost) For at least the third year in a row, the number of serious vulnerabilities per website has fallen. That sounds like good news until you look at the numbers and realize that the average website carried an astonishing 56 holes in 2012, according to statistics compiled by WhiteHat Security and based upon data gathered from tens of thousands of websites
Veracode Maps Out Security Risks Accelerated By Connected Vehicles(Dark Reading) Infographic provides tips for securing the latest and future generations of connected vehicles. Veracode, Inc., the leader in cloud-based application security testing, today released the "Connected Vehicles: Too Smart For Their Own Good?" infographic, which maps out the IT security risks of features in connected cars
Utah health data breach offers a lesson in the benefits of prevention(FierceHealthIT) The theft of Social Security numbers provides cyber criminals a gift that keeps on giving, posing the potential for fraud for years. When Eastern European hackers gained access to healthcare information for roughly 780,000 Medicaid participants in Utah in March 2012, the Social Security numbers for 280,000 beneficiaries were compromised
Responding to the 'Dark Seoul Cyber Attack'(The Korea Herald) On March 20, 2013, South Korea suffered a cyber attack that resulted in the denial of service of several major banks, broadcasters, and the defacement of the websites of a telecommunications operator. Although reported as a major cyber attack, multiple
Consumer Reports: 58 Million U.S. PCs Infected With Malware(Dark Reading) The recently-released Consumer Reports' Annual State of the Net Report states that a projected 58.2 million American adults had at least one malware infection that affected their home PC's features or performance in the past year. The cost of repairing the damage from those infections was nearly $4 billion, the report says
M2M deployment to speed up enterprise mobility, survey finds(FierceMobileIT) The deployment of machine-to-machine communications technology is expected to speed up enterprise mobility, according to a survey of IT decision makers by Harris Interactive on behalf of SAP. The survey of 751 IT decision makers in six countries found that M2M is seen as a natural evolution of the consumerization of IT. Enterprise uses of M2M technology include fleet management, factory automation, remote facility monitoring and maintenance, inventory tracking and billing services, as well as physical security
Pentagon Prepares To Ask Congress For Break From 'Sequester'(Reuters) The Pentagon is preparing to ask Congress soon for more authority to shift funds to cope with automatic spending cuts, confronting lawmakers with another exception to the "sequester" just days after they gave a break to the flying public and the airline industry
Veterans Program Offers IT Certifications(InformationWeek ) HP, Microsoft, NetApp and Oracle are offering training and certification for their respective technologies, while SANS Institute and Global Information Assurance Certification are doing the same in the area of IT security. Service members who
Cyber-Responders Seek New Ways to Respond to Cyberattacks(GovTech) Last year the South Carolina Department of Revenue found that a hacker had used a "spear-phishing" attack to install at least 33 unique pieces of malicious software and utilities on the department's servers to steal financial data…The business models of large anti-virus vendors such as Symantec and McAfee incorporate everyone who has a computer, because perimeter defense is an important aspect of protection and is mandated by many federal regulations, including the Health Insurance Portability and Accountability Act (HIPAA). "But that approach is not geared toward someone who is a specific target of an attack," Ling said. "When that happens, you need specialized help. The vendors who are going after thousands of customers may not be the company you ask to help eradicate a particular piece of malware and do incident response. That is where these newer niche players are coming in"
Profits Slide 70% at Spirent Communications(Motley Fool) The shares of Spirent (LSE: SPT ) declined 1% to 129 pence during early London trade this morning after the FTSE 250 mid-cap revealed first-quarter profits had plunged 70% to $7.6 million. Spirent, which provides performance-testing services for the telecoms industry, confirmed revenues had slumped 18% to $97 million. The company blamed the decline on "challenging trading conditions" and a smaller order book at the start of the year…The company maintained it would increase investment by as much as $14 million during 2013, to exploit opportunities in new technologies such as 4G and cyber security
Airbnb's new Verified ID system makes guests prove they are real people(CSO) Airbnb's new Verified ID system requires proof of identity to use their system. It's tough out there in recession land. You know who has lots of disposable money? Complete strangers from out of town who you meet on the Internet. Matching guests and hosts has been the successful premise of the online short-term rental marketplace, Airbnb
AWS cloud computing pros get certification program(Help Net Security) With the accelerating adoption of cloud computing and the AWS Cloud around the world, organizations are increasingly seeking mechanisms to identify candidates and consultants with demonstrated knowledge
Combat phishing attacks from all email domains(Help Net Security) Return Path announced that its Anti-Phishing Solutions have expanded to enable brand owners to combat attacks from all email domains, including those beyond their control. This represents a product
1010data updates big data analytics platform(Help Net Security) 1010data released a new version of its cloud-based Big Data analytics platform, which improves the ability of business analysts to quickly glean insights from the largest volumes of data with its ad-hoc
New mobile security practice from Trustwave(Help Net Security) Trustwave unveiled a new mobile security practice designed to help businesses embrace mobility and BYOD programs while maintaining compliance, managing security risks and protecting corporate networks
Magnet Forensics Adds More to Free Tool - Encrypted Disk Detector v2(Forensic Focus) A little while back Chad Tilbury, a SANS trainer and talented forensicator, was kind enough to write a blog post about our free tool EDD (Encrypted Disk Detector) and ask his readers to fill out a survey to indicate which additional encryption support they wanted added to EDD
Protecting Your Privacy on the Go With Bitdefender's Android App(Technorati) Bitdefender's Clueful sorts out this problem by creating an application which keeps a watch on other applications on the mobile device. Previously, Clueful was available only for iPhone, but Bitdefender took a step further to bring the same app for
10 Top Password Managers(InformationWeek) Tired of being stuck in password hell? Consider these password managers that balance security with convenience
Technologies, Techniques, and Standards
Learning From Auditor War Stories(Dark Reading) Sometimes the best lessons come from cautionary tales lived by those before us who didn't get things right the first time around. And in the IT compliance world, no one is more prepared to offer up those stories than the auditors and assessors tasked to check up on IT practices
Top 10 tips: Why you should use the cloud and how to do it securely(ITProPortal) Everyone has an opinion on the 'cloud' and its effect on business – some believe it is dark and scary and fraught with unnecessary risk, while others would argue it's silver lined and the path to greater business performance and cost savings. The truth is that the cloud undeniably has the potential to open up a whole new dimension of opportunities to businesses – but only if data security is properly addressed
Should You "Freeze" Your Credit Reports?(Huffington Post) Although the odds of having your identity stolen remain quite low, anyone who's ever had their bank or credit card account compromised knows what a pain it can be to unravel the mess. Sometimes enterprising hackers just need your Social Security number, address and date of birth to start running up charges on your existing accounts -- or worse, to open new ones in your name
NIST releases 4th version of security control catalog SP 800-53(FierceGovernmentIT) The National Institute of Standards and Technology released April 30 a revised version of its security control catalog for federal systems, SP 800-53. The revision, the fourth version of the security controls catalog, also includes for the first time an appendix of privacy controls. Changes to the security controls include a new emphasis on secure software development in an effort to shift security away from the focus of the past few years, during which it's targeted matters such as configuration management or continuous monitoring
Design and Innovation
Apple's attempt to ditch skeuomorphism resulting in tight iOS 7 deadlines(Ars Technica) Famed Apple product designer Jony Ive has his hands deep into iOS 7 following the departure of former iOS software head Scott Forstall, leading to potential delays as he revamps the look and feel of the software. That's according to a new report at Bloomberg, which cites sources claiming that Ive is working to rid iOS of the skeuomorphism that came from Forstall's influence in order to impose a "flatter design that's more unified and less cluttered"
Cyber Warfare: Special Report Thursday at 10 pm(WHNT) "Well the whole point is where is the cyber attack coming from? Sometimes to actually know who launched the cyber attack is not immediately known," said Sara Graves, a UAH Cyber Security Expert. "It's not like an attack from another nation. And then if
Groups criticize FBI plan to require Internet backdoors for wiretaps(CSO) U.S. task force reportedly working on plan to severely penalize companies that fail to comply quickly with wiretap orders. Privacy groups are denouncing a federal government move to force Internet companies like Facebook and Google to build backdoors that would let the FBI and other agencies snoop in on real time online communications
Obama Sides with Anti-CISPA Petitioners(BankInfoSecurity) Here's how Daniel and Park address the administration's three key principles it seeks in any information sharing legislation: (1) privacy and civil liberties protections, (2) ensuring a civilian department (read: Department of Homeland Security)
Do You Want the Government Buying Your Data From Corporations?(Atlantic) Our government collects a lot of information about us. Tax records, legal records, license records, records of government services received-- it's all in databases that are increasingly linked and correlated. Still, there's a lot of personal information the government can't collect. Either they're prohibited by law from asking without probable cause and a judicial order, or they simply have no cost-effective way to collect it. But the government has figured out how to get around the laws, and collect personal data that has been historically denied to them: ask corporate America for it
Expert: Don't be too hands-off with medical apps(Politico) An advocate for health IT regulation worried Tuesday that the Obama administration had been too lenient with medical app developers, some of whom push programs that haven't been evaluated for safety or medical efficacy
For Their Eyes Only: The Commercialization of Digital Spying(Citizen Lab) Citizen Lab is pleased to announce the release of "For Their Eyes Only: The Commercialization of Digital Spying." The report features new findings, as well as consolidating a year of our research on the commercial market for offensive computer network intrusion capabilities developed by Western companies. Our new findings include: We have identified FinFisher Command & Control servers in 11 new Countries. Hungary, Turkey, Romania, Panama, Lithuania, Macedonia, South Africa, Pakistan, Nigeria, Bulgaria, Austria. Taken together with our previous research, we can now assert that FinFisher Command & Control servers are currently active, or have been present, in 36 countries
Whether or not you're a Chinese spy, you shouldn't download porn onto a NASA laptop(Quartz) Bo Jiang, a Chinese research scientist who worked at a NASA facility and was suspected of stealing secrets, is expected to plead guilty today–not for espionage, but for downloading porn on his work computer. Mr Bo, 31, was fired in January for taking a NASA laptop on holiday to China and shortly afterwards named a threat to national security
IGs probe government's handling of Boston intel info(Washington Times) The inspectors general of the intelligence community, the CIA, the Justice Department and the Department of Homeland Security have begun a "coordinated and independent review" of the government's handling of intelligence information leading up to the
USPS has data-related issues, say auditors(FierceGovernmentIT) The Postal Service has data-related issues, the USPS office of inspector general says in a review of reports it's issued from fiscal 2009 through fiscal 2012
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
U.S. Department of State Mobile Computing Forum(Washington, DC, USA, May 23, 2013) The U.S. Department of State's Bureau of Information Resource Management will host an educational forum and IT Expo, themed "Mobile Computing," reflecting their mission to empower diplomacy, consular services...
2013 ICAM Information Day and Expo(Washington, DC, USA, June 18, 2013) This day provides a forum for the Identity, Credential and Access Management (ICAM) community to get first-hand information on current identity management and related technologies.
NASA National Capital Region Industry Days(Washington, DC, USA, June 25 - 27, 2013) This dedicated Information Technology Expo - sponsored by the Office of the Chief Information Officer - will serve as a focal point for NASA personnel to learn about the latest products and advances in...
2013 World Comp(Las Vegas, Nevada, USA, July 22 - 23, 2013) 2200 leading researchers, academics, and executives from government, academia and industry will come together at this annual event which facilitates communication among researchers in different fields...
INSA Leadership Dinner with NGA Director Letitia Long(McLean, Virginia, USA, May 2, 2013) NGA At the Crossroads - Visualizing the Future. Join INSA and NGA Director Letitia Long as she shares her vision for transforming NGA and GeoInt in innovative ways that more effectively put the power of...
Interop Las Vegas(Las Vegas, Nevada, USA, May 6 - 10, 2013) Attend Interop Las Vegas, May 6-10, and attend the most thorough training on Apple deployment at the NEW Mac & iOS IT Conference. Join us in Las Vegas for access to 125+ workshops and conference classes,...
ITWeb Security Summit 2013(Sandton, South Africa, May 7 - 9, 2013) A conference devoted to cyber security, with a particular emphasis on countering the latest attack vectors. The gathering creates an opportunity for senior security professionals and business decision-makers...
The Computer Forensics Show(New York City, New York, USA, May 8 - 9, 2013) For IT and business executives responsible for creating, implementing, and managing a proactive and comprehensive IT strategy for information security, risk management, compliance, and business continuity...
ASIS 23rd New York City Security Conference and Expo(New York City, New York, USA, May 8 - 9, 2013) Join more than 2,500 professionals in the Big Apple for the largest annual conference in the Northeast for security management and law enforcement professionals. This exciting event will focus on key challenges...
Software Engineering Institute Invitational Hiring Event(Arlington, Virginia, USA, May 8 - 9, 2013) Attention software engineers and cyber security professionals: Carnegie Mellon's Software Engineering Institute needs your top notch skills to meet today's challenges. SEI staff will be interviewing on...
Baltimore Tech-Security Conference(Baltimore, Maryland, USA, May 9, 2013) The Baltimore Tech-Security Conference features 25-30 vendor exhibits and several industry experts discussing current tech-security issues such as email security, VoIP, LAN security, wireless security,...
CyberSecurity UAE Summit 2013(Dubai, UAE, May 13 - 14, 2013) Review developments, strategies and best practice in global cyber security. Assess the nature of the latest threats being faced and the impact of these upon your organisation. Discuss the most promising...
GovSec(Washington, DC, USA, May 13 - 15, 2013) GovSec is the nation's premier event for Government, Homeland Security, and Law Enforcement professionals looking for proven strategies and cost effective technology so they can achieve their mission of...
Thriving in the Post-Sequestration GovCon Era(McLean, Virginia, USA, May 14, 2013) The Potomac Officers Club is hosting a summit for GovCon executives and government leaders to collaborate and share ideas on how to navigate a new era involving sequestration. At least five speakers, each...
Second Maryland Cybersecurity Center Symposium (MC2)(College Park, Maryland, USA, May 14 - 15, 2013) Drawing on regional experts of national and international acclaim, MC2's second Annual Cybersecurity Symposium will showcase the latest research, trends, and topics in cybersecurity, including: keynote...
FOSE(Washington, DC, USA, May 14 - 16, 2013) FOSE is the premier event for government technology professionals interested in innovative, effective tools and solutions allowing you and your agency or organization to advance your mission. From IT managers...
7th Annual INSA IC Industry Day(Springfield, Virginia, USA, May 15, 2013) This annual event is held at the TS/SCI level in cooperation with ODNI as a comprehensive forum for IC leaders to relate their budget priorities to industry. The theme of this year's IC industry day is...
Hack Miami(Miami, Florida, USA, May 17 - 19, 2013) The HackMiami 2013 Hackers Conference seeks to bring together the brightest minds within the information security industry and the digital underground. This conference will showcase cutting edge tools,...
CEIC 2013(Orlando, Florida, USA, May 19 - 22, 2013) The largest digital-investigations conference of its kind and the only one to offer hands-on lab sessions for practical skills development. CEIC offers relevant and practical information from expert speakers.
IEEE Symposium on Security and Privacy(San Francisco, California, USA, May 19 - 22, 2013) Since 1980, the IEEE Symposium on Security and Privacy has been the premier forum for the presentation of developments in computer security and electronic privacy, and for bringing together researchers...
International Workshop on Cyber Crime (IWCC)(San Francisco, California, USA, May 24, 2013) The aim of this workshop is to bring together the research accomplishments provided by the researchers from academia and the industry. The other goal is to show the latest research results in the field...
Web 2.0 Security and Privacy(San Francisco, California, USA, May 24, 2013) The goal of this one-day workshop is to bring together researchers and practitioners from academia and industry to focus on understanding Web 2.0 security and privacy issues, and to establish new collaborations...
Maryland/DC Celebration of International Trade(Linthicum, Maryland, USA, May 21, 2013) Join Maryland exporters and international business experts as they celebrate International Trade Week. Hosted by the Maryland/DC District Export Council this event is a content rich celebration of international...
IEEE-Cyber 2013(Nanjing, China, May 26 - 29, 2013) This conference will cover cyber physical systems, cyber control and automation, cyber robotics, and the Internet of things.
Cyber Security @ CeBIT(Sydney, New South Wales, Australia, May 28 - 30, 2013) The Cyber Security Conference will serve as a platform where all those involved in securing and governing ICT within an organisation can discuss the newest challenges and strategies. The event is a must-attend...
Cyber Security for the Chemical Industry(Frankfurt, Hessen, Germany, May 29 - 30, 2013) It is becoming increasingly more important than ever to be aware of the latest cyber threats, and equipped to protect your company from them. In addition to physical security, these industries are faced...
DGI Cyber Security Conference & Expo(Washington, DC, USA, May 30, 2013) Data security threats continue to increase in number and sophistication. The growing use of collaborative technologies - from mobile devices and social media to virtualization and cloud computing - will...