More signal. Less noise.

Daily briefing.

The US Administration may be backing away from punitive strikes against the Syrian regime, but cyber-rioting, some state-sponsored, some whose inspiration and control are less clear, continues. It's mostly low-grade vandalism on both sides of the Syrian civil war. (One target is NASA, whose sites are defaced by anti-NSA messages; one wonders how much of the cyber odium the space agency attracts is due to its being a four-letter agency just one letter removed from a three-letter agency.)

Tomorrow, of course, is the anniversary of the 9/11 attacks. opIsrael calls for Islamist cyber strikes against Israel (and others); enterprises everywhere would do well to be on their toes.

Websense reports "low-volume, high-payoff" attacks on financial services in Asia, particularly in the UAE, Pakistan, and Nepal.

Hackers are making more use of PHP SuperGlobal variables to compromise their targets, and security experts recommend blocking SuperGlobal parameters in requests. A web-based, DNS-amplification denial-of-service attack mode has been seen in the wild. (Malware commodification continues: this DDoS tool is offered on the black market for only $800.)

It's Patch Tuesday: watch for Office, Windows, and SharePoint fixes later in the day.

If you're interested in hacker culture, read "Topiary's" post-conviction reflections on his career.

FireEye has set terms for its $186M IPO. Active defense proponent CrowdStrike raises $30M in Series B funding. Icahn abandons his play for Dell. Google announces plans for comprehensive end-to-end encryption.

The US Review Group on Intelligence and Communications Technologies begins meetings on surveillance policy and solicits public input.

Notes.

Today's issue includes events affecting Australia, Canada, China, Germany, Indonesia, Israel, Italy, Kenya, Macau, Nepal, Pakistan, Qatar, Russia, South Africa, Syria, Ukraine, United Arab Emirates, United Kingdom, United States, and Venezuela.

Today we offer special congratulations to the members of the National Cyber Security Hall of Fame class of 2013. Willis H. Ware, James Anderson, Eugene Spafford, David Bell, and James Bidzos will be recognized next month.

Cyber Attacks, Threats, and Vulnerabilities

14 official NASA domains hacked by BMPoC, left with messages against NSA spying and War on Syria. (Hack Read) National Aeronautics and Space Administration (NASA) which is now more famous for its poor cyber security rather than anything else is again under attack, this time a hacker going with the handle of BMPoC along with his team has defaced 14 official sub-domains of the agency today. Hackers left a deface page along with a message on all hacked websites against possible U.S strike over Syria and National Security Agency

627 websites hacked and defaced by Indonesian Hackers for #OpFreeSyria (Hack Read) Two Indonesian hackers going with the handle of SultanHaikal and Brian Kamikaze have hacked and defaced a total of 627 random websites under the banner of #OpFreeSyria. Hackers left a deface page, a simple note with Syrian flag displaying victory sign. The deface message was expressed in following words: Hacked by SultanHaikal & Brian Kamikaze #Free Syrian Welcome to The 0day Thanks To All Muslim hackers

Overheated Rhetoric Undermines The Case For Syria Cyber Attacks (Forbes) In the lead-up to possible airstrikes against Syria, a contradiction has emerged in the U.S. public policy debate about the prospective uses and impacts of cyber weapons. The use of such weapons against the United States is portrayed as potentially catastrophic and as an act of war. Used against a potential adversary, the same weapons are portrayed as a bloodless alternative to traditional airstrikes. But years of cyber-doom scare stories undermine the case for cyber weapons as a humanitarian alternative to traditional airstrikes

Marine Corps responds to Syria–based cyber attack (Marine Corps Times) The Marine Corps says it's taking precautions to prevent future cyber attacks like the one that made international news Sept. 2 when hackers allegedly supporting the Syrian government compromised an official recruiting website

Cyber attack on Israel planned for Wednesday to mark 9/11 (Globes) A few days ago, a YouTube video was distributed calling on Muslim hackers worldwide to attack Israel on Wednesday, September 11. Just over five months ago, on Holocaust Day, "Globes" reported on a cyber attack against Israel by Muslim hacker groups sponsored by underground organization, Anonymous. The attack included hacking into Israeli websites and crashing them, hacking into Facebook accounts of Israeli citizens, and other activity aimed at damaging Israel's Internet space

Low Volume, High Payoff Attacks Target Financial Services Industries in Asia (Websense) A few days ago, researchers from Websense Security Labs™ were reviewing data in the Websense ThreatSeeker® Intelligence Cloud and noticed a very small volume email attack targeting companies dealing with currency transfer/exchange located in Asia. Countries that were affected were the UAE, Pakistan and Nepal, but it's possible that other countries in the region were also targeted. The email messages were spoofing an email account that belongs to a remittance and currency exchange company. They were sent to recipients from the same company and a few other financial organizations in Asia. Some of the headers reveal they were most likely sent from compromised accounts in India and Pakistan. Websense Cloud Email Security proactively blocked the messages, and the data was stored in the ThreatSeeker Intelligence Cloud for review

Web–based DNS amplification DDoS attack mode supporting PHP script spotted in the wild (Webroot Threat Blog) The idea of controlling multiple, high-bandwidth empowered servers for launching DDoS attacks, compared to, for instance, controlling hundreds of thousands of malware-infected hosts, has always tempted cybercriminals to 'innovate' and seek pragmatic 'solutions' in order to achieve this particular objective. Among the most recent high profile examples utilizing this server-based DDoS attack tactic is Operation Ababil, or Izz ad-Din al-Qassam a.k.a Qassam Cyber Fighters attacks against major U.S financial institutions, where the use of high-bandwidth servers was utilized by the attackers. This indicates that wishful thinking often tends to materialize. In this post, we'll take a peek inside what appears to

Exploring attacks against PHP applications (Help Net Security) Imperva released its September Hacker Intelligence Initiative report which presents an in-depth view of recent attacks against PHP applications, including attacks that involve the PHP "SuperGlobal"

PHP SuperGlobals: Supersized Trouble (Imperva) For a while now, the ADC research group has been looking into the implication of third-party applications on the security posture of an organization. Attackers are always looking to capitalize on their activities, and therefore, they are aiming at commonly used third-party components that yield the best return on investment. With that in mind, we decided to look into one of the most commonly used web infrastructures, PHP

PHP SuperGlobal Variables Increasingly Targeted by Hackers (SecurityWeek) Hackers are increasingly trying to exploit PHP 'SuperGlobal' variables as a way to compromise their targets, according to a new report from Imperva. Over the course of May, Imperva identified 3,450 requests that manipulated PHP SuperGlobal variables targeting 24 web applications. These requests were generated by 27 different source IP addresses and appeared in the form of request burst floods with peaks of more than 20 hits per minute on a single application

iPhone 5S Phishing Mail Arrives In Time for Launch (TrendLabs Security Intelligence Blog) While millions of mobile users are anticipating the launch of the new iPhone (5S and 5C), cybercriminals are already making their move to distribute spam that promise to give away the said devices for free, in the guise of a contest. We saw samples of spammed messages that attempted to spoof an Apple Store email notification. The said message informs recipients that they won the latest iPhone 5S mobile phones and iPad

Security experts question if Google's Chrome Apps is worth the risk (CSO) Worry based on security issues with cross-platform tech such as Flash and Java, which 'pioneered the write once, infect everywhere model'

[Video] Episode 4: ThreatVlog SMS Fake Installer tricking Android Users (Webroot Threat Blog) In this episode of ThreatVlog, Nathan Collier covers the old, but still around, SMS Fake Installer, a Russian based program used to trick phone users to send premium text messages, costing money to the user. Nathan talks about how these threats work, how this threat is different, and the easiest way to stay protected on your Android powered phone

As Websites See More Zombie Traffic, The Bots Now Come From Southeast Asia (Forbes) Suspicious website traffic is on the rise once again but with new hotbeds of bot activity, data from Solve Media suggests. In its quarterly bot traffic report released Monday, the security and advertising company found that the numbers haven't gotten better since its last review found bots on the rise. The increasing amount of non-human traffic on the mobile Web, however, means those bots are increasingly coming not from China or Russia but from southeast Asia

Hacking and your smartphone (Swinburne University of Technology) The US National Security Agency (NSA) leaks just keep coming. Only a few days after details of its software anti-cryptography hacks were exposed by The Guardian, New York Times and ProPublica, German news source Der Spiegel yesterday reported some intriguing news regarding the NSA's activities in hacking smartphones

Mac cyber-attacks on the rise (PCR) Security specialist Bitdefender claims attacks on Macs — such as the recent 'Flashback' malware — are increasing. Since its discovery in September 2011, Flashback has managed to infect more than 600,000 machines, making use of no less than three separate vulnerabilities to download and execute itself on Mac OS systems from compromised websites

Security Patches, Mitigations, and Software Updates

Microsoft Security Bulletin Advance Notification for September 2013 (Microsoft Security Tech Center) This is an advance notification of security bulletins that Microsoft is intending to release on September 10, 2013

Cyber Trends

Has Cyber Become the Equalizer? (SecurityWeek) Stepping back from the day-to-day enterprise view on cyber security we normally discuss in this column, I want to focus on the more macro impact of cyber security from a global perspective. While they teach you in law school to never ask a question that you don't already have the definitive answer for, I'm going to go against this logic and pose the question of whether or not cyber has been the global equalizer to my fellow security experts. While I have my own opinions, I believe this is an important topic that warrants greater discussion within the industry

The Definition of a Website Must be Updated (Search Engine Watch) Unfortunately, the current outdated definition of a website has perpetuated the view of a website as an exercise in technology, rather than a function of business

Tackling Enterprise Threats From The Internet Of Things (Dark Reading) With all of the sensational stories about baby monitors being taken over by remote intruders and SCADA systems perennially vulnerable to potentially disastrous flaws, it's easy to forget that insecurity in the Internet of Things isn't just relegated to consumer devices and critical infrastructure

Enough Clucking — Start Fixing the SCADA Security Problem (TOFINO) In a recent blog article, "Chicken, Egg, and Chicken Omelette with Salsa," Dale Peterson is squawking like a rooster. Nothing new, but this time his message is scrambled. He once again referred to me as a SCADA Apologist, though this time he also labeled me the "salsa" that accompanies a chicken omelette. While I responded to his opinion in my January 30 blog post, I'd like to revisit this spicy topic

Executives, IT officers most concerned about malicious insiders (Help Net Security) An international survey polling 260 respondents from a wide variety of industry sectors has revealed that over half of them are more worried about their own employees turning rogue than about external

The Mouse Click that Roared (Project Syndicate) Until recently, cyber security has primarily interested computer geeks and cloak-and-dagger types. The Internet's creators, part of a small, enclosed community, were very comfortable with an open system in which security was not a primary concern. But, with some three billion or so users on the Web nowadays, that very openness has become a serious vulnerability; indeed, it is endangering the vast economic opportunities that the Internet has opened for the world

'Topiary' tells all: Prison, activism, and LulzSec's beginnings (CNET) The young hacker, whose real name is Jake Davis, opens up about his time in the cyberattack collective

With crypto being insecure, whom do you trust? (Help Net Security) Last week's revelation that the NSA has for years now concentrated on subverting the encryption that protects commerce and banking transactions, sensitive data, e-mails, phone calls, web searchers and so on would have not come as such a shock were it not for the array of questionable methods they used

Marketplace

Anti–Contractor Rhetoric as Common as Fed-Bashing, Industry Says (Government Executive) With collaboration between agencies and contractors at a "low ebb," government should centralize services acquisition-related human capital planning to confront a retirement-wave brain drain and align itself with industry trends, a key contractor group recommends

ICITE Builds From the Desktop Up (SIGNAL Magazine) The Intelligence Community Information Technology Enterprise, or ICITE, is deploying its first desktop elements on the way to a communitywide cloud architecture. Different intelligence agencies are building ICITE elements based on their own specific expertise, and many are tapping efforts that have been underway for some time

CRGT Inc. Enterprise Solutions Group Appraised at CMMI Level 3 (PRWeb) CRGT Inc., a leading provider of full life-cycle IT services and an expert in emerging technology solutions for the Federal Government, announced that it has been re-appraised as operating at the Capability Maturity Model Integration (CMMI) Maturity Level 3 for its Software Development Projects, affirming the company's continued commitment to employing industry best practices. This appraisal was performed by an industry Lead Appraiser from Schilling Knowledge Engineering, LLC (SKELLC), and further demonstrates CRGT's commitment to employing industry best practices

Shine Security Is Reinventing The Antivirus Company For The Age Of Zero-Day Attacks (TechCrunch) Launching today at TechCrunch Disrupt San Francisco, Shine Security is reinventing the idea of what it means to be an antivirus company in an age of cyber-warfare and zero-day attacks. The company's technology was built by white hat, ethical hackers, and works in real time, performing behavioral monitoring on end users' systems in order to stop newly emerging threats that other anti-virus firms have yet to discover or identify

Yahoo hops on transparency report bandwagon (Naked Security) Yahoo's first Transparency Report shows the US makes the most data requests, predictably as most Yahoo users live there. But which countries are going on fishing expeditions, asking Yahoo for data which doesn't exist or making requests without the proper legal justification

Cyber security company FireEye sets terms for $182 million IPO (NASDAQ) FireEye, which provides virtual machine-based IT security software to enterprises and the government, announced terms for its IPO on Monday. The Milpitas, CA-based company plans to raise $182 million by offering 14.0 million shares at a price range of $12 to $14. At the midpoint of the proposed range, FireEye would command a fully diluted market value of $1.7 billion

CrowdStrike Raises $30 Million (SecurityWeek) CrowdStrike, a security firm focused on detection and mitigation of targeted attacks, today announced that it has raised $30 million in Series B financing, bringing the total raised by the Irvine, California-based company to $56 million. The company said it would use the new cash to enhance its big data analytics and security intelligence and support an aggressive go-to-market strategy in the next-generation threat protection space

Carl Icahn Throws In Towel On Dell Fight (CRN) Corporate raider Carl Icahn said Monday he will back down off his crusade to stop Michael Dell (NSDQ:Dell)'s $24.8 billion privatization plan

Carl Icahn gives up on Dell; did he make any money? (FierceFinance) With little hope of winning at this week's shareholder meeting, the third that had been scheduled, Carl Icahn has given up on Dell — hardly a surprising move. He left with a few barbs. In a letter to shareholders, he "jokingly" asked, "What's the difference between Dell and a dictatorship?" The answer: "Most functioning dictatorships only need to postpone the vote once to win." But he also congratulated Michael Dell, saying that "I intend to call him to wish him good luck (he may need it)." I'd love to hear that conversation

Twitter And MoPub Want Slice Of 445 Billion Minutes (Forbes) More than half of all time spent on the Internet is now through a mobile device — 12 percent on tablets and 39 percent on smartphones, according to a joint study by Comscore and Jumptap. Twitter clearly wants a slice of that mobile time with its just announced acquisition of MoPub

Products, Services, and Solutions

Google to encrypt data "end–to–end" in effort to block NSA and other agencies (Naked Security) Google is stepping up efforts to toughen data encryption in an effort to limit unofficial snooping on user information in the wake of the revelations about the NSA and PRISM

Google plan to thwart government surveillance with encryption raises stakes (CSO) Strategy would make probing data flow expensive and hard, likely forcing the NSA to obtain a court order for targeted data

Silent Circle Announces New Service Bundles (Dark Reading) Apps include Silent Phone for secure mobile voice and video calls. Silent Circle, the global encrypted communications firm revolutionizing mobile device security for organizations and individuals alike, today announced new bundled service offerings for customers turning to the company's unique peer-to-peer encryption platform as a secure alternative to traditional calling, mobile messaging and file transfer tools susceptible to escalating privacy threats. The new bundle options help businesses, government agencies and individuals in Silent Circle's fast-growing customer segments secure their preferred means of communication, from mobile calling and messaging to desktop videoconferencing

SecureKey To Add Fido Specification Support To Its Cloud-Based briidge.net Authentication Service Inbox (Dark Reading) With the addition of FIDO specification support, briidge.net customers will have the option of employing briidge.net DNA-enabled devices, as well as any FIDO-enabled authenticator

SecureCheq: A Free Configuration Evaluator from Tripwire (Tripwire) Configuration failures, whether accidental or malicious, are some of the most pervasive risks in IT today. And often the most invisible. Security Configuration Management solves this problem, but how does it work? What does it look for and what advice does it offer? SecureCheq is a fast, simple utility for Windows servers and desktops that answers these questions while it tests for common configuration risks. This free utility

McAfee releases 2014 core PC security products (Help Net Security) McAfee announced its new 2014 line of core PC security suites delivering increased power and performance with a lighter and faster footprint resulting in an enhanced user experience. The line includes

Telstra Kicking Off Voluntary Filter Trials, Seeking Volunteers (Gizmodo Australia) Fancy putting your hand up to be part of a voluntary filter trial involving deep packet inspection all designed to thwart piracy? Telstra wants to hear from you

Fortinet Readies Sandboxing Approach To Rival Competitors (CRN) Zero-day exploits and other custom malware not captured in the first layer are sent for full analysis in the virtual sandbox, said Derek Manky, a senior security

Ultra Electronics, 3eTI Prevents Cyber-Attacks with New Defense-in-Depth Security Device for Industrial Control Systems (ICS) (Fort Mill Times) EtherGuard L3 integrates enhanced layers of Information Assurance (IA) and cyber security controls for truly intelligent, more secure protection of real-time systems

Facebook Password Finder tools claim to hack into accounts, but are actually worthless (Graham Cluley) It seems not a day goes by without someone on the internet asking me how they can "recover" a password for a Facebook account that they can no longer access. Some of them are more honest, and admit that they want to crack the password for someone else's Facebook account because of a feud, or to pull a practical joke, or to spy upon a boyfriend or girlfriend that they believe might be cheating on them

Service lets companies manage Amazon Web Services encryption keys (NetworkWorld) KeyNexus, a division of Dark Matter Labs, today announced a secure encryption key-management service that lets organizations store, manage and audit the encryption keys they use in the cloud

RapidCompute achieves security certification (Express Tribune) Pakistan's first and largest enterprise cloud service provider RapidCompute has announced that it has achieved ISO/IEC 27001 security certification for providing cloud services. In this regard, an audit was carried out by SGS SSC, a global leader in the systems and certification market, says a press release

Kaspersky takes Internet security to Android (Gadget) Kaspersky Lab has announced Kaspersky Internet Security for Android, a protection solution especially designed for Android smartphones and tablets. The number of Internet-enabled mobile devices keeps growing. According to an international survey conducted by B2B International in April 2013, the average household currently owns 4.5 "connected" devices - and two of them are mobile smartphones or tablets. These may be used in addition to, or even in place of, traditional PCs or laptops

BitDefender Internet Security 2014 v17.17 (V3) It's not an easy decision trying to consider the security software best required for your system. There are a number of factors that you need to take into account. There are a number of individual security applications from freeware developers, but if you want the ultimate protection, can you be assured that they're going to be updated to fight against the latest virus and spyware threats? It was recently reported that a hacking group had produced malware encrypted so it was capable of getting behind even the best security software, so that's a worrying trend

Service Lets Companies Manage Amazon Web Services Encryption Keys (CIO) KeyNexus, a division of Dark Matter Labs, today announced a secure encryption key-management service that lets organizations store, manage and audit the encryption keys they use in the cloud

Technologies, Techniques, and Standards

Red Hat CIO Takes an Open-Source Approach to Security and BYOD (eWeek) Every organization today faces a similar set of challenges about implementing bring-your-own-device (BYOD) practices, secure access measures and new technology deployment. When you're the CIO of a technology vendor, those challenges are magnified, as subject matter experts on any and every choice that the CIO has to make, are plentiful and often vocal. That's the challenge that faces Lee Congdon, CIO of Linux vendor Red Hat

Vulnerability bureaucracy: Unchanged after 12 years (IOActiveLabs) One of my tasks at IOActive Labs is to deal with vulnerabilities; report them, try to get them fixed, publish advisories, etc. This isn't new to me. I started to report vulnerabilities something like 12 years ago and over that time I have reported hundreds of vulnerabilities - many of them found by me and by other people too

What is Encryption? (McAfee) Encryption is the science of encoding and decoding secret messages. It began as cryptography—the ancient Greeks used it to protect sensitive information that might fall into the hands of their enemies. More recently, governments have used encryption for military purposes, but these days the term is often used in reference to online security

Cybersecurity Basics: Surf the Web Safely With These Browsers (Entrepreneur) Web-based cyber security attacks on small businesses are on the rise. Of all internet-borne attacks, 31 percent are targeted at businesses with fewer than 250 employees, according to a recent report from Symantec. In order to protect yourself and your business against hackers, you'll want to use a secure web browser, along with a trusted antivirus and firewall software package

Limit Exposure to Facebook Friends of Friends (F-Secure) Yesterday, Forbes reporter Kashmir Hill asked a question which has been on my mind for years: Why Doesn't Facebook Show You What A 'Friend of a Friend' Sees On Your Profile? The question is in reference to Facebook's "View As" feature which can be used to audit your account. And the answer given is rather a surprise. According to Facebook's chief privacy officer Erin Egan: "We've never gotten feedback about that before

Latest NSA Crypto Revelations Could Spur Internet Makeover (Dark Reading) Documents taken from the NSA showing that the spy agency has systematically been cracking encryption and establishing a foothold in secure communications technology could provide the strongest impetus yet to spur a long overdue update of the underlying protocols of the Internet

Workplace Surveillance Revisited (eSecurity Planet) As revelations about the NSA's security program continue to come, it's a good time to discuss workplace surveillance and when and why it might be used. Each new revelation about the National Security Agency (NSA) and its domestic surveillance program heightens concern about possible abuses of government power. So it wasn't surprising when a news item

If the New iPhone Has Fingerprint Authentication, Can It Be Hacked? (Wired) When Apple bought AuthenTec for its biometrics technology -- reported as one of its most expensive purchases -- there was a lot of speculation about how the company would incorporate biometrics in its product line. Many speculate that the new Apple iPhone to be announced tomorrow will come with a fingerprint authentication system, and there are several ways it could work, such as swiping your finger over a slit-sized reader to have the phone recognize you

If the NSA can hack your bank account, who else can? (CNN Money) Revelations that the National Security Agency can break through web site encryptions and access huge amounts of personal data has raised questions about how safe our day–to–day financial dealings really are. Many people carry out their entire financial lives online — doing everything from paying their bills to managing their investments. And while financial institutions have put layers of protections in place to prevent fraud and hacking, security experts say that if the NSA is able to find a way in, other sophisticated cybercriminals could do the same

So You Wanna Be A Pen Tester? (Dark Reading) If you're looking to advance your career in the world of security, then you probably have a lot of questions about what you should do — what books to read, what groups to join, what training or certifications to get

How important is penetration testing? (Help Net Security) With cyber attacks becoming the norm, it is more important than ever before to undertake regular vulnerability scans and penetration testing to identify vulnerabilities and ensure on a regular basis

Keeping Communication Secure in New Era (BankInfoSecurity) Even with the latest disclosures that the National Security Agency is regularly subverting the cryptography used to secure large swaths of Internet communications, there is no reason for enterprises to give up on encryption, experts say. Enterprises can still retain control over their sensitive information by implementing encryption correctly, improving key management and auditing software for vulnerabilities

Preparing for Notorious Cyber Attack Dates: Radware Provides Five Steps to Secure Your Network (Wall Street Journal) There are several dates throughout the year that are notorious for wreaking havoc on businesses via denial-of-service (DoS) attacks, data breaches and even malware or botnet assaults. As September 11th nears, rumors about coordinated cyber attacks on American websites continue to increase. Because of these potential risks, it's imperative that businesses tighten their network security measures now in order to protect themselves from potential intrusion or disruption, which can result in profit-loss and tarnished user confidence

Alan Solomon reminds NSA (and anyone else listening) that unbreakable codes do exist (Graham Cluley) Computer security veteran Dr Alan Solomon shares his reflections on the NSA electronic snooping debacle that has been dominating the headlines

Windows Picture Passwords — are they really as "easily crackable" as everyone's saying? (Naked Security) Following a USENIX paper about the security of Windows Picture Passwords, you may have read that they are "easily crackable." Paul Ducklin wondered about that, and tried to come up with a balanced view

Design and Innovation

10 Paradoxical Traits of Creative People (Fast Company) Creative people are humble and proud. Creative people tend to be both extroverted and introverted. Creative people are rebellious and conservative. How creative are you

How Albert Einstein, Steve Jobs, and Maria Popova Got More Creative (Fast Company) "We learn, from the time we're little, the process of the scientific method--how to discover things--but we don't teach the parallel art of how to invent things," Stanford innovation scholar Tina Seelig told us, "That's one of the reasons creativity seems so mysterious. We don't, from the time they're young, teach people the components of what you need to invent, as opposed to discover"

Nairobi's iHub seeks investment for new hardware hackspace, Gearbox (ZDNet) One of the stalwarts of the Kenyan tech scene wants to move beyond its focus on software and apps by offering hardware workspace for design and rapid prototyping

Israel's secret intel unit spawns high-tech tycoons (UPI) The Israeli military's top-secret Unit 8200, the Jewish state's equivalent of the U.S. National Security Agency, has spawned a generation of high-tech start-ups and more technology millionaires than many business schools, and these days the cyber security sector is booming

Research and Development

National Cyber Security Hall of Fame 2013 inductees announced (SecurityInfoWatch) The National Cyber Security Hall of Fame today released the names of 5 cyber security pioneers who will be enshrined in the National Cyber Security Hall of Fame on Wednesday, October 9th at a gala banquet in Baltimore. In announcing the inductees, Mike Jacobs, the first Information Assurance Director for the National Security Agency (NSA) and Chairman of the National Cyber Security Hall of Fame said, "these honorees continue to represent the best and the brightest of our past. These individuals helped define an industry and secure a nation." Of the more than 250 nominations reviewed, the board of advisors named 5 inductees to the 2013 Cyber Security Hall of Fame

Academia

What universities are doing to keep the next Mark Zuckerberg from dropping out (Quartz) When Mark Zuckerberg founded Facebook and dropped out of Harvard, he inspired future generations of students that they too might create successful businesses without getting a degree. One of Facebook's early investors, Peter Thiel, went on to create a fellowship program which offers budding entrepreneurs up to $100,000 to drop out of school for two years or skip further education entirely

Legislation, Policy, and Regulation

Germany sent helicopter to snoop for NSA spy equipment at US consulate (Russia Today) Germany infuriated its American ally after it sent a helicopter to seek out listening posts at the US consulate in Frankfurt, in the wake of revelations that the National Security Agency spied on the European country

US spying not for security but for economic, strategic gains, Brazil pres. says (Press TV) Brazilian President Dilma Rousseff says a US spying program on the Brazilian oil giant Petrobras has not been for security reasons, accusing Washington of spying for its "economic and strategic" gains. "Without doubt, Petrobras is not a threat to the security of any country," Rousseff said on Monday, adding, "if the facts are confirmed, it would be clear the espionage was not for security or the fight against terrorism, but to respond to economic and strategic interests"

Of Course The NSA Should Be Spying On Petrobras (Forbes) Over the weekend the Guardian, New York Times and others wrote about Glenn Greenwald's disclosure of Edward Snowden's top secret NSA docs revealing that the U.S. government had been monitoring the phone calls and emails of Petrobras executives as well as of Brazilian President Dilma Rousseff

Review Group on Intelligence and Communications Technologies Conducts Meetings with Privacy and Civil Liberties Experts and Information Technology Industry Experts (Intelligence Community on the Record) Today, members of the Review Group on Intelligence and Communications Technologies met with more than a dozen privacy and civil liberties groups and experts to hear comments about how the review group should carry out its tasks. Participants discussed recommendations about how to respect the Intelligence Community's commitment to privacy and civil liberties and maintain the public trust

What Members of Congress Are Saying About NSA Spying (Center for Democracy and Technology) Sen. Ron Wyden (D-OR), NPR Interview, September 3rd: "Secret operations are different than secret law. The law always ought to be public. That's the central underpinning of a system like ours

EU politicians want suspension of data-sharing deal amid new NSA spying allegations (PC World) European politicians on Monday called for the immediate suspension of a data-sharing agreement between the U.S. and the European Union following more revelations of spying by the U.S. National Security Agency. The Terrorist Finance Tracking Program (TFTP) provides the U.S. Treasury with data stored in Europe by the international bank transfer company Swift. However documents leaked by former NSA contractor Edward Snowden and reported by The Washington Post indicate the NSA spied on Swift. The company is included in an NSA training manual for new agents on how to target private computer networks, according to the documents

NSA overreach requires pull back for good of nation (FierceGovIT) Intelligence communities have a natural tendency to overreach. Their missions by definition require intrusion into private spaces and since their motivation is the well-being of the United States and its residents, they're little apt to see pushing for more efficient execution of that mission as a problem

The NSA's Biggest Strength Is Also Its Biggest Weakness (Business Insider) The bread and butter of NSA chief Keith Alexander's reign is the push to collect more and more data, saving essentially everything passing through the Internet, encrypted or not, according to recent reporting from Foreign Policy's Shane Harris. In Alexander's stint, not only has the NSA's budget blown up, but the agency has saved so much data that it has filled servers at the headquarters in Ft. Meade and built a new installation in Utah — all to save Internet and communications traffic

Spy programs make us safer: Opposing view (USA Today) Don't play games with U.S. security. Many of us played Pick Up Sticks in our youth, slowly pulling first one then another stick from the jumble. You lost the game by pulling out the stick that collapsed the pile. It's a great way to pass a rainy afternoon, but a bad way to set national security policy

Reverse engineering software should be allowed: DTI (Mybroadband) The reverse engineering of software, so long as it is consistent with our international treaty obligations, should be allowed in South Africa. This is according to the draft Intellectual Property Policy which was published by the Department of Trade and Industry (DTI) in the Government Gazette on Wednesday, 4 September 2013

In China, being retweeted 500 times can get you three years in prison (Quartz) Details of a new law issued by China's supreme court are bound to make loose talkers on Sina Weibo and other social media platforms think twice before speaking freely. The law says that any libelous posts or messages will be considered "severe" breaches of the law if they are visited or clicked on more than 5,000 times or forwarded (or "retweeted," in Western parlance) more than 500 times. Those found guilty could face up to three years in jail, reports Reuters, citing Chinese state media

Crime to "Disparage" an Under–18–Year–Old "With Intent to Harass"? (Volokh Conspiracy) That's what Pennsylvania HB1163, which passed the Judiciary Committee by a 25-0 vote in May, would provide: (1) A person commits the crime of cyber harassment of a child if, by means of an electronic communication and with intent to harass a child, he repeatedly communicates or, on at least one occasion, makes available to a user of an electronic social media network or service, information about a child under 18 years of age which, whether true or not, includes any of the following

Litigation, Investigation, and Law Enforcement

Microsoft, Google, Facebook and Yahoo! file motions in FISA Court (ZDNet) Today Microsoft, Google, Yahoo! and Facebook all filed motions with the FISC (U.S. Foreign Intelligence Surveillance Court) to allow them to release certain aggregate data about the numbers of requests they receive from the government. Microsoft and Google filed such motions many weeks ago; the proceedings were delayed at the government's request until just recently as the parties negotiated. The negotiations have failed and the matter will be heard in the FISC

DC Court Questions Validity of Net Neutrality Rules (The Wrap) Judges suggest a big defeat for technology companies and consumer advocates may be on the way. Judges on a DC appellate court sharply questioned the validity of the FCC's Net Neutrality rules on Monday, suggesting the regulatory agency's so-called "Open Internet" rules are on borrowed time

Verizon argues it should be able to block websites (ComputerWorld) Congress didn't authorize the FCC to pass net neutrality rules, Verizon's lawyer tells an appeals court. Verizon Communications should be able to block its broadband customers from going to websites that refuse to pay the provider to deliver their traffic, a lawyer for Verizon told an appeals court Monday

HIPAA compliance: Questions linger about liability (FierceHealthIT) With only two weeks to go before organizations must meet HIPAA compliance under the omnibus rule published in January, questions about liability--who's responsible and for what--are becoming increasingly frequent, according to Kathy Kudner, a healthcare attorney with law firm Dykema Gossett

Massive breach spawns class action lawsuit against Advocate Medical Group (FierceHealthIT) On top of federal and state investigations into its data breach, Advocate Medical Group in Downers Grove, Ill, faces a class-action lawsuit from affected patients

B.C. computer servers linked to $500M global theft ring (Yahoo! Canada) Police believe that servers in Burnaby, B.C., may have been part of a global network of computers used to steal $500 million from bank accounts around the world, according to a search warrant filed in June

Missouri man to plead guilty in Koch cyber attack, report says (Wichita Business Journal) A Missouri man will plead guilty next month to organizing and participating in a cyberattack that impacted the performance of several Koch Industries-related websites, according to a report from the website The Smoking Gun

TRENDnet Settles with FTC Over Camera Privacy Flaws (eSecurity Planet) The company is required to obtain third-party assessments of its security programs every two years for the next 20 years. The U.S. Federal Trade Commission (FTC) recently announced that TRENDnet has settled charges that its "lax security practices" had exposed hundreds of consumers' private lives to public viewing online (h/t SC Magazine)

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

Upcoming Events

TechCrunch Disrupt San Francisco (San Francisco, California, September 7 - 11, 2013) For the fourth year in a row, TechCrunch Disrupt will take over the San Francisco Design Center Concourse, and we're bringing the hottest startups and best minds in the industry with us. Block off September...

High Technology Crime Investigation Association 2013 International Conference and Training Expo (Summerlin, Nevada, USA, September 8 - 11, 2013) The High Technology Crime Investigation Association (HTCIA) Annual Conference is committed to bringing its participants — members or non–members — the best training, tools and networking the industry has...

SANS CyberCon Fall 2013 (Online, September 9 - 14, 2013) With sequestration still in place, organizations are finding themselves with training budgets, but drastically reduced travel budgets. This one-of-a-kind online training event brings SANS' top instructors...

15th Annual AT&T Cyber Security Conference (New York, New York, USA, September 10, 2013) The AT&T Cyber Security Conference is an annual day-long conference offered by the AT&T Chief Security Office. Combining the expertise of its security experts, the scale and reliability of its global IP...

First Regional Southeast Conference on Cyber Security for National Security (Charleston, South Carolina, USA, September 10, 2013) The First Southeast Regional CS4NS Conference focuses on the immediate need of strengthening the critical cyber infrastructure of our nation. The conference will address the current cyber security state...

International Common Criteria Conference (Orlando, Florida, USA, September 10 - 11, 2013) FBC invites you to participate in the International Common Criteria Conference (ICCC) taking place in Orlando, Florida. This is the first time since 2000 that the ICCC is taking place in the U.S. The ICCC...

Angel Venture Forum: Cyber Security & Healthcare Investment Conference (Washington, DC, USA, September 11, 2013) With the increasing adoption of cloud computing, mobile devices and web-based applications, hackers have more opportunities than ever to infiltrate and crash network systems, especially in healthcare,...

GrrCon (Grand Rapids, Michigan, USA, September 12 - 13, 2013) Says IT World, "Another hacker conference, this time in Michigan. The schedule looks to be bawdy, brash and anything but dull, with hackers promising to "pwn" you before you leave town. There are also...

cybergamut Technical Tuesday: Malware Analysis for the Masses (Columbia, Maryland, USA, September 17, 2013) With malware becoming more prevalent, and the pool of capable reversers falling short of overall need, there is a greater need to provide quick and efficient malware analysis for network defense. With...

GovConnects Business Breakfast: Surviving Sequestration (Elkridge, Maryland, USA, September 17, 2013) This Business Breakfast will feature presentations by seasoned professionals in the field of government contracting as they share best practices for dealing with current challenges of doing business in...

Shaping the Future of Cybersecurity Education Workshop (Gaithersburg, Maryland, USA, September 17 - 19, 2013) The third annual Shaping the Future of Cybersecurity Education Workshop will be held at the National Institute of Standards and Technology (NIST) in Gaithersburg, MD and focus on "Navigating the National...

ISSA Cyber Security Forum at Ft Belvoir (Fort Belvoir, Virginia, USA, September 19, 2013) This event will allow personnel from Fort Belvoir the chance to learn about the latest cyber security trends, network with peers, discuss Army best practices and to view and demo some of the latest cyber...

CISO Executive Summit (Atlanta, Georgia, USA, September 19 - 20, 2013) Be on the forefront of a new global initiative where today's world-class leaders in information security will gather to navigate through international waters. Join these leaders as they follow the wind...
