Daily briefing.

Minor hacktivist cyber vandalism affects sites from Turkey through Iran to Pakistan, India, and Bangladesh.

China's Huawei in high dudgeon (although probably with private cheer) accuses the US NSA of cyber espionage. Belgium's big telecom firm, Belgacom, finds and cleans malware on its internal systems amid speculation about a state-sponsored attack. NASA has recovered from last week's NSA-protesting cyber vandalism.

Der Spiegel alleges NSA monitoring of international credit card transactions; both Threatpost and InformationWeek reality test NSA-centric paranoia.

The Pushdo botnet spams the Practical Malware Analysis website. A new variant of ransomware appears, unusually objectionable because it first redirects victims to illegal sites and then holds their systems hostage.

Security researchers detail issues with Dropbox previews. Google appears to know an awful lot about people's Wi-Fi passwords.

IT security managers are struggling to (1) maintain their credibility while (2) grappling with an increasingly unmanageable threat intelligence load amid (3) a tight cyber labor market.

Cyber security firms are hot acquisition targets right now. The emergence of highly desirable niche capabilities strongly contributes to buyers' interest.

BYOD policies continue to lag the pull of rogue IT (with its attendant risk of insider compromise).

Recent IT problems on financial exchanges expose a problem: automated trading outstrips effective management.

Argentina and Brazil conclude a cyber defense agreement. Current and former US intelligence officials consider serious electronic surveillance policy overhaul. (DNI Clapper expresses nostalgia for the Soviet Union—you get that all the time from Volodya, but the DNI means it differently.)


Today's issue includes events affecting Argentina, Bangladesh, Belgium, Brazil, Brunei, Cambodia, Canada, China, Finland, France, Germany, India, Indonesia, Israel, Laos, Japan, Malaysia, Myanmar, Netherlands, Pakistan, Philippines, Saudi Arabia, Singapore, South Africa, Thailand, Turkey, United Kingdom, United States, and Vietnam.

Cyber Attacks, Threats, and Vulnerabilities

Turk Hack Team Defaces 750 Websites for #OpNoWar (HackRead) Turkish hackers from Turk Hack Team going by the handles Black-Spy and WhooLe have hacked and defaced a total of 750 random websites from all over the world under the banner of #OpNoWar. A member of the team who contacted me via email explained that the purpose of targeting these sites was to deliver a message of peace to the whole world. The deface page on all hacked websites shows the following message:

Bangladeshi Hackers deface 60 Indian websites, declare Cyber War against Border Security Forces (HackRead) A group of Bangladeshi hackers going by the handle Bangladesh Black HAT Hackers (BBHH) have hacked and defaced 60 Indian websites, declaring cyber war over the alleged brutality of India's Border Security Force (BSF). The hackers contacted me via email, explaining the reason for starting the cyber war in the form of a press release. The release was expressed in the following words: We are Bangladesh

Facebook Account of Iran's Minister of Foreign Affairs Hacked (Softpedia) The official Facebook account of Mohammad Javad Zarif, Iran's current minister of foreign affairs, has been hacked. Zarif has issued a statement explaining that someone has hacked into his Facebook account and changed the password

OpCambodiaFreedom: Anonymous Hackers Threaten Cambodian Government (Softpedia) Hacktivists of Anonymous Cambodia have issued a video statement threatening the Cambodian government. "Government of the once great Kingdom of Cambodia, It has come to our attention that despite our continued warnings you have decided to disregard our requests to assist the people of this country, and have persisted in running a one-way system which only shows to benefit yourselves," the hackers said

Huawei accuses NSA of illegal practices after spying revelations (The Age) The US National Security Agency (NSA) appears to have been caught spying on Chinese technology company Huawei — and Huawei is furious about it. Earlier this week a host of new documents leaked by former NSA contractor Edward Snowden were revealed on Brazilian TV network Globo. The new files offer a significant amount of fresh details about surveillance programs operated by the NSA and its British counterpart, GCHQ. One of the documents, reportedly taken from an NSA training presentation dated May 2012, showed a number of surveillance targets. They included a Saudi bank, the French Ministry of Foreign Affairs, the financial cooperative SWIFT and Huawei

Ban Porn says 3xp1r3 Cyber Army by hacking 30 Pornography websites (HackRead) A Bangladeshi hacker going by the handle ExpirED BraiN from 3xp1r3 Cyber Army has hacked and defaced 30 pornography websites, deleting the entire databases of all hacked sites

Belgacom takes actions related to IT security (Belgacom Group) This weekend, Belgacom successfully performed an operation as part of its continuous action plan to protect the security of its customers and their data and to assure the continuity of its services. Previous security checks by Belgacom experts revealed traces of a digital intrusion in the company's internal IT system. Belgacom has taken all appropriate actions to protect the integrity of its IT system and to further reinforce the prevention against possible incidents

Belgian Telecoms Company Belgacom Hacked, Spy Agencies Blamed (Softpedia) Belgacom, the largest telecommunications company in Belgium, has been hacked. The company's representatives said they found a piece of malware on a number of internal IT systems. According to a statement published by Belgacom, the unknown virus found on servers and workstations has been cleaned up. Authorities have been called in to investigate the incident

"Stop spy on us!" 14 NASA sites hacked (Naked Security) As of Friday afternoon, a notice on NASA's website was reading "Down for Maintenance: The requested webpage is down for maintenance. Please try again later." The site is only one of what appear to be 14 hacked subdomains, hosted in the heart of Silicon Valley, that were defaced on Tuesday and stayed offline for some time

NSA Allegedly Spies On International Credit Card Transactions (TechCrunch) Germany's Der Spiegel newspaper - increasingly joining the NSA revelations train - reports today that the intelligence agency is interested in international credit card transactions and may have found a way to monitor payments processed by companies including Visa. Spiegel alleges it has even set up its own financial database to track money flows. The paper says that in 2011, the NSA possessed 180 million records via its "Follow the Money" branch dubbed 'Tracfin', according to information acquired by former NSA contractor and whistleblower Edward Snowden. The vast majority of information is from credit card transactions

Unanswered Questions on the NSA Leaks (Threatpost) The flood of documents regarding the NSA's collection methods and capabilities that have been leaked this summer has produced thousands of news stories and several metric tons of speculation about what it all means. But for all of the postulating, analysis and reporting, there are still a lot of questions left unanswered in all of this. Let's try to address some of them

The NSA And Your Cloud Data: Navigating The Noise (InformationWeek) Revelations about the reach of the National Security Agency have made waves, but don't get overwhelmed. In the past few months, we've seen more and more coverage of how existing laws have been used to gain access to cloud-based data without the data owner's knowledge or consent. What's different with the latest revelation, as highlighted in The New York Times recently, are reports of the National Security Agency actively trying to undermine encryption technology and standards, including those adopted by National Institute of Standards and Technology, such as the Dual EC DRBG standard

Pushdo botnet spams malware analysis site, researchers find (SC Magazine) Saboteurs behind the Pushdo botnet are sending spam to a website meant to educate users on malware, researchers have found. Blue Coat Systems researchers Chris Larsen and Jeff Doty co-authored a blog post on Wednesday detailing how the site was being targeted with Pushdo-related spam

Aggressive ransomware scam redirects to child porn (Help Net Security) Getting denounced for viewing or owning child pornography is a huge deal in most Western countries, so it's no wonder that ransomware peddlers are using that specific - and in this case true

How stalking has been made easier by the internet, mobiles and social networks (Graham Cluley) Most victims don't immediately think "I have a stalker". It starts off much more subtly. The victim may just think this person is acting a bit odd, then they find them annoying, being a nuisance; they don't take hints or respond to a direct request for them to leave the victim alone

Three Reasons Why Dropbox Previews Are Security & Privacy Nightmares (ThreatAgent) This is a follow up from my last post Who's That Peeking in My Dropbox. I also want to say that I love the Dropbox service and use it daily. This post is from a pure security perspective. So the short story is every time you upload Word Documents (.DOC) to Dropbox they open the files in LibreOffice. This was discovered by Daniel McCauley who used our service and noticed the behavior. Daniel wrote a blog post that went viral

Google knows nearly every Wi–Fi password in the world (ComputerWorld) If an Android device (phone or tablet) has ever logged on to a particular Wi-Fi network, then Google probably knows the Wi-Fi password. Considering how many Android devices there are, it is likely that Google can access most Wi-Fi passwords worldwide

Email contains personal data on thousands of insurance agents (SC Magazine) Thousands of agents with state online health insurance exchange MNsure in Minnesota may have had personal data compromised when an employee inadvertently sent out an email attachment that contained the information

North East expert warns following cyber attack (Sky: Tyne and Wear) A North East expert has today warned that companies across the region are at major risk from cyber criminals in the wake of the computer attack on a branch of Santander. Steve Nelson (pictured), solutions architect at Newcastle-based Calibre Secured Networks Limited and an expert in ethical hacking and an offensive security professional, is urging companies to review their systems and procedures to ensure they are properly protected

Finnish hacker swipes thousands of usernames, passwords in massive cyber attack (Washington Post) Helsinki Police say they detained a hacker last weekend suspected of accessing thousands of usernames and passwords of visitors to more than

Security Patches, Mitigations, and Software Updates

Mac users: You have to patch too (ZDNet) OS X and Mac applications have security vulnerabilities too; some people still don't believe it, but it's true. Here are the latest ones and why you need to take them seriously. The release yesterday of OS X 10.8.5 caps a fairly busy security update season for Mac users. Yes, you thought Windows users were getting all the grief? In fact, Mac users have a lot of work to do too to keep their systems safe. And it's not just updates from Apple you need. Along with 10.8.5, Apple released Security Update 2013-004 for OS X 10.6 (Snow Leopard) and 10.7 (Lion), and a separate security update for Safari on Snow Leopard (10.6), bringing it to version 5.1.10

Oracle finally adds whitelisting capabilities to Java (ComputerWorld) Java 7 Update 40 allows system administrators to define which specific Java applets should be trusted and executed

Cyber Trends

For Security Pros, Maintaining Credibility Means Walking A Fine Line (Dark Reading) In the old fable, the Boy Who Cried Wolf was capricious and stupid. He cried "wolf" the first two times because he wanted to see who would come. The third time, when the wolf actually appeared, he cried out and no one came. He became wolf chow

Italian Information Security Association 2013 Report (CLUSIT) We are well aware of the task we took on when writing the annual report on ICT security in Italy: a task of content, precision, and information. It is a task we can fulfil thanks to the diligence of our Clusit members, who represent, at the highest level, the various professions that make up the complex supply chain of the information security world

Consumer ignorance drives big jump in medical ID fraud (CSO) Medical records contaminated by the perpetrator 'could actually have severe impact,' says study's sponsor, Medical Identity Fraud Alliance

Why Are Hackers Flooding Into Brazil? (Bloomberg) The answer, to channel notorious bank robber Willie Sutton: Because that's where the money is. In recent years, Brazil has become a major source of malware that steals online banking passwords, a development that may surprise you given the attention paid to attacks originating in Eastern Europe and Asia. To understand why Brazil is a magnet for hackers, it helps to consider the country's long history in electronic banking, according to a report by Trend Micro, a Tokyo-based security firm

IT pros lack support to manage security intelligence (Help Net Security) SolarWinds, in conjunction with SANS, today released the results of a security survey of more than 600 IT professionals representing a broad range of industries and organization sizes. The survey was conducted to identify the impact of security threats and the use of security analytics and intelligence to mitigate those threats

New Mobile Survey Reveals 41% of Employees Are Deliberately Leaking Confidential Data (Forbes) My congratulations and condolences to the nation's CIOs for being responsible for data security. There's now more job security but now there's less information security too. Because, according to a new survey from uSamp , 41% of workers used an unsanctioned cloud service for document storage in the last 6 months, despite the fact that 87% of these workers knew their company had policies forbidding such practices

Cyber security: The new arms race for a new front line (Christian Science Monitor) The Pentagon — and a growing cyber industrial complex — gears up for the new front line: cyberspace. Cyber defense is necessary. But it could cost us

Most companies choose on-premise private cloud deployments (Help Net Security) 87 percent of IT professionals currently leveraging private cloud solutions indicate that their companies host clouds on-premises rather than with third-party providers, according to Metacloud


US Internet users less vigilant than ever about their online safety (Help Net Security) As the Internet has become a ubiquitous part of life, US consumers are less vigilant about protecting their safety online, says this year's Microsoft Computing Safety Index (MCSI) for the US

Cryptographers Have an Ethics Problem (MIT Technology Review) Mathematicians and computer scientists are involved in enabling wide intrusions on individual privacy. Last week, I visited the MIT computer science department looking for a very famous cryptographer. As I made my way through the warren of offices, I noticed a poster taped to the wall--the kind put up to inform or inspire students. It was the code of ethics of the Association for Computing Machinery, the world's largest professional association of computer scientists


Cyber Security Ablaze in M&A World (Fox Business News) Fueled by a rapidly intensifying cyber battleground, the deals market has turned red hot for boutique security firms. As enterprises better arm themselves, there has been a flurry of investment for specialized security firms both on and off Wall Street. "This industry is so large there are now all sorts of new specializations," said Tenable Network Security CEO Ron Gula, who has participated in the deals market

How a little–noticed factory fire disrupted the global electronics supply (Quartz) It was an industrial mishap barely noticed outside the arcane world of electronics supply chains. On Sept. 4, a fire engulfed a substantial portion of an SK Hynix production plant in Wuxi, China. The plant produced between a tenth and a sixth of the world's supply of dynamic random access memory (DRAM), a sort of memory chip used in all computing electronics from laptop computers to mobile phones. Hynix is the world's second-largest maker of the stuff, supplying everybody from Apple and Dell to Lenovo and Sony

Economy needs 300,000 digital workers by 2020 to reach full potential (ComputerWeekly) The digital sector will need nearly 300,000 new recruits by 2020 if the industry is to reach its full potential, according to a report published today (16 September 2013). The Technology and Skills in the Digital Industries report suggests the lack of digital skills in the UK is hampering economic growth

Merlin International Awarded DHS FirstSource II Contract (Marketwired) Merlin International, a leading Cyber Security and IT solutions provider to the U.S. Federal Government, today announced the company has been awarded a prime contract for the Department of Homeland Security's (DHS) FirstSource II contract. The Merlin award is part of a suite of multiple Indefinite Delivery/Indefinite Quantity (IDIQ) contracts for commercial items. Each FirstSource II contract will have a base ordering period of five years, with two one-year option periods (7 years total if all option periods are exercised)

The NSA Effect: Scandal Casts $35B Shadow Over U.S. Cloud Computing (Ad Age) Many execs in the digital media and marketing industries cringe at the notion that the National Security Agency surveillance scandal has any ties to their consumer data-collection practices. As that debate rages on, a bedrock of the consumer data explosion — cloud computing — could be at risk in the U.S

Meet Hacking Team, the company that helps the police hack you (The Verge) Hacking Team may not have any clients in the US yet, but it's not for lack of trying. In 2001, a pair of Italian programmers wrote a program called Ettercap, a "comprehensive suite for man-in-the-middle attacks" — in other words, a set of tools for eavesdropping, sniffing passwords, and remotely manipulating someone's computer. Ettercap was free, open source, and quickly became the weapon of choice for analysts testing the security of their networks as well as hackers who wanted to spy on people. One user called it "sort of the Swiss army knife" of this type of hacking

Email & Social Media 'In Bed': Zuly's Day (Wall Street Journal) Light Point Security co-founder Zuly Gonzalez says her typical "day in the life" starts and ends with email and social media in bed. In between, she and co-founder Beau Adkins are out-and-about, meeting and networking with potential customers. Oh, and walking the dog!

Why a Killer Twitter IPO Could End Up Killing Twitter (Wired) Brands want their ads on social networks, which is great news for Twitter. But if that demand means more ads in your stream, that's bad news for everyone else

BlackBerry buyers may break up company, claim sources (ITPro) Smartphone maker could be broken up by potential bidders, with its patent portfolio and services business attracting much investor interest

China's 3rd, 4th largest search engines merge in $448M deal (ZDNet) Chinese Internet giant Tencent's Soso will combine with Sohu's Sogou, as it looks to steal a bigger slice of the local search engine market dominated by Baidu, already under pressure from new player Qihoo

Products, Services, and Solutions

Adobe announces major update to cloud testing tool, emphasis on mobile (Fierce CMO) Adobe Systems has directed its attention toward digital optimization with a major update of its testing tool, which the company promises will "help CMOs maximize marketing budgets by optimizing across all of their digital properties, including websites, email, mobile sites, and mobile apps." The upgrade includes a touch-based mobile interface and a process that lets marketers more easily test digital promotions and personalize Web content for specific audiences

Box aims for NSA–resistant cloud security with customers holding the keys (Ars Technica) After eight years of existence, file sharing service Box has built a huge user base—claiming 180,000 businesses, including 97 percent of the Fortune 500—by offering cloud storage and collaboration tools with top-notch security and regulatory compliance

Will the iPhone 5S's fingerprint technology help enterprise security? (ComputerWeekly) A fingerprint sensor has been built into Apple's latest iPhones, but what will this mean for enterprise security? Apple's influence on the smartphone market is undeniable, and this technology addition may lead to a revolution in smartphone security as others adopt similar technologies. But what does fingerprint security mean for the enterprise

Fury as Facebook erases Social Fixer's page (with 340,000 fans) without explanation (Graham Cluley) Social Fixer, formerly known as Better Facebook, is a tool that over half a million Facebook members use to enhance the look, feel and functionality of the world's most popular social network

SolarWinds Server & Application Monitor 6.0 released (Help Net Security) SolarWinds released SolarWinds Server & Application Monitor (SAM) 6.0, designed to deliver agentless performance and availability monitoring, alerting and reporting for over 150 applications and serve

Algorithm Protection Software prevents reverse engineering (Thomasnet) CodeSEAL™ provides software protection mechanisms that can be inserted into desktop and embedded software applications using a code insertion engine. Through a drag-and-drop interface, users can augment insecure applications with configurable protection mechanisms that fortify deployed applications against software reverse engineering, debugging, tampering, and code-lifting attacks. The mechanisms detect and react to dynamic attacks, and an issue/error system provides immediate feedback

USB Condoms (int3) Have you ever plugged your phone into a strange USB port because you really needed a charge and thought: "Gee who could be stealing my data?". We all have needs and sometimes you just need to charge your phone. "Any port in a storm." as the saying goes. Well now you can be a bit safer. "USB Condoms" prevent accidental data exchange when your device is plugged in to another device with a USB cable. USB Condoms achieve this by cutting off the data pins in the USB cable and allowing only the power pins to connect through. Thus, these "USB Condoms" prevent attacks like "juice jacking"

Apple Hackers Rate iPhone 5s Security (InformationWeek) Apple will soon release the iPhone 5s, and hackers plan to test these 6 exploit techniques on the smartphone. Will the fingerprint scanner hold them off

How to safeguard your smartphone (Sydney Morning Herald) Bitdefender and F-Secure are good options for people who use the Google Chrome browser on their mobile device. Beware of fake security apps that appear to

Tenable releases Passive Vulnerability Scanner 4.0 (Help Net Security) Tenable Network Security's Passive Vulnerability Scanner (PVS) 4.0 is now generally available as a standalone product. Already available as part of Tenable's SecurityCenter continuous monitoring

Technologies, Techniques, and Standards

How To Cushion The Impact Of A Data Breach (Dark Reading) For five years now, a Ponemon Institute annual report has tried to put a number on the cost of data breaches. It creates benchmarks for direct costs such as regulatory fines and the cost of notifying customers, alongside estimates of indirect costs such as customer churn and lost business. In 2013, Ponemon pegged the cost of a data breach at $136 per lost record on average across the globe. Ponemon estimated the cost in the U.S. at $188 per record, and $277 per record when the breach came at the hands of malicious and criminal attacks such as outside hacking or insider theft

Ten Things To Consider When Developing An Enterprise BYOD Security Policy (Dark Reading) Is there a safe way to let employees access corporate data from their own mobile devices? Here are some things to think about. BYOD, or bring-your-own-device, is a trend that is not going away. In InformationWeek's 2013 State of Mobile Security report, based on a survey of 424 business technology professionals, 68% of respondents said their mobility policy allows employees to use personal mobile devices for work, with 20% saying they are developing such a policy

Eyeing Next-Generation Biometrics (SIGNAL Magazine) The FBI is on schedule to finish implementing next-generation biometric capabilities, including palm, iris and face recognition, in the summer of next year. New technology processes data more rapidly, provides more accurate information and improves criminal identification and crime-solving abilities

Five More Hacker Tools Every CISO Should Understand (The State of Security) As we mentioned in the first article, Top Five Hacker Tools Every CISO Should Understand, the role of the CISO continues to evolve within organizations towards that of an executive level position. Nonetheless, CISOs need to keep on top of the best tools and technologies available that can benefit their organization's security posture

How to Keep NSA From Getting Between You and Your Googling (Nextgov) One of the documents leaked by Edward Snowden indicates that the NSA uses "man in the middle" attacks to hijack your interactions with Google servers. Here's how such attacks work, and how to protect your browsing. Tech website Techdirt appears to have been the first to notice the reference to the attack, which appeared on a slide which aired during a Brazilian newscast. A section of that slide is below

How to Stop the In–House Data Thief (Wall Street Journal) Technology can help counter the growing threat of information theft by company insiders. Edward Snowden has triggered a blizzard of media coverage with his revelations of classified intelligence information he stole while working as a U.S. National Security Agency contractor. That should serve as a warning to corporate executives: It could happen to you. The highly networked computer technology that has made companies more efficient has also left them more vulnerable to threats from insiders intent on stealing information or sabotaging a company's operations. And those vulnerabilities are regularly exploited

The Geeks on the Front Lines (Rolling Stone) Inside a darkened conference room in the Miami Beach Holiday Inn, America's most badass hackers are going to war - working their laptops between swigs of Bawls energy drink as Bassnectar booms in the background. A black guy with a soul patch crashes a power grid in North Korea. A stocky jock beside him storms a database of stolen credit cards in Russia. And a gangly geek in a black T-shirt busts into the Chinese Ministry of Information, represented by a glowing red star on his laptop screen. "Is the data secured?" his buddy asks him. "No," he replies with a grin. They're in

Cyber Risk Management for Lawyers (LegalTalkNetwork) Lawyers hold some of their clients' most private communications, which makes them a top target for hackers. As technology competence becomes the required norm, lawyers need to understand not only how to protect their clients' information but how to react if a cyber attack does happen. On this episode of Digital Detectives, Sharon D. Nelson, Esq. and John W. Simek invite Steven Chabinsky to discuss cyber-risk management for lawyers

Net Optics' CEO on leveraging network security to stymie cyber 'hit teams' (FierceCIO: TechWatch) …We spoke with Bob Shaw, President and CEO of Net Optics Inc, about the role of security-centric software defined networking in defending the network, and about what steps enterprises can take to deter or frustrate hackers. Net Optics is a leading provider of network solutions that delivers real-time network monitoring and security--within physical, virtual and private cloud environments

Secure Domain Name System (DNS) Deployment Guide (NIST) The Internet is the world's largest computing network, with hundreds of millions of users. From the perspective of a user, each node or resource on this network is identified by a unique name, the domain name. However, from the perspective of the network equipment that routes communications across the Internet, the unique identifier for a resource is an Internet Protocol (IP) address. To access Internet resources by user-friendly domain names rather than IP addresses, users need a system that translates domain names to IP addresses and back. This translation is the primary task of an engine called the Domain Name System (DNS)

Apple Touch ID Fingerprint Scanner Unlocks Biometrics Debate (Dark Reading) Apple's new fingerprint scanner may help biometrics gain popularity, but challenges mean passwords aren't going anywhere any time soon. Giving the finger - so to speak - to Apple's Touch ID feature may unlock the iPhone 5s and allow users to authorize purchases on iTunes, but whether the fingerprint scanning technology will push biometrics deep into the mainstream remains to be seen. "Fingerprint readers, or biometrics, will not replace passwords in the near future for two reasons," says Gene Meltser, technical director of security services firm Neohapsis

Understanding insider threats (FCW) What: A Preliminary Examination of Insider Threat Programs in the U.S. Private Sector, from the Intelligence and National Security Alliance. Why: The intelligence community has been exploring ways to reduce access to sensitive information, even since before Edward Snowden dished on the National Security Agency's secret surveillance and cryptography programs to reporters. A presidential memorandum from November 2012 tasked government agencies with implementing minimum standards for threat detection, including audits of user activity on government networks, background checks and other personnel security evaluations for government employees and contractors, as well as having threat monitors trained in counterintelligence and security

Design and Innovation

In Silicon Valley start–up world, pedigree counts (Reuters) The notion that anyone with smarts, drive and a great idea can start a company is a central tenet of Silicon Valley's ethos. Yet on close inspection, the evidence suggests that scrappy unknowns striking rich are the exceptions, not the rule

How Adobe's Chief Security Officer Made Security a Product Priority (eWeek) There was a time when Adobe Systems' products, particularly its Flash and PDF Reader applications were constantly attacked and exploited with a seemingly endless stream of zero-day flaws. Those days are now mostly in the past, as Adobe has made security an embedded part of its development process and rebuilt Flash and Reader to be more resilient and secure. Leading the charge for Adobe's product security efforts is Chief Security Officer Brad Arkin. In a video interview with eWEEK, Arkin explains how he transformed his organization from being in constant damage-control mode, to now being on a more sane and stable, security footing

Research and Development

25–GPU cluster cracks every standard Windows password in less than six hours (WBITT) A password-cracking expert has unveiled a computer cluster that can cycle through as many as 350 billion guesses per second. It's an almost unprecedented speed that can try every possible Windows passcode in the typical enterprise in less than six hours

Cryptography breakthrough could make cloud more secure (CloudPro) Idea once considered "Alice in Wonderland" stuff now a reality, thanks to efforts of university research teams. Scientists in Bristol and Denmark have made a cryptography breakthrough that may boost the security of cloud computing environments. Multi-party computation (MPC) is a subset of cryptography that enables two or more parties to jointly compute any function of their secret inputs without revealing those inputs to one another
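The mechanism behind that description, as an added toy example (this is not the Bristol or Danish teams' code, nor anything from the CloudPro piece): each party splits its secret into additive shares modulo a prime, any single share is uniformly random and reveals nothing, additions happen locally on shares, and multiplications use a Beaver triple (shares of a, b, ab) so that the only values ever opened are masked. The trusted dealer that hands out triples is an assumed simplification of the preprocessing phase that practical MPC protocols do cryptographically; the field modulus is an assumed parameter:

```python
"""Toy MPC: additive secret sharing with Beaver-triple multiplication.

Added example, not code from the research teams or the article. Party i holds
element i of every share list; nobody ever sees another party's share.
"""
import secrets

P = (1 << 61) - 1  # ASSUMED field modulus (a Mersenne prime); inputs must be < P


def share(value, n_parties):
    """Split `value` into n additive shares: n-1 uniform random, last fixes the sum."""
    shares = [secrets.randbelow(P) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % P)
    return shares


def reconstruct(shares):
    """Opening a value: all parties contribute their share and sum mod P."""
    return sum(shares) % P


def add_shares(xs, ys):
    """Addition is local: each party adds the two shares it already holds."""
    return [(x + y) % P for x, y in zip(xs, ys)]


def scale_shares(xs, k):
    """Multiplying by a public constant is also local."""
    return [(x * k) % P for x in xs]


def add_public(xs, k):
    """Adding a public constant: only party 0 adds it, so the sum shifts once."""
    return [(xs[0] + k) % P] + list(xs[1:])


def beaver_triple(n_parties):
    """Trusted-dealer stand-in for preprocessing: shares of random a, b and a*b."""
    a = secrets.randbelow(P)
    b = secrets.randbelow(P)
    return share(a, n_parties), share(b, n_parties), share(a * b % P, n_parties)


def mul_shares(xs, ys, triple):
    """Beaver multiplication, the one step that needs a round of communication.

    Writing x = a + d and y = b + e gives x*y = c + e*a + d*b + d*e with c = a*b.
    d and e are opened publicly; they leak nothing because a and b are uniform
    one-time masks that the parties only hold in shared form.
    """
    a_sh, b_sh, c_sh = triple
    d = reconstruct([(x - a) % P for x, a in zip(xs, a_sh)])  # opened: x - a
    e = reconstruct([(y - b) % P for y, b in zip(ys, b_sh)])  # opened: y - b
    out = add_shares(c_sh, scale_shares(a_sh, e))
    out = add_shares(out, scale_shares(b_sh, d))
    return add_public(out, d * e % P)


def private_sum(inputs):
    """Each party shares its input; all sum share-wise; only the total is opened."""
    n = len(inputs)
    columns = [share(v, n) for v in inputs]  # columns[j][i] goes to party i
    acc = columns[0]
    for col in columns[1:]:
        acc = add_shares(acc, col)
    return reconstruct(acc)


def private_product(x, y, n_parties):
    """Two secrets, shared among n parties, multiplied without either being opened."""
    xs, ys = share(x, n_parties), share(y, n_parties)
    return reconstruct(mul_shares(xs, ys, beaver_triple(n_parties)))


if __name__ == "__main__":
    print("sum of secret salaries:", private_sum([41_000, 17_000, 99_000]))
    print("product of two secrets:", private_product(123456, 654321, 3))
```

The design point worth noticing is the division of labour: everything linear is free and local, every multiplication consumes one precomputed triple and one round of opened, masked values. That is exactly the offline/online split that makes the newer protocols fast enough for practical use.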

Trading bots create extreme events faster than humans can react (Ars Technica) Our algorithms now show collective behavior that we do not control. High-frequency trading is the practice in which automated systems search for minor differences in stock prices that can be exploited for small financial gains. Executed often enough and with a high enough investment, they can lead to serious profits for the investment firms that have the wherewithal to run these systems. The systems trade with minimal human supervision, however, and have been blamed for a number of unusually violent swings that have taken place in the stock market

Academics decry Hopkins' removal of professor's blog post (Baltimore Sun) In recent weeks, Green thought his contributions to the growing public discourse surrounding the National Security Agency, including the recent revelations that

Is Trademark Infringement The Real Key To National Security? The NSA Thinks So — Johns Hopkins Agrees (Or Maybe Not So Much) (Forbes) It looked this week as if Johns Hopkins University was intent upon offering a course that could be entitled "How to Create a Media Crisis Without Really Trying." The University took the unprecedented step of asking a professor to remove a blog post, citing both national security and trademark concerns. The topic, not unexpectedly, was the NSA. The story has taken several twists throughout the week, each adding a more ominous feel rather than clarifying matters. The incident began when Matthew Green, a cryptography expert and research professor at Johns Hopkins, laid out his opinions on the most recent NSA revelations. The news revolved around circumventing encryption. A natural and valuable addition to a crucial public discussion, or so you would think

Legislation, Policy, and Regulation

Pakistani Activists Smell A Mole In Government's Proposed YouTube Filtering Plan (TechCrunch) After ignoring repeated requests to appear in a court case challenging the Pakistan government's year-long YouTube blackout, the country's elusive IT minister is expected to appear at a hearing later this month to outline plans to drop the blanket ban — and instead selectively restrict "blasphemous" and "offensive" material on the video-sharing site. However, activists have decried the move as a

Argentina, Brazil agree on cyber-defense alliance against US espionage (Russia Today) Defense ministers of Brazil and Argentina have pledged to cooperate closely to improve cyber defense capabilities following revelations of the scale of US spying on Latin American countries. "We need to reflect on how we cooperate to face these new forms of attack," Brazil's defense minister, Celso Amorim, said at a conference in Buenos Aires

Dutch govt response to revelations by Edward Snowden (Cyberwar Blog) The government is closely following the response of the United States to the revelations by Mr. Snowden. The government is committed, as previously stated, to highly meticulous and adequate protection of personal data. Hence, where national security and privacy protection meet, maximum transparency about procedures, powers, safeguards and oversight measures is a necessity. The government considers it encouraging that US Congress Members are specifically debating those topics and are submitting proposals for changing legislation, and that President Obama also declared, in his press conference of August 9th, that he is seeking more transparency and oversight. It is also gratifying that the US government has already acted by providing more insight into the powers and by publishing a legal substantiation for a few programs. The Netherlands is in conversation with the US about this

What do we know about Canada's eavesdropping agency? (CBC News) Revelations about the extent of surveillance by the National Security Agency (NSA) in the U.S. have sparked interest in the activities of Canada's own, highly secretive agency

£27bn UK cyber crime wave prompts AGCS cyber policies (Post Online) The European Union is expected to introduce new legislation over the next two years to significantly increase the costs of losing data in a cyber attack, he added

Japan, ASEAN to fight cyber-attacks (Japan News) Japan and the 10 member countries of the Association of Southeast Asian Nations agreed Friday to collaborate further on research to predict cyber-attacks. They also agreed that Japan will provide the ASEAN countries with warnings about computer viruses

IDF Hackers Test Israeli Preparedness for Cyberattacks (Al Monitor) "An army hacker does not sit all by himself with a pizza and a Coke," say Lt. Col. M. and Capt. A., two senior officers serving in the Israeli Defense Forces (IDF) cybersecurity lineup. "We must work together, and we have to practice brainstorming and to allocate tasks. Ultimately, we are running against the clock. These are the qualities we are looking for in our soldiers — teamwork and the ability to think outside the box"

Intelligence Officials Admit That Edward Snowden's NSA Leaks Call For Reforms (Forbes) The intelligence community's reaction to National Security Agency contractor Edward Snowden's leaks has moved through the typical stages of denial, anger, and depression. Now it seems to be coming to acceptance. Over the past week, two high-level intelligence officials have acknowledged that the still-widening scandal around Snowden's disclosures of classified information has actually led to a worthwhile public debate and warrants legal reforms. In an opinion released Friday by the Foreign Intelligence Surveillance Court (FISC) that oversees the NSA, Judge Dennis Saylor wrote that the Court should in fact make more of its rulings public in response to the public's demand for greater transparency around foreign and domestic surveillance following the Snowden leaks

NSA cryptanalyst: We, too, are Americans (ZDNet) ZDNet Exclusive: An NSA mathematician shares his from-the-trenches view of the agency's surveillance activities. Many voices — from those in the White House to others at my local coffee shop — have weighed in on NSA's surveillance programs, which have recently been disclosed by the media. As someone deep in the trenches of NSA, where I work on a daily basis with data acquired from these programs, I, too, feel compelled to raise my voice. Do I, as an American, have any concerns about whether the NSA is illegally or surreptitiously targeting or tracking the communications of other Americans? The answer is emphatically, "No." NSA produces foreign intelligence for the benefit and defense of our nation. Analysts are not free to wander through all of NSA's collected data willy-nilly

Review, Release, Repeat (Washington Post) Nothing has demonstrated a J. Edgar Hoover-style conspiracy to abuse the extraordinary amount of information the NSA can access. But the revelations have underscored the importance of imposing more meaningful checks on the agency's activities

What Keeps James Clapper Up at Night? (National Journal) Today's current-events whirlwind, the director of national intelligence says, "kind of makes you miss the Soviet Union." As someone who is charged with overseeing the 17-agency U.S. intelligence community, which includes the CIA, NSA, and FBI, James Clapper often gets asked, "What keeps you up at night?" His answer? "What I don't know," Clapper told the Intelligence and National Security Alliance summit Thursday. "Things you know, even if you don't have all the information, you can work with them, you can get more information"

Former NSA Director Pans Recommended Changes To Surveillance Court As 'Cosmetic' (Think Progress) Former National Security Agency Director Gen. Michael Hayden on Sunday dismissed recommended changes to the Foreign Intelligence Surveillance Court as "cosmetic," including the idea of adding an adversarial system to the court's workings. One potential solution to what has been seen as the court's "rubber-stamping" of administration requests for warrants to target persons within the U.S. for eavesdropping is to add an adversarial process to the court, one in which judges would have to hear opposing views on why a warrant should or shouldn't be granted. Hayden, however, doesn't see much value in such a change. "There are some things that people are calling for that I think will make people feel better, but they're largely cosmetic," he said. "They want an advocate at the [Foreign Intelligence Surveillance Act] court? Okay, but I don't know if that changes anything"

Former NSA and CIA director says terrorists love using Gmail (Washington Post) Former NSA and CIA director Michael Hayden stood in the pulpit of a church across from the White House on Sunday and declared Gmail the preferred online service of terrorists. As part of an adult education forum at St. John's Episcopal Church, Hayden gave a wide-ranging speech on "the tension between security and liberty." During the speech, he specifically defended Section 702 of the Foreign Intelligence Surveillance Act (FISA), which provides the legal basis for the PRISM program. In doing so, Hayden claimed "Gmail is the preferred Internet service provider of terrorists worldwide," presumably meaning online service rather than the actual provider of Internet service. He added: "I don't think you're going to see that in a Google commercial, but it's free, it's ubiquitous, so of course it is"

Reforming the NSA (Schneier on Security) Leaks from the whistleblower Edward Snowden have catapulted the NSA into newspaper headlines and demonstrated that it has become one of the most powerful government agencies in the country. From the secret court rulings that allow it to collect data on all Americans to its systematic subversion of the entire Internet as a surveillance platform, the NSA has amassed an enormous amount of power

Don't blame the corporations for the surveillance state (ZDNet) If the law of the land requires Microsoft or Google or Facebook to surrender data about their customers then that's what they have to do. They're victims of the situation. They're spying on us! But who are "they"? Usually it's not the FBI or the NSA directly monitoring our communications, but the private corporations with which we intend to do business. Read the privacy policy — whatever else it says about protecting your data, it also says that they will respond to proper legal requests from law enforcement and other government authority

NSA has long role as top US locksmith, lock-picker (Worcester Telegram and Gazette) Years ago, back when computer users were dialing up the Internet, civilian government scientists already were expressing concerns about the National Security Agency's role in developing global communication standards, according to documents reviewed by The Associated Press. The records mirror new disclosures, based on classified files 24 years later, that the NSA sought to deliberately weaken Internet encryption in its effort to gather and analyze digital intelligence

US snooping scandal risks stunting internet's growth (Bangkok Post) The US is at a key crossroads, trying to regain the trust of its citizens and friendly nations around the world even while it continues to lie and dissimulate in defence of National Security Agency (NSA)

Google's Eric Schmidt says government spying is 'the nature of our society' (The Guardian) Tech giant's executive chairman calls for greater transparency but declines to 'pass judgment' on spying operations. Eric Schmidt, the executive chairman of Google, reiterated the tech industry's call for greater transparency from the US government over surveillance on Friday, but declined to "pass judgment" on American spying operations

Four Principles for a Libertarian National Security State (Daily Beast) You know what libertarians are against: unnecessary foreign wars, the growing surveillance state. But what sort of national security state do libertarians support? Nick Gillespie lays out four principles, and Rand Paul's 2016 team should be taking notes

DHS Uses Social Media To Enhance Information Sharing and Mission Operations, But Additional Oversight and Guidance Are Needed (OIG, Department of Homeland Security) We audited the Department of Homeland Security's (DHS) efforts to implement Web 2.0 technology, also known as social media. The objective of our audit was to determine the effectiveness of DHS' and its components' use of Web 2.0 technologies to facilitate information sharing and enhance mission operations

Litigation, Investigation, and Law Enforcement

Two Men Arrested in India for Stealing Source Code from Tech Firm (Softpedia) A couple of men from India were arrested for stealing and selling source code from MIC Electronics limited, a Hyderabad-based tech company that specializes in the design, development and manufacturing of LED video displays and high-end electronics and telecoms equipment

Millions in Germany have data compromised in Vodafone hack (SC Magazine) Authorities have identified an attacker suspected of carrying out a sophisticated hack against Vodafone Germany. The individual was able to obtain information – including names, addresses, dates of birth, genders and banking details – on roughly two million of the mobile phone company's customers, a company spokesperson said, adding there was no access to credit card information, passwords, PINs or mobile phone numbers

Joburg hacking case: why you may get angry (My Broadband) The City of Joburg may be wasting valuable state resources to try to cover up its own incompetence, online commentators say

The Beijing cop behind China's online crackdown wields a "heavy fist" (Quartz) Fu Zhenghua, China's recently-named vice minister of public security, once promised to apply a "heavy fist" to police corruption as the head of the Beijing Police. But in recent weeks, he has taken aim at a softer target: a string of well-known internet commentators and personalities, part of a nation-wide push to control information and rumor-spreading on the internet. Since Fu, a career policeman, got the new public security ministry post, China has detained or arrested several high-profile individuals with big followings on the internet, known as "Big V's" for their "verified" status on Sina Weibo, the Twitter-like microblogging platform

FBI Admits It Controlled Tor Servers Behind Mass Malware Attack (Wired) It wasn't ever seriously in doubt, but the FBI yesterday acknowledged that it secretly took control of Freedom Hosting last July, days before the servers of the largest provider of ultra-anonymous hosting were found to be serving custom malware designed to identify visitors. Freedom Hosting's operator, Eric Eoin Marques, had rented the servers from an unnamed commercial hosting provider in France, and paid for them from a bank account in Las Vegas. It's not clear how the FBI took over the servers in late July, but the bureau was temporarily thwarted when Marques somehow regained access and changed the passwords, briefly locking out the FBI until it gained back control

Court: UK govt can eye items taken in Snowden case (Times Herald) A British court ruled Thursday that if national security issues are at stake, the U.K. government may look through items seized from the partner of a journalist who has written stories about documents leaked by former National Security Agency contractor Edward Snowden

Spy court rulings unveiled in a 'rebuke' for surveillance (MSNBC) The secret court that oversees the National Security Agency surveillance programs ruled on Friday that court opinions regarding the agency's use of the Patriot Act must be released. The ruling is potentially a major victory for the ACLU, which had sued for the release of the opinions

Government must declassify court opinions on phone surveillance after ACLU legal victory (The Verge) The US FISA Court has ordered the government to declassify some aspects of its phone and internet surveillance program, the most recent of several disclosures in the past month. In the wake of leaks over the summer, the ACLU and many others have filed suit against the US government, looking for everything from more transparency to a way to take down a powerful surveillance program. The latter goal is still far from fruition, but the ACLU and Yahoo have both made progress in the former with a pair of recent court decisions

Cyber Crime Growing Priority for FBI (Memphis Daily News) Glankler Brown PLLC attorneys on Wednesday, Sept. 11, welcomed FBI Supervisory Special Agent Scott E. Augenbaum as the guest speaker for a cyber crime seminar for staff and clients at its East Memphis office. Augenbaum hopes to spread the word about cyber crime by demonstrating how anyone that has a computer or mobile device, who banks online or has a database that holds sensitive financial information is at risk

Markey expands probe into police access to cellphone data (The Hill) Sen. Ed Markey (D-Mass.) is expanding his investigation into how often police acquire personal data from cellphone carriers. Last year, as a member of the House, Markey sent letters to the major cellphone carriers to gather statistics about police access to cellphone data. He discovered that in 2011, police made 1.3 million requests for information, such as text messages, location data, call logs and "cell tower dumps," in which the wireless carriers provide police with all of the phone numbers that connected to a particular cell tower in a period of time

When it mattered most, invasive surveillance programs didn't work, say reporters (CNN) Thursday marks a dubious anniversary — September 12, the day the United States woke up to a different world, one where the Patriot Act, digital surveillance, and secret data collection programs routinely bend individual liberties in the name of national security

How the cops watch your tweets in real-time (Ars Technica) Products like BlueJay search all your tweets, then present results to cops

Anonymous hacker @ItsKahuna sentenced to 3 years for hacking police sites (Naked Security) John Anthony Borell III, aka "@ItsKahuna", admitted to attacking a slew of police sites in an operation that included exposing the personal details of thousands

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

Upcoming Events

GovConnects Business Breakfast: Surviving Sequestration (Elkridge, Maryland, USA, September 17, 2013) This Business Breakfast will feature presentations by seasoned professionals in the field of government contracting as they share best practices for dealing with current challenges of doing business in...

Shaping the Future of Cybersecurity Education Workshop (Gaithersburg, Maryland, USA, September 17 - 19, 2013) The third annual Shaping the Future of Cybersecurity Education Workshop will be held at the National Institute of Standards and Technology (NIST) in Gaithersburg, MD and focus on "Navigating the National...

NovaSec! (McLean, Virginia, USA, June 13, 2013) NovaSec! is Northern Virginia's largest Cybersecurity and physical security networking event of the year. We are bringing together security professionals from commercial and government organizations with...

Strange Loop (St. Louis, Missouri, USA, September 18 - 20, 2013) Meet us in St. Louis, Sept 18-20th, 2013, to make connections with the creators and users of the languages, libraries, tools, and techniques at the forefront of the industry. Find out where we're going…and...

ISSA Cyber Security Forum at Ft Belvoir (Fort Belvoir, Virginia, USA, September 19, 2013) This event will allow personnel from Fort Belvoir the chance to learn about the latest cyber security trends, network with peers, discuss Army best practices and to view and demo some of the latest cyber...

CISO Executive Summit (Atlanta, Georgia, USA, September 19 - 20, 2013) Be on the forefront of a new global initiative where today's world-class leaders in information security will gather to navigate through international waters. Join these leaders as they follow the wind...

CCBC Leadership Seminar Luncheon: Cyber Awareness: What Employers Need To Know (Owings Mills, Maryland, USA, September 20, 2013) … no later than September 13, 2013.

cybergamut Technical Tuesday: Malware Analysis for the Masses (Columbia, Maryland, USA, September 17, 2013) With malware becoming more prevalent, and the pool of capable reversers falling short of overall need, there is a greater need to provide quick and efficient malware analysis for network defense. With...

2013 Cyber Security Summit (New York, New York, USA, September 25, 2013) The 2013 Cyber Security Summit connects executives responsible for protecting their company's critical infrastructure with innovative product, service and solution providers. The one day event, to be...

4th Annual Cybersecurity Summit (Washington, DC, USA, September 25, 2013) GEN Keith Alexander, Commander of U.S. Cyber Command, Director of the NSA/Chief, Central Security Service and Dr. Pat Gallagher, Director, NIST are among the distinguished speakers confirmed to keynote...

The Monktoberfest (Portland, Maine, USA, October 4, 2013) Our speakers will explore how social trends can change the way we build and use technology, and how technology in turn can change the way we socialize.

Suits and Spooks NYC 2013 (New York, New York, October 5, 2013) Since the landscape is foggy, the threat actors numerous and hard to identify, and the attacks proliferating on a daily basis, the focus of the next Suits and Spooks conference will be to identify non-state...

Forensics and Incident Response Summit EU (Prague, Czech Republic, October 6 - 13, 2013) The Summit will focus on high quality and extremely relevant content as well as panel discussions in Digital Forensics and Incident Response. In addition, we encourage you to take every opportunity to...

CyberMaryland 2013 (Baltimore, Maryland, USA, October 8 - 9, 2013) Join cybersecurity leaders, luminaries and rising stars at CyberMaryland 2013. This two-day event at the epicenter of the nation's cybersecurity innovation and education, will create opportunities for...

2013 Maryland Cyber Challenge (Baltimore, Maryland, USA, October 8 - 9, 2013) Held in conjunction with Cyber Maryland and intended to let students and young professionals showcase their cybersecurity skills, Maryland Cyber Challenge offers competition in three divisions: high school,...

AFCEA Hill AFB Technology & Cyber Security Expo (Ogden, Utah, USA, October 9, 2013) The purpose of this first-time event is to allow base personnel the opportunity to learn about the latest computer security trends, network with peers, share remediation strategies and to view and demo...

International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (Shanghai, China, October 10 - 12, 2013) The International Conference on Cyber-enabled Distributed Computing and Knowledge Discovery promotes research and development of cyber-related technology. It is unique and significant in that it spans through...

VizSec 2013 (Atlanta, Georgia, USA, October 14, 2013) VizSec brings together researchers and practitioners in information visualization and security to address the specific needs of the cyber security community through new and insightful visualization techniques.

Hack-in-the-Box Security Conference 2013 (Kuala Lumpur, Malaysia, October 14 - 17, 2013) The 11th annual HITB Security Conference (16th/17th October) will be a triple track offering featuring keynotes by Andy Ellis, Chief Security Officer at Akamai and Joe Sullivan, Chief Security Officer...

USDA Cyber Security Symposium and Expo 2013 (Washington, DC, USA, October 15, 2013) The Cybersecurity Expo, running in conjunction with the Summit, will allow exhibitors the opportunity to provide live demos and share information with government personnel and industry partners. Summit...

SNW Fall 2013 (Long Beach, California, USA, October 15 - 17, 2013) SNW is the world's largest independently produced conference series focused on the evolution of architecture for a new world of mobility, Big Data and business agility. Produced by Computerworld -- and...

Hexis Exchange (Athens, Greece, October 16 - 17, 2013) Attendees will have the opportunity to participate in a knowledge exchange of the latest enterprise security topics through expert led business and technology forums, hands-on sessions, and training. Such...

Cybersecurity Symposium: "Protect. Defend. Educate." (Linthicum, Maryland, USA, October 16 - 17, 2013) The Cybersecurity Symposium being held October 16-17, 2013, will deliver first-class training for government and industry security professionals while simultaneously offering high-level keynote speakers,...

Nuclear Regulatory Commission Cyber Security Conference & Expo (Rockville, Maryland, USA, October 17, 2013) This one-day conference will consist of cyber sessions in the NRC Auditorium given by government and industry speakers. Exhibit tables will be set-up just outside the Auditorium and companies will have...

13th Industrial Control Systems Cyber Security Conference (Atlanta, Georgia, USA, October 21 - 22, 2013) Industrial Control Systems (ICS) operate the infrastructures of electric power, water, chemicals, manufacturing, transportation, defense, etc. and link the digital and physical worlds. Their cyber security...

Cloud Connect (Chicago, Illinois, USA, October 21 - 23, 2013) Cloud Connect returns to Chicago October 21-23, 2013 with an all new program built around the leading cloud platforms. Cloud Connect provides the independent guidance IT professionals need to successfully...

cybergamut Technical Tuesday: Cyber Security Strategy — Why We're Losing and What's Needed to Win (Columbia, Maryland, USA, October 22, 2013) CrowdStrike's Steve Chabinsky explains the situation. Everybody seems to be spending more on cybersecurity, but with questionable return on investment. In fact, the problem clearly is getting...

Cyber Security Seminar and IT Expo at Peterson AFB (Colorado Springs, Colorado, USA, October 22, 2013) The Cyber Security Seminar and IT Expo is a one-day event held on-site where industry vendors will have the opportunity to display their products to personnel attending briefings concerning the latest...

Joint Federal Cyber Summit 2013 (Washington, DC, USA, October 23 - 24, 2013) This collaborative government wide event is truly one of a kind, with speakers and attendees anticipated to represent more than 10 federal government agencies. Information sharing will be accomplished...

2013 ACT-IAC Executive Leadership Conference (Williamsburg, Virginia, USA, October 27 - 29, 2013) Advances in technology and massive increases in data available can both challenge and transform Government mission performance. ELC-2013 focuses on how to make this transformation a reality, in and for...

SAP NS2: National Security Solutions Summit (Falls Church, Virginia, USA, October 29, 2013) Join us for a day of learning and networking focused on how to advance U.S. national security and homeland security through I.T. innovation. Top-notch speakers will address the new challenges facing U.S.

Regional Cyber Security Forum & IT Day (CSFI) — Hawaii (Honolulu, Hawai'i, USA, October 30, 2013) 2013 marks the 10th anniversary of National Cyber Security Awareness Month and FBC will host the 1st Annual Cyber Security Forum & IT Day (CSFI) at Fort Shafter - Club Hale Ikena to coincide with the anniversary,...

NSA Hawaii — Cyber Security, Intelligence & IT Day (Honolulu, Hawai'i, USA, October 30, 2013) Be a part of the 1st Annual Cyber Security, Intelligence and IT Day set to take place at the new National Security Agency (NSA) Hawaii Rochefort facility. The event will be hosted by NS/CCS Hawaii Technology...
