skip navigation

More signal. Less noise.

Daily briefing.

Iranian hackers (state-sponsored, according to reports) are said to have breached an unclassified US Navy network. Cyber-rioting continues in the Indian subcontinent.

WordPress vulnerabilities are being exploited to create a DDoS botnet. Researchers also discern malware brute-forcing user credentials from WordPress.

The Internet Explorer zero-day exploit appears more widespread than thought. Email encrypted with widely used PGP software is, says PGP's creator, fatally vulnerable to interception. Yahoo's recycled names continue to raise security issues (and analyst hackles).

The Mevade Trojan endemic to Tor has its roots in a much older threat. Spearphishing remains an imperfectly addressed threat to power grid security. CIO runs down seven "devious" hacking techniques.

Analysts discern a hacktivist shift toward social networks. Dark Reading foresees a breakdown in online commerce's trust model. Wearable devices prompt inevitable speculation about novel threats and vulnerabilities.

Industry news is dominated, in the US at least, by the possibility of a "Government shutdown" at midnight; experts explain what this might actually mean. Cyber skills continue to be scarce and expensive, and more employers are seen willing to reach out to "hackers" with dodgy backgrounds to fill skills gaps. In Maryland, bwtech@UMBC graduates its first start-up class: AccelerEyes, Five Directions and Oculis Labs. Down I-95, Virginia's Center for Innovative Technology pushes similar innovation through the Mach37 accelerator.

Congressional deliberation over NSA surveillance continues. The US and Japan move toward closer cyber collaboration. Britain moves toward a national cyber warfare reserve force.

The FBI begins investigating last week's breach of major data brokers.

Notes.

Today's issue includes events affecting Brazil, Canada, European Union, France, Germany, India, Iran, Japan, Pakistan, South Africa, Switzerland, Taiwan, Thailand, United Kingdom, United States..

Cyber Attacks, Threats, and Vulnerabilities

Iranian Hackers infiltrated US Navy computers (Hacker News) The Wall Street Journal reported that Iranian hackers have successfully penetrated unclassified US Navy computers, the allegations were made by US officials that consider the attacks a serious intrusion within the Government network

Free Kashmir Says Pakistani Hackers after Hacking and Defacing 20,000 Indian Websites (Hack Read) Two Pakistani hackers going with the handle of Dr@cul@ and Muhammad Bilal have hacked and defaced twenty thousand (20,000) Indian websites against Indian government and in support of alleged freedom movement in Indian administrated Kashmir. All sites were left with a deface page along with a message in support of Kashmir, asking Indian government to leave Kashmir or the hackers will keep on attacking Indian

The Official NUST SEECS subdomain hacked by Hasnain Haxor (HackersPost) The official subdomain of NUST SEECS has been hacked and defaced by a hacker with the handle "Hasnain Haxor". The hacker is from the hacking group Pakistan Haxors Crew (PHC). NUST School of Electrical Engineering and Computer Science (NUST-SEECS, formerly NUST Institute of Information Technology, is the biggest and top school in Islamabad, Pakistan. Mobilink Career Blog, FATA secretariat

Over 100 Thailand Government Websites Hacked and Defaced (Softpedia) Hackers have breached a server that hosts websites from Thailand. As a result, they've defaced 234 websites, over 100 of which are owned by the government of Thailand

Hackers launch huge DDoS attack using WordPress websites (ITProPortal) Thousands of WordPress websites are being used to carry out a huge cyber attack campaign in the form of a distributed denial of service [DDoS] attack. The Hacker News reports that hackers have targeted "a large number" of sites on the WordPress platform after successfully compromising some 90,000 servers way back in April 2012 and in the process have created a WordPress botnet

Malware With Bruteforce Capabilities (abuse.ch) Today I came across an interesting piece of malware that attacks websites that are running WordPress by trying to guess the users credentials using brute-force methodology. Arbor already did an analysis of this threat in the beginning of September which they have published under the name Fort Disco. However, the brute-force attacks issued by Fort Disco is not limited to Content Management Systems (CMS)

IE zero–day vulnerability exploited more widely than previously thought (ComputerWorld) A recently announced and yet-to-be-patched vulnerability that affects all versions of Microsoft Internet Explorer (IE) has been exploited in targeted attacks against organizations in Taiwan since the beginning of July, according to security researchers

Old Mac malware uncovered (ZDNet) Icefog, a Mac version of Windows malware, is a year old but only recently discovered by Kaspersky. It was used experimentally in the far east, bundled with the legitimate program Img2icns. In a report on the Icefog APT (Advanced Persistent Threat) Kaspersky Lab reveals that the authors created a Mac program to connect to their botnet. It was used in limited, experimental attacks in the far east, primarily in South Korea and Japan

Email surveillance could reveal journalists' sources, expert claims (Guardian) Phil Zimmermann, the creator of the email encryption software PGP, has warned that anyone who uses consumer email services needs to be aware of the threats of exposing their metadata to eavesdroppers

Yahoo proves it has a reckless and moronic attitude to email security (Graham Cluley) The new owners of recycled Yahoo email accounts are receiving private emails, containing personal information, not intended for them. None of this would have happened if Yahoo hadn't initiated the reckless, harebrained scheme in the first place

Tor–using Mevade botnet is stealthy new version of old threat (Help Net Security) The Mevade Trojan and botnet have gained unexpected notoriety when it turned out that the majority of the recent, sudden and massive uptick in Tor users was the result of it adding Tor as a method of

Why You Need To Pay Attention To The Slow HTTP Attack (Acunetix) Okay, I admit, I haven't been stressing enough to people just how critical the Slow HTTP vulnerability really is. The Slow HTTP flaw is present on practically every Apache-based system I test and can facilitate denial of service (DoS) conditions rendering even the most resilient web environments useless

New anti-malware drive focuses on 'EvilGrab' (ComputerWorld) A new malware targeting governments in Asia and Europe has recently been discovered by Trend Micro. Called EvilGrab, the malware is found to be the object of the new anti-APT (advanced persistent threat) campaign that targets security software and uses a system's audio and visual components to seize information after monitoring the data

EE hit by weekend of outages (ComputerWeekly) Users of the EE mobile network were affected by outages over the weekend, with little explanation offered up by the operator. Customers were unable to access mobile data up and down the country, with some of the problems falling over into Monday morning

"One click, then boom": Spear–phishing could "black out" energy companies, expert warns (We Live Security) Spear–phishing attacks on energy companies are becoming increasingly sophisticated, an expert has warned — and all it takes is one lucky strike to cause devastating damage to the power grid, or to companies which supply oil and gas

The Ghost in the (Portable) Machine: Securing Mobile Banking (TrendLabs Security Intelligence Blog) Online banking is one of the many tasks that have been made more convenient by mobile technology. Now, users can purchase products and/or services, pay their bills and manage their finances from anywhere, and anytime. However, there are threats against mobile banking exist, which need to be addressed and secured against

7 Sneak Attacks Used By Today's Most Devious Hackers (CIO) Most malware is mundane, but these innovative techniques are exploiting systems and networks of even the savviest users

Fake "You Sent a Mobile Payment" PayPal Emails Used in Phishing Scam (Softpedia) In case you receive an email from PayPal informing you that a mobile payment has been made from your account to JD Sports, take a good look at it, as it might have nothing to do with PayPal. Cybercriminals are abusing the payment processor's reputation in a phishing scam

Scam Alert: Facebook "Unblock Government" Emails Point to Phishing Site (Softpedia) Beware of emails that appear to come from Facebook bearing the subject "Unblock Government" (misspelled as "goverment")! The fake notifications are designed to lure users to a phishing website

PayPal phishers bite via hacked dog training website (Graham Cluley) Beware PayPal phishing emails, and make sure that your own websites aren't vulnerable to hackers who might embed malicious code and webpages

Online dating scam costs lovelorn Canadian $500k (Naked Security) The rise of online dating has been spotted by cyber-crooks looking to exploit every weakness of the web-using world. Poor "Tony" lost $500,000 (CAD) to online scammers after being pulled into a complex, long-term fake romance con by a man he met on a dating site

ICG America Acknowledges Security Breach (eSecurity Planet) Attackers had access to the company's payment processing system from January 2, 2013 through August 2, 2013

State Farm Admits Insider Data Breach (eSecurity Planet) A call center employee misused at least 11 customers' credit card numbers

Insider Incident Leads Breach Roundup (HealthCareInfoSecurity) In this week's breach roundup, Holy Cross Hospital in Fort Lauderdale, Fla., is notifying 9,900 patients that a former employee inappropriately accessed their records with the apparent intent to commit fraud. Also, Virginia Tech reports that a computer server containing job application information was illegally accessed, exposing information on 145,000

Cyber Trends

Social Networks Are the New Battleground of the Cyber-Activist, According to Panda Security PandaLabs Report (PR.com) Panda Security, The Cloud Security Company, has just published the results of its Quarterly Report for Q2 2013, drawn up by PandaLabs. One of the main conclusions that can be drawn from this global study is that malware creation reached record levels in the second quarter of the year. In this context, Trojans continued to account for most infections. Additionally, the report shows a worrying increase in malware targeting the Android platform, and discuses some of the major stories concerning cyber-war and cyber-espionage

Cyber Execs' Competing Priorities are Often aT Odds with Each Other (Nextgov) Cybersecurity executives are faced with such a broad range of complex challenges that their priorities — from staffing to training to technology — are often at odds with each other, according to a new report. A survey of more than 1,600 C-level executives from around the world by (ISC)², Booz Allen Hamilton and Frost and Sullivan, found that top security executives are faced with a number of critical, yet often paradoxical, security challenges

Financial markets next big cyber target, says US expert (ComputerWeekly) Manipulation of international financial markets will be the next evolution of cyber crime, according to Scott Borg, chief of the US Cyber Consequences Unit. There is a limit to the amount of money criminals can make through theft and credit card fraud, he told a joint session of the ASIS International and (ISC)2 annual congresses in Chicago

Security industry in 'rut,' struggling to keep up with cybercriminals (CSO) Experts agree hackers are winning but some are hesitant to blame it on a lack of new technology, however. Dramatic changes are needed in multiple fronts if the security industry hopes to move ahead of cybercriminals, who are continuously finding new ways to breach corporate systems, experts say. Some technology pros say the industry needs to develop new technologies and architectures that send hackers back to the drawing boards

Commerce In A World Without Trust (Dark Reading) The trust model underlying online commerce has been threatened by the constant attacks on information providers used to authenticate consumers. Is the Internet as secure as it needs to be anymore? Trust is kind of a squishy concept. If you refer back to the definition from our pals at Merriam-Webster, trust is the "belief that someone or something is reliable, good, honest, effective, etc." Reliable? Honest? Sounds great, right

Future malware could harm bytes, bone and brain (CSO) Wearable devices raise risks for damages from bad actors. Wearable computers and use of augmented reality could increase the consequences of cyber attacks for people in the near future, according to a report released this week by a pair of cyber security organizations

Lack of SA skills leads to cyber attack risk (News24) A lack of skills in the computer security sector doesn't bode well for South African companies to protect themselves from cyber attacks, a security company has asserted

Marketplace

On Brink Of Shutdown, All Quiet At Capitol (Washington Post) The U.S. government appeared on Sunday to be on the verge of shutting down for the first time in nearly two decades as House leaders were running out of time and options to keep it open

The Obscure Law That Governs Shutdowns (Government Executive) If rogue Republicans do not relent over the budget impasse by October 1, whatever pandemonium happens next will largely be governed by a federal statute you likely have never heard of: the Antideficiency Act. You can call it the "anti-deadbeat" law — a collection of statutory and administrative provisions, really — that forbid federal officials from entering into financial obligations for which they do not have funding, like paying the salaries of their employees or buying the things they need to run the government. It's also the law that wisely permits certain "essential" government functions — like the military and the courts, for example — to keep operating even in the absence of authorized legislative funding. Predictably, there aren't many legal experts who have built careers around the Antideficiency Act, but I managed to corral a few. The most important messages they offer are these: 1) It's not just present federal work that's affected by the shutdown, it's future work, too; and 2) shutting down the federal government is terribly wasteful and expensive because of the re-start costs involved. That's the point made by the acclaimed dean of Antideficiency Act scholars, University of Baltimore Law Professor Charles Tiefer ("For obscure details," he told me, "you've come to the right guy")

DHS Adds 30 Businesses to $22B EAGLE II Vehicle (GovConWire) The Department of Homeland Security has selected 30 businesses to develop, implement and maintain technology for DHS mission and business functions under the department's seven-year, $22 billion Enterprise Acquisition Gateway for Leading Edge Solutions II contract vehicle

Would you hire a hacker to run your security? 'Yes' say Brit IT bosses (The Register) We don't have enough securo bods in the industry either, reckon gloomy BOFHs. More than two in three IT professionals would consider ex-hackers for security roles, providing they have the right skills to do the job, a survey has found. In addition, 40 per cent of respondents to CWJobs' survey of 352 IT bods reckoned there aren't enough skilled security professionals in the UK technology industry

Skills in demand: Incident response professionals (SC Magazine) Companies who leverage the cloud have concerns over the security of their data. The migration has increased demand for incident response pros, including reverse engineers and malware analysts

NSA Internet Spying Sparks Race to Create Offshore Havens for Data Privacy (Wall Street Journal) Firms Tout 'Email Made in Germany' as More Secure; Brazil Wants Its Own Servers

Palantir Technologies raises $196.5 million (Chicago Tribune) Data-analytics company Palantir Technologies has raised $196.5 million, the company disclosed Friday in a regulatory filing

Northrop Grumman, bwtech@UMBC Graduate First Three Companies from Cyber Cync Program (Wall Street Journal) Northrop Grumman Corporation (NYSE: NOC) and the University of Maryland, Baltimore County's Research Park Corporation - also known as bwtech@UMBC - hosted a ceremony today for the first graduating class of the Cyber Cync Program: AccelerEyes, Five Directions and Oculis Labs

Virginia Cybersecurity Program Targets Startup Businesses (GovConWire) The nonprofit Center for Innovative Technology has launched a public-private cybersecurity program for Virginia businesses to receive an initial investment and make presentations to professional investors. The MACH37 Cyber Accelerator is targeted to cyber startups and will comprise of two 90-day sessions per year, Gov. Bob McDonnell's office said Sept. 12

Who Will Stay, and Who Will Go? (Wall Street Journal) Five are in, and five are out! Since the last round of eliminations, the founders have documented a typical day in their lives and endured "hot seat" questioning from two SOTY mentors. Today, the top ten become the final five, one of which will soon be named WSJ Startup of the Year

Products, Services, and Solutions

BlackBerry mulling Messenger expansion to more platforms beyond Android, iOS (FierceMobileIT) BlackBerry (NASDAQ:BBRY) said it is considering extending its signature Messenger chat service to other platforms beyond Google's (NASDAQ:GOOG) Android and Apple's (NASDAQ:AAPL) iOS

Ars takes a look at the tools of the surveillance trade (Ars Technica) We also talk about the merits of purple and Google's new real-life delivery service

Metasploit creator seeks crowd's help for vuln scanning (The Register) Security outfit Rapid7 has decided that there's just too much security vulnerability information out there for any one group to handle, so its solution is to try and crowd-source the effort. Announcing Project Sonar, the company is offering tools and datasets for download, with the idea that the community will provide input into the necessary research

John McAfee wants to sell you a $100 gadget that blocks the NSA (The Verge) Part–time fugitive and antivirus software founder John McAfee has a new invention he's working on. After spending some of his time filming a drug-fueled video tutorial to uninstall the antivirus program he helped create, McAfee now believes he can outsmart the NSA. Speaking at the San Jose McEnery Convention Center on Saturday, McAfee unveiled his grand plan to create a "D–Central" gadget that communicates with smartphones, tablets, and laptops to create decentralized networks that can't be accessed by government agencies

Protect high–value transactions on iOS and Android (Help Net Security) SecureKey introduced its enhanced cloud-based briidge.net Connect multi-factor authentication service. This latest version of briidge.net Connect incorporates the new briidge.net Connect Mobile SDK, which enables developers to easily add robust multi-factor authentication capabilities into iOS and Android mobile apps

Cyberoam launches next-generation firewall appliances (Help Net Security) Cyberoam unveiled Next-Generation Firewalls (NGFW) in its NG Series appliances. Cyberoam NGFW come with Layer 8 Identity-based technology for actionable intelligence and controls that offer complete security controls over L2-L8 for future-ready security in enterprises

Insurer Allianz adds cyber–crime response specialists from Incoming Thought to its policy cover (bobsguide) The insurance giant Allianz has grown its cyber response team to fight financial crime, distributed denial of service (DDoS) and other such malfeasance by partnering with specialists at Incoming Thought. The information security consultancy will provide experts to help the insurance firm's clients recover from a cyber-attack

Microsoft Security Essentials: Aiming low? (ZDNet) Microsoft has offered a free consumer security product for years, but is it good enough for you? It's certainly better than nothing, but it's way short of the best products

TCC releases new encryptor for secure voice and cross-network conferencing (MENAFN) Technical Communications Corp. TCCO said it has released its HSE 6000 radio headset and telephone encryptor to secure the land mobile radio voice communications of public safety special operations, and telephone-to-radio conferencing between commanders and field forces, enabled by TCC's innovative X-NCrypt Cross Network Cryptography

Non–NIST Cipher Suite (Silent Circle) One of the most upsetting things about the recent revelations about the NSA's shenanigans is that it has apparently devoted US$250M to suborning international standards. (One of the very upsetting things about these revelations is that there are several most upsetting things.) Over the last few weeks, just about everyone in the standards and crypto business has been looking over the crypto with an eye towards seeing what the NSA might have subverted

Silent Circle will "move on" from NSA–associated encryption standards, but is that necessary? (Gigaom) The secure communications firm will bring in default replacements for widely-used encryption standards that came out of the U.S. National Institute of Standards and Technology (NIST). However, at least one security expert thinks this may be "a trifle of an overreaction"

Technologies, Techniques, and Standards

Tech Insight: Top 4 Problem Areas That Lead To Internal Data Breaches (Dark Reading) External data breaches (think: Anonymous) and internal data leaks (think: Edward Snowden) have enterprises questioning and rethinking their security programs. Are they doing enough to protect their data? Are their security controls effective? Would they be able to respond appropriately to a data breach and contain it quickly

Do you have your network perimeter secured against downloading malicious content? (Internet Storm Center) Information security professionals take very seriously the network perimeter and tend to put in place several devices to enforce access control to network resources like firewalls, IPS, content filtering devices including antimalware functionality and network access control. But there are two specific variables that can increase a lot the risk of external compromises: Administrative privileges in desktop computers: Many types of business software do not have implemented the principle of requiring the least privileges. That us why now a significant percentage of companies grant Administrator privileges to users, where their use is not monitored in detail

Simplify security but tighten management to keep virtual desktops in check: Imation (CSO) Built-in encryption makes removable USB-based desktop images intrinsically more secure against loss or compromise than conventional desktops, but a virtual-desktop expert warns that companies must still look to two-factor authentication and innovations such as biometrics to ensure security is easy enough that employees won't circumvent it

Continuous monitoring has great promise, says IA specialist (ComputerWorld) Continuous monitoring is fast becoming a security buzzword, but it is a way for security professionals to regain lost ground, according to Bill Hargenrader, information assurance manager at Booz Allen Hamilton

The impact of false positives on web application security scanners (Help Net Security) Ferruh Mavituna is the CEO at Mavituna Security and the Product Architect of Netsparker. In this interview he discusses what impact false positives have on web application security scanners and what his team is doing to deliver false positive free scans

Cyber attack retaliation a bad idea, says international panel (ComputerWeekly) Retaliatory cyber attacks are not a good idea, an international panel has told attendees of a joint session of the ASIS International and (ISC)2 2013 annual congresses in Chicago. Although security practitioners' ability to trace the source of cyber attacks is improving, they said it is seldom possible to do this with total certainty, particularly in the most sophisticated attacks

Cloud Security Alliance releases Cloud Controls Matrix 3.0 (Help Net Security) The Cloud Security Alliance (CSA) released the CSA Cloud Control Matrix (CCM) 3.0, the standard for assessing cloud centric information security risks. It expands its control domains to address

F1 champions Red Bull battle constant threats of cyber attacks and data theft (V3) Triple championship-winning Formula One team Infiniti Red Bull Racing faces constant challenges from both internal and external threats as its technological developments provoke the interest of amateur hackers and rival teams. In response to questions from V3 on a visit to the Red Bull team's headquarters in Milton Keynes, CIO Matt Cadieux (pictured) explained that the intensely competitive and secretive nature of Formula One technology means he has to ensure his networks are in complete lockdown so no "bad apples" could ever walk away with technical data and give it to another team

Buffering SSL encryption to combat today's emerging threats (TechRepublic) Next-generation firewalls should include intrusion prevention (IPS), the ability to decrypt and inspect SSL sessions in real time, and the ability to visualize and control application traffic as it crosses the network

Five Tips for Measuring Progress in Information Security (Tripwire) In my post on Measuring and Reporting on Vulnerability Risk, I talked about how rankings and categories make for some easy to understand graphs, but they tend to fail at meaningfully measuring progress over time. It's tempting to use the standard output of your information security products as the basis for tracking progress, but counting the numbers of highs, mediums and lows simply isn't an accurate a representation overall progress

Could agencies avoid disaster in a Nirvanix–like cloud shutdown? (GCN) The collapse of cloud storage vendor Nirvanix — and the stampede by its customers to recover their data — illustrates why government agencies need sound exit and migration strategies in place before moving any data to the cloud. Upfront due diligence will help agencies if they have to move massive amounts of data on short notice from one cloud service provider to another

Research and Development

Why Recommendation Engines Are About To Get Much Better (InformationWeek) Expanding data sources, including social media sources, are making recommendation engines much more powerful. Amazon.com certainly deserves credit for bringing the term "recommendation engine" into the general lexicon. But recommendation engines have expanded well beyond consumer-facing shopping sites like Amazon as programmatic ways of making accurate recommendations

New proof–of–concept tool detects stealthy malware hiding in graphics cards (PC World) As anti-virus solutions become more robust and Microsoft becomes better at plugging Windows vulnerabilities, malware designers have to get more creative about attacking PCs and servers. One wide-open avenue of attack: hardware components like graphics and network cards. Yes, you read that right

Academia

New Penn State Homeland Security Programs Leader Predicts Evolution in Threats and Changes in Education (Digital Journal) In just the last two years, the nation has experienced deadly man-made and natural disasters, including the Boston Marathon bombing, Hurricane Sandy and wildfires. And as terrorism and organized crime continue to converge, information technology security challenges, threats to information integrity, identity theft and cyber-attacks will further increase, predicts Alexander Siedschlag, Penn State's new chair of online homeland security programs

Legislation, Policy, and Regulation

Report: NSA tracks social ties on Facebook (New Press) The National Security Agency has used its massive collections of electronic data to create a graphic analysis of some American citizens' social connections including travel, location, associates and even Facebook ties, a published report said Saturday

NSA should put all Americans' phone records in a lockbox for later search, director says (Syracuse Post=Standard) The National Security Agency wants to collect more phone records so they can be examined at need, the agency's director told a Senate committee that wants to limit NSA's authority to gather such information. Gen. Keith Alexander's made the assertion Thursday during a Senate Intelligence Committee hearing after Sen. Mark Udall, D-Colo., asked him if the NSA wants "the phone records of all Americans," the Huffington Post reported. According to the Post, Alexander replied: "I believe it is in the nation's best interest to put all the phone records into a lockbox that we can search when the nation needs to do it, yes"

Rights groups plan anti–NSA surveillance rally in D.C. (ComputerWorld) ACLU, EFF, Mozilla among nearly 100 organizations planning event on 12th anniversary of U.S. Patriot Act

US Lawmakers Seek Surveillance Reform (Voice of America) U.S. senators in both parties are proposing changes in the way the National Security Agency collects information as it hunts for terrorists and other threats. Some lawmakers want to limit or end the bulk collection of telephone and email records

Why the nation needs a US Cyber Force (Boston Globe) IN THE early 1980s cyber fiction film, "War Games," a young hacker played by Matthew Broderick almost managed to start World War III when he accidentally nearly launched nuclear strikes against the Soviet Union. It seemed unlikely in those relatively primitive days before the widespread use of the Internet, but it foreshadowed the emerging era of the profound intersection of national security and the cyber world. If we think of cyber as we did of aviation a little more than 100 years ago, we are just now on the beach at Kitty Hawk

Japan, US to Discuss Strengthening Cybersecurity: Reports (SecurityWeek) Japan and the United States will discuss strengthening defenses against cyber-attacks, reports said Monday, as Tokyo looks to play a more active role in global security. At talks in Japan later this week, the foreign and defence ministers from both countries will undertake their first review for 15 years of how their security alliance operates

Hammond's £500m new cyber army: As he reveals top-secret Whitehall bunker for the first time, Defence Secretary says future wars will be fought with viruses (Daily Mail) A new 'cyber strike force' costing up to Hammond's £500m new cyber army: As he reveals top-secret Whitehall bunker for the first time, Defence Secretary says future wars will be fought with viruses500 million is being secretly built by Britain to wage war with a regiment of computer geeks instead of bombs and bullets. Fighter planes, warships and regiments face being replaced by futuristic cyber assaults using lethal computer worms and viruses to wipe out enemy targets

Britain's new cyberwar strike capabilities may just be political posturing (Quartz) Britain's defense minister Philip Hammond made a startling statement yesterday: "We are developing a full-spectrum military cyber capability, including a strike capability, to enhance the UK's range of military capabilities." This is not the first time a government has admitted to developing such capabilities. But it is the first time one has explicitly said it will seek to use it for offensive purposes. In the past, calls for offensive capabilities have been just that: proposals

As governments wage cyber wars, Europe stays away (CNBC) Governments across the world are engaged in cyber-attack campaigns against one another, while European administrations have so far fore-sworn any involvement in offensive online attacks, according to a new report by cyber security firm FireEye. FireEye says that "cyber weapons" are now part of the arsenal governments can use in real-world conflicts

Game apps under fire from consumer law makers (Naked Security) The UK's Office of Fair Trading has investigated how apps and browser-based games comply with consumer law. Alarmed by their findings, they're recommending new developer guidelines around in-app purchases and language inciting children to pay for in-game rewards

FDA's mobile medical apps guidance: Our advisors weigh in (FierceHealthIT) While the U.S. Food and Drug Administration unveiled its long-awaited final guidance on the regulation of mobile medical applications on Monday, some in the healthcare industry weren't sure it went far enough. For instance, Bradley Merrill Thompson, who serves as general counsel for the mHealth Regulatory Coalition, said the final guidance was porous in some areas, such as the definition of what are regulated; disease intended uses compared to unregulated, wellness intended uses; and the exact meaning of an accessory to a medical device

Litigation, Investigation, and Law Enforcement

Microsoft releases latest Law Enforcement Requests Report — no Skype content handed over (Naked Security) Microsoft has published its second Law Enforcement Requests Report, covering the first half of 2013. The quick summary: not much increase over last year's numbers

What did the detention of David Miranda achieve? (ComputerWorld) The physical transport of data shouldn't matter. But sometimes it does. The recent detention of David Miranda, partner of The Guardian newspaper journalist Glenn Greenwald, has created yet another furore, instigating much indignation and re-igniting the debate on the ethics of Prism

Edward Snowden e–mail provider Lavabit faced 'pen register' order (Politico) Lavabit—the e-mail provider that shut down last month in a surveillance-related dispute with the federal government—was faced with a "pen register" order that could have been used to obtain information in real-time when National Security Agency leaker Edward Snowden logged into his account and might even have been used to seek his password

LexisNexis confirms data breach; FBI investigating (Bradenton Herald) LexisNexis, one of the country's largest collectors of personal information on individuals and businesses, said it is trying to determine whether hackers may have gained access to Social Security numbers, background reports and other details on millions of Americans during a data breach earlier this year

Qaeda Plot Leak Has Undermined U.S. Intelligence (New York Times) As the nation's spy agencies assess the fallout from disclosures about their surveillance programs, some government analysts and senior officials have made a startling finding: the impact of a leaked terrorist plot by Al Qaeda in August has caused more immediate damage to American counterterrorism efforts than the thousands of classified documents disclosed by Edward Snowden, the former National Security Agency contractor

£1.01 billion kept out of cybercrooks' hands, claim UK e-cops (Naked Security) The UK's Police Central e-crime Unit (PCeU) is claiming to have kept an astonishing £1.01 billion out of the hands of cybercrooks over the past two-and-a-half years. But just how accurate is that figure? John Hawes investigates

Two youngsters arrested for different DDoS attacks (Help Net Security) Following the massive DDoS attack against anti-spam outfit Spamhaus earlier this year, a 35-year-old Dutch citizen believed to be Sven Kamphuis, the owner and manager of Dutch hosting firm Cyberbunker, was arrested in Spain because he was suspected of having participated in the attack

Google To Be Punished In France For Failing To Pare Back Its Overreaching Privacy Policy (TechCrunch) Google is facing sanctions in France after it failed to amend its privacy policy to comply with French data protection law within a timetable set out by the national regulator. France's data privacy regulator, the CNIL, said Friday it intends to initiate "a formal procedure for imposing sanctions" — which could include a fine — after a three-month deadline to comply with its requirements passed without Google making any changes

Facebook finally wins $3 million payout in Power Ventures spam lawsuit (Naked Security) Power Ventures lured Facebook users into handing over access to their contact lists, then spammed everyone they knew with emails urging them to join their site. Now that Facebook has won its five-year legal battle, has it earned back some trust

Legal pitfalls lurk in common enterprise BYOD practices (FierceMobileIT) Legal pitfalls could lurk in common enterprise BYOD practices, such as remote wiping of data and tracking of employee-owned devices. This is the warning from Route 1, a digital security and identity management firm, in a recent white paper. Route 1 stresses that the practice of remotely wiping personal devices if they are lost or stolen and the GPS tracking of their devices are "legally ambiguous"

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

Upcoming Events

cybergamut Technical Tuesday: Location Based, Context Aware Services for Mobile — Today and Tomorrow by Guy Levy–Yurista, Ph.D. (available at various nodes, November 12, 2013) As we continue to grow our dependence on mobile devices in our daily routine from taking pictures to delivering corporate documents, the contexts in which these devices are acting becomes increasingly...

InfoSecIndy (Indianapolis, Indiana, USA, April 26 - 27, 2014) Join us on April 26-27, 2014 in Indianapolis, Indiana for the premier Midwest Information Security and Digital Forensics Conference.

Information Security Conference (Charleston, West Virginia, USA, October 2, 2013) On October 2, the WVOT Office of Information Security and Controls, will be sponsoring a no-charge information and cyber security awareness event at the Charleston Civic Center. The agenda will offer...

NSU Hosts FBI Presentation on National Cyber Security Awareness (Fort Lauderdale, Florida, USA, October 3, 2013) GSCIS Hosts the Federal Bureau of Investigation (FBI) Special Agents special presentation on "National Cyber Security Awareness." RSVP at the link.

The Monktoberfest (Portland, Maine, USA, October 4, 2013) Our speakers will explore how social trends can change the way we build and use technology, and how technology in turn can change the way we socialize.

Suits and Spooks NYC 2013 (New York, New York, October 5, 2013) Since the landscape is foggy, the threat actors numerous and hard to identify, and the attacks proliferating on a daily basis, the focus of the next Suits and Spooks conference will be to identify non-state...

Forensics and Incident Response Summit EU (Prague, Czech Republic, October 6 - 13, 2013) The Summit will focus on high quality and extremely relevant content as well as panel discussions in Digital Forensics and Incident Response. In addition, we encourage you to take every opportunity to...

CyberMaryland 2013 (Baltimore, Maryland, USA, October 8 - 9, 2013) Join cybersecurity leaders, luminaries and rising stars at CyberMaryland 2013. This two-day event at the epicenter of the nation's cybersecurity innovation and education, will create opportunities for...

2013 Maryland Cyber Challenge (Baltimore, Maryland, USA, October 8 - 9, 2013) Held in conjunction with Cyber Maryland and intended to let students and young professionals showcase their cybersecurity skills, Maryland Cyber Challenge offers competition in three divisions: high school,...

AFCEA Hill AFB Technology & Cyber Security Expo (Ogden, Utah, USA, October 9, 2013) The purpose of this first-time event is to allow base personnel the opportunity to learn about the latest computer security trends, network with peers, share remediation strategies and to view and demo...

NSU's Raising Savvy Cyber Kids with Ben Halpert (Fort Lauderdale, Florida, USA, October 10, 2013) Ben Halpert is an award-winning author of several books for diverse audiences. The Savvy Cyber Kids At Home: The Family Gets A Computer (October, 2010) is a picture book that teaches the concepts of online...

International Conference on Cyber–Enabled Distributed Computing and Knowledge Discovery (Shanghai, China, October 10 - 12, 2013) International Conference on Cyber-enabled distributed computing and knowledge discovery -promotes research and development of the cyber-related technology. It is unique and significant that spans through...

VizSec 2013 (Atlanta, Georgia, USA, October 14, 2013) VizSec brings together researchers and practitioners in information visualization and security to address the specific needs of the cyber security community through new and insightful visualization techniques.

Hack-in-the-Box Security Conference 2013 (Kuala Lumpur, Malaysia, October 14 - 17, 2013) The 11th annual HITB Security Conference (16th/17th October) will be a triple track offering featuring keynotes by Andy Ellis, Chief Security Officer at Akamai and Joe Sullivan, Chief Security Officer...

USDA Cyber Security Symposium and Expo 2013 (Washington, DC, USA, October 15, 2013) The Cybersecurity Expo, running in conjunction with the Summit, will allow exhibitors the opportunity to provide live demos and share information with government personnel and industry partners. Summit...

SNW Fall 2013 (Long Beach, California, USA, October 15 - 17, 2013) SNW is the world's largest independently produced conference series focused on the evolution of architecture for a new world of mobility, Big Data and business agility. Produced by Computerworld -- and...

Hexis Exchange (Athens, Greece, October 16 - 17, 2013) Attendees will have the opportunity to participate in a knowledge exchange of the latest enterprise security topics through expert led business and technology forums, hands-on sessions, and training. Such...

Cybersecurity Symposium: "Protect. Defend. Educate." (Linthicum, Maryland, USA, October 16 - 17, 2013) The Cybersecurity Symposium being held October 16-17, 2013, will deliver first-class training for government and industry security professionals while simultaneously offering high-level keynote speakers,...

NSU Healthcare Cyber Security Summit (Fort Lauderdale, Florida, USA, October 17, 2013) In today's modern healthcare systems, data is everywhere, including sensitive patient data that needs to be secured and monitored. Join top healthcare security professionals from Nova Southeastern University,...

Nuclear Regulatory Commission Cyber Security Conference & Expo (Rockville, Maryland, USA, October 17, 2013) This one-day conference will consist of cyber sessions in the NRC Auditorium given by government and industry speakers. Exhibit tables will be set-up just outside the Auditorium and companies will have...

Securing the Internet of Things Summit (San Francisco, California, USA, October 21, 2013) The Internet of Things is still in its infancy and the security community has a chance to build in new approaches to security if we get started now. More secure embedded operating systems and applications,...

13th Industrial Control Systems Cyber Security Conference (Atlanta, Georgia, USA, October 21 - 22, 2013) Industrial Control Systems (ICS) operate the infrastructures of electric power, water, chemicals, manufacturing, transportation, defense, etc. and link the digital and physical worlds. Their cyber security...

Cloud Connect (Chicago, Illinois, USA, October 21 - 23, 2013) Cloud Connect returns to Chicago October 21-23, 2013 with an all new program built around the leading cloud platforms. Cloud Connect provides the independent guidance IT professionals need to successfully...

cybergmut Technical Tuesday: Cyber Security Strategy — Why We're Losing and What's Needed to Win (Columbia, Maryland, USA, October 22, 2013) CrowdStrike's Steve Chabinsky of CrowdStrike explains the situation. Everybody seems to be spending more on cybersecurity, but with questionable return on investment. In fact, the problem clearly is getting...

Cyber Security Seminar and IT Expo at Peterson AFB (Colorado Springs, Colorado, USA, October 22, 2013) The Cyber Security Seminar and IT Expo is a one-day event held on-site where industry vendors will have the opportunity to display their products to personnel attending briefings concerning the latest...

Joint Federal Cyber Summit 2013 (Washington, DC, USA, October 23 - 24, 2013) This collaborative government wide event is truly one of a kind, with speakers and attendees anticipated to represent more than 10 federal government agencies. Information sharing will be accomplished...

NSU's 12 Simple Cybersecurity Rules For Your Small Business (Fort Lauderdale, Florida, USA, October 24, 2013) In this presentation twelve simple and inexpensive techniques for protecting small businesses from cyber threats will be discussed. While complex and expensive solutions exist to improve the security...

2013 ACT–IAC Executive Leadership Conference (Williamsburg, Virginia, USA, October 27 - 29, 2013) Advances in technology and massive increases in data available can both challenge and transform Government mission performance. ELC-2013 focuses on how to make this transformation a reality, in and for...

SAP NS2: National Security Solutions Summit (Falls Church, Virginia, USA, October 29, 2013) Join us for a day of learning and networking focused on how to advance U.S. national security and homeland security through I.T. innovation. Top-notch speakers will address the new challenges facing U.S.

Regional Cyber Security Forum & IT Day (CSFI) — Hawaii (Honolulu, Hawai'i, USA, October 30, 2013) 2013 marks the 10th anniversary of National Cyber Security Awareness Month and FBC will host the 1st Annual Cyber Security Forum & IT Day (CSFI) at Fort Shafter - Club Hale Ikena to coinside with the anniversary,...

NSA Hawaii — Cyber Security, Intelligence & IT Day (Honolulu, Hawai'i, USA, October 30, 2013) Be a part of the 1st Annual Cyber Security, Intelligence and IT Day set to take place at the new National Security Agency (NSA) Hawaii Rochefort facility. The event will be hosted by NS/CCS Hawaii Technology...

Grow your brand and reach new customers.

Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.

Be a part of the CyberWire story.

People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.