
More signal. Less noise.

Daily briefing.

The Heartbleed OpenSSL vulnerability dominates today's news, and is likely to do so for days (if not weeks) to come. Ars Technica describes the bug as exposing data "Russian roulette style," and the metaphor's not a bad one: a missing bounds check in OpenSSL's handling of the TLS heartbeat extension lets a peer claim a payload length larger than what it actually sent, and the server obligingly answers with up to 64 KB of whatever happens to sit in its process memory beyond the request. Depending on the roll, that may be nothing of interest, or it may be passwords, session data, or other secrets the server was handling at the time. Vendors and security experts are sifting through affected sites and products now and issuing fixes as they're developed.
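To make the "missing bounds check" concrete, here is an added, self-contained C model of the heartbeat handler (written for this briefing, not OpenSSL's own source). The vulnerable version trusts the peer-supplied payload_length and copies that many bytes from wherever the record sits in memory; the fixed version applies the length check that OpenSSL 1.0.1g added and silently discards a record whose claimed payload does not fit in what was actually received. The message layout follows RFC 6520; the record bytes, the adjacent "secret" bytes and all function and constant names are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat message: type (1) | payload_length (2, big-endian) |
 * payload | padding (at least 16 bytes). These constants are the protocol's. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed sample of process memory: a received heartbeat request whose
 * header claims 40 payload bytes although only 4 were sent, followed by
 * unrelated data that happens to sit next to it (stand-in for key material). */
static const unsigned char process_memory[] = {
    HB_REQUEST,
    0x00, 0x28,                                      /* claimed payload_length = 40 */
    'p', 'i', 'n', 'g',                              /* the 4 payload bytes sent    */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,  /* 16 bytes of padding         */
    'S', 'E', 'C', 'R', 'E', 'T', '-', 'K', 'E', 'Y', '-',
    'M', 'A', 'T', 'E', 'R', 'I', 'A', 'L', 0        /* NOT part of the record      */
};
#define MALICIOUS_RECORD_LEN (1 + 2 + 4 + HB_PADDING) /* 23 bytes actually received */

/* A well-formed request for comparison: payload_length matches what was sent. */
static const unsigned char valid_record[] = {
    HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
#define VALID_RECORD_LEN (sizeof valid_record)        /* 23 bytes */

/* Builds the response: header, `payload` bytes copied from pl, then padding.
 * Shared by both handlers so the only difference between them is the check. */
static size_t hb_build_response(const unsigned char *pl, unsigned int payload,
                                unsigned char *out, size_t out_cap) {
    size_t total = 1 + 2 + (size_t)payload + HB_PADDING;
    if (total > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, pl, payload);              /* copies whatever follows pl in memory */
    memset(out + 3 + payload, 0, HB_PADDING);  /* padding (random bytes in real TLS)   */
    return total;
}

/* Vulnerable handler (pre-1.0.1g behaviour): the peer-supplied length is trusted
 * and never compared with rec_len, so the copy runs past the end of the record. */
size_t hb_process_vulnerable(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap) {
    const unsigned char *p = rec + 1;                   /* skip hbtype */
    unsigned int payload = ((unsigned int)p[0] << 8) | p[1];
    (void)rec_len;                                      /* the bug: never consulted */
    return hb_build_response(p + 2, payload, out, out_cap);
}

/* Fixed handler: the two length checks OpenSSL 1.0.1g added. A record whose
 * claimed payload does not fit in what was received is silently discarded. */
size_t hb_process_fixed(const unsigned char *rec, size_t rec_len,
                        unsigned char *out, size_t out_cap) {
    const unsigned char *p;
    unsigned int payload;
    if (1 + 2 + HB_PADDING > rec_len)
        return 0;                         /* too short to hold even an empty payload */
    p = rec + 1;
    payload = ((unsigned int)p[0] << 8) | p[1];
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len)
        return 0;                         /* silently discard (RFC 6520 section 4) */
    return hb_build_response(p + 2, payload, out, out_cap);
}

/* Thin wrappers with a shared response buffer, for the demo and for checks. */
static unsigned char scratch[128];
size_t run_vulnerable(const unsigned char *rec, size_t rec_len) {
    return hb_process_vulnerable(rec, rec_len, scratch, sizeof scratch);
}
size_t run_fixed(const unsigned char *rec, size_t rec_len) {
    return hb_process_fixed(rec, rec_len, scratch, sizeof scratch);
}
const unsigned char *last_response(void) { return scratch; }

int main(void) {
    size_t n = run_vulnerable(process_memory, MALICIOUS_RECORD_LEN);
    /* bytes 23..41 of the response are the adjacent "secret", not the record */
    printf("vulnerable: %zu bytes echoed for a 23-byte record, tail=\"%.19s\"\n",
           n, (const char *)last_response() + 3 + 4 + HB_PADDING);
    printf("fixed: %zu bytes echoed (record silently discarded)\n",
           run_fixed(process_memory, MALICIOUS_RECORD_LEN));
    printf("fixed, valid record: %zu bytes echoed\n",
           run_fixed(valid_record, VALID_RECORD_LEN));
    return 0;
}
```

The over-read here stays inside the constructed array so the model runs cleanly; in a real server the same memcpy walks into neighbouring heap allocations, which is why nothing in the request itself looks wrong and nothing is logged. Note that the fix is a check against the length of the record actually received, not against the claimed length, and that a well-formed request is still answered normally by the fixed handler.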

The Sydney Morning Herald tracks down the software developer who takes responsibility for the bug. He explains how the vulnerability was inadvertently introduced. (Conspiracy-mongers are undeterred from offering alternative attributions.)

It's not clear whether the vulnerability has been exploited in the wild (although a note from Deltek about a breach involving its GovWin product might give one the willies; still, no mention there of Heartbleed), but Heartbleed exploitation is hard to detect after the fact, since a malformed heartbeat leaves no trace in ordinary server logs. Experts advise taking protective steps quickly but with caution. Heartbleed is obvious phishbait (Sophos points out); it's also a good watering-hole lure (as SANS notes).

Quartz sees the whole episode as an instance of the tragedy of the commons, where a public good is steadily eroded in the absence of clear property rights and responsibilities.

Retailers face a large Heartbleed problem, adding insult to injury as legislation in several jurisdictions begins to fix liability for data breaches squarely on them.

In non-Heartbleed news, the insurance industry (led by Lloyd's of London) continues to note critical infrastructure's cyber vulnerability.

Notes.

Today's issue includes events affecting Canada, China, Germany, Norway, Russia, Turkey, United Kingdom, United States.

Cyber Attacks, Threats, and Vulnerabilities

Critical crypto bug exposes Yahoo Mail, other passwords Russian roulette-style (Ars Technica) OpenSSL defect still exposing sensitive data even after patch is released

Sending a "Heartbleed" password reset email? Please don't include a login link! (Naked Security) With all the buzz about resetting your passwords caused by the "Heartbleed" bug, you can imagine what cybercrooks are thinking. TIME TO GO PHISHING! Fortunately, many people these days know to be careful of password reset emails, at least those that helpfully provide a link that takes you to what looks like a login screen

Heartbleed OpenSSL bug: FAQ for Mac, iPhone and iPad users (Intego: the Mac Security Blog) In the last couple of days you cannot fail to have seen the huge number of media articles about the so-called Heartbleed bug. In this article, we'll try and answer some of the common questions that users of Apple products have raised about this issue

Man who introduced serious 'Heartbleed' security flaw denies he inserted it deliberately (Sydney Morning Herald) The German software developer who introduced a security flaw into an encryption protocol used by millions of websites globally says he did not insert it deliberately as some have suggested

Heartbleed: What you should know (Washington Post) Experts have discovered a major flaw in the security software used by millions of Web sites — including banks, e-mail and social media services — that exposes users' names and passwords, the content of their communications, and their data to anyone who knows how to exploit the weakness. This does not mean your information has necessarily been stolen. It may mean that it's been vulnerable to theft and may remain vulnerable until a fix is applied

How to tell if Heartbleed could have stolen your password, and when it's safe to change it (Quartz) As you've probably heard, the Heartbleed bug exposes websites that use a popular encryption technology to malicious attacks, and some of your passwords—and personal data—may well have been compromised. The vulnerable software, OpenSSL, is used to encrypt something like two-thirds of all sites on the web

More Than A Half-Million Servers Exposed To Heartbleed Flaw (Dark Reading) What the newly exposed SSL/TLS threat really means for enterprises and end-users

The Heartbleed Hit List: The Passwords You Need to Change Right Now (Mashable) An encryption flaw called the Heartbleed bug is already being called one of the biggest security threats the Internet has ever seen. The bug has affected many popular websites and services — ones you might use every day, like Gmail and Facebook — and could have quietly exposed your sensitive account information (such as passwords and credit card numbers) over the past two years

How does the Heartbleed bug affect me? (Help Net Security) By now, you have surely heard about the "Heartbleed" bug discovered in OpenSSL, and you're wondering how its existence affects you. The situation is, indeed, serious. "'Catastrophic' is the right word," says Bruce Schneier, noted cryptographer and computer security and privacy specialist. "On the scale of 1 to 10, this is an 11"

Revoke, reissue, invalidate: Stat! Security bods scramble to plug up Heartbleed (The Register) Paper is safe. Clay tablets too

Difficulty of Detecting OpenSSL Heartbleed Attacks Adds to Problem (Threatpost) The list of products and sites affected by the OpenSSL heartbleed vulnerability continues to grow, and as security teams implement the patch and dig into the thornier work of revoking certificates, a new problem is emerging: It's difficult to know whether an attacker has exploited the vulnerability on a given system

Heartbleed is the new security risk (FierceRetailIT) There's yet another security nightmare staring down retailers as the Heartbleed bug threatens to expose encrypted data in OpenSSL

The Internet's Telltale Heartbleed (New Yorker) The cryptography expert Bruce Schneier, who has been writing about computer security for more than fifteen years, is not given to panic or hyperbole. So when he writes, of the "catastrophic bug" known as Heartbleed, "On the scale of 1 to 10, this is an 11," it's safe to conclude that the Internet has a serious problem. The bug, which was announced on Tuesday—complete with an explanatory Web site and a bleeding-heart logo—is a vulnerability in a widely used piece of encryption software called OpenSSL

The heartbleed bug shows how fragile the volunteer-run internet can be (Quartz) Matthew Prince, CEO of the online security company Cloudflare, watched his company's top cryptographer turn "white as a ghost" after learning about a bug in the essential infrastructure of the internet last week. That flaw, he says now, is the worst thing to happen to the internet since it became a mass medium in the early 2000s

Has the NSA Been Using the Heartbleed Bug as an Internet Peephole? (Wired) When ex-government contractor Edward Snowden exposed the NSA's widespread efforts to eavesdrop on the internet, encryption was the one thing that gave us comfort. Even Snowden touted encryption as a saving grace in the face of the spy agency's snooping. "Encryption works," the whistleblower said last June. "Properly implemented strong crypto systems are one of the few things that you can rely on"

'Heartbleed' mystery: Did criminals take advantage of cyber-security bug? (Christian Science Monitor) Website operators rushed to patch a cyber-security vulnerability called 'Heartbleed' that allows 'anyone on the Internet' to access website server memory without leaving a trace. A major concern: It existed 'in the wild' for two years

Deltek suffers cyber attack putting 80,000 employees of vendors at risk (Federal News Radio) About 80,000 employees of federal contractors are at risk of identity theft after a hacker broke into business research firm Deltek's GovWin IQ system

BlackBerry 10 Smartphones Impacted by Remote Code Execution Flaw in qconnDoor (Softpedia) BlackBerry is warning customers that a stack-based buffer overflow vulnerability in the qconnDoor service could lead to remote code execution on BlackBerry 10 smartphones

Security Patches, Mitigations, and Software Updates

Heartbleed vendor notifications (Internet Storm Center: InfoSec Handlers Diary Blog) As people are running around having an entertaining day we thought it might be a good idea to keep track of the various vendor notifications. I'd like to start a list here and either via comments or sending it let us know of vendor notifications relating to this issue. Please provide comments to the original article relating to the vulnerability itself, and use this post to only provide links to vendor notifications rather than articles etc about the issue

Heartbleed OpenSSL vulnerability: A technical remediation (Help Net Security) OpenSSL released a bug advisory and a patch for a 64 KB memory leak in their library. The bug has been assigned CVE-2014-0160, TLS heartbeat read overrun

BlackBerry Patches Remote Code Execution Vulnerability Affecting BlackBerry 10 (SecurityWeek) Joining Microsoft and Adobe in issuing security fixes on Tuesday, BlackBerry issued a patch to address a remote code execution vulnerability (CVE-2014-1468) that affects BlackBerry 10 smartphones and could enable an attacker to take control of the device with root/superuser rights

WordPress releases important security update (Help Net Security) WordPress 3.8.2 is now available. This is an important security release for all previous versions and you should update immediately

Google patches 31 Chrome flaws, issues bug bounty rewards (ZDNet) Thousands of dollars have been awarded to bug hunters for the Chrome 34 release who reported 31 flaws, 19 deemed critical

Chrome makes new password grab in version 34 (The Register) Even with autocomplete off, Google will ask if it can 'help' by storing your passwords

Facebook Privacy: 4 Changes In Works (InformationWeek) Facebook plans to give users more control over sharing, including new photo privacy settings and reminders about public posts. Here's what to expect

Windows 8.1 Update — Microsoft forces users to update OS if they want future security updates (Lumension Blog) Most of the attention this week, from the patching point of view at least, has been directed towards the last ever security fixes for Windows XP

Windows 8.1 Update required for all future updates can actually STOP all future updates! (Graham Cluley) Microsoft has temporarily suspended distribution of Windows 8.1 Update, after it was found that it can cause some updated PCs to actually stop looking for future updates

A closer look at Microsoft's April Patch Tuesday (Help Net Security) April's Microsoft Patch Tuesday is on par with the prior releases this year. There are only four bulletins being released, two rated "Critical" and two rated "Important". Of course the long coming, but somehow still apocalyptic news that Windows XP is dead has overshadowed these bulletins

Cyber Trends

Cyber threat moving to critical infrastructure, study shows (ComputerWeekly) The cyber threat is moving from data breaches to global critical infrastructure, an insurance industry commissioned study shows. Technology running the world's critical infrastructure is increasingly at risk of cyber attack, according to in-depth research by Lloyd's of London insurer Aegis London

Financial malware on the rise (Gadget) According to Kaspersky Lab's Financial cyber threats in 2013 study, the number of cyber attacks involving financial malware increased to 28.4 million — 27.6% more than 2012

Universities Ripe for Hacker Plundering (Tripwire) Universities are falling way behind in the race to secure sensitive data from the threat of compromise, and the trend is expected to continue in perpetuity because they lack the financial and technical resources required to safeguard critical systems, according to a recent study

Attitudes about best practices for physical access control (Help Net Security) An HID Global survey of 600 respondents revealed enterprise end users' perceptions about change and the importance of industry best practices, and how well today's technology and policy best practices are being implemented

Bruce Schneier: Technology Magnifies Power in Surveillance Era (Threatpost) Bruce Schneier said during his Source Boston keynote that history will not look kindly on society's tradeoff of privacy for convenience in the age of surveillance

Marketplace

To Compete or Non-Compete: Contracts That Make Michigan Less Competitive (Concentrate) Dug Song believes that his company, Duo Security, has a lot of competitive advantages when it comes to attracting professional talent: Company culture. Working in downtown Ann Arbor. Building cool technology. No non-compete contracts

Easy Solutions Earns Spot on CIOReview Magazine's 2014 'Top 20 Most Promising Security Companies' (Broadway World) Easy Solutions, the Total Fraud Protection company, is honored to receive recognition from CIOReview Magazine as one of 2014's "Top 20 Most Promising Enterprise Security Companies". Easy Solutions was selected by a panel of experts and members of CIOReview's editorial board, which awards this honor to recognize and promote technology entrepreneurship

Innovation, Expansion and Channel Growth Highlight First Anniversary of ThreatTrack Security (Providence Journal) In its first year as an independent company, ThreatTrack Security has successfully expanded its operations and solutions portfolio to better serve the most pressing cybersecurity needs of enterprises and government agencies. The development and recent launch of ThreatSecure™ — the industry's first solution to provide real-time detection and endpoint remediation of advanced malware threats — is the culmination of the company's strategy to empower organizations of all sizes to protect themselves from the world's most sophisticated malware

Security Startups: Interview With Defense.Net Founder and CTO Barrett Lyon (SecurityWeek) SecurityWeek: How did you start out in the computer field and in particular, security? Barrett: As a child, I had a lot of interest in computers and became very interested in Unix. Unix is hyper-focused on security

Milestone Systems, Inc. Announces New Partnerships (Digital Journal) Milestone Systems, Inc., the nation's fastest growing information security and infrastructure provider is pleased to announce new partnerships for 2014

Marillyn Hewson seeks to diversify Lockheed (Politico) Lockheed Martin is best known as the $45 billion-a-year builder of the F-35 Joint Strike Fighter and other such war machines

Former US Policy Chief Joins Cyber Firm's Board (DefenseNews) Endgame, the cybersecurity firm most famous for selling information about system vulnerabilities, has added former Pentagon policy chief James Miller to its advisory board, the company will announce today

Products, Services, and Solutions

Check Point Receives Internationally Recognized Common Criteria Certification (MarketWatch) Check Point® Software Technologies Ltd. (CHKP), the worldwide leader in securing the Internet, today announced it has achieved the distinction of Common Criteria (CC) certification for Check Point R77 and Check Point Endpoint Security. As part of Check Point's on-going certification efforts, the CC certifications for R77 and Endpoint further demonstrate the company's continued commitment to support the Government market and provide independent validation of its security solutions and capabilities

AT&T Leverages Blue Coat for Cloud Web Security Service for SMBs (Converge) AT&T launched a subscription-based Cloud Web Security service for businesses that provides real-time protection against viruses, malware, and compromised web sites

Ensnare Attack Detection Tool Hopes to Frustrate Hackers, Too (Threatpost) Two Netflix security engineers released an open source attack detection tool for Web applications that responds with tactics aiming to frustrate hackers

CSC's New App Security Offering (Dark Reading) Help organizations to test the security of software applications and build security into the software development lifecycle

Quarri Announces Partnership with Bynet Data Communications (MarketWatch) Partnership provides information security solutions for various sizes of organization, protecting websites, Intranet and cloud services access

Technologies, Techniques, and Standards

Cybersecurity Is About Attitude, Culture — Not Strictly Compliance (Wired) How do you avoid becoming the Next Big Retail Breach Target? There are plenty of points — and counterpoints — on the topic. As a cybersecurity professional who has specialized in compliance with the Payment Card Industry (PCI) Data Security Standard for more than a decade, I have a great deal of thoughts to share. So consider this the first of a five-part blog in which I'll lend my perspective about the state of systems protection in the retail industry — and how to safeguard your business

Compliance misconceptions, challenges and tips (Help Net Security) In this interview, Paul Koziarz, President and General Manager of Regulatory Compliance at CSI, talks about the misconceptions related to compliance, provides advice for CSOs and discusses the difference between being compliant and being secure

Social Media Monitoring and Compliance: Five Best Ways to Navigate Complexity in the Workplace, Part III (Cyveillance) In our previous posts, we discussed why companies need to find a balance between a legitimate interest in finding misbehavior and meeting compliance requirements with expectations of privacy, along with why you need to set objectives and clear boundaries. In today's post, we'll examine the need for transparency and a social media policy

New FedRAMP controls baseline coming this summer (FierceGovernmentIT) Private sector cloud computing providers will have a changed set of security controls to adhere to when selling to federal agencies starting later this summer

Metrics matter in privacy engineering (FierceGovernmentIT) As the privacy field seeks greater precision in a bid to make technical implementation of privacy controls a possibility, it should be cautious about the metrics it adopts, warns a computer scientist

Federal privacy advocates seek precision as a means for controls (FierceGovernmentIT) Privacy as a field lacks the precision of cybersecurity, leaving a gap when it comes to implementing specific protective measures, federal officials said today during a workshop at the National Institute of Standards and Technology

UK seeks input on cybersecurity plan similar to NIST framework (Inside Cybersecurity) The British government is seeking comment on a proposed cybersecurity "scheme" that mirrors key elements of the Obama administration's recently released framework of voluntary standards. Both the British plan and U.S. framework call for a tiered system that allows businesses and organizations to determine the level of compliance appropriate for them

Best practices for secure use of Windows XP (Help Net Security) Microsoft's support for Windows XP ended yesterday, April 8, 2014. However, Gartner estimates that one-third of enterprises currently have more than 10 percent of their systems remaining on XP

Research and Development

New IDS project spots anomalous system behavior (Help Net Security) A team of researchers from Binghamton University have been working on a new intrusion detection approach based on monitoring the behavior of systems and spotting when it differs from the one that is considered normal

Stung by file-encrypting malware, researchers fight back (IT World) Ransomware programs such as CryptoDefense, CryptorBit and HowDecrypt have left users enraged — and often helpless

Academia

Call of cyber duty: Military academies take on NSA (AP via the Washington Post) If Douglas MacArthur or Ulysses S. Grant went to the U.S. Military Academy today, they might be testing their defensive skills hunched in front of a computer screen.

Legislation, Policy, and Regulation

Caught Between The Lines: How Online Censorship Harms Corporate Security (Tripwire) National governments are increasingly powerful stakeholders on the internet, changing and filtering the digital landscape in the process. Recently we saw instances of Twitter and YouTube access blocked, performed by Turkish authorities due to circulation of a series of confidential recordings with evidence of alleged corrupt practices

Hagel pushes for Chinese reciprocation on cyber doctrine exchanges (FierceGovernmentIT) New U.S. openness regarding its military cyber doctrine is so far unreciprocated by China, say U.S. officials

Is the US headed toward a cyber Cold War with China? (Ars Technica) Harvard scholar suggests the superpowers are locked in a "cool war"

The Kremlin's Digital Gulag (Moscow Times) A Moscow city lawmaker, Alexei Lisovenko, is trying to resuscitate a government push to expand Russia's "digital sovereignty." On April 3, Lisovenko appealed to State Duma Deputy Sergei Zheleznyak, asking him to pass legislation that would require all online social networks to house users' personal data on servers located on Russian soil. Lisovenko, an active member of Facebook, Twitter, and Instagram, cites former National Security Agency contractor Edward Snowden's revelations about U.S. spying as a reason for the move. "Snowden has confirmed that the largest intelligence-gathering corporation there is — the National Security Agency — is monitoring our social media accounts," Lisovenko said

Germany asked U.S. about monitoring of Merkel but got no response: MP (Reuters) The German government asked the United States what information the National Security Agency had collected on Angela Merkel after monitoring her mobile phone for years but got no response, a German lawmaker said on Wednesday

Dueling dilemmas for national security reform (Politico) Congress is awash in ideas for revamping the government surveillance programs exposed by Edward Snowden. Although behind-the-scene talks have picked up in recent days, lawmakers' appetite, the path and timing for reform remains far from clear

Lofgren calls for sweeping NSA, email privacy reforms (The Hill) Rep. Zoe Lofgren (D-Calif.) repeated calls for sweeping privacy reforms to address both National Security Agency (NSA) surveillance and digital privacy from law enforcement agencies

Chamber of Commerce urges government to steer clear of pricing cybersecurity products (Inside Cybersecurity) The federal government should "openly" acknowledge the high costs companies could incur to counter advanced cyber threats, but officials should stay away from trying to influence the price of cybersecurity products and services, according to the U.S. Chamber of Commerce

Canadian privacy bill floats $100k fine per breach victim not notified (SC Magazine) On Tuesday, the Digital Privacy Act was introduced in Canada's Parliament, proposing stiff penalties for organizations that fail to adequately respond to breaches

New law seeks to make retailers financially responsible for data breaches (Naked Security) When it comes to massive data breaches — such as the ones at Target and Neiman Marcus — in which millions of customers' credit and debit card numbers were breached, who should foot the bill? Banks and credit card companies have been stuck paying for the damages stemming from hacking of payment data in such crimes, but a new law introduced in California last week seeks to pass the buck right on back to the retailers that spawn the breaches

Litigation, Investigation, and Law Enforcement

HHS reveals "high-risk" security issues at Medicaid agencies (SC Magazine) The Department of Health and Human Services' (HHS) has released a report on "high risk" security issues that impacted 10 state Medicaid agencies

How the IRS is Leaving Your Financial Data Unprotected (Nextgov) The tax agency needs to better audit its own accounts, according to the Government Accountability Office. GAO officials during the past year discovered that Internal Revenue Service was not sufficiently monitoring databases for abnormal activity that could indicate a breach. They also found poor encryption on key agency systems

US attorney general says criminals use crypto currencies (The Inquirer) United States attorney general Eric Holder has told the US House Judiciary Committee that criminals use crypto currencies and that US law enforcement has no way to keep it free from crime

Big data used to catch bulk cash smugglers (FierceBigData) Bulk cash is exactly what it sounds like: oodles of money bound, hidden and smuggled from one country to another as one of the three top preferred international money laundering schemes used by criminals. We're talking about seriously big time criminals here with really big bags of cash. This is not a small time players' game. Somehow it seems fitting that big data would be the tool most likely to find bulk cash, doesn't it? Here's how that works

HMIC report highlights concern over cybercrime plans (BBC) Three out of 43 police forces in England and Wales have a comprehensive plan to deal with a large-scale cyber-attack, a report has found

Whistleblower Says He Warned University Of Maryland Before Data Breach (CBSBaltimore) A data breach drew the nation's attention to the University of Maryland. It exposed sensitive information, including Social Security numbers of hundreds of thousands of current and former students and employees, and it led to an FBI raid on the home of a software engineer in Baltimore County whose former employer contracted with the university

Man behind Carder.su racketeering, other cybercrime, pleading guilty (Ars Technica) Eight of 55 connected associates have copped guilty pleas in the $50 million scam

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

Upcoming Events

Cyber Security EXPO Securing information, mobility, cloud, and social interaction for the modern enterprise. Disruptive technologies such as cloud computing, mobile, bring your own device (BYOD) and social media are pushing...

SOURCE The purpose of SOURCE Conference is to bridge the gap between technical excellence and business acumen within the security industry. SOURCE fosters a community of learning where business and security professionals...

2014 Computer Security Day (Eugene, Oregon, USA, April 11, 2014) The Fourth Computer Security Day at the University of Oregon will feature a slate of distinguished speakers from academia, industry, and government, discussing current challenges and future opportunities...

Women in Cybersecurity Conference WiCyS is an effort to bring together women (students/faculty/researchers/professionals) in cybersecurity from academia, research and industry for sharing of knowledge/experience, networking and mentoring.

NSA Procurement in today's business arena (Elkridge, Maryland, USA, April 16, 2014) An opportunity to gain inside perspective on market trends in NSA Procurement. The guest speaker will be William Reybold, National Security Agency's Deputy Senior Acquisition Executive (SAE), who manages...

Suits and Spooks San Francisco S3+: Surveillance, Security, Sovereignty and other Critical Issues. Not another hacker conference. Suits and Spooks is a unique gathering of experts, executives, operators, and policymakers who discuss...

US News STEM Solutions: National Leadership Conference The STEM crisis in the United States demands solutions, and nowhere is the search more concentrated than at U.S. News STEM Solutions. Now in its third year, this premier national leadership conference is...

East Africa Banking and ICT Summit (Kampala, Uganda, April 25, 2014) The global event series for Banking and ICT Summit enters its third year. The summit will continue to provide delegates with technical & practical sessions, lectures and showcase for banking and ICT innovations,...

National Collegiate Cyber Defense Competition Registration for the 2014 CCDC season is underway! Visit your region's website or contact your regional for registration and competition information.

InfoSecIndy (Indianapolis, Indiana, USA, April 26 - 27, 2014) Join us on April 26-27, 2014 in Indianapolis, Indiana for the premier Midwest Information Security and Digital Forensics Conference.

United States Cyber Crime Conference 2014 This is the only event of its kind that provides both hands-on digital forensics training and an interactive forum for cyber professionals to network. The conference covers the full spectrum of topics...

Infosecurity Europe 2014 Infosecurity Europe is Europe's number one Information Security event. Featuring over 350 exhibitors, the most diverse range of new products and services, an unrivalled education programme and over 12,000...
