Heartbleed continues to make vendors, enterprises, and users scramble. There may be signs of the vulnerability's exploitation ("fragging" the Call of Duty MMOG), but the evidence remains ambiguous. CERTPolska publishes an interesting rundown of the bug and its implications for Tor. BlackBerry, Cisco, and Juniper Networks all warn that their products have been affected; Twitter seems to have escaped. Affected mobile apps include (the very popular) Yahoo, Flickr, OKCupid, Rolling Stone, and Ars Technica.
Much advice on how to protect yourself against Heartbleed is on offer, but changing all passwords immediately and indiscriminately isn't a particularly good idea: at least find out if a service is (1) affected, and (2) fixed. Various tools for checking and fixing Heartbleed have been released: evaluate and use them with prudent circumspection. One issue is legal: checking a third-party site's security without permission may run afoul of laws, including the US Computer Fraud and Abuse Act and the UK's Computer Misuse Act.
Heartbleed's malign effects are expected to linger indefinitely, as many affected applications—particularly home systems—will almost certainly never be patched.
Security experts consider how similar vulnerabilities might be prevented, and consider what Heartbleed means for the future of open source.
FireEye's Mandiant unit releases its annual threat report to considerable interest. Why have China's PLA cyber units become (apparently) quiescent? Will Iran and Syria become major offensive players?
SecurityWeek talks evasion and advanced sandboxing.
Threat information sharing gets a boost in the US: it (probably) won't expose companies to anti-trust litigation.
Today's issue includes events affecting Canada, China, Dominican Republic, Estonia, European Union, India, Iran, Malaysia, Norway, Poland, Russia, Syria, Turkey, Mexico, Ukraine, United Kingdom, United States.
We direct your attention to a follow-up article related to SINET ITSEF 2013: in an exclusive interview, the Director General of Norway's National Security Authority talks with the CyberWire about how one sophisticated country sees security in an increasingly complex cyber environment.
Dateline SINET ITSEF 2014
Exclusive: Interview with Kjetil Nilsen Director General, Nasjonal Sikkerhetsmyndighet (NSM — Norway's National Security Authority)(The CyberWire) The CyberWire interviewed Mr. Kjetil Nilsen, Director General of Norway's National Security Authority (NSM), who delivered the final keynote at SINET ITSEF 2014. Mr. Nilsen's agency is responsible for information assurance, cyber security, cryptography and other national protective security services. NSM also leads NorCERT and a public-private partnership that includes Norway's national sensor network. Mr. Nilsen shared his perspective on the role of trust and cooperation in coping with an increasingly complex threat environment
Heartbleed in TOR (and in Poland)(CERTPolska) In the last few days the most popular vulnerability seems to be CVE-2014-0160. This two-year-old vulnerability in the OpenSSL library allows an attacker to read part of the memory of the process. The library is very prevalent not only in server environments (e.g. WWW or mail), but also on desktops in some client applications. However, the most popular browsers are not affected in any way. We publish our analysis of this CVE and its effect on TOR and the Polish network. Information on the Electronic Frontier Foundation Deeplinks blog allows one to speculate that intelligence agencies knew about the bug a year ago and actually used it
Blackberry, Cisco Products Vulnerable to OpenSSL Bug(Threatpost) Vendors are continuing to check their products for potential effects from the OpenSSL heartbleed vulnerability, and both Cisco and BlackBerry have found that a variety of their products contain a vulnerable version of the software
The Other Side of Heartbleed — Client Vulnerabilities(Internet Storm Center) We're getting reports of client applications that are vulnerable to the heartbleed issue. Just as with server applications, these client applications are dependent on vulnerable versions of OpenSSL
Heartbleed Bug—Mobile Apps are Affected Too(TrendLabs Security Intelligence Blog) The severity of the Heartbleed bug has led countless websites and servers scrambling to address the issue. And with good reason—a test conducted on Github showed that more than 600 of the top 10,000 sites (based on Alexa rankings) were vulnerable. At the time of the scanning, some of the affected sites included Yahoo, Flickr, OKCupid, Rolling Stone, and Ars Technica
Heartbleed Explained(Critical Watch) Vulnerability in OpenSSL handling of the SSL heartbeat request that triggers a buffer over-read, resulting in confidential information being disclosed
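The over-read described above comes down to one missing bounds check: the heartbeat handler trusted the peer-supplied payload length instead of comparing it with the number of bytes actually received. The following is an added illustration written for this digest, not code from OpenSSL or from Critical Watch; it uses a simplified heartbeat layout (type, 2-byte length, payload, 16 bytes of padding, as in RFC 6520) and hypothetical function names (`hb_process_vulnerable`, `hb_process_fixed`). The demo arena is a constructed byte sequence in which a short record is followed by a "secret" so the copy stays inside a buffer we own; it shows how the unchecked version echoes adjacent memory while the checked version discards the request.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simplified heartbeat message (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 * Everything below is a constructed illustration, not OpenSSL's implementation. */
#define HB_HEADER_LEN 3
#define HB_MIN_PADDING 16

typedef struct {
    int accepted;        /* 1 if a response would be built, 0 if the request was dropped */
    size_t bytes_echoed; /* number of bytes copied from the record into the response */
} hb_result;

/* Vulnerable shape: trusts the peer-controlled payload_length field and copies
 * that many bytes from the record, regardless of how many bytes were received. */
hb_result hb_process_vulnerable(const uint8_t *record, size_t record_len,
                                uint8_t *out, size_t out_cap)
{
    hb_result r = {0, 0};
    if (record_len < HB_HEADER_LEN) return r;
    size_t payload_len = ((size_t)record[1] << 8) | record[2];
    if (payload_len > out_cap) return r;          /* only protects the output buffer */
    /* BUG: no check that payload_len fits inside record_len, so the copy reads
       past the end of the record and into whatever memory happens to follow. */
    memcpy(out, record + HB_HEADER_LEN, payload_len);
    r.accepted = 1;
    r.bytes_echoed = payload_len;
    return r;
}

/* Hardened shape: validate the claimed length against the bytes actually
 * received (header + payload + minimum padding) before touching the payload,
 * and silently discard anything that does not fit. */
hb_result hb_process_fixed(const uint8_t *record, size_t record_len,
                           uint8_t *out, size_t out_cap)
{
    hb_result r = {0, 0};
    if (record_len < HB_HEADER_LEN + HB_MIN_PADDING) return r;
    size_t payload_len = ((size_t)record[1] << 8) | record[2];
    if (HB_HEADER_LEN + payload_len + HB_MIN_PADDING > record_len) return r;
    if (payload_len > out_cap) return r;
    memcpy(out, record + HB_HEADER_LEN, payload_len);
    r.accepted = 1;
    r.bytes_echoed = payload_len;
    return r;
}

/* Constructed demo arena: a 20-byte record (1-byte payload, 16 bytes padding)
 * whose length field claims 20 payload bytes, followed by 6 bytes that belong
 * to "adjacent memory" and must never be sent to the peer. */
static const uint8_t demo_arena[] = {
    0x01, 0x00, 0x14,                          /* type=request, claimed payload_length=20 */
    'A',                                       /* the single real payload byte */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,           /* 16 bytes of padding */
    'S','E','C','R','E','T'                    /* adjacent memory, not part of the record */
};
#define DEMO_RECORD_LEN (HB_HEADER_LEN + 1 + HB_MIN_PADDING)   /* 20 bytes actually received */

/* Number of bytes from beyond the real record that each version would echo back. */
size_t demo_leaked_bytes(int use_fixed)
{
    uint8_t out[64] = {0};
    hb_result r = use_fixed
        ? hb_process_fixed(demo_arena, DEMO_RECORD_LEN, out, sizeof out)
        : hb_process_vulnerable(demo_arena, DEMO_RECORD_LEN, out, sizeof out);
    if (!r.accepted) return 0;
    size_t real = DEMO_RECORD_LEN - HB_HEADER_LEN;   /* 17 bytes of genuine payload+padding */
    return r.bytes_echoed > real ? r.bytes_echoed - real : 0;
}

/* Sanity check that the hardened version still answers a well-formed request. */
size_t demo_valid_request_echoed(void)
{
    /* Constructed valid record: length field says 1, and 1 + 16 padding bytes follow. */
    uint8_t rec[DEMO_RECORD_LEN] = { 0x01, 0x00, 0x01, 'A' };
    uint8_t out[64] = {0};
    hb_result r = hb_process_fixed(rec, sizeof rec, out, sizeof out);
    return r.accepted ? r.bytes_echoed : 0;
}

int main(void)
{
    printf("unchecked handler leaks %zu adjacent bytes\n", demo_leaked_bytes(0));
    printf("checked handler leaks %zu adjacent bytes\n", demo_leaked_bytes(1));
    printf("checked handler echoes %zu byte(s) for a valid request\n", demo_valid_request_echoed());
    return 0;
}
```

The point for reviewers is the single comparison in `hb_process_fixed`: any length that arrives from the network is untrusted until it has been checked against the bytes actually in hand, and a malformed request is dropped rather than answered.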
The Heartbleed Bug: Cutting Through the Noise(Cyveillance) As a trusted security partner, our phones have been blowing up the past 24 hours with clients calling to ask us about the Heartbleed bug found in the OpenSSL library. It's been all over the news, and some of the brightest security minds out there are throwing around really scary words like "catastrophic" and "doomsday". We've been delving into the details the last few days, and working in cooperation with our friends at Codenomicon, the security vendor that discovered the bug
Heartbleed Bug: What Can You Do?(Krebs on Security) In the wake of widespread media coverage of the Internet security debacle known as the Heartbleed bug, many readers are understandably anxious to know what they can do to protect themselves. Here's a short primer
The Heartbleed genie is out of the bottle — now what?(ComputerWeekly) The Heartbleed vulnerability in OpenSSL has been recognised as a major blow for internet security and open source development. But the first thing businesses need to do is verify whether their version of OpenSSL is affected
How Heartbleed Broke the Internet — And Why It Can Happen Again(Wired) Stephen Henson is responsible for the tiny piece of software code that rocked the internet earlier this week. The key moment arrived at about 11 o'clock on New Year's Eve, 2011. With 2012 just minutes away, Henson received the code from Robin Seggelmann, a respected academic who's an expert in internet protocols. Henson reviewed the code — an update for a critical internet security protocol called OpenSSL — and by the time his fellow Britons were ringing in the New Year, he had added it to a software repository used by sites across the web
Heartbleed: Examining The Impact(Dark Reading) With Heartbleed, there's little hope of knowing if an asset was breached, if a breach can be identified, or what, if any, data was leaked. Here's how to defend against future attacks
High-earners are three times more likely to be victims of identity fraud(Quartz) If you live in North America or Europe and are paid over $85,000 a year, you are three times more likely to be defrauded than those who earn less, according to Trustev, an online anti-fraud company. A salary of $85,000 is hardly enough to qualify someone as rich in those countries, but in the United States it would put you in the top quartile of earners (top 6% if you're single) and far above the national average or median wage
ATMs on Windows XP: How Risky Is It?(eSecurity Planet) Microsoft has ended official support for Windows XP. What does that mean for the security of the world's ATMs, most of which run XP?
Security Patches, Mitigations, and Software Updates
Cisco finds 13 products (so far) vulnerable to Heartbleed—including phones(Ars Technica) Cisco has issued a security bulletin for customers about the Heartbleed bug in the OpenSSL cryptography code, and it's not about Web servers. So far, the company has unearthed 11 products and 2 services susceptible to attack through the vulnerability, which can be used to retrieve random bits of content from an attacked device's memory. Cisco's IOS XE operating system for network hardware is one of the higher-profile products on the company's list
Iran to rival China in cyber war on west(The Australian) Iran and Syria are emerging as powers to be reckoned with in global cyber warfare, with hackers in Tehran especially posing an ever-increasing threat, experts have warned
M-Trends® 2014: Beyond the Breach(Mandiant: A FireEye Company) Mandiant's annual threat report, reveals key insights, statistics and case studies illustrating how the tools and tactics of advanced persistent threat (APT) actors have evolved over the last year. The report, compiled from hundreds of Mandiant incident response investigations in more than 30 industry sectors, also includes approaches that organizations can take to improve the way they detect, respond to, and contain advanced attacks
Security Threats: Risk's Often Neglected Step Child(SecurityWeek) According to Gartner ("Security and Risk Management Scenario Planning, 2020"), by 2020, 30% of global 2000 companies will have been directly compromised by an independent group of cyber activists or cyber criminals. This prediction is not surprising, considering the fact that leading risk indicators are difficult to identify when the organization's cyber foes, including their strategy, competences, and actions, are unknown. In turn, many organizations still focus on control gaps and vulnerabilities when performing risk assessments and neglect taking threats into account. This can lead to inaccurate prioritization of remediation actions and inefficient allocation of resources
Why CFOs Must Lead the Discussion on Cyber Security(CFO Global) Early this year, Target was in the midst of controversy as a cyber security breach leaked the private information of its online consumers. Now, Target CFO John Mulligan must testify before Congress and discuss the details of online customer information theft. An estimated 40 million credit card numbers were stolen alongside the contact information for over 70 million people. When the breach went public, Target spent an estimated $61 million on damage control, fixing the breach, and securing the website from future attacks
LTE: The need for speed opens up security potholes(FierceITSecurity) Mobile operators' deployment of high-speed 4G LTE networks has opened the door to security threats because of vulnerabilities inherent in the all IP architecture, warns Stephane Teral, principal analyst for mobile infrastructure and carrier economics at Infonetics Research
An introduction to cyber liability insurance cover(ComputerWeekly) For years, security professionals have been saying "either you have been data breached or you just do not know that you have been data breached." Data breaches are now a fact of life together with taxes and death, but how can businesses better manage the risks related to a data breach and reduce the significant cost that can result from them? One of the options is to buy insurance
AEGIS London launches Next generation of cyber insurance product(Insurance Business Review) Lloyd's of London insurer AEGIS London has rolled out a new breed of cyber insurance product following a major study of the evolution of cyber risk in the energy sector and its impact on so-called critical infrastructure businesses
ESET Focused on Growing Presence in Indian Market(Parda Phash) ESET, a global provider of security solutions for businesses and consumers, is focusing on growing its presence in the Indian market. The Federation of Indian Chambers of Commerce and Industry (FICCI) recently conducted the India-Central Europe Business Forum on 27-28 March in New Delhi, the first in the series. This business forum was focused on promoting multifaceted industry engagement with highly promising Central European economies including Slovakia
Palo Alto Networks® Completes Acquisition of Cyvera(MarketWatch) Palo Alto Networks® (PANW) today announced it has completed its acquisition of Cyvera Ltd., a privately held cybersecurity company located in Tel-Aviv, Israel. Originally announced on March 24, 2014, Palo Alto Networks acquired Cyvera for an aggregate purchase price of approximately $200 million
Lunarline Narrows Search for New Facility to Support its Rapid Growth(Broadway World) Lunarline Inc, a Service Disabled Veteran Owned Small Business and one of the country's leading cyber security companies, announced today that it has narrowed its search for a new security operations facility to Kettering, Ohio though the company is still considering other locations
Symantec simulation could be a recruiting tool(FCW) Symantec has been hosting cyber-readiness simulations for a couple of years, but this week's event in Washington, D.C., was the first the firm has held for federal executives with a workforce shortage in mind
Products, Services, and Solutions
Your phone has Heartbleed? Lookout's Detector app can tell(Android Authority) Following this week's discovery of the serious Heartbleed bug in OpenSSL, mobile security company Lookout released an Android tool that will help users detect the presence of the security vulnerability on their Android devices
What is a Threat Intelligence Platform(ThreatConnect News) Last week, Anton Chuvakin from Gartner wrote a blog about what he is calling an Intelligence Management Platform. He includes some thoughts by Facebook on how they are building their own platform. He alludes to non-public sources and I'm sure ThreatConnect™ is one, so rather than keep you all in suspense, I thought this would be an opportune time for ThreatConnect to say what we think a Threat Intelligence Platform is
Protect your device from malicious ads(CNET) The chances of encountering a malware-bearing ad on your phone or tablet are increasing. But blocking ads on mobile is neither easy nor very effective. Here's a better approach to ad-blocking on your device
Heartbleed: Making The Case For SDN(InformationWeek) Software-defined networking technology could help protect against vulnerabilities like Heartbleed. It's time to develop a more mature SDN option
Turning the Tables: Using Evasion Tactics to Help Prevent Malware Infection(SecurityWeek) Sandboxing is a relatively new trend in malware analysis. It allows companies, such as antivirus vendors, to execute malicious malware in an environment where it can't do any real damage. By watching what the executable does, security researchers can identify whether the software is malicious or if it's a legitimate application users genuinely want to install. For example, if an unknown application is executed in the sandbox and is observed sending passwords to a random website in a foreign country, the executable is likely malware. If no such observations are made, then it's "probably" goodware
Securing Passwords with Bcrypt Hashing Function(Hacker News) Passwords are the first line of defense against cyber criminals. They are the most vital secret of every activity we do over the internet and also a final check to get into any of your user accounts, whether it is your bank account, email account, shopping cart account or any other account you have
Beat it, bloatware: How to clean the crap off your PC(PCWorld) Boot up a new PC for the first time, and you should be able to watch it fly. Instead, it may sputter and struggle to get off the ground, thanks to all the preinstalled junk that vendors habitually dump onto new PCs
Design and Innovation
Government-Run Competitions Should Be About Markets, Not Prizes(Nextgov) Running a prize competition in government or industry is about "understanding where the market's going in 10 years and trying to make it go there in three years," Christopher Frangione, vice president for prize development at the X Prize Foundation, told members of Congress on Wednesday
CDX pits NSA hackers against service academies(FCW) A low-slung building in a suburban office park might seem an unlikely setting for military war games, but that's exactly what's taking place at the Columbia, Md., outpost of the Parsons Corporation
Blowing the Whistle at Your Agency May Have Just Gotten Easier(Government Executive) Federal whistleblowers will soon have new allies on Capitol Hill. Sen. Chuck Grassley, R-Iowa, announced Thursday he will create the Senate Whistleblower Caucus to ensure protections for federal employees exposing wrongdoing at their agencies are being enforced
Goodlatte: NSA reform can't dodge Judiciary Committee(Politico) House Judiciary Committee Chairman Bob Goodlatte (R-Va.) declared Thursday that he'll fight any effort to move National Security Agency surveillance reform legislation to the House floor without going through his panel
Top U.S. lawmaker: intelligence top priority in defense bill(Reuters via the Chicago Tribune) The chairman of the U.S. House Armed Services Committee said on Thursday that intelligence, surveillance and reconnaissance capabilities would be top priorities as the panel puts together this year's massive defense policy bill
HHS pushes state agencies to share data(FierceGovernmentIT ) Information sharing since 9/11 has been associated mostly with intelligence and counterterrorism. But the Health and Human Services Department is also trying to bring together information dispersed across the numerous state systems used for HHS-funded programs
Menendez Slams 'Dumb' Criticisms of Obama's Secret Social Media Program in Cuba(Foreign Policy) The chairman of the Senate Foreign Relations Committee on Thursday tore into critics of a controversial U.S.-backed social media program in Cuba. The program, created by the U.S. Agency for International Development and run with the help of American contractors, established a Twitter-like social media site on the Communist island called ZunZuneo but was shuttered after two years with little to show for it
Super-cyber Turkey in Syberia(Hurriyet Daily News) Jamie Shea, NATO's deputy assistant secretary general for emerging security challenges, once said: "One hundred twenty countries currently have or are developing offensive cyber-attack capabilities which are now viewed as the fifth dimension of warfare after space, sea, land and space." The Turks took that very seriously — well, at least the idea. Last June, the Turkish government launched the Center for Response to National Cyber Threats. Earlier, the Turkish military headquarters had formed a Cyber Warfare Command
Can Malaysia handle cyber attacks?(Free Malaysia Today) Cyber security is a growing concern worldwide. Hacking is rampant and the threat is real to any nation, for its implications can be far-reaching
NSA subverted EU privacy laws, spied on human rights orgs(Help Net Security) In testimony delivered by video-link from Moscow, NSA whistleblower Edward Snowden has revealed to EU parliamentarians that the US NSA is actively spying on human rights organizations such as UNICEF and Amnesty International
The Snowden Saga: 10 Key Questions Regarding His National-Security Disclosures(Vanity Fair) In the 10 months since The Guardian and The Washington Post published the first disclosures based on documents leaked by Edward Snowden, a vigorous debate about the National Security Agency's aggressive intelligence-gathering activities has erupted. An in-depth account of Snowden's journey from N.S.A. contractor to world-famous whistle-blower, published in the May issue of Vanity Fair, injects a much-needed dose of humanity into the conversation, showing how Snowden's experiences shaped his decisions. But it's also worth examining the key questions that concerned citizens in America and around the world have been asking ever since the sheer scope of the N.S.A.'s efforts became clear. Ahead, VF Daily addresses 10 such questions, with input from Snowden's legal representative, Ben Wizner, the director of the American Civil Liberties Union's Speech, Privacy & Technology Project
Ukraine Boasts of Rounding Up Russian Spies. Will Washington Notice?(Foreign Policy) To hear Ukraine tell it, you'd think their fledgling new government is full of crack spy hunters rooting out every Russian mole and agitator from Kiev to Kharkiv. Ukraine's main security agency, the SBU, has been keeping a running tally of all the Russian provocateurs who've been discovered or captured in the past month. The list includes an alleged "espionage ring of the military intelligence of the Russian Federation," a Russian and three Ukrainians who were preparing to hand over computer hard drives to Russia's security service, and a Russian woman attempting to "destabilize the situation in the southern regions of Ukraine." An SBU Web site shows what appears to be the woman's social media page, where she poses in combat fatigues while sporting an assault rifle
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
2014 Computer Security Day(Eugene, Oregon, USA, April 11, 2014) The Fourth Computer Security Day at the University of Oregon will feature a slate of distinguished speakers from academia, industry, and government, discussing current challenges and future opportunities...
Women in Cybersecurity Conference(Nashville, Tennessee, USA, April 11 - 12, 2014) WiCyS is an effort to bring together women (students/faculty/researchers/professionals) in cybersecurity from academia, research and industry for sharing of knowledge/experience, networking and mentoring.
NSA Procurement in today's business arena(Elkridge, Maryland, USA, April 16, 2014) An opportunity to gain inside perspective on market trends in NSA Procurement. The guest speaker will be William Reybold, National Security Agency's Deputy Senior Acquisition Executive (SAE), who manages...
East Africa Banking and ICT Summit(Kampala, Uganda, April 25, 2014) The global event series for Banking and ICT Summit enters its third year. The summit will continue to provide delegates with technical & practical sessions, lectures and showcase for banking and ICT innovations,...
InfoSecIndy(Indianapolis, Indiana, USA, April 26 - 27, 2014) Join us on April 26-27, 2014 in Indianapolis, Indiana for the premier Midwest Information Security and Digital Forensics Conference.
cybergamut Technical Tuesday: Malware Reverse Engineering(Columbia, Maryland, USA, May 6, 2014) An introduction to the tools, workflows, and tricks of the trade to attack sophisticated malware by Dale Robson of CyberPoint. Industry standard cyber security products do a good job in blocking and defending...
STEM Café(Geneva, Illinois, USA, May 6, 2014) At the next STEM Café, Raimund Ege, associate professor in NIU's Department of Computer Science, will lead a lively discussion on how computer crime affects our everyday lives and what we can do to protect...
US Secret Service Cybersecurity Awareness Day(Washington, DC, May 8, 2014) This Cybersecurity event will be the first of its kind at the USSS. There will be 2-3 opportunities for participating companies to present a 1/2 hour presentation on a Cybersecurity topic of concern to...
HackMiami 2014(Miami Beach, Florida, USA, May 9 - 11, 2014) The HackMiami 2014 Hackers Conference seeks to bring together the brightest minds within the information security industry and the digital underground. This conference will showcase cutting edge tools,...
ISPEC 2014(Fujian, China, May 12 - 14, 2014) The ISPEC conference series is an established forum that brings together researchers and practitioners to provide a confluence of new information security technologies, including their applications and...
GovSec 2014(Washington, DC, USA, May 13 - 14, 2014) GovSec is the nation's premier event for Government, Homeland Security, and Law Enforcement professionals looking for proven strategies and cost effective technology so they can achieve their mission of...
CyberWest(Phoenix, Arizona, USA, May 13 - 14, 2014) Cyber threats affect all industry sectors and impact individuals, businesses and governments. From hacktivists to advanced persistent threats, conducting business on-line exposes individuals, corporations...