The US Department of Homeland Security warns hackers are scanning networks looking for Heartbleed holes. The Department is also investigating rumors that Heartbleed has already been used to attack encrypted communications of industrial control systems (the rumors are, it is stressed, unconfirmed).
CloudFlare believed late last week there was reason to think that private keys would prove inaccessible through Heartbleed, and so sensibly set up a public challenge to test the hypothesis. They found, contrary to expectations, that private keys were indeed accessible, and that the vulnerability is thus more dangerous than feared. It's also proving difficult to patch, as fixes often turn out to have undesirable (and cascading) collateral effects.
Bloomberg reported late Friday that the US NSA knew about, and exploited, Heartbleed for some time before the vulnerability was discovered and disclosed by Codenomicon researchers. The Office of the Director of National Intelligence and the White House categorically deny the claim.
Germany's DLR aerospace research center has come under sustained, persistent cyber attack. There's no attribution yet, but Deutsche Welle reports the Chinese government is suspected.
Israeli cyber vigilantes seek to out hacktivists responsible for attacks on Israel's networks and Websites. (They claim most attacks come from Malaysia and Indonesia.)
Anonymous woofs "OpSafeEdu," in which the hacktivists will redress (by attacks on schools) the many ills schools inflict on students.
The US Administration announces that its policy is one of "bias toward [zero-day] disclosure" (absent a national-security reason to exploit such zero-days).
Nigeria opens a cyber-crime enforcement unit.
Today's issue includes events affecting Algeria, Canada, China, Finland, Germany, Indonesia, Israel, Italy, Malaysia, Nigeria, Portugal, Saudi Arabia, Switzerland, United Kingdom, United States.
The Results of the CloudFlare Challenge(CloudFlare) Earlier today we announced the Heartbleed Challenge. We set up an nginx server with a vulnerable version of OpenSSL and challenged the community to steal its private key. The world was up to the task: two people independently retrieved private keys using the Heartbleed exploit
Bloody Cert Certified(Dan Kaminsky's Blog) Oh, Information Disclosure vulnerabilities. Truly the Rodney Dangerfield of vulns, people never quite know what their impact is going to be. With Memory Corruption, we've basically accepted that a sufficiently skilled attacker always has enough degrees of freedom to at least unreliably achieve arbitrary code execution (and from there, by the way, to leak arbitrary information like private keys). With Information Disclosure, even the straight up finder of Heartbleed has his doubts
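The CloudFlare result and Kaminsky's point above, as an added example that is not part of this briefing and is not CloudFlare's or OpenSSL's code: a toy Python model of the heartbeat over-read beside the bounds check the fix adds, followed by the scan the challenge winners used, sliding a prime-sized window over the leaked bytes and testing whether it divides the public modulus. The heap layout, the filler bytes and cookie, and the Mersenne-prime key are all constructed for the demo; a real 2048-bit key has 128-byte primes, which is the window size an attacker would use against it.

```python
"""Toy model of the Heartbleed over-read (CVE-2014-0160) and of recovering an RSA
private key from the leaked bytes, the way the CloudFlare challenge was won.

Everything here is constructed for illustration: the 'heap' is a bytes object with
the attacker's heartbeat record at the front, followed by unrelated data and then one
prime factor of the server's RSA modulus. The key is a toy 196-bit modulus built from
two Mersenne primes (certainly prime, and small enough to keep the demo instant);
a real 2048-bit key would have 128-byte primes. None of this is OpenSSL code.
"""
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of padding follow the payload

# Constructed filler standing in for whatever else sat next to the record buffer.
FILLER = b"GET /login HTTP/1.1\r\nCookie: session=abc123\r\n\r\n" + b"\x00" * 40


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Heartbeat request: type(1) | payload_length(2) | payload | padding.
    claimed_len is whatever the sender writes into the length field."""
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * MIN_PADDING


def heartbeat_vulnerable(heap: bytes, record_len: int) -> bytes:
    """Pre-patch logic: trust payload_length and copy that many bytes starting at the
    payload, so a large claimed length reads past the record into adjacent memory."""
    _, claimed_len = struct.unpack("!BH", heap[:3])
    return struct.pack("!BH", HB_RESPONSE, claimed_len) + heap[3:3 + claimed_len]


def heartbeat_fixed(heap: bytes, record_len: int):
    """Patched logic: drop the record unless type, length, payload and 16 bytes of
    padding all fit inside the record that was actually received."""
    _, claimed_len = struct.unpack("!BH", heap[:3])
    if 1 + 2 + claimed_len + MIN_PADDING > record_len:
        return None  # silently discarded, as in the OpenSSL fix
    return struct.pack("!BH", HB_RESPONSE, claimed_len) + heap[3:3 + claimed_len]


def find_rsa_factor(leak: bytes, n: int, prime_len: int):
    """Slide a prime_len-byte window over the leak and test whether it divides n.
    OpenSSL keeps BIGNUM limbs least-significant-first, so on a little-endian host
    a prime appears as little-endian bytes; both orders are tried to be safe."""
    for off in range(len(leak) - prime_len + 1):
        window = leak[off:off + prime_len]
        for order in ("little", "big"):
            v = int.from_bytes(window, order)
            if 1 < v < n and n % v == 0:
                return v, off, order
    return None


def demo():
    p, q = 2 ** 89 - 1, 2 ** 107 - 1   # Mersenne primes: toy key, not a real one
    n = p * q
    prime_len = (p.bit_length() + 7) // 8  # 12 bytes here; 128 for a 2048-bit key

    # Attacker's record: 5 real payload bytes, but a length field claiming 65535.
    evil = build_heartbeat(b"hello", claimed_len=0xFFFF)
    heap = evil + FILLER + p.to_bytes(prime_len, "little") + b"\x00" * 64

    response = heartbeat_vulnerable(heap, len(evil))
    leaked = response[3:]                 # everything after the echoed header
    factor = find_rsa_factor(leaked, n, prime_len)

    return {
        "leaked_bytes": len(leaked),
        "leaked_cookie": b"session=abc123" in leaked,
        "factor": factor,
        "q_recovered": n // factor[0] if factor else None,
        "fixed_drops_evil": heartbeat_fixed(heap, len(evil)) is None,
    }


if __name__ == "__main__":
    print(demo())
```

Each request returns at most 64 KB, and in the real challenge it took many requests before a prime happened to sit in the leaked region; the scan is cheap because a factor of N is trivially recognised once it appears, which is why an information disclosure that "only" reads memory is enough to hand over the key.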
"Heartbleed" — would 2FA have helped?(Naked Security) You won't have missed the "Heartbleed" bug. Recent versions of OpenSSL — in fact, versions available for two years — have a buffer overflow vulnerability that can cause data leakage
Reverse Heartbleed Testing(Internet Storm Center) I wanted to know if the tools/software I execute regularly are vulnerable to scraping my system memory. Now the reverse heartbleed scenario is very possible, but the likelihood seems to be much more of a non-issue
Heartbleed: What is the impact on health IT?(FierceHealthIT) When it comes to maintaining the safety of health information technology and patient data, encryption is almost always one of the first recommendations made by security experts
A Cloud-Connected Car Is a Hackable Car, Worries Microsoft(IEEE Spectrum) Way back in the 1980s I watched my computer-geek friend manipulate the hot-rolling process of his client's steel mill in Cleveland in real time—from his home. I wondered whether millions of dollars and dozens of lives might be destroyed should this great power somehow fall into the wrong hands. "Yes," he explained. That's the difference between hacking a physical rather than a virtual entity
Bulletin (SB14-104) Vulnerability Summary for the Week of April 7, 2014(US-CERT) The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information
Security Patches, Mitigations, and Software Updates
Vendors address the Heartbleed bug(Help Net Security) Which products and services are affected by the Heartbleed bug in OpenSSL? Vendors have started issuing security advisories telling users which of their products are safe and which will have to be updated
Three Questions for Eugene Kaspersky(MIT Technology Review) It's only a matter of time before more cyberweapons emerge, says the founder of the Moscow-based computer security firm Kaspersky
As companies grow, managing risks gets more complex(CSO) Davi Ottenheimer says security is still an afterthought when it comes to Big Data. Size matters when it comes to security, according to Davi Ottenheimer. Ottenheimer, senior director of trust at EMC, titled his presentation at SOURCE Boston Wednesday, "Delivering Security at Big Data Scale," and began with the premise that, "as things get larger, a lot of our assumptions break"
HHS CISO on Healthcare Cybersecurity(HealthcareInfoSecurity) Kevin Charest Discusses Cyberdrill, Threats and HealthCare.gov. Many healthcare organizations need to improve their basic cybersecurity "blocking and tackling," and most also need to improve their willingness to share cyber-security information, says Kevin Charest, chief information security officer at the U.S. Department of Health and Human Services
Inadequate 'Internet of Things' Security Puts Our Lives at Risk(International Business Times) Even pacemakers and insulin pumps are now connected, meaning failure to adequately test them could leave them vulnerable to cyber-attack. Security vulnerabilities in devices which we do not typically think of as connected are often not fixed, in some cases leaving users' lives at risk
Rogue IT Driven By Need For Speed(InformationWeek) We've lost control to business users before. But this time, the thing that initiated our pain (the cloud) may also be the cure
Advanced attackers go undetected for 229 days(Help Net Security) A new FireEye report details the tactics used by threat actors to compromise organizations and steal data. It also highlights emerging global threat actors, their suspected motives, as well as the types of targets and information they are after
The state of remote access security(Help Net Security) At the end of 2013, HOB conducted a survey of more than 200 CIOs and CTOs in the U.S. The survey quantified the trends and challenges IT decision makers experience when implementing remote access solutions and revealed that remote access solutions are still gaining momentum, despite the associated security risks
Most cloud services are putting businesses at risk(Help Net Security) A new Skyhigh Networks report analyzes usage data from more than one million users across more than 40 companies spanning the financial services, healthcare, high technology, manufacturing, media, and professional service industries to quantify the use of cloud services and the security risk that they pose to enterprises
Why collaboration is the only way to combat cyber threats(TechTarget) Cyber threats are now the most effective way to attack an organisation and the fact is that those with malicious intent are finding ever more sophisticated ways of carrying out their activities. According to the Bank of England's Financial Stability Report, 25% of banks perceive cyber attack as a major risk
Inside jobs — the security risks from the rise in temporary staff(TechTarget) One feature of recent economic times has been the rise in temporary staff. According to the Chartered Institute of Personnel and Development (CIPD), 29% of new recruits in the UK are employed on a temporary basis. Their numbers and their range of responsibilities are growing rapidly. While there are many sound management reasons for doing so, this is leaving companies vulnerable to a new kind of fraud — executive-level impersonation
Huawei Tries to Overcome 'Fear of Huawei'(EE Times) For the past few years, Cisco Systems and other telecom hardware manufacturers have been successful at convincing American businesses, telecoms, and government agencies to stay away from Huawei and ZTE products for fear of industrial and communications espionage by Chinese organizations and authorities. So far the market share of Huawei products in the United States has dropped to a record low of 5%
DB Networks Honored as 'Hot Companies' Finalist(CIO Today) DB Networks, an innovator of behavioral analysis in database security, today announced that Network Products Guide, the industry's leading information security research and advisory guide, has named the DB Networks IDS-6300 as a finalist in the 9th Annual Hot Companies and Best Products Awards Program for the Security Hardware Awards category
nPulse Technologies Named Finalist for CBIC 2014 Award(Broadway World) nPulse Technologies today announced that Charlottesville Business Innovation Council (CBIC) has named the company's Capture Probe eXtreme (CPX) 4.0 appliance as a finalist for the annual CBIC awards. CPX 4.0, an ultrafast, multi-petabyte traffic recording and analysis platform for security operations centers (SOCs), is competing in the Breakthrough Category, which recognizes a remarkable breakthrough or a quantum advance in a currently existing solution
APT Management Software provides real-time visibility(Thomasnet) Available on WatchGuard UTM and NGFW appliances, APT Blocker v11.9 delivers real-time threat visibility and protection in minutes. Program identifies and submits suspicious files to cloud-based sandbox using full-system-emulation environment for detecting advanced persistent threats and zero day malware
Do You Really Need to Pay for Antivirus Software?(Tom's Guide) It's a free world out there. Free maps, free navigation, free calls on the Internet, free email, free apps for smartphones — but should you trust your digital security to a free program? For Windows users, some measure of security is needed on every computer. Malware, botnets, keyloggers and viruses are daily nuisances and constant threats
Facebook wages war on Like-baiting and spammy posts(Naked Security) It's a full frontal assault on cute kittens and the Pages that pimp them out for Likes. Facebook's tweaked its algorithms to try to scrape off the clingy, whiny, needy stories published by Pages that deliberately try to game Facebook's News Feed to get more distribution than they normally would
Securing mobile applications(Help Net Security) In this interview, Dan Cornell, Principal of Denim Group, talks about the most common pitfalls of securing mobile applications, discusses the challenges involved in performing a detailed mobile application security assessment, and illustrates what future threats we can expect down the road
Thwarting Cyber-Induced External Business Disruptions(Business Solutions) Global dependence on the Internet as the backbone for conducting business is leading to a surge in malicious and sophisticated cyber attack activity aimed at interrupting or compromising these economically-critical online activities. These threats are frequently referred to as distributed denial-of-service, or DDoS, attacks
Op-Ed: UK banking cyber-attack test draws attention(Digital Journal) During the last few years, there has been increase in security issues affecting stock markets and investors. Cyber criminals now pose a larger threat to corporate and personal information
UTSA cybersecurity center collaborates on $800,000 FEMA grant to create cybersecurity consortium(Phys.org) The University of Texas at San Antonio Center for Infrastructure Assurance and Security (CIAS), the University of Arkansas System's Criminal Justice Institute and the University of Memphis' Center for Information Assurance have received a three-year, $800,000 grant from the Federal Emergency Management Agency (FEMA) to help states and communities prepare for, detect and respond to cyber attacks in a consistent manner
Universities now have access to cybersecurity education(Help Net Security) (ISC)² is making its educational resources, which are updated regularly by its members and industry luminaries, available to academia to help meet the global demand for more skilled cybersecurity professionals. With nearly 100,000 members worldwide, the (ISC)² common body of knowledge (CBK) incorporates disciplines within information security, software security, forensics and healthcare
U.S. Army Compares New Hacker School To "The Birth Of The Air Force"(OhhWorld (h/t DC3 Dispatch)) Over the next three years, the U.S. Army will be filling its brand new cyber warfare institute at West Point with the best and brightest hackers it can find. Not just hackers, however: the institute will bring together psychologists, lawyers, mathematicians—anyone who can help the country win the inevitable cyber war and save America
Legislation, Policy, and Regulation
NSA Said to Exploit Heartbleed Bug for Intelligence for Years(Bloomberg) The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said
Obama Lets N.S.A. Exploit Some Internet Flaws, Officials Say(New York Times) Stepping into a heated debate within the nation's intelligence agencies, President Obama has decided that when the National Security Agency discovers major flaws in Internet security, it should — in most circumstances — reveal them to assure that they will be fixed, rather than keep mum so that the flaws can be used in espionage or cyberattacks, senior administration officials said Saturday
NSA has Obama's backing in exploiting Internet flaws?(Delhi Daily News) NSA has Obama's backing in exploiting Internet flaws? In a startling revelation, it has been claimed that US President Barack Obama allowed the National Security Agency (NSA) to exploit some major flaws in Internet security for espionage or cyber attack activities
Hunter Gross: Despite Cyber Espionage, U.S.-China Relations Are Business as Usual(Council on Foreign Relations: Asia Unbound) Just as U.S. president Barack Obama and Chinese president Xi Jinping were set to meet in The Hague, documents leaked by Edward Snowden revealed that the National Security Agency installed backdoors in the computer networks of the Chinese telecommunications firm Huawei. Despite extensive U.S. media coverage and angry reactions from Chinese news sources such as Xinhua and the Global Times, this revelation follows the pattern of previous cyber-related disclosures; the issue first flares up, and then quickly fades until the next disclosure. Why does such a divisive issue neither strain U.S.-China relations nor trigger significant actions to address the problem?
A new organization for cybersecurity across the electric grid(Bulletin of the Atomic Scientists) Cyber attacks are an increasing risk for the US electric sector and have eclipsed terrorism as the primary threat, according to the Federal Bureau of Investigation. The Industrial Control Systems Cyber Emergency Response Team responded to 256 incidents that targeted critical infrastructure sectors in fiscal year 2013, and 59 percent of those incidents involved the energy sector. A large-scale cyber attack or combined cyber and physical attack could lead to enormous costs, potentially triggering sustained power outages over large portions of the electric grid and prolonged disruptions in communications, food and water supplies, and health care delivery. Moreover, cyber threats are more difficult to anticipate and address than traditional threats to electric grid reliability, such as extreme weather
Nigeria launches emergency response to cyber security(Africatime) The Nigerian government Tuesday launched a Computer Emergency Readiness and Response Team (CERRT.ng) Ecosystem, aimed at providing support in responding to computer, network and related cyber security incidents
Litigation, Investigation, and Law Enforcement
Edward Snowden the 'traitor' looms over Pulitzers(NDTV) Hero or traitor? America is still polarised over Edward Snowden and whether the newspapers that exposed the extent of National Security Agency's vast global spying network should be lauded or condemned
Hacker Weev Free After Appeal(InformationWeek) Andrew "Weev" Auernheimer, who embarrassed AT&T by exposing a security flaw, had his conviction overturned by federal appeals court
IRS plays-up identity theft, fraud fight(CSO) While tax return fraud seems to have hit epidemic proportions, the Internal Revenue Service today said it has started more than 200 new investigations this filing season into identity theft and refund fraud schemes
ORR school officials grilled on cyberattack(South Coast Today) Tri-town selectmen had some hard questions for ORR school officials about a 2011 cyber attack on an Old Rochester Regional School District bank account that still has $34,000 unaccounted for
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
NSA Procurement in today's business arena(Elkridge, Maryland, USA, April 16, 2014) An opportunity to gain inside perspective on market trends in NSA Procurement. The guest speaker will be William Reybold, National Security Agency's Deputy Senior Acquisition Executive (SAE), who manages...
Suits and Spooks San Francisco(date not listed) S3+: Surveillance, Security, Sovereignty and other Critical Issues. Not another hacker conference. Suits and Spooks is a unique gathering of experts, executives, operators, and policymakers who discuss...
US News STEM Solutions: National Leadership Conference(location and date not listed) The STEM crisis in the United States demands solutions—and nowhere is the search more concentrated than at U.S. News STEM Solutions. Now in its third year, this premier national leadership conference is...
East Africa Banking and ICT Summit(Kampala, Uganda, April 25, 2014) The global event series for Banking and ICT Summit enters its third year. The summit will continue to provide delegates with technical & practical sessions, lectures and showcase for banking and ICT innovations,...
InfoSecIndy(Indianapolis, Indiana, USA, April 26 - 27, 2014) Join us on April 26-27, 2014 in Indianapolis, Indiana for the premier Midwest Information Security and Digital Forensics Conference.
United States Cyber Crime Conference 2014(location and date not listed) This is the only event of its kind that provides both hands-on digital forensics training and an interactive forum for cyber professionals to network. The conference covers the full spectrum of topics...
Infosecurity Europe 2014(location and date not listed) Infosecurity Europe is Europe's number one Information Security event. Featuring over 350 exhibitors, the most diverse range of new products and services, an unrivalled education programme and over 12,000...