We lead with links to three informative Heartbleed overviews: what it is, how it was discovered, and what its larger implications are.
Among those implications is, now, exploitation in the wild. Canada's tax service suspended web operations and extended filing deadlines after hackers extracted taxpayer information through Heartbleed holes. The bug is also blamed for a data breach in British parenting site Mumsnet. Other victims are widely expected to turn up at any time, and the problem isn't confined to servers: Android devices, for example, are also vulnerable, as are at least forty-eight cloud apps. Analysts discern Heartbleed exposure in virtual private networks and (attention Tor users) the Deep Web.
A thoughtful article in CIO reflects on Heartbleed and raises an important issue: "If our checks and balances are so fragile that a typo can obliterate all meaningful security, we have some fundamental things to fix."
The SANS Internet Storm Center sounds a rare optimistic Heartbleed note: IT teams are aware of the vulnerability and are taking appropriate action. Patches and mitigations continue to roll out (though Akamai had to recall its initial patch). VMware alone plans twenty-seven patches this week.
Cyber threat information sharing advances on at least three fronts: agriculture (with collaboration planned among the AFBF, Monsanto, DuPont, and John Deere), retail, and the electrical grid.
Privacy tools Tails (an anonymity-focused live operating system) and DuckDuckGo (a search engine that does not track users) receive consumers' attention.
The first phase of the TrueCrypt audit is encouraging: no major issues found.
US officials deny that the NSA knew of or exploited Heartbleed before its public disclosure. US DNI Clapper calls for inter-security-agency transparency.
Today's issue includes events affecting Brunei, Burma, Cambodia, Canada, China, Estonia, Georgia, Germany, India, Indonesia, Israel, Italy, Laos, Malaysia, Netherlands, Philippines, Romania, Singapore, Thailand, Ukraine, United Arab Emirates, United Kingdom, United States, and Vietnam.
Cyber Attacks, Threats, and Vulnerabilities
The Heartbleed Bug(Heartbleed Bug (h/t Bruce Schneier)) The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs)
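The item above describes what the bug lets an attacker steal but not why. The defect is a missing bounds check in the TLS heartbeat extension (RFC 6520): a heartbeat request carries a two-byte payload length that the vulnerable code trusted when building the reply, so a request declaring 65,535 bytes but carrying only a few caused the server to copy whatever lay beyond the record in process memory into the reply. The following C program is an added, deliberately simplified reconstruction of that pattern, not OpenSSL's own code: it parses a constructed heartbeat record from a buffer in which the bytes after the record stand in for adjacent heap data, and contrasts the unchecked copy with the check that the fix introduced (declared payload plus header and minimum padding must fit inside the received record). The record bytes, the "secret" string and the function names are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520):
 *   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes)
 */
#define HB_TYPE_REQUEST 1
#define HB_MIN_PADDING  16

/* Constructed stand-in for sensitive data that happens to sit after the
 * record in the same allocation. Not real key material. */
static const char SECRET[] = "SESSION-KEY-0xDEADBEEF";

/* Reconstructed vulnerable behaviour: the declared payload length is
 * trusted and never compared with the length of the record actually
 * received. `mem` is the whole simulated allocation so that the over-read
 * stays inside memory this demo owns; a real server reads adjacent heap.
 * Returns the number of bytes copied into `out`. */
static size_t heartbeat_reply_vulnerable(const uint8_t *mem, size_t mem_len,
                                         uint8_t *out, size_t out_cap)
{
    if (mem_len < 3) return 0;
    uint16_t payload_len = (uint16_t)((mem[1] << 8) | mem[2]);
    size_t n = payload_len;                 /* attacker-controlled */
    if (n > out_cap) n = out_cap;
    if (3 + n > mem_len) n = mem_len - 3;   /* keeps the demo itself memory-safe */
    memcpy(out, mem + 3, n);                /* copies past the end of the record */
    return n;
}

/* Fixed behaviour: discard any request whose declared payload, plus the
 * 3-byte header and 16 bytes of minimum padding, exceeds the record. */
static size_t heartbeat_reply_fixed(const uint8_t *rec, size_t record_len,
                                    uint8_t *out, size_t out_cap)
{
    if (record_len < 1 + 2 + HB_MIN_PADDING) return 0;
    if (rec[0] != HB_TYPE_REQUEST) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload_len + HB_MIN_PADDING > record_len) return 0;
    if (payload_len > out_cap) return 0;
    memcpy(out, rec + 3, payload_len);
    return payload_len;
}

/* Builds the simulated memory (malicious record followed by SECRET), runs
 * both parsers and reports whether the vulnerable reply leaked SECRET.
 * Reply lengths are returned through the out-parameters. */
int heartbleed_demo(size_t *vuln_len, size_t *fixed_len)
{
    uint8_t mem[64] = {0};
    static uint8_t out[65535];

    /* Constructed malicious request: declares 0xFFFF bytes, carries "hi". */
    mem[0] = HB_TYPE_REQUEST;
    mem[1] = 0xFF;
    mem[2] = 0xFF;
    mem[3] = 'h';
    mem[4] = 'i';
    size_t record_len = 1 + 2 + 2 + HB_MIN_PADDING;        /* 21 bytes on the wire */
    memcpy(mem + record_len, SECRET, sizeof SECRET);        /* "adjacent heap" */
    size_t mem_len = record_len + sizeof SECRET;

    *vuln_len = heartbeat_reply_vulnerable(mem, mem_len, out, sizeof out);
    /* SECRET starts at record_len in mem, so at record_len - 3 in the reply. */
    size_t off = record_len - 3;
    int leaked = *vuln_len >= off + strlen(SECRET) &&
                 memcmp(out + off, SECRET, strlen(SECRET)) == 0;

    *fixed_len = heartbeat_reply_fixed(mem, record_len, out, sizeof out);
    return leaked;
}

int main(void)
{
    size_t v, f;
    int leaked = heartbleed_demo(&v, &f);
    printf("vulnerable reply: %zu bytes, secret leaked: %s\n", v, leaked ? "yes" : "no");
    printf("fixed reply:      %zu bytes (request discarded)\n", f);
    return 0;
}
```

The check in `heartbeat_reply_fixed` is the whole fix: one comparison between the attacker's declared length and the length the TLS record layer actually delivered. Note that the vulnerable path is not an overflow but an over-read, which is why it leaves no crash and no log entry, and why the SANS item below can only report on patching rather than on detected exploitation.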
Heartbleed disclosure timeline: who knew what and when(Sydney Morning Herald) Who knew about Heartbleed first? We detail the timeline. Ever since the "Heartbleed" flaw in the encryption library OpenSSL was made public on April 7 in the US there have been various questions about who knew what and when
How Heartbleed Happened, The NSA And Proof Heartbleed Can Do Real Damage(Forbes) Last week during the Heartbleed chaos I wrote two articles, one outlining how to stay safe and the other explaining what heartbleed actually is. As we enter this week it is clear that we are far from out of the woods, indeed I will shortly explain why Heartbleed is going to be around for some time to come, but now that a great deal of patching and password re-setting has occurred it seems like a good time to reflect on a few of the recent revelations
US government warns over Heartbleed hacker attempts(ITPro) The US government has warned businesses to be on alert for hackers seeking to steal data exposed by the "Heartbleed" bug, as a German programmer took responsibility for the widespread security crisis
Heartbleed Impacting the Deep Web?(Trend Micro Simply Security) News of this week's massive and far reaching OpenSSL vulnerability "Heartbleed" has put all of us on our heels. In what I would call the equivalent of an Internet oil spill, individuals and organizations are scrambling to discover how to clean up this mess and get on with business as usual. This will not be trivial or a quick fix. I say this with conviction as I personally know the challenges of keeping large amounts of highly complex infrastructure patched and secure to support both revenue and critical business operations
Heartbleed Poses Risk to Clients and the Internet of Things(Symantec Connect) While most of the focus on Heartbleed has been on vulnerable public websites, the bug affects much more than this. While most popular sites are no longer vulnerable, this does not mean that end-users can drop their guard
Heartbleed Especially Risky for SMBs(eSecurity Planet) Enterprises with IT security staffs should find it easy to implement the patch for the Heartbleed vulnerability. But small companies may struggle to protect their websites and customers, experts say
9 expert opinions on the 'Heartbleed Bug'(SC Magazine) Considered one of the most significant internet security vulnerabilities to date — affecting websites, emails, direct messages and other communications utilizing SSL/TLS encryption — the 'Heartbleed Bug' quickly made headlines around the world. Security experts have plenty to say about the vulnerability, and we've compiled the opinions of some of them in this slideshow
Crimeware Helps File Fraudulent Tax Returns(Krebs on Security) Many companies believe that if they protect their intellectual property and customers' information, they've done a decent job of safeguarding their crown jewels from attackers. But in an increasingly common scheme, cybercriminals are targeting the Human Resources departments at compromised organizations and rapidly filing fraudulent federal tax returns on all employees
Arbitrary Code Execution Bug in Android Reader(Threatpost) The Android variety of Adobe Reader reportedly contains a vulnerability that could give an attacker the ability to execute arbitrary code on devices running Google's mobile operating system
Threats in the Cloud — Part 2: Distributed Denial of Service Attacks(Microsoft Security Blog) Organizations that operate or use Internet connected services such as websites, portals and Cloud services need to be aware of threats that can disrupt service. In the first part of this series I discussed Domain Name System (DNS) attacks and their potential to disrupt services and infect large volumes of users with malware. This article discusses Distributed Denial of Service (DDoS) attacks using insights from the latest volume of the Microsoft Security Intelligence Report
VFW Hacked(eSecurity Planet) A hacker believed to be from China accessed 55,000 VFW members' names, addresses and Social Security numbers
Security Patches, Mitigations, and Software Updates
INFOCon Green: Heartbleed — on the mend(Internet Storm Center) We are going back to INFOCon Green today. Things have stabilized and the INFOCon is used to indicate change. Awareness of Heartbleed is well saturated and Internet teams everywhere appear to be responding appropriately
Farm machines harvest Big Data, reap privacy worries(Ag Professional) Steps away from a replica of the revolutionary 1837 steel plow at tractor company John Deere's headquarters sits a combine as big as a tank and packed with computer wizardry that harvests huge volumes of valuable data as it gathers crops
U.S. retailers to share cyber threat data after Target attack(Reuters via the Chicago Tribune) U.S. retailers are planning to form an industry group for collecting and sharing intelligence about cyber security threats in a bid to prevent future attacks in the wake of last year's big attack on Target Corp
Electric Grid Safety Hinges on Partnership and Information Sharing(infosec island) Electric utilities have been focused on improving the safety and reliability of the complex and dynamic electric grid for years, testified Sue Kelly, president and CEO of the American Public Power Association (Public Power) at a Senate Energy and Natural Resources Committee hearing today. Kelly testified on behalf of investor-owned, cooperatively owned, and publicly owned utilities, as well as independent generators and Canadian utilities. The industry's top priority is to protect critical power infrastructure from cyber and physical threats by partnering with all levels of government and sharing critical information, she said
Big data is not about petabytes, but complex computing(FierceBigData) You've heard me and several others repeatedly say that the term big data is unfortunate because it's really not about the size of the data, but about the complexity of the computing. In other words, big data tools are not contained to usage where there are petabytes of data. Those tools are useful with just about any sized data if you're doing complex computing with it. Here's why
Chinese Military Increases Scope of Cyberattacks on the US(Epoch Times) After several major cyberattacks were traced to the Chinese military in February 2013, hackers in China's People's Liberation Army (PLA) have not only continued their attacks against the United States, but they are attacking on an even larger scale, and with greater frequency
Protecting Your Company's Reputation in a Heartbleed World(Forbes) The Heartbleed vulnerability claimed its first known victim: at least 900 Canadian taxpayers, who had their personal data compromised in the middle of tax season. Canada's tax agency made the announcement today, after temporarily shutting down its online access last Wednesday to deal with the vulnerability
UAE Telecommunications Regulatory Authority & Huawei to Outline Vision for National Broadband Networks(Zawya) With the rapid advancement of information & communication technologies (ICT) ushering in a new era of digital connectivity across the region, Huawei—a leading global ICT solutions provider—in association with the UAE Telecommunications Regulatory Authority (TRA) have confirmed plans to host the UAE's first Huawei Broader Way Forum 2014, examining how national broadband initiatives are expected to transform the region's socio-economic landscape in the years ahead. The full-day conference will take place on April 29, 2014, at the Radisson Blu Royal Hotel in Dubai, UAE
Luring The Elusive Cyber Security Pro(InformationWeek) Struggling to find scarce IT security talent? Make sure your hiring managers understand the certifications and match candidates for skills fit — not just credentials
Is Imperva's Guidance an Indication to Avoid Cyber-Security Stocks?(The Motley Fool) In a rather ugly Thursday for the broader market, shares of Imperva (NYSE: IMPV) were particularly crushed following disappointing guidance. The security software vendor lost nearly half of its valuation, and in the process affected the stock prices of peers like Palo Alto Networks, FireEye (NASDAQ: FEYE), Fortinet (NASDAQ: FTNT), and Proofpoint. Yet, given this performance, combined with that of the last month, are these losses overdone, or are they just getting warmed up
Products, Services, and Solutions
These Sites Tell Which Of Your Accounts Have Been Hacked(Forbes) Heartbleed, the massive flaw in web encryption recently made public, is just one of the unending stream of vulnerabilities that enables hackers to steal personal details and passwords from companies with which you do business
DuckDuckGo is the Anonymous Alternative to Google(PhoenixTS) Google rules the world, but what about the other search engines? Do you know about ixquick, Alhea, Contenko, Dogpile, blekko, or DuckDuckGo? Do you have the time to create your own search engine with Yacy?
Out in the Open: Inside the Operating System Edward Snowden Used to Evade the NSA(Wired) When NSA whistle-blower Edward Snowden first emailed Glenn Greenwald, he insisted on using email encryption software called PGP for all communications. But this month, we learned that Snowden used another technology to keep his communications out of the NSA's prying eyes. It's called Tails. And naturally, nobody knows exactly who created it
Open Source Software Is the Worst Kind Except for All of the Others(CircleID) Heartbleed, for anyone who doesn't read the papers, is a serious bug in the popular OpenSSL security library. Its effects are particularly bad, because OpenSSL is so popular, used to implement the secure bit of https: secure web sites on many of the most popular web servers such as apache, nginx, and lighttpd
How to keep your tax return safe from the Heartbleed bug(Quartz) Looking for a silver lining in the mess stirred up by the discovery of a major flaw in the software used by many internet sites to encrypt your passwords and other private data? Good news: The so-called "Heartbleed" bug has delayed tax day. But only if you're Canadian
Inside a Cyber Emergency Kit(Wall Street Journal) From "zero day exploits" and "ransomware" to "end of life" and "insider threats," cyber attackers are constantly coming up with new ways to attack systems, and also are finding new systems to attack
Detecting criminal organizations in mobile phone networks(ScienceDirect) The study of criminal networks using traces from heterogeneous communication media is acquiring increasing importance in nowadays society. The usage of communication media such as phone calls and online social networks leaves digital traces in the form of metadata that can be used for this type of analysis
Why nobody can tell whether the world's biggest quantum computer is a quantum computer(Quartz) For the past several years, a Canadian company called D-Wave Systems has been selling what it says is the largest quantum computer ever built. D-Wave's clients include Lockheed Martin, NASA, the US National Security Agency, and Google, each of which paid somewhere between $10 million and $15 million for the thing. As a result, D-Wave has won itself millions in funding and vast amounts of press coverage—including, two months ago, the cover of Time
Former NSA head to speak at Norwich commencement(Burlington Free Press) The man in charge of the National Security Agency while it secretly monitored the communications of foreign leaders and millions of Americans will be the 2014 commencement speaker at Norwich University, the school announced Monday
Stay Classy, BU: Maintaining Professionalism in an Online World(The Quad) The idea of a work-life balance isn't a new concept (but if you've never heard of it, check out this awesome TED Talk). It's the age-old question that every worker asks at some point in their career: how do I balance the demands of my personal life with the demands of my professional life?
Northrop Grumman Engineering Competition Encourages Students to Focus on Science and Technology Careers(MarketWatch) Students from Antelope Valley area high schools proved on April 5 that imagination and dedication can ignite innovation. Competing in the annual Northrop Grumman High School Innovation Challenge (HSIC), the students took on an engineering problem with limited budget, resources and time. The challenge is modeled each year after a current Northrop Grumman program or engineering capability
Did the NSA know about Heartbleed all along?(Christian Science Monitor) The National Security Agency hasn't exactly been in the Internet's good graces following revelations about its extensive surveillance efforts, and a new report says the agency knew about the Heartbleed bug before everyone else, but kept it secret for its own use. How likely is the claim?
Trove of Software Flaws Used by U.S. Spies at Risk(Bloomberg BusinessWeek) Two people familiar with the matter said that the agency was aware of the flaw and had used it as part of the intelligence gathering toolkit, as reported by Bloomberg News last week
Heartbleed denial reveals loophole for NSA spying(ComputerWeekly) The US National Security Agency has denied it knew about or exploited the Heartbleed security flaw, but government officials have revealed a loophole that would allow such actions
Heartbleed Suspicion And NSA Denial Show Why NSA's Dual Offense/Defensive Role Must End(TechDirt) We've talked for a while how dangerous and ridiculous it is that the NSA has a dual role as both handling "offensive" attacks and (supposedly) stopping incoming attacks in a "defensive" role. While technically, the NSA is supposed to be handling the "defensive" side while the US Cyber Command handles the offensive, there is no real separation between the two. The US Cyber Command is headquartered within the NSA and is run by the same person. Despite multiple recommendations to split the roles, the White House refuses to do so. Meanwhile, the NSA itself has been doing more and more offensive work anyway
The Policy Tension on Zero-Days Will Not Go Away(Lawfare) The proposition that NSA should under no circumstances stockpile zero-day vulnerabilities, but should in all cases disclose them in order to perfect defenses, apparently has appeal in some quarters. It is based on at least two false assumptions
Amerigroup data discovered in a suspect's possession — may affect 74,000 others(HackSurfer) Law enforcement in Florida was searching a suspect's car when they found printed screenshots of 183 clients' info, including "full name, social security number, date of birth, [and] city and state of residence." Investigation of the potential source revealed that over 74,000 additional records may have also been compromised
General denies clemency in Manning case(Politico) Turning aside calls for clemency, an Army general has approved the 35-year prison sentence imposed on Pfc. Chelsea (Bradley) Manning for a massive leak of military and diplomatic data to Wikileaks, the Army announced Monday
FBI Arrests Trio For Microsoft Xbox Hacking(The Smoking Gun) A group of alleged hackers has been charged with breaking into the computer systems of the U.S Army, Microsoft, and several other firms to steal pre-release copies of popular video games like "Call of Duty," simulation software for Apache attack helicopter pilots, and confidential data that was used to create counterfeit versions of the Xbox gaming system, The Smoking Gun has learned
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
NSA Procurement in today's business arena(Elkridge, Maryland, USA, April 16, 2014) An opportunity to gain inside perspective on market trends in NSA Procurement. The guest speaker will be William Reybold, National Security Agency's Deputy Senior Acquisition Executive (SAE), who manages...
East Africa Banking and ICT Summit(Kampala, Uganda, April 25, 2014) The global event series for Banking and ICT Summit enters its third year. The summit will continue to provide delegates with technical & practical sessions, lectures and showcase for banking and ICT innovations,...
InfoSecIndy(Indianapolis, Indiana, USA, April 26 - 27, 2014) Join us on April 26-27, 2014 in Indianapolis, Indiana for the premier Midwest Information Security and Digital Forensics Conference.
cybergamut Technical Tuesday: Malware Reverse Engineering(Columbia, Maryland, USA, May 6, 2014) An introduction to the tools, workflows, and tricks of the trade to attack sophisticated malware by Dale Robson of CyberPoint. Industry standard cyber security products do a good job in blocking and defending...
STEM Café(Geneva, Illinois, USA, May 6, 2014) At the next STEM Café, Raimund Ege, associate professor in NIU's Department of Computer Science, will lead a lively discussion on how computer crime affects our everyday lives and what we can do to protect...
US Secret Service Cybersecurity Awareness Day(Washington, DC, May 8, 2014) This Cybersecurity event will be the first of its kind at the USSS. There will be 2-3 opportunities for participating companies to present a 1/2 hour presentation on a Cybersecurity topic of concern to...
HackMiami 2014(Miami Beach, Florida, USA, May 9 - 11, 2014) The HackMiami 2014 Hackers Conference seeks to bring together the brightest minds within the information security industry and the digital underground. This conference will showcase cutting edge tools,...
ISPEC 2014(Fujian, China, May 12 - 14, 2014) The ISPEC conference series is an established forum that brings together researchers and practitioners to provide a confluence of new information security technologies, including their applications and...
GovSec 2014(Washington, DC, USA, May 13 - 14, 2014) GovSec is the nation's premier event for Government, Homeland Security, and Law Enforcement professionals looking for proven strategies and cost effective technology so they can achieve their mission of...
CyberWest(Phoenix, Arizona, USA, May 13 - 14, 2014) Cyber threats affect all industry sectors and impact individuals, businesses and governments. From hacktivists to advanced persistent threats, conducting business on-line exposes individuals, corporations...
FOSE Conference(Washington, DC, USA, May 13 - 15, 2014) Spend 1 day or 3 days at the FOSE conference and leave with actionable information, covering a broad spectrum of trending topics including: Cybersecurity, Cloud and Virtualization, Mobile Government,...
Fraud Summit(Chicago, Illinois, USA, May 14, 2014) From account takeover to payment card fraud and the emerging mobile threatscape, the ISMG Fraud Summit series is where thought-leaders meet to exchange insights on today's top schemes and the technology...