The Voice of America looks at the possibility of large-scale cyber war prompted by Russian incursions into Ukraine.
Cyber vandalism is among the minor aftershocks of Algeria's elections.
Most sites have patched the Heartbleed vulnerability, but it remains a lingering if diminishing risk. Investment News polls eight major financial firms. Seven of them report no risk; only one recommends a password change. The fledgling US Healthcare.gov site, on the other hand, warns its users to change their login credentials. FireEye's Mandiant unit discloses a bit more about an exploit it discovered in the wild late last week: it's said to have affected the virtual private network of an unnamed "major" company known for its "sophisticated attack detection systems." Cyber criminals will continue to squeeze the last drops of opportunity from Heartbleed as long as they're there to be had.
Dark Reading offers a useful overview of the pluses and minuses of password managers.
Network Time Protocol (NTP) amplification proves an easy-to-use denial-of-service method.
Avast reports a WordPress plugin vulnerability that particularly affects mobile visitors.
An Android Trojan being sold on the black market is designed to bypass banks' two-factor authentication.
Security experts talk compliance and see too much human intervention for too little security payoff.
In the US, the Department of Homeland Security gets privacy praise from the ACLU.
Presidential intelligence panel members Clarke and Swire weigh in on whether security services ought to stockpile or disclose vulnerabilities. (They advocate disclosure.)
Snowden's interview with Putin gets tepid reviews from journalists.
Today's issue includes events affecting Algeria, Bahrain, Brazil, Egypt, European Union, Jordan, Republic of Korea, Kuwait, Lebanon, Malaysia, Oman, Qatar, Russia, Saudi Arabia, Turkey, Ukraine, United Arab Emirates, United States.
Today we're pleased to offer a CyberWire exclusive interview with Philip Quade, Chief Operating Officer of the Information Assurance Directorate, US National Security Agency. He discusses "Getting Inside the Adversary's OODA Loop: Automation and Information Sharing for Cyber Defense."
Cyber Attacks, Threats, and Vulnerabilities
Russia-Ukraine Crisis Could Trigger Cyber War (Voice of America) On the day Crimeans voted in a referendum in March on secession from Ukraine, hackers from a group calling itself the "Cyber Berkut" pelted NATO websites with online nuisance attacks designed to knock the pages offline
Heartbleed maliciously exploited to hack network with multifactor authentication (Ars Technica) In-the-wild VPN attack using Heartbleed underscores real-world threat of bug. Demonstrating yet another way the catastrophic Heartbleed vulnerability threatens users, malicious hackers were able to exploit the bug to successfully bypass multifactor authentication and fraud detection on an organization's virtual private network (VPN), security researchers said
8 Heartbleed responses from financial firms (Investment News) Advisers and financial services firms have been scrambling to avert any potential damage from the "Heartbleed" cybersecurity bug that threatens millions of web users
Heartbleed Bug Bit Before Patches Were Put in Place (IEEE Spectrum) It's been a little less than a month since the Heartbleed bug was discovered and less than two weeks since the public was informed about it. The bug is a "trivial" programming error made in early 2012 and discovered by Google in March that non-trivially affects the OpenSSL (secure socket layer) cryptographic software library
Criminals try to cash in on 'Heartbleed' bug (Boston Globe) As Internet users worldwide race to guard their computers against the potentially devastating Heartbleed security breach, criminals are moving just as quickly to exploit it
WordPress plugin vulnerability puts mobile visitors at risk (Avast Blog) Today one of our colleagues came into our office and said, "Hey guys, I've been infected." I thought to myself, yeah, how bad can this be? After a bit of digging we found the results were worth it; it turned out to be a really "interesting" case of mobile redirected threats localized for each country
Android Malware Repurposed to Thwart Two-factor Authentication (InfoSecurity Magazine) A malicious mobile application for Android that offers a range of espionage functions has now gone on sale in underground forums with a new trick: it's being used by several banking trojans in an attempt to bypass the two-factor authentication method used by a range of financial institutions
Beware of clever phishing scam that bypasses Steam Guard (Help Net Security) Malwarebytes' Chris Boyd is warning owners of Steam accounts about a relatively new phishing approach that goes after both their account login credentials and a file that allows them to bypass the entering of the Steam Guard verification code
Bulletin (SB14-111) Vulnerability Summary for the Week of April 14, 2014 (US-CERT) The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information
Security Patches, Mitigations, and Software Updates
Experts Worry About Future of Critical Infrastructure Security (Threatpost) The problem of critical infrastructure security has become a key issue in the last few years, as high-profile attacks such as Stuxnet and others have grabbed headlines and alerted politicians and others to the weaknesses facing these vital systems. It's an issue that Eugene Kaspersky has been thinking about for a long time, and he isn't sure that the organizations running these systems are any closer to addressing these threats than they were several years ago
Internet of Things, Boon for Manufacturers (Product and Service Advantage) It's planting season and a farmer in the Midwest is busy at work, but he's not in the field — he's working from a digital operations center on his tablet computer. Meanwhile, one of his tractors is running low on diesel. No problem. The tank has already notified the supplier it needs a refill
Will the Internet of Things become the Internet of Broken Things? (ComputerWorld) Cisco Systems estimates that the number of devices connected to the Internet will reach 50 billion by 2020. This brings promise for users, corporations and vendors but also a major challenge: What happens if this Internet of Things (IoT), all 50 billion of them, morphs into the Internet of broken things?
How the cyber threat landscape is evolving — Comodo security [Q&A] (Beta News) In recent years the threats faced by both individuals and businesses have changed thanks to the adoption of new technologies like the cloud, a shift towards social engineering attacks, BYOD and more. We spoke to Egemen Tas, vice president of engineering for leading certificate authority and security software provider Comodo, to get his view on current threats
Organizations remain vulnerable to SQL injection attacks (Help Net Security) Privacy and information security research firm Ponemon Institute, along with DB Networks, an innovator of behavioral analysis in database security, today announced the results of the Ponemon Institute's first-of-its-kind SQL injection threat study
Compliance is no guarantee of security (Help Net Security) The regulatory landscape is constantly evolving. For example, tougher new EU data protection laws are scheduled to come into effect over the next year or two. These new regulations will result in non-compliant firms being fined €100m or up to five per cent of global turnover — whichever is the higher. Last year there were 2,164 incidents of data loss. According to a report by Risk Based Security and the Open Security Foundation, 72% involved external attackers while 25% were classified as internal incidents, although the latter were attributed mainly to human error and accidents rather than malicious intent
10 Big Ideas in Digital Security (PC Magazine) From Snowden to Heartbleed, security is arguably the biggest tech story of the year. But what's the real story, and what's just hype? Here's what the experts are saying, thinking, and fearing. It wasn't long ago that security news meant obscure vulnerabilities and viruses spreading across desktop computers. But now people everywhere are worried about snooping government agencies, Heartbleed letting their personal data loose on the Web, and rising mobile threats. Heck, the coverage of Edward Snowden's leaks about the National Security Agency's domestic spying efforts netted Pulitzer Prizes this year. As our lives become more focused around digital devices and the Internet, more people are getting worried about security, and rightly so. The question is, what are the real issues—and what's just flavor-of-the-month hype from the mainstream media?
Security pros largely unhappy with compliance methods (Help Net Security) Despite the fact that 63% consider regulatory compliance to be "very important", a new Osterman study shows a low satisfaction level with current methods of managing compliance. Only 13% are very satisfied with the current methods they use
Cyber security a must for telcos, banks (Free Malaysia Today) Banks, telecommunications and government portals in Malaysia must ramp up efforts in adopting advanced and effective cyber-defence capabilities to protect against espionage and fraud
FireHost Secures $25 Million in Series E Funding (Talkin' Cloud) FireHost, a managed cloud infrastructure-as-a-service (IaaS) provider, has received $25 million in Series E funding led by private investment firm The Stephens Group. According to a press release, FireHost plans to use the funds to extend its brand awareness, product development and sales
Why Splunk Is A Good Buy For The Long Run (Guru Focus) As traffic over the Internet increases, the demand for traffic analysis arises by the organization that enables them in decision making and planning. Web analytics software resolves most of the traffic analysis requirement for an individual or organizations. Splunk (SPLK) is one such company that provides an operational intelligence software solution that comprises analytics and security solutions at an enterprise level
Homeland Defense Advisory Firm Taps Into Demand for Market Intelligence (National Defense) The homeland security business is mind-boggling, for both buyers and sellers. Agencies need products but may not know where to find them. And sellers have trouble locating customers in the maze of federal, state and local agencies that are responsible for homeland defense
ESET launches secure authentication SDK (Help Net Security) ESET launched the ESET Secure Authentication Software Development Kit (SDK). With this release, ESET provides system architects with a comprehensive developer guide in three mainstream programming languages to add two-factor authentication (2FA) protection to nearly any system that requires protection
PCI DSS — What's new in v3.0? (Naked Security) If the Payment Card Industry Data Security Standard (PCI DSS) applies to your business you should also know that it has been updated
Understanding What Constitutes Your Attack Surface (Tripwire) Put simply, your attack surface is the sum of your security risk exposure. Put another way, it is the aggregate of all known, unknown and potential vulnerabilities and controls across all software, hardware, firmware and networks. A smaller attack surface can help make your organization less exploitable, reducing risk
Questioning Information Security — You are only as good as your questions (Life at 6700') Your security is only as good as the questions you ask. It is the questions that drive the search for answers. And the answer drives informed action or inaction. Anything else is a random, uninformed walk. So, as you shape your security strategy to support the innovations of the business, it is in asking good questions and creating correct answers through which effective security is achieved. No one else but the enemy will tell you the questions you should have asked and the answers you should have come up with. But by then it is too late. Because they told you by running all over your system
Heartbleed: A chance to talk to kids about guarding online personal information (Trend Micro: Internet Safety) In the last week or so, there has been a lot of news around an Internet vulnerability called Heartbleed that was recently discovered. Without getting into too much technical detail, this basically caused many websites to possibly expose the personal information people submitted to those sites. This includes shopping sites, social networks, email services, music streaming services, and gaming sites, because many of the world's websites use the same technology that was impacted
Learning to Code: New After-School Activity (Wall Street Journal Digits) With the advent of smartphones and handy mobile applications that help you hail a cab or find a gas station, the use of software has become more tightly intertwined with our daily lives. The success stories of some app developers have encouraged students and professionals to learn coding, the language of the future
The Sorry State Of IT Education (InformationWeek) Our profession is rife with people capable of performing procedures they've been taught, but incapable of thinking through a problem. Here's what we need to do
Legislation, Policy, and Regulation
Way to go DHS! And Shame on the Rest of You (ACLU) A very important government report on privacy and cybersecurity programs flew under the radar last week. Produced following President Obama's executive order from last February, agencies were directed to explain how they share our private information, and what they do to protect it. Overwhelmingly, agencies offered little to no information, and what they did share was discouraging. With one exception: the Department of Homeland Security (DHS)
The NSA Shouldn't Stockpile Web Glitches (Daily Beast) Members of the President's Intelligence Review Group declare that playing defense by alerting the public to hacks is the best response when situations like Heartbleed occur
Did President Obama Accept Recommendation 30? (Lawfare) Richard Clarke and Peter Swire, two of the five members of the President's Intelligence Review Group, argue at The Daily Beast that the NSA should rarely keep (as opposed to disclose, and allow patching of) software vulnerabilities, and that those rare circumstances should be decided in the White House rather than NSA. The argument basically repeats the Review Group's Recommendation 30
Gen. Franz takes over INSCOM (FCW Insider) The U.S. Army on April 17 named Maj. Gen. George J. Franz III commanding general of its Intelligence and Security Command in Ft. Belvoir, Va. INSCOM is a main Army command center for information security and has personnel in 180 locations worldwide
Edward Snowden asks Vladimir Putin softball questions on surveillance (Kansas City Star) If Edward Snowden had any credibility as a fugitive former National Security Agency contractor he lost it this week when he asked Russian President Vladimir Putin softball questions about whether the communist country conducts mass surveillance on its citizens as the United States does
Snowden Email Provider Remains in Contempt (Courthouse News Service) The former email provider of National Security Agency leaker Edward Snowden should be held in contempt for trying to keep its metadata out of the government's hands, the 4th Circuit ruled
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
East Africa Banking and ICT Summit (Kampala, Uganda, April 25, 2014) The global event series for Banking and ICT Summit enters its third year. The summit will continue to provide delegates with technical & practical sessions, lectures and showcase for banking and ICT innovations,...
InfoSecIndy (Indianapolis, Indiana, USA, April 26 - 27, 2014) Join us on April 26-27, 2014 in Indianapolis, Indiana for the premier Midwest Information Security and Digital Forensics Conference.
cybergamut Technical Tuesday: Malware Reverse Engineering (Columbia, Maryland, USA, May 6, 2014) An introduction to the tools, workflows, and tricks of the trade to attack sophisticated malware by Dale Robson of CyberPoint. Industry standard cyber security products do a good job in blocking and defending...
STEM Café (Geneva, Illinois, USA, May 6, 2014) At the next STEM Café, Raimund Ege, associate professor in NIU's Department of Computer Science, will lead a lively discussion on how computer crime affects our everyday lives and what we can do to protect...
US Secret Service Cybersecurity Awareness Day (Washington, DC, May 8, 2014) This Cybersecurity event will be the first of its kind at the USSS. There will be 2-3 opportunities for participating companies to present a 1/2 hour presentation on a Cybersecurity topic of concern to...
HackMiami 2014 (Miami Beach, Florida, USA, May 9 - 11, 2014) The HackMiami 2014 Hackers Conference seeks to bring together the brightest minds within the information security industry and the digital underground. This conference will showcase cutting edge tools,...
ISPEC 2014 (Fujian, China, May 12 - 14, 2014) The ISPEC conference series is an established forum that brings together researchers and practitioners to provide a confluence of new information security technologies, including their applications and...
GovSec 2014 (Washington, DC, USA, May 13 - 14, 2014) GovSec is the nation's premier event for Government, Homeland Security, and Law Enforcement professionals looking for proven strategies and cost effective technology so they can achieve their mission of...
CyberWest (Phoenix, Arizona, USA, May 13 - 14, 2014) Cyber threats affect all industry sectors and impact individuals, businesses and governments. From hacktivists to advanced persistent threats, conducting business on-line exposes individuals, corporations...
FOSE Conference (Washington, DC, USA, May 13 - 15, 2014) Spend 1 day or 3 days at the FOSE conference and leave with actionable information, covering a broad spectrum of trending topics including: Cybersecurity, Cloud and Virtualization, Mobile Government,...
Fraud Summit (Chicago, Illinois, USA, May 14, 2014) From account takeover to payment card fraud and the emerging mobile threatscape, the ISMG Fraud Summit series is where thought-leaders meet to exchange insights on today's top schemes and the technology...