Daily briefing.

The Voice of America looks at the possibility of large-scale cyber war prompted by Russian incursions into Ukraine.

Cyber vandalism is among the minor aftershocks of Algeria's elections.

Most sites have patched the Heartbleed vulnerability, but it remains a lingering if diminishing risk. Investment News polls eight major financial firms. Seven of them report no risk; only one recommends a password change. The fledgling US Healthcare.gov site, on the other hand, warns its users to change their login credentials. FireEye's Mandiant unit discloses a bit more about an exploit it discovered in the wild late last week: it's said to have affected the virtual private network of an unnamed "major" company known for its "sophisticated attack detection systems." Cyber criminals will continue to squeeze the last drops of opportunity from Heartbleed as long as they're there to be had.

Dark Reading offers a useful overview of the pluses and minuses of password managers.

Network Time Protocol (NTP) amplification proves an easy-to-use denial-of-service method.

Avast reports a WordPress plugin vulnerability that particularly affects mobile visitors.

An Android Trojan being sold on the black market is designed to bypass banks' two-factor authentication.

Security experts talk compliance and see too much human intervention for too little security payoff.

In the US, the Department of Homeland Security gets privacy praise from the ACLU.

Presidential intelligence panel members Clarke and Swire weigh in on whether security services ought to stockpile or disclose vulnerabilities. (They advocate disclosure.)

Snowden's interview with Putin gets tepid reviews from journalists.

Notes.

Today's issue includes events affecting Algeria, Bahrain, Brazil, Egypt, European Union, Jordan, Republic of Korea, Kuwait, Lebanon, Malaysia, Oman, Qatar, Russia, Saudi Arabia, Turkey, Ukraine, United Arab Emirates, United States.

Today we're pleased to offer a CyberWire exclusive interview with Philip Quade, Chief Operating Officer of the Information Assurance Directorate, US National Security Agency. He discusses "Getting Inside the Adversary's OODA Loop: Automation and Information Sharing for Cyber Defense."

Cyber Attacks, Threats, and Vulnerabilities

Russia-Ukraine Crisis Could Trigger Cyber War (Voice of America) On the day Crimeans voted in a referendum in March on secession from Ukraine, hackers from a group calling itself the "Cyber Berkut" pelted NATO websites with online nuisance attacks designed to knock the pages offline

Hackers target Algerian president in Oman state news agency attack (Arabian Business) An investigation has been launched after Oman's state news agency was targeted by cyber attackers and used to send "inaccurate news" about newly re-elected Algerian president Abdelaziz Bouteflika

Heartbleed maliciously exploited to hack network with multifactor authentication (Ars Technica) In-the-wild VPN attack using Heartbleed underscores real-world threat of bug. Demonstrating yet another way the catastrophic Heartbleed vulnerability threatens users, malicious hackers were able to exploit the bug to successfully bypass multifactor authentication and fraud detection on an organization's virtual private network (VPN), security researchers said

8 Heartbleed responses from financial firms (Investment News) Advisers and financial services firms have been scrambling to avert any potential damage from the "Heartbleed" cybersecurity bug that threatens millions of web users

Heartbleed Means Healthcare.gov Users Must Reset Passwords (Nextgov) Federal officials are telling Obamacare website account holders to reset their passwords, following revelations of a bug that could allow hackers to steal data

Poll: Dark Reading Community Acts On Heartbleed (Dark Reading) Roughly 60 percent of respondents to our flash poll have installed the Heartbeat fix or are in the process of doing so

Heartbleed Bug Bit Before Patches Were Put in Place (IEEE Spectrum) It's been a little less than a month since the Heartbleed bug was discovered and less than two weeks since the public was informed about it. The bug is a "trivial" programming error made in early 2012 and discovered by Google in March that non-trivially affects the OpenSSL (secure socket layer) cryptographic software library

Criminals try to cash in on 'Heartbleed' bug (Boston Globe) As Internet users worldwide race to guard their computers against the potentially devastating Heartbleed security breach, criminals are moving just as quickly to exploit it

Heartbleed: A Password Manager Reality Check (Dark Reading) Is a password manager an effective defense against vulnerabilities like Heartbleed, or just another way to lose data to hackers?

RedHack Hackers Target Aktif Bank over Controversial e-Ticketing System (Softpedia) Members of the hacktivist collective RedHack claim to have breached into the systems of Aktif Bank, Turkey's largest privately owned investment bank. The attack comes just as the bank introduced a controversial e-ticketing system for soccer (football) fans

Easy-to-Use NTP Amplification Emerges as Common DDoS Attack Vector (eWeek) Reflection attacks using the Network Time Protocol surge in the first quarter, as attackers shift to bandwidth-clogging floods of data

WordPress plugin vulnerability puts mobile visitors at risk (Avast Blog) Today one of our colleagues came into our office and said, "Hey guys, I've been infected." I thought to myself, yeah, how bad can this be? After a bit of digging we found the results were worth it; it turned out to be a really "interesting" case of mobile redirected threats localized for each country

Android Malware Repurposed to Thwart Two-factor Authentication (InfoSecurity Magazine) A malicious mobile application for Android that offers a range of espionage functions has now gone on sale in underground forums with a new trick: it's being used by several banking trojans in an attempt to bypass the two-factor authentication method used by a range of financial institutions

Beware of clever phishing scam that bypasses Steam Guard (Help Net Security) Malwarebytes' Chris Boyd is warning owners of Steam accounts about a relatively new phishing approach that goes after both their account login credentials and a file that allows them to bypass the entering of the Steam Guard verification code

3M payment cards compromised in Michaels Stores/Aaron Brothers breach (Help Net Security) In the wake of the highly publicized Target and Neiman Marcus breaches, Texas-based arts and crafts store chain Michaels has stated in January that it has been targeted by cyber crooks that were after their customers' payment card data

Don't share your location with your friends on WhatsApp (Naked Security) A group of budding security researchers at the University of New Haven (UNH) in Connecticut, USA, recently taught themselves a handy lesson about the difference between liking something and trusting it

Bulletin (SB14-111) Vulnerability Summary for the Week of April 14, 2014 (US-CERT) The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information

Security Patches, Mitigations, and Software Updates

Most but not all sites have fixed Heartbleed flaw (ComputerWorld) Web's top-1,000 sites are immune to exploit but 2% of the top 1 million have yet to patch the problem

Windows XP security update with bug error causes havoc (V3) An update to Microsoft's anti-malware software for Windows XP has caused systems to crash in the latest issue for those running the ageing platform

Microsoft corrects Windows XP/Security Essentials bug (ZDNet) A bad update caused users of many Microsoft security products, not just Security Essentials, to experience "interrupted service". The latest update fixes the problem

Cyber Trends

Next target for cyber hackers could be your smart TV, says anti-virus chief (Telegraph) The chief executive of global IT security business Kaspersky Lab says financial services firms now have most to fear from criminals

Experts Worry About Future of Critical Infrastructure Security (Threatpost) The problem of critical infrastructure security has become a key issue in the last few years, as high-profile attacks such as Stuxnet and others have grabbed headlines and alerted politicians and others to the weaknesses facing these vital systems. It's an issue that Eugene Kaspersky has been thinking about for a long time, and isn't sure that the organizations running these systems are any closer to addressing these threats than they were several years ago

Internet of Things, Boon for Manufacturers (Product and Service Advantage) It's planting season and a farmer in the Midwest is busy at work, but he's not in the field — he's working from a digital operations center on his tablet computer. Meanwhile, one of his tractors is running low on diesel. No problem. The tank has already notified the supplier it needs a refill

Will the Internet of Things become the Internet of Broken Things? (ComputerWorld) Cisco Systems estimates that the number of devices connected to the Internet will reach 50 billion by 2020. This brings promise for users, corporations and vendors but also a major challenge: What happens if this Internet of Things (IoT), all 50 billion of them, morphs into the Internet of broken things?

IT security is national security — but you're not alone (Network World) Managing the danger of cyberattacks has to involve all parts of an enterprise, speakers tell a Kaspersky conference

How the cyber threat landscape is evolving — Comodo security [Q&A] (Beta News) In recent years the threats faced by both individuals and businesses have changed thanks to the adoption of new technologies like the cloud, a shift towards social engineering attacks, BYOD and more. We spoke to Egemen Tas, vice president of engineering for leading certificate authority and security software provider Comodo to get his view on current threats

Organizations remain vulnerable to SQL injection attacks (Help Net Security) Privacy and information security research firm Ponemon Institute, along with DB Networks, an innovator of behavioral analysis in database security, today announced the results of the Ponemon Institute's first-of-its-kind SQL injection threat study

Compliance is no guarantee of security (Help Net Security) The regulatory landscape is constantly evolving. For example tougher new EU data protection laws are scheduled to come into effect over the next year or two. These new regulations will result in non-compliant firms being fined €100m or up to five per cent of global turnover — whichever is the higher. Last year there were 2,164 incidents of data loss. According to a report by Risk Based Security and the Open Security Foundation 72% involved external attackers while 25% were classified as internal incidents, although the latter were attributed mainly to human error and accidents rather than malicious intent

10 Big Ideas in Digital Security (PC Magazine) From Snowden to Heartbleed, security is arguably the biggest tech story of the year. But what's the real story, and what's just hype? Here's what the experts are saying, thinking, and fearing. It wasn't long ago that security news meant obscure vulnerabilities and viruses spreading across desktop computers. But now people everywhere are worried about snooping government agencies, Heartbleed letting their personal data loose on the Web, and rising mobile threats. Heck, the coverage of Edward Snowden's leaks about the National Security Agency's domestic spying efforts netted Pulitzer Prizes this year. As our lives become more focused around digital devices and the Internet, more people are getting worried about security, and rightly so. The question is, what are the real issues—and what's just flavor-of-the-month hype from the mainstream media?

Security pros largely unhappy with compliance methods (Help Net Security) Despite the fact that 63% consider regulatory compliance to be "very important", a new Osterman study shows a low satisfaction level with current methods of managing compliance. Only 13% are very satisfied with the current methods they use

Security Policies Hampered by Limited Visibility, Manual Processes (eWeek) Almost 20 percent of respondents raised the issue of poor communication among key stakeholders across development, security and operations groups

Firewall Policy Management Evolves To Security Policy Orchestration (Forbes) As networks have grown and network security device deployments have skyrocketed, it has become much more difficult to manage the policies that go along with those devices

Cyber security a must for telcos, banks (Free Malaysia Today) Banks, telecommunications and government portals in Malaysia must ramp up efforts in adopting advanced and effective cyber-defence capabilities to protect against espionage and fraud

Marketplace

Cambridge security software startup Threat Stack raises $2.7M (Boston Business Journal) Cambridge startup Threat Stack, a TechStars alum offering security software aimed at the cloud, has raised $2.7 million in funding, according to a U.S. Securities and Exchange Commission filing

FireHost Secures $25 Million in Series E Funding (Talkin' Cloud) FireHost, a managed cloud infrastructure-as-a-service (IaaS) provider, has received $25 million in Series E funding led by private investment firm The Stephens Group. According to a press release, FireHost plans to use the funds to extend its brand awareness, product development and sales

Why Splunk Is A Good Buy For The Long Run (Guru Focus) As traffic over the Internet increases, the demand for traffic analysis arises by the organization that enables them in decision making and planning. Web analytics software resolves most of the traffic analysis requirement for an individual or organizations. Splunk (SPLK) is one such company that provides operation intelligence software solution that comprises of analytics and security solutions at an enterprise level

Security innovator Finjan returns as security investor (Times of Israel) California-based company, itself a pioneer in the cyber field, sees Israel as the source of new tech successes

The Upshot of 'Heartbleed'? Jobs (Newswise) Higher than average job growth expected in cybersecurity and information assurance

Homeland Defense Advisory Firm Taps Into Demand for Market Intelligence (National Defense) The homeland security business is mind-boggling, for both buyers and sellers. Agencies need products but may not know where to find them. And sellers have trouble locating customers in the maze of federal, state and local agencies that are responsible for homeland defense

Products, Services, and Solutions

Netcraft tool flags websites affected by Heartbleed (PCWorld) Worried about how the Heartbleed vulnerability may affect your personal accounts? A new tool may be of help

ZoneAlarm Extreme Security review: antivirus that lives up to its name (PCWorld) Extreme Security offers top-tier protection but lacks the cross-platform and mobile support that are becoming common in similar suites

ESET launches secure authentication SDK (Help Net Security) ESET launched the ESET Secure Authentication Software Development Kit (SDK). With this release, ESET provides system architects with a comprehensive developer guide in three mainstream programming languages to add two-factor authentication (2FA) protection to nearly any system that requires protection

emt and Catbird offer security products for virtualisation (Zawya) New range for specialised security solutions for virtualisation from Catbird to feed the growing demand for secure virtualisation in Middle East

Technologies, Techniques, and Standards

Even the most secure cloud storage may not be so secure, study finds (NetworkSecurity) Johns Hopkins researchers question 'zero-knowledge' policies

PCI DSS — What's new in v3.0? (Naked Security) If the Payment Card Industry Data Security Standard (PCI DSS) applies to your business you should also know that it has been updated

Understanding What Constitutes Your Attack Surface (Tripwire) Put simply, your attack surface is the sum of your security risk exposure. Put another way, it is the aggregate of all known, unknown and potential vulnerabilities and controls across all software, hardware, firmware and networks. A smaller attack surface can help make your organization less exploitable, reducing risk

Questioning Information Security — You are only as good as your questions (Life at 6700') Your security is only as good as the questions you ask. It is the questions that drive the search for answers. And the answer drives informed action or inaction. Anything else is a random, uninformed walk. So, as you shape your security strategy to support the innovations of the business, it is in asking good questions and creating correct answers through which effective security is achieved. No one else but the enemy will tell you the questions you should have asked and the answers you should have come up with. But by then it is too late. Because they told you by running all over your system

Heartbleed: A chance to talk to kids about guarding online personal information (Trend Micro: Internet Safety) In the last week or so, there has been a lot of news around an Internet vulnerability called Heartbleed that was recently discovered. Without getting into too much technical detail, this basically caused many websites to possibly expose the personal information people submitted to those sites. This includes shopping sites, social networks, email services, music streaming services, and gaming sites, because many of the world's websites use the same technology that was impacted

Academia

Field Set for 2014 Raytheon/UTSA National Collegiate Cyber Defense Competition Championship (MarketWatch) Top 10 teams in the country meet in San Antonio to compete for the Alamo Cup

Area Cyber Security students take part in first ever Mohawk Valley Hackathon (WKTV) SUNYIT's Cyber Security and Information Systems Information Analysis Center was filled with a flurry of activity on Saturday

Learning to Code: New After-School Activity (Wall Street Journal Digits) With the advent of smartphones and handy mobile applications that help you hail a cab or find a gas station, the use of software has become more tightly intertwined with our daily lives. The success stories of some app developers have encouraged students and professionals to learn coding, the language of the future

The Sorry State Of IT Education (InformationWeek) Our profession is rife with people capable of performing procedures they've been taught, but incapable of thinking through a problem. Here's what we need to do

Legislation, Policy, and Regulation

Way to go DHS! And Shame on the Rest of You (ACLU) A very important government report on privacy and cybersecurity programs flew under the radar last week. Produced following President Obama's executive order from last February, agencies were directed to explain how they share our private information, and what they do to protect it. Overwhelmingly, agencies offered little to no information, and what they did share was discouraging. With one exception: the Department of Homeland Security (DHS)

The NSA Shouldn't Stockpile Web Glitches (Daily Beast) Members of the President's Intelligence Review Group declare that playing defense by alerting the public to hacks is the best response when situations like Heartbleed occur

Did President Obama Accept Recommendation 30? (Lawfare) Richard Clarke and Peter Swire, two of the five members of the President's Intelligence Review Group, argue at The Daily Beast that the NSA should rarely keep (as opposed to disclose, and allow patching of) software vulnerabilities, and that those rare circumstances should be decided in the White House rather than NSA. The argument basically repeats the Review Group's Recommendation 30

Activists want net neutrality, NSA spying debated at Brazil Internet conference (ComputerWorld) A campaign on the Internet is objecting to the exclusion of issues like net neutrality, the cyberweapons arms race and surveillance by the U.S. National Security Agency from the discussion paper of an Internet governance conference this week in Sao Paulo, Brazil

Gen. Franz takes over INSCOM (FCW Insider) The U.S. Army on April 17 named Maj. Gen. George J. Franz III commanding general of its Intelligence and Security Command in Ft. Belvoir, Va. INSCOM is a main Army command center for information security and has personnel in 180 locations worldwide

Litigation, Investigation, and Law Enforcement

Cyber cops: Target hackers may take years to find (AP via Yahoo! News) Secret Service investigators say they are close to gaining a full understanding of the methods hackers used to breach Target's computer systems last December

New VOICE website a resource tool for cyber crime victims (SC Magazine) A new website aimed at arming consumers with the ability to quickly report cyber crime is now available

Edward Snowden asks Vladimir Putin softball questions on surveillance (Kansas City Star) If Edward Snowden had any credibility as a fugitive former National Security Agency contractor he lost it this week when he asked Russian President Vladimir Putin softball questions about whether the communist country conducts mass surveillance on its citizens as the United States does

Here's What Putin Didn't Tell Snowden About Russia's Spying (WAMC) "Does Russia intercept, store or analyze in any way the communications of millions of individuals?" former National Security Agency contractor Edward Snowden asked Russian President Vladimir Putin on Thursday

Edward Snowden on his Putin TV appearance: 'Why all the criticism?' (The Register) Denies Q&A cameo was meant to slam US, big-up Russia

Snowden reporter promises more NSA revelations are coming (The Hill) One of the reporters honored with a Pulitzer Prize last week for his reports on National Security Agency surveillance on Sunday promised further revelations

Snowden Email Provider Remains in Contempt (Courthouse News Service) The former email provider of National Security Agency leaker Edward Snowden should be held in contempt for trying to keep its metadata out of the government's hands, the 4th Circuit ruled

Three Self-Described Anonymous Hackers Arrested in South Korea (eSecurity Planet) The three have been charged with threatening to launch cyber attacks against the Korean government

For a complete running list of events, please visit the Event Tracker on the CyberWire website.

Upcoming Events

East Africa Banking and ICT Summit (Kampala, Uganda, April 25, 2014) The global event series for Banking and ICT Summit enters its third year. The summit will continue to provide delegates with technical & practical sessions, lectures and showcase for banking and ICT innovations,...

InfoSecIndy (Indianapolis, Indiana, USA, April 26 - 27, 2014) Join us on April 26-27, 2014 in Indianapolis, Indiana for the premier Midwest Information Security and Digital Forensics Conference.

cybergamut Technical Tuesday: Malware Reverse Engineering (Columbia, Maryland, USA, May 6, 2014) An introduction to the tools, workflows, and tricks of the trade to attack sophisticated malware by Dale Robson of CyberPoint. Industry standard cyber security products do a good job in blocking and defending...

STEM Café (Geneva, Illinois, USA, May 6, 2014) At the next STEM Café, Raimund Ege, associate professor in NIU's Department of Computer Science, will lead a lively discussion on how computer crime affects our everyday lives and what we can do to protect...

Kirtland AFB — Cyber Security Seminar & Information Technology Expo (Albuquerque, New Mexico, USA, May 7, 2014) Join FBC and the Armed Forces Communications & Electronics Association (AFCEA)-Albuquerque Chapter for the Cyber Security Seminar & Information Technology Expo set to take place at Kirtland Air Force Base.

US Secret Service Cybersecurity Awareness Day (Washington, DC, May 8, 2014) This Cybersecurity event will be the first of its kind at the USSS. There will be 2-3 opportunities for participating companies to present a 1/2 hour presentation on a Cybersecurity topic of concern to...

HackMiami 2014 (Miami Beach, Florida, USA, May 9 - 11, 2014) The HackMiami 2014 Hackers Conference seeks to bring together the brightest minds within the information security industry and the digital underground. This conference will showcase cutting edge tools,...

ISPEC 2014 (Fujian, China, May 12 - 14, 2014) The ISPEC conference series is an established forum that brings together researchers and practitioners to provide a confluence of new information security technologies, including their applications and...

GovSec 2014 (Washington, DC, USA, May 13 - 14, 2014) GovSec is the nation's premier event for Government, Homeland Security, and Law Enforcement professionals looking for proven strategies and cost effective technology so they can achieve their mission of...

CyberWest (Phoenix, Arizona, USA, May 13 - 14, 2014) Cyber threats affect all industry sectors and impact individuals, businesses and governments. From hacktivists to advanced persistent threats, conducting business on-line exposes individuals, corporations...

FOSE Conference (Washington, DC, USA, May 13 - 15, 2014) Spend 1 day or 3 days at the FOSE conference and leave with actionable information, covering a broad spectrum of trending topics including: Cybersecurity, Cloud and Virtualization, Mobile Government,...

Fraud Summit (Chicago, Illinois, USA, May 14, 2014) From account takeover to payment card fraud and the emerging mobile threatscape, the ISMG Fraud Summit series is where thought-leaders meet to exchange insights on today's top schemes and the technology...
