More low-level cyber vandalism on the Subcontinent: this time India's Bharatiya Janata Party's the target.
Ars Technica calls checking certificate revocation in browsers post-Heartbleed "futile". (ZDNet gives Chrome a lonely good grade, however, in handling revocation.) Heartbleed may require what some observers call "rehab" as opposed to simple fixing. One surprising comparison is with Y2K—ComputerWeekly forecasts a similar squeeze on available IT labor. One hopes Heartbleed is approached more realistically than was Y2K.
As businesses continue to receive warnings of their cyber risks, Verizon's Data Breach Investigations Report notes some trends. Positive: point-of-sale data breaches are trending downward. Not-so-positive: cyber espionage is up (emanating particularly from Russian-speaking regions, now more than from China), stolen passwords remain a big problem, and cyber criminals are inside businesses' defensive decision cycles.
Information sharing remains more aspirational than one would like to see, but positive signs include financial sector leadership from the Bank of England and US retailers' firm plans to stand up a threat information exchange this summer. The CyberRX attack exercise, on the other hand, shows how healthcare IT lags (unsurprisingly, given that sector's particular sensitivity to privacy).
In industry news, Parsons buys Secure Mission Solutions; Sysorex acquires AirPatrol.
Today's issue includes events affecting Australia, Belarus, China, India, Japan, Pakistan, Russia, South Africa, Ukraine, United Kingdom, United States.
We're pleased to offer another CyberWire exclusive this morning: an interview with Alejandro Mayorkas, Deputy Secretary, US Department of Homeland Security. He offers some reflections, post-SINET ITSEF, on public-private partnership for cyber defense.
Heartbleed's Never-Ending Drip, Drip, Drip (E-Commerce Times) It's going to take a while to clean up Heartbleed's bloody mess. "If history is any lesson, when Internet-scale vulnerabilities are announced that require firmware updates, we can count on a persistently vulnerable population of devices," said Easy Solutions CTO Daniel Ingevaldson. "This population may stay vulnerable for years, or until these devices become obsolete and are replaced."
Heartbleed Will Require Rehab (InformationWeek) Patches are just band-aids. Heartbleed's long-term effects will force companies to reassess how they deploy and manage technology
Datacentre lessons learnt from Heartbleed bug (ComputerWeekly) The Heartbleed bug, an OpenSSL cryptographic library flaw that allows attackers to steal sensitive information from remote servers and devices, affected nearly two-thirds of websites
Subterfuge: The Automated Man-in-the-Middle Attack Framework (Infosec Institute) Surfing the internet through untrustworthy public networks, whether wired or wireless, has been known to be risky for a long time now. We all think twice before logging into our bank account or accessing any kind of sensitive information, but what about simply browsing our favourite site?
P2P Zeus Performs Critical Update (Fortinet) P2P Zeus, a.k.a. Zbot, has evolved into a powerful bot since its discovery in 2007. It is capable of stealing infected hosts' banking information, installing other malware, and other cybercrime-related behavior. Currently, P2P Zeus supports both the UDP and TCP protocols for its various communication tasks, including peer list exchange, command-and-control (C&C) server registration, and malware binary updates
How to stop the UnFlod Baby Panda malware infecting your iPhone (Graham Cluley) Here is today's question: How can I stop the UnFlod Baby Panda malware infecting my iPhone? I've heard that the malicious app can steal the Apple ID from my iPhone, so I would like to protect it. I love questions like this, because there's a really easy answer: Don't jailbreak your iPhone in the first place
Former Australian spy boss warns on growing cyber security risks (Financial Review) The man who recently resigned after six years as the Australian government's chief electronic spy has warned that top business executives do not fully appreciate the complexity and danger of the threats they are now facing from evolving cyber security risks
DBIR: Point-of-Sale Breaches Trending Downward (Threatpost) The attention given to the Target data breach elevated concerns about point-of-sale hacks and got us reacquainted with RAM scrapers and other threats to retailers big and small. And while it's been a noteworthy highlight of the annual Verizon Data Breach Investigations Report for the past few years, the data in this year's report indicates the trend is reversing course
Stolen Passwords Used In Most Data Breaches (Dark Reading) New Verizon 2014 Data Breach Investigations Report identifies nine types of attack patterns that accounted for 93 percent of security incidents in the past decade
Getting Inside the Adversary's OODA Loop: Automation and Information Sharing for Cyber Defense (The CyberWire) The CyberWire interviewed Mr. Philip Quade, Chief Operating Officer of NSA's Information Assurance Directorate, who participated in SINET ITSEF 2014. The NSA's Information Assurance Directorate is responsible for the security of US national security systems. He shared his views on Active Cyber Defense, and how it depends upon automation and information sharing for a risk-based approach to Sensing, Sense-making, Decision-making, and Acting in cyberspace
First CyberRX simulation allows chief information security officers to practice a joint response between industry and HHS (Healthcare Informatics) On April 1, a cross-section of healthcare industry information security executives took part in the first full-day interactive simulation of an industry-wide cyber threat. During the CyberRX simulation, put on by the nonprofit Health Information Trust Alliance (HITRUST) in coordination with the U.S. Dept. of Health and Human Services, companies displayed a wide range of organizational preparedness for processing threat intelligence and for communicating and engaging with other stakeholders, internally and externally, noted Jim Koenig, principal, Global Leader, Commercial Privacy, Cybersecurity and Incident Response for Health at consulting firm Booz Allen Hamilton
Bank of England to employ hackers (Computing) The Bank of England is set to employ ethical hacking and penetration testing in an effort to strengthen the cyber security of banks and other financial institutions
Surviving the post-Heartbleed Cyber Security Skills Crunch (ComputerWeekly) IT users and suppliers, particularly those in financial services and their suppliers, are about to be hit by an IT skills shortfall akin to that during the run-up to Y2K, for similar reasons. A surge in demand for skills in short supply is hitting an industry which has not recruited sufficient trainees for over a decade
Cross Match acquires DigitalPersona (Help Net Security) Cross Match Holdings and DigitalPersona announced a merger agreement that will combine the two companies. With more than 300 employees, a network of partners and millions of users relying on its solutions worldwide, the merged company will have a global presence in the government, financial, retail, defense, law enforcement and corporate markets
CRGT Expands Homeland Security Mentor-Protégé Relationships (Digital Journal) CRGT Inc., a leading provider of Big Data, Agile development, Cyber Security, and Infrastructure Optimization for the Federal Government, has increased its focus on Department of Homeland Security (DHS) programs through the execution of formal DHS Mentor-Protégé engagements with Novel Applications of Vital Information, Inc. (Novel Applications) and EnProVera Corporation. These business partners have skills and experience that strengthen CRGT's market offerings as it pursues new business within select government agencies
Nokia sees Microsoft deal closing this week (Reuters) Nokia said on Monday it expects the sale of its handset business to Microsoft to be finalized on April 25, as it had received all the required regulatory approvals
Army denies troops superior software because MONEY (Daily Caller) The Army has denied soldiers the use of privately developed software intended to mitigate the threat of improvised explosive devices, reportedly because it has already invested time and money in its own product
CloudFlare Launches Bug Bounty Program (Threatpost) As the OpenSSL heartbleed saga unfolded over the last couple of weeks, one of the companies that was at the forefront of figuring out the scope and effects of the problem was CloudFlare. The company put up a challenge server, asking researchers to hit it with the heartbleed exploit to determine whether private SSL keys
Products, Services, and Solutions
Chrome does certificate revocation better (ZDNet) There's a dirty little industry secret: the classic methods of certificate revocation don't really work. That's why Google Chrome doesn't do certificate revocation checking the normal way
Splunk Releases Version 3.1 of the Splunk App for VMware (Compliance Week) Splunk, a provider of a software platform for real-time operational intelligence, this month announced the general availability of Version 3.1 of the Splunk App for VMware, which provides comprehensive operational visibility into virtualized environments
Facial recognition — coming soon to a shopping mall near you (Naked Security) Technology giant NEC's Hong Kong branch is promoting a small, "easy to install" appliance which will enable businesses to monitor their customers based on facial recognition
Dropbox VP: People's trust comes first, followed by IT security (FierceEnterpriseCommunications) April 21, 2014, by Scott M. Fulton III. For the last three years, by far the name at the top of people's lists when they're discussing the trend of "shadow IT"—users bringing apps into organizations that bypass company policies—is Dropbox. It's a simple and effective mechanism for distributing files, and both managers and executives have come to rely upon Dropbox for reaching out to their own subordinates
Athena Announces Fastest Elliptic Curve Cryptography Accelerator Core (Design & Reuse) The Athena Group, Inc., the leader in high-performance public key (PK) and elliptic curve cryptography (ECC), today announced the industry's fastest ECC accelerator core. Athena's commitment to maintaining leadership in the high-performance PK cryptography and ECC marketplace is reinforced with the release of the EC Ultra family of dedicated ECC accelerators. Athena introduced three variants ranging in performance from 2,000 to 8,000 NIST P-256 EC-DSA verify operations per second
Apps offer users ways to boost online security (CTVNews) The uproar surrounding the National Security Agency's Prism program, in which the U.S. government collected data from citizens' webmail and social network accounts, has led to the development of encrypted alternatives to Gmail, Hotmail and other popular messaging services. Known only to a small set of users in the past, solutions for enhanced data security are now beginning to hit the mainstream
Free Heartbleed scanner for Chrome and Android (Help Net Security) To help Internet users protect themselves from the Heartbleed bug that is eroding SSL security features on websites worldwide, Trend Micro released two free Heartbleed scanners for computers and mobile devices, designed to verify whether they are communicating with servers that have been compromised by the Heartbleed bug
Third-party audits best way to oversee cyber security (Hartford Business Journal) Last week's announcement that Connecticut's utilities have been compromised by cyberattacks isn't surprising, but it does raise serious concerns about the vulnerability of the state's electricity, natural gas, and water infrastructure
Research shows vulnerabilities go unfixed longer in ASP (SC Magazine) While there is no significant difference between the number of security vulnerabilities found, on average, in widely used programming languages like .Net, Java and ASP, the number of days it takes to make fixes can differ noticeably, a WhiteHat Security report reveals
Big data's defense against cyber crime (FierceBigData) Big data is both a blessing and a curse in terms of security. Cybercriminals can hide within big data, and they can use big data to aid their efforts in a myriad of ways. But big data tools also present a formidable defense when they're used correctly. A new report from Gartner gives some good advice on how to do that
NIST to Drop Crypto Algorithm from Guidance (GovInfoSecurity) Move comes following concerns about NSA actions. A draft of revised guidance from the National Institute of Standards and Technology drops a cryptographic algorithm the National Security Agency is believed to have used to circumvent encryption that shields much of global commerce, banking systems, medical records and Internet communications
Our Comments On NIST's Cryptographic Standards Review Process (Center for Democracy and Technology) The US National Institute of Standards and Technology (NIST) has taken a first, important step in making sure no flaws or trapdoors end up in their cryptographic standards: they put out for public comment a document that describes the high-level principles for standardizing cryptography at NIST. In this post, I will discuss the recent events that led NIST to take this step and the comments CDT submitted last Friday in response
A New Approach to Prioritizing Malware Analysis (SEI Blog) Every day, analysts at major anti-virus companies and research organizations are inundated with new malware samples. From Flame to lesser-known strains, figures indicate that the number of malware samples released each day continues to rise. In 2011, malware authors unleashed approximately 70,000 new strains per day
Budget Problems Impact Science and Technology Personnel as Much as Programs (SIGNAL) Gadgets and gizmos are not the only things beset by the U.S. Defense Department's continued battle with shrinking budget dollars. While some projects may be delayed, and others even derailed, the civilian work force "is now showing the early signs of stress," Alan Shaffer, acting assistant defense secretary for research and engineering, recently warned Congress
Army nips Air Force in NSA's cyber competition (Defense Systems) The U.S. Military Academy took the top spot in the National Security Agency's most recent service-academy cyber competition, which involved designing and building a network from scratch, then defending it against NSA and service red teams while handling other challenges
NSA's Implementation of Foreign Intelligence Surveillance Act, Section 702 (NSA Director of Civil Liberties and Privacy Office Report) This document provides an unclassified overview of NSA's implementation of Foreign Intelligence Surveillance Act Section 702. It is also entered into the Federal Register (docket PCLOB-2013-005-0073) to satisfy a PCLOB request for information to inform their upcoming report and to be more transparent to the public
Letitia Long: Leading NGA into a new era of intelligence (C4ISR Networks) Letitia Long, director of the National Geospatial-Intelligence Agency, is at the helm of some of the intelligence community's biggest moves. NGA, along with the Defense Intelligence Agency, is leading development of ICITE, the intelligence community's shared IT environment, and Long is also helping to architect a transition to the idea of comprehensive, immersive intelligence that weaves together various disciplines'
GOP demands answers on electric grid security leak (The Hill) Republicans on the House Energy and Commerce Committee are asking the Federal Energy Regulatory Commission (FERC) to report on how sensitive information about electric grid security became public
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
East Africa Banking and ICT Summit (Kampala, Uganda, April 25, 2014) The global event series for Banking and ICT Summit enters its third year. The summit will continue to provide delegates with technical & practical sessions, lectures and showcase for banking and ICT innovations,...
InfoSecIndy (Indianapolis, Indiana, USA, April 26 - 27, 2014) Join us on April 26-27, 2014 in Indianapolis, Indiana for the premier Midwest Information Security and Digital Forensics Conference.
cybergamut Technical Tuesday: Malware Reverse Engineering (Columbia, Maryland, USA, May 6, 2014) An introduction to the tools, workflows, and tricks of the trade to attack sophisticated malware by Dale Robson of CyberPoint. Industry standard cyber security products do a good job in blocking and defending...
STEM Café (Geneva, Illinois, USA, May 6, 2014) At the next STEM Café, Raimund Ege, associate professor in NIU's Department of Computer Science, will lead a lively discussion on how computer crime affects our everyday lives and what we can do to protect...
US Secret Service Cybersecurity Awareness Day (Washington, DC, May 8, 2014) This Cybersecurity event will be the first of its kind at the USSS. There will be 2-3 opportunities for participating companies to present a 1/2 hour presentation on a Cybersecurity topic of concern to...
HackMiami 2014 (Miami Beach, Florida, USA, May 9 - 11, 2014) The HackMiami 2014 Hackers Conference seeks to bring together the brightest minds within the information security industry and the digital underground. This conference will showcase cutting edge tools,...
ISPEC 2014 (Fujian, China, May 12 - 14, 2014) The ISPEC conference series is an established forum that brings together researchers and practitioners to provide a confluence of new information security technologies, including their applications and...
GovSec 2014 (Washington, DC, USA, May 13 - 14, 2014) GovSec is the nation's premier event for Government, Homeland Security, and Law Enforcement professionals looking for proven strategies and cost effective technology so they can achieve their mission of...
CyberWest (Phoenix, Arizona, USA, May 13 - 14, 2014) Cyber threats affect all industry sectors and impact individuals, businesses and governments. From hacktivists to advanced persistent threats, conducting business on-line exposes individuals, corporations...
FOSE Conference (Washington, DC, USA, May 13 - 15, 2014) Spend 1 day or 3 days at the FOSE conference and leave with actionable information, covering a broad spectrum of trending topics including: Cybersecurity, Cloud and Virtualization, Mobile Government,...
Fraud Summit (Chicago, Illinois, USA, May 14, 2014) From account takeover to payment card fraud and the emerging mobile threatscape, the ISMG Fraud Summit series is where thought-leaders meet to exchange insights on today's top schemes and the technology...
Security BSides Denver 2014 (Denver, Colorado, USA, May 16, 2014) Each BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of...