Cyber criminal informants prove to be as blowback-prone as regular wiseguy snitches. "Sabu" provides exhibit A: the New York Times reports that while he was an FBI informant, Sabu continued to exploit zero-days, some against Brazilian, Syrian, and Iranian government sites.
Enterprises continue to mop up Heartbleed. Many Android apps remain leaky, but some are found protected, ironically, by a common implementation coding error. The number of direct exploits still seems small in comparison with the scope and potential of the vulnerability. Clean-up itself presents at least two problems: some fragile SSL implementations have been disabled when scanned for Heartbleed, and the frenzy to find and close Heartbleed holes has provided hackers with useful misdirection, particularly in attacks on US universities. And, of course, Heartbleed continues to provide useful phishbait to spammers.
The unrelated but very large We_heart_it diet spam campaign has oozed from AOL over to Twitter. Its origins remain obscure, but it's become a significant nuisance.
Many US physicians have suffered identity theft recently, which, Krebs suggests, hints at problems in some commonly used service.
Bkav claims to have found serious vulnerabilities in Amazon's Cloud IaaS Service.
Medical devices and maritime shipping remain, sector analysts say, dangerously open to cyber attack even though the worst bogeymen have yet to materialize. Electrical utilities move toward a consensus that cyber risks are more serious than physical ones.
Insurers find many retailers remain oblivious to cyber risk. Financial analysts warn against cascading effects of widespread failure to insure against cyber losses.
Today's issue includes events affecting Brazil, Cambodia, European Union, Iran, Russia, Syria, Tunisia, United Kingdom, United States.
Cyber Attacks, Threats, and Vulnerabilities
FBI knew of zero-day attack on websites, let hackers use it (Ars Technica) NY Times reports Sabu directed attacks with Plesk exploit after arrest. Hector Xavier Monsegur, the hacker known as "Sabu," became a confidential FBI informant following his 2011 arrest. But he continued to direct other hackers to attack more than 2,000 Internet domains in 2012, including sites operated by the Iranian, Syrian, and Brazilian governments
Heartbleed Security Cyber Attacks Roundup (Gadget Gestures) If you paid attention to the information flooding your news feed that warned you over and over again about the Heartbleed security bug that makes your passwords and personal data vulnerable to theft and all sorts of cyber attacks, then you know the problem is serious and affects more people than one could have imagined in the beginning
While Heartbleed distracts, hackers hit US universities (CSO) The panic over the Heartbleed bug is proving to be a convenient distraction for hackers using standard techniques in a fresh wave of attacks targeting at least 18 U.S. universities, according to a computer security researcher
Be Careful what you Scan for! (Internet Storm Center) After some fun and games at one customer site in particular, I found that the SSL services on the earlier versions of the HP ProLiant Servers iLO ports (iLO1 and iLO2) are not susceptible to Heartbleed. However, their implementation of SSL is fragile enough that scanning them for the Heartbleed vulnerability will render them inoperable. This affects ProLiants from G1 all the way up to G6, as well as many of the HP BladeSystems
How To Detect Heartbleed Mutations (Dark Reading) The nightmare of Heartbleed is not the chaos of fixing the bug. It's identifying hundreds, possibly thousands, of small mutations still hiding in the network
States: Spike in Tax Fraud Against Doctors (Krebs on Security) An unusual number of physicians in several U.S. states are just finding out that they've been victimized by tax return fraud this year, KrebsOnSecurity has learned. An apparent spike in tax fraud cases against medical professionals is fueling speculation that the crimes may have been prompted by a data breach at some type of national organization that certifies or provides credentials for physicians
Amazon Cloud IaaS Service servers riddled with vulnerabilities (Help Net Security) An investigation spurred by one of the customers of their security product has led researchers of security company Bkav to an unexpected discovery: the servers provided by Amazon's Cloud IaaS Service are riddled with vulnerabilities
Six Degrees datacentre suffers outage for more than 12 hours (ComputerWeekly) Customers using Six Degrees Group's datacentre and hosting services faced downtime on Tuesday — a crucial business day after the Easter weekend — as the datacentre, hosting and managed services provider suffered an outage for more than 12 hours
Medical devices at risk from cyber attack (Business Technology) A pacemaker designed to send life-saving electrical pulses to your heart and provide your doctor with vital information about your health can also unfortunately be a target of a sinister cyber attack
Dissecting the unpredictable DDoS landscape (Help Net Security) DDoS attacks are now more unpredictable and damaging than ever, crippling websites, shutting down operations, and costing millions of dollars in downtime, customer support and brand damage, according to Neustar
Apple + Patching = You're Doing It Wrong :( (Kristin Paget's Blog) Apple just released iOS 7.1.1, which contains a bunch of security fixes for a wide range of things. Of particular interest is the list of issues they fixed in WebKit, which includes
Verizon DBIR 2014: Incident patterns show industry-specific threats (TechTarget) "We may be able to reduce the majority of attacks by focusing on a handful of attack patterns." That's the thought that Verizon used to tantalize readers of the 2013 iteration of its Data Breach Investigations Report, but as it turns out, the 2014 version found that more than nine out of ten data breaches can be described by just one of nine attack patterns, an enticing claim for enterprise information security teams
Cybersecurity quickly trumping physical security (FierceSmartGrid) Security is becoming an important part of the day-to-day operations of every utility across the United States, and a recent ruling by the Department of Justice (DOJ) is meant to make it easier for companies to keep their assets secure while keeping the lights on
Demand for BYOD access control leads to NAC resurgence (TechTarget) Network access control technology has come a long way from its days of being derided as an expensive and difficult tool that only succeeds in locking users out of the network. As the number of devices and the diversity of the users hitting networks across all industries grows, NAC security is becoming a must-have technology for any corporate environment
Intelligence-Sharing Suffers Growing Pains (Dark Reading) For most organizations, intelligence-sharing remains mainly ad-hoc and informal — and thus fraught with frustration and pitfalls, a new report from Ponemon finds
Heartbleed as Metaphor (Lawfare) I begin with a paragraph from Wikipedia: Self-organized criticality is one of a number of important discoveries made in statistical physics and related fields over the latter half of the 20th century, discoveries which relate particularly to the study of complexity in nature…That may or may not leave you cold. I begin with those lines because they say that complexity in the large can arise from locally simple things
Lack of cyber risk insurance could lead to "global financial shock" (We Live Security) The financial damage caused by a large data breach or malicious employee activity can be enormous, but while more than three-quarters of organizations say they have become more concerned about information security and privacy in the past three years, the lack of cyber risk insurance could lead to a "global" shock
A strong information security program is a competitive gain, not just a cost (TechTarget) CIOs are often asked to quantify the value of technology investments, but the CIO of an East Coast company was caught off guard by one such recent request and by whom it came from. "The marketing chief wanted to know if we should use our security and privacy measures as a competitive differentiator to market our business and services," said the CIO, who is still in the midst of his research and asked not to be named
Cybersecurity's new frontier (Daily Record) The exterior walls of Luminal's downtown Frederick headquarters office are made of brick. But the company isn't focused on walls. Its software aims to make a computer system more secure from the inside, instead of relying only on exterior defenses
South-East police forces on the hunt for information assurance services in £20m tender (Computing) The police and crime commissioner for Surrey has issued a tender on behalf of police forces within the South East Regional Information Security Management Group including: British Transport Police, Civil Nuclear Constabulary, Essex Police, Hampshire Police, Hertfordshire Police, Kent Police, Metropolitan Police Service, Surrey Police, Sussex Police and Thames Valley Police
Forescout launches new PSN compliance package (UK Authority) A programme to help local authorities and government departments to meet the requirements of the Public Service Network (PSN), the secure network enabling local and central government organisations to communicate electronically, has been launched today
CrowdStrike offers new free Heartbleed Scanner tool (CSO) In the wake of the Heartbleed vulnerability revelation, many security vendors raced to provide tools to help businesses and individuals test for the flaw on their own systems. Unfortunately, many of those tools used flawed logic, or delivered inaccurate results—either causing undue alarm, or providing an unwarranted sense of security. CrowdStrike has developed a new free Heartbleed Scanner tool that delivers more comprehensive information to help you understand which systems or applications are at risk
eScan Launches a unique online tool to identify Heartbleed bug affected websites (OpenPR) eScan, one of the leading Anti-Virus and Content Security Solution providers, has launched an online tool to identify the latest vulnerability, the Heartbleed bug, which has been creating chaos in the cyber security landscape. This tool introduced by eScan can be used by IT users to check whether the website they are browsing is affected by the Heartbleed bug or not
Is CyberSec Framework Doomed to Fail? (infoRisk Today) Researcher Touts Market-Driven Approach as Alternative. A George Mason University research fellow says the cybersecurity framework, issued earlier this year by the National Institute of Standards and Technology, is likely to cause more problems than it solves
PCI DSS — Why it fails (Naked Security) The Payment Card Industry Data Security Standard (PCI DSS) is a globally agreed standard of compliance for any company that accesses, stores or transmits cardholder data (CHD) and personally identifiable information (PII). I've written a contrasting article about the successes of the PCI DSS, but in this article I want to highlight five reasons I think it fails in its goal
PCI DSS — Why it works (Naked Security) The Payment Card Industry Data Security Standard (PCI DSS) is a document that sets the de facto standard of compliance for any company that accesses, stores or transmits cardholder data (CHD) and personally identifiable information (PII). The PCI DSS's founding members — American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. — sought to replace their individual data security compliance programs in favour of a globally agreed standard
Learning from others (Help Net Security) The old saying "one man's misfortune is another man's gain" is eminently applicable in the information security industry. When an organization becomes the victim of a security breach, its misfortune should be viewed as an opportunity for the rest of us to learn how to improve the security of our own systems
How to prevent RATs from taking over your Mac (ITProPortal) My partner and I have seven pet rats at home and I love every single one of them. But there is one kind of rat I am keen on keeping out of my home — and my computer — and that's a Remote Access Trojan. These nasty, malicious applications let attackers use your computer as if they were sitting right in front of it, giving them complete access to your files, your network, and your personal information
Fun with Passphrases! (Internet Storm Center) As systems administrators and security folks, we've all had our fill of our users and customers using simple passwords. Most operating systems these days now enforce some level of password complexity by default, with options to "beef up" the password requirements for passwords
Design and Innovation
Ultraprivate Smartphones (MIT Technology Review) New models built with security and privacy in mind reflect the Zeitgeist of the Snowden era
Designing a Prize for Usable Cryptography (Electronic Frontier Foundation) In an era when email and messaging services are being regularly subject to attacks, surveillance, and compelled disclosure of user data, we know that many people around the world need secure end-to-end encrypted communications tools so that service providers and governments cannot read their messages. Unfortunately, the software that has traditionally been used for these purposes, such as PGP and OTR, suffers from numerous usability problems that make it impractical for many of the journalists, activists and others around the world whose lives and liberty depend on their ability to communicate confidentially
Inside the 'DarkMarket' Prototype, a Silk Road the FBI Can Never Seize (Wired) The Silk Road, for all its clever uses of security protections like Tor and Bitcoin to protect the site's lucrative drug trade, still offered its enemies a single point of failure. When the FBI seized the server that hosted the market in October and arrested its alleged owner Ross Ulbricht, the billion-dollar drug bazaar came crashing down
Research and Development
Error-Free Quantum Computing Made Possible in New Experiment (IEEE Spectrum) For quantum computing to ever fulfill its promise, it will have to deal with errors. That's been a real problem until now, because although scientists have come up with error correction codes, the quantum machines available couldn't make use of them. But researchers report today that they've created a small quantum computing array that for the first time performs with enough accuracy to allow for error correction—paving the way toward practical machines that could outperform ordinary computers
Guidance Software to Sponsor the National Collegiate Cyber Defense Competition (Wall Street Journal) Guidance Software, Inc. (NASDAQ:GUID) announced today that it is sponsoring and participating in the National Collegiate Cyber Defense Competition (NCCDC). The three-day event, which is being held April 25-27 in San Antonio, Texas, provides a real-time educational venue where students can apply theoretical and practical skills that they've learned in the classroom to real-world cybersecurity scenarios. Students from 180 colleges and universities in ten regions competed at the qualifying and regional levels. The top team from each region will compete at this national competition
Legislation, Policy, and Regulation
Vision is needed at NETmundial (Center for Democracy and Technology) The Global Multistakeholder Meeting on the Future of Internet Governance, a.k.a. the NETmundial meeting, starts today in Sao Paulo, Brazil. The NETmundial meeting has two goals: 1) articulate a set of Internet governance principles, and 2) propose a roadmap for the future development of the Internet governance ecosystem. The meeting comes a short 7 months after Brazilian President Dilma Rousseff gave a scathing speech at the UN General Assembly on NSA surveillance in which she called for mechanisms that would reinforce key principles related to Internet governance and use
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
US News STEM Solutions: National Leadership Conference The STEM crisis in the United States demands solutions—and nowhere is the search more concentrated than at U.S. News STEM Solutions. Now in its third year, this premier national leadership conference is...
East Africa Banking and ICT Summit (Kampala, Uganda, April 25, 2014) The global event series for Banking and ICT Summit enters its third year. The summit will continue to provide delegates with technical & practical sessions, lectures and showcase for banking and ICT innovations,...
InfoSecIndy (Indianapolis, Indiana, USA, April 26 - 27, 2014) Join us on April 26-27, 2014 in Indianapolis, Indiana for the premier Midwest Information Security and Digital Forensics Conference.
United States Cyber Crime Conference 2014 This is the only event of its kind that provides both hands-on digital forensics training and an interactive forum for cyber professionals to network. The conference covers the full spectrum of topics...
Infosecurity Europe 2014 Infosecurity Europe is Europe's number one Information Security event. Featuring over 350 exhibitors, the most diverse range of new products and services, an unrivalled education programme and over 12,000...
Cyber COMSEC and IT Day at Fort Huachuca This one-day vendor expo is a unique opportunity to demonstrate your products and services to military and civilian personnel at Fort Huachuca. Exhibitors will have a casual atmosphere to share ideas,...
cybergamut Technical Tuesday: Malware Reverse Engineering (Columbia, Maryland, USA, May 6, 2014) An introduction to the tools, workflows, and tricks of the trade to attack sophisticated malware by Dale Robson of CyberPoint. Industry standard cyber security products do a good job in blocking and defending...
US Secret Service Cybersecurity Awareness Day (Washington, DC, May 8, 2014) This Cybersecurity event will be the first of its kind at the USSS. There will be 2-3 opportunities for participating companies to present a 1/2 hour presentation on a Cybersecurity topic of concern to...
SANS Security West SANS Security West will arm information security professionals with the necessary insight to prepare their organization for today and the future. Attendees will have the opportunity to advance their information...
HackMiami 2014 (Miami Beach, Florida, USA, May 9 - 11, 2014) The HackMiami 2014 Hackers Conference seeks to bring together the brightest minds within the information security industry and the digital underground. This conference will showcase cutting edge tools,...
Eurocrypt 2014 Eurocrypt 2014 is the 33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques. It is devoted to all aspects of cryptology.
ISPEC 2014 (Fujian, China, May 12 - 14, 2014) The ISPEC conference series is an established forum that brings together researchers and practitioners to provide a confluence of new information security technologies, including their applications and...
CyberWest (Phoenix, Arizona, USA, May 13 - 14, 2014) Cyber threats affect all industry sectors and impact individuals, businesses and governments. From hacktivists to advanced persistent threats, conducting business on-line exposes individuals, corporations...
GovSec 2014 (Washington, DC, USA, May 13 - 14, 2014) GovSec is the nation's premier event for Government, Homeland Security, and Law Enforcement professionals looking for proven strategies and cost effective technology so they can achieve their mission of...
Cyber Security for National Defense Symposium DSI's Cyber Security for National Defense Symposium is designed as an educational and training "Town Hall" forum, where thought leaders and key policy-makers across military and civilian organizations...
FOSE Conference (Washington, DC, USA, May 13 - 15, 2014) Spend 1 day or 3 days at the FOSE conference and leave with actionable information, covering a broad spectrum of trending topics including: Cybersecurity, Cloud and Virtualization, Mobile Government,...
INFILTRATE INFILTRATE is a deep technical conference that focuses entirely on offensive security issues. Groundbreaking researchers focused on the latest technical issues will demonstrate techniques that you cannot...
Security BSides Denver 2014 (Denver, Colorado, USA, May 16, 2014) Each BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of...
Security Start-up Speed Lunch NYC (New York, New York, USA, May 19, 2014) Our goal for this inaugural event is to connect the most promising security startups in the world with decision-makers at aerospace, asset-management, banking, communications, defense, energy, healthcare,...
CEIC 2014 (Las Vegas, Nevada, USA, May 19 - 22, 2014) It's no exaggeration to say that CEIC is the biggest digital-investigations conference of its kind and the only one to offer hands-on lab sessions and training for practical skills development. From sessions...
The Device Developers' Conference: Bristol (Bristol, England, UK, May 20, 2014) The Device Developers' Conference is an annual UK event for the developers of intelligent systems and devices. The objective is to provide an event that provides engineers with an opportunity to learn...
Positive Hack Days Positive Hack Days is the international venue for the unification of progressive forces of the IT industry. It is about innovators interested in information security problems; it is fresh blood and bright...
Georgetown Law: Cybersecurity Law Institute A day does not go by where cybersecurity is not in the news. In fact, according to a recent national survey conducted by FTI Consulting, cybersecurity is the number one issue on the minds of general counsels...
NSA Mobile Technology Forum (MTF) 2014 The Mobile Technologies Forum is an annual event that attracts SIGINT, Information Assurance, HUMINT, Federal Law Enforcement, Counterintelligence and Government personnel from the United States, Australia,...
CyberMontgomery Forum: Center of Gravity (Rockville, Maryland, USA, May 22, 2014) Cybersecurity will be a major growth engine in the region for many years to come. With solid federal government, industry and academic assets already in place in the region, there is still a need to bring...
Cyber Risk Summit (Washington, DC, USA, May 22, 2014) This one-day leadership conference will provide a discussion forum for business executives, insurance companies and policymakers on more effective private and public responses to cyber risk management.
The Device Developers' Conference: Cambridge (Cambridge, England, UK, May 22, 2014) The Device Developers' Conference is an annual UK event for the developers of intelligent systems and devices. The objective is to provide an event that provides engineers with an opportunity to learn...
Fort Meade Technology Expo The Ft. Meade Technology Expo is a one-day event held at the Officers' Club (Club Meade) on base. Industry vendors will have the unique opportunity to showcase their products and services to personnel...
CANSEC CANSEC is Canada's foremost defence tradeshow. A two-day event, CANSEC will feature 120,000 square feet of indoor exhibits by Canada's leading edge defence companies, as well as an outdoor static display.