Australian immigration authorities inadvertently expose the personal information of some 10,000 asylum-seekers.
Zeus has been seen sniffing around Salesforce.com. Zeus, which began life as a banking Trojan, has evolved into a variant optimized for attacking SaaS targets.
Researchers continue to expose the leakiness of apps, whether mobile or dating, and note the degree to which potential damage depends on user naïveté.
Community banks in the US are expected to issue more than 4,000,000 new payment cards as the sector recovers from the Target breach.
Microsoft has issued a quick "Fixit" for the IE9/IE10 zero day currently being exploited in the wild. Cisco makes a number of patches available, and Belkin points out that the vulnerabilities in its WeMo line of home automation products have already been patched.
A SANS Institute study describes the state of health care security as "alarming."
Hacking Crew has sold its lawful intercept software to some twenty governments worldwide; the University of Toronto questions whether this is a good thing.
As one expects during the run-up to RSA, industry news flourishes in a brace of VC, M&A, and new product announcements. These will surely continue through next week and beyond, but at least three widespread needs are driving innovation: a need for automated defensive systems to keep pace with malware evolution and drive down labor cost, reliable anonymization for information-sharing, and sound methods of assessing cyber risks.
The recently announced US cyber framework gets positive reviews from NATO, and NIST announces plans for crypto standards.
Today's issue includes events affecting Azerbaijan, Colombia, Egypt, Ethiopia, Hungary, India, Ireland, Israel, Italy, Kazakhstan, Korea, Malaysia, Mexico, Morocco, NATO/OTAN, Nigeria, Oman, Panama, Poland, Saudi Arabia, Sudan, Sweden, Thailand, Turkey, United Arab Emirates, United States, and Uzbekistan.
Our special coverage of RSA Conference 2014 begins with tomorrow's issue. If you're attending RSA, be sure to stop by CyberPoint's booth (#1037 in the South Expo hall) and say hello to the CyberWire's publisher and some of our stringers.
Hacking results in 4 million new cards (Albuquerque Business First) Community banks in the U.S. have reissued more than 4 million credit and debit cards at a cost of more than $40 million since the data breaches at major retailers, the Independent Community Bankers of America said Wednesday.
Security Patches, Mitigations, and Software Updates
Microsoft releases FixIt for IE9/IE10 Zero Day (Internet Storm Center) Microsoft has published a TechNet article detailing the availability of a "FixIt" for the current IE9/IE10 zero day which has been doing the rounds. Corporate users will presumably have to wait until the availability of the patch, which Microsoft say will be released during the monthly patching cycle.
Cisco Security Advisories, Responses, and Notices (Cisco Security Intelligence Operations) Cisco Security Advisories are published for significant security issues that directly involve Cisco products and require an upgrade, fix, or other customer action. In all security publications, Cisco discloses the minimum amount of information required for an end-user to assess the impact of a vulnerability and any potential steps needed to protect their environment. Cisco does not provide vulnerability details that could enable someone to craft an exploit. All security advisories on Cisco.com are displayed in chronological order, with the most recently updated advisory appearing at the top of the page.
Security vulnerabilities published in CERT advisory fixed (Belkin WeMo) Belkin has corrected the list of five potential vulnerabilities affecting the WeMo line of home automation solutions that was published in a CERT advisory on February 18. Belkin was in contact with the security researchers prior to the publication of the advisory and, as of February 18, had already issued fixes for each of the noted potential vulnerabilities via in-app notifications and updates. Users with the most recent firmware release (version 3949) are not at risk from these malicious firmware attacks or from remote control or monitoring of WeMo devices by unauthorized devices. Belkin urges such users to download the latest app from the App Store (version 1.4.1) or Google Play Store (version 1.1.2) and then upgrade the firmware version through the app.
Status of healthcare security: 'Alarming' (FierceHealthIT) The networks and Internet-connected devices of healthcare organizations—from hospitals to insurance carriers to pharmaceutical companies—are being compromised at an "alarming" frequency, according to analysis of malicious traffic by The SANS Institute.
India not prepared to handle cyber terrorism threat: EC Council (Economic Times) India may have a burgeoning Internet population, but when it comes to cyber attacks it is ill-equipped to handle sophisticated intrusions, as there is a "serious shortage" of skilled professionals, IT security training firm EC Council said.
Tangible Security Acquires A&N Associates, Expands Cybersecurity Capabilities (Broadway World) Tangible Security announced today that it has acquired A&N Associates, Inc., headquartered in Columbia, Md., a leader in information assurance and acquisition management services for defense, intelligence, and federal agencies. This is the second acquisition Tangible has closed in less than six months; it continues to build out the company's portfolio of capabilities in the cybersecurity space, supporting the growth strategy announced in January 2013.
ThreatStream Raises $4M From Google Ventures To Add Realtime Cybersecurity Intelligence (TechCrunch) ThreatStream, a SaaS-based cybersecurity startup backed by top Cloudera executives, has raised $4 million in Series A funding from investors led by Google Ventures. The other investors participating in the latest round of funding are Paladin Capital Group, Cloudera CEO Tom Reilly and Hugh Nijemanze, former CTO and founder of ArcSight. The new funding will be used to add a new layer of
CloudLock Launches A Fully Cloud-Based Selective Encryption Product (TechCrunch) Cloud security startup CloudLock will launch a new encryption product to make it easier for software-as-a-service and cloud platforms to protect sensitive data. Called CloudLock Selective Encryption, the product's launch comes a few weeks after CloudLock announced that it had raised $16.5 million in Series C funding led by Bessemer Venture Partners, bringing its total funding to $28.2 million.
Strevus Raises $6.5 Million For Financial Compliance Software (TechCrunch) With new compliance requirements looming for already jumpy banks, startup software developer Strevus has raised $6.5 million for its risk and compliance service. The company raised its first institutional round from lead investor Blumberg Capital and U.S. Venture Partners after picking up seed investments from a who's who of the technology community.
Stealthy Security Company Apprity Raises $8 Million (TechCrunch) The stealthy business security company Apprity, launched by two former Oracle employees, has raised $8 million in its first institutional financing. For its first venture round, Apprity turned to seasoned security technology investors Promod Haque, a senior managing partner at Norwest Venture Partners, and Gaurav Garg, a founding partner of Wing Ventures. The last time these two investors came
Facebook's WhatsApp Acquisition Leaves Snapchat Hanging (TechCrunch) With Facebook's massive $19 billion purchase of WhatsApp earlier today, any possible marriage between Facebook and Snapchat appears to be dead. After spending $20 billion on a photo sharing company (Instagram) and a messaging company (WhatsApp), can Facebook really justify spending billions more to acquire an ephemeral photo messaging company?
Facebook spies on romances, breakups (FierceBigData) Cupid may secretly shoot the arrow that turns people into lovers, but you can count on Facebook to watch every detail of that affair and sell the info to presumably anyone who wants it. The social media giant spun its privacy invading actions on this most intimate of all human affairs as a love story of sorts; they even published a blog series on their findings around Valentine's Day to add an extra dash of sap. "We love love. We hope you love our love for love," says the post on the Facebook Data Science wall. Oh how sweet, and oh, what utter nonsense.
ThreatTrack Security Introduces Automated APT Remediation (Broadway World) ThreatTrack Security today announced ThreatSecure, the advanced malware protection platform that provides real-time detection and automated remediation of threats that evade traditional signature-based defenses.
NATO cybersecurity center praises U.S. framework initiative (Inside Cybersecurity) The new U.S. framework of cybersecurity standards could provide a positive example for other NATO countries seeking to improve cybersecurity by boosting cooperation between the public and private sectors, according to a spokeswoman for the alliance's cybersecurity center.
NIST Unveils Crypto Standards Proposal (GovInfoSecurity) Because of concerns of possible National Security Agency meddling with its cryptographic standards, the National Institute of Standards and Technology has issued a draft report proposing revisions in how it develops cryptographic standards.
Windows XP's stubborn hold over DHS (FierceGovIT) Windows XP remained the most prevalent desktop operating system within the Homeland Security Department as of March 2013, according to an internal assessment of component compliance with the federal security configuration baseline.
Kill Switches: Phones Just The Start (InformationWeek) Mandatory phone kill switches will hasten the arrival of the Surveillance of Everything. Consider these 11 technologies that come with strings attached.
LinkedIn Privacy: 5 Safety Tips (InformationWeek) Protect your LinkedIn account by browsing securely, keeping your activity private, and recognizing signs of malicious behavior.
The Username Is a Relic. Here's How to Fix It (Wired) This has probably happened to you: You hear about some cool new app or game or service, rush to sign up, and discover that another person has already snagged the username you wanted. It's a bummer and a bad first impression for a new service.
Design and Innovation
New website ranks worst global data breaches using Richter-like scale (TechWorld) Target and Adobe hit the 10.0. Data breaches are a bad thing, but are some worse than others in a way that can be measured objectively? Encryption firm SafeNet believes its new Breach Level Index (BLI), developed jointly with security analyst Richard Stiennon's IT-Harvest, offers a solution.
Research and Development
US boffins turn up the spin on holographic memory (The Register) Alongside the "beat Moore's law" stream of research, computer science boffins have also spent years working on increasing memory density. Now, University of California Riverside researchers have demonstrated a holographic memory based on a phenomenon called spin waves.
Academy teams do battle in cyber exercise (Defense Systems) One of the big challenges the Defense Department faces as it expands its cyber operations is manpower. The U.S. Cyber Command and the services plan to add thousands of cyber operators over the next few years, but cyber expertise is in short supply even in the private sector.
Greenwald: Clapper statement 'vindicates' Snowden (Washington Post) In an interview with Eli Lake of the Daily Beast, Director of National Intelligence James Clapper made an admission. If the national security apparatus had been more forthcoming about its plans to store mounds of call records of American citizens, the backlash that accompanied the revelations about the program via former National Security Agency contractor Edward Snowden wouldn't have materialized. Clapper to Lake
FCC tries anew to establish net neutrality rules (FierceGovIT) The Federal Communications Commission says it may be able to re-establish net-neutrality requirements on broadband providers through existing authority in the Telecommunications Act of 1996.
Litigation, Investigation, and Law Enforcement
BYOD requires IP protections (FierceMobileIT) Intellectual property law seems straightforward enough: an employer has the right to works created by employees in the course of their employment. But when employees are producing work on their own time and their own device, things become murky, making bring-your-own-device considerations important.
CyberSecurity Innovation Forum (Fairfax, Virginia, USA, February 20, 2014) Join us for a series of short case study presentations by cybersecurity experts and technology innovators from throughout the region. Presentations will be followed by a panel discussion with plenty of opportunity for discussion and discovery. The focus of the evening will be on cybersecurity innovations that address current and evolving challenges and have had a real, measurable impact.
Free OWASP Training and Meet Up (San Francisco, California, USA, February 24, 2014) OWASP is hosting a special security boot camp for all conference-goers: RSA Conference, Bsides SF, and TrustyCon, as well as local developers. The training is recommended for developers who want to learn more about securing their code as well as security professionals who want to become acquainted with the latest web vulnerabilities.
RSA Conference USA (San Francisco, California, USA, February 24-28, 2014) Hundreds of game-changing interactions will give you an unparalleled diversity of industry insight and information based on best practices, real implementation stories, and detailed case studies. Each year, educational sessions feature new and returning educational tracks you won't find anywhere else.
Nellis AFB Technology & Cyber Security Expo (Las Vegas, Nevada, USA, February 26, 2014) For over 12 years, the Armed Forces Communications & Electronics Association (AFCEA) - Las Vegas Chapter and FBC have been co-hosting the Annual Information Technology Expo at Nellis AFB. As was the case last year, the 2014 event will once again have a Cyber Security theme. This is an excellent opportunity for any technology or cyber company to meet with the personnel at Nellis AFB, as well as the local AFCEA members.
Cloud Expo Europe (London, England, UK, February 26-27, 2014) Cloud Expo Europe covers everything from hybrid cloud to software defined networks and data centres, from open source cloud to IaaS, from security and governance to cloud applications, and from complex hosting to development platforms.
Suits and Spooks Security Town Hall (San Francisco, California, USA, February 27, 2014) Privacy versus Security: An Informed Debate and Discussion to Raise Industry Awareness. Taia Global and our sponsoring companies are hosting our first Suits and Spooks Security Town Hall at the Ritz Carlton San Francisco on February 27, 2014 (7pm-10pm). We are condensing the Suits and Spooks two-day "collision" model into a 3-hour debate and discussion format to help raise awareness about the complexities involved in balancing security objectives with our privacy rights.
Trustworthy Technology Conference (San Francisco, California, USA, February 27, 2014) Join us for the first Trustworthy Technology Conference, to be held on 27 February 2014 at the AMC Metreon Theatre in San Francisco, California. We welcome all security researchers, practitioners and citizens who are interested in discussing the technical, legal and ethical underpinnings of a stronger social contract between users and technology.
Creech AFB Technology & Cyber Security Expo (Indian Springs, Nevada, USA, February 27, 2014) The Armed Forces Communications & Electronics Association (AFCEA) - Las Vegas Chapter, with support from the 432d Wing, will host a Cyber Security Awareness Day & Technology Expo at Creech AFB. This is an excellent opportunity for technology, cyber and tactical technology companies to meet with remote personnel at Creech AFB. At the 1st Annual event held in February 2013, over 100 Creech AFB personnel attended. Some of their job descriptions included: Commander, Flight Chief, Communications Officer in Charge, IT Lead, Systems Admin, Wing Training, Information Assurance Officer, Knowledge Management, Section Chief, Avionics, Physical Security, Project Manager, Director and more.
Nuclear Regulatory Commission ISSO Security Workshop (Rockville, Maryland, USA, March 17, 2014) Exhibitors will have the opportunity to showcase cutting-edge products and services available in today's market. All companies specializing in products and services that would benefit the NRC workforce are encouraged to exhibit at this one-day expo. Topics of the workshop and of high interest to attendees include: computer security policy, standards and guidance, cybersecurity, FISMA compliance, and training updates.
ICS Summit 2014 (Lake Buena Vista, Florida, USA, March 17-18, 2014) The 9th Annual North American ICS Security Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations, along with control systems and security vendors who have innovative solutions for improving security.
27th Annual Federal Information Systems Security Educators' Association (FISSEA) Conference (Gaithersburg, Maryland, USA, March 19, 2014) The 27th Annual Federal Information Systems Security Educators' Association (FISSEA) Conference will be held at the National Institute of Standards and Technology on March 18-20, 2014; exhibits will be on display March 19 only. This year's theme, "Partners in Performance: Shaping the Future of Cybersecurity Awareness, Education, and Training," will focus on developing a better understanding of current information systems/cybersecurity projects, emerging trends, and initiatives. Through numerous high quality sessions, approximately 200 attendees will learn new ways to improve their IT security program and practical solutions to training problems while earning Continuing Professional Education (CPE) credits. The vendor fair gives attendees a tactical look at the products and services available to meet their professional goals.
Suits and Spooks Singapore (Singapore, March 20-21, 2014) Our first international Suits and Spooks conference will be held in Singapore with a visit to Malaysia on March 20-21, 2014. The focus will be on how multi-national corporations can profitably operate in a globally hostile environment that consists of foreign intelligence collection, mercenary hacker crews, insider threats, and supply chain/vendor vulnerabilities. Our international list of speakers will discuss who the threat actors are, what they're after, and best practices to mitigate the risks.
MCT-Congress: Going Mobile with Clinical Trials (Edinburgh, Scotland, UK, March 20-21, 2014) It is almost inevitable that mHealth solutions will be adopted across healthcare systems worldwide over the next decade. What is less clear is the impact that mobile solutions are having and could have on the clinical research process.
Cyber Security for Energy & Utilities (Abu Dhabi, UAE, March 23-26, 2014) Following the rapid evolution of the cyber and digital world, IT Security Directors, Information Security Directors, Chief Security Officers, Chief Information Officers and many more will gather at the 3rd Edition of the Cyber Security for Energy & Utilities conference, taking place from 23-26 March 2014 at The Westin Golf Resort in Abu Dhabi, UAE.
Veritas 2014 (London, England, UK, March 25-27, 2014) At Veritas 2014, hear directly from the big data experts in top tier retail finance who are now implementing strategy and starting to yield real commercial value. Experts dedicated to Big Data in the sector will show you how the right approaches can lead to far-reaching results in business model innovation, risk mitigation and identifying new revenue streams. See how Veritas 2014 will help you develop your big data implementation strategy.
Cyber Security Management for Oil and Gas (Houston, Texas, USA, March 26-27, 2014) Attend to gain cutting-edge information from oil and gas cyber security experts on: using the very latest in intelligence techniques to find and neutralize the newest threats in time; preventing security breaches while ensuring your employees, social media and mobile devices operate effectively; implementing best practices in order to achieve and maintain SCADA and other key systems security; and how a "critical infrastructure" designation would impact different aspects of oil and gas cyber security management.
March 31 - April 4 2014) SyScan is a deep knowledge technical security conference. It is the aspiration of SyScan to congregate in Asia the best security experts in their various fields, to share their research, discovery and experience with all security enthusiasts in Asia
For a complete running list of events, please visit the Event Tracker on the CyberWire website.