The Organisation for Security and Cooperation in Europe disclosed yesterday that it sustained a denial-of-service attack. Neither attribution nor motive yet, but tensions among former Soviet nations seem a likely contributing cause.
Anonymous (self-identified-but-masked) representative "Che Commodore" threatens some particular World Cup sponsors, among them Budweiser, Coca Cola, Emirates Airlines, and Adidas. Che Commodore claims the recent attack on a Brazilian foreign ministry website was a test run. That particular caper involved data theft by Trojan, but observers still anticipate a denial-of-service run against the World Cup's corporate sponsors.
Cryptographic library GnuTLS patches its recently discovered remote code execution and DDoS vulnerabilities.
Cyber criminals show increasing interest in attacking new retail brands and anyone's human resource departments. They're relatively soft targets with lots of attractive information available for theft. The criminal market also sees a rise in multi-purpose attack kits. Many exploits active in the wild, it's worth noting, are familiar ones, often long patched, but if they still work against the poorly defended, black-market forces make them an irresistible bargain to criminals.
US NSA Director Rogers suggests businesses should "own" the cyber security problem—it lies at the root of their ability to operate. He also thinks there should be more information shared between government and the private sector.
Legislation to enable such sharing is advancing in the US Senate. The recent indictment of the GOZeuS boss shows the possibilities of collaboration (see, for example, Damballa's lessons learned from sinkholing CryptoLocker) but many observers fear these are ephemeral successes.
Today's issue includes events affecting Australia, Austria, Brazil, Canada, China, Germany, Ireland, Kazakhstan, New Zealand, Russia, Sweden, Ukraine, United Arab Emirates, United Kingdom, United States..
Cyber Attacks, Threats, and Vulnerabilities
OSCE website 'hacked'(The Local Austria) The Vienna-based Organisation for Security and Cooperation in Europe said Wednesday its website had been hacked, according to an AFP report
The Human Side of Heartbleed(Schneier on Security) The announcement on April 7 was alarming. A new Internet vulnerability called Heartbleed could allow hackers to steal your logins and passwords. It affected a piece of security software that is used on half a million websites worldwide. Fixing it would be hard: It would strain our security infrastructure and the patience of users everywhere
Hackers Aim Phishing Attacks At New Retail Brands(Investor's Business Daily) As big companies like eBay and Target bolster their defenses following attacks from hackers, experts say that cybercriminals are also targeting other e-commerce and retail firms that could be vulnerable to phishing attacks intended to steal credit-card and other personal data
Report Examines How Attackers Mask Threat Activity(SecurityWeek) Network security firm Palo Alto Networks has released the latest version of its Application Usage and Threat Report, which sheds light on how attackers are exploiting commonly-used business applications to bypass security controls
Google Releases End-to-End Encryption Extension(Threatpost) Google has released an early version of a Chrome extension that provides end-to-end encryption for data leaving the browser. The extension will allow users to encrypt emails from their webmail accounts. The move by Google is another step in the process of making Web communications more secure and resistant to surveillance. The End-to-End extension is
What Do the New Features in OS X Yosemite and iOS 8 Mean For Privacy and Security?(Fortinet Blog) Today Apple announced at their annual Worldwide Developer's Conference (WWDC) their latest versions of their OS X desktop and iOS mobile operating systems. With this announcement came a long list of new features and technologies that as a whole work towards providing a more seamless experience for users of both their mobile and desktop products
Cyber Chief Says Businesses Must 'Own' Cybersecurity Threats(American Forces Press Service) Cybersecurity threats are a vital issue for the nation, and like the Defense Department, businesses must own the problem to successfully carry out their missions, DOD's top cybersecurity expert told a forum of businesspeople today
This Is Why Target Corporation (NYSE:TGT) Fears For Its Wallet(Wall Street PR) In the recent months, Target Corporation (NYSE:TGT) has come to known for the massive data breach that impacted its system during the holiday shopping season. However, more than a negative reputation that the cyber-attack has brought to Target, the company is also worried of possible claims from affected customers
Microsoft Claims WeChat Shuts Down Xiaobing Accounts(China Topics) Global software giant Microsoft Corp claimed its artificial intelligence chatting robot, Xiaobing, has been blocked by WeChat without prior notice, a move described by the American company as a "brutal murder"
CSG Invotas Chosen as 2014 Pipeline Innovation Winner(Wall Street Journal) CSG Invotas, the enterprise security business from CSG International (NASDAQ: CSGS), today announced that is has been selected as the 2014 Pipeline Innovation Award winner in the "Security and Assurance" category
(ISC)²® Announces Recipients of 11th Annual U.S. Government Information Security Leadership Awards(Insurance News Net) (ISC)²® ("ISC-squared"), the largest not-for-profit membership body of certified information and software security professionals with over 100,000 members worldwide, today announced the recipients of its annual U.S. Government Information Security Leadership Awards (GISLA) program during a gathering of federal information security executives at the GISLA Gala in Arlington, Virginia
Products, Services, and Solutions
TrueCrypt "must not die"(Graham Cluley) A new TrueCrypt? We're not really any closer to finding out the real reason why the TrueCrypt project was abruptly shut down last week, but at least some on the internet aren't prepared to see the open source encryption tool disappear without a fight
Splunk Launches Open Data Analytics for Regulations.gov to Answer President Obama's Call to Harness the Power of Open Data(Wall Street Journal) Splunk Inc. (NASDAQ: SPLK), the leading software platform for real-time operational intelligence, today announced eRegulations Insights, a Splunk4Good project utilizing federal open data to collect and analyze data on public comments submitted through Regulations.gov, the portal for Federal rulemaking. eRegulations Insights was developed in response to President Obama's Open Government Initiative and his call for technology leaders to help harness the power of open data. eRegulations Insights is a set of online public dashboards and visualizations designed to help decipher the tone of public response to regulations and legislative proposals, recognize issues of concern within public responses and identify primary influencers who are mobilizing public engagement around proposals
Sqrrl Releases Sqrrl Enterprise 1.4 and New Test Drive VM(Digital Journal) Sqrrl, the software company that develops the most flexible, secure, and scalable NoSQL database platform for building real-time Big Data applications, is announcing the availability Sqrrl Enterprise 1.4 and a new Test Drive Virtual Machine (VM)
Wickr: Putting the "non" in anonymity(Freedom to Tinker) Following the revelations of wide-scale surveillance by US intelligence agencies and their allies, a myriad of services offering end-to-end encrypted communications have cropped up to take advantage of the increasing demand for privacy from surveillance. When coupled with anonymity, end-to-end encryption can prevent a central service provider from obtaining any information about its users or their communications. However, maintaining anonymity is difficult while simultaneously offering a straightforward way for users to find each other
With So Many Older Bugs Around, Why Bother With Zero-Days?(PCMagazine) Don't obsess over zero-day vulnerabilities and the highly sophisticated, targeted attacks. Attackers are more likely to exploit older, known flaws in Web applications, so focus on basic patching and security hygiene instead
Attack Analysis with a Fast Graph(Cisco Blogs) Cyber security analysts tend to redundantly perform the same attack queries with different input data. Unfortunately, the search for useful meta-data correlation across proprietary and open source data sets may be laborious and time consuming with relational databases as multiple tables are joined, queried, and the results inevitably take too long to return. Enter the graph database, a fundamentally improved database technology for specific threat analysis functions. Representing information as a graph allows the discovery of associations and connection that are otherwise not immediately apparent
Another Program To Check For Software That Needs Updating(Gizmo's Freeware) A few days ago I wrote in this column about Secunia PSI, a free utility that helps to advise you which of the programs on your PC needs updating. A couple of you suggested that SUMo (Software Update Monitor) as a program which does a similar job, so I have been taking a look at it
An Introduction to RSA Netwitness Investigator(Internet Storm Center) In many cases using Wireshark to do a network forensics is a very difficult task especially if you need to extract files from a pcap file. Using tools such as RSA Netwitness Investigator can make network forensics much easier. RSA Netwitness Investigator is available as freeware
Why Are Password Crackers "Bad"?(TrendLabs Security Intelligence Blog) Every now and then, we get questions about password crackers. Usually, these questions are something like, why do you detect these password crackers? They're not malicious! Well, now is as as good a time as any to address the topic
Network Security, Build To Fail(Forbes) Early in my information security career I worked as a network security staffer for a large financial institution. While I was there I learned very quickly that a failure would cost a great deal of money for every second the systems were offline. When the Internet banking site went down, as it did on occasion, we would spring into action no matter the time of day and work like people possessed until the systems were back online. I found it strange that this was necessary in the first place. Why were there not redundant systems as part of the design? Why was the site not able to scale under load? This was back before distributed denial of service (DDoS) was in vogue
Design and Innovation
Swede plots end of cash with palm payments(The Local Sweden) Fed up with waiting in line to pay for groceries, an entrepreneurial young Swede has invented a palm payment method which is catching on. He tells The Local why his creation may spell the end for cash and even debit cards
Senate Intel Committee Close to Cyber Bill Agreement(Defense News) Members of the Senate Intelligence Committee are just a few provisions away from reaching consensus on a sweeping new cybersecurity bill that would codify how private companies can report suspicious activity, a leading Senate Republican said on Tuesday
Companies Join 'Reset The Net' To Fight NSA(CIO Today) Big-name opponents of the National Security Agency's (NSA) mass surveillance techniques are joining forces for "Reset the Net," an Internet-wide protest against the U.S. spy agency to be held on June 5. The protest will include a large Thunderclap on Thursday, blanketing social media with an anti-surveillance message
Cyber security row is likely to have fallout(China Daily USA) Despite feeling hugely embarrassed by revelations made by former National Security Agency contractor Edward Snowden, two former US national security advisors said the indictment of five PLA officers for alleged cyber theft of US corporate secrets have negatively impacted the Sino-US military relations
Mounties join crack down on Russian cyber crime(CSO) The Mounties took part in a criminal take down this week that saw a couple of servers seized in Montreal. These systems were being used by criminals, apparently located in Russia, who were running a malware network that was fleecing victims of millions of dollars. A number that has been kicked around in this case is $100 million although it isn't clear if this is an accurate number or something mired in hyperbole
Cyber Wars: Fed and Private Sector Take on Hackers(Bloomberg) CrowdStrike General Counsel Steven Chabinsky and Second Front Systems Founder and CEO Peter Dixon discuss Project Tovar and protecting against cyber criminals. They speak with Trish Regan on Bloomberg Television's "Street Smart"
Top prosecutor probes US spying on Merkel(The Local Germany) Germany's top prosecutor said on Wednesday he had opened an investigation over alleged snooping by the US National Security Agency (NSA) on Chancellor Angela Merkel's mobile phone
Idaho Judge Asks Supreme Court to End NSA's Phone Surveillance(Wall Street Journal) A federal judge in Idaho urged the U.S. Supreme Court on Tuesday to rule against the National Security Agency's surveillance program of telephone records while saying his own hands are tied by legal precedent. Judge B. Lynn Winmill, chief judge of the U.S. District Court in Idaho, dismissed a suit challenging the NSA's controversial program on Tuesday. But, in an eight-page memorandum, he said the Supreme Court should take up
Six years jail for Swedish child porn kingpin(The Local Sweden) A 62-year-old man in Gothenburg has been sentenced to six years in prison for sharing millions of child abuse pictures online in what has been described as Sweden's biggest ever child porn ring bust
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
Global Identity Summit(Tampa, Florida, USA, September 16 - 18, 2014) The Global Identity Summit is focused on identity management solutions for corporate, defense and homeland security communities. This conference and associated exhibition bring together a distinctive,...
International Cyber Warfare and Security Conference(Ankara, Turkey, November 19 - 20, 2014) In-depth discussions will cover: new emerging threats and challenges on cyber warfare, the policy of leading cyber nations in cyber warfare and security, legal aspects of cyber warfare, industrial perspective...
AFCEA West 2015(San Diego, California, USA, February 10 - 12, 2015) Showcasing emerging systems, platforms, technologies and networks that will impact all areas of current and future Sea Service operations.
Coast Guard Intelligence Industry Day(Chantilly, Virginia, USA, April 2, 2015) With a blended focus of defense, homeland security, law enforcement, criminal investigations, intelligence and cyber issues, Coast Guard Intelligence is aggressively looking to collaborate with partners...
NSA SIGINT Development Conference 2014(, January 1, 1970) This classified conference will focus on the preeminent intelligence issues facing those who are tasked with SIGINT as part of their mission. Over 1500 participants from the US intelligence community and...
Cyber Security Summit(Huntsville, Alabama, USA, June 4 - 5, 2014) The North Alabama Chapter of the Information Systems Security Association and Cyber Huntsville Corporation are hosting the 6th annual Cyber Security Summit June 4-5 in the South Hall of the Von Braun Center.
AFCEA Presents: Insider Threat to Small Business(Fairfax, Virginia, USA, June 5, 2014) One of the biggest myths is that "I'm too small for cyber attackers to care about me." This common misperception leads to tremendous vulnerabilities as companies do not understand implications for their...
The Device Developers' Conference: Scotland(Uphall, Scotland, UK, June 5, 2014) The Device Developers' Conference is an annual UK event for the developers of intelligent systems and devices. The objective is to provide an event that provides engineers with an opportunity to learn...
The 2014 Cyber Security Summit (DC Metro)(Tysons Corner, Virginia, USA, June 5, 2014) The Cyber Security Summit, an exclusive conference series sponsored by The Wall Street Journal, has announced their inaugural DC Metro event. The event will connect C-Level & Senior Executives responsible...
MIT Technology Review Digital Summit(, January 1, 1970) The MIT Technology Review Digital Summit examines tomorrow's digital technologies and explains their global impact on both business and society. You'll get insider access to the innovative people and companies...
Cyber 5.0 Conference(Laurel, Maryland, USA, June 10, 2014) The mission of the Cyber Conference is to provide a forum for small and mid-sized businesses in Howard County and the region to access industry and government leaders with current information on cybersecurity...
Global Summit on Computer and Information Technology(, January 1, 1970) The summit is hosting multiple conferences in different areas of Computer & Information Technology. CIT is a major platform for researchers and industry practitioners from different fields of computer...
NRC Cyber Security Seminar/ISSO Security Workshop(Bethesda, Maryland, USA, June 16, 2014) NRC will be hosting its second NRC Semi-Annual All-Hands ISSO Workshop. This workshop will consist of computer security policy, standards, cybersecurity, guidance, FISMA compliance, and training updates.
2014 Spring National SBIR Conference(Washington, DC, USA, June 16 - 18, 2013) SBIR/STTR programs are the nation's largest source of early stage / high risk R&D funding for small business. At this conference you'll learn how to participate and compete for funding in these two programs...
MeriTalk's Cyber Security Brainstorm(Washington, DC, USA, June 18, 2014) This second annual event will take place on Wednesday, June 18 2014 at the Newseum in Washington D.C. The event will bring together Federal cyber security experts to share best practices, collaborate on...
Suits and Spooks New York(, January 1, 1970) Not another hacker conference. Suits and Spooks is a unique gathering of experts, executives, operators, and policymakers who discuss hard challenges in a private setting over two days. Suits and Spooks...
SANSFIRE(Baltimore, Maryland, USA, June 21 - 30, 2014) For more than 10 years, the Internet Storm Center has been providing free analysis and warning to our community. SANSFIRE 2014 is not just another training event. It is our annual "ISC Powered" event.
26th Annual FIRST Conference(Boston, Massachusetts, USA, June 22 - 27, 2014) The Forum of Incident Response and Security Teams (FIRST) is a global non-profit organization dedicated to bringing together computer security incident response teams (CSIRTs) and includes response teams...
Gartner Security & Risk Management Summit 2014(National Harbor, Maryland, US, June 23 - 26, 2014) The Gartner Security & Risk Management Summit is the only time when the entire Gartner analyst and security and risk management community come together in one location to bring the latest research, insights...
AFCEA International Cyber Symposium(Baltimore, Maryland, USA, June 24 - 25, 2014) National security is continuously being redefined as awareness of the cyberspace domain evolves. Cyber threats and challenges grow every day. Successfully defending our networks requires a team approach.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.