Andris Razans, Latvia's ambassador to the US, and Jarno Limnell, an alumnus of Finland's military (now directing cyber security for Intel Security) both offer Breaking Defense a neighbors perspective on Russian cyber operations. The immediate occasion of their remarks is ongoing operations against Ukraine and other targets in the near abroad. Limnell describes the phases one should expect: (1) state-directed patriotic hacktivism—denial-of-service, minor espionage, etc., (2) information operations—marketing in battledress, and (3) sophisticated malware "sleeping" in critical infrastructure. He also deprecates any distinction between cyberwar and war: activities in cyberspace, he observes, are among the "other means" of pursuing political ends Clausewitz defined as war.
The Syrian Electronic Army is back, telling CSO and IDG that their brushes with the Assad-supporting (and supported) cyber gang were unauthorized individual hacks, but that the media outlets' cold response has now made them legitimate targets.
OpenSSL has more problems, the latest revealed by AVG, which announces a CCS injection vulnerability. Users are again advised to patch.
Observers offer insight into cyber underground life. Anonymous, as many note, has undergone a long string of fizzles in its announced operations. Analysts wonder whether the collective is in irreversible decline or about to resurge. The World Cup may tell, but in the meantime, what is one to make of the two Anonymous Verified Badges that have appeared on Facebook? Former Silk Road staffers give the alleged Dread Pirate Roberts mixed reviews (but some love) as a boss.
Tomorrow is Patch Tuesday. Seven Microsoft bulletins are expected.
Today's issue includes events affecting Australia, Austria, Brazil, China, Czech Republic, Denmark, Estonia, European Union, Finland, France, Germany, Hungary, India, Iran, Italy, Latvia, Lithuania, Montenegro, Netherlands, Pakistan, Poland, Turkey, Saudi Arabia, Spain, Sweden, Syria, United Kingdom, United States, and Vietnam..
the CyberWire will provide special coverage of tomorrow's Cyber 5.0 Conference in Howard County, Maryland. We'll be live Tweeting from the event, then following up with a special issue Wednesday.
Some Governments Have Backdoor Access to Listen in on Calls, Vodafone Says(Wired) An undisclosed number of countries have direct backdoor access to the communications passing through the network of telecommunications giant Vodafone, without needing to obtain a warrant, according to a new transparency report released by the company. In these countries, the company noted, Vodafone "will not receive any form of demand for lawful interception access as the relevant agencies and authorities already have permanent access to customer communications via their own direct link"
Aadhaar Data Minefield Threatens to Blow Up in Government's Face(New Indian Express) Your biometric and biographic data collected by Unique Identification Authority of India (UIDAI) for the 12-digit unique Aadhaar number could well be at Fort Meade, the headquarters of NSA, the US spy agency. Intelligence agencies that had forewarned the government two years ago about the vulnerability of Aadhaar data due to involvement of foreign players are livid over latest NSA disclosures that reveal the US is prying on biometric database
NSA Tried to Gain Access to Pakistani Government Database(News Pakistan) The serial on the long tentacles of the National Security Agency (NSA) continues to grow. The NSA intercepts million of people face images circulating on the internet and used for facial recognition software for intelligence, as published on Sunday the New York Times from 2011 documents stolen by Edward Snowden. It is also revealed that NSA tried to access government databases in Pakistan, Iran and Saudi Arabia
AVG reveals yet another OpenSSL security flaw(Beta News) OpenSSL, which runs on the servers for many websites, has been having a rough time in recent weeks. We all learned of the near fatal flaw named Heartbleed, which affected quite a number companies and services on the web. Now a new, albeit less severe, flaw has been discovered. Security researchers at AVG have unveiled what they are calling CCS Injection, which the company terms a vulnerability, but points out that it is not easily taken advantage of
efax Spam Containing Malware(Internet Storm Center) Beware of efax that may come to your email inbox. This week I receive my first efax spam with a source address of "Fax Message […]" which contained a link to www. dropbox. com that contained malware. The link has since been removed
After Godzilla attack, US warns of traffic-sign hackers(Times of India) After hackers played several high-profile pranks with traffic signs, including warning San Francisco drivers of a Godzilla attack, the US government advised operators of electronic highway signs to take "defensive measures" to tighten security
Is Anonymous Dead, or Just Preparing to Rise Again?(Wired) The hacker collective Anonymous and its factions LulzSec and AntiSec drew widespread attention between 2008 and 2012 as they tore loudly through the internet ruthlessly hacking websites, raiding email spools, exposing corporate secrets and joining the fight of the 99 percent. The groups seemed unstoppable as they hit one target after another, more than 200 in all by the government's count. It seemed no one was beyond their grasp
iPhone users in VN safe from recent hacker attacks(VietNamNet) Millions of iPhone users in Vietnam can sigh with relief as BKAV, the best known internet security solution provider in Vietnam, has said that users were not hurt by hacking of many iPhone users in Australia and the US
Two Big Anonymous Hacktivist Pages on Facebook get Verified Badges(HackRead) While surfing Facebook, you must have seen a blue badge indicating verified pages and profiles of famous people such as celebrities, journalists and politicians etc, but looking at verified pages of Anonymous hacktivists was something totally unexpected
Bulletin (SB14-160) Vulnerability Summary for the Week of June 2, 2014(US-CERT) The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information
Security Patches, Mitigations, and Software Updates
WordPress Promises SSL on All Domains by End of 2014(Threatpost) The movement by technology companies to encrypt their respective corners of the Internet continues to gain steam as more and more are enabling SSL and other encryption technologies such as Perfect Forward Secrecy to ward off surveillance and enhance the privacy and security of user data
What we learned from Edward Snowden(Naked Security) Edward Snowden now holds a permanent place in the pantheon of US national security leakers, alongside the likes of Daniel Ellsberg, Julian Assange, and Chelsea Manning
Data Breach Roundup: May 2014(eSecurity Planet) Third-party vendors played a significant part in a handful of data breaches in May. This is why, experts say, companies must ensure vendors are careful with their data
Most people have done nothing to protect their privacy(Help Net Security) Over 260 million people have been victims of data breaches and increased risk of identity theft since the Target revelations, yet nearly 80 percent have done nothing to protect their privacy or to guard their financial accounts from fraud, according to idRADAR
GAO Questions IT Security at U.S. Ports(GovInfoSecurity) The Department of Homeland Security hasn't done enough to secure the IT systems that manage American ports, Congressional auditors say in a new report
The backlash over Snowden could hurt US firms(Microscope) Netscape founder Marc Andreessen has hit the headlines for his comments in a recent interview with CNBC where he labelled Edward Snowden "a traitor". He went further, adding that if someone looked up 'traitor' in the encyclopaedia, they would find a picture of Ed Snowden: "Like he's a textbook traitor. They don't get much more traitor than that"
Stop snooping or face consequences: Microsoft, other tech giants warn U.S. gov't(Tech Times) Microsoft's top lawyer Brad Smith wrote a rather fiery blog post that challenged the U.S. government to "reduce the technology trust deficit it has created." Specifically, Smith wants the government to stop forcing technology companies to provide data about customers outside the U.S., end the bulk collection of phone communications data, reform the Foreign Intelligence Surveillance Court, vow to stop hacking private systems, and reinforce its efforts to increase transparency and privacy protection
Fresh responses emerging to banking security(Microscope) A couple of IT security companies, Tempest Security Intelligence of Brazil and Norwegian company Protectoria, who have ambitions to grow in this country got together at techUK's London HQ to focus on innovations targeting financial institutions
Edward Snowden threw a bucket of hot water on Scandinavia's quest to house the world's data(Quartz) Warmer summers aren't the only thing marching into the Arctic these days—more hot, server-filled data centers are on the way as well. As more companies look to take advantage of colder climates and chilly water to lower the cooling costs of running thousands of servers at full capacity, Scandinavian countries are positioning themselves as data-center locations of choice. However, the geopolitics of surveillance, data privacy and cross-border conflict are melting what were recently relatively calm relations among northern neighbors
FIFA World Cup: Trend Micro goes on offensive to defend fans from Cyber threats(Financial Express) Trend Micro, a global developer of security software solutions, is actively working to help defend against cyber threats related to the 2014 FIFA World Cup Brazil. As the international soccer tournament kicks off on June 12, global attention will be focused on Brazil and the pageantry and spectacle of one of the most popular sporting events
Finmeccanica Opens Cyber Defense Center(Defense News) Italy's Finmeccanica has beefed up its presence in the growing cybersecurity business by opening a cyber attack monitoring and prevention center in central Italy, using a super computer with the power of 30,000 desktop PCs
Steps taken to bring TrueCrypt back to life(FierceCIO:TechWatch) TrueCrypt looks set to come back to life, weeks after an ominous warning was put up on its official website that warned against future use of the popular encryption program. At the same time, a new version of TrueCrypt with its ability to encrypt data hobbled was simultaneously uploaded into its official Source Force page
Tripwire and LifeJourney Launch Virtual Cybersecurity Education Initiative(Digital Journal) Tripwire Inc., a leading global provider of risk-based security and compliance management solutions, today announced that it will lead the Tripwire Cybersecurity Risk Manager LifeJourney Experience for the nation's youth. LifeJourney is a web-based, interactive classroom experience that allows students from middle schools, high schools and colleges to test-drive potential cybersecurity careers by enabling them to live a day in the life of one of America's cybersecurity leaders
ShoreGroup Receives ISO 27001 Certification for Managed Service Security(Digital Journal) ShoreGroup today announced that it has received its ISO 27001 (ISO/IEC 27001) Certification for managed service security. The ISO 27001 Certification, published by the International Organization for Standardization, is the leading international standard for measuring information security management systems (ISMS). The certification was granted by BrightLine CPAs and Associates, an ANAB accredited Certification Body based in the United States
Technologies, Techniques, and Standards
Cryptography Is Fun, But Your Business Calls for Encryption(SmartData Collective) While it's pretty impressive that Nicolas Cage found a map on the back of the Declaration of Independence using only lemon juice and a hair dryer in "National Treasure," our 21st-century techniques for encoding and decoding information are a little more sophisticated
Identify stolen credentials to improve security intelligence(Help Net Security) Data is the heart of an organization, and IT security teams are its protectors. Businesses spend billions of dollars per year setting up fortresses to safeguard data from anyone who dare try to take it. The latest forecast from analyst firm Canalys has IT security spending increasing to $30.1 billion by 2017. Despite this investment, data breaches are on the rise
Are you prepared to manage a security incident?(Help Net Security) It's the year of the breach. Adobe, Target and eBay fell victim to cyber-attacks and 2014 has already seen the Heartbleed bug impact the majority of organizations across the globe. With attacks getting more advanced and hackers getting smarter, businesses across all sectors are potential targets. It's a case of when, not if, your company will be hit
Big Data needs a data-centric security focus(Help Net Security) CISOs should not treat big data security in isolation, but require policies that encompass all data silos if they are to avoid security chaos, according to Gartner
Robots can now officially imitate humans(Quartz) A computer that has convinced humans it is a 13-year-old Ukrainian boy has potentially passed a benchmark for artificial intelligence for the first time
Legislation, Policy, and Regulation
Merkel phone tapping claims "noted": Chinese FM(Xinhua via GlobalPost) China has "noted" that Germany has opened an investigation into claims the United States eavesdropped on German Chancellor Angela Merkel's mobile phone conversations, a Chinese Foreign Ministry spokesman said on Friday
Security ties top Tony Abbott's agenda in US(The Australian) Tony Abbott has put national security at the top of the agenda for his visit to the US this week as he meets the nation's military and intelligence chiefs as well as President Barack Obama
Snowden can't hide fact that America needs the NSA(Daily Journal) For six decades, the National Security Agency has been making codes and breaking codes to give the United States and its allies an edge against foreign adversaries. Hundreds of thousands have served this nation faithfully; 173 of them gave their lives in the line of duty. Such efforts have allowed the nation to defeat threats from those who never tire of trying to harm our people, partners, and way of life
Tech Industry Keeps Pressure on Congress for NSA Surveillance Changes(Associations Now) A year after Edward Snowden revealed the U.S. spy agency's bulk collection of phone and internet user data, Congress is working on legislation to rein in those practices. Tech groups are focusing their lobbying efforts on the Senate, saying a measure the House passed is too watered down
Post-Snowden, Silicon Valley Execs Give U.S. Cyberpolicy a D-minus(IEEE Spectrum) Ten years from now, Edward Snowden's disclosures about NSA surveillance programs will be looked upon as 2013's single most important event with respect to the information technology industry. At least that's the view expressed by Pat Gelsinger, CEO of VMWare, who spoke at a panel on the "Silicon Valley State of the State" held last week on VMWare's Palo Alto, California, campus
Senators demand more accountability at NSA(The Hill) A bipartisan group of senators introduced legislation Thursday that aims to strengthen accountability at the National Security Agency by allowing the president to appoint the inspector general
Refinery security bill passes House(Martinez News-Gazette) Legislation authored by U.S. Rep. Mike Thompson (CA-5) to enhance rail and refinery security passed the U.S. House of Representatives as part of H.R. 4681, the Intelligence Authorization Act for Fiscal Years 2014 and 2015. Thompson's legislation requires the Department of Homeland Security Office of Intelligence and Analysis (DHS I&A) to conduct an intelligence assessment of the security of domestic oil refineries and related rail infrastructure, and to make any recommendations it deems appropriate to protect surrounding communities or the infrastructure itself from potential harm
Content of Premarket Submissions for Management of Cybersecurity in Medical Devices(US FDA via FierceMarkets) This guidance has been developed by the FDA to assist industry by identifying issues related to cybersecurity that manufacturers should consider in preparing premarket submissions for medical devices. The need for effective cybersecurity to assure medical device functionality has become more important with the increasing use of wireless, Internet- and network-connected devices, and the frequent electronic exchange of medical device-related health information
Megadata: What happens when politicians can't pronounce 'metadata'(Washington Post) It's no secret that there can be a disconnect between the technical literacy of some lawmakers and the programs they are charged with overseeing. But the disclosures about government surveillance from documents leaked by former National Security Agency contractor Edward Snowden made a few obscure tech terms more popular on the hill
Montenegro amends National Security Law(Balkans.com Business News) At yesterday's session, the Government of Montenegro approved amendments to the Law on the National Security Agency. Measures proposed by the amendments are aimed at improving the legal framework for the Agency's activities in relation to Montenegro's Euro-Atlantic commitments and meeting the requirements for joining NATO Alliance
The CIA Has Joined Facebook and Twitter(Wall Street Journal) The Central Intelligence Agency showed its hipper side Friday, launching its Twitter presence with a cheeky first tweet: "We can neither confirm nor deny that this is our first tweet"
What are the legal obligations to encrypt personal data?(Help Net Security) A new report by UK-based law firm FieldFisher details legal obligations for encryption of personal data resulting from both industry compliance regimes, such as PCI DSS, national laws and local regulations
Snowden Explains Why He Won't Come Home in First U.S. TV Interview(Wired) In his first interview with a U.S. broadcasting company since going public with revelations about NSA surveillance last year, Edward Snowden responded to his critics on a number of topics including addressing accusations that he's working for Russia, that he failed to go through official channels to register his concerns about the NSA before going public and that he's a coward for not returning to the U.S. to face espionage charges
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
Cyber 5.0 Conference(Laurel, Maryland, USA, June 10, 2014) The mission of the Cyber Conference is to provide a forum for small and mid-sized businesses in Howard County and the region to access industry and government leaders with current information on cybersecurity...
NRC Cyber Security Seminar/ISSO Security Workshop(Bethesda, Maryland, USA, June 16, 2014) NRC will be hosting its second NRC Semi-Annual All-Hands ISSO Workshop. This workshop will consist of computer security policy, standards, cybersecurity, guidance, FISMA compliance, and training updates.
SC Congress Toronto(Toronto, Ontario, Canada, June 17 - 18, 2014) SC Congress Toronto is Canada's premier information security conference and expo experience. Join us for this year's SC Congress Toronto on June 17-18, 2014! The two-day gathering brings industry thought...
MeriTalk's Cyber Security Brainstorm (Washington, DC, USA, June 18, 2014) This second annual event will take place on Wednesday, June 18 2014 at the Newseum in Washington D.C. The event will bring together Federal cyber security experts to share best practices, collaborate on...
MeriTalk's Cyber Security Brainstorm(Washington, DC, USA, June 18, 2014) This second annual event will take place on Wednesday, June 18 2014 at the Newseum in Washington D.C. The event will bring together Federal cyber security experts to share best practices, collaborate on...
SANSFIRE(Baltimore, Maryland, USA, June 21 - 30, 2014) For more than 10 years, the Internet Storm Center has been providing free analysis and warning to our community. SANSFIRE 2014 is not just another training event. It is our annual "ISC Powered" event.
26th Annual FIRST Conference(Boston, Massachusetts, USA, June 22 - 27, 2014) The Forum of Incident Response and Security Teams (FIRST) is a global non-profit organization dedicated to bringing together computer security incident response teams (CSIRTs) and includes response teams...
Gartner Security & Risk Management Summit 2014(National Harbor, Maryland, US, June 23 - 26, 2014) The Gartner Security & Risk Management Summit is the only time when the entire Gartner analyst and security and risk management community come together in one location to bring the latest research, insights...
AFCEA International Cyber Symposium(Baltimore, Maryland, USA, June 24 - 25, 2014) National security is continuously being redefined as awareness of the cyberspace domain evolves. Cyber threats and challenges grow every day. Successfully defending our networks requires a team approach.
INSCOM Cyber Day(Fort Belvoir, Virginia, USA, July 9, 2014) Cyber-industry vendors are invited to participate in the upcoming Cyber Day hosted by the United States Army Intelligence and Security Command (INSCOM), located at Ft. Belvoir. U.S. Army Cyber (AR Cyber)...
2nd Annual Oil & Gas Cyber Security Conference(Houston, Texas, USA, July 15 - 17, 2014) This highly interactive, hands-on forum will break down each potential cyber threat specific to the oil and gas industry, as well as tackle key issues including managing communication between OT and IT...
Security Startup Speed Lunch DC(Washington, DC, USA, July 22, 2014) Our goal is to connect the most promising security startups in the world with decision-makers at aerospace, asset-management, banking, communications, defense, energy, healthcare, government, technology...
SPONSOR & SUPPORT
Grow your brand and reach new customers.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.