Heads up, all who produce or trade in oil: Anonymous says it will resume #OpPetrol today. It may fizzle again, or perhaps not: the story is developing.
The lethal (in a business sense) attack on Code Spaces (see yesterday's issue for discussion and links) contains useful if discouraging lessons. The online collaboration platform was probably a target of opportunity, simply proving softer than other marks the criminals prospected. It's also worth reviewing your own security practices if you use a service like Amazon EC2: who holds the console credentials, how they are protected, and whether your backups would survive an attacker who holds them. Note the sequence of the attack: it began with denial-of-service, moved to extortion, and ended with data destruction, triggered when the company tried to remediate the compromise of its EC2 credentials. The DDoS itself didn't bring Code Spaces down; they could have handled DDoS. What did was the compromised credentials, and what the attacker could destroy with them.
DDoS incidents are on the rise (both Move and Ancestry.com sustained them this week) and they're increasingly being used in conjunction with other kinds of attack: observers compare them to smokescreens or misdirection.
Columbia University researchers crawl Google Play apps and find, disturbingly, thousands of authentication tokens in source code. Enterprises take note: the finding has implications for your BYOD policy.
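The Columbia finding is the kind of thing a simple scan of your own app source (or decompiled build) can catch before shipping. The following is an added example, not code from the Columbia study or from any project named on this page: it pulls string literals out of Java-style source and flags the ones that either match a credential format we know (an AWS access key ID is "AKIA" plus 16 upper-case alphanumerics) or are long, whitespace-free and high-entropy. The sample source is constructed; the AWS values in it are Amazon's own documented placeholder credentials, and the OAuth-looking token is made up.

```python
import math
import re
from collections import Counter

# Constructed sample of decompiled Android/Java source.  The AWS values are
# Amazon's published placeholder credentials; the OAuth-looking token is made
# up.  None of these is a live secret.
SAMPLE_SOURCE = r'''
public class ApiClient {
    private static final String BASE_URL = "https://api.example.com/v1/";
    private static final String AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
    private static final String AWS_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
    private static final String OAUTH_TOKEN = "ya29.a0AfH6SMBxq3pL9kZ2vWt8yQ4dR7eU1nO6";
    private static final String GREETING = "Welcome back to the application";
}
'''

# Known credential shapes.  Only formats we are sure of: an AWS access key id
# is "AKIA" followed by 16 upper-case alphanumerics.
KNOWN_PATTERNS = {
    "aws_access_key_id": re.compile(r"^AKIA[0-9A-Z]{16}$"),
}

STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
MIN_LEN = 20          # shorter literals are mostly labels and format strings
ENTROPY_BITS = 4.0    # bits per character; random tokens sit well above this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_literal(lit: str):
    """Return a reason string if lit looks like a credential, else None."""
    for name, pat in KNOWN_PATTERNS.items():
        if pat.match(lit):
            return name
    # Entropy heuristic: long, whitespace-free, high-entropy.  URLs are
    # skipped explicitly because path separators push their entropy up.
    if len(lit) >= MIN_LEN and not re.search(r"\s", lit) and "://" not in lit:
        if shannon_entropy(lit) >= ENTROPY_BITS:
            return "high_entropy"
    return None


def scan_source(text: str):
    """Scan source text, returning (line_no, literal, reason) for each hit."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in STRING_LITERAL.finditer(line):
            reason = classify_literal(m.group(1))
            if reason:
                hits.append((line_no, m.group(1), reason))
    return hits


if __name__ == "__main__":
    for line_no, lit, reason in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {reason:18s} {lit}")
```

The two rules complement each other: the AWS key ID has fairly low entropy (3.7 bits per character) and is caught only by its known prefix, while the secret key and the OAuth-style token have no fixed shape and are caught only by entropy. Run it over a decompiled APK's sources and triage the hits; expect false positives from base64 blobs and hashes, which is why the output carries the reason for each flag.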
Servers containing Supermicro motherboards are found broadcasting admin passwords in the clear.
More bad news on user security slackness: researchers at Carnegie Mellon, Penn State, and NIST find that many, in fact most, subjects in an experiment were willing to download an unknown executable when offered a small payment (a dollar or less).
California and Missouri court decisions send diverse messages about banks' liability for customer data loss.
Today's issue includes events affecting Brazil, Canada, China, Colombia, France, Germany, Israel, Italy, Kuwait, Qatar, Russia, Saudi Arabia, United Arab Emirates, United Kingdom, United States.
DDoS Attack Puts Code Spaces Out of Business(PC) CodeSpaces.com closed its doors this week, following a 12-hour security breach that completely wiped its servers. Days after Feedly and Evernote were briefly forced offline by hackers demanding a ransom payment, a code-hosting service was run out of business by a similar scheme
Code Spaces Probably A 'Target of Opportunity'(Security Ledger) The spectacular collapse this week of Code Spaces, a cloud-based code repository, may have been the result of an unspectacular "opportunistic" hack, rather than a targeted operation, according to one cloud security expert
Move says cyberattack caused realtor.com and Top Producer outages(Inman News) Access to realtor.com and Top Producer remains spotty. A "distributed denial of service attack" bombarded realtor.com and other websites operated by Move Inc. with "massive amounts of traffic," causing the extended outages experienced Wednesday, Move said in a statement
At least 32,000 servers broadcast admin passwords in the clear, advisory warns(Ars Technica) Exploiting bug in Supermicro hardware is as easy as connecting to port 49152. An alarming number of servers containing motherboards manufactured by Supermicro continue to expose administrator passwords despite the release of an update that patches the critical vulnerability, an advisory published Thursday warned
Yet Another BMC Vulnerability (And some added extras)(CARISIRT) After considering the matter for the past 6 months while continuing to work with Supermicro on the issues, I have decided to release the following to everyone. On 11/7/2013, after reading a couple articles on the problems in IPMI by Rapid7's HD Moore (linked at the end), I discovered that Supermicro had created the password file PSBlock in plain text and left it open to the world on port 49152
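If you run Supermicro boards, the practical question is which of your BMCs still serve that file. The following is an added example, not code from the CARISIRT advisory or from Supermicro: it requests the file over the port the advisory names and extracts printable runs from whatever comes back, the way `strings(1)` would, so you can see at a glance whether credentials are legible. The request path `/PSBlock` is this example's assumption (the page names the file and the port, not the URL), and the sample blob is constructed, not captured from a real BMC.

```python
import http.client
import re

PSBLOCK_PORT = 49152
# Assumed request path: the advisory names the file PSBlock and port 49152;
# serving it at the web root under that name is this example's assumption.
PSBLOCK_PATH = "/PSBlock"

# Constructed sample of what an exposed binary blob with embedded plaintext
# credentials can look like: printable runs separated by padding bytes.  It is
# made up for this example, not captured from a real BMC.
SAMPLE_BLOB = (b"\x00" * 8 + b"ADMIN" + b"\x00" * 11 + b"SuperSecret123" + b"\x00" * 6
               + b"\x01\x02" + b"operator" + b"\x00" * 8 + b"Welcome1!" + b"\x00" * 4)


def printable_runs(blob: bytes, min_len: int = 4):
    """Extract printable-ASCII runs of at least min_len bytes, like strings(1)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def fetch_psblock(host: str, port: int = PSBLOCK_PORT, timeout: float = 3.0):
    """GET the PSBlock file from a BMC; return its bytes, or None if not served."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", PSBLOCK_PATH)
        resp = conn.getresponse()
        body = resp.read()
        conn.close()
    except (OSError, http.client.HTTPException):
        return None
    return body if resp.status == 200 and body else None


def assess(blob):
    """Classify a retrieved blob: not served, served but opaque, or leaking strings."""
    if blob is None:
        return "not_exposed", []
    runs = printable_runs(blob)
    return ("leaks_plaintext" if runs else "exposed_but_opaque"), runs


def check_host(host: str):
    """Verdict and any legible strings for one BMC address."""
    return assess(fetch_psblock(host))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for h in sys.argv[1:]:
            verdict, runs = check_host(h)
            print(h, verdict, runs)
    else:
        # Offline demonstration on the constructed blob.
        print(assess(SAMPLE_BLOB))
```

Run it only against BMC addresses you own, from the management network, and treat any `leaks_plaintext` verdict as a credential compromise: firmware update, then rotate every account on that BMC. A `not_exposed` result on a default timeout is a connection failure as much as a clean bill, so recheck hosts that time out.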
Uh-oh, Yo has major security flaws(Quartz) Yo, the mobile messaging app that quickly rose to popularity this week with a bewilderingly simple premise — the only message it can send is "yo" — has a lot more than that lurking beneath its surface
Slow internet? Maybe you have one of 120,000 vulnerable broadband routers(Sydney Morning Herald) Is your home internet running slow? Is your monthly internet bill larger than you expected? Perhaps your home broadband router is one of the 120,000 used by Australians that is vulnerable to a new type of scam being leveraged by criminals who use them to launch cyber attacks
Prank URL Shortening Service is Good Security Basics Reminder(Infosec Island) Many of us use URL shortening services on a daily basis, especially when dealing with short form communication tools such as Twitter. Of course, it pays to be vigilant when presented with a shortening service link. While it's a useful tool to have, there have always been issues with regards to your possible final destination
Cybercriminals Zero In on a Lucrative New Target: Hedge Funds(New York Times) They say crime follows opportunity. Computer security experts say hedge funds, with their vast pools of money and opaque nature, have become perfect targets for sophisticated cybercriminals. Over the past two years, experts say, hedge funds have fallen victim to targeted attacks. What makes them such ripe targets is that even as hedge funds expend millions in moving their trading operations online, they have not made the same investment in security
Security Patches, Mitigations, and Software Updates
And now a word from the people invading your privacy(Quartz) Last week, as we reported, Apple made a tiny technical change that could make it more difficult for marketers to spy on you. The company changed a setting that broadcasts an iPhone's Media Access Control (MAC) address to any Wi-Fi network within range. Businesses use this to identify a phone and figure out how many times its owner has been in a shop and for how long, or where in the shop she is browsing. The change is that in iOS 8, the iPhone's new operating system due out later this year, your Apple device will broadcast a random "fake" MAC address, which will make tracking somewhat more difficult, unless you actually connect it to a Wi-Fi network
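The tracking the article describes works because a phone's probe requests carry a stable MAC that a shop's Wi-Fi sensors can log and correlate across visits. The following is an added example, not code from the article or from Apple: it takes a constructed probe-request log, groups sightings into visits per device, and separates globally unique (burned-in) addresses from locally administered ones. The one fact it relies on is the IEEE 802 convention that bit 0x02 of the first octet marks a locally administered address, which is what randomised addresses in general set; nothing here claims how iOS 8 picks its addresses. The log format is this example's assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed probe-request log, one "ISO-timestamp MAC" record per line, the
# sort of thing a retail Wi-Fi sensor keeps.  Made up for this example.
SAMPLE_LOG = """\
2014-06-19T09:01:12 a4:5e:60:11:22:33
2014-06-19T09:02:40 a4:5e:60:11:22:33
2014-06-19T13:45:05 a4:5e:60:11:22:33
2014-06-20T10:15:00 a4:5e:60:11:22:33
2014-06-19T09:03:10 da:1b:2c:3d:4e:5f
2014-06-19T09:03:55 f2:aa:bb:cc:dd:ee
2014-06-19T09:04:30 0e:11:22:33:44:55
2014-06-20T10:20:00 c8:bc:c8:77:88:99
"""


def is_locally_administered(mac: str) -> bool:
    """IEEE 802: bit 0x02 of the first octet marks a locally administered
    address.  Randomised addresses set it; a burned-in vendor address has it clear."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def visits_per_device(log: str, gap: timedelta = timedelta(hours=1)):
    """Group sightings per MAC into visits separated by at least `gap`.

    Returns {mac: (visit_count, trustworthy_identifier)} where the flag is
    False for locally administered addresses, which may change between visits
    and so cannot be counted as the same device."""
    sightings = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, mac = line.split()
        sightings[mac.lower()].append(datetime.fromisoformat(ts))
    result = {}
    for mac, times in sightings.items():
        times.sort()
        visits = 1
        for prev, cur in zip(times, times[1:]):
            if cur - prev >= gap:
                visits += 1
        result[mac] = (visits, not is_locally_administered(mac))
    return result


def trackable_devices(log: str):
    """Repeat-visit counts for addresses a tracker can rely on: global ones only."""
    return {mac: v for mac, (v, trusted) in visits_per_device(log).items() if trusted}


if __name__ == "__main__":
    for mac, (visits, trusted) in visits_per_device(SAMPLE_LOG).items():
        print(f"{mac}  visits={visits}  {'global' if trusted else 'locally administered'}")
```

In the sample, the one burned-in address shows up on three separate visits, which is exactly the repeat-customer signal the shops are after; the three locally administered addresses each appear once and, as the article puts it, make tracking "somewhat more difficult": each could be a new visitor or the same phone with a fresh address, and the log cannot tell. The caveat the article also gives holds here too: once the phone actually associates to the shop's network, the address it uses there is what gets logged, and the probe-time randomisation no longer helps.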
10 Ways To 'Fix' Cybersecurity(Forbes) Security reporter Byron Acohido and I asked ten cyber-experts to offer up their best ideas for stemming the threats we face when it comes to digital security. Note: Almost every one of them muttered something about there being no silver bullets
What Workplace Privacy Will Look Like In 10 Years(Dark Reading) New laws like Europe's "right to be forgotten" in Google search are just the latest examples of how quickly perceptions and practices about personal privacy in the workplace are changing
Cisco's Acquisition Of ThreatGRID Fine-Tunes Cyber Security Division(GuruFocus) Cisco acquires ThreatGRID, a NYC startup, for an undisclosed sum. ThreatGRID will join SourceFire, acquired last year, in Cisco's bid to expand its role in cyber security. ThreatGRID also helps Cisco realize its dream to offer the Internet of Everything to its clients. This acquisition positions Cisco well as a company to buy as its stock will increase in value
FireEye (FEYE) Taps Mandiant's McGee as Privacy Chief; Forms New Global Privacy Group(StreetInsider) FireEye, Inc. (Nasdaq: FEYE) announced the appointment of Shane McGee as chief privacy officer. McGee, previously general counsel and vice president of legal affairs at Mandiant, will assume responsibility for growing and governing a new global privacy program that will establish data protection standards and lead industry improvement initiatives
CSG Invotas Appoints Paul Dorey to Advisory Board(MarketWatch) CSG Invotas, the enterprise security business from CSG International (NASDAQ: CSGS), today announced the addition of Paul Dorey, Visiting Professor in the Department of Mathematics' Information Security Group at Royal Holloway College, University of London, to its advisory board
Products, Services, and Solutions
TrueCrypt mystery — forking weirder than before(Naked Security) Naked Security readers will be well aware of the great TrueCrypt mystery. TrueCrypt is, or was, a long-running software project that claimed to provide strong encryption software that you could use for free on Windows, Linux and OS X
Pen Testing Payment Terminals: a Step-by-Step How-to Guide(Blog: SANS Penetration Testing) There is a plenitude of payment terminals out there and the design principles vary quite a bit. The ones I have run into in Finland appear to be tightly secured with no attack surface. At first glance, that is. These generally open only outbound connections and use SSL encryption to protect the traffic. Here, I explain why testing a simple, tightly secured payment terminal is not as simple as one might think
Identity theft consequences and tips to stay secure(Help Net Security) In this interview, Tom Feige, CEO of idRADAR, shares alarming identity theft stories, explains the consequences of getting your identity stolen, offers advice to organizations that want to prevent their employees from becoming victims of identity theft, and more
Authorization model for home automation(Help Net Security) Smartphones promise to play an important role in the management and control of Home Automation (HA) solutions. When things and devices have either no or a constrained user interface (UI), the phone's display becomes more and more relevant to managing devices. Additionally, new capabilities for biometric authentication to the phone such as Apple's Touch ID will help secure these management features
Do you have what it takes to Detect and Respond to Targeted Attacks?(Trend Micro Simply Security) With the topic of targeted attacks and advanced threats capturing so much attention as of late, you could be forgiven for some initial scepticism on yet another article on the subject. However, despite the justifiable attention to the topic, the truth is that targeted attacks are a major yet relatively unmanaged threat to your data and intellectual property. Before you develop a list of options to the problem, it is crucial to consider the nature of the problem from the eyes of your adversary… that being the attacker
This Tool Boosts Your Privacy by Opening Your Wi-Fi to Strangers(Wired) In an age of surveillance anxiety, the notion of leaving your Wi-Fi network open and unprotected seems dangerously naive. But one group of activists says it can help you open up your wireless internet and not only maintain your privacy, but actually increase it in the process
Girls Who Code kicks off summer immersion program(SC Magazine) A nonprofit focused on equipping young women for opportunities in tech-related fields has launched its 2014 Summer Immersion Program. Started by the organization, Girls Who Code, the program expects to reach 380 high-school girls in classes throughout New York, Boston, Miami, Seattle and the San Francisco Bay Area
Number of STEM College Degrees and Jobs on the Rise(SIGNAL) Here's a little good news for students who not only are college-bound, but who want to or plan to study in the fields of science, technology, engineering and mathematics, or STEM, according to a government watchdog report
China ardently denies cyberspying accusations(EET India) This is the first of a three-part series examining the fallout on industry from China's alleged cyber spying. Today we review the history, piecing together the evidence that spying has taken place and how costly industrial espionage is. Science writer Kevin Fogarty takes an in-depth look for EE Times. Despite years of accusations and mounting
GCHQ promotes collaborative action(SC Magazine) The IA14 Conference in London on Monday concluded with GCHQ director, Sir Iain Lobban, giving an insight into how GCHQ sees its role protecting and supporting UK citizens, industry and the economy
House backs limits on NSA spying(AP via Fox News) House libertarians and liberals banded together for a surprise win in their fight against the secretive National Security Agency, securing support for new curbs on government spying a year after leaker Edward Snowden's disclosures about the bulk collection of millions of Americans' phone records
House Votes To Cut Key Pursestrings For NSA Surveillance(Wired) The House of Representatives may have only passed a puny attempt to reform the NSA's surveillance activities last month. But on Thursday evening it swung back with a surprising attack on a key element of the agency's spying programs: their funding
Unto the Breach(Slate) The FCC chairman shouldn't make government regulation of cybersecurity seem like a last resort
Pentagon cyber unit wants to 'get inside the bad guy's head'(Washington Post) After several years of planning, the Pentagon's Cyber Command is finally beginning to conduct operations such as tracking adversaries overseas to detect attacks against critical computer networks in the United States, according to a senior defense official
Army aware, but wary of cyber warfare challenges(Fort Leavenworth Lamp) Army senior leaders posit that communications technology is being developed and put into use inside the Army before its vulnerability to cyber-attacks has been fully evaluated
Litigation, Investigation, and Law Enforcement
Bank Not Liable for Customer's $440,000 Cybertheft(CIO) A Missouri escrow firm that lost $440,000 in a 2010 cyberheist cannot hold its bank responsible for the loss, an appeals court said this week, affirming a lower court's previous ruling on the issue
Oil Co. Wins $350,000 Cyberheist Settlement(Krebs on Security) A California oil company that sued its bank after being robbed of $350,000 in a 2011 cyberheist has won a settlement that effectively reimbursed the firm for the stolen funds
FCC issues largest fine in history to company selling signal jammers(The Verge) The Federal Communications Commission is laying down its largest fine ever against a Chinese retailer that's allegedly been selling hundreds of models of illegal signal jammers over at least the past two years. The online retailer, CTS Technology, is being given a fine of $34.9 million, the maximum that the FCC can issue in this instance
Google forced to e-forget a company worldwide(Naked Security) Likely inspired by Europeans winning the right to be forgotten in Google search results last month, a Canadian court has ruled that Google has to remove search results for a Canadian company's competitor, not just in Canada but around the world
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
Detroit SecureWorld(Detroit, Michigan, USA, September 9 - 10, 2014) Two days of cyber security education and networking. Earn 12-16 CPE credits, network with industry peers, and take advantage of more than sixty educational events. Over the past decade SecureWorld has...
St. Louis SecureWorld(location and dates not listed) Offering two days of cyber security education. Earn 12-16 CPE credits, network with industry peers, and take advantage of more than sixty educational events. Over the past decade SecureWorld has emerged...
Indianapolis SecureWorld(Indianapolis, Indiana, USA, October 1, 2014) A day of cyber security education. Earn 6-8 CPE credits, network with industry peers, and take advantage of more than thirty educational events. Larry Ponemon, Chairman and Founder of the Ponemon Institute,...
Denver SecureWorld(Denver, Colorado, USA, October 16, 2014) A day of cyber security education. Earn 6-8 CPE credits, network with industry peers, and take advantage of more than thirty educational events. Over the past decade SecureWorld has emerged as one of North...
Dallas SecureWorld(Dallas, Texas, USA, October 29 - 30, 2014) Offering two days of cyber security education. Earn 12-16 CPE credits, network with industry peers, and take advantage of more than sixty educational events. Over the past decade SecureWorld has emerged...
Bay Area SecureWorld(Santa Clara, California, November 5, 2014) A day of cyber security education. Earn 6-8 CPE credits, network with industry peers, and take advantage of more than thirty educational events. Over the past decade SecureWorld has emerged as one of North...
Seattle SecureWorld(Seattle, Washington, USA, November 12 - 13, 2014) Offering two days of cyber security education. Earn 12-16 CPE credits, network with industry peers, and take advantage of more than sixty educational events. Over the past decade SecureWorld has emerged...
Suits and Spooks New York(location and dates not listed) Not another hacker conference. Suits and Spooks is a unique gathering of experts, executives, operators, and policymakers who discuss hard challenges in a private setting over two days. Suits and Spooks...
SANSFIRE(Baltimore, Maryland, USA, June 21 - 30, 2014) For more than 10 years, the Internet Storm Center has been providing free analysis and warning to our community. SANSFIRE 2014 is not just another training event. It is our annual "ISC Powered" event.
26th Annual FIRST Conference(Boston, Massachusetts, USA, June 22 - 27, 2014) The Forum of Incident Response and Security Teams (FIRST) is a global non-profit organization dedicated to bringing together computer security incident response teams (CSIRTs) and includes response teams...
Gartner Security & Risk Management Summit 2014(National Harbor, Maryland, US, June 23 - 26, 2014) The Gartner Security & Risk Management Summit is the only time when the entire Gartner analyst and security and risk management community come together in one location to bring the latest research, insights...
AFCEA International Cyber Symposium(Baltimore, Maryland, USA, June 24 - 25, 2014) National security is continuously being redefined as awareness of the cyberspace domain evolves. Cyber threats and challenges grow every day. Successfully defending our networks requires a team approach.
2nd Annual Oil & Gas Cyber Security Conference(Houston, Texas, USA, July 15 - 17, 2014) This highly interactive, hands-on forum will break down each potential cyber threat specific to the oil and gas industry, as well as tackle key issues including managing communication between OT and IT...
SINET Innovation Summit(New York, New York, USA, August 6, 2013) The purpose of the Innovation Summit is to reinvigorate public private partnership efforts and increase relationships between industry, government and academia that fosters sharing of information and collaboration...
Security Startup Speed Lunch DC(Washington, DC, USA, July 22, 2014) Our goal is to connect the most promising security startups in the world with decision-makers at aerospace, asset-management, banking, communications, defense, energy, healthcare, government, technology...