Colombian authorities continue to round up hackers suspected of gaining illicit access to data concerning government negotiations with FARC.
The Syrian Electronic Army wakes from troubled dreams to hijack Wall Street Journal Twitter accounts and slang security maven Ira Winkler as the real cockroach. (Winkler had called the SEA "cockroaches;" SEA was affronted).
In the UK, MI5 warns systems administrators to expect cultivation, compromise, and recruitment by sparrows and ravens—attractive foreign intelligence agents of appropriate gender. The sheer novelty of the experience is thought to render it particularly effective. The warning is also a useful reminder of how traditional intelligence tradecraft and criminal grifting converge in social engineering. (Compare a LinkedIn catphish's confessions for further insight into the social engineering threat.)
US Federal employees are warned their Thrift Savings Plan accounts may be vulnerable to compromise.
Fresh ransomware (announcing itself with spoofed official warnings as lurid as they are implausible) infests Android.
European telco Orange warns that 1.3 million customers' personal data have been compromised in a breach (the second in three months).
Distributed denial-of-service attacks evolve into misdirection for quieter, more damaging attacks.
US companies retreat from doing security business in Russia as sanctions over Ukraine incursions begin to bite.
Retired US NSA director Alexander follows in his predecessor's media-friendly path. He approves Australia's blocking of Huawei, defends stockpiling of zero-days, and says Snowden may be under Russian control.
Tim Berners-Lee advocates an Internet Magna Carta. Curbs on bulk data collection move closer to a US House vote.
Today's issue includes events affecting Australia, China, Colombia, European Union, France, Germany, Philippines, Russia, Syria, United Kingdom, United States.
Cyber Attacks, Threats, and Vulnerabilities
Colombia raids office that 'spied to undermine peace' (BBC) It is alleged that the emails of President Juan Manuel Santos were also "probably intercepted." Colombian authorities say they have raided an office that illegally spied on rebel and government communication to try to undermine peace talks
Colombian Judge Orders Accused Cyber Spy Held (Latin American Herald Tribune) A man arrested for conducting a clandestine cyber-espionage operation targeting the Colombian government's negotiations with leftist guerrillas will remain in custody pending trial, a judge ordered Wednesday
Confessions of a LinkedIn Imposter: We Are Probably Connected (Tripwire: the State of Security) I have a confession to make. I created a fake profile on LinkedIn and we are probably connected. Curious after receiving several obvious and some not so obvious fake profiles, I did a bit of experimenting creating my own
Feds: You Need to Fix Your TSP Passwords this Weekend (Nextgov) The website of the Thrift Savings Plan, the retirement program for 4.6 million federal employees and retirees, gives identity thieves clues about how to crack users' passwords, some security analysts say
Orange warns of Phishing attacks after data breach (CSO) Orange, Europe's fourth largest telecom, has confirmed reports that personal information for 1.3 million customers has been compromised. The breach is the second one in three months, but notification was delayed so that the company could assess the true scale of the problem
Is DDoS smokescreen for real attacks? (Business-Cloud) When companies come under cyber attack, their primary concern is keeping the business running, but few do a good enough job of examining what happened
Scam Alert: Your Facebook Accounts will be Permanently Disabled (eHackingNews) We have seen large numbers of Facebook posts that promise something, but it turns out to be a scam. Fb users are still believing such posts and blindly following the instructions. So, cyber criminals keep coming up with new themes to trick users
Intelligence-driven security has benefits, but beware its limits (TechTarget) Too often, what firms and vendors consider intelligence-driven security amounts only to threat predictions and is not very worthwhile from a strategy standpoint, according to Kim Jones, Senior Vice President and CSO of payment processing provider Vantiv. Instead, companies need to use security data to drive decision-making in order for it truly to be considered "intelligence-driven," he added
Ghost-Hunting With Anti-Virus (FireEye Blog) In October 2012, data security firm Imperva released a controversial report on the efficacy of anti-virus (AV), which concluded that AV solutions only stopped 5 percent of all malware identified. Few reports in the security industry had been as polarizing as this one—many reacting with white-knuckle rage. It was a classic case of Chris Christensen's "Innovator's Dilemma," where old school technologies cling to life in the face of a new paradigm. Just yesterday, one of the original anti-virus vendors joined the fray in "declaring anti-virus dead" in the Wall Street Journal
Industries on the cyber war front line (Help Net Security) ThreatTrack Security published a study that looks at the security vulnerabilities of two industries most often targeted by cybercrime: energy and financial services
World's Most Advanced Hackers are in Russia and Eastern Europe (Infosecurity Magazine) At Infosecurity Europe 2014, Eleanor Dallaway caught up with Ross Brewer, vice president and managing director for international markets, and Mike Reagan, CMO at LogRhythm, to talk insider threats and the global threat landscape
Tweet your heart out for privacy (ZDNet) Doing what's necessary to protect your own privacy is not easy. Better just to blame someone else for the whole problem. #ResetTheNet!
Steinhafel's departure leaves Target looking for IT redemption (FierceRetailIT) Heads continue to roll at Target (NYSE:TGT) in the wake of its massive data breach. CEO Gregg Steinhafel abruptly resigned, and while Target's data breach wasn't the only reason, it certainly was a contributing factor. Steinhafel's sudden departure helps reinforce the growing importance of IT security and systems in the upper reaches of the executive offices
Cyber Insurance Goes Mainstream as Data Security Threats Prevail (Digital Journal) Solace Insurance comments on multi-million dollar threat, potential reputation loss. Recent extensive data breaches have made it evident that no American business is safe from cyber-attacks — Solace Insurance details the nuances of cyber insurance and the steps necessary to secure coverage
Biz Break: FireEye buys a 'black box' to track hackers' movements (San Jose Mercury News) Today: FireEye follows $1 billion Mandiant acquisition with the purchase of a private firm that records all network traffic to track where the bad guys go and what they do. FireEye added another soldier to its mission of helming the most complete network-security offering Tuesday, acquiring nPulse Technologies for about $70 million to act as its "black box" to record attacks from nefarious hackers
Microsoft, Oracle Likely to Stop Working With Russian Banks Over Sanctions (Moscow Times) Leading U.S. IT companies Microsoft, Oracle, Hewlett-Packard and others may be cutting off services to Russian banks and companies to comply with Washington's sanctions over Russia's actions in Ukraine, spreading the same political anxiety that the banking sector has experienced in recent months into the Russian IT market
NSA spy praises Huawei ban (Australian Financial Review) The recently retired director of the United States National Security Agency says Australia was correct to exclude Chinese telecommunications manufacturer Huawei from helping build the national broadband network because of evidence of Chinese espionage against the nation
4chan launches bug bounty program (Help Net Security) In the wake of the recent data breach that spelled the end of art products Canvas and DrawQuest, 4chan founder and owner Chris "moot" Poole has announced that they will be launching the 4chan Vulnerability Disclosure Program
Big Data Security Visionary Joins ThreatStream to Lead Data Strategy (Broadway World) ThreatStream, a next generation cyber intelligence company that enables the disruption of cyber attacks in real-time, today announced the appointment of big data security luminary Jason Trost (formerly with Endgame, Inc.) to lead its data science vision
McAfee's Back, With Chadder (InformationWeek) Embattled antivirus pioneer John McAfee backs Chadder, an app that promises private communications through server encryption
Seagate Wireless Plus offers advanced cloud backup (Help Net Security) The Seagate Wireless Plus mobile device storage now consists of a family of capacities at 500GB, 1TB and 2TB versions to suit every need, along with integration with cloud services such as Dropbox and Google Drive
Tor Browser v3.6 Released (ToolsWatch) The Tor Browser Bundle lets you use Tor on Windows, Mac OS X, or Linux without needing to install any software. It can run off a USB flash drive, comes with a pre-configured web browser to protect your anonymity, and is self-contained
Technologies, Techniques, and Standards
Blinding users to URLs: Good or bad for security? (CiteWorld) The URL, or Uniform Resource Locator, has always felt like a leftover from the early age of the commercial Internet, an inelegant address for a specific website or (more inelegantly) a specific website page
Improving the URL bar (Jake Archibald) iOS has hidden the pathname of URLs for some time now, but recently Chrome Canary introduced something similar behind a flag. I'm not involved in the development of the Chrome experiment at all, but I've got more than 140 characters' worth of opinion on it
Security Slice: the Botnet Wars (Tripwire: the State of Security) ZeuS is one of the most infamous botnets in information security history, but recently a researcher by the name of Xylitol uploaded a video revealing how to successfully exploit a bug in ZeuS in less than sixty seconds. According to Xylitol: "ZeuS is one of the most popular botnets, it's naturally a good hacking target." Who's going to take advantage of the security vulnerabilities in cybercrimeware?
Data Center Security Lessons from Heartbleed and Target (Data Center Knowledge) Data center security is of increasing concern, with data breaches and cyber vulnerabilities more and more in the news headlines. Symantec's recent threat report highlighted more "zero day" attacks in 2013 than in the two previous years combined. Verizon's Data Breach Investigations Report shows data breaches and cyber attacks at levels substantially above previous years
It's World Password Day: Change your passwords (Help Net Security) Today (May 7) is World Password Day — a day dedicated to promoting the use of strong passwords and the creation of good habits when it comes to choosing passwords. However insecure this method of authentication is, it's not going away anytime soon, and people should be educated on how to make the best of it
NSA funds 'science of cybersecurity' research (FCW) The National Security Agency is funding the creation of small laboratories — "lablets" in NSA vernacular — that will support research into the science of cybersecurity at four major universities
Legislation, Policy, and Regulation
Tim Berners-Lee: Worldwide web Magna Carta by 2015 (ComputerWeekly) The founder and inventor of the worldwide web, Tim Berners-Lee, has repeated his call for a bill of rights or Magna Carta for the internet, and urged mass action to achieve it in the face of powerful opposing interests
EU Data Protection Regulation: Detection is the best prevention (Help Net Security) The UK government recently published guidelines for companies covering the five basic controls that businesses must follow to ensure a minimum level of protection. The goal of this 'Cyber Security Implementation Profile' is to serve as notice that all companies must ensure that they have defenses in place to protect their intellectual property and the consumer data that they hold. This mirrors similar efforts across the EU. In March the EU parliament voted to implement a new Data Protection Regulation which will seek to eliminate the legal differences in data protection across EU countries
A Bill Drastically Curbing the NSA's Powers Moves a Step Forward (Mashable) A bill to curb the NSA's surveillance powers, including ending its bulk metadata collection program, is moving forward after a House committee voted unanimously in its favor during a markup session on Wednesday. The bill is now one step closer to a floor vote by the full House of Representatives
Former NSA Chief Defends Stockpiling Software Flaws for Spying (Wired) The NSA has never said much about the open secret that it collects and sometimes even pays for information about hackable flaws in commonly used software. But in a rare statement following his retirement last month, former NSA chief Keith Alexander acknowledged and defended that practice. In doing so, he admitted the deeply contradictory responsibilities of an agency tasked with defending Americans' security and simultaneously hoarding bugs in software they use every day
The Way the NSA Uses Section 702 is Deeply Troubling. Here's Why. (Electronic Frontier Foundation) The most recent disclosure of classified NSA documents revealed that the British spy agency GCHQ sought unfettered access to NSA data collected under Section 702 of the FISA Amendments Act. Not only does this reveal that the two agencies have a far closer relationship than GCHQ would like to publicly admit, it also serves as a reminder that surveillance under Section 702 is a real problem that has barely been discussed, much less addressed, by Congress or the President
Tales of the Cyber Underground: A Hacker's Life Inside (Infosecurity Magazine) In the latest Tales of the Cyber Underground instalment, Tom Brewster ponders the effect that jail time has on convicted hackers, and talks to cybercriminals who have served prison sentences about their experiences
No, McAfee didn't violate ethics scraping OSVDB (Errata Security) My twitter feed is full of people retweeting this claim that McAfee (the company) violated ethics by scraping [OSVDB]. This is completely wrong: McAfee violated no ethics (nor law)
DEA settles suit alleging government lie-detector abuses (McClatchy) The Drug Enforcement Administration has agreed to pay 14 contractors $500,000 to settle a lawsuit that accuses the agency of illegally requiring them to undergo highly intrusive lie detector tests to keep their jobs as translators
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
US Secret Service Cybersecurity Awareness Day (Washington, DC, May 8, 2014) This Cybersecurity event will be the first of its kind at the USSS. There will be 2-3 opportunities for participating companies to present a 1/2 hour presentation on a Cybersecurity topic of concern to...
HackMiami 2014 (Miami Beach, Florida, USA, May 9 - 11, 2014) The HackMiami 2014 Hackers Conference seeks to bring together the brightest minds within the information security industry and the digital underground. This conference will showcase cutting edge tools,...
ISPEC 2014 (Fujian, China, May 12 - 14, 2014) The ISPEC conference series is an established forum that brings together researchers and practitioners to provide a confluence of new information security technologies, including their applications and...
GovSec 2014 (Washington, DC, USA, May 13 - 14, 2014) GovSec is the nation's premier event for Government, Homeland Security, and Law Enforcement professionals looking for proven strategies and cost effective technology so they can achieve their mission of...
CyberWest (Phoenix, Arizona, USA, May 13 - 14, 2014) Cyber threats affect all industry sectors and impact individuals, businesses and governments. From hacktivists to advanced persistent threats, conducting business on-line exposes individuals, corporations...
FOSE Conference (Washington, DC, USA, May 13 - 15, 2014) Spend 1 day or 3 days at the FOSE conference and leave with actionable information, covering a broad spectrum of trending topics including: Cybersecurity, Cloud and Virtualization, Mobile Government,...
Fraud Summit (Chicago, Illinois, USA, May 14, 2014) From account takeover to payment card fraud and the emerging mobile threatscape, the ISMG Fraud Summit series is where thought-leaders meet to exchange insights on today's top schemes and the technology...
Security BSides Denver 2014 (Denver, Colorado, USA, May 16, 2014) Each BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of...
Security Start-up Speed Lunch NYC (New York, New York, USA, May 19, 2014) Our goal for this inaugural event is to connect the most promising security startups in the world with decision-makers at aerospace, asset-management, banking, communications, defense, energy, healthcare,...
CEIC 2014 (Las Vegas, Nevada, USA, May 19 - 22, 2014) It's no exaggeration to say that CEIC is the biggest digital-investigations conference of its kind and the only one to offer hands-on lab sessions and training for practical skills development. From sessions...
The Device Developers' Conference: Bristol (Bristol, England, UK, May 20, 2014) The Device Developers' Conference is an annual UK event for the developers of intelligent systems and devices. The objective is to provide an event that provides engineers with an opportunity to learn...
Mobile Network Security in Europe (London, England, UK, May 21, 2014) Following on from two successful events in the United States, this first Light Reading conference on Mobile Network Security in Europe will again focus on the key role of the network in safeguarding the...
CyberMontgomery (Rockville, Maryland, USA, May 22, 2014) Montgomery County, MD is home to over 18 federal agencies including NIST, FDA, NOAA, and the National Cybersecurity Center of Excellence (NCCoE). NCCoE is an exciting addition to Montgomery County's growing...
The Device Developers' Conference: Cambridge (Cambridge, England, UK, May 22, 2014) The Device Developers' Conference is an annual UK event for the developers of intelligent systems and devices. The objective is to provide an event that provides engineers with an opportunity to learn...
CyberMontgomery Forum: Center of Gravity (Rockville, Maryland, USA, May 22, 2014) Cybersecurity will be a major growth engine in the region for many years to come. With solid federal government, industry and academic assets already in place in the region, there is still a need to bring...