Trend Micro warns of a new phishing campaign targeting online shoppers. (They're calling it "Operation Huyao," and trace it to actors in China, but without further attribution.) Unlike traditional phishing, Huyao doesn't depend upon creating a plausible simulacrum of a legitimate site. Instead of creating and posting a bogus copy of a site, the campaign uses proxies as relays to legitimate sites, modifying pages only when (and as long as) information theft is required.
Other developments in the criminal cyber market include the effective recycling of well-known techniques and exploits (highlighting the importance of not forgetting old lessons learned the hard way), and the very rapid and inexpensive trade in attack code — the collision attack against the MD5 algorithm, for example, was on the market within ten hours of the relevant Windows update, and it cost just 65 cents. Other corners of the black market are making it easier for semi-skilled skids to deploy and profit from ransomware.
Apple continues to deal with customer dissatisfaction over their Macs' insouciant way of sending sensitive documents to iCloud without so much as a by-your-leave (other than whatever might be implied by a EULA).
The Hacking Team defends its lawful intercept products and its customers' need for them.
The US elections prompt many to worry about the security of electronic voting devices. This election's results were probably unaffected, but clearly this will be a research topic.
Calling for a modus vivendi, Microsoft's general counsel deplores the "privacy arms race" between governments and IT companies.
Today's issue includes events affecting Australia, Canada, China, Ethiopia, Republic of Korea, Netherlands, New Zealand, Russia, United Kingdom, United States.
Dateline Columbia, Maryland: the National Initiative for Cybersecurity Education conference
Interactive National Cybersecurity Workforce Framework(National Institute for Cybersecurity Careers and Studies) The National Cybersecurity Workforce Framework classifies the typical duties and skill requirements of cybersecurity workers. The Framework is meant to define professional requirements in cybersecurity, much as other professions, such as medicine and law, have done
Rethinking Security Education(IT Business Edge) A new Ernst & Young survey found that companies are willing to spend more money on security for their networks and the devices that connect to them. That's the good news
Science, Technology, Engineering and Math: Education for Global Leadership(US Department of Education) The United States has become a global leader, in large part, through the genius and hard work of its scientists, engineers and innovators. Yet today, that position is threatened as comparatively few American students pursue expertise in the fields of science, technology, engineering and mathematics (STEM) — and by an inadequate pipeline of teachers skilled in those subjects. President Obama has set a priority of increasing the number of students and teachers who are proficient in these vital fields
Virtual Competitions(CS2N) CS2N, or Computer Science Student Network, is your center for Computer Science activities, Computer Science competitions, and courses. CS2N provides step-by-step lessons to make programming easy
New Phishing Technique Outfoxes Site Owners: Operation Huyao(TrendLabs Security Intelligence Blog) We've found a new phishing technique targeting online shopping sites that may significantly change the threat landscape for phishing sites. Conventional phishing sites require an attacker to replicate the targeted site; a more accurate copy is more likely to fool intended victims
Check Mate — Sometimes All You Need Are a Bunch of Pawns(Cyactive) The attackers of the "Operation Pawn Storm" group managed to infiltrate government, military and defense contractor networks of the U.S. and of U.S. allies between 2011-2014, by reusing mainly simple phishing methods and well known malware and exploits
Remote control(Economist) In one of his many former lives, Gulliver qualified as a pilot. He therefore exudes an aura of unquestionable confidence when striding into an aircraft cabin, secure in the belief that, if the worst happens and both pilots have the fish, he could take charge of the cockpit and calmly land the plane, Sullenberger-style. Cue the applause
Wi-Fi security vs. government spies(ComputerWorld) It's one thing to be lectured to about Wi-Fi security and quite another thing to see the actual manuals used by government spies
Hacking Team Responds in Defense of Its Spyware(Intercept) Last week, The Intercept published manuals showing the workings of an invasive spyware tool made by the Italian company Hacking Team and sold to authorities in dozens of countries around the world
Hacking Team Defends Spyware, Attacks Researchers' Methods(Threatpost) Privacy advocates and anti-surveillance activists have been taking a close look at the way that some vendors of so-called lawful intercept and surveillance software and hardware systems conduct their business and which customers and governments they sell their wares to. Now, some of those vendors — and the customers they work with — are mounting their own criticisms of the researchers and their tactics
Lookout releases list of 'relentless' mobile threats(AndroidGuys) Lookout, the guys behind some of our favorite mobile security software, is constantly looking at apps from around the world. In fact, they analyze some 30,000 titles per day, always keeping an eye on things. This week sees them compiling its first list of Relentless Mobile Threats to Avoid. As Lookout sees it, these are the sort of threats that anyone and everyone should be aware of and avoid. Even those living in the United States
9 Cyber Security Threats Faced by Big Businesses(Business2Community) In the wake of the major cyber attack on Target Stores, Inc — and as companies large and small continue to assess the damage and fallout caused by the Heartbleed Bug — the big question in the minds of CIOs everywhere is what will the next big cyber threats be? In answer to that question Verizon recently published its 2014 Data Breach Investigations Report. This 60-page document is based on the compilation and analysis of 63,000 security incidents and 1,300 confirmed data breaches, as reported by some 50 companies worldwide. What follows is a summary of the 9 categories of cyber security threats faced by major businesses, as identified in the Verizon report
Hackers Could Decide Who Controls Congress Thanks to Alaska's Terrible Internet Ballots(The Intercept) When Alaska voters go to the polls tomorrow to help decide whether the U.S. Senate will remain in Democratic control, thousands will do so electronically, using Alaska's first-in-the-nation internet voting system. And according to internet security experts, including the former top cybersecurity official for the Department of Homeland Security, that system is a security nightmare that threatens to put control of the U.S. Congress in the hands of foreign or domestic hackers
227,747 new malware samples are created daily(Help Net Security) The growth of malware appears unstoppable. In total, some 20 million new strains were created worldwide in the third quarter of the year, at a rate of 227,747 new samples every day
Security Patches, Mitigations, and Software Updates
Targeted attacks around the globe will escalate(Help Net Security) Experts from Trend Micro believe that targeted attacks campaigns will continue to multiply in 2015, after cybercriminals had noteworthy breaches via targeted attacks in the U.S
3 Important Trends for ICS/SCADA Systems(Recorded Future) Last week, we presented a webinar with the ICS/SCADA experts from Cimation. Industrial control systems (ICS) are the "nervous systems" that manage facilities and operations, everything from robotic assembly lines to HVAC systems to power plants. SCADA is the data-intensive technology at the heart of a modern factory or refinery. This webinar was an "encore" of the Cimation presentation at RFUN 2014, our annual user conference
Mission Secure closes round of seed financing to commercialize cyber security defense technology(GSN) Charlottesville, VA-based Mission Secure Inc. (MSi), a next generation cyber defense technology and solutions provider focused on providing advanced protections for physical systems and autonomous vehicles to the defense and commercial sectors, has announced that it recently closed its seed financing round led by Ballast Fund investors, a private equity firm, along with several high net worth angel investors
Popular messaging apps fail EFF's security review(IDG via CSO) Some of the most widely used messaging apps in the world, including Google Hangouts, Facebook chat, Yahoo Messenger and Snapchat, flunked a best-practices security test by advocacy group the Electronic Frontier Foundation (EFF)
DTCC unveils cyber-threat sharing platform(Financial News) The Depository Trust & Clearing Corporation has unveiled a cyber-threat intelligence sharing platform, as the financial services sector ramps up its defenses against cybercrime
NIBC gives users compliance controls, mobile access(FierceFinanceIT) Forced to meet new regulations, Netherlands-based merchant bank NIBC needed to prove that it was compliant in the way it managed unstructured data. Doing so led to a project it's rolling out on a department-by-department basis, an effort that provides document and email compliance controls while also allowing employees to better access files from mobile devices
CloudPassage Updates World's Leading Software-Defined Security Platform(Marketwired) CloudPassage today announced the immediate availability of the latest release of Halo®, the only software-defined security platform purpose-built for cloud and virtualized infrastructure. The new capabilities offered in the release make it faster, easier and more effective for Global 2000 companies to detect and react to security vulnerabilities in these environments
Kaspersky top as Bitdefender fails in latest security tests(Expert Reviews) Kaspersky Internet Security remains the top-ranked security program, with Norton Security and ESET Smart Security 7 completing the top three. The biggest loser in the latest round of expert testing was Bitdefender Internet Security, which slipped from fourth best to third from last
'Blur' Protects Against Online Tracking(InformationWeek) New tool blocks companies from tracking you online, lets you mask sensitive information such as email, phone number, and credit card information
Dropbox's Drew Houston Responds To Snowden's Privacy Criticism: It’s A Trade-Off(TechCrunch) NSA whistleblower Edward Snowden sparked controversy when he advised consumers (twice) to "get rid of Dropbox" if they want to protect their privacy. Today, Drew Houston, CEO of the cloud storage startup, responded to the accusations. People can do more to encrypt their data, he admitted, but it's "a trade-off between usability/convenience and security," he said. "We offer people choice"
Technologies, Techniques, and Standards
Marrying Monitoring With IAM(Dark Reading) Prevalence of stolen online credentials and rampant password reuse means enterprises must keep better tabs on how credentials are used
Tool Tip: vFeed(Internet Storm Center) I have had a number of occasions lately to use or talk about vFeed from Toolswatch.org (@toolwatch). NJ's written a little gem here; a useful Python CLI tool that pulls CVEs and other Mitre datasets
Workplace Privacy: Big Brother Is Watching(Dark Reading) Companies may have the right to monitor employees who are checking their bank balances or shopping online on corporate networks. The real question is, should they?
6 things we learned from this year's security breaches(CSO) According to the Open Security Foundation, three out of 10 of the all-time worst security breaches happened this year. That includes 173 million records from the NYC Taxi & Limousine Commission, 145 million records at Ebay, and 104 million records from the Korea Credit Bureau. And that's not counting the 1.2 billion user names and passwords reportedly stolen by Russian hackers, or the 220 million records recently discovered stolen from gaming sites in South Korea
How local school districts are protecting student data(KSHB 41) 41 Action News reported how schools are using computers to collect information about kids so they can better identify problems and help overcome obstacles in their education. The fields include student's names, district, gender, date of birth, social security number, disciplinary history and standardized test scores
Legislation, Policy, and Regulation
British official: U.S. tech 'dominates' the Internet(Longview News-Journal) One of Britain's highest-ranking intelligence officials Tuesday castigated U.S. companies that dominate the Internet for providing the "command-and-control networks of choice for terrorists and criminals" and challenged the companies to find a better balance between privacy and security
Microsoft's top legal gun decries privacy 'arms race'(PC World) The conflict between snooping governments seeking to defeat encryption and users demanding ever more robust privacy tools has turned into an arms race — and it's time for arms control talks, Microsoft's general counsel said on Tuesday
NSA director says major hurdles hinder cybersecurity(USA TODAY) The United States faces major cyber threats. But, according to the director of the National Security Agency, the intelligence community has to overcome major hurdles to protect it, from dealing with the demands of privacy advocates to the inability to pay Silicon Valley-level salaries
Panelists explain US information secrecy(Washington Square News) The modern security state, Edward Snowden's leaks and the National Security Agency have been in the public sphere for over a year, and the debate about secrecy continued with three members of the intelligence community on Nov. 3. The panelists discussed the need to withhold some information when dealing with the public at the event hosted by NYU School of Law's Center on Law and Security
We’ve Got Our Eye On You(Middle East Online) There is a deepening structural conflict over the shape and mastery of digital capitalism. The disparate interests ranged against US corporate and state power have gained momentum, but the United States is set on renewing its global dominance
Staff changes at Cyber Command(FCW) Army Sgt. Maj. David Redmond is replacing Air Force Chief Master Sgt. Kevin Slater as command senior enlisted leader for U.S. Cyber Command and senior enlisted adviser for the National Security Agency
Litigation, Investigation, and Law Enforcement
Appeals Court Takes on NSA Surveillance Case(AP via ABC News) Three federal appeals court judges struggled Tuesday over whether the National Security Agency's phone data surveillance program is an intelligence-gathering tool that makes the nation safer or an intrusive threat that endangers privacy
Another day, another data breach(SC Magazine) Tracking down threat actors is no easy feat, and requires an immense amount of research and collaboration. Home Depot and JPMorgan Chase seem to be the top searches that pop up when one Googles "data breaches." But just when you think a particular breach will snag a headline for weeks, another takes its place in what seems like days
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
Newly Noted Events
INTEROP Las Vegas(Las Vegas, Nevada, USA, April 27 - May 1, 2015) Attend Interop Las Vegas, the leading independent technology conference and expo designed to inspire, inform, and connect the world's IT community. In 2015, look for all new programs, networking opportunities,...
FS-ISAC EU Summit 2014(London, England, UK, November 3 - 5, 2014) The Financial Services Information Sharing and Analysis Center (FS-ISAC), is a non-profit association comprised of financial institution members, that is dedicated to protecting the global financial services...
POC2014(Seoul, Republic of Korea, November 4 - 7, 2014) POC (Power of Community) started in 2006 and has been organized by Korean hackers & security experts. It is an international security & hacking conference in Korea. POC doesn't pursue money. POC concentrates...
Open Source Digital Forensics Conference 2014(Herndon, Virginia, USA, November 5, 2014) This conference focuses on tools and techniques that are open source and (typically) free to use. It is a one day event with short talks packed with information. There are both tool developers and users...
Bay Area SecureWorld(Santa Clara, California, November 5, 2014) A day of cyber security education. Earn 6-8 CPE credits, network with industry peers, and take advantage of more than thirty educational events. Over the past decade SecureWorld has emerged as one of North...
Managing BYOD & Enterprise Mobility USA 2014(San Francisco, California, USA, November 5 - 6, 2014) The Managing BYOD & Mobility USA 2014 conference will provide a unique networking platform, bringing together top executives from USA and beyond. They come together not only to address mobility challenges...
RiseCON 2014(Rosario, Santa Fe, Argentina, November 6 - 7, 2014) Rosario Information Security Conference: the first and largest information security and hacking event held in the city of Rosario, with international standing and reach
Israel HLS 2014(Tel Aviv, Israel, November 9 - 12, 2014) The third International Conference on Homeland Security will bring together government officials, public authorities, and HLS industry leaders from around the world to share their knowledge and experience.
i-Society 2014(London, England, UK, November 10 - 12, 2014) i-Society 2014 is a global knowledge-enriched collaborative effort that has its roots from both academia and industry. The conference covers a wide spectrum of topics that relate to information society,...
Seattle SecureWorld(Seattle, Washington, USA, November 12 - 13, 2014) Offering two days of cyber security education. Earn 12-16 CPE credits, network with industry peers, and take advantage of more than sixty educational events. Over the past decade SecureWorld has emerged...
AVAR 2014 The 17th Association of anti-Virus Asia Researchers International Conference: Security Down Under. Topics will include case studies of targeted attacks, real-life attack demonstrations, web-inject attacks/code...
ZeroNights 2014(Moscow, Russia, November 13 - 14, 2014) ZeroNights is an international conference dedicated to the practical side of information security. It will show new attack methods and threats, showcase new possibilities of attack and defense, and suggest...
Cyber Security Awareness Week Conference(New York, New York, USA, November 13 - 15, 2014) Get ready for CSAW: the largest student-run cyber security event in the nation, with a research conference that attracts some of the biggest names in the industry, and a career fair with an impressive...
Ground Zero Summit, India(New Delhi, India, November 13 - 16, 2014) Ground Zero Summit (GOS) 2014 in its second year promises to be Asia's largest Information Security gathering and proposes to be the ultimate platform for showcasing researches and sharing knowledge in...
Deepsec 2014(Vienna, Austria, November 18 - 21, 2014) DeepSec is an annual European two-day in-depth conference on computer, network, and application security. This is a non-product, non-vendor-biased conference event. Our aim is to present the best research...
BugCON(Mexico City, Mexico, November 19, 2014) BugCON Security Conference is a hardcore technical conference focused on the technical side of security. Running since 2008, BugCON is the oldest forum where researchers, students and professionals show...
Navy Now Forum: Admiral Rogers(Washington, DC, USA, November 19, 2014) Leaders from the Navy will present new initiatives in-depth, providing the audience with a thorough knowledge of the Navy's future plans. During the luncheon, military personnel and industry leadership...
International Cyber Warfare and Security Conference(Ankara, Turkey, November 19 - 20, 2014) In-depth discussions will cover: new emerging threats and challenges on cyber warfare, the policy of leading cyber nations in cyber warfare and security, legal aspects of cyber warfare, industrial perspective...
EDSC 2014(Seattle, Washington, USA, November 20 - 21, 2014) EDSC is a security conference focusing on embedded systems, hardware, and anything behind the silicon curtain. Embedded testing is a rapidly expanding area of the security industry staying current is important...
Cyber Security World Conference 2014(New York, New York, USA, November 21, 2014) Welcome to Cyber Security World Conference 2014 where renowned information security authorities and innovative service providers will bring their latest thinking to hundreds of senior executives focused...
Ethiopia Banking and ICT Summit(Addis Ababa, Ethiopia, November 21, 2014) The one day summit is designed to highlight the key Investment opportunities especially in the Banking & ICT Sectors. As an emerging economic capital for the region, Ethiopia is leading the way in industrial...
BSidesVienna(Vienna, Austria, November 22, 2014) BSidesVienna will open its doors again in 2014. Be part of it and stay tuned
BSidesToronto(Toronto, Ontario, Canada, November 22, 2014) This year the conference is bigger, better, faster and…well, still one day in length but, we have an awesome line up. And no I'm not just paying "lip service"
DefCamp5(Bucharest, Romania, November 25 - 29, 2014) DefCamp is the most important conference on Hacking & Information Security in Central Eastern Europe. The goal is bringing hands-on talks about latest research and practices from the INFOSEC field, gathering...