IS has operated effective information campaigns (particularly effective in recruiting) and now, observers argue, aspires to develop an active hacking capability. This is so far more a matter of a priori probability than indications and warnings, but the possibility bears watching. Security experts and 9/11 commissioners outline trends in state and non-state cyber operations.
Several million Gmail credentials turned up on a Russian Bitcoin forum, but there's apparently less here than meets the eye: Google wasn't breached, says that 98% of the credentials were invalid, obsolete, or fake accounts, and that only a fraction of the remaining credentials could be used to access accounts. Ordinary security precautions with respect to Gmail seem more than sufficient to deal with the residual threat.
VMware patches third-party components in vSphere.
Certificate authorities want Google to give websites more time for upgrades before it expands Chrome safety warnings.
A survey of the financial sector purports to expose its four biggest fears: "a systematic attack on the markets as a whole, manipulation of product data, losing customer data to the extent of losing customer confidence, and employees becoming the weakest links."
In industry news, analysts look at the prominence of NSA and Unit 8200 alumni in, respectively, US and Israeli cyber start-ups. (Former NSA Director Alexander's patent application draws particular interest.)
As the US and Europe tighten restrictions on oil production equipment exports to Russia, Western energy companies would do well to look to the security of their networks: those networks have already been reconnoitered.
Today's issue includes events affecting China, Iraq, Israel, Democratic People's Republic of Korea, Republic of Korea, Russia, Syria, United Kingdom, United States.
The CyberWire will be providing special coverage of the 2014 Cyber Security Summit, convening in New York on September 18. Watch for interviews and live coverage of Summit events. We also plan to cover the 5th Annual Billington Cybersecurity Summit in Washington, DC, on September 16, which promises an interesting set of speakers and sessions.
5 Million Gmail accounts hacked…or not (CSO) There it was on the screen staring back at me. The cursor blinked incessantly as I tried to wrap my head around the news. 5 million Gmail accounts had been compromised. I mopped the sweat from my brow with the back of my sleeve as I tried to regain composure. I reached across the desk for the bottle of headache remedy and flicked the cap off. It never seemed to be fastened
Botnet Twists the Knife in iCloud Security (TechNewsWorld) Cybercrooks are preying on widespread fear over iCloud insecurity, luring users to give up the very information they want most to protect — their IDs and passwords. If you get an email from Apple informing you your account has been compromised and you need to click on a link and log in to fix it — just don't. In the meantime, what should Apple do? The short answer: more
Prosecting the Citadel botnet — revealing the dominance of the Zeus descendent: part one (Virus Bulletin) It is unlikely that anyone still thinks that cybercrime is performed by 16-year-old kids who write short pieces of code that wreak havoc all over the world, but if you do still hold that belief, it won't hurt to take a look behind the scenes of a modern botnet operation. Today's botnets show how cybercrime has become a professional 'industry' in which many tactics seen in the legitimate e-commerce and IT service industries are deployed
Uncovering Malicious Browser Extensions in Chrome Web Store (TrendLabs Security Intelligence Blog) Months ago, Google published a blog post informing users of Google Chrome that they cannot install browser extensions from third parties. The reason: security. By only permitting extensions from official Chrome Web Store, Google claims they would be able to police these extensions in order to prevent malicious ones
All About Rogue Mobile Apps: A Conversation with Tim Vert, Cyveillance Mobile Security Expert (Cyveillance Blog) As more organizations release mobile applications to satisfy customer demand for on-the-go services, instances of rogue or spoofed mobile apps are rising. There are a lot of questions when it comes to this evolving sphere of cyber security, so we recently sat down with Tim Vert, a mobile security expert and Manager in Cyveillance's Security Operations Center, to get some answers
2014 — An Explosion of Data Breaches and PoS RAM Scrapers (TrendLabs Security Intelligence Blog) The computer security industry will always remember 2013 as the year the U.S. suffered one of the largest data breaches in history. In a targeted attack, U.S. retailer Target was compromised during the Christmas shopping season using the BlackPOS malware, a PoS RAM scraper family. According to estimates, cybercriminals stole 40 million credit and debit card numbers as well as 70 million personal records of Target shoppers
Russia Versus Wall Street: The JPMorgan Attack (Infosec Institute) JPMorgan Chase is the largest bank in the United States, with total assets of over $2.5 trillion. They reportedly spend about $250 million per year on technical security, or one dollar for every $10,000 they have in assets. They also employ more information security professionals than Google does, about a thousand compared to Google's approximately 400
Security Patches, Mitigations, and Software Updates
Is there any part of government that hasn't been hacked yet? (Nextgov) Cybersecurity has been touted by the Obama administration as one of its top technology priorities over the past several years, but heightened visibility alone has done little to deter adversaries that include state-sponsored hackers, hackers for hire, cyber syndicates and terrorists
The financial industry's biggest cyber fears (MarketWatch) The FBI is investigating cyber attacks on J.P. Morgan Chase and as many as four other banks, according to reports, at a time when (legitimate) paranoia about hacking is becoming a mainstream concern
Cyber loss surveyed (Professional Security) Near half, 48 per cent, of e-commerce/online retail businesses and 41 per cent of financial services organisations have reported losing some type of finance-related information to cybercriminal activities within a 12 month period
Veracode Closes $40 Million Funding Round (SecurityWeek) Veracode, a Burlington, Massachusetts-based provider of web and mobile application security testing solutions, today announced that it has closed a late-stage $40 million funding round led by Wellington Management with participation from previous investors
Ex-NSA Chief's Anti-Hacker Patent Sparks Ethics Questions (Bloomberg) A 5-month-old company in Washington has developed what it calls groundbreaking technology to thwart cyber-attacks before they've been identified — a significant advancement over current systems that react to known threats
Walmart banks on mobile payments, chip-and-PIN (FierceRetail) Walmart (NYSE:WMT) is counting on mobile payments and chip-and-PIN cards to not only improve security of retail transactions, but also make it easier for consumers to buy products
Close to Home: IBM Puts Its Trust in Endpoint Manager, MaaS360 (CIO) Remember that commercial where the guy says he's not just the president of the company, he's a client, too? Hard to argue with someone who trusts the product that much. Which is why you might want to know that IBM didn't just develop Endpoint Manager; they use it, too
CAST Launches Software Certification Program (TopTechNews) leading provider of software analysis and measurement technology, today launched the CAST Software Certification Program to provide organizations with standards-based verification of the quality of their critical systems
Want to Limit PCI DSS Scope? Use Tokenization (Infosec Institute) Every organization should follow a proactive rather than a reactive approach to protect against threats, risks and vulnerabilities, to which if their IT infrastructure is exposed can lead to data loss, regulatory penalties, and lawsuits and damaged reputation. Moving on the same lines, to reduce the credit card fraud via its exposure, a standard known as Payment Card Industry Data Security Standard (PCI DSS) was formed. In this article we are going to learn about various ways in which PCI DSS scope can be reduced using Tokenization
A system that facilitates malware identification in smartphones (Alpha Galileo) Malware is a type of malicious program whose general aim is to profit economically by carrying out actions without the user's consent, such as stealing personal information or committing economic fraud. We can find it "in any type of device ranging from traditional cell phones to today's smartphones, and even in our washing machine," explained one of the researchers, Guillermo Suarez de Tangil, from the Computer Science Department at UC3M
The West is prepared to threaten Russia's oil future (Quartz) The US and Europe are on the brink of threatening the heart of the Russian economy: its oil industry. New sanctions would cut off Russia's access to the technology required to drill its richest new fields
Lu Wei: the internet must have brakes (China Media Project) Speaking to a panel on "the future of the internet economy" at the World Economic Forum's 2014 Summer Davos in Tianjin yesterday, Lu Wei, the director of China's State Internet Information Office (SIIO), said there must be "mutual integration" of international rules for internet governance and the national laws of various countries
Implementation of Web portal delays HIPAA audits (FierceHealthIT) The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) has delayed its second round of HIPAA audits while it works to get a Web portal up and running through which entities can submit information
Suits and Spooks London (London, England, UK, September 12, 2014) On September 12th, in London's South Bank neighborhood of Southwark, approximately 50 former intelligence officials, corporate executives, and security practitioners from the U.S. and the EU will gather...
Build IT Break IT Fix IT: Fix IT (Online, September 12, 2014) The Build it Break it Fix it security contest is a new security-oriented programming contest held by the Maryland Cybersecurity Center, Cyberpoint, and Trail of Bits. The Build it Break it Fix it security...
NOPcon Security Conference (Istanbul, Turkey, September 16, 2014) NOPcon is a non-profit hacker conference. It is the only geek-friendly conference without sales pitches in Turkey. The conference aims to learn and exchange ideas and experiences between security researchers,...
5th Annual Billington Cybersecurity Summit (Washington, DC, USA, September 16, 2014) The 5th Annual Billington Cybersecurity Summit, a leading conference produced by Billington CyberSecurity, will feature an all-star cast of cybersecurity speakers including Admiral Michael Rogers, Commander,...
SINET Global Summit (London, England, UK, September 16 - 17, 2014) "Advancing Global Collaboration and Innovation." Global Summit focuses on building international public-private partnerships that will improve the protection of our respective homeland's critical infrastructures,...
Cyber Attack Against Payment Processes Exercise 2 (Online, September 16 - 17, 2014) FS-ISAC, the Financial Services Information Sharing and Analysis Center will conduct its fifth annual simulated cyber security exercise related to payment processes used by banks, community institutions,...
Global Identity Summit (Tampa, Florida, USA, September 16 - 18, 2014) The Global Identity Summit is focused on identity management solutions for corporate, defense and homeland security communities. This conference and associated exhibition bring together a distinctive,...
Fraud Summit Toronto (Toronto, Ontario, Canada, September 17, 2014) From account takeover to payment card fraud and the emerging mobile threatscape, the ISMG Fraud Summit series is where thought-leaders meet to exchange insights on today's top schemes and the technology...
CSA Congress 2014 & IAPP Privacy Academy 2014 (San Jose, California, USA, September 17 - 19, 2014) This year, the CSA and the International Association of Privacy Professionals (IAPP) are combining their Congress US and Privacy Academy events into a conference in the heart of Silicon Valley. This conference...
ICS-ISAC Fall Conference (Atlanta, Georgia, USA, September 17 - 20, 2014) Cybersecurity issues — such as the DHS release of Operation Aurora information; legislation like CISA (S. 2588), CIRDA (H.R. 2952) & H.R. 3696; and the NIST Cybersecurity Framework — can leave...
The 2014 Cyber Security Summit (New York) (New York, New York, USA, September 18, 2014) The Cyber Security Summit, an exclusive conference series sponsored by The Wall Street Journal, has announced their second annual event in New York City. The event will connect C-Level & Senior Executives...
Ft. Meade Technology Expo (Fort Meade, Maryland, USA, September 18, 2014) The Ft. Meade Technology Expo is a one-day event held at the Officers' Club (Club Meade) on base. Industry vendors will have the unique opportunity to showcase their products and services to personnel...