Researchers report that LinkedIn may be exposing user emails.
Freenode warns users it's been breached, and advises them to change their passwords.
An SNMP-based denial-of-service attack is reported to be spoofing Google DNS servers. Mitigation appears, so far, to be largely successful.
Online fraud exacts an increasing cost from retailers, many of whom are, observers assert, rendered vulnerable by their inadequate network security measures.
Brookings publishes a study on "our cyborg future." The breathlessly stated topic suggests the legal complexities surrounding not only implanted networked devices, but also such increasingly ubiquitous personal tools as fitness trackers and smart phones. Not all such devices, the study argues, will be treated the same way by legal systems.
In industry news, SC Magazine looks at the effect Snowden's leaks have had on both the cyber sector and the criminal black market (from a market point-of-view, the effect in both places has been largely bullish).
Apple hangs tough on its approach to data security. Cisco looks at railways and sees a market for Internet-of-things services and security. Comcast denies (with justice, thinks Ars Technica) rumors that it's shutting down Tor users.
NIST issues a draft instruction covering the security of "reproduction devices" — printers, copiers, and the like.
A Russian official frames the content of Russian information operations in the Baltic: Ukraine provides the template.
The latest Snowden leaks prompt calls from German companies for more national control over cloud services. They also prompt reflections on how agencies might direct whistleblowing into less destructive channels.
Today's issue includes events affecting Estonia, European Union, Latvia, Lithuania, Nigeria, Russia, Ukraine, United States.
The CyberWire will also provide special coverage of the 2014 Cyber Security Summit, convening in New York on September 18.
Cyber Attacks, Threats, and Vulnerabilities
LinkedIn Feature Exposes Email Addresses (Krebs on Security) One of the risks of using social media networks is having information you intend to share with only a handful of friends be made available to everyone. Sometimes that over-sharing happens because friends betray your trust, but more worrisome are the cases in which a social media platform itself exposes your data in the name of marketing
Here's What Hackers Can Do With Your CRM Data (Forbes) It is clear why malware writers target such retailers as Home Depot and Target. It is obvious, if not pathetic, why hackers break into the cloud to find and publish private nude photos of celebrities
SNMP-Based DDoS Attack Spoofs Google Public DNS Server (Threatpost) The SANS Internet Storm Center this afternoon reported SNMP scans spoofed from Google's public recursive DNS server seeking to overwhelm vulnerable routers and other devices that support the protocol with DDoS traffic
Google Apps scripts can be easily misused by scammers (Help Net Security) Andrew Cantino, VP of Engineering at Mavenlink but also a bug hunter in his free time, has discovered that Google Apps Scripts can be misused by attackers to access users' email and other information
Flaw in Android Browser Allows Same Origin Policy Bypass (Threatpost) There's a serious vulnerability in pre-4.4 versions of Android that allows an attacker to read the contents of other tabs in a browser when a user visits a page the attacker controls. The flaw is present in a huge percentage of the Android devices in use right now, and there's now a Metasploit module available to exploit the vulnerability
Worm Illuminates Potential NAS Nightmare (Dark Reading) A researcher at Black Hat Europe hopes to demonstrate a homegrown, self-replicating worm to illustrate major threats to popular network-attached storage systems
Bulletin (SB14-258) Vulnerability Summary for the Week of September 8, 2014 (US-CERT) The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information
Why retailers like Home Depot get hacked (CSO) Retailers like Home Depot, which recently suffered a major data breach, have known for years about vulnerabilities in payment systems, but have chosen to ignore them, experts say
Your adviser could be an easy target for cyber crooks (MarketWatch) At a time when security experts, regulators and law enforcement are warning of attacks on the financial sector, more than one-third of registered investment adviser firms don't do risk assessments for cyber threats, vulnerabilities or potential consequences, new data finds
Ready, aim, click (My Broadband) If World War III promises to be digital, we must be as prepared as we can be
Our Cyborg Future: Law and Policy Implications (Brookings) In June 2014, the Supreme Court handed down its decision in Riley v. California, in which the justices unanimously ruled that police officers may not, without a warrant, search the data on a cell phone seized during an arrest. Writing for eight justices, Chief Justice John Roberts declared that "modern cell phones…are now such a pervasive and insistent part of daily life that the proverbial visitor from Mars might conclude they were an important feature of human anatomy"
Cyber Security Professionals are Sheep Awaiting Slaughter (Seculert) In a recent article, New York Times technology reporter Nicole Perlroth recounts a gag that, in one variation or another, is racing its way through the cyber security community as only droll jokes can. It goes like this
System failures cause most large outages of communications services (Help Net Security) The European Union Agency for Network and Information Security (ENISA) published a report about large-scale outages in the electronic communication sector. It provides an aggregated analysis of the security incidents in 2013 which caused severe outages
Joseph DiZinno Named American Systems Identity Intell VP (GovConWire) Dr. Joseph DiZinno, a two-decade FBI veteran and a former executive at BAE Systems, has joined American Systems as vice president of identity intelligence for the Chantilly, Virginia-based government services contractor
Brit to Launch Cyber Attack Product (BusinessWire) Brit PLC ('Brit' or 'the Group'), a market-leading global specialty insurer and reinsurer, has developed a unique insurance service to protect companies operating critical infrastructure and industrial machinery from terrorist and other malicious attacks, such as sabotage, espionage and theft
Draft NISTIR 8023: Risk Management for Replication Devices (NIST) This publication provides guidance on protecting the confidentiality, integrity, and availability of information processed, stored, or transmitted on replication devices (RDs). It suggests appropriate countermeasures in the context of the System Development Life Cycle. A security risk assessment template in table and flowchart format is also provided to help organizations determine the risk associated with replication devices
Emerging cloud threats and how to address them (Help Net Security) As organizations deploy and harness private, community and hybrid clouds, they encounter new types of threats, along with the old ones they've been battling for years
WordPress Security Checklist (Help Net Security) WordPress is not only easy to use, it also comes with many plugins and themes for you to choose from, making it extremely customizable. However, like all other popular platforms, it is also more prone to hacking
Patterns in banking personal identification numbers (FierceBigData) If you've ever wondered about the security of personal identification numbers, or PINs, used in banking, wonder no more. While in theory the 10,000 possible combinations presented in a four digit sequence and chosen randomly by users is good protection for banking accounts and credit cards, it turns out that the human factor weakens the design in practice
Don't Fear the Leaker: Thoughts on Bureaucracy and Ethical Whistleblowing (SSRN) In this brief essay, I argue that rather than trying to eliminate leaks entirely, which experience demonstrates is impossible, we should instead try to channel leaks so that they provide the maximum benefit to transparency while reducing risks to national security and other secrecy concerns. I also offer some preliminary suggestions about how to accomplish this goal
Cyber airmen race to stay ahead of new threats (Air Force Times) As cyber threats increase and become more sophisticated, airmen in the Cyber career field find themselves operating in a fast-paced environment just trying to stay two steps ahead
Tactical Cyber: How to Move Forward (Small Wars Journal) Cyberspace operations, both defensive and offensive, captured the attention of many pundits, military professionals, and interested observers
Newly Noted Events
MIRcon 2014 (Washington, DC, USA, October 7 - 8, 2014) MIRcon 2014 is the premier information security industry event of the year. The conference is designed to educate innovators and executives battling cyber attackers daily
Hack.lu 2014 (Dommeldange, Luxembourg, October 21 - 24, 2014) Hack.lu is an open convention/conference where people can discuss computer security, privacy, information technology and its cultural/technical implications for society
FOCUS 14: Empowering the Connected World (Las Vegas, Nevada, USA, October 26 - 27, 2014) FOCUS will offer you a unique opportunity to learn directly from other McAfee users. Hear real-world scenarios from McAfee customers and learn how they maintain the highest standards of security while...
Cyber Job Fair (Baltimore, Maryland, USA, October 29, 2014) ClearedJobs.Net is partnering with CyberMaryland to present the Cyber Job Fair at the CyberMaryland 2014 conference. The Cyber Job Fair is a hiring event for cleared and non-cleared cybersecurity professionals...
Senior Executive Cyber Security Conference (Baltimore, Maryland, USA, October 30 - November 1, 2014) North Star Group, LLC and the Johns Hopkins University's Whiting School of Engineering and Information Security Institute sponsor this senior executive focused cyber security conference. This event is designed...
Healthcare Cyber Security Summit 2014 (San Francisco, California, USA, December 3 - 10, 2014) SANS is teaming up with the National Health Information Sharing & Analysis Center (NH-ISAC) to offer the 2nd Annual Healthcare Cyber Security Summit
FloCon 2015 (Portland, Oregon, USA, January 12 - 15, 2015) FloCon is an open network security conference organized by Carnegie Mellon University
Security Forum 2015 (Hagenberg im Mühlkreis, Austria, April 22 - 23, 2015) The Security Forum is the annual IT security conference in Hagenberg that addresses current issues in this domain. Visitors are offered technical as well as management-oriented talks by representatives...
NOPcon Security Conference (Istanbul, Turkey, September 16, 2014) NOPcon is a non-profit hacker conference. It is the only geek-friendly conference without sales pitches in Turkey. The conference aims to foster learning and the exchange of ideas and experiences among security researchers,...
5th Annual Billington Cybersecurity Summit (Washington, DC, USA, September 16, 2014) The 5th Annual Billington Cybersecurity Summit, a leading conference produced by Billington CyberSecurity, will feature an all-star cast of cybersecurity speakers including Admiral Michael Rogers, Commander,...
SINET Global Summit (London, England, UK, September 16 - 17, 2014) "Advancing Global Collaboration and Innovation." Global Summit focuses on building international public-private partnerships that will improve the protection of our respective homelands' critical infrastructures,...
Cyber Attack Against Payment Processes Exercise 2 (Online, September 16 - 17, 2014) FS-ISAC, the Financial Services Information Sharing and Analysis Center, will conduct its fifth annual simulated cyber security exercise related to payment processes used by banks, community institutions,...
Global Identity Summit (Tampa, Florida, USA, September 16 - 18, 2014) The Global Identity Summit is focused on identity management solutions for corporate, defense and homeland security communities. This conference and associated exhibition bring together a distinctive,...
Fraud Summit Toronto (Toronto, Ontario, Canada, September 17, 2014) From account takeover to payment card fraud and the emerging mobile threatscape, the ISMG Fraud Summit series is where thought-leaders meet to exchange insights on today's top schemes and the technology...