Sony's CEO speaks publicly about the hack his Hollywood unit sustained. (Risk Based Security is keeping a running timeline of the entire episode.) Some observers see the US response, which appears to target North Korea's arms trade as opposed to its cyber activities (well, fair enough — sanctions needn't be directly tailored to a specific capability), as showing limitations of current cyber doctrine.
Morgan Stanley fires an employee who improperly accessed and posted information on some 900 of the firm's wealth management clients.
Reports indicate a group of hackers ("H4LT") have accessed Xbox One's software development kit.
Indonesian hackers of "Gantengers Crew" deface more EC-Council sites — they appear interested merely in counting coup against security advocates.
Google's decision to release information on an unpatched zero-day vulnerability in Microsoft Windows 8.1 receives decidedly mixed reviews.
Carnegie Mellon's CERT/CC warns of vulnerabilities in the UEFI systems and BIOS of some Intel chipsets.
Personalized card company Moonpig pulls its API after reports that vulnerabilities therein left customers exposed for seventeen months.
iCloud's vulnerability to brute-forcing is patched.
Trend watchers predict a surge in cyber-reconnaissance during 2015. Others note the reuse of familiar exploits and attack tactics, and remind all that recognizing a risk doesn't mean you've dealt with it.
Cyber labor shortages are seen driving a "spooks-as-a-service" market.
An alumnus of Russian information operations describes those operations from the inside. (Cyber conflict is both intensional and extensional.) Intel shutters its Russian developers forum.
Lawyers wonder: are the Feds really serious about prosecuting "hacking back?"
Today's issue includes events affecting China, Indonesia, Israel, Democratic Peoples Republic of Korea, Republic of Korea, Moldova, Russia, United Kingdom, United States.
Hackers Deface Two More EC-Council Sub-Domains(HackRead) On January 1st, 2015, a sub-domain of International Council of Electronic Commerce Consultants (EC-Council) website was defaced by Indonesian Gantengers Crew hackers. Now two more sub-domains of the EC-Council has been defaced by same group
CERT Warns of UEFI Hardware Vulnerabilities(Threatpost) The CERT/CC at Carnegie Mellon University today released three advisories warning of vulnerabilities that affect some unified extensible firmware interface (UEFI) systems and the BIOS of some Intel chipsets
Phish out WPA networks' password with Wifiphisher(Help Net Security) Greek computer geek George Chatzisofroniou has released a stable version of Wifiphisher, a tool aimed at automating phishing attacks against WPA networks in order to discover the password needed to access them
MWR InfoSecurity sounds mobile security alarm(MicroScope) The new year has barely started but already users are being urged to be on their guard against security threats they are introducing to their mobile phones via downloading free apps
Identity theft for dummies(Help Net Security) It happened again. Checking into the hotel, I was asked if I can provide my credit card to cover additional expenses (not unusual). However, the receptionist simply wrote my credit card information down on a piece of paper and put it into an unlocked drawer. This, of course, led to a very awkward conversation in my best Spanglish regarding Principle 9 of the PCI-DSS standard
Held for ransom by the digital 'mob'(CSO) Experts say ransomware is the future of consumer cybercrime. But you don't have to be a helpless victim, if you are willing to invest in security
Reconnaissance is the name of the game in 2015(SC Magazine) I was in an airport lounge waiting for my flight to the Middle East when the news broke. Millions of credit card numbers had been exposed over a number of months. How about you? Where were you when you heard about Target? It was just a year ago when the Target breach broke into mainstream media, becoming a reference point for cyber thefts exposing personal financial information. 2014 has been a wakeup call for those outside the world of cybersecurity
Four cyber security risks not to be taken for granted(Help Net Security) It's pretty difficult to make information security predictions, and even more difficult to verify them afterwards: we can only judge the effectiveness of information security by the number of public security incidents that were uncovered, while the majority of data breaches remain undetected
The Biggest Security Threats We'll Face in 2015(Wired) As the clock strikes midnight on the new year, so begins the countdown to a new round of security threats and breaches that doubtless will unfold in 2015. But this year will be a little different. In the past, when we've talked about threat predictions, we've focused either on the criminal hackers out to steal credit card data and banking passwords or on the activist hackers out for the lulz (and maybe to teach corporate victims a lesson)
Are Nonprofit Hospitals Especially Vulnerable to Internet Hacking?(Nonprofit Quarterly) The implementation of electronic health records (EHR) in hospitals across the U.S. has been accompanied by unauthorized access to patient records. Data security firm Websense reports a 600 percent increase in web-based attacks on hospitals in the past ten months. Websense believes that attacks on hospitals will increase in 2015 as more hospitals use EHR more widely and as more patient information is available online
One in 8 users do not believe in cyberthreats: Kaspersky Lab Survey(Times of India) According to a survey carried out jointly by B2B International and Kaspersky Lab, internet users do not believe that cyber-attacks are real. They feel that the threat is exaggerated by Internet security companies. However, this complacency leaves them without any protection against a risk that threatens their data and virtual lives every day
How an acute shortage of cyber talent gave rise to 'spooks as a service'(IT World) At the RSA Security Conference last year, companies large and small were trumpeting the spy agency connections of senior staff as never before. Startups in areas like 'threat intelligence' and endpoint protection touted their executives' experience at three-letter agencies as a precursor to conversations about the scourge of advanced threats and attacks
BAE Systems plans to take on 710 apprentices(Works Management) The number surpasses the record set in the previous year by 142 places and includes 45 places for apprentices who will eventually join companies in BAE Systems' supply chain or work in local engineering companies. The latter are funded under the Government's Employer Ownership Programme
Colorado Springs tech company grows again with Philly-area acquisition(Colorado Springs Gazette) Braxton Science & Technology Group has acquired Gnostech, a 75-employee engineering and consulting company based in the Philadelphia area. It's the second in a series of acquisitions the Colorado Springs-based aerospace firm hopes to make over the next few years
Year in Review: MTN Government(Milsat Review) Commercial companies offering satellite capacity to the U.S. government had a challenging year in 2014, with budget cutbacks and military force reductions overseas combining to reduce demand for bandwidth and end-to-end services
As Vistronix Expands in the National Intelligence Community, John Hassoun Adds CEO to Title(Virtual Strategy Magazine) Vistronix, a leading provider of intelligence and technology solutions to national security agencies in the federal space, is pleased to announce that, effective immediately, John Hassoun will take on the role of Chief Executive Officer (CEO) in addition to his role as Corporate President. Former CEO, Deepak Hathiramani, will retain the role of Chairman of the Board
Soteria Intelligence Combats Social Media Threats to Shopping Malls(Businesswire) Soteria Intelligence is pleased to announce that due to an increase in social media threats related to shopping malls, the company has expanded its research into finding more ways social media can be used to keep mall customers, employees, and property safe
Intrusion Detection Systems: a Primer(eSecurity Planet) Intrusion detection systems can be a key tool in protecting data. This primer can help you determine which kind of IDS is right for you
Why Commercial Clouds Are More Secure than Federal Data Centers(Nextgov) Ever since the Office of Management and Budget issued its cloud first strategy in 2010, the security of cloud offerings has been a major concern for federal IT managers. It is the primary reason the largest share of cloud expenditures in government has been on private clouds
The big password mistake that hackers are hoping you'll make(State of the Net.Net) You're smart. You don't use passwords like the perennial 123456 and qwerty. Or even slightly better ones, like Cassie86 or Cubs1908. Because you put some thought into them, your passwords are better than those, right?
The argument for moving SSH off port 22(Internet Storm Center) An interesting discussion is occurring on reddit on whether Secure Shell (SSH) should be deployed on a port other than 22 to reduce the likelihood of being compromised
"Quite a few Terrorists lost their lives owing to Big Data"(Isreal Defense) A first-ever interview with the Head of the Information Technology Division of ISA, Ronen Horowitz, upon his retirement. How intelligence information is utilized in the era of the Internet, cellular telephones and social networks?
S. Korea, China to hold security talks(Korea Times) South Korea and China were to hold working-level security talks in Seoul Monday to discuss an array of bilateral and regional security issues such as the situation with North Korea, the foreign ministry said
Response to Sony hack reveals limits of U.S. cyber doctrine(Fedscoop) The Obama administration imposed additional sanctions on North Korea Friday in response to the November cyber attack against Sony Pictures Entertainment. The sanctions, which block access to the U.S. financial system, target 10 North Korean government officials, as well as the reclusive regime's military intelligence bureau and state-run arms dealer
Cyber Terrorism as a Strategy(Fabius Maximus) Much as defense experts in 1913 thought more about cavalry than airplanes, today's experts think more about the aircraft carriers and 5th generation fighters (e.g., F-35) than cyberwar and cyberterrorism. But that's changing. To help you stay current about these developments, here's the first chapter in another series about cyberterrorism
FBI Seeks Cyber Special Agents(eSecurity Planet) The aim, according to the Bureau, is to 'protect our nation and the American people from the rapidly evolving cyber threat'
FBI wants cyber sleuths with some muscle(FCW) Applicants heeding the FBI's recent call for new cybersecurity experts had better get to the gym soon, as the agency isn't changing its physical requirements for the new positions
Attkisson sues government over computer intrusions(Washington Post) For months and months, former CBS News investigative correspondent Sharyl Attkisson played an agonizing game of brinkmanship regarding her privacy: She strongly suggested that the federal government was behind a series of intrusions into her personal and work computers, though she has consistently hedged her wording to allow some wiggle room
NSA Reports to the President's Intelligence Oversight Board (IOB)(National Security Agency) Following a classification review, the National Security Agency (NSA) is releasing in redacted form NSA reports to the President's Intelligence Oversight Board (IOB). The release includes quarterly reports submitted from the fourth quarter of 2001 to the second quarter of 2013. The materials also include four annual reports (2007, 2008, 2009, 2010) which are consolidations of the relevant quarterly reports
FBI Waking Up To The Fact That Companies With Itchy Trigger Fingers Want To Hack Back Hacking Attacks(TechDirt)
from the dangerous-ideas dept
It's no secret that some in the computer security world like the idea of being able to "hack back" against online attacks. The simplest form of this idea is that if you're a company under a denial-of-service attack, should you be able to "hack" a computer that is coordinating those attacks to stop them? More than two years ago, an LA Times article noted that some cybersecurity startups were marketing such services. Related to this, when the terrible CISPA legislation was being debated, one concern was that it would legalize such "hack backs" because, among other things, CISPA would grant immunity to companies "for decisions made based on cyber threat information." Some interpreted that to mean that companies would have immunity if they decided to hack back against an attacker
Intel Shuts Down Russian Developer Forums To Comply With Russia's 'Blogger Law'(TechCrunch) Add Intel to the growing list of U.S. tech companies that are changing up some of their policies and business in Russia as a result of the government's tightening reign on Internet use. Citing Russia's new "Blogger Law" that was first introduced last year, Intel has shut down all of its popular Russian-language developer forums
A Bot Just Purchased Fake Passports and Ecstasy(Popular Mechanics) European art collectives got more than they bargained for in their new show: A bot they programmed to make automatic purchases on the Darknet sent back Ecstasy pills and a fake Hungarian passport
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
Cybersecurity World Conference(New York, New York, USA, January 9, 2015) Welcome to Cyber Security World Conference 2015 where renowned information security experts will bring their latest thinking to hundreds of senior business executives and officials focused on protecting...
California Cybersecurity Task Force Quarterly Meeting(Walnut Creek, California, USA, January 20, 2015) The California Cyber Security Task Force serves as an advisory body to California's senior government administration in matters pertaining to Cyber Security. Quarterly Cybersecurity Task Force meetings...
FIC 2015(Lille, France, January 20 - 21, 2015) The International Cybersecurity Forum (FIC) forms part of a thinking and exchange process that aims at promoting a pan-European vision of cybersecurity and strengthening the fight against cybercrime, a...
Data Privacy Day San Diego — The Future of IoT and Privacy(San Diego, California, USA, January 28, 2015) Join the Lares Institute, Morrison & Foerster, and the National Cyber Security Alliance for Data Privacy Day in San Diego. DPD San Diego will bring together privacy luminaries to discuss fundamental issues...
SPONSOR & SUPPORT
Grow your brand and reach new customers.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.