Another self-declared set of ISIS-supporting hacktivists, these from Morocco, hit a target of opportunity, this time in India. Wired looks at the Islamic State's acknowledged success with Twitter and offers the US State Department some advice on how it might respond. Information operations seem particularly challenging — if information operations are essentially marketing in battledress, why do nations with no shortage of marketing talent have such difficulty with them?
The Register, listening to various little birdies, thinks there's less to stories about CIA attempts to compromise iPhones than meets the eye.
Kaspersky releases more circumstantial linguistic evidence linking the Equation Group to some Anglophone agency, probably, they suggest, an American one.
Microsoft's Patch Tuesday re-addressed a vulnerability exploited by Stuxnet. (Stuxnet also returns to the news in stories about the probably non-prosecution of Marine General Cartwright, alleged leaker of US involvement in the exploit.) Some of the patches, however, are reported to be causing users problems: KB 3033929, KB 3002657, and KB 2046049.
The Guardian reconsiders and clarifies allegations that Whisper spies on users who opt out of location tracking: an IP address, the Guardian concludes, is a poor and unreliable surrogate for geolocation.
Dropbox patches its recently reported Android SDK vulnerability.
Cyber industry observers see an increasing tendency to nationalism ("Balkanization") in the sector, alleging a tendency to go easy on the home team.
Hedge funds and law firms are warned that they're hacking targets.
Parliamentary interest in restricting UK encryption wanes.
The US Senate prepares its cyber bill markup.
Today's issue includes events affecting Canada, China, Czech Republic, Germany, India, Iraq, Iran, Israel, Maldives, Morocco, Pakistan, Russia, Syria, Turkey, United Arab Emirates, United Kingdom, United States.
SINET's ITSEF conference opens next Tuesday in Mountain View, California, and the CyberWire will be there to cover it. We'll be live-tweeting from the event, and our editor will be moderating a panel on emerging trends in cyber attack.
Cyber Attacks, Threats, and Vulnerabilities
Cyber attack: Pro-ISIS hackers target Vizag company(Deccan Chronicle) A Moroccan hacking group, claiming to be the supporters of Islamic State, hacked the website of the Visakhapatnam chapter of the Indian Institute on Tuesday and posted comments and a picture supporting extremist organisation
Here's How the US Should Fight ISIS with Social Media(Wired) The Islamic State wants to rule the world. It murders enemies — sometimes in mass, sometimes individually, always brutally. It enslaves and abuses women. It jails everyday joes for smoking, drinking, trading, or speaking their minds. It is a brutal, dead-end regime cloaked in a perverted medieval understanding of one of the world's great religious faiths
Apple Pay: Bridging Online and Big Box Fraud(KrebsOnSecurity) Lost amid the media firestorm these past few weeks about fraudsters turning to Apple Pay is this stark and rather unsettling reality: Apple Pay makes it possible for cyber thieves to buy high-priced merchandise from brick-and-mortar stores using stolen credit and debit card numbers that were heretofore only useful for online fraud
MS Update 3033929 Causing Reboot Loop(KrebsOnSecurity) One of the operating system updates Microsoft released on Tuesday of this week — KB3033929 — is causing a reboot loop for a fair number of Windows 7 users, according to postings on multiple help forums. The update in question does not appear to address a pressing security vulnerability, so users who have not yet installed it should probably delay doing so until Microsoft straightens things out
In our modern surveillance state, everyone can be exposed(Christian Science Monitor: Passcode) Maintaining anonymity against powerful surveillor is nearly impossible. Even the most skilled hackers and spies risk discovery. In an era when everything is tracked and stored, we either need more robust ways of preserving anonymity — or to give up on the idea entirely
2015 Cyberthreat Defense Report(Tenable Network Security) How does your security effectiveness compare? The 2015 Cyberthreat Defense Report from the CyberEdge Group is based on an analysis of 814 survey responses from North American and European IT security professionals. Covering a wide range of issues, the report will help you benchmark your security practices with those of your peers, while also offering insights that address questions such as
Politics intrude as cybersecurity firms hunt foreign spies(Reuters) The $71 billion cybersecurity industry is fragmenting along geopolitical lines as firms chase after government contracts, share information with spy agencies, and market themselves as protectors against attacks by other nations
Cybersecurity Firms Struggle to Keep Up With Threats(Voice of America) Bomb attacks typically grab news headlines. But there are almost invisible activities occurring every day that could create a more widespread and devastating calamity — cyber intrusions into government and corporate information and control systems that could cripple vital services and bring normal commerce to a halt
How hedge funds need to address cybersecurity threats(HedgeWeek) The threat of cyberattacks is growing within the hedge fund community, requiring managers to put in place policies and procedures that address the cybersecurity risks unique to their firm. This goes beyond merely acquiring technology and hoping for the best
Splunk Goes Down Market — Good Move Or Sign Of Weakness?(Forbes) Splunk was one of the early kid of the block in terms of publicly listing a big data company. Their timing was good, the amount of competition in their space is far greater now than it was when they launched. But getting their IPO away was one thing, returning sufficient growth to keep Wall Street happy is another and today sees Splunk SPLK -0.08% launch an initiative aimed at targeting that growth, a new, lighter weight offering for smaller businesses
CyberArk Software Ltd. Announces Pricing of Secondary Offering(BusinessWire) CyberArk Software Ltd. (NASDAQ: CYBR), the company that protects organizations from cyber attacks that have made their way inside the network perimeter, today announced the pricing of a registered secondary public offering of 4,000,000 ordinary shares at a price of $51.00 per share. The underwriters have a 30-day option to purchase up to an additional 600,000 ordinary shares at the public offering price. All of the shares are being sold by CyberArk's shareholders. The Company will not receive any proceeds from the sale of these shares. The offering is expected to close on March 17, 2015, subject to customary closing conditions
Transport for London adopts ultra-secure USB drives(Help Net Security) Transport for London (TfL) has adopted ultra-secure USB flash drives to ensure that its data is protected in the event of the loss or theft of portable devices. DatAshur USB flash drives will now be used as standard by TfL staff for transporting data on the move
Technologies, Techniques, and Standards
Syslog Skeet Shooting — Targetting Real Problems in Event Logs(Internet Storm Center) A common bit of advice that we tend to offer up frequently is "monitor your logs" or "review your logs periodically". However, with daily syslogs — even in a small environment — ranging from 300mb to 5GB, that's no easy task. We've discussed parsing logs out using grep and similar tools in the past, but that assumes that nothing drastic ever happens — you're banking on the fact that anything being logged can wait until you have time to check your logs
Defending Against PoS RAM Scrapers(TrendLabs Security Intelligence Blog) Stealing payment card data has become an everyday crime that yields quick monetary gains. Attackers aim to steal the data stored in the magnetic stripe of payment cards, optionally clone the cards, and run charges on the accounts associated with them. The topic of PoS RAM scraper malware always prompts businesses and retailers to ask two important questions: "How do I protect myself?" and "What new technologies are vendors introducing to protect businesses and consumers?"
FIs urged to improve cyber protection(Global Trade Review) Financial institutions (FIs) should adopt an asset-based approach to cyber risk, as the number of attacks continues to grow, experts say
Don't Panic! Six Steps for Surviving your First Data Breach(Continuity Central) Once you've come to terms with the harsh reality of the world, you come to understand that sooner or later, you will be the victim of a security breach. Chances are that it may not be this month, or even this year, but as the insightful Tyler Durden so shrewdly observed, "On a long enough timeline, the survival rate for everyone drops to zero"
Cyber Compliance Is Not Cyber Protection(Daily Signal) Leading cybersecurity analysts met at the 2015 SecureWorld conference in Boston on March 4 – 5 to discuss the emerging threats and increasingly noticeable drawbacks of cyber regulations. Panelists not only discussed the new, more complex, and difficult-to-detect types of threats, but also agreed that regulatory compliance is the wrong way to strengthen cybersecurity
When it comes to patient data privacy, compliance and security differ(Help Net Security) If a name perfectly underscored a growing issue of concern, it's Anthem. In February, the health insurance plan provider disclosed cyber attackers had breached its IT system for several weeks and obtained consumers' personal data. The message this revelation spread is that healthcare-related organizations are increasingly prime targets for hackers and cyber thieves
DISA looks to FedRAMP high as base for high-plus(C4ISR & Networks) The Defense Information Systems Agency is looking the General Services Administration's FedRAMP high baseline as the starting point for a "high-plus" standard that would pertain to the most highly sensitive data
College asks experts what to teach cyber-security students(WTNH News 8) With hacker attacks on the rise, one local college wants to offer a degree in cyber-security. Naugatuck Valley Community College held a summit this morning with a whole bunch of people who know about internet security, telling officials from NVCC what they should be teaching their students about internet security
Cyber engineering a new pathway to graduation in La.(Shreveport Times) The Louisiana State Board of Education approves Cyber Engineering as one of 11 new graduation pathways in the state, according to a press release. This new pathway will help address the state's growing demand for information technology professionals
Opinion: How to defuse a simmering crypto war(Christian Science Monitor: Passcode) In an Op-Ed provided by our partners at the Information Technology and Innovation Foundation, the director of the Cyber Security Policy and Research Institute at the George Washington University argues that engineering trust can help avoid a new battle over data encryption
Opinion: Obama needs a cyberwar cabinet (+video)(Christian Science Monitor: Passcode) The Sony hack demonstrated that modern warfighting will be defined as much by circuits and networks as by missiles and guns. Therefore, we need a new war cabinet comprised of cybersecurity experts from government and the private sector to ensure the US can respond in real time to the next massive breach
Blog: Cybersecurity Information Sharing a Tool for Situational Awareness(SIGNAL) Knowing the cybersecurity threat might be half the battle toward mitigating problems, but the popular push and mounting trend toward increased information sharing, particularly between industry and the federal government, is not the be all and end all, according to one security expert
Senate Intel panel to mark up cyber bill(The Hill) The Senate Intelligence Committee will mark up controversial cybersecurity legislation in a closed session Thursday, the panel's spokeswoman confirmed
NAFCU Letter to House and Senate Leaders on 2015 Verizon Report — 4 out of every 5 global retailers fail PCI test(Credit Union Insight) On behalf of the National Association of Federal Credit Unions (NAFCU), the only trade association exclusively representing our nation's federal credit unions, I write today to bring your attention to the recently released Verizon 2015 Payment Card Industry Compliance Report. Massive data breaches at our nation's largest retailers have put millions of consumers at risk and have cost credit unions across the country millions of dollars in fraud related investigations and losses, card reissuance costs, and additional card monitoring. Credit unions and their 100 million members continue to believe Congressional action mandating a strong federal data safekeeping standard for merchants is the only way to prevent breaches and make a meaningful difference for consumers
Pakistan's cellphone-registration policy will do little to curb terrorism(Quartz) Following the Dec. 2014 terrorist attack on a school in Peshawar, which killed 133 children, the Pakistani government has announced a number of national measures to fight terrorism in the country. While over 56,000 Pakistanis have been killed in terrorist-related violence since 2003, the measures introduced by the government late last year are some of the most focused actions yet in the attempt to make the country safer
The human cost of phone hacking(We Live Security) How would you feel if a stranger was not only listening to your private voicemail messages, but then taking the information they gleaned from them and using it to write lurid, invasive news stories designed to sell tabloid newspapers?
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
RiSK Conference 2015(Lasko, Slovenia, March 11 - 12, 2015) In recent years RISK conference has become one of the leading events on computer security in the Adriatic region and is attended by engineering as well as executive staff of companies from the region.
B-Sides Vancouver(Vaqncouver, British Columbia, Canada, March 16 - 17, 2015) The third annual Security B-Sides Vancouver is an information security conference that will be held March 16th and 17th. We love to see brand new speakers, seasoned speakers, and everyone in between
Insider Threat 2015 Summit(Monterey, California, USA, March 16 - 17, 2015) The Insider Threat 2015 Summit is about bringing Government and Industry organizations and their cybersecurity leaders together in order to better understand the type of threats that may impact their infrastructure...
2015 North Dakota Cyber Security Conference(Fargo, North Dakota, USA, March 17, 2015) The North Dakota Cyber Security Conference brings together community members from academia, government and industry to share strategies, best practices and innovative solutions to address today's challenges...
Philadelphia SecureWorld(Philadelphia, Pennsylvania, USA, March 18 - 19, 2015) Join your fellow security professional for affordable, high-quality cybersecurity training and education at a regional conference near you. Earn CPE credits while learning from nationally recognized industry...
2015 Cyber Security Summit(McLean, Virginia, USA, March 19, 2015) During Congressman Mike Rogers' "The Code War in America" talk at the June 2013 POC breakfast, he challenged all of us to "recognize that every day U.S. businesses are targeted by governments like China...
BSides Salt Lake City(Salt Lake City, Utah, USA, March 20 - 21, 2015) BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation
B-Sides Salt Lake City(Salt Lake City, Utah, USA, March 20 - 21, 2015) B-Sides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation
CarolinaCon-11(Raleigh, North Carolina, USA, March 20 - 22, 2015) CarolinaCon-11 (also hereby referred to as "The Last CarolinaCon As We Know It") will occur on March 20th-22nd 2015 in Raleigh NC (USA). We are now officially accepting speaker/paper/demo submissions...
Cyber Security Conference 2015(Bolton, UK, March 23 - 24, 2015) Cyber Security Conference 2015 is a coming together of the North of England's two most successful Cyber Security Conferences; BEC Information & Data Security Conference and Lancaster University's North...
Fraud Summit Altanta(Atlanta, Georgia, USA, March 24, 2015) ISMG's Fraud Summit is a one-day event focused exclusively on the top fraud trends impacting organizations and the mitigation strategies to overcome those challenges. Highlights of the Atlanta event include...
SPONSOR & SUPPORT
Grow your brand and reach new customers.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.