The pro-Assad Syrian Electronic Army reappears with show-the-flag defacements of Endurance Group hosting companies. Pro-ISIS hackers continue their campaign against small-town-America targets-of-opportunity. Their messaging in this Wisconsin cycle is less fluent and more violent than other sympathizers' cyber vandalism has tended to be. Saudi hackers strike the website of the US Army's Picatinny Arsenal; they appear to have no political sponsors and no motive beyond the lulz.
Nigeria has succeeded in holding elections, despite hacking and widespread bugs in the country's (reportedly untested) biometric identification system, perhaps offering a case study in resilience.
GitHub copes with a large denial-of-service attack. It appears to originate in China, and seems to target anti-censorship tools.
Interpol and Kaspersky identify a threat to the block chain on which cryptocurrencies depend.
Uber logins are appearing for sale on the black market, going price $1 each.
Optus, Australia's second largest telecom, agrees to undergo an independent audit after sustaining three privacy breaches.
Chat-based collaboration platform Slack discloses it was hacked last month, and describes remediation it's undertaking on behalf of its users.
The iOS and OS X library AFNetwork has been patched to fix a man-in-the-middle vulnerability.
A new domain, .bank, expected to appear this summer, is said to be designed to bring more security to financial transactions.
University of Alabama Birmingham researchers announce development of a gesture-based mobile security approach.
Students of globalization paradoxically call for IT autarky in the service of national security.
Europol and the FBI are both really uncomfortable with widespread crypto.
Today's issue includes events affecting Brazil, Canada, China, European Union, Germany, Iran, Israel, New Zealand, Nigeria, Oman, Russia, Saudi Arabia, Syria, United Kingdom, United Nations, United States, and Vietnam.
Dateline Women in Cybersecurity
Women in Cybersecurity 2015(WiCyS) Despite the growing demand and tremendous opportunities in the job market, cybersecurity remains an area where there is significant shortage of skilled professionals regionally, nationally and internationally. Even worse, women's representation in this male-dominated field of security is alarmingly low. Through the WiCyS community and activities we expect to raise awareness about the importance and nature of cybersecurity career. We hope to generate interest among students to consider cybersecurity as a viable and promising career option
Secure and Trustworthy Cyberspace (SaTC)(National Science Foundation) Cyberspace has transformed the daily lives of people for the better. The rush to adopt cyberspace, however, has exposed its fragility and vulnerabilities: corporations, agencies, national infrastructure and individuals have been victims of cyber-attacks. In December 2011, the National Science and Technology Council (NSTC) with the cooperation of NSF issued a broad, coordinated Federal strategic plan for cybersecurity research and development to "change the game," minimize the misuses of cyber technology, bolster education and training in cybersecurity, establish a science of cybersecurity, and transition promising cybersecurity research into practice
CyberCorps: Scholarship for Service (SFS)(National Science Foundation) The CyberCorps: Scholarship for Service (SFS) program seeks proposals that address cybersecurity education and workforce development. The Scholarship Track provides funding to award scholarships to students in cybersecurity. In return for their scholarships, recipients will work after graduation for a Federal, State, Local, or Tribal Government organization in a position related to cybersecurity for a period equal to the length of the scholarship. The Capacity Track seeks innovative proposals leading to an increase in the ability of the United States higher education enterprise to produce cybersecurity professionals
Advanced Technological Education (ATE)(National Science Foundation) With an emphasis on two-year colleges, the Advanced Technological Education (ATE) program focuses on the education of technicians for the high-technology fields that drive our nation's economy. The program involves partnerships between academic institutions and industry to promote improvement in the education of science and engineering technicians at the undergraduate and secondary school levels
Sign Up at irs.gov Before Crooks Do It For You(KrebsOnSecuirty) If you're an American and haven't yet created an account at irs.gov, you may want to take care of that before tax fraudsters create an account in your name and steal your personal and tax data in the process
Famous Adult website Xtube hacked, delivering malware to viewers(HackRead) The viewers at pornographic website XTube should now be aware of using the website as it holds malware, says Malwarebytes Labs. The users are redirected to Neutrino Exploit Kit which contains a Flash vulnerability. The malware is known to be Trojan.MSIL.ED
Malicious XML: Matryoshka Edition(Internet Storm Center) A couple of days ago I received another malicious document (078409755.doc B28EF236D901A96CFEFF9A70562C9155). Unlike the XML file I wrote about before, this one does not contain VBA macros
Symantec Says Malware Could Be Inflating Twitch Viewership(Gameinformer) Online streaming is experiencing a boom period, in terms of audience size and the number of hours those viewers spend watching their fellow gamers play, talk, and entertain. According to a report from antivirus company Symantec, there's more going on with those numbers than you might think
Slack Announced It Got Hacked Sometime In February(Apex Tribune) Slack, the company responsible for developing the eponymous chat-based work platform, announced through a blog update on Friday that it has been the victim of a cyber-attack in February, during which hackers could access user profile information in one of their databases
Slack Confirms App Was Hacked, But Don't Worry, They've Got Your Back(Inquisitr) Slack is a team communication tool that was launched in 2013 by Stewart Butterfield, co-founder of the popular picture-sharing site Flickr. The Slack software was first created by Butterfield's company, Tiny Speck, for use within the company as it worked on the creation of their MMO (massively multiplayer online game) Glitch, but although the game itself is now defunct, the Slack software has become a must-have for businesses, with a reported 8,000 user signups within the first 24 hours of its launch, and 120,000 daily Slack users within its first week
Github is defending itself from a massive cyber attack(Reuters via Business Insider) US coding site GitHub said on Sunday that it was deflecting most of the traffic from a days-long cyber attack that had caused intermittent outages for the social coding site, with the Wall Street Journal citing China as the source of the attack
Securing the Identity of Things (IDoT) for the Internet of Things(M2M Now) In its recent report, The Identity of Things (IDoT) for the Internet of Things, Gartner lays out how it believes the Internet of Things (IoT), or what is often now referred to as the Internet of Everything (IoE), cannot and will not prosper unless organisations knuckle down and come to grips with how to manage multiple identities
Security and the Internet of Things: what you need to know(Memeburn) The Internet of Things — objects and appliances with embedded sensors and chips capable of communicating online — will result in 50 billion devices being connected to the internet by 2020, according to Gartner. From fridges and bathroom scales, to fitness bands and home thermostats, the amount of 'things' connected to the internet is really taking off and it's a very exciting time for everyone. However, for many enterprises and consumers, the excitement of this new realm of connectivity is clouding the fact that, with more devices connected to the network, there comes a new array of security implications
One-in-Six Advocate Prison for CEOs and Board Members After Breaches(Dark Matters) In a recent survey of security professionals conducted at the e-Crime Congress, 16% of respondents said they support laws that would result prison sentences for executives and Boards of Directors for any negligence on their part following a major data breach
Crossing the Cybersecurity Trust Chasm(TechCrunch) Kudos to the President for visiting Silicon Valley last month and drawing the attention of the nation to a new world of continuous cyber attacks
Data Breach Lessons for Security in Human Resources(Dark Matters) The Anthem breach has brought forth class action lawsuits in at least 3 states (Alabama, Georgia, and California), and has spurred employee concerns and demands for a response from Anthem as well as the employer
Firms can't afford to fail at cybersecurity(Crain's Clevelend Business) Several major data breaches made national headlines last year in the bank sector, but it's not the only segment within the overall financial services industry seeing costs mount for cybersecurity
Hoh crosses from Symantec to FireEye(IT Wire) Security vendor FireEye has appointed former Symantec senior sales executive Eric Hoh as the first president of its Asia Pacific Japan business
Infoblox Appoints Alan Conley as Chief Technology Officer(BusinessWire) Infoblox Inc. (NYSE:BLOX), the network control company, today announced that Alan Conley has joined Infoblox as executive vice president and chief technology officer, effective immediately. Conley is responsible for technology strategy and initiatives at Infoblox
Products, Services, and Solutions
Car hacking made cheaper and easier(Help Net Security) Fiddling with your car's innards will soon become easier and cheaper than ever before, as Eric Evenchick has created and made available hardware and software design files for CANtact, an open source CAN bus tool that can be manufactured for less than $100
Protecting Critical Infrastructure from Threats (Process and Control Today) According to research performed by Lloyd's of London insurer, Aegis London, "in the first half of the 2013 fiscal year, the US Department of Homeland Security's Industrial Control Systems-Computer Emergency Readiness Team responded to more than 200 incidents, 53% of which were in the energy and utility sector, and many of them sponsored by states such as China"
Retail, Financial Sectors Team Up on Formal Info-Sharing(Infosecurity Magazine) Retailers are throwing their cyber-hats in with the financial services community when it comes to information-sharing, with the establishment of an intelligence-sharing portal that will link the two industries? key players
The multiple benefits of IT auditing(Help Net Security) Regulatory compliance requirements provide instructions for organizations on how to protect the data of their employees, business operations, and customers that are stored on their servers. The process of satisfying compliance requirements starts with IT auditing, performed either by an internal or external professional auditor using specialized software
Using Web Session Analysis to Prevent Fraud(RSA: Speaking of Security) Every organization that relies on websites and web applications to do business is a potential target for hackers. According to ePayment management company CyberSource, total revenue loss to eCommerce merchants in North America in 2012 amounted to $3.5 billion, up $100 million from the previous year
Mitigating the Consequences of Data Loss with Service Automation(Information Security Buzz) In today's digital age, companies increasingly utilize various external platforms to store and access corporate data. In fact, according to Forbes magazine more than half of all companies in the United States now use some form of Cloud Computing to conduct daily operations
Crowdsourcing your bug bounty program(Help Net Security) In this interview, David Levin, Director of Information Security at Western Union, talks about crowdsourcing their bug bounty program and the lessons learned along the way
Hadoop Security Still Evolving(eSecurity Planet) While organizations' use of Hadoop has become more sophisticated, associated security practices have not kept pace
10 practical security tips for DevOps(Help Net Security) More organizations are embracing DevOps and automation to realize compelling business benefits, such as more frequent feature releases, increased application stability, and more productive resource utilization. However, many security and compliance monitoring tools have not kept up. In fact, they often represent the largest single remaining barrier to continuous delivery
On the Frontlines of Cyber War(Augusta Magazine) By the time you finish this sentence, computer hackers from around the globe will have made at least 1,000 attempts to breach the Pentagon?s electronic wall
Cyber Shield 2015 tests Ohio's Computer Network Defense Team(DVIDS) In March members of the Ohio National Guard Computer Network Defense Team joined other National Guard states? cyber defenders here for Cyber Shield 2015, an exercise designed to develop the defensive skills of the Soldiers and Airmen tasked with securing their organizations? computer networks
Single-use Yahoo Passwords — Good or Bad?(TrendLabs Security Intelligence Blog) Yahoo recently rolled out a new way for users to access their services without entering a password. Their new system uses a cellphone to authenticate the user. Instead of entering a password, the user receives a verification code via text message on their phone. (The user would have provided their phone number to Yahoo when setting this option up.) Once the user receives this code, they enter it on the Yahoo login page and voilà!, they’re logged in
Research and Development
New mobile-malware detection technique uses gestures(IDG via CSO) Mobile malware is a growing problem, but researchers from University of Alabama at Birmingham have figured out a new way of detecting when shady mobile apps get up to no good, such as trying to call premium-rate numbers unbeknowst to a phone's owner
Mathematicians adapt Knapsack Code to take on Quantum-level Cyber Attacks(Scientific Computing) Mathematicians have designed an encryption code capable of fending off the phenomenal hacking power of a quantum computer. Using high-level number theory and cryptography, the researchers reworked an infamous old cipher called the knapsack code to create an online security system better prepared for future demands
Username, password combo may be biggest data breach problem(Fosters) Researchers at the Dartmouth College's Institute for Security, Technology, and Society (ISTS) are exploring the weak links, vulnerabilities and economies of scale that have led to the data breach epidemic, and researchers are urging organizations to eliminate the use of vulnerable legacy identity schemes based on username and passwords combinations as a method of authenticating employees and customers, replacing them with stronger identity technologies opaque to attackers
HARES: Hardened Anti-Reverse Engineering(Assured Information Security, Inc.) This paper provides a technical overview of the HARES software protection research effort performed by Assured Information Security. HARES is an anti reverse-engineering technique that uses on-CPU encryption  in conjunction with Intel x86 TLBsplitting in order to significantly increase the effort required to obtain the clear-text assembly instructions that comprise the target x86 application
US Used Zero-Day Exploits Before It Had Policies for Them(Wired) Around the same time the US and Israel were already developing and unleashing Stuxnet on computers in Iran, using five zero-day exploits to get the digital weapon onto machines there, the government realized it needed a policy for how it should handle zero-day vulnerabilities, according to a new document obtained by the Electronic Frontier Foundation
Leave Facebook if you value your privacy, says EU(Naked Security) Citizens within the European Union (EU) have been advised to close their Facebook accounts if they wish to keep their private information away from the prying eyes of the US security services
Security Clash Grows In U.S., Eases In U.K.(Seeking Alpha) Bottom line: Washington's raising of Beijing's foreign technology restrictions to the WTO and London's acceptance of Huawei equipment could add to pressure on all parties to soften their restrictive actions over use of foreign technology
Before leak, NSA mulled ending phone program(Military Times) The National Security Agency considered abandoning its secret program to collect and store American calling records in the months before leaker Edward Snowden revealed the practice, current and former intelligence officials say, because some officials believed the costs outweighed the meager counterterrorism benefits
The evolving U.S. cybersecurity landscape: what firms want to know(Lexology) Following a year of high-profile data breaches, the Securities and Exchange Commission (SEC) announced on January 13, 2015 that, for the second consecutive year, its Office of Compliance Inspections and Examinations (OCIE) priorities would include a focus on cybersecurity controls.1 The same day, the Obama Administration (Administration) announced two cybersecurity legislative proposals of importance to the financial services industry. Given this expanding focus on cybersecurity, this article: (i) addresses the results of OCIE?s 2014 cybersecurity examination sweep and discusses OCIE?s second wave of cybersecurity exams; (ii) summarizes the Administration's recent legislative proposals; and (iii) suggests questions firms may wish to consider in response to these important developments
Socom tracking money that funds violent extremists(Tampa Tribune) The issue of how violent extremist organizations get their money can't get enough attention. Especially with the growing nexus between groups like the Iranian-backed Hizballah and drug trafficking organizations, who operate in the same shadowy spaces
FBI Pleads for Crypto Subversion in Congressional Budget Hearing(Threatpost) In a House Appropriations subcommittee hearing this morning on the FBI budget for the upcoming fiscal year, FBI Director James Comey was again critical of new encryption features from Apple and Google that he claims would make it impossible for law enforcement to access the contents of mobile device communications
Chairman Wheeler Predicts FCC Will Beat Legal Challenge To Net Neutrality(TehcCrunch) Now that the FCC is the subject of several lawsuits, and its leader, Chairman Tom Wheeler, was dragged in front of Congress repeatedly to answer the same battery of inanity, it's worth checking in to see how the agency is feeling. Is it confident that its recent vote to reclassify broadband under Title II of the Telecommunications Act will hold?
Safari users win right to sue Google over secret cookies(Naked Security) In a landmark case that could determine if Google can be held accountable in the UK, Google has lost an appeal to stop the country's consumers from being able to sue over alleged misuse of privacy settings in Apple's Safari browser
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
Newly Noted Events
Cyber Risk Wednesday: The future of Iranian cyber threat (Washington, DC, USA, April 8, 2015) Join the Atlantic Council's Cyber Statecraft Initiative on April 8, from 4:00 p.m. to 5:30 p.m. for a panel discussion on the Iranian cyber threat and the potential for a drastic escalation of cyber conflicts...
SCADA Nexus 2015(Houston, Texas, USA, September 2 - 4, 2015) SCADA Nexus is an international annual event for ICS and SCADA security professionals and executives to focus on world-wide security concerns. The event is located in Houston, Texas each year at the Hilton...
Automotive Cyber Security Summit(Detroit, Michigan, USA, March 30 - April 1, 2015) The debut Automotive Cyber Security Summit will bring together CTOs, CSOs, Engineers and IT professionals from GM, KIA, Nissan, Bosch, Qualcomm and more for three days of case studies, workshops, panel...
Insider Threat Symposium & Expo(Laurel, Maryland, USA, March 31, 2015) The National Insider Threat Special Interest Group (NITSIG) announced that it will hold FREE 1 day Insider Threat Symposium & Expo (ITS&E) on March 31, 2015 in Laurel, Maryland. The symposium is exclusively...
Kansas City Secure World(Kansas City, Missouri, USA, April 1, 2015) Join your fellow security professional for affordable, high-quality cybersecurity training and education at a regional conference near you. Earn CPE credits while learning from nationally recognized industry...
Coast Guard Intelligence Industry Day(Chantilly, Virginia, USA, April 2, 2015) With a blended focus of defense, homeland security, law enforcement, criminal investigations, intelligence and cyber issues, Coast Guard Intelligence is aggressively looking to collaborate with partners...
10th Annual Cyber and Information Security Research Conference(Oak Ridge, Tennessee, USA, April 7 - 9, 2015) Cyberspace is fundamental to our national prosperity, as it has become critical to commerce, research, education, and government. Realizing the benefits of this shared environment requires that we are...
Cyber Threats Masterclass(Turin, Italy, April 9 - 11, 2015) The United Nations Interregional Crime and Justice Research Institute (UNICRI) is organizing two new courses on emerging threats towards states and citizens with the aim of promoting an in-depth knowledge...
InfoSec Southwest 2015(Austin, Texas, USA, April 10 - 12, 2015) InfoSec Southwest is an annual information security and hacking conference held in Austin, Texas, one of the most interesting and beautiful cities in the United States. By addressing a broad scope of subject-matter,...
Cybergamut Tech Tuesday: Tor and the Deep Dark Web(Elkridge, Maryland, USA, April 14, 2015) This talk will explore the use of Tor and how it relates to garnering useful intelligence. Distinguishing attribution or valuable intelligence from limited event data is difficult. Leveraging external...
NIST IT Security Day(Gaithersburg, Maryland, USA, April 8, 2014) The Office of the Chief Information Officer, OCIO, is hosting NIST IT Security Day as a means to heighten awareness for all NIST users on the many aspects of operational information technology security...
Cyber Security Summit: Industrial Sector & Governments(Prague, Czech Republic, April 14 - 15, 2015) Cyber Security Summit Europe — Industrial Sector & Governments brings together cyber security experts who will share their skills and know-how needed to address highly topical issues such as state-sponsored...
Cyber Security Summit: Financial Services(Prague, Czech Republic, April 14 - 15, 2015) Cyber Security Summit Europe — Financial Services brings together cyber security experts across the financial sector to discuss topical security vulnerabilities as well as bring forward effective...
INTERPOL World 2015(Singapore, April 14 - 16, 2015) INTERPOL World is a new biennial international security trade event which will bring police and other law enforcement agencies together with security solution providers and security professionals from...
Mid-Atlantic ISSA Security Conference 2015(Gaithersburg, Maryland, USA, April 15, 2015) Meeting at the NIST campus, this all-day event, jointly hosted by the ISSA Baltimore, DC, and Northern Virginia chapters, will have 3 concurrent tracks of security professionals discussing the current...
IIT Cyber Forensics and Security Conference and Expo(Wheaton, Illinois, USA, April 17, 2015) All are invited to participate in this multi-track, technical conference that attracts more than 200 professionals, 50 speakers, 20 sponsors, for an intensive one and a half day schedule that includes...
RSA Conference 2015(San Francisco, California, USA, April 20 - 24, 2015) Don't miss this opportunity to join thousands of industry professionals at the premier information security event of 2015
Australian Cyber Security Centre Conference(Canberra, Australia, April 22 - 23, 2015) The Australian Cyber Security Centre (ACSC) will be hosting its first cyber security conference in 2015. We are bringing leading cyber security experts from Australia and abroad to share their expertise.
Security Forum 2015(Hagenberg im Mühlkreis, Austria, April 22 - 23, 2015) The Security Forum is the annual IT security conference in Hagenberg that addresses current issues in this domain. Visitors are offered technical as well as management-oriented talks by representatives...
CyberTexas / CyberIOT(San Antonio, Texas, USA, April 23 - 24, 2015) CyberIOT — Securing the Internet of Things. As more everyday devices become connected to the internet, the need for securing those items becomes critical. CyberTexas will explore the intersection...
INTEROP Las Vegas(Las Vegas, Nevada, USA, April 27 - May 1, 2015) Attend Interop Las Vegas, the leading independent technology conference and expo designed to inspire, inform, and connect the world's IT community. In 2015, look for all new programs, networking opportunities,...
SPONSOR & SUPPORT
Grow your brand and reach new customers.
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.