The US released, publicly, revisions to the Vulnerabilities Equities Process (VEP), the policy that governs when and under what circumstances US agencies (in the Intelligence Community, for the most part, especially NSA) will disclose zero-days they discover. The principal effects of yesterday's White House announcement, which has received generally positive reviews, are said be a move toward greater transparency, more accountability, and better stakeholder representation in the process.
Observers see a recent increase in North Korean cyber op-tempo as a possible indication that Pyongyang is preparing to wage a wider cyberwar.
Questions about leaks from NSA (mostly those peddled by the Shadow Brokers) lead to speculation about a mole or moles remaining on the payroll at Fort Meade. Kaspersky Lab (hardly a disinterested party but not to be dismissed out of hand, either) releases the results of an internal study that suggests the much-discussed NSA worker's laptop that was protected by Kaspersky software was in fact riddled with other malware, and that such malicious code, not a Kaspersky security product, was the root cause of any compromise.
Armis Labs reports that Amazon Echo and Google Home are both susceptible to the Bluetooth vulnerability reported earlier this fall as BlueBorne.
Google's Play Store has seen a wave of malicious apps that have succeeded in bypassing the safeguards Mountain View has put in place to protect the store. Dr.Web, Malwarebytes, and McAfee have reported finding three new families of Android malware. ESET has discovered some multi-stage, evasive malware lurking in innocent-appearing apps.
A well-informed cybersecurity strategy is essential to keeping your organization protected, but gathering global intelligence from various sources and locations is difficult. Your organization needs a partner with deep roots in cyber threat intelligence. The LookingGlass digital library (STRATISS) of strategic intelligence reports expands your understanding of the threat landscape and delivers the intelligence your decision makers want to their fingertips. Check out our intelligence here.
ON THE PODCAST
In today's podcast we hear from our partners at Webroot, as David DuFour talks about the importance of communication with the board of directors. Our guest, Roy Katmor from Ensilo, describes how attacks unfold when they use social engineering.
Earn a master’s degree in cybersecurity from SANS(Online, November 21, 2017) Earn a master’s degree in cybersecurity from SANS, the world leader in information security training. Learn more at a free online information session on Tuesday, November 21st, at 1:00pm ET. For complete information on master’s degree and graduate certificate programs, visit www.sans.edu.
Cyber Security Summit: Los Angeles(Los Angeles, California, USA, November 29, 2017) Sr. Level Executives are invited to learn about the latest threats & solutions in Cyber Security on November 29 in Los Angeles. Register with promo code cyberwire50 for half off your admission (Regular price $350).
Google Play Store Sees Sudden Surge of Malicious Apps(BleepingComputer) The Google Play Store is seeing a wave of malware-infested apps like never before. Four separate security companies have reported —or are preparing to release reports— on malware campaigns currently underway via Android apps available on the Play Store.
Ransomware: Ordinypt erpresst deutsche Nutzer(netzwelt) Deutsche Nutzer sollten im Internet derzeit besonders vorsichtig sein. Eine Ransomware namens "Ordinypt" hat es speziell auf deutsche Nutzer abgesehen, warnen die Sicherheitsanalysten von G Data....
Patch Tuesday - Rapid7 Comment(Information Security Buzz) Microsoft has just released their patches for the month of November and Greg Wiseman, Rapid7’s Senior Security Researcher has provided his thoughts below. Greg Wiseman, Senior Security Researcher at Rapid7: “Web browser issues account for two-thirds of this month’s patched vulnerabilities, with 24 CVEs for Edge and 12 for Internet Explorer being fixed. Many of these are …
Oil and Gas Cybersecurity Conference Yields New Insights(Journal of Petroleum technology) Operators, vendors, academics, and government officials offered new insights into meeting the growing incidence of cyber-threats across the industry during the 12th Annual American Petroleum Institute Cybersecurity Conference on 7–8 November in The Woodlands, Texas.
Cybercom Challenges Industry: Be Agile, Precise(U.S. DEPARTMENT OF DEFENSE) At U.S. Cyber Command’s first-ever industry day, Cybercom leaders briefed nearly 400 members of private industry about the command’s acquisition priorities at the National Geospatial-Intelligence
Oxygen Forensic® Detective X Launches with New WhatsApp Extraction Features(Oxygen Forensics) Oxygen Forensics, a worldwide developer and provider of advanced forensic data examination tools for mobile devices, cloud services and drones, today announced that its new flagship product, Oxygen Forensic®® Detective X (version 10), which contains the industry-leading Oxygen Forensic®® Cloud Extractor, has added new WhatsApp extraction features.
SonicWall Launches New Lineup Of Professional Security Services(Channel Partners) Through the Partner Enabled Services Program, partners are vetted, granted status as a SonicWall Authorized Services Partner and given access to training, tools, sales, marketing and technical resources aimed at helping them deliver the new services.
FACT SHEET: Vulnerabilities Equities Process(White House) The newly released Vulnerabilities Equities Process (VEP) Charter spells out how the Federal Government will handle the process that determines whether the Government will notify a private company about a cybersecurity flaw in its product or service or refrain from disclosing the flaw so it can be used for operational or intelligence gathering purposes.
Vulnerabilities Equities Policy and Process for the United States Government(White House) This document describes the Vulnerabilities Equities Policy and Process for departments and agencies of the United States Government (USG) to balance equities and make determinations regarding disclosure or restriction when the USG obtains knowledge of newly discovered and not publicly known vulnerabilities in information systems and technologies.
White House releases new VEP charter(Open Policy & Advocacy) This morning, the White House released a new version of the Vulnerabilities Equities Process (VEP). We want to thank Rob Joyce, and the rest of the NSC staff working on ...
All’s fair in cyberwar(Korea JoongAng Daily) What got President Park Geun-hye interested in “cyber defense” was a short briefing by Korea University professor and cryptology expert Lim Jong-in. When he had three minutes in the 30-minute Ministry of National Defense report to the Blue House in J
Business Cybersecurity Letter(Commonwealth of Pennsylvania Department of Banking and Securities) Deliberate cyberattacks and cyberthreats pose substantial risk to Pennsylvania’s financial infrastructure and national security.
Assange isn’t a dreamer, he’s a destroyer(Times) I remember when Julian Assange was the coolest thing on the planet. Back in 2010, on his first visit to London after his Wikileaks organisation revealed secrets of the US war on terror, I debated...
For a complete running list of events, please visit the Event Tracker on the CyberWire website.
Newly Noted Events
cyberSecure(New York, New York, USA, December 4 - 5, 2017) cyberSecure is a unique cross-industry conference that moves beyond the technology of cyber risk management, data security and privacy. It brings together corporate leaders from multiple function areas...
The 3rd Annual Billington INTERNATIONAL Cybersecurity Summit(Washington, DC, USA, November 21, 2017) The 3rd Annual Billington International Cybersecurity Summit on March 21 in Washington, D.C. at the National Press Club, will attract over 400 attendees at the leading forum on global cybersecurity in...
Aviation Cyber Security(London, England, UK, November 21 - 22, 2017) Join us on November 21/22 in London, England for the Cyber Senate Aviation Cyber Security Summit. We will address key issues such as the importance of information sharing and collaboration, supply chain...
Global Conference on Cyberspace (GCCS)(New Dehli, India, November 23 - 24, 2017) The Global Conference on Cyberspace (GCCS) aims to deliberate on the issues related to promotion of cooperation in cyberspace, norms for responsible behaviors in cyberspace and to enhance cyber capacity...
AutoMobility LA(Los Angeles, California, USA, November 27 - 30, 2017) The Los Angeles Auto Show Press & Trade Days and Connected Car Expo have MERGED to form AutoMobility LA, the new auto industry’s first true trade show. Register to join us in Los Angeles this November.
INsecurity(National Harbor, Maryland, USA, November 29 - 30, 2017) Organized by Dark Reading, the web’s most trusted online community for the exchange of information about cybersecurity issues. INsecurity focuses on the everyday practices of the IT security department,...
INsecurity(National Harbor, Maryland, USA, November 29 - 30, 2017) INsecurity is for the defenders of enterprise security—those defending corporate networks—and offers real-world case studies, peer sharing and practical, actionable content for IT professionals grappling...
Cyber Security, Oil, Gas & Power 2017(London, England, UK, November 29 - 30, 2017) ACI’s Cyber Security - Oil, Gas, Power Conference will bring together key stakeholders from energy majors and technology industries, to discuss the challenges and opportunities found in the current systems.
Cyber Security Summit Los Angeles(Los Angeles, California, USA, November 30, 2017) If you are a Senior Level Executive responsible for making your company’s decisions in regards to information security, then you are invited to register for the Cyber Security Summit: Los Angeles. Receive...
cyberSecure(New York, New York, USA, December 4 - 5, 2017) cyberSecure is a unique cross-industry conference that moves beyond the technology of cyber risk management, data security and privacy. Unlike other cybersecurity events, cyberSecure brings together corporate...
Grow your brand and increase your customer base by educating our audience about your products, services, and events by advertising on The CyberWire. We’ve built trust with an influential (and often hard to reach) audience of CISOs, CSOs, and other senior execs in the security space, across a wide array of industry verticals. Learn more.
Be a part of the CyberWire story.
People ask us (a lot) how they can support what we do. We have our sponsorships and services, of course, but those are not always within every supporter's financial reach, or it might just not be the right time for you to do those things. That's why we launched our new Patreon site, where we've created a wider variety of support levels, each with some new benefits. Our patrons are important to our future, and we hope you'll consider becoming one. We invite you to become part of the CyberWire story. Become a patron today.