
The CyberWire Daily Briefing for 11.5.2012
Anonymous commemorated Guy Fawkes yesterday with a wave of attacks on firms and agencies worldwide. The hacktivists' claims are still being sorted out, but Symantec, VMWare, Telecom Italia, and the UK Ministry of Defense appear to be among the victims.
Co-located virtual machines are found vulnerable to a side-channel attack that steals crypto keys. More VMWare ESX source code is leaked online. North Carolina State researchers find an Android smishing (phishing via SMS) vulnerability. Malware targeting Android (and, surprisingly, Nokia's practically abandoned Symbian OS) becomes more prevalent.
More commentary on belated disclosures of compromises: Coca Cola and Chesapeake Energy concealed successful hacks from investors (apparently at law enforcement's request). Oddly, companies are surprised that laid-off employees would steal data as they're shown the door. The US elections today prompt observers to warn about cyber voting fraud and various election-related phishing capers (and other observers sensibly point out that voting fraud is as old as voting).
Mozilla's Firefox will henceforth enforce HTTPS more stringently. Sophos warns of a vulnerability in its security software and plans to issue a patch later this month.
Australia bucks global trends toward increased BYOD adoption. Canada's Communications Security Establishment says "Made in Canada" is no panacea for network security. A surprising entry into the cyber marketplace occurs in Maryland as armored car company Dunbar announces its expansion into cyber security services. Virtualization and cloud migration feature in IT cost-cutting case studies.
US cyber policy moves closer to public-private collaboration. Germany revives its controversial Internet monitoring effort.
Notes.
Today's issue includes events affecting Australia, Canada, China, Estonia, Germany, India, Republic of Korea, Singapore, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
What's up with the Anonymous hackfest? (Network World) Hackers apparently linked to the hacktivist group Anonymous today kept up a hacking spree to dump data they said they stole from Symantec, VMware, PayPal, Hyundai, and the U.S. Department of Energy and Transportation, among others. Symantec says it's still "investigating the recent claims made online regarding the security of our networks," and adds that it has found "no evidence that customer information was exposed or impacted," and "will continue to monitor the situation and aggressively investigate these and any related claims." But at least one other security vendor that's looked at the data dumped online says it does seem to be Symantec employee names and password hashes
Telecom Italia Hacked by Anonymous, 30,000 Credential Sets Stolen (Softpedia) Anonymous hacktivists claim to have breached the systems of Telecom Italia, Italy's largest telecommunications company. The hacktivists have stated that the organization's systems are plagued by over 3,000 vulnerabilities and errors that can be leveraged by third parties to access sensitive information. The hackers say they've gained access to over 30,000 credential sets, including social security numbers, social insurance numbers and user passwords
Hackers Dump 3,400 Accounts Allegedly Stolen from UK Ministry of Defence Site (Softpedia) The controversial hacker collective known as NullCrew claims to have breached the website of the Queen's Harbour Master (QHM.mod.uk), a domain operated by the United Kingdom's Ministry of Defence
Various Australian sites hacked by Anonymous (E Hacking News) Earlier today we reported that the Australian entertainment site GreekCity was hacked by Anonymous. As part of the Nov 5 protests, Australian Anonymous hackers have attacked more Australian websites. The affected sites include Fremantle Arts Centre
PayPal, Symantec, ImageShack, NBC targeted in hacking spree (Help Net Security) The last few days have witnessed a flurry of activity and data leaks from several hacker groups. Anonymous has leaked VMware's ESX Server kernel source code online, and the veracity of the claim
PayPal Denies It Was Hacked By Anonymous (Dark Reading) Hacktivist group claims multiple breaches on Guy Fawkes Day; NBC, Lady Gaga site defaced
Side-Channel Attack Steals Crypto Key from Co-Located Virtual Machines (Threatpost) Side-channel attacks against cryptography keys have, until now, been limited to physical machines. Researchers have long made accurate determinations about crypto keys by studying anything from variations in power consumption to measuring how long it
VMware ESX Source Code Leaked Online -- Again (Dark Reading) A hacker has made source code for VMware's ESX hypervisor available for download. More source code for VMware's ESX hypervisor technology has been leaked onto the Internet
Android Smishing Vulnerability Found in Android Open Source Project Firmware (Threatpost) A vulnerability discovered in the Android Open Source Project enables malicious applications to send SMS messages without user permission across all recent Android platforms. While no exploits are active in the wild, one could be built that could be at the center of various SMS phishing, or smishing, attacks, said Xuxian Jiang, associate professor in the North Carolina State University computer science department
Android, Symbian Malware on the Rise (Threatpost) Yes. You read that headline correctly. F-Secure is talking about the beleaguered and nearly defunct Symbian operating system, upon which Nokia halted nearly all development in February before announcing that it had been put in maintenance mode in September. Despite a nearly 63 percent drop in shipments of Symbian devices in the second quarter of this year and its modest 4.4 percent share of the global smartphone market, Symbian was the new home for 21 variants of malware in Q3, up 17 percent from Q2
Image-stealing malware might lead to blackmailing attempts (Help Net Security) Information-stealing malware targeting random computer users is usually geared towards stealing passwords and financial information by logging pressed keys and taking screenshots
Coca-Cola investors kept in dark after hacking incident (National Post) Chesapeake Energy Corp. also kept mum after cyber attackers made off with files from its investment banking firm about natural gas leases that were up for sale. Each of these cases was detailed to Bloomberg News either by people involved
Data theft a big issue in layoffs (Fierce Finance IT) Layoffs used to be a rather cut-and-dried affair. Banks would round up employees, maybe give them some time to gather up their personal belongings, and then escort them out. Or they might call a meeting to inform employees that they are being let go, and while they are meeting, have their belongings packed up for them and moved outside of the building
UK organisations fail to address social networking risk (Computer Weekly) Unguarded corporate social media accounts are leaving companies exposed to serious security breaches, a survey of more than 1,000 senior UK executives has revealed. Most respondents (87%) said they use social media strategies to enhance their business, but 45% said they had experienced a security scare as a direct result in the past year, according to the survey by OnePoll on behalf of KPMG. Security scares ranged from a complaint campaign that affected the company's operations or reputation, to a leak of company-sensitive information from an internal source
China Most Threatening Cyberspace Force, US Panel Says (Businessweek) The commission in March released a report by Northrop Grumman Corp. (NOC) that concluded China's cyber capabilities are advanced enough to disrupt U.S. military operations during a conflict over Taiwan. The draft report cites the Northrop Grumman study
Beyond Stuxnet: Preparing for Internet Armageddon (Computer World) Could sophisticated denial of service attacks against American telecommunications carriers and ISPs, perhaps backed by the resources of a hostile foreign power, take down the Internet in the U.S.? During an interview for this week's Computerworld cover story (After Stuxnet: The new rules of cyberwar), AT&T chief security officer Ed Amoroso said it hasn't happened yet, but "we need to be prepared" for the possibility that segments of the Internet backbone could be overwhelmed. The threat is growing in both scale and sophistication. Where AT&T had two people dealing with occasional distributed denial of service (DDoS) attacks a few years ago, it now has upwards of 60 full-time staff fighting off a continuous onslaught, Amoroso says
What to watch out for on Election Day (Internet Storm Center) Today (Tuesday) is election day in the US. Many voters have already cast their ballot via absentee and early voting, but the vast majority will vote today. Like any major event, this is likely going to be used and abused in some way online. Here are some of the network security related issues to watch out for
Security Researchers Warn New Jersey's Emergency Email Voting Could Be An Insecure, Illegal Nightmare (Forbes) New Jersey's decision to allow voters stranded by superstorm Sandy to vote by email in Tuesday's election may be an innovative experimental response to a badly-timed natural disaster. But security researchers are warning that the unprecedented move could leave another, more political storm in its wake. Over the weekend, New Jersey's lieutenant governor Kim Guadagno announced that voters in some Sandy-hit sections of the state could apply by email for a ballot, fill it out at home, scan it, and email it to voting officials, a measure designed to accommodate voters stranded by storm damage and unable to reach polling places
Election sabotage: A threat much older than hacked e-voting (CSO) Ever since the debacle that was Election 2000, concerns over the accuracy and security of e-voting continue to preoccupy. But history is littered with hints of sabotage that predate the invention of these machines
Security Patches, Mitigations, and Software Updates
Mozilla Adding More Stringent HTTPS Enforcement to Firefox (Threatpost) Mozilla is adding an extra layer of security in its Firefox browser by implementing HTTP Strict Transport Security (HSTS), a mechanism that will force some sites into establishing a secure, HTTPS connection with the browser if it's presented with the right certificate
Sophos products and Tavis Ormandy (Naked Security) As a security company, keeping customers safe is Sophos's primary responsibility. As a result, Sophos experts investigate all vulnerability reports and implement the best course of action in the tightest time period possible. Recently, researcher Tavis Ormandy contacted Sophos about an examination he had done of Sophos's anti-virus product, identifying a number of issues
Cyber Trends
Survey: Half Of Small Biz Not Familiar With PCI Compliance (Dark Reading) New research from ControlScan and Merchant Warehouse underscores need to better educate and support Level 4 merchants' PCI compliance efforts
Cyberheists A Helluva Wake-up Call to Small Biz (KrebsonSecurity) The $180,000 robbery took the building security and maintenance system installer Primary Systems Inc. by complete surprise. More than two dozen people helped to steal funds from the company's coffers in an overnight heist in May 2012, but none of the perpetrators were ever caught on video. Rather, a single virus-laden email that an employee clicked on let the attackers open a digital backdoor, exposing security weaknesses that unfortunately persist between many banks and their corporate customers
Gartner says EMEA IT spending will grow (Help Net Security) IT spending in Europe, the Middle East and Africa (EMEA) will reach $1.154 trillion in 2013, a 1.4 percent increase from 2012 projected spending of $1.138 trillion, according to Gartner
The Perfect Storm: Managing Identity and Access in the Cloud (BankInfoSecurity.com) The Cloud Security Alliance, the not-for-profit organization dedicated to best-practices in the cloud, recently released new IAM guidance
Future Clouds Will Be Safe, Says Symantec (Windows IT Pro) Can the cloud provider's security match on-premises security
Cyber Priorities Still Trump Big Data, Cloud And Mobile, Study Finds (AOL Government) That was borne out in the findings in a new study released today by a consortium of 18 leading technology providers, known as the Lockheed Martin Cyber Security Alliance. Polled on which initiatives were the top priorities for their agencies, 85% of
White Paper: Cyber Security and Mobility Highest Priorities for Government (Sacramento Bee) Lockheed Martin (NYSE: LMT) and its Cyber Security Alliance partners today announced the results of a collaborative cyber security survey in a new white paper titled "Cyber Security and Transformational Technologies – Keeping Systems and Data Safe"
Australian IT support for BYOD wanes (Fierce Mobile IT) Bucking an international BYOD trend, IT support for BYOD in Australia is waning, according to new research by Forrester
Marketplace
Pentagon Arms Buyer Sees Deal By Congress To Delay Spending Cuts (Reuters) The Pentagon's top arms buyer on Monday said he expected U.S. lawmakers to agree in coming weeks to delay implementation of an additional $500 billion in automatic defense spending cuts that are due to start taking effect in January. Undersecretary Frank Kendall said the Defense Department had begun early planning for the process known as sequestration, which would cut the military's budget by an extra $50 billion a year, on top of over $50 billion in annual cuts already on the books
Made in Canada not a perfect solution to secure new email system, cyber spook says (Montreal Gazette) No matter where the pieces of a new federal email system are built or developed, any commercial product will come with vulnerabilities that could allow hackers to find a way into the government's systems, Canada's top cyber spies say. High-ranking officials in the Communications Security Establishment, the government's ultra-secretive cyber-security agency, told a Senate committee Monday that it will help evaluate every piece of hardware that will go into the government's new email system. The department responsible for the system, Shared Services Canada, has already invoked national security provisions for the purchase of the system that will service more than 40 of the government's heaviest IT-dependent departments
Dunbar to launch division to armor websites against cyber criminals (Baltimore Sun) Hunt Valley company ventures into cybersecurity for banks, retailers. Dunbar Armored has been in the armored-car business for nearly 90 years. But the Hunt Valley-based company now is branching into a new way to protect banks' and businesses' money and valuables: cybersecurity
Lumension Announces The Completed Acquisition Of CoreTrace Corporation (Dark Reading) Acquisition strengthens Lumension's software capabilities, patent/IP portfolio
KEYW profits rise $236M in 3rd Q (CapitalGazette.com) Hanover cyber security firm KEYW Holding Corp.'s profits rose by $236 million in the third quarter of 2012 compared to the same time in 2011
Qualys Inc.: Qualys Announces Third Quarter 2012 Financial Results (4-Traders) Revenue Growth of 21% Year-Over-Year; GAAP EPS of $0.06, Non-GAAP EPS of $0.10; Cloud Platform Expansion Continues to Drive Growth. Qualys, Inc. (Nasdaq:QLYS), a pioneer and leading provider of cloud security and compliance solutions, today announced financial results for the quarter ended September 30, 2012. For the quarter, the Company reported revenues of $23.4 million
US banks walk away from struggling BlackBerry (Finextra) American banks are ditching planned BlackBerry apps as the Canadian brand's market share tumbles in the face of Apple's iPhone and Google's Android, according to Keynote Systems. Chase Bank comes out on top of the Keynote mobile banking scorecard, for its second consecutive win, ahead of Wells Fargo and Bank of America. BB&T has been crowned the winner for text banking, Wells Fargo for mobile Web, Chase for iPhone and BlackBerry apps and Bank of America for its Android app
SAP goes mobile (Fierce Mobile IT) Business management software giant SAP wants to leave the desktop and go mobile, according to Sanjay Poonen, who heads the company's mobile division. Poonen told Business Insider that his firm is focusing on mobile apps and cloud services in order to double the number of software users by 2015. As part of this mobility effort, SAP is revamping many of its enterprise apps to run on mobile devices
Profile: Matthew McCormack, DIA CISO (ExecutiveGov) He also advises the agency's director and chief information officer on information assurance and cybersecurity matters and supports the agency's responsibilities in this area as defined in national, defense and intelligence community policies
SAIC Names Tony Moraco, John Jumper CEOs for New Companies (Govconwire) As part of plans to separate into two independent publicly-traded companies, Science Applications International Corp. (NYSE: SAI) announced Monday an initial set of executive appointments for both firms. By the second half of fiscal year 2014, one company will focus on science and technology in the national security, health and engineering sectors while the other
Products, Services, and Solutions
Cyber security firms looking for students who pass government clearances (Baltimore Business Journal) …Part of the problem is that many students are not aware that their Facebook, Twitter and other social networking accounts can be part of a government background check, said Rick Geritz, chair
ICS-CERT issues search engine and exploit tool alert to critical infrastructure operators (Fierce Government IT) Operators of industrial control systems should be aware that hacktivists have at their disposal search engines that identify Internet-connected systems typically overlooked by mainstream web crawlers as well as easy-to-access low cost or free exploit tools, says the Homeland Security Department
Top tools for BYOD management (IT World) When we tested mobile device management (MDM) last year, the products were largely focused on asset management - provisioning, protecting and containing mobile devices
Developers praise Windows Phone 8 SDK, but virtualization and upgrades rankle (IT World) Tools vendors like greater capabilities SDK brings to smartphone apps, even if new PCs are needed to test code
Standard Chartered Singapore embeds security tokens in cards (Finextra) Standard Chartered Bank's Singapore unit has unveiled a payment card featuring an embedded security token for online transactions. Earlier this year the Association of Banks in Singapore (ABS) outlined plans to start issuing online tokens with enhanced features such as "transaction signing" as part of an industry-wide security push. Standard Chartered says that it is first out the blocks, giving online and mobile banking customers the option to replace their existing credit, debit or ATM cards with the security-token one
How to make big data more useful, reliable and fast (GCN) Government IT managers are looking for tools that make it easier to identify meaningful patterns and statistical trends in far-flung data sets. At the same time, these tools must work well with other technologies in order to help analysts make decisions in real-time. Splunk, a firm that offers tools for collecting and analyzing machine data generated by back-end IT systems, is looking to address these concerns by bringing real-time operational intelligence to big data storage and batch processing
Data Protection in Cloud Applications Thanks to Utimaco's Flexible HSM (The Herald) In line with Utimaco's theme "As unique as you are", the HSMs are so flexible that they make nearly every cloud application significantly more secure, which is achieved by leveraging applied cryptography. "Data protection and compliance are key needs
PHD Virtual unveils enterprise backup solutions (Help Net Security) PHD Virtual Technologies announced their solutions are well-suited for large enterprise environments as well as small businesses with growing data storage, backup and recovery needs
Protect web browsing sessions on iOS devices (Help Net Security) Quarri Technologies released Quarri Protect On Q (POQ) Mobile for iOS, a web information security solution that enables organizations to protect and control end-user web browsing sessions on iOS devices
New Facebook users will be educated on privacy (Help Net Security) Facebook has announced that when signing up for the social network, new users will be subjected to a more prominent and detailed education about privacy and information sharing
Android vs iOS vs BlackBerry: Which is the most secure holiday gift? (CSO) Which smartphone and tablet OS provide the best security? Steve Hunt and Neohapsis provide a guide for holiday gift-givers. As the holiday season approaches, smartphones and tablets are some of the most in-demand items for anyone with even a hint of gadget love in their DNA. Coverage of these exciting new tools is full of hype about new features (SIRI) and also new fears (Carrier IQ)
Crapware Lives On Windows 8 (InformationWeek) Windows 8 is a clean slate in many ways. But one scourge that is not gone is crapware, a.k.a. bloatware, junkware, trialware, and stupid games that drag down the performance and experience of so many Windows PCs. We asked Acer, Toshiba, Dell, Samsung and Lenovo what they preload on their Windows 8 systems. Some PCs are cleaner than others. The surprise? A Microsoft store might be the best place to buy
Windows Phone 8: 5 BYOD Considerations (InformationWeek) Windows Phone 8 could be a player in the enterprise. These five factors will be key to its success
Quarri Extends Mobile Web Browser Protection to iOS Devices (Virtual-Strategy) Quarri Technologies, a security software company that empowers organizations to keep their sensitive data secure, today announced the release of Quarri Protect On Q Mobile for iOS, the only web information security solution that enables organizations to protect and control end-user web browsing sessions on Apple iOS devices. Protect On Q (POQ) Mobile for iOS provides malware protection and prevents unauthorized copying and saving of information delivered via browsers on iOS smartphones and tablets to prevent confidential data from residing on end-user devices
Does Snapchat offer safe sexting from smartphones, or a false sense of security? (Naked Security) Millions of teenagers have adopted a smartphone app which has been touted as a way of safely "sexting" and sharing photos
Technologies, Techniques, and Standards
Preventing Infrastructure From Becoming An Insider Attack (Dark Reading) Vulnerable technology supply chains have become a concern of security professionals and politicians alike, but a few steps could help minimize the possibility of attacks. From foreign-built routers and laptops to open-source software, vulnerable technology supply chains have become a concern of security professionals as well as government officials
NARUC on cyber sec, Part Two: maintaining vigilance (Intelligent Utility) Association's focus remains awareness, education. Yesterday we featured the first part of this two-part Q&A with Commissioner Terry Jarrett of the Missouri Public Service Commission, who also chairs the Committee on Critical Infrastructure at the National Association of Regulatory Utility Commissioners (NARUC). (See "NARUC on Cyber Sec: Maintaining Vigilance.") Jarrett answered questions on the role of his committee and NARUC in ongoing cyber security practices, as well as the critical role of training for regulators and their staff
The Perfect Storm: Managing Identity & Access in the Cloud (BankInfoSecurity.com) The Cloud Security Alliance, the not-for-profit organization dedicated to best-practices in the cloud, recently released new IAM guidance
Overcoming the 'Forgetting Curve': How to Improve Passwords (Security Sceptic) Colleague Lance Spitzner wrote an interesting post at Securing The Human titled, The Forgetting Curve - The Importance of Reinforcement. In the post, Lance discusses the Forgetting Curve research by Hermann Ebbinghaus in 1885. Many of us have come into contact with this research, which postulates that humans tend to forget half of newly acquired knowledge in a matter of days if they don't make an effort to review what they'd been taught or presented
Passwords are the Weak Link in IT Security (CIO) Passwords weren't the only fail in last summer's widely publicized "epic hack" of tech journalist Mat Honan -- Amazon, Apple and, to a lesser extent, Google and Honan himself share the blame. But passwords played a part in the perfect storm of user, service provider and technology failures that wiped out Honan's entire digital life. As he concluded in his account of the hack, "Password-based security mechanisms -- which can be cracked, reset and socially engineered -- no longer suffice in the era of cloud computing." The problem is this: The more complex a password is, the harder it is to guess and the more secure it is. But the more complex a password is, the more likely it is to be written down or otherwise stored in an easily accessible location, and therefore the less secure it is. And the killer corollary: If a password is stolen, its relative simplicity or complexity becomes irrelevant
German public sector firm BAG beat data woes with storage virtualisation (Computer Weekly) For the German Federal Office for Freight Transport - BAG - data management was becoming a big problem. As a limited budget forced the IT team to do "more with less", it turned to storage virtualisation to beat data challenges in a cost-effective way
When IT Becomes A One Man Show (InformationWeek) Investment firm Hearthstone laid off its IT team during the economic downturn. CTO Rob Meltz turned to cloud services and virtualization to keep the business running and growing
Smartphone Anti-Theft Database: What's Enterprise Impact? (InformationWeek) Major U.S. phone carriers hope their new database will deter thieves. But experts say the plan won't soothe many enterprise data security concerns
Design and Innovation
For Longer Battery Life, Dumb Down Phones (IEEE Spectrum) Lobotomizing mobile phones would help conserve power in times of trouble—and normal times, too
Scottish-based research to help tackle e-crime (hw.ac) Using quantum physics and tiny light particles to foil hackers and online criminals may sound like the stuff of Bond movies and sci-fi thrillers, but scientists have now successfully demonstrated how to protect finance, retail and other sectors from crippling e-crime. Physicists at Heriot-Watt University and University of Strathclyde have worked with tiny particles of light to create a new way of verifying electronic messages and transactions as authentic, helping address the huge cost of e-crime (205.4 million in 2011/12 for the UK retail sector alone) and avoiding potentially catastrophic fraud, online hacking and theft of digital data
Imagine iPad, Mac Combined (InformationWeek) Apple's and Google's efforts at mobile devices treat them as a completely new and separate class of devices. Even before them, Microsoft did essentially the same thing with Windows Mobile. Yes, it used the name "Windows" and there were superficial similarities to the real Windows in the UI and the programming, but they didn't fool anybody. Microsoft's great, bold gamble with Windows 8 is that combining tablets and PCs into one class of devices is a winning approach that users will love. At this point we just don't know if consumers will buy in, but if they do, Apple has a big problem. Mac OS and iOS are vastly different beasts. They can't easily take the same approach
Can Technology Help Your Community (Peace Corps) The Peace Corps Innovation Challenge is a global collaboration to develop technology-based solutions to challenges faced by people in the developing world
Research and Development
Science Monday: Why We Can't Predict Everything (IT World) Why Einstein didn't like quantum mechanics
Sandia Labs partners with Northrop Grumman, GE (R&D Magazine) The umbrella CRADAs, which enable Sandia and its partners to pursue multiple projects in a variety of categories, are with Northrop Grumman Information Systems and General Electric Global Research
Lawrence Livermore National Laboratory Wins 2012 National Cybersecurity Innovation Award (Sacramento Bee) The innovation: Combating cyber attacks through real-time sharing of a Master Block List (MBL). The Department of Energy's Lawrence Livermore National Laboratory (LLNL) has won a 2012 U.S. National Cybersecurity Innovation Award for proving that defenders can work together to improve security by combating advanced persistent threats through real-time sharing of reputation data in an operational Master Block List (MBL). Multiple Department of Energy labs and plants actively share block information through the MBL tool
Academia
Registration open for 2013 Cyber Analyst Training Programs at Auburn (WLTZ 38 NBC) The eight-week program combines training in critical thinking, briefing and writing skills with National Security Agency-approved Information Assurance courses. "The Cyber Analyst Program at Auburn provides the training needed to address the cyber
Legislation, Policy, and Regulation
Global cooperation must for cyber security: Kapil Sibal (The Economic Times) India has stressed upon the need for greater cooperation and exchange of information among nations to enhance cyber security and to address issues related to the management of the Internet
Report: Draft WH Cyber Order Would Encourage Govt, Private Sector Info Sharing (ExecutiveGov) Citing the Associated Press, Nicole Blake Johnson writes that the executive order will also put the Department of Homeland Security in charge of coordinating with the Pentagon, National Security Agency and other agencies to develop a program for
Governments and companies band together to push cyber protections (Nextgov) Led by a 34-year veteran of the National Security Agency, the Consortium for Cybersecurity Action is proposing a set of 20 proven security controls for automatically immunizing computer systems. "This is about priority," said Tony Sager, who in June
Ex-NSA Official Heads New Global Consortium Issuing Attack-Driven Security (Dark Reading) The Consortium for Cybersecurity Action (CCA) also updated the 20 Critical Security Controls that originated from initial work by the National Security Agency (NSA), with security steps to combat advanced persistent threat (APT)-type attacks
Sharing Cybersecurity to Protect Critical Services (SIGNAL) Efforts to reduce barriers to information sharing in the cyberworld have met with criticism, but some in industry are emphasizing the necessity of swift action
After Stuxnet: The new rules of cyber war (InfoWorld) Michael Hayden, principal at security consultancy The Chertoff Group, was director of the National Security Agency, and then the CIA, during the years leading up to the event. "I have to be careful about this," he says, "but in a time of peace, someone
Wanted: German security developers for new, homegrown spyware (Ars Technica) Older spyware was revealed and suspended in 2011, Berlin says new one is coming. Despite causing a minor political scandal in Germany last year, the government-created "state trojan" program appears to be going strong
Here's What It Looks Like When You're Entered Into A Department Of Homeland Security Data Fusion Center (Business Insider) Starting in 2003, the Department of Homeland Security (DHS) set up a vast network of what it calls "local data fusion centers," 77 in total (or maybe 68, the DHS isn't even sure) — in the hopes of producing solid intelligence on potential terrorists
Cybersecurity: Obama vs. Romney (Bank Info Security) Regardless of who wins the U.S. presidential election, cybersecurity will be a top administration priority. What remains uncertain is how a President Romney would differ from a second-term President Obama on his approach to IT security over the next four years
7 Technologies That Will Make It Easier for the Next President to Hunt and Kill You (Wired Danger Room) Robotic assassination campaigns directed from the Oval Office. Cyber espionage programs launched at the president's behest. Surveillance on an industrial scale. The White House already has an incredible amount of power to monitor and take out individuals around the globe. But a new wave of technologies, just coming online, could give those powers a substantial upgrade. No matter who wins the election on Tuesday, the next president could have an unprecedented ability to monitor and end lives from the Oval Office
5 Election-Day Decisions That Will Impact Startups and the Web (Wired Business) There is more than the race for president that will impact business. We've identified three city and state measures, as well as two races for elected office whose outcomes are likely to affect startups, some very large tech companies and
UK government adopts IT open standards policy (Fierce Government IT) All U.K. national government departments and their agencies are now required to comply with open standards principles outlined in a Nov. 1 document from the Cabinet Office. The open standards policy promotes the use of interoperable information technology systems, data and document formats
New Jersey's ill-considered decision to permit email voting (Fierce Government IT) In the face of turmoil caused by Hurricane Sandy, a decision by the New Jersey state government to permit those who have been displaced by the storm to submit their votes by email in the Nov. 6 election is a well-intentioned one
California measure would ban anonymous online speech for sex offenders (Ars Technica) Civil liberties groups say Proposition 35 is a "dangerous legislative model"
Litigation, Investigation, and Law Enforcement
Attorney Adds Security Company, State IT Department to Data Breach Lawsuit (Threatpost) A former South Carolina lawmaker has added the data security firm Trustwave and the state's technology department to a lawsuit filed in the wake of a massive data breach at the state's Department of Revenue. The Associated Press reports attorney John Hawkins in an amendment claims Trustwave "violated and failed to comply with the duties imposed upon them to encrypt data and to expeditiously disclose the breach of security
Apple Vs Motorola Mobility: U.S. Judge Dismisses Apple Patent Licensing Lawsuit (TechCrunch) A judge in a U.S court has dismissed a case brought by Apple against Google-owned Motorola Mobility. Apple had complained Motorola was seeking excessive royalties for standards-essential patents. It's another small blow for Apple in its legal war against Android. The patents in question are among the 17,000 acquired by Google when it bought Motorola Mobility last year.
KAPO not to launch criminal proceedings into cyber attack case (Baltic Business News) KAPO has said before that it has identified the individuals who organized a cyber attack against Estonian government websites on October 12 and said that the key person was an underaged person from Vaike-Maarja. According to Harry Puusepp, press
EFF teaches how to file FOIA requests (Help Net Security) The Electronic Frontier Foundation (EFF) has announced a new project that should make it easier for interested parties to search for information the organization received following their Freedom of Information Act
U.S. banks not in position to spot reported flow of dirty money from China, sources say (Trust) There is little that U.S. banks can do to stem the torrent of corruption funds and other illicit money that is reportedly flowing out of China, sources told Compliance Complete. Because U.S. banks may clear related transactions but generally do not have customer relationships with the Chinese originators, "it's going to be awfully difficult for them to detect capital flight or the proceeds of corruption," said Peter Djinis, a former regulatory policy official with the U.S. Treasury Department's Financial Crimes Enforcement Network (FinCEN). "There are more concrete steps you can take when you have an account relationship, because then all the due diligence steps that kick in for private banking would apply, including looking at the nature, amount and source of the funds and trying to identify if they are a politically exposed person," he said
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
TechExpo Cyber Security Careers (Columbia, Maryland, Nov 1, 2012) Profit from presentations by leading industry figures and networking opportunities designed for serious job-seekers.
Anatomy of an Attack (New York, New York, Nov 15, 2012) Join Sophos security experts in exploring how threats like malware, Trojans, worms and spyware actually work and what you can do to protect your company, even if you're on a tight budget.
ZeroNights (Moscow, Russia, Nov 19 - 20, 2012) ZeroNights is an international conference dedicated to the technical side of information security. The mission of the conference is to disseminate information about new attack methods, threats and defense tools. Another purpose is to create a communication venue for skilled professionals in the field of information security.
Digital Security Summit (Riyadh, Saudi Arabia, Dec 1 - 2, 2012) A major conference to discuss the growing threat to digital security in the Middle East, especially in Saudi Arabia.
Passwords^12 (venue and date not listed) Passwords^12 is a 3-day conference only about passwords & PIN codes. With an "all-star" cast of speakers, including Joan Daemen (AES/SHA3), Jens Steube (alias "atom", hashcat author), Colin Percival (CSO FreeBSD, inventor of scrypt), Simon Marechal (John the Ripper co-developer), Frank Stajano (Cambridge) and many more, this will be the premier event for everything and anything related to password security. Passwords^12 is the first and only conference of its kind, bringing together academic institutions, researchers and security professionals from around the world. It's a not-for-profit and non-commercial conference. No sales personnel, no marketing managers and deep technical talks.
CIO Cloud Summit 2012 (venue and date not listed) The CIO Cloud Summit will help C-level executives better understand the true capabilities of cloud computing and the transformational opportunities it can bring.
BayThreat (Sunnyvale, California, Dec 7 - 8, 2012) The theme for BayThreat is a new spin on the dichotomy of attacking and defending in information security. We're calling out all of the attackers and defenders that are on the front lines of the battle.
e-Crime Congress 2013 (London, England, Mar 12 - 13, 2013) The e-Crime Congress is designed to meet the needs of key stakeholders and decision makers who are responsible for designing and coordinating information security and risk management strategy, safeguarding digital assets and sensitive information, protecting customers, defending against internal or external threats and responding to incidents.
The Future of Cyber Security 2013 (London, England, UK, Mar 21, 2013) Cyber Security and the Citizen 2013 is a one-day conference and exhibition for senior decision-makers of central and local government organisations, NGOs and major private sector enterprises.
25th Annual FIRST Conference (Bangkok, Thailand, Jun 16 - 21, 2013) The annual FIRST conference provides a setting for conference participants to attend a wide range of presentations delivered by leading experts in both the CSIRT field and from the global security community.