The CyberWire Daily Briefing for 11.9.2012
The zero-day PDF exploit Group-IB reported this week is said to defeat the sandbox in Adobe Reader X and XI. It's also priced at $50k on the black market, which analysts say puts it beyond the reach of anyone but wealthy nations and organizations. (Analysts are too optimistic: anyone who could afford, say, a Mustang GT500 or a Jazzercise franchise could buy the exploit.)
China watchers suspect Chinese state hackers of going after their Twitter accounts in advance of elections, but the password resets they received are probably unrelated: Twitter reset more passwords than there were compromised accounts. Verizon researchers point out that data are most vulnerable during processing: data at rest and data in transit can be readily encrypted, not so data being processed.
Post mortems of the recently disclosed Coca-Cola breach reveal how well-intentioned corporate communications enabled more effective phishing. (Observers also note that US Securities and Exchange Commission rules on breach disclosure leave too much room for interpretation to be effective.) Positive Technologies reports that Siemens control systems remain vulnerable to Stuxnet-like attack. Chevron reveals that Stuxnet also infected its systems.
Microsoft previews next week's Patch Tuesday: Windows 8 and Surface will both receive security updates. Apple patches nine critical flaws in QuickTime 7.7.3.
UNESCO warns that Internet censorship is rising. US Defense officials think Congress will avoid budget sequestration. Huawei says it's on the side of the angels, ready to help protect America against cyber espionage. Foxconn considers building manufacturing plants in the United States.
Canada and the US agree to cross-border cyber cooperation. Australia abandons plans for comprehensive Internet controls. The US punishes Iranian Web censorship with more sanctions.
Notes.
Today's issue includes events affecting Australia, Canada, China, European Union, India, Iran, Republic of Korea, Norway, Spain, United Kingdom, United Nations, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Zero-day PDF exploit reportedly defeats Adobe Reader sandbox protection (Computerworld) Cybercriminals are using a new PDF exploit that bypasses the sandbox security features in Adobe Reader X and XI, in order to install banking malware on computers, according to researchers from Russian security firm Group-IB
Video demonstration: New Adobe Reader zero-day exploit (Help Net Security) Russian based security company Group-IB announced a new zero day vulnerability in Adobe Reader 10 and 11. According to their research, the exploit bypasses Reader's sandbox
Adobe Reader 0-day exploit sold for $50,000 (Help Net Security) The good news is that the exploit costs $50,000 which limits the purchase of it to defense contractors, nation states and some criminal organizations that may be able to recoup the cost of purchase
Cyber War: China Hacks Into Twitter and Censors it Ahead of Chinese Election (PolicyMic) This isn't the first time that China has been caught up in a potential hacking scandal, however: in 2010, Google left the Chinese market because of a cyber-attack from within China that is believed to have targeted Chinese human rights activists
Red peril paranoia hits Twitter (The Register) China watchers put two and two together and made five yesterday after pointing fingers at Chinese state-sponsored hackers whom they suspected of trying to break into their Twitter accounts. Several high profile Tweeters from academia, media and elsewhere began suspecting foul play after having their passwords reset and receiving an email with the following message: "Twitter believes that your account may have been compromised by a website or service not associated with Twitter." Noting that fellow China watchers had reported similar experiences, several began to suspect the hand of the Chinese authorities
Twitter Resets More Passwords Than Accounts Hacked (Threatpost) An untold number of Twitter users Thursday received suspicious emails alerting them their passwords had been reset following a loosely defined, third-party hack. The emails are apparently legitimate, though they were sent to more than just the victims of compromised accounts
How hackers scrape RAM to circumvent encryption (ZDNet) Speaking at the company's media day forum in Singapore yesterday, Verizon Business Investigative Response managing principal Mark Goudie said that the various encryption standards today do a good job of protecting data that is at rest, such as data stored on a server or in transit across a network. But in many cases, data is left completely vulnerable during the processing stage. "It's hard to process encrypted data. If you want to process the data, you need it unencrypted
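The point Goudie makes is easy to demonstrate. The following is an added example, not code from the ZDNet article or from Verizon: a memory image is modelled as a byte string constructed inline, containing encrypted-looking noise plus a few values a payment process had just decrypted to work on them. The scraper logic is what RAM-scraping malware (and a forensic analyst) does: find digit runs of card-number length and keep only those that pass the Luhn check, which weeds out order numbers and timestamps. The card numbers are the well-known Visa, Mastercard and Amex test PANs, and the memory image, thresholds and function names are all assumptions made for the example. The last function shows the only real defence at this layer: shrink the time the plaintext lives in RAM by overwriting it as soon as processing is done.

```python
"""Added example: why data is exposed while being processed, and how a RAM
scraper finds card numbers (PANs) in a memory image.

Constructed inputs only: FAKE_MEMORY_IMAGE stands in for a process memory dump
(a real scraper would read /proc/<pid>/mem or call ReadProcessMemory); the PANs
are the public Visa/Mastercard/Amex test numbers.
"""
import re
from typing import List

# Constructed stand-in for a dump of a payment process: encrypted bytes mixed with
# values that were decrypted so the application could use them.
FAKE_MEMORY_IMAGE = (
    b"\x00\x17\x9a\xf2 TLS-record \x8b\x10\x33"              # still-encrypted bytes
    b"track2=;4111111111111111=2512101?"                   # decrypted Visa test PAN (track-2 layout)
    b"\x00\x00 order_id=10443 amount=19.95 "                # numbers that are not PANs
    b"cust_note: call 5555555555554444 re invoice"        # Mastercard test PAN in free text
    b" ref 1234567812345678 "                              # 16 digits but fails Luhn: not a PAN
    b"\xde\xad\xbe\xef pan=378282246310005 exp=0326"        # 15-digit Amex test PAN
    b"\x00" * 32
)

def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - 48
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# PAN candidates: 13 to 19 digits, not embedded in a longer digit run.
_PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")

def scrape_pans(image: bytes) -> List[str]:
    """The scraper: return every distinct Luhn-valid PAN found in a memory image."""
    found: List[str] = []
    for m in _PAN_RE.finditer(image):
        cand = m.group().decode("ascii")
        if luhn_valid(cand) and cand not in found:
            found.append(cand)
    return found

def process_and_scrub(record: bytearray) -> str:
    """Use a decrypted record (here: keep only the last four digits of its PAN),
    then overwrite the buffer so the plaintext is not left lying in RAM.
    bytearray is mutable, so the overwrite really zeroes the bytes; Python may
    still hold hidden copies, which is why this only narrows the window."""
    m = _PAN_RE.search(record)
    last4 = m.group()[-4:].decode("ascii") if m else ""
    record[:] = b"\x00" * len(record)
    return last4

if __name__ == "__main__":
    for pan in scrape_pans(FAKE_MEMORY_IMAGE):
        print("scraped:", pan[:6] + "*" * (len(pan) - 10) + pan[-4:])
    buf = bytearray(b"pan=4111111111111111 exp=2512")
    print("kept last4:", process_and_scrub(buf), "| scraped after scrub:", scrape_pans(bytes(buf)))
```

The scraper needs no key material and does not care how strong the at-rest or in-transit encryption was; it only needs to run while the plaintext exists. On a real host the controls that matter are the ones that keep untrusted code away from the payment process (least privilege, application allow-listing, memory-read monitoring) and the ones that shorten the plaintext's lifetime (tokenize or truncate immediately, scrub buffers, avoid logging the record).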
Researchers find vulnerability in Call of Duty: Modern Warfare 3 (CSO) Luigi Auriemma and Donato Ferrante of ReVuln also showed a vulnerability in the CryEngine 3 gaming platform
SEC Employees Take Unencrypted Work Computers to Black Hat Conference (Softpedia) Some employees of the US Securities and Exchange Commission (SEC) Trading and Markets Division have failed to encrypt their computers, despite the fact that they contain highly sensitive information. Furthermore, according to reports, they have even taken the devices to the Black Hat security conference. Reuters informs that the incident forced the agency to spend more than $200,000 (156,000 EUR) to find out if any of the data stored on the devices in question had been compromised
Analysis of a targeted cyber attack (TechRepublic) If you follow security news, you may have seen the report from Bloomberg this week about how Coca-Cola was hacked in 2009, in the middle of an acquisition deal, and never told anyone. The deal was fairly important, involving an attempted $2.4 billion acquisition of China Huiyuan Juice Group, which eventually fell through for unknown reasons
How hackers tricked Coca-Cola (Fierce CIO: TechWatch) Coca-Cola fell victim to a corporate data breach in 2009 after an executive opened an email with the subject line: "Save power is save money! (from CEO)" and then clicked on a link within, according to an investigation by Bloomberg News. While the subject of the email seems ridiculous from this distance, it didn't to the executive because the company was seeking ways to save on energy at the time, reports Bloomberg's Jordan Robertson.
State Department still vulnerable to WikiLeaks-style breach, say auditors (Fierce Government IT) The State Department has been vulnerable to another breach of diplomatic cables in the 2 years since WikiLeaks created an international incident by posting online hundreds of thousands of U.S. confidential assessments of foreign leaders and states
Siemens industrial software targeted by Stuxnet is still full of holes (IT World) Software made by Siemens and targeted by the Stuxnet malware is still full of other dangerous vulnerabilities, according to Russian researchers whose presentation at the Defcon security conference earlier this year was cancelled following a request from the company
Chevron says hit by Stuxnet virus in 2010 (Phys.Org) Oil giant Chevron was struck by the Stuxnet virus, a sophisticated cyber attack that tore through Iran's nuclear facilities and is believed to have been launched by the United States and Israel. A Chevron spokesman told AFP Thursday that the virus had
James Bond film 'Skyfall' inspired by Stuxnet virus (Fox News) "No smartphones. No exploding pens. No ejector seats. No rocket-powered submarines. It's a brave new world," gadget-maker Q tells James Bond in the new film "Skyfall." The new film, released on the 50th anniversary of the storied franchise, presents a gadget-free Bond fighting with both brains and brawn against a high-tech villain with computer prowess Bill Gates would be envious of. What inspired such a villain? "Stuxnet," producer Michael G. Wilson told FoxNews.com
Chris Soghoian on Exploit Sales (Threatpost) Dennis Fisher talks with Chris Soghoian, a principal technologist at the ACLU, about the developing market for buying and selling exploits and vulnerabilities. Soghoian has been a vocal critic of exploit sales and in this podcast he discusses the reasons why and why he thinks the policymakers in Washington need to get involved
Android malware continues to dominate the mobile threat landscape (Help Net Security) F-Secure recently released the latest version of their Mobile Threat Report which covers Q3 2012. This is the executive summary related to Android threats.
Companies Need Defenses Against Mobile Malware (Dark Reading) While infection rates -- at least in the United States -- remain low, cybercriminals are writing more malware for Android, Symbian and other platforms. At some point, they'll find the right recipe for profit
Symantec: Cyber crooks make millions off ransomware (CSO) Symantec released new research this morning highlighting what it calls a rapid expansion of ransomware scams throughout Western Europe, the United States and Canada. The research conservatively estimates that cybercriminals are extorting over $5 million
Security Patches, Mitigations, and Software Updates
Apple Fixes Critical Flaws in QuickTime 7.7.3 (Threatpost) Apple has fixed nine vulnerabilities in its QuickTime media player software, all of which can be used to execute arbitrary code on vulnerable machines. Several of the flaws are buffer overflows, and users who still run QuickTime should update it as soon as possible
Microsoft Security Bulletin Advance Notification for November 2012 (Microsoft) This is an advance notification of security bulletins that Microsoft is intending to release on November 13, 2012. This bulletin advance notification will be replaced with the November bulletin summary on November 13, 2012. For more information about the bulletin advance notification service, see Microsoft Security Bulletin Advance Notification
Cyber Trends
Restrictions to limit Internet access on the rise, warns UNESCO (Diplo News) The United Nations agency which deals with freedom of expression on the Internet today warned that restrictions directly limiting Internet access appear to be on the rise, and called on governments to implement policies that facilitate broadband connectivity instead of putting up barriers, particularly during political developments. "Knowledge and ideas today flow in volumes and at speed that we could not have imagined years ago, 'regardless of frontier' and at low cost," the Assistant Director-General for Communication of the UN Educational, Scientific and Cultural Organization (UNESCO), Janis Karklins, told participants at the Internet Governance Forum (IGF). "However, barriers to this flow still exist, and new ones continue to emerge
Social networking tops enterprise consumerization security concerns (Infosecurity Magazine) Privacy violations and data theft will be the top security issues organizations need to focus on in 2012, says anti-malware company Panda Security
Infographic: 'How companies track you on the Web' (Help Net Security) Veracode's new infographic illustrates how privacy transference has evolved into a major problem for consumers who willingly give information to businesses online, but do not expect it to be shared
QRishing Study: Curiosity Is the Largest Motivating Factor for Scanning QR Codes (Softpedia) Researchers from Carnegie Mellon University's CyLab have released the results of a study, "QRishing: The Susceptibility of Smartphone Users to QR Code Phishing Attacks," which focuses on phishing attacks that rely on QR (Quick Response) codes. QRishing is a term utilized for phishing attacks initiated via the scanning of QR codes. Such attacks are not new, but recently researchers have started examining them because they're becoming more and more common
Can you trust the cloud? (Help Net Security) Can an organization trust an IT service provided through the cloud? A survey by KuppingerCole showed that cloud security issues (84.4%) and cloud privacy and compliance issues (84.9%) are the major in
IT in the organization: four possible scenarios for the future (Help Net Security) The changing shape of IT is causing CIOs to question the role of IT in the organization. As businesses confront global economic uncertainty, changing market dynamics and cultural discontinuities create
70% of cloud data centers keep customers in the dark about storage locations (Infosecurity Magazine) As more companies turn to the cloud to provide redundancy and back-up services for mission-critical business functions, connectivity and applications, new research has revealed that a full 70% of cloud backup providers do not inform customers of where the data is being physically kept
The gutless wonder of big data (Fierce Big Data) Burson-Marsteller said in 2006 that 62 percent of CEOs rely heavily on gut feelings or intuition when making business decisions, especially when there is no clear direction to choose. If big data has its way, the gut feeling, women's intuition, hunches and other touchy-feely ways of decision making will go the way of the divining rod
Marketplace
Robert Shea: 6-Month Sequestration Delay Could Bring Bargain Deal (ExecutiveGov) Congress will likely delay sequestration cuts for six months, buying time to reach a compromise, a former White House budget director told Federal News Radio. Robert Shea, who was also a member of Republican challenger Mitt Romney's transition team, told the station the compromise will likely be a bargain instead of a grand bargain
Agencies putting cyber priorities first (Centerbeam) Mobile devices, cloud based services, big data and other technology trends have gotten a lot of attention over the past few years. However, a new government-wide study by The Lockheed Martin Cyber Security Alliance showed that federal agencies are still trying to put security first. Integration and management of these different technologies has become more difficult, and Rick Johnson, vice president and chief technology officer at Lockheed Martin Information Systems & Global Solutions, said this brings a twofold challenge for the government: adopting new technology and keeping up with security threats
IT supply chain central to new DoD instruction (Fierce Government IT) Defense Department Chief Information Officer Teri Takai must coordinate with department components to ensure trusted systems and networks, or TSN, concepts are properly implemented, according to DoD instruction issued Nov. 5. This requires the identification and protection of mission-critical functions and components into system engineering, acquisition, logistics and materiel readiness policies, says the document
Assuring State ISOs Have the Right Stuff - Getting Agency Information Security Officers Up to Snuff (Government Information Security) A California law requires each of some 120 state agencies to have an information security officer, but not every agency ISO is well-versed in IT security. Before the law took effect two years ago, about 60 percent of state agencies had ISOs; now they all do. But because of a dearth of trained information security professionals, and a lack of money in state coffers, many of the agencies designated other information technology specialists, including some chief information officers, to be their ISOs. "Some of them also were not IT classifications, so it kind of brought to light the fact that a lot of the ISOs did not have the skill sets or training to be ISOs," Keith Tresh, director of the California Office of Information Security and state chief information security officer, says in an interview with GovInfoSecurity
Huawei security chief says vendor supports U.S. cyberespionage defense (TechTarget) In remarks Thursday during a wide-ranging panel discussion on critical infrastructure protection, cyberespionage and the theft of intellectual property at the 2012 Cloud Security Alliance Congress, Purdy reaffirmed his company's commitment to
Norman AS Extends Cyber Security Awareness Month into November (MarketWatch) Despite the end of the official Cyber Security Awareness Month, Norman AS, the global leader in threat discovery
EMC India looks to expand big data analytics, cloud computing training (Fierce Big Data) EMC India has announced that it will offer new courses in data science, analytics and cloud computing to help the country address a growing demand in those fields
iPhone maker Foxconn hatching US factory expansion plan? (The Register) Foxconn, the employee-infuriating, child-employing, and brain-damaging manufacturer of kit for Apple, Amazon, Sony, Nintendo, and others, is exploring the possibility of building plants in the US - Detroit and Los Angeles, to be specific
Apple overtaken by Samsung for first time in smartphone market (Telegraph) Apple has been knocked off its throne as producer of the world's best-selling smartphone with Samsung's Galaxy S3 overtaking the iPhone 4S for the first time
EHR incentive program pays out more than $7 billion (Fierce Government IT) The electronic health record incentive program, which encourages practitioners to demonstrate meaningful use of EHRs through incentive payments, paid out approximately $7.4 billion from May 2011 to Sept. 30, 2012
FBI looks for mobile biometric capture software (Fierce Government IT) The FBI says it may be in the market for a software that would permit mobile devices to capture biometric data including fingerprints, iris prints and faces
Department of Defense Awards Apriva Contract For Secure VoIP Mobile (VendingMarketWatch) To foster cost savings and faster deployment of commercial technology for voice communications, DISA has adopted the National Security Agency's (NSA) initiative for Mobility Commercial Solutions for Classified (CSfC). This program focuses on using
Boeing Names Ralph Meoni Head of New Electronic Division, Shifts Exec Roles (Govconwire) Boeing (NYSE: BA) announced Wednesday it is rotating seven executive assignments within the defense, space and security segment, with all moves effective Jan. 1. The company said these rotations are part of a growth and affordability strategy started in 2010, which has led to $2.2 billion in savings, according to the release
AT&T to Invest $14B in LTE Network (Govconwire) AT&T will invest $14 billion over three years to expand its LTE network, as it looks to meet demand for new mobile, cloud computing and application services, the company announced Wednesday. "This is a major commitment to invest in 21st century communications infrastructure for the United States and bring high-speed Internet connectivity," said Randall Stephenson, AT&T's CEO
Onteco Corporation, ONTC, Closes Acquisition of Cyber Centers Worldwide Corporation (Sacramento Bee) Onteco Corporation (OTC.QB: "ONTC"), (the "Company", or "Onteco"), announced today that it had closed its acquisition via a share exchange agreement with Cyber Centers Worldwide Corporation, a privately-held Florida corporation
SAIC Pulls in $242M in Healthcare Contracts (Govconwire) SAIC (NYSE: SAI) has won several contracts this quarter totaling approximately $242 million from the government and commercial healthcare industry, the company announced today. "This has been an important quarter for our health solutions team, as we work to unify our commercial healthcare teams and leverage their skills across both the commercial and federal markets"
NJVC's Kevin Jackson Pens Book on Cloud Computing Economic Model (Govconwire) Kevin Jackson, vice president and general manager for cloud services at NJVC, has published a sequel to his 2001 book "GovCloud," where he outlines the characteristics of cloud computing and deployment and delivery models. In "GovCloud II: Implementation and Cloud Brokerage Services," NJVC says Jackson explains how the cloud economic model can help with mission
Trend Micro Reports Third Quarter Results (The Herald) Trend Micro Incorporated (TSE: 4704; TYO 4704), the global leader in cloud security, announced earnings results for the third quarter 2012, ending September 30, 2012. For the third quarter, Trend Micro posted consolidated net sales of 23,836 million Yen (or US $303 million, at 78.62 JPY = 1 USD). The company posted operating income of 6,108 million Yen (or US $77 million) and net income of 4,196 million Yen (or US $53 million) for the quarter
Air Force Information Assurance Team Recognized For Fast-Track Efforts (AOL Government) This is the last in a series of profiles featuring 2012 U.S. Government Information Security Leadership Award (GISLA) winners. The winners received the awards in October from (ISC)2 a nonprofit serving certified information security professionals and
Products, Services, and Solutions
Targeted Cyber Threat Intelligence Services Launched by Dell SecureWorks (DailyFinance) The Security Risk and Consulting (SRC) team of Dell SecureWorks is launching the new "Enterprise Brand Surveillance" and "Executive Threat Surveillance" services. These services are designed to identify targeted cyber threats from hacktivists
Secure View 3 recovers deleted data from Android phones (Help Net Security) Susteen's Secure View 3 digital forensics product is now able to recover deleted data from the large majority of Android phones. Law enforcement, military and government consultants can now retrieve
YubiKey NEO authentication token released (Help Net Security) Yubico announced the production launch of the YubiKey NEO, a new authentication token that features Near Field Communications (NFC) technology, asymmetric cryptography support and mobile security with
New batch of Trusted Computing Group certified products (Help Net Security) Trusted Computing Group has recently certified four products, including a Trusted Platform Module (TPM) and three products supporting the group's security automation protocol, IF-MAP. STMicroelect
New IronKey hardware-encrypted secure flash drives (Help Net Security) Imation Corp. announced the availability of two new IronKey hardware-encrypted rugged flash drives, the S250 and D250. The IronKey flash drives deliver powerful protection against data loss and are
Despite Windows 8 zero-day, vendors laud security of new Microsoft OS (TechTarget) Though its usability has received mixed reviews in the early going, security vendors are heralding Windows 8, Microsoft's new endpoint platform, as the safest operating system to date. The software giant debuted its new OS Oct. 26, designing Windows 8
5 security issues to watch in Win 8 (ZDNet) Luis Corrons, technical director of Panda Security's Panda Labs, agreed. To target the biggest number of users possible, hackers typically work on malware
10 Hot Enterprise Mobile Apps From Startups (InformationWeek) The soaring use of mobile devices in the enterprise has created a climate for innovation around mobile development, device management, security and productivity enhancement. Entrepreneurs are taking advantage of this climate to launch new products and companies for the B2B mobility market. Among this intrepid bunch, the following 10 companies are working on new and innovative ways to build a better enterprise mobile infrastructure
Skype In The Workspace: 3 Key Facts (InformationWeek) Microsoft's popular Skype videoconferencing service officially goes social with a professional network for SMBs. Here's what you need to know
Technologies, Techniques, and Standards
How To Detect Zero-Day Malware And Limit Its Impact (Dark Reading) An increasing percentage of malware has never been seen before. Here are some tips for stopping it…It was never easy to keep ahead of the cyber bad guys, but with the recent uptick in zero-day malware, things are only getting harder
Remote Diagnostics with PSR (Internet Storm Center) Have you ever been in this situation? Someone calls you for help and tries to explain their problem. They do such a poor job of explaining what they are seeing that you aren't even sure what OS they are using much less how to fix their problem. You wish you had some way of remotely seeing their desktop, but the user is incapable of following instructions required for you to remotely connect to and administer their machine. This is especially frustrating when you are in the identification or containment phase of an incident. Communications is an essential element of handling incidents effectively. When you are in a pinch, here is a new tool to add to your tool belt
Cloud Security Alliance Releases Security Guidance for Critical Areas (MarketWatch) The Cloud Security Alliance (CSA) today released version 1.0 of the "Security Guidance for Critical Areas of Mobile Computing" which provides an assessment of the current
New Risk Assessment Insights - How Healthcare Organizations Can Put NIST Advice to Use (Healthcare Infomation Security) Too many healthcare providers fail to conduct comprehensive, timely risk assessments, as required under HIPAA as well as the HITECH Act, says security consultant Kate Borten, president of The Marblehead Group. But updated risk assessment guidance from the National Institute of Standards and Technology provides useful insights that providers can put to use, she says. The HIPAA Security Rule, as well as the HITECH Act's electronic health record incentive program, require risk assessments
Could a cyber ecosystem automatically defend government networks? (Government Computer News) This is the first a three-part series on building a government cybersecurity ecosystem. Since its inception, the Internet has grown wild, which has spurred innovation, activity and information sharing, but has left security and standards unattended. The result is an online environment where outlaws can roam free
What to Do About DDoS Attacks - Security Experts Offer Banks Tips (Bank Information Security) Leaders at four security technology companies say the distributed-denial-of-service attacks that have hit 10 U.S. banks in recent weeks highlight the need for new approaches to preventing and responding to online outages. "Attackers have broadened their toolkits, and DDoS is not just a blunt instrument anymore," says Jason Malo, a fraud analyst at CEB TowerGroup and former DDoS-prevention expert for domain-name-system registry operator VeriSign. These experts advise banking institutions to: use appropriate technology, including cloud-based Web servers, which can handle overflow when high volumes of Web traffic strike; assess ongoing DDoS risks, such as through tests that mimic real-world attacks; implement online outage mitigation and response strategies before attacks hit; and train staff to recognize the signs of a DDoS attack
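"Recognize the signs of a DDoS attack" is easier when the signs are written down as detection logic. The following is an added example, not code from the Bank Information Security article or from the experts it quotes: a small detector run over web server access logs in common log format. It separates two shapes of attack the article's point about broadened toolkits alludes to: a single source flooding the site (volumetric, trivially rate-limited) and many sources each sending a modest number of requests to one expensive endpoint such as a login page (application-layer, which per-IP limits miss). The log lines are constructed inline, and the thresholds, the IP ranges and the function names are assumptions made for the example, not values from the article.

```python
"""Added example: DDoS signs as detection logic over access-log lines.

Constructed inputs only: sample_log() fabricates log lines in common log format
using documentation IP ranges; the thresholds are illustrative assumptions that a
real deployment would tune against its own baseline.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Set, Tuple

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Assumed thresholds (per minute); tune to the site's observed baseline.
SINGLE_SOURCE_RPM = 60      # one IP above this is a flood or an abusive client
DISTRIBUTED_SOURCES = 20    # more distinct IPs than this on one path ...
PATH_RPM = 100              # ... sending more than this many requests to it

Alert = Tuple[str, str, str, int]   # (kind, minute, ip-or-path, request count)

def parse(line: str) -> Optional[Tuple[str, str, str, int]]:
    """Return (ip, minute, path, status) for a common-log-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    minute = m.group("ts")[:17]      # "09/Nov/2012:10:15:02 -0500" -> "09/Nov/2012:10:15"
    return m.group("ip"), minute, m.group("path"), int(m.group("status"))

def detect(lines: List[str]) -> List[Alert]:
    """Flag single-source floods and distributed floods against one path."""
    per_ip: Counter = Counter()                                # (minute, ip) -> requests
    per_path: Counter = Counter()                              # (minute, path) -> requests
    per_path_ips: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                                           # unparseable lines are skipped, not fatal
        ip, minute, path, _status = rec
        per_ip[(minute, ip)] += 1
        per_path[(minute, path)] += 1
        per_path_ips[(minute, path)].add(ip)

    alerts: List[Alert] = []
    for (minute, ip), n in sorted(per_ip.items()):
        if n > SINGLE_SOURCE_RPM:
            alerts.append(("single-source", minute, ip, n))
    for (minute, path), n in sorted(per_path.items()):
        # Many sources, each below the per-IP limit, concentrating on one path
        if n > PATH_RPM and len(per_path_ips[(minute, path)]) > DISTRIBUTED_SOURCES:
            alerts.append(("distributed", minute, path, n))
    return alerts

def sample_log() -> List[str]:
    """Constructed access log: a quiet minute, a noisy scraper, then a login flood."""
    def entry(ip: str, minute: str, path: str, status: int) -> str:
        return f'{ip} - - [{minute}:00 -0500] "GET {path} HTTP/1.1" {status} 512'
    lines = [entry(f"192.0.2.{i + 1}", "09/Nov/2012:10:14", "/", 200) for i in range(5)]
    lines += [entry("198.51.100.7", "09/Nov/2012:10:15", "/accounts", 200) for _ in range(75)]
    for i in range(30):                                        # 30 sources x 5 requests each
        lines += [entry(f"203.0.113.{i + 1}", "09/Nov/2012:10:16", "/login", 503) for _ in range(5)]
    return lines

if __name__ == "__main__":
    for kind, minute, target, n in detect(sample_log()):
        print(f"{minute} {kind:14s} {target:16s} {n} requests")
```

The second rule is the one staff tend to miss by eye: thirty clients at five requests a minute each look normal per client, but 150 requests a minute at a password-verification endpoint is what takes the site down. In production the per-IP rule needs care behind NAT, CDNs and corporate proxies (use the forwarded client address, or exempt known egress points), and both thresholds should be set from a measured baseline rather than fixed numbers.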
Tackling the Top Mobile Risks - Strategies for Defending the Mobile Environment (Bank Information Security) The two greatest threats facing mobile banking today come from the risky behavior of mobile users, and their download of third-party applications. And while banks and credit unions have little control over users and third-party apps, mobile expert Tom Wills says institutions can take steps to mitigate their risks. Among his top recommendations: mobile transaction limits, enhanced authentication, device fingerprinting and fraud analytics
Tablets Cause Wi-Fi Stress: Truth And Fiction (InformationWeek) Don't fall for vendor scare tactics about an impending iPad-fueled WLAN-a-geddon
Research and Development
Does the Brain Work Logarithmically? (IEEE Spectrum) New research suggests it does, when it's the efficient way to process information
Cambridge big data center opens (Fierce Big Data) The Boston Globe said entrepreneurs in Massachusetts have raised $1 million to open a hack/reduce center in Cambridge today that will focus on big data research. The center will support 150 computer engineers and data scientists
Academia
Mozilla partners with UK charities to promote digital literacy for children (IT Proportal) Mozilla has partnered with charities Nesta and Nominet Trust to launch a programme that will aim to promote digital skills among children across the UK. The 225,000 Digital Makers fund and network will bring together organisations to support projects that target digital literacy for 4- to 18-year-olds, the foundation has announced. The initiative comes on the back of a YouGov study commissioned by Mozilla that found that most British children want to learn how to code
Big data has big potential for higher education, but is it ready? (Fierce Big Data) Citing the growth and success of enterprises of all sorts leveraging their stores of data to make better decisions and improve their businesses, Sean Devine wondered in the Huffington Post yesterday why higher education isn't doing the same
Legislation, Policy, and Regulation
Shareholders kept in the dark on data breaches (CSO) SEC has regulations, but there is plenty of room for interpretation
US imposes sanctions on Iran for Internet censorship (Ars Technica) Iran's Communications Minister and Culture Ministry are targeted, among others
Australia comes to its senses, abandons Internet filtering regime (Ars Technica) Canberra says it will use Interpol's "worst of" list to block child abuse sites
Improved capabilities needed to combat cyber-threats to national security, RCMP say (Vancouver Sun) Terrorists are ready to target Canadian IT networks with Internet-based attacks, the RCMP warned Thursday, adding the force needed to better its ability to combat this emerging threat. One area that requires improved capabilities is countering cyber-threats to national security, the Mounties wrote in the force's annual review. Terrorist groups have expressed interest in developing the capabilities for computer-based attacks against Canada's critical infrastructure
US, Canada announce cross-border action plan (SC Magazine) Public Safety Canada and the US Department of Homeland Security launched an action plan last month to back up a February 2011 border security partnership. The two agencies outlined three goals in the action plan: enhanced cyber incident management
Evolving security standards a challenge for cloud computing, expert says (Network World) The proposed EU data-privacy law will play a major role. Any enterprise looking to use cloud computing services will also be digging into what laws and regulations might hold in terms of security and privacy of data stored in the cloud. At the Cloud Security Alliance Congress in Orlando this week, discussion centered on two important regulatory frameworks now being put in place in Europe and the U.S.
Cyber Chief Alexander Issues Call For Action; Outlines Who Does What (AOL Government) Keith Alexander, commander of Cyber Command and director of the National Security Agency said, sketching them out in broad terms for an audience of security professionals yesterday at a symposium in Washington sponsored by Symantec
Security experts push back at 'Cyber Pearl Harbor' warning (PC World) The nation's top national security leaders have convinced President Obama and much of the leadership in Congress that the U.S. is at risk of a "Cyber Pearl Harbor" or "Digital 9/11" if it does not take drastic measures to improve both defensive and offensive cybersecurity capabilities against hostile nation states. The leaders, Defense (DoD) Secretary Leon Panetta and Homeland Security (DHS) Secretary Janet Napolitano, have not, however, convinced every expert in the cybersecurity community, and there is now some increasingly vocal push-back from some of them. Critics argue that not only is the threat of a catastrophic cyberattack greatly exaggerated, but that the best way to guard against the multiple risks they agree exist is not with better firewalls or offensive strikes against potential attackers, but to "build security in" to the control systems that run the nation's critical infrastructure
India, UK discuss defence, counter-terrorism (Zee News) Seeking to restore momentum to their bilateral ties, India and UK on Thursday discussed a wide range of issues, including defence and counter-terrorism while agreeing to hold bi-annual talks to tackle threats from cyber crime. External Affairs Minister Salman Khurshid and his British counterpart William Hague, who held comprehensive delegation- level talks here, also deliberated upon the security situation in the region, including Afghanistan and Pakistan. The two sides reviewed progress made to strengthen civil nuclear energy cooperation, both commercially and through their institutions
Does DHS understand bankers? (Fierce CIO: TechWatch) Before you decide what to think about the Department of Homeland Security's latest proposed scheme for information-sharing between the public and private sectors, take a look at Constantine von Hoffman's wry opinion of it at CIO magazine. Hoffman minces no words in skewering the government's "do as I say, not as I do" approach. Under a suggestion lofted by DHS in October, companies within a given vertical could band together to purchase infrastructure that would be shared as needed
DHS: We mainly monitor the social media of government officials (Fierce Government IT) The most common category of individual whose social media activity has been recently monitored by the Homeland Security Department is that of a senior U.S. or foreign government official, says a departmental review
Litigation, Investigation, and Law Enforcement
AT&T Breaching Net-Neutrality Rules Despite Lifting Some FaceTime Restrictions (Wired Threat Level) AT&T continues to breach net-neutrality regulations despite its Thursday announcement that it would begin offering Apple's Facetime service to more of its iPhone and iPad subscribers, digital rights groups said. The nation's second-largest carrier said Thursday it was expanding the
CFTC charges former Goldman trader over $118m loss (Finextra) A former Goldman Sachs trader has been charged by US regulators with bypassing internal systems to conceal an $8.3 billion position from the bank and defraud it of $118 million. According to the Commodity Futures Trading Commission (CFTC), in late 2007 Matthew Marshall Taylor, while trading a firm account, entered fake e-mini futures trades into the bank's manual trade entry system to conceal and misrepresent the size of his true position
Chinese Cyber Warfare: Has the US Found a Smoking Gun? (Minyanville) According to a leaked draft of the US-China Economic and Security Review Commission's annual report to Congress, obtained by Bloomberg News a week before its scheduled release, Chinese hackers are employing "increasingly advanced types of operations or operations against specialized targets." A US intelligence official interviewed by Bloomberg describes the Chinese as having been "relentless" in their efforts to "blind or disrupt" those targets, which include "deployed US military platforms," as well as "US intelligence and communications satellites, weapons targeting systems, and navigation computers." (Indeed, a report prepared for the Commission last March by Northrop Grumman (NYSE:NOC) determined that China could severely hamper the US military's ability to protect Taiwan in the event of a strike
Trinity Mirror demands hacking allegation details (BBC) Trinity Mirror newspapers has demanded alleged phone-hacking victims reveal their case, saying it has received no formal claim from their lawyers. Last month former England football boss Sven-Goran Eriksson and three others were said to be taking legal action. Shares in the group, which includes the Daily and Sunday Mirror and The People, fell following the news
Apple now owns the rectangle (The Inquirer) After years of speculation, the US Patent and Trademark Office on Wednesday actually issued a design patent to Apple for rectangular devices with rounded corners. It seems that Samsung's worst nightmare has come true, as the patent, D670,286 covers a "portable display device" and literally appears to give Apple the rights to a rectangle with rounded corners. In basic terms, this means Apple pretty much now owns the rights to the rectangle in the US
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
TechExpo Cyber Security Careers (Columbia, Maryland, Nov 1, 2012) Profit from presentations by leading industry figures and networking opportunities designed for serious job-seekers.
E2 Innovate Conference & Expo (Santa Clara, California, Nov 14 - 15, 2012) E2 Innovate, formerly Enterprise 2.0, brings strategic business professionals together with industry influencers and next-gen enterprise technologies.
Anatomy of an Attack (New York, New York, Nov 15, 2012) Join Sophos security experts in exploring how threats like malware, Trojans, worms and spyware actually work and what you can do to protect your company, even if you're on a tight budget.
ZeroNights (Moscow, Russia, Nov 19 - 20, 2012) ZeroNights is an international conference dedicated to the technical side of information security. The mission of the conference is to disseminate information about new attack methods, threats and defense tools. Another purpose is to create a communication venue for skilled professionals in the field of information security.
Digital Security Summit (Riyadh, Saudi Arabia, Dec 1 - 2, 2012) A major conference to discuss the growing threat to digital security in the Middle East, especially in Saudi Arabia.
Passwords^12 (location and date not listed) Passwords^12 is a 3-day conference only about passwords & PIN codes. With an "all-star" cast of speakers, including Joan Daemen (AES/SHA3), Jens Steube (alias "atom", hashcat author), Colin Percival (CSO FreeBSD, inventor of scrypt), Simon Marechal (John the Ripper co-developer), Frank Stajano (Cambridge) and many more, this will be the premier event for everything and anything related to password security. Passwords^12 is the first and only conference of its kind, bringing together academic institutions, researchers and security professionals from around the world. It's a not-for-profit and non-commercial conference. No sales personnel, no marketing managers and deep technical talks.
CIO Cloud Summit 2012 (location and date not listed) The CIO Cloud Summit will help C-level executives better understand the true capabilities of cloud computing and the transformational opportunities it can bring.
BayThreat (Sunnyvale, California, Dec 7 - 8, 2012) The theme for BayThreat is a new spin on the dichotomy of attacking and defending in information security. We're calling out all of the attackers and defenders that are on the front lines of the battle.
e-Crime Congress 2013 (London, England, Mar 12 - 13, 2013) The e-Crime Congress is designed to meet the needs of key stakeholders and decision makers who are responsible for designing and coordinating information security and risk management strategy, safeguarding digital assets and sensitive information, protecting customers, defending against internal or external threats and responding to incidents.
The Future of Cyber Security 2013 (London, England, UK, Mar 21, 2013) Cyber Security and the Citizen 2013 is a one-day conference and exhibition for senior decision-makers of central and local government organisations, NGOs and major private sector enterprises.
25th Annual FIRST Conference (Bangkok, Thailand, Jun 16 - 21, 2013) The annual FIRST conference provides a setting for conference participants to attend a wide range of presentations delivered by leading experts in both the CSIRT field and from the global security community.