The CyberWire Daily Briefing for 11.29.2012
The brief digital ceasefire in Gaza is over, as Israeli and Palestinian hackers again go after one another. The International Atomic Energy Agency breach is now attributed to Iran, or at least its sympathizers. Anonymous threatens Egyptian President Mohamed Morsy, whom it regards as harboring pharaonic ambitions.
A major DNS hack in Romania affecting large companies suggests a security breach in the .ro registry. New financial malware—"Shylock"—avoids reverse engineering by detecting virtual desktops used by researchers.
Two familiar issues—incautious use of email and failure to encrypt data—continue to account for most business cyber vulnerabilities.
Researchers demonstrate anonymous use of cloud-based browsers for big computing tasks (thereby showing a new method of launching large-scale cyber attacks).
The US worries about power grid vulnerability to cyber attack. IEEE wonders if a dumb grid wouldn't be tougher than the smart one wonks aspire to.
US cyber policy makers increasingly consider offensive operations essential to security. A former GCHQ and CESG head says the UK's cyber strategy is failing. US officials try to reassure defense contractors about the "fiscal cliff" and budget cuts, but financial markets look to cyber as a hedge against austerity.
Short of uncontacted rain-forest cultures to study, an anthropologist lives with San Francisco hackers for three years and reports on their tribal ways. US President Obama issues insider-threat policy (details remain secret). China prepares for a trade war with the US as its media charge Cisco with the security issues the US Congress has found in Huawei and ZTE.
Notes.
Today's issue includes events affecting Australia, Canada, China, Egypt, European Union, India, Iran, Ireland, Israel, New Zealand, Palestinian Territories, Romania, Singapore, Spain, United Kingdom, United Nations, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Despite Ceasefire, Israel-Gaza War Continues Online (Wired Danger Room) The shooting war between Israel and Hamas has stopped. But cyber attacks on Israeli and Palestinian websites have skyrocketed since last week's ceasefire in Gaza took hold
Anti-Israel hackers leak nuclear watchdog email addresses (The Register) The UN's International Atomic Energy Agency (IAEA) has admitted to suffering a data breach that leaked the email addresses of more than 150 people allegedly involved with Israel's nuclear weapons program. A hitherto-unknown hacker group calling itself Parastoo claimed responsibility for the breach in a statement released to Pastebin on Tuesday, saying, "You will be hearing game changing news from us frequently from now on." "Parastoo" is a Farsi word meaning "swallow" as in the bird and it's also a fairly common Persian girls' name. Both facts suggest Iranian involvement with the hack, although Iran is not specifically mentioned in the group's statement
Anonymous threaten Morsy with cyber warfare (Daily News Egypt) An online activist group has threatened President Mohamed Morsy with cyber warfare unless he responds to demands to withdraw his constitutional declaration. A video released on Tuesday showed a person wearing a Guy Fawkes mask while a computerised voice delivered a statement directed at Morsy. The group claimed: "not only will we attack your organisation's websites; Anonymous will also make sure that you stand exposed against your people as well as the international community"
Attackers hijack the [Romanian] domains of Google, Microsoft, Yahoo, others (CSO) The DNS records for the affected domain names were modified, suggesting a possible security breach at the .ro registry
DNS servers filled with wrong Kool-Aid, big names waylaid in Romania (The Register) A hacker today redirected web surfers looking for Yahoo, Microsoft or Google to a page showing a TV test card by apparently poisoning Google's public DNS system. Punters and organisations relying on Google's free service were affected, rather than the websites themselves being compromised. Visitors to yahoo
Financial Malware Detects Remote Desktop Environments To Evade Researchers (Dark Reading) 'Shylock' malware joins the list of malicious programs enhancing their defenses to avoid analysis by researchers. Like any other group of business people, cybercriminals want to protect their investments
Fake Windows 8 key generators lurk in the wild (Help Net Security) Users who are eager to try out the new Windows 8 but are not keen on buying it should be careful if searching for bootlegged copies or purported key generators online, Trend Micro warns
Malicious ads lead to fake browser updates (Help Net Security) Every now and then, malware peddlers employ the "Your browser is out of date, download the update here" approach to saddling inexperienced users with their malicious wares, StopMalvertising warns
India Latest to be Infected by Gamarue Malware: Trend Micro Report (CIO India) Simple measures like installation of foolproof software and using secure websites help in curtailing the menace of cyber threat. Just stop and think before you click on any links or attachments. Trend Micro Smart Protection already blocks the related
Hacker Posts Phone Numbers of Famous Football Players on Twitter (Softpedia) A hacker has managed to gain access to the phone numbers of several famous football players currently under contract with Spanish teams. According to Sport.ro, the personal phone numbers of Cristiano Ronaldo, Fabio Coentrao, Banega, Jordi Alba, Cristian Tello, Iker Casillas, Cesc Fàbregas, Gerard Pique, Pinto, David Navarro, Vicente del Bosque, and even the one of Real Madrid coach Jose Mourinho have been published on Twitter
Online Service Offers Bank Robbers for Hire (Krebs on Security) An online service boldly advertised in the cyber underground lets miscreants hire accomplices in several major U.S. cities to help empty bank accounts, steal tax refunds and intercept fraudulent purchases of high-dollar merchandise. The service, advertised on exclusive, Russian-language forums that cater to cybercrooks, claims to have willing and ready foot soldiers for hire in California, Florida, Illinois and New York. These associates are not mere money mules, unwitting and inexperienced Americans tricked and cajoled into laundering money after being hired for bogus work-at-home jobs
Researcher Owns Internal Network after Victim Opens Email (Threatpost) Security researcher Bogdan Calin found that he could remotely compromise the internal networks of users with default or weak router passwords merely by compelling them to open a legitimate looking email on their iPhone, iPad, or Mac
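The technique summarised above works because a mail client renders HTML and fetches the images in it automatically, so an `<img>` whose URL points at the router's LAN address with default credentials embedded in it becomes a request the router accepts. The following is an added example, not code from the researcher or from Threatpost: a small mail-gateway check that parses an HTML message and flags any auto-fetched reference whose host is a private, loopback or link-local address or which carries user:password in the URL. The sample message is constructed here for the example; the router paths and credentials in it are illustrative, not taken from the article.

```python
"""Flag HTML e-mail that would drive the recipient's mail client into a
LAN router's admin interface (router CSRF via auto-loaded images)."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that a rendering mail client fetches without a click.
AUTO_FETCH = {("img", "src"), ("iframe", "src"), ("script", "src"),
              ("link", "href"), ("input", "src"), ("video", "src"),
              ("audio", "src"), ("source", "src")}


class _RefCollector(HTMLParser):
    """Collect every URL the client would load while rendering the message."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) in AUTO_FETCH and value:
                self.refs.append(value)


def classify_ref(url):
    """Return the reasons (possibly none) a URL looks like a router-CSRF lure."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https", ""):
        return []                      # data:, cid:, mailto: etc. are not fetched from a host
    reasons = []
    if parts.username is not None or parts.password is not None:
        reasons.append("embedded credentials")   # http://admin:admin@host/...
    host = parts.hostname
    if host:
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            addr = None                # a DNS name, not a literal address
        if addr is not None and (addr.is_private or addr.is_loopback
                                 or addr.is_link_local):
            reasons.append("private address host")
    return reasons


def scan_html(html):
    """Return [(url, [reasons...]), ...] for every suspicious auto-fetched URL."""
    collector = _RefCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for ref in collector.refs:
        reasons = classify_ref(ref)
        if reasons:
            findings.append((ref, reasons))
    return findings


# Constructed sample message: one legitimate image, one tracking-pixel-sized
# image aimed at a router with default credentials, one hidden iframe.
SAMPLE_MESSAGE = """<html><body>
<p>Your parcel is ready for collection.</p>
<img src="https://cdn.example.net/logo.png" alt="logo">
<img src="http://admin:admin@192.168.1.1/apply.cgi?dns1=203.0.113.5" width="1" height="1">
<iframe src="http://10.0.0.1/setup.cgi" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for url, why in scan_html(SAMPLE_MESSAGE):
        print(url, "->", ", ".join(why))
```

The check is deliberately narrow: it only looks at references the client loads on its own, because a link the user must click is a different (phishing) problem. It complements, rather than replaces, the two controls that actually close the hole the article describes: changing the router's default password, and configuring mail clients not to load remote content automatically.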
91 percent of cyberattacks begin with spear phishing email (TechWorld) Some 91% of cyberattacks begin with a "spear phishing" email, according to research from security software firm Trend Micro. Spear phishing is an increasingly common form of phishing that makes use of information about a target to make attacks more specific and personal. These attacks may, for instance, refer to their targets by their specific name or job position, instead of using generic titles like in broader phishing campaigns
Business Professionals Ignoring E-Mail Security Risks (Channelemea) Business professionals will find it easier to meet increasing demands for secure communications with clients from today with the launch of a foolproof, simple and cost effective email encryption solution. Estimates are that around 144 billion emails are sent a day globally by 2.1 billion users and demands are growing for those handling sensitive information to take increased steps to ensure it does not fall into the wrong hands
Study Finds Unencrypted Payment Data On Business Networks Remains At 70 percent (Dark Reading) SecurityMetrics PANscan finds financial, hospitality, retail industries store most info. SecurityMetrics, a leading provider of payment data security and compliance solutions, today published its second annual Payment Card Threat Report revealing unencrypted PAN (Primary Account Number) storage remains alarmingly high. Virtually no change occurred between 2011 and 2012, with card data storage on corporate systems declining less than one quarter of a percent (.24%). The study exposed that greater than 10% of merchants store magnetic stripe track data, essential for the illegal reproduction of credit and debit cards. Financial, hospitality, and retail industries accounted for 55% of the total unencrypted payment card data storage among businesses tested
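The two findings the report counts, stored PANs and stored magnetic-stripe track data, are what a card-data discovery scan looks for. The following is an added example, not SecurityMetrics' PANscan or any code from the report: a scanner that pulls candidate card numbers out of text, validates them with the Luhn check so that timestamps and order numbers are not reported, and separately recognises track 1 and track 2 layouts. The log excerpt it runs over is constructed for the example, using the industry's published test card numbers rather than real ones.

```python
"""Discover stored primary account numbers (PANs) and magnetic-stripe
track data in text, the two things a PCI card-data scan must find."""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer digit run.
_PAN_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")
# Track 2: ';' PAN '=' YYMM service-code/discretionary '?'
_TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})\d*\?")
# Track 1: '%B' PAN '^' cardholder name '^' YYMM ...
_TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^(\d{4})")


def luhn_ok(digits):
    """Luhn mod-10 check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return Luhn-valid PANs (separators removed) in the order found."""
    found = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # Reject runs of one repeated digit, which pass Luhn trivially.
        if 13 <= len(digits) <= 19 and len(set(digits)) > 1 and luhn_ok(digits):
            found.append(digits)
    return found


def find_track_data(text):
    """Return (track, pan) pairs; track data may never be stored post-auth."""
    hits = [("track1", m.group(1)) for m in _TRACK1_RE.finditer(text)]
    hits += [("track2", m.group(1)) for m in _TRACK2_RE.finditer(text)]
    return [(kind, pan) for kind, pan in hits if luhn_ok(pan)]


def mask(pan):
    """First six and last four digits, the maximum PCI DSS allows to show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample: a debug log that leaked card data. 4111..., 5500...
# and 3782... are published test numbers; 1234567890123 fails Luhn.
SAMPLE_LOG = """
2012-11-28 10:02:11 order=88213 card=4111 1111 1111 1111 exp=12/15 amount=49.99
2012-11-28 10:02:19 invoice 1234567890123 shipped
2012-11-28 10:03:02 debug track=;5500000000000004=15121011234567890?
2012-11-28 10:04:40 ticket 378282246310005 refunded
"""

if __name__ == "__main__":
    for pan in find_pans(SAMPLE_LOG):
        print("PAN", mask(pan))
    for kind, pan in find_track_data(SAMPLE_LOG):
        print(kind.upper(), mask(pan))
```

Luhn alone still produces false positives on some long identifiers, so a production scan adds issuer prefix ranges and a confidence score; the opposite failure (missing data because it is split across fields or stored in a database BLOB) is why file scanning is complemented by querying the databases themselves. Track data is the more serious finding: PCI DSS forbids keeping it after authorisation in any form, encrypted or not, whereas a stored PAN is acceptable when rendered unreadable.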
Researchers Exploit Cloud Browsers to do Anonymous, Large-Scale Computing (Threatpost) Researchers from two U.S. universities have created a way to anonymously use cloud-based Web browsers to perform large-scale computing tasks - a feat that also demonstrates how hackers might secretly harness massive computing power to launch attacks
Damage from attack on power grid would surpass Sandy (CSO) The U.S. is in urgent need of a nationwide strategy to protect its highly vulnerable electric grid from succumbing to a cyberattack that could cause far more damage than Hurricane Sandy, a recent report said. Terrorists who gained access to any one of a number of key facilities, either through Internet-delivered malware designed to destroy control systems or through a saboteur on the inside, could black out large regions of the nation for weeks or months, the report from the National Research Council said
US Power Grid Vulnerable to Just About Everything (Oil Price) As Washington hunts ill-defined al-Qaeda groups in the Middle East and Africa, and concerns itself with Iran's eventual nuclear potential, it has a much more pressing problem at home: its energy grid is vulnerable to anyone with basic weapons and know-how. Forget about cyber warfare and highly organized terrorist attacks; a lack of basic physical security on the US power grid means that anyone with a gun--disgruntled Michigan Militia types, for instance--could do serious damage. For the past two months, the US Federal Energy Regulatory Commission (FERC) has been tasked with creating a security strategy for the electric grid and hydrocarbon facilities through its newly created Office of Energy Infrastructure Security
Dumb but Tough Grid (II) (IEEE Spectrum) Last week I suggested that in many places, having a grid that's dumb but really tough may be a higher priority than incorporating the latest in computing and communications. That post attracted a remarkable number of constructive comments, making the subject worth revisiting
Most Americans uninformed about DDoS attacks (Help Net Security) Whether motivated by an extreme form of free expression or criminal intent, distributed denial-of-service attacks (DDoS attacks) are increasingly commonplace worldwide. Yet there remains a universal
Poor BYOD strategy could result in enterprise data loss, warns ISF (Fierce Mobile IT) A poorly implemented BYOD strategy could result in accidental data disclosures due to a porous boundary between work and personal data, and as a result of more business information being held in an unprotected manner on consumer devices, warned the Information Security Forum.
Security Patches, Mitigations, and Software Updates
Microsoft Reportedly Planning OS X-Style Cheap, Annual Windows Updates (TechCrunch) Microsoft might be figuring out that the best way to get users to use its product isn't by charging an arm and a leg for updates and releasing them only once every few years. Redmond is reportedly switching to an approach like that taken by rival Apple, delivering inexpensive, annual updates that are less dramatic but which are designed to get all users on board a unified platform
McAfee releases extra DAT (Internet Storm Center) McAfee released an extra dat this morning. We've received a few emails relating to this, mainly because the formatting on some of the emails wasn't quite what people were expecting. As far as I can tell it is legit. I haven't found any evilness in the PDF linked to from the KB (at least there wasn't anything to find when I checked). The KB also has an updated stinger file to remove the worm from the machine
Cyber Trends
Channeling the 'offensive mind-set' in cybersecurity (Nextgov) To protect critical networks and national security, the House and Senate are weighing cyber defense legislation and the Obama administration is considering regulations requiring information sharing between government agencies and private businesses. But who should be in charge -- even inside the Pentagon -- remains a big question in all this dithering. The answer depends on how you look at cybersecurity: in terms of offense or defense, military or law enforcement.
UK cyber security - fragmented and failing (Computing) The UK's cyber security strategy was set out to protect national interests by building a trusted and resilient digital environment. But the strategy has been criticised since its inception for being "inadequate" and moving at a "glacial pace". This is despite the government announcing plans to invest £650m over a four-year period from 2010 on the programme
Business cyber security measures 'woefully inadequate' (BCS) The cyber security measures being taken by businesses are "woefully inadequate" according to a new report by antivirus specialist Kaspersky. Its research shows that only 25 per cent of IT specialists think their company is completely protected from cyber threats such as malware, spam and hacking. A further 57 per cent believe they are able to prevent most security threats before they become a problem, although 16 per cent admit to being more reactive and solving problems after they occur
Our Massively Dysfunctional Cyber System (infosec island) Recently I met with two seniors in the cyber community, both have access to the very top of their respective food chains. We talked for about 90 minutes, as a group. Altogether I spent 2 1/2 hours with the one gentleman
$25 tablets, $2 mobile data plans, and zero margins-how the internet is about to gain 3 billion new users (Quartz) Six billion cell phone subscriptions are spread across five billion of the earth's seven billion people, says Suneet Tuli, CEO of Datawind, maker of the world's cheapest tablet computer. Yet only two billion people are connected to the internet, which means three billion people have everything they need to connect to the internet--except a suitable device
10 Top Government Data Breaches Of 2012 (Dark Reading) SQL injection, post-phishing privilege escalation, and poorly secured back-up information all played their part in exposing sensitive government data stores this year. With federal and local government agencies suffering the brunt of Anonymous protests, targeted phishing attacks leading to privilege escalation, and highly effective SQL injection attacks granting wide-scale access to information, citizen privacy definitely took a hit in 2012
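SQL injection keeps appearing in breach lists like this one because it needs nothing more than a web form that splices user input into a query string. The following is an added example, not code from Dark Reading or from any of the breached agencies: a look-up over a constructed SQLite table written twice, once with string formatting (the injectable form) and once with a bound parameter, driven with the same two payloads so the difference in what each returns is visible. The table, column names and payloads are all illustrative.

```python
"""SQL injection: the same look-up written injectably and safely."""
import sqlite3


def make_db():
    """Constructed sample data standing in for a citizen-records table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citizens (id INTEGER PRIMARY KEY, name TEXT, ssn_last4 TEXT)")
    conn.executemany("INSERT INTO citizens (name, ssn_last4) VALUES (?, ?)",
                     [("alice", "1234"), ("bob", "5678"), ("carol", "9012")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Injectable: the caller's text becomes part of the SQL grammar."""
    query = "SELECT name, ssn_last4 FROM citizens WHERE name = '%s'" % name
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Hardened: a bound parameter is always treated as a value, never as SQL."""
    query = "SELECT name, ssn_last4 FROM citizens WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


# Tautology turns the WHERE clause true for every row; the UNION reads the
# schema catalogue, the usual first step before pulling other tables.
TAUTOLOGY = "' OR '1'='1"
SCHEMA_DUMP = "' UNION SELECT name, sql FROM sqlite_master --"

if __name__ == "__main__":
    db = make_db()
    for payload in ("alice", TAUTOLOGY, SCHEMA_DUMP):
        print("payload:", repr(payload))
        print("  vulnerable ->", lookup_vulnerable(db, payload))
        print("  safe       ->", lookup_safe(db, payload))
```

Parameterisation fixes the grammar problem; it does not limit what a query the application legitimately runs can reach, which is why the privilege-escalation breaches in the same list matter: a web application's database account should be able to read only the tables its pages need, so that an injection that does get through has less to dump.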
Privacy Commissioner labels 2012 the year of the data breach (CSO) Care for personal info like other assets, privacy commissioner Marie Shroff. A clutch of serious events, particularly to do with unintentional release of government-held information, have led privacy commissioner Marie Shroff to label 2012 "the year of the data breach", in her annual report released yesterday
Will Cloud Computing Become a Regulated Industry? (Backup Technology) Luckily, a study by the Cloud Security Alliance (CSA) and Information Systems Audit and Control Association (ISACA) lists changes to "government regulations...and international data privacy" as some of the top concerns of businesses when it comes to the
Unisys sees MDM, MAM convergence trend among customers (Fierce Mobile IT) Among its enterprise customers, Unisys is seeing a trend identified by a number of research firms recently: the convergence of mobile device management and mobile application management into unified mobile enterprise management services. "That is absolutely the trajectory we have been seeing in mobile services. With the growth of enterprise applications, enterprises want to ensure that they have continued supportability, testing, asset tracking and deployment. It has been moving very much toward mobile enterprise management services for the complete life cycle," Barton Hetrick, global product manager for end-user services at Unisys, told FierceMobileIT
BYOD: Why Mobile Device Management Isn't Enough (InformationWeek) Here's what to look for in MDM software and what limitations IT still faces in letting employees use personal devices for work
What GE's $15 Trillion Industrial Internet Needs (InformationWeek) GE makes the case that a more business-oriented 'Internet of things' will spur a productivity boom. Not so fast. Here's a stat sure to become PowerPoint porn in the months ahead: General Electric predicts that the "industrial Internet" could add $10 trillion to $15 trillion to the world economy in the next 20 years. Indeed, $15 trillion is a "wow, that's big" number sure to be dropped into many a presentation, but it's not the most important part of GE's major new report on its industrial Internet vision. The most important part is why GE would bother to calculate this projection and issue such a report. The reason -- beyond the marketing value -- is that GE needs a whole lot of help from other vendors, regulators, financiers and users of technology before this vision and its $15 trillion payoff can come true. This report looks like an attempt to rally an ecosystem
Marketplace
Defense Chiefs Say They Doubt A Fiscal Cliff Deal By End Of Year (Bloomberg Government) The heads of defense contractors Northrop Grumman Corp. and Exelis Inc. said they're not optimistic the federal government will reach a deal by the end of the year to avoid the so-called fiscal cliff
'Cliff' Talks Bogged Down Over Cost Of Retirement Programs (Washington Post) Negotiations to avert the year-end "fiscal cliff" advanced at a glacial pace Wednesday, with a dispute over how to tackle the soaring cost of federal retirement programs emerging as the latest roadblock to progress
Pentagon Vows To Better Align Profit With Performance (Bloomberg.com) The Pentagon wants to better align profits paid to defense contractors with improved performance, the military's top weapons buyer told an investors conference
Pentagon Says 'Lot Of Money' Still To Be Made In Arms Business (Reuters.com) The Pentagon's chief weapons buyer on Wednesday reassured industry executives and investors that there was still "a lot of money" to be made in the defense business, despite mounting budget pressures that will limit spending on new arms programs
Five priority areas for future U.S. homeland security focus (Help Net Security) On the heels of the tenth anniversary of the creation of the U.S. Department of Homeland Security (DHS), Booz Allen Hamilton outlined five priority areas for the next decade of homeland security
Internet Security Stocks To Consider As Cyber Attacks Escalate (Seeking Alpha) Cyber attacks, cyber crime and network threats are increasing in volume, intensity, and sophistication as 2013 approaches. Such attacks threaten our national security and do billions of dollars of damage to our economy. 2013 will usher a new set of cyber security challenges as our online economy and businesses continue to grow and broaden
Dell SecureWorks Positioned in the 'Leaders' Quadrant (4-traders) With thousands of customers worldwide, Dell SecureWorks monitors more than 30 billion cyber events daily, giving the security provider an unparalleled view
Japan's troubled Sharp is seeking investments from Dell, Intel and Qualcomm, say WSJ sources (Quartz) In fragile financial condition, Japanese electronics maker Sharp is in talks with Dell, Intel and Qualcomm to sell equity stakes or bonds in return for a supply of lower-power, higher-resolution display technology that holds promise for mobile devices, according to Wall Street Journal sources. Sharp is separately holding discussions with Taiwanese contract manufacturer Hon Hai Precision Industry about a similar equity deal
CACI Awarded Prime Position on Major Defense Intelligence Agency (MarketWatch) This contract gives CACI the opportunity to further expand its business in the critical area of intelligence analysis. According to John Mengucci,
TASC, Inc. Awarded Prime Contract Position on GSA's IT Schedule 70 (PR Newswire) The U.S. General Services Administration (GSA) has awarded TASC, Inc. an IT Schedule 70 contract. Through GSA's IT Schedule 70, federal agencies can acquire a range of general purpose information technology equipment, software and services. Considered the largest, most widely used federal government acquisition schedule, IT Schedule 70 is a multi-award indefinite delivery/indefinite quantity (IDIQ) vehicle
SAIC Awarded $149 Million Contract By United States Army (Daily Markets) Under the contract, SAIC will provide IT design, implementation and…the United States Army and intelligence community to provide reliable information
CGI Projects Help Clients Collect $2B in Taxes (Govconwire) Six states using CGI Group-provided (NYSE: GIB) collections and tax modernization projects have collected more than $2 billion in additional revenues, the company announced Tuesday. California, North Carolina, Virginia, Hawaii, Kansas and Missouri use the company's benefits-funding model, where CGI starts receiving payment when revenue is generated. The company has led more than 20 major
CSC Names Dana, Rolls-Royce Vet Doug Tracy CIO (Govconwire) Computer Sciences Corp. (NYSE: CSC) has appointed Doug Tracy chief information officer and given him responsibility for managing and transforming the company's worldwide information technology operations. The company said Tracy, formerly vice president and CIO at Dana Holding Corp., will also be responsible for aligning CSC's IT and business strategies and for driving innovation
General Dynamics Promotes 32-Year Vet Sandra Wheeler to Head C4 Systems Tactical Networks (Govconwire) General Dynamics (NYSE: GD) has promoted 32-year company veteran Sandra Wheeler to vice president of tactical networks in the C4 systems business unit, effective Jan. 1, the company announced Thursday
Foreword: Leading and lagging (Financial Times) This is the third year that the Financial Times has produced the US Innovative Lawyers special report. The report includes our unique rankings of law firms that are bringing fresh thinking and practices to solving business problems in America. This year we have had a particularly strong set of submissions to the rankings, from more than 60 law firms and nearly half that number of in-house legal teams across the US
Products, Services, and Solutions
Entrust Solves 3 Major SSL Compliance Challenges With Certificate Discovery Service (Dark Reading) Entrust Discovery includes automatic certificate chain validation email alerts
Desperately Seeking Developers: RIM Offers Appcelerator's 390,000 Titanium Devs Incentives To Port Apps To BlackBerry 10 (TechCrunch) BlackBerry 10 devices are still months away from being launched but RIM is ramping up the noise about its next gen platform. In its latest play, it's hoping to woo app-building platform Appcelerator's 390,000 Titanium cross-platform mobile app developers to port their apps to BlackBerry10 — offering a variety of incentives
The iPhone 5 Clears Its Final Regulatory Hurdle For Launch In China (TechCrunch) Things seem to be on track for the iPhone 5 to meet its December release timeline in Greater China, since the device has now received approval for the final piece in the regulatory puzzle required for it to go on sale. The Wall Street Journal reports that it has now obtained its "network access" license, and the notice mentions China Telecom by name, though not a version of the phone that would
See how well cloud apps are working for your peers (IT World) A new feature from Boundary is designed to give you insight into the app performance that your peers are getting on the same -- and different -- cloud service you use
Gmail integrates Google Drive to allow for 10GB attachments (IT Proportal) Isn't it annoying when you get an error on an email you tried to send because the attachment is too large? Good news Google just tweaked its Gmail service to allow you to email much bigger files. The web giant has announced that it is integrating its cloud storage service, Google Drive, into Gmail, in a move that will let users insert and send files up to 10GB
A look inside the world's cheapest tablet computer, India's $20 Aakash 2 (Quartz) Suneet Tuli, CEO of Datawind, maker of the world's least expensive functional 7-inch tablet computer, recently stopped by the offices of Quartz to show off the device. The Aakash 2, which we've covered at length, is the size of a Google Nexus 7 tablet and, surprisingly, almost as capable, despite costing just one fifth as much. (Datawind sells the tablets to the Indian government for around $40, and the government either gives them away or re-sells them to students for $20.)
Webroot adds anti-phishing to Web Security Service (Help Net Security) Webroot announced the integration of anti-phishing capabilities into the Webroot Web Security Service, a cloud-based security service. The challenges in the detection of phishing sites demand
Entrust solves SSL compliance challenges (Help Net Security) Finding, managing and analyzing SSL and other digital certificates can be time-consuming, complex and expensive. To help automate and simplify these tasks, Entrust introduces features for the Entrust
Android security and optimization app (Help Net Security) IObit released its Android security and optimization app - Advanced Mobile Care, designed for Android 2.2 and above. The app gives Android users a way to protect their smartphones
Jasper Wireless takes top spot in M2M vendor assessment (Fierce Mobile IT) Jasper Wireless is the top machine-to-machine connected device platform vendor, based on its global footprint, dominant market share and vertical-specific expertise, according to a new competitive assessment report by ABI Research
Is There A Case For Ditching Dropbox? (InformationWeek) Competing vendors who come at CIOs with a "more secure" file sync solution are missing the point. Accurate file sync across many devices, which used to be a heinously complicated process, is now essentially a commodity product. Dropbox and its cloud competitors have been so successful both at attracting customers and building developer ecosystems that people no longer wonder if they should use them, but why their IT organizations don't support them. The day of reckoning is here. User communities are now pushing their CIOs to offer or allow something other than the shared drives of yesterday. It's a huge opportunity for the file sync vendors -- if their strategy is something other than "catch up with Dropbox"
Technologies, Techniques, and Standards
Threats and Security Countermeasures (Dark Reading) "How do you secure a database?" I get that question a lot. After 15 years of people asking, my reaction is almost instinctual. "How do you secure Big Data environments?" is the new question people ask. The first time someone asked, my gut reaction was to consider what security features we have in relational systems, how they protect data and the database, and then show which facilities are missing from big data clusters
Good Practice Guide for Addressing Network and Information Security Aspects of Cybercrime (ENISA) In 2010 ENISA started its support for operational collaboration between the Computer Emergency Response Teams (CERTs) in the Member States on the one hand and Law Enforcing Agencies (LEA) on the other hand. Various activities have since been launched, including stock takings of legal and operational obstacles that prevent collaboration, advice resulting from that, workshops that brought together members of both communities, consultation with members of both communities, etc. It was soon realised that the process of building trust, tackling obstacles together, discussing and finally working together would need time and active, continuous support from ENISA, CERTs and LEAs, and that ENISA had just embarked on a long-term trip to achieve its goals. The document at hand constitutes a work in progress, a snapshot of the current status of ENISA's support for CERTs and LEAs, and includes good practice and recommendations for both communities
If we disable Java, what replaces it? (CSO) If we disable Java, what do we replace it with to ensure we can still get that functionality we've grown dependent on
The key to crypto? It's in the key (GCN.com) The Federal Information Processing Standards specify cryptographic algorithms approved for government use, but any cryptographic scheme is only as secure as the keys used to encrypt and decrypt information. The National Institute of Standards and
Virtualization Security: Protecting Virtualized Environments (Help Net Security) Virtualization changes the playing field when it comes to security. There are new attack vectors, new operational patterns and complexity, and changes in IT architecture and deployment life cycles
Design and Innovation
How Facebook's Top Engineer Is Trying to Read Your Mind (Wired Business) It's been a great year for the Facebook platform, but Mike Vernal wants more. Facebook's director of engineering tells us the social network is trying to pump up user posts, favoring longer stories and content and adding data that will
Research and Development
Geek Researcher Spends Three Years Living With Hackers (Wired) When you're starting off as an anthropologist, your aim is to explore a subculture your peers have yet to uncover, spending years living with the locals and learning their ways. That's what Gabriella Coleman did. She went to San Francisco and lived with the hackers
Understanding Cloud Failures (IEEE Spectrum) Working under the auspices of the Nanyang Technological University and the Cloud Security Alliance, both in Singapore, and the University of Waikato in New Zealand, we set out to categorize these problems. We studied 11,491 articles from 39 news
Academia
iSchool Campus Wants To Bring The Next-Gen Wired Classroom To K12 Education (TechCrunch) Technology is increasingly becoming a part of the classroom experience, particularly thanks to smart devices. Tablets and iPads offer students a more portable, engaging and interactive experience than many of the tools of old, and schools are catching on. The San Diego School District's recent purchase of 26,000 iPads is just one of many recent examples of districts and states pushing to deploy
Khan Academy Brings Its 3,500+ Educational Videos To The iPhone (TechCrunch) Whether or not one believes Khan Academy is helping to reinvent education, it's hard to dispute the fact that Khan (and now his team) are an educational video-producing machine, or that the platform continues to diversify. In part, that started with the release of its iPad app in March. This week, Khan Academy brought its 3,600 videos to the iPhone
Legislation, Policy, and Regulation
White House Issues Insider Threat Policy (Dark Reading) The White House has issued a national insider threat policy and standards to guide federal agencies in the prevention of unauthorized information disclosure. The policy itself, however, hasn't been publicly released. President Barack Obama notified the heads of federal agencies and departments of the new guidelines in a Nov. 21 memo. The policy and related "minimum standards" provide direction to federal programs aimed at deterring, detecting and responding to actions by employees who may pose a threat to national security, according to the memo. In addition to stifling information leaks, the policy seeks to prevent espionage and violent acts against the federal government
U.S. and Canada propose WCIT-12 plenary to limit changes (Fierce Government IT) The United States and Canada say in a joint Nov. 26 proposal sent to the International Telecommunication Union ahead of the planned treaty-writing conference set to meet starting Dec. 3 in Dubai for the revision of regulations controlling international telecommunications that the conference should agree at the onset to limit the scope of changes
Cyber Security: A U.S. Government Priority? (Midsize Insider) Cyber security is a priority for the U.S. Government, according to a new study conducted by Lockheed Martin and its Cyber Security Alliance partners. It found that 85 percent of federal technology leaders and decision makers consider it a matter of great importance. The research, featured recently in the Cloud Times, also noted that other priorities include mobile computing at 39 percent, cloud computing at 26 percent, and big data at 27 percent
Obama administration moves on cyber-security (Security Defence Agenda) The White House has been in talks with various private sector groups as part of the U.S. government's plans to craft an Executive Order that would implement parts of the failed Cybersecurity Act of 2012, which twice fell short of the required number of votes to be enacted. Many of the government-led meetings have been with the operators of power plants, water systems, key financial sector assets and other businesses, which would be directly affected by an Executive Order. Top technology innovators, including the Information Technology Industry Council, which represents companies like Apple and Google, had their own sessions, as did public-interest groups including the American Civil Liberties Union and the Center for Democracy and Technology
Navy's Information Dominance, Cyber leaders sign major strategy documents (DVIDS) In a brief signing ceremony in the Pentagon, Vice Adm. Kendall L. Card, deputy chief of naval operations for Information Dominance (N2/N6), and Vice Adm. Michael S. Rogers, commander, U.S. Fleet Cyber Command/U.S. Tenth Fleet, take turns
New DoD safeguards for autonomous systems exempt cyber (Fierce Government IT) New rules that the Defense Department issued Nov. 21 to prevent collateral damage from autonomous weapons don't apply to cyber systems. The directive, which exempts "cyberspace systems for cyberspace operations," covers autonomous and semi-autonomous weapon systems. The DoD defines the former as systems that can select and engage targets without human intervention, once activated, while the latter only engage targets that human operators have selected
VanRoekel: Open data policy to be published in early 2013 (Fierce Government IT) The Office of Management and Budget plans to release a governmentwide open data policy in early 2013. According to Federal Chief Information Officer Steven VanRoekel, the policy will be informed by open data initiatives now underway by the Presidential Innovation Fellows. VanRoekel said OMB will "learn from and build on" the fellows' work and by early 2013 it will have distilled takeaways from their efforts into a comprehensive policy for agencies and departments
Litigation, Investigation, and Law Enforcement
Small business point-of-sale systems hacked Subway-style in Australia (Ars Technica) Romanian hacking ring busted after ringing up $30 million in fraudulent charges
Chinese Media Accuse Cisco of Lax Security (Tech News World) China's state-run media could be in the early stages of a wave of attacks against U.S. telecommunications giant Cisco, according to Tech In Asia. A pair of Chinese media outlets -- China Economy and Informatization and the Caijing National Weekly -- singled out Cisco on the same day, calling for the company to be investigated. According to Tech In Asia, the accusations are (a) pretty light on substance, and (b) similar to those made by U.S. officials against Chinese telecommunications companies Huawei and ZTE last month
China Mafia-Style Hack Attack Drives California Firm to Brink (Bloomberg) During his civil lawsuit against the People's Republic of China, Brian Milburn says he never once saw one of the country's lawyers. He read no court documents from China's attorneys because they filed none. The voluminous case record at the U.S. District courthouse in Santa Ana contains a single communication from China: a curt letter to the U.S. State Department, urging that the suit be dismissed
S.C. Gov. Nikki Haley takes blame for state's data breach (Kansas City) South Carolina Gov. Nikki Haley on Wednesday for the first time accepted personal blame for a massive cyber-attack that stole the Social Security and bank account numbers of millions of South Carolinians, saying she should have done more to ensure the data's security. Haley briefed the state's congressional delegation on the almost two-months-long hacking into South Carolina Department of Revenue computer servers by digital thieves, who pilfered the tax returns of 3.8 million state residents and 700,000 businesses going back to 1998, gaining access to the Social Security numbers and bank accounts of the taxpayers
Revenue's cyber security job vacant for last year (VC Star) The state's tax collection agency operated without a computer security chief for nearly a year before a hacker stole millions of taxpayers' personal data - a breach that could have been prevented with a $25,000 purchase, according to testimony Wednesday before a Senate panel. The hacker could not have accessed the tax returns of 3.8 million individual filers and 700,000 businesses if the Revenue Department had required more than one password to log into the system remotely, said Marshall Heilman with Mandiant, the computer security firm hired to investigate what happened
Lawsuit possible in NASA laptop theft (Computer World) A group of current and former contractors at NASA's Jet Propulsion Laboratory (JPL) may file a lawsuit due to the possible exposure of personal information stored on an agency laptop stolen last month from a locked car, their lawyer said Wednesday. The laptop, stolen on Oct. 31, stored the personal data of some 10,000 NASA employees and contractors. Some members of the group were part of a lawsuit filed against NASA five years ago over what they claimed were overly intrusive background checks the agency was conducting in connection with a mandatory federal smart card credentialing program
How to report a computer crime: Trolling (Naked Security) Do you know how to report a computer crime? Or even who you would report it to? So far, we have looked at phishing and SQL injection attacks, unauthorised email account access and malware in our series of articles on how to report a computer crime
Facebook policy change questioned by Irish government (CSO) The Office of the Irish Data Protection Commissioner has asked Facebook to tweak its proposed policy changes
Apple takes fire from Alcatel-Lucent while reloading for Samsung fight (Fierce Mobile IT) The smartphone market is beginning to resemble the gunfight at the O.K. Corral. An Alcatel-Lucent unit began shooting this week at Apple (NASDAQ: AAPL) and LG Electronics over a patent infringement dispute, while Apple was reloading for its patent fight against Samsung, and Samsung was taking cover from Ericsson
Stop the smartphone patent war madness (Fierce Mobile IT) Is anyone thinking about the smartphone users these days? Judging by all of the patent lawsuits being filed, it would seem the entire industry is focused only on getting a piece of the lucrative smartphone pie
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
First Annual Maryland Digital Forensics Investigation Conference and Challenge Test your knowledge of digital forensics and cyber investigations. Academic teams of four students from Maryland high schools, community colleges and universities will compete for prizes in the Cyber Crime Case Challenge. Law enforcement officers, public officials and others interested in observing the challenge, attending exciting briefings and the DC3 Digital Forensics Tool Expo are cordially invited to attend. Businesses with an interest in digital forensics (and a lot of them should be) are of course also welcome. Speakers will include Senator Barbara Mikulski, Lieutenant General (Retired) Ken Minihan (NSA), Haden Land (Lockheed Martin), "Mo" Baginski (NSA & FBI), Brigadier General (Retired) Bernie Skoch (CyberPatriot). It promises to be an interesting and exciting event.
Digital Security Summit (Riyadh, Saudi Arabia, Dec 1 - 2, 2012) A major conference to discuss the growing threat to digital security in the Middle East, especially in Saudi Arabia.
Passwords^12 Passwords^12 is a 3-day conference only about passwords & PIN codes. With an "all-star" cast of speakers, including Joan Daemen (AES/SHA3), Jens Steube (alias "atom", hashcat author), Colin Percival (CSO FreeBSD, inventor of scrypt), Simon Marechal (John the Ripper co-developer), Frank Stajano (Cambridge) and many more, this will be the premier event for everything and anything related to password security. Passwords^12 is the first and only conference of its kind, bringing together academic institutions, researchers and security professionals from around the world. It's a not-for-profit and non-commercial conference. No sales personnel, no marketing managers and deep technical talks.
CompTIA Security+ Certification Boot Camp Training Program (Baltimore, Maryland, USA, Dec 3 - 6, 2012) For the cybergamut community, an opportunity to receive Computing Technology Industry Association certification.
tmforum Management World Americas (Orlando, Florida, USA, Dec 3 - 6, 2012) Management World Americas is the only conference covering end-to-end management of digital services and the challenges of running any service provider business. In addition to a full Cable Summit and Executive Roundtables, this year's new interactive conference covers the most critical challenges facing digital business today across five Forums.
Cybergamut Tech Tuesday: Sandboxing goes mainstream (Columbia, Maryland, Dec 4, 2012) An overview of sandboxing as a key security technology.
CIO Cloud Summit 2012 The CIO Cloud Summit will help C-level executives better understand the true capabilities of cloud computing and the transformational opportunities it can bring.
BayThreat (Sunnyvale, California, Dec 7 - 8, 2012) The theme for BayThreat is a new spin on the dichotomy of attacking and defending in information security. We're calling out all of the attackers and defenders that are on the front lines of the battle.
2012 European Community SCADA and Process Control Summit (Barcelona, Spain, Dec 10 - 11, 2012) The European SCADA Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. Along with government and research leaders, they are coming together to learn and discuss the principal cyber security risks to control systems and the most effective defenses.
SANS SEC 504 - Hacker Techniques, Exploits & Incident Handling (Linthicum Heights, Maryland, USA, Dec 10 - 14, 2012) Rescheduled after Hurricane Sandy, this SANS Institute program provides information on how to recognize and respond to hacking.
tmforum Big Data Analytics Summit (Amsterdam, Netherlands, Jan 29 - 30, 2012) Bringing together leading service providers, market analysts and all of the big names in Big Data, this forward-looking, education-packed two-day Summit combines keynote perspectives, case studies, debates, panels, interactive sessions and networking opportunities that maximize every participant's opportunity to network and generate ideas that can be implemented immediately.
#BSidesBOS (Cambridge, Massachusetts, USA, Feb 23, 2013) Each BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening.
TechMentor Orlando 2013 (Orlando, Florida, USA, Mar 4 - 8, 2013) Celebrating 15 years of educational events for the IT community, TechMentor is returning to Orlando, Florida, March 4-8, for 5 days of information-packed sessions and workshops. Surrounded by your fellow IT professionals, you will receive immediately usable education that will keep you relevant in the workforce. TechMentor track topics include: Windows PowerShell and Automation; Cisco and Networking Infrastructure; Windows Server Management; Windows Client Management; Cloud and Virtualization; Identity, Access Management and Security; Performance Tuning and Troubleshooting; Mobility and BYOD; Messaging and Collaboration.
e-Crime Congress 2013 (London, England, Mar 12 - 13, 2013) The e-Crime Congress is designed to meet the needs of key stakeholders and decision makers who are responsible for designing and coordinating information security and risk management strategy, safeguarding digital assets and sensitive information, protecting customers, defending against internal or external threats and responding to incidents.
The Future of Cyber Security 2013 (London, England, UK, Mar 21, 2013) Cyber Security and the Citizen 2013 is a one-day conference and exhibition for senior decision-makers of central and local government organisations, NGOs and major private sector enterprises.
Cloud Connect Silicon Valley (Santa Clara, California, USA, Apr 2 - 5, 2013) Cloud Connect returns to Silicon Valley, April 2-5, 2013, for four days of lectures, panels, tutorials and roundtable discussions on a comprehensive selection of cloud topics taught by leading industry experts.
InfoSec World Conference & Expo 2013 (Orlando, Florida, USA, Apr 15 - 17, 2013) With the primary objective of providing top-notch education to all levels of information security and IT auditing professionals, InfoSec World delivers practical sessions that give you the tools to strengthen your security without restricting your business.
25th Annual FIRST Conference (Bangkok, Thailand, Jun 16 - 21, 2013) The annual FIRST conference provides a setting for conference participants to attend a wide range of presentations delivered by leading experts in both the CSIRT field and from the global security community.