Several new vulnerabilities are discovered, including a new Mac OS X backdoor found in the wild, several zero-days in first-person shooter game engines, and an alleged Windows hole (this last the occasion of friction between Microsoft and Google).
An Indian security company denies involvement in Indian cyber espionage (pointing out that Norman Shark stopped short of attributing exploits to the company).
Following news that the China's PLA has resumed cyber espionage, and preceding high-level US-Chinese talks, yesterday's Blair-Huntsman report on IP theft prompts fresh discussion of Sino-American cyber tensions. Many observers note the report's suggestion that it's time to permit active defense, and several (Crowdstrike prominent among them) advocate very aggressive hacking back.
But the discussion is uncertain, because no one is really sure how to interpret cyber conflict. It's not quite war (at least not always), and many competing analogies suggest themselves: deterrence (fine perhaps against rational state actors, not so fine against hacktivists), law enforcement (as against bandits or drug lords), private war (as between medieval barons, or sanctioned with letters of marque and reprisal). No single framework seems to get it right, but the UK's Defence Academy offers its own attempt at clarity in a new study.
Worries about utilities' vulnerability to cyber attack increase, with some seeing evidence that Iran is targeting US infrastructure. Industrial control system security experts argue that their domain isn't just a special case of information security.
The US Intelligence Community turns to commercial tools. Also in the US, NIST releases a cloud security Reference Architecture.