
The CyberWire Daily Briefing for 6.7.2013
Reports in the Guardian that the US National Security Agency (NSA) is receiving Verizon phone records under warrant are followed by new surveillance revelations.
Late yesterday US Director of National Intelligence James Clapper confirmed the existence of PRISM, an electronic surveillance program conducted under the Foreign Intelligence Surveillance Act. After paying tribute to the value of the information collected, Clapper offered reassurance: "[PRISM] cannot be used to intentionally target any U.S. citizen, any other U.S. person, or anyone located within the United States." Big data connoisseurs think "intentionally" mitigates the reassurance, but Clapper insists PRISM and the Intelligence Community fully respect civil liberties.
The Washington Post reports that NSA has access to servers at Google, Apple, Facebook, Dropbox, Microsoft, Yahoo, Paltalk, and AOL. All but the last two deny cooperating with the agency. (Paltalk and AOL haven't commented.) Notably absent from the list is Twitter, consistent with that company's stiff-necked reputation with respect to privacy.
Observers note such electronic surveillance is very widespread globally.
Allegations of pervasive US Internet surveillance have two immediate international implications. First, they render the position of US tech companies in overseas markets difficult—analysts watch for customers bailing to escape NSA's alleged net. Second, they embarrass President Obama before his summit: Chinese spokesmen note PRISM confirms longstanding accusations of American cyber espionage. (Nonetheless, Congress continues advancing legislation against Chinese cyber operations.)
Elsewhere in the world, Britain tries to disentangle itself from Huawei, and Europe prepares to scratch its chronic dirigiste itch by revisiting net neutrality.
Notes.
Today's issue includes events affecting Australia, Bahrain, Belgium, China, European Union, Luxembourg, Netherlands, Russia, United Kingdom, United Nations, and United States.
Cyber Attacks, Threats, and Vulnerabilities
National Security Agency reportedly has total access to servers of nine major tech firms (ITProPortal) Should you think twice about posting that photo to Facebook? According to a new report from The Washington Post, the National Security Agency (NSA) is tapping directly into the servers of nine US Internet firms, including the popular social network
Google, Facebook, Microsoft, others allegedly allow the US government to "watch your ideas form as you type" (Quartz) The Washington Post is reporting that a "horrified" career intelligence officer has provided slides detailing a secret US government spying program in which the US National Security Agency (NSA) and the FBI allegedly have direct access to the servers of Microsoft, Yahoo, Google, Facebook, AOL, Skype, YouTube and Apple. (Update: NBC says it has confirmed PRISM's existence with anonymous sources, but "a government official says it is a data collection program rather than a data mining program." Which may be so, though if one collects data, one can always mine it afterwards at one's leisure.) Here are the alleged details, as reported so far by the Post and the Guardian
U.S. Government: Reports About PRISM Contain "Numerous Inaccuracies" (TechCrunch) After the flurry of reports about the NSA's alleged PRISM surveillance program earlier today, the U.S.'s Director of National Intelligence James R. Clapper just released an official statement. According to Clapper, "The Guardian and The Washington Post articles refer to a collection of communications pursuant to Section 702 of the Foreign Intelligence Surveillance Act. They contain numerous
Google, Facebook, Dropbox, Yahoo, Microsoft And Apple Deny Participation In NSA PRISM Surveillance Program (TechCrunch) The Washington Post today reported that Google, Apple, Facebook, Dropbox, Microsoft, Paltalk, AOL (TechCrunch's parent company) and Yahoo participated in the so-called PRISM program which provided the NSA with what looks like virtually direct access to their servers and their users' data. We have now reached out to all of these companies and so far, Facebook, Google and Apple have denied that they
Apple to Yahoo Deny Providing Direct Access to Spy Agency (Bloomberg) U.S. technology providers from Apple Inc. (AAPL) to Yahoo! Inc. (YHOO) said they don't give the U.S. government direct access to their systems, responding to newspaper reports of a top-secret electronic surveillance program
Twitter boosts its privacy cred with its absence from the NSA's surveillance program (Quartz) The list of technology companies allegedly participating in a vast US government surveillance program known as PRISM, which was just reported by the Washington Post and Guardian, is notable for one name that's not on it: Twitter
U.S. Says It Gathers Online Data Abroad (New York Times) The federal government has been secretly collecting information on foreigners overseas for nearly six years from the nation's largest Internet companies like Google, Facebook and, most recently, Apple, in search of national security threats, the director of national intelligence confirmed Thursday night
PRISM is bigger than anything that came before it--but no-one knows how much bigger (Quartz) The mystery surrounding how much domestic spying the US government has been conducting on its own citizens will only intensify in the coming days, as a growing number of the nine major internet companies linked to an alleged top-secret data-mining program deny they had anything to do with it
NSA 'top secret' spying order affects millions of Americans: FAQ (ZDNet) The U.S. government is vacuuming up millions of Verizon customer records on a daily basis, according to a leaked "top secret" court order. Here's everything you need to know. The Guardian newspaper revealed exclusively on Wednesday that the U.S. National Security Agency (NSA) has vacuumed up, and continues to vacuum up, millions of Verizon customer details, including information on phone calls both within the U.S. and between the U.S. and other countries
How total could US government surveillance be? (Quartz) Amid revelations (confirmed) that the US National Security Agency has been collecting basic data on most of the phone calls made in the US, and new claims (so far strenuously denied) that it can directly pull users' information from most of the biggest online firms, one inevitably wonders what else it might be monitoring
Panopticon at Fort Meade (National Review) Late Wednesday night, the website of the British broadsheet The Guardian broke the news that the National Security Agency (NSA) has been monitoring the phone activity of millions of Verizon cell-phone customers. Under a warrant approved by a Foreign
The NSA whistleblower who guessed exactly what was going on, six months ago (Quartz) Last December in an interview with Russia Today (video above), former NSA crypto-mathematician William Binney disclosed the extent to which he believed the US government was not only capable of, but actively engages in spying on internet data and web activity across the country. Binney said that the FBI has access to the emails of everyone in the US, holds a target list and monitors every email to and from those contained on the list
Always Outmanned, Always Outgunned (Threatpost) We were warned. Over and over again. Not just by privacy advocates and by security experts and by civil liberties organizations and by the guy on the corner in the tin foil hat shouting about the government intercepting his brain waves. We were warned by some of the very people charged with overseeing the administration's efforts to expand its domestic intelligence gathering capabilities. We were warned by politicians
The NetTraveler (AKA 'TravNet') (Securelist) This report describes multiple cyber-espionage campaigns that have successfully compromised more than 350 high profile victims in 40 countries. The focus of the paper is to describe NetTraveler, which is the main tool used by the threat actors during these attacks
#OpTurkey: Anonymous Hacks Fox Entertainment Turkey & Vodasoft, Leaks account (Hack Read) Just an hour ago a well known Anonymous hacker going with the handle of @AnonsTurkey on Twitter has hacked into the official websites of Fox Entertainment Turkey (fox.com.tr) and a Turkish based call center VodaSoft (vodasoft.com.tr). @AnonsTurkey who is very active these days for #OpTurkey, managed to breach the servers of both websites, ending up with leaking confidential information
Supposed zero-day exploit for Plesk (The H) The hacker known as KingCope has taken to the security mailing list Full Disclosure to publish what seems to be a zero-day exploit for Plesk, the hosting software package made by Parallels. KingCope says that the exploit uses specially prepared HTTP
Plesk 0-day: Real or not? (Internet Storm Center) Yesterday, a poster to the full disclosure mailing list described a possible new 0-day vulnerability against Plesk. Contributing to the vulnerability is a very odd configuration choice to expose "/usr/bin" via a ScriptAlias, making executables inside the directory reachable via URLs
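The configuration flaw the Storm Center diary singles out is worth checking for on any Apache host, whether or not Plesk is installed: a ScriptAlias whose filesystem target is a system binary directory turns every program in that directory into a CGI handler reachable by URL. The audit below is an added example written for this briefing, not code from the ISC diary or from Parallels; the sample configuration it scans is constructed, and the /scripts/ and /tools/ prefixes in it are invented for illustration.

```python
"""Audit Apache ScriptAlias directives for targets inside system binary dirs.

Added example, not part of the ISC diary or of Plesk. The weak pattern it
detects is the one the diary describes: a ScriptAlias that exposes /usr/bin
(or another directory of system executables) through the web server.
"""
import posixpath
import re

# Directories whose contents should never be served as CGI scripts.
SYSTEM_BIN_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin",
                   "/usr/local/bin", "/usr/local/sbin")

# ScriptAlias / ScriptAliasMatch take a URL path and a filesystem path;
# either argument may be double-quoted in httpd.conf.
_SCRIPTALIAS_RE = re.compile(
    r'^\s*ScriptAlias(?:Match)?\s+("[^"]*"|\S+)\s+("[^"]*"|\S+)',
    re.IGNORECASE | re.MULTILINE,
)

# Constructed sample configuration (hypothetical prefixes, not a real Plesk file).
SAMPLE_CONFIG = """\
# constructed sample, not a real Plesk configuration
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
ScriptAlias /scripts/ "/usr/bin/"
ScriptAliasMatch ^/tools/(.*) /usr/local/bin/$1
"""


def _unquote(token):
    """Strip one pair of surrounding double quotes, if present."""
    if len(token) >= 2 and token[0] == token[-1] == '"':
        return token[1:-1]
    return token


def find_exposed_bin_dirs(config_text, bin_dirs=SYSTEM_BIN_DIRS):
    """Return (url_prefix, fs_path) pairs whose target is, or lies inside,
    a system binary directory. fs_path is normalised (trailing slash dropped)
    so that "/usr/bin/" and "/usr/bin" compare equal."""
    findings = []
    for match in _SCRIPTALIAS_RE.finditer(config_text):
        url_prefix = _unquote(match.group(1))
        fs_path = posixpath.normpath(_unquote(match.group(2)))
        for bin_dir in bin_dirs:
            # Exact match or a path strictly below the directory; the
            # trailing "/" keeps "/usr/binx" from matching "/usr/bin".
            if fs_path == bin_dir or fs_path.startswith(bin_dir + "/"):
                findings.append((url_prefix, fs_path))
                break
    return findings


if __name__ == "__main__":
    for url_prefix, fs_path in find_exposed_bin_dirs(SAMPLE_CONFIG):
        print(f"ScriptAlias {url_prefix} -> {fs_path}: every executable "
              f"in that directory is reachable by URL")
```

Run it over the concatenated server configuration (httpd.conf plus anything it Includes); the check is purely static, so a directive hidden behind an unusual Include path or generated at runtime will not be seen, and a clean result does not by itself rule out the exploit the diary discusses.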
Microsoft Cyber-Fraud Sting Reveals Resistant Malware Strain (American Banker) An analysis of Microsoft's (MSFT) takedown of a cyber fraud ring that stole hundreds of millions of dollars from bank accounts brings to light the growing sophistication of malware and keylogger makers, who mostly manage to stay a step ahead of antivirus software designers and corporate security officers
Zeus Bank Malware Surges On Facebook (InformationWeek) Old threat makes a comeback, targeting Facebook users' bank credentials and more
The most sophisticated Android Trojan (SecureList) Recently, an Android application came to us for analysis. At a glance, we knew this one was special. All strings in the DEX file were encrypted, and the code was obfuscated
DoS-in Your Database (Dark Reading) When I started writing SQL, I was never worried about security; I was worried that I would write a bad query that would crash the database. And it was really easy to write SQL that would consume 100 percent of the CPU power or cause disk drives to bottleneck. Queries with outer-joins, cartesian products, and complex comparison operations coupled with full tables scans could pretty much kill any database
Smart TVs vulnerable to a host of attacks (Help Net Security) Smart (connected) TVs are becoming a common fixture in Western world homes, and most users consider it a handy tool and an improvement over the basic television sets of yesterday. But most of them are
Sale of state databases puts patient info at risk (FierceHealthIT) Hospital data compiled by states and sold to researchers, marketers and others could be used to identify patients when combined with other publicly available information, according to a recently published investigation by Bloomberg. The year-long investigation found that public health databases can be paired with news stories and other information to identify patients
Hacked Origin, Uplay, Hulu Plus, Netflix, Spotify, Skype, Twitter, Instagram, Tumblr, Freelancer accounts offered for sale (Webroot Threat Blog) Aiming to capitalize on the multi-billion gaming market, cybercriminals actively data mine their botnets for accounting credentials, not just for popular gaming platforms, but also the actual activation keys for some of the most popular games on the market
Fake Mt. Gox pages aim to infect Bitcoin users (Help Net Security) Mt. Gox is the largest Bitcoin exchange in the world, and as such it and its users are being repeatedly targeted by attackers. Some two months ago, it battled a massive DDoS attack that was
U.S. Veterans Affairs Dept. repeatedly targeted by foreign hackers (Help Net Security) Conflicting claims were heard at Tuesday's hearing of the House Veterans' Affairs oversight and investigations subcommittee, leaving open the question on whether the Veterans Affairs Department has
UMass Amherst Admits Security Breach (eSecurity Planet) 1,670 patients' protected health information may have been accessed
Cyber attack strikes Raley's grocery chain (SFBay) A major Northern California grocery store chain is urging customers to check their credit card and bank statements after the chain's computers appeared to have been hit in a cyber attack. Officials at Raley's said Thursday a portion of the grocer's
Security Patches, Mitigations, and Software Updates
Microsoft to release five bulletins next week (Help Net Security) Microsoft released advance notification for next week's Microsoft patch and it looks like we're getting only five bulletins. We received several comments on what we can expect on Tuesday
Cyber Trends
Democracy, autocracy, or people's republic: your information is fair game for everyone (Quartz) A headline in this morning's Financial Times informed us that "UK fears grow over China's potential to eavesdrop," in reference to yesterday's release of a British intelligence committee report into the security risk posed by Huawei, the giant Chinese telecoms firm that is now deeply embedded in Britain's telecoms infrastructure. China is a great bogeyman. Surely those of us who live in modern democracies could never trust those secretive communists who spy on their own people and censor candle emoticons. But what China does quite openly, Western governments do through secret yet "entirely legal" programs, as recent bombshells about surveillance by the US National Security Agency have shown. And it isn't just America that is unable to resist snooping. Everyone is at it
Secrecy hampers battle for web (Financial Times) There is an economy you will not find measured in the pages of the FT. It is a place where goods are traded and alliances formed. Margins are high and business is good - there is no tax, no regulation, no crisis nor recession. Growth is assured. It is here that cyber criminals, terrorists and even some governments ply their trade. It is a marketplace where anything from credit card details to an attack on critical infrastructure can be bought and sold
It's not just the US--most countries are spying more on their citizens these days (Quartz) The revelation that the US National Security Agency seems to be collecting the phone records of millions of Verizon customers is shocking, but it's actually part of a growing trend in which governments worldwide are relying on widespread, unrestricted surveillance in the name of national security
Help Needed Desperately For Device Management Says Research (ChannelBiz) A Check Point commissioned report shows companies struggling with mobile device issues
FireEye Announces Australian Cybersecurity Findings (PRWire) FireEye®, Inc., the leader in stopping today's new breed of cyber attacks, has announced findings from a comprehensive survey of the state of Australia's cybersecurity as seen by executives and technical staff across a range of organisations
Most small businesses can't restore all data after a cyber attack (Help Net Security) Almost one-third of U.S. small businesses surveyed by the Ponemon Institute had a cyber attack in the previous year, and nearly three-quarters of those businesses were not able to fully restore their
Publishing the Secunia Country Reports with the State of Private PC Security in the Benelux (NewsWireToday) Secunia, a leading provider of IT security solutions that enable businesses and private individuals to manage and control vulnerability threats, today published the Secunia Country Report for the Netherlands, Belgium and Luxembourg
Marketplace
Will users outside the US disconnect their Google, Facebook, Yahoo, AOL, Microsoft and Apple accounts now? (Quartz) If the Guardian and Washington Post are correct, the US government has direct access to the servers of Google, Facebook, Yahoo, AOL, Skype and Apple, and is pulling data from them which is then filtered for "foreignness." It's a program allegedly designed to look for terrorists who are using these services, but because of the nature of the wide net being cast, it's very likely that it's turning up orders of magnitude more false positives than real terrorists
USAF adding more cyberexperts (UPI) At the end of April, Air Forces Cyber, a component of the U.S. Cyber Command, opened a 46,000-square-foot headquarters and operations center for plans and operations capabilities and coordination with integrated personnel from law enforcement, the
NSA Building $860 Million Data Center in Maryland (Data Center Knowledge) The construction at Fort Meade will see investment of $400 million in fiscal 2013 and $431 million in fiscal 2014. Up to 6,000 workers will be involved in the construction and development phase, the NSA said. Scheduled for completion in 2016, the
Sourcefire, Inc. (FIRE), Symantec Corporation (SYMC): Finding Strength in Security (Motley Fool) As society becomes increasingly tied to the cyber world, threats of cyber attacks and the importance of cyber security becomes all the more important. Today, everything vital to our lives takes place in some form online, a trend that is only expected to continue into the future
Larry Prior Named CSC Defense, Intell Group VP and GM (GovConWire) Larry Prior, former chief operating officer at BAE Systems Inc., has joined Computer Sciences Corp. (NYSE: CSC) as vice president and general manager of the defense and intelligence group
Thomas Kirchmaier Named General Dynamics Advanced Information Systems President (GovConWire) Thomas Kirchmaier Thomas Kirchmaier, formerly a senior vice president and general manager at General Dynamics (NYSE: GD), has been promoted to president of the General Dynamics Advanced Information Systems business unit and vice president of the corporation
Products, Services, and Solutions
Google-like search comes to Hadoop (FierceBigData) Before one can analyze data, one has to find it. In the large, multisource database known as Hadoop, searching for data has never been as easy as it should be, given the contributions of developers who got their start with giant search engines such as Google's. And while some companies have used publicly available data on the basics of Google (NASDAQ:GOOG) search technology to develop similar engines, according to Wired this week, others are taking bigger steps
Tripwire includes web application scanning with IP360 (Help Net Security) Tripwire announced that dynamic web application scanning is now included in IP360. This critical functionality enables customers to detect and prioritize web application vulnerabilities
Lunarline's School Of Cyber Security Offers New Course (Sacramento Bee) Lunarline, Inc., has launched a new course to provide Assessing Network Vulnerabilities
AhnLab Selects Mailshell Anti-Phishing Engine to Enhance AOS' Web Security (PRWeb) AhnLab becomes the fifth major AV provider within the last year to license Mailshell protection from web-based phishing
PC Advisor Awards 2013: Best Security Software (PC Advisor) Bitdefender Internet Security 2013 is an internet security suite that offers excellent protection and a user-friendly interface. Bitdefender does have some mild scanning-speed issues, but otherwise it's an easy-to-use suite that gives you several nice
Juniper Networks Launches New DDoS Protection Solution for Data Centers (Security Week) Juniper Networks this week announced the availability of Junos DDoS Secure, a new offering designed to protect data centers against increasingly complex Distributed Denial of Service (DDoS) attacks
EventTracker Partners with Namtek (SF Gate) EventTracker, a leading provider of comprehensive SIEM solutions, announced today that Namtek Corp. (Namtek) has joined the Solution Partner Program at the Premier level. Namtek will be a value-added reseller of EventTracker's comprehensive suite of SIEM and log management solutions, which offer security, operational, and regulatory compliance monitoring
Technologies, Techniques, and Standards
100% Compliant (for 65% of the systems) (Internet Storm Center) At a community college where I'm helping out whenever they panic on security issues, I recently was confronted with the odd reality of a lingering malware infection on their network, even though they had deployed a custom anti-virus (AV) pattern ("extra.dat") to eradicate the problem. Of course, these days, reliance on anti-virus is somewhat moot to begin with; our recent tally of fresh samples submitted to VirusTotal had AV lagging behind about 8 days or so. If you caught a keylogger spyware, 8 days is plenty to wreak havoc. I usually compare today's AV to the coroner in CSI: he can probably tell what killed you, but won't keep you alive
Are you resilient to the main causes of cloud outages? (TrendMicro Cloud Security Blog) The Cloud Security Alliance recently released a white paper on cloud computing vulnerability incidents spanning the last five years. They looked at more than 11 thousand news articles regarding cloud computing-related incidents to determine the top reasons behind outages. Did you know 64 percent of the outages can be attributed to one of three causes
How to secure your Facebook profile (TrendMicro Countermeasures Blog) Time passes and Facebook changes, this is a law as immutable as gravity. I have updated my Facebook privacy guide from the 2011 edition to give you a step-by-step walkthrough of every important configuration screen and an explanation of how each important function really works
The Challenges and Benefits of Virtualized Environments for Midsize Businesses: A VMware and Trend Micro Q&A (TrendMicro Cloud Security Blog) According to Gartner, midsize businesses account for nearly 40 percent of U.S. server sales. Unlike large enterprises, these organizations have fewer resources to support the deployment and maintenance of new servers in existing IT environments. With the goal of optimizing their entire IT infrastructure, midsize businesses are turning to virtualization
Rogue employees, malware exploits and unauthorized software (Help Net Security) While IT security professionals recognize the threat posed by unwitting employees, many still admit to allowing administrative privileges to go unmanaged, making organizations increasingly vulnerable
Matching Protection Criteria to the Next Wave of Threats (Security Week) It seems that nearly every five years we're faced with a new cycle of threats - from viruses to worms to spyware and rootkits. Today we find ourselves combatting the latest wave - advanced malware, targeted attacks and advanced persistent threats (APTs). While these threats have demonstrated themselves to be more damaging than any in their wake, technologies are available to deal with them. We just need to select the right ones and apply them correctly
Design and Innovation
A brief history of the US government's awful graphic design (Quartz) The revelation that major US technology companies are participating in a National Security Agency surveillance program was shocking enough. And that was before we saw the top-secret slides used by the government to describe the spying operation. They are, to put it mildly, heinously ugly
Academia
New schools competition launched by Cyber Security Challenge UK (InfoSecurity) With Brian Higgins, formerly of the Serious Organized Crime Agency (SOCA) as the first Schools Programme Manager, Cyber Security Challenge UK, the Cabinet Office and industry sponsors have joined forces to bring code breaking into schools
Brown University CISO on education, BYOD and emerging threats (Help Net Security) David Sherry is the CISO at Brown University. He leads the Information Security Group, charged with the development and maintenance of Brown's information security strategy, information security policy
3 Keys To Gamification For Education (InformationWeek) Gamification is hot, but many attempts at educational games fall flat. Designers, parents and teachers should keep these three success factors in mind
EdX Goes Open Source To Woo MOOC Developers (InformationWeek) Will edX's decision to release its full source code attract more contributors to the Harvard/MIT-backed massive open online course platform
Legislation, Policy, and Regulation
China's Huawei and the UK's critical national infrastructure (InfoSecurity) The UK's Intelligence and Security Committee has published a report, not on whether Huawei should be allowed to supply the critical national infrastructure, but how it was allowed to do so in contracts dating back to 2005
What other countries can learn from Britain's experience with China's Huawei (Quartz) Britain finds itself in an uncomfortable position: It doesn't like the fact that Huawei, a large Chinese firm that manufactures telecoms equipment, is deeply embedded in what Britain calls its "critical national infrastructure," which includes energy supply pipelines, transportation infrastructure, water supplies, and telecommunications networks. But there is nothing it can do
EU net neutrality plan coming (FierceGovIT) European Union Digital Agenda Commissioner Neelie Kroes announced that she will soon introduce proposals to the EU College of Commissioners that will prevent Internet service providers in Europe from blocking customers' access to competitors' services
Sweep of digital wiretapping too broad, says human rights report (FierceGovIT) United Nations special rapporteur on free expression Frank La Rue in an unusual report says that governments must update their communications surveillance legal regimes in light of technology that enables states to conduct "simultaneous, invasive, targeted and broad-scale surveillance" to a degree greater than ever before
Task force calls for stronger U.S. international engagement on cyber issues (FierceGovIT) A task force sponsored by the Council on Foreign Relations calls on the United States to build an alliance for cybersecurity with like-minded actors. The task force - charged with making recommendations for the defense of an open global Internet and co-chaired by John Negroponte, a former diplomat and director of national intelligence, and Samuel Palmisano, the former chief executive officer of IBM - issued June 6 a final report
HASC approves anti-China equipment language in fiscal 2014 NDAA (FierceGovIT) The House Armed Services Committee approved June 6 a national defense authorization act for the coming fiscal year that includes language critics say would likely lead to the exclusion of Chinese-manufactured electronic parts from the defense industrial base, including in unclassified networks
NSA surveillance just gave China's president the perfect come-back line (Quartz) The timing for Barack Obama couldn't be worse. Just as he meets for the first time to forge a new diplomatic relationship with his Chinese counterpart, President Xi Jinping, a series of exposes on the secret surveillance programs of the US National Security Agency has presented a major distraction and eroded America's moral high ground
China Claims "Mountains of Data" Pointing to U.S. Hacking (Security Week) After months of accusations that China was backing extensive cyber-espionage operations against the United States, a top Internet security official in China said it had evidence that the U.S. was attacking Chinese targets, too. "We have mountains of data, if we wanted to accuse the U.S., but it's not helpful in solving the problem," Huang Chengqing, director of the National Computer Network Emergency Response Technical Team/Coordination Center of China, known as CNCERT, told the government-run China Daily newspaper on Wednesday
With troops and techies, U.S. prepares for cyber warfare (Reuters) On the site of a former military golf course where President Dwight Eisenhower once played, the future of U.S. warfare is rising in the shape of the new $358 million headquarters for the military's Cyber Command
US prepares for cyber warfare against China and others (Firstpost) Most of Cyber Command's new troops will focus on defence, detecting and stopping computer penetrations of military and other critical networks by America's adversaries like China, Iran or North Korea. But there is an increasing focus on offense as
Opinion: Threat requires a creative response (Financial Times) And, last month, the US Department of Homeland Security issued an alert to US critical infrastructure companies warning of a heightened risk of a destructive cyber attack. Second, distributed denial of service (DDoS) attacks have become increasingly
Secret Intelligence Fuels US Hacking Fight With China (Businessweek) That's when a set of key intelligence breakthroughs and devastating attacks, including a breach of Google Inc. (GOOG)'s computers, reshaped the White House view of China's cyber spying. Although public information about the breach at
US to freeze assets of hackers, throw them out of the country (ZDNet) Lawmakers in the U.S. have proposed legislation which will deny hackers entry to the United States and freeze the assets of foreign nationals. The Cyber Economic Espionage Accountability Act was revealed on Thursday, and allows U.S. authorities to "punish criminals backed by China, Russia or other foreign governments for cyberspying and theft"
President Obama Visiting Silicon Valley Tonight, As Reports Of NSA's Tech Spying Come To Light (TechCrunch) President Obama's official schedule indicates that he is currently aboard Air Force One and en route to the San Francisco Bay Area for private events being held tonight with some of Silicon Valley's most elite players. The president's visit comes within hours of massive new revelations about the United States National Security Agency's reported collection of personal user data from
James Clapper Clarifies Remarks Over NSA Snooping (National Journal) Director of National Intelligence James Clapper said Thursday that he stood by what he told Sen. Ron Wyden, D-Ore., in March when he said that the National Security Agency does not "wittingly" collect data on millions of Americans
Lawmakers Defend, Criticize NSA Collection Of Phone Logs (Washington Post) Growing evidence of far-reaching federal surveillance of the phone records and Internet activity of millions of Americans reignited the debate Thursday about how aggressively the federal government uses its surveillance powers to protect against terrorist attacks
Agency Knows Much About Public, But We Know Little About It (Washington Post) Charged primarily with electronic spying around the globe, the NSA collects billions of pieces of intelligence from foreign phone calls, e-mail and other communications. But in the past two days, the focus has shifted to its role in compiling massive amounts of the same information on millions of ordinary Americans
On Spying, A Deficit Of Trust (TechCrunch) After it was revealed that the National Security Agency was collecting phone records of every single U.S. call on the Verizon network, even President Obama's most ardent supporters are losing faith that he would usher in a more transparent government. Loyal Democrat, former Vice President and Internet inventor, Al Gore called the NSA's massive spying program "obscenely
Government Needs Legal Framework to Guide Cyber-Defenders: Former CIA Director (Security Week) The former head of the National Security Agency painted a stark picture of government cyber-defenders unable to deal with the current wave of adversaries, not because of a lack of talent, but because legal frameworks defining their roles are not yet in place
Lawmaker: ACA-mandated data hub a privacy nightmare (FierceHealthIT) A data services hub mandated by the Affordable Care Act that will be used to connect state health insurance exchanges with federal agencies poses a significant threat to privacy and security, one Republican lawmaker said this week
Litigation, Investigation, and Law Enforcement
Verizon, others have no choice but to hand over customer data (CSO) Any company receiving a government order for data like mobile phone records must comply to gain immunity from prosecution
The Secret Law Behind NSA's Verizon Snooping (Bloomberg) How, exactly, could the government order a Verizon division to provide records of all calls -- that's right, all -- to or from the U.S. on an ongoing basis? The answer is secrecy -- but not just in the way you think. It's not only that the highly classified request was made to and approved by a highly classified court. But the legal interpretation of the 2001 Patriot Act that the court appears to have used was itself classified. In other words, there was no way for the public to know what the courts believed the law to mean. And that reality runs counter to the most basic principles of democracy and the rule of law
Who should pay when big data incites panic? (FierceBigData) Falsely shouting "fire" in a crowded movie theater is not just a matter of the limits of free speech, it is a matter of public safety. In some states, Ohio for example, inducing panic is a second degree felony punishable by two to eight years in prison and a $20,000 fine
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
Navigating the Affordable Care Act (Elkridge, Maryland, USA, Jun 12, 2013) A workshop for government contractors, the sessions are expected to have some relevance to health care information security and assurance.
Northern Virginia Technology Council: Security Threats: What Keeps You Awake at Night? (McLean, Virginia, USA, Jun 27, 2013) It's no secret that cybersecurity events are increasing in frequency and intensity. Many of these events are severe and pose significant risk to us as individuals, to our businesses, as well as our economy and national security. We've seen many reports in the press recently of well-funded nation states attempting to pilfer our networks in search of intellectual property. Every day bad guys are trying to gain access to our credit card information and other forms of personal information to steal our money and identities while others brazenly attempt to take over our data and systems and hold them for ransom. How is this happening? What can we do to protect ourselves? This conference addresses these issues.
Pen Test Berlin 2013 (Berlin, Germany, Jun 3 - 9, 2013) SANS Pen Test Berlin 2013 takes place from June 3rd to June 8th in the Radisson Blu Hotel on the bank of Berlin's River Spree. SANS will offer penetration testing courses as well as a series of presentations and social events. The training offers the opportunity to participate in NetWars.
CyCon 2013: 5th International Conference on Cyber Conflict (Tallinn, Estonia, Jun 4 - 7, 2013) CyCon 2013 is an annual NATO Cooperative Cyber Defence Centre of Excellence conference that is conducted with the technical cooperation of the IEEE Estonia Section. CyCon 2013 will focus on the technical, strategic and legal implications of using automatic methods in cyber conflicts. The conference will be organized along two tracks: a Strategic Track and a Technical Track. Legal aspects will be incorporated in these two tracks.
29th Annual INSA William Oliver Baker Award Dinner (Washington, DC, USA, Jun 7, 2013) This year's awardee is General Michael V. Hayden, former Director of the Central Intelligence Agency and the National Security Agency. Registration is now open and tables are available for purchase.
2013 Cybersecurity Innovation Expo (Baltimore, Maryland, USA, Jun 10 - 13, 2013) Do not miss the opportunity to participate in the 2013 Cyber Innovation Forum with active participation from National Institute of Standards and Technology (NIST), the National Security Agency (NSA), and the Department of Homeland Security (DHS). This four-day event will take place at the Baltimore Convention Center on Monday, June 10 - Thursday, June 13 with the exposition taking place June 11-12.
CISSE 17th Annual Colloquium (Mobile, Alabama, USA, Jun 10 - 13, 2013) The Colloquium for Information Systems Security Education will meet in Mobile to discuss topics of great interest to our community, including cyber security education, certification, and accreditation.
3rd annual Cyber Security Summit Over the last 2 years, the summit has gathered 150+ senior Defence, National Security and Industry executives to address current and emerging cyber threats to Australia's security. Now in its 3rd year, ADM Cyber Security aims at: reviewing solutions to the ever increasing level of attacks, whether real or potential, [and] equipping all stakeholders with a wide range of actionable strategies.
NovaSec! (McLean, Virginia, USA, Jun 13, 2013) NovaSec! is Northern Virginia's largest Cybersecurity and physical security networking event of the year. We are bringing together security professionals from commercial and government organizations with members of local Northern Virginia businesses and associations to allow participants to meet, interact on key issues and provide a unified forum to network with like-minded individuals.
Suits and Spooks La Jolla 2013 (La Jolla, California, USA, Jun 15 - 16, 2013) Exploring Cyber Warfighting and Threat Mitigation for Corporations and Governments. The original concept for this event was to look at what special operations forces and corporate CERTs or SOCs have in common…it readily became apparent that two broad areas kept coming up: threat mitigation through intelligence and active defense (a.k.a. offense as defense). San Diego is a wonderful location for exploring this theme thanks to its military and high technology industries. The FBI, NCIS, DOD, academia and some cutting edge INFOSEC startups will be represented.
25th Annual FIRST Conference (Bangkok, Thailand, Jun 16 - 21, 2013) The annual FIRST conference provides a setting for conference participants to attend a wide range of presentations delivered by leading experts in both the CSIRT field and from the global security community.
Hack in Paris (Paris, France, Jun 17 - 21, 2013) This five day event will examine forensics, malware analysis, and corporate hacking techniques, and what could be better, it is held at the Euro Disney conference center outside of Paris. It has attracted a stellar lineup of speakers and promises to be a very technical event with heavy emphasis on training. This is its second year.
2013 ICAM Information Day and Expo (Washington, DC, USA, Jun 18, 2013) This day provides a forum for the Identity, Credential and Access Management (ICAM) community to get first-hand information on current identity management and related technologies.
Buzzword Forensics: Mobile is the Future…and the Future is Now (Laurel, Maryland, Sioux Falls, Jun 18, 2013) Digital forensics is evolving, as all forensic sciences must evolve. With the explosive growth of the Internet as context, the discipline of digital forensics has evolved significantly since the last millennium. In today's talk we briefly explore this evolution from the Paleolithic last millennium to our present, and increasingly mobile ecosphere. Mobile device forensics has something old and something new. Open source and commercial tools have had spotty records over the years with respect to mobile device forensics. We will explore some of the similarities and look explicitly at some of the major differences between classic computer forensics and mobile device forensics, using demos of Android forensics as an exemplar. Al Holt, adjunct professor at Towson University, will be the presenter.
NASA National Capital Region Industry Days (Washington, DC, USA, Jun 25 - 27, 2013) This dedicated Information Technology Expo - sponsored by the Office of the Chief Information Officer - will serve as a focal point for NASA personnel to learn about the latest products and advances in the marketplace.
AFCEA International Cyber Symposium 2013 (Baltimore, Maryland, USA, Jun 25 - 27, 2013) Cyber threats and challenges grow every day. Successfully defending our networks requires a team approach. With this in mind, the Cyber symposium will engage the key players, including the U.S. Government, the International Community, Industry and Academia, to discuss the development of robust cyberspace capabilities and partnerships. The AFCEA International Cyber Symposium 2013 focuses on the critical missions of U.S. Cyber Command and the interface with Army Cyber Command, Marine Corps Forces Cyber Command, 10th U.S. Fleet Cyber Command, 24th Air Force Cyber, Department of Homeland Security, U.S. Coast Guard, DoD-CIO, National Security Agency (NSA), Defense Information Systems Agency (DISA), Defense Advanced Research Projects Agency (DARPA), Academia, Industry partners. The operational theme "Defining Full Spectrum Global Cyberspace Operations" will explore the operational security of DoD and Industry Networks, Cyber Operations with Joint and Coalition partners, and discuss the training and development of the cyber workforce.
ShakaCon (Honolulu, Hawaii, USA, Jun 25 - 28, 2013) This is the fifth year this "laid back security conference in paradise" is being held. Some solid presentations and training on malware analysis and penetration testing. After all, what could be better than "sun, surf, and C Shells?" There are intensive training classes on hacking mobile apps and even lock picking (the set of tools is included in the class registration).
American Technology Awards Technology and Government Dinner (Washington, DC, USA, Jun 30, 2013) TechAmerica Foundation hosts its Eleventh Annual Technology and Government Dinner at the Ronald Reagan Building in Washington DC. The dinner continues to serve as the premier Washington, DC technology networking event bringing hundreds of tech industry, congressional, and government leaders together at one venue to celebrate the partnership between industry and government.