The CyberWire Daily Briefing for 6.14.2013
OpIsrael returns as 71 Israeli websites are hacked. OpPetrol, targeting mainly Middle Eastern oil producers, is expected to resurface around June 20.
A hack that gets to webcams via browsers is demonstrated. Android malware evolves better obfuscation. Software companies race to close a newly discovered cross-platform zero-day browser vulnerability.
The US FDA warns of medical device cyber vulnerability and proposes new regulation of the device and hospital IT sectors.
Reports suggest that US Government cyber threat information sharing with companies may have involved a metadata sharing quid pro quo.
As the US Congress continues to discuss NSA electronic surveillance, several Senators express doubts over General Alexander's testimony that the program deflected terrorist attacks. It remains unclear how Congress will ultimately respond to the PRISM affair, but observers (and members of Congress) are questioning the efficacy of legislative intelligence oversight.
Among laws under consideration is one that would restrict contractor access to classified information. (Since policy tends to be debated on Aesopian as opposed to analytical grounds, one might note that Bradley Manning was no contractor.) As details of the leak emerge—thumb drives, much online foreshadowing of leaks—analysts wonder why standard security measures seem to have failed.
PRISM has increased cyber tensions between the US and the EU, and hasn't helped with China, either. Observers also see a baleful impact on what's loosely called "Internet freedom." The case raises other questions, including that of corporate liability for leakers.
"Hacking back," some say, could prompt the return of letters of marque.
Notes.
Today's issue includes events affecting Australia, Canada, European Union, India, Israel, Saudi Arabia, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
#OpIsrael-Reloaded: X-Blackerz Inc Hacks Israeli Hosting Company, Defaces 71 Sites & Leaks Admin Info (Hack Read) A hacker going with the handle of X-Blackerz Inc, supporting Anonymous hacktivists on #OpIsrael, has hacked into the server of an Israeli-based hosting company, ending up defacing 71 Israeli websites and leaking hosting details online. The hacker left a deface page, along with a message in text and a YouTube video, explaining the reason for attacking Israeli cyber space
Anonymous' #OpPetrol: What is it, What to Expect, Why Care? (TrendLabs Security Intelligence) Last month, the hacker collective Anonymous announced their intention to launch cyber attacks against the petroleum industry (under the code name #OpPetrol) that is expected to last up to June 20. Their claimed reason for this attack is primarily due to petroleum being sold with the US dollar instead of currency of the country where petroleum originates. However, some chatter indicates there was a desire to launch new attacks due to both #OpIsrael and #OpUSA being regarded as ineffective
Smile! Hackers Can Silently Access Your Webcam Right Through The Browser (Again) (TechCrunch) You know those people who put tape over their laptop's webcam to keep digital peeping toms at bay? They're not crazy. A new proof of concept is making the rounds today that demonstrates how a hacker can snap pics off your webcam, right through the browser, with no consent required
Cybercriminals Improve Android Malware Stealth Routines with OBAD (TrendLabs Security Intelligence) We have been seeing apps that exploit vulnerabilities in Android, with most of them attempting to gain higher privileges on user devices. In recent days, a stronger and a far more advanced Android malware named ANDROIDOS_OBAD has come into play. What seems to be a product from the same malware authors behind ANDROIDOS_JIFAKE, ANDROIDOS_OBAD is found to be equipped with ability to avoid being uninstalled from devices and triggers more malicious code
Malware Redirects South Korean Users To Phishing Sites (TrendLabs Security Intelligence) Online banking threats have been prevalent for many years, but recently they seem to be determined to expand beyond their usual targets. In the past few weeks and months, we've seen various attacks target Korean banks using various techniques
AutoRun. Reloaded (SecureList) Recent months have produced little of interest among worms written in Java and script languages such as JavaScript and VBScript. The main reason behind this was the limited proficiency of the virus writers, whose creations were anything but remarkable. However, a couple of malware samples grabbed our attention; their complexity is testimony to the fact that professionals sometimes get involved as well
Microsoft misses Google-found flaw in Patch Tuesday updates (ZDNet) He made the zero-day flaw public, citing Microsoft as being "often very difficult to work with," and "treat[ing] vulnerability researchers with great hostility." The software giant said it was not aware of any attacks and had not issued an advisory
Big browser builders scramble to fix cross-platform zero-day flaw (Register) Browser manufacturers will release an update in the next few weeks to block a new type of malware that exploits a cross-platform flaw that allows attackers access to Mac, PC, mobile, and even games console internet users. "PC, Android, Mac - the
Vast array of medical devices vulnerable to serious hacks, feds warn (Ars Technica) A vast array of heart defibrillators, drug infusion pumps, and other medical devices contain backdoors that make them vulnerable to potentially life-threatening hacks, federal officials have warned
US swaps data with thousands of firms: sources (Sydney Morning Herald) Along with the NSA, the CIA, the FBI and branches of the US military have agreements with such companies to gather data that might seem innocuous but could be highly useful in the hands of US intelligence or cyber warfare units, according to the people
iOS 7 Beta Bug Enables Lockscreen Bypass (Threatpost) An iPhone user in Spain who downloaded the beta version of Apple iOS 7, which was made available Monday, was able to bypass its screen-lock security feature
Obama Appointee Who Heads U.S. Nuclear Security Agency Is Hacked By "Guccifer" (The Smoking Gun) The Obama administration official who heads the agency responsible for maintaining the country's nuclear stockpile as well as securing "loose nukes" worldwide is the latest victim of "Guccifer." Neile Miller, acting administrator of the National Nuclear Security Administration (NNSA) recently had her Facebook account breached by the notorious hacker, who also apparently illegally accessed one of Miller's personal e-mail accounts
Cyberespionage Operators Work In Groups, Process Enormous Data Workloads (Dark Reading) A group of Taiwanese researchers peer into the operations center of a group behind one large espionage campaign. In a study of the lifecycle of cyberespionage attacks, a group of researchers at a Taiwanese security startup have found that the nation's major government agencies encounter a dozen such attacks each day and that the operators behind the attacks have virtual data centers that appear to be processing enormous workloads
Zeus is hiring money mules - just get infected first (Infosecurity Magazine) For cyber criminals, Zeus is the complete package: not only will it steal your money, it now helps the gangs recruit the money mules to get stolen money out of the country and into their own accounts
How cybercriminals apply Quality Assurance (QA) to their malware campaigns before launching them (Webroot Threat Blog) In 2013, the use of basic Quality Assurance (QA) practices has become standard practice for cybercriminals when launching a new campaign. In an attempt to increase the probability of a successful outcome for their campaigns — think malware infection, increased visitor-to-malware infected conversion, improved conversion of blackhat SEO acquired traffic leading to the purchase of counterfeit pharmaceutical items etc. — it has become a common event to observe the bad guys applying QA tactics, before, during, and after a malicious/fraudulent campaign has reached its maturity state, all for the sake of earning as much money as possible, naturally, through fraudulent means
Cyber Trends
Infographic: Canadian Cybercrime Report Card (SC Magazine) A large increase in foreign cybercriminals establishing virtual bases in Canada to command corporate espionage
State-level data governance efforts 'shaky at best' (FierceHealthIT) State level governance efforts for storing and exchanging citizen data--including health information--are "shaky at best," according to Chad Grant, a senior policy analyst with the National Association of State Chief Information Officers
'US infrastructure highly vulnerable to cyber attack' (Business Standard) "On a scale of one to 10, with 10 being strongly defended, our critical infrastructure's preparedness to withstand a destructive cyber attack is about a three based on my experience," Alexander, also in charge of the US military's Cyber Command, wrote
Cyber attacks top banking risk, says Bank of England (ComputerWeekly.com) Reporting on meetings with the UK's top five banks six months ago, Haldane said four had told him cyber attack was their biggest threat, according to Reuters. The fifth bank had since added cyber threats to its list of top risks, Haldane told the
News Analysis: Cyber security - prudence or paranoia? (B&T Marketing & Media) Late last month, Commonwealth Bank chief executive Ian Narev told the Group of 100 congress of leading finance executives that the threat of a cyber attack is one of his biggest fears. "The security of our perimeter and our ability to understand what
Cyber-crime devastates global economic growth, world economic powers told (Vancouver Sun) In December 2012, Saudi Arabia blamed unidentified people based outside the kingdom for a cyber-attack on state-owned Saudi Arabian Oil Co. that was aimed at disrupting production from the world's largest exporter of crude. U.S. officials have accused
FireEye release Australian cyber security survey findings (Australian Defence Magazine) FireEye has released their findings from a comprehensive survey of the state of Australia's cyber security as seen by executives and technical staff across
Account Takeover Attempts Nearly Double Over Six Months: Report (Security Week) Account takeover attempts and credit card fraud have nearly doubled over a six month period, ThreatMetrix said, as part of its new Cybercrime Index, which examines Web fraud and provides insight into the prevalence of such attacks
Top 10 Security Myths: Misconceptions and Exaggerations About Threats and Technologies (Security Week) Information security is peppered with several misconceptions and exaggerations about threats facing businesses and the technologies to combat those threats, according to a Gartner analyst. The misconceptions have become "security myths" which are widely held among senior management, business managers, and even among security professionals, Jay Heiser, a Gartner analyst, told attendees at the Gartner Security & Risk Management Summit on Tuesday. Risk perspective is "not rational" and based on information at hand, people can misunderstand or overemphasize risk, Heiser said. This is why people may wind up emphasizing the wrong ideas, worrying over exotic issues instead of thinking about the common (and more likely) risks
Marketplace
0-Day The (Bug) Bounty Hunter (Dark Reading) Companies increasingly offer bug bounties to help find vulnerabilities and threats. This is an opportunity for those looking to get into security. Whenever I go to a conference, inevitably I'll meet a college student or a younger kid interested in security. They want to know how I got to--well, wherever I am--and how they can sit in coffee shops all day. Once I get over the shock that I had already graduated from college before these kids were born, they usually want some guidance on how to get started in the business
Talking cyber security with the UK government (SC Magazine) It is easy to be critical of the government when it comes to cyber security, but the truth is that up against attacks, a lack of funding and an increasingly able adversary, what it is achieving is not all that bad
NASA CIO unable to implement effective IT governance (FierceGovIT) The position of NASA chief information officer has limited visibility and control over the agency's information technology investments, resulting in ineffective governance over its 550 IT systems and more than $1.5 billion annual IT spending, finds a June 5 Office of Inspector General report. "NASA's current IT governance model weakens accountability and does not ensure that IT assets across the Agency are cost effective and secure," writes the OIG
Hiring digital 007s (The Economist) A new cyber-industrial complex is rising. Should you worry? "AT BOOZ ALLEN, we're shaping the future of cyber-security," trumpets a recruiting message on the website of Booz Allen Hamilton, a consulting and technology firm. It is hard to argue with that blurb right now. Edward Snowden, the man who revealed he was responsible for leaks about surveillance of American citizens by the National Security Agency (NSA), was a contractor working for Booz Allen. That has turned a spotlight on the extensive involvement of private firms in helping America's spooks to do their jobs. The affair could lead to changes in the way these relationships work
House Republicans block anti-sequestration amendments in defense spending bill markup (FierceGovernment) The House Appropriations Committee marked up the Defense Department spending bill June 12, blocking several amendments from Democrats
Agencies need governmentwide guidance on suspension and debarment process, GAO official says (FierceGovernment) Though the suspension and debarment system has been around for many years, there is little guidance for it, Government Accountability Office Acting Director of Acquisition and Sourcing Management John Neumann said at a June 12 House Government and Oversight Committee hearing
IBM U.S. Job Cuts Reach at Least 1,300, Employee Group Says (Bloomberg) International Business Machines Corp. (IBM), the world's largest computer-services provider, has fired at least 1,300 workers in a round of U.S. job cuts that began yesterday, according to the employee group Alliance@IBM
NSA Leaks Suggest Microsoft May Have Misled Public Over Skype Eavesdropping (Slate) Revelations about the Internet spying system PRISM have put the international spotlight on the extent of the U.S. government's secret surveillance. But the disclosures also raise important questions about the role the world's largest Internet companies played in hoodwinking the public over the controversial spying
Before Edward Snowden, Intel Chief Warned Of Contractor Perils (Huffington Post) As the Edward Snowden leak case reminds us, the United States government has increasingly outsourced its intelligence operations to private firms like Snowden's erstwhile employer, Booz Allen Hamilton, which raked in $1.3 billion from its intelligence
Behind the Curtain: Booz Allen Hamilton and its Owner, The Carlyle Group (The New American) According to writers Thomas Heath and Marjorie Censer at the Washington Post, The Carlyle Group and its errant child, Booz Allen Hamilton (BAH), have a public relations problem, thanks to NSA leaker and former BAH employee Edward Snowden
Special Ops Command Extends Booz Allen's IT Management Deal (Nextgov) The folks in the Special Operations Command's contracting shop evidently have no intention of letting the largest leak of top secret intelligence in history keep it from extending a contract with Booz Allen Hamilton, the employer of the now on-the-lam
GSA awards $150M to Qinetiq North America for software development (Washington Business Journal) Under a potential $150 million blanket purchase agreement, Qinetiq North America will provide IT and software development services to the General Services Administration, the Reston-based federal contractor announced Thursday
AVG Acquires Remote Monitoring and Management Software Firm (Security Week) Internet security software maker AVG Technologies announced that it has entered into an agreement to acquire LPI Level Platforms, a provider of remote monitoring and management software solutions
Sourcefire CEO — Cyber Attacks And The New Cyber Security Model (Forbes) Cyber attacks not only are growing in volume, but in the last year they have hit major companies like Google, Bank of America, Northrop Grumman, Microsoft, Yahoo, AOL, LinkedIn, Tumblr, the Reuters news service and the BBC to name a few. Simply put, the situation is a cause for alarm and in my experience that usually spells an opportunity for investors. That's one of the reasons why the threat of cyber attacks sits in the crosshairs of my Safety & Security PowerTrend, one of my Great 8 PowerTrends that shapes how we invest in my PowerTrend Profits newsletter
Products, Services, and Solutions
Panda Cloud Antivirus 2.2 adds Data Shield, Parental Control and Rescue Boot creator (PC Authority) Bilbao, Spain-based Panda Security has released Panda Cloud Antivirus Free 2.2, a major new version of the company's cloud-based antivirus tool
#Facebook gets #hashtags, which does #WTF to your #privacy? (Naked Security) Oh, boy! Now you won't miss snippets regarding #gameofthrones or the antics of people's #children
TP-LINK announces Archer C7 Wi-Fi router (Help Net Security) TP-LINK released the AC1750 Wireless Dual Band Gigabit Router, Archer C7, which supports the 802.11ac standard. Archer C7 operates over both the 2.4GHz and 5GHz bands to give users two dedicated
Log analysis and alert management platform (Help Net Security) RandomStorm has released its new integrated log analysis, HIDS and file integrity platform, StormAgent. StormAgent automates protective monitoring of network hosts, reducing the time needed to sift
Ping Identity updates cloud identity management platform (Help Net Security) Ping Identity announced PingFederate 7, an upgrade to its identity bridge software and Cloud Identity Management Platform. The release delivers standards-based user provisioning, authentication
Automated password management for privileged accounts (Help Net Security) BeyondTrust announced the release of PowerBroker Password Safe, including integration with Retina CS, the company's vulnerability management platform. PowerBroker Password Safe is an automated
HP Gets Its Big Data Act Together (InformationWeek) Hewlett-Packard's 'HAVEn' ecosystem unites Hadoop, Autonomy, Vertica and enterprise security, backed by management software and consulting services
CloudAware Uses Chatter In Amazon Cloud Management (InformationWeek) CloudAware finds Salesforce.com's Chatter social platform a boon to helping companies monitor compliance, performance in Amazon Web Services workloads
Technologies, Techniques, and Standards
Can You Completely Secure Linux? (eSecurity Planet) Top Linux security engineers address whether complete security can ever be achieved with the open source operating system
Letter Of (Cyber) Marque And Reprisal (Dark Reading) The past couple of years have seen a growing base of "hack back" supporters -- with several new businesses around the globe now presenting their services in a similar vein, each advocating more forceful responses to breaches, such as launching denial-of-service attacks against the attackers, hacking botnet command-and-control servers, embedding exploits in pilfered documents, etc., in an effort to mitigate ongoing threats
Encrypted e-mail: How much annoyance will you tolerate to keep the NSA away? (Ars Technica) How to encrypt e-mail, and why most don't bother
How orgs should handle personal data on IT systems that they don't control (Help Net Security) Organizations should create a privacy program that keeps personal data at arm's length, but under control, according to Gartner, which predicts that by 2019, 90 percent of organizations will have pers
Whose data is it anyway? (FierceBigData) In light of the recent revelation that the NSA is using big data in its surveillance efforts, it is a good time to remember that it is not the only government agency to use this strategy. It's also a good time to ask the burning question of the day: "Whose data is it anyway?" Last year, the TechAmerica Foundation's Federal Big Data Commission report titled "Demystifying Big Data: A Practical Guide To Transforming The Business of Government" revealed multiple use cases from several U.S. government agencies
Cloud data security: Customers and providers share responsibility (TechTarget) The amount of control customers have over public cloud computing services increases as you move down the computing stack, with Software as a Service (SaaS) offering little or no control and Infrastructure as a Service (IaaS) offering the most control. The same goes for security responsibilities in the cloud: With SaaS, the responsibility to secure the platform and infrastructure clearly falls on the provider
20 Critical Security Controls: Control 13–Boundary Defense (Tripwire) Today's post is all about Control 13 of the CSIS 20 Critical Security Controls - Boundary Defense (the last post pertained to Control 12). Here I'll explore the (29) requirements I've parsed out of the control (I used the PDF version, but the online version is here) and offer my thoughts on what I've found
Design and Innovation
Hey Silicon Valley, The British Are Coming (To Learn Your Startup Secrets) (TechCrunch) Doing a startup in Europe is challenging for many reasons. The can-do attitude of Silicon Valley is undoubtedly fuelled in part by the amount of investor money flying around. But that's not the only reason. Failing in the U.S. isn't seen as an end point in the way it can be in Europe. A new U.K. internship programme is aiming to pass that attitude on to 15 grads via Valley startup work placements
Legislation, Policy, and Regulation
Sen. Chambliss: No Intel Reform Likely After NSA Leak Scandal (DefenseNews.com) Congress is unlikely to overhaul the US intelligence community after a Booz Allen Hamilton employee disclosed several highly classified national security programs, says one key senator. Asked Thursday morning by Defense News whether
Intelligence Committee Chair: Court Order Not Needed To Search Metadata (BuzzFeed) Also says Congress will push for legislation to limit how much access contractors have to classified information
Critics question claim that NSA surveillance crucial in 2 cases (Digital Journal) The widespread surveillance programs revealed to the public last week, have prevented dozens of terrorist attacks according to Army General Keith Alexander, head of the US Cyber Command
Harkin questions testimony of National Security Agency commander (Radio Iowa) The head of the National Security Agency told members of a U.S. Senate committee on Wednesday the agency's in-depth surveillance of American citizens has stopped dozens of terrorist attacks. Iowa Senator Tom Harkin remains unconvinced
The Lie Of Legislative Oversight (Washington Post) Ron Wyden doesn't want to call the director of national intelligence a liar
Surveillance And Its Discontents (Wall Street Journal) In our age of proliferating nuclear weapons and genetically engineered biotoxins, a country serious about self-preservation must detect potential threats and prevent attacks before they occur, not prosecute them as crimes after the fact. The architecture to protect civilians must therefore include signals intelligence, or surveillance, to obtain actionable information about the plans, actions and capabilities of the decentralized and lethal networks that are al Qaeda and its franchises
Look who's listening (The Economist) America's National Security Agency collects more information than most people thought. Will scrutiny spur change
Pushing The Envelope, NSA-Style (Washington Post) The National Security Agency's recording of U.S. phone data does basically that with the telephone. It records who is calling whom: the outside of the envelope, as it were. The content of the conversation, however, is like the letter inside the envelope
The NSA's Big Data Problem (Time) It's still unclear exactly how the National Security Agency (NSA) is carrying out digital surveillance on us. But we know one thing for sure: the government is collecting a whole lot of data
A Promise Of Changes For Access To Secrets (New York Times) If Congress enacted such limits it would force a widespread change in the way many of the country's most delicate intelligence operations are run, and would most likely require the intelligence agencies to hire more staff members of their own to do work that in recent years has increasingly been outsourced. It is unclear how broadly Congress would endorse such changes
Oppose PRISM-like programs today or lose your privacy tomorrow (Help Net Security) I used to work for a telecommunication company. The government had access to call records, although the process for obtaining any information required manual requests and processing. That is why I am not surprised by recent news related to PRISM, an NSA-led initiative to gather intelligence related information from internet providers and communication services providers
The best answer to PRISM's abuses is strong cryptography in the hands of the public (AmericaBlog) Trying to make sense of the official pronouncements about the National Security Agency's PRISM program is like trying to nail Jello to a wall. First, a quick primer. PRISM is a highly classified NSA program whereby the computer servers of nine Internet companies, including Microsoft, Yahoo, Google, Facebook, Skype and YouTube, are tapped by the US government. We now know that the disclosure of PRISM's existence came from disgruntled NSA contractor Edward Snowden
Opening the Surveillance State's Secret Courts (Bloomberg) Are we ready now for that discussion about secrecy? In December, in a holiday-season rush to reauthorize the Foreign Intelligence Surveillance Act, the U.S. Senate shot down several amendments intended to limit the powers the act grants to the government and to scale back the near-total secrecy that it authorizes
Congress Won't Defund PRISM-Style Snooping (Slate) It was largely ignored yesterday, but the House Rules Committee had two chances to strike a blow at the NSA. Both Rep. Alan Grayson and Rep. Tim Huelskamp, a Democrat and a Republican both at the edges of their party conferences, introduced amendments that would have effectively cut the purse strings for--and made it illegal to fund--anything like PRISM
What the NSA got right (FierceBigData) Edward Snowden's revelation about the NSA's daily harvest of cell phone metadata from Verizon upset many Americans. Government officials attempted to soothe the public by explaining that the data would be used to track terrorists and not everyday people. By and large that tactic worked. According to a Washington Post--Pew Research Center poll, 56 percent of Americans consider the NSA's actions acceptable
NSA Surveillance May Have Dealt Major Blow To Global Internet Freedom Efforts (Forbes) The internet has never been a perfect tool for advancing democracy and human rights. Despite the most optimistic techno-utopian projections, the internet has yet to set us free and rid the world of dictators. Critics have been right to warn us of the dangers of a single-minded approach — we should be careful not to overlook the deep historical, economic, and cultural factors that shape the world we live in today. At the same time, it is true that the internet has revolutionized the way we are able to connect with each other. We are no longer limited to our culture and geography, we can now unite around shared interests and values
UK denies wrongdoing and EU demands answers on U.S. surveillance (FierceGovIT) Surveillance programs operated by the federal government have sent shock waves into Europe, as international leaders scramble to take a stance on the issues and demand details from the United States
EU 'assessing U.S. relationship' amid PRISM spying claims (ZDNet) In a letter obtained by ZDNet, the EU justice chief hints at consequences to come for the U.S. government if European citizens were targeted by the NSA's PRISM program
What's Worse: China Hacking Vs. Pentagon Whacking? (Eurasia Review) As the Obama administration imposes gouging cuts on fundamental social spending, the White House is allocating $13 billion for the US Cyber Command, tasked with waging 'offensive cyber strikes' to defend the homeland. In 'Pentagonese' that translates
China deserves explanation of PRISM (Global Times) Edward Snowden, the man who blew the whistle on the American National Security Agency's PRISM project, has claimed that the US has been hacking servers in the Chinese mainland and Hong Kong for years. The Chinese diplomatic department should explicitly demand a reasonable explanation from the US government
Short-Circuiting China's Cybersnooping (Washington Times) Persistent activity by Chinese cyberspies reveals just how vulnerable America remains to digital security breaches. In the cyberworld, the playing field has leveled, and the United States, without the fortified cyberprotections to match the threat, remains target No. 1
China's Silence Is Golden On Washington Snooping (Financial Times) But now, for once, silence is golden for Beijing. In a matter of days, the Snowden leaks have turned the dynamics between China and the US over cyber security upside down. If Beijing plays it right, it could look like the victim of a US smear campaign
Keep The Focus On China Cyber Threat (Financial Times) One point must not be lost, however. The great danger of the furore over the NSA in recent days is that it will distract attention from the immense threat from China that US companies face. Yes, the US government must be accountable and transparent when it comes to the surveillance of its own citizens. But the scale of cyber espionage by China against western companies is on an altogether different scale
What we know about CSEC, Canada's eavesdropping agency (CBC.ca) Revelations about the extent of surveillance by the National Security Agency (NSA) in the U.S. have sparked interest in the activities of Canada's own, highly secretive agency. Last week, media reports revealed that the NSA collected hundreds of millions
FDA wants tighter cybersecurity for medical devices (FierceMedicalDevices) As concerns about the hackability of medical devices mount around the world, the FDA is proposing tighter regulations for manufacturers, suggesting that companies include cybersecurity information along with clinical data when seeking approval
Federal regulators address rising security risk to medical devices (CSO) The Food and Drug Administration's latest security guidance to medical-device makers reflects the growing risk hackers and malware present to the lives of hospital patients
U.S. prosecutors propose kill switch to stop smartphone thefts (CSO) The kill switch is part of an initiative to reduce thefts, which sometimes involve violence
With data, Baltimore city should fix problems before they even occur: Heather Hudson [Q&A] (Technically Baltimore) Baltimore's first chief data officer says her main priority is organizing city government data into a central data warehouse
Govt rolls out new cyber security framework (I Government) "As India becomes more networked, we will become more vulnerable to cyber attack. Today, we are protected by virtue of being under-networked. As a networked country, coordinating between multiple agencies will become a growing challenge," says an
Litigation, Investigation, and Law Enforcement
Why does the public now listen to a U.S. government whistleblower? (Help Net Security) This is not the first time that a government whistleblower has come forward and tried to warn the U.S. public about the surveillance overreach of government agencies, but it was the first time that such revelations had such a global impact and response
Manning Case Challenges Definition of "Whistleblower" (PBS NewsHour) The court martial for Army Pfc. Bradley Manning began on June 3 in Fort Meade, Md. Manning was arrested three years ago for leaking 700,000 classified U.S. government documents to the website WikiLeaks. Manning has pled guilty to some of the lesser
Why Are Massive National Security Breaches So Ridiculously Easy? (The Nation) While attending the court-martial of Pfc. Bradley Manning in Fort Meade yesterday, I was reminded once again that the biggest security breach in US history was as challenging and intricate as instant coffee. Witness after witness from the
Snowden Used Thumb Drive For Data (Los Angeles Times) Former National Security Agency contract employee Edward Snowden used a computer thumb drive, a portable data storage device that is supposedly barred inside the spying agency, to smuggle highly classified documents out of an NSA facility in Hawaii, according to U.S. officials
While Working For Spies, Snowden Was Secretly Prolific Online (Reuters.com) While working for U.S. intelligence agencies, Edward Snowden had another secret identity: an online commentator who anonymously railed against citizen surveillance and corporate greed
U.S. Officials Fear Leaker Has More Classified Files (Washington Post) A broad assessment of the damage caused by disclosure of documents on classified intelligence programs has concluded that the former National Security Agency contractor who claimed responsibility for the leaks probably obtained dozens of other sensitive files, U.S. officials said Thursday
Leaker's Ties To China Probed (Wall Street Journal) U.S. lawmakers briefed Thursday on the recently revealed NSA surveillance programs trained their fire on the self-described source of the leaks, Edward Snowden, suggesting he may be cooperating with the Chinese government
Hong Kong to Handle Leaker Extradition Based on Law (Bloomberg Law) Hong Kong will deal with any U.S. request to extradite Edward Snowden, the former U.S. government contractor who disclosed secret information, according to the city's legal system, Chief Executive Leung Chun-ying said
Leak from the National Security Agency Prompts Risk Managers to Ask New Questions (Wall Street Journal) News reports on the leak of confidential information from the NSA by a government contractor may cause Risk Managers to ask themselves a new question: What happens when your employee acts as a whistleblower to either the government or another company with whom you have a contract? Until now, the potential claim scenarios often involved an unintentional mistake or random human error
Charges pending against student suspected in Manchester Regional cyber bullying attack (NorthJersey.com) A student at Manchester Regional High School has been identified as the alleged cyberbully believed to be responsible for launching a series of vulgar online attacks against other students in January, school and law enforcement officials said Thursday
Anonymous Hacker 'ItsKahuna' Pleads Guilty to Hacking into Salt Lake City Police Website (Hack Read) An Anonymous hacker going with the handle of @ItsKahuna on Twitter from Ohio is all set to confess the cyber crime for which he was arrested a few days back. He breached the security of one of the websites, which belonged to Salt Lake police. This site operated for five different cities, namely Utah, California, New York and Missouri. So, at the court he was charged for five different crimes
Bitcoin lovers: This is what it looks like when the US wants to destroy a currency (Quartz) There's a big difference between bringing down a currency and simply trying to regulate it. Today a top US financial crime official said digital currencies like bitcoin shouldn't fear government plans to regulate them like regular old financial institutions
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
Digital Forensics and Incident Response Summit (Austin, Texas, USA, Jul 9 - 10, 2013) The 6th annual Forensics and Incident Response Summit will again be held in the live musical capital of the world, Austin, Texas. The Summit will focus on high quality and extremely relevant content as well as panel discussions in Digital Forensics and Incident Response. The 2013 theme is currently in development as the digital forensics and incident response community is constantly evolving and our content promises to be cutting-edge and relevant to ensure you will be able to utilize the ideas presented when you return to your organization.
Suits and Spooks La Jolla 2013 (La Jolla, California, USA, Jun 15 - 16, 2013) Exploring Cyber Warfighting and Threat Mitigation for Corporations and Governments. The original concept for this event was to look at what special operations forces and corporate CERTs or SOCs have in common…it readily became apparent that two broad areas kept coming up: threat mitigation through intelligence and active defense (a.k.a. offense as defense). San Diego is a wonderful location for exploring this theme thanks to its military and high technology industries. The FBI, NCIS, DOD, academia and some cutting edge INFOSEC startups will be represented.
25th Annual FIRST Conference (Bangkok, Thailand, Jun 16 - 21, 2013) The annual FIRST conference provides a setting for conference participants to attend a wide range of presentations delivered by leading experts in both the CSIRT field and from the global security community.
Hack in Paris (Paris, France, Jun 17 - 21, 2013) This five day event will examine forensics, malware analysis, and corporate hacking techniques, and what could be better, it is held at the Euro Disney conference center outside of Paris. It has attracted a stellar lineup of speakers and promises to be a very technical event with heavy emphasis on training. This is its second year.
2013 ICAM Information Day and Expo (Washington, DC, USA, Jun 18, 2013) This day provides a forum for the Identity, Credential and Access Management (ICAM) community to get first-hand information on current identity management and related technologies.
Buzzword Forensics: Mobile is the Future…and the Future is Now (Laurel, Maryland, Sioux Falls, Jun 18, 2013) Digital forensics is evolving, as all forensic sciences must evolve. With the explosive growth of the Internet as context, the discipline of digital forensics has evolved significantly since the last millennium. In today's talk we briefly explore this evolution from the Paleolithic last millennium to our present, and increasingly mobile ecosphere. Mobile device forensics has something old and something new. Open source and commercial tools have had spotty records over the years with respect to mobile device forensics. We will explore some of the similarities and look explicitly at some of the major differences between classic computer forensics and mobile device forensics, using demos of Android forensics as an exemplar. Al Holt, adjunct professor at Towson University, will be the presenter.
NASA National Capital Region Industry Days (Washington, DC, USA, Jun 25 - 27, 2013) This dedicated Information Technology Expo - sponsored by the Office of the Chief Information Officer - will serve as a focal point for NASA personnel to learn about the latest products and advances in the marketplace.
AFCEA International Cyber Symposium 2013 (Baltimore, Maryland, USA, Jun 25 - 27, 2013) Cyber threats and challenges grow every day. Successfully defending our networks requires a team approach. With this in mind, the Cyber symposium will engage the key players, including the U. S. Government, the International Community, Industry and Academia, to discuss the development of robust cyberspace capabilities and partnerships. The AFCEA International Cyber Symposium 2013 focuses on the critical missions of U.S. Cyber Command and the interface with Army Cyber Command, Marine Corps Forces Cyber Command, 10th U.S. Fleet Cyber Command, 24th Air Force Cyber, Department of Homeland Security, U.S. Coast Guard, DoD-CIO, National Security Agency (NSA), Defense Information Systems Agency (DISA), Defense Advanced Research Projects Agency (DARPA), Academia, Industry partners. The operational theme "Defining Full Spectrum Global Cyberspace Operations" will explore the operational security of DoD and Industry Networks, Cyber Operations with Joint and Coalition partners, and discuss the training and development of the cyber workforce.
ShakaCon (Honolulu, Hawaii, USA, Jun 25 - 28, 2013) This is the fifth year this "laid back security conference in paradise" is being held. It offers solid presentations and training on malware analysis and penetration testing. After all, what could be better than "sun, surf, and C Shells?" There are intensive training classes on hacking mobile apps and even lock picking (the set of tools is included in the class registration).
Northern Virginia Technology Council: Security Threats: What Keeps You Awake at Night? (McLean, Virginia, USA, Jun 27, 2013) It's no secret that cybersecurity events are increasing in frequency and intensity. Many of these events are severe and pose significant risk to us as individuals, to our businesses, as well as our economy and national security. We've seen many reports in the press recently of well-funded nation states attempting to pilfer our networks in search of intellectual property. Every day bad guys are trying to gain access to our credit card information and other forms of personal information to steal our money and identities while others brazenly attempt to take over our data and systems and hold them for ransom. How is this happening? What can we do to protect ourselves? This conference addresses these issues.
American Technology Awards Technology and Government Dinner (Washington, DC, USA, Jun 30, 2013) TechAmerica Foundation hosts its Eleventh Annual Technology and Government Dinner at the Ronald Reagan Building in Washington DC. The dinner continues to serve as the premier Washington, DC technology networking event bringing hundreds of tech industry, congressional, and government leaders together at one venue to celebrate the partnership between industry and government.