Cyber Attacks, Threats, and Vulnerabilities
Syrian Electronic Army Declares War on Twitter After Hackers' Accounts Are Suspended (Softpedia) Twitter has once again started suspending the accounts of the Syrian Electronic Army. The move comes shortly after the pro-Assad hackers hijacked a Thomson Reuters Twitter account and the personal emails of three White House employees
Official Websites of Automobile Giants Fiat and Dodge Australia Hacked by Dr.SHA6H (Hack Read) A well known hacker going with the handle of Dr.SHA6H has hacked and defaced 3 official websites of automobile and motor companies including Dodge, formally the Dodge Division of Chrysler Group, FIAT motors Australia and FIAT New Zealand. The sites were hacked today and left with a deface page and a message in support of people of Syria and against the role of US, UN, Arab countries and governments around
Websites of United Nations Development Programme and UN Volunteers Philippines Hacked by Over-X (Hack Read) The well known Algerian hacker going with the handle of Over-X is back, this time by hacking and defacing 2 official websites of United Nations (UN) designated for the Republic of the Philippines. One site belongs to United Nations Development Programme (UNDP) and second site belongs to United Nations Volunteers (UNV), left with a deface page along with a simple note
Website of High Commission of India in Islamabad Hacked and Defaced by Spider64 (Hack Read) An Indian hacker going with the handle of Spider64 has hacked and defaced the official websites of Indian High Commission in Pakistan. The site was hacked today, left with a deface page along with a message but reason for targeting Indian High Commission site was not mentioned anywhere. The message on the deface page was expressed in following words: We have no rules, hacked by Spider64 Link of targeted
Scans for Open File Uploads into CKEditor (Internet Storm Center) We are seeing a lot of scans for the CKEditor file upload script. CKEditor (aka "FCKEditor") is a commonly used GUI editor allowing users to edit HTML as part of a web application. Many web applications like wikis and bulletin boards use it. It provides the ability to upload files to web servers. The scans I have observed so far appear to focus on the file upload function, but many scans will just scan for the presence of the editor / file upload function and it is hard to tell what the attacker would do if the editor is found
Gone in 30 seconds: New attack plucks secrets from HTTPS-protected pages (Ars Technica) Exploit called BREACH bypasses the SSL crypto scheme protecting millions of sites. The HTTPS cryptographic scheme, which protects millions of websites, is susceptible to a new attack that allows hackers to pluck e-mail addresses and certain types of security credentials out of encrypted pages, often in as little as 30 seconds
'Malware–infected hosts as stepping stones' service offers access to hundreds of compromised U.S based hosts (Webroot Threat Blog) Malware-infected hosts with clean IP reputation have always been a desirable underground market item. On the majority of occasions, they will either be abused as distribution/infection vector, used as cash cows, or as 'stepping stones', risk-forwarding the responsibility, and distorting the attribution process, as well as adding an additional OPSEC (Operational Security) layer to the campaign of the malicious attacker
Javascript and Timing Attacks Used to Steal Browser Data (Threatpost) Security researchers have been warning about the weaknesses and issues with JavaScript and iframes for years now, but the problem goes far deeper than even many of them thought. A researcher in the U.K. has developed a new technique that uses a combination of JavaScript-based timing attacks and other tactics to read any information he wants from a targeted user's browser and sites the victim is logged into. The attack works on all of the major browsers and researchers say there's no simple fix to prevent it
Hot Knives Through Butter: Bypassing File-based Sandboxes (FireEye) Diamonds are a girl's best friend. Prime numbers are a mathematician's best friend. And file-based sandboxes are an IT security researcher's best friend. Unfortunately, malware authors know this. Aware that researchers are using sandboxes to monitor file behavior, attackers are building sandbox-evading techniques into new advanced persistent threat (APT) attacks — and even using these tricks to resurrect notorious malware classics
Java Back Door Acts as Bot (McAfee) The current threat landscape is often driven by web-based malware and exploit kits that are regularly updated with newly found vulnerabilities. Recently, we received an interesting malware binary - a JAR package that opens a back door for an attacker to execute commands and acts as a bot after infection
More Creative Backdoors – Using Filename Typos (Sucuri) When a site gets compromised, one thing we know for sure is that the attackers will leave some piece of malware in there to allow them access back to the site. We call this type of control capability a backdoor. Backdoors are very hard to find because they don't have to be linked anywhere in the site, they can be very small, and can be easily confused with "normal" code. Some of them have passwords, some are heavily encrypted/encoded and can be anywhere in your site
Bitcoin Miners Use AutoIt-Compiled Programs With Antianalysis Code (McAfee) Last year, my colleague Itai Liba blogged about the association between malware and AutoIt, a very convenient environment for malware and tools development. AutoIt allows both easy interface creation for rapid development and full Windows API access for whatever is not directly supported. We have seen an increase in the use of AutoIt scripts by malware authors and other bad guys to achieve their malicious ends
Malicious Bitcoin Miners target Czech Republic (Avast) Today we are going to talk to those of you who use Bitcoin digital currency to pay for a variety of goods and services – along with a warning about yet another source of Bitcoin miners – the sharing services. You may think that if you avoid cracks and keygens while browsing the web you will be safe. Well, we would recommend that you reconsider that position. Recently we found that on the uloz.to file sharing service someone uploaded a lot of fake files containing Bitcoin miners
Security breach at Opscode as attackers download databases (The Register) Attack blocked in five minutes flat. Opscode, the commercial side of the open source Chef configuration management tool beloved by Google, Facebook, and IBM, has warned customers that a flaw in an unnamed third-party application has left its wiki and ticketing system pwned
Ubuntu puts forums back online, reveals autopsy of a brag hacker (The Register) Canonical hardens security, shows Sputn1k_ only wolfed down useless salted hash. Ubuntu Forums are back to normal following a serious hack attack that exposed the usernames, email addresses and hashed passwords of 1.8 million open source users
SIG Australia Hacked (eSecurity Planet) Several user names and clear text passwords were published online
Harbor Freight latest target of cyber attack on credit accounts (WFIE 14News Evansville) An Evansville man learned that he was a victim of credit card fraud after shopping at a local hardware store. Harbor Freight tools is issuing a warning to customers that they have been the victim of a cyber attack, and your credit card information could be in the hands of thieves
SCADA Experts Simulate 'Catastrophic' Attack (Dark Reading) SCADA experts here today demonstrated just how easy it is to commandeer the antiquated networking protocols used in an oil well pumping station and other SCADA environments, causing a simulated oil tank to nearly overflow using spoofed commands to the programmable logic controller (PLC)
Industrial control systems targeted by malicious attackers, research shows (CSO) A researcher uses a network of simulated water pump systems to monitor how frequently industrial control systems are attacked. Attackers are actively targeting Internet-connected industrial control systems (ICS) in an effort to compromise their operation, according to data collected from a global network of honeypot systems that simulate water pumps
Can you spot phishing? Probably not! (CTO Vision) North Carolina State just conducted a study that showed only 7.5% (yes, that is less than 10%) of the participants were able to identify fake emails. The study also showed that more than 50% of the group missed half of the fake emails and still deleted at least one authentic email. Yet, prior to taking the test, 89% of the participants stated they were "confident" in their ability to differentiate between a legitimate email and one sent by a scam artist
Using Google Image Search to Find LinkedIn Invitation Scams (TripWire) I've been getting a lot of fake LinkedIn invitations to connect lately, so I thought I'd share this simple method of separating the real from the fake. Of course, if your gut says it's fake, it probably is. That person you don't recognize who hasn't really filled in much of their profile probably isn't a connection you want or need
New ransomware uses webcam and Homeland Security threat to scare victims (WeLiveSecurity) A new ransomware infection scares its victims by invoking the name of the Department of Homeland Security, and the National Cyber Security Division - and frightens users further by posting a webcam picture of themselves in a pop-up window as it demands money
Is the person sitting next to you a malicious insider? (FierceITSecurity) Insider threats carried out by employees within an organization can cost companies millions of dollars, Patrick Reidy, chief information security officer at the Federal Bureau of Investigation, warned an audience here at the Black Hat security conference
Tracking down a DDoS attacker (FierceITSecurity) A major customer of a Canadian ISP was subjected to a gigabit-plus size distributed denial of service attack that "took down everything," related Robert Masse, security consultant and partner at Swift Identity, at the Black Hat security conference
iOS users can enjoy a 'slick' experience and be spied on as well, says Lacoon researcher (FierceITSecurity) Despite Apple's (NASDAQ: AAPL) reputation for strong iOS security, researchers from Lacoon Mobile Security found that close to half of devices infected with spyphone malware were iOS devices, according to a study revealed here at the BlackHat security conference
Hackers could exploit security hole to launch next BP oil spill (FierceITSecurity) Hackers could exploit a vulnerability in devices controlling oil platforms and intentionally cause an environmental disaster, warned security researchers from Cimation here at the Black Hat security conference
NSA Surveillance Can Penetrate VPNs (Dark Reading) The National Security Agency has a system that allows it to collect pretty much everything a user does on the Internet, according to a report published by The Guardian on Wednesday, apparently even when those activities are done under the presumed protection of a virtual private network (VPN)
US spy agencies eavesdrop on Kiwi (Stuff) The New Zealand military received help from US spy agencies to monitor the phone calls of Kiwi journalist Jon Stephenson and his associates while he was in Afghanistan reporting on the war
The phantom of the boot sector. (Eugene Kaspersky-Nota Bene) In the ongoing battle between malware and anti-malware technologies, there's an interesting game that keeps getting played over and over - king of the castle
Black Hat: Android Master Key Vulnerability Makes Us Safer (eSecurity Planet) When is an Android security flaw a good thing? When it makes us safer, says researcher during his Black Hat presentation. Jeff Forristal, aka Rain Forest Puppy, made headlines around the globe earlier this month when he revealed a new Android master key vulnerability that could potentially put all Android devices at risk of exploitation
The top 10 new reasons to be afraid of hackers (The Verge) The scariest new tricks at this year's twin computer crime conferences, Black Hat and Def Con
Security Patches, Mitigations, and Software Updates
Apple to Fix 'Fake USB Charger' Flaw in iOS 7 (Threatpost) Apple claims it will fix a previously disclosed flaw in its mobile operating system that can allow hackers complete access to an iPhone or iPad via a fake USB charger
Carriers hack into their own SIM cards to fix security issue (CNN) CNN reports that the security researcher who detailed a SIM card security flaw that might have put 750 million phones at risk says several carriers have fixed the issue. The hack, revealed last month by Karsten Nohl, the founder of German firm Security Research Labs, exploited a flaw in cards using DES (Data Encryption Standard) to secure data, and allowed the researcher to intercept text messages, make carrier payments, and impersonate the phone's owner
New WordPress and Joomla Updates Available (Sucuri) If you are a WordPress or Joomla user, you better start updating your sites now
Cyber Trends
Understanding the Global Risk of Cybercrime (SCL) Stewart James seeks to widen awareness of cybercrime issues and counsels the need to consider the real threat cybercrime poses when advising business clients
Is the risk of cyber-warfare overrated? (The Economist) The argument so far has been chiefly semantic, about the definition of warfare. Thomas Rid is not disputing that cyber-attacks are nasty. He is just saying that none so far meet all the (his) criteria for "warfare" which is violent, not metaphorical. The internet is a vector for sabotage, espionage and subversion, but these are less, not more violent when done by computer. Talk of "cyber-warfare" militarises the discussion and distracts from the truly hard questions, about defending society while constraining the intelligence agencies and preserving liberty. Richard Bejtlich attacks that head-on
'Security? We've heard of it': Cloud contracts hazy on security, says Gartner (Computing) Security provisions of commercial cloud services - especially software-as-a-service (SaaS) - are frequently inadequate, with contracts containing "ambiguous terms regarding the maintenance of data confidentiality, data integrity and recovery after a data loss incident", according to analyst group Gartner
Rising cyber-attacks leave firms with huge losses (Standard Digital) Cyber-attacks and security threats to businesses have risen sharply in the recent past, resulting in huge financial losses to firms in Kenya. A report released by the Telecommunications Service Provider of Kenya (TESPOK) yesterday indicated that most businesses were suffering from recurrent disruptions
Cyber Attacks Endanger Securities Exchange Market (Midsize Insider) Fifty-three percent of the surveyed exchanges said they experienced a cyber attack last year. These attacks may include various methods, but most commonly
Five Points About Cyber Risks that CEOs Must Consider (IT Business Edge) Online threats and cyber crimes increase with intensity and complexity almost daily. Couple this with the fact that nearly all business functions rely on the Internet and IT in some way, and you have big reasons to fear a failure in your company's online defenses
Marketplace
Finding Maryland's next cyber security darling (Baltimore Business Journal) Industry leaders consider the sale validation of their efforts to promote cyber here. "It's a real affirmation not only of Sourcefire and the good work they were doing
Cyber Command Seeks To Close Gaps in Offensive, Defensive Skills (DefenseNews.com) The Defense Department wants cyber experts who understand both offensive and defensive cyber operations. The barrage of malicious attacks from insider
There is no 'I know what I am doing' trump card in security (Virus Bulletin) NSA activities could make millions avoid US-based services. We have all been there. To continue the product you're working on, you need to get some extra permission: a port needs to be opened, or perhaps some files need to be uploaded onto a protected system. You ask the IT department for this permission and, much to your frustration, they won't give it to you until you've explained in full detail why you need it, and even then they will have to check with their management. "But I know what I'm doing. And my manager says it is fine."
SpiderOak Takes Novel Approach To Data Privacy (InformationWeek) Prism episode has increased interest for cloud services like SpiderOak, which does not keep copies of user encryption keys -- and thus can't provide access to user files. Ethan Oberman has a problem with cloud computing. "A person should be able to use cloud technologies without relinquishing his or her privacy," explained Oberman, CEO of cloud storage service SpiderOak, in a phone interview
Carl Icahn Sues Dell To Keep Buyout Vote On Track (CRN) Investor Carl Icahn sued Dell (NSDQ:Dell) Thursday to prevent the board from further delaying a buyout vote scheduled for Friday at 9 a.m. CST
Dell, buyout group close to new deal ahead of vote (MarketWatch) Dell Inc. and the buyout group looking to take the computer maker private are nearing a deal that would raise the price being offered to shareholders in exchange for a change in voting rules so that abstentions aren't counted as no votes
CACI's Recent Intelligence Contracts Worth $425M (Executive Biz) CACI International Inc. revealed that recently awarded contracts with intelligence community customers totaled more than $425 million amid the company's efforts to expand and help bolster national security
SAIC completes $85 million sale of Tysons campus (Washington Business Journal) SAIC recently closed on the $85 million sale of its three-building Tysons Corner headquarters to The Meridian Group, setting the stage for a multimillion-dollar redevelopment of the 18-acre campus in the years ahead
Booz Allen CEO: Snowden 'was not a Booz Allen person' (Washington Post) McLean-based Booz Allen Hamilton reported a more than 13 percent jump in quarterly profit Wednesday and said its government customers have been supportive since the company's former employee Edward Snowden acknowledged leaking government secrets. Booz Allen's chief executive, Ralph W. Shrader, rebuked Snowden's actions on Wednesday in his first public remarks on the topic. Shrader said during a conference call that he has met with Booz Allen employees on the matter
Former NSA analysts start company to research zero-day vulnerabilities in websites (NetworkWorld) Idea behind Synack is making bug-bounty experts from around the globe -- and the NSA -- available for hire. Two former National Security Agency (NSA) computer network operations analysts have set up a company called Synack that is offering to match bug-bounty security experts from around the world -- including from within the NSA on a freelance basis -- to discover zero-day vulnerabilities in websites
Hundreds of UK CSC staff face chop, told to train Indian replacements (The Register) IT giant wants to suck brains amid 750 layoffs. Computer Science Corporation (CSC) workers heading for the chopping block in Britain have been asked to train their replacements in India and the Czech Republic
SAIC President Deborah Lee James Nominated AF Secretary (GovConWire) Deborah Lee James, president of Science Applications International Corp.'s (NYSE: SAI) technology and engineering sector, has been nominated by President Barack Obama to serve as Air Force secretary, Defense News reported Thursday
Products, Services, and Solutions
Protegrity expands enterprise big data protection capabilities (Help Net Security) Protegrity released the Protegrity Data Security Platform 6.5, which expands the Protegrity Big Data Protector capabilities to include support and certification on many Apache Hadoop distributions
NSS Labs unveils Threat Modeling and Threat Forecasting (Help Net Security) NSS Labs announced availability of two new advisory services - Threat Modeling and Threat Forecasting - helping clients to better understand their risk and distill actionable threat intelligence
Free first aid kit for computer viruses (Help Net Security) Avira launched the Avira Rescue System, a software first aid kit for scanning and repairing PC computers that are already infected with malware. It can be downloaded for free onto any CD or USB stick
JT to launch new Cyber-attack prevention service (Channelonline) JT along with the global RAD Group has developed world-class software to prevent Cyber-attacks. In recent years, online security is of worldwide concern
VERIS: A New Database for Sharing Security Incident Information (Infosecurity Magazine) A new community database has been launched by Verizon to help bridge the uncertainty gap in data breach information: what we know and what we need to know. Based on VERIS, it is designed to facilitate the secure sharing of incident information for the good of all
YC Startup True Link Financial Is Out To Help The Elderly Avoid Scammers With Pre-Paid Visa Cards (TechCrunch) It's a heartbreaking and, unfortunately, common story: an elderly man receives a phone call from someone claiming to be his granddaughter asking for him to wire money to get her out of a sticky situation. A late night infomercial offers a deep discount on dishware without mentioning the hundreds of dollars in nonrefundable shipping fees
Technologies, Techniques, and Standards
Security Intelligence and Threat Intelligence are not the same thing (HP) Inigo Montoya said it best in "The Princess Bride" - You keep using that word. I do not think it means what you think it means. The last two months have been interesting. I've found myself in conversations where the phrases "threat intelligence" and "security intelligence" have been used virtually interchangeably without thinking anything of it. Don't get me wrong, I wouldn't dare disparage this behavior too harshly. Some of the people who have done it are at the heads of their respective organizations. Before I really got wrapped into this on a daily basis I was prone to the same mistakes and misspoken phrases
Real-time data analysis increases DDoS defenses (Help Net Security) Real-time analytics are a powerful tool for identifying denial of service attacks and other cyber threats, risks and events
How to monitor the security and compliance of your cloud providers (Smart Business Network) In addition, the Cloud Security Alliance (CSA), a leading organization that evaluates cloud providers, has developed the Cloud Control Matrix (CCM) as part of
Keep your laptop safe while using Wi-Fi hotspots (Help Net Security) The relaxing atmosphere of surfing at the beach makes it easy to forget about the sharks. Connecting to an unsecured network poses serious risks to your laptop and data. In a recent study, Bitdefender
The rise of BYOD: What are the key security risks and how can SMEs overcome them? (ITProPortal) It's no secret that the momentum of the BYOD (bring your own device) trend has surged like a tidal wave across organisations of all sizes and industries recently. In this Q&A we talk with Don Smith, technology director at Dell Secureworks, to discuss the major concerns around BYOD and examine how businesses can overcome these challenges
Layering data? Better check your data supply chain for junk data (FierceBigData) One of the most effective ways to arrive at solid answers and accurate interpretations in big data projects is to layer data from multiple sources. That is unless the data you are importing is inaccurate or even purposefully manipulated
McAfee exec on Mandiant, cyberspies and costs (DeepDiveIntel) The Internet security firm McAfee takes a traditional view on the question of whether private companies should name names when it comes to responsibility for cyber attacks and espionage. Its answer is no. McAfee describes events in dry, geographic terms, without references to governments. It's a quaint approach compared to that of Mandiant, the U.S. cyber forensics company that earlier this year accused a Chinese "cyber espionage unit" of stealing American intellectual property and blamed China for hacking the New York Times. In an interview with Deep Dive, McAfee's Tom Gann explains his company's approach to attribution; its support for a public-private partnership with the U.S. government; and its decision to underwrite a cybercrime and espionage cost study by the Center for Strategic and International Studies, a Washington, D.C., think tank
Design and Innovation
Enterprises warned against first true Google phone, Moto X (CSO) Ease-of-use in the Moto X, such as always-ready microphone for voice actions, likely to tickle consumers — but haunts security pros. The security nightmare corporations face with the bring-your-own-device (BYOD) trend just got worse with the release of Google's new Moto X. With the Android smartphone unveiled Thursday, Google is hoping to lure customers with a personal digital assistant that's easy to use and can guess what information or services people want by reading emails and schedules and tracking search queries. While all this data collection may make the device invaluable, it also should make corporations very nervous
Research and Development
Crypto experts issue a call to arms to avert the cryptopocalypse (Ars Technica) Nobody can crack important algorithms yet, but the world needs to prepare for that to happen. At the Black Hat security conference in Las Vegas, a quartet of researchers, Alex Stamos, Tom Ritter, Thomas Ptacek, and Javed Samuel, implored everyone involved in cryptography, from software developers to certificate authorities to companies buying SSL certificates, to switch to newer algorithms and protocols, lest they wake up one day to find that all of their crypto infrastructure is rendered useless and insecure by mathematical advances
Black Hat: Elliptical curve cryptography coming as smarter algorithms threaten RSA (NetworkWorld) Rapid advances in math techniques signal the eventual demise of the currently standard crypto systems. Within five years the math for cracking encryption algorithms could become so efficient that it may render today's commonly used RSA public key cryptography algorithm obsolete, Black Hat attendees were told. While it might take longer, the end of RSA as an effective tool is inevitable, says Alex Stamos, CTO of the Artemis division of NCC Group. "It almost certainly will happen before we retire," he told the group attending his briefing on the topic
UCLA researcher's breakthrough in encryption by "software obfuscation" (ThinkDigit) A team of computer scientists led by Prof Amit Sahai at UCLA have developed "mathematical jigsaw puzzles" to help encrypt software, protect IP, and prevent reverse-engineering of commercial programs
Academia
Universities are putting private financial data at risk (Help Net Security) HALOCK found that over 50% of the colleges and universities investigated allow for the transmission of sensitive information over unencrypted (and therefore unprotected) email as an option without
Big data degrees? Oh puh–lease (FierceBigData) Given that the majority of job openings are in tech related fields in the midst of the slowest economic recovery ever, and also given that big data is the big kahuna in tech, it's natural for job hungry people to lunge for a degree in big data. And wherever there is a hungry lunge, equally hungry universities will be there to net the lungers
Legislation, Policy, and Regulation
FBI said to be taking a hacker approach to spying (C/NET) Using tools to remotely record conversations on Android devices and laptops, the FBI is allegedly taking a cyber tack on surveillance
President Obama's national security team acknowledges for first time that it reads and stores phone records of millions of Americans (New York Daily News) Since it was revealed recently that the National Security Agency puts the phone records of every American into a database, the Obama administration has assured the nation that such records are rarely searched and, when they are, officials target only suspected international terrorists. President Barack Obama's national security team acknowledged for the first time Wednesday that, when investigating one suspected terrorist, it can read and store the phone records of millions of Americans
Senators propose changes on secret intelligence court (Sacramento Bee) Key Democratic leaders in the body have defended the collection of so-called metadata on people's email and phone calls, echoing Obama administration
Dianne Feinstein floats cutting NSA telephone metadata retention down from 5 years (FierceGovIT) The chair of the Senate Intelligence Committee, Sen. Dianne Feinstein (D-Calif.), said July 31 she may seek to reduce the National Security Agency's retention of telephone metadata collected under Section 215 of the Patriot Act down to 2 or 3 years from the current 5 years
The Real Bradley Manning Problem (National Journal) The leaker gets sentenced--and the government still doesn't know how to share intelligence. Now that a military judge has acquitted Pfc. Bradley Manning of aiding the enemy and convicted him of violating the Espionage Act, civil libertarians are breathing a small sigh of relief. But the Obama administration still has a big problem: how to control the flow of information between government agencies so you don't have a system that allows a private stationed in Iraq--or a contractor dating an acrobat in Hawaii--from downloading and distributing secret documents
NSA In The Cross Hairs (USA Today) In a clear signal of slipping political support for the surveillance strategy, President Obama called a meeting Thursday with a group of lawmakers representing both sides of the increasingly divisive debate. They included the NSA's most prominent critics -- Rep. Ron Wyden, D-Ore.; Rep. James Sensenbrenner, R-Wis.; and Sen. Mark Udall, D-Colo. -- and its fiercest supporters -- Sen. Dianne Feinstein, D-Calif., and Rep. Mike Rogers, R-Mich., the respective chairs of the Senate and House intelligence committees
NSA secrets kill our trust (CNN) In July 2012, responding to allegations that the video-chat service Skype -- owned by Microsoft -- was changing its protocols to make it possible for the government to eavesdrop on users, Corporate Vice President Mark Gillett took to the company's blog to deny it. Turns out that wasn't quite true
Snowden Asylum Could Blow Up Nuke Talks (Foreign Policy) It's one of the signature issues of President Obama's second term, and Edward Snowden may have caused it to crack. On Thursday, nuclear arms control advocates shuddered as Washington erupted in rage over Russia's decision to grant temporary asylum to the former NSA contractor. With Republicans in Congress demanding retaliation and White House officials openly casting doubt on a planned Moscow summit, the worry is that Obama's ambitious goal of reducing deployed strategic nuclear weapons by one-third may have just flown out the window
White House 'extremely disappointed' Russia granted Snowden temporary asylum, rethinks summit… (Washington Post) A highly anticipated fall summit between President Barack Obama and Russian President Vladimir Putin could become a casualty of Moscow's defiant decision to grant temporary asylum to National Security Agency leaker Edward Snowden, the White House signaled Thursday after weeks of pressuring and pleading for his return to face prosecutio
Putin Shows Global Mojo to Russians as U.S. Fumes Over Snowden (Bloomberg) Russian President Vladimir Putin is showing his gamesmanship on a global stage by giving his voters what they want with the asylum granted to ex-U.S. contractor Edward Snowden, while leaving the White House flustered
GCHQ plan to spy on "any phone, anywhere, any time" (Computing) British spy agency GCHQ is being paid £100m to spy on behalf of the US secret services, and is developing the capability to spy on "any phone, anywhere, any time". That is the claim arising from the latest set of documents to be released in The Guardian from the US National Security Agency (NSA) whistleblower Edward Snowden
UK Porn Filter Could Also Censor Other Content (Mashable) Last week, UK Prime Minister David Cameron announced that broadband subscribers will be required to declare if they want to maintain access to online pornography. Now, according to several Internet Service Providers (ISPs), the filters may censor even more. According to Open Rights Group, a digital rights organization that spoke with several ISPs scheduled to implement the UK's porn filter, filters can be enabled across a wide range of content, such as file-sharing websites, dating sites and more
The Bugging of South Africa (All Africa) Recent revelations by former National Security Agency (NSA) computer analyst Edwin Snowden that the NSA was undertaking unwarranted mass surveillance of Americans has thrown the communications surveillance activities of governments into sharp relief
CFAA violations key to 2012 Obama victory? (ZDNet) An important tactic of the Obama reelection campaign was likely a violation of Facebook's terms of service, and therefore a violation of federal law. This is yet more evidence that Justice Department interpretations of the Computer Fraud and Abuse Act are unreasonable and need to be curtailed
Litigation, Investigation, and Law Enforcement
In Defense of Leakers: Snowden and Manning (New Yorker) On the day that Edward Snowden finally left Moscow's airport in a taxi to take up Russia's offer of temporary asylum and the sentencing portion of Bradley Manning's trial continued, it is worth restating what should be obvious. Leaking classified information is a crime, and it can be damaging to the national interest; but, in some circumstances, it can also be a patriotic and useful act that helps bring about necessary reforms
The Government Has Made Its Point (New York Times) The first thing to be said about Bradley Manning's trial is that the entire exercise was unnecessary. There was no real factual dispute, since Manning admitted he had leaked the documents to WikiLeaks, and he offered guilty pleas that would have allowed a sentence of up to 20 years
Latvian foreign minister speaks out against giving up alleged Gozi writer to US (The Register) Latvia has set itself on a collision course with America after the tiny nation's foreign minister said he did not want the alleged creator of the notorious Gozi trojan extradited to face justice in the US
Russian Zuckerberg to Snowden: 'Come work for VKontakte' (The Register) NSA leaker gets job offer from top Slavic social site
Snowden Wins Asylum, WikiLeaks Declares Victory (Foreign Policy) And just like that, Edward Snowden's Moscow airport vacation is over. On Thursday, the NSA leaker's lawyer put him in a taxi and sent him off to a secret location, ending a 39-day stay in Sheremetyevo Airport's so-called "transit zone." Russian migration authorities granted Snowden a one-year temporary asylum, and Anatoly Kucherena, the Russian lawyer who has been assisting his asylum application, proudly displayed a copy of that document for reporters at the airport
Google Pressure Cookers and Backpacks, Get a Visit from the Feds (Atlantic Wire) Michele Catalano was looking for information online about pressure cookers. Her husband, in the same time frame, was Googling backpacks. Wednesday morning, six men from a joint terrorism task force showed up at their house to see if they were terrorists. Which prompts the question: How'd the government know what they were Googling
Google 'pressure cooker,' get a police visit? Maybe not. (Washington Post) The FBI denies a Long Island journalist's claims that a local Joint Terrorism Task Force visited her house after she searched the terms "backpack" and "pressure cooker" on Google. Now the question is: Who did? And, perhaps more importantly, did it actually have anything to do with Google
Employer Tipped Off Police To Pressure Cooker And Backpack Searches, Not Google (TechCrunch) In what might be Medium's first widespread Twitter moment, music writer Michele Catalano used the platform to blog details of an unexpected visit to her home yesterday, from six men she identifies as members of the "joint terrorism task force"
Equifax must pay $18.6 million after failing to fix Oregon woman's credit report (The Oregonian) A jury Friday awarded an Oregon woman $18.6 million after she spent two years unsuccessfully trying to get Equifax Information Services to fix major mistakes on her credit report
Hidden threat: Dirty data leads to damaging lawsuits (FierceBigData) It should be self-evident by now that dirty data, i.e. incorrect data, is harmful to organizations since it leads to bad business decisions and more than a few "terrible, horrible, no good, very bad" days. It should be self-evident but apparently not
BlackBerry reported to FBI over potential privacy and security issues (SC Magazine) German researcher Frank Rieger said in a post that email credentials entered into the BlackBerry 10 email Discovery Service would be sent to RIM Canada servers in clear text if forced SSL was not enabled in mail servers