The CyberWire Daily Briefing for 8.7.2013
news from SINET's Innovation Summit
The Syrian Electronic Army returns to media hacking, this time with a bogus story of a nuclear strike on British broadcaster Channel 4's website. A number of Chinese government sites are defaced by "SultanHalkal" hacktivists, who believe themselves to be thereby striking a blow at both Zionism and Shi'ite Islam that will contribute to "free[ing] Syria."
Zimbabwe's election-theater illustrates how cyber attacks on opposition sites have become a new normal for repressive regimes.
Some observers see China's "secure" OS Kylin as an effective counter to US offensive cyber operations. Others mull what the weekend's breach of Tor anonymity reveals about cyber capabilities.
OpenX ad servers are "pre-compromised" with a remote code backdoor. Weaknesses in Windows phones' authentication render them vulnerable to attack, especially through "rogue" Wi-Fi connections. Users find much to complain about in Chrome's password storage functionality, and warn others to stay clear of it. Prodigy email vulnerabilities worry users (particularly those in Mexico). A security flaw is found in HP printers.
Having heard warnings that the human is the weak leak, it's worth remembering the famous Robin Sage catfish exploit. At DefCon Jordan Harbinger (whose name itself sounds a bit catfishy) described how understanding dating and "charm" enabled him to socially engineer security professionals on LinkedIn.
The market continues to sort out the Snowden affair's effect on US cloud vendors and the US Government's ability to recruit newly-shy cyber talent.
The US administration, counting itself embarrassed by Russia's refusal to extradite Snowden, cancels a planned Obama-Putin summit.
Today's issue includes events affecting China, Germany, India, Ireland, Israel, Latvia, Mexico, New Zealand, Russia, Syria, Uganda, United Kingdom, United States, and and Zimbabwe..
New York: the latest from SINET's Innovation Summit
US Counterintelligence Executive Says NSA Doesn't Have Adequate Resource to Monitor All Communications (Infosecurity Magazine) Presenting the keynote at the 2013 SINET Innovation Summit in New York, August 6th 2013, Frank Montoya Jr., National Counterintelligence Executive, assured the audience that "we don't have the resources" to monitor and evaluate information on all communications when asked about the NSA surveillance programs
CIA's John Mullen Declares People Biggest Threat and Risk Management Best Defense (Infosecurity Magazine) People present the greatest cyber vulnerability and educating them is key to protecting your valuable information, John K. Mullen, senior operations officer at the CIA told the audience at 2013 SINET Innovation Summit in New York, August 6th 2013
SIRIUS (IARPA) The goal of the Sirius Program is to create Serious Games to train participants and measure their proficiency in recognizing and mitigating the cognitive biases that commonly affect all types of intelligence analysis. The research objective is to experimentally manipulate variables in Virtual Learning Environments (VLE) to determine whether and how such variables might enable player-participant recognition and persistent mitigation of cognitive biases
Metaphor Program (IARPA) For decision makers to be effective in a world of mass communication and global interaction, they must understand the shared concepts and worldviews of members of other cultures of interest. Recognizing cultural norms is a significant challenge, however, because they tend to be hidden. Even cultural natives have difficulty defining them because they form the tacit backdrop against which members of a culture interact and behave. We tend to notice them only when they are in conflict with the norms of other cultures. Such differences may cause discomfort or frustration and may lead to flawed interpretations about the intent or motivation of others. If we are to interact successfully on the world stage, we must have resources that will help us recognize norms across cultures. The Metaphor Program will exploit the use of metaphors by different cultures to gain insight into their cultural norms
Integrated Cognitive-Neuroscience Architectures For Understanding Sensemaking (ICARUS) Program (IARPA) Sensemaking refers to the remarkable human ability to detect patterns in data, and to infer the underlying causes of those patterns - even when the data are sparse, noisy, and uncertain. The focus of the ICArUS Program is to understand and model how humans engage in the sensemaking process, both during optimal and suboptimal (biased) performance. Of particular interest are cognitive biases related to attention, memory, and decision making
Cyber Attacks, Threats, and Vulnerabilities
Hackers post story of tactical nuclear strike against Syria on Channel 4 blog (Graham Cluley) Hackers from the Syrian Electronic Army have once again claimed a high profile scalp, compromising the blogs at British broadcaster Channel 4
75 Chinese Government Websites Hacked by SultanHaikal and M3QD4D (Hack Read) Two hackers from different hacking groups going with the handle of SultanHaikal and M3QD4D have hacked and defaced 71 websites owned by the government of China. SultanHaikal left a deface page along with a deface message on his half of 38 sites, where the message was expressed in following words: Ahlussunnah Was Here! Anti Shia, Anti Zionist (Jewish) SultanHaikal, Free Syria
Cyber Attacks Strike Zimbabweans Around Controversial Election (TechWeek Europe) Zimbabweans knocked offline and see data wiped because of slew of cyber attacks last week during the elections, TechWeekEurope learns
China's 'secure' OS Kylin — a threat to U.S offensive cyber capabilities? (ZDNet) Picture a cyber warfare arms race where the participating countries have spent years of building offensive cyber warfare capabilities by exploiting the monoculture on one another's IT infrastructure
Anonymity Smackdown: NSA vs. Tor (Errata Security) In recent news, Tor was hacked -- kinda. A guy hosting hidden services was arrested (with help from FBI), and his servers changed to deliver malware to expose user IP addresses (with help from NSA). This makes us ask: given all the recent revelations about the NSA, how secure is Tor at protecting our privacy and anonymity
Cyber Attack On Tor Could Contain A Secret Message From The NSA (Business Insider) There was a big cyber attack on anonymous online network Tor over the weekend that led to the bust of an alleged child pornography "facilitator" by the FBI
OpenX ad servers "pre–compromised" — official distro contained remote code backdoor (Naked Security) You don't always have to break into someone's web server to get them to deliver your malware for you. You can just break into the server they get their online ads from. Or you can pre-infect the online ad server software so you can own it as soon as it is installed
Windows Phones open to hackers when connecting to rogue Wi–Fi (ZDNet) Microsoft has warned that a vulnerability in Windows Phone operating systems could allow hackers to access your passwords when connected to rogue Wi-Fi hotspots
Weakness in Microsoft Phone Authentication Could Lead to Theft of Credentials (Infosecurity Magazine) A weakness in the wifi authentication process (PEAP-MS-CHAPv2) on Windows Phone 7.8 and 8 could be exploited by an attacker to trick the phone into disclosing its users' domain log-on credentials
Do you save passwords in Chrome? Maybe you should reconsider (ZDNet) Every modern browser lets you save and sync user names and passwords for your favorite websites. Maybe that's not such a good idea. You might want to think twice before you let someone borrow your computer. The most obvious risk of allowing someone else access to your desktop is that they can impersonate you, using any app where you're already signed in. They could send prank messages using your default email client, or profess your undying love for Justin Bieber using your logged-in Twitter account
Chrome's insane password security strategy (Elliott Kember) Chrome does something interesting when you first run it. The other day, I was using Chrome in development for an Ember.js app. I use Safari for day-to-day browsing, but it has a habit of aggressively caching files when I least expect it, so from time to time I switch to Chrome
Prodigy Email Vulnerability Puts Millions of Accounts at Risk (Tripwire) Over the past few weeks I have been working with El Economista on the discovery and disclosure of a massive security hole in Prodigy's (Telmex) mobile email and web based mail systems in Mexico
HP Printer security flaw allows hackers to extract passwords (Graham Cluley) Owners of certain HP LaserJet Pro printers are being advised to protect themselves against a security vulnerability "as soon as possible", after researchers found it was possible to remotely access admin passwords and other information
More malware targeting crypto-currencies: Litecoin stealing Trojan found (WeLiveSecurity) Bitcoin is not the only crypto-currency targeted by malware now that a Trojan designed to steal Litecoins has been discovered
The Malware Archives: PDF Files (MalwareBytes) Chances are you've probably used Adobe Reader before to read Portable Document Format (PDF) files. Adobe Reader--formerly Acrobat Reader--remains the number one program used to handle PDF files, despite competition from others
Reveton Malware Replaces Locked Desktops with Fake AV (ThreatTrack) Here's something a little bit different (okay, entirely different). Reveton is a nasty and well known piece of Ransomware, typically hijacking the desktop with a locked screen and asking victims to pay up "or else". The "or else" usually involves fictitious threats of law enforcement related justice being brought down upon their heads unless they pay up $200 via the scammer's chosen payment method
Digital stakeout of Chinese hacker gang reveals 100+ victims (ComputerWorld) Crew behind 'Comfoo' RAT may have rooted through videoconferencing vendor for ways to watch confidential meetings in government, businesses
Bridgewater Associates Admits Security Breach (eSecurity Planet) Former employees' names, birthdates, Social Security numbers and addresses may have been accessed, along with the same information for any dependents
NullCrew Hackers Hit University of Minnesota (eSecurity Planet) Professors' names, addresses, e-mail addresses and phone numbers were published online
City of Abbotsford Hacked (eSecurity Planet) Residents' names, addresses, bank account numbers and My City Online passwords may have been accessed
Trusteer dismisses HSBC and Natwest bank hacking claims (V3) Trusteer has dismissed reports that criminals are exploiting a vulnerability in its Rapport browser-lockdown technology that is used by leading banks such as HSBC and NatWest
Black Hat: Don't assume safety from "master key" Android vulnerability (SC Magazine) The CTO who disclosed the "master key" Android vulnerability, which allows miscreants to invisibly infect any legitimate app, has presented follow-up research that reinforced how exposed users are to the threat
Medical–Device Flaws Will Take Time To Heal (Dark Reading) Manufacturers are slow to patch up security issues, despite increasing pressure from patients, researchers and federal agencies. Jay Radcliffe takes medical-device security personally. As a senior security analyst for security firm InGuardians, Radcliffe is frequently called upon to give advice on how best to secure medical systems. Radcliffe is also a diabetic and a user of a portable insulin pump. He became interested in medical device security when he discovered that his current pump had a significant safety issue: Replacing the batteries resets the pump, causing data on how much insulin a user has administered to be lost
What Are the Risks of Geo-Location? (McAfee) Using your mobile's built-in global positioning system (GPS) functionality allows location-based services (or geo-location) to locate and publish information about your whereabouts. Applications like Foursquare, Facebook and Yelp allow you to "check in" at places using your mobile phone, and then share your location with friends or on social networks. The application knows where you are because it taps into your phone's GPS longitude and latitude data
Dating guru resurrects Robin Sage by social engineering TS/SCI holders on LinkedIn (CSO) LinkedIn is still the "safest," most-trusted social media site to connect with people, right? One DEF CON presentation proves it could be the riskiest network of all. Jordan Harbinger, co-founder of The Art of Charm, a dating and social dynamics instruction school, isn't a hacker. But he used his basic knowledge of the social scene in order to social engineer people with Top Secret / Sensitive Compartmentalized Information (TS/SCI) clearances on LinkedIn
Cybercrime as a Service (Infosec Institute) Reading about cybercrime, it is very easy to find terms such as attacks-as-a-service, malware-as-a-service and fraud-as-s-Service, that are commonly used to describe the practice of facilitating illegal activities for cybercriminals through the provisioning of services. Security experts working for principal security firms have observed a radical change in the way cybercriminals monetize their activities; instead of earning directly from the sale of illegal products such as malware and exploit kits, the cybercriminals are evolving to respond to a demand in rapid and constant growth
Firefox 23.0 is out - fixes, features and just a tiny bit of frustration (Naked Security) Note to Firefox fans: 23.0 is out. Paul Ducklin, a Firefox fan himself, looks at the many new fixes, one handy new security feature and a nagging frustration in the update
Twitter's Killer New Two–Factor Solution Kicks SMS to the Curb (Wired) When Twitter rolled out two-factor authentication back in May, it hinted that the SMS authentication would be merely a first step in a more robust security solution. Today, WIRED got a better look at the company's just-announced new system that relies on application based authentication-which means it can provide a complete end to end security without relying on third parties or codes sent via SMS
Twitter adds two-step verification to iOS app with latest update (The Verge) After Twitter finally offered its users a more secure way for users to log into their accounts on the web, the social network has updated its iOS app today with two-step verification. The security mechanism requires two different passwords for a user to login: both a traditional password as well as a temporary code sent to your verified mobile phone number. As reputable institutions have embraced Twitter, they've become an attractive target for hackers hoping to deceive the public with malicious or erroneous tweets. High-profile hacks of accounts like The Guardian, AFP, and the Associated Press have occurred in the past
NZ slow to respond to 'industrialised' hacking (New Zealand Herald) The automation of cyber attacks means New Zealand businesses are definitely on the radar. New Zealand businesses have been slow to respond to the worldwide trend in automated cybersecurity attacks, says a US expert. Those views have been endorsed by a local security consultant, who said being far away from the rest of the world was no longer a safety guarantee for New Zealand. Mark Kraynak, senior vice president of Imperva, said modern hacking tools meant cyber criminals can quickly and easily scan the internet for vulnerable websites and launch attacks
Expect more Android security issues in 2013 (Help Net Security) Android vulnerabilities, increased online banking threats and availability of sophisticated, inexpensive malware toolkits are among the growing concerns cited in Trend Micro's Q2 2013 Security Roundup Report
A tipping point for effective corporate security measures? (SC Magazine) It's a truism that a business is only as secure as its weakest point, so businesses should have security systems in place because staff members are going to mess up at some point
Cyber crime costs firms 2.7% of turnover (Irish Times) One incident cost an estimated €135,000, Deloitte survey claims. Digital crime costs Irish organisations an average of 2.7 per cent of their turnover for the year, with a single incident costing an estimated €135,000, a new survey has claimed
Mobile threats and other new directions from Black Hat (GCN) Mobile computing seems to be the new frontier in cybersecurity, edging out the cloud as a fruitful area for research and hacking at last week's Black Hat Briefings. But stealthy persistent threats remain a serious concern and the emerging Internet of Things offers new challenges to privacy
California Breachin' (RSA Speaking of Security) When I first started doing security consulting at the turn of the century, there was a sense among my colleagues (probably apocryphal) that encryption was one of the few things that our least savvy customers knew how to do. As in: "What are you doing to protect your organization and data?" "Well, we use encryption". "What else?" "We use encryption." It seemed as though encryption was one of the things that most people understood, and we instead spent our time uncovering issues in cross site scripting, SQL injection, patch management and server configuration
Spam rises, now counts for 70 per cent of emails (Computing) The past three months have seen a four per cent rise in spam, which now accounts for over 70 per cent of all email activity, according to the latest Spam Report from Kaspersky Lab
Report: NSA spying deals billion dollar knockout to US cloud prospects (The Register) Fourth Amendment? Meh. Privacy? Yawn. Corporate profits? PANIC! Sustained violations of civil liberties at home and abroad? Yawn. The manifestation of Orwell's nightmares? Snooze. The potential loss of scads and scads of money? Egad, we should really do something about this
Top destinations for cyber security pros (Help Net Security) Semper Secure announced the results of its Cyber Security Census. Based on a survey of 500 cyber security professionals from 40 different industries across 43 states, the District of Columbia, and Puerto Rico, and underwritten by Northrop Grumman, NetApp, and MeriTalk's Cyber Security Exchange, the census reveals what motivates today's cyber security professionals as well as how to train and recruit the next generation
Surveillance scandal rips through hacker community (C/NET) The good ol' days of chummy games of "Spot the Fed" at Defcon are finished as hackers and security entrepreneurs plan next steps in the wake of government spying revelations
Calculate your cyber salary (Nextgov) Wired Workplace wrote Monday about a new report finding cybersecurity professionals on average earn $116,000 per year. But is that an accurate reflection of what you should be earning based on your education and experience
CACI Selected for GSA Mobile Device Program (GovConWire) CACI International (NYSE: CACI) has been selected as a vendor for a General Services Administration program that works to help federal agencies acquire mobility services. The company will work to help federal agencies engineer mobile devices, develop applications and build applications hub, CACI said Tuesday
Former DHS Deputy Undersecretary and ICE Assistant Director for Intelligence Joins SE Solutions (Fort Mill Times) Strategic Enterprise Solutions, Inc. (SE Solutions) announced today the addition of former Department of Homeland Security (DHS) Senior Executive, James M. Chaparro, to the company's management team. As Executive Vice President of Strategy, Mr. Chaparro will be assisting the company with its strategic direction and focus on supporting a wide range of homeland security missions
Dell buyout drama could drag on a while (FierceFinance) As expected, Carl Icahn, the activist investor, has taken his fight against the approved Dell buyout proposal to court. He has asked for an expedited proceeding in Delaware, arguing that the Dell board has breached its duties to shareholders by approving a dividend-sweetened offer by Michael Dell and private equity concern Silver Lake
Rising From the Abyss? (GovConWire) As industry dealmakers know, government services and defense deal closings during first half of this year were hollowed out by the double whammy of higher capital gain taxes and advent of sequestration that occurred earlier this year
Products, Services, and Solutions
Shodan: The scariest search engine on the Internet (Razormind) "When people don't see stuff on Google, they think no one can find it. That's not true." That's according to John Matherly, creator of Shodan, the scariest search engine on the Internet
Facebook turns tables on profile stalkers with News Feed tweak (The Register) Facebook has tweaked its News Feed ranking algorithms in a bid to get users spending more time gazing at memes and cat pictures
IOActive launches security intelligence service (Help Net Security) IOActive launched its new Security Intelligence Service, to help arm organizations with prioritized critical security insights based on their business
On the Edge of failure: Ubuntu smartphone looks unlikely to reach crowdfunding goal (The Verge) The Edge, a smartphone that runs a mobile edition of the popular desktop OS Ubuntu, will only get made if would-be users pledge $32 million via the crowdfunding site Indiegogo. With a strict time limit of 30 days, this ambitious campaign needs to average more than $1 million per day, however the first half of that period has seen great initial momentum slow down to a crawl. In its 15 days on Indigegogo, the Edge project has attracted $8.3 million in pledges, leaving it nearly $24 million short
Start–up Defense.Net debuts with anti-DDoS service (NetworkWorld) Co-founder Barrett Lyon says anti-DDos service would serve both enterprise and cloud providers. Start-up Defense.net makes its debut today with the aim of stopping distributed denial-of-service (DDoS) attacks aimed by attackers against both enterprises and cloud service networks
Cylance Announces Availability of Its Infinity Cloud, Transforming Advanced Threat Detection by Applying Science to Security (MarketWatch) Cylance, Inc., a global cybersecurity technology and services company applying science to security, today announced the disclosure of its Infinity(TM) Advanced Threat Cloud engine. Infinity is the first security technology to deliver a revolutionary new threat classification model that is scientifically founded while providing simplistic and user friendly detection of the most advanced threats in the world
Swan Island Networks and Aspiration Software Launch New Cyber Security Awareness Initiative for Government Agencies and System Integrators (PRWeb) Cybero™ cyber security awareness and training services will form a basis for new customized solutions available through Aspiration Software
RSA and Wombat Security Collaborate to Help Organizations Educate Users About Threats to Enterprise Security (Broadway World) Wombat Security Technologies (Wombat), a leading provider of cyber security awareness and training solutions, today announced a global reseller agreement with RSA, The Security Division of EMC, that will help organizations effectively leverage security awareness training so that employees become part of their company's active defense against growing cyber attacks
Procera Launches Virtualized PacketLogic Solutions (Broadway World) Procera Networks, Inc. ( NASDAQ : PKT ), the global Internet Intelligence company, today announced the launch of
Technologies, Techniques, and Standards
How do you stop HTTPS-defeating BREACH attacks? Let us count the ways (Ars Technica) Spoiler alert: some of the fixes aren't going to be pleasant
A Cure Worse than the Disease? (Trend Micro) I was phoned by our PR manager, Funda, to help out with a PR opportunity with Channel 4 News, one of the 3 big national UK broadcasters. A lady living near Birmingham in the English midlands had been caught up in a scam related to her hacked Yahoo account. I was invited to come along to her house where the television crew would interview the lady about her experiences, and me, for the Trend Micro expert view
Multiple certifications ensure need for accrediting bodies to work together (SC Magazine) There is a need for certification companies to work together to enable security professionals to better understand the benefits of them, and gain the most from them
Fighting Spam and Web Site Spoofing Attacks: Lessons Learned from the Traffic Light (Security Trends) An interesting timeline involving the colors red, yellow and green: August 5th, 1914 - the first electric traffic light is installed in Cleveland, OH. driven by the chaos at intersections in cities caused bythe explosion in the number of automobiles on the roads. The system was based on the convention used on railroad signals where red meant danger and green meant safe
Defending Against Pass-the-Hash (PtH) Attacks (Secure Ideas) Pass-the-Hash (PtH) attacks have become probably the most common form of credential attacks used in the hacking community. Especially in Microsoft Windows environments, PtH tools are so popular and easy to use, that many attackers no longer even bother to crack passwords anymore. Why waste the time when an administrator's hash is just as convenient, if not more so, to expand the scope of a breach
Dependability through Assuredness Standard released (Help Net Security) The Open Group announces the publication of the Dependability through Assuredness Standard (O-DA), which will benefit organizations relying on complex systems to avoid or mitigate the impact of failure
SaaS Service Agreements Can Leave Security on the Table (SecurityWeek) Ambiguity often abounds when it comes to the security requirements contained in contracts with software-as-a-service [SaaS] vendors, but there are minimum steps users can take to get what they want, according to industry analyst firm Gartner Inc
Penn State program to boost federal cyber security receives more funding (Penn State) Anna Squicciarini, an assistant professor in Penn State's College of Information Sciences and Technology (IST), and John Hodgson, a project manager in the Applied Research Laboratory (ARL) say they are committed to nurturing students in who are interested in protecting the U.S. government's information infrastructure. A program that they initiated in 2011 to accomplish that goal was recently given a boost by the National Science Foundation (NSF)
BAE Systems' DeEtte Gray encourages private, public sectors to advance STEM education (Washington Business Journal) BAE Systems and the U.S. Army recently held a discussion panel in which DeEtte Gray, president of intelligence and security at BAE, encouraged both the public and private sectors to advance STEM education, WashingtonExec reports
WPI Designated as a Center of Excellence in Cybersecurity Research (WPI) Worcester Polytechnic Institute (WPI) was recently designated as a Center of Excellence in Cybersecurity Research in a program jointly managed by the National Security Agency and the Department of Homeland Security
Legislation, Policy, and Regulation
Uganda sets up unit to fight cyber crime (New Vision) The Uganda Communications Commission has set up a Computer Emergency Response Team (CERT) to improve and secure communication services in the country
India to Outsource Spying on Indians to the Israelis (NewsClick) At a time when the entire world is outraged to find out about USA's secret mass surveillance program run by the NSA, the Indian government is openly and unabashedly contracting a foreign private company to design and implement a mass surveillance program to spy on its own 1.2 billion citizenry. According to a recent news report, 1Verint Systems, an Israeli cyber intelligence solutions provider closely linked to Israeli intelligence services, is soon to get a contract from the Indian government to aid and abet the Department of Telecommunications (DoT) in intercepting encrypted electronic communications in India
Former NSA Chief on Latest Leaked Dragnet Spy Program: It's Real, and It's Spectacular (Slate) Does the NSA really operate a vast database that allows its analysts to sift through millions of records showing nearly everything a user does on the Internet, as was recently reported? Yes, and people should stop worrying and learn to love it, according former NSA chief Gen. Michael Hayden
If Bruce Schneier ran the NSA, he'd ask a basic question: "Does it do any good?" (Ars Technica) Ars asks a tech and legal all-star team how to fix America's security state. For the last two months, we've all watched the news about the National Security Agency and its friends over at the Foreign Intelligence Surveillance Court (FISC), which approves secret orders on behalf of the NSA and other spy agencies. But more often than not, a lot of these articles take the same basic structure: documents provided by NSA leaker Edward Snowden show X, and then privacy advocates and civil libertarians decry X for Y reason
How Obama Can Say "We Don't Have A Domestic Spying Program" Without Lying (TechCrunch) President Obama found himself defending the practices of the National Security Agency to comedian Jay Leno Show last night. "We don't have a domestic spying program," said the Commander-in-Chief. "What we do have is some mechanisms that can track a phone number or an email address that is connected to a terrorist attack. That information is useful." If Obama's denial
Fitting cyber attacks to jus ad bellum — Consequence–based approach Part II (Infosec Institute) The focus of this contribution is placed on two tests which employ the consequence-based approach that, in turn, aims to categorize cyber attacks as a use/threat of force or an armed attack pursuant to UN Charter. Interestingly, such a method within the method reminds me ace little of the Russian matryoshka, where with each opening of a wooden doll the chance to snatch the final surprise is either getting bigger (while the dolls are decreasing in size) or vanishes thunderously at the end
German Minister calls for punishment of US companies involved in NSA spying (Help Net Security) The revelations of mass online spying by US government agencies that involved cooperation from the British and the German governments and intelligence services, as well as the upcoming elections have
Expose Russia's Intelligence Network (USA Today) Last Thursday, Russia granted temporary asylum to NSA leaker Edward Snowden, freeing him from his five weeks of limbo in a Moscow airport. The move was humiliation for the United States. It deserves a proportionate response, but that's not what we've done so far
Litigation, Investigation, and Law Enforcement
Third arrest made in Twitter abuse scandal (V3) A third man has been arrested in connection with Twitter-based rape and bomb threats directed at various high-profile Twitter users
US Reporter Says He Has Huge Cache of Snowden Files (SecurityWeek) Brazil-based American reporter Glenn Greenwald said Tuesday that he had received more than 15,000 secret US government documents from intelligence leaker Edward Snowden
In Rebuke, Obama Cancels Summit with Putin (AP) n a rare diplomatic rebuke, President Barack Obama on Wednesday canceled his Moscow summit with Russian President Vladimir Putin
Edward Snowden: Obama criticises Russia for granting asylum (The Guardian) President says 'cold war mentality' is behind Kremlin's decision to protect NSA leaker rather than hand him over
'Look, give us Snowden' — this Friday's top US–Russia talks revealed (The Register) Obama's highest lieutenants to meet Putin's top brass in military co-op confab. America will hold high-level talks on political and military teamwork with Russia this Friday - despite the latter country's offer of temporary asylum to NSA whistleblower Edward Snowden
Digital Detectives Key to Stopping Internet Crimes (Digital Forensic Investigator) In a locked room on Des Moines Area Community College's Ankeny campus, the state of Iowa stores hundreds of computers, cellphones, tablets and other devices used in criminal activity
Keeping Secrets Secret (Los Angeles Times) NSA surveillance data obtained without a warrant shouldn't be used in criminal prosecutions
Manning's Potential Sentence Cut (Washington Post) Army Pfc. Bradley Manning's possible sentence for disclosing classified information through WikiLeaks was trimmed from 136 years to 90 years Tuesday by a military judge who said some of his offenses were closely related
Latvia to extradite cyber theft suspect to US (Global Post) Latvia agreed Tuesday to extradite a programmer to the United States to stand trial for his alleged role in a global cyber theft ring that broke into a million computers
$1.5 million Cyberheist Ruins Escrow Firm (Krebs on Security) A $1.5 million cyberheist against a California escrow firm earlier this year has forced the company to close and lay off its entire staff. Meanwhile, the firm's remaining money is in the hands of a court-appointed state receiver who is preparing for a lawsuit against the victim's bank to recover the stolen funds
For a complete running list of events, please visit the Event Tracker.
International Conference on Cyber Security (New York, New York, USA, Aug 5 - 8, 2013) The Federal Bureau of Investigation and Fordham University will host the fourth International Conference on Cyber Security (ICCS 2013) on August 5 - 8, 2013 in New York City. ICCS, the White Hat Summit, is an unparalleled opportunity for global leaders in cyber threat analysis, operations and law enforcement to coordinate their efforts to create a more secure world. With the number of cyber threats escalating worldwide, the need for comprehensive security analysis, assessment, and actions has never been greater. Join those working on the front-lines of secure cyber networks at ICCS for the opportunity to learn useful knowledge and share critical intelligence on issues shaping the future of cyber security.
3rd Annual Cyber Security Training Forum (Colorado Springs, Colorado, USA, Aug 6 - 7, 2013) The Information Systems Security Association (ISSA) - Colorado Springs Chapter and FBC, Inc. will once again host the 3rd Annual Cyber Security Training Forum (CSTF). Formerly known as the Cyber Security Training Conference, CSTF is set to convene from Tuesday August 6, 2013 to Wednesday, August 7, 2013 at the DoubleTree by Hilton, Colorado Springs, Colorado.CSTF 2013 will bring together cyber experts from the DoD, federal government, business, research, and academia to address: the latest DoD and government cyber policies, remediation strategies and best practices, the growing impact, and evolution, of cyber threats and how to continue to protect and defend the Global Information Grid (GIG), mobility strategies, cloud & virtualization advancements, and emerging technologies. This will be accomplished through a number of in-depth cyber sessions, hands on live demonstrations, the yearly cyber challenge and government and industry exhibits. Don't miss this educational, and cost effective, cyber event in Colorado Springs, CO..
AFCEA Tinker AFB Information Technology & Cyber Security Expo (Oklahoma City, Oklahoma, USA, Aug 8, 2013) Commercial vendors are invited to Tinker Air Force Base on Thursday, August 8th to exchange information and provide products demonstrations to the military and civilian personnel on base. IT and Information Assurance professionals from Tinker AFB are looking forward learning about the latest cyber security trends and best practices, networking with peers, and sharing remediation strategies.
AIAA Aviation 2013 (Los Angeles, California, USA, Aug 12 - 14, 2013) Leading cybersecurity experts will speak at AIAA AVIATION 2013, being held August 12-14 at the Hyatt Regency Century Plaza, Los Angeles, Calif. Hosted by the American Institute of Aeronautics and Astronautics, the conference will address the risk of the evolving cyber threats to the world's $2.2 trillion commercial aviation enterprise.
Security in Government (SIG) (Canberra, Australia, Aug 12 - 14, 2013) The 25th annual Security in Government (SIG) conference is to be held from 12-14 August 2013 at the National Convention Centre in Canberra. Assistant Director for the National Security Resilience Policy Division in the Attorney General's Department, Robyn Devin said the SIG conference attracted protective security professionals from both the public and private sector.
A Cloud Computing Introduction for Manager (Columbia, Maryland, Sioux Falls, Aug 13, 2013) Cloud computing is becoming popular. More and more Technical Managers and Project Managers will be interacting with cloud computing, either developing clouds, using clouds, or selecting among cloud and non-cloud alternatives to accomplish their projects. This talk provides a brief and basic introduction to cloud computing, what managers need to know about cloud computing, what are some of the myths, and what they need to ask about cloud computing from service providers. The presentation will include selected questions specific to managers associated with government projects and security risks of cloud computing. This non-technical presentation will help managers understand cloud basics and how to ask better questions when a cloud becomes part of your project. Dr. Patrick Allen of Johns Hopkins University Applied Physics Lab will be the presenter.
Resilience Week 201 (San Francisco, California, USA, Aug 13 - 15, 2013) 2013 Resilience Week brings together colleagues across government, academia and industry to facilitate an exchange of ideas dedicated to promising research in resilient systems that will protect cyber-physical infrastructures from unexpected and malicious threats - securing our way of life. Four different symposia will be offered: Resilient Control Systems, Resilient Cyber Systems, Resilient Cognitive Systems, and Resilient Communication Systems. Keynotes will be provided by numerous leading subject matter experts - from agencies including: NSA, DARPA, Sandia National Laboratory, and Office of the Assistant Secretary of Defense for Research and Engineering.
Kirtland AFB/Sandia/DOE Cyber Security Seminar & IT Expo (Albuquerque, New Mexico, USA, Aug 15, 2013) This expo is designed to stimulate exchanges of information between industry partners and Kirtland AFB Information Management Officers', Information Technology personnel, Contracting Officers' as well as end-users, developers, scientists, researchers and project managers in the areas of cyber security and information technology.
National SCADA Conference (Melbourne, Victoria, Australia, Aug 15 - 16, 2013) The 12th Annual National SCADA Conference, Australia's largest and longest running SCADA conference, will bring together many of the luminaries of the Australian and International SCADA community to evaluate and find solutions for the increasing demands of the SCADA environment. The theme for 2013 will be delivering intelligence and improved performance to SCADA networks. The SCADA conference program will deliver fantastic first-hand knowledge from leading international and local SCADA experts with a great mix of burning SCADA issues, case studies, security and real world implementations together with practical advice. The networking opportunities provided coupled with the largest SCADA exhibition in the Southern Hemisphere ensure the National SCADA Conference is a must attend event for Australia's and New Zealand's SCADA Communit.
First International Conference on Cyber-Physical Systems, Networks, and Application (Taipei, Taiwan, Aug 19 - 20, 2013) CPSNA 2013 will focus on core challenges of cyber-physical systems. Given a tight integration of computation and the physical world, cyber-physical systems must compose robust systems, networks, and applications built upon predictable, analyzable, and certifiable models and abstractions. CPSNA 2013 will serve as a forum to discuss new ideas for such core challenges of cyber-physical systems.
SANS Thailand 201 (Bangkok, Thailand, Aug 19 - 31, 2013) SANS hands-on advanced Information Security training is coming to Thailand this August! SANS is bringing our Web App Penetration Testing course to the Crowne Plaza Bangkok Lumpini Park in Bangkok, Thailand.
2013 Cyber Security Division Transition to Practice (TTP) Technology Demonstration for Investors, Integrators, and IT Companies (I3) — West (San Jose, California, USA, Aug 22, 2013) This event will feature eight innovative cybersecurity technologies that have been developed at the Department of Energy National Laboratories and have the potential to strengthen and organization's cybersecurity posture. During this event cybersecurity professionals and technology investors from private industry will learn about these new technologies through presentations, demonstrations, and discussions with the research teams that produced these technologies. In addition, attendees will have an opportunity to schedule a private one-on-one discussion with the Researcher to discuss opportunities for commercializing the technologies and areas of interest to drive further cybersecurity research. Registration closes August 12.
Defense Logistics Agency Tech Expo (Fort Belvoir, Virginia, USA, Aug 20, 2013) Industry exhibitors are invited to showcase and discuss the latest information services and technology to the personnel at the McNamara HQ Complex.
Human Cyber Forensics Forum (Washington, DC, USA, Aug 21, 2013) This forum brings together subject matter experts to discover and share new means of recognizing the human indicators related to cyber intrusions, and the evolution of these human indicators in the coming decades.