The CyberWire Daily Briefing for 1.23.2013
Distributed denial-of-service (DDOS) attacks affected about two-thirds of banks worldwide last year, a Ponemon study finds, with nearly half of them getting hit more than once. The banks find diminished employee productivity the attacks' worst consequence. Poor Internet hygiene is part of the problem: outdated and vulnerable Web apps, old content management systems, and poor security practices (like using "admin" as an administrative password) all enable DDOS campaigns.
Reporters Without Borders is the latest waterholing victim of Internet Explorer and Java vulnerabilities. (Waterholing is to cyber attack what affinity fraud is to financial scamming.)
We see more reports of increasingly powerful password-cracking tools. The US Department of Homeland Security's Industrial Control Systems-CERT warns that a brute-force tool effective against Siemens S7 programmable logic controllers had been demonstrated. Researchers embarrass Kim Dotcom's new venture, Mega, by using cracking tools against confirmation emails.
A Twitter flaw gives third-party applications access to users' direct messages. Skype is exploited to spread the Shylock banking Trojan. Patient records are again exposed to compromise by physical loss of a device, this time at Stanford University.
Cisco confirms a Linksys router vulnerability; they're working on a fix.
China may lead the world in cyber attack traffic, but Russia is the place to go for exploit kits. Microsoft R&D forsakes Korea for China. Huawei continues to work on its image.
After Dawson College expels a student white hat for exposing Omnivox vulnerabilities, Dawson and three other Quebec CEGEPs drop off the Internet internationally (but not in Canada).
Notes.
Today's issue includes events affecting Angola, Australia, Canada, China, Egypt, Germany, Republic of Korea, Russia, Sweden, Tunisia, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Two-Thirds of Banks Hit by DDoS Attacks in Past Twelve Months (Security Bistro) By now most everyone is aware of the Distributed Denial of Service (DDoS) attack campaign targeting nearly a dozen major U.S. banking websites since last fall, but many will be surprised to learn how big a problem DDoS attacks really are for the financial sector. A new study conducted by the Ponemon Institute on behalf of network security provider Corero has found that the majority of banks acknowledge they were subjected to denial of service attacks in the last year, while nearly half indicated they were targeted on more than one occasion. The study, which included 650 security practitioners from 351 banks around the world, reveals that 64% have been targeted by at least one DDoS attack in the last twelve months, while 48% reported being the subject of multiple attacks
DDoS: It's About Internet Insecurity - Why Aren't We Addressing the Core Problem? (Bank Information Security) Over the past few months, distributed-denial-of-service attacks on U.S. banks have garnered great attention. But what we've failed to address is the core problem: Internet insecurity, which enables attackers to wage massive attacks with botnets that continue to grow. I've spoken to many security experts about why DDoS attacks are so successful, and they echo what Mike Smith of Akamai Technologies, an Internet platform provider has to say: "It's an Internet health issue." Outdated and vulnerable versions of Web applications, such as WordPress and Joomla, as well as organizations' own content management systems, make it all too easy for attackers to compromise vulnerable websites and use them as launching pads for attacks aimed at U.S. banks
Reporters Without Borders website abused in malware campaign (CSO) The site was booby-trapped to deliver a backdoor to vulnerable computers using the latest Java vulnerabilities. The website for Reporters Without Borders was booby-trapped to deliver malicious software using the latest Java and Internet Explorer vulnerabilities, security vendor Avast said on Tuesday. Reporters Without Borders, based in Paris, is an international advocate for press freedom. Avast, which discovered the site had been tampered with, said the group's profile makes it "an ideal target."
ICS-CERT issues alert on offline brute-force password tool (Fierce Government IT) An offline brute-force password tool with proof-of-concept exploit code is targeting Siemens S7 programmable logic controllers, according to an alert from the Homeland Security Department's Industrial Control Systems-Cyber Emergency Response Team
SCADA Password-Cracking Tool For Siemens S7 PLCs Released (Dark Reading) Siemens says no bug involved so no patch needed, and is working on simplifying patching overall for its customers. A Russian security researcher has unleashed a brute-force password-cracking tool that can capture passwords for Siemens S7 programmable logic controllers (PLC), which run machinery in power plants and manufacturing sites
Cracking tool milks weakness to reveal some Mega passwords (Ars Technica) Yet another security researcher is poking holes in the security of Mega, this time by pointing out that the confirmation messages e-mailed to new users can in many cases be cracked to reveal their password and take over their Mega accounts. Steve "Sc00bz" Thomas, the researcher who uncovered the weakness, has released a program called MegaCracker that can extract passwords from the link contained in confirmation e-mails. Mega e-mails a link to all new users and requires that they click on it before they can use the cloud-based storage system, which boasts a long roster of encryption and security protections
Investigating clever scamming techniques and their evolution (Help Net Security) Christopher Boyd is a Senior Threat Researcher for GFI Software. Chris has been credited for finding the first instance of a rogue Web browser installing without permission, the first Twitter DIY botnet
Twitter bug gives 3rd-party apps access to users' Direct Messages (Help Net Security) A Twitter bug allowed third-party applications to access Direct Messages of users who signed in to the apps by using their Twitter account, reported IOActive researcher Cesar Cerrudo
Skype becomes a malware minefield (Help Net Security) Skype users should be careful when using the service these days. First CSIS researchers unearthed a campaign misusing Skype to replicate and spread the Shylock banking Trojan with a plugin called
City of Angels Camp Website Hacked and Defaced (Softpedia) The official website of the City of Angels Camp, California, (angelscamp.gov) has been hacked and defaced by a hacker who calls himself Dr. SHA6H, CWN reports. The site has been restored, but the incident once again shows that many US .gov sites still lack proper security measures
Medical Center Reports Stolen Laptop (Lucile Packard Children's Hospital) Lucile Packard Children's Hospital at Stanford and the Stanford University School of Medicine are notifying patients by mail that a password-protected laptop computer containing limited medical information on pediatric patients was stolen from a physician's car away from campus on the night of January 9, 2013. This incident was reported to Packard Children's and the School of Medicine on January 10. Immediately following discovery of the theft, Packard Children's and the School of Medicine launched an aggressive and ongoing investigation with security and law enforcement, and began contacting patients potentially affected
Anonymous Hackers Boycott Mega Services, Call Kim Dotcom a Snitch (Softpedia) The recently launched Mega service has caused a lot of controversy. The site is not working properly, some security issues have been identified and, even Anonymous hackers have turned their back on it, calling Kim Dotcom a snitch. One year ago, when US authorities took down Megaupload, the Anonymous movement was the first to protest
Security Patches, Mitigations, and Software Updates
PayPal Addresses Months-Old SQL Injection Vulnerability, Frozen Accounts (Threatpost) Researchers with Vulnerability Lab today announced mega payment processor PayPal has fixed a flaw on its site that allowed a remote user or a local user with low privileges to compromise a Web application using a blind SQL injection
Support for old Office formats ending soon for Google Docs users (FierceCIO: TechWatch) Support for older Office formats such as .doc, .xls and .ppt used in Office 97 to Office 2003 will be dropped at the end of January 2013 from Google (NASDAQ: GOOG) Docs. This reminder was posted in the Google Apps blog, which warned that users will no longer be able to export to the older file formats after the cut-off date. Instead, it will output the current Office formats, such as .docx, .xlsx and .pptx, which are based on XML
Cisco confirms flaw in Linksys WRT54GL wireless router (FierceCIO: TechWatch) Cisco has confirmed the presence of a security vulnerability in its Linksys WRT54GL Wi-Fi router, which a remote hacker can use to gain full access to the device. DefenseCode first reported the problem in a short announcement posted on the company blog, and noted that multiple Linksys models could have been affected
Cyber Trends
Spam levels plummet as industry takes aim at botnets (CSO) Levels now around 70 percent, Kaspersky says. Global spam levels continued to fall in 2012 and even the number of malicious attachments was on the wane, new figures from Kaspersky Lab have suggested. The fall is relative of course; even with an eight-point drop, spam still accounted for a staggering 72 percent of all email during the year, equivalent to tens of trillions of messages moving uselessly and malevolently across the Internet every year
Report: 70 percent Of Exploit Kits Out Of Russia (Dark Reading) Most vulnerabilities used in kits employ older exploits
One-Third of Cyber Attack Traffic Originates in China, Akamai Says (Bloomberg) China has been the top source of cyber-attack traffic since the last quarter of 2011, according to a study by Akamai. About one-third of the world's cyber attack traffic was traced back to China, according to a report by Akamai Technologies to be
Radware Releases Global Security Report - Reveals New Cyber Attack Methods (Daily Markets) In the face of an ever-evolving cyber security landscape, researchers at Radware (NASDAQ:RDWR), a leading provider of application delivery and application security solutions for virtual and cloud data centers, have identified a number of new attack
Are federal agency workers going rogue with personal devices? (CSO) Federal agencies continue to struggle with the question of whether to allow employees to use their personal smartphones and tablets at work under so-called bring-your-own-device (BYOD) policies, according to a survey out this month from the organization Telework Exchange. Out of the 314 federal employees who responded to the survey, 49% said they use their personal devices for work-related tasks, with 93% of these citing they use their own laptop, 64% saying they use their own smartphones and 19% using a personal tablet for work purposes. But while the federal government has made great strides over the years in settling policy and security-requirement issues related to personal laptops used for telework purposes, the same cannot be said for how federal agencies address the newer smartphones and tablets, the Telework Exchange points out. Although 55% of the federal employees who use smartphones or tablets for work bring their own, just 11% of them say their agency has an official BYOD policy at all
Social media made Arab Spring easier, says university article (Fierce Government IT) Social media made it easier for government opponents in Egypt and Tunisia to mobilize mass support during protests in late 2010 and 2011 that became known as the Arab Spring, says a paper spearheaded by Australian academics
Smartphones, tablets increase workers' productivity, survey finds (Fierce Mobile IT) Around 59 percent of knowledge workers said that the use of smartphones and tablets increases their productivity and 27 percent said that working remotely makes work easier, according to an online survey of knowledge workers by platform-as-a-service provider Eccentex
Larger enterprises taking to BYOD, says Good (Fierce Mobile IT) Larger enterprises are the most active in adopting and supporting BYOD, among customers surveyed by mobile device management firm Good Technology. Three quarters of larger enterprises supporting BYOD have 2,000 or more employees, while 46 percent have 10,000 employees or more. For the survey, Good polled 500 of its largest enterprise customers and received a 20 percent to 25 percent response rate
CIOs Clueless About Social? Maybe Not (InformationWeek) One survey does not prove CIOs underestimate the importance of social business. There might be other reasons social ranks low on CIO to-do lists
Marketplace
Why Africa may be the next big enterprise mobility market (Fierce Mobile IT) A number of African countries are investing heavily in 4G LTE networks, which is expected to fuel demand for enterprise mobility, according to a new report by ABI. In a recent example of Africa's rush to develop 4G, Swedish equipment maker Ericsson signed an agreement with Angolan mobile operator Unitel to roll out a 4G LTE network in that country. Under the agreement, Ericsson will design and implement the LTE network, as well as install cell sites
Military Officials Issue Orders To Cut Costs (Washington Post) Bracing for the possibility of steep congressionally mandated budget cuts, senior military officials have issued directives for fiscal retrenchment that include a 30 percent cut for Army base operations this year, personnel reductions and a halt to unnecessary fighter jet swoops during special events
Fed Pay Freeze Vote Postponed (Government Executive) The House will not consider a bill this week that extends the pay freeze for civilian government workers, allowing some time for federal employee advocates to continue their crusade against the measure
We Must Run Government IT Like A Startup (InformationWeek) Government 2.0 is about more than social media. It requires throwing out outdated processes and adopting new models of success
Cisco Futurists Plan For Internet Of Everything (InformationWeek) Cisco foresees connected devices, pervasive sensing and big data will drive need for data scientists to bring order to information overload
Chinese telecom giant Huawei tries on transparency for size to combat black sheep reputation (Quartz) China's Huawei is vying with Swedish equipment maker Ericsson for the title of largest telecom equipment vendor in the world. But one big drag on its ambitions is suspicion by governments in the US and elsewhere that its gear could be used for Chinese espionage, which has effectively blocked Huawei from some of the most lucrative markets
McAfee outlines the future of business security (Help Net Security) McAfee announced its strategy for building upon Security Connected, the framework in which security products and services work together to safeguard businesses with better protection from new types of
Confirmed: IBM is a creaky, old business (Quartz) International Business Machines (IBM) reported earnings today that beat analyst estimates, causing shares to rally more than 3.3% in after hours trading. Earnings, which had been declining for the last few quarters, were flat year-over-year when adjusted for currency discrepancies, as the company brought in $29.3 billion in the fourth quarter. Though investors have reacted positively to the report, they might want to do a reality check: nearly all of IBM's money-making software businesses are a decade old
Microsoft in Talks to Help Finance Dell Buyout (Wall Street Journal) Microsoft Corp. is in discussions about helping to finance a buyout of computer maker Dell Inc., according to a person familiar with the deal deliberations
Virtualization Giant VMware Partners With And Puts $30M Into Data Center Automation Company Puppet Labs (TechCrunch) Puppet Labs, a data center automation company, is announcing today that virtualization giant (and previous investor) VMware has invested $30 million in the company. This brings the company's total funding to $46 million. Puppet Labs' other investors include True Ventures, Cisco, Google Ventures, Kleiner Perkins Caufield & Byers, and Radar Partners. The company declined to reveal the valuation
Blue Cross acquires business intelligence firm Intelimedix (Fierce Big Data) Blue Health Intelligence, a company owned by the Blue Cross Blue Shield Association, has acquired a potential solution for reducing the payer versus provider animosity in health care through analytics. The solution is a company called Intelimedix
KippsDeSanto: CRGT's Guident Buy Shows Private Equity Activity In Govt Market (ExecutiveBiz) CRGT's buy of big data and business intelligence provider Guident is an indicator of increased activity among private equity investors within the government market , according to investment banking firm KippsDeSanto & Co
GE begins big data recruitment push in UK (Fierce Big Data) The job market in the United Kingdom is beginning to improve for software engineers and data scientists as General Electric looks to recruit hundreds from that market as part of a global push to add approximately 8,000 software engineering jobs, according to an article in V3.co.uk this week
Acentia Names Apptis Vet Simon Godwin Strategy, Solutions Lead (Govconwire) Acentia has appointed Simon Godwin, a former senior vice president at Apptis, to serve as senior director of strategy and solutions. Acentia said Godwin will report to Tom Woteki, chief architect of the strategy and solutions organization, and work with the company's business unit leaders on innovation, technical maturity and program growth. Woteki said Godwin
CTC Names Former Kodak Tech Head Vicki Barbur CTO (Govconwire) Concurrent Technologies Corp. has appointed two-decade research and development veteran Vicki Barbur senior vice president and chief technology officer, the company said Tuesday. Barbur, who holds a doctorate in physics from Imperial College at the University of London, will be responsible for setting the company's vision and strategy for its scientific and technical offerings
Former DHS director joins QinetiQ North America (Washington Business Journal) McLean-based QinetiQ North America has added Richard Burke to its team as director of strategic programs, the government services contractor announced. Burke will have responsibilities in the areas of cyber intelligence, agile software development, big data and mobility solutions. Prior to joining QNA, Burke served for eight years in a number of senior positions in the Department of Homeland Security, most recently as a director of the plans division within the Office of Operations Coordination and Planning
Products, Services, and Solutions
GE Boosts Cybersecurity Protections For Industrial Controls (Dark Reading) CAP Software Update, SecurityST Appliance protect industrial controls systems from cybersecurity threats
FIPS Validated Key Management Protects Encryption Keys (Dark Reading) Key management appliance provides certified, tamper-resistant protection for critical encryption keys
RIM Launches BlackBerry Enterprise Service 10 For Government & Corporate Clients (TechCrunch) Research In Motion just announced that BlackBerry Enterprise Service 10 (BES 10), a device management system, is now available for government agencies and corporate clients
Panda Security Wins Best eCommerce Software in Best Customer Experience (PR Newswire) Panda Security, The Cloud Security Company, today announced that it has won top honors in the Best Customer Experience Awards 2012 in the category of eCommerce Software. Sponsored by the Best
New nCircle security appliance cuts vulnerability scan time (Help Net Security) nCircle announced the Device Profiler 4000 (DP 4000), a high performance vulnerability scanning appliance designed to support vulnerability scanning requirements including web application and SCAP
GFI EventsManager now with active monitoring (Help Net Security) GFI Software announced that GFI EventsManager now includes the active network and server monitoring capabilities found in the NetworkServerMonitor solution
Vaultive Announces Availability Through the Rackspace Cloud Tools (Marketwire) Vaultive, a provider of cloud data encryption solutions designed to maintain the control, security and compliance of data processed by cloud-based services, has joined the Rackspace Cloud Tools program. Vaultive is now included in Rackspace's comprehensive catalog of innovative, third-party-developed applications that are compatible with The Rackspace Open Cloud
Fiberlink Listed on the CSA Security, Trust and Assurance Registry (DigitalJournal.com) Fiberlink, the leader in cloud-based solutions for…provider to be listed on the Cloud Security Alliance's (CSA) Security
Jive To Add Business Value To Social Platform (InformationWeek) Jive's spring update will add a host of new features to help enterprises use social tools to further business agenda
Oracle Offers Subscription Pricing For On-Premises IaaS (InformationWeek) Oracle will configure and charge monthly for familiar infrastructure-as-a-service appliances, rather than requiring a large upfront purchase
Sony unveils new 10-inch tablet (FierceCIO: TechWatch) Sony has just unveiled the Xperia Tablet Z, a 10.1-inch Android-based tablet equipped with a high-resolution (1920x1200) display
Analysis: Why Windows RT was doomed from the start (FierceCIO: TechWatch) Neil McAllister from The Register has written a thought-provoking critique about why the ARM-based Windows RT tablet from Microsoft (NASDAQ: MSFT) was "DOA" or dead on arrival. He alluded to the poor sales of Microsoft's flagship Surface tablet over the holiday season, which at an estimated one million, pale in comparison to the sales of Apple's (NASDAQ: AAPL) iPad
Technologies, Techniques, and Standards
Sometimes the best defense is deletion (CSO) Information Governance experts say that while storage costs are down, there's risk -- and cost -- associated with the growing 'data lake'
You Still Stink At Patching Databases (Dark Reading) Only about a fifth of organizations patch their databases within three months and that number's not likely to get better anytime soon, experts say
Taming Data Before It Escapes To The Wild (Dark Reading) As employees adopt cloud services, companies risk losing control of their data, with solutions running the gamut from basic to complex and expensive
Playing In The Sandbox Helps Teach Developers To Nix Vulns (Dark Reading) Using virtual environments, two start-up projects create different ways of showing, not telling, developers how and why to prevent bugs
Go Hack Yourself (Dark Reading) Penetration testing is only the first step of self-inspection--ask internal auditors to scrutinize IT practices beyond compliance to take risk management to the next level
Using Metasploit for Patch Sanity Checks (Internet Storm Center) Earlier last week a reader wrote in and asked us if the patch for MS13-008 [1] [2] had worked. To do a comprehensive patch validation could take a significant amount of time however there are a couple of things you can do to get a quick sanity check
Video: Data mining a mountain of vulnerabilities (Help Net Security) Every day, software developers around the world, from Bangalore to Silicon Valley, churn out millions of lines of insecure code. Veracode used static binary analysis on thousands of applications
How to spot APT attacks (Help Net Security) With the proliferation of Advanced Persistent Threats (APTs), it's paramount for those who are charged with defending the systems and networks of likely targets to know that these attackers often
Cloud security rebuttal: Don't rebuke the many for the sins of the few (CSO) Did CSOonline's 7 deadly sins of cloud computing story lack enlightenment? One well-respected cloud security figure -- Christopher Hoff, Chief Architect for Security at Juniper Networks -- tweeted a response to the story, saying "Reading stuff like this sucks my will to live." "You can't lose data that you don't have," the Westborough resident says
Linking Cyber, Physical Threat Data - Implementing Federal Information Sharing Strategy (Bank Information Security) Sharing information about physical and cyber threats needn't be segregated under the U.S. federal government's National Strategy for Information Sharing and Safeguarding, says Kshemendra Paul, who manages the implementation of the strategy. "Our stakeholders all of the time tell us 'We want an integrated view of the threat,'" says Paul, program manager for Information Sharing Environment, or ISE, in an interview with Information Security Media Group. "Something that goes on in the physical world may give you clues on what's going on in the cyber-world and vice versa. There is a nexus there, so that is why people want to look at it in an integrated way
CIO Council updates core competencies (Fierce Government IT) Chief information officers within federal agencies should be able to craft service level agreements with vendors, be knowledgeable about the advantages and disadvantages of cloud computing, assess what metrics best measure public participation in open government and be prepared to talk about how to handle having a private as well as an official social media account, says the CIO Council
4 Steps For Proactive Cybersecurity (InformationWeek) Tired of having malware punch you in the face? The time's not right to hit back, but here are moves to make now
Offensive Cybersecurity: Theory And Reality (InformationWeek) Can you -- and should you -- strike back at attackers? It's a complex question with ethical, legal, technical and practical considerations
3 Tips For Getting Started With Big Data (InformationWeek) Don't dive in head first, says Fed-focused data analytics and cloud provider
Design and Innovation
5 Kinds of Companies That Facebook's New Search Engine Could Crush (Wired Business) Facebook's Graph Search is supposed to turn the social network into one massive engine of discovery. That's good news for Facebook and its investors, but not so great for companies whose bread-and-butter is social interaction
White House Announces National Day Of Civic Hacking, Asks Americans To Solve Problems With Govt Data From NASA And More (TechCrunch) The White House wants you to hack for a better America. Today it announced the National Day Of Civic Hacking on June 1-2 where many government agencies will liberate data for citizens across the U.S. to use to build tech that helps their communities. 27 cities have planned events where hackers will have access to data from The Department of Labor, The Census Bureau, and even NASA's space stats
What Google Does Best Is A Stark Contrast To Apple, According To Larry Page (TechCrunch) Smartphones are the single-fastest-growing consumer electronics segment in the world, and Google and Apple are the most formidable players in the arena. iOS and Android together hold a vast majority of the global market, and both Apple and Google have their own hardware ventures (the iPhone/iPad and the Nexus tablet/smartphone family)
Will big data suppress or inspire the creative process? (Fierce Big Data) Who has the most to lose as the machine learning of big data overwhelms the world of advertising? It would seem the "creatives," whose artful insights into human nature created the industry, have the most to lose as their group demographics grow quaint and their intuitive fingers are lifted from the pulse of the market in favor of hardcore analysis. But wouldn't we all suffer a bit if creativity is supplanted by the black-and-white results of algorithmic outputs? One such creative says it doesn't have to be that way
Research and Development
Microsoft Korea Reportedly Shuts Down Its Seoul-Based R&D Unit (TechCrunch) Microsoft Korea will close its research and development unit by the end of next month, where its Asia R&D Center is based, reports Asiaone (h/t TNW). The company announced last year that its Asia-Pacific R&D Center will be headquartered in Beijing, which represents Microsoft's largest R&D investment outside of the U.S. The company plans to leverage the facility to develop
Academia
Update: Canadian Colleges Go Dark Following Expulsion of Whitehat (Security Ledger) The web sites of a number of Canadian General and Vocational Colleges were unreachable from IP addresses outside Canada on Tuesday, after news spread that Dawson College, in Montreal, expelled a student who uncovered and reported security holes in a web-based student portal used at the school. The web site for Dawson College, dawsoncollege.qc.ca
Dawson student accused of a cyber-attack offered job in IT security (CTV News) Hamed Al-Khabaz was expelled in November after being accused of launching a cyber-attack on the school's website. Al-Khabaz said he stumbled upon a breach in the Dawson College online portal that could have jeopardized the personal information of
Legislation, Policy, and Regulation
Report: Pervasive surveillance undermines trust in government (Fierce Government IT) Increases in surveillance can negatively impact the way individuals feel about government and even cause hostility among citizens normally not likely to commit crimes, says the U.K. government's Foresight project. Surveillance may cause individuals to act compliant, but historically, high levels of state surveillance have led many young citizens to become angry and subversive
Russian government wants to strengthen its cyber defense, what's new? (SecurityAffairs) Russian President Vladimir Putin is considered one of the political figures most attentive to developing a suitable cyber strategy to protect his country from cyber attacks. Putin has always understood the strategic importance of cyberspace; according to many experts he has consistently invested in the development of cyber capabilities, and foreign intelligence services are sure that he controls one of the most dangerous groups of hackers, employed in past years to persecute dissidents and to mount cyber attacks against political opponents. The recent revelation of the Red October cyber espionage campaign has alarmed governments all around the world, and Putin has ordered the authorities to raise the level of protection of government cyber assets against possible cyber attacks. Concerns increased after Kaspersky Lab disclosed that the global cyber espionage campaign had also infiltrated government and embassy computers across the former Soviet bloc
DDoS Attacks as Constitutional Problem: Germany's Experience (Cyveillance) A distributed denial of service (DDoS) attack targets a computer system's resources by flooding it with requests beyond its capacity in hopes of negatively impacting its functionality. Does society consider DDoS attacks a legitimate form of protest? When an anonymously posted petition appeared on the White House's We the People page and advocated the legalization of DDoS attacks, most commentators didn't look too kindly on the idea
US Rulemakers Set Sights on Bank Social Media Activities (Finextra) US supervisory agency the Federal Financial Institutions Examination Council (FFIEC) has issued proposed guidance on the application of consumer protection and compliance laws to bank social media programmes. The FFIEC says that each financial institution should have a risk management programme that allows it to identify, measure, monitor, and control the risks related to social media. It says increased risk can arise from poor due diligence, oversight, or control on the part of the financial institution and has laid down a set of governance principles for banks to follow
Three Facts of Data Security Legislation for the Cloud (CSO Magazine) The Cloud Security Alliance (CSA), which Hoff participates in, put together a cloud security guidance covering three major areas including architecting the
Gillard puts nation on cyber-attack alert (Sydney Morning Herald) Prime Minister Julia Gillard has warned that Australia is a prime target for malicious cyber attacks by hackers and nations. Launching the nation's first national security strategy on Wednesday in Canberra, Ms Gillard flagged the establishment of a new
Issa holds hearing on federal IT procurement (Fierce Government IT) The House Oversight and Government Reform Committee will hold a hearing Jan. 22 on federal information technology reform, with Federal Chief Information Officer Steven VanRoekel set to testify
VanRoekel: Current law sufficient to permit federal IT success (Fierce Government IT) Federal agencies don't necessarily need a new information technology reform law to become better in managing projects, said Federal Chief Information Officer Steven VanRoekel while testifying Jan. 22 before the House Oversight and Government Reform Committee
The White House says open data is something other agencies do (Fierce Government IT) Lies, damned lies, and statistics, goes the saying--and here's another one: data, open data, and transparency. My reason for saying so stems from a recent look FierceGovernmentIT took at the White House visitor logs of Steven VanRoekel, the Office of Management and Budget administrator for e-government and information technology--aka the federal chief information officer
Proposed bill would enable mobile phone users to delete app-collected data (Fierce Mobile IT) Proposed legislation in Congress would enable mobile phone users to direct mobile application developers to delete personal data already collected and to stop collecting personal information once the user stops using the application. The APPS Act, which has been proposed in the 113th Congress by Rep. Hank Johnson (D-Ga.), would also require app developers to provide notice of the terms and conditions governing data collection and storage, and require explicit consent from the user for that data collection and storage. Johnson has released a discussion draft of the legislation
New HIPAA rule falls short in protecting mobile patient information (Fierce Mobile Healthcare) With much fanfare, the U.S. Department of Health & Human Services announced the final omnibus rule for the Health Insurance Portability and Accountability Act of 1996 last week. Much has changed in the last decade and a half since HIPAA was passed into law, not the least of which is the use of mobile technology in healthcare
Privacy takes a hit in genetic databases (Fierce Big Data) It has often been said, at least on this page, that the big data future will depend a great deal on how well we protect privacy today. Well, privacy--and by association big data--took a big hit in the world of genetics this week, as another loophole was identified, this one potentially serious. It puts at risk the identities of people who contribute their DNA sequences to research projects. In reaction to a new study, the United States National Institute of General Medical Sciences, part of the National Institutes of Health, removed some data from public view. Nature magazine reported on the study published in Science this week by Yaniv Erlich, a human geneticist at the Whitehead Institute for Biomedical Research. It showed that identities were even more vulnerable than identified in research
Litigation, Investigation, and Law Enforcement
Chinese Government To Open Mediation Center For Online Piracy Disputes (TechCrunch) China's Ministry of Industry and Information Technology (MIIT) plans to establish a center that will deal with disputes over intellectual property (IP) and online copyright issues, reports Sina Tech (link via Google Translate
Revenge-porn website victims launch action against Texxxan and GoDaddy (Naked Security) Texxxan.com, GoDaddy ganged up on by revenge-porn website victims. Payback's a b*tch. For one website, that payback's being sought by 17 women claiming invasion of privacy and mental anguish. They want the site shuttered, and they want the lowlives to pay, even if it's just chump change that GoDaddy made from facilitating their humiliation
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
TED X Baltimore: Baltimore Rewired (Baltimore, Maryland, USA, Jan 25, 2013) At our TEDxBaltimore event, TEDTalks video and live speakers will combine to spark deep discussion and connection in a small group. The TED Conference provides general guidance for the TEDx program, but individual TEDx events, including ours, are self-organized.
Data Privacy Day (Various locations, Jan 28, 2013) The National Cyber Security Alliance (NCSA), a non-profit public-private partnership focused on helping all digital citizens stay safer and more secure online, and official coordinator of Data Privacy Day (DPD), is collaborating with many educational institutions, corporations, government and non-profit organizations across the world to make Data Privacy Day on January 28th a success. Data Privacy Day is an international day of awareness to educate everyone to respect privacy and safeguard personal information.
tmforum Big Data Analytics Summit (Amsterdam, Netherlands, Jan 29 - 30, 2012) Bringing together leading service providers, market analysts and all of the big names in Big Data, this forward-looking, education-packed two-day Summit combines keynote perspectives, case studies, debates, panels, interactive sessions and networking opportunities that maximize every participant's opportunity to network and generate ideas that can be implemented immediately.
North American ICS & SCADA Summit (Lake Buena Vista, Florida, USA, Feb 6 - 15, 2013) The Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. Along with government and research leaders, they are coming together to learn and discuss the newest and most challenging cyber security risks to control systems and the most effective defenses.
ATMiA US Conference 2013 (Scottsdale, Arizona, US, Feb 19 - 21, 2013) A conference devoted to the design of ATMs, and the future of the ATM industry.
Cybergamut Technical Tuesday: Cloud Security (, Jan 1, 1970) Dr. Susie Cole of Exceptional Software Strategies will discuss cloud security.
#BSidesBOS (Cambridge, Massachusetts, USA, Feb 23, 2013) Each BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening.
RSA USA 2013 (San Francisco, California, USA, Feb 25 - Mar 1, 2013) RSA Conference continually evolves program offerings to meet the ever-changing needs of our delegates in the dynamic infosec industry.
Nullcon Goa 2013 (Bogmallo Beach Resort, Goa, India, Feb 26 - Mar 2, 2013) An international information security conference that will feature speakers and training. Topics include security and politics, vulnerability elimination, Android hacking, SCADA and smart grid penetration testing, and more.
TechMentor Orlando 2013 (Orlando, Florida, USA, Mar 4 - 8, 2013) Celebrating 15 years of educational events for the IT community, TechMentor is returning to Orlando, Florida, March 4-8, for 5 days of information-packed sessions and workshops. Surrounded by your fellow IT professionals, you will receive immediately usable education that will keep you relevant in the workforce. TechMentor track topics include: Windows PowerShell and Automation; Cisco and Networking Infrastructure; Windows Server Management; Windows Client Management; Cloud and Virtualization; Identity, Access Management and Security; Performance Tuning and Troubleshooting; Mobility and BYOD; Messaging and Collaboration.
Business Insurance Risk Management Summit (New York City, New York, USA, Mar 5 - 6, 2013) The annual Risk Management Summit, now in its fourth year, provides attendees with focused insight via specific, timely general sessions and strategic, thought-provoking discussions with peers and industry leaders.
CanSecWest 2013 (Vancouver, British Columbia, Canada, Mar 6 - 8, 2013) CanSecWest, the world's most advanced conference focusing on applied digital security, is about bringing the industry luminaries together in a relaxed environment which promotes collaboration and social networking. The conference lasts for three days and features a single track of thought provoking presentations, each prepared by an experienced professional and talented educator who is at the cutting edge of his or her field. We give preference to new and innovative material, highlighting important, emergent technologies, techniques, or best industry practices. It will feature a bigger, enhanced Pwn2own.
e-Crime Congress 2013 (London, England, Mar 12 - 13, 2013) The e-Crime Congress is designed to meet the needs of key stakeholders and decision makers who are responsible for designing and coordinating information security and risk management strategy, safeguarding digital assets and sensitive information, protecting customers, defending against internal or external threats and responding to incidents.
CTIN Digital Forensics Conference (Seattle, Washington, USA, Mar 13 - 15, 2013) Speakers include experts and published authors in the field of digital forensics and cybersecurity. Topics include: Mobile Device Forensics, Internet Forensics, Physical Memory Analysis, Open Source Tools, Data Carving, Registry Forensics, Placing the Suspect Behind the Keyboard, Triage and Live Forensics CDs, and more.
IT Security Entrepreneurs' Forum (ITSEF 2013) (Palo Alto, California, USA, Mar 19 - 20, 2013) Supported by the U.S. Department of Homeland Security, Office of Science and Technology, ITSEF 2013 aims to connect the ecosystem of the entrepreneur: industry, government, and academia. The conference will advance innovation, lead change and build trusted global collaboration models between the public and private sectors to defeat Cybersecurity threats.
The Future of Cyber Security 2013 (London, England, UK, Mar 21, 2013) Cyber Security and the Citizen 2013 is a one-day conference and exhibition for senior decision-makers of central and local government organisations, NGOs and major private sector enterprises.
Cloud Connect Silicon Valley (Santa Clara, California, USA, Apr 2 - 5, 2013) Cloud Connect returns to Silicon Valley, April 2-5, 2013, for four days of lectures, panels, tutorials and roundtable discussions on a comprehensive selection of cloud topics taught by leading industry experts.
An Evening in Cyberspace: Supporting Tomorrow's Cybersecurity Leaders (National Harbor, Maryland, USA, Apr 6, 2013) UMUC is pleased to present An Evening in Cyberspace: Supporting Tomorrow's Cybersecurity Leaders. Join us for this special black-tie event to support the next generation of cybersecurity students. The evening will feature a reception, dinner, keynote and entertainment.
Cyber 1.3 (, Jan 1, 1970) Maj. Gen. Suzanne Vautrinot, USAF, commander, 24th Air Force, and commander, Air Force Network Operations, will discuss the global strategic implications that relate to the cyber domain at the Space Foundation national conference Cyber 1.3, to be held Monday, April 8th, at The Broadmoor Hotel in Colorado Springs, Colorado. Cyber 1.3 is a full-day conference that takes place immediately before the official opening of the 29th National Space Symposium. The conference includes a networking breakfast, a luncheon and concludes with a networking reception, co-sponsored by General Dynamics Advanced Information Systems. Government Executive Media Group is a Cyber 1.3 media co-sponsor.
INFILTRATE 2013 (Miami, Florida, USA, Apr 11 - 12, 2013) INFILTRATE is a deep technical conference that focuses entirely on offensive security issues. Researchers focused on the latest technical issues will demonstrate techniques that you cannot find elsewhere.
InfoSec World Conference & Expo 2013 (Orlando, Florida, USA, Apr 15 - 17, 2013) With the primary objective of providing top-notch education to all levels of information security and IT auditing professionals, InfoSec World delivers practical sessions that give you the tools to strengthen your security without restricting your business.
Infosec Southwest 2013 (Austin, Texas, USA, Apr 19 - 21, 2013) InfoSec Southwest is intended to be a general security and hacking conference with no specific industry or topical focus. As such, nearly all topics (other than vendor pitches) are fair game and the attending audience is expected to span all demographics.
Consumerization of IT in the Enterprise Conference and Expo (San Francisco, California, USA, Jun 2 - 4, 2013) From smartphones to mobile apps, social software and 4G networks, the wave of innovation in the consumer space is transforming the way companies do business, both inside and outside of the enterprise. Over two and a half action packed days, CITE 2013 will bring together IT and business executives, venture capitalists and other practitioners to showcase leading efforts and teach others how to make the most of this transformation.
25th Annual FIRST Conference (Bangkok, Thailand, Jun 16 - 21, 2013) The annual FIRST conference provides a setting for conference participants to attend a wide range of presentations delivered by leading experts in both the CSIRT field and from the global security community.
SECRYPT 2013 (Reykjavik, Iceland, Jul 29 - 31, 2013) The 10th International Conference on Security and Cryptography (SECRYPT 2013) will take place from 29 to 31 July 2013 in Reykjavik, Iceland… The conference will focus on information systems and network security, including applications within the scope of knowledge society in general and information systems development in particular, especially in the context of e-business, internet and global enterprises. It will bring together researchers, mathematicians, engineers and practitioners interested in security aspects related to information and communication.