The CyberWire Daily Briefing for 8.26.2013
A widespread denial-of-service attack on the .cn domain disrupted Internet service throughout China over the weekend. Investigation continues; it's not clear where the attack originated or who perpetrated it.
Sourcing Snowden, Der Spiegel reports that the US NSA compromised a United Nations teleconferencing system in the summer of 2012. The story appears to further damage US relations with Germany; it also highlights the vulnerability of teleconferencing systems to surveillance.
The Nasdaq stock exchange reopened this morning after last week's trading flash freeze. Nasdaq attributes its problems to internal data feed bugs and denies it was attacked. It indeed seems unlikely that Nasdaq sustained a denial-of-service attack (as several observers reflexively concluded Friday), but it's premature to dismiss the possibility of cyber attack.
Various cyber-riots continue from Israel to Pakistan. Azerbaijani hacktivists attack Armenian government sites. Anonymous continues #opGabon, and also seeks to embarrass the US FBI with new (small but irritating) exploits.
FireEye says the MoleRats are behind the PoisonIvy Trojan's current resurgence. (The Middle Eastern group may be trying to deflect suspicion by using a tool commonly associated with China.)
NIST issues medical device wireless security standards, and the market for device security sees new entrants. In other business news, analysts continue to predict surveillance fallout to affect US solution providers.
NSA's annus horribilis continues with petty but embarrassing "LoveInt" revelations. Administration investigative panels meet with skepticism. Senator Feinstein, hitherto an NSA defender, promises a major investigation when Congress reconvenes in two weeks. A Church Commission reprise seems likely.
Today's issue includes events affecting Armenia, Australia, Azerbaijan, Brazil, China, Gabon, Germany, India, Iran, Israel, Japan, Pakistan, Spain, United Arab Emirates, United Kingdom, United Nations, and United States..
Cyber Attacks, Threats, and Vulnerabilities
Major DDoS attacks .cn domain; disrupts Internet in China (ComputerWorld) It's still unclear where the DDoS attack originated from. China's Internet was hit with a major distributed denial of service (DDoS) attack Sunday morning that briefly disrupted and slowed access to sites in the .cn domain
UPDATE 1—U.S. spy agency bugged U.N. headquarters —Germany's Spiegel (Reuters) The U.S. National Security Agency has bugged the United Nations' New York headquarters, Germany's Der Spiegel weekly said on Sunday in a report on U.S. spying that could further strain relations between Washington and its allies
NSA "cracked" UN teleconferencing system — how safe is yours? (Naked Security) German investigative magazine Der Spiegel (The Mirror) has come up with yet another espionage-related allegation about the NSA
Nasdaq Three-Hour Halt Highlights Vulnerability in Market (Bloomberg) The interruption that froze half the U.S. stock market last week began with a routine notice. NYSE Arca is currently experiencing an issue processing customer messages on routed orders in Tape C symbol range 'TACT' through 'ZYY.C,'" read an alert for traders received by Bloomberg News at 10:17 a.m. on Aug. 22. "Will advise." The brevity of the message belied its significance. Computers at the world's biggest exchange operators were having difficulty communicating
Nasdaq CEO Defends Exchange After 'Flash Freeze' (Fox Business) Nasdaq CEO Robert Greifeld in an interview with FOX Business on Friday defended the all-electronic exchange's handling of the three-hour outage dubbed the "Flash Freeze," calling it an internal glitch and easing fears that it was triggered by some kind of cyber attack
Nasdaq Focuses on Pivotal 2 Minutes in Trading Halt (Wall Street Journal) The period foretold just how severe the market's problems were to get. Regulators and exchange officials trying to unravel the cause of last week's Nasdaq Stock Market NDAQ +0.26% failure are focusing on an apparently pivotal two-minute period that foretold just how severe the market's problems were about to get, according to people familiar with the discussions
Nasdaq Outage Explored: 7 Facts (InformationWeek) Security experts dismiss reports that DDoS attack compromised systems in New York City and crashed Nasdaq exchange. But squirrels have not been ruled out
Nasdaq outage: Last straw for retail investors (MSN Money) For many smaller players, the freeze has proved to them that they don't belong in the stock market. "Last straw." Those are the two words I heard everywhere I went this weekend. The Nasdaq outage was the last straw, as it's become clear that the machines have taken over and they simply can't be stopped. That attitude, plus the desire to see someone at the Nasdaq OMX (NDAQ +0.32%) take the fall for Facebook (FB +2.66%) and for this three-hour shutdown, was on one everybody's lips — my conversations tend to skew to the stock market when any event puts stocks back on the front page
Nasdaq technical glitch hits Apple, Facebook and Microsoft [share prices] (Computing) A technical glitch caused the Nasdaq stock market to freeze for three hours, potentially costing shareholders and listed companies millions of dollars. The likes of Apple, Facebook, Intel and Microsoft were all affected by the halt on trading at 12:14pm (EST), with trading partially resuming at 2:45pm (EST) and back online by 3:25pm
Famous Pro-Israeli Platform Israelforum.com hacked and defaced by MadLeets (Hack Read) Newly emerging Pakistani based MadLeets hacking group has been making news for a while now, this time a hacker going with the handle of Invectus has hacked and defaced well known pro-Israeli online forum
Several Armenian Government Ministries Websites Hacked by Azerbaijan hackers (Hack Read) An organization ran by Azerbaijani hackers known as ANTI-ARMENIA.ORG has hacked and defaced high profile Armenian government ministries websites earlier today. The hackers left their deface page showing messages, graphic images and Youtube videos against Armenian government on all hacked websites
Defense Contractor Electronic Corporation of India Hacked, sensitive data & conversations Leaked (Hack Read) Online hackavist Phr0zenMyst who is known for his high profile is back with another hack. This time the hacker has breached into the official website of Indian defense contractor Electronic Corporation of India (ECIL)
#OpGabon: Anonymous hacks, defaces Axa Insurance Group website against its support for Ali Bongo (Hack Read) The online hackavists from Anonymous group are taking #OpGabon to a new level as they have hacked and defaced the official website of a French global investment, retirement, and insurance group AXA (axa-gabon.com) against its support for Gabonese President Ali Bongo. The site was left with a deface page, a message and a YouTube video
MoleRats hackers resurface spreading Poison Ivy malware (V3) The hacking team behind the infamous MoleRats cyber campaign has resurfaced using an evolved version of the Poison Ivy Trojan, according to FireEye
University attaches spreadsheet containing personal data to emails (SC Magazine) Thousands of students are at risk after a spreadsheet containing their personal information was inadvertently attached to a campus-wide email sent out by the University of Mississippi Medical Center (UMC) Accounting Department
When authorities confiscate your electronics: The fate of David Miranda's computer and phone (ZDNet) Top security researchers and hackers on device spyhacks explain how UK police are hacking David Miranda's computer and phone, and what to do if it happens to you
Anonymous VS FBI: Retaliation, leaks data from FBI network, hacks Spanish government over corruption (Hack Read) FBI claims victory over the Anonymous group, this statement has come after a series of arrests from the anonymous group. According to FBI, the last year arrest of 5 members from Lulz security was vital for their command over the anonymous. All the 5 members were key parts of anonymous group and were a threat in the world of internet
Reports of Anonymous' demise are greatly exaggerated (The Inquirer) People representing Anonymous hacktivists have reacted angrily to claims by the US Federal Bureau of Investigation (FBI) that it has been dismantled
REPORT: Millions Of Android Users Vulnerable To Security Breaches (San Francisco Chronicle) Millions of Android smartphone users are susceptible to security vulnerabilities such as viruses and malware, according to an internal bulletin prepared by the Department of Homeland Security and the FBI
Hackers turn from emails to security in homes, cars (Toledo Blade) Danger grows as everday items connect to Internet. Imagine driving on the freeway at 60 mph and your car suddenly screeches to a halt, causing a pileup that injures dozens of people. Now imagine you had absolutely nothing to do with the accident because your car was taken over by hackers. Charlie Miller, a security researcher at Twitter, and Chris Valasek, director of security intelligence at IOActive, a security research company, recently demonstrated car hacks at the Black Hat and DefCon computer security conferences in Las Vegas. The researchers completely disabled a driver's ability to control a vehicle. No brakes. Distorted steering. All with a click of a button. While the demos were with hybrid cars, researchers warn that dozens of modern vehicles could be susceptible
Nearly One–Fifth Of Enterprise Operating Systems Not Fully Patched (Dark Reading) One in five IT professionals say they either have not fully patched their organizations' endpoint operating systems--or they aren't sure if the machines are up-to-date. A fully patched operating system is the "minimum bar" for any organization, says Matt Hathaway, senior product manager with Rapid7, which today released results of a survey of 600 IT pros on their enterprises' endpoint security practices. Some 83 percent say their endpoint OSes are fully patched
The Maginot Line (TechCrunch) I'm sorry to say that I have succumbed to something like schadenfreude. It's not that I really enjoy what is happening these days, what with institutions of the web shutting down, basic civil rights being ignored, and all the rest. It's just that it's all a little poetic
Your emails are all scanned—and that's what you agreed to (Phys.org) According to Nobel Laureate Gabriel García Márquez, "all human beings have three lives: public, private, and secret". It is in our nature to want privacy, yet in the internet age, it has never been easier to access the details of our private lives
Share less, Net users told as criminals prowl on Facebook (FreeNewsPos) With cybercrime on the rise, Malaysians should be more cautious about sharing intimate details of their lives on the Internet, an online security agency warned today
There are no winners in the blame game (Help Net Security) Every time a major security breach makes the headlines, a common reaction happens. Even before the details of the breach are known, the infosec world gets into a frenzy of speculation as to how the attack happened, who conducted it, and whether the attackers were skilled or not. Invariably the conversation focuses onto the company that is the victim of the attack, and it often tends to highlight how stupid, negligent or weak its security defenses were. In effect, we blame the victim for being attacked
Cyber crime: Easy money, lack of deterrents amid slow job market lure Indians into hacking services (The Economic Times) India is fast emerging as a talent hotspot for the global cyber-crime industry amid slow hiring in the traditional software industry, the lure of easy money, and lack of law enforcement, according to computer security experts
Look out for more cyber threats this year (AsiaOne) Phishing has a great impact on cyber threats in the Asia Pacific region - Danny Siew, Trend Micro's Senior Director of Technical Support for APAC said that
Data breach interactive chart shows major increase in security flaws (VentureBeat) If you didn't believe us that hackers have been keeping themselves really busy in the last few years, this interactive graphic might just be the visual proof you need
Mobile security management market to double by 2015 (FierceMobileIT) The mobile security management market segment is forecast by ABI Research to reach the $1 billion mark by 2015, almost twice the amount expected this year
Army network modernization efforts don't capitalize on testing, says GAO (FierceGovIT) "The Army has not yet tapped into the potential to use the NIE to gain insight into the effectiveness and performance of the overall tactical network," finds the Government Accountability Office in an Aug. 22 report.For example, some technology that tested poorly in the development stage was pushed through to operational testing with similarly poor results. Now, Army plans to buy and field the systems, says GAO
Should Software Testing Be Military? (IDGConnect) Software bugs cost the global economy an average of $312 billion a year. Yet there is a virtually ignored unemployed population of systematic, methodical, hard-working, team spirited individuals out there desperate to progress in careers. Perhaps marrying the great swathes of jobless ex-military with the need for rigorous global software testing could achieve an extremely socially responsible and lucrative system
US uses foreign companies for cyber defense (Washington Times) Trusteer, an Israel company, currently serves as the main cyber security provider to 7 of the top ten American banks and nine of the top ten UK firms
DHS kicks off $6B cyber program (Federal Times) John Streufert, director of the National Cyber Security Division at the Department of Homeland Security, is helping guide a massive DHS effort to standardize
ManTech to Compete for $6 Billion in Homeland Security Work (Daily Finance) ManTech International will be taking part in a Department of Homeland Security contract worth up to $6 billion, the Fairfax, Va.-based defense contractor announced Friday
KCG Holds Spot on $6B DHS Cybersecurity Contract (GovConWire) Knowledge Consulting Group has won a spot on the Department of Homeland Security's $6 billion contract meant to provide government agencies with information technology services they can utilize to bolster cybersecurity
HP to Compete on $6B DHS Cybersecurity BPA (GovConExecutive) Hewlett Packard holds a position on a potential $6 billion blanket purchase agreement to provide tools and services for the Department of Homeland Security's cyber defense program
5 Companies That Came To Win This Week (CRN) This week's roundup of companies that came to win include Lenovo ramping up notebook production, Dell winning a storage battle and Yahoo besting Google in U.S. Web traffic (for a month at least). Also, executive moves at HP has the channel optimistic and Intelisys unveiled a new partner program at UBM Channel's XChange event
FDA's guidance for wireless devices sparks business opportunity (FierceMedicalDevices) Barely a week after the FDA issued its final guidance on wireless devices, some already see a small-business opportunity in trying to help device companies navigate the new rules. Global Technology Resources, a Colorado IT operation focused on areas including Big Data, mobile software and system security, said it will partner with healthcare/medical device consultancy Integra Systems in Nevada to help device companies interpret the new requirements and adjust their regulatory submission strategies accordingly
Security firm makes health IT push (Healthcare IT News) As part of this expansion, NJVC has released a three-part series of white papers for healthcare executives on cyber security to help them learn about the breadth
Next Microsoft CEO faces rocky road in easing NSA-fueled privacy worries (CSO) Ballmer's replacement will have to build trust overseas, especially after report Germany advised to not use Windows 8 because of backdoor
U.S. Surveillance Fallout Costing Third–Party Providers (Dark Reading) E-mail encryption provider Lavabit shuts down, Silent Circle shutters its own service, and analysts are forecasting tens of billions of lost revenue for cloud and service providers
Podcast: Made In China, Secured In The U.S. (Security Ledger) We've written a lot about the threat posed by nation-state sponsored hackers to U.S. corporations and the economy. So-called "advanced persistent threat" (or APT) style attacks against corporate and government networks have been linked to the theft of sensitive data and intellectual property
Products, Services, and Solutions
Yahoo Releases Recycled Usernames To Those Who Sent In Requests, Lets You Stalk Your Own For $1.99 (TechCrunch) Today, Yahoo will begin notifying those who requested a particular user ID through the company's newly expanded pool of usernames if their choice has been granted. In case you missed it the first time around: earlier this summer, Yahoo announced it would re-open access to unused Yahoo IDs, and the email addresses associated with them. The plans that were initially met with a bit of controversy
Did you know Twitter shadows every click you make? (Alexander Hanff) So today I was working on some code for a new web site I am about to launch for one of my privacy projects. I wanted a way to be able to log some statistics about my site visitors without retaining any information which might be considered as private, identifying or could be used to track them; these statistics are important for attracting sponsors. As a rule, I always disable logging everything apart from the date/time, requested page and result (whether or not the page was retrieved successfully) in Apache's access log - but this is a little cumbersome to navigate and create meaningful information from. So I decided I wanted to save some statistical data to a database which I can then access and display in a number of useful ways such as tables & charts. I also wanted to know where my users are coming from without retaining their IP address - so I installed a module for Apache called GeoIP which allows me to see which country a visitor is coming from based on their IP address, without actually having to store their IP address
Kaspersky blocks zero–day attacks (IT–Online) Kaspersky Internet Security 2013 for home users delivered a 100% success rate in blocking zero-day threats during a two-month security test
Fingerprint algorithm for Android devices (Help Net Security) Precise Biometrics AB has launched a new software product designed and optimized for embedding fingerprint verification on smartphones and tablets. Precise BioMatch Mobile supports Android, and in
CyanogenMod announces secure phone locating, remote wiping service (Help Net Security) The CyanogenMod team has announced a new service that allows users to locate their lost phones or securely wipe their device (including the contents of the SD card) in case it gets stolen
Box.com forges new cloud security model (ComputerWeekly) The time has come for service providers and consumers to move to a security model better suited to the cloud computing era, says cloud-based content management and collaboration firm Box.com
In surveillance era, clever trick enhances secrecy of iPhone text messages (Ars Technica) "Perfect forward secrecy" comes to iOS and gets a boost on Android. A security researcher has developed a technique that could significantly improve the secrecy of text messages sent in near real time on iPhones. The technique, which will debut in September in an iOS app called TextSecure, will also be folded into a currently available Android app by the same name
Bitdefender launches new Antivirus solution for Mac (HEXUS) Bitdefender®, the award-winning provider of innovative antivirus solutions, has launched a new security solution to enhance protection for Mac users worldwide
What Is Medium? (The Atlantic) The site from Twitter's co-founders is one year old, and still mysterious
Amazon spaffs MYSTERY private Wi–Fi waves all over Apple's orchard (The Register) Web bazaar taunts Cupertino with secret radio tests. Amazon has been testing its own radio network, seeing if Globalstar's private Wi-Fi technology fits the Amazon business model, and if customers would pay for better wireless networking
Technologies, Techniques, and Standards
Top Five Hacker Tools Every CISO Should Understand (Tripwire) As the role of the CISO continues to evolve within organizations towards that of an executive level position, we see a growing emphasis on traditional business administration skills over the more technical skills that previously defined the top security leadership job. Nonetheless, CISOs need to keep abreast of the latest down-in-the-weeds tools and technologies that can benefit their organization's security posture, as well as those tools that are widely available which could be misused by malicious actors to identify and exploit network security weaknesses
NIST proposes supply chain control overlay (FierceGovIT) A new proposed cybersecurity control overlay from the National Institute of Standards and Technology for federal agency supply chain risk management would add a new family of controls that would at minimum require tracking systems or components as they wind their way through the supply chain
Download me II—Removing the remnants of the Web's most dangerous search terms (Ars Technica) According to McAfee's 2008 The Web's Most Dangerous Search Terms, "free" fell into the highest search term risk category. And my previous search for free stuff on the Internet ended ugly. What did I do? I searched for free things, clicked the top links, and initiated the first download on each page. This—no surprise—led me to download a bunch of adware and malware, what McAfee coined as Potentially Unwanted Programs (PUPs). For instance, a search for "free music downloads" (the worst search query from round one) left my desktop littered with them. From my download notes and desktop count, I went from three to 19 programs while adding six Firefox plugins and 12 extensions that made my browser a cluttered array of toolbars and icons. My computer was dogged with PUPs—point proven. Now this was my mess to clean up. Could I do anything to fix my computer, and was it even worth it
When does your browser send a "Referer" header (or not)? (Internet Storm Center) The "Referer" header is frequently considered a privacy concern. Your browser will let a site know which site it visited last. If the site was coded carelessly, your browser may communicate sensitive information (session tokens, usernames/passwords and other input sent as part of the URL). For example, Referer headers frequently expose internal systems (like webmail systems) or customer service portals. There are however a few simple tricks you can apply to your website to prevent the Referer header from being sent
Can Your Antivirus Handle a Zero-Day Malware Attack? (SecurityWatch) Testing signature-based antivirus protection is a snap. You gather hundreds or thousands of known malware samples, run a scan, and note how many your antivirus product detected. However, for a brand-new, zero-day virus (or other type of malware) there's necessarily no signature available. Testing protection against zero-day threats is tough, but the researchers at AV-Comparatives have worked out a technique that satisfies them. Note, though, that not all antivirus vendors approve of this particular test; quite a few opted out of the latest edition, the results of which have just been released
Creating your first cloud policy (Australian Techworld) Finally, look to what other organizations have published and what standards bodies like the Cloud Security Alliance (CSA), National Institute of Standards and
How encryption and tokenization help with cloud services adoption (Help Net Security) Today's CIOs and CISOs are facing continued pressure to adopt the cloud enterprise-wide while managing the increasing operational and security risks associated with it. While the challenge can be
BYOD, cloud transform endpoint security (ITWeb Security) Although for many years endpoint security solutions were targeted at desktop PCs and servers, the explosion of bring your own device (BYOD) and cloud computing has changed the notion of the endpoint and has shifted the focus from protecting devices to protecting the data itself
Design and Innovation
Tech vendors dominate upper echelons of Forbes' innovation list (CRN) Salesforce, Apple, SAP and Citrix among those that made it into list of top 100 most innovative firms in the world
Research and Development
Don't Blink! Eyes Provide Long–Term Identifications (SIGNAL Magazine) Iris scans are a legitimate form of biometric identification over the long term, a new study from the National Institute of Standards and Technology confirms
Next version of the web will have resistance to surveillance at its core (Naked Security) Did you know that yesterday, 23 August 2013, was the World Wide Web's birthday? It is 22 years and one day since the official Internaut Day - the day when Sir Tim Berners-Lee opened up the web to new users and kicked off a global communications revolution
Is That Quantum Computer for Real? There May Finally Be a Test (Wired) In early May, news reports gushed that a quantum computation device had for the first time outperformed classical computers, solving certain problems thousands of times faster. The media coverage sent ripples of excitement through the technology community. A full-on quantum computer, if ever built, would revolutionize large swaths of computer science, running many algorithms dramatically faster, including one that could crack most encryption protocols in use today
Feds spending over $5.1M on facial recognition surveillance program (Ars Technica) Meet DHS' "Biometric Optical Surveillance System," or BOSS. If you thought that license plate readers were fun, just wait until facial recognition gets better. Recall, facial recognition technology famously failed to catch the two Boston bombing suspects earlier this year, and it remains difficult to actually pull off quickly, accurately, and at a distance
Legislation, Policy, and Regulation
Iran's Cyber War: Hackers In Service Of The Regime; IRGC Claims Iran Can Hack Enemy's Advanced Weapons Systems; Iranian Army Official: 'The Cyber Arena Is Actually The Arena Of The Hidden Imam' (MEMRI) The Iranian regime views the cyber arena as an active warzone with the U.S. and its allies, and in recent years has invested substantial efforts in it, for both psychological warfare and physical sabotage of Western infrastructure. The cyber arena is also used by the regime as a tool for spreading its ideology, by exporting the Islamic Revolution and by preparing for the arrival of the Hidden Imam (the Shi'ite messiah)
Defense Posture Review Interim Report (Government of Japan (h/t Team Cymru)) Japan releases national cyber security strategy
Surveillance Revelations Shake U.S.–German Ties (New York Times) Continuing revelations, based on documents leaked by Edward J. Snowden, of sweeping American digital surveillance around the world are rattling the close ties between the United States and Germany
Sen. Dianne Feinstein to pry into spy activity (My Desert) Sen. Dianne Feinstein, a staunch defender of President Barack Obama's surveillance programs, plans to take a critical look at the government's intelligence-gathering activities after Congress returns Sept. 9 from its month-long break. The California Democrat, chairwoman of the Senate Intelligence Committee, has announced plans for a series of hearings to conduct a "major review of all intelligence data-collection programs involving Americans." "This will be the primary order of business for the committee this fall and will be used to develop proposals to increase transparency and improve privacy protections for these vital national security programs," Feinstein said in a recent statement. Critics doubt that the hearings will prompt Congress to end or limit domestic spying
The NSA is losing the benefit of the doubt (Washington Post) He cited a 2009 finding that the court's approval of the National Security Agency's telephone records program was premised on "a flawed depiction" of how the
Oversight board urges national security agencies to update surveillance guidelines (Times Colonist) An independent oversight board reviewing secret U.S. government surveillance programs warned the Obama administration that national security agencies' rules governing surveillance are outdated and need to be revised to reflect rapid advances in technology
NSA analysts deliberately broke rules to spy on Americans, agency reveals (The Guardian) Inspector general's admission undermines fresh insistences from president that breaches of privacy rules were inadvertent. US intelligence analysts have deliberately broken rules designed to prevent them from spying on Americans, according to an admission by the National Security Agency that undermines fresh insistences from Barack Obama on Friday that all breaches were inadvertent
Obama: Team has to build confidence in NSA (USA Today) President Obama says he understands people's concerns about National Security Agency surveillance programs, but privacy protections are working and being improved
Obama: NSA revelations show 'oversight worked' (CNN) President Barack Obama said he believes the latest revelation that the National Security Agency inadvertently collected emails of some Americans shows "all these safeguards, checks, audits, oversight worked."ent
A little more light (The Economist) IN JULY 2012, nearly a year before Edward Snowden escaped to Hong Kong with their secrets, America's spies made a brief and tantalising confession. Under pressure from Ron Wyden, a senator from Oregon, the country's spymaster admitted that the panel of judges that supervises the spooks had "on at least one occasion" halted a surveillance programme on the grounds that it was unconstitutional. Since then the government has battled a lawsuit brought by the Electronic Frontier Foundation, a lobby group, demanding it declassify the court's decision
Three Illusory "Investigations" of the NSA Spying Are Unable to Succeed (Electronic Frontier Foundation) Since the revelations of confirmed National Security Agency spying in June, three different "investigations" have been announced. One by the Privacy and Civil Liberties Oversight Board (PCLOB), another by the Director of National Intelligence, Gen. James Clapper, and the third by the Senate Intelligence Committee, formally called the Senate Select Committee on Intelligence (SSCI)
NSA Paid Tech Companies Millions For Prism (InformationWeek) Leaked documents show taxpayer cost of involving Google, Microsoft and other tech companies in Prism digital dragnet. Who paid the cost of giving the National Security Agency direct access to the systems of nine technology companies, including Facebook, Google, Microsoft and Yahoo? The answer arrived Friday: U.S. taxpayers
U.S. spy agency edges into the light after Snowden revelations (Reuters) There was a time when the U.S. National Security Agency was so secretive that government officials dared not speak its name in public. NSA, the joke went, stood for "No Such Agency." That same agency this month held an on-the-record conference call with reporters, issued a lengthy press release to rebut a newspaper story, and posted documents on a newly launched open website
Litigation, Investigation, and Law Enforcement
UK's Guardian teams up with New York Times over spy files (Times of India) Britain's Guardian newspaper, behind the recent revelations by whistleblower Edward Snowden, has partnered with the US' New York Times for more coverage over the surveillance expose
Snowden suspected of bypassing electronic logs (Anchorage Daily News) The U.S. government's efforts to determine which highly classified materials leaker Edward Snowden took from the National Security Agency have been frustrated by Snowden's sophisticated efforts to cover his digital trail by deleting or bypassing electronic logs, government officials told The Associated Press. Such logs would have showed what information Snowden viewed or downloaded
NSA Analysts Intentionally Abused Spying Powers Multiple Times (Bloomberg) Some National Security Agency analysts deliberately ignored restrictions on their authority to spy on Americans multiple times in the past decade, contradicting Obama administration officials' and lawmakers' statements that no willful violations occurred
In our opinion: Permission, please (Deseret News) On one hand, it should come as little surprise that the National Security Agency secretly cast a broad net over Salt Lake City to intercept private electronic communications during the 2002 Winter Olympic Games. On the other hand, the nature of the surveillance only adds to concerns the NSA has too often leaped past the boundaries of legal propriety in its efforts to thwart terrorism
NSA Admits To Rare Willful Surveillance Violations; Some Employees Spied On Love Interests (International Business Times) The National Security Agency, or NSA, on Friday, admitted to some instances over the last decade when its officials deliberately exceeded the NSA's surveillance authority. "Very rare instances of willful violations of NSA's authorities have been found," the NSA said in a statement, according to the Associated Press
Love, Redactually: Romantic comedies of the National Security Agency (San Jose Mercury News) What would you do if you could eavesdrop on Americans' online communications? For at least a handful of employees of the National Security Agency, you might use it to read up on your potential romantic interests. In a disturbing practice known as LOVEINT – short for love intelligence, just as HUMINT stands for human intelligence – a few analysts at the spy agency have abused their access to the agency's powerful online databases
The Best #NSAPickupLines Ever (TakePart) Mocking the agency's abuse of power becomes a sport for thousands on Twitter
How might the feds have snooped on Lavabit? (Ars Technica) Founder no longer thinks his encrypted e-mail service can withstand secret court orders. In 2004, a 22-year-old technology enthusiast named Ladar Levison hatched a venture that fused his passion for open-source software with his belief that privacy was a fundamental right. Using the OpenSSL cryptography library, the Linux-based operating system, and close to 10,000 programming hours, he built what ultimately became Lavabit, an e-mail service that, when used correctly, made it impossible for even him to read the encrypted messages stored on his servers
What Snowden and Manning Don't Understand About Secrecy (The Atlantic) Government often finds bad reasons to keep information hidden, but the recent indiscriminate leaks are foolish. As an old reporter who has from time to time outed classified information, I have watched the cases of Bradley Manning and Edward Snowden with professional interest
Police probe email hacking claims by Yes Scotland campaigners (The Courier) Attempts have been made to "compromise" multiple email accounts at campaign group Yes Scotland since a police investigation into hacking was launched, sources have claimed
Cyber attack lasted months (Sunday Times) Email accounts linked to the Yes Scotland campaign have been hacked for several months, sources close to an investigation into unauthorised access believe. Thousands of emails are thought to have been vulnerable during the cyber attack which continued until late on Wednesday evening, after the campaign team thought their system was again secure
Beware: Internet gang using explicit videos to lure UAE victims (Emirates 24/7) Victims blackmailed to avoid having their videos published on the web: Abu Dhabi police. The Abu Dhabi Police have exposed an international gang that uses clips and scenes from archived sexual videos and a female voice-over to lure male victims in front of webcams and record them while they participate in indecent behaviour
For a complete running list of events, please visit the Event Tracker.
4th Annual Cybersecurity Summit (Washington, DC, USA, Sep 25, 2013) GEN Keith Alexander, Commander of U.S. Cyber Command, Director of the NSA/Chief, Central Security Service and Dr. Pat Gallagher, Director, NIST are among the distinguished speakers confirmed to keynote at the 4th Annual Cybersecurity Summit on September 25, 2013 at the National Press Club in Washington, D.C.Michael Daniel, White House Cybersecurity Advisor, and Gen. Keith Alexander, Commander U.S. Cyber Command, and Director, NSA, are confirmed to keynote. Cybersecurity topics to be addressed include: the White House Cybersecurity Executive Order, the Cybersecurity Framework and New Emerging Standards for Critical Infrastructure, information sharing, mobile security and BYOD, legislative developments in cybersecurity, big data and cloud cybersecurity, continuous monitoring, cyber situational awareness, and the JIE rollout active defense and cyber warfare. Organized by Billington CyberSecurity™.
SANS Thailand 201 (Bangkok, Thailand, Aug 19 - 31, 2013) SANS hands-on advanced Information Security training is coming to Thailand this August! SANS is bringing our Web App Penetration Testing course to the Crowne Plaza Bangkok Lumpini Park in Bangkok, Thailand.
TechCrunch Disrupt San Francisco (San Francisco, California, Sep 7 - 11, 2013) For the fourth year in a row, TechCrunch Disrupt will take over the San Francisco Design Center Concourse, and we're bringing the hottest startups and best minds in the industry with us. Block off September 7-11 on your calendar, because you're not going to want to miss Disrupt SF 2013. The Hackathon kicks everything off, followed by our main event, which starts every morning with panels of special speakers and guests, one-on-one chats featuring TechCrunch writers and editors, special guest speakers and judges, leading venture capitalists and fascinating entrepreneurs addressing the most important topics facing today's tech landscape. In the afternoons, the Startup Battlefield presentations begin, with the final presentations held on the last day of Disrupt.
SANS CyberCon Fall 2013 (Online, Sep 9 - 14, 2013) With sequestration still in place, organizations are finding themselves with training budgets, but drastically reduced travel budgets. This one-of-a-kind online training event brings SANS' top instructors teaching SANS' top courses to those who can't travel.
15th Annual AT&T Cyber Security Conference (New York, New York, USA, Sep 10, 2013) The AT&T Cyber Security Conference is an annual day-long conference offered by the AT&T Chief Security Office. Combining the expertise of its security experts, the scale and reliability of its global IP network and the innovation of AT&T Labs, AT&T is giving businesses some of the most powerful weapons available today in their battle against cyber security attacks. The conference showcases AT&T's leadership in helping businesses, large and small, manage the increasingly complex and critically important security of their IT networks and assets.
International Common Criteria Conference (Orlando, Florida, USA, Sep 10 - 11, 2013) FBC invites you to participate in the International Common Criteria Conference (ICCC) taking place in Orlando, Florida. This is the first time since 2000 that the ICCC is taking place in the U.S. The ICCC has become the main marketing and meeting opportunity for all those involved in the specification, development, evaluation, and validation or certification of IT security.
GrrCon (Grand Rapids, Michigan, USA, Sep 12 - 13, 2013) Says IT World, "Another hacker conference, this time in Michigan. The schedule looks to be bawdy, brash and anything but dull, with hackers promising to "pwn" you before you leave town. There are also sessions on penetration testing tools and mobile hacking methods."
cybergamut Technical Tuesday: Malware Analysis for the Masses (Columbia, Maryland, USA, Sep 17, 2013) With malware becoming more prevalent, and the pool of capable reversers falling short of overall need, there is a greater need to provide quick and efficient malware analysis for network defense. With modern technology and tools, it's now possible for junior security analysts to gather detailed malware indicators to craft defense and alert signatures. More enticing, all of this can be done with free tools and applications, some written by this presenter.
Shaping the Future of Cybersecurity Education Workshop (Gaithersburg, Maryland, USA, Sep 17 - 19, 2013) The third annual Shaping the Future of Cybersecurity Education Workshop will be held at the National Institute of Standards and Technology (NIST) in Gaithersburg, MD and focus on "Navigating the National Cybersecurity Education Interstate Highway".
NovaSec! (McLean, Virginia, USA, Jun 13, 2013) NovaSec! is Northern Virginia's largest Cybersecurity and physical security networking event of the year. We are bringing together security professionals from commercial and government organizations with members of local Northern Virginia businesses and associations to allow participants to meet, interact on key issues and provide a unified forum to network with likeminded individual.
Strange Loop (, Jan 1, 1970) Meet us in St. Louis, Sept 18-20th, 2013, to make connections with the creators and users of the languages, libraries, tools, and techniques at the forefront of the industry. Find out where we're going…and where we're not. Topics include emerging languages, concurrent and distributed systems, new database technologies, front-end web, and mobile.
ISSA Cyber Security Forum at Ft Belvoir (Fort Belvoir, Virginia, USA, Sep 19, 2013) This event will allow personnel from Fort Belvoir the chance to learn about the latest cyber security trends, network with peers, discuss Army best practices and to view and demo some of the latest cyber security and information technology products/services available today. This is an excellent opportunity for exhibitors to network with key decision makers, cyber, technology, communications and contracting personnel from various commands and tenant units at Fort Belvoir.
CISO Executive Summit (Atlanta, Georgia, USA, Sep 19 - 20, 2013) Be on the forefront of a new global initiative where today's world-class leaders in information security will gather to navigate through international waters. Join these leaders as they follow the wind of change that is sweeping through the IS community motivating today's information guardians to develop a new way of thinking to ensure success in protecting their respective organizations. (At Hacker Halted USA.)
2013 Cyber Security Summit (New York, New York, USA, Sep 25, 2013) The 2013 Cyber Security Summit connects executives responsible for protecting their company's critical infrastructure with innovative product, service and solution providers. The one day event, to be held September 25th at the Hilton in New York City, will showcase the latest tools and resources available to defend against cyber crime on both corporate and government levels. Keynote addresses and interactive panel discussions lead by notable security experts will highlight strategic priorities, risk factors, threats and provide inspirational guidance to prepare and protect from attacks.