The CyberWire Daily Briefing for 8.27.2013
Weekend disruptions to China's Internet have ceased, but no one appears to have any idea of who committed the successful denial-of-service attack. No one who's talking, at any rate: journalists complain the story's being censored.
Dell SecureWorks warns that hacktivists are showing greater variety in their attacks. Palestinian hacktivists use a domain registry attack against Google, and Anonymous (despite braggadocio still sluggish) has significantly increased Pastebin membership.
Researchers attack the Dropbox client, demonstrating that well-obfuscated Python applications can indeed be reverse-engineered.
The Register calls Poison Ivy the AK-47 of remote-access Trojans, useful to state espionage services and script kiddies alike.
Russia continues to serve as a leading hacker talent pool, and Brazil's cyber security fails to keep pace with the country's growing importance to the global economy.
No fresh news on last week's Nasdaq flash freeze, which may or may not have been caused by an attack, but the episode seems to have inflicted significant reputational damage.
Cyber legal talent, like its technical cousin, is in short supply. Cyber talent continues to become pricier.
ARM positions itself for the Internet-of-things by acquiring Sensinode.
New reports detail how Snowden accessed and stole NSA files, and security experts draw lessons any enterprise might apply. (Above all, compartment information and control privileges.)
The US Congress prepares for close scrutiny of electronic surveillance law. General Alexander testifies on the state of US offensive cyber capabilities (they're the best in the world, but other states are catching up).
Lulz snitch Sabu's sentencing is again delayed.
Notes.
Today's issue includes events affecting Australia, Brazil, China, Denmark, European Union, Germany, Israel, New Zealand, Romania, Saudi Arabia, Singapore, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Service Restored to .cn Domain After Large DDoS Attack (Threatpost) Parts of China's .cn domain are available again after a large DDoS attack made close to a third of the sites registered under that domain unavailable on Sunday
Who Hacked China's Internet Yesterday? (The Atlantic) On Sunday morning, China's Internet was hit with the largest Denial of Service attack it has ever seen, according to China Internet Network Information Center. The assault, which took down sites like Weibo (the Twitter of China), Amazon.cn, and the Bank of China, resulted in a 32 percent drop in Internet traffic—and nobody knows who did it
China Hit with Biggest DDoS Attack in its History (Infosecurity Magazine) China faced the largest distributed denial-of-service (DDoS) attack in its history over the weekend, leading to a two-to-four hour shutdown of swaths of IP addresses using .cn, China's country code top-level domain
China DDoS attack shows not all TLD servers equally secure (CSO) With new generic domains expected to be operational by next month, worry is smaller ones will have much less security than China's
China Hit by Cyber Attack? Say it ain't so (Trade the Newsroom) Instead, this type of cyber attack involves overwhelming servers with a flood of requests. The server gets overloaded, and this in turn makes the sites hosted on
Dell SecureWorks Warns Of Hacktivists Launching Multiprong Cyberattacks, Not Just DoS Attacks (Dark Reading) Hacktivists also launching SQLi and CSS attacks. Hacktivists, disgruntled employees, and other cyber threat actors intent on sabotaging an organization, are expanding their tactics beyond Distributed Denial of Service (DDoS) attacks, warns Dell SecureWorks' Enterprise Brand and Executive Threat Surveillance team. This team is constantly monitoring social media sites, forums, and other public information sources, looking for conversations and other indicators that a customer's brand or its executives might be the target of a cyber-attack. Using their highly honed investigative skills, the team has worked numerous cases where they have obtained solid intelligence of an attack being planned by the threat actors. Dell SecureWorks has then worked with the organizations to quickly shut down the attack before it could happen or implemented countermeasures to block the attack, effectively protecting the organization's infrastructure, assets and brand
Anonymous Document Sharing Site Pastebin Surpasses 1 Million Members, Keeps Growing (TechCrunch) Pastebin officially announced that they've surpassed 1 million registered members since the introduction of the login service two and a half years ago. The service allowed users to log in using social media tools and control the pastes they uploaded to the site. Members can also edit and delete pieces of information they post to the site. Users can still paste items anonymously
Leaked info of Federal Reserve employees was stolen during earlier breach (Help Net Security) Hacker collective Anonymous has apparently leaked a file which supposedly contains personal details of every employee of the US Federal Reserve Bank - names, job titles, email addresses, phone numbers, and more
New Zealand's Government Communications Security Bureau Targeted by Anonymous (Softpedia) Anonymous hacktivists launched a campaign against the New Zealand government after the world learned that police and spy agencies had been monitoring communications
Google Palestine Defaced Because Palestine Is Shown as Israel on Google Maps (Softpedia) Pro-Palestine hackers have defaced Google Palestine. The attackers are apparently displeased with the fact that Google Maps shows Palestine as being Israel. "Uncle Google we say hi from Palestine to remember you that the country in Google Map not called Israel. It's called Palestine," the hackers wrote on the defacement page
Google Palestine Hacked And Defaced Through A Domain Registry Attack (TechCrunch) Google's primary search domain for Palestine has seemingly been hacked, with the standard Google search interface for the region being replaced by a political message from its hackers. From the information available so far, it doesn't appear that Google's own servers were hacked - instead, it seems that Google's Palestinian domain was hijacked and redirected to another server altogether
American Choral Directors Association Breached, 600+ Login details leaked by @Fr0styFr0ze (Hack Read) A hacker going with the handle of @Fr0styFr0ze on Twitter has breached into the official website of American Choral Directors Association, as a result, login details of 600+ site's users have been leaked online. @Fr0styFr0ze who claims to be a 15 years old kid from France contacted me on Twitter and explained that the hack was actually testing of his skills
Researchers reverse-engineer the Dropbox client: What it means (TechRepublic) There were doubts about being able to reverse engineer heavily-obfuscated applications written in Python. Two researchers have removed all doubt by reverse engineering the immensely popular Dropbox client
Poison Ivy RAT becoming the AK-47 of cyber-espionage attacks (The Register) Just because it's simple to use doesn't mean the user is low-rent. The Poison Ivy Remote Access Tool (RAT) - often considered a tool for novice "script kiddies" - has become a ubiquitous feature of cyber-espionage campaigns, according to experts
Fake Browser Updates Going Rampant (MalwareBytes) The bad guys have been working on social engineering end users with fake 'Critical updates' for all major web browsers. Last month, our friend Chris Boyd over at ThreatTrack Security discovered this new trend while it was still in its infancy (i.e. really terrible looking templates). Well, it seems like the machine is well-oiled now as more and more domains are popping up with those shiny (and ripped off) designs
Rogue antivirus makes users an 'offer they can't refuse' (CSO) Rogue or fake antivirus is the digital equivalent of paying the neighborhood mafia "protection money" to make sure nothing bad happens to your business--the irony being that the only real threat to your business is the neighborhood mafia, and the only thing you have to be worried about is what they will do to your business if you don't pay the
Ransomware victims told NSA's Prism program caught them with child pornography (SC Magazine) Dealers of ransomware are now attempting to frighten victims into paying up by tricking them into believing they've committed illegal online actions that were uncovered by the National Security Agency's Prism surveillance program
Trojan targets Craigslist users with spam (CSO) Malicious app used to hawk mobile spyware on the popular free classifieds site. Craigslist has made some strides over the years in protecting its users from Internet predators, but for some hackers those strides are just another challenge to be surmounted
A review of iOS spyware that threatens user privacy (Doctor Web) Russian anti-virus company Doctor Web has prepared an overview of dangerous spyware applications designed to run under iOS, considered to be the most secure mobile platform. Like similar programs for other OSs, such applications allow attackers to obtain a wide range of personal information: SMS messages, call logs, GPS coordinates, address book records, photographs, etc. In spite of the fact that such products can only operate on jailbroken devices, the threat to personal information is rather severe
Expack continues exploiting Java vulnerability (ZScaler) Exploit kits available in the wild tend to follow a trend by exploiting vulnerabilities reported in various browser components which are commonly deployed. Recently, we have seen an increase in exploitation of a year old vulnerability reported in the JRE component of JAVA (CVE-2012-1723). Exploitation of this vulnerability in JRE allows an attacker to download malware onto a victim's machine and execute it. Let's look at an analysis of such an exploit kit recently found in the wild
Java Vulnerability Exploit Added to Neutrino Attack Kit (SecurityWeek) Security researchers are recommending Java users upgrade to the latest version due to a new exploit that has made its way into the Neutrino exploit kit
[Video] ThreatVlog, Episode 1: Tor and Apple exploits revealed (Webroot Threat Blog) What is Tor? Is it really secure? What about the Apple App Store approval process? Are all these applications really looked at? In today's episode, Grayson Milbourne covers the exploitation of the Tor network through Firefox and a proof of concept showing just how insecure Apple app testing can be
[Video] ThreatVlog, Episode 2: Keyloggers and your privacy (Webroot Threat Blog) Commercial and black hat keyloggers can infect any device, from your PC at home to the phone in your hand. What exactly are these programs trying to steal? How can this data be used harmfully against you? And what can you do to protect all your data and devices from this malicious data gathering? In this episode of Webroot ThreatVlog, Grayson Milbourne talks about security, your data, and protecting yourself
Phony Adobe Plug-in Malware Bypasses Craigslist Spam Controls (Threatpost) An attacker is going to a lot of trouble to post spam messages to Craigslist. Researchers at Solera Networks have come across an attack where malware is using compromised machines to post poorly worded ads for an Android application marketed at parents for the purposes of monitoring the activities of their teens. The software reportedly tracks the device's location, as well as SMS and phone logs
Phone Hack Could Block Messages, Calls on Some Mobile Networks (Threatpost) By tweaking the firmware on certain kinds of phones, a hacker could make it so other phones in the area are unable to receive incoming calls or SMS messages, according to research presented at the USENIX Security Symposium earlier this month
University of Delaware 72k confidential data hacked through Zero-Day Vulnerability (CyberWarZone) University of Delaware officials have identified the cause of the cyber security breach that resulted in the online theft of confidential information from 72,000 current and former employees. Karl Hassler, associate director of IT Network Systems and Services at the University of Delaware said the breach occurred within third-party software that the university had been using. "It was a vulnerability of software we acquired from a vendor in the Java programming suite so that was zero-day vulnerability and the hackers exploited that," explained Hassler
UPS Spam / UPS Invoice 74458652.zip (Dynamoo) This fake UPS invoice has a malicious attachment…New invoice(s) are available for the consolidated payment plan(s) / account(s) enrolled in the UPS Billing Center. Download the attachment. Invoice will be automatically shown by double click
Personal data for 4 million patients at risk after burglary (Chicago Tribune) Thieves take computers holding personal, not medical, info at Advocate Health Care in Park Ridge
State-Sponsored Attacks against Financial Infrastructure (SC Magazine) Paul de Souza, CSFI-CWD (Cyber Warfare Division), founder and director of the cyber warfare forum initiative, discusses state sponsored cyber attacks against the financial industry and its infrastructure
Comment: Data Retention — The Privacy Threat Hidden in Plain Sight (Infosecurity Magazine) The US may be reeling from revelations surrounding the NSA's PRISM program but, as IVPN's Nick Pearson discusses, the next government program to threaten online privacy may originate from European shores
Security Patches, Mitigations, and Software Updates
OS X 10.8.5 to fix limited 802.11ac Wi-Fi speeds, among other bugs (C/NET) Apple's imminent OS X 10.8.5 update should tackle truncated Wi-Fi speeds in Apple's latest MacBook Air systems
Microsoft will craft XP patches after April '14, but not for you (ComputerWorld) The company could keep shipping updates, even play the pay-to-patch card. Just because Microsoft doesn't plan on giving Windows XP patches to the public after April 8, 2014, doesn't mean it's going to stop making those patches
Cyber Trends
Russia is home of the cracker (Fudzilla) "If you want to hack a phone, order a cyber attack on a competitor's website or buy a Trojan program to steal banking information, look no further than the former
Contractors are now using encrypted calls and texts for legal advice (Nextgov) With economic espionage and domestic surveillance creating a climate of cyber insecurity, some intellectual property attorneys now employ encrypted communications to correspond with federal contractor clients. Tools such as RedPhone, a mobile voice app, and Silent Circle, a text, video and voice service, are among the more user-friendly technologies in use. Civil liberties activists, dissidents and some journalists have long resorted to cryptography to protect information, but some assembly was always required. The new secret message techniques still require trading a little convenience for confidentiality
Brazil Fights Old Malware, Spam, and Underground Market Growth (Trend Micro) As globalization drives Brazilian industries forward, it also invites threats that aim on the weaknesses of growing market economies. Financial crimes have always topped the list of cyber security issues in Brazil, but as the country's economy grows more people are exposed to the perks and problems of the latest computing technologies
Mobile security is presenting a growing threat (Mobile Commerce Press) The latest information released by Trend Micro shows that the landscape is changing due to malware. The Threat Security Roundup from Trend Micro has just been released and it has suggested that issues regarding mobile security threats are starting to change the trends in the overall protection and digital landscap
Marketplace
Cybersecurity And Privacy Specialists In Short Supply (Forbes) Cybersecurity lawyers are highly sought after, but are in short supply. A cover story in the Los Angeles Daily Journal (subscription required) reported that the need for privacy and cybersecurity legal specialists has exploded in California, yet general counsel say there is a shortage of qualified practitioners who can do the job. LinkedIn Corp.'s General Counsel Erika Rottenberg was featured in the story, she speculated that technology companies in Silicon Valley were hiring most of the qualified attorneys, leaving less talent for law firms. Amidst a legal job market in which law graduates are clamoring to find jobs, the demand for privacy and cybersecurity specialists may present an opportunity for the law schools that are nimble enough to respond to the demand
DOD's push for secure mobile comms leverages commercial tools (Defense Systems) Security, always a primary concern for military communications, is becoming more challenging as the growing power of digital technologies helps adversaries intercept and decrypt messages. In response, military planners are moving forward on many fronts, assessing commercial security technologies, biometrics and other technologies as they attempt to equip more warfighters with communications gear
Australian government can't recruit fast enough for open source (ZDNet) The Australian government is seeing a lot more demand for open-source support, according to chief technology officer John Sheridan. The tide is turning with the use of open-source software within the Australian government, according to the chief technology officer John Sheridan, with departments shifting from buying proprietary software to buying support for open-source software such as Drupal
Cybersecurity jobs continue to pay better than others (Nextgov) Demand for cybersecurity professionals continues to climb, and while overall pay for security staff dipped slightly this year, cyber pros are still earning more than their counterparts in general IT jobs, according to a new survey. InformationWeek's 2013 Salary Survey of 682 IT security professionals found the strong market for cyber professionals has nearly erased the gender gap when it comes to pay. The median staff salary declined $2,000, to $95,000, in 2013, while management salaries increased to $120,000, up $5,000 from the previous year
ARM acquires Sensinode for a leg up in the Internet of Things (VentureBeat) Mobile chip design company ARM is targeting devices even smaller than smartphones and tablets. Today ARM announced that it has purchased Sensinode, a Finland-based company that develops and promotes open standards for small connected devices, also known as the Internet of Things. Terms of the deal weren't disclosed
Nasdaq faces cloudy future (FierceFinance) For the once-vaunted Nasdaq, nothing has come easy over the last few years---except problems. It was once considered the future of trading, with an all-electronic, floorless, multiple dealer-driven system that made the NYSE floor look archaic. But that time has passed, and so has its old reputation. No longer considered a technological marvel, it comes across, fairly or not, as less than competent technically and managerially
Everything that's wrong with Microsoft, as told by veterans who abandoned the company (Quartz) It's possible, even likely, that Microsoft is about to enter the darkest period in the firm's history. Darker, even, than July 2000, when it seemed the US government might dissolve the house that Bill built, and force the company to be split into two different companies
SAIC to Help DHS Use Threat Analytics for $6B Cyber Program (GovConExecutive) Science Applications International Corp. will aim to help the Department of Homeland Security bolster the cybersecurity posture of federal civilian ".gov" networks and protect cyber infrastructure under a potential five-year, $6 billion contract
ManTech Gets DHS Contract - Analyst Blog (Nasdaq) Critical software services provider ManTech International Corporation ( MANT ) recently procured a Blanket Purchase Agreement (BPA) from the Department of Homeland Security (DHS) to provide the requisite support to avert cyber threats and integrate security services across a wide range of '.gov'-domain networks
Products, Services, and Solutions
Product Review: CoSoSys Endpoint Protector 4 (SC Magazine) Endpoint Protector 4 from CoSoSys provides endpoint protection through the use of three feature-rich modules. These include Device Control for endpoints, Content Aware Protection for endpoints, and Mobile Device Management. Device Control allows administrators to control what types of devices may be connected to machines on the network. These include USB devices and flash drives, external hard drives and printers, as well as many other devices. Content Aware Protection is a data leakage prevention module that lets administrators define policy to prevent sensitive data from leaving the network through removable media or from being uploaded to the cloud, among other methods
Amazon and Microsoft, beware—VMware cloud is more ambitious than we thought (Ars Technica) Desktops, disaster recovery, IaaS, and PaaS make VMware's cloud compelling
Technologies, Techniques, and Standards
Patch Management Guidance from NIST (Internet Storm Center) The National Institute of Standards and Technology (NIST) released a new version of guidance around Patch Management last week, NIST SP800-40. The latest release takes a broader look at enterprise patch management than the previous version, so well worth the read
Mac OSX Hardening Tips (NSA Factsheet) The following tips assume that the reader is starting with a default installation of Mac OS X 10.5 (Leopard). These tips may not translate gracefully for previous versions
Kenneth van Wyk: Why mobile apps beat Web apps for privacy (Computerworld) Internet communications are prey to surveillance, but you can better shield them
"thereisnofatebutwhatwemake" - Turbo-charged cracking comes to long passwords (Ars Technica) Cracking really long passwords just got a whole lot faster and easier. For the first time, the freely available password cracker ocl-Hashcat-plus is able to tackle passcodes with as many as 55 characters. It's an improvement that comes as more and more people are relying on long passcodes and phrases to protect their website accounts and other online assets
5 ways to tackle an insufficient HTTPS implementation (Troy Hunt) Earlier this year I wrote about 5 ways to implement HTTPS in an insufficient manner (and leak sensitive data). The entire premise of the post was that following a customer raising concerns about their SSL implementation, Top CashBack went on to assert that everything that needed to be protected, was. Except it wasn't, at least not sufficiently and that's the rub with SSL; it's not about having it or not having it, it's about understanding the nuances of transport layer protection and getting all the nuts and bolts of it right
Protecting Against Leakers (Schneier on Security) Ever since Edward Snowden walked out of a National Security Agency facility in May with electronic copies of thousands of classified documents, the finger-pointing has concentrated on government's security failures. Yet the debacle illustrates the challenge with trusting people in any organization. The problem is easy to describe. Organizations require trusted people, but they don't necessarily know whether those people are trustworthy. These individuals are essential, and can also betray organizations. So how does an organization protect itself
How Snowden got the NSA documents (ZDNet) A report confirms what was likely all along, that Edward Snowden's contractor job gave him unrestricted access to a mountain of sensitive materials for which he had no legitimate need. It's been known for a while that Edward Snowden was a systems administrator for Booz Allen Hamilton doing contract work for the NSA when he obtained the documents which he subsequently leaked to the press. But how did he get at these documents? NBC News has an investigations story on "How Snowden did it" which purports to explain
Getting The Most Out Of A Security Red Team (Dark Reading) When used effectively, a working red team doesn't just help IT security organizations find vulnerabilities in their environments. Red teams can also help organizations prove the need for increased budget in focused areas, substantiate claims of security improvements, and generally sharpen the skills of IT defenders called upon to regularly defend against real-world attack simulations carried out by these in-house "bad guys"
Eric Cowperthwaite on Essential Elements of Risk-Based Security (TripWire) In the first segment of our interview with Eric Cowperthwaite, Chief Information Security Officer at Providence Health & Services, we examined the steps needed to build a foundation for an effective risk-based security management program
Employing Roaming as Backup to Mobile Networks (GovInfoSecurity) Can roaming services be used as a backup for mobile networks that fail? It's an idea being explored by ENISA, the European Network and Information Security Agency
Ed Snowden Covered His Tracks Well; How Many Other NSA Staffers Did The Same? (TechDirt) As we've seen, the NSA's story on "abuses" keeps changing. First there were no abuses at all, then there were a whole lot of abuses (but all unintentional) and now we know that there also were a bunch of intentional abuses. But here's the thing: these are only the abuses that the NSA caught. And, even then it's sketchy. As Marcy Wheeler has detailed, many of the "unintentional abuses" look like they were merely classified that way, when, in reality, they may have been intentional. Thanks to the magic of the NSA's special dictionary, they redefine abuses that exceed legal authority but are "performing the mission that the NSA wants them to perform" not as "abuses" but as "mistakes"
Design and Innovation
State of innovation: Busting the private-sector myth (New Scientist) Forget Silicon Valley entrepreneurs. It is government that should be credited for backing wealth-creating technology. IMAGES of tech entrepreneurs such as Mark Zuckerberg and Steve Jobs are continually thrown at us by politicians, economists and the media. The message is that innovation is best left in the hands of these individuals and the wider private sector, and that the state - bureaucratic and sluggish - should keep out. A telling 2012 article in The Economist claimed that, to be innovative, governments must "stick to the basics" such as spending on infrastructure, education and skills, leaving the rest to the revolutionary garage tinkerers. Yet it is ideology, not evidence, that fuels this image. A quick look at the pioneering technologies of the past century points to the state, not the private sector, as the most decisive player in the game
Vogue Makes A Complete Joke Out Of Google, And Google Doesn't Even Notice (Fast Company) Google Glass just scored a 12-page spread in Vogue's September issue, or what's easily the most influential issue of the most influential publication in all of fashion. You could argue that this is Google's moment, that this single spread (coupled with the DVF show last year) portends a future in which we all wear Glass
Silicon Valley's top startup guru says he wouldn't want to run a startup (ZDNet) Y Combinator's Paul Graham trains entrepreneurs but doesn't want to be one
Crowdfunding platform Kickstarter is launching in Australia and New Zealand 'soon' (The Next Web) Crowdfunding platform Kickstarter is expanding into the Asia-Pacific region after it revealed plans to make its service available in Australia and New Zealand "soon"
AT&T opens latest Foundry facility in Atlanta, focusing on the connected car, home automation and emerging devices (Engadget) If you haven't been paying attention, here's the skinny: US carriers are doing everything they can to expand their horizons, and in the case of Verizon and AT&T, this sense of urgency has led to the creation of numerous innovation labs. In a nutshell, these facilities serve as incubation centers for startups and well-positioned outfits alike that are looking to add cellular connectivity to whatever it is they're hawking
Research and Development
Quantum cryptography is the last, best defense (InfoWorld) When quantum computing finally lands, all encryption will be open -- unless you're protected with quantum cryptography
Open Sourcers Pitch Secure Email in Dark Age of PRISM (Wired) With the specter of government surveillance hanging over this post-PRISM world, people are beginning to wonder if the idea of secure email is complete nonsense
Legislation, Policy, and Regulation
After Cyberattacks, Saudi Steps Up Online Security (Wall Street Journal) One year after a cyberattack targeted state-owned Aramco oil company and its oil exports, Saudi Arabia telecoms and Western IT companies have stepped up online-security offerings to deal with what they say is a surge of Saudi interest - and ongoing attacks on Saudi data. With ample bandwidth, historically lax online security, and no shortage of wealth or political enemies, Saudi Arabia is the second-biggest target in the world for online spam, say Bulent Teksoz and Samer Sidani, Middle East executives for U.S.-based Symantec security consultants
NSA Revelations Prompt Tech Industry to Call for Privacy Safeguards (CIO) Amid the fallout from the revelations of the National Security Agency's wide-ranging electronic surveillance program, several leading technology trade
Still Unclear What Lawmakers Know About NSA Programs (International Business Times) Government officials defend the National Security Agency's surveillance programs by pointing out that members of Congress have been briefed on them
A Tipping Point in the Privacy vs. Security Battle (Kiplinger) The events surrounding 9/11 cleared the way for the government to play down personal freedoms and led to Uncle Sam's secretive and massive effort to collect, review and store previously private data. Americans, and some allies abroad, say it's gone too far and they've had enough of the National Security Agency's clandestine activities
US Cyber Offense is "The Best in the World" (Federation of American Scientists) The subject of offensive cyber action by the U.S. government was classified for many years and was hardly discussed in public at all. Then several years ago the possibility of U.S. cyber offense was formally acknowledged, though it was mostly discussed in the conditional mood, as a capability that might be developed and employed under certain hypothetical circumstances
NSA director told lawmakers US has 'best' cyber offense, but adversaries catching up (The Verge) Before the US National Security Agency's secret internet and phone spying programs were revealed this summer, the head of the NSA assured lawmakers that the US had the best cyber attack capabilities in the world. "We believe our offense is the best in the world," General Keith Alexander, the NSA's director, said in response to written questions from the House of Representatives submitted after a March hearing. Alexander's answers were just published by the government late last month. Alexander also warned in his responses that "potential adversaries are demonstrating a rapidly increasing level of sophistication in their offensive cyber capabilities and tactics"
Stern new data breach reporting requirement takes hold in EU (SC Magazine) Data breaches are reported nearly every day and one noticeable trend is the occasional delay between when the breach is discovered and when authorities and affected people are notified
Lord Blair: we need laws to stop 'principled' leaking of state secrets (The Guardian) Former Metropolitan police commissioner says 'facilitating terrorism' by leaking should be made explicitly criminal
Paper proposes 'civic switchboards' for public-private cybersecurity cooperation (FierceGovIT) Proposed legislation that would center public- and private-sector cybersecurity collaboration onto a single coordinating entity would fall short in effective engagement, asserts a paper published this month by the Center for Strategic and International Studies
Litigation, Investigation, and Law Enforcement
Feds Back Away From Forced Decryption - For Now (Wired) Federal prosecutors may have dropped demands that a child-porn suspect give up his encryption keys in a closely watched case, but the issue of forced decryption is very much alive and is likely to encompass a larger swath of Americans
Holder pressed on U.S. drug agency use of hidden data evidence (Reuters) Eight Democratic senators and congressmen have asked Attorney General Eric Holder to answer questions about a Reuters report that the National Security Agency supplies the Drug Enforcement Administration with intelligence information used to make non-terrorism cases against American citizens
UN Says Nations Are Barred From Spying on It (ABC News) The United Nations said Monday that it will contact the United States about reports that the National Security Agency hacked its internal communications, and the
How Snowden did it (NBC News) When Edward Snowden stole the crown jewels of the National Security Agency, he didn't need to use any sophisticated devices or software or go around any computer firewall. All he needed, said multiple intelligence community sources, was a few thumb drives and the willingness to exploit a gaping hole in an antiquated security system to rummage at will through the NSA's servers and take 20,000 documents without leaving a trace
Snowden Stayed At Russian Consulate (Washington Post) Before American fugitive Edward Snowden arrived in Moscow in June, an arrival that Russian officials have said caught them by surprise, he spent several days living at the Russian Consulate in Hong Kong, a Moscow newspaper reported Monday
Data Collection Is Illegal, A.C.L.U. Says In Filing (New York Times) In a detailed legal attack on the National Security Agency's collection of Americans' phone call data, the American Civil Liberties Union argued in court papers filed Monday that the sweeping data gathering violates the Constitution and should be halted
Five cyber attackers arrested over UK tax fraud (ComputerWeekly) Five men have been arrested in connection with an HM Revenue and Customs (HMRC) investigation into cyber attackers suspected of identity theft and tax fraud
Three charged with stealing source code, data from trading firm (Reuters) Two men have been charged by New York prosecutors with stealing secret computer code from a high-frequency trading firm in an effort to start their own business
Anonymous turncoat Sabu's sentencing delayed, again (SC Magazine) For the second time this year, the sentencing for Anonymous informant Hector 'Sabu' Monsegur has been delayed
BPA employees' personal data hacked; audit findings of hiring problems dribble out (The Oregonian) Rough waters continue at the Bonneville Power Administration, where employees are learning their personal data was released in a cyber attack, and the agency is beginning to detail the extent of problems in its human resources department. The turmoil continues at the Bonneville Power Administration and its parent agency, the U.S. Department of Energy -- this time with a new twist. The DOE, which has been coming down around Bonneville's ears for violations of federal hiring practices, has started informing employees that their personal information was compromised last month after its computer systems were hacked. A total of 14,000 federal employees were affected, including some or all of Bonneville's
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
Wednesday Webcast: Utilizing the Critical Security Controls to Secure Healthcare Technology (webcast, Aug 28, 2013) The development of the SANS Twenty Security Controls is transforming the way companies measure and monitor the success of their security programs while drastically reducing the cost of security. Fifteen of the twenty controls can be automated, some at no cost to the organization, and the data is readily available to be presented in conference rooms and board rooms. Upon implementing, hospitals will have the ability to measure compliance, track progress, and know when they've reached certain goals. The controls are free for use and easy to implement.
Cybersecurity Symposium: "Protect. Defend. Educate." (Linthicum, Maryland, USA, Oct 16 - 17, 2013) The Cybersecurity Symposium being held October 16-17, 2013, will deliver first-class training for government and industry security professionals while simultaneously offering high-level keynote speakers, essential networking opportunities, and an informative technology exposition. The Symposium sessions will have a special emphasis on security challenges facing today's security professionals and cyber awareness training for security professionals responsible for protecting sensitive and classified information from the ever increasing threats of mobile devices, espionage, terrorism, and cyber-attacks to ensure our national security. Register by August 31 to ensure the reduced early bird registration fee. This event is free for government employees and active-duty military personnel. Exhibit space and sponsorship opportunities are also available.
World Congress on Internet Security (London, England, UK, Dec 9 - 12, 2013) The WorldCIS-2013 is an international forum dedicated to the advancement of the theory and practical implementation of security on the Internet and Computer Networks. The inability to properly secure the Internet, computer networks, protecting the Internet against emerging threats and vulnerabilities, and sustaining privacy and trust has been a key focus of research. The WorldCIS aims to provide a highly professional and comparative academic research forum that promotes collaborative excellence between academia and industry.
SANS Thailand 201 (Bangkok, Thailand, Aug 19 - 31, 2013) SANS hands-on advanced Information Security training is coming to Thailand this August! SANS is bringing our Web App Penetration Testing course to the Crowne Plaza Bangkok Lumpini Park in Bangkok, Thailand.
TechCrunch Disrupt San Francisco (San Francisco, California, Sep 7 - 11, 2013) For the fourth year in a row, TechCrunch Disrupt will take over the San Francisco Design Center Concourse, and we're bringing the hottest startups and best minds in the industry with us. Block off September 7-11 on your calendar, because you're not going to want to miss Disrupt SF 2013. The Hackathon kicks everything off, followed by our main event, which starts every morning with panels of special speakers and guests, one-on-one chats featuring TechCrunch writers and editors, special guest speakers and judges, leading venture capitalists and fascinating entrepreneurs addressing the most important topics facing today's tech landscape. In the afternoons, the Startup Battlefield presentations begin, with the final presentations held on the last day of Disrupt.
SANS CyberCon Fall 2013 (Online, Sep 9 - 14, 2013) With sequestration still in place, organizations are finding themselves with training budgets, but drastically reduced travel budgets. This one-of-a-kind online training event brings SANS' top instructors teaching SANS' top courses to those who can't travel.
15th Annual AT&T Cyber Security Conference (New York, New York, USA, Sep 10, 2013) The AT&T Cyber Security Conference is an annual day-long conference offered by the AT&T Chief Security Office. Combining the expertise of its security experts, the scale and reliability of its global IP network and the innovation of AT&T Labs, AT&T is giving businesses some of the most powerful weapons available today in their battle against cyber security attacks. The conference showcases AT&T's leadership in helping businesses, large and small, manage the increasingly complex and critically important security of their IT networks and assets.
International Common Criteria Conference (Orlando, Florida, USA, Sep 10 - 11, 2013) FBC invites you to participate in the International Common Criteria Conference (ICCC) taking place in Orlando, Florida. This is the first time since 2000 that the ICCC is taking place in the U.S. The ICCC has become the main marketing and meeting opportunity for all those involved in the specification, development, evaluation, and validation or certification of IT security.
GrrCon (Grand Rapids, Michigan, USA, Sep 12 - 13, 2013) Says IT World, "Another hacker conference, this time in Michigan. The schedule looks to be bawdy, brash and anything but dull, with hackers promising to 'pwn' you before you leave town. There are also sessions on penetration testing tools and mobile hacking methods."
cybergamut Technical Tuesday: Malware Analysis for the Masses (Columbia, Maryland, USA, Sep 17, 2013) With malware becoming more prevalent, and the pool of capable reversers falling short of overall need, there is a greater need to provide quick and efficient malware analysis for network defense. With modern technology and tools, it's now possible for junior security analysts to gather detailed malware indicators to craft defense and alert signatures. More enticing, all of this can be done with free tools and applications, some written by this presenter.
Shaping the Future of Cybersecurity Education Workshop (Gaithersburg, Maryland, USA, Sep 17 - 19, 2013) The third annual Shaping the Future of Cybersecurity Education Workshop will be held at the National Institute of Standards and Technology (NIST) in Gaithersburg, MD and focus on "Navigating the National Cybersecurity Education Interstate Highway".
NovaSec! (McLean, Virginia, USA, Jun 13, 2013) NovaSec! is Northern Virginia's largest cybersecurity and physical security networking event of the year. We are bringing together security professionals from commercial and government organizations with members of local Northern Virginia businesses and associations to allow participants to meet, interact on key issues and provide a unified forum to network with like-minded individuals.
Strange Loop (St. Louis, Missouri, USA, Sep 18 - 20, 2013) Meet us in St. Louis, Sept 18-20th, 2013, to make connections with the creators and users of the languages, libraries, tools, and techniques at the forefront of the industry. Find out where we're going…and where we're not. Topics include emerging languages, concurrent and distributed systems, new database technologies, front-end web, and mobile.
ISSA Cyber Security Forum at Ft Belvoir (Fort Belvoir, Virginia, USA, Sep 19, 2013) This event will allow personnel from Fort Belvoir the chance to learn about the latest cyber security trends, network with peers, discuss Army best practices and to view and demo some of the latest cyber security and information technology products/services available today. This is an excellent opportunity for exhibitors to network with key decision makers, cyber, technology, communications and contracting personnel from various commands and tenant units at Fort Belvoir.
CISO Executive Summit (Atlanta, Georgia, USA, Sep 19 - 20, 2013) Be on the forefront of a new global initiative where today's world-class leaders in information security will gather to navigate through international waters. Join these leaders as they follow the wind of change that is sweeping through the IS community motivating today's information guardians to develop a new way of thinking to ensure success in protecting their respective organizations. (At Hacker Halted USA.)
2013 Cyber Security Summit (New York, New York, USA, Sep 25, 2013) The 2013 Cyber Security Summit connects executives responsible for protecting their company's critical infrastructure with innovative product, service and solution providers. The one day event, to be held September 25th at the Hilton in New York City, will showcase the latest tools and resources available to defend against cyber crime on both corporate and government levels. Keynote addresses and interactive panel discussions led by notable security experts will highlight strategic priorities, risk factors, threats and provide inspirational guidance to prepare and protect from attacks.
4th Annual Cybersecurity Summit (Washington, DC, USA, Sep 25, 2013) GEN Keith Alexander, Commander of U.S. Cyber Command, Director of the NSA/Chief, Central Security Service and Dr. Pat Gallagher, Director, NIST are among the distinguished speakers confirmed to keynote at the 4th Annual Cybersecurity Summit on September 25, 2013 at the National Press Club in Washington, D.C. Michael Daniel, White House Cybersecurity Advisor, and Gen. Keith Alexander, Commander U.S. Cyber Command, and Director, NSA, are confirmed to keynote. Cybersecurity topics to be addressed include: the White House Cybersecurity Executive Order, the Cybersecurity Framework and New Emerging Standards for Critical Infrastructure, information sharing, mobile security and BYOD, legislative developments in cybersecurity, big data and cloud cybersecurity, continuous monitoring, cyber situational awareness, and the JIE rollout active defense and cyber warfare. Organized by Billington CyberSecurity™.