The CyberWire Daily Briefing for 9.6.2013
Today's big stories are cyber conflict in Syria and disclosures of NSA/GCHQ cryptologic capabilities.
With respect to Syria, the US FBI has issued warnings concerning the threat posed by the Syrian Electronic Army (SEA), characterized as a "pro-regime hacking group." Cyber operations appear to have begun, well in advance of any international combat action, punitive or otherwise. The SEA has long been active against Western targets, and the Washington Post reports the US State Department has begun providing rebels "tech support," which in this context implies at least means of evading regime censorship and interception.
With respect to NSA's (and GCHQ's) crypto capabilities, the US Office of the Director of National Intelligence (ODNI) says it's "hardly surprising" that intelligence agencies work to defeat adversaries' encryption (and surely one must agree). But ODNI's statement doesn't mollify most commentators, who see these operations as both indiscriminate and destructive of trust.
The capabilities themselves represent no single set of mathematical breakthroughs. They involve some advanced cryptologic tools, but largely rely on a mix of socially engineered and legally compelled backdoors in crypto systems. Such backdoors amount, critics observe, to deliberate flaws. The revelations complicate the already vexed relationship between US tech companies and the Intelligence Community.
Significant declassification of US documents is promised next week: by Justice to plaintiffs in the EFF lawsuit, and by the President to his Brazilian counterpart.
In other news, an argument brews up between biometric identity management proponents and critics—it turns on the distinction between registration and identification.
Notes.
Today's issue includes events affecting Australia, Brazil, Canada, China, European Union, Germany, Israel, Japan, New Zealand, Palestinian Territories, Syria, Thailand, Ukraine, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Syrian Electronic Army placed on FBI wanted list (ZDNet) The Syrian Electronic Army's hacking campaigns have raised the ire of the FBI. The U.S. Federal Bureau of Investigation (FBI) has officially placed the SEA on an advisory list following a string of attacks on media and government outlets. The FBI calls the SEA a "pro-regime hacker group" that emerged during Syrian anti-government protests in 2011
The U.S. isn't bombing Syria yet. But it is providing tech support to the rebels. (Washington Post) The United States hasn't decided whether to launch airstrikes against the regime of President Bashar al-Assad in Syria. But the Obama administration long ago decided to provide the rebels with another form of assistance: hardware and software to help the rebels communicate more effectively and evade government censorship. In fact, while the White House authorized the CIA to help arm some moderate rebels battling the Assad regime, it hasn't done so yet. So the most significant aid given to the rebels by the United States so far may actually be the influx of communications equipment, censorship and monitoring circumvention software, and technical training sent their way by the State Department
A Better Syria Option: Cyber War (The National Interest Online) Cyber attack is ideal for undercutting Assad's ability to execute strategy, operations, and tactics. Unlike missiles or bombs, it is very unlikely to kill or physically
Cyber Revenge (Wall Street Journal) Tech analyst Rob Enderle stopped by The Wall Street Journal This Morning to explain just how vulnerable we are to a serious cyber-attack by Syria
ODNI STATEMENT on the Unauthorized Disclosure of NSA Cryptological Capabilities (IC on the Record) It should hardly be surprising that our intelligence agencies seek ways to counteract our adversaries' use of encryption. Throughout history, nations have used encryption to protect their secrets, and today, terrorists, cybercriminals, human traffickers and others also use code to hide their activities. Our intelligence community would not be doing its job if we did not try to counter that
US and UK spy agencies defeat privacy and security on the internet (The Guardian) US and British intelligence agencies have successfully cracked much of the online encryption relied upon by hundreds of millions of people to protect the privacy of their personal data, online transactions and emails, according to top-secret documents revealed by former contractor Edward Snowden
N.S.A. Able to Foil Basic Safeguards of Privacy on Web (New York Times) The National Security Agency is winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age, according to newly disclosed documents
Has the NSA broken our encryption? (ZDNet) Reports of new Edward Snowden leaks of NSA documents claim that "the agency has circumvented or cracked much of the encryption" on which we rely on the Internet. Are we defenseless now? Reports in the Guardian and the New York Times claim that the NSA has cracked much of the encryption used on the Internet. Working in concert with their UK counterpart, the GCHQ, the NSA has used a variety of methods to gain access to data which should be unreadable by outsiders to the conversation. The basis for the reports are (of course) documents leaked by former NSA analyst Edward Snowden
NSA and GCHQ Crack Majority of Encrypted Traffic (Infosecurity Magazine) Given the effort taken by the NSA and GCHQ spy agencies to monitor the greater part of the world's internet traffic, it was never likely that they would simply ignore all of the encrypted traffic. The latest of the Edward Snowden files show that they did not
Snowden lifts veil on code-breaking (Financial Times) US and UK intelligence agencies have targeted widely used methods of encrypting information on the internet, according to the latest leaks by the renegade former NSA contractor Edward Snowden. The disclosures suggest that the agencies have in some cases succeeded in breaking common internet security technologies to read email communications or other data of both companies and individuals, according to computer security experts
Latest Snowden revelation: NSA sabotaged electronic locks (Los Angeles Times) The latest Edward Snowden-powered exposé published by the New York Times, ProPublica and the Guardian is, to me, the most frightening. It reveals that the National Security Agency has moved beyond its historic role as a code-breaker to become a saboteur of the encryption systems. Its work has allegedly weakened the scrambling not just of terrorists' emails but also bank transactions, medical records and communications among coworkers
Let us count the ways: How the feds (legally, technically) get our data (Ars Technica) The NSA and other spies worldwide have come up with an unimaginable matrix. Given that we now know that the National Security Agency (NSA) has the ability to compromise some, if not all of VPN, SSL, and TLS forms of data transmission hardening, it's worth considering the various vectors of technical and legal data-gathering that high-level adversaries in America and Britain (and likely other countries, at least in the "Five Eyes" group of anglophone allies) are likely using in parallel to go after a given target. So far, the possibilities include
On the NSA (Cryptography Engineering) Let me tell you the story of my tiny brush with the biggest crypto story of the year. A few weeks ago I received a call from a reporter at ProPublica, asking me background questions about encryption. Right off the bat I knew this was going to be an odd conversation, since this gentleman seemed convinced that the NSA had vast capabilities to defeat encryption. And not in a 'hey, d'ya think the NSA has vast capabilities to defeat encryption?' kind of way. No, the defeating was a given. We were just haggling over the details
The spooks, the backdoors, reality and the future (Countermeasures-Trend Micro) The NSA and the extent of its interest in cryptographic systems has long been discussed in security and cryptography circles and opinions have already been published regarding unprecedented major breakthroughs in cryptanalytic technologies at The Agency. The fact that the NSA have been pushing Elliptic Curve Cryptography could also be understood as an indicator that they would like everyone to have greater confidence in its security and thus be more likely to use it. It is of course within the bounds of possibility that widespread algorithms such as RSA and Diffie-Hellman have already been compromised by any agency with such a huge talent pool and corresponding budget. Agencies such as the NSA have the advantage that they are free to use all of the research that comes out of academia, but of course are under no obligation to share their own, particularly if it is seen to confer any national security advantage. Let's not forget that equivalents to both the Diffie-Hellman and RSA Key Exchange algorithms were actually originally described in Great Britain's GCHQ, but were kept classified; the entirely separate academic discoveries came later. So am I surprised that the NSA has invested large sums and significant numbers of employees in maintaining a cryptographic advantage? Definitely not
How to Protect Yourself Against NSA Snooping, Even If Encryption Is Broken (Softpedia) It should be pretty clear by now that the NSA can and does break or bypass altogether the encryption of communications on the web. But that doesn't mean we're completely in the open, as the NSA can't break all encryption. Even when it can, it usually requires some effort. That means that most people don't have to worry about the NSA snooping into their email communication. That said, the NSA also scoops up Internet traffic in bulk and stores it in case it's needed at a later date or if the encryption can't be broken at the moment. Still, it takes too much effort for the NSA to target random people, and there are ways of making it even harder for them. Cryptography expert Bruce Schneier lists several ways through which you can protect yourself
Why We Published the Decryption Story (ProPublica) ProPublica is today publishing a story in partnership with the Guardian and The New York Times about U.S. and U.K. government efforts to decode enormous amounts of Internet traffic previously thought to have been safe from prying eyes. This story is based on documents provided by Edward Snowden, the former intelligence community employee and contractor. We want to explain why we are taking this step, and why we believe it is in the public interest
Snoops can identify Tor users given enough time, experts say (Ars Technica) Tor leader: "Yes, a big enough adversary can screw Tor users. But we knew that." A recent academic paper shows "that Tor faces even greater risks from traffic correlation than previous studies suggested." In other words, one of the world's best tools for keeping online speech anonymous is at risk in a previously known—but now even clearer—fashion. In the wake of a recent uptick of Tor usage (whether from a botnet or from people inspired by former National Security Agency [NSA] contractor Edward Snowden), a reminder of these risks is certainly germane to today's Internet
Palestine Elite Force Hackers Hit German ISP NetCologne (eSecurity Planet) 15 user names, encrypted passwords, e-mail addresses, registration dates and display names were published online. Hacker Cold z3ro of the Palestine Elite Force hacker group recently claimed to have breached the Cologne, Germany-based telecom provider NetCologne, and published user information on Pastebin
Sykipot–wielding attackers now targeting US civil aviation firms (Help Net Security) The Sykipot backdoor Trojan is not a new threat. First detected over six years ago, its existence and use has been tied almost exclusively with the cyber espionage activities of a group or groups of attackers that are likely to be based in China. The malware itself hasn't changed much throughout the years, and its goal is simple and always the same - once it gains access to a system, it establishes an SSL connection to a C&C server from which additional malware is downloaded, then installed and run on the victim's machine
DIY malicious Android APK generating 'sensitive information stealer' spotted in the wild (Webroot Threat Blog) Back in June, 2013, we offered a peek inside a DIY Android .apk decompiler/injector that was not only capable of 'binding' malicious Android malware to virtually any legitimate app, but also, was developed to work exclusively with a publicly obtainable Android-based trojan horse
Advisory (ICSA-13-248-01) ProSoft Technology RadioLinx ControlScape PRNG Vulnerability (ICS CERT) Lucas Apa and Carlos Mario Penango Hollman, security researchers with IOActive, have identified a weak pseudo-random number generator (PRNG) seed in the ProSoft Technology RadioLinx ControlScape application software. ProSoft Technology has produced a new firmware patch that mitigates this vulnerability
The Mysterious Mevade Malware (TrendLabs Security Intelligence Blog) Since August 19, 2013, there has been remarkable growth in the number of Tor users, which caused much speculation. Was August 19 the starting date to run en masse from the NSA's PRISM project? Were European internet users downloading the latest American cable TV series via Tor only, thus overcoming blockades of sites like the Pirate Bay by European ISPs? Neither was very likely, so some thought a botnet abusing the Tor network to hide its command and control server must be the reason of the sudden increase of Tor users
Sandboxing Fail: 75% of Malware Can Still Sneak Past IPS (Infosecurity Magazine) Even though the next generation of malware is starting to take advantage of non-HTTP infection channels such as global messaging, P2P and social engineering, the tried-and-true attack vector, HTTP, still reigns. New research shows that 80% of current malware continues to leverage HTTP as the primary access point to corporate networks. Worryingly, more than 75% of active HTTP malware, despite it being technically "old school," easily evades traditional intrusion prevention systems
Mule Flood in Japan (SecureList) Money mule recruitment emails are nothing new, for years these have been spammed out all over the globe. What is new though is the recent wave aimed at "English-speaking Japanese residents". It started at the end of July and we have received hundreds of such themed spam emails since then
MegaPWN: major flaw or PR stunt? (Fortinet Security Research) Since an article on MegaPWN got slashdotted on Tuesday, the now infamous tool by software developer Michael Koziarski gathered a significant amount of attention. As often, comments were a mix of "this guy didn't invent anything" (usually laid in a more sarcastic form) and "this is interesting" (usually laid in a more panicked form, involving the NSA). And as often, the moderately technical reader is left wondering if this is a genuine threat to her private data (assuming she hosts it on Mega), or merely a personal PR stunt. At FortiGuard Labs, our position is that somewhat like Firesheep in its days, MegaPWN does not leverage anything new or unknown, but is a ready-made tool that highlights a security issue that most of the public is unaware of. As such, the publicity it is getting is probably useful
New Java and Flash Research Shows a Dangerous Update Gap (Websense Security Labs) Today we're continuing our Java security research series by analyzing other plug-ins, browser extensions and rich internet applications that are commonly exploited. Our previous research indicated that the current state of Java affairs isn't pretty. At that time, ninety-three percent of enterprises were vulnerable to known Java exploits. Nearly 50 percent of enterprise traffic used a Java version that was more than two years out of date. Through Websense ThreatSeeker Intelligence Cloud analysis we now discover
Kaspersky: The iOS Malware Dam Will Break, And It Will Break Hard (Readwrite) Apple may be more impervious to malware attacks, but due to a lack of code-level access, any exploit could be major. Android may dominate mobile market share, but it also comes with a host of ills like fragmentation and, more potently, malware. While the mobile malware threat has been surprisingly light to date, that's starting to change. For now, Android is the malware capital of mobile in part because of its popularity and in part because of its more open approach to engineering. iOS, for its part, is both harder to crack and harder to fix, precisely because it's closed. But according to security expert Eugene Kaspersky, that's bound to change. And when it does, iOS is going to fall hard. Really, really hard
Nasty nuke–lab data–slurper EVOLVES, now feeds off new Java hole (The Register) Latest version of data-stealer targets Uyghur dissidents. A piece of malware linked to attacks against governments and organisations involved in hi-tech industries such as space exploration and nuclear power has been adapted to exploit a recently uncovered Java security flaw. NetTraveler has been outfitted to exploit a recently patched Java bug as part of a watering-hole-style attack involving compromised websites that redirects victims to an attack site hosting exploit code
ALERT: Cyber Hacker(s) Targets Omaha PR Firm (DigitalJournal.com) If your National Marketing/PR Firm takes on high-profile clients, tackling controversial issues — be on high alert for a politically-motivated cyber attack that
Google coding glitch locks Apple iOS users out of on–line accounts (Naked Security) Google has once again found itself all over the IT news for a spot of bother with its security software. A recent Google Authenticator update accidentally removed all your accounts
Ransomware hits Northwoods residents (Florence-forestnews) If your computer screen is suddenly and unexpectedly locked and you are seeing a "Mandiant USA Cyber Security - FBI Department of Defense - USA Cyber
Cyber attack threatens financial information for 7000 MUSC customers (Charleston Post Courier) MUSC today said a recent
Security Patches, Mitigations, and Software Updates
Microsoft to Patch Dangerous Outlook Hack-by-Preview Bug Next Week (CIO) Microsoft today said it will ship 14 security updates next week to patch critical vulnerabilities in Internet Explorer (IE), Windows, Office and SharePoint, its enterprise collaboration platform
Cyber Trends
Want privacy? Move to Siberia (FierceITSecurity) If you want privacy, move to Siberia. That is the tongue-in-cheek advice that Eugene Kaspersky, founder and CEO of the Russian anti-virus software firm that bears his name, gave in an interview with the Wall Street Journal. Kaspersky's quip underlies a troubling reality. Technology has enabled governments and other organizations to conduct intrusive surveillance on a massive scale. "There is no more privacy," Kaspersky lamented
The secret society that can't keep a secret (ZDNet) The more we try to keep secrets in the dark the more they come into the light…Technology won't help. It's ironic that with all our technologies for keeping things secret our secrets have a way of coming out into the open. We now know so much about the super-secret NSA and its spying activities that it's as if Spy versus Spy had become a comic reality
The spooks need new ways to keep their secrets safe (Financial Times) Big-government secrets require a lot of secret-keepers. As of October 2012, almost 5m people in the US have security clearances, with 1.4m at the top-secret level or higher, according to the Office of the Director of National Intelligence
Comment: Cybercrime Goes Back to the Future (Infosecurity Magazine) Cybercrime goes back to its roots to infiltrate tomorrow's organizations. Darren Turnbull of Fortinet looks at the importance of a unified approach and sandboxing as a key tactic in the fight against advanced persistent threats
Halamka: Regulatory uncertainty looms large for hospital CIOs (FierceHealthIT) Regulatory uncertainty and a continuing decline in available resources are among a handful of issues John Halamka, CIO at Boston-based Beth Israel Deaconess Medical Center, anticipates will keep him up at night in the months ahead
Security and IT: Can we Solve 'Separated at Birth' Problem? (SecurityWeek) Quick, what's the hardest part of being a security pariah? None of the other pariahs want to be seen with you. Though a joke, it sums-up how security, within IT, has and continues to operate. From the beginning of IT, security has consistently been a bolt-on afterthought, and we have only ourselves and everyone else to blame. Surely given the pace of virtualization, cloud, and all of the other profound paradigm shifts that are providing rich opportunities, security and IT can reunite (for the first time), a 'rebirth', if you will. Then again, maybe we are letting history repeat itself
Marketplace
Rising use of cloud drives growth in security software (The Nation) Thai providers expand offerings as more firms wake up to increased threat of cyber-attack. Thai companies are providing a broader range of security products and solutions in light of the increasing threat of cyber-attacks on the business sector, with new offerings contributing to estimated security-software market growth of 16 per cent this year
NSA Code Cracking Puts Google, Yahoo Security Under Fire (Bloomberg) Disclosures that the U.S. National Security Agency can crack codes protecting the online traffic of the world's largest Internet companies will inflict more damage than earlier reports of complicity in government spying, according to technology and intelligence specialists
Industry Backlash Against Surveillance Jeopardizes Security (Nextgov) The private sector's distrust of the National Security Agency following domestic spying revelations could undermine efforts to secure systems running utilities and other vital U.S. industries, former federal civilian and military officials say. NSA, maker of arguably the best encryption tools to protect data, now is attracting more attention for decrypting everyone else's data, after disclosures by ex-NSA contractor Edward Snowden of massive Internet surveillance
CounterTack to Help Defend South Korea from Cyber Attacks (eSecurity Planet) Endpoint security provider CounterTack recently announced a partnership agreement with South Korean information security services provider SK Infosec to defend Korean workstation and server endpoints from cyber attacks
Bill Lietzau Named PAE VP, Deputy General Counsel (GovConWire) Bill Lietzau, formerly deputy assistant defense secretary for rule of law and detainee policy, has joined PAE as vice president and deputy general counsel. He will work with Whit Cobb, who has served as PAE's senior VP and general counsel since February 2012, the company said Thursday
Nancy Laben Named Booz Allen EVP, General Counsel (GovConWire) Nancy Laben, formerly general counsel at engineering and design company AECOM Technologies, has joined Booz Allen Hamilton (NYSE: BAH) as executive vice president and general counsel
HP Wins $56M to Update DoD Security Clearance Systems (GovConWire) HP (NYSE: HPQ) has won a $56 million task order to update personnel security clearance systems at the Defense Department's defense manpower data center. Under the three-year deal, the company will implement applications management services on four systems used to manage the identity verification process for the agency's employees, military personnel, civilians and contractors, HP said Thursday
4 companies that could still buy BlackBerry, and why they probably won't (VentureBeat) BlackBerry may be inching closer to finding a buyer, but the relative dearth of easy candidates seems to have made investors still cautious on the idea - despite the recent share bounce
Would you hire a spammer? (Internet Storm Center) I peruse through my spam folder periodically looking for anything out of the ordinary. I also examine quite closely emails that are obviously spam that make it through to my inbox. This one in fact reads a lot like a job application, or a business promotion attempt gone wrong. Unlike a job application it was not addressed to anyone in particular, and was in fact sent to the SANS Internet Storm Center Handlers distribution list. The fact that the handlers are on a spam list I suppose is not surprising. What I find odd is that this person who is looking for work bought a list for the purpose of spamming it! He did not attach a resume (unlike spammer Bernard Shifman) however did place a link to his LinkedIn profile so that the recipients of his spam can read all about his having achieved his MBA. Which made me wonder if they teach spamming at college or university these days? My thoughts on the subject are that spamming is not the way to go when marketing yourself or your business. Also I am fairly certain SANS would not hire a spammer as a 'business analyst'. The handlers list has never been used to advertise any job openings. Which really has me wondering where he got it? Also where would he get the idea that spamming random people on the Internet would help his job search
Products, Services, and Solutions
Qosmos Extends Technical Leadership in Embedded DPI for Physical, SDN and NFV Architectures (Enterprise Apps) Qosmos® today unveiled significant advancements in Deep Packet Inspection (DPI) and network intelligence technology with the latest version of ixEngine®, the most widely used DPI and metadata engine on the market. The newest software includes substantial enhancements in the areas of processing speed, application intelligence and software defined networking (SDN) and Network Functions Virtualization (NFV)
Janrain to shutdown MyOpenID Q1 2014 (CSO) Janrain CEO Larry Drebes has announced that the provider will be shutting down the authentication system in February of next year
ThreatSim to Offer Free Campaign Subscriptions to New Customers This October in Recognition, Support of National Cybersecurity Awareness Month (Digital Journal) ThreatSim, a leading innovator of simulated phishing defense training and awareness solutions, today announced it will offer new customers an entire month of free phishing training this October in support and recognition of National Cybersecurity Awareness Month
This Russian Software Is Taking Over the Internet (Wired) Automattic was replacing the web server software that underpins its popular WordPress blogging platform, and things weren't going well. This was 2008, and the company was intent on moving WordPress to software in line with its open source philosophy. The world's best-known web server, Apache, was the obvious choice, but when engineers started tinkering with the way the software was set up, Apache would crash, especially when WordPress was really busy. "We realized that it wasn't super-stable under production traffic," says Barry Abrahamson, a WordPress "systems wrangler" who helped manage the transition
Technologies, Techniques, and Standards
Secure Crypto: Keys in Memory (RSA Speaking of Security) Keys protect sensitive data and in turn are themselves sensitive data. With applications moving to the cloud, there can no longer be a guarantee of server exclusivity. Hackers can leverage off this in attacks. One attack method is to look at the swap space on disk. If a target application is forced to crash, then there is no opportunity to clean up memory. The disk can then be scanned for unprotected keys. Another type of attack is to reuse the memory. Once again an application is forced to crash and a new application is started that grabs as much memory from RAM as possible. This memory will include the crashed application's data and the attacker scans for unprotected keys
Suspicious activity reports use in fusion centers limited by technology (FierceHomelandSecurity) Fusion centers say an inability to download suspicious activity report data via a federated database search tool or through the FBI's eGuardian tool limits their ability to integrate that data into their analytic processes
New NIST technical specification allows derived PIV authentication for mobile devices (FierceGovIT) A new NIST technical publication will allow federal agencies to use chip-based identity authentication in mobile devices as a way of extending personal identity card verification to devices otherwise not equipped for it
Prisons get a new way to stop inmates from using cell phones (GCN) It's hard to keep a bad man down. The Government Accountability Office reported that in 2011 a federal inmate was found running an identity-theft ring from prison using a contraband cell phone. Federal and state prison authorities have confiscated thousands of illegal phones in the past few years, and the Federal Communications Commission and correctional officials say their use poses a public safety risk
Can You Hack A Heartbeat? (InformationWeek) Nymi biometric wristband promises to let you unlock everything from cars to hotel rooms without a PIN or password. It authenticates you using heart rhythms
Busting the Biometric Myth – once and for all (WIKID Systems) Hopefully. Biometrics continue to gather VC money and customers. They promise to be the end-all of two-factor authentication. But are they more like snake-oil. Everyone repeat after me: Biometrics are terrible authenticators. Way too many people, even security and identity people see biometrics as "magic security dust" for two-factor authentication. It is way past time that we, the security community bust this myth. It is important because, unlike spending on firewalls which is insufficient but necessary, biometric infrastructure will need to be ripped out and thrown away. Any VC that is considering investing in a biometric company is wasting money that could be invested in a company that might make a difference
Staying Secure in the Cloud Age (Uptime Systems) The use of cloud computing has changed the way we do business and who we trust with our confidential information. Networks are costly burdens to many companies, so a large number of them are now turning to cloud computing providers for their application and storage needs. If you are considering a move to a cloud service, there are a number of things you need to do to ensure that your identity and information is safeguarded. Here are our top recommendations
Recruitment, training of security pros are key to critical infrastructure protection (FierceITSecurity) Nuclear security experts say other CI firms can learn from nuclear industry best practices
Top languages used in analytics, data mining and data science (FierceBigData) While everyone in the tech end of big data has their favorite language, and their own guess as to which language is the prevailing language in the community, few actual studies have been conducted to see how they actually line up in terms of popularity. Thus, KDNuggets' poll is most welcomed--even if the results are limited to its own readers. At least it is a study that sheds some much needed light on who's on first
Research and Development
Pocket–sized cloud to put privacy back into communications, foul big data collection (FierceBigData) Much of the spying that occurs from our government, other governments and a host of cyber-criminals happens at the server level. Until recently, most thought that server and network protection was the only recourse even though many thought such attempts fall short in completely securing data. But leave it to DARPA to find a work-around. Enter the pocket cloud
Legislation, Policy, and Regulation
NSA's pipe dream: Weakening crypto will only help the "good guys" (Ars Technica) Ruining the foundation of online trust? Just collateral damage to spooks. Ever since Edward Snowden began leaking NSA secrets earlier this year, President Obama has insisted that they weren't "whistleblowing" in any useful sense because they didn't reveal any abuses. Instead, they simply revealed secret programs that were
The NSA's work to make crypto worse and better (Ars Technica) Leaked documents say that the NSA has compromised encryption specs. It wasn't always this way. The mission of the US' National Institute of Standards and Technology, NIST, is to create technical and measurement standards to make US manufacturing and industry more competitive
The US government has betrayed the internet. We need to take it back (The Guardian) The NSA has undermined a fundamental social contract. We engineers built the internet — and now we have to fix it. 'Dismantling the surveillance state won't be easy. But whatever happens, we're going to be breaking new ground.' Government and industry have betrayed the internet, and us. By subverting the internet at every level to make it a vast, multi-layered and robust surveillance platform, the NSA has undermined a fundamental social contract. The companies that build and manage our internet infrastructure, the companies that create and sell us our hardware and software, or the companies that host our data: we can no longer trust them to be ethical internet stewards
EU Parliament told to expect more revelations about NSA spying (PC World) At the start of an inquiry into American government communications surveillance programs Thursday, European parliamentarians (MEPs) were told to expect further revelations of mass spying by the U.S. National Security Agency (NSA). Prominent hacker and Internet activist Jacob Appelbaum told the European Parliament's civil liberties committee (LIBE) that more information about government spying, this time involving private home Wi-Fi, is bound to come to the attention of the public
Obama Promised Answers on Spying by Wednesday: Brazil (SecurityWeek) US President Barack Obama has promised answers by Wednesday to allegations of US spying on Brazil's President Dilma Rousseff, her government said Friday. Obama made the commitment to Rousseff, who met with the US president on Thursday on the sidelines of a G20 meeting in Russia, the Brazilian presidency said in a statement
Litigation, Investigation, and Law Enforcement
Obama did not request Snowden's extradition at meeting: Putin (Reuters) Russian President Vladimir Putin said on Friday after meeting Barack Obama that the U.S. president did not request the extradition of former spy agency contractor Edward Snowden, who has received temporary asylum in Russia
Google, Microsoft pursue transparency lawsuit against government (FierceGovIT) Google and Microsoft are suing the federal government for permission to publish the Foreign Intelligence Surveillance Act requests the companies receive. However, recent negotiations between the tech giants and the Justice Department haven't resolved the legal battle, according to a Microsoft blog post
Sensenbrenner files amicus brief supporting ACLU lawsuit against bulk telephone metadata storage (FierceGovIT) A congressional author of the Patriot Act says Congress never authorized the intelligence community's bulk storage of telephone call metadata, submitting an amicus brief supporting an American Civil Liberties Union lawsuit seeking to have the collection stopped on constitutional grounds
For second time this summer, HHS levies million dollar fine for medical data breach (FierceITSecurity) Affinity Health Plan forgot to erase sensitive health data from hard drives of leased photocopiers
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
GovConnects Business Breakfast: Surviving Sequestration (Elkridge, Maryland, USA, Sep 17, 2013) This Business Breakfast will feature presentations by seasoned professionals in the field of government contracting as they share best practices for dealing with current challenges of doing business in the time of sequestration, and answer CEOs' questions from legal and accounting perspectives. [Editors' note: this event is expected to be devoted essentially entirely to cyber contracting.]
TechCrunch Disrupt San Francisco (San Francisco, California, Sep 7 - 11, 2013) For the fourth year in a row, TechCrunch Disrupt will take over the San Francisco Design Center Concourse, and we're bringing the hottest startups and best minds in the industry with us. Block off September 7-11 on your calendar, because you're not going to want to miss Disrupt SF 2013. The Hackathon kicks everything off, followed by our main event, which starts every morning with panels of special speakers and guests, one-on-one chats featuring TechCrunch writers and editors, special guest speakers and judges, leading venture capitalists and fascinating entrepreneurs addressing the most important topics facing today's tech landscape. In the afternoons, the Startup Battlefield presentations begin, with the final presentations held on the last day of Disrupt.
SANS CyberCon Fall 2013 (Online, Sep 9 - 14, 2013) With sequestration still in place, organizations are finding themselves with training budgets, but drastically reduced travel budgets. This one-of-a-kind online training event brings SANS' top instructors teaching SANS' top courses to those who can't travel.
15th Annual AT&T Cyber Security Conference (New York, New York, USA, Sep 10, 2013) The AT&T Cyber Security Conference is an annual day-long conference offered by the AT&T Chief Security Office. Combining the expertise of its security experts, the scale and reliability of its global IP network and the innovation of AT&T Labs, AT&T is giving businesses some of the most powerful weapons available today in their battle against cyber security attacks. The conference showcases AT&T's leadership in helping businesses, large and small, manage the increasingly complex and critically important security of their IT networks and assets.
First Regional Southeast Conference on Cyber Security for National Security (Charleston, South Carolina, USA, Sep 10, 2013) The First Southeast Regional CS4NS Conference focuses on the immediate need of strengthening the critical cyber infrastructure of our nation. The conference will address the current cyber security state and rank vulnerabilities of our Critical Infrastructure/Key Resources (CI/KR), Internet Infrastructure, and available security resources. Discussions will highlight future development needs and solutions, especially for underserved businesses and government. Overall, CS4NS will answer the question "Are we secure?"
International Common Criteria Conference (Orlando, Florida, USA, Sep 10 - 11, 2013) FBC invites you to participate in the International Common Criteria Conference (ICCC) taking place in Orlando, Florida. This is the first time since 2000 that the ICCC is taking place in the U.S. The ICCC has become the main marketing and meeting opportunity for all those involved in the specification, development, evaluation, and validation or certification of IT security.
Angel Venture Forum: Cyber Security & Healthcare Investment Conference (Washington, DC, USA, Sep 11, 2013) With the increasing adoption of cloud computing, mobile devices and web-based applications, hackers have more opportunities than ever to infiltrate and crash network systems, especially in healthcare, which is increasingly becoming more vulnerable. The two greatest areas of opportunity for investment capital and the start-up community are in healthcare and cyber security. The nexus of these two sectors provides an even greater and more focused set of opportunities for investment. The Angel Venture Forum brings together all star roundtables of experts to opine and discuss the topics and the opportunities herein.
GrrCon (Grand Rapids, Michigan, USA, Sep 12 - 13, 2013) Says IT World, "Another hacker conference, this time in Michigan. The schedule looks to be bawdy, brash and anything but dull, with hackers promising to "pwn" you before you leave town. There are also sessions on penetration testing tools and mobile hacking methods."
cybergamut Technical Tuesday: Malware Analysis for the Masses (Columbia, Maryland, USA, Sep 17, 2013) With malware becoming more prevalent, and the pool of capable reversers falling short of overall need, there is a greater need to provide quick and efficient malware analysis for network defense. With modern technology and tools, it's now possible for junior security analysts to gather detailed malware indicators to craft defense and alert signatures. More enticing, all of this can be done with free tools and applications, some written by this presenter.
Shaping the Future of Cybersecurity Education Workshop (Gaithersburg, Maryland, USA, Sep 17 - 19, 2013) The third annual Shaping the Future of Cybersecurity Education Workshop will be held at the National Institute of Standards and Technology (NIST) in Gaithersburg, MD and focus on "Navigating the National Cybersecurity Education Interstate Highway".
NovaSec! (McLean, Virginia, USA, Jun 13, 2013) NovaSec! is Northern Virginia's largest Cybersecurity and physical security networking event of the year. We are bringing together security professionals from commercial and government organizations with members of local Northern Virginia businesses and associations to allow participants to meet, interact on key issues and provide a unified forum to network with like-minded individuals.
Strange Loop (St. Louis, Missouri, USA, Sep 18 - 20, 2013) Meet us in St. Louis, Sept 18-20th, 2013, to make connections with the creators and users of the languages, libraries, tools, and techniques at the forefront of the industry. Find out where we're going…and where we're not. Topics include emerging languages, concurrent and distributed systems, new database technologies, front-end web, and mobile.
ISSA Cyber Security Forum at Ft Belvoir (Fort Belvoir, Virginia, USA, Sep 19, 2013) This event will allow personnel from Fort Belvoir the chance to learn about the latest cyber security trends, network with peers, discuss Army best practices and to view and demo some of the latest cyber security and information technology products/services available today. This is an excellent opportunity for exhibitors to network with key decision makers, cyber, technology, communications and contracting personnel from various commands and tenant units at Fort Belvoir.
CISO Executive Summit (Atlanta, Georgia, USA, Sep 19 - 20, 2013) Be on the forefront of a new global initiative where today's world-class leaders in information security will gather to navigate through international waters. Join these leaders as they follow the wind of change that is sweeping through the IS community motivating today's information guardians to develop a new way of thinking to ensure success in protecting their respective organizations. (At Hacker Halted USA.)
2013 Cyber Security Summit (New York, New York, USA, Sep 25, 2013) The 2013 Cyber Security Summit connects executives responsible for protecting their company's critical infrastructure with innovative product, service and solution providers. The one day event, to be held September 25th at the Hilton in New York City, will showcase the latest tools and resources available to defend against cyber crime on both corporate and government levels. Keynote addresses and interactive panel discussions led by notable security experts will highlight strategic priorities, risk factors, threats and provide inspirational guidance to prepare and protect from attacks.
4th Annual Cybersecurity Summit (Washington, DC, USA, Sep 25, 2013) GEN Keith Alexander, Commander of U.S. Cyber Command, Director of the NSA/Chief, Central Security Service and Dr. Pat Gallagher, Director, NIST are among the distinguished speakers confirmed to keynote at the 4th Annual Cybersecurity Summit on September 25, 2013 at the National Press Club in Washington, D.C. Michael Daniel, White House Cybersecurity Advisor, and Gen. Keith Alexander, Commander U.S. Cyber Command, and Director, NSA, are confirmed to keynote. Cybersecurity topics to be addressed include: the White House Cybersecurity Executive Order, the Cybersecurity Framework and New Emerging Standards for Critical Infrastructure, information sharing, mobile security and BYOD, legislative developments in cybersecurity, big data and cloud cybersecurity, continuous monitoring, cyber situational awareness, and the JIE rollout active defense and cyber warfare. Organized by Billington CyberSecurity™.