The CyberWire Daily Briefing for 9.9.2013
Cyber security chatter at the week's opening is driven by, first, the US Administration's continued push for punitive operations against the Syrian regime (with attendant minor hacktivism and opportunistic cyber crime), second, the coming anniversary of al Qaeda's 9/11 terror attacks (with Islamist calls for cyber rioting), and third, concerns over NSA surveillance capabilities.
These last are exacerbated by Der Spiegel's weekend reports of pervasive NSA smartphone data inspection. Many observers regard Spiegel's claims as overblown, but they've contributed to general worries about electronic surveillance. The consensus is that NSA generally attacked encryption implementations as opposed to the algorithms themselves (which realization has breathed some life into a long-shot US House bill to restrict backdoors), and that making full use of strong encryption remains an important (and generally effective) security measure.
There is no shortage of advice on how to achieve and preserve security, ranging from dead-man switches to quantum cryptography (a bit prematurely, this, despite recent advances—quantum cryptography isn't exactly available at the corner office supply store).
Hackers continue to probe Joomla and WordPress users. Obad and Hesperbot worry online banking customers in Europe and the Middle East. It's increasingly clear that Sykipot malware users target US civil aviation.
Auburn University, recently designated an NSA cyber center of excellence, expands programs that enable students to work with the US Intelligence Community.
As the US seeks to soothe cyber relations with (among others) Germany, Mexico, and Brazil, the Register describes the scope of the Indian government's lawful intercept operations.
Notes.
Today's issue includes events affecting Australia, Brazil, China, Czech Republic, Germany, India, Japan, Mexico, New Zealand, Portugal, Russia, Singapore, Syria, Turkey, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Hackers publish 165,000 Israelis' information (Israel Hayom) The attacks bear the marks of pro-Syrian hackers from Spain, Canada and Brazil. Hackers leave message deep inside website's code, threatening a massive cyber attack on September 11. A pro-Syrian hacking group breached Israeli and American websites and released the personal information of over 165,000 Israelis. The biggest breach, part of an organized cyberattack on numerous websites over the past few days, was in a website that offered web hosting services. The breached site provided all information on its users, including names, phone numbers, email addresses, home addresses and passwords
Data Shows No Link Between Syrian Electronic Army and Iran (Wall Street Journal) The Syrian Electronic Army is not receiving help from hacking groups linked to Iran, according to a firm that helps large Fortune 500 companies track emerging cyber threats. There's been a considerable amount of speculation about whether the hacking group that recently attacked websites belonging to the U.S. Marine Corps and The New York Times is getting help from outside groups as it ramps up activity and its methodology improves
Beware! Fake CNN emails about USA bombing Syria spread malware (Graham Cluley) Malicious hackers have spammed out an attack designed to infect computers, disguised as a breaking news story about the United States bombing Syria
Chemical Attack in Syria Used as Enticement in Targeted Attack (Symantec) Targeted attacks are a daily occurrence and attackers are fast to employ the latest news stories in their social engineering themes. In a recent targeted attack, delivering a payload of Backdoor.Korplug and caught by our Symantec.cloud services, we observed an attacker taking advantage of a recently published article by the Washington Post in relation to chemical attacks in Syria. The attacker took the full text of the article and used it in their own malicious document in an effort to dupe victims into believing the document was legitimate
Privacy Scandal: NSA Can Spy on Smart Phone Data (Der Spiegel) SPIEGEL has learned from internal NSA documents that the US intelligence agency has the capability of tapping user data from the iPhone, devices using Android as well as BlackBerry, a system previously believed to be highly secure
No, the NSA can't spy on arbitrary smartphone data (Errata Security) The NSA has been exposed as evil and untrustworthy, but so has the press. The press distorts every new revelation, ignoring crucial technical details, and making it sound worse than it really is. An example is this Der Spiegel story claiming "NSA Can Spy On Smartphone Data", such as grabbing your contacts or SMS/email stored on the phone. Update: That was a teaser story, the actual story appearing tomorrow (available here) has more facts and fewer speculations than the teaser story
Did the NSA Subvert the Security of IPv6? (Infosecurity Magazine) Following the Snowden leaks revealing Bullrun – the NSA program to crack the world's encryption – there is an emerging consensus that users can no longer automatically trust any security. Cryptographer and EFF board member Bruce Schneier has given advice on how to be as secure as possible. "Trust the math," he says. "Encryption is your friend. Use it well, and do your best to ensure that nothing can compromise it. That's how you can remain secure even in the face of the NSA." He confirms the growing consensus that Bullrun's greatest success is in subverting the implementations of encryption rather than in the ability to crack the encryption algorithms themselves
Of course NSA can crack crypto. Anyone can. The question is, how much? (Ars Technica) The known unknowns of NSA's crypto cracking. Making and breaking encryption is one of the main roles of a signals intelligence agency. That NSA engages in such activities is not surprising. Aspects of this work aren't even secret: NSA involvement in the development of some cryptographic standards was legally mandated and openly acknowledged
NSA surveillance targeted Google, 2 other private companies, Brazilian TV report says (Cleveland Plain Dealer) The National Security Agency's spying targeted the private computer networks of Google, a company that facilitates most of the world's international bank transfers and Brazil's state-run oil firm Petrobras, according to documents leaked by Edward Snowden, a Brazilian TV report said Sunday night
We never share info with NSA, you can still use internet anonymously: Country Director of Google in Brazil (Hack Read) You can still browse anonymously on the internet and the perception that our emails are being spied is ''wrong'', says Fabio Coelho, Country Director of Google in Brazil. The internet giant was among the companies criticized recently after reports published by British newspaper The Guardian - based on documents leaked by former CIA technician Edward Snowden which had revealed links between these companies and
Google Racing to Encrypt Data Centers in Wake of NSA (PC Magazine) It's widely assumed that if the National Security Agency wants access to your data — you, being a common Web user who isn't armed to the teeth with all sorts of funky security setups and encryption mechanisms — it stands a good chance of getting it
More on the NSA and cryptography (The Economist) IN A recent blog post Babbage speculated what exactly an apparent cryptographic "breakthrough" achieved by America's National Security Agency (NSA) might be. The three possibilities were, in ascending order of likelihood: the development of a quantum computer, some fundamental progress in attacking the mathematics underlying cryptographic algorithms, or else the discovery of flaws in the specific implementations of those mathematics in individual bits of software
Has the NSA broken our encryption? (ZDNet) Reports of new Edward Snowden leaks of NSA documents claim that "the agency has circumvented or cracked much of the encryption" on which we rely on the Internet. Are we defenseless now? Reports in the Guardian and the New York Times claim that the NSA has cracked much of the encryption used on the Internet. Working in concert with their UK counterpart, the GCHQ, the NSA has used a variety of methods to gain access to data which should be unreadable by outsiders to the conversation. The basis for the reports are (of course) documents leaked by former NSA analyst Edward Snowden
NSA Revelations Cast Doubt on the Entire Tech Industry (Wired) Six years ago, two Microsoft cryptography researchers discovered some weirdness in an obscure cryptography standard authored by the National Security Agency. There was a bug in a government-standard random number generator that could be used to encrypt data. The researchers, Dan Shumow and Niels Ferguson, found that the number generator appeared to have been built with a backdoor — it came with a secret numeric key that could allow a third party to decrypt code that it helped generate
'Back door' spying claims set to hit tech groups (Financial Times) A range of US hardware and software companies are in danger of being dragged into the widening scandal over internet surveillance, following the latest leaks from Edward Snowden, the former National Security Agency contractor. The leaked documents include NSA claims that it has collaborated with technology companies to plant "back doors" into their systems — or ways for the agency secretly to penetrate systems without the users' knowledge
A new, secure and free Internet…Dream on (ZDNET) Bruce Schneier thinks we (engineers) should re-engineer the Internet to make it harder for governments to conduct surveillance. This is just silly. If we aren't willing to re-engineer it to stop criminals we sure won't do so to stop governments
Turkish Ministry of Food, Agriculture and Livestock website hacked by Black Angels (Hack Read) A hacker going with the handle of Black Angels has hacked and defaced two official websites of Turkish government ministry of Food, Agriculture and Livestock along with its International Training Center website earlier today. Hacker's identity remains anonymous as he leaves a deface page along with a video message on both hacked websites
Backdoor brute-forces Joomla and WordPress sites (Help Net Security) A recently discovered backdoor with brute-forcing capabilities that are used against Joomla- and WordPress-managed blogs has shown, once again, the importance of keeping your content management system
Anatomy of a phish—a "generic mass targeted attack" against WordPress admins (Naked Security) Naked Security reader Lisa Goodlin is a website designer and a WordPress user. She was recently targeted by cybercrooks trying to phish her WordPress credentials, and though the phish ended up being comical rather than threatening, there were some useful lessons to be learned
Android Trojans gain botnet distribution, new code (CSO) Obad malware grows through zombie net, while Hesperbot takes a new tack on banking malware. A dangerous Trojan that targets Google's Android mobile operating system has gained new nefarious capabilities even as a new banking malware takes aim at the OS, according to security researchers. Kaspersky Lab reported that mobile botnets are being used to distribute the Obad.a Trojan, which can gain administrative rights on an Android device—allowing its masters to do pretty much anything they want with a handset. Meanwhile, Eset revealed that a bad app it discovered earlier this month—Hesperbot—is actually a mobile banking Trojan along the lines of Zeus and SpyEye, but with significant implementation differences that make it a new malware family
Sophisticated, 'potent' trojan targets online bank users (ZDNet) A new trojan has been discovered by security researchers, who say that although similar to the infamous Zeus and SpyEye, "Hesperbot" is a potent member of a new malware family
Spy Service Exposes Nigerian 'Yahoo Boys' (Krebs on Security) A crude but effective online service that lets users deploy keystroke logging malware and then view the stolen data remotely was hacked recently. The information leaked from that service has revealed a network of several thousand Nigerian email scammers and offers a fascinating glimpse into an entire underground economy that is seldom explored. At issue is a service named "BestRecovery" (recently renamed PrivateRecovery). When I first became aware of this business several months ago, I had a difficult time understanding why anyone would pay the $25 to $33 per month fee to use the service, which is visually quite amateurish and kludgy (see screenshot at right)
Bad routers trigger outage at cloud service provider Intermedia (FierceCIO: TechWatch) Cloud service provider Intermedia suffered network problems early this week that took down its entire network for a number of hours. According to Intermedia CEO Phil Keon, abnormalities were observed in the company's core routing equipment at about 7am EST on Tuesday, September 3. By 8am, company technicians started systematically rebooting affected network devices to restore network connectivity, which was completed by 3:30pm
Chinese Cyberspies Are Hacking Into America's Small Businesses, But Not For The Reason You'd Think (Huffington Post) A wide range of small businesses and institutions -- from pizza restaurants and medical clinics to synagogues and universities -- have been both victims and unwitting accomplices in sophisticated cyber espionage campaigns being carried out by hackers in China, security researchers told The Huffington Post. For years, Chinese cyberspies have been quietly hacking computers at such places, but not to steal their data, researchers say. Rather, they have taken over their PCs and used them to disguise attacks against other companies
Scammers pop up in Android's Calendar App (Webroot Threat Blog) Over the last couple of days, we've intercepted a rather interesting fraudulent approach that's not just successfully hitting the inboxes of users internationally, but is also popping up as an event on their Android Calendar apps. How is this possible? Fairly simple
Sykipot Malware Now Targeting Civil Aviation Information (Dark Reading) An older malware exploit called Sykipot has recently been reworked to steal data on the civil aviation sector in the United States, researchers say. According to a new blog from researchers at Trend Micro's TrendLabs, the retooled attack appears to be an intelligence-gathering operation. "The intentions of this latest round of targeting are unclear, but it represents a change in shift in objectives or mission," the blog states
Security Patches, Mitigations, and Software Updates
Vulnerability Reported in Sophos Web Appliance (Internet Storm Center) Sophos has reported a combination of vulnerabilities that can be used to perform a remote privilege escalation and gain unauthorised privileged access to the device…If automatic updating is enabled the fix should be applied without further intervention
Microsoft to release 14 bulletins patching Office, Windows, IE and .NET (Help Net Security) September's edition of Microsoft's patch Tuesday advance notification has emerged in all its glory. A hefty 14 bulletins are in the offing, split equally between the MS Office family and Windows OS
Cyber Trends
Why a cyberwar won't happen (New Scientist) Talk of combat in the fifth domain has become a fixture in Washington. But let's not use that as an excuse to quash a free internet, says a war studies academic. Exactly two decades ago, the RAND Corporation, an influential think tank, proclaimed that "cyberwar is coming!" In 2005, the US Air Force declared it would now "fly, fight, and win in cyberspace". The future of war would surely play out in that fifth domain, on top of land, sea, air and space. Dark warnings of "Cyber Pearl Harbor" soon became a staple of Washington discourse
Saudi enterprises need a new approach as cybercrime rises (Al Arabiya) Approximately 54 percent of IT professionals in the GCC admit that their organizations had a minimum of one cyber security incident in the past 12 months, according to a GBM survey. Cybercrime is on the rise across the Middle East and in Saudi Arabia, and protecting against cyber threats is an ongoing management challenge for organizations in the country. A recent annual survey by Gulf Business Machines (GBM) has found that approximately 45 percent of IT professionals in the GCC admit that their organizations had at least one IT security incident that they were aware of in the last 12 months. There are many weaknesses in traditional cyber security models, but there are also new and improved solutions arising in the market
Is mobile privacy a bigger concern than a phone's brand? (Help Net Security) A new Harris Interactive study provides a valuable barometer on current consumer perceptions and mobile privacy trends by examining issues, such as data collection, geo-location tracking, mobile advertising
Small businesses' BYOD practices leave them one cyber attack away from bankruptcy (V3) Inadequate bring-your-own-device (BYOD) policies are leaving small to medium-sized businesses open to attack by cyber criminals, according to security firm AVG. AVG's SMB general manager Mike Foreman said despite progress in educating SMBs about basic network security, they are still woefully under-informed about the threats they face when using consumer devices, such as smartphones and tablets, for work purposes
Willis: Smaller Companies Staying Silent on Cyber Risk (Property Casualty 360) Large companies are more robustly embracing cyber risk disclosure than smaller corporations, shows a Willis study of data culled from U.S. public company filings in response to a U.S. Securities and Exchange Commission call for e-exposure reporting
Estimated HIPAA compliance time toll a whopping 32.8 million hours (FierceHealthIT) Healthcare organizations will spend 32.8 million hours complying with the modified HIPAA omnibus rule, according to the Department of Health and Human Services' Office for Civil Rights. The bulk of that time--30.655 million hours--involves the dissemination and acknowledgement of privacy practices at provider offices, a notice published in the Federal Register reveals
IT Life: Security Down The Years (TechWeek Europe) Craig Kensek has been doing security since the "I Love You" virus was doing the rounds. Craig Kensek is senior manager at security firm AhnLab. He's been 27 years in the industry, with previous stints at Blue Coat, AVG, McAfee and Trend Micro, so he lives and breathes security and storage. What has been your favourite project so far? I'll mention a trio. I was involved with rolling out one of the first web-based storage management consoles. It was in alpha/beta and didn't work on one particular flavour of Unix. We put the box it was running on behind the curtain, told people at the event it was running on that flavour, and still ended up rebooting whenever people weren't around
Marketplace
NEC sets up research facility in Singapore (ZDNet) NEC opens research facility in Singapore to tap analytics and big data technologies to resolve infrastructure challenges locally and globally, with special focus on safety, security, and smart energy
Northrop Grumman to Develop Cyber Visualisation Tools as Part of UK Research Programme (Wall Street Journal) Northrop Grumman Corporation (NYSE: NOC) has been retained by the Defence Science and Technology Laboratory (Dstl) to carry out a further phase of development of the N.Guru Cyber Situational Awareness System, the software application for the visualisation of cyber events for decision makers
Guidance Software: Everyone Sold But The Insiders (Seeking Alpha) Guidance Software, Inc. (GUID) provides a digital infrastructure in order to collect and preserve evidence for investigative purposes, while providing a verifiable process for presenting evidence in discovery. Their software was recognized by Gartner as a leader in e-discovery and is used in 65% of Fortune 100 companies and 40% of Fortune 500 companies
May the Sourcefire be with ANZ partners (TechDay) Cyber-security solutions provider Sourcefire has today announced increased momentum of partners and distributors throughout Australia and New Zealand, and the wider Asia Pacific region. Selecting Sourcefire as partner of choice, the recent appointment of WhiteGold Solutions as a distributor in ANZ is among the key milestones that have contributed to the company's growing partner footprint throughout the region
Mass. cyber security firms untangle Web attacks (Boston Herald) A string of high-profile hackings over the last year has turned out to be a boon to Bay State companies that specialize in cyber security
General Dynamics to Provide Cyber Security Tools and Services to Increase Security of .gov Networks (Wall Street Journal) General Dynamics Information Technology, a business unit of General Dynamics (NYSE: GD), is one of 17 companies selected to provide cyber security services to the U.S. Department of Homeland Security (DHS) and other government agencies, including state and local entities as well as the defense industrial base sector, through a blanket purchase agreement issued by the General Services Administration (GSA). The five-year Continuous Diagnostics and Mitigation agreement has a potential value of $6 billion to all awardees if all options are exercised
DLT Wins DLA Symantec Software License Maintenance Order (GovConWire) DLT Solutions has won a $12,375,152 delivery order from the Defense Logistics Agency to help maintain Symantec software licenses acquired by the Marine Corps
CCSi to Offer Agencies Nexum Cyber Products Under NIH Govt-Wide Contract (Executive Biz) Creative Computing Solutions will offer Nexum's cybersecurity and networking products to federal agencies under a government-wide contract awarded by a National Institutes of Health office
Products, Services, and Solutions
Microsoft's picture-authentication welcomed given password fatigue (CSO) But while an alternative for consumers, picture-passwords are a poor choice in enterprises because they do not work with Active Directory
Anonymous user authentication from LaunchKey (Help Net Security) LaunchKey introduced anonymous user authentication capabilities as part of its technology platform that kills passwords. The new multi-factor authentication technology architected by LaunchKey
SpydrSafe Mobile Security 2.0 released (Help Net Security) SpydrSafe 2.0 integrates with and leverages iOS 7's new native application management capabilities. In addition, it delivers an array of proprietary, advanced security features, not natively available
Free asset tracking for SMBs (Help Net Security) GFI Software announced Free Asset Tracking Forever, a no-charge component of the GFI Cloud suite of cloud-based IT management services that enables organizations to audit and asset manage servers and
Honeywell launches API for cloud-connected thermostat (Business Cloud News) Honeywell is looking to attract developers building value-added services atop its wifi-enabled thermostats. Consumer product and engineering conglomerate Honeywell on Thursday announced the launch of an API programme that will enable development partners to build applications that integrate with the company's thermostat products
Fast USB 3.0 flash drives from Toshiba (Help Net Security) Toshiba Electronics Europe has launched an updated range of Super Speed USB 3.0 flash memory USB drives. The TransMemory-EX IITM drives feature increased read and write speeds and are available with
Nokia Looking To Bring Quantum Cryptography To Smartphones (Ubergizmo) As it stands the security on our mobile phones isn't as tight as it should be. There are ways for hackers to bypass the lock screen, and for those who don't bother
Technologies, Techniques, and Standards
SSL is broken. So what? (Internet Storm Center) It is hard to ignore the recent news about government sponsored internet surveillance campaigns, which are alleged to involve decrypting SSL traffic. In light of this news, should you do anything differently? Does it matter to your network and how? Even if today only a small group possesses the knowledge and resources to decrypt SSL, chances are that this secret will leak like so many and the resources required to apply the techniques will only get cheaper and in turn become available to well funded adversaries like organized crime. The information once decrypted may also be at risk from being compromised by anyone who compromised the organization that now holds the data. So does it matter? First of all, I don't think there is "proof" at this point that SSL in itself has been broken. SSL and the encryption algorithms it negotiates have seen many implementation issues in the past, and it is fair to assume that broken implementations, bad random number generators and sub-optimal configurations make breaking "real life" SSL a lot easier than it should be based on the strength of the underlying algorithms. Additionally, in many high profile attacks, SSL wasn't the problem. The end point or the SSL infrastructure was compromised instead and as a result, the encryption algorithm didn't matter
How to foil NSA sabotage: use a dead man's switch (The Guardian) Registering for nothing-to-see-here deadlines could help to sound the alert when a website has been compromised. 'The deliberate sabotage of computers is an act of depraved indifference to the physical security and economic and intellectual integrity of every person alive.' The more we learn about the breadth and depth of the NSA and GCHQ's programmes of spying on the general public, the more alarming it all becomes. The most recent stories about the deliberate sabotage of security technology are the full stop at the end of a sentence that started on 8 August, when the founder of Lavabit (the privacy oriented email provider used by whistleblower Edward Snowden) abruptly shut down, with its founder, Ladar Levison, obliquely implying that he'd been ordered to secretly subvert his own system to compromise his users' privacy
How Not To Be Paralyzed By NSA Revelations (Forbes) This semester at the University of Utah I am teaching Communication 5620, International Communication. In our Thursday sessions, we do a round-up of weekly news items from the previous week, chosen by the students, that relate to international communication. Not surprisingly, most of the stories chosen for this week related to revelations of NSA surveillance, as well as cyber attacks surrounding the conflict in Syria. In turn, this sparked a number of questions and a discussion about what can be done to protect our online privacy
Yes, the NSA Hacked Encryption — But You Have a Defense (The Atlantic Wire) In light of the revelation that the NSA has a variety of ways of accessing encrypted information, we reached out to the Electronic Frontier Foundation for their thoughts on what it meant for personal online communication. For example, could hackers take advantage of the NSA's encryption back doors to access your information? Well, no, hackers aren't much more likely to be looking at what you do online than they already are. You should do more to protect your privacy from them anyway
It's Probably Your Fault the NSA Can Crack Your Encryption (CSO) The world of information security is once again aflutter with news that the NSA can "break" Internet encryption, but perhaps you're at least partially to blame. The NSA is making headlines once again thanks to new revelations from fugitive whistleblower Edward Snowden. Snowden claims that efforts to encrypt communications are incapable of preventing access by the NSA, but at least one security expert maintains that this claim is probably exaggerated, and that you may play a significant role in allowing the NSA to "break" your encryption
What Enterprises Can Learn from NSA Encryption Cracking (Sci-Tech Today) The new revelations about the NSA cracking most Internet encryption tools should be starting a conversation among enterprises around just what constitutes strong cryptography, and how to implement it securely. That includes avoiding vendor-locked encryption that is susceptible to NSA influence, said CloudLock's Kevin O'Brien
Despite NSA Advances, the Internet Still Holds Some Secrets (Wall Street Journal) Internet users likely still have options to keep their digital secrets from prying eyes, even if the National Security Agency can now subvert much of the encryption on the Internet, cybersecurity experts and cryptologists say
NSA Hackers Prove Internet Security Has No Clothes. Enter Quantum Mechanics. (Technorati) Stories continue to leak the extent to which the National Security Agency can look at even the most secure of our banking, shopping, real estate, legal and other transactions across the Internet
Beware of backups that come back to bite you (InfoWorld) The problem with packrat backups is that you never know when or where they're going to pop up. Last week I wrote about rsync and how it can be used for a wide variety of tasks. One of the main uses, of course, is for backups -- and not just poor-man's backups. In many cases, using a hard-link rsync backup scheme from one storage array to another can be extremely useful. It can even be better than "standard" backup schemes
5 Signs Of Trouble In Your Network (Dark Reading) Whether to improve performance, gather business intelligence, or detect security threats, log management boils down to three steps: Collect the logs, store the data, and analyze the data to identify patterns
Why planning is key to combating cyber threats and attacks (The Guardian) There is no foolproof way to prevent a cyber attack, but it is possible for organisations to strengthen their defences. Last month's cyber security report by Kent University offered a startling insight into the challenges faced in combating escalating cyber threats. According to the research, about 9 million Brits saw their online accounts hacked in the past year, with 8% of the population claiming to have lost money as a result. While the debate over the wider economic impact of cyber crime continues, there is little doubt that the annual cost to the UK public and private sectors is well into the billions, with some estimates putting the figure as high as £27bn
Protect yourself and don't regret using social media (Help Net Security) Those who have ruined their reputations and damaged their careers after posting inappropriate material on social networks include politicians, movie and sports stars as well as teachers, police office
Understanding and defending against Denial of Service attacks (Help Net Security) Denial of Service (DoS) attacks continue to be on the rise, which is no surprise given our ever-growing dependency on Web-based services, coupled with the fact that these attacks are relatively cheap
How to Prevent Child Identity Theft Part Two: What Business Can Do (Huffington Post) A recent Panda Security research report found that 31 percent of PCs have been infected with malware. Many of these malware strains are designed to give a
Decisions or Disgrace? The purpose of breach notification and why I think we're doing it wrong. (Verizon Security Blog) Few would argue that mandatory notification laws have changed public and professional awareness of data breaches over the last 5 to 10 years. We hear about many more of them these days, and compiled listings are available should we wish to look further. But is this the ultimate purpose of breach notification - that we know they exist and track them in a list? I think not
Design and Innovation
Hey Japan, What's Up With Your Startup Culture? (Fast Company) When Americans hear "entrepreneur," we think visionary young techie out to change the world. When Japanese hear it, they think "selfish, greedy, untrustworthy criminal." Why? And how can Japanese young people get back the creative spirit of the '50s? Terra Motors, maker of the iPhone-compatible electric scooters which are out to replace gas motorcycles all over Asia, says times are changing
Research and Development
US Looking Overseas to Help Prop Up R&D (DefenseNews) Facing budget pressures that could limit agency spending and industry reticence at investing company funds, the US Defense Department is looking at how it can join with overseas partners, both countries and companies, to support research and development (R&D)
Quantum Networking a Step More Practical (Geeks are Sexy Technology News) British researchers have successfully tested a method of quantum cryptography that could make it a more practical system for large-scale communication
Academia
Learning Real–World Intelligence Analysis (SIGNAL Magazine) Officials at Auburn University, Auburn, Alabama, are developing a program that allows students from any academic discipline to work closely with the U.S. intelligence community in a variety of actual national security-related problems. The university is on track to begin offering a minor in intelligence analysis in the relatively near future and a major in the next five years
NSA names Auburn University a center of excellence in cyber operations (OANow) Auburn University is one of four universities selected by the National Security Agency to carry the designation of a National Center of Academic Excellence in Cyber Operations. Joining Auburn are Carnegie Mellon University, Mississippi State University and the Air Force Institute of Technology
Legislation, Policy, and Regulation
Doubts raised about independence of White House panel on NSA privacy (Miami Herald) President Barack Obama has announced the names of the five members of a task force to examine the National Security Agency's controversial collection of Internet and cell phone records, but privacy and open government advocates say they don't believe the panel is likely to be very critical of the NSA program. At the time Obama announced the panel's creation Aug. 9, anger at the extent of the NSA collection efforts was at its height, and the president's move was intended to calm growing congressional calls for curbs on the program. Obama said the panel would be made up of outside experts and would review the government's use of its intelligence-gathering capabilities and whether it adhered to constitutional standards
Bill would ban NSA encryption tactics (Boston Globe) After disclosures about the National Security Agency's stealth campaign to counter Internet privacy protections, a congressman has proposed legislation that would prohibit the agency from installing "back doors" into encryption, the electronic scrambling that protects e-mail, online transactions, and other communications. US Representative Rush D. Holt Jr., a New Jersey Democrat who is also a physicist, said Friday that he believed the NSA was overreaching and could hurt American interests, including the reputations of US companies whose products the agency may have altered or influenced
Long–shot bill forbidding NSA backdoors in encryption has renewed attention (Ars Technica) Introduced in July, the Surveillance State Repeal Act's provisions now seem more urgent. In the wake of revelations that the National Security Agency (NSA) has broken through many Internet privacy protections, Representative Rush D. Holt (D-NJ) has introduced legislation to prohibit the NSA from building backdoors into encryption mechanisms, according to The New York Times. While Rep. Holt actually introduced the legislation to the House in July under the name "Surveillance State Repeal Act," recent news may bring this bill more attention
Obama talks with Mexico, Brazil leaders on NSA (WDEF) The White House said Friday that President Obama discussed the National Security Agency's surveillance programs with the presidents of Mexico and Brazil while at the G-20 summit in Russia
Thousands in German anti–NSA protest (Global Post) Thousands took to the streets in Berlin Saturday in protests against Internet surveillance activities by the US National Security Agency and other intelligence agencies, and the German government's perceived lax reaction to them
Ten Things We've Learned About The NSA From A Summer Of Snowden Leaks (Forbes) "The truth is coming, and it cannot be stopped," Edward Snowden told readers of the Guardian in June. At the time, just a few weeks into the publication of documents that the 30-year-old former National Security Agency contractor had siphoned from his workstation in Hawaii, that prophetic statement might have seemed like grandstanding. But close to three months later, the collection of Snowden's revelations has grown to the megaleak proportions of WikiLeaks' Cablegate or Daniel Ellsberg's Pentagon Papers, with no end in sight. For those who watch the watchers, Snowden may well have become the most important leaker of the 21st century
Crypto Rebels (Wired) It's the FBIs, NSAs, and Equifaxes of the world versus a swelling movement of Cypherpunks, civil libertarians, and millionaire hackers. At stake: Whether privacy will exist in the 21st century. The office atmosphere of Cygnus Support, a fast-growing Silicon Valley company that earns its dollars by providing support to users of free software, seems like a time warp to the days when hackers ran free. Though Cygnus is located in a mall-like business park within earshot of US 101, it features a spacious cathedral ceiling overhanging a cluttered warren of workstation cubicles arranged in an irregular spherical configuration. A mattress is nestled in the rafters. In a hallway behind the reception desk is a kitchen laden with snack food and soft drinks. Today, a Saturday, only a few show up for work. The action instead is in a small conference room overlooking the back of the complex—a "physical meeting" of a group whose members most often gather in the corridors of cyberspace. Their mutual interest is the arcane field of cryptography—the study of secret codes and cyphers. The very fact that this group exists, however, is indication that the field is about to shift into overdrive. This is crypto with an attitude, best embodied by the group's moniker: Cypherpunks
Political Cypherpunks Trumps Apolitical Cryptography (Cryptome) What is striking about discussion on the two cryptography mail lists, both set up to minimize discussing political and social issues to avoid cypherpunks acceptance of them, is the tentative reconsideration of those issues due to Snowden's revelations, miniscule as they are
net.wars: Snooping as a service (Newswireless) We've known for years that the early 1990s crypto wars were at best only partially won and at worst completely lost. The key point: whether government could continue to control the deployment of strong cryptography, first via the International Traffic in Arms Regulations preventing export, and second through key escrow, ensuring that any deployed cryptographic systems had a government-accessible back door. When, in 1991, Phil Zimmermann wrote PGP and it got uploaded onto the Internet, it was widely believed that both prongs were doomed. Later, Zimmermann commented that the three-letter agencies could have utterly discredited his work by walking up to him on a stage, shaking his hand, and giving him a medal. Instead, the FBI investigated him for an intimidating while
Law and Cyber Expert: NSA's Anti–Encryption Efforts Compromise U.S. Security (Newswise) U.S. National Security Agency efforts to overcome encryption of online data weaken American security, undermine the government's duty to protect its own cyberinfrastructure and suggest intelligence agencies may not be cooperating at nearly the levels they promised to in a post-9/11 world, says Indiana University legal and cybersecurity expert Fred H. Cate
Conspiracy Theories and the NSA (Schneier on Security) I've recently seen two articles speculating on the NSA's capability, and practice, of spying on members of Congress and other elected officials. The evidence is all circumstantial and smacks of conspiracy thinking -- and I have no idea whether any of it is true or not -- but it's a good illustration of what happens when trust in a public institution fails
A new, secure and free Internet…Dream on (ZDNET) Bruce Schneier thinks we (engineers) should re-engineer the Internet to make it harder for governments to conduct surveillance. This is just silly. If we aren't willing to re-engineer it to stop criminals we sure won't do so to stop governments
The Cowboy of the NSA (Foreign Policy) Inside Gen. Keith Alexander's all-out, barely-legal drive to build the ultimate spy machine. On Aug. 1, 2005, Lt. Gen. Keith Alexander reported for duty as the 16th director of the National Security Agency, the United States' largest intelligence organization. He seemed perfect for the job. Alexander was a decorated Army intelligence officer and a West Point graduate with master's degrees in systems technology and physics. He had run intelligence operations in combat and had held successive senior-level positions, most recently as the director of an Army intelligence organization and then as the service's overall chief of intelligence. He was both a soldier and a spy, and he had the heart of a tech geek. Many of his peers thought Alexander would make a perfect NSA director. But one prominent person thought otherwise: the prior occupant of that office
US spy chief cancels visit to Dutch internet security conference (Dutch News) The controversial director of America's National Security Agency has cancelled a visit to the Netherlands next week because he is too busy, news agency ANP said
INFORMATION WARFARE: The New Russian Cyber War Force (Strategy Page) In early 2013 the U.S. Cyber Command (USCYBERCOM) announced that it was forming more offensive cyber–teams and would have at least 40 of them by
Indian spooks snooping without ISP knowledge (The Register) 'Lawful Intercept and Monitoring' systems don't sound very lawful. India's authorities are carrying out wide-ranging and indiscriminate internet surveillance of their citizens thanks to secret intercept systems located at the international gateways of several large ISPs, according to The Hindu
Litigation, Investigation, and Law Enforcement
Electronic Frontier Foundation forces NSA to reveal surveillance documents (ITPro) Internet rights organisation wins court order to unearth spy files. A freedom of information lawsuit by internet rights group the Electronic Frontier Foundation (EFF) has forced the release of hundreds of documents relating to spying carried out by the National Security Agency (NSA) that stretch back at least nine years
White House convinced court to loosen NSA constraints (Richmond Times–Dispatch) The Obama administration secretly won permission from a surveillance court in 2011 to reverse restrictions on the National Security Agency's use of intercepted phone calls and e–mails, permitting the agency to search deliberately for Americans' communications in its massive databases, according to interviews with government officials and recently declassified material
Court: Being 'Electronically Present' Can Make You Liable (McAfee) A recent ruling by the New Jersey Court of Appeals has sparked a nationwide debate over exactly who is liable when an accident is caused by a distracted driver. According to national reports, the court considered the claim of two victims who both lost their legs when a texting teen driver ran into their motorcycle. While they previously settled with the driver, the couple also sued the person texting the driver, claiming that she was 'electronically present' and thus equally responsible for causing the accident
Decision to Publish Against Government Request Was 'Not a Particularly Anguished One' (New York Times) The New York Times has come under fire in the past for agreeing to government requests to hold back sensitive stories or information, but it bucked such requests in publishing a front-page article in Friday's paper
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
TechCrunch Disrupt San Francisco (San Francisco, California, Sep 7 - 11, 2013) For the fourth year in a row, TechCrunch Disrupt will take over the San Francisco Design Center Concourse, and we're bringing the hottest startups and best minds in the industry with us. Block off September 7-11 on your calendar, because you're not going to want to miss Disrupt SF 2013. The Hackathon kicks everything off, followed by our main event, which starts every morning with panels of special speakers and guests, one-on-one chats featuring TechCrunch writers and editors, special guest speakers and judges, leading venture capitalists and fascinating entrepreneurs addressing the most important topics facing today's tech landscape. In the afternoons, the Startup Battlefield presentations begin, with the final presentations held on the last day of Disrupt.
SANS CyberCon Fall 2013 (Online, Sep 9 - 14, 2013) With sequestration still in place, organizations are finding themselves with training budgets, but drastically reduced travel budgets. This one-of-a-kind online training event brings SANS' top instructors teaching SANS' top courses to those who can't travel.
15th Annual AT&T Cyber Security Conference (New York, New York, USA, Sep 10, 2013) The AT&T Cyber Security Conference is an annual day-long conference offered by the AT&T Chief Security Office. Combining the expertise of its security experts, the scale and reliability of its global IP network and the innovation of AT&T Labs, AT&T is giving businesses some of the most powerful weapons available today in their battle against cyber security attacks. The conference showcases AT&T's leadership in helping businesses, large and small, manage the increasingly complex and critically important security of their IT networks and assets.
First Regional Southeast Conference on Cyber Security for National Security (Charleston, South Carolina, USA, Sep 10, 2013) The First Southeast Regional CS4NS Conference focuses on the immediate need of strengthening the critical cyber infrastructure of our nation. The conference will address the current cyber security state and rank vulnerabilities of our Critical Infrastructure/Key Resources (CI/KR), Internet Infrastructure, and available security resources. Discussions will highlight future development needs and solutions, especially for underserved businesses and government. Overall, CS4NS will answer the question "Are we secure?"
International Common Criteria Conference (Orlando, Florida, USA, Sep 10 - 11, 2013) FBC invites you to participate in the International Common Criteria Conference (ICCC) taking place in Orlando, Florida. This is the first time since 2000 that the ICCC is taking place in the U.S. The ICCC has become the main marketing and meeting opportunity for all those involved in the specification, development, evaluation, and validation or certification of IT security.
Angel Venture Forum: Cyber Security & Healthcare Investment Conference (Washington, DC, USA, Sep 11, 2013) With the increasing adoption of cloud computing, mobile devices and web-based applications, hackers have more opportunities than ever to infiltrate and crash network systems, especially in healthcare, which is increasingly becoming more vulnerable. The two greatest areas of opportunity for investment capital and the start-up community are in healthcare and cyber security. The nexus of these two sectors provides an even greater and more focused set of opportunities for investment. The Angel Venture Forum brings together all-star roundtables of experts to opine and discuss the topics and the opportunities herein.
GrrCon (Grand Rapids, Michigan, USA, Sep 12 - 13, 2013) Says IT World, "Another hacker conference, this time in Michigan. The schedule looks to be bawdy, brash and anything but dull, with hackers promising to 'pwn' you before you leave town. There are also sessions on penetration testing tools and mobile hacking methods."
cybergamut Technical Tuesday: Malware Analysis for the Masses (Columbia, Maryland, USA, Sep 17, 2013) With malware becoming more prevalent, and the pool of capable reversers falling short of overall need, there is a greater need to provide quick and efficient malware analysis for network defense. With modern technology and tools, it's now possible for junior security analysts to gather detailed malware indicators to craft defense and alert signatures. More enticing, all of this can be done with free tools and applications, some written by this presenter.
GovConnects Business Breakfast: Surviving Sequestration (Elkridge, Maryland, USA, Sep 17, 2013) This Business Breakfast will feature presentations by seasoned professionals in the field of government contracting as they share best practices for dealing with current challenges of doing business in the time of sequestration, and answer CEOs' questions from legal and accounting perspectives. [Editors' note: this event is expected to be devoted essentially entirely to cyber contracting.]
Shaping the Future of Cybersecurity Education Workshop (Gaithersburg, Maryland, USA, Sep 17 - 19, 2013) The third annual Shaping the Future of Cybersecurity Education Workshop will be held at the National Institute of Standards and Technology (NIST) in Gaithersburg, MD and focus on "Navigating the National Cybersecurity Education Interstate Highway".
NovaSec! (McLean, Virginia, USA, Jun 13, 2013) NovaSec! is Northern Virginia's largest Cybersecurity and physical security networking event of the year. We are bringing together security professionals from commercial and government organizations with members of local Northern Virginia businesses and associations to allow participants to meet, interact on key issues and provide a unified forum to network with like-minded individuals.
Strange Loop (St. Louis, Missouri, USA, Sep 18 - 20, 2013) Meet us in St. Louis, Sept 18-20th, 2013, to make connections with the creators and users of the languages, libraries, tools, and techniques at the forefront of the industry. Find out where we're going…and where we're not. Topics include emerging languages, concurrent and distributed systems, new database technologies, front-end web, and mobile.
ISSA Cyber Security Forum at Ft Belvoir (Fort Belvoir, Virginia, USA, Sep 19, 2013) This event will allow personnel from Fort Belvoir the chance to learn about the latest cyber security trends, network with peers, discuss Army best practices and to view and demo some of the latest cyber security and information technology products/services available today. This is an excellent opportunity for exhibitors to network with key decision makers, cyber, technology, communications and contracting personnel from various commands and tenant units at Fort Belvoir.
CISO Executive Summit (Atlanta, Georgia, USA, Sep 19 - 20, 2013) Be on the forefront of a new global initiative where today's world-class leaders in information security will gather to navigate through international waters. Join these leaders as they follow the wind of change that is sweeping through the IS community motivating today's information guardians to develop a new way of thinking to ensure success in protecting their respective organizations. (At Hacker Halted USA.)
2013 Cyber Security Summit (New York, New York, USA, Sep 25, 2013) The 2013 Cyber Security Summit connects executives responsible for protecting their company's critical infrastructure with innovative product, service and solution providers. The one-day event, to be held September 25th at the Hilton in New York City, will showcase the latest tools and resources available to defend against cyber crime on both corporate and government levels. Keynote addresses and interactive panel discussions led by notable security experts will highlight strategic priorities, risk factors and threats, and provide inspirational guidance to prepare for and protect from attacks.
4th Annual Cybersecurity Summit (Washington, DC, USA, Sep 25, 2013) GEN Keith Alexander, Commander of U.S. Cyber Command, Director of the NSA/Chief, Central Security Service and Dr. Pat Gallagher, Director, NIST are among the distinguished speakers confirmed to keynote at the 4th Annual Cybersecurity Summit on September 25, 2013 at the National Press Club in Washington, D.C. Michael Daniel, White House Cybersecurity Advisor, and Gen. Keith Alexander, Commander U.S. Cyber Command, and Director, NSA, are confirmed to keynote. Cybersecurity topics to be addressed include: the White House Cybersecurity Executive Order, the Cybersecurity Framework and New Emerging Standards for Critical Infrastructure, information sharing, mobile security and BYOD, legislative developments in cybersecurity, big data and cloud cybersecurity, continuous monitoring, cyber situational awareness, the JIE rollout, active defense and cyber warfare. Organized by Billington CyberSecurity™.