The CyberWire Daily Briefing for 9.13.2013
Syria's civil war spawns more hacktivism and state-inspired attacks, with effects so far appearing minor. Al Arabiya reports the regime's news agency SANA was attacked, and the SEA was active at mid-week against Israeli targets. Other Syrian hacktivists hit UN, German, and Slovene targets with page defacements. The US FBI continues to warn of SEA activity, and the US House Intelligence Committee bluntly associates Iranian cyber operations with the Syrian conflict.
Boxer malware has been found in QR codes. Two do-it-yourself hacking tools are described: one's a robot adaptable to brute-forcing security measures, the other is a "cheap toy" that can be used against lower-end home security systems.
Smart Grid News worries the power industry isn't taking Aurora attacks (which cycle circuit breakers to induce out-of-phase conditions in AC equipment) seriously enough.
Cloud industry representatives dismiss recent demonstration of Windows data volume vulnerability as representing a "negligible" risk. The Mevade botnet seems, happily, to have done itself a disservice by moving to Tor—the shift drew crippling amounts of attention.
Corera thinks breach notification rules reduce the stigma of reporting an attack.
Industry news includes acquisitions by Intel and Extreme Networks, a Lockheed Martin hiring spike (for NATO work), layoffs at Brocade, and new venture funding for cyber firms. Dell goes private as Twitter goes public.
The US seeks (slightly red-faced) to smooth relations with Brazil. DNI Clapper has some kind words for Snowden (really) and predicts Congressional overhaul of surveillance policy.
Yahoo data request orders will be partially declassified.
Notes.
Today's issue includes events affecting Brazil, European Union, Germany, Iran, Israel, Russia, Slovenia, Syria, United Kingdom, and United States..
Cyber Attacks, Threats, and Vulnerabilities
Syria state news agency under hacker attack (Al Arabiya) State news agency SANA said on Friday it and other government websites in conflict-plagued Syria have come under attack by hackers, complicating access to their sites. It did not specify the origin of the attacks
Anonymous, Syrian hackers target Israel on 9/11 (Washington Times) Hackers claiming to be affiliated with Anonymous launched a widespread cyber attack on Israeli citizens, government institutions, and corporations on Wednesday, according to Internet chatter and postings from the self-described hackers. The attack is purportedly being carried out by a nebulous group of hackers who claim affiliation with both Anonymous and the Syrian Electronic Army (SEA), which supports embattled President Bashar al Assad
FBI Wary of Syrian Cyber Attacks (NBC Chicago) The Federal Bureau of Investigation is urging the public to keep alert and watch for malicious online behavior as the world watches the unfolding situation in Syria. New cyber threats are emerging that could impact the daily lives of millions of Americans
House Intel Panel Leaders Urge Syria Vote, Warn of Iranian Cyber Attacks (Defense News) Two powerful US lawmakers said Washington must maintain the threat of force as leverage against Russia and Syria, and warned Iran is hitting America's financial system with cyber strikes
Official websites of Avira Anti–Virus Slovenia & United Nation Armenia hacked by Dr.SHA6H (HackRead) A profile Syrian hacker going with the handle of Dr.SHA6H has hacked the official website of German based Avira antivirus software company designated for Republic of Slovenia and official website of United Nation (UN) in Armenia. The hacker left a deface page along with a message on both hacked websites against Syrian conflict
North Korea Likely Behind New Targeted Attacks On South Korea (Dark Reading) A new wave of targeted attacks on South Korean organizations contains multiple signs that the attacks are likely coming from the North, according to new research. Kaspersky Lab exposed a cyberespionage campaign, dubbed Kimsuky, aimed at spying on and stealing information from South Korean think-tank organizations
City of Durham, North Carolina's Official Website hacked, hacker threatens to kill Obama (HackRead) A sub-domain which belongs to the official website of City of Durham, North Carolina U.S has been hacked and defaced by a hacker going with the handle of Raven. The identity of hacker remains unknown but intentions are clear as the site was left with a deface page along with a message against the U.S president Obama
Boxer Found Lurking Behind QR Codes (ThreatTrack Security Labs) QR codes, a type of matrix barcode that originated in Japan, have boomed in the West and in some parts of Asia a few years ago. Companies are impressed by how their current and prospected clients can connect with them with ease that they made it part of their marketing strategy. The biggest (literally), most memorable execution of the QR code to date was by employees of Facebook at the roof of their headquarters. Unfortunately, online criminals have used QR codes to lead users to sites where malicious software can be downloaded onto their devices
DIY Robots Make Brute–Force Security Hacks Possible (IEEE Spectrum) Many common types of software security systems only function because they assume that nobody has the time, interest, or energy to use brute force approaches to crack them. Take your phone, for example: it (probably) has a four digit number to unlock it. A human would likely not bother to try out all 10,000 combinations since it would be super boring, but robots don't get bored, so this sort of security doesn't dissuade them
$20 'Toy' Deactivates Cheap Home Alarms, Opens Doors (Slashdot) mask.of.sanity writes "Cheap home alarms, door opening systems and wireless mains switches can be bypassed with low-cost and home-made devices that can replicate their infrared signals. Fixed-code radio frequency systems could be attacked using a $20 'toy', or using basic DIY componentry
The all–too–real cyberthreat NOBODY is prepared for (Aurora) (Smart Grid News) Quick Take: I'm far from a security expert and I don't even play one on TV. But I do have lots of friends who are knowledgeable and several of them think the electric power industry is overlooking the biggest cyberthreat of all. Some context – most national and international security experts now predict a major cyber attack on the United States within the next five years. Many of them believe the electric power grid will be a primary target. And many of those believe the Aurora vulnerability is (currently) the easiest way to attack the grid
Programmer exploits Windows vulnerability in cloud-based services (NetworkWorld) Amazon Web Services targeted in demo; industry rep calls threat 'negligible'. Windows data volumes (meaning virtual machine hard-drives) in public clouds such as Amazon Web Services can be copied and have their access credentials modified, allowing a hacker to glean insights into the data, a programmer has reported. Programming author and consultant Jeff Cogswell identified the security vulnerability and showed how he executed a hack of his own data in a story titled "The Windows flaw that cracks Amazon Web Services" posted on Slashdot.com. His conclusion: Don't store sensitive information in the cloud, even if it is encrypted
How The Massive Tor Botnet 'Failed' (Dark Reading) The Tor-based 'LazyAlienBiker' — a.k.a. Mevade — botnet's attempt to evade detection using the anonymous Tor network ultimately exposed it. The decision by the operators of the so–called Mevade botnet to use the Tor network for masking their command-and-control (C&C) infrastructure actually backfired. The botnet, which had been in operation since at least 2009, began moving its infrastructure en masse to Tor in mid–August, just after the start of the Edward Snowden leaks about the NSA's widespread spying operations and unrest in Syria. Millions of new Tor clients sparked speculation of a post-NSA anonymity bump or Syrian civil war fallout. But last week, The Tor Project confirmed that the major uptick in Tor traffic was due to a botnet
Moving to Tor a Bad Move for Massive Botnet (Threatpost) MEvade, the massive botnet using Tor as a communication protocol, may have moved operations to the network in order to hamper potential takedown efforts, but according to security researchers, the move just served to shine a spotlight on the botnet's activities. Rather than hide traffic from bots to command and control servers, moving to Tor by the millions just alerted researchers and Tor's handlers that something was amiss. The botnet went undetected—possibly for years—and then suddenly because it caused a spike in Tor usage in a matter of days, the botnet was outed
When friendly 'from' names become enemies (ITWorld) I am constantly amused and amazed by the ingenuity shown by fraudsters. Their recent use of friendly email 'from' names is not an exception. What makes the attack exceptional, though, is how it is born out of the confluence of several entirely unrelated trends of computing
Officials warn of spoofed health exchange websites (GCN) As states set up their online health insurance marketplaces ahead of an October deadline, officials are watching for look-alike websites that can lead consumers to be the victims of fraud or simply confusion. States are on the lookout for websites created by interest groups, private insurance companies and sometimes scammers that have similar Web addresses and the appearances of the official state exchange websites. Officials are intervening in some cases and trying to make sure consumers are able to spot a fake site before they give out private information
Multiple NASA websites hacked (Fox News) Nearly a dozen NASA websites run from the heart of Silicon Valley were hacked on Tuesday and remain offline days later, following a politically motivated digital broadside against the space agency. "My understanding is the entire NASA Ames Center had a hack attack that took the website down," spokesman JD Harrington told FoxNews.com. However, another NASA spokesman later denied that the entire center was taken down, instead saying that the attack was of a much smaller scope
Conexis Mistakenly Exposes Personal Data of 13,000 Virginia State Employees (eSecurity Planet) All those affected are being provided with free access to credit monitoring and identity theft protection services
Back to school sales…or not (PandaLabs) Summer is almost over, kids are going back to school and we can find many type of offers to buy new computers, software... and cyber-criminals will try to take advantage of this too. Recently we have spotted yet another family of a ransomware (police virus). While the behavior was really similar to other families, in this case the main difference that attracted my attention was the price: usually they ask for around US$100, this time the price was really cheap
NSA Vs. Your Smartphone: 5 Facts (InformationWeek) No, the NSA can't magically hack all iPhones and smartphones, but just like malware developers, it has more than a few tricks up its sleeve for retrieving data stored on mobile devices
NSA disguised itself as Google to spy, say reports (C/NET) If a recently leaked document is any indication, the US National Security Agency — or its UK counterpart — appears to have put on a Google suit to gather intelligence…Google provided a short statement to Mother Jones reporter Josh Harkinson in response to his questions on the matter: "As for recent reports that the US government has found ways to circumvent our security systems, we have no evidence of any such thing ever occurring. We provide our user data to governments only in accordance with the law"
WA Consumer Watchdog Warned that Scammers Using Malware and Webcams to Blackmail Internauts (SPAMFighter) According to a warning issued by West Australian (WA) consumer watchdog, fraudsters are employing malware and webcams to capture pictures of their victims and then threatening them while posturing as Police, as per news published by Adelaidenow.com.au on 5th September, 2013
Security Patches, Mitigations, and Software Updates
Why all the errors in Microsoft updates lately? (ZDNet) September makes 3 months in a row that Microsoft has issued buggy patches, 3 of which had to be pulled from distribution. Perhaps Microsoft has too many products to have one patch cycle. About a month ago I wrote a column celebrating the great things that Patch Tuesday has done for customers and the industry. I still believe in it, but I couldn't have picked a worse time to write it. In the weeks that followed, Microsoft customers have experienced a reign of error under Windows Update. A few days after my column appeared, Microsoft was forced to withdraw two August patches, beginning with a patch for Outlook Web Access in Exchange Server. The buggy code in this patch turns out, ironically, to be written by Oracle, but that's neither here nor there: Microsoft delivered it as part of their product and it caused problems on Exchange Server 2013. The second patch they withdrew was for ADFS (Active Directory Federation Services), but they re-released it a few days later
Cyber Trends
Capgemini/HP Report Reveals Half Of Companies Inadequately Test Mobile Apps & Security (Dark Reading) World Quality Report1 shows many organizations still struggle to demonstrate the true value of their testing function to the business. Capgemini, one of the world's foremost providers of consulting, technology and outsourcing services, and Sogeti, its local professional services division, today released the findings of the fifth World Quality Report1. The report, published in conjunction with HP, reveals that application Testing and Quality Assurance (QA) now accounts for almost a quarter of IT spend, as many organizations undergo the process of digital transformation and reliable software applications become increasingly critical to their operations and reputation
Medical ID Theft Spreads (Dark Reading) 1.8 million Americans have been victims of medical identity fraud — including some from their own family members — new report finds. Identity theft isn't just credit- and debit-card account or Social Security number theft anymore: Cybercriminals are targeting health insurance and other personal information to peddle or execute medical fraud for surgeries, prescription drugs, and medical equipment. A new report published Thursday shows how quickly this medical identity theft is growing, with 1.84 million Americans falling victim to this form of fraud
Cyber breach notification rules will help end stigma associated with disclosing attacks, says Corero boss (Out-Law) The stigma associated with owning up to having being the victim of a cyber attack will diminish as a result of new rules requiring companies to formally disclose breaches, according to a network security expert
U.S. wrongly prioritizes cyber offensive, says Rid (FierceGovIT) Investments in offensive cybersecurity weapons don't necessarily make domestic networks any safer, warned Thomas Rid, a reader in war studies at London's King's College. Cyber weapons capable of causing kinetic harm, such as the Stuxnet virus exacted on Siemens industrial control systems, require specificity in their coding because targets tend to be unique
Marketplace
Intel Has Acquired Natural Language Processing Startup Indisys, Price "North" Of $26M (TechCrunch) Intel has made another international acquisition in its push into artificial intelligence technology: it has bought Indisys, a Spanish startup focused on naturual language recognition. The terms of the deal have not been disclosed but sources close to it tell TechCrunch that it is "north" of €20 million ($26 million). It comes just two months after news broke that Intel acquired Omek, an Israeli maker of gesture-based interfaces, reportedly for about $40 million
Extreme Networks To Buy Enterasys For $180M, Double Its Size (CRN) Extreme Networks Thursday announced plans to acquire fellow networking vendor Enterasys for $180 million, a move that will not only double Extreme's annual revenue and significantly strengthen its R&D muscle but also help it nip at the heels, more aggressively than ever, of networking titans like Hewlett-Packard (NYSE:HPQ) and Cisco (NSDQ:CSCO)
Brocade lays off 300 to pursue SDNs (ComputerWorld) A SDN is taking a toll on Brocade. The data center networking company last week laid off 300 employees, or about 6.7% of its global workforce. Headcount is now 4,180
Lockheed Martin recruits coder army for Nato and Ministry of Justice projects (V3) Lockheed Martin announced the expansion just after securing a $100m (£63.2m) IT contract to design the network infrastructure for Nato's new headquarters in Brussels. Lockheed will maintain the Nato network for five years after completion
Mobile Pwn2Own Offers $300k for Zero Days (Threatpost) It's a good time to be a security researcher. If you have the time and talent to find vulnerabilities in widely deployed applications, there is a lot of money out there for the taking, and not just from the bug bounty programs and regular exploit buyers. The latest iteration of the Pwn2Own hacking contest, which has run at the CanSecWest conference in Vancouver for several years, will take place at the Japanese version of the conference in November, and the targets will be the most popular mobile platforms. The prizes for the contest reflect the changing nature of the vulnerability landscape, and the fact that there is far more competition for good vulnerabilities-both out in the open and on the underground-than there has been before
Procera Networks Receives Another Multi-Million Dollar Follow–On Order From Tier 1 Western European Operator (Digital Technology) Procera Networks, Inc. (NASDAQ: PKT), the global Internet Intelligence company, today announced it has received another multi-million dollar expansion order from a Tier 1 service provider in Western Europe. This customer previously selected the PacketLogic™ PL20000 following extensive competitive product evaluation and testing that included many stand-alone and integrated competitors. This large subsequent expansion order was placed in quick succession to an order that was announced in early August. Once again this highlights the ability of Procera's solutions to install quickly and scale on demand, with the PL20000 being the industry's highest performing Intelligent Policy Enforcement system available in the market today. Procera expects to recognize the revenue from this follow-on order in the second half of 2013
Cloud-provider Virtustream lands $40 million from SAP (Washington Business Journal) Virtusteam Inc., a Bethesda-based cloud infrastructure provider, on Tuesday announced $40 million in funding from enterprise software giant SAP AG, the lone investor in the Series D round
SAP Acquires Predictive Analytics Provider KXEN (GovConWire) SAPSimplified Acquisition Procedures / Special Application Program AG (NYSE: SAPSimplified Acquisition Procedures / Special Application Program) has acquired predictive analytics service provider KXEN as part of efforts to expand offerings for customers to handle large volumes of data
Pamela Craig Joins VMware Board of Directors (GovConWire) Pamela Craig, formerly chief financial officer at Accenture (NYSE: ACN) for five years, has joined VMware's board of directors and will also serve as a member of the mergers and acquisitions committee
FireEye Appoints Steve Pataky as Vice President of Worldwide Channels and Alliances (MarketWatch) FireEye Inc., the leader in stopping the new breed of cyber attacks, today announced the appointment of Steve Pataky as vice president of worldwide channels and alliances, which was effective on August 26. In his position, Pataky is tasked with heightening the relationships between FireEye and its expanded ecosystem of resellers, distributors, and partners that sell and implement the FireEye threat protection platform
Leidos Leadership Outlines Future Business Plans; John Jumper Comments (GovConWire) John Jumper Executive leaders of what will become Leidos Holdings (NYSE: LDOS) leadership have outlined plans for the company after it renames itself from Science Application International Corp. (NYSE: SAIC)
SAIC Senior Leaders Share Post-Spinoff Goals with Investors (GovConWire) Senior leaders of the future Science Applications International Corp. discussed the company's plans Wednesday as that business prepares to spin offOffice Forms Facilitator from SAIC, which is being renamed Leidos
Shareholders tell Mike 'Just Do It': Dell to go PRIVATE for $24.9bn (The Register) Michael has a 'single minded purpose'…Dell shareholders have given the green light to Mickey D to take the company he founded nearly three decades ago private — again. Approval from investors was never really in doubt after activist investor Carl Icahn, who seems more interested in Apple, revealed that he and partner SAM had given up the ownership battle, clearing the way for Texan Mike
Inside Twitter's plan to go public as quickly and quietly as it can (Quartz) Twitter would like to go public as quietly as possible. And to do that, it will go public as quickly as possible, too. The clock started yesterday when the company tweeted that it had filed paperwork for an IPO. But the confidential filing actually happened a few weeks ago, according to someone who was briefed on the process. The US Securities and Exchange Commission (SEC) has nearly completed its review of the document, which means Twitter could make it public within the next few weeks, much sooner than would ordinarily be expected
Why a deal for MoPub was the finishing touch Twitter needed to prepare for its IPO (Quartz) Twitter just announced its long-awaited and much-hyped initial public offering (IPO) on, predictably, Twitter. But just four days before, it was doing something else: acquiring MoPub, a mobile ad serving platform and marketplace, for $350 million in Twitter shares
Three Startups Whose Technology Helped the NSA Mine the Cloud (Technology Advice) The NSA has been known to incorporate cutting edge technology into their digital surveillance programs, allowing them to not only gather massive amounts of data from the cloud, but also to analyze it. As we've covered before, the NSA has been able to crack most standard encryption protocols including those used to secure global banking and finance information. This is due partially to the vast amount of server power the NSA data centers command. But the agency has also proven adept at incorporating new startup technology into its arsenal. Below are three tech companies whose technology has helped the NSA mine data from the cloud, and keep their own secrets under wraps
20% Of CIA Job Applicants Linked To Al Qaida, Other Terrorists (Investors.com) War On Terror: At the same time a number of reports show al-Qaida growing in strength, contrary to the president's claims it's been "decimated," the terror group has penetrated CIA headquarters. That's the latest shocking revelation from NSA leaker Edward Snowden's classified document dumps. They reveal at least one in five applicants for CIA positions have had significant ties to terror groups Hamas, Hezbollah and even al-Qaida. Far from being "on the run," America's top enemy is working tirelessly to infiltrate our top security agencies
57% of college students think their Facebook postings aren't vile at ALL! (Naked Security) Too bad that 69% of recruiters report finding candidates whom they wouldn't let step through the door, thanks to social media evidence of drinking, drugs, bad-mouthing previous employers, lying on their resumes or a host of other sins
Products, Services, and Solutions
Find Out How Secure Your Agency's Mobile Devices Are (Nextgov) Are security concerns holding back your agency's mobility strategy? Mobile Work Exchange on Thursday launched the Secure Mobility Hot Zone, a new self-assessment tool that can help you or your agency determine potential mobile security risks. The group launched the new tool at their fall Town Hall meeting in Washington
Apple's Fingerprint ID May Mean You Can't 'Take the Fifth' (Wired) There's a lot of talk around biometric authentication since Apple introduced its newest iPhone, which will let users unlock their device with a fingerprint. Given Apple's industry-leading position, it's probably not a far stretch to expect this kind of authentication to take off. Some even argue that Apple's move is a death knell for authenticators based on what a user knows (like passwords and PIN numbers). While there's a great deal of discussion around the pros and cons of fingerprint authentication — from the hackability of the technique to the reliability of readers — no one's focusing on the legal effects of moving from PINs to fingerprints
Facebook privacy application manages who sees your posts (Help Net Security) AVG announced its first privacy app built on the Facebook API, AVG CrowdControl. The app allows users to manage who sees their default posts for improved privacy without deleting personal contacts
BitSight launches information security risk rating service (Help Net Security) BitSight launched a cybersecurity offering that delivers ratings on the information security effectiveness of organizations. The ratings, which are based on externally visible network behavior, are generated
SAML 2.0 two–factor SSO without usernames or passwords (Help Net Security) WWPass released Unified Security Manager, a virtual appliance that provides user authentication for applications that support Security Assertion Markup Language (SAML) 2.0. Unified Security Manager's
Military–grade solution to protect industrial control systems (Help Net Security) Organisations will now be able to bring their industrial control systems technology into the modern era and realise the benefits of increased connectivity while also reducing the risk of cyber attack
Safeguard your info and monitor Facebook activity with BullGuard Identity Protection (Help Net Security) BullGuard released BullGuard Identity Protection, a new suite of security tools designed to guard against the growing number of threats that target internet and social media users
Technologies, Techniques, and Standards
Protecting Critical Infrastructure by Identifying Pathways of Exposure to Risk (Technology Innovation Management Review) Increasingly, our critical infrastructure is managed and controlled by computers and the information networks that connect them. Cyber-terrorists and other malicious actors understand the economic and social impact that a successful attack on these systems could have. While it is imperative that we defend against such attacks, it is equally imperative that we realize how best to react to them. This article presents the strongest-path method of analyzing all potential pathways of exposure to risk – no matter how indirect or circuitous they may be – in a network model of infrastructure and operations. The method makes direct use of expert knowledge about entities and dependency relationships without the need for any simulation or any other models. By using path analysis in a directed graph model of critical infrastructure, planners can model and assess the effects of a potential attack and develop resilient responses
What to Do About Password-Sharing? (Lenny Zeltser on Information Security) Sometimes people share passwords. This practice might stem from the lack of support for unique user account in some applications. Even more importantly, the reasons for password-sharing have to do with convenience and social norms. Technologists are starting to recognize the opportunity to account for these real-world practices in their products
Countering Attacks Hiding In Denial–Of–Service Smokescreens (Dark Reading) Noisy attacks are increasingly camouflaging more subtle exploits, but a well-structured incident response and third-party providers can help limit the noise. Denial-of-service attacks have long been considered the blunt wooden club of online hazards, a multi-gigabit stream of shock and awe. Yet, increasingly the noisy attacks are being used to hide more subtle infiltrations of a target's network. A number of financial institutions, for example, have been targeted by distributed denial-of-service (DDoS) attacks immediately following a wire transfer, according to security firms familiar with the cases. The attacks, generated by computers infected with the DirtJumper DDoS malware, attempt to disrupt any response to the fraudulent transfer of funds, which are usually in the six-figure dollar range, according to a report by Dell Secureworks published in April
New Industrial Control Systems Cyber Security Certification in Development (Sacramento Bee) Global Information Assurance Certification (GIAC), a leading provider of cyber security certifications, and representatives from a global industry collaborative announce today that they have formed a community initiative to establish an open body of knowledge for Process Control Design and Information Technology Security. The objective of the collaborative, involving organizations which design, deploy, operate, and maintain industrial automation and control system infrastructure, is to develop a vendor-neutral certification to be known as the Global Industrial Cyber Security Professional (GICSP) to debut this fall. The GICSP will be available to candidates in late November 2013
Should employees be punished for sloppy cyber security? [POLL] (Naked Security) Assume that it's time for Bob's performance review. Bob's boss says he's a great addition to the team. Easy to work with! And the sales numbers? Hot mama, Bob's smokin'! Mr. Bob surely has worked himself toward a big, fat raise! Or not. Bob would have gotten a raise, that is, but he got fooled by a phishing email and unwittingly invited the bad guys in through the front door, torpedoing Widget Industries Ltd's multimillion-dollar investment in security systems
Analysis: The Federalist IT Papers (Nextgov) Few chief information officers would look to the founding fathers for information technology leadership advice. In fact, many would be skeptical of insights from men who did their best work with a quill pen and communicated only by letters or in-person meetings. This is partly because IT leaders often underestimate the importance of effective governance and overestimate the importance of technology in business technology decisions
Why gamification and big data go hand–in–hand (CMO) We look at the rise of gamification techniques in marketing and customer loyalty and provide examples of how organisations are using the methodology to find new levels of engagement with consumers and employees
Regardless of the NSA, you still need encryption (ComputerWorld) It seems as though everywhere you turn lately, another story breaks revealing information about PRISM and Edward Snowden. And it just keeps coming. Snowden's latest disclosure builds on the story that not only has the NSA partnered with cloud service providers to bypass encryption and access data on their international clients, but also that they have 'cracked much online encryption.' What does this mean for your security team? Should you quit using encryption
Design and Innovation
Apple is no longer an innovative company, says the man who helped Steve Jobs design the Mac (Quartz) Hartmut Esslinger knows a thing or two about industrial design and what it's done for Apple. He worked directly with Steve Jobs to establish a "design language" that was used on the Macintosh line of computers for over a decade. Esslinger's iconoclastic firm had already designed over 100 products for Sony when he signed an exclusive, $1-million-a-year contract with Apple in 1982
These days, Apple is more like a fashion label than an electronics company (Quartz) When Apple launched the iPhone 4 in 2010, the company's website featured large images of the device with the text "This changes everything. Again." Change has been a constant refrain in Apple's marketing over the years. The famous 1984 Macintosh ads framed the computer as an agent of revolution. And the "Think Different" ads of the 1990s implied that purchasing one of these underdog machines put you in the same company as other misunderstood genius underdogs. But it goes back further than that, too. Ads for the Apple II and the business-oriented Apple III in the early 1980s compared their power to that of famous inventors of ages past, including Henry Ford, Thomas Jefferson, and Ben Franklin, among others
Research and Development
AF Chief Scientist Prioritizes Satellites, Cyber (Military.com) The Air Force's first female chief scientist sees a future where satellites are at risk of falling under attack, cyber attacks are common place, and precision lasers mounted to aircraft are a primary weapon
Academia
University of Maryland, Northrop Grumman announce launch of nation's first cybersecurity honors program, Sept. 25 (Your Defense News) The University of Maryland and Northrop Grumman will jointly announce the launch of the Advanced Cybersecurity Experience for Students (ACES), the nation's first cybersecurity honors program for undergraduates, at a special event on Wednesday, September 25, 2013, from 10:30-11:30 a.m. in the Stamp Student Union Atrium on the University of Maryland College Park Campus
UMD, Parsons Partner to Help Produce Future Cybersecurity Professionals (UMD Right Now) The University of Maryland and Parsons, an engineering, construction, technical, and management services firm, have partnered to provide academic scholarships to current and future undergraduate students in the UMD Honors College Advanced Cybersecurity Experience for Students (ACES). Through a gift from Parsons, 24 scholarships will be awarded to high-achieving students during the next three years. In addition to the scholarships, Parsons will provide professional insights to students, as well as exposure to varied career options in the field of cybersecurity
Grissom High School's cyber security program featured on NPR (al.com) The NPR piece focuses on the Huntsville school district's partnership with the U.S. Army Cyber Command. The partnership puts the district together with the
Legislation, Policy, and Regulation
Clapper: Snowden case brings healthy debate; more disclosures to come (Los Angeles Times) James Clapper, the director of national intelligence, said Thursday that Edward Snowden's disclosures of secret surveillance programs at home and abroad have generated a useful public debate on the trade-offs between privacy and national security. "I think it's clear that some of the conversations this has generated, some of the debate, actually needed to happen," Clapper told a defense and intelligence contractor trade group. "If there's a good side to this, maybe that's it"
Congress will rein in NSA's domestic snooping, predicts top U.S. intel official (Washington Times) Congress will curtail or even shut down the National Security Agency's domestic snooping program over concerns that it violates Americans' privacy, the top U.S. intelligence official predicted Thursday. "It's very clear that — to the extent we get to keep these tools at all — they're going to be legislatively amended," Director of National IntelligenceJames R. Clapper said, referring to the NSA's warrantless domestic data-gathering exposed by former agency contractor Edward Snowden
No talk of changing NSA spy tactics at meeting of new surveillance review panel — report (Russia Today) A new review panel created by President Barack Obama to analyze possible reforms for US government surveillance spoke mainly of tech companies concerns, not National Security Agency spying overreach, during its first meeting. Attendees of the meeting early this week told the Guardian newspaper discussions were mostly based around the apprehensions and interests of major technology firms. Little about public privacy or real changes to the mass global phone and internet data collection programs was involved
Recriminations, Pendulum Swings, and What is Probably Happening at NSA (Lawfare) This is speculation. I have no hard facts or evidence to support it. But I am convinced to a moral certainty that NSA is scaling back certain collection. That is not something I say with pleasure or triumph but, rather, with frustration, sadness, and worry
US to Brazil: 'Legitimate questions' about NSA (Island Packet) President Barack Obama's national security adviser conceded there are legitimate questions about U.S. spying on its allies, the White House said Wednesday as it sought to sooth Brazil's concerns about far-reaching surveillance by the National Security Agency. A White House meeting between Susan Rice and Brazil's foreign minister, Luiz Alberto Figueiredo, constituted the latest attempt by the Obama administration to stem the damage to foreign relations inflicted by revelations by NSA leaker Edward Snowden. But it was not immediately clear whether that damage had been repaired
Brazilian politicians want to interview Snowden about NSA's spying on their country (Washington Post) The foreign relations and defense commission of Brazil's lower house has authorized an official trip by legislators to go to Moscow to interview National Security Agency leaker Edward Snowden about spying on Brazil. However, officials say no date has been set and it would require the approval of Russian authorities for the Brazilian delegation to speak with Snowden
EU debates NSA surveillance impact and media freedom (Help Net Security) The impact of US National Security Agency and other surveillance programs on EU citizens' privacy and media freedom and the lack of democratic oversight of these programs were the key concerns voiced
Backdoor dealings (The Economist) Covertly weakening the security of the entire internet to make snooping easier is a bad idea. "PROPERLY implemented strong crypto systems are one of the few things that you can rely on," declared Edward Snowden, the former computer technician at America's National Security Agency (NSA) responsible for leaking a trove of documents about his erstwhile employer's activities, in an online question-and-answer session in June. The latest revelations, published on September 5th by the Guardian, the New York Times and ProPublica, explain his careful choice of words. Many cryptographic systems in use on the internet, it seems, are not "properly implemented", but have been weakened by flaws deliberately introduced by the NSA as part of a decade-long programme to ensure it can read encrypted traffic
Winnefeld: New DOD IT Enterprise Will Bring Transformation (Department of Defense) He noted that U.S. Cyber Command has designated three kinds of teams to operate around the clock: National mission teams that will support the Department
Indianapolis arms against cyber attacks (WISH TV) Public safety officials in Indianapolis have joined a national conversation on how to protect citizens and businesses from cyber attacks. The city's public safety director, Troy Riggs, returned early Thursday from a forum on the issue in Washington, D.C
Litigation, Investigation, and Law Enforcement
Govt to declassify parts of secret order requiring Yahoo to turn over customer data (Washington Post) The federal government says it will declassify parts of a 2008 secret court order that required Yahoo to turn over customer data under the National Security Agency's PRISM data-gathering program. In a filing Thursday with the Foreign Intelligence Surveillance Court, the Justice Department said that the declassification would make possible the publication of "much of the court's opinion and order." But the department said that some of the information in the opinion must remain classified and would be redacted
Reporter talks about what it was like working with Snowden (Ars Technica) Washington Post reporter says it's a "core duty" to publish leaker's NSA cache. One of the journalists entrusted with former National Security Agency contractor Edward Snowden's vast trove of documents said in an interview on Wednesday that it's important to remember what the famed leaker could have done but didn't
6 Whopping Government Misstatements About NSA Spying (Wired) Whistleblower Edward Snowden's leaks about NSA spying have set off a fierce global debate about security and privacy in the internet age. The revelations of the United States performing mass surveillance on an international scale have also unleashed an avalanche of government misstatements aimed at defending, or even denying, the NSA's dragnet surveillance. We've gone through them and picked out some of the biggest whoppers
Court ruling a warning to companies on workers' Facebook privacy (CSO) Decision expected to be influential because few courts have tackled how law such as the Stored Communications Act applies to social media. A recent federal court ruling is a warning to companies that workers' non-public Facebook postings are private and uninvited employers have no right to read them. The ruling, handed down last month, stemmed from a lawsuit filed by a paramedic against Monmouth-Ocean Hospital Service Corp. (MONOC) in New Jersey. Deborah Ehling was disciplined after posting on her Facebook wall a comment criticizing Washington, D.C., paramedics' handling of a deadly shooting at the U.S. Holocaust Memorial Museum
Anti–Spam Lawsuits Rarely Win, As Highlighted By A Recent Loss By Spam Arrest (Forbes) People hate receiving spam, but most people stopped obsessing about spam a decade ago or more. In the interim, anti-spam filters have improved dramatically. Still, some anti-spammers hate spam so passionately-or, perhaps, hope to put a little coin in their pockets-that we still see a steady stream of lawsuits against email marketers. For the most part, those lawsuits don't win; in the past half-decade, repeat anti-spam plaintiffs have rarely won in court. A recent ruling in a case brought by Spam Arrest demonstrates just how hard it's gotten to win anti-spam lawsuits-and why we're not likely to see many successful anti-spam lawsuits in the future
Kim Dotcom's Mega-Lawsuit Could Make Him a Multi–Millionaire Again (Wired) File-sharing tycoon Kim Dotcom has a plan to become a multi-millionaire again: He's filed a seven-figure lawsuit against the New Zealand government over the spectacular 2012 assault on his mansion, and the electronic spying that preceded it
12 arrested over hacking plot to steal millions from Santander bank (Graham Cluley) Hackers are alleged to have planted a hardware device in a bank, with the intention of stealing millions of pounds. But to pull off such a plot, they would need to have had someone physically access the targeted computer. Learn more about the scheme, and how companies can best prevent similar attacks happening to them
Insider tied to Vodafone breach in which 2 million records were compromised (CSO) An insider has been linked to a breach at Vodafone in Germany, resulting in the loss of 2 million records. According to Vodafone, there is a heightened risk of Phishing attacks against the impacted customers. In a statement to CSO, a Vodafone spokes person said that a "sophisticated and illegal intrusion into one of its servers in Germany," and that the attack appears to have been executed by someone inside the company. An individual has been identified by the police, and their assets have been seized, but there was no further information available by deadline. Speculation by local media in Germany has pointed to a sub-contractor who worked with the telecom giant's administration system as the key suspect
Police probe second news group over phone hacking (Naked Security) Police are investigating yet another British newspaper group in the phone hacking scandal that was brought to us courtesy of the now-defunct News of the World and its parent company News Internationa
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
SANS CyberCon Fall 2013 (Online, Sep 9 - 14, 2013) With sequestration still in place, organizations are finding themselves with training budgets, but drastically reduced travel budgets. This one-of-a-kind online training event brings SANS' top instructors teaching SANS' top courses to those who can't travel.
GrrCon (Grand Rapids, Michigan, USA, Sep 12 - 13, 2013) Says IT World, "Another hacker conference, this time in Michigan. The schedule looks to be bawdy, brash and anything but dull, with hackers promising to "pwn" you before you leave town. There are also sessions on penetration testing tools and mobile hacking methods."
cybergamut Technical Tuesday: Malware Analysis for the Masses (Columbia, Maryland, USA, Sep 17, 2013) With malware becoming more prevalent, and the pool of capable reversers falling short of overall need, there is a greater need to provide quick and efficient malware analysis for network defense. With modern technology and tools, it's now possible for junior security analysts to gather detailed malware indicators to craft defense and alert signatures. More enticing, all of this can be done with free tools and applications, some written by this presenter.
GovConnects Business Breakfast: Surviving Sequestration (Elkridge, Maryland, USA, Sep 17, 2013) This Business Breakfast will feature presentations by seasoned professionals in the field of government contracting as they share best practices for dealing with current challenges of doing business in the time of sequestration, and answer CEOs' questions from legal and accounting perspectives. [Editors' note: this event is expected to be devoted essentially entirely to cyber contracting.]
Shaping the Future of Cybersecurity Education Workshop (Gaithersburg, Maryland, USA, Sep 17 - 19, 2013) The third annual Shaping the Future of Cybersecurity Education Workshop will be held at the National Institute of Standards and Technology (NIST) in Gaithersburg, MD and focus on "Navigating the National Cybersecurity Education Interstate Highway".
NovaSec! (McLean, Virginia, USA, Jun 13, 2013) NovaSec! is Northern Virginia's largest Cybersecurity and physical security networking event of the year. We are bringing together security professionals from commercial and government organizations with members of local Northern Virginia businesses and associations to allow participants to meet, interact on key issues and provide a unified forum to network with likeminded individual.
Strange Loop (, Jan 1, 1970) Meet us in St. Louis, Sept 18-20th, 2013, to make connections with the creators and users of the languages, libraries, tools, and techniques at the forefront of the industry. Find out where we're going…and where we're not. Topics include emerging languages, concurrent and distributed systems, new database technologies, front-end web, and mobile.
ISSA Cyber Security Forum at Ft Belvoir (Fort Belvoir, Virginia, USA, Sep 19, 2013) This event will allow personnel from Fort Belvoir the chance to learn about the latest cyber security trends, network with peers, discuss Army best practices and to view and demo some of the latest cyber security and information technology products/services available today. This is an excellent opportunity for exhibitors to network with key decision makers, cyber, technology, communications and contracting personnel from various commands and tenant units at Fort Belvoir.
CISO Executive Summit (Atlanta, Georgia, USA, Sep 19 - 20, 2013) Be on the forefront of a new global initiative where today's world-class leaders in information security will gather to navigate through international waters. Join these leaders as they follow the wind of change that is sweeping through the IS community motivating today's information guardians to develop a new way of thinking to ensure success in protecting their respective organizations. (At Hacker Halted USA.)
CCBC Leadership Seminar Luncheon: Cyber Awareness: What Employers Need To Know (Owings Mills, Maryland, USA, Sep 20, 2013) , no later than September 13, 2013.
2013 Cyber Security Summit (New York, New York, USA, Sep 25, 2013) The 2013 Cyber Security Summit connects executives responsible for protecting their company's critical infrastructure with innovative product, service and solution providers. The one day event, to be held September 25th at the Hilton in New York City, will showcase the latest tools and resources available to defend against cyber crime on both corporate and government levels. Keynote addresses and interactive panel discussions lead by notable security experts will highlight strategic priorities, risk factors, threats and provide inspirational guidance to prepare and protect from attacks.
4th Annual Cybersecurity Summit (Washington, DC, USA, Sep 25, 2013) GEN Keith Alexander, Commander of U.S. Cyber Command, Director of the NSA/Chief, Central Security Service and Dr. Pat Gallagher, Director, NIST are among the distinguished speakers confirmed to keynote at the 4th Annual Cybersecurity Summit on September 25, 2013 at the National Press Club in Washington, D.C.Michael Daniel, White House Cybersecurity Advisor, and Gen. Keith Alexander, Commander U.S. Cyber Command, and Director, NSA, are confirmed to keynote. Cybersecurity topics to be addressed include: the White House Cybersecurity Executive Order, the Cybersecurity Framework and New Emerging Standards for Critical Infrastructure, information sharing, mobile security and BYOD, legislative developments in cybersecurity, big data and cloud cybersecurity, continuous monitoring, cyber situational awareness, and the JIE rollout active defense and cyber warfare. Organized by Billington CyberSecurity™.