The CyberWire Daily Briefing for 9.17.2013
Yesterday's reports of a Belgacom hack are confirmed, along with a possible motive: Belgacom operates undersea telecom cables serving much of the Middle East. The Belgian press accuses GCHQ and NSA because they're capable, well resourced, and, well, much in the news—so far largely an a priori attribution. (Whoever committed it, the Belgacom attack is surely more sophisticated than the attempt by divers to cut the SEA-ME-WE 4 cable off Alexandria back in March of this year.)
Iran opened, then promptly shut down, access to Twitter and Facebook. This was no thaw, just a glitch soon corrected. Iran learned the importance of social media to information operations a few years ago when dissidents made effective use of Twitter during 2009's Green Revolution false dawn; other regimes in the region haven't been dull pupils. The Financial Times offers an overview of relevant national policies.
The BEAST cryptographic attack, thought effectively blocked by client- and server-side mitigations, is apparently still in business: enterprises should guard against man-in-the-middle attacks.
Tor seems increasingly infested by botnets and criminal activity.
Recent warnings of financial markets' vulnerability are reiterated as High-Tech Bridge claims it's found a cross-site scripting vulnerability at Nasdaq. Quartz reports that high-speed automated trading has effectively created "a secret financial market only robots can see."
In industry news, China's ZTE prepares a major push into the European cloud market. Splunk acquires BugSense. NSA is apparently a customer of gray-market zero-day vendor VUPEN.
Some disturbing proof-of-concept research addresses the feasibility of dopant-level hardware Trojans.
Notes.
Today's issue includes events affecting Australia, Belgium, Brazil, Canada, Chile, China, Egypt, France, Germany, India, Iran, Ireland, Israel, Pakistan, Palestinian Authority, Switzerland, Syria, Taiwan, Turkey, United Kingdom, United States, and Yemen.
Cyber Attacks, Threats, and Vulnerabilities
Mid East undersea fibre telco hacked: US, UK spooks in spotlight (The Register) Belgacom infiltrated for past 'two years', cables run through Syria and other hot spots. Belgian telco Belgacom — which operates vital undersea communications cables — says its internal network was compromised, possibly by foreign spooks. Phone and data connections from international hot spots, such as Syria and Yemen, pass through submarine fibre lines handled by Belgacom International Carrier Services (BICS). Security experts suspect the Belgian biz has been infiltrated by state-backed hackers — and NSA and GCHQ have emerged as the prime suspects. Journalists in Belgium
Well that was quick: Iran blocks Facebook and Twitter again after brief "glitch" (Fast Company) On Monday, Iranians had a brief taste of the social media the rest of the world has access to before the country's censorship portcullis clanged down again this morning, with the authorities citing a "technical glitch." The news will come as a big disappointment to Twitter users in the country, who were rejoicing at what they thought was a lifting of the country's firewall, which limits access to many Western sites. Thomas Erdbrink, Tehran bureau chief for the New York Times, tells the story in his tweets
Social media becomes weapon in Middle East propaganda battles (Financial Times) "If you can't beat 'em, join 'em" seems to be the Turkish government's new approach to Twitter, which it had earlier blamed as "the worst menace to society". The ruling Justice and Development Party (AKP) has enlisted thousands of supporters to take to the internet, training about 6,000 people to set out the "correct" version of events, using outlets such as Facebook, Twitter and Instagram
Social networks: a threat source and a business resource (Kaspersky Lab Business) The middle of August was marked by several reports of Facebook security issues, all of them quite scandalous. Even though they didn't cause any catastrophic consequences for the users, they should not be underestimated. They are another reason for talking about the safety (or hazards) of social media from the point of view of corporate network administrators
V. O. Chidambaram Port Trust India Website Hacked by Sudanese Hackers (HackRead) A Sudanese hacker going with the handle of Al Max Hacker has hacked a high profile official website of V. O. Chidambaram Port Trust based in a port city and a Municipal Corporation in Thoothukudi district of the Indian state of Tamil Nadu
Official Website of Pakistan International Airlines (PIA) Hacked and Defaced by Ch3rn0by1 (HackRead) The official website of Pakistan International Airlines (PIA) has been hacked and defaced by a Pakistani hacker going with the handle of Ch3rn0by1 from P4K-M4D-HUNT3-Z group. The hacked site, which belongs to the call center of Pakistan International Airlines (PIA), was hacked today and left with a deface page along with a note on the home page. The message was expressed in following
Not so fast on BEAST attack mitigations (Threatpost) The BEAST cryptographic attack, once thought to be largely mitigated, has two things conspiring against it to make breaches potentially possible again. Not only has a server-side mitigation essentially been rendered moot by recent research into the RC4 cryptographic protocol, but Apple has yet to enable by default a client-side mitigation into its Safari browser that would keep BEAST at bay, according to research done by Qualys director of application research Ivan Ristic
Oracle Java fails at security in new and creative ways (Naked Security) Oracle Java, easily the most attacked and successfully exploited browser plugin, is on my radar again after finding new ways to fail at security. The first sign of trouble recently was posted on Jerry Jongerius's site, Duckware. He described the embarrassingly broken code signing implementation in the Java Runtime Environment (JRE)
Do you trust your waiter? Hacked bank–card reader TEXTS your info to crims (The Register) Handy money-laundering now bundled with tampered sales terminals. Video A Russian-speaking man casually shows on camera how he can download a punter's bank-card details and PIN from a hacked card reader
Revoyem ransomware sinks to new low (Threatpost) A strain of the Revoyem ransomware, also known as DirtyDecrypt, is aggressively spreading beyond Germany and Great Britain, the first two countries in which it was spotted back in March. A researcher who goes by the handle Kafeine reports on his Malware Don't Need Coffee website that Revoyem is being aggressively distributed internationally
Fake "new voicemail" notification targets Android WhatsApp users (Help Net Security) Malware peddlers have decided to bank on the popularity of the WhatsApp cross-platform IM app for smartphones in order to get users to install malicious apps on their devices, Trend Micro researchers warn
Security Flaw Shows Tor Anonymity Network Dominated by Botnet Command and Control Traffic (MIT Technology Review) The Tor anonymity network is championed as a tool for freedom of speech and anonymity. But the reality is depressingly different, say Internet researchers who have analysed the network's traffic using a security flaw
Who's on Tor? Dissent, bots or porn? (ZDNet) I don't know what the designers of Tor, a network and software used to facilitate anonymous Internet use, really intended when they built it. The PR answer is that they were promoting free speech, but if they were really creating a platform for concealing criminal activity they would have gone about it the same way. Tor is one of those Internet services, like BitTorrent, which is designed to live on without any central administration at all. This enhances — so the theory goes anyway — the anonymity, security and resilience of the network. There's no site for the government or anyone else to shut down that will bring down Tor, nor would it be easy — again, so the theory goes — for the government or any other party to determine who is doing what on Tor
Cybersecurity pro on Nasdaq website: 'I needed 10 minutes to hack' (New York Daily News) Ilia Kolochenko, head of Swiss information security company High-Tech Bridge, says he's repeatedly warned Nasdaq.com that hackers could steal users' browser history or confidential data, but claims the exchange has done nothing to fix the problem. 'It is quite frightening when you think about it,' he says
Security company says Nasdaq waited two weeks to fix XSS flaw (IT World) A Swiss security company said the Nasdaq website had a serious cross-site scripting vulnerability for two weeks before being fixed on Monday, despite earlier warnings
The secret financial market only robots can see (Quartz) What if someone told you the stock market crashed and spiked 18,000 times since 2006, and you had no idea? That's the contention of a group of scientists who study complex systems after analyzing market data, collected by Nanex, since the advent of high-speed trading. While the fallout of computerized algorithms has been seen before, including the infamous 2010 "flash crash," when markets lost nearly 10% of value in just a few minutes, that same kind of sudden volatility is going on all the time, unseen
Fatal crypto flaw in some government–certified smartcards makes forgery a snap (Ars Technica) With government certifications this broken, the NSA may not need backdoors. Raising troubling questions about the reliability of government-mandated cryptography certifications used around the world, scientists have unearthed flaws in Taiwan's secure digital ID system that allow attackers to impersonate some citizens who rely on it to pay taxes, register cars, and file immigration papers
ZeuS/ZBOT: Most Distributed Malware by Spam in August (TrendLabs Security Intelligence Blog) In our 2Q Security Roundup, we noted the resurgence of online banking malware, in particular the increase of ZeuS/ZBOT variants during the quarter. While ZeuS/ZBOT has been around for some time, its prevalence shows that it is still a big threat to end users today
New trend: spam via prepaid cell data plans (MainSleaze) I've recently been complaining to DNA, Elisa and TeliaSonera about a few particularly persistent Finnish B2B mainsleaze spammers in their network. These responses are very enlightening
What CISOs must learn from Bitcoin and a research team at Georgia Tech (Help Net Security) It has been an eventful time in the mobile world with two recent breaking stories revealing vulnerabilities in the security infrastructure for Android and iOS respectively. While vastly different in their nature, both point to a fundamental lesson that CISOs in an increasingly mobile world cannot ignore — when it comes to encryption, read the fine print. Otherwise you may find yourself up the proverbial creek without a paddle (i.e., remediation strategy)
Warning over Garda logo cyber scam (Independent) A cyber crime scam using the logo for An Garda Siochana to con money has become one of the largest and most sophisticated of its kind, it has been claimed
Hackers Post Adult Video on Website of Chile's Ministry of Agriculture (Softpedia) Hackers of Anonymous Chile have published an adult video on the official website of Chile's Ministry of Agriculture. Besides the video, the attackers have also published links to advertise their Facebook and Twitter accounts
£50 Amazon Gift Card Phish makes use of Data URI Technique (ThreatTrack Security Labs) Be wary of emails landing in mailboxes claiming to offer up "complimentary £50 gift cards" from Amazon. The mails, which claim to come from redeemATamazon(dot)co(dot)uk
Thad Cochran Twitter hacked (Politico) On Monday night, the account of Sen. Thad Cochran (R-Miss.) tweeted out what appeared to be a junk link, for losing weight. "Quickly burn off 2+ inches of stomach fat while losing up to 30 lbs of fat in less than 28 days with [link redacted]" Cochran tweeted
Angry Brazilian whacks NASA to put a stop to…er, the NSA (The Register) 'Facepalm' doesn't even begin to describe this one. Multiple NASA websites were defaced last week by a Brazilian hacktivist who may have misread the sites' URLs, because he wasn't protesting about the US space agency giving joyrides to inhuman stowaways — he was protesting against NSA spying
James Lyne: Everyday cybercrime — and what you can do about it (TED) How do you pick up a malicious online virus, the kind of malware that snoops on your data and taps your bank account? Often, it's through simple things you do each day without thinking twice. James Lyne reminds us that it's not only the NSA that's watching us, but ever-more-sophisticated cybercriminals, who exploit both weak code and trusting human nature
Security Patches, Mitigations, and Software Updates
Patch expert wants Ballmer to get to the bottom of buggy Windows, Office updates (IT World) A Microsoft MVP and Windows expert has sent company CEO Steve Ballmer a letter asking him to look into the worrisome trend of releasing sub-standard patches
Apple Fixes 30 Bugs with OS X Mountain Lion, Safari Patches (Threatpost) Apple pushed a handful of patches late last week and updated its OS X Mountain Lion to 10.8.5, improving "stability, compatibility and security" issues and fixing 30 different vulnerabilities in the operating system
Cyber Trends
Real names, real problems: Pseudonymity under siege (IT World) As online services incorporate facial recognition and other biometric technologies to identify users, the notion of participating online using a name not found on your government-issued ID may become a quaint relic of the early Internet
OSINT: You Don't Need to Work for the NSA or GCHQ to Spy on People (Infosecurity Magazine) While the world has been hearing about the surveillance techniques of the spy agencies in the US and UK, the capabilities available to anyone through Open Source Intelligence (OSINT) products have been quietly expanding. A year ago, Jester (th3j35t3r) discussed his 'warbag' of OSINT tools used for data 'collection and collation,' and mentioned products such as Maltego, Creepy and Spokeo. Now, writing in yesterday's Police Oracle in the UK, former policeman and now private investigator Neil Smith gave his own tips and tricks for OSINT. "Police officers and staff often think I want access to police systems to find out information on people but I do not
Social engineering and Phishing attacks are getting smarter, but are employers? (CSO) Study says employers are engaging in awareness training initially, but not all of them are examining the results
Reelection Statistics, Predictability, Big Data Drinking Games and Other Things I Learned This Week (Privacy Perspective) Today, Forbes' Kashmir Hill reported on the work of a man going by the name of "Puking Monkey." This creative electronics tinkerer hacked into his RFID-enabled toll booth pass--a great feature for travelers, especially for us up here in the Northeast who regularly must pass through countless toll booths--and configured it to alert him whenever it was being read. What he discovered was that all over New York City, his E-Z Pass was being tracked--and not just by toll booths
What Would a Real Cyberwar Look Like? (Slate) Dark warnings exaggerate and distort the real risks. Exactly two decades ago, the RAND Corp., an influential think tank, proclaimed that "Cyberwar is Coming!" In 2005 the U.S. Air Force declared it would now "fly, fight, and win in cyberspace." The future of war would surely play out in that fifth domain, on top of land, sea, air, and space. Dark warnings of "Cyber Pearl Harbor" soon became a staple of Washington discourse
Interview: Does Cyber Terror Need to Be Violent to Be Considered a 'War'? (Asia Society) You use Prussian theorist Carl von Clausewitz's conventional notion of war to support your argument that there is essentially no such thing as "cyber war." Doesn't the definition of war continue to evolve? Can cyber attacks be defined as low-grade acts of war? War evolves, no doubt. Humans, unfortunately, constantly find new means to injure and kill each other. Airpower was not around when Clausewitz wrote On War. Nuclear weapons were more than a century away. Battlefields were not IED–infested. So I can't see a good reason why an innovation that has never injured or killed a single human being — cyber-attacks — should prompt us to rethink the notion of war if the Blitz and Hiroshima didn't. Any actual use of force needs to be violent, or potentially violent
Mass Surveillance: A Turning Point in Internet History (Circle ID) So far, the debate on mass surveillance has dwelt on the immense resources made available to the agencies (NSA in the US, GCHQ in the UK), on the technological advantage that enables them to access any data and bypass encryption, and on the lack of proper oversight in those two countries. But in order to make their voices heard by their elected representatives, Internet users around the world need to have an even more complete view of the emerging reality: why have these agencies been allowed to stray far beyond democratic principles, and why for so long? Why have oversight and control been so utterly ineffective? The grievous actions of these agencies might well have continued to escape public attention, had they not been exposed by Edward Snowden
Marketplace
Government cyber security programs mandated to go commercial (Security Info Watch) DHS initiative seeks to 'leap frog' government technology advances into the private sector. Recent congressional hearings have called attention to the need for better cooperation between government agencies and the private sector. An excellent example of how to fulfill that goal of successful public/private partnerships is demonstrated by the work of the Transition to Practice Program (TTP) at the Department of Homeland Security (DHS) Science & Technology (S & T) Directorate
ZTE plans expansion in European cloud computing market (ZDNet) Despite widespread security worries, the Chinese firm is pushing ahead with plans to tap into cloud computing markets based in Europe
NSA Bought Exploit Service from VUPEN (Threatpost) The U.S. government, particularly the National Security Agency, is often regarded as having advanced offensive cybersecurity capabilities. But that doesn't mean that it's above bringing in a little outside help when it's needed. A newly public contract shows that the NSA last year bought a subscription to the zero-day service sold by French security firm VUPEN
Cisco Jumping into Managed Security Services (Channelnomics) Count Cisco Systems among the vendors now offering managed services. The networking giant that holds an extensive portfolio of security technology announced last week it is spinning up a managed security services division to support enterprise and government accounts
Splunk Acquires BugSense, A Platform For Analyzing Mobile Data (TechCrunch) Splunk has acquired BugSense, a mobile analytics platform used by developers to improve app performance and improve quality. Terms of the deal were not disclosed. The transaction is expected to close during Splunk's 2014 fiscal third quarter which ends in October
Hightail buys adeptCloud to make file storage safer in the cloud (VentureBeat) File storage company Hightail acquired security company adeptCloud today, continuing its quest to compete with major names in the cloud file-sharing industry
Mary Galligan Joins Deloitte as a Security Practice Director (GovCon Wire) Mary Galligan, a 25-year FBI veteran and the first female special agent in charge for the bureau's New York field office, has joined Deloitte & Touche LLP as a director in the firm's security and privacy practice
Raytheon names John D. Harris Vice President of Business Development and CEO of Raytheon International, Inc. (MarketWatch) Raytheon Company announced today that it has appointed John D. Harris II vice president of Business Development and Chief Executive Officer of Raytheon International, Inc., effective immediately. Harris succeeds Thomas M. Culligan, who has announced plans to retire from Raytheon, effective December 31. Culligan will serve as a senior advisor to the company during the interim period prior to his retirement
Goldman Sachs to lead Twitter IPO effort (FierceFinance) There's been some confusion as to which banks will handle the Twitter IPO. As the smoke clears, it looks like Goldman Sachs has won the lead spot, with Bank of America Merrill Lynch, Morgan Stanley and JPMorgan Chase also playing major roles. The list of all underwriters will ultimately be very long, as this will be a huge deal. There's a lot of fee revenue to go around fortunately
Products, Services, and Solutions
Utimaco Launches New High-End HSM Series: CryptoServer CSe (Dark Reading) The German manufacturer of Hardware Security Modules (HSMs) launches its new product series SafeGuard CryptoServer CSe. The CSe-Series follows from the extremely successful high-end CS-Series, offering twice the performance and maximum security while keeping total cost of ownership to a minimum
Secure Cellphone Maker GSMK Talks Cryptography In A Post-Snowden World (TechCrunch) In a world where your every move is tracked, what would you pay for a secure cellphone? Dr. Björn Rupp is willing to bet it's about $3,500. His company, GSMK Cryptophone, builds cellphones that are secure from the ground up. Running a home-brew version of Android, they allow for completely secure, end-to-end communication with most, if not all, of the smartphone features the security-conscious
'HoneyDocs' lays irresistible bait for hackers (IT World) Police in Austin, Texas, set up sting operations with cars they have under surveillance, watching for thieves to break into them. Marcus J. Carey's Web service, HoneyDocs — born in the same city — uses the same concept, only with computer files
Boeing Offers Improved Cybersecurity Training and Simulation Tool (Newsroom America) New software developed by Boeing [NYSE: BA] for its Cyber Range-in-a-Box (CRIAB) cybersecurity training tool creates more-realistic virtual environments up to six times faster than previous versions, making the training more effective while decreasing costs
Deep packet inspection key in Intel network aggregation demo (FierceBroadbandWireless) Leipzig, Germany-based ipoque said its deep packet inspection (DPI) software library can be used to help mobile operators classify Internet traffic at the application level, in turn enabling them to provide delay-sensitive apps--such as mobile video and VoIP--with all necessary bandwidth across Wi-Fi, 3G and LTE networks, simultaneously
Google Voice is improving its voicemail security (Graham Cluley) In an attempt to make it harder for people to hack into your voicemail, Google is introducing a couple of new security features to its online telephone service — Google Voice
Post–NSA revelations, Android encrypted texting service released (ZDNet) Following a release last year for iOS devices, startup Wickr has launched an encrypted text messaging service suitable for Android-based smartphones and tablets. Wickr's encrypted text messaging service is now available for Android-based smartphones and tablets following bombshell media leaks documenting the National Security Agency's surveillance programs. The San Francisco-based firm now offers free, international messaging for both Android and iOS platform users, according to a press release
Juniper Accelerates Launch Of Contrail SDN Controller (CRN) Looking to accelerate its push into the burgeoning software-defined networking (SDN) space, Juniper Networks (NSDQ:JNPR) Monday announced the availability of its long-touted Contrail SDN controller, roughly nine months ahead of schedule
Technologies, Techniques, and Standards
A Random Diary (Internet Storm Center) The current discussion about breaking encryption algorithms has one common thread: random number generators. No matter the encryption algorithm, if your encryption keys are not random, the algorithm can be brute forced much more easily than theoretically predicted based on the strength of the algorithm. All encryption algorithms depend on good random keys, and generating good random numbers has long been a problem
CMaaS: the government fightback against modern cyber threats intensifies (Trend Micro Simply Security) We all know the information security landscape is ever changing - a cursory look back at the biggest threats facing IT chiefs even 24 months ago will tell us that. Today's cyber criminals are more sophisticated, motivated and well-resourced than ever before and they're looking to compromise virtually every part of our infrastructure. This requires a new approach to security; one which will enable us to react and defend against cyber threats on a continuous basis
Beyond the Honey Pot (CFO) While some of the biggest companies are looking to go on the attack against cyber criminals, others may find they can get a bigger bang out of common-sense risk management
Proof–based system to secure the car (Help Net Security) The digital systems in today's connected car, including engine, infotainment and telematics systems, provide communications, numerous conveniences, information, safety, maintenance, security and are advancing towards driver minimalist features and even completely self-driving vehicles
Goodbye, Encryption; Hello, FOSS (Linux Insider) Few would deny that the world has changed since the National Security Agency's PRISM surveillance program was revealed, and not for the better. Here in the Linux blogosphere, FOSS fans have been mulling the implications ever since the unsettling news broke back in June, but just recently things have taken on an even darker cast
Proposed changes to WHOIS system called 'extremely disquieting' (CSO) ICANN plan for closed domain name record system criticized over putting too much power into one group's hands. A working group for Internet regulators is under severe criticism for a proposal that would put an end to the openness of the current WHOIS system for domain name registration records
New guidelines aid organisations in improving security teams (SC Magazine) In light of evolving cyber crime, hacktivism and insider threats, the Security for Business Innovation Council (SBIC) - an independent group of security experts from Global 1000 enterprises — has released a report on what it takes for an organisation to create an elite security team
Cloud computing still a security concern: CIOs (CSO) IT leaders taking a conservative approach to the increasingly popular cloud model. Two Australian CIOs are taking a cautious approach to cloud computing, citing fears about the security of cloud service providers. Speaking at the Security Insights forum - hosted by CIO and CSO - Ramsay Health Care CIO Mick Campbell said that the health provider has taken a conservative approach to cloud computing. So far the organisation has only put its email system into the cloud
Private cloud is ill-advised and archaic says AWS boss (ZDNet) Private cloud offers few of the benefits of public cloud services and many of the costs of running on-premise infrastructure says AWS SVP Andy Jassy. Private clouds are often sold as an inevitable stopover for companies on the way to adopting public cloud services. But — perhaps unsurprisingly — the boss of the world's largest public cloud services provider Amazon Web Services disagrees. Private clouds offer "none of the benefits" of public cloud services and many of the costs of running an in-house infrastructure, according to AWS SVP Andy Jassy
How to securely erase an iPhone (ZDNet) Before you hand over your old iPhone to someone else to enjoy, you want to make sure that all your data has been securely erased
Is The Perimeter Really Dead? (Dark Reading) Despite naysayers, many security experts believe perimeter defenses have relevance when deployed as a part of defense-in-depth. Even while mobile, cloud, and software services are blurring the lines of corporate IT boundaries through deperimeterization, enterprises still continue to spend increasing amounts of security budget on perimeter protection. The question is, are they wasting their money? It's one of the most contentious questions in security -- perhaps only behind the one about the usefulness of antivirus. So it is no surprise that the answers are varied
UK Cryptographers Call for Outing of Deliberately Weakened Protocols, Products (Threatpost) A group of cryptographers in the UK has published a letter that calls on authorities in that country and the United States to conduct an investigation to determine which security products, protocols and standards have been deliberately weakened by the countries' intelligence services. The letter, signed by a number of researchers from the University of Bristol and other universities, said that the NSA and British GCHQ "have been acting against the interests of the public that they are meant to serve"
Design and Innovation
Pictures Make Sense of Big Data (Wall Street Journal) Most people have trouble recalling strings of numbers that are longer than their phone numbers. So how do we begin to comprehend a hundred rows of data, let alone a thousand or a million or a billion rows? That's the dilemma so many companies face, thanks to technology advances that make it easier to routinely collect enormous amounts of data
Research and Development
Fast Scanning To Fuel "Golden Age" Of Global Flaw Finding (Dark Reading) A network scanner designed from scratch by three University of Michigan researchers can scan the entire IPv4 Internet in about 45 minutes, drastically reducing the speed at which such scans can be accomplished. Announced at last month's USENIX Security conference, the scanner, dubbed ZMap, uses a modular approach to scanning to speed the process, the pseudo-random selection of IP addresses to avoid overwhelming small networks, and validation of the responses by a separate system to verify the results. The researchers—Zakir Durumeric, Eric Wustrow, and J. Alex Halderman—used the scanner to track protocol use on the Internet, find systems vulnerable to the HTTPS weak key flaw, and discover unadvertised services. Without fast scans of the Internet, many types of research would be infeasible, says Durumeric, a PhD candidate in computer science at the University of Michigan
"Chemical Trojans" baked into circuits could offer invisible way to steal secrets (We Live Security) "Hardware Trojans" could be baked invisibly into circuits by attackers, allowing them to grab secret keys from computer components without fear of detection — even by advanced inspection systems using optical microscopes. The "Trojan" circuits could be used to steal secrets even from highly secure environments such as military installations or banks. The proposed Trojans would not differ from "real" chips in any of their metal components or polysilicon layers — instead, attackers would alter the "doping" of crystals in a few transistors. "Dopants" are trace impurities used to alter the electrical properties of crystals
Encrypted Heartbeats Keep Hackers from Medical Implants (MIT Technology Review) A way to secure implanted devices requires anyone trying to reprogram your defibrillator to touch you first. More than 300,000 wireless electronic medical devices are implanted in people every year in the U.S. Implanted medical devices like defibrillators and insulin pumps now include wireless connections to let doctors or technicians update software or download data—but such improvements could open the door to life-threatening wireless attacks
Massive data analysis fraught with challenges, says National Research Council (FierceGovIT) Federal agencies with missions related to science and technology are funding research that aims to build capabilities for the analysis of massive data, says a new book published by the National Research Council. While authors did not recommend where agencies should increase grant money, they did outline emerging challenges and opportunities agencies should be aware of as massive data analysis becomes a more popular federal-funding area
Academics Launch Fake Social Network to Get an Inside Look at Chinese Censorship (MIT Technology Review) New research shows China's online censorship relies on a competitive market where companies vie to offer the best speech-suppressing technology and services. Nine years after Mark Zuckerberg quit Harvard to build Facebook, one of the university's political science professors, Gary King, decided this year it was time to launch his own social media site. But King didn't set up his Chinese social network to make money; instead, he wanted to get an insider's view of Chinese censorship, which relies on Internet providers censoring their own sites in line with government guidelines. King won't disclose his site's URL, to protect people involved with his project
Academia
(ISC)² Foundation Announces 2013 Information Security Scholarship Recipients (Dark Reading) Three European recipients of scholarships that foster next generation of cybersecurity professionals and research
California school district hires online monitoring firm to watch 13,000 students (Ars Technica) The way Chris Frydrych tells it, monitoring schoolkids' public social media posts and then reporting questionable activities about them daily to school officials is an unquestionable net positive. So his new startup, Geo Listening, does just that. Geo Listening looks for social media posts that deal with depression, despair, online bullying, hate speech, or other words and phrases that may indicate a possible violation of school codes of conduct—whether it's by a student or someone in and around a school's location. Last month, Geo Listening even signed a deal with the Glendale Unified School District
UNO prof gets $87K cybersecurity training grant (Miami Herald) NEW ORLEANS -- A computer science professor at the University of New Orleans has won an $87,000 federal grant to train about 15 high-school teachers from Louisiana, Mississippi and Alabama in cybersecurity as part of a pilot program to get more college students to major in the subject
Legislation, Policy, and Regulation
DIGITS: Ambivalence on civil liberties, terrorism (Salon) When it comes to the balance between civil liberties and the war on terrorism, Americans seem to want the best of both worlds. By an almost 20-point margin in a recent poll, they say it's more important for the government to protect the rights and freedoms of citizens than to keep the public safe from terrorism. Yet by an equally large margin, they say it is sometimes necessary to sacrifice rights and freedoms in order to stop terrorists
Real privacy means oversight (Toronto Globe and Mail) A steady stream of revelations from U.S. National Security Agency whistle-blowing continues to trickle out, and Canada's most secretive intelligence agency made a cameo appearance last week
Confusion at DHS over social media use by investigators (FierceHomelandSecurity) Law enforcement and intelligence officers at the Homeland Security Department have used social media in investigations, but there's not enough guidance to prevent inappropriate activity, the DHS office of inspector general says
Fractured DHS congressional oversight has real world consequences, says report (FierceHomelandSecurity) Fractured congressional oversight of the Homeland Security Department has real world consequences beyond consuming large amounts of DHS officials' time, finds an unofficial task force that includes prospective Homeland Security secretary Thad Allen and the two co-chairs of the 9/11 Commission
National operations center difficult to do without consolidated DHS headquarters, says CRS (FierceHomelandSecurity) Establishment of a national operations center capable of coordinating Homeland Security Department component response to large disasters will be difficult to do in the absence of a consolidated headquarters, says the Congressional Research Service
Litigation, Investigation, and Law Enforcement
Supreme Court Weighs When Online Speech Becomes an Illegal Threat (Wired) The Supreme Court is being asked to decide when an online threat becomes worthy of prosecution, in what could be the first internet speech case to reach the high court's docket for the 2013-2014 term beginning next month
Snowden Uproar Demoralizes Cyber Warriors: Ex–NSA Chief Hayden (Breaking Defense) Media outcry and public uproar over the Edward Snowden revelations have created a deeply demoralizing backlash against the US intelligence community and paralyzed key cybersecurity initiatives, former CIA director Gen. Michael Hayden said today
Fear of 'legal consequences' drove Hopkins' blog controversy (Baltimore Sun) When an interim engineering dean at the Johns Hopkins University asked a well–known cryptography professor to remove a blog post about the National Security Agency from university servers, he said he did so because he feared "legal consequences"
FBI takeover of Tor server leads to arrest (SC Magazine) The testimony of an FBI agent against 28-year-old Irishman Eric Marques - arrested and charged with distributing child pornography online via the anonymous Tor network — all but confirmed that the FBI was involved in exploiting a Firefox vulnerability that aided in the investigation. With charges originating in the United States, Marques — said to be a dual citizen of Ireland and the United States, and the world's largest-ever distributor of child pornography via his Freedom Hosting service — is awaiting an extradition hearing after being denied bail in high court on Thursday, according to reports
Police nab Argentinian teen who hacked money transfer and gambling websites (Naked Security) Argentinian police have arrested a teenager, dubbed "the superhacker", who was allegedly bleeding $50,000 (£31,500) per month out of international money transfer and gambling websites
China broadcasts confession of Chinese–American blogger (Washington Post) Chinese state television on Sunday broadcast a startling video of a famous blogger in handcuffs, renouncing his Web posts and saying how dangerous the Internet would be if left uncontrolled by the government
Upcoming Events
GovConnects Business Breakfast: Surviving Sequestration (Elkridge, Maryland, USA, Sep 17, 2013) This Business Breakfast will feature presentations by seasoned professionals in the field of government contracting as they share best practices for dealing with current challenges of doing business in the time of sequestration, and answer CEOs' questions from legal and accounting perspectives. [Editors' note: this event is expected to be devoted essentially entirely to cyber contracting.]
Shaping the Future of Cybersecurity Education Workshop (Gaithersburg, Maryland, USA, Sep 17 - 19, 2013) The third annual Shaping the Future of Cybersecurity Education Workshop will be held at the National Institute of Standards and Technology (NIST) in Gaithersburg, MD and focus on "Navigating the National Cybersecurity Education Interstate Highway".
NovaSec! (McLean, Virginia, USA, Jun 13, 2013) NovaSec! is Northern Virginia's largest Cybersecurity and physical security networking event of the year. We are bringing together security professionals from commercial and government organizations with members of local Northern Virginia businesses and associations to allow participants to meet, interact on key issues and provide a unified forum to network with like-minded individuals.
Strange Loop (St. Louis, Missouri, USA, Sep 18 - 20, 2013) Meet us in St. Louis, Sept 18-20th, 2013, to make connections with the creators and users of the languages, libraries, tools, and techniques at the forefront of the industry. Find out where we're going…and where we're not. Topics include emerging languages, concurrent and distributed systems, new database technologies, front-end web, and mobile.
ISSA Cyber Security Forum at Ft Belvoir (Fort Belvoir, Virginia, USA, Sep 19, 2013) This event will allow personnel from Fort Belvoir the chance to learn about the latest cyber security trends, network with peers, discuss Army best practices and to view and demo some of the latest cyber security and information technology products/services available today. This is an excellent opportunity for exhibitors to network with key decision makers, cyber, technology, communications and contracting personnel from various commands and tenant units at Fort Belvoir.
CISO Executive Summit (Atlanta, Georgia, USA, Sep 19 - 20, 2013) Be on the forefront of a new global initiative where today's world-class leaders in information security will gather to navigate through international waters. Join these leaders as they follow the wind of change that is sweeping through the IS community motivating today's information guardians to develop a new way of thinking to ensure success in protecting their respective organizations. (At Hacker Halted USA.)
CCBC Leadership Seminar Luncheon: Cyber Awareness: What Employers Need To Know (Owings Mills, Maryland, USA, Sep 20, 2013) , no later than September 13, 2013.
cybergamut Technical Tuesday: Malware Analysis for the Masses (Columbia, Maryland, USA, Sep 17, 2013) With malware becoming more prevalent, and the pool of capable reversers falling short of overall need, there is a greater need to provide quick and efficient malware analysis for network defense. With modern technology and tools, it's now possible for junior security analysts to gather detailed malware indicators to craft defense and alert signatures. More enticing, all of this can be done with free tools and applications, some written by this presenter.
2013 Cyber Security Summit (New York, New York, USA, Sep 25, 2013) The 2013 Cyber Security Summit connects executives responsible for protecting their company's critical infrastructure with innovative product, service and solution providers. The one day event, to be held September 25th at the Hilton in New York City, will showcase the latest tools and resources available to defend against cyber crime on both corporate and government levels. Keynote addresses and interactive panel discussions lead by notable security experts will highlight strategic priorities, risk factors, threats and provide inspirational guidance to prepare and protect from attacks.
4th Annual Cybersecurity Summit (Washington, DC, USA, Sep 25, 2013) GEN Keith Alexander, Commander of U.S. Cyber Command and Director of the NSA/Chief, Central Security Service; Dr. Pat Gallagher, Director, NIST; and Michael Daniel, White House Cybersecurity Advisor, are among the distinguished speakers confirmed to keynote at the 4th Annual Cybersecurity Summit on September 25, 2013 at the National Press Club in Washington, D.C. Cybersecurity topics to be addressed include: the White House Cybersecurity Executive Order, the Cybersecurity Framework and New Emerging Standards for Critical Infrastructure, information sharing, mobile security and BYOD, legislative developments in cybersecurity, big data and cloud cybersecurity, continuous monitoring, cyber situational awareness, the JIE rollout, active defense and cyber warfare. Organized by Billington CyberSecurity™.
The Monktoberfest (Portland, Maine, USA, Oct 4, 2013) Our speakers will explore how social trends can change the way we build and use technology, and how technology in turn can change the way we socialize.
Suits and Spooks NYC 2013 (New York, New York, Oct 5, 2013) Since the landscape is foggy, the threat actors numerous and hard to identify, and the attacks proliferating on a daily basis, the focus of the next Suits and Spooks conference will be to identify non-state aggressors in cyberspace. About twenty speakers will present briefings over two days on hackers, citizen militias, and other non-state entities operating in the Middle East, China, Russia, Pakistan, India, Iran, Africa, South America, the United States (yes - we have non-gov threat actors domestically), and other parts of the world. One of our panel moderators will be Joel Brenner (former National Counterintelligence Executive at the Office of the Director of National Intelligence and former Senior Counsel at the NSA).
Forensics and Incident Response Summit EU (Prague, Czech Republic, Oct 6 - 13, 2013) The Summit will focus on high quality and extremely relevant content as well as panel discussions in Digital Forensics and Incident Response. In addition, we encourage you to take every opportunity to make the most of this event from attending the Summit to registering for one or more of the post-summit training classes taught by SANS' top-rated instructors and course authors. Additional events such as DFIR Netwars, evening talks and the SANS Community Night will be taking place during that week too. This event promises to bring together the leading minds in digital forensics and incident response in the EU, as well as many other practitioners from a wide cross section of industries and company sizes. You will be able to share with all of them your challenges and find out new solutions that work, techniques and approaches you didn't even know existed.
CyberMaryland 2013 (Baltimore, Maryland, USA, Oct 8 - 9, 2013) Join cybersecurity leaders, luminaries and rising stars at CyberMaryland 2013. This two-day event at the epicenter of the nation's cybersecurity innovation and education, will create opportunities for networking and idea sharing amongst the many cyber leaders and professionals across the country, including: federal, state and local government agencies, academic institutions, cybersecurity entrepreneurs, and industry leaders of research and development. CyberMaryland 2013 will address the biggest challenges facing America, including future innovation to meet the security challenges facing our country; collaboration across industry, government and educational institutions; and the development of a generation of cyber-warriors. Surrounding all of these issues is a constantly evolving business framework to provide efficient and effective solutions in a time frame that anticipates and mitigates current and future threats.
2013 Maryland Cyber Challenge (Baltimore, Maryland, USA, Oct 8 - 9, 2013) Held in conjunction with CyberMaryland and intended to let students and young professionals showcase their cybersecurity skills, Maryland Cyber Challenge offers competition in three divisions: high school, collegiate, and industry and government professionals. Orientation sessions for teams in each division will be held at UMBC in July and August. Two qualifying rounds will be conducted online using SAIC's Cyber Network Exercise System.
AFCEA Hill AFB Technology & Cyber Security Expo (Ogden, Utah, USA, Oct 9, 2013) The purpose of this first-time event is to allow base personnel the opportunity to learn about the latest computer security trends, network with peers, share remediation strategies and to view and demo some of the latest cyber security and information technology products/services available today.
International Conference on Cyber–Enabled Distributed Computing and Knowledge Discovery (Shanghai, China, Oct 10 - 12, 2013) The International Conference on Cyber-enabled Distributed Computing and Knowledge Discovery promotes research and development of cyber-related technology. Its scope is unusually broad, spanning cyber-enabled data mining and knowledge discovery, distributed and parallel computing, cyber security, cloud computing, pervasive computing, mobile computing, Internet, wireless networks, cognitive systems, cyber information processing, information discovery, e-health via cyber networks, e-science, web technology, and network performance and tools. Research and development in these areas has received extensive attention in both academia and industry as a way to provide ubiquitous services for users. Various hardware and software designs, algorithms, protocols, simulations, test-beds, and implementations are being developed for distributed computing in an interconnected and distributed network environment. The purpose of CyberC is to provide a forum for presentation and discussion of innovative ideas, research results, applications and experience from around the world, as well as to highlight activities in the related areas.
VizSec 2013 (Atlanta, Georgia, USA, Oct 14, 2013) VizSec brings together researchers and practitioners in information visualization and security to address the specific needs of the cyber security community through new and insightful visualization techniques.
Hack-in-the-Box Security Conference 2013 (Kuala Lumpur, Malaysia, Oct 14 - 17, 2013) The 11th annual HITB Security Conference (16th/17th October) will be a triple track offering featuring keynotes by Andy Ellis, Chief Security Officer at Akamai and Joe Sullivan, Chief Security Officer at Facebook. This year's event also features all new 2-day training courses (14th/15th October) on a wide variety of topics including Android exploitation, extreme web hacking, infrastructure security, exploiting injection flaws and a special iOS security course by the world famous Evad3rs team. The full speaker list and conference agenda will be released after the Call for Papers closes on the 25th of July.
USDA Cyber Security Symposium and Expo 2013 (Washington, DC, USA, Oct 15, 2013) The Cybersecurity Expo, running in conjunction with the Summit, will allow exhibitors the opportunity to provide live demos and share information with government personnel and industry partners. Summit topics will focus on today's vulnerabilities, incidents, security lifecycle, risks and mitigations; it will also identify ways to work together and build a solid security foundation program to meet future challenges and trends in cyber security.
SNW Fall 2013 (Long Beach, California, USA, Oct 15 - 17, 2013) SNW is the world's largest independently produced conference series focused on the evolution of architecture for a new world of mobility, Big Data and business agility. Produced by Computerworld -- and co-owned by Computerworld and the Storage Networking Industry Association (SNIA) -- SNW remains unbiased and vendor agnostic. Unlike events focused on a specific vendor agenda and product portfolio, SNW provides a forum of open thought leadership and practical education that defines the spectrum of storage, data and infrastructure solutions available to a highly qualified audience of enterprise technology decision-makers.
Hexis Exchange (Athens, Greece, Oct 16 - 17, 2013) Attendees will have the opportunity to participate in a knowledge exchange of the latest enterprise security topics through expert led business and technology forums, hands-on sessions, and training. Such topics will include: emerging cybersecurity threats, big data management, advanced analytics, government regulation & compliance, and data retention challenges & solutions.
Cybersecurity Symposium: "Protect. Defend. Educate." (Linthicum, Maryland, USA, Oct 16 - 17, 2013) The Cybersecurity Symposium being held October 16-17, 2013, will deliver first-class training for government and industry security professionals while simultaneously offering high-level keynote speakers, essential networking opportunities, and an informative technology exposition. The Symposium sessions will have a special emphasis on security challenges facing today's security professionals and cyber awareness training for security professionals responsible for protecting sensitive and classified information from the ever increasing threats of mobile devices, espionage, terrorism, and cyber-attacks to ensure our national security. Register by August 31 to ensure the reduced early bird registration fee. This event is free for government employees and active-duty military personnel. Exhibit space and sponsorship opportunities are also available.
Nuclear Regulatory Commission Cyber Security Conference & Expo (Rockville, Maryland, USA, Oct 17, 2013) This one-day conference will consist of cyber sessions in the NRC Auditorium given by government and industry speakers. Exhibit tables will be set-up just outside the Auditorium and companies will have the opportunity to demo their latest technologies to NRC's IT personnel.
13th Industrial Control Systems Cyber Security Conference (Atlanta, Georgia, USA, Oct 21 - 22, 2013) Industrial Control Systems (ICS) operate the infrastructures of electric power, water, chemicals, manufacturing, transportation, defense, etc. and link the digital and physical worlds. Their cyber security presents challenges that are distinct from securing traditional IT systems. The conference is attended by control & operations engineers and their IT counterparts from critical infrastructure industries, by ICS and security vendors, and by universities. Run under the Chatham House rules of confidentiality, the conference discusses ICS cyber incident case studies, provides regulatory updates, discusses solutions in the form of policies and procedures, presents demonstrations of hacking ICS and ICS protocols, and provides a status of ICS security solution field demonstrations.
Cloud Connect (Chicago, Illinois, USA, Oct 21 - 23, 2013) Cloud Connect returns to Chicago October 21-23, 2013 with an all new program built around the leading cloud platforms. Cloud Connect provides the independent guidance IT professionals need to successfully build, operate and manage the cloud, and the tools to measure application performance and business metrics.
cybergamut Technical Tuesday: Cyber Security Strategy — Why We're Losing and What's Needed to Win (Columbia, Maryland, USA, Oct 22, 2013) Steve Chabinsky of CrowdStrike explains the situation. Everybody seems to be spending more on cybersecurity, but with questionable return on investment. In fact, the problem clearly is getting worse, and current strategies show no indication of reversing that trend. This non-technical presentation explores the typical cyber risk environment, considers the proper balance and likely effectiveness of threat deterrence, vulnerability mitigation, and consequence management to reduce cyber risk, and examines the current and evolving roles of government agencies and the private sector in addressing the problem. Backed by powerful, real-world examples of threat actor tactics, this presentation will help managers develop a better understanding of how their current security approach is most likely to succeed or fail over time, and what strategies are the most likely to shift the advantage to the good guys. cybergamut is co-hosting this event with the Maryland Chapter of InfraGard.
Cyber Security Seminar and IT Expo at Peterson AFB (Colorado Springs, Colorado, USA, Oct 22, 2013) The Cyber Security Seminar and IT Expo is a one-day event held on-site where industry vendors will have the opportunity to display their products to personnel attending briefings concerning the latest updates in Cyber Security Awareness. This is an excellent and unique opportunity to meet IT personnel from USNORTHCOM, NORAD, Army Space Command, USSPACECOM, and the 21st Space Wing all in one day.
Joint Federal Cyber Summit 2013 (Washington, DC, USA, Oct 23 - 24, 2013) This collaborative government wide event is truly one of a kind, with speakers and attendees anticipated to represent more than 10 federal government agencies. Information sharing will be accomplished through keynote speakers on both days, along with numerous targeted breakout sessions (including a session with a federal CISSO panel), hands on live demonstrations, and industry exhibits.
2013 ACT–IAC Executive Leadership Conference (Williamsburg, Virginia, USA, Oct 27 - 29, 2013) Advances in technology and massive increases in data available can both challenge and transform Government mission performance. ELC-2013 focuses on how to make this transformation a reality, in and for agencies. We will hear from nationally prominent speakers and work across government and industry to learn new ideas and techniques. Four mission-oriented tracks will focus on initiatives for driving results using data and the "Innovate, Deliver, Protect and Analyze" paradigm that is at the heart of the Government's strategic vision.
SAP NS2: National Security Solutions Summit (Falls Church, Virginia, USA, Oct 29, 2013) Join us for a day of learning and networking focused on how to advance U.S. national security and homeland security through I.T. innovation. Top-notch speakers will address the new challenges facing U.S. national security and critical infrastructure -- as well as powerful, affordable technologies that are available today to tackle those challenges while saving money and simplifying operations. Learn how your organization can run faster, smarter, leaner in the most secure environments -- with world-class, breakthrough solutions that are bold alternatives to business as usual.
Regional Cyber Security Forum & IT Day (CSFI) — Hawaii (Honolulu, Hawai'i, USA, Oct 30, 2013) 2013 marks the 10th anniversary of National Cyber Security Awareness Month, and FBC will host the 1st Annual Cyber Security Forum & IT Day (CSFI) at Fort Shafter - Club Hale Ikena to coincide with the anniversary and the activities surrounding this month. The goal of CSFI is to raise cyber security awareness and to promote best practices in cyber while allowing DoD personnel and industry partners the opportunity to share the most up-to-date remediation strategies. The event will feature four educational cyber sessions to go along with an exhibit hall.
NSA Hawaii — Cyber Security, Intelligence & IT Day (Honolulu, Hawai'i, USA, Oct 30, 2013) Be a part of the 1st Annual Cyber Security, Intelligence and IT Day set to take place at the new National Security Agency (NSA) Hawaii Rochefort facility. The event will be hosted by NS/CCS Hawaii Technology Directorate and will focus on Cyber Security, Big Data and Cloud Computing. There are other areas of interest listed below as well. This is an extremely unique opportunity to network with NSA personnel in Hawaii at their location. Educational sessions will be provided to attendees to coincide with government and industry exhibits.