The CyberWire Daily Briefing for 9.23.2013
Normal Middle Eastern and South Asian cyber rioting aside, the major international story as the week begins involves continuing exploitation of Internet Explorer vulnerabilities. One campaign, "DeputyDog," is particularly active in Japan and China. It's apparently using some of the same hosting infrastructure that enabled February's attack on Bit9.
An iOS7 lockscreen flaw enables hackers to exploit stolen iPhones to make free phone calls (free to the crooks—the phones' legitimate owners are stuck with the tab). Germany's Chaos Computer Club claims to have defeated the iPhone 5s fingerprint sensor (reward pending other researchers' verification of the claim). Apple issues some fixes as it works on others.
The cyber criminal economy continues to advance in sophistication (market for infected botnets, DIY DoS) without giving up its low-end commodities (fake followers, adware). Australia has become an important transit point for cyber crime. "Chop-shop" electronics show the (severe) limitations of static approaches to supply-chain security like certification.
CSO runs a good brief account of what makes SCADA security particularly challenging. The US Energy Department announces contracts for grid security R&D.
In industry news, European insurers awaken to the cyber protection market. FireEye rang NASDAQ's opening bell Friday; its IPO beats expectations. BlackBerry announces disappointing earnings and major layoffs as a much-anticipated product launch is deferred. Huawei spurns US and expands in Europe.
The EU considers a common privacy law. The US Presidential surveillance panel is widely criticized (we think prematurely) as tame and supine. LinkedIn faces a class-action privacy lawsuit.
Today's issue includes events affecting Australia, Bangladesh, Belgium, Brazil, Burundi, Canada, China, European Union, France, Germany, India, Ireland, Israel, Japan, Jordan, Democratic People's Republic of Korea, Republic of Korea, Pakistan, Palestinian Territories, Romania, Russia, South Africa, Spain, Switzerland, Syria, Turkey, United Arab Emirates, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
AnonGhost Hacks and Defaces 75 Israeli Websites (HackRead) The online hacktivist AnonGhost has hacked and defaced 75 Israeli websites from 15th to 19th September. AnonGhost left a deface page along with a message on all hacked websites, displaying a message against Israel. The deface page was left with the following words: Dont panic Israel, we are the same people and now we are back to punish you again. These are just some bombs of resistance.. We are anongost and we
Cyber War Continues as Indian Hacker Hacks Bangladeshi Prime Minister Office Website (Hackread) Famous Indian hacker going with the handle of Yamraaj has hacked and defaced one of the official websites of Bangladeshi Prime Minister Office dealing with the NGO Affairs Bureau (NGOAB) along with three other high profile Bangladeshi government websites. Hacker left his deface page along with a simple note on all hacked sites. The note was expressed in the following words: Hacked by Yamraaj! Yamraaj was here
Pakistani Hackers Defaces Google, Google Images and Google Translator Domain for Burundi (HackRead) A Pakistani hacktivist group going with the handle of Team Madleets have hacked and defaced five (5) official Google domains designated for the Republic of Burundi a few minutes ago. The defaced domains include 3 Google Search Engine domains, Google Images and Google Translator. All domains were defaced by three different hackers from Team Madleets going with the handle of 1337, H4x0r Hussy and Invectus, left
Palestine Ministry of Justice Website Hacked and Defaced by Jordanian Hacker (HackRead) A Jordanian hacker going with the handle of Evil–Jo has hacked and defaced the official website of Palestine Ministry of Justice yesterday night. Hacker left a deface page along with a message on the hacked website but reason for targeting the Ministry of Justice websites was not mentioned anywhere. However, hacker did bash admin for poor site security
Operation DeputyDog: Zero-Day (CVE-2013-3893) Attack Against Japanese Targets (FireEye Blog) FireEye has discovered a campaign leveraging the recently announced zero-day CVE-2013-3893. This campaign, which we have labeled 'Operation DeputyDog', began as early as August 19, 2013 and appears to have targeted organizations in Japan. FireEye Labs has been continuously monitoring the activities of the threat actor responsible for this campaign. Analysis based on our Dynamic Threat Intelligence cluster shows that this current campaign leveraged command and control infrastructure that is related to the infrastructure used in the attack on Bit9
Threat Level Yellow: Protection recommendations regarding Internet Explorer exploits in the wild (Internet Storm Center) FireEye has posted Operation DeputyDog: Zero-Day (CVE-2013-3893) Attack Against Japanese Targets, which describes the campaign they've discovered leveraging the recently announced zero-day CVE-2013-3893. The writeup includes details and samples. The Internet Storm Center is beginning to see increased evidence of exploits in the wild regarding Microsoft Security Advisory 2887505. Accordingly, we're moving the InfoCon up to Yellow
DeputyDog attack targets latest IE zero day (Register) Security researchers have spotted two new targeted attack campaigns aimed at organisations in Japan, China and elsewhere in Asia, one of which exploits a
Q&A: Attackers target Internet Explorer zero–day flaw (USA TODAY) Attackers are using this zero day security hole to target IE 8 and IE9. It's called a zero day because there is no patch for the vulnerability right now, though
Another iOS 7 lockscreen hole opens up — call anywhere in the world for free! (Naked Security) Another iOS 7 lockscreen bypass has surfaced: this one lets you call anywhere in the world for free. OK, not really "for free" — someone has to pay, and that's the owner, who probably assumed that the phone lock actually locks the phone part of the phone
Chaos Computer Club claims to have "cracked" the iPhone 5s fingerprint sensor (Naked Security) The biometrics team of Germany's well-known Chaos Computer Club claims it has "cracked" Apple's Touch ID system. From a fingerprint left on glass, the team claims to have used a technique documented by the CCC back in 2004 to produce a "fake finger"
7 ways to beat fingerprint biometrics (IT World) Apple's embrace of finger scanning technology in the iPhone could be a breakthrough moment for biometrics. But finger scanners are no panacea. Here are 7 ways hackers have figured out to fool them
BLYPT: A New Backdoor Family Installed via Java Exploit (TrendLabs Security Intelligence Blog) Recently, we have observed a new backdoor family which we've called BLYPT. This family is called BLYPT because of its use of binary large objects (blob) stored in the registry, as well as encryption. Currently, this backdoor is installed using Java exploits; either drive-by downloads or compromised web sites may be used to deliver these exploits to user systems. Our research shows that the servers behind these attacks are mainly centered in Romania and Turkey
Tens of thousands of fake Twitter accounts passed off and sold as 'followers' (Virus Bulletin) After initial takedown, more efforts put into making new fake accounts look genuine. Virus Bulletin's research into a scam selling fake Twitter accounts being passed off as 'followers' has helped in the takedown of more than 45,000 such accounts - but has also shown that the scammers are upping their game
Cybercriminals sell access to tens of thousands of malware-infected Russian hosts (Webroot Threat Blog) Today's modern cybercrime ecosystem offers everything a novice cybercriminal would need to quickly catch up with fellow/sophisticated cybercriminals. Segmented and geolocated lists of harvested emails, managed services performing the actual spamming service, as well as DIY undetectable malware generating tools, all result in a steady influx of new (underground) market entrants, whose activities directly contribute to the overall growth of the cybercrime ecosystem. Among the most popular questions the general public often asks in terms of cybercrime, what else, besides money, acts as key driving force behind their malicious and fraudulent activities? That's plain and simple greed, especially in those
Cybercriminals experiment with 'Socks4/Socks5/HTTP' malware–infected hosts based DIY DoS tool (Webroot Threat Blog) Based on historical evidence gathered during some of the major 'opt-in botnet' type of crowdsourced DDoS (distributed denial of service) attack campaigns that took place over the last couple of years, the distribution of point'n'click DIY DoS (denial of service attack) tools continues representing a major driving force behind the success of these campaigns. A newly released DIY DoS tool aims to empower technically unsophisticated users with the necessary expertise to launch DDoS attacks by simultaneously utilizing an unlimited number of publicly/commercially obtainable Socks4/Socks5/HTTP-based malware-infected hosts, most commonly known as proxies
Yet another 'malware–infected hosts as anonymization stepping stones' service offering access to hundreds of compromised hosts spotted in the wild (Webroot Threat Blog) The general availability of DIY malware generating tools continues to contribute to the growth of the 'malware-infected hosts as anonymization stepping stones' Socks4/Socks5/HTTP type of services, with new market entrants entering this largely commoditized market segment on a daily basis. Thanks to the virtually non-attributable campaigns that could be launched through the use of malware-infected hosts, the cybercrime underground continues to seek innovative and efficient ways to integrate the inventories of these services within the market leading fraudulent/malicious campaigns managing/launching tools and platforms. Let's take a peek at one of the most recently launched services offering automatic access to hundreds of
Australia main conduit for cyber attacks (Sydney Morning Herald) According to a report by cyber security firm Trend Micro, 32 per cent of targeted attacks in the second quarter of 2013 involved a command and control server
Adware, 2013–style, still thrives (ZDNet) Adware hasn't been a topic of much discussion in years, but it's still out there. Ad injector software inserts ads into the web pages you view, modifying the structure of the page. These ads are sold to legit advertisers through a web of networks, exchanges, and other intermediaries
The Hidden Dangers of Chop–Shop Electronics (IEEE Spectrum) Clever Counterfeiters sell old components as new, threatening both military and commercial systems
Extent of NSA metadata swoop suggests access to Indian operators (The Hindu) As fresh details emerge regarding the extent of the National Security Agency's snooping on India, the mystery of roughly 6.2 billion bits of metadata accessed
Security Patches, Mitigations, and Software Updates
Apple releases iOS 7.01, fixing iPhone 5S fingerprint sensor bug (Graham Cluley) Apple has released an update to its iOS 7 smartphone operating system, fixing a bug in its fingerprint scanner
Apple works to plug security hole in iOS 7 (FierceMobileIT) Apple is working on a fix to a security hole in iOS 7, which enables a hacker to bypass the lockscreen on iOS devices, reports AllThingsD. Once an attacker is able to bypass the lockscreen, he or she is able to access an iPhone or iPad user's stored photos, as well as the email and web services accounts the owner uses to share the photos, the report explained
Identifying The Big Dogs Of Cyber War (Cyberwarzone) Over the last decade Internet security firms (especially Kaspersky Labs and Symantec) have been increasingly successful at identifying the hacker organizations responsible for some of the large-scale hacker attacks on business and government networks. The latest group to be identified is from China and has been called Hidden Lynx. This group appears to contain 50-100 hackers (as identified by their coding style) and is believed to be largely responsible for a large scale espionage campaign ("Operation Aurora") in 2010 and is still active
5 'more' reasons SCADA security is fragile (CSO) Industrial control systems (ICS), like any complex system, are vulnerable to accidents and attacks. These systems that help maintain our way of life are fragile and in many cases are unable to mitigate cyber attacks
Data Exfiltration in Targeted Attacks (TrendLabs Security Intelligence) Data exfiltration is the unauthorized transfer of sensitive information from a target's network to a location which a threat actor controls. Because data routinely moves in and out of networked enterprises, data exfiltration can closely resemble normal network traffic, making detection of exfiltration attempts challenging for IT security groups
Consumers Consider Data More Valuable Than Their Devices (The Herald) Kaspersky Lab's study revealed that following a cyber attack, more than 60 per cent of victims are unable to retrieve all the data that had been compromised
Big Problems In Big Data (SecurityWeek) Hi, my name is Mike, and I'm a big data skeptic - especially when it comes to security. It's pretty clear this puts me in the minority, especially among the noise-makers - the Rolling Thunder Big Data Revue is in full swing, passing through airports and filling billboards all over town. I don't mean to be Mr. Grinch, but I can't shake the feeling that our industry is like a dog chasing a car — heaven knows what we'll do if we catch it! I don't mean to overplay my hand. Big data isn't a bad idea — I just see a mismatch between the hopes and the likely near-term delivery. Just look at recent history — it's not saying all that much to suggest that SIEM deployments haven't been the source of joy and endless security boon that was hoped for. (Too much doggle in the boon, perhaps? No, that'd be a step too cynical.) Here's the problem: data mountains need data mountaineers. The data won't analyze itself
Apple Hacker: Mobile Malware Threat Overrated (InformationWeek) Android and iOS exploit expert Charlie Miller says businesses have more pressing security concerns than today's minuscule amount of mobile malware. So says veteran vulnerability hunter and exploit writer Charlie Miller, who's an expert at finding new and innovative ways to own people's Android and iOS devices. At last year's Black Hat conference in Las Vegas, for example, he demonstrated how a malicious near-field communication (NFC) tag, when brought within a few centimeters of an Android device, could be used to exploit several vulnerabilities and take control of the smartphone
Would you like fries with that iPhone? (FierceMobileIT) With employees bringing their own hardware, chief information officers are increasingly becoming service providers for the enterprise, observed panelists at GigaOm's Structure: Europe conference being held this week in London. CIOs need to accept that they no longer have control over IT infrastructure, advises Jon Collins, an analyst with Inter Orbis and GigaOm Research
Protecting energy infrastructure from cyber attack (Energy Global) US Energy Secretary Ernest Moniz has announced awards totalling US$ 30 million for the development of tools and technologies to strengthen protection of the country's electricity grid and oil and gas infrastructure from cyber attacks. Energy organisations in California, Georgia, New Jersey, North Carolina, Tennessee, Virginia and Washington State are going to start developing new systems and frameworks as well as services that will advance the US DOE's plans for a more resilient energy delivery and control system
Energy Dept. gives Pullman company $13 million grant (KREM) The U.S. Energy Department just rewarded Schweitzer Engineering Laboratories a multi-million dollar award. The Pullman company is tasked with developing technologies to better protect the nation's electric grid from cyber-attack
Microsemi licenses security IP from cryptography research (EE Herald) Microsemi has licensed Security IP from Cryptography Research of Rambus to build tamper-resistant semiconductor chips for certain government applications
European insurers discover cyber protection market (Bangkok Post) "But above all, it's a major cost factor. Informing those affected by any cyber attack can be very costly," Lienau said. And it can also seriously damage a company's
We don't enable backdoors in our crypto products, RSA tells customers (Ars Technica) RSA, the security firm that confirmed two of its products by default use a crucial cryptography component reportedly weakened by the National Security Agency
Is 'Shadow' the creepiest startup ever? No, CIA investment Palantir still owns that crown (Telegraph) Shadow. It's the kind of name Jonathan Franzen would give to a startup in a heavy-handed satire on the internet culture he so thoroughly misunderstands. In fact, it could have been ripped straight out of Dave Eggers' new novel, The Circle, which kicks out at Google, Facebook and the over-sharing culture that has young people by the throat. And yet, Shadow is nowhere near as creepy as the name suggests or an article headlined "Is Shadow the most sinister startup ever?" tries to claim. All Shadow has is a perception problem
CSC Secures Government Contract — Analyst Blog (NASDAQ) Computer Science Corporation (CSC) has been chosen by the U.S. Department of Homeland Security to provide cyber security solutions for government
FireEye's debut signal red hot interest in cyber security (Business Spectator) "This is good for everybody in security," George Kurtz, CEO of cyber security start-up CrowdStrike, said of the FireEye IPO. "It shows that there are a lot of legs in
Why Price FireEye IPO Above Market Range? (Bloomberg) FireEye Chairman and CEO David Dewalt discusses the company's IPO with Mark Crumpton on Bloomberg Television's "Money Moves"
FireEye: Got Everything That A Security Firm Needs, Except The Profits. (Seeking Alpha) FireEye (FEYE) is offering 14,000,000 shares of its common stock in the price range of $15 and $17 per share. The expected listing date is September 20, 2013 on NASDAQ Global Select Market. (Source: IPO prospectus)
BlackBerry expects $1B loss, will slash staff, reduce handset range (IT World) BlackBerry lost close to $1 billion in the July to September quarter as users abandoned its once-dominant platform
BlackBerry BBM for Android and iOS launch scuppered by unofficial app release (Graham Cluley) Another PR nightmare for BlackBerry, as its BBM for iOS and Android launch is halted after an unreleased version of the BBM for Android app was posted online
BlackBerry Nears the End as Jobs Disappear and Losses Mount (Wired) After a year during which investors first gave BlackBerry another chance, then threw up their hands, shares have plunged again on more bad news
BlackBerry's tough spot: Keep enterprises, find buyer pronto (ZDNet) BlackBerry will have to sell itself quickly if it has much hope keeping enterprise customers in the fold. Analysts expect the Z10 meltdown to impact the company's mobile device management dreams
Hundreds riot at Foxconn's China factory (ZDNet) Armed workers at a Foxconn factory in China fight with counterparts from another province, resulting in dozens hospitalized and three reportedly killed, according to media reports. But the hardware manufacturer denies the deaths
More Than 1 in 5 Cyber Jobs Vacant at Key DHS Division (Nextgov) More than one in five jobs at a key cybersecurity component within the Homeland Security Department are vacant, in large part due to steep competition in recruiting and hiring qualified personnel, according to a new report by the Government Accountability Office
ILS takes pole position in ABI's M2M security market assessment (FierceMobileIT) ILS Technology is the top vendor in the machine-to-machine security market, followed by Axeda and Sierra Wireless, according to a competitive market assessment conducted by ABI Research
Huawei to create 5,500 jobs in Europe, rebels against 'groundless' exile from US (ZDNet) In a bid to expand its reach in Europe, the Chinese telecommunications equipment manufacturer is due to embark on a hiring spree
NSA spying fiasco sending customers overseas (ComputerWorld) NSA spy program could lead to loss of business for some hosting vendors, experts say. The spectacle of National Security Agency contractor Edward Snowden exposing the covert spying nature of US federal officials has sent ripple waves through the technology industry — especially in the outsourcing arena
This is how the fear of government snooping takes its toll on tech companies (Quartz) Two very different technology offerings were dropped on Thursday because of fears that the US and China might be trying to spy on the customers using them
SAIC executive preparing to take the reins (Washington Post) Moraco, who previously headed SAIC's intelligence, surveillance and reconnaissance group, will lead one of the new companies, a government services
Products, Services, and Solutions
BT Launches Virtual CSO Service (Security Week) BT has launched a new managed security service designed to provide customers with the full development, management and operation of an enterprise information security team
Oracle's Ellison promises 'ungodly' database speed with new in–memory option (InfoWorld) Oracle CEO Larry Ellison has thrown his gauntlet down in the burgeoning market for in-memory computing, announcing a new option for Oracle's flagship database at the OpenWorld conference in San Francisco. The in-memory option delivers "ungodly" performance improvements, Ellison claimed, and targets both transactional and analytic workloads
Freescale launches gateway platform for the 'internet of things' (VentureBeat) Freescale and Oracle are announcing an initiative to create standards for gateways that can deal with a flood of data from devices associated with the "internet of things." The internet of things refers to the vision of instrumenting everyday devices with sensors and connectivity so that they can send data over the internet that can be crunched in excruciating detail to gain insights about our homes, businesses, or environment
Nirvanix cloud storage shutdown put off until at least 15 October (CloudPro) Aorta Cloud's efforts to keep enterprise cloud storage service up and running should guarantee data access for some time yet. UK-based Aorta Cloud has assured Nirvanix customers that it is working on guaranteeing the continuity of the firm's services beyond 15 October
Postal Service Prepares to Sell Email Encryption (Nextgov) As reports of mail workers monitoring letters surfaced this summer, the U.S. Postal Service was applying to trademark merchandise aimed at preventing snoops — outside the government — from hacking online communications. The potential product line underscores the struggle agencies face in balancing privacy and national security — all while trying to keep the government funded
Firefox burns Chrome in our trustworthy browser poll (Naked Security) About a month ago I asked Naked Security readers: Which web browser do you trust? Your answer was emphatic: it's Firefox, and it accrued almost twice the number of votes of its nearest rival, Google Chrome
Google offers Quickoffice for free (FierceMobileIT) Google (NASDAQ: GOOG) is making Quickoffice, a mobile app for editing Microsoft Office files, available to iOS and Android users for free. All users need is a Google account
Technologies, Techniques, and Standards
Collaboration is key in enterprise security puzzle (ComputerWeekly) Collaboration is the key to successful information security. For example, UK national threat intelligence became much richer when it was expanded to include other government departments, according to former MI5 chief Eliza Manningham-Buller
Tips on Managing Incident Investigations (GovInfoSecurity) Faced with the growing threat of breaches, cyber-attacks and fraud, more organizations are ramping up their efforts to build robust incident response strategies that identify how an investigation would proceed and what data would need to be collected
Dolloping out Threat Intelligence (Dark Reading) There's a saying that too much of a good thing can be bad for you. We normally apply it to things like ice cream and chocolate, but the saying also applies to the threat intelligence world. You'd think that by doubling or even quadrupling the number of streaming intelligence feeds in to your organization you'd be better off - better informed and more secure - unfortunately you're likely to be wrong
3 Steps To Keep Down Security's False-Positive Workload (Dark Reading) A high rate of false positives is a problem that affects many types of security systems, but a few proactive steps can help cut them down to size
Choosing, Managing, And Evaluating A Penetration Testing Service (Dark Reading) The right pen testing service can make your data more secure. The wrong one could introduce risk. Here's how to tell the difference
DIY security: Cool tools you can build yourself (IT World) DIY electronics is entering a golden age with the help of powerful, cheap, programmable devices like the Arduino micro controller and Raspberry Pi mini computer. But the DIY potential of these new platforms isn't limited to consumer applications. Here's a look at some security tools you can make yourself
Industry Launches Global Certification Effort Targeting Critical Infrastructure (Help Net Security) It's no secret that critical infrastructure is at risk from aging, legacy technology, a lack of up-to-date security practices and a lack of professional training. But a new collaborative has been established to develop a vendor-neutral certification for industrial control security. The snappily-named Global Industrial Cyber Security Professional (GICSP) certification will be developed by a new industry collaborative, in conjunction with the Global Information Assurance Certification (GIAC)
Google's Plan To Kill Cookies (InformationWeek) Google proposes anonymous identifier for advertising, or AdID, to replace cookies used by third–party marketers. Google would benefit — but would consumers
Defending Against Watering–Hole Attacks (Akamai) A researcher at Cisco Systems published a blog post yesterday that Akamai customers and the larger security community should be aware of. The subject: "watering–hole" attacks. It's something Cisco researchers — and Akamai's CSIRT team — have been tracking for some time. In May, Threat Research Engineer Jaeson Schultz wrote about the increasing popularity of the attack technique. He wrote at the time, "'Watering Hole' attacks, as evidenced by the recent attack involving the U.S. Department of Labor, are becoming increasingly popular as alternatives to attacks such as Spear Phishing. In a 'Watering Hole' attack, the attacker compromises a site likely to be visited by a particular target group, rather than attacking the target group directly. Eventually, someone from the targeted group visits the 'trusted' site (A.K.A. the 'Watering Hole') and becomes compromised"
Design and Innovation
Companies get worse at truly innovating the more financial analysts cover them (Quartz) The more financial analysts cover a company, the worse it is at innovating. That's one hypothesis you could arrive at by reading Harvard professor Clayton Christensen's classic business tome The Innovator's Dilemma. Now researchers Jack He and Xuan Tian have lent statistical support to the idea, with a study tracking more than 2,000 publicly listed US companies over 12 years that measured innovation through the number of patents filed and the number of times each patent was cited in academic papers
'HopHacks' puts Hopkins students' skills on display (Baltimore Sun) A 36-hour, sleepless, caffeine-fueled, mad-rush of computer programming
NYU–Poly hacking competition promotes cybersecurity (NYU Washington Square News) The event, sponsored by Google, Facebook and the Department of Homeland Security, capped off NYU-Poly's Cyber Security Awareness Week in an effort to
Legislation, Policy, and Regulation
Rather than walling off from NSA, Brazil should welcome whistleblowers (NetworkWorld) Rather than seal itself off from the U.S.-centric Internet, Brazil would more effectively fight spying by the National Security Agency by welcoming whistleblowers like former NSA contractor Edward Snowden, an expert says. Eli Dourado, a member of the U.S. delegation to the World Conference on International Telecommunications (WCIT) last December, said Friday that Brazil's anger over learning that its president, state-owned oil company and citizens were spied on is understandable. However, the country's solution is "exactly backwards."
European Commission calls for single privacy law in wake of PRISM snooping (Naked Security) The European Commission is hoping to restore trust and growth in the data-driven economy with new cross-national data protection laws
Close Ties Between White House, NSA Spying Review (ABC News) Stung by public unease about new details of spying by the National Security Agency, President Barack Obama selected a panel of advisers he described as independent experts to scrutinize the NSA's surveillance programs to be sure they weren't violating civil liberties and to restore Americans' trust. But with just weeks remaining before its first deadline to report back to the White House, the review panel has effectively been operating as an arm of the Office of the Director of National Intelligence, which oversees the NSA and all other U.S. spy efforts
The NSA Review Panel Is An Even Bigger Joke Than We Previously Thought (TechCrunch) Today the AP reported that President Barack Obama's promised NSA review panel is channeling the entity that it is supposed to inspect, hiding behind layers of government bureaucracy and obfuscating its work
Making The Case For The NSA — at Last (Wall Street Journal) President Obama says he wants a debate on surveillance, but until recently only critics have been heard. This month, voices on the other side emerged to correct the record on how the National Security Agency operates. That's important. The last time the government restricted surveillance and intelligence sharing in the name of privacy, in the 1990s, the result was 9/11
NSA posts opening for privacy officer (Hillicon Valley) The National Security Agency has posted a job opening for a privacy and civil liberties officer. The position was first mentioned last month, when President Obama outlined his plans to bring more transparency to the NSA surveillance programs. A White House press release said the agency was "taking steps to put in place a full time Civil Liberties and Privacy Officer"
The Effects Of The Snowden Leaks Aren't What He Intended (KERA News) Edward Snowden's leaks about the NSA's secret surveillance program have pushed the agency to expedite planned reforms ahead of schedule, according to NSA officials. An official assessment of the damage caused by news leaks about government surveillance programs suggests that terrorist groups are changing their communication methods in response to the disclosures, according to officials at the National Security Agency
Close the NSA's Reagan–Era Collection Loophole (Defense One) There are several ways to report on anxiety we ought have about the documents that Edward Snowden leaked and the others that the intelligence community has protectively and proactively disclosed. You can constantly question the National Security Agency's motivations, or assume, a priori, malevolent motivations and then turn your conclusions about those motivations into a catalyst for inducing fear in your audience. Or you can try and identify specific problems, describe their effects, and then propose ways to remedy them
Founder Of Stealthy Security Firm Endgame To Lawmakers: Let U.S. Companies 'Hack Back' (Forbes) Chris Rouland hasn't spoken in public much since he created the secretive cybersecurity contractor known as Endgame five years ago. But he broke his long silence Wednesday to voice a request to lawmakers: Give government agencies and private firms more power to retaliate against those who hack them
What Europe can teach us about keeping the Internet open and free (Washington Post) In a Washington Federal courtroom earlier this month, Verizon squared off against the Federal Communications Commission. At issue was the concept of net neutrality — the notion that all Internet traffic, no matter where it's going or who it came from, should be treated the same. Internet service providers say the rule makes it hard to manage network load at peak hours. Supporters say that if the FCC's net neutrality rule is overturned, it could harm competition and consumer choice online, as companies who cut deals with incumbent broadband providers gain a leg up over those who can't afford to pay their fees
Federal agency charged with security checks has been urged to improve standards (Washington Post) Aaron Alexis, the Navy Yard shooter who had received secret-level security clearance for his work for the military, was one of roughly 2 million individuals whose backgrounds are scrutinized annually by the Office of Personnel Management, which handles security checks for more than 100 federal agencies
Workers at USIS, which vetted Alexis and Snowden, felt pressure to do more, faster (Washington Post) When Ileana Privetera started working for the contractor USIS, the firm that vetted National Security Agency leaker Edward Snowden and Navy Yard shooter Aaron Alexis, it sounded like the perfect job. A mother, she would have flexible hours for her family, and she would be helping the country by running background checks on people who were doing the government's most critical jobs
Litigation, Investigation, and Law Enforcement
More FOIA Requests Made for NSA Computer Exploits Contracts (Softpedia) Where is the NSA shopping for exploits? Last week, we learned that the NSA purchased a 12-month subscription for VUPEN's exploits service. MuckRock, the organization that brought the collaboration between the US government and the controversial security firm to light, has made other similar requests
LinkedIn denies it hacked user accounts (Inquirer) The firm has responded to a class action lawsuit. It said that the accusations are baseless. LinkedIn senior director of litigation Blake Lawit wrote a blog post entitled "Setting the Record Straight on False Accusations"
LinkedIn users sue over service's "hacking" of contacts and spammy ways (Naked Security) Four users have filed a class action lawsuit over the way LinkedIn harvests email addresses without permission and then sends them marketing blurb
Bank robbers pose as IT guys, rig device to slurp £1.3m from Barclays (Naked Security) A gang of eight is now in custody, after one of them pretended to be an IT engineer and hooked a KVM switch onto a bank computer to siphon off the funds
Verizon's lack of transparency 'disappointing', says cyber–rights group (Sydney Morning Herald) A Verizon executive's dismissal of attempts by US technology companies to reveal US government snooping is "disappointing" but not surprising given the
For a complete running list of events, please visit the Event Tracker.
cybergamut Technical Tuesday: Malware Analysis for the Masses (Columbia, Maryland, USA, Sep 17, 2013) With malware becoming more prevalent, and the pool of capable reversers falling short of overall need, there is a greater need to provide quick and efficient malware analysis for network defense. With modern technology and tools, it's now possible for junior security analysts to gather detailed malware indicators to craft defense and alert signatures. More enticing, all of this can be done with free tools and applications, some written by this presenter.
2013 Cyber Security Summit (New York, New York, USA, Sep 25, 2013) The 2013 Cyber Security Summit connects executives responsible for protecting their company's critical infrastructure with innovative product, service and solution providers. The one day event, to be held September 25th at the Hilton in New York City, will showcase the latest tools and resources available to defend against cyber crime on both corporate and government levels. Keynote addresses and interactive panel discussions led by notable security experts will highlight strategic priorities, risk factors, threats and provide inspirational guidance to prepare and protect from attacks.
4th Annual Cybersecurity Summit (Washington, DC, USA, Sep 25, 2013) GEN Keith Alexander, Commander of U.S. Cyber Command, Director of the NSA/Chief, Central Security Service and Dr. Pat Gallagher, Director, NIST are among the distinguished speakers confirmed to keynote at the 4th Annual Cybersecurity Summit on September 25, 2013 at the National Press Club in Washington, D.C. Michael Daniel, White House Cybersecurity Advisor, and Gen. Keith Alexander, Commander U.S. Cyber Command, and Director, NSA, are confirmed to keynote. Cybersecurity topics to be addressed include: the White House Cybersecurity Executive Order, the Cybersecurity Framework and New Emerging Standards for Critical Infrastructure, information sharing, mobile security and BYOD, legislative developments in cybersecurity, big data and cloud cybersecurity, continuous monitoring, cyber situational awareness, and the JIE rollout active defense and cyber warfare. Organized by Billington CyberSecurity™.
Information Security Conference (Charleston, West Virginia, USA, Oct 2, 2013) On October 2, the WVOT Office of Information Security and Controls will be sponsoring a no-charge information and cyber security awareness event at the Charleston Civic Center. The agenda will offer an energizing morning of highly informative sessions. Free posters, calendars, bookmarks, and other security-themed items will be available. The event is open to the public; however, registration priority will be given to public sector officials and employees.
The Monktoberfest (Portland, Maine, USA, Oct 4, 2013) Our speakers will explore how social trends can change the way we build and use technology, and how technology in turn can change the way we socialize.
Suits and Spooks NYC 2013 (New York, New York, Oct 5, 2013) Since the landscape is foggy, the threat actors numerous and hard to identify, and the attacks proliferating on a daily basis, the focus of the next Suits and Spooks conference will be to identify non-state aggressors in cyberspace. About twenty speakers will present briefings over two days on hackers, citizen militias, and other non-state entities operating in the Middle East, China, Russia, Pakistan, India, Iran, Africa, South America, the United States (yes - we have non-gov threat actors domestically), and other parts of the world. One of our panel moderators will be Joel Brenner (former National Counterintelligence Executive at the Office of the Director of National Intelligence and former Senior Counsel at the NSA).
Forensics and Incident Response Summit EU (Prague, Czech Republic, Oct 6 - 13, 2013) The Summit will focus on high quality and extremely relevant content as well as panel discussions in Digital Forensics and Incident Response. In addition, we encourage you to take every opportunity to make the most of this event from attending the Summit to registering for one or more of the post-summit training classes taught by SANS' top-rated instructors and course authors. Additional events such as DFIR Netwars, evening talks and the SANS Community Night will be taking place during that week too. This event promises to bring together the leading minds in digital forensics and incident response in the EU, as well as many other practitioners from a wide cross section of industries and company sizes. You will be able to share with all of them your challenges and find out new solutions that work, techniques and approaches you didn't even know existed.
CyberMaryland 2013 (Baltimore, Maryland, USA, Oct 8 - 9, 2013) Join cybersecurity leaders, luminaries and rising stars at CyberMaryland 2013. This two-day event at the epicenter of the nation's cybersecurity innovation and education, will create opportunities for networking and idea sharing amongst the many cyber leaders and professionals across the country, including: federal, state and local government agencies, academic institutions, cybersecurity entrepreneurs, and industry leaders of research and development. CyberMaryland 2013 will address the biggest challenges facing America, including future innovation to meet the security challenges facing our country; collaboration across industry, government and educational institutions; and the development of a generation of cyber-warriors. Surrounding all of these issues is a constantly evolving business framework to provide efficient and effective solutions in a time frame that anticipates and mitigates current and future threats.
2013 Maryland Cyber Challenge (Baltimore, Maryland, USA, Oct 8 - 9, 2013) Held in conjunction with Cyber Maryland and intended to let students and young professionals showcase their cybersecurity skills, Maryland Cyber Challenge offers competition in three divisions: high school, college, and professional. Orientation sessions for teams in each of three divisions -- high school, collegiate and industry and government professionals -- will be held at UMBC in July and August. Two qualifying rounds will be conducted online using SAIC's Cyber Network Exercise System.
AFCEA Hill AFB Technology & Cyber Security Expo (Ogden, Utah, USA, Oct 9, 2013) The purpose of this first-time event is to allow base personnel the opportunity to learn about the latest computer security trends, network with peers, share remediation strategies and to view and demo some of the latest cyber security and information technology products/services available today.
International Conference on Cyber–Enabled Distributed Computing and Knowledge Discovery (Shanghai, China, Oct 10 - 12, 2013) The International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery promotes research and development of cyber-related technology. It is unique and significant in that it spans cyber-enabled data mining and knowledge discovery, distributed and parallel computing, cyber security, cloud computing, pervasive computing, mobile computing, Internet, wireless networks, cognitive systems, cyber information process, information discovery, e-health via cyber network, e-science, web technology, and network performance and tools. The research and development in these areas have received extensive attention in both academia and industry to provide ubiquitous services for users. Various hardware and software designs, algorithms, protocols, simulations, test-beds, and implementations are developed for distributed computing in an interconnected and distributed network environment. The purpose of CyberC is to provide a forum for presentation and discussion of innovative ideas, research results, applications and experience from around the world as well as highlight activities in the related areas.
VizSec 2013 (Atlanta, Georgia, USA, Oct 14, 2013) VizSec brings together researchers and practitioners in information visualization and security to address the specific needs of the cyber security community through new and insightful visualization techniques.
Hack-in-the-Box Security Conference 2013 (Kuala Lumpur, Malaysia, Oct 14 - 17, 2013) The 11th annual HITB Security Conference (16th/17th October) will be a triple track offering featuring keynotes by Andy Ellis, Chief Security Officer at Akamai and Joe Sullivan, Chief Security Officer at Facebook. This year's event also features all new 2-day training courses (14th/15th October) on a wide variety of topics including Android exploitation, extreme web hacking, infrastructure security, exploiting injection flaws and a special iOS security course by the world famous Evad3rs team. The full speaker list and conference agenda will be released after the Call for Papers closes on the 25th of July.
USDA Cyber Security Symposium and Expo 2013 (Washington, DC, USA, Oct 15, 2013) The Cybersecurity Expo, running in conjunction with the Summit, will allow exhibitors the opportunity to provide live demos and share information with government personnel and industry partners. Summit topics will focus on today's vulnerabilities, incidents, security lifecycle, risks and mitigations; it will also identify ways to work together and build a solid security foundation program to meet future challenges and trends in cyber security.
SNW Fall 2013 (Long Beach, California, USA, Oct 15 - 17, 2013) SNW is the world's largest independently produced conference series focused on the evolution of architecture for a new world of mobility, Big Data and business agility. Produced by Computerworld -- and co-owned by Computerworld and the Storage Networking Industry Association (SNIA) -- SNW remains unbiased and vendor agnostic. Unlike events focused on a specific vendor agenda and product portfolio, SNW provides a forum of open thought leadership and practical education that defines the spectrum of storage, data and infrastructure solutions available to a highly qualified audience of enterprise technology decision-makers.
Hexis Exchange (Athens, Greece, Oct 16 - 17, 2013) Attendees will have the opportunity to participate in a knowledge exchange of the latest enterprise security topics through expert led business and technology forums, hands-on sessions, and training. Such topics will include: emerging cybersecurity threats, big data management, advanced analytics, government regulation & compliance, and data retention challenges & solutions.
Cybersecurity Symposium: "Protect. Defend. Educate." (Linthicum, Maryland, USA, Oct 16 - 17, 2013) The Cybersecurity Symposium being held October 16-17, 2013, will deliver first-class training for government and industry security professionals while simultaneously offering high-level keynote speakers, essential networking opportunities, and an informative technology exposition. The Symposium sessions will have a special emphasis on security challenges facing today's security professionals and cyber awareness training for security professionals responsible for protecting sensitive and classified information from the ever increasing threats of mobile devices, espionage, terrorism, and cyber-attacks to ensure our national security. Register by August 31 to ensure the reduced early bird registration fee. This event is free for government employees and active-duty military personnel. Exhibit space and sponsorship opportunities are also available.
Nuclear Regulatory Commission Cyber Security Conference & Expo (Rockville, Maryland, USA, Oct 17, 2013) This one-day conference will consist of cyber sessions in the NRC Auditorium given by government and industry speakers. Exhibit tables will be set-up just outside the Auditorium and companies will have the opportunity to demo their latest technologies to NRC's IT personnel.
13th Industrial Control Systems Cyber Security Conference (Atlanta, Georgia, USA, Oct 21 - 22, 2013) Industrial Control Systems (ICS) operate the infrastructures of electric power, water, chemicals, manufacturing, transportation, defense, etc. and link the digital and physical worlds. Their cyber security presents challenges that are distinct from securing traditional IT systems. The conference is attended by control & operations engineers and their IT counterparts from critical infrastructure industries, by ICS and security vendors, and by universities. Run under the Chatham House rules of confidentiality, the conference discusses ICS cyber incident case studies, provides regulatory updates, discusses solutions in the form of policies and procedures, presents demonstrations of hacking ICS and ICS protocols, and provides a status of ICS security solution field demonstrations.
Cloud Connect (Chicago, Illinois, USA, Oct 21 - 23, 2013) Cloud Connect returns to Chicago October 21-23, 2013 with an all new program built around the leading cloud platforms. Cloud Connect provides the independent guidance IT professionals need to successfully build, operate and manage the cloud, and the tools to measure application performance and business metrics.
cybergamut Technical Tuesday: Cyber Security Strategy — Why We're Losing and What's Needed to Win (Columbia, Maryland, USA, Oct 22, 2013) Steve Chabinsky of CrowdStrike explains the situation. Everybody seems to be spending more on cybersecurity, but with questionable return on investment. In fact, the problem clearly is getting worse, and current strategies show no indication of reversing that trend. This non-technical presentation explores the typical cyber risk environment, considers the proper balance and likely effectiveness of threat deterrence, vulnerability mitigation, and consequence management to reduce cyber risk, and examines the current and evolving roles of government agencies and the private sector in addressing the problem. Backed by powerful, real-world examples of threat actor tactics, this presentation will help managers develop a better understanding of how their current security approach is most likely to succeed or fail over time, and what strategies are the most likely to shift the advantage to the good guys. cybergamut is co-hosting this event with the Maryland Chapter of InfraGard.
Cyber Security Seminar and IT Expo at Peterson AFB (Colorado Springs, Colorado, USA, Oct 22, 2013) The Cyber Security Seminar and IT Expo is a one-day event held on-site where industry vendors will have the opportunity to display their products to personnel attending briefings concerning the latest updates in Cyber Security Awareness. This is an excellent and unique opportunity to meet IT personnel from USNORTHCOM, NORAD, Army Space Command, USSPACECOM, and the 21st Space Wing all in one day.
Joint Federal Cyber Summit 2013 (Washington, DC, USA, Oct 23 - 24, 2013) This collaborative government-wide event is truly one of a kind, with speakers and attendees anticipated to represent more than 10 federal government agencies. Information sharing will be accomplished through keynote speakers on both days, along with numerous targeted breakout sessions (including a session with a federal CISSO panel), hands-on live demonstrations, and industry exhibits.
2013 ACT–IAC Executive Leadership Conference (Williamsburg, Virginia, USA, Oct 27 - 29, 2013) Advances in technology and massive increases in data available can both challenge and transform Government mission performance. ELC-2013 focuses on how to make this transformation a reality, in and for agencies. We will hear from nationally prominent speakers and work across government and industry to learn new ideas and techniques. Four mission-oriented tracks will focus on initiatives for driving results using data and the "Innovate, Deliver, Protect and Analyze" paradigm that is at the heart of the Government's strategic vision.
SAP NS2: National Security Solutions Summit (Falls Church, Virginia, USA, Oct 29, 2013) Join us for a day of learning and networking focused on how to advance U.S. national security and homeland security through I.T. innovation. Top-notch speakers will address the new challenges facing U.S. national security and critical infrastructure -- as well as powerful, affordable technologies that are available today to tackle those challenges while saving money and simplifying operations. Learn how your organization can run faster, smarter, leaner in the most secure environments -- with world-class, breakthrough solutions that are bold alternatives to business as usual.
Regional Cyber Security Forum & IT Day (CSFI) — Hawaii (Honolulu, Hawai'i, USA, Oct 30, 2013) 2013 marks the 10th anniversary of National Cyber Security Awareness Month and FBC will host the 1st Annual Cyber Security Forum & IT Day (CSFI) at Fort Shafter - Club Hale Ikena to coincide with the anniversary, and activities surrounding this month. The goal of CSFI is to raise cyber security awareness, and to promote best practices in cyber while allowing DoD personnel and industry partners the opportunity to share the most up to date remediation strategies. The event will feature four educational cyber sessions to go along with an exhibit hall.
NSA Hawaii — Cyber Security, Intelligence & IT Day (Honolulu, Hawai'i, USA, Oct 30, 2013) Be a part of the 1st Annual Cyber Security, Intelligence and IT Day set to take place at the new National Security Agency (NSA) Hawaii Rochefort facility. The event will be hosted by NS/CCS Hawaii Technology Directorate and will focus on Cyber Security, Big Data and Cloud Computing. There are other areas of interest listed below as well. This is an extremely unique opportunity to network with NSA personnel in Hawaii at their location. Educational sessions will be provided to attendees to coincide with government and industry exhibits.