The CyberWire Daily Briefing for 9.24.2013
India's Telecom and IT Minister dismisses Snowden-derived allegations that Indian domestic communications were subject to US surveillance. De Standaard reports background to alleged GCHQ hack of Belgacom.
Compromised media sites in Japan continue to lead victims to watering holes distributing DeputyDog malware.
Some early-stage Python source code for a Bing-based SQL injection attack has been observed. Elsewhere, large-scale phishing campaigns continue: FDIC-themed emails are directing victims to malware-dropping URLs, and fake DivX plug-ins direct those in search of "funny videos" to malware disguised as image files. Apple accounts are increasingly attractive targets for scammers.
An unofficial Android iMessage app routes the traffic of its unwary customers through Chinese servers, the thought of which ought to make the unwary warier.
Schneider Electric fixes a lingering issue with hard-coded credentials in its industrial control system products' firmware.
Attacks on critical infrastructure, particularly energy infrastructure, are up. This trend leads analysts to revisit last year's Saudi Aramco hack for lessons learned.
In industry news, BlackBerry halted trading yesterday, then announced its intention to be acquired by Fairfax Financial for $4.7 billion. Observers claim BlackBerry, once worth $83 billion, suffered in a technologically mature market where disruptive innovation had become difficult. (FireEye's shiny IPO presents a striking contrast with BlackBerry's low-ball acquisition.)
More concerns over hardware supply chain security surface. Steganography makes its periodic reappearance as an approach to communication security.
US Senators continue bipartisan woofing at NSA. China unblocks online media in its Shanghai free-trade zone. US FDA won't regulate most medical IT.
Today's issue includes events affecting Belgium, Brazil, Canada, China, European Union, Germany, India, Japan, Kenya, South Africa, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Edward Snowden NSA Scandal: 'Agency Might Have Accessed Domestic Networks of Indian Carriers' (International Business Times) The US National Security Agency is likely to have accessed the domestic networks of Indian mobile operators, as it received about 6.2 billion bits of metadata through its Boundless Informant programme in one month, according to a newspaper report
Belgacom—On the brink of catastrophe (De Standaard via Matthijs R. Koot) Here is a careful English translation of this original article by Peter De Lobel and Nikolas Vanhecke in Belgian newspaper De Standaard. Hyperlinks and parts in  are mine. ON THE BRINK OF CATASTROPHE (2013-09-21) Ping. It's Friday the 13th. Around 11 o'clock in the morning, the IT consultants that Belgacom employs at its largest customers in the private and public sector receive a message. The message doesn't say much, except for an urgent request to cancel all appointments of that forenoon. An "emergency conference call" will take place instead
Compromised Japanese Media Sites Serving Exploits for Latest IE Zero Day (Threatpost) The latest Internet Explorer zero day is being used in a watering hole attack where local media sites in Japan have been compromised and serving exploits. The targets are government, high tech and manufacturing workers
Attacks Using Microsoft IE Exploit Tied to Hacking Crew Linked to Bit9 Breach (SecurityWeek) Security researchers at FireEye have observed a campaign targeting organizations in Japan that is leveraging the Internet Explorer zero–day Microsoft warned users about last week. The campaign has been dubbed 'Operation DeputyDog', and is believed to have begun as early as August 19. According to FireEye, the attackers behind the operation may be the same ones involved in last year's attack on Bit9 — a group researchers at Symantec recently identified as a hacking crew called Hidden Lynx
Hackers leveraging IE zero–day used watering hole attacks to compromise users (SC Magazine) Hackers booby trapped popular websites in Japan to exploit a zero-day flaw in Internet Explorer, researchers found. According to FireEye, the targeted attacks prompted Microsoft's warning to users last week: that an unpatched vulnerability in IE (CVE-2013-3893) was being exploited by saboteurs
Unpatched Internet Explorer vulnerability details emerge (ZDNet) The same gang that compromised whitelisting security vendor Bit9 many months ago appears responsible for a targeted campaign in Japan using an unexploited vulnerability in Internet Explorer. We know a lot more about the unpatched vulnerability in Internet Explorer that Microsoft announced last week. Microsoft released a great deal of technical detail on it, and now network security firm FireEye has details on the targeted attacks that employed it
Cybercriminals experiment with Android compatible, Python-based SQL injecting releases (Webroot Threat Blog) Throughout the years, cybercriminals have been perfecting the process of automatically abusing Web application vulnerabilities to achieve their fraudulent and malicious objectives. From the utilization of botnets and search engines to perform active reconnaissance, the general availability of DIY mass SQL injecting tools as well as proprietary malicious script injecting exploitation platforms, the results have been evident ever since in the form of tens of thousands of affected Web sites on a daily basis. We've recently spotted a publicly released, early stage Python source code for a Bing based SQL injection scanner based on Bing "dorks". What's the potential of this tool to
"FDIC: Your business account" themed emails serve client–side exploits and malware (Webroot Threat Blog) Cybercriminals are mass mailing tens of thousands of malicious Federal Deposit Insurance Corporation (FDIC) themed emails, in an attempt to trick users into clicking on the client-side exploits serving and malware dropping URLs found in the bogus emails. Let's dissect the campaign, expose the portfolio of malicious domains using it, provide MD5s for a sample exploit and the dropped malware, as well as connect the campaign with previously launched already profiled malicious campaigns
Fake DivX Plugin Leads to Malware Disguised as Image File (Softpedia) In case you're looking for funny videos online, beware of websites that urge you to install a DivX plugin. Experts have found a scam that uses this trick to distribute malware. According to ThreatTrack Security researchers, when users visit the shady video websites, they're informed that the DivX plugin is missing
Apple's a tasty phishing target for scammers (PC World) Spam volumes took a usual seasonal drop in August, but phishing spiked, including a noticeable interest in hijacking Apple accounts. Spam averaged 67.6 percent of all emails in August, down 3.6 percentage points compared to July, wrote Kaspersky Lab analysts Tatyana Shcherbakova and Maria Vergelis in a blog post. But 5.6 percent of those spam emails contained malicious attachments, an increase of 3.4 percentage points over a month prior
A Weird Twitter Bug Is Screwing Up The Internet (Business Insider) There's a weird bug making its way around the Internet that automatically downloads a torrent file of Twitter's "Tweet" button when visiting certain websites. You may have seen it on sites like TechCrunch and Business Insider
German hackers crack Apple fingerprint technology (CSO) It didn't take long for the hacking community to crack Apple's fingerprint recognition system, Touch ID. A German hacking group, Chaos Community Club, announced that they'd managed to fool the fingerprint scanner in the iPhone 5S with techniques generally used to defeat similar technologies in the market
Why I Hacked Apple's TouchID, And Still Think It Is Awesome. (Lookout) By now, the news is out —TouchID was hacked. In truth, none of us really expected otherwise. Fingerprint biometrics use a security credential that gets left behind everywhere you go on everything you touch
Security Concerns Abound Over Unofficial Android iMessage App That Uses Chinese Servers To Process Data (TechCrunch) An unauthorised app that lets Android users chat on Apple's closed iMessage network is causing a big stir. It's had viral downloads in the tens of thousands amid claims that it could be spreading malware; but the Chinese developer who developed the app tells us everything is cool
iMessage for Android. Be careful what you trust! (Graham Cluley) A new app, which claims to bring Apple's proprietary iMessage chat service to Android users, is raising concerns. The free app, called iMessage Chat, is available in Google's official Android Play store, and appears to allow Android users to instant message with their iPhone/iPad/Mac-owning buddies
A short overview of Android banking malware (Help Net Security) As more and more people use their mobile phones to do their online banking, money transfers, and so on, cyber crooks wielding banking malware are increasingly turning to targeting mobile users. "Banking Trojans on mobile were largely successful targeting older generation operating systems like J2ME and Blackberry, but haven't made the headway they'd probably like to on Android and iOS," says Malwarebytes' Armando Orozco
Columbia University Medical Center Admits Data Breach (eSecurity Planet) Columbia University Medical Center (CUMC) recently began notifying 407 medical students that their names and Social Security numbers had been inadvertently released to Columbia students, faculty and staff by e-mail
Security Patches, Mitigations, and Software Updates
Fandroids at pranksters' mercy: Android remote password reset now live (Register) Google says 'don't be evil', but it never said we couldn't be mischievous. Android users can now lock their handsets from afar as Google enables what looks like the perfect feature for office pranksters
ICS Vendor Fixes Hard-Coded Credential Bugs Nearly Two Years After Advisory (Threatpost) Nearly two years after a security researcher published details of the hard-coded credentials that ship with a slew of industrial control system products made by Schneider Electric, the company has released updated firmware that fix the problems. The vulnerabilities, which were discovered by researcher Ruben Santamarta and published in December 2011, affect dozens of products
Google to Block Many Plug-Ins Starting in 2014 (Threatpost) Google is planning major changes in the way that Chrome handles many plug-ins. Beginning early next year, Chrome will no longer support the old Netscape Plug-In API and will block plug-ins that use it. Eventually, that will mean that some plug-ins such as Google Earth, Microsoft Silverlight and others eventually will be blocked by
Apache Upgrade Repairs Struts, Fixes Two Vulnerabilities (Threatpost) Developers behind the Apache Struts framework have released an update that fixes two vulnerabilities. Creators of the open-source web application framework are encouraging users to upgrade to Struts 220.127.116.11 immediately
It's time for Microsoft Lifecycles to enter Internet Time (ZDNet) The problems in this month's Patch Tuesday updates are likely related to the huge variety of complex products Microsoft supports. Microsoft can only make things better by making upgrades an easier sell for enterprises
Destructive Attacks On Oil And Gas Industry A Wake-Up Call (Dark Reading) Some 30,000 or so hard drives were scrapped and replaced with new ones last year on Saudi Aramco's internal corporate network after a massive cyberattack destroyed data on the oil and natural gas company's Windows machines. While the massive attack didn't directly affect Saudi Aramco's oil production and exploration systems, it raised the stakes for the increasingly targeted oil and gas industry and also raised concerns of possible market fallout from such attacks.
Critical infrastructure risks still high (CSO) Attacks are up, sharply, and experts say some utilities may not even know they've been compromised. Cyber attacks on the nation's critical infrastructure (CI) are up — way up, particularly in the energy sector. The Department of Homeland Security's (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reported earlier this year that there were a third more cyber incidents (111) reported by the energy sector in the six-month reporting period ending in May than in the previous 12 months (81)
Tech Companies Preparing for When, Not If, Cyber Attacks Occur: Survey (SecurityWeek) According to the results of a survey conducted by Silicon Valley Bank, the majority of technology and healthcare companies view cyber security as a serious threat to both their data and business continuity, and just over one-third are completely confident in the security of their information in a survey of more than 200 technology company executives
Three Top Cybersecurity Risks for Banks (American Banker) Cyber threats are increasing at a rapid rate and banks are going to have to work quickly — and spend significant resources — to keep pace, according to two top banking regulators dealing with the issue
Cyber crime becomes prominent in SA (ITWeb) The surge in volumes of mobile devices in SA has meant increasing numbers of South Africans are enjoying wider access to the Internet. But it also places consumers at greater risk of becoming potential victims of financial scams. This is according to Kevin Hurwitz, CEO at Wonga.com SA, who says cyber crime is becoming an increasing problem globally, and is becoming more prominent in SA as more people become connected
"Watering holes" join Java as a major threat to corporate security, says F-Secure (ZDNet) What are today's main malware threats across PCs and mobiles? F–Secure has just released its Threat Report for the first half of 2013
UMBC cyber incubator expansion attracts regional entrepreneurs (BizJournals) "We're getting more and more inquiries and tenants from out of state," says Ellen J. Hemmerly, executive director of bwtech@UMBC Research and Technology Park. How can you tell Maryland is becoming a hotbed for cyber security business? Ellen J. Hemmerly said it's obvious from the companies looking into University of Maryland, Baltimore County's technology incubator
SEC Allows General Solicitation, Effective Today: What Changed And What To Watch Out For (TechCrunch) Today, the U.S. Securities Exchange Commission's final rules allowing general solicitation went into effect. In the fundraising context, general solicitation means publicly advertising the fact that you're raising money. Previously, this was a big no-no
KEYW Announces Award of New Air Force and Navy Contracts (MarketWatch) KEYW Corporation announced today it has received several new contracts in the Sensors and Processing Systems Division of its Government Products Sector. These awards expand its technology portfolio of airborne ISR and mapping capabilities with automated processing, exploitation, and dissemination for the Warfighter and the Intelligence Community
Blackberry in $4.7bn takeover deal with Fairfax (BBC News) Struggling smartphone maker Blackberry has agreed in principle to be bought by a consortium led by Fairfax Financial for $4.7bn
BlackBerry Signs Letter Of Intent To Go Private For $9 Per Share In Deal Valued At $4.7 Billion (TechCrunch) Today BlackBerry announced a $9 per share offer for its outstanding stock, a deal worth around $4.7 billion. The $9 per share price is a slight premium over its current stock price, which traded at $8.23 before it was halted pending the news
Cheat sheet: Here are the bits of BlackBerry investors want to flip for a profit (Quartz) Unless another buyer is found, BlackBerry is going to sell itself to Fairfax Financial, which already owns 10% of the company, with backing by Bank of America Merrill Lynch and BMO Capital Markets, the company just announced. The price? $4.7 billion, which is in line with previous estimates for the value of BlackBerry. But what exactly does that money get BlackBerry's buyers
BlackBerry's Descent Begets Cheapest Tech Deal: Real M&A (Bloomberg) BlackBerry Ltd., once valued at $83 billion, may be stuck with the cheapest valuation ever for a North American technology or telecommunications takeover
Z10: The phone that sank a company (FierceMobileIT) BlackBerry (NASDAQ: BBRY) bet that the slick new all-touch Z10 would become the firm's new flagship smartphone, giving it the edge to regain its position in the consumer smartphone market lost to Apple (NASDAQ: AAPL) and Samsung
BlackBerry Never Had a Chance: Mobile Innovation Is Over (Wired) Could it be that the end of BlackBerry isn't just about the end of BlackBerry, but the end of anything radically different in mobile, period
FireEye: No Great Investment At First Look (Seeking Alpha) FireEye (FEYE) made its public debut on Friday, September 20th. Shares of the virtual machine based security platform ended their first day with gains of 80% at $36.00 per share. Given the insane momentum following the public offering, the valuation has gone stratospheric, based on price/sales multiples. While growth is spectacular, it is already slowing down as operating spending has gone out of control. I remain on the sidelines with a slightly bearish stance
SAIC executive preparing to take the reins (Washington Post) As McLean-based Science Applications International Corp. prepares for its split into two public companies this week, Tony Moraco is readying for his first opportunity at the chief executive spot
Insider Selling: Charles Constanti Sells 2,500 Shares of Procera Networks Stock (PKT) (WKRB) Procera Networks (NYSE:PKT) CFO Charles Constanti sold 2,500 shares of the stock in a transaction dated Friday, September 20th. The stock was sold at an average price of $15.02, for a total value of $37,550.00. Following the transaction, the chief financial officer now directly owns 35,300 shares in the company, valued at approximately $530,206. The transaction was disclosed in a document filed with the SEC, which is available at this link
Symantec promotes former Morse man for EMEA channel push (CRN) Former Morse exec Mark Nutt has been promoted by Symantec to vice president of EMEA partner management as the vendor looks to grow its footprint further in the region
Products, Services, and Solutions
Wave Cloud Adds Encryption Management Support for FileVault and BitLocker (SecurityWeek) Wave Systems launched Wave Cloud 2014 this week, the newest release of its cloud–based service for endpoint encryption management. Wave Cloud 2014 now enables enterprises to manage self–encrypting drives (SEDs), along with Windows BitLocker and Apple's FileVault management, all in the cloud and through a single console
Linux rootkit detector adds hardware punch to security scanning (GCN) Sometimes even the most robust software-based security is vulnerable to rootkit infection. The stealthy programs can get into the heart of a computer, gaining control for malicious purposes, and sometimes remain hidden while doing so. Software monitoring is at a disadvantage because it too can become a target of the malware. It's kind of like hunting sharks while swimming through the same water. You might find the shark, but you might get bitten, too
Adding An Eye–Tracker To An Android (IEEE Spectrum) Last April Denmark-based start-up The Eye Tribe demonstrated prototype eye-tracking technology for mobile devices. Its system bounces infrared light off the user's pupils; that's not particularly new; The Eye Tribe's twist is using existing processors in a device to process the tracking data
Deep Security and SecureCloud ready to secure traditional and cloud-era workloads on Citrix CloudPlatform 4.2 (Trend Micro Simply Security) Here at Trend Micro we take great pride in our industry partnerships. We've been able over the years to team up with some of the world's leading IT vendors to build out truly transformative and impactful solutions. Citrix is one of our most trusted partners - a company whose virtualization and cloud solutions perfectly intersect with Trend Micro's ongoing mission to secure our customers' journey to the cloud
Security updates could slow Navy's computer network (Navy Times) Sailors who have suffered through recent slow connectivity or limited access to parts of the Navy's computer network should know the Navy's top cyberwarriors are aware of the problem. In fact, they've caused it. On purpose
Protect Electronic Devices with Secure Authenticator's Strong Symmetric–Key Cryptography (Wall Street Journal) Designers can better protect their IP using the DeepCover Secure Authenticator (DS28C22) from Maxim Integrated Products, Inc. (NASDAQ: MXIM). The DS28C22 is a highly secure cryptographic solution for a host controller to authenticate peripherals or embedded designs, and it offers encrypted communication as an added benefit
Teen privacy "eviscerated" by planned Facebook changes (Naked Security) A coalition of US groups that advocate for teenagers is crying foul over proposed changes to Facebook policy that would rubber-stamp the use of teenagers' names, images and personal information to endorse products in advertisements
Cisco enhances safety and security solutions (Help Net Security) Cisco announced enhancements to its portfolio of safety and security solutions with video surveillance architectures and new Internet of Things (IoT) enabled solutions that ease management of millions of connected cameras and devices
Investigating the security of the Firefox OS (Help Net Security) Firefox OS is Mozilla's foray into the mobile operating system field and promises a more adaptive mobile OS. But as mobile threats, in particular in the Android platform, have gained momentum, the question in everyone's mind is — how safe is it
HP unveils new family of next-generation firewall appliances (Help Net Security) HP unveiled its new family of HP TippingPoint Next-Generation Firewall (NGFW) appliances to further protect customers from threats introduced by mobile and cloud computing
Strange but true: Companies say stop using our security products, cops say use iOS 7 (ComputerWorld) Today's strange but true security news includes security companies warning customers to stop using their security products and cops handing out flyers about iOS security upgrades
Kvasir: Penetration Data Management for Metasploit and Nexpose (Security Street) Data management is half the battle for penetration testing, especially when you're auditing large networks. As a penetration tester with Cisco's Advanced Services, I've created a new open source tool called Kvasir that integrates with Metasploit Pro, Nexpose, and a bunch of other tools I use regularly to aggregate and manage the data I need. In this blog post, I'd like to give you a quick intro what Kvasir does - and to invite you to use it with Metasploit Pro
Technologies, Techniques, and Standards
The unreal deal: How to ID phony phones, counterfeit CPUs, and other tech traps (PC World) Counterfeit tech carries significantly higher consequences than a fake Rolex or a hastily copied handbag. Hapless individuals and business owners can find themselves stuck with tens of thousands of dollars of useless fakes pawned off as the real thing. A phony app masquerading as the real deal can infect your business's devices with malware, opening the door for even more damage. And at the very worst, counterfeit products have been implicated in serious injuries and even deaths, such as when poorly made fake power adapters electrocuted several iPhone users
Why hacking the iPhone 5s fingerprint reader is no big deal (InfoWorld) Biometric solutions can't match simpler forms of authentication — and they're not intended to, despite the iPhone 5s hype
Penetration Testing For Beginners (Dark Reading) As experienced networking professionals with beginner security skills seek to dip their toes in the waters of penetration testing, step one is to look at their network infrastructures through the eyes of an attacker
Lack of Security Expertise? App–Analysis Services Could Help (Dark Reading) For companies developing their own in-house applications or Web services, vulnerabilities need to be found and fixed before deploying code — or firms risk a breach. In 2012, for example, poor input validation for databases put SQL injection on top of the short list of vulnerability-related attacks, with the three largest breaches compromising nearly 20 million records, according to the State of Software Security Report released annually by application-security firm Veracode. While the tools are available to solve the problems, developers are still focused on features over security
4 New Ways to Smuggle Messages Across the Internet (IEEE Spectrum) SkyDe, StegTorrent, StegSuggest, and WiPad make hiding messages in plain sight—steganography—untraceable
How do you spell "PSK"? (Internet Storm Center) In my line of work, there are a lot of uses for a random string of text. Things like: VPN Preshared Keys, RADIUS or TACACS "shared secrets," Windows Service Account Passwords, [and] Administrative accounts (Windows local or domain Administrator, in some cases root in *nix). You get the picture. Strings that you need to key once, or once per instance. In most cases, these are strings that after creation, you don't necessarily need to know what they are, you just need to know how to change them
Encryption is still the best defense, despite NSA code–cracking (ComputerWorld) Though the National Security Agency spends billions of dollars to crack encryption codes, security experts maintain that, properly implemented, encryption is still the best way to secure data. Citing documents leaked by former NSA contract employee Edward Snowden, U.K. newspaper The Guardian and other media outlets have reported that the NSA and its British counterpart, the GCHQ, have cracked encryption algorithms that are widely used to protect online communications, banking and medical records, and corporate data
Banks Plan National Cyber–Attack Drill (Bank Info Security) More than 1,000 banks will test their incident response strategies by participating in a simulated cyber-attack exercise. SWACHA's Dennis Simmons says the drill, which is open to more participants, will help bolster defenses
Nfsight with Nfdump and Nfsen (Toolsmith) I've been spending a fair bit of time reading, studying, writing, and presenting as part of officer candidate training in the Washington State Guard. When I'm pinned I may be one of the oldest 2nd lieutenants you've ever imagined (most of my contemporaries are Lieutenant Colonels and Colonels), but I will have learned beyond measure. As much of our last drill weekend was spent immersed in Army operations, I've become quite familiar with Army Field Manuals 5–0 The Operations Process and 1–02 Operational Terms and Graphics. Chapter 2 of FM 1-02, Section 1 includes acronyms and abbreviations, and it was there I spotted it, the acronym for command, control, and communications countermeasures: C3CM. This gem is just ripe for use in the cybersecurity realm, and I intend to be the first to do so at length. C2 analysis may be good enough for most, but I say let's go next level. Initially, C3CM was most often intended to wreck the command and control of enemy air defense networks, a very specific Air Force mission. Apply that mind–set in the context of combating bots and APTs and you're onboard. Our version of C3CM, therefore, is to identify, interrupt, and counter the command, control, and communications capabilities of our digital assailants
BroIDS with Logstash and Kibana (Toolsmith) In Part 1 of our C3CM discussion we established that, when applied to the practice of combating bots and APTs, C3CM can be utilized to identify, interrupt, and counter the command, control, and communications capabilities of our digital assailants
Preparing for Notorious Cyber Attack Dates: Five Steps to Secure Your Network (IT Business Edge) Several dates throughout the year are notorious for wreaking havoc on businesses via denial of service (DoS) attacks, data breaches and even malware or botnet assaults. As anniversaries such as September 11th near, rumors about coordinated cyber attacks on American websites increase. Because of these potential risks, it's imperative that businesses tighten their network security measures in order to protect themselves from potential intrusion or disruption, which can result in profit-loss and tarnished user confidence
Is your status update also a red flag for danger? (Help Net Security) In this digital age when our whole lives are online, it is no surprise that security has become an increasing concern of many. Whilst you're busy worrying about your privacy settings on Facebook and whether your boss is able to see your status updates, there are more pressing issues at hand. Your social media profile that you so religiously update daily with your latest purchases and your check-ins to fancy restaurants makes you a perfect target for cyber criminals
Securely Configuring a Wireless Router (Kaspersky Lab Daily) That wireless router in your living room is essentially the hub for your entire home network. Nearly all of your devices are going to route through it and into your modem in order to connect to the Internet. If you don't secure the router properly, then all the things that connect wirelessly to it are potentially vulnerable to attack
How to protect corporate data from angry ex–employees (NetworkWorld) Surveys show companies lose millions due to hacks by disgruntled former workers. The vast majority of employees who leave a company are honest, upstanding corporate citizens. But you never know when someone might leave on bad terms and then attempt to hack back into your corporate systems
How to register more than five fingerprints on the iPhone 5s (IT World) Here's a cool trick to register as many fingerprints as you want on the new iPhone 5s' Touch ID
(ISC)² Congress Addresses Security's People Problems (Dark Reading) There are many conferences and get-togethers around cybersecurity every year, but only a few would be considered "mandatory" by the whole community of security professionals. The RSA Conference, held each year in San Francisco, offers the industry's biggest exhibit floor and a chance to see security products in action. Black Hat USA, held annually in Las Vegas, is where the smartest and best security researchers come to reveal vulnerabilities and share knowledge on potential threats
Get to the Point! Questions You Should Ask Every Security Vendor (SecurityWeek) Here's a concept that may help security vendors shorten sales cycles and gain a more captive and receptive audience amongst prospective buyers - Get to the point. The process of talking in circles and using buzz words and jargon such as "operational efficiency" and "increased functionality" is not a new phenomenon in the world of technology, but it does seem to be on the rise in the security industry
Research and Development
U.S. Government Grants More Money to Lock Down Cybersecurity in Energy (Automation World) The Department of Energy has announced 11 new grants totaling more than $30 million to develop technology to help the energy sector enhance its cybersecurity
Student Monitoring: Where Does Safety Begin and Privacy End? (McAfee) In an effort to curb cyber bullying, suicide, and obscenities online, a California school district has hired a company to monitor students' social media posts. According to national news reports, the company, Geo Listening, will be monitoring student accounts that are already public on popular teen sites such as Facebook, Instagram, Ask.fm, Vine, Flickr, and Twitter
SafeGov Calls for Greater Controls Over the Use of Google Services in European Schools (InfoSecurity Magazine) The low cost of Chromebooks coupled with the 'free' use of Google Apps and their in-built capacity for collaborative work threatens to revolutionize computing in schools. But SafeGov is warning that it may come at the unacceptable cost of the privacy of a vulnerable section of society: schoolchildren
Legislation, Policy, and Regulation
Democratic, GOP senators seek inspector general review of NSA surveillance (Washington Post) A bipartisan group of senators is calling for the inspector general of the intelligence community to do a comprehensive review of spying by the National Security Agency. Nine members of the Judiciary Committee, led by Chairman Patrick Leahy and top Republican Charles Grassley, sent a letter Monday to the inspector general seeking a review of two programs collecting data on telephone and Internet usage. The programs were authorized under the U.S. Foreign Intelligence Surveillance Act and the USA Patriot Act
Baker on Cybersecurity Post–Snowden (Lawfare) James A. Baker, who for a long time ran the Office of Intelligence Policy Review in DOJ (which focused on FISA), and more recently worked in the Deputy Attorney General's Office on cyber issues, gave a Constitution Day address at Dickinson College. The speech is about "national security and the Constitution as it relates to the collection of intelligence information for cyber-security purposes" - a topic that, as he notes, "has received far too little attention in the recent debates about government surveillance post-Edward Snowden." I highly recommend that anyone interested in surveillance reform or cybersecurity read this speech
The NSA's actions create distrust (SC Magazine) Over the past few weeks, we've seen news coming out of the Edward Snowden leaks that we've been able to either shrug off or become perturbed by, depending on the details of each leak. But this past week, new information was revealed regarding a serious violation of trust. This time, reactions from security professionals are anything but middle of the road. ProPublica and The Guardian have reported that the National Security Agency (NSA) used its influence among U.S. and international standards bodies to create a purposefully weak encryption standard that it could compromise as needed. You read that right
Indigenous European cloud needed to defeat NSA surveillance, says report (FierceGovIT) A report commissioned by the European Parliament urges the European Union to encourage development of local cloud computing capacity based on open source software as a way of safeguarding against U.S. intelligence community surveillance
Bruce Schneier: NSA Spying Is Making Us Less Safe (MIT Technology Review) The security researcher Bruce Schneier, who is now helping the Guardian newspaper review Snowden documents, suggests that more revelations are on the way
Offensive Cyber Capabilities at the Operational Level (CSIS) At present, the defense policy landscape is replete with arguments, many of which are ultimately based in the lack of a common vision among both elites and within the broader population about the role of the U.S. military in the future. Cyber operations are one element of these debates, though much of the discussion has centered around how best to defend against a growing cyber threat, the role of the Defense Department in that defense, and tensions between civil liberties and security interests. Occasionally, greater attention is paid to questions about the U.S. use of cyber offensively, which brings with it questions of precedent, deterrence, international norms, and a host of other challenges. But it is also apparent that U.S. leaders have already approved the use of offensive cyber capabilities, though under tight restrictions. While not ignoring this larger context, the specific question this project sought to examine in greater depth is whether the Defense Department should make a more deliberate effort to explore the potential of offensive cyber tools at levels below that of a combatant command
FBI's Comey focused on violent home-grown extremists, global spread of terrorism (Washington Post) The new FBI director, James B. Comey, said Thursday that terrorism has become his biggest concern as he settles into the job, with the twin threats of "metastasizing" al-Qaeda affiliates worldwide and the emergence of home-grown violent extremists in the United States
Federal cyber security pros lack confidence in FISMA (Help Net Security) A report by MeriTalk and NetApp examines the state of cyber security at Federal agencies and looks at whether the Federal Information Security Management Act (FISMA) is hurting or helping agencies improve cyber security and protect data
Does profit motive affect security clearance investigations? (Washington Post) In the wake of the Washington Navy Yard killings — 12 dead plus the shooter — President Obama called for an examination of the security clearance process
Time to tighten up on security clearances (My San Antonio) The phone rang and the caller identified himself as an investigator conducting a background check to update a high-level security clearance. He asked if he could speak to me, within the next 24 hours, regarding the "individual concerned." The investigation had "high priority"
China will unblock Facebook, Twitter and The New York Times to boost its new free trade zone (Quartz) China's ambitious Shanghai Free Trade Zone is designed to welcome foreign investment and open up an attractive yuan-denominated financial sector to the rest of the world. But it's hard to boast about free trade credentials behind the Great Firewall of China, so media outlets and social networks that are banned elsewhere in China will be available in the zone, the South China Morning Post reported today, citing unnamed government sources
Caribbean, Latin American leaders likely to discuss spying, development at U.N. meeting (Miami Herald) Last week, Brazilian President Dilma Rousseff cancelled a U.S. state visit over allegations that the National Security Agency listened into her conversations and spied on state-run oil company Petrobras
Booting Up: New NSA Data Farm Takes Root In Utah (KERA News) The National Security Agency won't say exactly when it will fully rev up its newest and biggest data farm in the Salt Lake City suburb of Bluffdale, Utah. There will be no "grand opening" or celebratory barbecue outside the sprawling facility, which is five times the size of the Ikea down the road
Feds Rule Most Mobile Medical Apps Don't Need Regulation, but Some Will (All Things D) The Food and Drug Administration on Monday issued a series of rules governing which types of medical apps for mobile devices will require government oversight. In creating the new structure, the FDA said it tried to balance between protecting consumers while not standing in the way of apps that can transform health care by allowing patients to better diagnose and monitor their health
Litigation, Investigation, and Law Enforcement
Amicus Curiae Brief of Dropbox, Inc. In Support of Service Providers' Motions to Publish Information About National-Security Requests (US Foreign Intelligence Surveillance Court) Dropbox, Inc ("Dropbox") respectfully submits this amicus curiae brief to support the motions filed by Google, Microsoft, Yahoo, and Facebook (the "Service Providers") seeking the Court's permission to publish the number of national–security requests they have received and the number of users affected by those requests. Dropbox has an interest in these motions because the government has told Dropbox that it isn't allowed to publish exactly how many national–security requests, if any, it receives. Instead, the government will permit Dropbox to provide information about national–security requests only if those requests are lumped together with regular law–enforcement requests and, even then, only in bands of 1,000. Because Dropbox received fewer than 100 regular law-enforcement requests last year, reporting in the government's format would decrease Dropbox's ongoing transparency efforts
How a Crypto 'Backdoor' Pitted the Tech World Against the NSA (Wired) In August 2007, a young programmer in Microsoft's Windows security group stood up to give a five-minute turbo talk at the annual Crypto conference in Santa Barbara. It was a Tuesday evening, part of the conference's traditional rump session, when a hodge-podge of short talks are presented outside of the conference's main lineup. To draw attendees away from the wine and beer that competed for their attention at that hour, presenters sometimes tried to sex up their talks with provocative titles like "Does Bob Go to Prison?" or "How to Steal Cars — A Practical Attack on KeeLoq" or "The Only Rump Session Talk With Pamela Anderson"
Whistle-blower Edward Snowden 'wears disguise, in danger': Lawyer (Economic Times) US intelligence leaker Edward Snowden is living under guard at a secret address in Russia and sometimes emerges in disguise, although he remains in such danger that even a family visit could jeopardise his security, his lawyer said Monday
LinkedIn Finds Itself in an Email Privacy Mess, Claims Users Knew (Fast Company) LinkedIn has found itself in the middle of an embarrassing kerfuffle over how well it treats its users' privacy: A new lawsuit alleges the company is complicit in abusing the contacts list of each user, spamming them with unwanted messages
Westgate Terror Attack: what is the nature of our Intelligence System? (Daily Nation) The National Security Intelligence Service (NSIS) was established early in 1998 as a more professional outfit from the discredited and defunct Special Branch. There is no way terrorists can come directly from Kismayu and attack us right in the heart of Nairobi without someone in the intelligence community being aware. Buying and installing security systems that work well in the US or Israel will not address our unique national security threat profile. First things first; my heartfelt condolences to the victims and prayers for the security agents battling terrorists that have dared to strike at Kenya. And by targeting a high-end, better secured facility like the Westgate Mall, they seem to suggest that they can indeed hit us anytime, anywhere they deem fit
This hacker might seem shady, but throwing him in jail is bad for everyone (Washington Post) On Friday, the U.S. government filed its brief in the appeal of Andrew "Weev" Auernheimer, who was convicted of federal hacking charges for downloading hundreds of thousands of customer e-mail addresses from AT&T's Web site. The government says the conviction was proper, but many security researchers and civil liberties advocates argue that the conviction would set a dangerous precedent. Confused? Read on
For a complete running list of events, please visit the Event Tracker.
Securing the Internet of Things Summit (San Francisco, California, USA, Oct 21, 2013) The Internet of Things is still in its infancy and the security community has a chance to build in new approaches to security if we get started now. More secure embedded operating systems and applications, more scalable approaches to continuous monitoring and threat mitigation and new ways of detecting and blocking active threats are evolving and can be tremendously effective. SANS is looking to bring together community talent and ideas to develop new solutions, demonstrate security technology that already works and to provide a force multiplier to making the Internet of Things be more secure than the first phases of Internet evolution.
cybergamut Technical Tuesday: Malware Analysis for the Masses (Columbia, Maryland, USA, Sep 17, 2013) With malware becoming more prevalent, and the pool of capable reversers falling short of overall need, there is a greater need to provide quick and efficient malware analysis for network defense. With modern technology and tools, it's now possible for junior security analysts to gather detailed malware indicators to craft defense and alert signatures. More enticing, all of this can be done with free tools and applications, some written by this presenter.
2013 Cyber Security Summit (New York, New York, USA, Sep 25, 2013) The 2013 Cyber Security Summit connects executives responsible for protecting their company's critical infrastructure with innovative product, service and solution providers. The one day event, to be held September 25th at the Hilton in New York City, will showcase the latest tools and resources available to defend against cyber crime on both corporate and government levels. Keynote addresses and interactive panel discussions led by notable security experts will highlight strategic priorities, risk factors, threats and provide inspirational guidance to prepare and protect from attacks.
4th Annual Cybersecurity Summit (Washington, DC, USA, Sep 25, 2013) GEN Keith Alexander, Commander of U.S. Cyber Command, Director of the NSA/Chief, Central Security Service and Dr. Pat Gallagher, Director, NIST are among the distinguished speakers confirmed to keynote at the 4th Annual Cybersecurity Summit on September 25, 2013 at the National Press Club in Washington, D.C. Michael Daniel, White House Cybersecurity Advisor, and Gen. Keith Alexander, Commander U.S. Cyber Command, and Director, NSA, are confirmed to keynote. Cybersecurity topics to be addressed include: the White House Cybersecurity Executive Order, the Cybersecurity Framework and New Emerging Standards for Critical Infrastructure, information sharing, mobile security and BYOD, legislative developments in cybersecurity, big data and cloud cybersecurity, continuous monitoring, cyber situational awareness, and the JIE rollout active defense and cyber warfare. Organized by Billington CyberSecurity™.
Information Security Conference (Charleston, West Virginia, USA, Oct 2, 2013) On October 2, the WVOT Office of Information Security and Controls, will be sponsoring a no-charge information and cyber security awareness event at the Charleston Civic Center. The agenda will offer an energizing morning of highly informative sessions. Free posters, calendars, bookmarks, and other security-themed items will be available. The event is open to the public, however registration priority will be given to public sector officials and employees.
The Monktoberfest (Portland, Maine, USA, Oct 4, 2013) Our speakers will explore how social trends can change the way we build and use technology, and how technology in turn can change the way we socialize.
Suits and Spooks NYC 2013 (New York, New York, Oct 5, 2013) Since the landscape is foggy, the threat actors numerous and hard to identify, and the attacks proliferating on a daily basis, the focus of the next Suits and Spooks conference will be to identify non-state aggressors in cyberspace. About twenty speakers will present briefings over two days on hackers, citizen militias, and other non-state entities operating in the Middle East, China, Russia, Pakistan, India, Iran, Africa, South America, the United States (yes - we have non-gov threat actors domestically), and other parts of the world. One of our panel moderators will be Joel Brenner (former National Counterintelligence Executive at the Office of the Director of National Intelligence and former Senior Counsel at the NSA).
Forensics and Incident Response Summit EU (Prague, Czech Republic, Oct 6 - 13, 2013) The Summit will focus on high quality and extremely relevant content as well as panel discussions in Digital Forensics and Incident Response. In addition, we encourage you to take every opportunity to make the most of this event from attending the Summit to registering for one or more of the post-summit training classes taught by SANS' top-rated instructors and course authors. Additional events such as DFIR Netwars, evening talks and the SANS Community Night will be taking place during that week too. This event promises to bring together the leading minds in digital forensics and incident response in the EU, as well as many other practitioners from a wide cross section of industries and company sizes. You will be able to share with all of them your challenges and find out new solutions that work, techniques and approaches you didn't even know existed.
CyberMaryland 2013 (Baltimore, Maryland, USA, Oct 8 - 9, 2013) Join cybersecurity leaders, luminaries and rising stars at CyberMaryland 2013. This two-day event at the epicenter of the nation's cybersecurity innovation and education, will create opportunities for networking and idea sharing amongst the many cyber leaders and professionals across the country, including: federal, state and local government agencies, academic institutions, cybersecurity entrepreneurs, and industry leaders of research and development. CyberMaryland 2013 will address the biggest challenges facing America, including future innovation to meet the security challenges facing our country; collaboration across industry, government and educational institutions; and the development of a generation of cyber-warriors. Surrounding all of these issues is a constantly evolving business framework to provide efficient and effective solutions in a time frame that anticipates and mitigates current and future threats.
2013 Maryland Cyber Challenge (Baltimore, Maryland, USA, Oct 8 - 9, 2013) Held in conjunction with Cyber Maryland and intended to let students and young professionals showcase their cybersecurity skills, Maryland Cyber Challenge offers competition in three divisions: high school, college, and professional. Orientation sessions for teams in each of three divisions -- high school, collegiate and industry and government professionals -- will be held at UMBC in July and August. Two qualifying rounds will be conducted online using SAIC's Cyber Network Exercise System.
AFCEA Hill AFB Technology & Cyber Security Expo (Ogden, Utah, USA, Oct 9, 2013) The purpose of this first-time event is to allow base personnel the opportunity to learn about the latest computer security trends, network with peers, share remediation strategies and to view and demo some of the latest cyber security and information technology products/services available today.
International Conference on Cyber–Enabled Distributed Computing and Knowledge Discovery (Shanghai, China, Oct 10 - 12, 2013) The International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery promotes research and development of cyber-related technology. It is unique and significant in that it spans cyber-enabled data mining and knowledge discovery, distributed and parallel computing, cyber security, cloud computing, pervasive computing, mobile computing, Internet, wireless networks, cognitive systems, cyber information process, information discovery, e-health via cyber network, e-science, web technology, and network performance and tools. The research and development in these areas have received extensive attention in both academia and industry to provide ubiquitous services for users. Various hardware and software designs, algorithms, protocols, simulations, test-beds, and implementations are developed for distributed computing in an interconnected and distributed network environment. The purpose of CyberC is to provide a forum for presentation and discussion of innovative ideas, research results, applications and experience from around the world as well as highlight activities in the related areas.
VizSec 2013 (Atlanta, Georgia, USA, Oct 14, 2013) VizSec brings together researchers and practitioners in information visualization and security to address the specific needs of the cyber security community through new and insightful visualization techniques.
Hack-in-the-Box Security Conference 2013 (Kuala Lumpur, Malaysia, Oct 14 - 17, 2013) The 11th annual HITB Security Conference (16th/17th October) will be a triple track offering featuring keynotes by Andy Ellis, Chief Security Officer at Akamai and Joe Sullivan, Chief Security Officer at Facebook. This year's event also features all new 2-day training courses (14th/15th October) on a wide variety of topics including Android exploitation, extreme web hacking, infrastructure security, exploiting injection flaws and a special iOS security course by the world famous Evad3rs team. The full speaker list and conference agenda will be released after the Call for Papers closes on the 25th of July.
USDA Cyber Security Symposium and Expo 2013 (Washington, DC, USA, Oct 15, 2013) The Cybersecurity Expo, running in conjunction with the Summit, will allow exhibitors the opportunity to provide live demos and share information with government personnel and industry partners. Summit topics will focus on today's vulnerabilities, incidents, security lifecycle, risks and mitigations; it will also identify ways to work together and build a solid security foundation program to meet future challenges and trends in cyber security.
SNW Fall 2013 (Long Beach, California, USA, Oct 15 - 17, 2013) SNW is the world's largest independently produced conference series focused on the evolution of architecture for a new world of mobility, Big Data and business agility. Produced by Computerworld -- and co-owned by Computerworld and the Storage Networking Industry Association (SNIA) -- SNW remains unbiased and vendor agnostic. Unlike events focused on a specific vendor agenda and product portfolio, SNW provides a forum of open thought leadership and practical education that defines the spectrum of storage, data and infrastructure solutions available to a highly qualified audience of enterprise technology decision-makers.
Hexis Exchange (Athens, Greece, Oct 16 - 17, 2013) Attendees will have the opportunity to participate in a knowledge exchange of the latest enterprise security topics through expert led business and technology forums, hands-on sessions, and training. Such topics will include: emerging cybersecurity threats, big data management, advanced analytics, government regulation & compliance, and data retention challenges & solutions.
Cybersecurity Symposium: "Protect. Defend. Educate." (Linthicum, Maryland, USA, Oct 16 - 17, 2013) The Cybersecurity Symposium being held October 16-17, 2013, will deliver first-class training for government and industry security professionals while simultaneously offering high-level keynote speakers, essential networking opportunities, and an informative technology exposition. The Symposium sessions will have a special emphasis on security challenges facing today's security professionals and cyber awareness training for security professionals responsible for protecting sensitive and classified information from the ever increasing threats of mobile devices, espionage, terrorism, and cyber-attacks to ensure our national security. Register by August 31 to ensure the reduced early bird registration fee. This event is free for government employees and active-duty military personnel. Exhibit space and sponsorship opportunities are also available.
Nuclear Regulatory Commission Cyber Security Conference & Expo (Rockville, Maryland, USA, Oct 17, 2013) This one-day conference will consist of cyber sessions in the NRC Auditorium given by government and industry speakers. Exhibit tables will be set-up just outside the Auditorium and companies will have the opportunity to demo their latest technologies to NRC's IT personnel.
13th Industrial Control Systems Cyber Security Conference (Atlanta, Georgia, USA, Oct 21 - 22, 2013) Industrial Control Systems (ICS) operate the infrastructures of electric power, water, chemicals, manufacturing, transportation, defense, etc. and link the digital and physical worlds. Their cyber security presents challenges that are distinct from securing traditional IT systems. The conference is attended by control & operations engineers and their IT counterparts from critical infrastructure industries, by ICS and security vendors, and by universities. Run under the Chatham House rules of confidentiality, the conference discusses ICS cyber incident case studies, provides regulatory updates, discusses solutions in the form of policies and procedures, presents demonstrations of hacking ICS and ICS protocols, and provides a status of ICS security solution field demonstrations.
Cloud Connect (Chicago, Illinois, USA, Oct 21 - 23, 2013) Cloud Connect returns to Chicago October 21-23, 2013 with an all new program built around the leading cloud platforms. Cloud Connect provides the independent guidance IT professionals need to successfully build, operate and manage the cloud, and the tools to measure application performance and business metrics.
cybergamut Technical Tuesday: Cyber Security Strategy — Why We're Losing and What's Needed to Win (Columbia, Maryland, USA, Oct 22, 2013) Steve Chabinsky of CrowdStrike explains the situation. Everybody seems to be spending more on cybersecurity, but with questionable return on investment. In fact, the problem clearly is getting worse, and current strategies show no indication of reversing that trend. This non-technical presentation explores the typical cyber risk environment, considers the proper balance and likely effectiveness of threat deterrence, vulnerability mitigation, and consequence management to reduce cyber risk, and examines the current and evolving roles of government agencies and the private sector in addressing the problem. Backed by powerful, real-world examples of threat actor tactics, this presentation will help managers develop a better understanding of how their current security approach is most likely to succeed or fail over time, and what strategies are the most likely to shift the advantage to the good guys. cybergamut is co-hosting this event with the Maryland Chapter of InfraGard.
Cyber Security Seminar and IT Expo at Peterson AFB (Colorado Springs, Colorado, USA, Oct 22, 2013) The Cyber Security Seminar and IT Expo is a one-day event held on-site where industry vendors will have the opportunity to display their products to personnel attending briefings concerning the latest updates in Cyber Security Awareness. This is an excellent and unique opportunity to meet IT personnel from USNORTHCOM, NORAD, Army Space Command, USSPACECOM, and the 21st Space Wing all in one day.
Joint Federal Cyber Summit 2013 (Washington, DC, USA, Oct 23 - 24, 2013) This collaborative government wide event is truly one of a kind, with speakers and attendees anticipated to represent more than 10 federal government agencies. Information sharing will be accomplished through keynote speakers on both days, along with numerous targeted breakout sessions (including a session with a federal CISSO panel), hands on live demonstrations, and industry exhibits.
2013 ACT–IAC Executive Leadership Conference (Williamsburg, Virginia, USA, Oct 27 - 29, 2013) Advances in technology and massive increases in data available can both challenge and transform Government mission performance. ELC-2013 focuses on how to make this transformation a reality, in and for agencies. We will hear from nationally prominent speakers and work across government and industry to learn new ideas and techniques. Four mission-oriented tracks will focus on initiatives for driving results using data and the "Innovate, Deliver, Protect and Analyze" paradigm that is at the heart of the Government's strategic vision.
SAP NS2: National Security Solutions Summit (Falls Church, Virginia, USA, Oct 29, 2013) Join us for a day of learning and networking focused on how to advance U.S. national security and homeland security through I.T. innovation. Top-notch speakers will address the new challenges facing U.S. national security and critical infrastructure -- as well as powerful, affordable technologies that are available today to tackle those challenges while saving money and simplifying operations. Learn how your organization can run faster, smarter, leaner in the most secure environments -- with world-class, breakthrough solutions that are bold alternatives to business as usual.
Regional Cyber Security Forum & IT Day (CSFI) — Hawaii (Honolulu, Hawai'i, USA, Oct 30, 2013) 2013 marks the 10th anniversary of National Cyber Security Awareness Month and FBC will host the 1st Annual Cyber Security Forum & IT Day (CSFI) at Fort Shafter - Club Hale Ikena to coincide with the anniversary, and activities surrounding this month. The goal of CSFI is to raise cyber security awareness, and to promote best practices in cyber while allowing DoD personnel and industry partners the opportunity to share the most up to date remediation strategies. The event will feature four educational cyber sessions to go along with an exhibit hall.
NSA Hawaii — Cyber Security, Intelligence & IT Day (Honolulu, Hawai'i, USA, Oct 30, 2013) Be a part of the 1st Annual Cyber Security, Intelligence and IT Day set to take place at the new National Security Agency (NSA) Hawaii Rochefort facility. The event will be hosted by NS/CCS Hawaii Technology Directorate and will focus on Cyber Security, Big Data and Cloud Computing. There are other areas of interest listed below as well. This is an extremely unique opportunity to network with NSA personnel in Hawaii at their location. Educational sessions will be provided to attendees to coincide with government and industry exhibits.