The CyberWire Daily Briefing for 9.30.2013
Iranian hackers (state-sponsored, according to reports) are said to have breached an unclassified US Navy network. Cyber-rioting continues in the Indian subcontinent.
WordPress vulnerabilities are being exploited to create a DDoS botnet. Researchers also discern malware brute-forcing user credentials from WordPress.
The Internet Explorer zero-day exploit appears more widespread than thought. Email encrypted with widely used PGP software is, says PGP's creator, fatally vulnerable to interception. Yahoo's recycled names continue to raise security issues (and analyst hackles).
The Mevade Trojan endemic to Tor has its roots in a much older threat. Spearphishing remains an imperfectly addressed threat to power grid security. CIO runs down seven "devious" hacking techniques.
Analysts discern a hacktivist shift toward social networks. Dark Reading foresees a breakdown in online commerce's trust model. Wearable devices prompt inevitable speculation about novel threats and vulnerabilities.
Industry news is dominated, in the US at least, by the possibility of a "Government shutdown" at midnight; experts explain what this might actually mean. Cyber skills continue to be scarce and expensive, and more employers are seen willing to reach out to "hackers" with dodgy backgrounds to fill skills gaps. In Maryland, bwtech@UMBC graduates its first start-up class: AccelerEyes, Five Directions and Oculis Labs. Down I-95, Virginia's Center for Innovative Technology pushes similar innovation through the Mach37 accelerator.
Congressional deliberation over NSA surveillance continues. The US and Japan move toward closer cyber collaboration. Britain moves toward a national cyber warfare reserve force.
The FBI begins investigating last week's breach of major data brokers.
Notes.
Today's issue includes events affecting Brazil, Canada, European Union, France, Germany, India, Iran, Japan, Pakistan, South Africa, Switzerland, Taiwan, Thailand, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Iranian Hackers infiltrated US Navy computers (Hacker News) The Wall Street Journal reported that Iranian hackers have successfully penetrated unclassified US Navy computers; the allegations were made by US officials that consider the attacks a serious intrusion within the Government network
Free Kashmir Says Pakistani Hackers after Hacking and Defacing 20,000 Indian Websites (Hack Read) Two Pakistani hackers going with the handle of Dr@cul@ and Muhammad Bilal have hacked and defaced twenty thousand (20,000) Indian websites against Indian government and in support of alleged freedom movement in Indian administrated Kashmir. All sites were left with a deface page along with a message in support of Kashmir, asking Indian government to leave Kashmir or the hackers will keep on attacking Indian
The Official NUST SEECS subdomain hacked by Hasnain Haxor (HackersPost) The official subdomain of NUST SEECS has been hacked and defaced by a hacker with the handle "Hasnain Haxor". The hacker is from the hacking group Pakistan Haxors Crew (PHC). NUST School of Electrical Engineering and Computer Science (NUST-SEECS, formerly NUST Institute of Information Technology) is the biggest and top school in Islamabad, Pakistan. Mobilink Career Blog, FATA secretariat
Over 100 Thailand Government Websites Hacked and Defaced (Softpedia) Hackers have breached a server that hosts websites from Thailand. As a result, they've defaced 234 websites, over 100 of which are owned by the government of Thailand
Hackers launch huge DDoS attack using WordPress websites (ITProPortal) Thousands of WordPress websites are being used to carry out a huge cyber attack campaign in the form of a distributed denial of service [DDoS] attack. The Hacker News reports that hackers have targeted "a large number" of sites on the WordPress platform after successfully compromising some 90,000 servers way back in April 2012 and in the process have created a WordPress botnet
Malware With Bruteforce Capabilities (abuse.ch) Today I came across an interesting piece of malware that attacks websites that are running WordPress by trying to guess the users' credentials using brute-force methodology. Arbor already did an analysis of this threat in the beginning of September which they have published under the name Fort Disco. However, the brute-force attacks issued by Fort Disco are not limited to Content Management Systems (CMS)
IE zero–day vulnerability exploited more widely than previously thought (ComputerWorld) A recently announced and yet-to-be-patched vulnerability that affects all versions of Microsoft Internet Explorer (IE) has been exploited in targeted attacks against organizations in Taiwan since the beginning of July, according to security researchers
Old Mac malware uncovered (ZDNet) Icefog, a Mac version of Windows malware, is a year old but only recently discovered by Kaspersky. It was used experimentally in the far east, bundled with the legitimate program Img2icns. In a report on the Icefog APT (Advanced Persistent Threat) Kaspersky Lab reveals that the authors created a Mac program to connect to their botnet. It was used in limited, experimental attacks in the far east, primarily in South Korea and Japan
Email surveillance could reveal journalists' sources, expert claims (Guardian) Phil Zimmermann, the creator of the email encryption software PGP, has warned that anyone who uses consumer email services needs to be aware of the threats of exposing their metadata to eavesdroppers
Yahoo proves it has a reckless and moronic attitude to email security (Graham Cluley) The new owners of recycled Yahoo email accounts are receiving private emails, containing personal information, not intended for them. None of this would have happened if Yahoo hadn't initiated the reckless, harebrained scheme in the first place
Tor–using Mevade botnet is stealthy new version of old threat (Help Net Security) The Mevade Trojan and botnet have gained unexpected notoriety when it turned out that the majority of the recent, sudden and massive uptick in Tor users was the result of it adding Tor as a method of
Why You Need To Pay Attention To The Slow HTTP Attack (Acunetix) Okay, I admit, I haven't been stressing enough to people just how critical the Slow HTTP vulnerability really is. The Slow HTTP flaw is present on practically every Apache-based system I test and can facilitate denial of service (DoS) conditions rendering even the most resilient web environments useless
New anti-malware drive focuses on 'EvilGrab' (ComputerWorld) A new malware targeting governments in Asia and Europe has recently been discovered by Trend Micro. Called EvilGrab, the malware is found to be the object of the new anti-APT (advanced persistent threat) campaign that targets security software and uses a system's audio and visual components to seize information after monitoring the data
EE hit by weekend of outages (ComputerWeekly) Users of the EE mobile network were affected by outages over the weekend, with little explanation offered up by the operator. Customers were unable to access mobile data up and down the country, with some of the problems falling over into Monday morning
"One click, then boom": Spear–phishing could "black out" energy companies, expert warns (We Live Security) Spear–phishing attacks on energy companies are becoming increasingly sophisticated, an expert has warned — and all it takes is one lucky strike to cause devastating damage to the power grid, or to companies which supply oil and gas
The Ghost in the (Portable) Machine: Securing Mobile Banking (TrendLabs Security Intelligence Blog) Online banking is one of the many tasks that have been made more convenient by mobile technology. Now, users can purchase products and/or services, pay their bills and manage their finances from anywhere, and anytime. However, threats against mobile banking exist, which need to be addressed and secured against
7 Sneak Attacks Used By Today's Most Devious Hackers (CIO) Most malware is mundane, but these innovative techniques are exploiting systems and networks of even the savviest users
Fake "You Sent a Mobile Payment" PayPal Emails Used in Phishing Scam (Softpedia) In case you receive an email from PayPal informing you that a mobile payment has been made from your account to JD Sports, take a good look at it, as it might have nothing to do with PayPal. Cybercriminals are abusing the payment processor's reputation in a phishing scam
Scam Alert: Facebook "Unblock Government" Emails Point to Phishing Site (Softpedia) Beware of emails that appear to come from Facebook bearing the subject "Unblock Government" (misspelled as "goverment")! The fake notifications are designed to lure users to a phishing website
PayPal phishers bite via hacked dog training website (Graham Cluley) Beware PayPal phishing emails, and make sure that your own websites aren't vulnerable to hackers who might embed malicious code and webpages
Online dating scam costs lovelorn Canadian $500k (Naked Security) The rise of online dating has been spotted by cyber-crooks looking to exploit every weakness of the web-using world. Poor "Tony" lost $500,000 (CAD) to online scammers after being pulled into a complex, long-term fake romance con by a man he met on a dating site
ICG America Acknowledges Security Breach (eSecurity Planet) Attackers had access to the company's payment processing system from January 2, 2013 through August 2, 2013
State Farm Admits Insider Data Breach (eSecurity Planet) A call center employee misused at least 11 customers' credit card numbers
Insider Incident Leads Breach Roundup (HealthCareInfoSecurity) In this week's breach roundup, Holy Cross Hospital in Fort Lauderdale, Fla., is notifying 9,900 patients that a former employee inappropriately accessed their records with the apparent intent to commit fraud. Also, Virginia Tech reports that a computer server containing job application information was illegally accessed, exposing information on 145,000
Cyber Trends
Social Networks Are the New Battleground of the Cyber-Activist, According to Panda Security PandaLabs Report (PR.com) Panda Security, The Cloud Security Company, has just published the results of its Quarterly Report for Q2 2013, drawn up by PandaLabs. One of the main conclusions that can be drawn from this global study is that malware creation reached record levels in the second quarter of the year. In this context, Trojans continued to account for most infections. Additionally, the report shows a worrying increase in malware targeting the Android platform, and discusses some of the major stories concerning cyber-war and cyber-espionage
Cyber Execs' Competing Priorities are Often at Odds with Each Other (Nextgov) Cybersecurity executives are faced with such a broad range of complex challenges that their priorities — from staffing to training to technology — are often at odds with each other, according to a new report. A survey of more than 1,600 C-level executives from around the world by (ISC)², Booz Allen Hamilton and Frost and Sullivan, found that top security executives are faced with a number of critical, yet often paradoxical, security challenges
Financial markets next big cyber target, says US expert (ComputerWeekly) Manipulation of international financial markets will be the next evolution of cyber crime, according to Scott Borg, chief of the US Cyber Consequences Unit. There is a limit to the amount of money criminals can make through theft and credit card fraud, he told a joint session of the ASIS International and (ISC)2 annual congresses in Chicago
Security industry in 'rut,' struggling to keep up with cybercriminals (CSO) Experts agree hackers are winning but some are hesitant to blame it on a lack of new technology, however. Dramatic changes are needed in multiple fronts if the security industry hopes to move ahead of cybercriminals, who are continuously finding new ways to breach corporate systems, experts say. Some technology pros say the industry needs to develop new technologies and architectures that send hackers back to the drawing boards
Commerce In A World Without Trust (Dark Reading) The trust model underlying online commerce has been threatened by the constant attacks on information providers used to authenticate consumers. Is the Internet as secure as it needs to be anymore? Trust is kind of a squishy concept. If you refer back to the definition from our pals at Merriam-Webster, trust is the "belief that someone or something is reliable, good, honest, effective, etc." Reliable? Honest? Sounds great, right
Future malware could harm bytes, bone and brain (CSO) Wearable devices raise risks for damages from bad actors. Wearable computers and use of augmented reality could increase the consequences of cyber attacks for people in the near future, according to a report released this week by a pair of cyber security organizations
Lack of SA skills leads to cyber attack risk (News24) A lack of skills in the computer security sector doesn't bode well for South African companies to protect themselves from cyber attacks, a security company has asserted
Marketplace
On Brink Of Shutdown, All Quiet At Capitol (Washington Post) The U.S. government appeared on Sunday to be on the verge of shutting down for the first time in nearly two decades as House leaders were running out of time and options to keep it open
The Obscure Law That Governs Shutdowns (Government Executive) If rogue Republicans do not relent over the budget impasse by October 1, whatever pandemonium happens next will largely be governed by a federal statute you likely have never heard of: the Antideficiency Act. You can call it the "anti-deadbeat" law — a collection of statutory and administrative provisions, really — that forbid federal officials from entering into financial obligations for which they do not have funding, like paying the salaries of their employees or buying the things they need to run the government. It's also the law that wisely permits certain "essential" government functions — like the military and the courts, for example — to keep operating even in the absence of authorized legislative funding. Predictably, there aren't many legal experts who have built careers around the Antideficiency Act, but I managed to corral a few. The most important messages they offer are these: 1) It's not just present federal work that's affected by the shutdown, it's future work, too; and 2) shutting down the federal government is terribly wasteful and expensive because of the re-start costs involved. That's the point made by the acclaimed dean of Antideficiency Act scholars, University of Baltimore Law Professor Charles Tiefer ("For obscure details," he told me, "you've come to the right guy")
DHS Adds 30 Businesses to $22B EAGLE II Vehicle (GovConWire) The Department of Homeland Security has selected 30 businesses to develop, implement and maintain technology for DHS mission and business functions under the department's seven-year, $22 billion Enterprise Acquisition Gateway for Leading Edge Solutions II contract vehicle
Would you hire a hacker to run your security? 'Yes' say Brit IT bosses (The Register) We don't have enough securo bods in the industry either, reckon gloomy BOFHs. More than two in three IT professionals would consider ex-hackers for security roles, providing they have the right skills to do the job, a survey has found. In addition, 40 per cent of respondents to CWJobs' survey of 352 IT bods reckoned there aren't enough skilled security professionals in the UK technology industry
Skills in demand: Incident response professionals (SC Magazine) Companies who leverage the cloud have concerns over the security of their data. The migration has increased demand for incident response pros, including reverse engineers and malware analysts
NSA Internet Spying Sparks Race to Create Offshore Havens for Data Privacy (Wall Street Journal) Firms Tout 'Email Made in Germany' as More Secure; Brazil Wants Its Own Servers
Palantir Technologies raises $196.5 million (Chicago Tribune) Data-analytics company Palantir Technologies has raised $196.5 million, the company disclosed Friday in a regulatory filing
Northrop Grumman, bwtech@UMBC Graduate First Three Companies from Cyber Cync Program (Wall Street Journal) Northrop Grumman Corporation (NYSE: NOC) and the University of Maryland, Baltimore County's Research Park Corporation - also known as bwtech@UMBC - hosted a ceremony today for the first graduating class of the Cyber Cync Program: AccelerEyes, Five Directions and Oculis Labs
Virginia Cybersecurity Program Targets Startup Businesses (GovConWire) The nonprofit Center for Innovative Technology has launched a public-private cybersecurity program for Virginia businesses to receive an initial investment and make presentations to professional investors. The MACH37 Cyber Accelerator is targeted to cyber startups and will comprise two 90-day sessions per year, Gov. Bob McDonnell's office said Sept. 12
Who Will Stay, and Who Will Go? (Wall Street Journal) Five are in, and five are out! Since the last round of eliminations, the founders have documented a typical day in their lives and endured "hot seat" questioning from two SOTY mentors. Today, the top ten become the final five, one of which will soon be named WSJ Startup of the Year
Products, Services, and Solutions
BlackBerry mulling Messenger expansion to more platforms beyond Android, iOS (FierceMobileIT) BlackBerry (NASDAQ:BBRY) said it is considering extending its signature Messenger chat service to other platforms beyond Google's (NASDAQ:GOOG) Android and Apple's (NASDAQ:AAPL) iOS
Ars takes a look at the tools of the surveillance trade (Ars Technica) We also talk about the merits of purple and Google's new real-life delivery service
Metasploit creator seeks crowd's help for vuln scanning (The Register) Security outfit Rapid7 has decided that there's just too much security vulnerability information out there for any one group to handle, so its solution is to try and crowd-source the effort. Announcing Project Sonar, the company is offering tools and datasets for download, with the idea that the community will provide input into the necessary research
John McAfee wants to sell you a $100 gadget that blocks the NSA (The Verge) Part–time fugitive and antivirus software founder John McAfee has a new invention he's working on. After spending some of his time filming a drug-fueled video tutorial to uninstall the antivirus program he helped create, McAfee now believes he can outsmart the NSA. Speaking at the San Jose McEnery Convention Center on Saturday, McAfee unveiled his grand plan to create a "D–Central" gadget that communicates with smartphones, tablets, and laptops to create decentralized networks that can't be accessed by government agencies
Protect high–value transactions on iOS and Android (Help Net Security) SecureKey introduced its enhanced cloud-based briidge.net Connect multi-factor authentication service. This latest version of briidge.net Connect incorporates the new briidge.net Connect Mobile SDK, which enables developers to easily add robust multi-factor authentication capabilities into iOS and Android mobile apps
Cyberoam launches next-generation firewall appliances (Help Net Security) Cyberoam unveiled Next-Generation Firewalls (NGFW) in its NG Series appliances. Cyberoam NGFW come with Layer 8 Identity-based technology for actionable intelligence and controls that offer complete security controls over L2-L8 for future-ready security in enterprises
Insurer Allianz adds cyber–crime response specialists from Incoming Thought to its policy cover (bobsguide) The insurance giant Allianz has grown its cyber response team to fight financial crime, distributed denial of service (DDoS) and other such malfeasance by partnering with specialists at Incoming Thought. The information security consultancy will provide experts to help the insurance firm's clients recover from a cyber-attack
Microsoft Security Essentials: Aiming low? (ZDNet) Microsoft has offered a free consumer security product for years, but is it good enough for you? It's certainly better than nothing, but it's way short of the best products
TCC releases new encryptor for secure voice and cross-network conferencing (MENAFN) Technical Communications Corp. TCCO said it has released its HSE 6000 radio headset and telephone encryptor to secure the land mobile radio voice communications of public safety special operations, and telephone-to-radio conferencing between commanders and field forces, enabled by TCC's innovative X-NCrypt Cross Network Cryptography
Non–NIST Cipher Suite (Silent Circle) One of the most upsetting things about the recent revelations about the NSA's shenanigans is that it has apparently devoted US$250M to suborning international standards. (One of the very upsetting things about these revelations is that there are several most upsetting things.) Over the last few weeks, just about everyone in the standards and crypto business has been looking over the crypto with an eye towards seeing what the NSA might have subverted
Silent Circle will "move on" from NSA–associated encryption standards, but is that necessary? (Gigaom) The secure communications firm will bring in default replacements for widely-used encryption standards that came out of the U.S. National Institute of Standards and Technology (NIST). However, at least one security expert thinks this may be "a trifle of an overreaction"
Technologies, Techniques, and Standards
Tech Insight: Top 4 Problem Areas That Lead To Internal Data Breaches (Dark Reading) External data breaches (think: Anonymous) and internal data leaks (think: Edward Snowden) have enterprises questioning and rethinking their security programs. Are they doing enough to protect their data? Are their security controls effective? Would they be able to respond appropriately to a data breach and contain it quickly
Do you have your network perimeter secured against downloading malicious content? (Internet Storm Center) Information security professionals take very seriously the network perimeter and tend to put in place several devices to enforce access control to network resources like firewalls, IPS, content filtering devices including antimalware functionality and network access control. But there are two specific variables that can increase a lot the risk of external compromises: Administrative privileges in desktop computers: Many types of business software do not have implemented the principle of requiring the least privileges. That is why now a significant percentage of companies grant Administrator privileges to users, where their use is not monitored in detail
Simplify security but tighten management to keep virtual desktops in check: Imation (CSO) Built-in encryption makes removable USB-based desktop images intrinsically more secure against loss or compromise than conventional desktops, but a virtual-desktop expert warns that companies must still look to two-factor authentication and innovations such as biometrics to ensure security is easy enough that employees won't circumvent it
Continuous monitoring has great promise, says IA specialist (ComputerWorld) Continuous monitoring is fast becoming a security buzzword, but it is a way for security professionals to regain lost ground, according to Bill Hargenrader, information assurance manager at Booz Allen Hamilton
The impact of false positives on web application security scanners (Help Net Security) Ferruh Mavituna is the CEO at Mavituna Security and the Product Architect of Netsparker. In this interview he discusses what impact false positives have on web application security scanners and what his team is doing to deliver false positive free scans
Cyber attack retaliation a bad idea, says international panel (ComputerWeekly) Retaliatory cyber attacks are not a good idea, an international panel has told attendees of a joint session of the ASIS International and (ISC)2 2013 annual congresses in Chicago. Although security practitioners' ability to trace the source of cyber attacks is improving, they said it is seldom possible to do this with total certainty, particularly in the most sophisticated attacks
Cloud Security Alliance releases Cloud Controls Matrix 3.0 (Help Net Security) The Cloud Security Alliance (CSA) released the CSA Cloud Control Matrix (CCM) 3.0, the standard for assessing cloud centric information security risks. It expands its control domains to address
F1 champions Red Bull battle constant threats of cyber attacks and data theft (V3) Triple championship-winning Formula One team Infiniti Red Bull Racing faces constant challenges from both internal and external threats as its technological developments provoke the interest of amateur hackers and rival teams. In response to questions from V3 on a visit to the Red Bull team's headquarters in Milton Keynes, CIO Matt Cadieux (pictured) explained that the intensely competitive and secretive nature of Formula One technology means he has to ensure his networks are in complete lockdown so no "bad apples" could ever walk away with technical data and give it to another team
Buffering SSL encryption to combat today's emerging threats (TechRepublic) Next-generation firewalls should include intrusion prevention (IPS), the ability to decrypt and inspect SSL sessions in real time, and the ability to visualize and control application traffic as it crosses the network
Five Tips for Measuring Progress in Information Security (Tripwire) In my post on Measuring and Reporting on Vulnerability Risk, I talked about how rankings and categories make for some easy to understand graphs, but they tend to fail at meaningfully measuring progress over time. It's tempting to use the standard output of your information security products as the basis for tracking progress, but counting the numbers of highs, mediums and lows simply isn't an accurate representation of overall progress
Could agencies avoid disaster in a Nirvanix–like cloud shutdown? (GCN) The collapse of cloud storage vendor Nirvanix — and the stampede by its customers to recover their data — illustrates why government agencies need sound exit and migration strategies in place before moving any data to the cloud. Upfront due diligence will help agencies if they have to move massive amounts of data on short notice from one cloud service provider to another
Research and Development
Why Recommendation Engines Are About To Get Much Better (InformationWeek) Expanding data sources, including social media sources, are making recommendation engines much more powerful. Amazon.com certainly deserves credit for bringing the term "recommendation engine" into the general lexicon. But recommendation engines have expanded well beyond consumer-facing shopping sites like Amazon as programmatic ways of making accurate recommendations
New proof–of–concept tool detects stealthy malware hiding in graphics cards (PC World) As anti-virus solutions become more robust and Microsoft becomes better at plugging Windows vulnerabilities, malware designers have to get more creative about attacking PCs and servers. One wide-open avenue of attack: hardware components like graphics and network cards. Yes, you read that right
Academia
New Penn State Homeland Security Programs Leader Predicts Evolution in Threats and Changes in Education (Digital Journal) In just the last two years, the nation has experienced deadly man-made and natural disasters, including the Boston Marathon bombing, Hurricane Sandy and wildfires. And as terrorism and organized crime continue to converge, information technology security challenges, threats to information integrity, identity theft and cyber-attacks will further increase, predicts Alexander Siedschlag, Penn State's new chair of online homeland security programs
Legislation, Policy, and Regulation
Report: NSA tracks social ties on Facebook (New Press) The National Security Agency has used its massive collections of electronic data to create a graphic analysis of some American citizens' social connections including travel, location, associates and even Facebook ties, a published report said Saturday
NSA should put all Americans' phone records in a lockbox for later search, director says (Syracuse Post-Standard) The National Security Agency wants to collect more phone records so they can be examined at need, the agency's director told a Senate committee that wants to limit NSA's authority to gather such information. Gen. Keith Alexander made the assertion Thursday during a Senate Intelligence Committee hearing after Sen. Mark Udall, D-Colo., asked him if the NSA wants "the phone records of all Americans," the Huffington Post reported. According to the Post, Alexander replied: "I believe it is in the nation's best interest to put all the phone records into a lockbox that we can search when the nation needs to do it, yes"
Rights groups plan anti–NSA surveillance rally in D.C. (ComputerWorld) ACLU, EFF, Mozilla among nearly 100 organizations planning event on 12th anniversary of U.S. Patriot Act
US Lawmakers Seek Surveillance Reform (Voice of America) U.S. senators in both parties are proposing changes in the way the National Security Agency collects information as it hunts for terrorists and other threats. Some lawmakers want to limit or end the bulk collection of telephone and email records
Why the nation needs a US Cyber Force (Boston Globe) IN THE early 1980s cyber fiction film, "War Games," a young hacker played by Matthew Broderick almost managed to start World War III when he accidentally nearly launched nuclear strikes against the Soviet Union. It seemed unlikely in those relatively primitive days before the widespread use of the Internet, but it foreshadowed the emerging era of the profound intersection of national security and the cyber world. If we think of cyber as we did of aviation a little more than 100 years ago, we are just now on the beach at Kitty Hawk
Japan, US to Discuss Strengthening Cybersecurity: Reports (SecurityWeek) Japan and the United States will discuss strengthening defenses against cyber-attacks, reports said Monday, as Tokyo looks to play a more active role in global security. At talks in Japan later this week, the foreign and defence ministers from both countries will undertake their first review for 15 years of how their security alliance operates
Hammond's £500m new cyber army: As he reveals top-secret Whitehall bunker for the first time, Defence Secretary says future wars will be fought with viruses (Daily Mail) A new 'cyber strike force' costing up to £500 million is being secretly built by Britain to wage war with a regiment of computer geeks instead of bombs and bullets. Fighter planes, warships and regiments face being replaced by futuristic cyber assaults using lethal computer worms and viruses to wipe out enemy targets
Britain's new cyberwar strike capabilities may just be political posturing (Quartz) Britain's defense minister Philip Hammond made a startling statement yesterday: "We are developing a full-spectrum military cyber capability, including a strike capability, to enhance the UK's range of military capabilities." This is not the first time a government has admitted to developing such capabilities. But it is the first time one has explicitly said it will seek to use it for offensive purposes. In the past, calls for offensive capabilities have been just that: proposals
As governments wage cyber wars, Europe stays away (CNBC) Governments across the world are engaged in cyber-attack campaigns against one another, while European administrations have so far forsworn any involvement in offensive online attacks, according to a new report by cyber security firm FireEye. FireEye says that "cyber weapons" are now part of the arsenal governments can use in real-world conflicts
Game apps under fire from consumer law makers (Naked Security) The UK's Office of Fair Trading has investigated how apps and browser-based games comply with consumer law. Alarmed by their findings, they're recommending new developer guidelines around in-app purchases and language inciting children to pay for in-game rewards
FDA's mobile medical apps guidance: Our advisors weigh in (FierceHealthIT) While the U.S. Food and Drug Administration unveiled its long-awaited final guidance on the regulation of mobile medical applications on Monday, some in the healthcare industry weren't sure it went far enough. For instance, Bradley Merrill Thompson, who serves as general counsel for the mHealth Regulatory Coalition, said the final guidance was porous in some areas, such as the definition of what are regulated; disease intended uses compared to unregulated, wellness intended uses; and the exact meaning of an accessory to a medical device
Litigation, Investigation, and Law Enforcement
Microsoft releases latest Law Enforcement Requests Report — no Skype content handed over (Naked Security) Microsoft has published its second Law Enforcement Requests Report, covering the first half of 2013. The quick summary: not much increase over last year's numbers
What did the detention of David Miranda achieve? (ComputerWorld) The physical transport of data shouldn't matter. But sometimes it does. The recent detention of David Miranda, partner of The Guardian newspaper journalist Glenn Greenwald, has created yet another furore, instigating much indignation and re-igniting the debate on the ethics of Prism
Edward Snowden e-mail provider Lavabit faced 'pen register' order (Politico) Lavabit—the e-mail provider that shut down last month in a surveillance-related dispute with the federal government—was faced with a "pen register" order that could have been used to obtain information in real-time when National Security Agency leaker Edward Snowden logged into his account and might even have been used to seek his password
LexisNexis confirms data breach; FBI investigating (Bradenton Herald) LexisNexis, one of the country's largest collectors of personal information on individuals and businesses, said it is trying to determine whether hackers may have gained access to Social Security numbers, background reports and other details on millions of Americans during a data breach earlier this year
Qaeda Plot Leak Has Undermined U.S. Intelligence (New York Times) As the nation's spy agencies assess the fallout from disclosures about their surveillance programs, some government analysts and senior officials have made a startling finding: the impact of a leaked terrorist plot by Al Qaeda in August has caused more immediate damage to American counterterrorism efforts than the thousands of classified documents disclosed by Edward Snowden, the former National Security Agency contractor
£1.01 billion kept out of cybercrooks' hands, claim UK e-cops (Naked Security) The UK's Police Central e-crime Unit (PCeU) is claiming to have kept an astonishing £1.01 billion out of the hands of cybercrooks over the past two-and-a-half years. But just how accurate is that figure? John Hawes investigates
Two youngsters arrested for different DDoS attacks (Help Net Security) Following the massive DDoS attack against anti-spam outfit Spamhaus earlier this year, a 35-year-old Dutch citizen believed to be Sven Kamphuis, the owner and manager of Dutch hosting firm Cyberbunker, was arrested in Spain because he was suspected of having participated in the attack
Google To Be Punished In France For Failing To Pare Back Its Overreaching Privacy Policy (TechCrunch) Google is facing sanctions in France after it failed to amend its privacy policy to comply with French data protection law within a timetable set out by the national regulator. France's data privacy regulator, the CNIL, said Friday it intends to initiate "a formal procedure for imposing sanctions" — which could include a fine — after a three-month deadline to comply with its requirements passed without Google making any changes
Facebook finally wins $3 million payout in Power Ventures spam lawsuit (Naked Security) Power Ventures lured Facebook users into handing over access to their contact lists, then spammed everyone they knew with emails urging them to join their site. Now that Facebook has won its five-year legal battle, has it earned back some trust
Legal pitfalls lurk in common enterprise BYOD practices (FierceMobileIT) Legal pitfalls could lurk in common enterprise BYOD practices, such as remote wiping of data and tracking of employee-owned devices. This is the warning from Route 1, a digital security and identity management firm, in a recent white paper. Route 1 stresses that the practice of remotely wiping personal devices if they are lost or stolen and the GPS tracking of their devices are "legally ambiguous"
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
cybergamut Technical Tuesday: Location Based, Context Aware Services for Mobile — Today and Tomorrow by Guy Levy-Yurista, Ph.D. (available at various nodes, Nov 12, 2013) As we continue to grow our dependence on mobile devices in our daily routine from taking pictures to delivering corporate documents, the contexts in which these devices are acting become increasingly important. Mobility today does not only take into account who the user is but where they are, when they are there, why they go there, what they're interested in, and what they're going to do. As our smart phones evolve, they are growing into a contextual engine that will not be just our personal assistant, but also our best friend providing us with all our information needs at the right time and in the right place.
InfoSecIndy (Indianapolis, Indiana, USA, Apr 26 - 27, 2014) Join us on April 26-27, 2014 in Indianapolis, Indiana for the premier Midwest Information Security and Digital Forensics Conference.
Information Security Conference (Charleston, West Virginia, USA, Oct 2, 2013) On October 2, the WVOT Office of Information Security and Controls, will be sponsoring a no-charge information and cyber security awareness event at the Charleston Civic Center. The agenda will offer an energizing morning of highly informative sessions. Free posters, calendars, bookmarks, and other security-themed items will be available. The event is open to the public, however registration priority will be given to public sector officials and employees.
NSU Hosts FBI Presentation on National Cyber Security Awareness (Fort Lauderdale, Florida, USA, Oct 3, 2013) GSCIS Hosts the Federal Bureau of Investigation (FBI) Special Agents' special presentation on "National Cyber Security Awareness." RSVP at the link.
The Monktoberfest (Portland, Maine, USA, Oct 4, 2013) Our speakers will explore how social trends can change the way we build and use technology, and how technology in turn can change the way we socialize.
Suits and Spooks NYC 2013 (New York, New York, Oct 5, 2013) Since the landscape is foggy, the threat actors numerous and hard to identify, and the attacks proliferating on a daily basis, the focus of the next Suits and Spooks conference will be to identify non-state aggressors in cyberspace. About twenty speakers will present briefings over two days on hackers, citizen militias, and other non-state entities operating in the Middle East, China, Russia, Pakistan, India, Iran, Africa, South America, the United States (yes - we have non-gov threat actors domestically), and other parts of the world. One of our panel moderators will be Joel Brenner (former National Counterintelligence Executive at the Office of the Director of National Intelligence and former Senior Counsel at the NSA).
Forensics and Incident Response Summit EU (Prague, Czech Republic, Oct 6 - 13, 2013) The Summit will focus on high quality and extremely relevant content as well as panel discussions in Digital Forensics and Incident Response. In addition, we encourage you to take every opportunity to make the most of this event from attending the Summit to registering for one or more of the post-summit training classes taught by SANS' top-rated instructors and course authors. Additional events such as DFIR Netwars, evening talks and the SANS Community Night will be taking place during that week too. This event promises to bring together the leading minds in digital forensics and incident response in the EU, as well as many other practitioners from a wide cross section of industries and company sizes. You will be able to share with all of them your challenges and find out new solutions that work, techniques and approaches you didn't even know existed.
CyberMaryland 2013 (Baltimore, Maryland, USA, Oct 8 - 9, 2013) Join cybersecurity leaders, luminaries and rising stars at CyberMaryland 2013. This two-day event at the epicenter of the nation's cybersecurity innovation and education, will create opportunities for networking and idea sharing amongst the many cyber leaders and professionals across the country, including: federal, state and local government agencies, academic institutions, cybersecurity entrepreneurs, and industry leaders of research and development. CyberMaryland 2013 will address the biggest challenges facing America, including future innovation to meet the security challenges facing our country; collaboration across industry, government and educational institutions; and the development of a generation of cyber-warriors. Surrounding all of these issues is a constantly evolving business framework to provide efficient and effective solutions in a time frame that anticipates and mitigates current and future threats.
2013 Maryland Cyber Challenge (Baltimore, Maryland, USA, Oct 8 - 9, 2013) Held in conjunction with Cyber Maryland and intended to let students and young professionals showcase their cybersecurity skills, Maryland Cyber Challenge offers competition in three divisions: high school, college, and professional. Orientation sessions for teams in each of three divisions -- high school, collegiate and industry and government professionals -- will be held at UMBC in July and August. Two qualifying rounds will be conducted online using SAIC's Cyber Network Exercise System.
AFCEA Hill AFB Technology & Cyber Security Expo (Ogden, Utah, USA, Oct 9, 2013) The purpose of this first-time event is to allow base personnel the opportunity to learn about the latest computer security trends, network with peers, share remediation strategies and to view and demo some of the latest cyber security and information technology products/services available today.
NSU's Raising Savvy Cyber Kids with Ben Halpert (Fort Lauderdale, Florida, USA, Oct 10, 2013) Ben Halpert is an award-winning author of several books for diverse audiences. The Savvy Cyber Kids At Home: The Family Gets A Computer (October, 2010) is a picture book that teaches the concepts of online safety and privacy to preschool children. The Savvy Cyber Kids At Home: The Defeat of the Cyber Bully (October, 2011) teaches children how to appropriately respond to a cyber bully before playing in the virtual world. All Savvy Cyber Kids books are available in English, Spanish, German, and French. For those in the business field, Ben has published Auditing Cloud Computing: A Security and Privacy Guide (July 2011) through John Wiley & Sons. RSVP at the link.
International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (Shanghai, China, Oct 10 - 12, 2013) The International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery promotes research and development of cyber-related technology. It is unique and significant in that it spans cyber-enabled data mining and knowledge discovery, distributed and parallel computing, cyber security, cloud computing, pervasive computing, mobile computing, Internet, wireless networks, cognitive systems, cyber information process, information discovery, e-health via cyber network, e-science, web technology, and network performance and tools. The research and development in these areas have received extensive attention in both academia and industry to provide ubiquitous services for users. Various hardware and software designs, algorithms, protocols, simulations, test-beds, and implementations are developed for distributed computing in an interconnected and distributed network environment. The purpose of CyberC is to provide a forum for presentation and discussion of innovative ideas, research results, applications and experience from around the world as well as highlight activities in the related areas.
VizSec 2013 (Atlanta, Georgia, USA, Oct 14, 2013) VizSec brings together researchers and practitioners in information visualization and security to address the specific needs of the cyber security community through new and insightful visualization techniques.
Hack-in-the-Box Security Conference 2013 (Kuala Lumpur, Malaysia, Oct 14 - 17, 2013) The 11th annual HITB Security Conference (16th/17th October) will be a triple track offering featuring keynotes by Andy Ellis, Chief Security Officer at Akamai and Joe Sullivan, Chief Security Officer at Facebook. This year's event also features all new 2-day training courses (14th/15th October) on a wide variety of topics including Android exploitation, extreme web hacking, infrastructure security, exploiting injection flaws and a special iOS security course by the world famous Evad3rs team. The full speaker list and conference agenda will be released after the Call for Papers closes on the 25th of July.
USDA Cyber Security Symposium and Expo 2013 (Washington, DC, USA, Oct 15, 2013) The Cybersecurity Expo, running in conjunction with the Summit, will allow exhibitors the opportunity to provide live demos and share information with government personnel and industry partners. Summit topics will focus on today's vulnerabilities, incidents, security lifecycle, risks and mitigations; it will also identify ways to work together and build a solid security foundation program to meet future challenges and trends in cyber security.
SNW Fall 2013 (Long Beach, California, USA, Oct 15 - 17, 2013) SNW is the world's largest independently produced conference series focused on the evolution of architecture for a new world of mobility, Big Data and business agility. Produced by Computerworld -- and co-owned by Computerworld and the Storage Networking Industry Association (SNIA) -- SNW remains unbiased and vendor agnostic. Unlike events focused on a specific vendor agenda and product portfolio, SNW provides a forum of open thought leadership and practical education that defines the spectrum of storage, data and infrastructure solutions available to a highly qualified audience of enterprise technology decision-makers.
Hexis Exchange (Athens, Greece, Oct 16 - 17, 2013) Attendees will have the opportunity to participate in a knowledge exchange of the latest enterprise security topics through expert led business and technology forums, hands-on sessions, and training. Such topics will include: emerging cybersecurity threats, big data management, advanced analytics, government regulation & compliance, and data retention challenges & solutions.
Cybersecurity Symposium: "Protect. Defend. Educate." (Linthicum, Maryland, USA, Oct 16 - 17, 2013) The Cybersecurity Symposium being held October 16-17, 2013, will deliver first-class training for government and industry security professionals while simultaneously offering high-level keynote speakers, essential networking opportunities, and an informative technology exposition. The Symposium sessions will have a special emphasis on security challenges facing today's security professionals and cyber awareness training for security professionals responsible for protecting sensitive and classified information from the ever increasing threats of mobile devices, espionage, terrorism, and cyber-attacks to ensure our national security. Register by August 31 to ensure the reduced early bird registration fee. This event is free for government employees and active-duty military personnel. Exhibit space and sponsorship opportunities are also available.
NSU Healthcare Cyber Security Summit (Fort Lauderdale, Florida, USA, Oct 17, 2013) In today's modern healthcare systems, data is everywhere, including sensitive patient data that needs to be secured and monitored. Join top healthcare security professionals from Nova Southeastern University, AccessData, and RSA to hear about current regulations that affect healthcare companies of all sizes, ways to protect sensitive data, and learn techniques to monitor access for suspicious activity. If you are responsible for the privacy or security of your company's healthcare data, you will benefit from presentations from these leading experts in the field. NSU's Chief Information Security and HIPAA Security Officer, John Christly, will examine the threats to the privacy and security of today's modern healthcare operations. You will also hear from experts from AccessData and RSA on how to detect and prevent data breaches. RSVP at the link.
Nuclear Regulatory Commission Cyber Security Conference & Expo (Rockville, Maryland, USA, Oct 17, 2013) This one-day conference will consist of cyber sessions in the NRC Auditorium given by government and industry speakers. Exhibit tables will be set-up just outside the Auditorium and companies will have the opportunity to demo their latest technologies to NRC's IT personnel.
Securing the Internet of Things Summit (San Francisco, California, USA, Oct 21, 2013) The Internet of Things is still in its infancy and the security community has a chance to build in new approaches to security if we get started now. More secure embedded operating systems and applications, more scalable approaches to continuous monitoring and threat mitigation and new ways of detecting and blocking active threats are evolving and can be tremendously effective. SANS is looking to bring together community talent and ideas to develop new solutions, demonstrate security technology that already works and to provide a force multiplier to making the Internet of Things be more secure than the first phases of Internet evolution.
13th Industrial Control Systems Cyber Security Conference (Atlanta, Georgia, USA, Oct 21 - 22, 2013) Industrial Control Systems (ICS) operate the infrastructures of electric power, water, chemicals, manufacturing, transportation, defense, etc. and link the digital and physical worlds. Their cyber security presents challenges that are distinct from securing traditional IT systems. The conference is attended by control & operations engineers and their IT counterparts from critical infrastructure industries, by ICS and security vendors, and by universities. Run under the Chatham House rules of confidentiality, the conference discusses ICS cyber incident case studies, provides regulatory updates, discusses solutions in the form of policies and procedures, presents demonstrations of hacking ICS and ICS protocols, and provides a status of ICS security solution field demonstrations.
Cloud Connect (Chicago, Illinois, USA, Oct 21 - 23, 2013) Cloud Connect returns to Chicago October 21-23, 2013 with an all new program built around the leading cloud platforms. Cloud Connect provides the independent guidance IT professionals need to successfully build, operate and manage the cloud, and the tools to measure application performance and business metrics.
cybergamut Technical Tuesday: Cyber Security Strategy — Why We're Losing and What's Needed to Win (Columbia, Maryland, USA, Oct 22, 2013) Steve Chabinsky of CrowdStrike explains the situation. Everybody seems to be spending more on cybersecurity, but with questionable return on investment. In fact, the problem clearly is getting worse, and current strategies show no indication of reversing that trend. This non-technical presentation explores the typical cyber risk environment, considers the proper balance and likely effectiveness of threat deterrence, vulnerability mitigation, and consequence management to reduce cyber risk, and examines the current and evolving roles of government agencies and the private sector in addressing the problem. Backed by powerful, real-world examples of threat actor tactics, this presentation will help managers develop a better understanding of how their current security approach is most likely to succeed or fail over time, and what strategies are the most likely to shift the advantage to the good guys. cybergamut is co-hosting this event with the Maryland Chapter of InfraGard.
Cyber Security Seminar and IT Expo at Peterson AFB (Colorado Springs, Colorado, USA, Oct 22, 2013) The Cyber Security Seminar and IT Expo is a one-day event held on-site where industry vendors will have the opportunity to display their products to personnel attending briefings concerning the latest updates in Cyber Security Awareness. This is an excellent and unique opportunity to meet IT personnel from USNORTHCOM, NORAD, Army Space Command, USSPACECOM, and the 21st Space Wing all in one day.
Joint Federal Cyber Summit 2013 (Washington, DC, USA, Oct 23 - 24, 2013) This collaborative government wide event is truly one of a kind, with speakers and attendees anticipated to represent more than 10 federal government agencies. Information sharing will be accomplished through keynote speakers on both days, along with numerous targeted breakout sessions (including a session with a federal CISSO panel), hands on live demonstrations, and industry exhibits.
NSU's 12 Simple Cybersecurity Rules For Your Small Business (Fort Lauderdale, Florida, USA, Oct 24, 2013) In this presentation twelve simple and inexpensive techniques for protecting small businesses from cyber threats will be discussed. While complex and expensive solutions exist to improve the security of information technology most of these products are not designed for the specific needs of small businesses. The techniques that will be discussed in the presentation are designed to address the most common threats encountered by small businesses without requiring significant expertise and expense. RSVP at the link.
2013 ACT-IAC Executive Leadership Conference (Williamsburg, Virginia, USA, Oct 27 - 29, 2013) Advances in technology and massive increases in data available can both challenge and transform Government mission performance. ELC-2013 focuses on how to make this transformation a reality, in and for agencies. We will hear from nationally prominent speakers and work across government and industry to learn new ideas and techniques. Four mission-oriented tracks will focus on initiatives for driving results using data and the "Innovate, Deliver, Protect and Analyze" paradigm that is at the heart of the Government's strategic vision.
SAP NS2: National Security Solutions Summit (Falls Church, Virginia, USA, Oct 29, 2013) Join us for a day of learning and networking focused on how to advance U.S. national security and homeland security through I.T. innovation. Top-notch speakers will address the new challenges facing U.S. national security and critical infrastructure -- as well as powerful, affordable technologies that are available today to tackle those challenges while saving money and simplifying operations. Learn how your organization can run faster, smarter, leaner in the most secure environments -- with world-class, breakthrough solutions that are bold alternatives to business as usual.
Regional Cyber Security Forum & IT Day (CSFI) — Hawaii (Honolulu, Hawai'i, USA, Oct 30, 2013) 2013 marks the 10th anniversary of National Cyber Security Awareness Month and FBC will host the 1st Annual Cyber Security Forum & IT Day (CSFI) at Fort Shafter - Club Hale Ikena to coincide with the anniversary, and activities surrounding this month. The goal of CSFI is to raise cyber security awareness, and to promote best practices in cyber while allowing DoD personnel and industry partners the opportunity to share the most up to date remediation strategies. The event will feature four educational cyber sessions to go along with an exhibit hall.
NSA Hawaii — Cyber Security, Intelligence & IT Day (Honolulu, Hawai'i, USA, Oct 30, 2013) Be a part of the 1st Annual Cyber Security, Intelligence and IT Day set to take place at the new National Security Agency (NSA) Hawaii Rochefort facility. The event will be hosted by NS/CCS Hawaii Technology Directorate and will focus on Cyber Security, Big Data and Cloud Computing. There are other areas of interest listed below as well. This is an extremely unique opportunity to network with NSA personnel in Hawaii at their location. Educational sessions will be provided to attendees to coincide with government and industry exhibits.