The CyberWire Daily Briefing for 10.10.2013
news from CyberMaryland
Among many interesting sessions and presentations, we highlight two likely to be of interest to our readers. And, of course, we finish with an account of the National Cyber Security Hall of Fame induction ceremony for the class of 2013. We'll wrap up our CyberMaryland coverage in tomorrow's issue.
Network Solutions is investigating possible connections between a denial-of-service attack it suffered and a recent wave of Website defacements by KDMS Team pro-Palestinian hacktivists.
Anti-regime Syrian hacktivists join the Mideastern trend of vandalizing the American Midwest: Dr.SHA6H hits Mansfield, Ohio.
A Turkish education ministry site is compromised for malware distribution. The motive here seems apolitical theft.
An IE zero-day first observed attacking Japanese and South Korean organizations last month now seems to have been used against US targets as well.
WhatsApp encryption vulnerabilities continue to draw attention (and adverse criticism).
An exploit attacking the popular proprietary CMS vBulletin has been observed in the wild. vBulletin has released a workaround.
As expected, the arrest of "Paunch" by Russian authorities has caused the bottom to drop out of the market for the Blackhole exploit kit. Criminals are shopping elsewhere.
The FBI's arrest of the alleged Dread Pirate Roberts (né Ross Ulbricht, allegedly) has been followed by other Silk Road arrests in the UK and Sweden, but this hasn't trimmed all the Dread Pirates' customers' sails. Although "drug kingpins" are "spooked," low-end druggies vow vengeance against the FBI as small-fry dealers seek to form a new black market bazaar. Other observers draw opsec lessons from the Dread Pirate's downfall.
In industry news, CACI buys Six3 from GTCR in a cyber market push. Cisco sees its Sourcefire buy as a key part of its own future.
General Alexander defends the NSA (and calls for information sharing). The New Republic shows him some surprising love.
Notes.
Today's issue includes events affecting Argentina, Brazil, Canada, China, Egypt, European Union, France, Germany, Ireland, Japan, Republic of Korea, Malaysia, Palestinian Territories, Russia, Singapore, South Africa, Sweden, Syria, Taiwan, Turkey, United Kingdom, and United States.
Baltimore: the latest from CyberMaryland
Hall of Fame Class of 2013 (National Cyber Security Hall of Fame) Five new members were inducted into the National Cyber Security Hall of Fame last night
National Cyber Security Hall of Fame inducting five (NetworkWorld) Pioneers in information system security, intrusion detection among those honored
Contests help teens to be 'cyber guardians' (Sydney Morning Herald) At Baltimore's Loyola Blakefield prep school, a team of students meets after classes to practise for the Maryland Cyber Challenge being held this week. At the event, they'll have to debug viruses from their computers and defeat mock attacks by cyber criminals played by IT professionals
Ruppersberger happy to see progress on Senate cybersecurity bill (Federal News Radio) One member of the House is happy to see the leaders of the Senate Intelligence Committee making progress toward finalizing its version of the cyber sharing bill
Lockheed Martin Mentors Build Next Generation of Cyber and Stem Professionals in LifeJourney Program (Lockheed Martin) Lockheed Martin [NYSE: LMT] has joined forces with the new LifeJourney™ mentoring program to inspire the nation's youth to consider careers in cyber security and other Science, Technology, Engineering and Mathematics (STEM) fields. Lockheed Martin experts in data scientology and cyber architecture are serving as LifeJourney mentors to help students understand the interesting opportunities and the skills necessary to get internships and future jobs in related professions
Cyber Attacks, Threats, and Vulnerabilities
Pro–Palestine DNS hack under investigation (ZDNet) After taking down services including AVG, RedTube and Alexa and claiming responsibility, pro-Palestinian hacking group KDMS Team is under investigation by Network Solutions
City of Mansfield Website Defaced by Syrian Hacker (Softpedia) The Syrian hacker Dr.SHA6H has breached and defaced the official website of the City of Mansfield (ci.mansfield.oh.us), located in the US state of Ohio
Websites of Cities in the Brazilian States of São Paulo and Minas Gerais Hacked (Softpedia) Argentinian hackers of Team Hacking Argentino have defaced several subdomains of the government portals operated by the Brazilian states of São Paulo and Minas Gerais
Hacked Turkish Government Website Used to Distribute Malware (Softpedia) Another Turkish government website has been hacked. However, this time, hacktivists have nothing to do with it
IE Zero–Day Attacks Target U.S. Firms, Government Unit (CRN) An Internet Explorer zero-day flaw believed to have been used in an attack limited to Japan and Korea also appears to have been used against several firms and a government entity in the United States, according to new analysis of the threat
New type of cyber–attack targets govt bodies, firms (Yomiuri Shimbun) At least 20 organizations, including central government bodies such as the Agriculture, Forestry and Fisheries Ministry, along with major companies, came under a new type of targeted cyber-attack in August and September, where some computers were found to have been infected with a virus that steals confidential information, it has been learned
Unexpected IE Zero Day Used in Banking, Gaming Attacks (Threatpost) This was a two-for-one deal that Windows administrators could have done without. Already expecting one patch for an Internet Explorer zero-day being actively exploited, admins got fixes for two zero days instead yesterday as part of Microsoft's October 2013 Patch Tuesday security updates
WhatsApp mobile messaging app in the firing line again over cryptographic blunder (Naked Security) Popular mobile messaging software WhatsApp is in the firing line again for another security SNAFU. A Dutch researcher has pointed out that its session encryption breaks a cardinal rule: a one-time pad is supposed to be a *one* time pad!
Critical WhatsApp crypto flaw threatens user privacy, researchers warn (Ars Technica) Messages sent over Wi-Fi and other public channels can be decrypted using known methods. A security researcher said he has found an encryption flaw that makes it possible for adversaries to decrypt communications sent with WhatsApp, a cross-platform smartphone app that processes as many as 27 billion instant messages each day
Dangerous vBulletin exploit in the wild (Help Net Security) vBulletin is a popular proprietary CMS that was recently reported to be vulnerable to an unspecified attack vector. vBulletin is currently positioned 4th in the list of installed CMS sites on the Internet. Hence, the threat potential is huge
Moscow cops cuff suspect in Blackhole crimeware bust (Register) $50-a-day malware kit set miscreants back more than priciest software licence. The infamous Blackhole Exploit Kit has gone dark following the reported arrest in Russia of a suspect whom police believe is linked to the malware
Shadowy drug fans threaten FBI agents, vow to 'avenge' Silk Road shutdown (Register) How dare lawmen close our illegal underground online drug shop? Dark web hoodlums linked to the underground drugs bazaar Silk Road are preparing to launch revenge attacks on the FBI agents involved in the shutdown of the site
Digital 'activists' scramble to build Silk Road 2.0, but drug kingpins are spooked (Register) We can hardly find a dealer, moan Blighty drug users. Former Silk Roaders say they are preparing to open new anonymous online drug bazaars after last week's collapse of the illicit Tor marketplace. Meanwhile, drug dealers appear to have taken fright after the takedown of the hidden website
Fraudsters Promise Airplane Seat Upgrade; Steal Passwords (Hot for Security) Travelers who fly from New York to Las Vegas on Wednesday, October 16th, may fall victim to the most recent malicious spam shower on the Internet where criminals hunt credentials of fresh FTP accounts
Colonial Properties Acknowledges Data Breach (eSecurity Planet) An undisclosed number of names and Social Security numbers may have been accessed
Security Breach Exposes 18,000 Canadians' Personal Information (eSecurity Planet) Names, addresses, birthdates, marital status and assessment information may have been exposed when an unencrypted SD card was stolen
Vodafone Germany Suffers Another Data Breach, Customer Information Exposed (Softpedia) Vodafone Germany has admitted suffering yet another data breach. This time, it doesn't involve any hackers. Instead, a temporary employee dumped documents containing sensitive customer information in the trash
Security Patches, Mitigations, and Software Updates
BlackBerry Patches Smartphones, Tablets (Industrial Safety and Security Source) BlackBerry issued security patches Tuesday for remote code execution vulnerabilities in Adobe Flash Player that affect new BlackBerry Z10s and Q10s smartphones, and PlayBook tablets. Remote code execution holes enable attackers to gain control of the compromised device or system
Another botched Black Tuesday: KB 2878890 patch brings back two–year–old KB 951847 — repeatedly (InfoWorld) Microsoft's four-month body count: 23 bad patches. It's past time for Microsoft to improve the quality of its Automatic Updates
Cyber Trends
Malaysian security goes mainstream (CSO) What I observed during my time in Malaysia was that because of the rapid economic growth across multiple business verticals within the country there is an "eyes wide open" approach to information security
41% of cyber fraud victims never get money back (Gadget) A recent Kaspersky Consumer Security Risks Survey has revealed that about 41% of users who lost their money as the result of financial cyber-fraud failed to get a single cent returned to them
Juniper study: 80% of smartphones still unprotected from malware, attacks (ZDNet) Smartphones (and tablets) are just open hotspots for trouble waiting to happen if their owners don't take precautions immediately
Mobile security trends, concerns and misperceptions (Help Net Security) PayPal and the National Cyber Security Alliance unveiled the results from a new Zogby Poll highlighting the latest trends, concerns and misperceptions around mobile security and commerce
Report indicates insider threats leading cause of data breaches in last 12 months (CSO) Other results shed light on data security budget allocation and increased responsibility for security groups
After Prism revelation there is nowhere to hide (ComputerWeekly) Whistleblower Edward Snowden has focused the media and government spotlight on cyber espionage, but revelations about the US Prism internet surveillance programme cannot be dismissed by UK business as being of little or no relevance
Marketplace
Six CEOs who can't believe Washington is being so stupid (Quartz) Who said big corporations control the government? Corporate America couldn't be more annoyed at the ongoing government shutdown and threat of a looming default. And, as we predicted, CEOs from some of the country's most influential companies are making it clear they want it resolved
The government's shrinking shutdown (Politico) The longer the government shutdown goes on, the smaller it seems to get
Shutdown standoff shows signs of a thaw (Wall Street Journal) The partisan logjam that has paralyzed the capital showed signs of easing Wednesday, as conservative Republicans warmed to the idea of a short-term increase in the country's borrowing limit and House GOP leaders prepared for their first meeting with President Barack Obama since the government shutdown began
Fort Meade transforming from Army base to cyber city (Washington Post) The growth in Fort Meade and the arrival of Cyber Command is rapidly reshaping the surrounding area. Cafe Joe is one of the gathering spots for cyber workers in Annapolis Junction, Md. Even before noon, the parking lot is packed and the line nearly snakes out the door at Café Joe near Fort Meade
NSA Hid Explosions, Delays at $1.2 Billion Spy Compound (Nextgov) While the government was nearing a shutdown and bracing for a default, a $1.2 billion National Security Agency supercomputer homestead in Utah, built to ingest surveillance data, reportedly was spending hundreds of thousands of dollars to replace fried equipment
CACI to Buy Six3 Systems for $820M in Cyber, C4ISR Push (GovConWire) CACI International (NYSE: CACI) has agreed to acquire McLean, Va.-based national security contractor Six3 Systems from private equity firm GTCR for $820 million in a move to grow CACI's footprints in the cybersecurity, intelligence and C4ISR markets. The transaction is subject to regulatory approvals and is scheduled to close during CACI's fiscal second quarter, which ends in December 2013, CACI said Wednesday
U.S. contractor CACI to buy intelligence firm Six3 Systems (The West Australian) CACI International on Wednesday said it would buy Six3 Systems Inc from private equity firm GTCR for about $820 million (514.8 million pounds) to strengthen its intelligence support services to the U.S. government, the company's largest ever acquisition
GTCR Announces Sale of Six3 Systems: Deal Reinforces Value of GTCR's Leaders Strategy™ (MarketWatch) GTCR, a leading private equity firm, announced today it has signed an agreement to sell its portfolio company, Six3 Systems, Inc. ("Six3"), to CACI International Inc CACI, a leading provider of information solutions and services to government customers, for $820 million
Chambers: Cisco Will Win Tech's Next Elimination Round (InformationWeek) Cisco CEO says half the top tech vendors won't "exist in a meaningful way" in a few years. John Chambers told me he had a message for InformationWeek's readers: Don't underestimate Cisco. Almost two months after announcing plans to cut 5% of its workforce as it "realigns resources" to focus on fast-growing businesses such as cloud, mobile and data center, the Cisco CEO sat down with me on Oct. 2 for a 30-minute interview before his keynote address at Interop New York
Cisco Closes Sourcefire Buyout — Analyst Blog (Nasdaq) Networking equipment maker, Cisco Systems Inc. (CSCO), recently completed the acquisition of cyber security firm, Sourcefire, Inc. (FIRE), for $2.7 billion. The company paid $76 per share in cash for Sourcefire
Cisco Execs: Sourcefire Deal Bolsters Security Portfolio (eWeek) As the tech vendor closes the $2.7 billion Sourcefire deal, Cisco officials say it gives their firewall and intrusion-detection capabilities a boost. Cisco Systems' $2.7 billion acquisition of cyber-security company Sourcefire on Oct. 7 could significantly boost its growing security business, a key part of the tech vendor's efforts to expand its networking roots to become an enterprise IT solutions and services provider
Exclusive: Alibaba CEO says company has decided not to list in Hong Kong (Reuters) Chinese e–commerce company Alibaba Group Holding Ltd ALIAB.UL has decided not to list on the Hong Kong stock exchange, Chief Executive Jonathan Lu told Reuters on Thursday. The company had planned to list in Hong Kong under a structure that would allow its "partners" — a group of founders and senior employees — to keep control over the makeup of its board
Your Playstation 4 may be built by Chinese students in the worst internship ever (Quartz) Foxconn believes that students are the future, at least judging by its deal with China's Xi'an Institute of Technology to expose more than 1,000 of them to the educational experience of working on an assembly line (link in Chinese) for Sony's forthcoming Playstation 4
General Dynamics to develop anti–cyber attack system for DND (Ottawa Business Journal) Ottawa-based General Dynamics Canada, has been awarded a $3.7 million contract to develop an automated computer network defence system for the Department of National Defence
Brian Honan appointed Special Advisor to Europol Cybercrime Centre (Help Net Security) BH Consulting, a specialist firm in information security consulting, today announced that its CEO Brian Honan has been appointed as a Special Advisor on Internet Security to Europol's European Cybercrime Centre (EC3)
Microsoft pays out its first $100,000 bug bounty (Naked Security) Microsoft marked yesterday's tenth anniversary of Patch Tuesday by awarding a security bounty of $100,000 to a researcher at a UK company
BlackBerry tries to hold enterprise software, services fort; Customers wary (ZDNet) Is BlackBerry on its last legs or set to emerge as a leading enterprise mobility management company? Customers are mixed on the company's prospects
BlackBerry Reportedly Leaning Towards Breaking Up Assets As Fairfax Deal In Doubt (TechCrunch) Canada's beleaguered smartphone pioneer BlackBerry is apparently warming to the idea of a break-up, Bloomberg reports, as the Fairfax Financial buyout bid for the entire company looks a little more uncertain due to a failure to secure the appropriate amount of funding, or partners to help them do so
The Layoffs Have Begun at BlackBerry (All Things D) BlackBerry wasted little time in embarking on the layoffs it announced last month. On Monday, the company began handing out termination notices to 300 employees at its Waterloo, Ontario, headquarters
HP Admits What We Already Knew: Microsoft Is At War With Its OEM Partners (TechCrunch) HP stated the obvious today, clearing the air a bit in the world of personal computing, not to mention other areas of the technology industry. Microsoft, it said, is now a competitor to its business. Of course, we knew this
When it Comes To Landing A Top Job At Twitter, That Degree in French Literature Might Not Be So Worthless After All (Forbes) In addition to all the details revealed in Twitter's filing for an initial public offering last week, we now know at least two other things about CEO Dick Costolo. First, he's not above using comedian Carrot Top to denigrate his critics. And second, Twitter's lack of women in its leadership ranks stems from Costolo's unwillingness to add token women to his team after failing to find qualified candidates
PRISM break: seeking privacy, customers defect from US cloud providers (ITWeb) In June, thanks to one of its now former and very famous employees blowing the whistle, the news broke that America's National Security Agency (NSA) was using a program, code-named PRISM, to spy on e-mails, Internet phone calls, file transfers, photos, videos and other data from large Internet companies, including Google, Facebook, YouTube, Microsoft, Skype and Apple, as well as collecting the telephone records of millions of ordinary Americans who are not even suspected of crimes
Products, Services, and Solutions
BeyondTrust Releases Network Security Scanner With Unlimited Vulnerability Assessment (Dark Reading) Retina Network Security Scanner includes targeted scan profiles for security, compliance, and systems administrators
Unisys Unveils Stealth Solution to Protect Enterprises from Mobile Cyber Threats (FierceMobileIT) Unisys Corporation (NYSE: UIS) announced today the availability of its Unisys Stealth(TM) for Mobile solution to address the major security concerns facing enterprises as growing numbers of their employees use consumer devices at work
Lavasoft Announces Release of the All New Ad–Aware 11 (Fort Mill Times) Lavasoft, the original anti-spyware company, today released Ad-Aware 11, a comprehensive redesign of its award-winning anti-malware software. Ad-Aware 11 gives consumers peace of mind while using their computers at work or at play by protecting their private data and securing their computer against all forms of online threats including viruses, spyware and adware
Bitdefender launches GravityZone–in–a–Box to protect virtual, physical and mobile environments of Small to Medium Businesses (Sacramento Bee) Enterprise class-security management console changes the game for SMB. Bitdefender, the creator of leading antimalware solutions, today launched GravityZone-in-a-Box to protect and improve performance for small and medium-sized businesses that require security solutions for virtual, physical and mobile environments from a consolidated management platform
Intel debuts gateway 'middlemen' for Internet of Things (PC World) Intel on Tuesday launched a family of intelligent gateways for the so-called Internet of Things, providing a series of middlemen, so to speak, between embedded sensors and the data they will store and analyze in the cloud
Twitter tries out a way to make breaking news stand out from noise (Fast Company) Twitter is famous for being a brand new font of breaking news as well as being one of the first ways news is shared with the world--the Hudson river aircrash being the prime example of this. But with so many users sharing so many details, opinions, links, photos and trivia alongside genuine news items that come from private and official news sources it can be hard to spot what's news and what's not. This may explain the new @eventparrot account, which direct messages breaking news items into the private messages inbox of its followers
A New Postal Privacy Product (Schneier on Security) The idea is basically to use indirection to hide physical addresses. You would get a random number to give to your correspondents, and the post office would use that number to determine your real address. No security against government surveillance, but potentially valuable nonetheless
Technologies, Techniques, and Standards
Six steps to better Facebook privacy management (CSO) Recent changes have made it even more difficult to keep your Facebook account private. In fact, it's now easier than ever for your profile to be found via search engines and other methods. Here are six steps that you can take today to keep your profile, and its contents, as private as possible
Embrace Your Inner Risk Adviser (Dark Reading) Bridging the gap between security and IT and the business side requires teamwork on building a risk profile
Top 15 Indicators Of Compromise (Dark Reading) Unusual account behaviors, strange network patterns, unexplained configuration changes, and odd files on systems can all point to a potential breach
Cyber security takes discipline (The Lane Report) Policies, training are essential with new employees accessing data via mobile devices. Judging by frequent headlines about stolen credit card numbers and hacker attacks, companies face cyber security threats from literally around the world. But are Kentucky companies doing enough to keep their information — and customers' data — safe
Once a target, always a target: A second look at awareness training in action (ComputerWorld) The one constant about user awareness training is that the awareness part is supposed to stick with you. Learning how to spot one type of phishing email is only good for that particular email, thus the concept of awareness is learning to trust your gut when something looks suspicious
Risk considerations: Tracking services monitor your every move (CSO) Tracking services offer no real value to the business, but they exist on networks both large and small, and administrators are often unaware of their presence
This Map By Nokia Shows All Windows Phones With Language Set To "Chinese" In Asia And Europe (Geoawesomeness) Companies own a lot of Big Data about their business and their customers. More and more they start to realize that and use it to their advantage. This particular map made by Nokia HERE in Berlin shows the spatial distribution of all Windows Phones with language set to "Chinese". With market penetration close to 10% on average worldwide, this map gives you a good estimation of the density of Chinese people around Eurasia, which is particularly interesting outside China. Any census data or migration office will not be able to show it, and definitely not on such a scale
More security to fortify medical devices (Healthcare Finance News) A non-profit organization focused on Internet security is looking to develop a set of benchmarks to protect medical devices from potentially fatal cyber attacks
Google pays coders to improve open–source security (CNET) A new program aims to build deeper security mechanisms into open-source software. Perhaps it'll keep security experts from contracting with nefarious hackers or the NSA instead
Open source software is more secure than you think (SC Magazine) According to a recent survey by Black Duck Software, there are more than one million unique open source projects today, with a projected growth of around two million by 2014. Open source is growing in the enterprise, but oftentimes when people think of open source, they are concerned about the potential security issues. But, those security concerns are merely myths. So, what is the reality when it comes to open source software security
It Was DPR, in the Tor HS, With the BTC (Hacker OPSEC) Give it to me straight, dr the grugq. Generally, it appears that Ross Ulbricht was applying his economic and techno–libertarian philosophy to real life. As his project grew, his security posture improved — too late. The most serious mistakes that Ross Ulbricht made were made during the period Jan 2011 – Oct 2011
Creating And Maintaining A Custom Threat Profile (Dark Reading) Threat intelligence is only useful if it's tailored to your specific organization. Here are some tips on how to customize. Security researchers and vendors are developing a wealth of new data on threats and exploits in the wild. Organizations can tap into this data through the use of threat intelligence feeds, but all too often these feeds are served up in a generic fashion -- identical for all customers, no matter what their industry, size, location or other distinguishing characteristics
Is Your Data As Safe As You Think? More Than Meets The Eye In the Cyber World (The Business Monthly) Consider the plight of a new company, particularly, how it handles its data. Fledgling companies often have very little value and may have to take significant risks, and outsource almost everything in the process, to get off the ground. These days, much of whatever data they have ends up in the cloud. But is this truly secure
The Nature of Data Analysis Hasn't Changed, "Big" or Not (Red Owl Analytics) Bigger data is better data, right? So, why are so many people struggling to make sense of their giga-, peta-, and exabytes of data? Perhaps it's worth taking a step back before moving forward; the tenets of data analysis haven't changed in the 35 years since John W. Tukey's Exploratory Data Analysis (1977) appeared in bookstores, even if technology has
Can You Trust NIST? (IEEE Spectrum) Revelations that the NSA undermined the U.S. standards agency leave cryptographers feeling queasy. The National Institute of Standards and Technology (NIST) has an image problem. Last month, revelations surfaced indicating that the National Security Agency (NSA) may have planted a vulnerability in a widely used NIST-approved encryption algorithm to facilitate its spying activities. And cryptographers are also questioning subtle changes that might weaken a new security algorithm called Secure Hash Algorithm-3, or SHA-3. Encryption experts say NIST's reputation has been seriously undermined but that the security community would like to continue using it as a standards body if it can show that it has reformed
Design and Innovation
Light Point Security: a Software 'Jail' for Malware? (Wall Street Journal) Imagine browsing the Internet from your desktop without any of the content actually touching your computer. That's what Light Point Security LLC allows users to do to protect their computers from Web-based malware, or malicious software, such as viruses and worms
German accelerator's latest batch takes aim at health, personal data, and education (VentureBeat) Deutsche Telekom-backed Hubraum today kicked off the next round of its accelerator program in Berlin and revealed the seven startups taking part. The latest batch of teams includes health technology startups, an online education startup, a digital identity provider and a service that lets users monetize their own personal data
Top BlackBerry 10 developers quit to form a new design company (The Verge) A reunion for The Astonishing Tribe. Some of the biggest names behind BlackBerry 10 have departed their ailing employer for the seemingly greener pastures of the startup world. Seven designers who were brought on by BlackBerry after it acquired their previous employer, The Astonishing Tribe (TAT), back in 2010, have left to form their own design group called Topp. TAT specialized in interface design, and its employees were initially responsible for polishing up BlackBerry's tablet-specific operating system. Since then, the TAT designers who left for Topp say that they became the "key players" in designing and developing BlackBerry 10
Academia
There's no such thing as being "good" or "bad" at math (Quartz) As an American, I was in the minority in my PhD program--and I was at Columbia University. That's because I studied economics, a so-called quantitative subject. During graduate school, my fellow Americans in law school or business school often remarked about what a math genius I must be. Then came their confession
MD cyber security firm CEO wins Outstanding Alumni of the Year (Retriever Weekly) The UMBC Alumni Association has selected Jeehye Yun (BS Computer Science, '97) as the 2013 Outstanding Alumnus for Engineering and Information Technology. She will be presented with the award on October 10 at an awards ceremony in the Albin O. Kuhn Library
Legislation, Policy, and Regulation
NSA Director Stresses Importance of Information Sharing for Cybersecurity (Main Justice) Gen. Keith B. Alexander said his forensics teams can tell companies how bad cyber attacks are, but by the time the government gets involved, the attacks have already been successful and the damage is obvious
In speech to telecom industry, NSA's Alexander criticizes coverage of surveillance (Washington Post) Gen. Keith Alexander, head of the National Security Agency and the military's Cyber Command, on Wednesday asked the telecommunications industry to help set the record straight on what he believes is a media mischaracterization of government surveillance programs
We Need an Invasive NSA (The New Republic) Ever since stories about the National Security Agency's (NSA) electronic intelligence-gathering capabilities began tumbling out last June, The New York Times has published more than a dozen editorials excoriating the "national surveillance state." It wants the NSA to end the "mass warehousing of everyone's data" and the use of "back doors" to break encrypted communications. A major element of the Times' critique is that the NSA's domestic sweeps are not justified by the terrorist threat they aim to prevent
NSA tries to regain industry's trust to work cooperatively against cyber–threats (Washington Post) A drop in Americans' trust in the government is making the difficult task of public-private cooperation against cyber-threats even more difficult. And that has officials such as Gen. Keith B. Alexander, director of the National Security Agency, scrambling to shore up confidence in his agency, whose image has taken a beating in the wake of leaks about its surveillance programs by former NSA contractor Edward Snowden
NSA saves zero–day exploits for high–value targets (Ars Technica) The National Security Agency has a wide-ranging menu of software exploits at its disposal to tailor the right attack to the targets it wants to monitor, according to a blog post published Wednesday by security expert Bruce Schneier. While the program allows analysts to operate in almost absolute secrecy, the NSA's pursuit of an expansive surveillance program has largely defeated those efforts, his essay concludes
What the Government Does with Americans' Data (Brennan Center for Justice, NYU School of Law) After the attacks of September 11, 2001, the government's authority to collect, keep, and share information about Americans with little or no basis to suspect wrongdoing dramatically expanded. While the risks and benefits of this approach are the subject of intense debate, one thing is certain: it results in the accumulation of large amounts of innocuous information about law-abiding citizens. But what happens to this data? In the search to find the needle, what happens to the rest of the haystack
GOP senator 'very close' to introducing cybersecurity bill (The Hill) Sen. Saxby Chambliss (Ga.), the top Republican on the Senate Intelligence Committee, said Tuesday that he is "very close" to introducing legislation that would encourage companies and the government to share information about cyberattacks
Declassified FBI files detail secret surveillance team (Russia Today) The Federal Bureau of Investigation has turned over new documents detailing how the FBI collects cell phone location information about criminal suspects, but most of the secretive program will remain under wraps for now. The latest trove of documents was published this week by the Electronic Privacy Information Center, a DC-based public interest research group that specializes in issues involving surveillance and security
MI5's Andrew Parker lives in a different world (Guardian) The new MI5 chief's recent defence of security services does not stand up in my experience, or in that of my client Shaker Aamer. It has often been said that MI5 operates in a shady, parallel world. Unfortunately, the recent public comments of Sir Andrew Parker, the new head of MI5, make it all too clear that he does not live in the same world as the rest of us. Thirty years in MI5 have apparently left him a little short on perspective
Agencies face 'catch–22' in planning for cyber threats (Federal News Radio) The online ecosystem of apps and mobile devices is creating a perfect storm of incoming threats and financial challenges. Hord Tipton, executive director of the information security non-profit (ISC)² and the former chief information officer of the Interior Department, told In Depth with Francis Rose recently that agency executives and chief experience officers are in a constant state of "security catch-22"
Army looks to consolidate electronic and cyber operations (FierceGovernmentIT) The Army hopes it can improve the capabilities of cyber operations, electronic warfare and electromagnetic spectrum network operations by encouraging collaboration among them, said Col. Carmine Cicalese, chief of Army cyberspace and information operations during a recent television appearance
AT&T: The Internet is awesome, so let's get rid of phone regulations (Ars Technica) Astroturf group pushes AT&T agenda to deregulate telecom
Litigation, Investigation, and Law Enforcement
Judge won't delay NSA surveillance lawsuit (Politico) A federal judge in San Francisco has turned down the Justice Department's request to halt a surveillance-related lawsuit because of the partial government shutdown
FBI Struggles To seize 600,000 Bitcoins From Alleged Silk Road Founder (Liberty Crier) The FBI has found that seizing an anonymous decentralised peer-to-peer currency was trickier than it seemed, following the Bureau's bust of the international drugs marketplace, Silk Road
Law enforcement hunt Silk Road sellers (CSO) The latest arrests stemming from the takedown of the infamous Silk Road send a strong message that sellers on illicit marketplaces in the hidden Web are not safe from the law
Silk Road leads to eight arrests in US, UK, Sweden (Naked Security) Eight more people have been arrested in the wake of the shutdown of Silk Road, the online, illegal-drug bazaar
Police requests DNS provider to take down criminal site, CEO asks for court order (Help Net Security) Mark Jeftovic, the CEO of Toronto-based domain registrar and managed DNS provider EasyDNS, has published a (second) letter his company received from UK's Police Intellectual Property Crime Unit asking them to suspend access to a domain that is allegedly "making illicit financial gains for the criminals operating it"
GoDaddy Pulls Lavabit's Security Creds Because The FBI Got Ahold Of Its Encryption Keys (Forbes) Two months ago, email company Lavabit abruptly shut down. The email service known to be used by NSA whistleblower Edward Snowden has been down ever since. Its homepage has been replaced by a note from founder Ladar Levison explaining that he "refused to be complicit in crimes against the American people." It was a mysterious shut down at the time, but since then, thanks to court documents becoming public, the full story has come out. And that story coming out has resulted in Lavabit having its Internet security credentials revoked
Several IT workers among "Operation Payback" indicted suspects (Help Net Security) The latest batch of Anonymous hacktivists who took part in the 2010 Operation Payback against copyright organizations, law firms, US politicians, and financial and e–payment organizations was indicted last week in Virginia
Three Indicted for Theft of Source Code from Trading Firm (eSecurity Planet) The three are accused of stealing proprietary trading strategies and source code for their own use
Phishing Fraudster Sentenced in the UK to 5 Years and 6 Months (Softpedia) The UK's recently launched National Crime Agency (NCA) has announced the sentencing of its first offender. The conviction is the result of an investigation carried out by the agency's National Cyber Crime Unit (NCCU)
Interpol to house its digital crime centre in Singapore (Times of India) Singapore is all set to get International Criminal Police Organization (INTERPOL's) global complex for innovation next year
Twitter Finds Out That Free Speech Doesn't Mean The Same Thing Everywhere (Forbes) Twitter's finding out what a lot of companies do as they grow out of their home markets: that the rest of the world isn't quite the same as home. And in Twitter's case we're specifically seeing interesting new problems around their traditionally highly robust attitude to free speech. The basic fact is that the rest of the world simply does not have the same protections for free speech as the US: and Twitter's internal standards seem to be higher even than those US ones anyway
The Dangers of Surveillance (Harvard Law Review) From the Fourth Amendment to George Orwell's Nineteen Eighty-Four, our culture is full of warnings about state scrutiny of our lives. These warnings are commonplace, but they are rarely very specific. Other than the vague threat of an Orwellian dystopia, as a society we don't really know why surveillance is bad, and why we should be wary of it. To the extent the answer has something to do with "privacy," we lack an understanding of what "privacy" means in this context, and why it matters. Developments in government and corporate practices have made this problem more urgent. Although we have laws that protect us against government surveillance, secret government programs cannot be challenged until they are discovered. And even when they are, courts frequently dismiss challenges to such programs for lack of standing, under the theory that mere surveillance creates no tangible harms, as the Supreme Court did recently in the case of Clapper v. Amnesty International. We need a better account of the dangers of surveillance
Legal Fears Put Mobile Backups In Spotlight (Dark Reading) Users regularly put their most important mobile data in the cloud via file-sharing and backups, but that's risky to the business
Samsung Gets No Love on Import Ban From Obama Administration (CIO) Competitor Apple saw a similar import ban overturned by the U.S. president. U.S. President Barack Obama's administration has upheld an import ban on some older-model Samsung Electronics smartphones and tablets after the U.S. International Trade Commission determined they infringed Apple patents
Dumbest Identity Thief Ever? (Forbes) Was your last airline flight a disaster? Then you might be heartened to learn of an identity thief who had an even worse day flying the friendly skies of United Airlines. And deservedly so. According to a lawsuit the U.S. filed last week, a forgetful fraudster left his wallet behind at the United ticket counter in the Tallahassee Regional Airport in May. An airline manager went through the wallet to find the identity of the owner and instead of an ID, found 13 debit cards issued in 13 different names, none of which matched any recent airline passenger. The manager called the Tallahassee police, who, through video surveillance and other records, figured out who the passenger was and that he had flown to Ft. Lauderdale
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
KMWorld 2013 KMWorld 2013 is a must-attend event for those concerned with improving their organizations' bottom line, business processes, and productivity, as well as streamlining operations, and accelerating development and innovation in their evolving enterprises. It offers a wide-ranging program especially focused to meet the needs of executives, and strategic business and technology decision-makers. Attendees learn how to maximize their technology investments through practical information and case studies; build relationships with speakers and thought leaders from around the world; and create flexible, competitive enterprises.
Forensics and Incident Response Summit EU (Prague, Czech Republic, Oct 6 - 13, 2013) The Summit will focus on high quality and extremely relevant content as well as panel discussions in Digital Forensics and Incident Response. In addition, we encourage you to take every opportunity to make the most of this event from attending the Summit to registering for one or more of the post-summit training classes taught by SANS' top-rated instructors and course authors. Additional events such as DFIR Netwars, evening talks and the SANS Community Night will be taking place during that week too. This event promises to bring together the leading minds in digital forensics and incident response in the EU, as well as many other practitioners from a wide cross section of industries and company sizes. You will be able to share with all of them your challenges and find out new solutions that work, techniques and approaches you didn't even know existed.
NSU's Raising Savvy Cyber Kids with Ben Halpert (Fort Lauderdale, Florida, USA, Oct 10, 2013) Ben Halpert is an award-winning author of several books for diverse audiences. The Savvy Cyber Kids At Home: The Family Gets A Computer (October, 2010) is a picture book that teaches the concepts of online safety and privacy to preschool children. The Savvy Cyber Kids At Home: The Defeat of the Cyber Bully (October, 2011) teaches children how to appropriately respond to a cyber bully before playing in the virtual world. All Savvy Cyber Kids books are available in English, Spanish, German, and French. For those in the business field, Ben has published Auditing Cloud Computing: A Security and Privacy Guide (July 2011) through John Wiley & Sons. RSVP at the link.
International Conference on Cyber–Enabled Distributed Computing and Knowledge Discovery (Shanghai, China, Oct 10 - 12, 2013) The International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery promotes research and development of cyber-related technology. It is unique and significant in that it spans cyber-enabled data mining and knowledge discovery, distributed and parallel computing, cyber security, cloud computing, pervasive computing, mobile computing, Internet, wireless networks, cognitive systems, cyber information process, information discovery, e-health via cyber network, e-science, web technology, and network performance and tools. The research and development in these areas have received extensive attention in both academia and industry to provide ubiquitous services for users. Various hardware and software designs, algorithms, protocols, simulations, test-beds, and implementations are developed for distributed computing in an interconnected and distributed network environment. The purpose of CyberC is to provide a forum for presentation and discussion of innovative ideas, research results, applications and experience from around the world as well as highlight activities in the related areas.
VizSec 2013 (Atlanta, Georgia, USA, Oct 14, 2013) VizSec brings together researchers and practitioners in information visualization and security to address the specific needs of the cyber security community through new and insightful visualization techniques.
Hack-in-the-Box Security Conference 2013 (Kuala Lumpur, Malaysia, Oct 14 - 17, 2013) The 11th annual HITB Security Conference (16th/17th October) will be a triple track offering featuring keynotes by Andy Ellis, Chief Security Officer at Akamai and Joe Sullivan, Chief Security Officer at Facebook. This year's event also features all new 2-day training courses (14th/15th October) on a wide variety of topics including Android exploitation, extreme web hacking, infrastructure security, exploiting injection flaws and a special iOS security course by the world famous Evad3rs team. The full speaker list and conference agenda will be released after the Call for Papers closes on the 25th of July.
USDA Cyber Security Symposium and Expo 2013 (Washington, DC, USA, Oct 15, 2013) The Cybersecurity Expo, running in conjunction with the Summit, will allow exhibitors the opportunity to provide live demos and share information with government personnel and industry partners. Summit topics will focus on today's vulnerabilities, incidents, security lifecycle, risks and mitigations; it will also identify ways to work together and build a solid security foundation program to meet future challenges and trends in cyber security.
SNW Fall 2013 (Long Beach, California, USA, Oct 15 - 17, 2013) SNW is the world's largest independently produced conference series focused on the evolution of architecture for a new world of mobility, Big Data and business agility. Produced by Computerworld -- and co-owned by Computerworld and the Storage Networking Industry Association (SNIA) -- SNW remains unbiased and vendor agnostic. Unlike events focused on a specific vendor agenda and product portfolio, SNW provides a forum of open thought leadership and practical education that defines the spectrum of storage, data and infrastructure solutions available to a highly qualified audience of enterprise technology decision-makers.
Hexis Exchange (Athens, Greece, Oct 16 - 17, 2013) Attendees will have the opportunity to participate in a knowledge exchange of the latest enterprise security topics through expert led business and technology forums, hands-on sessions, and training. Such topics will include: emerging cybersecurity threats, big data management, advanced analytics, government regulation & compliance, and data retention challenges & solutions.
Cybersecurity Symposium: "Protect. Defend. Educate." (Linthicum, Maryland, USA, Oct 16 - 17, 2013) The Cybersecurity Symposium being held October 16-17, 2013, will deliver first-class training for government and industry security professionals while simultaneously offering high-level keynote speakers, essential networking opportunities, and an informative technology exposition. The Symposium sessions will have a special emphasis on security challenges facing today's security professionals and cyber awareness training for security professionals responsible for protecting sensitive and classified information from the ever increasing threats of mobile devices, espionage, terrorism, and cyber-attacks to ensure our national security. Register by August 31 to ensure the reduced early bird registration fee. This event is free for government employees and active-duty military personnel. Exhibit space and sponsorship opportunities are also available.
NSU Healthcare Cyber Security Summit (Fort Lauderdale, Florida, USA, Oct 17, 2013) In today's modern healthcare systems, data is everywhere, including sensitive patient data that needs to be secured and monitored. Join top healthcare security professionals from Nova Southeastern University, AccessData, and RSA to hear about current regulations that affect healthcare companies of all sizes, ways to protect sensitive data, and learn techniques to monitor access for suspicious activity. If you are responsible for the privacy or security of your company's healthcare data, you will benefit from presentations from these leading experts in the field. NSU's Chief Information Security and HIPAA Security Officer, John Christly, will examine the threats to the privacy and security of today's modern healthcare operations. You will also hear from experts from AccessData and RSA on how to detect and prevent data breaches. RSVP at the link.
Nuclear Regulatory Commission Cyber Security Conference & Expo (Rockville, Maryland, USA, Oct 17, 2013) This one-day conference will consist of cyber sessions in the NRC Auditorium given by government and industry speakers. Exhibit tables will be set up just outside the Auditorium and companies will have the opportunity to demo their latest technologies to NRC's IT personnel.
Securing the Internet of Things Summit (San Francisco, California, USA, Oct 21, 2013) The Internet of Things is still in its infancy and the security community has a chance to build in new approaches to security if we get started now. More secure embedded operating systems and applications, more scalable approaches to continuous monitoring and threat mitigation and new ways of detecting and blocking active threats are evolving and can be tremendously effective. SANS is looking to bring together community talent and ideas to develop new solutions, demonstrate security technology that already works and to provide a force multiplier to making the Internet of Things be more secure than the first phases of Internet evolution.
13th Industrial Control Systems Cyber Security Conference (Atlanta, Georgia, USA, Oct 21 - 22, 2013) Industrial Control Systems (ICS) operate the infrastructures of electric power, water, chemicals, manufacturing, transportation, defense, etc. and link the digital and physical worlds. Their cyber security presents challenges that are distinct from securing traditional IT systems. The conference is attended by control & operations engineers and their IT counterparts from critical infrastructure industries, by ICS and security vendors, and by universities. Run under the Chatham House rules of confidentiality, the conference discusses ICS cyber incident case studies, provides regulatory updates, discusses solutions in the form of policies and procedures, presents demonstrations of hacking ICS and ICS protocols, and provides a status of ICS security solution field demonstrations.
Cloud Connect (Chicago, Illinois, USA, Oct 21 - 23, 2013) Cloud Connect returns to Chicago October 21-23, 2013 with an all new program built around the leading cloud platforms. Cloud Connect provides the independent guidance IT professionals need to successfully build, operate and manage the cloud, and the tools to measure application performance and business metrics.
cybergamut Technical Tuesday: Cyber Security Strategy — Why We're Losing and What's Needed to Win (Columbia, Maryland, USA, Oct 22, 2013) CrowdStrike's Steve Chabinsky explains the situation. Everybody seems to be spending more on cybersecurity, but with questionable return on investment. In fact, the problem clearly is getting worse, and current strategies show no indication of reversing that trend. This non-technical presentation explores the typical cyber risk environment, considers the proper balance and likely effectiveness of threat deterrence, vulnerability mitigation, and consequence management to reduce cyber risk, and examines the current and evolving roles of government agencies and the private sector in addressing the problem. Backed by powerful, real-world examples of threat actor tactics, this presentation will help managers develop a better understanding of how their current security approach is most likely to succeed or fail over time, and what strategies are the most likely to shift the advantage to the good guys. cybergamut is co-hosting this event with the Maryland Chapter of InfraGard.
Cyber Security Seminar and IT Expo at Peterson AFB (Colorado Springs, Colorado, USA, Oct 22, 2013) The Cyber Security Seminar and IT Expo is a one-day event held on-site where industry vendors will have the opportunity to display their products to personnel attending briefings concerning the latest updates in Cyber Security Awareness. This is an excellent and unique opportunity to meet IT personnel from USNORTHCOM, NORAD, Army Space Command, USSPACECOM, and the 21st Space Wing all in one day.
Hack.lu 2013 (Luxembourg, Oct 22 - 24, 2013) Hack.lu is an open convention/conference where people can discuss computer security, privacy, information technology and its cultural/technical implications for society.
Joint Federal Cyber Summit 2013 (Washington, DC, USA, Oct 23 - 24, 2013) This collaborative government-wide event is truly one of a kind, with speakers and attendees anticipated to represent more than 10 federal government agencies. Information sharing will be accomplished through keynote speakers on both days, along with numerous targeted breakout sessions (including a session with a federal CISSO panel), hands-on live demonstrations, and industry exhibits.
NSU's 12 Simple Cybersecurity Rules For Your Small Business (Fort Lauderdale, Florida, USA, Oct 24, 2013) In this presentation twelve simple and inexpensive techniques for protecting small businesses from cyber threats will be discussed. While complex and expensive solutions exist to improve the security of information technology most of these products are not designed for the specific needs of small businesses. The techniques that will be discussed in the presentation are designed to address the most common threats encountered by small businesses without requiring significant expertise and expense. RSVP at the link.
BREAKPOINT 2013 (Melbourne, Australia, Oct 24 - 25, 2013) Over two days, 14 world-renowned speakers front Breakpoint to share their knowledge on a full range of security issues, from unpublished research to the latest trends in information security.
Ruxcon (Melbourne, Australia, Oct 26 - 27, 2013) Ruxcon is a computer security conference that aims to bring together the best and the brightest security talent within the Aus-Pacific region. The conference is a mixture of live presentations, activities and demonstrations presented by security experts from the Aus-Pacific region and invited guests from around the world. Ruxcon is widely regarded as a leading computer security conference within Australia attracting all facets of the security landscape from industry, academics, to enthusiasts.
2013 ACT–IAC Executive Leadership Conference (Williamsburg, Virginia, USA, Oct 27 - 29, 2013) Advances in technology and massive increases in data available can both challenge and transform Government mission performance. ELC-2013 focuses on how to make this transformation a reality, in and for agencies. We will hear from nationally prominent speakers and work across government and industry to learn new ideas and techniques. Four mission-oriented tracks will focus on initiatives for driving results using data and the "Innovate, Deliver, Protect and Analyze" paradigm that is at the heart of the Government's strategic vision.
FIRST Energy Symposium (Leesburg, Virginia, USA, Oct 28 - 29, 2013) Recent reports have shown that the Energy Sector has seen a large increase in the reported number of cyber attacks. The need to protect against threats and improve upon incident management has never been greater. Many control systems are already networked and are targets of sophisticated attacks. Organizations will benefit from having a specialized team to work on detection and handling of cyber attacks, analyzing incidents and sharing information with other security organizations. The FIRST Symposium will focus on lessons learned from attacks and technology and sector specific security aspects. Strong emphasis will be given to organizational issues like creation and operation of incident response teams.
SAP NS2: National Security Solutions Summit (Falls Church, Virginia, USA, Oct 29, 2013) Join us for a day of learning and networking focused on how to advance U.S. national security and homeland security through I.T. innovation. Top-notch speakers will address the new challenges facing U.S. national security and critical infrastructure -- as well as powerful, affordable technologies that are available today to tackle those challenges while saving money and simplifying operations. Learn how your organization can run faster, smarter, leaner in the most secure environments -- with world-class, breakthrough solutions that are bold alternatives to business as usual.
RSA Conference Europe (Amsterdam, the Netherlands, Oct 29 - 31, 2013) Information security today isn't optional. It's business-critical. Over three days, RSA® Conference Europe 2013 imparts the must-know actions to manage growing cyber threats. With over 60 sessions spanning 10 hours, attend the educational and networking event that builds your knowledge and furthers your career.
Regional Cyber Security Forum & IT Day (CSFI) — Hawaii (Honolulu, Hawai'i, USA, Oct 30, 2013) 2013 marks the 10th anniversary of National Cyber Security Awareness Month and FBC will host the 1st Annual Cyber Security Forum & IT Day (CSFI) at Fort Shafter - Club Hale Ikena to coincide with the anniversary, and activities surrounding this month. The goal of CSFI is to raise cyber security awareness, and to promote best practices in cyber while allowing DoD personnel and industry partners the opportunity to share the most up to date remediation strategies. The event will feature four educational cyber sessions to go along with an exhibit hall.
NSA Hawaii — Cyber Security, Intelligence & IT Day (Honolulu, Hawai'i, USA, Oct 30, 2013) Be a part of the 1st Annual Cyber Security, Intelligence and IT Day set to take place at the new National Security Agency (NSA) Hawaii Rochefort facility. The event will be hosted by NS/CCS Hawaii Technology Directorate and will focus on Cyber Security, Big Data and Cloud Computing. There are other areas of interest listed below as well. This is an extremely unique opportunity to network with NSA personnel in Hawaii at their location. Educational sessions will be provided to attendees to coincide with government and industry exhibits.