The CyberWire Daily Briefing for 3.13.2013
JPMorgan Chase underwent a denial-of-service attack yesterday—mobile access worked, but PC users were blocked. The Izz ad-Din al-Qassam Cyber Fighters are suspected.
Widely used SWFUploader exposes websites to content spoofing and cross-site scripting.
Hotmail went down yesterday, and its recovery continues. The causes are unclear, but the outage doesn't seem attributable to simple glitches in Outlook migration.
This week's big hack of celebrity personal information may be traceable to a free credit report site, which suggests that non-celebrities are equally (or more) vulnerable.
Microsoft issued its March patches yesterday, but was unable to fix two problems demonstrated at Pwn2Own and Pwnium. (The latest version of Chrome OS encouragingly escaped Pwnium unscathed, by the way.) Adobe also patched Flash yesterday.
Leaders of the US Intelligence Community appeared before Congress yesterday, and their testimony made the Sino-American cyber cold war chillier. While DNI Clapper called a "digital Pearl Harbor" unlikely (at least within the next two years), he and FBI Director Mueller rated cyber threats at least as serious as terrorism. NSA's General Alexander announced the creation of thirteen offensive teams whose mission would be cyber deterrence and retaliation. China is, of course, the adversary Congress has in mind, and that country's Foreign Ministry responds with calls for "constructive dialogue" on a mutually respectful basis.
In industry news, US budget austerity augurs a fresh round of mergers in defense and security. Help Net Security singles out the eleven most interesting products launched at RSA. Google offers an informational series, "Help for Hacked Sites."
Notes.
Today's issue includes events affecting Australia, Bahrain, China, European Union, Germany, Iran, Syria, United Arab Emirates, United Kingdom, United States, and Vietnam.
Cyber Attacks, Threats, and Vulnerabilities
Cyber attack stops access to JPMorgan Chase site (Chicago Tribune) The consumer banking website of JPMorgan Chase & Co was unavailable to some users on Tuesday as the company tried to deal with a denial-of-service cyber attack that slowed access for some customers. The latest problems on Chase.com came as
Issue with SWFUploader Could Lead to XSS Vulnerabilities, Content Spoofing (Threatpost) Many versions of SWFUpload – an applet that combines Flash and JavaScript that's used in millions of websites, including WordPress sites – are vulnerable to content spoofing and a cross-site scripting vulnerability that could lead to the takeover of accounts, according to reports this week
The Great Hotmail, Outlook Outage Of 2013 Continues As Downtime Passes 12 Hour (TechCrunch) Shortly after 4:00pm EDT on March 12 some Hotmail users took to Twitter, reporting they couldn't access their mail. Microsoft responded at 5:35pm confirming the service outage and stating that they were working on restoring the service. Well, it's been over 12 hours since then, and Microsoft's email services are still down for some
Malware Writers Want Your Google Play Developer Account (eSecurity Planet) According to Brian Krebs, a malware developer is offering $100 for verified accounts. Krebs on Security's Brian Krebs reports that a malware developer recently announced on an online forum that he was willing to pay $100 for verified Google Play developer accounts, which can be used to make malware seem like a legitimate app
Mega-hack of celebrities exposes social security numbers, credit reports, and more (Naked Security) What connects Kim Kardashian, US Vice President Joe Biden, Hillary Clinton, Mel Gibson, Michelle Obama, Ashton Kutcher, Jay Z, Beyoncé, Paris Hilton, Britney Spears, Sarah Palin, Hulk Hogan, Donald Trump and Arnold Schwarzenegger? They, and other public figures, appear to have had their personal information and credit reports (including social security numbers, details of their mortgages, addresses, and details of their credit card and banking details) published by a group of hackers on a new website. Clearly alarm bells have rung about the danger of identity theft
Free credit report site appears to be source for celebrity data (Computer World) A website that provides U.S. consumers with a free annual credit report appears to have been the source used by hackers to download those of celebrities including Beyoncé and government officials including Federal Bureau of Investigation Director Robert Mueller. On Tuesday, a website called "Exposed.su" published Social Security Numbers, previous addresses, and birthdates of a range of well-known people, including former Secretary of State Hillary Clinton, Jay Z, Michelle Obama, Vice President Joe Biden, Hulk Hogan, Donald Trump and U.S. Attorney General Eric Holder, among others
PayPal privates exposed after breach on SECURITY shop (The Register) Antivirus firm Avast has said that it was not responsible for a breach on a website of a German reseller selling its security products that resulted in the apparent leak of the payment details of thousands of consumers over the weekend. Turkish hacker Maxn3y defaced avadas.de on Saturday (archive here) before dumping what the hacker claimed were customer details online
Anonymous hackers bring down extreme-right website in Italy (Gazzetta del Sud) Italians from the international hacker collective Anonymous have brought down the site of the extreme-right group CasaPound, calling on the government to break up the group completely. "It must be closed, in the name of the Constitution," said an online petition directed at President Giorgio Napolitano, accusing the group of "Fascism and Nazism". CasaPound, which has been linked to many armed and bloody confrontations with leftists and minorities in recent years, campaigned for seats in parliament in national elections last month but was unsuccessful
Zoosk asks users to reset passwords following mass leak (Help Net Security) Online dating service Zoosk is urging some of its users to change their passwords following the leaking of a list of some 29 million passwords that seemingly contains theirs
Remote administration tool used to spy on female users (FierceCIO: TechWatch) Ars Technica this week ran a lengthy investigative piece on a disturbing subculture of men who make use of remote administration tool, or RAT, to spy on women through the Internet
Evernote criticized for substandard security (FierceCIO: TechWatch) You've probably heard about how hackers recently broke into Evernote and stole email addresses and usernames, and salted and hashed passwords belonging to its customers. As a result, the company was forced to reset some 50 million passwords belonging to its users, which resulted in the online note-taking service gaining front-page coverage around the world
Security Patches, Mitigations, and Software Updates
Microsoft Security Bulletin Summary for March 2013 (Microsoft Security Tech Center) This bulletin summary lists security bulletins released for March 2013. With the release of the security bulletins for March 2013, this bulletin summary replaces the bulletin advance notification originally issued March 7, 2013. For more information about the bulletin advance notification service, see Microsoft Security Bulletin Advance Notification
Microsoft releases four critical bulletins (Help Net Security) In terms of volume, the March Patch Tuesday is about average, with seven bulletins -- four rated "critical" and three rated "important." In technical terms though we are seeing some interesting vulnerabilities that definitely rate higher-than-average
Microsoft Patch Tues Misses Pwn2own Flaws (eSecurity Planet) Microsoft fixes "evil maid" flaw but lets others that have been publicly demonstrated remain for now. Microsoft is out with its March Patch Tuesday update, issuing seven security bulletins dealing with flaws in Internet Explorer, Office, Silverlight and Windows
Security updates available for Adobe Flash Player (Adobe Security Bulletin) Adobe has released security updates for Adobe Flash Player 11.6.602.171 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.273 and earlier versions for Linux, Adobe Flash Player 11.1.115.47 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.43 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system
Cyber Trends
Security Leader Says U.S. Would Retaliate Against Cyberattacks (New York Times) The chief of the military's newly created Cyber Command told Congress on Tuesday that he is establishing 13 teams of programmers and computer experts who could carry out offensive cyberattacks on foreign nations if the United States were hit with a major attack on its own networks, the first time the Obama administration has publicly admitted to developing such weapons for use in wartime
Pentagon Plans To Add 13 Offensive Teams To Combat Online Threat (Washington Post) The Pentagon's Cyber Command will create 13 offensive teams by the fall of 2015 to help defend the nation against major computer attacks from abroad, Gen. Keith Alexander testified to Congress on Tuesday, a rare acknowledgment of the military's ability to use cyberweapons
U.S. Steps Up Alarm Over Cyberattacks (Wall Street Journal) The nation's top spies warned Tuesday of the rising threat of cyberattacks to national and economic security, comparing the concern more directly than before to the dangers posed by global terrorism
Spy Chief Says Little Danger of Cyber Pearl Harbor in Next Two Years (Wired) Contrary to much of the fear-mongering that has been spreading through the nation's capital on cybersecurity matters lately, the director of national intelligence bucked that trend on Tuesday when he told a Senate committee that there was little chance of a major cyberattack against critical infrastructure in the next two years. DNI James Clapper was a singular voice of reason when he told the Senate Select Committee on Intelligence that lack of skills on the part of most attackers and the ability to override attacks on critical infrastructure with manual controls would make such attacks unfeasible in the near future. He also said that nation states that might have the skills to pull off such an attack lack the motive at this point
Hackers Attack Bank Minutes After NSA Chief Warns Senate About Hackers Attacking Banks (The Atlantic Wire) Gen. Keith Alexander, director of the National Security Agency, took the stand in front of the Senate Armed Services Committee on Tuesday and an ambitious expansion of the Pentagon's Cyber Command. "We've seen the attacks on Wall Street over the last six months grow significantly," Alexander told the senators, explaining that denial of service (DOS) attacks are the most common assault on banks' websites. "And if you look at industry, especially the anti-virus community and others, they believe it's going to grow more in 2013. And there's a lot that we need to do to prepare for this"
China claims it's willing to talk to U.S. about cybersecurity (CNet) The U.S. and China both say they want to directly discuss the issue of cybersecurity, but the odds of an open discussion are slim at best. The Chinese government today responded to a U.S. invitation to enter into a dialogue with the U.S. over acceptable behavior in cyberspace, Reuters reported. At a daily news briefing, Foreign Ministry spokeswoman Hua Chuying said that "China is willing, on the basis of the principles of mutual respect and mutual trust, to have constructive dialogue and cooperation on this issue with the international community including the United States to maintain the security, openness, and peace of the Internet
Chinese 'Hackers' Is A Misnomer. They're Spies. (Wall Street Journal) The U.S. is under cyber attack from a hostile regime. Forceful American digital counterattacks are in order
Inside The World Of A Chinese Hacker (Los Angeles Times) The blog provides a rare peek into the secretive hacking establishment of the Chinese military, which employs thousands of people in what is believed to be by far the world's largest institutionalized hacking operation
China Hack Attacks: Play Offense Or Defense? (InformationWeek) The Chinese government has been blamed for launching cyber-espionage APT attacks against U.S. businesses. In this debate, two security experts examine how business should respond. How should U.S. businesses respond to allegations that the Chinese government has been waging cyber espionage using advanced persistent threat (APT) attacks since at least 2006? Security firm Mandiant recently threw down the gauntlet about these types of attacks, tracing exploits of 141 businesses -- across 20 industries -- to a single group based in China, which it dubbed "APT1." The existence of such groups isn't in dispute
Who are the enemies of the Internet? (Help Net Security) In their latest report on online surveillance, Reporters Without Borders have named Bahrain, China, Iran, Syria and Vietnam as "state enemies" of the Internet due to their continuous and intensive efforts at spying on journalists, bloggers, human rights defenders and political dissidents. The France-based international non-governmental organization that advocates freedom of the press and freedom of information also considers five big private-sector companies as "corporate enemies," because they sell products that are liable to be (and have been) used by governments to violate human rights and freedom of information
Cyber Attackers' Tactics Outpace Companies' Responses (Bloomberg) The average cost of responding to cyber-attacks probably exceeds $10 million for companies with more than 1000 employees, said Lawrence Ponemon
DDoS, Malware Attacks Cost Victims Thousands Of Dollars A Day (Dark Reading) More than 80 percent of attacks against U.S. organizations come from U.S.-based IP addresses. New eye-popping data shows the cost of cyberattacks to victim organizations: victims spend as much as $6,500 per hour recovering from DDoS attacks, and $3,000 a day for up to 30 days recovering from malware infections
Spam Levels Almost Double In February (Dark Reading) According to Eleven Research Team, spam volume rose by 92.2 percent compared to previous month
The Internet Needs a Plan B (Wired Business) Danny Hillis is one of the earliest internet users. He registered the third domain name ever, Think.com ("I thought, so many interesting names, maybe I should register a few other names? Nahh that wouldn't be very nice.") Clutching a gray book about an inch thick on stage, Hillis described those early days. "This is everyone who had an internet address in 1982," Hillis told the crowd at TED 2013 on Wednesday. "It had your name, address and phone number. You were actually listed twice, because it was also indexed by internet address. We didn't all know each other, but we all kind of trusted each other." If you could do it, Hillis estimates today's internet directory would be 25 miles tall. As Hillis has watched the internet grow in size and importance in the last three decades, he has also watched its vulnerability grow. "We have taken a system essentially built on trust, and we have expanded it way beyond its limits." Why that vulnerability is so frightening to Hillis is that so many things we don't imagine as being connected to the internet actually are
Whither whistleblowing: Where have all the leaking sites gone? (Ars Technica) Remaining WikiLeaks clones offer lessons for the future. On February 3, 2013, Balkanleaks released the "Buddha dossier," a massive trove of secret documents from the national police archive. The cache was the Bulgaria-based transparency site's most significant release so far this year. It underscored suspicions that the country's prime minister, Boyko Borisov, had ties to organized crime
Point-of-sale cyber security: hacking the check-out (Engineering and Technology) As point-of-sale systems embrace mainstream software, they will have to deal with the security threats that come with it. After all, what cybercriminal wouldn't go after Windows-based devices handling credit and debit cards
2013 will be the year of larger scale big data adoption (Help Net Security) After a few years of experimentation and early adopter successes, 2013 will be the year of larger scale adoption of big data technologies, according to Gartner, Inc
Passive sensors to transform healthcare outside of hospitals (FierceMobileHealthCare) Over the next decade, passive sensors will play a growing and more significant role in healthcare, according to a new report from the California Healthcare Foundation
Global mHealth app services market to reach $26 billion by 2017 (FierceMobileHealthCare) Within the next four years, the mobile healthcare services market will begin the commercialization phase and reach $26 billion worldwide as smartphone apps enable the mHealth industry to monetize these services, according to an announcement about a new report by mobile research firm research2guidance
Marketplace
Budget Fight Threatens US Cyber Command's Growth (InformationWeek) Testifying before the Senate Armed Services Committee, Alexander said that because a third of Cyber Command's workforce is civilian, the organization could be hard hit by one-day-a-week civilian furloughs that military officials have said will begin in
McCain: House Spending Plan Has $6.4 Billion In Earmarks DoD Doesn't Want (Defense News) A U.S. House-passed federal spending measure that would fund the Pentagon and the rest of the government for the remainder of the year contains $6.4 billion in special interest items not requested by the Defense Department, Sen. John McCain said Tuesday
Pentagon Open To Mergers If They Have Long-Term Benefit: Carter (Reuters) Deputy U.S. Defense Secretary Ashton Carter on Tuesday said he expected an increasing number of mergers and acquisitions in the defense industry in coming years, given a downturn in military spending and uncertainty about funding for weapons programs
Frank Kendall: Pentagon In Sequestration Damage Limitation Mode (ExecutiveGov) The Defense Department is in damage limitation mode as it seeks to manage the effects of automatic budget cuts under sequestration, the Pentagon's lead weapons buyer said Tuesday. Frank Kendall, undersecretary for acquisition, technology and logistics, told an audience at the Newseum in Washington he is concerned the contracting industry is losing professionals because of the cuts. Kendall is "still hoping sequestration will be overturned," he said at the conference on defense budget uncertainty sponsored by McAleese & Associates and Credit Suisse…Deputy Secretary Ashton Carter told attendees the Pentagon is required to work through $487 billion in cuts. Carter said he expects merger-and-acquisition activity to pick up within the contracting industry. Kendall also said the Pentagon will seek to change its definition of low price technically acceptable as it is difficult to define what technically acceptable is. "In some cases we will pay more for more value," he said
CeBIT 2013 Video: One Minute With Catalin Cosoi From BitDefender (TechWeekEurope) Catalin Cosoi, chief security strategist at Softwin, explains how to beat the hackers in the long run. Last week's CeBIT exhibition in Hanover brought together hundreds of thousands of technology enthusiasts. Dozens of security software companies displayed their wares on the show floor, among them Softwin, the developers of BitDefender
Northrop Team Wins $214M For DISA Command, Control Update (GovConWire) A team of contractors led by Northrop Grumman (NYSE: NOC) has won a potential $214 million task order to update a joint command and control system for the Defense Department. The potential 54-month task order's base year is worth $58 million and the team won the order through the Defense Information Systems Agency's Encore II contracting vehicle, Northrop said Tuesday
Engility Adding 100 Workers For Navy IT, Engineering (ExecutiveBiz) Engility Corp. plans to hire about 100 new employees and nearly double its Charleston, S.C. office space to support the company's contract work for the U.S. Navy in the region. The company currently employs around 150 individuals to provide software support and information technology services to the Charleston-based Space and Naval Warfare Systems Center Atlantic, Engility said Monday…Smeraglinolo said the company will hire new employees for positions in business analysis, software development, Oracle E-Business suite, information assurance and engineering
Seven more win spots on $22B EAGLE II contract (Washington Technology) The Homeland Security Department has awarded seven more contracts under its $22 billion Enterprise Acquisition Gateway for Leading Edge Solutions II contract vehicle, or EAGLE II…The winners are: PPT Solutions (team: CohesionForce Inc., Culpepper Veterans Associates, Davis-Paige Management Systems LLC, DESE Research Inc.), Dynamic Security Concepts (team: Broadpoint Technologies, Computer Network Assurance, K4 Solutions, Sphinx Solutions), Testpros Inc. (team: Institute for Data Research Inc.), PCI Strategic Management LLC (team: DMC Consulting, Dynamic Technology Group, Lloyd Clark LLC, Secure Innovations LLC), Gnostech Inc. (team: RNB Technologies, Infinity Systems Engineering LLC, Apex Data Systems), Mason Harriman Group (team: Master Key Consulting, AEGIS.net Inc., Endeavor Systems Inc.), Global Network Systems of Maryland Inc. (team: CTGi, KT Consulting – NV Inc., MTS Technologies, Rainbow Data Systems)
Prolexic Selected for DDoS Mitigation Services by Australia's Number One Job Search Website (MarketWatch) Prolexic, the global leader in Distributed Denial of Service (DDoS) protection services, announced today that Seek.com.au, Australia's leading employment website, has selected Prolexic to provide DDoS detection and DDoS protection services. With 21 million site visitors each month, the Australian owned and operated website provides access to information on 120,000 jobs, as well as current insights into local labor markets and research on employment trends
Cloud Security Alliance Appoints Optimus As New Master Training Partner For The Middle East (PR Urgent) Optimus Technology and Telecommunications, a leading regional Value Added Distributor (VAD) of IT and telecommunications products, today announced that the Cloud Security Alliance (CSA) has named the company as a new Master Training Partner (MTP) for the Middle East region. Optimus will develop and train partners across the region and help promote the Certificate of Cloud Security Knowledge (CCSK) program. Additionally, with this new partnership agreement, Optimus further strengthens its partnership with CSA, becoming one of the first two MTPs for CSA globally. The new CSA MTP program will help accelerate worldwide access and adoption of the CCSK certification
Christine Bailey Joins Accenture As Deputy Federal CFO (GovConWire) Christine Bailey, a former chief financial officer at L-3 Communications' (NYSE: LLL) MPRI division, has joined Accenture (NYSE: ACN) as deputy CFO for its federal services subsidiary, GovCon Wire has learned. Bailey joined MPRI in June 2011 as senior vice president and CFO, holding responsibility for the division's financial planning, accounting, and contractual practices
IT Age Discrimination: You're Not The Dinosaur (InformationWeek) In response to my last column, in which I suggested there's a big difference between employer age discrimination and employees' failure to keep their skills current, I heard from quite a few readers who insisted I was missing the point. Their prevailing viewpoint: There's an "open secret" that big companies tailor their hiring and layoff practices to replace senior IT staffers with less expensive ones, irrespective of the talent they're losing
Products, Services, and Solutions
SpiderOak Unveils Crypton 'Zero-Knowledge' Application Framework (Dark Reading) Crypton makes it possible to build cryptographically secure applications
SQN Banking Systems Now Offering Cloud-Based Fraud Detection (Dark Reading) SENTRY applications will be offered as a cloud-based, SaaS model
Open NAC Integrates With All BYOD Solutions (Dark Reading) Bradford Networks launches Network Sentry SmartEdge Platform
Google rolls out initiative to help hacked sites (CNet) With its new informational series, the Web giant aims to answer questions about why a site was hacked, what malware may have been used, and how to wipe the site clean of bugs. It's not pretty when a Web site gets a "this site may be compromised" or "this site may harm your computer" status note. Many webmasters and Web site owners can be at a loss as to what to do in these situations
Check Point Rolls Out Threat Emulation Software Blade (Dark Reading) Check Point is today announcing a new Threat Emulation…vice president of products at Check Point Software Technologies
Bluebox Labs Releases Android Malware Analysis Tool (Digital Journal) Enabling the identification of malware is a part of Bluebox Labs' ongoing ... proper security analysis – this often leads to undetected malware making it to
First direct silicon-to-photonics-based router family (Help Net Security) Compass-EOS announced r10004, the first in a family of next-generation, core-grade modular routers. The r10004 is three times smaller than comparable core routers and supports a mix of 100GbE
Trend Micro Unveils Complete End User Data Protection Solutions (Sacramento Bee) Trend Micro introduces a new and complete end user protection suite, adding comprehensive…creating new entry points for cyber-espionage and data loss
Chrome OS left unhacked at Pwnium 3 (FierceCIO: TechWatch) Security researchers failed to break the latest version of Google's (NASDAQ: GOOG) Chrome OS at the Pwnium 3 hacking contest held last week at CanSecWest in Vancouver, Canada. Despite an extension of the deadline from the original 2 p.m. to 5 p.m., the $3.14159 million in prize money was left untouched, according to a blog post update on Google+
Most interesting products at RSA Conference 2013 (Help Net Security) The RSA Conference held each year in San Francisco is the biggest security event in the world, attracting tens of thousands of visitors and (this year) over 350 exhibitors. Not all of the companies showcasing their offerings on the expo floor have come prepared to release new solutions, but among those who have, here are the ones whose announcements and presentations garnered the most attention
Technologies, Techniques, and Standards
Tech Insight: Securing Cisco IP Telephony (Dark Reading) Learning about IPT hacking may not seem to be high on the list of IT concerns, but you ignore or underestimate it at your own risk
Cloud Security Standards: What You Should Know (eSecurity Planet) A confusing collection of cloud security standards can make it tough to evaluate cloud provider security. Enterprises continue to be drawn to the cloud, where data and application management is outsourced to a third party in charge of hardware infrastructure. The cloud has matured to where it now comprises
Chess CAPTCHA - a serious defence against spammers? (Naked Security) Spammers are told they have to solve a chess puzzle before they can leave junk messages
Wipe the drive! Stealthy Malware Persistence Mechanism - Part 1 (Internet Storm Center) At Shmoocon 2013 Jake Williams (@MalwareJake) and I gave a presentation entitled "Wipe the Drive". The point of the presentation was that you should always wipe the drive and reinstall the OS after a confirmed malware infection. We all know wiping the drive is the safest move but there are business pressures to simply remove the known malware and move on. Also, because we are security professionals there is often an expectation that we are able to remove all the malware. But, in my and Jake's opinion, relying on a "clean scan" from antivirus products isn't the best approach. The time and effort required to accurately analyze the capabilities of malware and conduct forensic analysis to determine if those capabilities were used is usually not in the cards. There is always an element of risk management, but whenever you possibly can, just wipe the drive. To illustrate the point we began developing a list of ways that malware or an active attacker on your computer can make small configuration changes to your machine. The changes create a misconfiguration that makes the target exploitable or set events in motion that will cause the target to automatically get re-compromised in the future. There are a very large number of changes and misconfigurations that attackers can make but our talk focused around eight of them. The only criterion for these techniques is that they launch a process in an unusual way and ideally they don't have any processes running (so you can avoid detection by memory forensics). I will discuss a few of the methods we came up with and how you might detect these changes. First let's talk about file extension hijacking
Lindsay Sorenson: Bank offers mixed message on security (Post-Crescent) I received a letter from my bank, warning me of the many sneaky ways one's personal information can be stolen. The literature provided many helpful suggestions for avoiding financial identity theft. It recommended hiding or destroying any record of a personal identification number for debit cards, explained how to use your body to block any number-punching at the ATM and mentioned how to conceal money as the ATM spits it out at you or as you walk out of the bank lobby
Ditching Java, Reader and Flash for sake of security (FierceCIO: TechWatch) In the face of widespread attacks against a number of types of plug-in software, Brad Chacos of PC World did an experiment to see if it is possible to go without Java, Adobe Reader, and Flash--and their respective browser plug-ins. To that end, Chacos managed to spend more than a week, and outlined the "mixed, but incredibly illuminating" results in an article here
Design and Innovation
U.S. Spies Want to Play Alternate-Reality Games (For Work, They Swear) (Wired Danger Room) Alternate reality games are no longer just for geeks and corporations that want to sell you stuff. America's intelligence agents now think these interactive games could make for a better way to study human behavior
SAP Opens Singapore-Based Co-Innovation Lab (TechCrunch) SAP just opened another co-innovation lab, this time in Singapore. The lab is its 21st globally, and the fourth in the Asia-Pacific region. The German software giant hopes it will allow member organizations to have a space to experiment with different hardware and software combinations, and provides its cloud infrastructure to them to back this. The aim, it says, is to encourage the creation of
Qualcomm learning how to incubate new technologies (IT World) Qualcomm has a big, well-funded research and development operation, but its program for commercializing new innovations is still a learning experience for the wireless chip maker
Legislation, Policy, and Regulation
Australian government to write big data strategy (Computer World) The federal government will release a big data strategy this winter, Australian Government CIO Glenn Archer said Wednesday at an Australian Information Industry Association (AIIA) summit in Canberra. The Australian Government Information Management Office (AGIMO) plans to release a big data issues paper this Friday, opening a three-week consultation period to collect feedback from industry and the public, said Archer, who replaced Ann Steward as the Australian CIO in December. A draft big data strategy is expected in May, followed by the final report in June or July, he said
UK develops global cyber security capacity, supported by the International Cyber Security Protection Alliance (ICSPA) (ICSPA) ICSPA leads early development of framework to boost defences against cybercrime and security attacks around the world. LONDON, 13 March 2013. The UK Government is creating a framework of global resources and expertise on cyber practice, which countries around the world will be able to draw on to tackle the range of cyber-threats and challenges. The framework will be developed by the International Cyber Security Protection Alliance (ICSPA), a business-backed, not-for-profit, global organisation that provides assistance to countries and their law enforcement agencies
Security agency tells Europe to find alternative to risky email (EurActiv) European governments and businesses should investigate alternative communication channels to e-mail in the longer term after a string of alarming attacks, the EU's cyber security agency warned today (13 March) in a special alert. The European Network and Information Security Agency (ENISA) issued the so-called Flash Note in the wake of recent major cyber-attacks, calling for Europe's businesses and governments to take urgent action to combat emerging cyber-attack trends. The report cites three clear attacks against EU government and "critical infrastructure" targets in the first three months of this year
Medal For Drone Pilots, Cyberwarriors Is On Hold (Washington Post) Defense Secretary Chuck Hagel has ordered the military to stop production of a controversial new medal pending a 30-day study of whether the award for drone pilots and cyberwarriors should outrank medals given for battlefield bravery
Litigation, Investigation, and Law Enforcement
Skype in hot water over failure to let French police eavesdrop (Naked Security) French telecom regulators have suggested that Skype could face charges for failing to register as a telecom and do all the things that French telecoms are supposed to do - for example, let French police eavesdrop on calls
Apparel Company Files Landmark Lawsuit Against Visa in PCI Dispute (Threatpost) A Tennessee-based footwear and apparel company has filed a $13 million lawsuit against Visa for what it considers random, subjective penalties for being out of compliance with the Payment Card Industry (PCI) standard the credit card company regulates
Ten Major Cybercrime Busts (Threatpost) Politicians, security researchers and others involved in the fight against cybercrime often compare the situation to efforts to combat traditional organized crime. Some of the tricks and tactics are comparable, and so are the motives, but there's one major difference between the two groups: Cybercriminals have virtually no fear of being caught. The chances of a cybercriminal being caught, prosecuted and actually serving time in prison are incredibly small, especially in relation to the volume of cybercrime activity occurring today
JPMorgan data leak linked to seventh insider trading conviction (Finextra) The Financial Services Authority has achieved the seventh conviction in an insider trading investigation centred around the leaking of price sensitive data from JPMorgan Cazenove. In a prosecution heard at Southwark Crown Court Richard Joseph, age 43, has been found guilty of six counts of conspiracy to deal as an insider. He has been sentenced to four years on each count, which will be served concurrently
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
A Dialogue on Cyber Warfare from Legal and Corporate Perspectives (New York, New York, USA, Apr 16, 2013) Conversation on Cyber Warfare and the Law. The Journal of Law & Cyber Warfare in partnership with the Columbia Society of International Law is honored to host this first cutting edge conference on the complex issues of cyber warfare. States are faced with the multi-faceted challenges of cyber warfare. No longer confined to the world of technology professionals and spies, these threats are a growing part of the daily lives of corporations and individuals. The constitution and legislation are both scarce and obsolete and the bench and the bar lack the resources and expertise to decide or advocate on these issues.
CTIN Digital Forensics Conference (Seattle, Washington, USA, Mar 13 - 15, 2013) Speakers include experts and published authors in the field of digital forensics and cybersecurity. Topics include: Mobile Device Forensics, Internet Forensics, Physical Memory Analysis, Open Source Tools, Data Carving, Registry Forensics, Placing the Suspect Behind the Keyboard, Triage and Live Forensics CDs, and more.
Google and University of Maryland Cybersecurity Seminar (College Park, Maryland, USA, Mar 14, 2013) Dr. Ari Juels, Chief Scientist of RSA, The Security Division of EMC, and Director of RSA Laboratories, will discuss "Aggregation and Distribution in Cloud Security." His talk will feature information on cloud computing and virtualization, a key supporting technology. Cloud computing offers flexibility and agility in the placement of resources. Certain risks, however, arise from cloud services' tendency to aggregate sensitive data and workloads. He will discuss side-channel attacks resulting from the co-location of disparate tenants' virtual machines (VMs) on hosts and the vulnerabilities posed by databases aggregating the authentication secrets, e.g., password hashes, of numerous users. Conversely, cloud computing offers new opportunities to distribute data. Dr. Juels will also describe a new, research-driven RSA product that splits sensitive data across systems or organizations, removing the single points of compromise that otherwise naturally arise in cloud services.
Department of Homeland Security 6th Annual Industry Day (Washington, DC, USA, Mar 18, 2013) The Department of Homeland Security (DHS) will be hosting its 6th Annual Industry Day to provide advanced acquisition planning information to industry. DHS Industry Day will consist of two sessions: the morning session will be procurement-centric, with an emphasis on procurement issues, policies and programs, and the afternoon session will be Chief Information Officer (CIO) IT-centric. Both sessions will provide acquisition information concerning specific program areas.
IT Security Entrepreneurs' Forum (ITSEF 2013) (Palo Alto, California, USA, Mar 19 - 20, 2013) Supported by the U.S. Department of Homeland Security, Office of Science and Technology, ITSEF 2013 aims to connect the ecosystem of the entrepreneur: industry, government, and academia. The conference will advance innovation, lead change and build trusted global collaboration models between the public and private sectors to defeat Cybersecurity threats.
The Future of Cyber Security 2013 (London, England, UK, Mar 21, 2013) Cyber Security and the Citizen 2013 is a one-day conference and exhibition for senior decision-makers of central and local government organisations, NGOs and major private sector enterprises.
SANS Cyber Threat Intelligence Summit (Washington, DC, USA, Mar 22, 2013) Conventional network defense tools such as intrusion detection systems and anti-virus focus on the vulnerability component of risk, and traditional incident response methodology presupposes a successful intrusio…Network defense techniques which leverage knowledge about these adversaries - known as cyber threat intelligence - can enable defenders to establish a state of information superiority which decreases the adversary's likelihood of success with each subsequent intrusion attempt…The goal of this summit will be to equip attendees with knowledge on the tools, methodologies and processes they need to move forward with cyber threat intelligence. The SANS What Works in Cyber Threat Intelligence Summit will bring attendees who are eager to hear this information and learn about tools, techniques, and solutions that can help address these needs.