The CyberWire Daily Briefing for 5.14.2013
Moxie Marlinspike claims the Saudi government is looking for ways of monitoring encrypted Internet communications. Elsewhere in the Middle East the US Government believes it sees increased attempts to penetrate US power companies.
Bloomberg discloses accidental Internet posting of traders' private messages.
The Philippines-Taiwan cyber riot (prompted by a Taiwanese fisherman's death in an encounter with the Philippine Coast Guard) continues.
Symantec sees Francophone organizations prepped to receive malware by a phone call asking them to check an invoice. Sophos reports bogus Amazon messages in the UK—they carry a Trojan payload.
The cyber criminal economy continues to mirror its legitimate counterpart: there's now an online recruiting service for money mules.
The recent watering hole attack on the US Department of Labor (now found to have extended to the Agency for International Development) was more sophisticated than initially thought. It appears to have served as reconnaissance for subsequent attacks (yet to be executed).
A denial-of-service attack on a testing service delays statewide exams in Indiana (US) schools.
In cyber trends, analysts mull the prospects of "threat-centric" and offensive approaches to security. RAND, which was present at the creation of nuclear deterrence, publishes an appreciation of the feasibility of cyber deterrence.
Adobe and Microsoft will both release patches later today.
Politico reports that US Defense Secretary Hagel will announce civilian furloughs sometime today. The UK Ministry of Defense weighs a major acquisition overhaul.
Endpoint vulnerabilities prompt new interest in app sandboxing and anthropomorphic security.
New Zealand discusses its emerging cyber policy.
Today's issue includes events affecting Cambodia, Canada, China, France, India, Iran, Israel, Republic of Korea, Democratic People's Republic of Korea, Luxembourg, Malaysia, New Zealand, Philippines, Romania, Russia, Saudi Arabia, Sierra Leone, Taiwan, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Dear hacker: Please help us eavesdrop on our customers (Ars Technica) Saudi telecom seeks help monitoring encrypted Twitter data according to e-mails. Mobily, a Saudi Arabian telecommunications company with 4.8 million subscribers, is working on a way to intercept encrypted data sent over the Internet by Twitter, Viber, and other mobile apps, a security researcher said Monday. Moxie Marlinspike, the pseudonymous cryptographer who has identified several security bugs in the secure sockets layer protocol used to protect website transactions, said he learned of the project after receiving an e-mail from company officials. Carrying the subject line "Solution for monitoring encrypted data on telecom," it said the project was required by "the regulator." Marlinspike believed this meant the government of Saudi Arabia
Bloomberg accidentally posted private terminal messages online (Quartz) Bloomberg says it accidentally posted on the internet more than 10,000 private messages that traders sent each other on their Bloomberg terminals. The new revelation, reported by the Financial Times, will undoubtedly escalate the furor over Bloomberg's handling of data that its customers consider to be confidential
OpPhilippines: Anonymous Taiwan launched cyber war against Philippines (E Hacking News) The Philippines cyber space is again facing another cyber war. Following the cyberattacks from Chinese and Malaysian hackers, Taiwanese hackers have now started a cyber war against the Philippines. The operation, named #OpPhilippines, has been launched by Anonymous Taiwan. The attack comes after the Philippine Coast Guard killed a Taiwanese fisherman. EHN was notified about the cyberwar by pinoyhacknews. "Philippine coastguard killed taiwanese unarmed fishermen is injustice and unforgivable. Philippine government
It's better to call ahead before sending malware, Symantec finds (CSO) French-speaking organizations are receiving bogus calls asking them to check an invoice, which is actually malware
Attackers Target Older Java Bugs (Threatpost) It's no secret that Java has moved to the top of the target list for many attackers. It has all the ingredients they love: ubiquity, cross-platform support and, best of all, lots of vulnerabilities. Malware targeting Java flaws has become a major problem, and new statistics show that this epidemic is following much the same pattern as malware exploiting Microsoft vulnerabilities has for years
Outbreak! Fake Amazon UK emails spammed out, delivering malware (Naked Security) Although there has been increased talk recently on drive-by-downloads and compromised websites being used to deliver malware, it's worth remembering that email-based malware is far from dead
Bank Internet Links Can Give Hackers Keys to Vaults (Tech News World) Willie Sutton once said that he robbed banks because that's where the money was. If Sutton were living today, he might have made the career move to hacker. That would allow him to do what he liked to do best -- steal money -- on a global scale, which is what a ring of bank robbing hackers have been doing. Eight of the alleged cybercrooks were arrested in the U.S. last week. The ring used prepaid credit cards issued by a bank in the United Arab Emirates. They hacked into banking systems to increase
Data breach in ATM fraud outside our environment, says ElectraCard (Business Standard) Pune-based ElectraCard Services (ECS) said on Sunday that a data breach in a series of ATM fraud attacks in December last year appears to have happened outside of its "processing environment". Last week, US authorities had brought to light a $45-million global cyber heist involving ECS and another company, enStage Inc, which operates from Bangalore. The two firms had processed card payments for two West Asian banks that were hit in the theft, according to people familiar with the situation
New Prenda letter threatens to tell neighbors about porn accusations (Ars Technica) Sprawling case may be porn troll's "last stand," but it looks massive
Regional Medical Center at Memphis Acknowledges Security Breach (eSecurity Planet) WREG Memphis reports that the Regional Medical Center at Memphis (the MED) is notifying almost 1,200 physical therapy patients who were treated at the MED between May 2012 and January 2013 that their names, account numbers, birthdates, Social Security numbers, home phone numbers, and reasons for needing physical therapy may have been exposed (h/t PHIprivacy.net). According to the MED, the data was exposed when an employee accidentally attached a list of medical records to three unsecured e-mails
Barracuda Warns of Auto Wrap Scam (eSecurity Planet) Barracuda Labs researchers say they've recently seen an increase in the volume of a long-running scam that leverages spam e-mails promising weekly payments in exchange for the right to wrap the recipient's car in an ad for a popular product such as Monster Energy Drink, Coca-Cola or Budweiser. "Monster Energy Drink seeks people -- regular citizens, licensed drivers to go about their normal routine as they usually do, only with a big advert for 'Monster Energy Drink' plastered on your car"
Indiana University Health Arnett Suffers Security Breach (eSecurity Planet) On May 10, Indiana University Health Arnett began notifying some of its patients that their personal data may have been exposed when an employee's password-protected laptop was stolen from the employee's car a month earlier, on April 9, 2013 (h/t PHIprivacy.net). According to Arnett, e-mails stored on the laptop may have contained patient names, birthdates, medical record numbers, diagnoses, dates of service and physicians' names. The Lafayette Journal and Courier reports that the laptop contained
Lake Zurich mayor's email hacked and a fake message that he wants $1,700 circulated (Hackers News Bulletin) Lake Zurich Mayor Thomas Poynton's email account was hacked Saturday with a message that went out claiming he was mugged in the Philippines and needed $1,700 to return home. "So far, I've been aware of it 52 times today," said Poynton, alluding to the number of calls he received regarding the email sent from his account. About Lake Zurich from Wikipedia: Lake Zurich (Swiss German/Alemannic: Zürisee; German: Zürichsee) is a lake in Switzerland, extending southeast of the city of Zurich. It is also known
New trends in the underground market, the offer of cybercrime (SecurityAffairs) Monitoring the criminal underground is essential to understanding the dynamics of cybercrime and the related offerings on the black market. At fixed intervals I decided to take a look at what is happening in the underground black market, analyzing how its offerings and the related sales models evolve. In recent months we have seen the consolidation of the sales model known as Cybercrime-as-a-Service, in which sellers provide products and services to conduct every kind of cybercrime
No money mule, no problem: Recruitment website kits for sale (Help Net Security) A valuable asset in the fraud world, money mules enable cybercriminals to cash out stolen money. After cybercriminals take over a victim's account, they enlist the help of a third person (a mule) to retrieve the money and send it to them in an untraceable way
Cyber attack delays ISTEP (Journal Courier) Bogus service requests reportedly overload system. A denial of service attack on ISTEP+ test vendor CTB/McGraw Hill caused headaches Monday for districts closing in on completing this year's test. The online test is in week three after the testing window was extended to May 15 following widespread test outages during its first week
USAID Workers Also Targeted by DoL Watering Hole Attackers (Threatpost) One of the nine sites serving malware tied to the recent watering hole attack on the U.S. Department of Labor was located in Cambodia and has ties to the United States Agency for International Development (USAID)
Labor Department hackers more sophisticated than most (CSO) The hackers who hijacked a U.S. Labor Department website were as interested in gathering data for their next attack as they were in stealing information from their victims, security experts say. The attack, reported last week, started with compromising the web server that ran the site and then inserting a malware payload that would be decoded when a visitor's browser attempted to render specific Web pages. The exploit targeted a previously unknown vulnerability in Microsoft's Internet Explorer 8
Bahraini banks could face cyber-attacks: Expert (Business Insurance) Tony Tesar, CEO at financial security specialist Le Beck International Ltd. in the Middle East, has warned smaller Bahraini banks that they may face the kind of cyber-attack that hit two banks in the Middle East leading to $45 million being stolen
Middle Eastern Hackers Attacking U.S. Power Companies (Popular Science) Middle Eastern hackers have been attacking U.S. utility companies and trying to gain control of their computer systems, the Washington Post and the New York Times reported recently. Customers haven't seen any effects from the attacks, but the U.S. government has certainly noticed. The Department of Homeland Security sent out an alert to companies last week, the Washington Post found. U.S. officials aren't sure if the hackers are state-sponsored, or if they're unauthorized criminals
US claims Mid East as source of new cyber intrusions on its energy companies (Press TV) According to the report, while the US Department of Homeland Security has emphasized the need to expand its 'cyber security force' by as many as "600 hacking specialist to keep pace with the rising number of threats," it has been struggling in the
Energy Sector Orgs: How Would You Know if You Were Secure Enough? (Smart Grid Security) Along with my friend and IBM colleague Jeff Katz, I was recently cited in an article by a new publication called Breaking Energy. One of the things they captured was this statement: [Legislators and regulators] hear statements that the grid is not secure enough… That begs the question: how would you know? How do you know how secure it is now? If one was hellbent on better securing the grid, how would you define your destination, and how would you know you were making progress towards it? Sorry so many
Security Patches, Mitigations, and Software Updates
Fixes For Microsoft, Adobe Zero Days Out For Patch Tuesday (Dark Reading) Adobe and Microsoft are planning on releasing Patch Tuesday fixes for two separate zero-day vulnerabilities that are targeted by exploits in the wild
The Need For Threat-Centric Security (Threatpost) Defenders are at an asymmetric disadvantage when it comes to defending their networks. Attackers spend every minute of their day focused exclusively on penetrating your network to accomplish their mission...and opportunities abound
The offensive approach to cybersecurity, motivations and risks (SecurityAffairs) Cybersecurity goes on the offensive: law enforcement and private companies are discussing the possibility of adopting an offensive approach to defend their assets from continuous cyber attacks. The press is getting used to news of cyber attacks against companies and government agencies; to date, the trend among those responsible for the cybersecurity of these entities is to pursue a defensive approach in the face of threats
Cyberattack Capabilities and Cyberdeterrence (RAND) The U.S. military exists not just to fight and win wars but also to deter them and even dissuade others from preparing for them. Deterrence is possible only when others have a good idea of what the U.S. military can do. Such acknowledgment is at the heart of U.S. nuclear deterrence strategy and, to a lesser extent, our maintaining strong mobile conventional forces that can intervene almost anywhere on the globe. Cyberattack capabilities, however, resist such demonstration, for many reasons, not least of which is that their effects are very specific to details of a target system's software, architecture, and management. But the fact that cyberattack capabilities cannot easily be used to shape the behavior of others does not mean they cannot be used at all. This report explores ways that cyberattack capabilities can be "brandished." It then goes on to examine the obstacles to doing so and sketches some realistic limits on our expectations
Cyber-attacks against US corporations on the rise (NDTV) A new wave of cyber-attacks is striking American corporations, prompting warnings from federal officials, including a vague one issued last week by the Department of Homeland Security. This time, officials say, the attackers' aim is not espionage but
Companies unprepared for cyber attacks (Guernsey Isle News) Channel Islands' companies are at risk of incurring significant expense dealing with the aftermath of a cyber attack. As a UK government commissioned survey reveals the number of cyber attacks hitting businesses has soared in the past year and it is
Cyber crooks getting smarter - but users aren't (iTWire) As Chief Technical Officer of security vendor Trend Micro, he's seen it all. He is currently in Australia for Trend Micro's Evolve series of industry conferences. He believes IT security has changed dramatically in recent years, and made users' jobs
Consumers still ignoring malware protection (Info Security Magazine) As many as 58.2 million American adults had at least one malware infection that affected their home PCs' features or performance in the past year - a fact that collectively cost nearly $4 billion for repairs
NSA Asks Open Source Developers to Help Protect Agency Cloud (Executive Gov) The National Security Agency has started developing a cloud computing platform intended to help secure the government's network infrastructure, FedScoop reported Friday
US Investment in Cyber-Security Equal to Nuclear Strategy (IB Times) First and foremost, they allow data collection for intelligence and computer network attack purposes. Second, they can be employed to constrain an adversary's actions or slow response time…Despite The Pentagon's accusations against China, as
U.K. Weighs Military-Spending Shift (Wall Street Journal) Britain's defense ministry is weighing whether to outsource the purchase and servicing of all the military equipment used by its armed forces, a bid to save costs that would be a first by a Western government
Stimson Center: DoD Could Trim $1 Trillion Without Eroding Combat Power (Defense News) The Pentagon could save double the amount of cuts mandated under sequestration and avoid eroding its combat power, says a report released Monday
Defense Agency Will Use Sequester, Other Cuts To Make Big Changes (GovExec) The Defense Logistics Agency is using the current budget environment to its advantage, leveraging the culture of cuts into transformative changes at the Pentagon's logistics arm
Pentagon furloughs planned at 11 days (Politico) Defense Secretary Chuck Hagel plans to announce Tuesday the Pentagon will furlough about 800,000 civilian employees to pay for budget cuts under sequestration, but for just 11 days, not 14 as previously contemplated, a senior Defense official told POLITICO
Still No Word On Defense Furloughs (GovExec) The Defense Department had not announced a final decision on departmentwide furloughs by late afternoon Monday, as the Navy pushed to exempt shipyard workers from any involuntary unpaid leave
2014 Budget Request: DoD IT and DISA (FierceGovernmentIT) The Defense Department's fiscal 2014 budget proposal includes $39.6 billion for information technology, shows an overview from the departmental office of the chief information officer released earlier this month
BlackBerry Coup at US Department of Defense (ZimEye) The US Department of Defense (DOD) has given the nod for the use of BlackBerry devices on the DOD network
Bloomberg admits surveillance of executives' terminals (FierceFinance) In the early days of Bloomberg, when the company was fighting a guerilla war to colonize desktops across the industry, the power and sheer technical wizardry of the terminals were new and unique. People loved them. In this networked era, the rising power of all those now-ubiquitous terminals has given rise to a new concern: do the terminals allow Bloomberg to essentially spy on users
AhnLab brings anti-North Korean hacker APT services to UK (V3) Korean security vendor AhnLab has announced plans to spearhead its expansion into the Western market with a new UK office
Birmingham start up combats cyber attacks against businesses (WBRC) Gary Warner, a cyber attack analyst at UAB will be working with the company. Warner says each day there are thousands of spam attacks on businesses trying to get information about your bank account. "The important thing to understand is if your company
Northrop Grumman Joins Department of Homeland Security Program to Bolster Cyber Protections for U.S. Critical Infrastructure (Sacramento Bee) Northrop Grumman Corporation (NYSE: NOC) has signed a memorandum of agreement with the Department of Homeland Security (DHS) that will enable the expansion of cybersecurity protections for the nation's critical infrastructure. Northrop Grumman is now starting the security accreditation process which is required before approval to operate as a commercial services provider under the DHS Enhanced Cybersecurity Services (ECS) program
Lancope Joins Cloud Security Alliance To Help Protect Next-Generation Infrastructure (MarketWatch) Company to bring in-depth expertise in network visibility and security intelligence to organization
CRGT Inc. and Veritas Capital Honored at ACG National Capital 2013 Corporate Growth Awards Gala (Sacramento Bee) CRGT Inc. and Veritas Capital were recognized with the 2013 Corporate Growth Award for Private Equity Deal of the Year for their acquisition of the Federal Division of CIBER, Inc., by the National Capital Chapter of ACG (Association for Corporate Growth). The winners were announced at a black tie gala on April 18, 2013
This Taiwanese electronics manufacturer is challenging Foxconn's supremacy (Quartz) Cheap labor and a bevy of strong suppliers have been the hallmarks of success for Chinese electronics maker Foxconn. But lately, some of its disciples have been hopping the nearest strait to Taiwan, where a company called Pegatron will give up almost all of its profits in exchange for the privilege of manufacturing your next iPad Mini or Microsoft Surface
Should IT Security Be Professionalized? (Bank Info Security) Should the IT security field be professionalized? It's not such an easy question to answer, says Ronald Sanders, the former human capital officer at the U.S. Office of the Director of National Intelligence. Sanders, a vice president at the business consultancy Booz Allen Hamilton, is a member of a National Academy of Sciences panel that's exploring the ramifications of professionalizing IT security practitioners
Cyber Command Inspires New CBS Series (Patch.com) They've done shows based on police departments, crime scene investigation units, the FBI and Navy detectives. Now television producers are using U.S. Cyber Command as inspiration. The network CBS announced that it will have a new show this fall
Products, Services, and Solutions
Sophos Rolls Out New Unified Threat Management Connected (Dark Reading) Sophos today announced the availability of Sophos UTM Connected, the latest version of its award-winning UTM (unified threat management solution). This release introduces expanded UTM managed endpoint protection with unique Web in Endpoint functionality, broader wireless coverage for large scale wireless deployments and higher performance networking
RSA Offers Blueprint To Help Secure The Borderless Enterprise (Dark Reading) RSA, The Security Division of EMC™ (NYSE: EMC), today released a new RSA™ Technology Brief urging IT organizations to modernize their thinking and approach toward Identity and Access Management (IAM). In the Brief, "Adaptive IAM: Defending the Borderless Enterprise," RSA outlines why IAM systems are on the front lines of defense against cyber attacks and how traditional solutions must be reinvented to keep up with the demands of the enterprise and the reality of today's threat environment
Cyber Security Startup Lucent Sky's CLEAR Makes Securing Web Sites A Breeze (TechCrunch) One of the most nervewracking and tedious parts of developing a Web site is making sure that it is safe from data theft and other security breaches. Taipei-based startup Lucent Sky's mission is to make cyber security easier for developers. The company says its software CLEAR is the first commercially available program for automatic application vulnerability mitigation
HBGary Addresses Malware With Next-Gen Release Of Responder Pro (Dark Reading) Responder™ Pro is the de facto industry standard Windows™ physical memory and automated malware analysis solution. Malware delivery and rootkit
TELEHOUSE America and Seccuris Form Strategic Alliance to Offer Cloud Security Services (Wall Street Journal) TELEHOUSE America and Seccuris Form Strategic Alliance to Offer Cloud Security Services. Partnership Provides TELEHOUSE America Customers With Access to Seccuris' OneStone Cloud Security Service
Lookout will intercept privacy-invading mobile ad networks, apps (PCWorld) According to a study released by Bitdefender in March, the number of adware apps for Android devices increased by 61 percent during a five-month period ending in January. In the U.S. in particular, the number of adware apps increased by 35 percent
Technologies, Techniques, and Standards
Use A Human Trust Model For Endpoints (Dark Reading) Use anthropomorphic references to engage your brain and strengthen your approach to security. Have you ever used a feminine pronoun when talking about a boat? What about a computer program? Have you ever resented your computer after you felt it "intended" to lose your work? (I will refrain from linking to a YouTube video showing someone beating their office computer.) People endowing inanimate objects with human characteristics is commonplace today. I believe it's also a useful approach when dealing with security design, controls, and analysis. Just as analogies and metaphors aid in helping the brain process new information, thinking of your endpoints as having human intentions (regardless of whether a real one is there at the moment) is also a very useful aid because it engages the two ancient almond-shaped regions of your brain called the amygdala
Is Application Sandboxing The Next Endpoint Security Must-Have? (Dark Reading) Virtualized containers expected to catch on in the enterprise, but the technology has its weaknesses, too. With the onslaught of zero-day attacks continuing to increase the barrage of unanswered threats against endpoints, there's a growing contingent of security advocates championing the addition of a virtualized container layer in the endpoint security mix. Analyst predictions are rosy for the virtual containerization market to grow as a security niche and enterprises are certainly clamoring for a way to help them beat the signature-defense hamster wheel
3 Big Mistakes In Incident Response (Dark Reading) The incident response specialist investigating a recent breach of a government services firm was convinced the attack he was investigating was the handiwork of a group of Chinese hackers. The type of malware he found was commonly associated with that group of attackers, so he concentrated his efforts on cleanup and analysis of the malware, ultimately missing the real danger: the attackers had abandoned the malware and had since commandeered the victim company's administrative tools
Is your laptop still unencrypted? Perhaps 7 seconds of CCTV might change your mind (Naked Security) Here's a video that might make you think twice about taking your laptop out into the world unencrypted. This is "data theft" in the most literal sense
So what passwords are those ssh scanners trying? (Internet Storm Center) If you run an ssh server (especially if you still run it on the default port), you've no doubt had plenty of folks scan your machine and do password guessing attacks against it. BTW, you'll never get in mine that way, I only allow public/private key authentication, but that is beside the point here. I've done a couple of other reports analyzing passwords, and I really like pipal by Robin Wood for much of the analysis (you can grab it from here). I've been running a kippo ssh honeypot for the
Why $45M in Stolen Cash Still Won't Get Rid of Hackable ATM Cards (Wired) When eight thieves allegedly withdrew nearly $3 million from New York City ATMs in less than a day, the hard part wasn't finding an ATM card. By the time the astonishing heist was under way, the difficult work of hacking prepaid debit card accounts and stripping the withdrawal limits was long done. After that, coding the magnetic stripes on the backs of plastic cards with the hacked account numbers was no big deal. Brooklyn U.S. Attorney Loretta Lynch said conspirators in the global scheme, which netted $45 million from ATMs around the world, were able to use gift cards, old hotel keys, expired credit cards--anything with a magnetic stripe on the back
Can mobile devices be more secure than PCs? (Help Net Security) Mobile devices continue to fight an inaccurate perception that they're not as secure as traditional PCs. Entrust believes that mobile devices, when properly managed and protected, can be a highly secure platform for digital identities and online transactions
Former DuPont Security Chief: Safeguarding Data Is A Daily Struggle (CRN) Two-factor authentication and tighter controls around intellectual property are the only ways to safeguard a company's critical assets, according to a longtime security expert
Biometrics: A new intelligence discipline (Defense News) That's the telltale record most commonly left behind by bomb-makers and thieves. The databases of fingerprints are vast: The FBI has 110 million fingerprint records; the Defense Department, 9.5 million; and the Department of Homeland Security, 156 million
Your Business Is Never Too Small For A Cyber Attack, Here's How To Protect Yourself (Forbes) Roughly 60% of small businesses close within six months of a cyber attack. The fact is, if you're in business, you're a target. If you're on the Internet, you're already under attack. Companies today face what's known as an advanced persistent threat
Design and Innovation
From STEM to STEAM: A Carnival Ride Into Engineering (IEEE Spectrum) Lots of folks have been trying for years to figure out how to get today's kids interested in Science, Technology, Engineering, and Math (STEM) careers. A pair of serial entrepreneurs--Brent Bushnell, profiled in Spectrum's 2012 Dream Jobs Special Report, and Eric Gradman, whose latest venture is Two-Bit Circus--think efforts so far have been missing something--art. So they're mixing in art with engineering to create a new acronym, STEAM, and a new venture, the STEAM Carnival
Facebook's first funder just backed TransferWise, a startup that's like an ancient Islamic money transfer system (Quartz) Peter Thiel is known for his canny investments. He was the first outside investor in Facebook, and look how that turned out. So it is cause for excitement in British tech circles that the first European investment by Thiel's Valar Ventures is in TransferWise, a London-based start-up that hopes to do for remittances what Skype did to long-distance dialling. That analogy is particularly apt because Taavet Hinrikus, a co-founder, was an early Skype employee. And Thiel knows his way around online money transfers; he co-founded PayPal
Research and Development
It's official: Password strength meters aren't security theater (Ars Technica) Does your password go up to 11? Probably not. But one day it could. If you've ever been nagged about the weakness of your password while changing account credentials on Google, Facebook, or any number of other sites, you may have wondered: do these things actually make people choose stronger passcodes? A team of scientists has concluded that the meters do work--or at least they have the potential to do so, assuming they're set up correctly
D-Wave's quantum optimizer pitted against traditional computers (Ars Technica) D-Wave generally comes out on top, but there are some mixed results. Back in 2007, a company called D-Wave made waves by claiming it had built a 16-bit quantum computer at a time when most academic labs could only manage a handful of bits. What they demonstrated, however, wasn't a quantum computer in the sense that most people use the term. The company has since started calling its device a "quantum optimizer." Although it's not a general-purpose quantum computer, the hardware does seem to be capable of tackling some computationally hard challenges
SAC receives security designation from Homeland Security (San Antonio Business Journal ) San Antonio College has been designated as a National Center of Academic Excellence in Information Assurance by the National Security Agency and the Department of Homeland Security. The designation for 2-year academic institutions covers the years
Legislation, Policy, and Regulation
For a supposedly tech-savvy country, India has some worryingly weird ideas about the internet (Quartz) This week in wonky internet news from India, the Delhi High Court asked the government why children--defined as anyone under the age of 18--were allowed to open accounts on social networking sites. The court was responding to a petition filed last year by KN Govindacharya, a 70-year-old former politician
Integrated Intelligence Center helps governments address physical, cyber security (Security Director News) How clear are the boundaries separating physical and cyber security in 2013? According to Rich Licht, executive director for the Integrated Intelligence Center (IIC), not very clear at all. "I think there's very little distinction anymore because so much of what happens in the physical world has a cyber connection," Licht says. "Any compromise to computers controlling dams, power grids, water supplies, telecommunications centers will have a physical consequence"
New Zealand spotlights cyber-security reforms at FutureGov Forum (Futuregov) New Zealand's Department of Prime Minister and Cabinet is leading the charge on cyber-security reforms with a raft of data protection strategies currently being rolled out by this peak agency. Details about this strategy and the next steps to reforms are being shared by Paul Ash, the department's manager for national cyber-security policy. Paul Ash delivers a keynote address at the industry's flagship FutureGov Forum New Zealand being held Tuesday 28th May in Wellington
Tough Times at Homeland Security (New York Times) A new wave of cyberattacks is hitting American companies at a particularly vulnerable time for the Department of Homeland Security, the federal agency charged with fending them off. That is because the department has been grappling with the departures of its top cybersecurity officials. In the last four months, Jane Holl Lute, the agency's deputy secretary; Mark Weatherford, the top cybersecurity official; Michael Locatis, the assistant secretary for cybersecurity; and Richard Spires, the chief information officer, have all resigned
After Hackers Pwn Twitter, New York State Beefs Up Its Cyber Security (Village Voice) The report turned out to be erroneous--it was just a state contractor doing some work while on vacation in Russia and Germany--but briefly caused a panic that reached the FBI and Department of Homeland Security…In New York's case, the advisory
Patient ID with the swipe of a license? (FierceHealthIT) Headed to the doctor's office in Texas? Soon, you may be able to bring only your driver's license. A bill proposed in the Texas state Senate calls for providers to be able to swipe licenses electronically to obtain patient information
Litigation, Investigation, and Law Enforcement
Hacker Andrew Auernheimer Placed In Solitary Confinement For Tweeting From Prison (TechCrunch) Andrew "Weev" Auernheimer has been placed in "administrative segregation," prison shorthand for solitary confinement for "investigative purposes." Supporters believe he was locked down and given no Internet access because of his ability to send Tweets to a third party who relayed them on his private account. Auernheimer has not sent electronic messages since April 8
'Food porn' Instagram photo of fancy steak/mac and cheese dinner leads IRS to identity thieves (Naked Security) Identity thieves can't help but brag about all the food they consume with the money they're stealing…Too bad their smarts aren't as big as their appetite
Obama Administration Secretly Obtains Phone Records of AP Journalists (Wired) The Department of Justice secretly obtained phone records for reporters and editors who work for the Associated Press news agency, including records for the home phones and cell phones of individual journalists, apparently in an effort to uncover a leak
Government admits seizing two months of AP phone records (The Register) The Associated Press reports that government investigators seized two months' worth of telephone records from its staff last year and hid that fact until now. "There can be no possible justification for such an overbroad collection of the telephone communications of The Associated Press and its reporters," said CEO Gary Pruitt in a letter sent to Attorney General Eric Holder
Victim fell prey to 'phishing' scam and lost £1 Million to fraudsters (E Hacking News) This is another incident that reveals why you should be careful on the Internet. A British woman fell prey to a phishing scam and lost her £1 million life savings. The victim unwittingly handed over her personal details to fraudsters after receiving a bogus bank notification email. Tamer Abdelhamid, the fraudster who stole the personal data, then sold the info to Nigerian national Rilwan Oshodi. A 26-year-old woman from Sierra Leone used the data to change the bank details by pretending to be the
Canada's Montfort Hospital Sued for $40 Million Over Data Breach (eSecurity Planet) The Toronto Sun reports that Ottawa's Montfort Hospital is being sued for $40 million by a group of patients whose personal data was exposed in a recent security breach (h/t PHIprivacy.net). An unencrypted USB drive was lost late last year that contained more than 25,000 patients' names, summary data on services provided, dates of service, and health service provider codes. The lawsuit accuses the Montfort Hospital of breach of contract, breach of privacy, and violating its own bylaws and Ontario's
UK taxmen, police and spies look at Bitcoin threat (Financial Times) Bitcoin has come on to the radar of the UK government, with officials gathering in London on Monday to discuss the security threats and tax concerns posed by the digital currency. About 50 civil servants from HM Revenue & Customs, the Serious Organised Crime Agency, the Home Office and GCHQ, the intelligence listening service, held a one-day conference which examined how Bitcoin works and how criminals might seek to exploit the electronic cash system, which is currently unregulated by any financial
Police unable to decrypt iPhones, ask Apple to do it (Help Net Security) Court documents from a drug trial in Kentucky have revealed that neither the U.S. federal Bureau of Alcohol, Tobacco, Firearms and Explosives nor any other U.S. local, state, or federal law enforcement agency is able to break the hardware encryption on an iPhone 4S device or higher, so they have resorted to asking Apple to do it for them
Kotarski: The snoop factor is shocking (Calgary Herald) In October 2008, a 39-year-old former U.S. navy linguist who worked at a National Security Agency (NSA) centre in Georgia went on ABC News and blew the whistle on himself and his fellow NSA operators for listening in on the private conversations of hundreds of American aid workers and soldiers calling home to the United States from Iraq
FBI says more cooperation with banks key to probe of cyber attack (The Economic Times) The FBI last month gave temporary security clearances to scores of US bank executives to brief them on the investigation into the cyber attacks that have repeatedly disrupted online banking websites for most of a year. Bank security officers and others were brought to more than 40 field offices around the country to join a classified video conference on "who was behind the keyboards," Federal Bureau of Investigation Executive Assistant Director Richard McFeely told the Reuters Cybersecurity Summit on Monday
FEMA privacy practices need improvement, find auditors (FierceGovernmentIT) The Federal Emergency Management Agency initially believed it possessed 430 unauthorized information technology systems after declaring a two-week amnesty in March 2012 for their owners to come forward and report them
Gang arrested for Rolex rampage using pwned Amex Black card (CSO) Five men have been arrested by British police after allegedly going on an extravagant £500,000 ($775,000) spending spree using a compromised American Express Black card. It's unusual for the Police Central e-Crime Unit (PCeU) to release details of crimes involving only a single victim but this must have stood out as an unusually targeted attack
For a complete running list of events, please visit the Event Tracker.
GovSec (Washington, DC, USA, May 13 - 15, 2013) GovSec is the nation's premier event for Government, Homeland Security, and Law Enforcement professionals looking for proven strategies and cost effective technology so they can achieve their mission of protecting our communities, critical infrastructures, and key assets. The conference includes sessions devoted to cyber security.
cybergamut Technical Tuesday: Identifying TLS/SSL Encrypted Network Exploitation Activity Using Traffic Externals (Columbia, Maryland, USA, May 14, 2013) Jeff Kuhn of CACI describes recently completed CACI research using adaptive data analytics to distinguish encrypted exploitation activity from legitimate network traffic based on traffic externals in a real world environment.
Thriving in the Post-Sequestration GovCon Era (McLean, Virginia, USA, May 14, 2013) The Potomac Officers Club is hosting a summit for GovCon executives and government leaders to collaborate and share ideas on how to navigate a new era involving sequestration. At least five speakers, each an expert in the intersection between the public and private sectors, will discuss what is to come after the automatic budget cuts known as sequestration dissipate. Confirmed speakers include: Frank Kendall (Defense Undersecretary for Acquisition, Technology and Logistics), Robert Hale (Defense Department Comptroller), Jim McAleese (founder of McAleese & Associates), Pierre Chao (managing partner and co-founder of Renaissance Strategic Advisors), and Stephen Fuller (George Mason University professor and director at the Center for Regional Analysis).
Second Maryland Cybersecurity Center Symposium (MC2) (College Park, Maryland, USA, May 14 - 15, 2013) Drawing on regional experts of national and international acclaim, MC2's second Annual Cybersecurity Symposium will showcase the latest research, trends, and topics in cybersecurity, including: keynote addresses by Dr. Fred Schneider, Randy Sabett, Dr. Kathleen Fisher and Dr. Steve Bellovin; tutorials by MC2 faculty and corporate partners; and Tech Talks by MC2 faculty. The MC2 Symposium program will broaden your knowledge, skillset, and awareness of cybersecurity problems and directions, and the event is sure to present unique opportunities to connect with colleagues across academia, industry, and the state and federal government.
FOSE (Washington, DC, May 14 - 16, 2013) FOSE is the premier event for government technology professionals interested in innovative, effective tools and solutions allowing you and your agency or organization to advance your mission. From IT managers and buyers to CIOs and other technology management professionals, FOSE has the right products, people and solutions for you in one very accessible location.
7th Annual INSA IC Industry Day (Springfield, Virginia, USA, May 15, 2013) This annual event is held at the TS/SCI level in cooperation with ODNI as a comprehensive forum for IC leaders to relate their budget priorities to industry. The theme of this year's IC industry day is Intelligence Program Priorities in a Budget Constrained Environment and will feature keynote addresses from DNI James Clapper, Dr. Roger Mason, ODNI, and Letitia Long, Director, NGA. Registration opens Wednesday, March 27.
Hack Miami (Miami, Florida, USA, May 17 - 19, 2013) The HackMiami 2013 Hackers Conference seeks to bring together the brightest minds within the information security industry and the digital underground. This conference will showcase cutting edge tools, techniques, and methodologies that are at the forefront of the global threatscape.
CEIC 2013 (Orlando, Florida, USA, May 19 - 22, 2013) The largest digital-investigations conference of its kind and the only one to offer hands-on lab sessions for practical skills development. CEIC offers relevant and practical information from expert speakers. It will be of interest to anyone interested in cyber forensics and e-discovery. Former Director of Central Intelligence Michael Hayden will deliver the keynote.
IEEE Symposium on Security and Privacy (San Francisco, California, USA, May 19 - 22, 2013) Since 1980, the IEEE Symposium on Security and Privacy has been the premier forum for the presentation of developments in computer security and electronic privacy, and for bringing together researchers and practitioners in the field. Papers offer novel research contributions in any aspect of computer security or electronic privacy. Papers may represent advances in the theory, design, implementation, analysis, or empirical evaluation of secure systems, either for general use or for specific application domains. (Co-located with the IWCC and Web 2.0 Security and Privacy.)
U.S. Department of State Mobile Computing Forum (Washington, DC, USA, May 23, 2013) The U.S. Department of State's Bureau of Information Resource Management will host an educational forum and IT Expo, themed "Mobile Computing," reflecting their mission to empower diplomacy, consular services and development, by providing access to information and technology solutions anytime and anywhere. The U.S. Department of State has over 69,000 users worldwide at 285 posts with approximately 40,000 remote access users! Small businesses and prime contractors with products and services in Mobile Computing are invited to share information about their companies.
International Workshop on Cyber Crime (IWCC) (San Francisco, California, USA, May 24, 2013) The aim of this workshop is to bring together the research accomplishments of researchers from academia and industry. The other goal is to show the latest research results in the field of digital forensics and to present the development of tools and techniques which assist the investigation of potentially illegal cyber activity. We encourage prospective authors to submit distinguished research papers on both theoretical approaches and practical case reviews. (Co-located with the IEEE Symposium on Security and Privacy.)
Web 2.0 Security and Privacy (San Francisco, California, USA, May 24, 2013) The goal of this one-day workshop is to bring together researchers and practitioners from academia and industry to focus on understanding Web 2.0 security and privacy issues, and to establish new collaborations in these areas. (Co-located with the IEEE Symposium on Security and Privacy.)
Maryland/DC Celebration of International Trade (Linthicum, Maryland, USA, May 21, 2013) Join Maryland exporters and international business experts as they celebrate International Trade Week. Hosted by the Maryland/DC District Export Council, this event is a content-rich celebration of international trade. Participate in expert discussions led by manufacturers, legal, financial, transportation and industry experts as well as government leaders in eight vertical tracks for a total of 24 highly interactive 90-minute sessions.
IEEE-Cyber 2013 (Nanjing, China, May 26 - 29, 2013) This conference will cover cyber physical systems, cyber control and automation, cyber robotics, and the Internet of things.
Cyber Security @ CeBIT (Sydney, New South Wales, Australia, May 28 - 30, 2013) The Cyber Security Conference will serve as a platform where all those involved in securing and governing ICT within an organisation can discuss the newest challenges and strategies. The event is a must-attend for CIOs, CSOs, CISOs, Chief Risk Officers, Heads of Governance and Compliance and IT Directors. It is predicted that security service spending in Asia-Pacific will reach $7 billion in 2015, so ensure that you are investing in the best technologies for your business by joining us at the Cyber Security Conference on 28 May 2013 and hearing from leading financial institutions, retailers, airlines, telecoms companies and government.
Private Sector Crossovers: Protecting People, Property and Information (May 29, 2013) With its annual cyber conference on May 29, the Howard County Chamber of Commerce and its GovConnects initiative will offer expert speakers on cyber security and efforts to protect government agencies and private industry. There will be opportunities for informal networking and formal, targeted match-ups for businesses interested in making connections with government contractors and agencies.
Cyber Security for the Chemical Industry (Frankfurt, Hessen, Germany, May 29 - 30, 2013) It is more important than ever to be aware of the latest cyber threats, and to be equipped to protect your company from them. In addition to physical security, these industries are faced with the ever-increasing risk of cyber attacks on their DCS and SCADA infrastructure networks as well as their R&D networks. These attacks can have a costly effect not only on profits, but also on corporate reputation.
DGI Cyber Security Conference & Expo (Washington, DC, USA, May 30, 2013) Data security threats continue to increase in number and sophistication. The growing use of collaborative technologies - from mobile devices and social media to virtualization and cloud computing - will continue to be one of the most significant factors impacting the security landscape. For these reasons, the federal government has increased efforts to minimize and prevent cyber security attacks, and will continue to place significant focus on securing the nation's cyber infrastructure.