The CyberWire Daily Briefing 07.28.14
Cyber operations in Israel and the Palestinian Territories have become relatively quiet recently (reports of Anonymous-led #OpSaveGaza browser performance degradation aside) but Israeli security agencies prepare for a post-Ramadan surge in attacks.
The pro-Russian (probably Russian controlled) CyberBerkut gang publishes what it claims are internal emails from a colonel assigned to Ukraine's Ministry of Defense. Their content renders them implausible, particularly given recent Ukrainian advances into insurgent territory. Twitter blocks access to @b0ltai, a persistent burr under the Russian government's saddle. MH17 scams proliferate.
"Anonymous Kenya," which Kenyan authorities call an Indonesian hacktivist group, hijacks Kenyan military Twitter accounts to criticize Kenyan operations against Somali pirates and jihadists.
Attacks on Indian firms cause observers to question the state of that country's cyber preparedness.
Android apps pose security risks, with as many as one in ten thought to be malicious. Trend Micro believes it understands the flaws in Android's security model.
Google bots and other Internet scanning activity concern security researchers.
More research on the threat of network steganography is out.
Ransomware advances in sophistication, and its criminal business models co-evolve with the technology.
A new criminal service offers to drain your competitors' Google AdWords budgets.
Security workarounds for TAILS are announced, but a full patch remains aspirational. Journalists and other TAILS users consider what the threat to anonymity means for them.
Key industries receive cyber security grades.
The Aspen Security Forum displays much current US thought on cyber security.
China calls for international cyber cooperation as it raids Microsoft offices.
Today's issue includes events affecting Australia, Canada, China, European Union, Germany, India, Indonesia, Israel, Italy, Kenya, Latvia, Palestinian Territories, Poland, Russia, Spain, Ukraine, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Israel to intensify cyber security as end of Ramadan approaches (Jerusalem Post) IDF, Shin Bet preparing to deal with activities of hackers from around the Muslim world, Gaza Strip in coming days
No sign of Anonymous cyber attack on Israel Friday (USA Today) The hacking group Anonymous said it planned to launch a concerted attack against Israel on Friday, but as night fell little had happened
Israeli watchdog confirms recent cyber attacks have badly affected the Internet browsing (HackRead) Anonymous hackers along with other elite hackers from around the world have been attacking Israeli cyber space for ages, but since the beginning of Israeli attacks on Gaza there has been a massive increase in such attacks under the banner of #OpSaveGaza. This has been accepted by Israeli based newspaper Haaretz and Israeli homeland security website itself
Hackers claim to leak Ukrainian Ministry of Defense emails (HackRead) Hackers from Cyber Berkut group are claiming to hack and leak personal emails belonging to Colonel V.M. Pushenko. of the Ukrainian Ministry of Defense
Officer who leaked information to Russian special services found in ATO headquarters (Kyiv Post) The Ukrainian security services have found in the headquarters of the anti-terrorist operation (ATO) an officer who passed secret information on the holding of the operation in the Donbas to Russian special services, Deputy Secretary of the National Security and Defense Council Mykhailo Koval has said
Twitter "Blocks" Access to Russia's Most Infamous Hackers (Global Voices) Russia's Twitter users no longer have access to @b0ltai, an account belonging to a hacker collective that has leaked several internal Kremlin documents to the Internet over the past seven months. The hacker group, which RuNet Echo profiled last month, has published stolen emails belonging to high-profile members of the Russian government, inside reports on the state of Russian politics, and the Kremlin's instructions to state-controlled TV news channels
Cybercriminals Exploiting Malaysia Airlines Flight MH17 Tragedy (SecurityWeek) The crash of the Malaysia Airlines flight MH17 in eastern Ukraine on June 17 continues to make headlines, making it a perfect event for cybercriminals to leverage in their malicious campaigns
'Anonymous Kenya' group hacks government Twitter accounts (CSO) Kenyan officials say government sites hit by Indonesian hacker. Hack calls government security preparedness into question
Indian Firms Hit by Fresh Wave of APT Attacks (Infosecurity Magazine) Spearphishers use geopolitical content to trick users into opening malicious attachments
An IT emperor with no clothes, India lays bare to cyber attacks (Times of India) Ironically for a country that is seen as an IT superpower, India is stunningly vulnerable to cyber attacks. Our approach to the exponential growth of cyber crime and warfare is marked by ignorance and nonchalance. This has to change quickly to avoid catastrophe
Almost 1 in 10 Android apps are now malware (Help Net Security) Cheetah Mobile Threat Research Labs analyzed trends in mobile viruses for Q1 and Q2 of 2014. Pulling 24.4 million sample files they found that 2.2 million files had viruses, roughly 9% of the total. Compared to previous years, this is a 153% increase from the number of infected files in 2013
Open Socket Poses Risks To Android Security Model (TrendLabs Security Intelligence Blog) The security of the Android platform is based on its sandbox and permission protection mechanism, which isolates each app and restricts how processes can communicate with each other. However, because it is designed to be open to include other open source projects like Linux and OpenSSL, it can inherit many features as well as vulnerabilities
Criminals ride Google coattails in DDoS attacks (CSO) Cybercriminals are pretending to be Google web crawlers in launching distributed denial of service attacks against websites
"Internet scanning project" scans (Internet Storm Center) A reader, Greg, wrote in with a query on another internet scanning project. He checked out the IP address and it leads to a web site, [redacted], which states: "Hello! You've reached the Internet Scanning Project"
'Masquerading': New Wire Fraud Scheme (BankInfoSecurity) A new impersonation scheme is taking aim at business executives to perpetuate ACH and wire fraud, says Bank of the West's David Pollino, who explains steps institutions should take now to protect their customers
This Emerging Malware Sends Secret Messages and is Practically Impossible to Detect (Nextgov) As if computer malware that steals your data weren't enough, now there's a new kind to worry about: Malware that does it via covert messages that are practically impossible to detect. And it's becoming more prevalent, according to a new paper by researchers at the Warsaw University of Technology, the National Research Council of Italy, and Fraunhofer FKIE, a private information security research institute
Hidden and Uncontrolled — On the Emergence of Network Steganographic Threats (Arvix) Network steganography is the art of hiding secret information within innocent network transmissions. Recent findings indicate that novel malware is increasingly using network steganography. Similarly, other malicious activities can profit from network steganography, such as data leakage or the exchange of pedophile data. This paper provides an introduction to network steganography and highlights its potential application for harmful purposes
Andromeda bot spreads Tor-using CTB-Locker ransomware (SC Magazine) Last week a security researcher posted that the Angler Exploit Kit was delivering new ransomware advertised as CTB-Locker — now researchers with Kaspersky Lab have identified the Tor-using threat being spread by another malware known as Andromeda bot
New type of ransomware bucks established trends (Help Net Security) Ransomware is now one of the fastest growing classes of malicious software, says Kaspersky Lab researcher Fedor Sinitsyn. This should not comes as a surprise, when we know that 35 percent of those who get infected by it end up paying the ransom
Critroni — Newest Addition to Encrypting Ransomware (Webroot Threat Blog) In my last blog post about a week ago, I talked about how Cryptolocker and the like are not dead and we will continue to see more of them in action. It's a successful "business model" and I don't see it going away anytime soon. Not even a few days after my post a new encrypting ransomware emerged. This one even targets Russians! Presenting Critroni. This newest edition of encrypting ransomware uses the same tactics of contemporary variants including: paying through anonymous tor, using Bitcoin as the currency, changing the background, dropping instructions in common directories on how to pay the scam
New backdoor 'Baccamun' spreads through ActiveX exploit (SC Magazine) Attackers using a newly discovered backdoor program, called "Baccamun," are spreading the malware via an ActiveX exploit, researchers revealed
Hackers exploiting Internet Explorer to expose security flaws on a huge scale (Guardian) Exploits can expose software and security systems, researchers warn, helping hackers attack remote machines undetected
Service Drains Competitors' Online Ad Budget (Krebs on Security) The longer one lurks in the Internet underground, the more difficult it becomes to ignore the harsh reality that for nearly every legitimate online business there is a cybercrime-oriented anti-business. Case in point: Today's post looks at a popular service that helps crooked online marketers exhaust the Google AdWords budgets of their competitors
10 new social media scams to watch out for (CSO) Scams on social networks are nothing new, but they're constantly changing to keep up with and take advantage of the latest apps, trends, and news. Here are some of the most recent scams that are making the rounds
Anatomy of an iTunes phish — tips to avoid getting caught out (Naked Security) Do you know how to ride a bicycle? It's easy, isn't it? But do you remember how hard it turned out to be when you first tried?
Beware of Wi-Fi when using E-tax: Bitdefender (ARN) Security vendor recommends online vigilance during busy tax submission period
9 New Ways You Can Be Hacked (Fox Business) Do you know all the ways you can be hacked? My guess is you don't
Real hacks of critical infrastructure are occurring — information sharing is not working (Control Global) I gave a presentation on ICS cyber security at Cyber Endeavor 2014 at the Naval PostGraduate School and discussed both Aurora and Project Shine. Aurora is a PHYSICAL gap in protection of the electric grid that with the exception of very few utilities, is not being mitigated. Project Shine identifies control systems and control system devices directly connected to the Internet. The DOE representative at Cyber Endeavor stated that many of the control system devices found by Project Shine were just garage door openers and utilities were doing a good job on Aurora
The Top 5 Most Brutal Cyber Attacks Of 2014 So Far (Forbes) In 2014, cyber attacks and data breaches don't look like they're going to slow down. We've seen high-end data breaches of large companies, with data, personal records and financial information stolen and sold on the black market in a matter of days
Security Patches, Mitigations, and Software Updates
TAILS Team Recommends Workarounds for Flaw in I2P (Threatpost) The developers of the TAILS operating system say that users can mitigate the severity of the critical vulnerability researchers discovered in the I2P software that's bundled with TAILS with a couple of workarounds, but there is no patch for the bug yet
Siemens Patches Five Vulnerabilities in Simatic System (Threatpost) Siemens released an update for two builds of its SIMATIC automation system this week, addressing a quintet of vulnerabilities, four of which are remotely exploitable
Firefox adds anti-malware file reputation service (ZDNet) Firefox has blocked known phishing and malware sites for some time. Now it will check reputation on individual files and soon use file signatures
Cybersecurity Grades Released for Key Industries (IT Business Edge) Traditionally, the complex world of cybersecurity has been left solely to information security professionals to defend the organization's sensitive information and systems. But the recent spate of high profile data breaches and warnings from regulators has caught the attention of C-level executives and board members. Cybersecurity is no longer just a technical issue as a breach can have a major impact on the viability of an organization — loss of brand reputation, jobs, customers and partners, and most importantly a negative impact on the bottom line
Global Survey: NSA, Retail Breaches Influenced Corporate Security Strategies the Most (Fort Mill Times) The majority of organizations cite privileged account takeover as the most difficult stage of an attack to detect, respond and remediate
BYOD Programs Leave Several Security Holes Open (eWeek) Just 21 percent of more than 1,100 IT security practitioners said their organizations have fully implemented BYOD policies, processes and infrastructure, according to a Vectra survey
IoT Security the New Solution Vertical, Drives Faster Adoption of M2M (PCC) With more equipments and consumer appliances catching up with the Internet of Things (IoT) and becoming M2M connected, complimentary technologies and solutions are also surfacing to complement and accelerate the development of the IoT and its adoption in industry and consumer segments
DOE learned cyber lessons 'the hard way' — deputy secretary (Energy Wire) Criminal hacking is the most "pervasive and ominous" threat facing the nation, Department of Energy Deputy Secretary Daniel Poneman said yesterday here as he recounted a spate of cyberattacks against federally funded national laboratories
Mobile security: A mother lode of new tools (Computerworld) Long, complex passwords that must be input on tiny screens, often while on the move: Such hassles make password-based security unworkable in a mobile world. But change is coming, thanks to an industrywide backlash that gave rise to a gold rush of new technologies
Cyber-Attacken in Deutschland (All About Security) Jedes fünfte Unternehmen konnte seine IT-Systeme aufgrund eines Angriffes für einen ganzen Arbeitstag nicht mehr betreiben
State security a challenge for global firms, says KPMG (ComputerWeekly) Global companies are being forced to pioneer international privacy standards as they face a growing number of government requests to access customer data, says consultancy KPMG
Microsoft exec: Snowden disclosures have hurt the American IT business (Aspen Daily News) As Edward Snowden's disclosures about the U.S. government's data-collection programs reverberate throughout the world, American information-technology companies have a tougher sales pitch to make to international clients, a Microsoft executive said Thursday at the Aspen Security Forum
Microsoft Exec Says Company Has Never Been Asked to Backdoor a Product (Threatpost) One of Microsoft's top security executives said the company has never been asked by the United States government to build a backdoor into any of its products, and if the company was asked, it would fight the order in the courts
The Geneva Contention: Silent Circle, KoolSpan and selling security abroad (Washington Business Journal) Silent Circle sells both mobile hardware and software to a global customer base, aimed at keeping its users' voice and data communications secure and private. So does KoolSpan
Israeli CyberSec Sector Copes with War (GovInfoSecurity) Providers deal with Hamas rocket attacks, Army call up
IDC MarketScape Names IBM a Leader in Worldwide Managed Security Services (MarketWatch) IBM (NYSE: IBM ) today announced that it has been named a leader in the new IDC MarketScape: Worldwide Managed Security Services 2014 Vendor Assessment
Researcher sat on critical IE bugs for THREE YEARS (The Register) VUPEN waited for Pwn2Own cash while IE's sandbox leaked
CYREN WebSecurity Service to be Offered by AvailaSoft in APAC Region (Jakarta Post) CYREN (NASDAQ: CYRN), a global provider of cloud-based security solutions, today announced it signed AvailaSoft as a CYREN WebSecurity distribution partner based inHong Kong
ArcSight Co-Founder Joins Threat Intelligence Startup (SecurityWeek) ThreatStream, a security startup that offers a SaaS-based cyber security intelligence platform, announced this week that Hugh Njemanze, former co-founder, CTO and executive vice president of research and development at ArcSight, has taken the role as chief executive officer
Products, Services, and Solutions
Avast vs AVG vs Microsoft Security Essentials — Top Free Antivirus Comparison (THe Fuse Joplin) Making sure that your computer is protected is an important part of your everyday work on your computer. You need to keep your PC safe from harm, especially if you are still running the old and outdated Windows XP operating system. There are many however, that use this old version of windows, mainly because of their computer's limitations and incapability towards upgrading to a fresher edition of Windows
Trustport Antivirus is Commendable But Needs More Advanced Features (Streetwise Tech) If you have used AVG and Bitdefender in your computer system, then Trustport is a combination of the two. According to various lab tests, it is good at identifying threats. While using an antivirus software that combines the best features of AVG and Bitdefender, Trustport still lacks advanced features that every computer system needs, which the best antivirus applications have and maintained their position at the top
General Dynamics Fidelis enhancing its XPS cyber-protection service (UPI) General Dynamics Fidelis has joined the Microsoft Active Protections Program to offer faster and more comprehensive defenses against cyber-attacks
AVG announces AVG Cleaner for Android (Voxy) AVG Technologies N.V. (NYSE: AVG), the online security company for 187 million active users, have announced the release of AVG Cleaner for Android 2.1 on the Google Play store. The refreshed app features enhanced battery life functionality and has been integrated into AVG Zen so customers can easily tune-up and check the performance status of their PC, Mac and mobile devices at any time, all from their PC or Android device
Securing Banking Apps (Mobile Enterprise) Customers Bancorp, Inc. has strengthened the security of its mobile banking application via Malauzai Software, a provider of mobile banking SmartApps for community financial institutions, and Trusteer, an IBM company
Technologies, Techniques, and Standards
DHS reaches out and touches the infrastructure cybersecurity circle (CA Technologies Blog) The Department of Homeland Security is raising awareness about the new National Institute of Standards Technology Framework. What will it take for organizations to adopt?
How the Recent Tails Operating System Vulnerability Affects Journalists and SecureDrop (Freedom of the Press Foundation) On Wednesday afternoon, vulnerability and exploit research firm Exodus Intelligence disclosed a security vulnerability that would allow an attacker to deanonymize a user of Tails, the operating system that many journalists rely on to communicate securely with sources and that we have written about before. Tails is also integral to SecureDrop, our open-source whistleblower submission system, so we wanted to clarify if and how the vulnerability affects users of this system
Until the Tails privacy tool is patched, here's how to stay safe (ComputerWorld) Patches are ready for IP2, the vulnerable component in Tails, but it's not clear when Tails will update
A new cyber exercise: Test your security team's incident response capabilities (Government Technology) The Michigan Cyber Civilian Corps, state and local government cyber analysts and the West Michigan Cyber Security Consortium participated in an attack-defend-respond tabletop exercise in a virtual city called Alphaville, which exists within the Michigan Cyber Range. Here's why it matters to a town near you
Panopticlick reveals the cookie you can't delete (Naked Security) Cookies are an essential part of the way the web works and occupy a pivotal position in the online privacy arms race. Organisations who want to track and profile people give them cookies and users who don't want to be tracked disable or delete them
Can a machine detect sarcasm? Yeah, right (InfoWorld) Applying analytics to social media? Good luck — not all words can be taken at face value. Natural language processing helps, but it's no panacea
Hackers only need to get it right once, we need to get it right every time (SC Magazine) Hackers only need to find one weak point to steal valuable information. On the flip side, you need to account for every possible vulnerability across your entire infrastructure. Doesn't seem fair, but it's the world we live in — we must band together, think like the bad guys and take action to protect what matters
Cyber Attacks Happen: Build Resilient Systems (InformationWeek) You can't stop all attacks or build the perfect defense system. The higher-level objective is resilience
The evolution of backup and disaster recovery (Help Net Security) In this interview, Amanda Strassle, IT Senior Director of Data Center Service Delivery at Seagate Technology, talks about enterprise backup issues, illustrates how the cloud shaping an IT department's approach to backup and disaster recovery, and much more
Preventing Corporate Account Takeover (BloombergTV) 41st Parameter & FBI Security Advisor Frank Abagnale, Jr., and 41st Parameter Founder Ori Eisen discuss corporate account takeovers, the growing number of cyber-security threats and how companies can secure their accounts
Noodling about IM protocols (A Few Thoughts on Cryptographic Engineering) The last couple of months have been a bit slow in the blogging department. It's hard to blog when there are exciting things going on. But also: I've been a bit blocked. I have two or three posts half-written, none of which I can quite get out the door
9 tips for communicating your BYOD policy (Help Net Security) If an IT department creates a BYOD policy and no one at the company knows about it, does it actually make an impact? I'll spare you the suspense — the answer is no
Passera (GitHub) A small tool to turn any entered passphrase into a strong secure password, allowing you to easily use different strong passwords for different websites without storing them
Wardriving with Kismet and WAPMap (Shortbus Ninja Security) I have written this Python script to parse .netxml files output by Kismet and then return a CSV file that can be uploaded to Google Mapping Engine. This will simplify war driving campaigns by allowing vulnerable networks (WEP or Open) to be easily mapped on Google Maps
Questions to ask vendors to gauge their commitment to “secure products” (Senki) What follows is something that has evolved over the years as a "check list" for the operator (and the vendor). This checklist can be used in RFPs or with any vendor. It can also be used as a conversation map with the existing vendors to shape the conversation. It will work with service providers, enterprise networks, industrial networks, etc. The checklist also provides a map for new vendors to help them know what customers would expect. Please provide feedback and questions. This checklist will be improved over time
Payment Card Data Theft: Tips For Small Business (Dark Reading) For small businesses looking to reduce their exposure to data theft the good news is the advantage of being small
Design and Innovation
Internet of Things: 4 Security Tips From The Military (Dark Reading) The military has been connecting mobile command posts, unmanned vehicles, and wearable computers for decades. It's time to take a page from their battle plan
How to implement a self-destruct feature into free trial software? (Ars Technica) A 14-day free trial is a nice idea but it has some practical problems
Here's what automakers have to gain from connecting cars to the internet (Quartz) Carmakers from Detroit to Seoul are talking up their efforts to build "connected cars" — cars with in-built mobile connectivity
When China stops copying Western tech giants is when they should start worrying (Quartz) Why do some of China's biggest tech companies engage in the sincerest form of flattery? This week Lei Jun, the chief executive of Xiaomi — recently rebranded internationally as Mi — stood on stage in a black T-shirt and jeans and announced a new smartphone with a notable resemblance to the iPhone in front of a slide that said "one more thing"
If you want to be rich and powerful, majoring in STEM is a good place to start (Quartz) The standard narrative today is that science, technology, mathematics, and engineering (STEM) education is important because we need more data scientists, engineers, and STEM professionals. But promoting STEM education is critical for another reason: it teaches creative problem solving, which is widely applicable and more necessary than ever today. STEM education is linked to success not only in STEM fields, but in many other disciplines and even among many of the world's most wealthy and powerful people
Calling all cybersecurity pros: The NSA wants you. (US News) In recent years, it has become abundantly clear that the U.S. is facing a concerning shortage of cyber security experts. In response to this crisis, the NSA, which is the largest employer of such professionals, has taken dramatic measures. The agency's solution? To attract and recruit the next generation of cyber pros, as well as prepare them to tackle the potential security challenges that lie ahead
UMBC student wins cybersecurity scholarship (Technical.ly Baltimore) Rising senior Victoria Lentz was one of 11 winners of a scholarship aimed at supporting women interested in cybersecurity. Only 10-15 percent of the cybersecurity workforce is female, according to a recent study
Legislation, Policy, and Regulation
Chinese pressure just shuttered Hong Kong's version of the Huffington Post (Quartz) A popular pro-democracy Hong Kong news site abruptly shut down this weekend, another sign of escalation as the city girds for a showdown between demonstrators demanding universal suffrage and Chinese authorities unwilling to cede more control over Hong Kong
Best way to fight cyber threat (China Daily) Instead of desperately distracting attention from the NSA's espionage by accusing China, the US should seek cooperation
Xi: Respect cyber sovereignty (China Daily) Chinese leader stresses increasing responsibilities of emerging nations
AusCERT chief steps down (SC Magazine via IT News) Organisation now reports directly into Queensland University. The general manager of Australia's computer emergency response team (AusCERT) Graham Ingram has left the organisation after 12 years of service Read more:
NSA director: Cyber attacks need international norms (Aspen Daily News) Nations around the world need to come together and establish international standards that regulate cyber attacks, said Richard Ledgett, deputy director for the National Security Agency at The Aspen Security Forum on Saturday
ODNI General Counsel Robert Litt and NSA General Counsel Rajesh De Participate in an Aspen Security Forum Panel Discussion on Liberty and Security (Aspen Security Forum via IC on the Record) We are still in the post-9/11 era, but we are also in the post-Edward Snowden era. Citizens' expectation that the government will protect them from security threats is unchanged, but they are much less willing now than they were in the immediate aftermath of the terror attacks to grant the government virtual carte blanche to do what it thinks is necessary to respond to these threats. What is the "right" balance between security and liberty?
Collateral damage of Snowden leaks being felt in cyber, public trust (Federal News Radio) The National Security Agency's top lawyer said the disclosures from former contractor Edward Snowden not only hurt U.S. intelligence gathering capabilities, but also created a gap in the trust relationship between the agency and Congress
4 senators raise alarm about NSA collection of Americans' e-mails, phone calls (Washington Post) Four Democratic senators have sent a letter to the director of national intelligence expressing concerns about the scope of the collection of Americans' e-mails and phone calls under a National Security Agency program that targets foreigners overseas
On NSA's Subversion of NIST's Algorithm (Lawfare) Of all the revelations from the Snowden leaks, I find the NSA's subversion of the National Institute of Standards's (NIST) random number generator to be particularly disturbing. Our security is only as good as the tools we use to protect it, and compromising a widely used cryptography algorithm makes many Internet communications insecure
Silicon Valley sees hope in battle against NSA (The Hill) Tech companies and civil liberties groups are becoming more optimistic that the Senate will take major steps to rein in the National Security Agency this year
Technology Cost and Complexity Killing U.S. (SIGNAL) Advanced systems hinder as much as help
Congress finally passes cell phone unlocking bill (Ars Technica) House gives in, passes the Senate version that unlocking activists preferred
When the Administration Asks Itself to Declassify (Federation of American Scientists) In preparing its recent report on the Section 702 surveillance program, the Privacy and Civil Liberties Oversight Board (PCLOB) demonstrated an unusual mode of declassification, in which one executive branch agency asks another agency to declassify information
Reflections on the NYDFS Bitcoin Proposal and the Right of Privacy (Money and State) Today, as human society progresses onward, Coinmap broke 5,000 global business listings, South African payment processor Payfast enabled their 30,000 merchants to accept Bitcoin, and the NY Dept. of Financial Services made financial privacy a crime, supported (at least superficially) by some leaders in the Bitcoin industry
Litigation, Investigation, and Law Enforcement
Why Intelligence Whistleblowers Can't Use Internal Channels (The Atlantic) Imagine a CIA agent who witnessed behavior that violated the Constitution, the law, and core human rights protections, like torturing a prisoner. What would we have her do? Government officials say that there are internal channels in place to protect whistleblowers, and that intelligence employees with security clearances have a moral obligation to refrain from airing complaints publicly, via the modern press. In contrast, whistleblowers like Daniel Ellsberg, Chelsea Manning and Edward Snowden — as well as journalistic entities like the Washington Post, The Guardian, and the New York Times — believe that questionable behavior by intelligence agencies should sometimes be exposed, even when classified, partly because internal whistleblower channels are demonstrably inadequate
NSA: Less need now for Snowden deal (Politico) A top National Security Agency offficial says there's less need now for the U.S. Government to cut a deal with leaker Edward Snowden than there was after his wave of surveillance disclosures began more than a year ago
Plaintiffs file opposition to government’s motion to dismiss NSA spying case (Legal Newsline) The plaintiffs in a class action lawsuit against the National Security Agency and other government entities for allegedly spying on American citizens have filed an opposition to the defendants' motion to dismiss
Hacker Breached NOAA Satellite Data on a Contractor's PC (Nextgov) National Oceanic and Atmospheric Administration satellite data was stolen from a contractor's personal computer last year, but the agency could not investigate the incident because the employee refused to turn over the PC, according to a new inspector general report
EBay faces class action suit over data breach (PCWorld) EBay faces a class action suit in a U.S. federal court over a security breach earlier this year
Human Rights Court Approves Extradition of Gozi Malware Suspect to U.S. (SecurityWeek) The European Court of Human Rights (ECHR) ruled on Thursday that a Latvian man suspected of being involved in the creation of the Gozi banking Trojan would not be exposed to a real risk of ill-treatment if he were to be extradited to the United States
Chinese National Denied Bail on Charges of Hacking Boeing Network (Linkis) A Canadian court denies bail to a man accused by the U.S. Department of Justice of hacking into defense contractor Boeing's network
Chinese authorities raid several Microsoft offices (Gigaom) It's not clear why the company is being investigated, but based on earlier statements by the Chinese government it is most likely to do with the security of Windows
Chinese Regulators Visit Microsoft Offices: Dow Jones (AFP via SecurityWeek) Officials from China's corporate regulator paid visits Monday to software giant Microsoft's offices in four cities in the country, Dow Jones Newswires reported, citing people familiar with the matter
Bendert Zevenbergen: what's right about the right to be forgotten? (Imperica) The Right to be Forgotten, most well-known as a European court ruling against Google, is a big and contentious issue for search engines, publishers, ISPs, and consumers. To some, they finally have the power to manage their reputation in open communications. To others, it's a restrictive process which limits freedom of expression
On The Importance Of Forgetting (TechCrunch) The ongoing debate about Europe's so-called 'right to be forgotten' ruling on search engines has shone a light onto a key pressure point between technology and society. Simply put the ability of digital technology to remember clashes with the human societal need to forgive and forget
Nobody seems quite sure how Spain's new "Google tax" will work (Quartz) On July 22 Spain passed a law (link in Spanish) called the canon AEDE, after the acronym for Spain's daily newspapers' association. The law has been dubbed the tasa Google ("Google tax") in the Spanish press and gives these publishers the right to seek payment from any site that links to their content with a "meaningful" description of the work
Google is playing catch-up on cybercrime with Project Zero (My Broadbnd) Google's new Project Zero team adds some welcome muscle in the fight against cybercrime
Agencies Still Plugging Gaps in Smart Card Security (Nextgov) The Department of Health and Human Services was too lax in issuing smart ID cards to new employees and failed to deactivate them in a timely manner when workers left the agency, according to a new audit from the department's inspector general office
CBI arrests hacker who stole Microsoft keys worth lakhs (Zee News) CBI Friday nabbed an alleged hacker who entered into systems of software giant Microsoft to steal product keys worth lakhs and is feared to have compromised some government websites as well in the process
Indian Hacker Arrested for Breaking into Microsoft Website, Stealing Product Keys (Softpedia) Microsoft continues the struggle to reduce piracy across the world, and as part of its global efforts the company collaborated with the Indian authorities to arrest an individual who reportedly hacked its servers and stole several product keys for its software
GMU Grad Muneeb Akhter Investigated for Hacking Gift Cards (NBC Washington) A young Fairfax County computer whiz is the target of a federal probe after he boasted to a co-worker that he'd figured out how to add value to prepaid gift cards without paying for it
Toddler dad case hinges on digital sleuthing (Atlanta Journal-Constitution) Justin Ross Harris, the father of a toddler who died after police say he was left in a hot car for about seven hours, sits for his bond hearing Everyone, from prosecutors to the defense, knows Justin Ross Harris caused the death of his toddler son, Cooper, last month by leaving him in a hot car for seven hours
For a complete running list of events, please visit the Event Tracker.
Black Hat USA 2014 (, Jan 1, 1970) Black Hat USA is the show that sets the benchmark for all other security conferences. As Black Hat returns for its 17th year to Las Vegas, we bring together the brightest in the world for six days of learning, networking, and skill building. Join us for four intense days of Trainings and two jam-packed days of Briefings.
SHARE in Pittsburgh (Pittsburgh, Pennsylvania, USA, Aug 3 - 8, 2014) LEARN: Subject-matter experts and practitioners are on-hand at SHARE events to discuss major issues facing enterprise IT professionals today. FOCUS: SHARE provides leading-edge technical education on a variety of topics. Whether you are an IT manager, IT architect, systems analyst, systems programmer or in IT support, SHARE offers focused sessions to benefit all job roles. ENGAGE: At SHARE events, you will experience a wide variety of formal and informal networking opportunities that encourage valuable peer-to-peer interaction
STOP. THINK. CONNECT. Two Steps Ahead: Protect Your Digital Life Tour (Clarksville, Tennessee, USA, Aug 5, 2014) The National Cyber Security Alliance (NCSA), a non-profit public-private partnership focused on helping all digital citizens stay safer and more secure online, is coming to TK with its STOP. THINK. CONNECT. Two Steps Ahead: Protect Your Digital Life Tour to educate consumers and businesses about adding layers of security to their everyday online activities
4th Annual Cyber Security Training Forum (Colorado Springs, Colorado, USA, Aug 5 - 6, 2014) The Information Systems Security Association (ISSA) — Colorado Springs Chapter and FBC, Inc. will co-host the 4th Annual Cyber Security Training Forum (CSTF). CSTF is set to convene from Tuesday August 5, 2014 to Wednesday, August 6, 2014 at the DoubleTree by Hilton, Colorado Springs, Colorado.
BSidesLV 2014 (Las Vegas, Nevada, USA, Aug 5 - 6, 2014) We have an amazing array of speakers each year, covering topics such as Penetration Testing, Forensics, Incident Response, Risk, and everything in between. We have a Lockpick Village, the Squirrels in a Barrel World Championship Social Engineering Capture The Flag, uncensored talks, and proximity to the other big InfoSec conferences in the world.
Passwords14 (Las Vegas, Nevada, USA, Aug 5 - 6, 2014) Passwords is the first and only conference of its kind, where leading researchers, password crackers, and experts in password security from around the globe gather in order to better understand the challenges surrounding digital authentication, and how to adequately address them.
DEF CON 22 (Las Vegas, Nevada, USA, Aug 7 - 10, 2014) The annual hacker conference, with speakers, panels, and contests. Visit the site and penetrate to the schedules and announcements.
South Africa Banking and ICT Summit (Lusaka, Zambia, Aug 8, 2014) The South Africa Banking and ICT Summit is the exclusive platform to meet industry thought leaders and decision makers, discover leading edge products and services and discuss innovative strategies to implement these new solutions into your organization.
SANS Cyber Defense Summit and Training (Nashville, Tennessee, USA, Aug 13 - 20, 2014) The SANS Institute's Cyber Defense Summit will be paired with intensive pre-summit hands-on information security training (August 13-18). This event marks the first time that SANS will conduct a training event and Summit that brings together cyber defense practitioners focused on defensive tactics as opposed to offensive approaches to thwart cyber attackers and prevent intrusions.
AFCEA Technology & Cyber Day (Tinker AFB, Oklahoma, USA, Aug 21, 2014) The Armed Forces Communications & Electronics Association (AFCEA) — Oklahoma City Chapter will once again host the 10th Annual Information Technology & Cyber Security Day at Tinker AFB. This is the only event of its kind held at Tinker AFB each year. This annual event allows exhibitors the opportunity to network with key information technology, cyber security, communications, engineering, contracting personnel and decision makers at Tinker AFB. Over 250 attendees participated in the 2013 event and we expect the same level of attendance in 2014.
Resilience Week (Denver, Colorado, USA, Aug 19 - 21, 2014) Symposia dedicated to promising research in resilient systems that will protect critical cyber-physical infrastructures from unexpected and malicious threats—securing our way of life.
c0c0n: International Information Security and Hacking Conference (, Jan 1, 1970) c0c0n, previously known as Cyber Safe, is an annual event conducted as part of the International Information Security Day. The Information Security Research Association along with Matriux Security Community is organizing a 2 day International Security and Hacking Conference titled c0c0n 2014, as part of Information Security Day 2014. c0c0n 2013 was supported by the Kerala Police and we expect the same this year too. Various technical, non-technical, legal and community events are organized as part of the program. c0c0n 2014 is scheduled on 22, 23 Aug 2014.
The Hackers Conference (New Delhi, India, Aug 30, 2014) The Hackers Conference is an unique event, where the best of minds in the hacking world, leaders in the information security industry and the cyber community along with policymakers and government representatives on cyber security meet face-to-face to join their efforts to cooperate in addressing the most topical issues of the Internet Security space. This is the third edition of the Conference. Following the huge success of the conference last year the current edition of the conference brings back to you all the knowledge, all the fun in a better, grander way.