The CyberWire Daily Briefing 08.07.14
The conflict around Gaza spawns many anti-Israeli denial-of-service campaigns. Some of these appear to derive from an Iranian controlled botnet, but whether the action is primarily state-directed or self-organized hacktivist cyber-rioting remains unclear.
CyberVor's big sweep of credentials remains the big story in cyber. The consensus is that the crooks certainly got something, and that they're using it to spam. How they got it and what the theft's further implications might be remain unclear. Many observers offer sound (if familiar) password hygiene advice. Several analysts call the event the password's death-knell.
Background-checking firm USIS has suffered a hack, which it says bears the hallmarks of a "state-sponsored" operation. The US Office of Personnel Management and Department of Homeland Security, both major USIS customers, temporarily suspend some use of the company's services.
Lawful intercept vendor Gamma International (makers of FinFisher) has also been hacked (and spoofed). FinFisher details as well as customer information have leaked.
FireEye finds an APT campaign, "Poisoned Hurricane," active against US and Asian targets. The APT conceals its operations with hijacked domains.
Facebook buys security start-up PrivateCore.
FireEye and Fox-IT offer free CryptoLocker recovery support.
Black Hat USA is wrapping up, and accounts of some of its more interesting presentations are online. In-Q-Tel's CISO Geer delivered a provocative keynote. He advocates cornering the market on exploits (then disclosing them); he sees home routers as critical infrastructure, etc. Other symposiasts note that the line between legitimate vulnerability research and cyber crime can be murky: clarity would be welcome.
Today's issue includes events affecting Algeria, Australia, China, India, Iran, Israel, Palestinian Territories, Russia, United Arab Emirates, United Kingdom, United States, and Vietnam.
Las Vegas: the latest from Black Hat USA 2014
Briefings — August 6-7 (Black Hat USA 2014) [Black Hat's repository of text and slide decks from keynotes and presentations]
Separating Cybersecurity Hype from Reality (Townhall) The big players in the global information-security industry are intermingling with computer hackers this week at the annual Black Hat conference in Las Vegas. Even Chris Inglis, who stepped down as the deputy director of the National Security Agency earlier this year, is scheduled to attend the conference in his new capacity as an advisor to the American security-intelligence company Securonix. The purpose of the event is to reveal and discuss new threats and research in the field of cybersecurity
Salted Hash: Live from Black Hat USA (Day 3) (CSO) Day three at the hacking confab, and the transition to DEF CON 22 begins
The Illegitimate Milliner's Guide to Black Hat (Dark Reading) A less-than-honest "Abe" goes undercover to get a behind-the-scenes look at Black Hat and its infamous attendees
Dan Geer Touts Liability Policies For Software Vulnerabilities (Dark Reading) Vendor beware. At Black Hat, Dan Geer suggests legislation to change product liability and abandonment rules for vulnerable and unsupported software
Treat Computer Hacks Like Disease Epidemics (Bloomberg View) A cybersecurity guru who works for the U.S. Central Intelligence Agency's venture capital arm has suggested a wholesale solution to the problem of malicious hacking: Treat vulnerabilities as if they are disease outbreaks and make cures publicly available at government expense. This is a brute force approach that would change the rules of what is currently a game of cops and robbers
Legal Divide Between Security Research and Cybercrime Remains Murky (Threatpost) In his keynote address at Black Hat Wednesday, Dan Geer, the CISO of In-Q-Tel and a respected security luminary noted that the industry has never been closer to the forefront of corporate and government policy decision making. Despite this, security research remains a dangerous business for those who seek out bugs in software systems and face prosecutions and lawsuits as a result
Security expert calls home routers a clear and present danger (Ars Technica) In Black Hat Q&A, In-Q-Tel CISO says home routers are "critical infrastructure"
Network-attached storage devices more vulnerable than routers, researcher finds (IDG via CSO) A security review of network-attached storage (NAS) devices from multiple manufacturers revealed that they typically have more vulnerabilities than home routers, a class of devices known for poor security and vulnerable code
Black Hat 2014: Hacking the Smart Car (IEEE Spectrum) Walk into a BMW, Infiniti or Cadillac showroom, and you might see a host of enticing new cars. Chris Valasek, on the other hand, sees targets for an attack
Pervasive OTA Carrier Controls Exploitable on a Massive Scale (Threatpost) Device manufacturers and service providers quietly maintain a pervasive level of remote control over the devices they sell to consumers so they can push over-the-air (OTA) updates for a variety of reasons, but problematically one popular product that enables this type of control is poorly secured and knowledgeable attackers can exploit it in order to compromise affected smart phones, basebands, laptops and other electronic devices
Hackers confused Iranian scientist by blaring AC/DC in nuke lab (Crowdfunding Today) Call it black hacker humor. With a twist. During a thoroughly detailed and far ranging talk about hacking and malware propagation at the Black Hat conference attended by 2,000 in a massive conference room at the Mandalay Bay Wednesday, legendary computer security visionary Mikko Hypponen had a funny story to tell
Using Military Strategy to Fight Cyber Battles (eSecurity Planet) What does the Library of Sparta have to do with modern IT security? Military strategies are increasingly common in cybersecurity — and with good reason
Cyber Attacks, Threats, and Vulnerabilities
Israel-Hamas conflict sparks surge in DDoS attacks (ZDNet) In a perfect example of how politics can influence cyberattacks, new research reveals how the Israel-Hamas conflict is changing the security landscape.
Iran-Linked Botnet Helps Drive Cyber-Attacks Against Israel Up By 500% (International Business Times) Cyber-attacks against Israel have increased 500% in the last month, with a new report suggesting a powerful botnet controlled by a pro-Islamic Iranian group of hackers is being used as part of an Anonymous-backed cyber-campaign
Record-breaking data breach highlights widespread security flaws (San Jose Mercury News) In what appears to be the biggest data breach ever, a Russian gang reportedly has stolen 1.2 billion user names and passwords and more than 500 million email addresses from 420,000 websites
Russian Gang Steals 1.2 Billion User Credentials in Biggest Ever Hack (Infosecurity Magazine) A Russian cybercrime gang has managed to stockpile a treasure trove of over 1 billion online log-in credentials, the largest ever discovered, raising serious questions over the basic security levels of many websites
CyberVor hacking gang steals 1.2 billion usernames and passwords (We Live Security) Somewhere in a small city in south central Russia, a group of men in their twenties have got away with what some are describing as one of the biggest cyber-heists in history
The tip of the iceberg? Why massive Russian cyber attack should be a wake-up call (Infosecurity Magazine) It's rare that information security stories break through into the mainstream press. The eBay data breach and Gameover Zeus takedown are two rare examples from 2014. Yet to this exclusive list was added another on Wednesday when news broke that a Russian cybercrime gang had amassed a staggering 1.2 billion user name and password combinations and 500 million email addresses from poorly protected sites
Russian data breach coincides with security conference (USA TODAY) It's never good when news breaks that a Russian crime ring has amassed a cache of 1.2 billion username and password combinations
True or not, Russian 'hack of the century' means the password is now obsolete (Silicon Republic) If proven true, the data heist by a Russian cybercrime gang should send a shiver down the spine of every person on the planet with a username and password
Massive security breach: Time to change your password practices (Detroit Free Press) OK, now it's really time to change your password
Q&A on the Reported Theft of 1.2B Email Accounts (Krebs on Security) My phone and email have been flooded with questions and interview requests from various media outlets since security consultancy Hold Security dropped the news that a Russian gang has stolen more than a billion email account credentials. Rather than respond to each of these requests in turn, allow me to add a bit of perspective here in the most direct way possible: The Q&A
Security firm that revealed "billion password" breach demands $120 before it will say if you're a victim (Graham Cluley) I've been chased all day by the media, wanting to get my view on the New York Times story claiming that a Russian gang has been found sitting on a mountain of over one billion stolen usernames and passwords
U.S. Homeland Security contractor reports computer breach (Reuters) A company that performs background checks for the U.S. Department of Homeland Security said on Wednesday it was the victim of a cyber attack, adding in a statement that "it has all the markings of a state-sponsored attack"
Top gov't spyware company hacked; Gamma's FinFisher leaked (ZDNet) The maker of secretive FinFisher spyware — sold exclusively to governments and police agencies — has been hacked, revealing its clients, prices and its effectiveness across an unbelievable span of apps, operating systems and more
APT Group Hijacks Popular Domains to Mask C&C Communications: FireEye (SecurityWeek) Researchers at FireEye have examined a new campaign in which advanced persistent threat (APT) actors used some clever techniques to avoid being detected
TSA Checkpoint Systems Found Exposed On The Net (Dark Reading) Researcher Billy Rios exposes new threats to airport security systems
Oracle Database Redaction 'Trivial to Bypass' (Threatpost) David Litchfield for many years was one of the top bug hunters in the game and specialized in causing large-scale headaches for Oracle. When he decided to retire and go scuba diving, there likely were few tears shed in Redwood City. Litchfield recently decided to resurface, which is good news for the security community and users but may not cause a celebration among Oracle engineers
Blue Coat Uncovers New Malvertising Attack Leveraging Major Ad Network to Deliver CryptoWall Ransomware (Broadway World) Blue Coat Systems, Inc., the market leader in business assurance technology, recently uncovered a malvertising attack that is leveraging major legitimate ad networks such as ads.yahoo.com to drive a CryptoWall Ransomware campaign. In malvertising attacks, cyber criminals gain legitimacy for their ad servers within ad networks and then serve malicious ads to high-profile sites. The ads appear legitimate but deliver malware or other unwanted software to the unsuspecting user
Magnitude Exploit Kit Backend Infrastructure Insight — Part I (Trustwave SpiderLabs Anterior) In our recently released Trustwave Global Security Report Online and previous Magnitude blog post, A Peek Into the Lion's Den — The Magnitude [aka PopAds] Exploit Kit, we detailed our discovery of one of the more prevalent exploit kits seen these days, showed an inside look at the control panel and analyzed the kit's activity over one month
Windows OS loophole resurfaces, says Kaspersky (Economic Times) Cyber security firm Kaspersky today claimed it has detected an old, widely known vulnerability, one that was used in a cyber attack to sabotage Iran's nuclear programme, in some versions of the Windows platform across 19 million computers, including in India
Zero-day hits Symantec endpoint products (The Register) Soak those connections, download those patches
PayPal left red-faced after more security holes found in two factor authentication (Lumension) Just over a month ago, security researchers revealed that one of PayPal's primary mechanisms to protect accounts from hackers had been fundamentally flawed for years
Australia Post scam email linked to Russian phishing site (CNET) A scam email, linked to a Russian phishing site, has been warning Australia Post customers that they need to pay to retrieve an uncollected parcel
Chinese TV channel hacked while on air (SC Magazine) Hacktivists in China put anti-government messages up over broadcast programmes while Wenzhou TV station was on air
Security Patches, Mitigations, and Software Updates
Cisco IOS Software and Cisco IOS XE Software EnergyWise Crafted Packet Denial of Service Vulnerability (Cisco) A vulnerability in the EnergyWise module of Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of the affected device. The vulnerability is due to improper parsing of crafted EnergyWise packets destined to an affected device. An attacker could exploit this vulnerability by sending a crafted EnergyWise packet to be processed by an affected device. An exploit could allow the attacker to cause a reload of the affected device. Cisco has released free software updates that address this vulnerability
Internet Explorer begins blocking out-of-date ActiveX controls (IEBlog) As part of our ongoing commitment to delivering a more secure browser, starting August 12th Internet Explorer will block out-of-date ActiveX controls. ActiveX controls are small apps that let Web sites provide content, like videos and games, and let you interact with content like toolbars. Unfortunately, because many ActiveX controls aren't automatically updated, they can become outdated as new versions are released. It's very important that you keep your ActiveX controls up-to-date because malicious or compromised Web pages can target security flaws in outdated controls to collect information, install dangerous software, or let someone else control your computer remotely
Can Healthcare Execs Be Security Experts Too? (InformationWeek) Trying to teach healthcare professionals security technologies is a risky idea. It's far easier to teach healthcare to security experts
Wi-Fi users not concerned about hotspot security (ComputerWeekly) General attitudes to Wi-Fi and mobile security are lax, according to the findings of Ofcom's Communications Market Report 2014
Skills gap leaves UK vulnerable to cyber attack, says business (Financial Times) Business chiefs have warned that a skills gap is leaving the UK vulnerable to cyber attack, as statistics show that fewer than 0.6 per cent of recent graduates are working in cyber security
UK cyber security body warns of IT security flaws and risks posed by malware (Out-Law) Weak passwords and unpatched software are enabling hackers to use organisations' own servers as the hosts of cyber attacks, the UK's National Computer Emergency Response Team (CERT-UK) said
UAE records highest computer breaches across the Middle East (Khaleej Times) Symantec said a three-year investigation showed a new attack group conducted a prolonged and sophisticated cyber espionage campaign
Like Vegas in August, mobile security is hot at Black Hat August (FierceMobileIT) Mobile security is a hot topic at the Black Hat security conference being held this week in Las Vegas
Russian hackers steal more than 1 billion passwords. Security firm seizes opportunity. (Washington Post) For security firms, a major online security breach is a potential marketing opportunity
Why Dell Comes Out Clean While China Blacklists Apple, Microsoft (The Street) U.S. computer maker Dell has found a way to beat China's rap against American tech companies over alleged security risks: pre-install a Chinese operating system on most of its machines sold in China
Facebook buys PrivateCore, a security startup built by ex-Googlers (Venture Beat) Facebook has acquired PrivateCore, a security startup focused on encryption and malware prevention, according to a blogpost by PrivateCore chief Oded Horovitz
Secure Cloud Provider FireHost Fills Two Key Posts — Adds New Chief Marketing Officer, Head of EMEA Business (Broadway World) FireHost, the secure cloud provider, has hired two security and cloud veterans to further guide the company as it continues its high-growth momentum. The company has named Steve Lesem as chief marketing officer and Eleri Gibbon as vice president of EMEA (Europe, Middle East and Africa). The appointments strengthen FireHost's international presence and help expand its market presence for compliance- and security-driven businesses
Covertix Hires Galina Datskovsky, Ph.D., CRM as the CEO of Covertix, North America (IT Business Net) Covertix, a cyber-security software solution for enterprise file protection, named Galina Datskovsky, Ph.D., CRM as the new Chief Executive Officer of its North American operations
Products, Services, and Solutions
Website encryption boosted by Google promotion of HTTPS (SC Magazine) The latest change in Google's search engine optimisation (SEO) algorithm looks set to boost the uptake of encryption for websites by rating sites using HTTPS higher than those with HTTP
FishNet Security Expands Testing Capabilities With $5M Cloud-Based Lab (Power Engineering) FishNet Security, North America's largest independent information security solutions provider, announces the opening of a state-of-the-art, cloud-based technology testing lab in the company's newly expanded St. Paul office. The "cLab" is a $5 million investment that allows FishNet Security, its partners and customers to vet technologies in a virtual IT environment using simulated network conditions and attack scenarios. During the product selection phase, customers can test technologies and configurations prior to purchase to improve deployment time and reduce risk
AdaptiveMobile to Showcase Powerful, Cloud-Based Mobile Security Management (MSM) Platform for the Enterprise at the Gartner Catalyst Conference (Broadway World) AdaptiveMobile, the leader in mobile security, today announced that it will demo the AdaptiveMobile Enterprise Mobile Security Management (MSM) platform, a comprehensive, cloud-based mobile security solution for the enterprise, at the Gartner Catalyst Conference on August 11 in San Diego. AdaptiveMobile Enterprise MSM provides a security anchor for IT and security departments needing protection in a corporate ecosystem that is always-on, in constant movement, and that involves employees, contractors, partners, customers and others using multiple connection points for access
Eset Smart Security and Eset Nod32 Antivirus 8 Beta released (Neowin) NOD32 for Windows is the best choice for protection of your personal computer. Almost 20 years of technological development enabled ESET to create a state-of-the-art antivirus system able to protect you from all sorts of Internet threats. ESET Smart Security boasts a large array of security features, usability enhancements and scanning technology improvements in defense of your online life
Microsoft Security Essentials or Norton Antivirus which gives the best protection? (Gamer Headlines) There are several antivirus software that you can use to keep the data on your computer safe. Two of such software that you can go for are Microsoft Security Essentials and Norton Antivirus. Although both of them could be used to achieve the same goals, there are quite a number of differences between them. Below is a comparison of the two so that you can make the right choice of antivirus for your laptop or PC
WWPass Introduces Hacker-Proof Mobile Multi-Factor Authentication and Privacy Protection System for Business (Digital Journal) Combining unmatched security and convenience, WWPass® has launched a mobile version of its patented, unbreakable, cloud-based, multi-factor authentication and privacy protection system. WWPass technology encrypts user data, fragments and disperses it across 12 separate global locations in the cloud, making it inaccessible to identity thieves, producing an unmatched level of security. Instead of providing a username and password to retrieve the data and access secure networks and servers, users connect a physical PassKey token to the USB port or NFC reader to authenticate. With PassKey for Mobile, Android mobile device users can turn their device into a mobile token via Wi-Fi or Bluetooth technology for the most secure, multi-factor authentication available on the market today
A10 Networks and Webroot Partner to Extend Web Classification to A10 Thunder ADCs (CNN Money) A10 customers can satisfy security and regulatory requirements by decrypting SSL traffic while excluding traffic to regulated data and sensitive sites like banking and healthcare
FireEye Announces Advanced Risk Assessment Services for Insurance Industry (MarketWatch) Industry-Leading Cybersecurity Technologies and Services Power New Program to Help Brokers and Underwriters Gauge and Minimize Client Exposure to Cyber Risks
ManTech Cyber Solutions International, Inc. Announces Advanced Visibility and Rapid Discovery of Endpoints with Active Defense™ 2.0 (MarketWatch) Active Defense 2.0 analyzes and detects malicious code in memory and helps to pinpoint compromised systems in order to eliminate threats
CGI accredited for cyber security evaluations by CESG (SC Magazine) CGI has become the only test lab in the UK able to perform common criteria tailored assurance scheme (CTAS), commercial product assurance (CPA), security evaluations, and CESG assured services (CAS) evaluations following approval by CESG, the UK Government National Technical Authority for Information Assurance. "These accreditations are the latest in a long line of such schemes that CGI UK has invested in. We see these schemes as an important part of establishing our credentials, especially amongst Government clients," Andrew Rogoyski, head of cyber security at CGI in the UK told SCMagazineUK
Ionic Security wants to turn the way we think about protecting our data on its head… (Decrypted Tech) The thought of a network breach or targeted attack is what keeps most systems admins up at night and constantly irritated to boot. The need to man the walls and make sure the moat is filled all the time is exhausting and nearly impossible in today's modern and increasingly distributed networks and business models. It makes the thought of a breach not a "what if", but a "when". This is becoming the new way of thinking about security. As we have talked about in the past, people are no longer thinking they can keep everyone out, but are concentrating on quickly identifying and mitigating the inevitable breach
Risk I/O Threat Management Platform to Include Verisign iDefense Zero-Day Vulnerability Intelligence (Digital Journal) Risk I/O, the leading vulnerability threat management platform announced today that they have licensed Verisign's iDefense vulnerability intelligence reports which will be included and fully integrated into Risk I/O's threat processing engine. Verisign's vulnerability, attack and exploit data includes unpublished zero-day vulnerabilities collected from over 30,000 products and 400 technology vendors which will be incorporated into the Risk I/O platform
DISA OKs BlackBerry's Multi-Platform Enterprise Service for Defense Personnel (ExecutiveGov) The Defense Information Systems Agency has approved BlackBerry's multi-platform containerization system for use by Defense Department employees
Securonix Releases Industry's First Enterprise Class Real-Time Security Analytics Platform at Black Hat 2014 (Digital Journal) Securonix LLC, the industry-leading platform for security analytics and intelligence, today announced the general availability of Securonix Security Intelligence Platform 4.6, the company's flagship software platform for enterprise security analytics and intelligence. This new release brings the power of Securonix's purpose-built security analytics into real-time detection and response across an enterprise environment — network devices, applications, databases, and hosts
Technologies, Techniques, and Standards
In Fight With Hackers, We Are on Our Own (New York Times) Call it the hack whipsaw. A computer security company — it is rarely a government entity — comes out with a new report. Millions of stolen passwords. Tens of millions. No, hundreds of millions
FireEye and Fox-IT Announce New Service to Help CryptoLocker Victims (CNN Money) New site provides free decryption keys to those still impacted by the ransomware following its takedown
CipherShed (CyberPunk) CipherShed is free (as in free-of-charge and free-speech) encryption software for keeping your data secure and private. It started as a fork of the now-discontinued TrueCrypt Project
Securing VoIP systems (Infosec Institute) Voice over Internet Protocol (VoIP) is a methodology and group of technologies for the delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the Internet. VoIP communication has reduced the cost of international calls dramatically, allowing people to place international (ISD) calls at a cheaper cost. In this growing era of smartphones everyone carries a VoIP application in their pocket to make cheap calls
Web-Fu — Chrome extension for pentesting web applications (Kitploit) Chrome extension for pentesting web applications. Web-fu is a web hacking tool focused on discovering and exploiting web vulnerabilities
Data Breach Response Planning 101 (HackSurfer) Don't think in terms of "if" you'll suffer a data breach, but rather, "when." Once you establish this mindset, it's time for you to develop a response plan. After all, a security system that's impenetrable has yet to be invented
A change of approach is needed in advanced threat protection (Pro Security Zone) Sourcefire's Sean Newman comments on advanced threat detection and the need for organizations to move away from traditional protection methods
8 Tips to Stay Safe Online (Webroot Threat Blog) Yesterday, the New York Times published an exclusive story on what many are calling the largest series of hacks ever, all revealed by Hold Security in their latest report. The report describes over 1.2 billion unique username-password combinations and over 500 million e-mail addresses amassed by a Russian hacker group dubbed CyberVol (vol is Russian for thief). While the reactions among the security industry are mixed, with some researchers raising a few questions about the masterwork behind the hack, the story does bring to the public's attention the necessity of strong, personal, online security policies for all aspects of the connected life
5 Steps To Supply Chain Security (Dark Reading) The integrity of enterprise data is only as strong as your most vulnerable third-party supplier or business partner. It's time to shore up these connection points
Sending Mixed Messages With Passwords (TrendLabs Security Intelligence Blog) The biggest security headache that consumers face on a regular basis may well be… the password. You need one to do just about anything online nowadays. This makes them very valuable targets of theft — as the news that "1.2 billion" passwords were stolen highlights. Unfortunately, remembering passwords for all the sites that people use every day can be a challenge
Mitigating the Risk of Backdoor Attacks (BankInfoSecurity) The exploit of backdoors has been linked to recent attacks waged against the retail industry, including the third-party attack on Target Corp
Simulators solving cyber training challenges (C4ISR & Networks) Soldiers on the battlefield, with bombs exploding nearby and rifle fire coming from somewhere in the middle distance, are in no position to learn how to use the computing and communications systems that their lives might depend on. The time for training — thoroughly — is long before their boots hit the dirt
U.S. Military Plugs Into Social Media for Intelligence Gathering (Wall Street Journal) Defense Intelligence Agency head says online postings played crucial role in Ukraine jet shootdown investigation
Design and Innovation
Meet the Puzzle Mastermind Who Designs Def Con's Hackable Badges (Wired) Def Con is one of the world's biggest hacker conventions, an annual gathering of security experts, cryptographers and at least a few people who could surreptitiously drain your bank account if they wanted. They come to Las Vegas to learn about the latest computer vulnerabilities and exploits, show off their skills, and hack or crack anything that can be hacked and cracked — including the conference badges
Research and Development
Bottom Up! Tool Transfers Unclassified Data to Classified Networks (SIGNAL) The Tactical Army Cross Domain Sharing device will connect the unclassified Rifleman Radio to the classified Nett Warrior system, autonomously sharing critical soldier location information for improved situational awareness on the battlefield. A small form factor device that will allow communications from low-level unclassified networks up to high-level secret classified networks has completed the development stage and is in the process of transferring to its new program. Created at the Communications-Electronics Research, Development and Engineering Center (CERDEC), the Tactical Army Cross Domain Information Sharing (TACDIS) tool is an easy-to-connect cable that will enhance situational awareness at the top to protect troops at the tactical edge
Blame bad science on profit-making journals (Quartz) Imagine you're a scientist. You're interested in testing the hypothesis that playing violent video games makes people more likely to be violent in real life. This is a straightforward theory, but there are still many, many different ways you could test it. First you have to decide which games count as "violent." Does Super Mario Brothers count because you kill Goombas? Or do you only count "realistic" games like Call of Duty? Next you have to decide how to measure violent behavior. Real violence is rare and difficult to measure, so you'll probably need to look at lower-level "aggressive" acts — but which ones?
Mount Allison student becomes first Canadian to present at international cryptography conference (Sackville Tribune-Post) Mount Allison University honours computer science and math student Karen Korstanje recently presented her research at the Fourth International Workshop on Cryptography, Robustness, and Provably Secure Schemes for Female Young Researchers (CrossFyre 2014)
Legislation, Policy, and Regulation
Forgot Your Password? Don't Worry, the Kremlin Has It. (Global Voices) If you are officially recognized as a blogger in Russia, your name will soon appear on a state "blogger registry." Only a handful of names have appeared on the list since its launch last Friday, but there's no telling how many bloggers Russia's communications agency, Roscomnadzor, will add to its records
China has neutralized the social media threat (Quartz) For the past four years, China's government and its far-reaching bureaucracy have embarked on a campaign to take back China's weibo microblog scene from the masses, who have been using social media services to expose corrupt officials, circulate news, and air their opinions
In Bipartisan Achievement, Meehan-Led Cyber Bills Pass House (National Journal) The House of Representatives today passed groundbreaking cybersecurity legislation co-sponsored by Congressman Patrick Meehan (PA-07). Meehan chairs the House Homeland Security Committee's Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies
Buy All the Cybersecurity Vulnerabilities: Black Hat Keynote (eSecurity Planet) Black Hat keynote speaker Dan Geer has some radical ideas to reshape modern security, including a suggestion that the United States purchase security vulnerabilities and make them public
CIA Insider: U.S. Should Buy All Security Exploits, Then Disclose Them (Wired) To increase the security of the internet and computers, the government should corner the market on zero-day vulnerabilities and exploits, offering top-dollar to force out all other buyers. At least, that's what Dan Geer thinks, and his opinion matters. Geer is chief information security officer at the CIA's venture capital arm In-Q-Tel, which invests in technologies that help the intelligence community
'We've Got To Wake Up': Frank Kendall Calls For Defense Innovation (Breaking Defense) "We've been complacent," Frank Kendall said. For decades, the Pentagon's top weapons buyer said yesterday, the US has assumed its forces will be better equipped than any foe, but that's increasingly in doubt: "Our technological superiority is very much at risk, there are people designing systems [specifically] to defeat us in a very thoughtful and strategic way, and we've got to wake up, frankly"
Litigation, Investigation, and Law Enforcement
Edward Snowden's not a one-off: US.gov hunts new secret doc leaker (The Register) Poor old Julian Assange — whistleblower went straight to Glenn Greenwald
Snowden is FREE to ESCAPE FROM RUSSIA, say officials (The Register) But he can stay put for another 3 years if he really wants to
CIA Didn't Really Hack Senate Computers (Nextgov) CIA personnel probably didn't commit a hacking crime by rummaging through congressional computers used to research the agency's torture activities, former federal attorneys and scholars say
Electronic discovery & information governance — tip of the month: managing the risks and costs associated with enterprise social networks (Lexology) An international company has decided to launch an enterprise social network to facilitate a more collaborative work environment. The Chief Data Officer is tasked with forming and leading a committee to assess any risks associated with the implementation of the new technology, to encourage employee participation and to develop policies and procedures for the governance of the enterprise social network
Microsoft cyber-tip gets Pa. man arrested on child-porn charges (Philly.com) A recent arrest in Texas revealed that Google checks email for child porn, using sophisticated image-comparing technology. Now the arrest of an Eastern Pennsylvania man shows that Microsoft also does such screenings
Why The Gmail Scan That Led To A Man's Arrest For Child Porn Was Not A Privacy Violation (TechCrunch) No one will argue against the outcome of a case which saw a man arrested on child pornography charges, after Google tipped off authorities about illegal images found in the Houston suspect's Gmail account. But the nature of how the discovery came about led some to question the methodologies used behind the scenes. Was Google actively scanning Gmail for illegal activity?
For a complete running list of events, please visit the Event Tracker.
Black Hat USA 2014 (Las Vegas, Nevada, USA, Aug 2 - 7, 2014) Black Hat USA is the show that sets the benchmark for all other security conferences. As Black Hat returns for its 17th year to Las Vegas, we bring together the brightest in the world for six days of learning, networking, and skill building. Join us for four intense days of Trainings and two jam-packed days of Briefings.
SHARE in Pittsburgh (Pittsburgh, Pennsylvania, USA, Aug 3 - 8, 2014) LEARN: Subject-matter experts and practitioners are on-hand at SHARE events to discuss major issues facing enterprise IT professionals today. FOCUS: SHARE provides leading-edge technical education on a variety of topics. Whether you are an IT manager, IT architect, systems analyst, systems programmer or in IT support, SHARE offers focused sessions to benefit all job roles. ENGAGE: At SHARE events, you will experience a wide variety of formal and informal networking opportunities that encourage valuable peer-to-peer interaction
DEF CON 22 (Las Vegas, Nevada, USA, Aug 7 - 10, 2014) The annual hacker conference, with speakers, panels, and contests. Visit the site and penetrate to the schedules and announcements.
South Africa Banking and ICT Summit (Lusaka, Zambia, Aug 8, 2014) The South Africa Banking and ICT Summit is the exclusive platform to meet industry thought leaders and decision makers, discover leading edge products and services and discuss innovative strategies to implement these new solutions into your organization.
SANS Cyber Defense Summit and Training (Nashville, Tennessee, USA, Aug 13 - 20, 2014) The SANS Institute's Cyber Defense Summit will be paired with intensive pre-summit hands-on information security training (August 13-18). This event marks the first time that SANS will conduct a training event and Summit that brings together cyber defense practitioners focused on defensive tactics as opposed to offensive approaches to thwart cyber attackers and prevent intrusions.
Resilience Week (Denver, Colorado, USA, Aug 19 - 21, 2014) Symposia dedicated to promising research in resilient systems that will protect critical cyber-physical infrastructures from unexpected and malicious threats—securing our way of life.
AFCEA Technology & Cyber Day (Tinker AFB, Oklahoma, USA, Aug 21, 2014) The Armed Forces Communications & Electronics Association (AFCEA) — Oklahoma City Chapter will once again host the 10th Annual Information Technology & Cyber Security Day at Tinker AFB. This is the only event of its kind held at Tinker AFB each year. This annual event allows exhibitors the opportunity to network with key information technology, cyber security, communications, engineering, contracting personnel and decision makers at Tinker AFB. Over 250 attendees participated in the 2013 event and we expect the same level of attendance in 2014.
c0c0n: International Information Security and Hacking Conference (Kochi, Kerala, India, Aug 22 - 23, 2014) c0c0n, previously known as Cyber Safe, is an annual event conducted as part of the International Information Security Day. The Information Security Research Association along with Matriux Security Community is organizing a 2 day International Security and Hacking Conference titled c0c0n 2014, as part of Information Security Day 2014. c0c0n 2013 was supported by the Kerala Police and we expect the same this year too. Various technical, non-technical, legal and community events are organized as part of the program. c0c0n 2014 is scheduled on 22, 23 Aug 2014.
Build IT Break IT Fix IT: Build IT (Online, Aug 28, 2014) The Build it Break it Fix it security contest is a new security-oriented programming contest held by the Maryland Cybersecurity Center, Cyberpoint, and Trail of Bits. The Build it Break it Fix it security contest aims to teach students to write more secure programs. The contest evaluates participants' abilities to develop secure and efficient programs. The contest is broken up into three rounds that take place over consecutive weekends. During the Build It round, builders write software that implements the system prescribed by the contest. In the Break It round, breakers find as many flaws as possible in the Build It implementations submitted by other teams. During the Fix It round, builders attempt to fix any problems in their Build It submissions that were identified by other breaker teams. Each round will respectively start on August 28th, September 4th, and September 12th
The Hackers Conference (New Delhi, India, Aug 30, 2014) The Hackers Conference is a unique event, where the best minds in the hacking world, leaders in the information security industry and the cyber community, along with policymakers and government representatives on cyber security, meet face-to-face to join their efforts to cooperate in addressing the most topical issues of the Internet Security space. This is the third edition of the Conference. Following the huge success of the conference last year, the current edition of the conference brings back to you all the knowledge, all the fun in a better, grander way.