The CyberWire Daily Briefing 08.08.14
The Ukrainian prime minister's office and at least ten of the country's embassies abroad report being victims of an (apparently) Russian cyber espionage campaign. The malware reportedly belongs to the Turla family (a.k.a. Snake, a.k.a. Uroburos) and Ukraine is far from the only target. While Turla has hit predictable Western networks in France, Germany, Belgium, and the US, it appears to devote a great deal of attention to the former Soviet republics of the near abroad.
Kaspersky reports solving Turla's hitherto mysterious infection mechanism: a related campaign Kaspersky calls "Epic" makes the initial penetration. Symantec views Turla as principally a diplomatic cyber espionage tool, although aerospace and pharmaceutical companies have also been subject to its ministrations. The campaign used a mix of zero-day and known exploits.
The other big cyber story remains CyberVor's big criminal score of login credentials. The Russian gang apparently used botnets and SQL injection attacks to scavenge usernames and passwords from vulnerable sites. How serious the crimewave ultimately proves remains controversial. Everyone agrees something big was stolen, but estimates of consequences vary widely, from a universal password death knell to marketing opportunities for security companies. Most would like to see more details from Hold Security, the company that announced the theft.
Investors continue to look for better ways of assessing cyber risk, especially but not exclusively when looking at mergers and acquisitions.
IBM and BlackBerry look like (very preliminary) winners in the newly restricted Chinese market.
US Intelligence may have at least two more unidentified moles.
Notes.
Today's issue includes events affecting Australia, Belarus, Belgium, Brazil, Canada, China, France, Germany, India, Iran, Iraq, Italy, Japan, Kazakhstan, Netherlands, Poland, Romania, Russia, Saudi Arabia, Switzerland, Tajikistan, Turkey, Ukraine, United Kingdom, United States, Uzbekistan, and Yemen.
Las Vegas: the latest from Black Hat USA and DefCon 2014
Briefings — August 6-7 (Black Hat USA 2014) [Black Hat's repository of text and slide decks from keynotes and presentations]
Podcast: Black Hat News Wrap (Threatpost) Dennis Fisher, Mike Mimoso and Brian Donohue discuss the news from day one of Black Hat, including the Dan Geer keynote, attacks on mobile broadband modems and carriers' control of mobile phones
Lack of adequate control system security is 'shocking' and 'insane' (Help Net Security) The lack of adequate security for industrial control systems (ICS) is "shocking" and "insane," asserts Stefan Luders, computer security officer at European scientific research center CERN
Companies at Black Hat conference warned on cyber risk disclosure (Financial Times) An argument is raging about whether companies should be forced to disclose cyber attacks, as cyber security experts warn that retailers, hotels and airports across the US have gaping holes in their online security
No Fixes In Sight For Satellite Terminal Flaws (Dark Reading) At Black Hat USA, a researcher who in April revealed weaknesses in popular satellite ground terminal equipment found on air, land and sea, demonstrates possible attack scenarios
Carriers' remote control software continues to put some mobile devices at risk (CSO) Security researchers have identified serious vulnerabilities in carrier-mandated remote management software installed on mobile devices
Mobile broadband modems are 'easy to attack,' says researcher (FierceMobileIT) Mobile broadband modems, used by business travelers and others to get 4G speeds on their laptops, are vulnerable to web-based attack, warned Andreas Lindh, security analyst with ISecure Sweden, during a session at the Black Hat security conference
Expert Warns of Chip-and-PIN Pitfalls (Threatpost) The inevitable changeover from magnetic strip-based payment cards to EMV, or chip-and-PIN, is coming for consumers and merchants in the United States. And coming along with it are a raft of weaknesses and real-world attacks that shoot holes in the presumption that EMV will remedy credit card fraud
Researchers Use Automated Tools to Discover Malware Lineage (eWeek) Using a collection of pattern-matching techniques, researchers from security firm Invincea have created a system to better classify malware and identify code reuse among cyber-criminals
When Good USB Devices Go Bad (Dark Reading) Researchers offer more details about how USB devices can be leveraged in attacks
Heartbleed, GotoFail Bring Home Pwnie Awards (Dark Reading) The Pwnie Awards celebrate the best bug discoveries and worst security fails
How to Use Your Cat to Hack Your Neighbor's Wi-Fi (Wired) Late last month, a Siamese cat named Coco went wandering in his suburban Washington, DC neighborhood. He spent three hours exploring nearby backyards. He killed a mouse, whose carcass he thoughtfully brought home to his octogenarian owner, Nancy. And while he was out, Coco mapped dozens of his neighbors' Wi-Fi networks, identifying four routers that used an old, easily-broken form of encryption and another four that were left entirely unprotected
10 ways to get noticed at Black Hat (CSO) Some of the more eccentric members of the security industry show up for Black Hat each year, making it tough to stand out in the enormous crowd that flocks to Las Vegas for the A-list conference. But each year vendors manage to come up with gimmicks and gizmos that attract the throngs to their booths to hear a spiel or give up their contact information so they can receive sales calls when they get home. Here are some noteworthy examples from Black Hat 2014
Cyber Attacks, Threats, and Vulnerabilities
Ukraine PM's office hit by cyber attack linked to Russia (Financial Times) Dozens of computers in the Ukrainian prime minister's office and at least 10 of Ukraine's embassies abroad have been infected with a virulent cyber espionage weapon linked to Russia
Huge cyber spy campaign against hundreds of government and military targets uncovered (South China Morning Post) Hundreds of military and government targets hit in Europe and the Middle East
Turla cyber-espionage campaign puzzle solved (Help Net Security) Turla, also known as Snake or Uroburos is one of the most sophisticated ongoing cyber-espionage campaigns. When the first research on Turla/Snake/Uroburos was published, it didn't answer one major question: how do victims get infected?
The Epic Turla Operation (SecureList) Solving some of the mysteries of Snake/Uroburos
Turla: Spying tool targets governments and diplomats (Symantec Connect) A cyberespionage campaign involving malware known as Wipbot and Turla has systematically targeted the governments and embassies of a number of former Eastern Bloc countries. Trojan.Wipbot (known by other vendors as Tavdig) is a back door used to facilitate reconnaissance operations before the attackers shift to long term monitoring operations using Trojan.Turla (which is known by other vendors as Uroboros, Snake, and Carbon). It appears that this combination of malware has been used for classic espionage-type operations for at least four years. Because of the targets chosen and the advanced nature of the malware used, Symantec believes that a state-sponsored group was behind these attacks
Attackers Used Multiple Zero-Days to Hit Spy Agencies in Cyber-Espionage Campaign (SecurityWeek) The campaign, called Epic Turla, targeted intelligence agencies, government institutions, embassies, military groups, education institutions, and research and pharmaceutical companies in more than 45 countries, the security firm said on Thursday
Kaspersky Lab Reveals a Look Inside Cyber-Espionage (TopTechNews) Where do cyberattacks come from, and what is their methodology? New research from Kaspersky Lab sheds light on those common questions, using a cyber-espionage operation as an example. Researchers at Kaspersky say they've kept tabs on an operation that was able to find its way into two spy agencies and hundreds of government and military targets in Europe and the Middle East over the past eight months
What Do Hackers Do With Your Stolen Info? (Bloomberg TV) A gang of hackers in Russia has amassed 1.2 billion sets of looted user names and passwords, according to a U.S. data security company
Attack method used by Russians to harvest more than 1B credentials is gaining popularity (FierceITSecurity) The attack method used by a Russian crime syndicate to steal more than 1 billion user credentials is gaining popularity among cybercriminals, warns Marc Gaffan, co-founder and chief business officer with Incapsula
CyberArk comments on Russian cyber gang steals 1.2bn usernames and passwords (Technuter) A Russian group has reportedly hacked 1.2 billion usernames and passwords, belonging to over 500 million email addresses, according to a report by Hold Security
Russian Hackers Probably Have Your Passwords. Now What? (TechCrunch) By now you've seen Tuesday's New York Times report that a security firm found a Russian hacking ring had pilfered 1.2 billion user name and password combinations and more than 500 million email addresses
'Staggering' data breach of 1.2B usernames and passwords could worsen: Expert (Fox News) The massive data breach revealed this week could be even worse than initially feared, warns a cybersecurity expert
Massive Russian hack has researchers scratching their heads (IT World) Many questions remain after a security company said it had uncovered a huge database of stolen online credentials
Disclosure of Russian password hack seems like fake antivirus scam (CSO) There were plenty of hyperbolic, sky-is-falling headlines yesterday about news that a Russian criminal organization has amassed over a billion compromised passwords. The information was vague and scarce on details, though, and accompanied by a pitch to sell a service from a virtually unknown security vendor. The whole thing feels like a marketing stunt, or a fake antivirus scam perpetrated on a global level
The Marketing of Security Threats: How Major Threats Get 'Sold' for Maximum Effect (BankInfoSecurity) Major information security warnings these days - from the newest banking Trojan or ransomware variant to the latest group of Chinese hackers or Russian cybercriminals — are often slickly marketed, with the announcements carefully timed
Two new variants of Gameover Zeus banking Trojan identified (Computing) Gameover Zeus, the banking Trojan whose communications network was taken down by international coordination at the beginning of June, has been resurrected, with two new variants identified in the wild by security software company Bitdefender
Critical WordPress plugin bug affects hundreds of thousands of sites (Ars Technica) Custom Contacts Form is vulnerable to remote takeover exploits
Attack Harbors Malware In Images (Dark Reading) 'Lurk' click-fraud campaign now employing steganography. Steganography long has been a tool in the intelligence community and most recently terror groups, but a cyber crime gang has been spotted using the stealth technique of embedding information or code inside digital images
More Details Regarding the Gizmodo Brazil Compromise (TrendLabs Security Intelligence Blog) At the tail end of July, we wrote about Gizmodo Brazil being compromised by cybercriminals in order to lead visitors into downloading backdoor malware into their machine. This is of course a very big deal, since it is a rather large and noteworthy website being hacked into — but it's par for the course for the region, seeing as the modus operandi of criminals that target Brazilian users typically resort to compromised websites and hosts in order to host malware and phishing pages
How hackers used Google in stealing corporate data (ComputerWorld) Poisoned Hurricane secrets revealed
Mr. Hack: Googlebot's Unruly Alter Ego (Incapsula Blog) In the first post of this two-part series, we shared our insights into Googlebot's activity and behavior patterns. However, no overview of Googlebot activity would be complete without a mention of Googlebot imposters, who assume Googlebot's identity to gain privileged access to websites and online information
Hacker Redirects Traffic From 19 Internet Providers to Steal Bitcoins (Wired) Among all the scams and thievery in the bitcoin economy, one recent hack sets a new bar for brazenness: Stealing an entire chunk of raw internet traffic from more than a dozen internet service providers, then shaking it down for as many bitcoins as possible
Hacker makes $84k hijacking Bitcoin mining pool (Guardian) Researchers investigated after their own Bitcoin mining pool was tapped, though how hackers accessed ISP infrastructure is still not known
Hacking for Bitcoins: The Underground Economy, Pt. 6 (Symantec Connect) Once touted as a single currency to rule them all, the peer-to-peer cryptocurrency known as Bitcoins have seen their reputation damaged by a number of high-profile examples of them being stolen, devalued, laundered, and used for illegal activities worldwide. While it could be argued that traditional currency has had its share of looters throughout history, the volatility of Bitcoins based on a smaller circulation quantity is cause for concern. Below, we highlight three dangers facing this new method of payment
Will Bitcoin Succeed? (Trend Micro CTO Insights) When you work for a security company, sometimes people think you must know everything there is to know about technology. So sometimes I get asked, "Will Bitcoin and other cryptocurrencies succeed?"
Smart grid attack scenarios (understand the threat to defend against it) (SmartGridNews) Quick Take: It's a war out there — literally. Hackers from hostile countries target the U.S. power grid every day. That's why I wanted to run this adaptation of a recent blog post from Trend Micro, an IT security company. I previously shared their view of the ways to attack a smart meter. This article explains how those attacks could extend to the entire grid
Security Patches, Mitigations, and Software Updates
OpenSSL Security Advisory: Information leak in pretty printing functions (CVE-2014-3508) (OpenSSL) A flaw in OBJ_obj2txt may cause pretty printing functions such as X509_name_oneline, X509_name_print_ex et al. to leak some information from the stack. Applications may be affected if they echo pretty printing output to the attacker. OpenSSL SSL/TLS clients and servers themselves are not affected
Microsoft Security Bulletin Advance Notification for August 2014 (Microsoft Security TechCenter) This is an advance notification of security bulletins that Microsoft is intending to release on August 12, 2014
IE plays security catch-up, will block outdated Java plug-ins (ComputerWorld) An update to IE 8 through IE 11 next week will introduce a new warning when users try to run an outmoded Java ActiveX control
Support for old versions of Internet Explorer to be dropped — in 2016 (Ars Technica) In 18 months, only the newest version of IE on each version of Windows will be supported
Microsoft blocking of old ActiveX not enough (ZDNet) It's a good thing that IE will warn you before running outdated versions of important ActiveX controls, but it's such a small thing compared to what Microsoft could do
How Google plans to encrypt the web (Naked Security) Today Google announced that websites using HTTPS, the secure version of HTTP, will have a better chance of ranking well in Google searches than those that don't
Cyber Trends
Cyber-attack disclosures rarely offer actionable information (FierceCIO) Despite increased public pressure and government legislation on organizations to report IT security incidents, those disclosures rarely include differentiated or actionable information
SEC Commissioner Highlights Need For Cyber-Risk Management In Speech At New York Stock Exchange (mondaq) As we've previously reported, cyber risks are an increasingly common risk facing businesses of all kinds. In a recent speech given at the New York Stock Exchange, SEC Commissioner Luis A. Aguilar emphasized that cybersecurity has grown to be a "top concern" of businesses and regulators alike and admonished companies, and more specifically their directors, to "take seriously their obligation to make sure that companies are appropriately addressing those risks"
What investors need to know about cybersecurity: How to evaluate investment risks (IRRC Institute) Companies are increasingly vulnerable to incoming cybersecurity threats from new directions and adversaries. Attacks in the form of "hacktivism," corporate espionage, insider and government threats, terrorism, and criminal activity can cost an organization time, resources, and irreparable harm to their reputation if not handled appropriately. Investors can examine corporate disclosures and engage with management to better consider the potential implications of cybersecurity when assessing investment options. It's more than a technology issue in the back office; it's a critical business issue that can dramatically impact a company's competitive position
Cybersecurity: Why It's Got to Be a Team Sport (BankInfoSecurity) Listening to Tony Sager, one might recall the days of the Cold War, when the threat of a nuclear holocaust felt scary and real, but America knew its sole enemy. "The government's job was to save us from the bad guys out there," says Sager, who spent most of his 30-plus-year government career as an information assurance leader at the National Security Agency
Expert: Cyber Breaches are 'Greatest Criminal Threat of 21st Century' (GovTech) As cyber-criminals become more sophisticated, Anthony Roman, president of risk-management firm Roman and Associates, says they are capable of hitting elements that keep society's autonomy and infrastructure functioning
A Holistic Approach to Security (BankInfoSecurity) No single security solution is enough to defend against today's multifaceted exploits. So it's time for a new holistic and cooperative approach to information security, says Bob Hansmann of Websense
Advanced persistent threat? Not so much, says researcher (FierceITSecurity) The term advanced persistent threat, or APT, is a misnomer because most APT attacks are anything but advanced, says John Pirc, chief technology officer at security testing firm NSS Labs
The Internet of Things Brings Far-Reaching Security Threats (CIO) Bringing new devices online at home and in the enterprise raises a host of security concerns that will require a more hands-on CIO and an organizational rethinking
Study: Government and businesses not deploying enough email authentication technology (FierceGovernmentIT) The majority of U.S. businesses and government agencies do not take adequate steps to secure their email and ensure that customers and business partners can tell if emails coming from their domains are genuine or forged, a new report finds
Marketplace
Professionalizing Cybersecurity: A path to universal standards and status (Pell Center for International Relations and Public Policy) This report addresses the widening gap between the supply of qualified information security professionals and the demand for skilled workers to secure critical infrastructure and cyberspace. It seeks to shed light on the current status of the cybersecurity labor market, which is best characterized as a fog of competing requirements, disjointed development programs, conflicting definitions of security roles and functions, and highly fragmented, competing, and often confusing professional certifications
US National Security Agency, Struggling to Recruit Top Talent, Turns to Silicon Valley (Reuters via NDTV) The US National Security Agency is turning to Silicon Valley for topflight talent, but first it has to rebuild trust
IBM offers cloud-based services to Chinese firms to address security concerns (Reuters via Investing.com) International Business Machines Corp said on Thursday it would provide cloud-based risk analysis for a Chinese financial data firm in a deal that executives heralded as a model for future business in China, where state-owned enterprises are increasingly shunning foreign technology on security grounds
After China's Government Bans Purchases Of Apple Devices, Is BlackBerry In Catbird Seat? (Seeking Alpha) According to Bloomberg News, the Chinese government has excluded Apple, Inc. (NASDAQ:AAPL) devices from the list of products that can be purchased with government money due to security issues. At least ten Apple products - including iPads and MacBooks - were excluded from a list compiled by the Ministry of Defense and National Development and Reform Commission
Microsoft's cloud contracts approved by European privacy authorities (Microsoft Trustworthy Computing) A big milestone was achieved this week. The Article 29 Working Party, a collection of 28 European Union data protection authorities, announced that Microsoft's contractual approach to enterprise cloud services is in line with EU data protection law
Protectionism a Growing Threat for Cross-Border M&As (American Lawyer) Cross-border megamergers are getting tougher for law firms and their corporate clients because of broadening definitions of national interest, Am Law 100 mergers and acquisition experts say
Gemalto to Acquire SafeNet for $890 Million (SecurityWeek) European security firm Gemalto said on Friday that it has agreed to buy data protection firm SafeNet for $890 million in cash
Encryption boom in Germany follows revelations of National Security Agency's spying abilities (The Republic) Revelations about the National Security Agency's electronic eavesdropping capabilities have sparked anger in Germany and a boom in encryption services that make it hard for the most sophisticated spies to read emails, listen to calls or comb through texts
Still not enough market demand for Windows 8 apps: Bitdefender (ARN) Security vendor is hesitant to put its security product on Windows Marketplace due to lack of market adoption
Square Will Now Pay Hackers For Reporting Bugs Responsibly (TechCrunch) If you consider yourself something of a white hat hacker, listen up: you've got a new service to poke at without fear of getting hauled into court, and it's a big one
Jack Huffard, Tenable Co-Founder, on Changing the 'Hacker' Discourse and Staying Abreast of Disruptive Cyber Trends (WashingtonExec) It took more than Old Bay and blue crabs to get Jack Huffard to leave the Boston tech scene and say a more permanent goodbye to his Carrolton, Ga. hometown, to co-found a cybersecurity company in Maryland just over 10 years ago
CSG Invotas Names Gary McGraw to Advisory Board (MarketWatch) CSG's Groundbreaking Enterprise Security Business Selects Renown Author and Industry Expert to Complement Accomplished Team of Advisors
ThreatTrack Security Appoints Michael Conlon as Vice President of Global Channels (Providence Journal) ThreatTrack Security — a leader in malware protection solutions that identify, stop and remediate advanced threats, targeted attacks and other sophisticated malware designed to evade traditional cyber defenses — today announced the appointment of Michael Conlon as vice president of Global Channels
Products, Services, and Solutions
Yahoo to Release End-to-End Encryption for Email Users (Threatpost) Yahoo plans to enable end-to-end encryption for all of its Mail users next year. The company is working with Google on the project and the encryption will be mostly transparent for users, making it as simple as possible to use
Top 5 Antivirus Apps for Android (Business News Daily) If you use your smartphone for business, security is a top concern. Failure to install a good antivirus app can have serious consequences, putting your device at risk for infection by corrupt apps and malware. Not only could that stop your phone from functioning properly, but it can also compromise sensitive company or client data stored on your phone or tablet. Fortunately, there are a ton of good security apps that can lock down your Android device and keep it safe from rogue applications. Whether you can get by with a free security app, or want to invest in a more robust paid antivirus suite, here are five of the best on Android
The best free antivirus software for PC (PC Gamer) The last thing you want on your PC is a virus. The second-to-last thing you want on your PC is antivirus software that slows down your computer when you're gaming. Spending money on your antivirus software doesn't guarantee that you're getting the best, either. These days, there are a ton of free antivirus options, and many of them will keep your computer perfectly safe from the trojans and spyware and adware that lurk on the Internet
Take Control of Your Privacy Settings on Twitter with AVG PrivacyFix (WhaTech) AVG Technologies N.V. (NYSE: AVG), the online security company for 182 million active users, today announced a number of updates to its flagship AVG PrivacyFix application, including extending its scope to the popular social network Twitter and enabling users to assess their 'worth' to the key networks in terms of targeted advertising value
FortyCloud Upsizes Clientele Through Collaboration W/ Rackspace (CloudWedge) FortyCloud, an Israeli cloud security startup with offices in US, has joined forces with Rackspace. The firm will provide a comprehensive security solution to all Rackspace customers through Rackspace Marketplace. This network security-as-a-service works independently, although it is interoperable with Rackspace cloud services
FireEye Announces Release of Incident Response & Computer Forensics, Third Edition (CNN Money) Latest version of expert security guide addresses rapidly-changing incident response landscape
Could the Judge of the Future be Silicon-Based? (American Lawyer) It's unsettling, really. While Colin Rule was the director of online dispute resolution for eBay Inc. from 2003 to 2011, he helped develop a system that managed 60 million disputes per year. Ninety percent of those disputes were settled without any human intervention
SnoopWall Launches Free Privacy App to Detect and Block Cyber Criminals, Snoops, Spies and Online Predators (Broadway World) SnoopWall, the world's first counterveillance software company, announced today the release of Privacy App for Android platform mobile devices. The launch coincides with two of the world's leading cybersecurity and computer hackers' conferences held in Las Vegas, Nevada, Black Hat 2014 and DefCon 2014
Foursquare app tracks your location by default whenever your phone is on (Naked Security) Foursquare, makers of the popular app that lets you "check in" wherever you go, unveiled a new version this week that the company hopes will make it the go-to service for local search
Prioritizing vulnerabilities to close gaps where it matters (Help Net Security) Core Security announced the latest version of the Core Attack Intelligence Platform, which consolidates, prioritizes and validates the overwhelming quantity of vulnerabilities identified by scanners
Technologies, Techniques, and Standards
Checking for vulnerabilities in the Smart Grid System (Internet Storm Center) SCADA systems are not composed the same way as regular IT systems. Therefore, the risk and vulnerability assessment cannot be performed as it is done for any other IT system. The most important differences are
GICSP: Deconstructing SANS Institute's new ICS security cert (TechTarget) A new SANS Institute certification, GICSP, could prove useful to industrial control system (ICS) security professionals. Expert Ernie Hayden explains the certification and how to prepare for the exam
What is HTTPS and why does Google like it so much? (Quartz) Google has announced it will give sites using encryption a higher rank in its search algorithms. Particularly, it singled out HTTPS, which it characterizes as "industry-leading security"
Academia
SWSIS program awards cybersecurity scholarships to women (Help Net Security) Responding to a shortage of cybersecurity professionals across the United States and a dearth of women in the field, Applied Computer Security Associates (ACSA) and the Computing Research Association's Committee on the Status of Women in Computing Research (CRA-W) announced the winning recipients of the 2014 Scholarship for Women Studying Information Security (SWSIS)
FBI hosts 'CyberCamp' for high school students (Charlotte Observer) This FBI manhunt is for young talent
SMU Named National Center Of Excellence In Cyber Defense Education (Dallas South News) SMU has been re-designated a National Center of Academic Excellence in Information Assurance/Cyber Defense Education through 2021 by the National Security Agency (NSA) and the U.S. Department of Homeland Security, underscoring the record of successful work in this area by the Lyle School of Engineering
Legislation, Policy, and Regulation
Cyber defender Brandis is proving unfit for purpose (ZDNet) The minister responsible for leading cabinet discussions about Australia's cybersecurity can't even explain a web address. May God have mercy on our souls
Abbott's national security failure (Business Spectator) Proper 'process' might sound like bureaucratic jargon but a prime minister ignores it at his or her peril. Applied to cabinet, it includes making sure ministers have all the facts. Importantly, it requires having present for the discussion all those who should be in the room
Cyber security: Canada pokes a dragon (Trustifier) There were media reports last week about a cyber attack against the National Research Council in Ottawa. The attack origins were supposedly traced back to China. The Canadian Government huffed and puffed and went ahead and admonished China publicly for catching their hand in the fortune cookie jar. Predictably, China denied the whole thing
China will keep spying. Canada must respond with skill, not rhetoric (Globe and Mail) Ottawa's allegation that "a highly sophisticated Chinese state sponsored actor" targeted computers at Canada's National Research Council threw a wrench into Foreign Minister John Baird's visit to Beijing this week. We're assured that his exchange with his Chinese counterpart was "full and frank." We could use some of that frankness here in Canada
The Canadian Government Is Now Fully in the Cyberwar Battlefield (Motherboard) After Chinese hackers spent the last month infiltrating Canada's National Research Council (NRC), an organization presiding over some of the country's most cherished scientific research and development, Canadians have been looking for assurances it won't happen again
Former top brass say cyberspace key in new defense rules (Japan Times) As Japan and the U.S. work toward a historic upgrade of bilateral defense cooperation guidelines for the first time in 17 years, the biggest tasks for the two allies may be dealing with China's growing military and economic might while also keeping an eye on events in North Korea and its unpredictable leader
Danzig: Focus on cyber 'existential' threats undermines U.S. preparedness (Inside Cybersecurity) Washington's recurring tendency to label cyber attacks an "existential" threat to the United States exaggerates the danger and fails to focus attention on managing significant cyber risks to critical infrastructure and U.S. national security, according to Richard Danzig, a key administration adviser and author of a recent cybersecurity study
It's not you, it's me: committee of cryptographic experts tries to crack NIST/NSA relationship (Access) In response to stories in the New York Times, ProPublica, and the Guardian that the National Security Agency ("NSA") was undermining encryption standards, The Visiting Committee on Advanced Technology (VCAT) released a report that called for increased transparency and internal expertise at the National Institute for Standards and Technologies ("NIST"). The VCAT reviews and makes recommendations regarding general policy for the National Institute of Standards and Technology. The VCAT formed a Committee of Visitors ("COV") in mid-April to review the relationship between NIST and the NSA
1st IO Command (Land) welcomes new commander (Belvoir Eagle) Col. Jayson M. Spade took command of the 1st Information Operations Command (Land) from Col. Jon N. Leonard II during a ceremony July 31, at Long Parade Field on Fort Belvoir
Litigation, Investigation, and Law Enforcement
Evidence of another Snowden-like mole is worrying Feds (Naked Security) Last year, Edward Snowden disappeared. Eventually, he turned up in Russia. Since then, the US government has been trying to answer a crucial question: is Snowden a lone wolf, or are other Edward Snowdens out there, leaking ever more classified documents?
The US Intelligence Community has a Third Leaker (Schneier on Security) Ever since The Intercept published this story about the US government's Terrorist Screening Database, the press has been writing about a "second leaker"
FBI Probes Cyber Attack on US DHS Contractor (CBR) The FBI has started a probe into a reported cyber attack on Virginia-based company US Investigations Services, which was working as a contractor with the US Department of Homeland Security (DHS) to check backgrounds of officials
Ex-Citadel Worker Pleads Guilty to HFT Data Theft (BusinessWeek) A former Citadel LLC employee pleaded guilty to stealing data from the Chicago investment firm and high-frequency trading computer code from another company
Man arrested in Utah university breach affecting 1,200 (SC Magazine) Up to 1,200 students, faculty and staff at Webster State University (WSU) in Utah might have had personal information compromised earlier this year and the man suspected of the breach has been nabbed
UK piracy police arrest man suspected of running proxy server (Ars Technica) Don't try to bypass Internet blocking orders
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
SHARE in Pittsburgh (Pittsburgh, Pennsylvania, USA, Aug 3 - 8, 2014) LEARN: Subject-matter experts and practitioners are on-hand at SHARE events to discuss major issues facing enterprise IT professionals today. FOCUS: SHARE provides leading-edge technical education on a variety of topics. Whether you are an IT manager, IT architect, systems analyst, systems programmer or in IT support, SHARE offers focused sessions to benefit all job roles. ENGAGE: At SHARE events, you will experience a wide variety of formal and informal networking opportunities that encourage valuable peer-to-peer interaction
DEF CON 22 (Las Vegas, Nevada, USA, Aug 7 - 10, 2014) The annual hacker conference, with speakers, panels, and contests. Visit the site and penetrate to the schedules and announcements.
South Africa Banking and ICT Summit (Lusaka, Zambia, Aug 8, 2014) The South Africa Banking and ICT Summit is the exclusive platform to meet industry thought leaders and decision makers, discover leading edge products and services and discuss innovative strategies to implement these new solutions into your organization.
SANS Cyber Defense Summit and Training (Nashville, Tennessee, USA, Aug 13 - 20, 2014) The SANS Institute's Cyber Defense Summit will be paired with intensive pre-summit hands-on information security training (August 13-18). This event marks the first time that SANS will conduct a training event and Summit that brings together cyber defense practitioners focused on defensive tactics as opposed to offensive approaches to thwart cyber attackers and prevent intrusions.
Resilience Week (Denver, Colorado, USA, Aug 19 - 21, 2014) Symposia dedicated to promising research in resilient systems that will protect critical cyber-physical infrastructures from unexpected and malicious threats—securing our way of life.
AFCEA Technology & Cyber Day (Tinker AFB, Oklahoma, USA, Aug 21, 2014) The Armed Forces Communications & Electronics Association (AFCEA) — Oklahoma City Chapter will once again host the 10th Annual Information Technology & Cyber Security Day at Tinker AFB. This is the only event of its kind held at Tinker AFB each year. This annual event allows exhibitors the opportunity to network with key information technology, cyber security, communications, engineering, contracting personnel and decision makers at Tinker AFB. Over 250 attendees participated in the 2013 event and we expect the same level of attendance in 2014.
c0c0n: International Information Security and Hacking Conference (Aug 22 - 23, 2014) c0c0n, previously known as Cyber Safe, is an annual event conducted as part of the International Information Security Day. The Information Security Research Association along with Matriux Security Community is organizing a 2-day International Security and Hacking Conference titled c0c0n 2014, as part of Information Security Day 2014. c0c0n 2013 was supported by the Kerala Police and we expect the same this year too. Various technical, non-technical, legal and community events are organized as part of the program. c0c0n 2014 is scheduled on 22, 23 Aug 2014.
Build IT Break IT Fix IT: Build IT (Online, Aug 28, 2014) The Build it Break it Fix it security contest is a new security-oriented programming contest held by the Maryland Cybersecurity Center, Cyberpoint, and Trail of Bits. The Build it Break it Fix it security contest aims to teach students to write more secure programs. The contest evaluates participants' abilities to develop secure and efficient programs. The contest is broken up into three rounds that take place over consecutive weekends. During the Build It round, builders write software that implements the system prescribed by the contest. In the Break It round, breakers find as many flaws as possible in the Build It implementations submitted by other teams. During the Fix It round, builders attempt to fix any problems in their Build It submissions that were identified by other breaker teams. Each round will respectively start on August 28th, September 4th, and September 12th
The Hackers Conference (New Delhi, India, Aug 30, 2014) The Hackers Conference is a unique event, where the best of minds in the hacking world, leaders in the information security industry and the cyber community along with policymakers and government representatives on cyber security meet face-to-face to join their efforts to cooperate in addressing the most topical issues of the Internet Security space. This is the third edition of the Conference. Following the huge success of the conference last year the current edition of the conference brings back to you all the knowledge, all the fun in a better, grander way.