The CyberWire Daily Briefing 08.11.14
Moroccan hacktivists hit Saratoga County (in upstate New York, USA) to protest Israeli actions in Gaza. The episode points to something genuine hacktivists share with physical-space demonstrators: it's more about the demonstration than the disruption.
That said, it's worth turning to the ongoing cyber conflict between Russia and its targets in the near abroad. Forbes warns of "false flag" attacks, and, while this is a useful reminder of the inherent difficulties of attack attribution in cyberspace (a difficulty cyber attacks share with terrorist actions), the attacks the article discusses aren't really false flag operations. State cyber operations do indeed use front groups, but true false flags seem less common than fronts or (internal) provocations.
The Turla cyber espionage campaign, generally attributed to Russia, continues to infest diplomatic networks, with particular attention devoted to former Soviet republics and Warsaw Pact alumni.
CyberVor prompts discussion of the ethics of disclosure and the packaging of security services.
Last week's Gamma International hack, which leaked information on the distribution and use of the FinFisher lawful intercept tool, remains in the news. One of those claiming responsibility for the hack (who's anonymous-with-a-small-a) says it was easy, and publishes a how-to guide to penetrating non-cooperating networks. (A DIY competitor of FinFisher, in a way.)
Microsoft is increasingly unwelcome in China (but IBM seems to be doing alright there). Huawei, in bad odor with the US, finds customers in Canada.
IBM announces acquisition of Lighthouse Security. Gemalto sees SafeNet as an encryption and authentication cloud security play.
Today's issue includes events affecting Australia, Bahrain, Canada, China, European Union, India, Israel, Morocco, Palestinian Territories, Poland, Romania, Russia, Ukraine, United Arab Emirates, and United States.
Las Vegas: the latest from Black Hat USA and DefCon 2014
What happens in Vegas: Black Hat and Def Con in pictures (Ars Technica) Ars spends a week in Sin City and keeps Wi-Fi turned off on its phones
The Sadness of the Wise IT Security Pro (HealthcareInfoSecurity) Observations from Black Hat Security Conference
The clash of cultures between Black Hat and Defcon hacker events (Venture Beat) Hordes of security professionals, hackers, federal agents and media invaded Las Vegas this week to attend the Black Hat and Defcon conferences
U.S. intel officials see no proof — yet — that Snowden leaks are behind Chinese & Russian crackdowns (exclusive) (Venture Beat) American intelligence officials lack evidence that leaks from former National Security Agency contractor Edward Snowden are behind the Russian and Chinese governments' heavy crackdowns on U.S. tech giants
Snowden leaks prompt firms to focus cyber security on insider threats (Los Angeles Times) At this week's Def Con hacker gathering in Las Vegas, Tess Schrodinger sounded almost annoyed
Salted Hash: Live from DEF CON — Social Engineering (CSO) In this update, we tackle a topic that has always been part of DEF CON
Salted Hash: Line Jumping at DEF CON 22 (CSO) Today starts the final phase of Hacker Summer Camp, and Salted Hash will be wandering the halls — albeit a bit slowly — to offer random bits of coverage from DEF CON 22
DefCon: You cannot 'cyberhijack' an airplane, but you can create mischief (SC Magazine) It is not possible to hack a plane and take control of the aircraft, but creating some mischief is still possible, according to speakers at DefCon 22. Hacking a plane and taking control of the aircraft is a considerably scary prospect, but two speakers at DefCon 22 in Las Vegas quashed the notion and put worries to rest
Black Hat: Airport security equipment at risk (SC Magazine) While the Transportation Security Administration and the Department of Homeland Security are very exacting in the specifications that airport security equipment must meet, x-ray machines, trace detection scanners, time and attendance clocks and the like all have backdoors and other vulnerabilities that can be exploited
Researcher Finds Potholes In Vehicle Traffic Control Systems (Dark Reading) Hundreds of thousands of road traffic sensor and repeater equipment at risk of attack, researcher says
Small IoT Firms Get A Security Assist (Dark Reading) BuildItSecure.ly, an initiative where researchers vet code for small Internet of Things vendors, in the spotlight at DEF CON 22
Yahoo CISO Details Challenge of Security at Scale (eSecurity Planet) Security vendors focus on banks not Web-scale companies, says Yahoo CISO Alex Stamos
Oracle Database 12c's data redaction security smashed live on stage (The Register) Microsoft should school Ellison on safeguarding privates, says infosec bod
Crypto Daddy Phil Zimmerman says surveillance society is DOOMED (The Register) We've been here before when we defeated slavery and the absolute monarchy
Father of PGP encryption: Telcos need to get out of bed with governments (Ars Technica) Zimmermann's Silent Circle working with Dutch telco to deliver encrypted calls
Encryption Keeps Your Data Safe. Or Does It? (SecurityWatch) In the post-Snowden era, many people have come to believe that the only way to maintain privacy is through encrypting everything. (Well, as long as your encryption doesn't use the flawed RSA algorithm that gave the NSA a backdoor.) A fast-moving session at the Black Hat 2014 conference challenged the assumption that encryption equals safety. Thomas Ptacek, co-founder of Matasano Security, noted that "nobody who implements cryptography gets it completely right," and went on to demonstrate that fact in detail
Smart Nest thermostat easily turned into spying device (Help Net Security) At this year's edition of the Black Hat security conference, a group of researchers has shown how extremely easy it is to hack into the smart thermostats manufactured by Nest
Want a safe car? Check its cyber safety rating (CNET) At the Defcon hackers convention, a security research group proposes an automobile cyber safety rating system that could go far beyond hacking cars
Automakers Openly Challenged To Bake In Security (Dark Reading) An open letter sent to automobile manufacturer CEOs asks carmakers to adopt a proposed five-star cyber safety program
Forget Car Hacking: Phone Calls and Web Bots Are the True Security Threat (Motherboard) Take a stroll through the Black Hat sales floor, where the nation's premier security conference is taking place this week, and you'll inevitably find some marketing types wearing tinfoil hats sucking down the cold, overly-processed air. It's their idea of 'fun' corporate irony. But it does reflect some truth: there's a lot of paranoia zipping around the gaudy halls of the Mandalay Bay hotel in Las Vegas
US 911 service needs emergency upgrade and some basic security against scumbags (The Register) 12-year-old spoofs system to try and get Justin Bieber shot
Animal hackers: War Kitteh sniffs out insecure Wi-fi networks (The Guardian) Def Con hacking convention showcases new security role for cats and dogs, but projects are no joke
John McAfee In Crazytown (TechCrunch) "The press has portrayed me alternately as a mad genius or a mad psychotic genius," began the infamous John McAfee, speaking at Def Con — and why break that streak now? I must admit: when he's crazy, he's crazy like a fox. Ultimately, though, as insane and riveting as his tale is, what's most interesting to me is the way he has weirdly come to symbolize his audience
Cyber Attacks, Threats, and Vulnerabilities
Moroccan hackers hack Saratoga County, New York website against Israeli bombings (HackRead) The famous Moroccan hackers going by the handle of Moroccan Agent Secret have hacked and defaced the U.S. government-owned Saratoga County, New York website under the banner of #OpSaveGaza
Polish embassy in Ukraine computers under Russian cyber attack (Polskie Radio) Ukrainian PM's Office in Kiev plus 10 embassies in the Ukrainian capital, including Poland's, have been under cyber attack from hackers connected to Russia, UK media reports
Intelligence Service spokesperson: Romanian institutions targeted in large scale cyber-attack (ACTMEDIA) Some public institutions of Romania are the target of a large-scale cyber-attack, said the spokesperson of the Romanian Intelligence Service (SRI), Sorin Sava
More than 40 governments hit by suspected Russian-state cyber attack (SC Magazine) A likely Russian state cyber-attack has hit a Western European government ministry, a US medical organisation and more than 45 Eastern Bloc and Middle East governments, according to new information from Kaspersky and Symantec
Will Putin go for cyber revenge? (Philly.com) Vladimir Putin is mad and has vowed revenge. Will it include a cybercrime wave directed at the West? And if yes, has it already begun?
Cyber-Security Expert Warns Of 'False Flag' Digital Attacks (Forbes) When a soldier comes under sniper fire, it's very difficult to know where the shots are coming from. But when it comes to war fought online, it's often a piece of cake to work out where an attack comes from. It's finding out who did it that's the hard bit
Security breach in NIC, critical data at risk (Hindustan Times) A major security breach of the National Informatics Centre (NIC), which runs all the emails of senior officials and websites of all central government departments, allowed hackers to issue several fraudulent digital certificates, raising global concerns about India's net security practices
Don't dismiss barrage of spam, security experts warn (Minneapolis Star Tribune) Monitor your inbox and change passwords in light of Russian hack attack
On sale: False sense of Internet security, for the low, low price of $120 (InfoWorld) Is your name among the stash of 1.2 billion stolen passwords? An Internet security firm can tell you — for pennies per day!
Hold and catch fire: Debating ethical data breach notification policy (Tech Target) When a breach occurs, it's common practice to share the information with victims — both the users and the companies involved. However, Hold Security's billion-password hack disclosure hasn't followed standard procedure
Major Security Breach Disclosure Restarts Debate (IT Business Edge) Yesterday, Sue Marquette Poremba, writing on IT Business Edge about the alleged breach of over a billion personal records by a Russian gang, brought up the long-running question of the treatment of security breach disclosures
FinFisher Government Spy Software Secrets Revealed by Hackers (Tripwire: The State of Security) A company called Gamma International has suffered a serious security breach, resulting in hackers posting its confidential data on the web for anyone to download
FinFisher hack: The Bahrain Logs (InternetProtectionLabs) On August 3rd, a hacker was able to obtain 40 GB of data from Gamma Group. Gamma Group is the producer of the notorious FinFisher malware that allows attackers to take over a target's computer, allowing the attacker access to the entire system, including turning on the webcam and microphone to spy on more than just the files present
Hacking is simple, says author claiming role in breach of spyware firm (Ars Technica) DIY guide provides instructions for carrying out similar muckraking exploits
IBM uncovers Android banking vulnerability; consumers turned off by security fears (Finextra) One-in-ten banking apps are wide open to a malicious drive-by hacking exploit that exposes user credentials when visiting bug-laden websites
Android "Heart App" virus spreads quickly, author arrested within 17 hours (Naked Security) SophosLabs has been following an interesting Android malware story over the past week. The malware goes by the name XX神器 (XXshenqi) in Chinese, or the Heart App, as it calls itself in English
Yahoo ads network helps hackers spread CryptoWall ransomware (Graham Cluley) When I speak to computer users about the worst malware threats they've encountered, many seem particularly rattled by ransomware
Facebook Malware: Protect Your Profile (InformationWeek) Malicious "Color Change" app has resurfaced on Facebook, compromising thousands of profiles. Here's what to do if you're infected
Misconfigurations Expose Organizations to Serious Risks (Norse Blog) From the Norse DarkWolf Research Team: The following are some details on two of this week's most active/observed IPs. In reviewing our data and the trending activity of some potentially malicious actors, we noticed two IP addresses in Canada which were creating a whole lot of noise for a Linux high availability cluster protocol
Weekly Exploit Report—a few interesting ones to be aware of (Alert Logic Blog) This weekly report discusses some of the more interesting vulnerabilities found and provides information you can use to patch your impacted systems appropriately. If there is not a patch available make sure to check for signatures or patterns that you can use to build content for your compensating security controls
Bitdefender says that Rihanna Sex Tape on Social Media is Simply Virus (Spamfighter News) Security firm Bitdefender has released a report saying that the sex tape starring Barbadian singer Rihanna and her long-time beau that is spreading on social networking websites is in reality a computer virus
Bitcoin 'Conspiracy Theory' Alleges Virtual Currency is NSA or CIA Project (International Business Times) Digital currency bitcoin, which has experienced sudden growth in terms of usage and value, has been criticised by many and some have labelled it as a ponzi scheme
Security Patches, Mitigations, and Software Updates
Microsoft has announced the latest round of security improvements for Azure (WinBeta) In a blog post on the Trustworthy Computing blog, Microsoft details how they are making Microsoft Azure more secure. The latest improvements help keep their customer's data safe from attackers. Specifically, Microsoft is implementing the latest TLS/SSL protocols to keep data in transmission more secure. By adding Perfect Forward Secrecy (PFS) connections to Azure, it will have more secure keys to encrypted data
Microsoft brings Internet Explorer's security into the 21st century (Naked Security) Internet Explorer (IE) will finally catch up with rival browsers next week when it begins blocking out-of-date ActiveX controls
Yahoo Is Making It Harder for the NSA to Read Your Emails (TIME) Encryption will help your messages stay private
Watch That New Glucose Meter (LinkedIn) Apparently not just engineers are in demand at technology companies. According to the Reuters news service Samsung, Google and Apple are all hiring medical scientists with the hope of getting into the lucrative blood-sugar tracking market, estimated to be worth $2 Billion by 2017 by GlobalData. But if the devices — smart watches, for example — are marketed to diabetics, then the US Food and Drug Administration (FDA) will have to be involved. Experts predict these companies will first announce the products as fitness and health related, and not market them as medical devices
Verizon's Paul Pratley Outlines Threat Patterns Facing Finance, Insurance Industry (ExecutiveBiz) Paul Pratley, global investigations manager in the Verizon RISK team, has outlined the key threat patterns the finance and insurance industry is facing as they work to protect client and enterprise data
Big Data, Little Security (CFO) At many companies, big-data systems lack the security seen in other enterprise software
Inside The Crumbling Microsoft-China Love Affair (Worldcrunch) An antitrust investigation by Beijing authorities into the U.S. software giant was many months in the making, and may signal the end to a two-decade relationship built on billion-dollar deals
China's Huawei, Unwelcome in the U.S., Finds Favor in Canada (Bloomberg BusinessWeek) For years, Huawei Technologies has been a pariah in the U.S. The House Permanent Select Committee on Intelligence in 2012 issued a report concluding that its ties to the Chinese government pose a threat to U.S. national security and that Americans should avoid buying from the company, China's biggest maker of telecom-networking equipment
IBM Obtains a Cloud Computing Security Contract from a Large Chinese Financial Data Provider (GreatResponder) IBM's security contract from a Chinese financial company in the domain of cloud computing would open up new dimensions for American technology firms in the near future
IBM-Apple app deal for businesses hits snag as China spurns iPad (Gulf News) China represents an increasingly important market for IBM's handheld device business
Apple iPads and MacBook Pros banned for Chinese government use (Naked Security) China's escalating anti-US tech rampage already includes banning Windows 8 for use in government offices, raiding Microsoft and partner Accenture's offices in China as part of an anti-trust investigation, and calling iPhones hazardous to state security
IBM Acquires Cloud Security Services Provider Lighthouse Security Group (IBM) Simplifies identity protection in the age of mobile, social and cloud
Gemalto to Buy Data Protection Firm SafeNet for $890 Million (Re/code) Gemalto NV, the digital security company that makes smart chips for mobile phones, bank cards and biometric passports, will buy U.S.-based data protection specialist SafeNet for $890 million, it said on Friday, in a move set to boost its earnings and reach
Summit Research: It's Time To Defend FireEye (Benzinga) On Friday, Summit Research Partners wrote a note to clients defending FireEye (NASDAQ: FEYE) following its second quarter results on August 5 and subsequent 11 percent decline the following trading day
Proofpoint Coverage Initiated by Analysts at Wells Fargo & Co. (PFPT) (Ticker Report) Investment analysts at Wells Fargo & Co. initiated coverage on shares of Proofpoint (NASDAQ:PFPT) in a note issued to investors on Friday, TheFlyOnTheWall.com reports. The firm set an "outperform" rating on the stock
Network Rail gears up against growing threat of cyber attacks (IT Governance) Network Rail may soon be bracing itself for an onslaught of cyber attacks as it steps up efforts to increase its reliance on technology over the next three to five years
Security firm scouts Black Hat for part-time hackers (Los Angeles Times) At this week's Black Hat conference in Las Vegas, companies from around the world came to recruit the brightest minds in cybersecurity and offer them full-time jobs
Facebook invades your personality, not your privacy (Financial Times) The company has no power to make us happy or sad but it will not hesitate if it helps earnings
FishNet Security Presented With F5 Partner of the Year Award at Agility 2014 (MarketWired) For the second consecutive year FishNet Security is recognized for outstanding sales, service and technology investments
Products, Services, and Solutions
On Point: Cloud Security Products Make Debut (Channelnomics) CloudLink Technologies, a leader in cloud security and data encryption management, announced the availability of CloudLink SecureVM solution for Microsoft Azure, enabling Azure customers to manage the encryption of Windows and Linux-based virtual machines…Catbird, a leader in security policy automation and enforcement for private clouds and virtual infrastructure, announced the forthcoming availability of its flagship cloud security and compliance solution, Catbird 6.0, with security policy automation for OpenStack
eScan Internet Security Suite with Cloud Security receives AV-TEST certification (Parda Phash) eScan, one of the leading Anti-Virus and Content Security Solution providers has bagged the latest AV-TEST certification for their Home user product, eScan Internet Security Suite with Cloud Security. The product proved 100% effective against harmful malware attacks, inclusive of web and e-mail threats during the test that was conducted in May and June 2014
ManTech upgrades enterprise malware defense platform (GCN) Government IT managers are always looking for ways to stay ahead of cybersecurity threats. To address the increasing need for enterprise threat detection tools, ManTech updated its Active Defense endpoint malware protection platform to better streamline detection and incident response
End-to-end encryption hardware for unsecure networks (Help Net Security) x.o.ware has debuted the ExoNetTM VPEx Gateway and its companion product, the ExoKey Secure Communications Extension, this week at Black Hat USA 2014
Mocana offers an alternative to OpenSSL on Apache web servers (Help Net Security) At the Black Hat conference, Mocana debuted its enterprise-grade NorthStar secure connectivity solution for Apache web servers, a highly secure, drop-in replacement for the vulnerability-prone and widely adopted OpenSSL stack
Unified solution for dynamic mitigation of cyberattacks (Help Net Security) ForeScout Technologies, provider of pervasive network security solutions for Global 2000 enterprises and government organizations, and ThreatStream, a cyber intelligence company that enables the disruption of cyberattacks in real time, today announced a partnership and plans to enable the ThreatStream OPTIC platform to interoperate with ForeScout's CounterACT platform
IronTree partners with Panda to deliver unique SaaS offering for SMEs (Panda Security) IronTree has extended its range of cloud services to include Panda Cloud Fusion, delivering comprehensive security, management and support into one easy-to-use solution
BAE Systems Applied Intelligence enhances its award-winning technology to help global companies combat increasing threat from money laundering (MENAFN Press) BAE Systems Applied Intelligence today unveils its enhanced NetReveal Anti-Money Laundering (AML) suite of solutions, which offers an end-to-end service that will help clients address ever more rigorous regulatory requirements. The updated suite builds upon the award-winning solution that was recognised by CEB TowerGroup as being a best in class provider for Anti-Money Laundering. It will offer current and prospective clients a range of new capabilities that will enhance their ability to prevent money laundering and terrorist financing, and manage compliance obligations
Kaspersky AntiVirus 2015 vs Bitdefender AntiVirus Plus 2015 — Which Can You Trust Better? (The Fuse Joplin) Who, these days, doesn't have at least one computer in their house? If you're reading this, you probably have one too. Well, you know that when you first buy the computer, the first thing that crosses your mind is that you need to find a good antivirus. An antivirus has now become a mandatory part of a computer, that's if you don't want to get overwhelmed with viruses from ads and so on. Today we thought we would cover two of the most talked about in this category: the Kaspersky Antivirus 2015 and the Bitdefender Antivirus Plus 2015. But now, which one do you choose?
Securonix Releases Industry's First Enterprise Class Real-Time Security Analytics Platform at Black Hat 2014 (MarketWired) Securonix LLC, the industry-leading platform for security analytics and intelligence, today announced the general availability of Securonix Security Intelligence Platform 4.6, the company's flagship software platform for enterprise security analytics and intelligence. This new release brings the power of Securonix's purpose built security analytics into a real-time detection and response across an enterprise environment — network devices, applications, databases, and hosts
Technologies, Techniques, and Standards
Turns Out Your Complex Passwords Aren't That Much Safer (Wired) When the computer security company Hold Security reported that more than 1.2 billion online credentials had been swiped by Russian hackers, many people were worried — and justifiably so. Hold isn't saying exactly which websites were hit, but with so many credentials stolen, it's likely that hundreds of millions of ordinary consumers were affected
De-identification effective in maintaining patient privacy if done right (FierceHealthIT) As hospitals and healthcare organizations adopt new ways to store and share data, privacy and security of the information is a top priority — and with that comes de-identification of data
Insider threat program training starts with Security 101 (Federal News Radio) The concept of putting an insider threat program (ITP) in place is to provide greater attention to protecting an organization's assets — personnel, data, information systems and networks — from the malicious insider
How to Prevent Automated Cloud Fraud: Black Hat (eWeek) It's possible to build a cloud botnet using free trials, but thanks to a new effort from security firm Bishop Fox, there is now a framework to limit the risk
Emerging networking technology used by Apple, Cisco will frustrate firewalls (IT World) Multipath TCP improves performance but hampers security
Verifying preferred SSL/TLS ciphers with Nmap (Internet Storm Center) In the last year or two, there has been a lot of talk regarding correct usage of SSL/TLS ciphers on web servers. Due to various more or less well-known incidents, web sites today should use PFS (Perfect Forward Secrecy), a mechanism that is used when an SSL/TLS connection is established and symmetric keys are exchanged. PFS ensures that, in case an attacker obtains the server's private key, he cannot decrypt previous SSL/TLS connections to that server. If PFS is not used (if RSA is used to exchange symmetric keys), then the attacker can easily decrypt *all* previous SSL/TLS connections. That's bad
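The check the ISC diary above describes can be automated against the output of nmap's ssl-enum-ciphers script. The following is an added example written for this briefing, not code from the diary or from the Nmap project: it parses a constructed sample in the layout nmap prints (the sample is not a real scan), decides from each suite's key-exchange segment whether it offers forward secrecy, reports which suite the server itself prefers (when nmap reports `cipher preference: server` it lists suites in the server's order), and flags finite-field DH parameters under 2048 bits. The 2048-bit threshold and the "(dh 1024)"-style parameter annotation are assumptions about current nmap output, not facts from the page.

```python
import re

# Constructed sample in the layout nmap's ssl-enum-ciphers script prints for
# `nmap --script ssl-enum-ciphers -p 443 <host>`; it is not output from a real scan.
SAMPLE_NMAP_OUTPUT = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|     compressors:
|       NULL
|     cipher preference: server
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
"""

PROTO_RE = re.compile(r"^\|\s+(SSLv3|TLSv1\.[0-3]):$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)(?:\s+\(([^)]*)\))?\s+-\s+([A-F])$")
PREF_RE = re.compile(r"^\|\s+cipher preference:\s+(\w+)$")


def parse_ssl_enum_ciphers(text):
    """Map protocol version -> {"ciphers": [...], "preference": "server"|"client"|None}.
    Ciphers keep the order nmap prints them in; with server preference that is
    the server's own order, so the first entry is what it will pick."""
    result, proto = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PROTO_RE.match(line)
        if m:
            proto = m.group(1)
            result[proto] = {"ciphers": [], "preference": None}
            continue
        if proto is None:
            continue
        m = CIPHER_RE.match(line)
        if m:
            result[proto]["ciphers"].append(
                {"name": m.group(1), "kex_info": m.group(2) or "", "grade": m.group(3)})
            continue
        m = PREF_RE.match(line)
        if m:
            result[proto]["preference"] = m.group(1)
    return result


def provides_pfs(cipher_name):
    """Forward secrecy comes from ephemeral (EC)DH key agreement, which the suite
    name encodes in its key-exchange part: ECDHE_/DHE_ yes; RSA, static DH/ECDH no.
    TLS 1.3 suites (no _WITH_ segment) always use ephemeral key exchange."""
    if "_WITH_" not in cipher_name:
        return True
    kex = cipher_name.split("_WITH_", 1)[0]
    return "DHE" in kex  # matches both TLS_DHE_* and TLS_ECDHE_*


def weak_dh_params(kex_info, min_bits=2048):
    """True when nmap reports finite-field DH parameters below min_bits (assumed threshold)."""
    m = re.match(r"^dh (\d+)$", kex_info)
    return bool(m) and int(m.group(1)) < min_bits


def assess(parsed):
    """Per protocol: the server's preferred suite, whether it gives PFS, and the
    suites that would let a stolen private key decrypt recorded sessions."""
    findings = {}
    for proto, info in parsed.items():
        ciphers = info["ciphers"]
        preferred = ciphers[0]["name"] if ciphers and info["preference"] == "server" else None
        findings[proto] = {
            "preferred": preferred,
            "preferred_pfs": provides_pfs(preferred) if preferred else None,
            "non_pfs": [c["name"] for c in ciphers if not provides_pfs(c["name"])],
            "weak_kex": [c["name"] for c in ciphers if weak_dh_params(c["kex_info"])],
        }
    return findings


if __name__ == "__main__":
    for proto, f in assess(parse_ssl_enum_ciphers(SAMPLE_NMAP_OUTPUT)).items():
        print(f"{proto}: preferred={f['preferred']} pfs={f['preferred_pfs']} "
              f"non_pfs={f['non_pfs']} weak_kex={f['weak_kex']}")
```

On the sample, TLSv1.2 is fine (the server prefers an ECDHE suite) but TLSv1.0 clients get plain RSA key exchange, which is exactly the case the diary warns about, and both versions still offer 1024-bit DH, so a server that advertises PFS can still be configured to do it badly.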
Botnets: What are They, and How can You Protect Your Computer? (CollaboristaBlog) Chances are that every day your email address receives more than its fair share of spam messages. With luck you have good spam-filtering technology in place which (hopefully) is blocking most of the unwanted email and allowing only legitimate messages through
Cookies with Secure Flag: Undesired Behavior in Modern Browsers (Infosec Institute) When a cookie has secure flag set, it will only be sent over secure HTTPS, which is HTTP over SSL/TLS. This way, the authentication cookie will not be disclosed in insecure communication (HTTP). It turns out, however, that an insecure HTTP response can overwrite a cookie with secure flag in modern browsers. As a consequence, insecure HTTP traffic can have an impact on secure HTTPS traffic, which doesn't look good from a security point of view. This undesired behavior is the subject of this article
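The behaviour the Infosec Institute article describes is easiest to see in a small model of a browser cookie store. The block below is an added example for this briefing, not code from the article: it keys cookies by (name, domain, path) only, so the Secure flag governs when a cookie is *sent* but not whether a plaintext response may *replace* it, and it shows a plaintext HTTP response for the same host overwriting the bank's Secure session cookie. The `strict` mode implements the opposite policy, the "leave Secure cookies alone" rule browsers later adopted (draft RFC 6265bis), which refuses such overwrites. Host names, cookie values and the exact-host domain matching are constructed simplifications.

```python
from dataclasses import dataclass, field


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    path: str
    secure: bool


def parse_set_cookie(header, host):
    """Minimal Set-Cookie parser: name=value plus the Secure, Path and Domain
    attributes (Expires, HttpOnly etc. are ignored here). Default path is "/"
    as a simplification; real browsers derive it from the request URI."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip(), domain=host, path="/", secure=False)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "path" and val:
            cookie.path = val.strip()
        elif key == "domain" and val:
            cookie.domain = val.strip().lstrip(".").lower()
    return cookie


@dataclass
class CookieJar:
    """Toy model of a browser cookie store. The storage key is (name, domain,
    path); the Secure flag is not part of the key. With strict=False the jar
    behaves as the article describes: the flag only governs sending, so a
    plaintext HTTP response can silently replace a Secure cookie. With
    strict=True a non-HTTPS response can neither set a Secure cookie nor
    overwrite an existing one (the rule later written into draft RFC 6265bis).
    Domain matching is exact-host only, a simplification."""
    strict: bool = False
    store: dict = field(default_factory=dict)

    def set_from_response(self, scheme, host, set_cookie_header):
        """Store the cookie; returns True if accepted, False if rejected."""
        cookie = parse_set_cookie(set_cookie_header, host)
        key = (cookie.name, cookie.domain, cookie.path)
        if self.strict and scheme != "https":
            existing = self.store.get(key)
            if cookie.secure or (existing is not None and existing.secure):
                return False
        self.store[key] = cookie
        return True

    def cookie_header(self, scheme, host, path="/"):
        """Cookies a request to scheme://host/path would carry (Secure ones only over HTTPS)."""
        sent = []
        for cookie in self.store.values():
            if cookie.domain != host or not path.startswith(cookie.path):
                continue
            if cookie.secure and scheme != "https":
                continue
            sent.append(f"{cookie.name}={cookie.value}")
        return "; ".join(sent)


def demo(strict):
    """Constructed scenario: the bank sets a Secure session cookie over HTTPS, then an
    attacker on the network injects a plaintext HTTP response for the same host
    (e.g. after the victim loads any http:// URL) that re-sets the same cookie name.
    Returns (overwrite accepted?, cookie the next HTTPS request to the bank carries)."""
    jar = CookieJar(strict=strict)
    jar.set_from_response("https", "bank.example", "session=legit-token; Secure; Path=/")
    accepted = jar.set_from_response("http", "bank.example", "session=attacker-chosen; Path=/")
    return accepted, jar.cookie_header("https", "bank.example", "/account")


if __name__ == "__main__":
    print("classic browser:", demo(strict=False))  # attacker value reaches the HTTPS site
    print("strict browser: ", demo(strict=True))   # original Secure cookie kept
```

Note what the server can and cannot do about this: the Secure flag itself is not the fix, since the attacker's cookie is set by a response the victim's browser never shows them. Until browsers refuse the overwrite, the practical mitigations are on the server side (validate session tokens, never treat a client-supplied cookie value as trusted state) and in keeping the victim off plaintext HTTP for that host in the first place.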
How to Harden SSH with Identities and Certificates (Magnus Deininger) Whether you just need to feel in power or you actually use shells for day-to-day tasks, the Secure Shell [SSH] is probably the most important administrative access tool to your servers. It's also one of the least secured mission-critical services on most UNIX servers. Why? Because for some reason people are still using mere passwords to protect their root accounts. That's not quite as bad as using telnet, but not by too much. You might as well be using plain FTP to transfer data to your server… oh, wait, that's another article
Meet WordHound, the tool that puts a personal touch on password cracking (Ars Technica) Free software automates the process of waging highly targeted crack attacks
The art and science of detecting emerging threats (Help Net Security) In this interview, Stephen Huxter, COO at Darktrace, talks about the challenges involved in detecting emerging threats, Recursive Bayesian Estimation, the evolution of AI, and more
Lessons Learned From the Demise of Code Spaces (HackSurfer) Nearly two months ago a worst-case scenario hit Code Spaces: a cyber-attack that forced the business to close its doors
Seniors' Role in Cyber Security Risk Management (ClickSSL) Cyber security is no longer a secret to anyone; you probably encounter words like cyber crime, hacking and web security in your daily newspaper, online news, blogs, magazines, etc. Due to the nasty influx of cyber threats, organizations must take strict action against these culprits or they may face a critical time for their business. We habitually see millions of data breaches occur because of structural and organizational issues. Organizations are facing a holdup in stopping cyber crime completely. Thus, it seems difficult to carry out a risk management oriented cyber security model. Even after spending millions of dollars, cyber security has not achieved its true mark, and senior leaders in organizations should understand that the global economy is still affected by cyber crime
Use Russian hackers to demand better security (TechTarget) The hijack of 1.2 billion passwords got the world's attention this week. CIOs struggling to enforce security should take advantage
How to report identity theft: UAB online security expert offers tips in wake of massive data breach (al.com) In the wake of a massive online security breach perpetrated by Russian computer hackers — perhaps the largest ever — it is all the more important for consumers to know how to report identity theft
Design and Innovation
Call For Entry: CREATING CONNECTIONS (Maryland Art Place) Maryland Art Place (MAP), in partnership with CyberPoint International is pleased to announce an open 'Call to Artists'. As an extension of MAP's annual IMPRINT Project, MAP is working with CyberPoint to offer a unique opportunity to female visual artists of the greater Baltimore metropolitan area. Collectively, MAP and CyberPoint wish to commission a new work of art as well as license the image of that new work of art. The image of that artwork will be reproduced in a limited edition and presented to the guests of CyberPoint's Women in Cyber Security reception on October 29th, 2014
Data artist in residence: Why your data needs an artist's touch (IT World) A growing number of companies are looking at new ways to display their data and turning to the art world for assistance
What Apple's secret in-house university teaches employees about good design (Quartz) At the top-secret internal training sessions that Apple offers to its employees, the message boils down to this: Be more like Picasso and less like Google. That's the takeaway from an excellent New York Times report on Apple University, as the iPhone maker's training program is known, which drafts in Ivy League professors and features tailor-made courses for incoming acqui-hires like Dr. Dre of Beats
'NSA Proof' Keyless Security System Software hits Kickstarter (HackRead) NSA Proof security software assures data encryption making hacking impossible without passwords
Research and Development
Internet Of Things: Batteries Not Required (InformationWeek) University of Washington researchers have devised a battery-free way to connect low-powered devices and sensors to the Internet
How to fight and prevent cyber-attacks: University of New Orleans gets $400K for study (Times-Picayune) University of New Orleans researchers will develop tools to fight large-scale cyber-crime as part of a $400,000, three-year grant from the National Science Foundation, the campus said Friday
Want a tech job? Study this. Advice from Mozilla, Reddit, Tumblr and more (Washington Post) Aaron Saunders, chief executive of Clearly Innovative, took a traditional route to a tech career: He earned a computer science degree at Ohio Wesleyan, studied marketing and information technology en route to an MBA from NYU, then hopped through jobs as an application architect for Lotus Development, a designer of Web strategy for Time Warner Cable, and a manager for the redesign of an e-commerce site
At 'Cyber Challenge,' The Best Hacker Wins (CBS) This week, the biggest-ever cyber attack — targeting more than 400,000 websites — became the latest reminder of how vulnerable we are online
How to turn every child into a "math person" (Quartz) Last month, the US Math Team took second place in the International Math Olympiad — for high school students — held in Cape Town, South Africa. Since 1989, China has won 20 out of 27 times (including this year), and in the entire history of the Olympiad, the US Math Team has won only 4 out of 55 times, so second place is a good showing. According to the American Mathematical Association website: "team leader Loh noted that the US squad matched China in the individual medal count and missed first place by only eight points"
Legislation, Policy, and Regulation
Australia's national security proposals will criminalise journalists, says union (The Guardian) Media Entertainment and Arts Alliance joins media companies to warn of 'chilling effect' on Australia's public-interest journalism
'Don't censor history' — Wiki chiefs (Future Intelligence) Online encyclopedia founder Jimmy Wales has launched a counter attack against the European Court of Justice's 'right to be forgotten'
NRC cyber security breach a 'wake-up call,' Ottawa tech CEO says (Ottawa Citizen) The president of an Ottawa startup tech firm affected by the cyber attack on the National Research Council says the data breach should serve as a "wake-up" call to government about cyber security
Judges for National Security (Wall Street Journal) The director of the Administrative Office of the U.S. Courts, which represents the entire federal judiciary, blasts Sen. Leahy's NSA bill
Editorial: Cyber threats call for a culture change (Federal Times) Recent headlines remind us we have a long way to go in protecting sensitive data
Retiring DIA Director Michael Flynn Warns Against Nat'l Defense, Security 'Shortcuts' (ExecutiveGov) The U.S. should continue building its national defense and security posture as it faces threats that are increasing in both number and intensity, Army Lt. Gen. Michael Flynn urged officials present at his retirement ceremony
Litigation, Investigation, and Law Enforcement
Russian Hacking Case Highlights Lack of Global Cyber Cops (Wall Street Journal) Security experts debate how to police and disclose data breaches
Microsoft Offices in China Raided for a Second Time (eWeek) With a new round of raids that have ensnared Microsoft partner Accenture, the Chinese government takes a closer look into the software giant's dealings in the country
Accenture caught up in Microsoft China antitrust probe (ZDNet) Chinese regulator visits Accenture's Dalian office to access Microsoft-related documents as part of an ongoing anti-monopoly investigation into the software vendor. The U.S. consulting firm insists it's "not part of the antitrust probe"
China is shocked — shocked! — at the suggestion that it is bullying foreign companies (Quartz) China's anti-trust regulator is insisting that contrary to appearances, both foreign and domestic companies are fair game in its recent crackdown
Irish Bookie Follows Stolen Client Cache to Ontario Basement (Bloomberg via the Washington Post) Jason Ferguson said the job was straightforward: buy a gambling company's client data and flip it to a rival who could use the information to win new customers
Did a spy agency screw The Intercept? (Columbia Journalism Review) For better and for worse, trust is key to coverage of the national security beat
China spies — sex to cyber (Toronto Sun) Sex-and-spying award winner? China's nominee is surely Katrina Leung, codenamed Parlour Maid. She'd pocketed $1.7 million in FBI money to spy on China by the time Washington figured out she was moonlighting as a double agent for Beijing — while bedding two senior FBI counterintelligence officers, in the process. Now, that's dexterity
UAE youth in 'honey traps' via dating sites (Emirates 24/7) 33 complaints of blackmail have been received in the first six months of this year: Abu Dhabi Police
For a complete running list of events, please visit the Event Tracker.
Newly Noted Events
Security Essen 2014 (Essen, Germany, Sep 23 - 26, 2014) Security Essen will offer the whole world of security and fire protection technology under one roof with a comprehensive overview of new security technologies and security concepts. From mechanical security technology, fire protection and IT security via security systems for outdoor sites and video surveillance right up to solutions for reporting hold-ups, burglary and theft, trade visitors will be able to obtain extensive information
SANS Cyber Defense Summit and Training (Nashville, Tennessee, USA, Aug 13 - 20, 2014) The SANS Institute's Cyber Defense Summit will be paired with intensive pre-summit hands-on information security training (August 13-18). This event marks the first time that SANS will conduct a training event and Summit that brings together cyber defense practitioners focused on defensive tactics as opposed to offensive approaches to thwart cyber attackers and prevent intrusions.
Resilience Week (Denver, Colorado, USA, Aug 19 - 21, 2014) Symposia dedicated to promising research in resilient systems that will protect critical cyber-physical infrastructures from unexpected and malicious threats—securing our way of life.
AFCEA Technology & Cyber Day (Tinker AFB, Oklahoma, USA, Aug 21, 2014) The Armed Forces Communications & Electronics Association (AFCEA) — Oklahoma City Chapter will once again host the 10th Annual Information Technology & Cyber Security Day at Tinker AFB. This is the only event of its kind held at Tinker AFB each year. This annual event allows exhibitors the opportunity to network with key information technology, cyber security, communications, engineering, contracting personnel and decision makers at Tinker AFB. Over 250 attendees participated in the 2013 event and we expect the same level of attendance in 2014.
c0c0n: International Information Security and Hacking Conference (Aug 22 - 23, 2014) c0c0n, previously known as Cyber Safe, is an annual event conducted as part of the International Information Security Day. The Information Security Research Association along with Matriux Security Community is organizing a 2-day International Security and Hacking Conference titled c0c0n 2014, as part of Information Security Day 2014. c0c0n 2013 was supported by the Kerala Police and we expect the same this year too. Various technical, non-technical, legal and community events are organized as part of the program. c0c0n 2014 is scheduled on 22, 23 Aug 2014.
Build IT Break IT Fix IT: Build IT (Online, Aug 28, 2014) The Build it Break it Fix it security contest is a new security-oriented programming contest held by the Maryland Cybersecurity Center, Cyberpoint, and Trail of Bits. The Build it Break it Fix it security contest aims to teach students to write more secure programs. The contest evaluates participants' abilities to develop secure and efficient programs. The contest is broken up into three rounds that take place over consecutive weekends. During the Build It round, builders write software that implements the system prescribed by the contest. In the Break It round, breakers find as many flaws as possible in the Build It implementations submitted by other teams. During the Fix It round, builders attempt to fix any problems in their Build It submissions that were identified by other breaker teams. Each round will respectively start on August 28th, September 4th, and September 12th
The Hackers Conference (New Delhi, India, Aug 30, 2014) The Hackers Conference is a unique event, where the best minds in the hacking world, leaders in the information security industry and the cyber community, along with policymakers and government representatives on cyber security, meet face-to-face to join their efforts in addressing the most topical issues of the Internet security space. This is the third edition of the Conference. Following the huge success of the conference last year, the current edition brings back to you all the knowledge and all the fun in a better, grander way.