The CyberWire Daily Briefing for 1.24.2014
Chinese media continue to blame the country's recent Internet outage on hacktivists (Falun Gong prominently mentioned in dispatches), but outsiders aren't so sure: they think that in this case the Great Firewall may have jammed itself.
Assad's Syrian Electronic Army is back, and it's after CNN's Twitter accounts. (The intruders were quickly ejected.) InfoSecurity Magazine runs an SEA overview that predicts the state-coordinated group will become more active in 2014.
Neiman Marcus releases more information on its part of the BlackPOS/Kaptoxa campaign. The US FBI warns retailers to expect more of the same. Industry observers think Target's cyber insurance policy may not hold up if the insurers find compliance issues in the company's security posture.
Researchers at Sweden's Karlstad University find a small number of Tor exit relays sniffing traffic and conducting man-in-the-middle attacks, a reminder that "anonymous" isn't synonymous with "secure."
The researcher who discovered the Chrome eavesdropping bug has published exploit code for it. Google dismisses it as a stunt, and no real threat.
Krebs reports that Foscam IP cameras and baby monitors are vulnerable to exploitation by snoops with access to their IP address.
Crowdstrike's 2013 retrospective continues to draw attention, particularly in its conclusions that fifty groups dominate global cyber crime, and that Russia is engaged in a sustained campaign targeting the energy sector.
Attention small businesses: Cisco patches the widely reported unauthorized-access vulnerability in its WAP4410N access point.
McAfee observes a disturbing rise in security-aware malware, showing again the inadequacy of legacy perimeter and signature-based defenses.
The European Court scrutinizes GCHQ.
Notes.
Today's issue includes events affecting Australia, Brazil, Canada, China, European Union, France, Israel, Bailiwick of Jersey, Netherlands, Poland, Russia, Sweden, Syria, Taiwan, United Arab Emirates, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
China Blames Massive Internet Blackout On Hackers (InformationWeek) Evidence about the 45-minute outage points to botched censorship operation, not hackers, security experts say
China's Great Firewall blamed for eight-hour Internet blackout (CSO) The extraordinary Internet outage that left hundreds of millions of Chinese Internet users unable to access the web on Tuesday afternoon lasted for eight hours and spread its effects across the globe, monitoring firm Compuware has reported
Syrian group hacks CNN social media accounts (AFP via Yahoo!News) The Syrian Electronic Army claimed responsibility for hacking some of US broadcaster CNN's social media accounts. The network said the compromised accounts included its main Facebook page, its Twitter page and blogs for "The Situation Room" and "Crossfire"
Syrian Electronic Army Escalated Tactics Over 2013; Poised for More this Year (InfoSecurity Magazine) The hacktivist group known as the Syrian Electronic Army was a particularly active adversary in the second half of 2013, and remains one of the top global threat actors to watch in the coming year as the Syrian conflict drags on — not least because of the group's ability to morph its techniques to keep things interesting
Target Breach: 5 Unanswered Security Questions (InformationWeek) Investigators have yet to explain how Target was hacked, whether BlackPOS malware infected its payment servers, and whether the same gang also struck other retailers
Exclusive: FBI warns retailers to expect more credit card breaches (Reuters) The FBI has warned U.S. retailers to prepare for more cyber attacks after discovering about 20 hacking cases in the past year that involved the same kind of malicious software used against Target Corp in the holiday shopping season
Neiman Marcus confirms and apologizes for data breach (UPI via TMCnet) U.S. retailer Neiman Marcus said Thursday a major breach of customer data from mid-July through October resulted in about 2,400 individual thefts
Don't Be the Next Target (SecureState) Target's $100 million policy is likely to be worthless if it is determined (and it will be) that they were not compliant. However, let's assume for a minute that Target's policy is actually deemed valid, and not determined to be voided by misrepresentation. For example, if Target is able to demonstrate that there were no gaps in their security controls, and that every precaution was taken to prevent this type of breach, they would still be covered by the multiple policies they have and would potentially be subject to less severe regulatory fines
Neiman Marcus data breach affects up to 1.1M customer cards (The New York Post) Luxury department store giant Neiman Marcus said that cyber thieves quietly lifted as many as 1.1 million customers' cards during a four-month period last year
Small number of malicious Tor exit relays snooping on traffic (Threatpost) A small number of Tor exit relays are misbehaving, conducting man-in-the-middle attacks and monitoring encrypted traffic from users of the anonymity network
The Inside Story of Tor, the Best Internet Anonymity Tool the Government Ever Built (Bloomberg BusinessWeek) Last year, Edward Snowden turned over to the Guardian, a British newspaper, some 58,000 classified U.S. government documents. Just a fraction of the files have been made public, but they outline the National Security Agency's massive information-collection system. They've thrown light onto the methods of an arm of the government used to working in the shadows and started an intense debate over national security and personal liberty
Chrome Eavesdropping Exploit Published (Threatpost) The developer of the annyang speech recognition JavaScript library has published exploit code for a bug in Google's Chrome browser that could allow a malicious website to eavesdrop using a computer's microphone long after a visitor has left a website
Google Dismisses Chrome Browser Microphone Snooping Exploit (Dark Reading) A researcher has released an exploit that abuses flaws he discovered in Chrome that could allow an attacker to snoop on phone calls or other conversations at your desktop, but Google says it's compliant with W3C
Malware infects Android-run devices via PCs (Help Net Security) Researchers have recently discovered a PC Trojan whose ultimate goal is to compromise the target's Android-running smartphone or tablet with information-stealing malware
Most top 500 Android mobile apps have security and privacy risks (Help Net Security) After testing the top 500 Android applications, MetaIntell identified that approximately 460 of those 500 Android applications (available in apps stores such as Amazon, CNET, GETJAR, and Google Play)
Bug Exposes IP Cameras, Baby Monitors (KrebsonSecurity) A bug in the software that powers a broad array of Webcams, IP surveillance cameras and baby monitors made by Chinese camera giant Foscam allows anyone with access to the device's Internet address to view live and recorded video footage, KrebsOnSecurity has learned
"Give Me Coins" website hacked, 10K Litecoins worth $230k stolen (eHackingNews) One of the largest Litecoin mining pools, "Give Me Coins" (give-me-coins.com), has been hacked. 10,000 Litecoins worth $230,000 have reportedly been stolen
'Watering holes' become popular attack vector for targeted attacks (FierceITSecurity) CrowdStrike report says watering holes have a number of advantages over spearphishing
Global cybercrime dominated by 50 core groups, CrowdStrike report finds (CSO) Cybercrime in 2013 was dominated by a core of around 50 active groups, including Russian and Chinese 'threat actors' whose activities are only now coming to light, a report from monitoring firm CrowdStrike has found
Energy Sector Under Attack (Industrial Safety and Security Source) A cyber espionage campaign targeted hundreds of organizations from Europe, America and Asia and it appears the Russian government is behind it, researchers said. IT security firm CrowdStrike said Russia has been launching cyber attacks in an effort to steal sensitive information which it can use to gain an economic advantage over its opponents
Health data breach count tops 800 (FierceHealthIT) The "wall of shame" for health data breaches at the Department of Health and Human Services has seen a lot of action this month
Howard schools recover from possible cyber attack (The Baltimore Sun) Howard County Public School System officials said last week that Internet outages that persisted for nearly a week earlier in the month were caused by a possible cyber attack. Internet outages started occurring the first week in January, according to emails from various schools in the county, and continued until about Monday, Jan. 13
Phishing via Social Media (Internet Storm Center) The use of social media as an attack vector is nothing new; we've all seen plenty of stories in the media of fake Facebook profiles such as the one for American Admiral James Stavridis back in 2012 [1]. This tends to mean we're more wary of Facebook and Twitter, but many of us still use LinkedIn as it is a great tool to build out professional networks, tap in to like-minded groups or be approached by recruiters
T-Mobile: Hack May Have Revealed Personal Information (TechnoBuffalo) T-Mobile is reportedly gearing up to reveal that personal information may have been exposed in an "unauthorized access" incident, according to a report published Thursday. The details were provided by CSO, which discovered a letter that was recently published by the California Attorney General. The letter suggests T-Mobile discovered the breach back on Nov. 26, 2013, so we're not quite sure why details are only surfacing now
Keygens For Engineering, Scientific Software Leads To FAKEAV (TrendLabs Security Intelligence Blog) In the past few weeks, we have seen increasing numbers of infections related to TROJ_GATAK, especially in the North American region. This malware family is not particularly well known; we discussed it in 2012 in relation to file infectors that were hitting Dutch users
Breach Among Largest Ever in Canada (GovInfoSecurity) Health data breaches involving unencrypted devices aren't just an American problem. The recent theft of an unencrypted laptop from an IT consultant working for Medicentre Family Health Care Clinics in Edmonton has resulted in what is believed to be one of the largest health data breaches ever reported in Canada
Security Patches, Mitigations, and Software Updates
Cisco WAP4410N Wireless-N Access Point — PoE/Advanced Security (Cisco) Just Released! Fix for the Unauthorized Access Vulnerability in WAP4410N
Apple patches many vulnerabilities in iTunes (ZDNet) 25 vulnerabilities are addressed in the new version 11.1.4. 24 of them affect only the Windows version of iTunes
Cyber Trends
Security-Aware Attacks: The Bad Guys Just Got a Whole Lot Smarter (McAfee) In the battle between cybercriminals and security companies, the threat of escalation has always been present. Until recently, most malware attacks could be avoided by blocking known or suspicious file types before they entered the network
Top 10 DDoS attack trends (Help Net Security) Prolexic Technologies, a provider of DDoS protection services, published its top 10 attack trends for 2013. Throughout the year, metrics were collected from all DDoS attacks launched against the
IT managers not confident their firms could pass security compliance audit (FierceITSecurity) DataMotion survey finds disconnect between IT, non-IT employees
The Cybersecurity Risk Paradox (Microsoft Security Intelligence Report Special Edition) Around the globe, societies are becoming increasingly dependent upon information and communications technology (ICT) which is driving rapid social, economic, and governmental development. Yet with this development, new threats to digital infrastructures have emerged
12 privacy-destroying technologies that should scare you (CSO) Technology is not evil, only its use or misuse. But in the case of this dirty dozen, the potential for abuse is frightening
Cloud computing: Powerful tool for cyberattacks? (CIOL) As cyber warfare against enterprises grows more brutal by the year, cloud computing technology is also at risk for cyber attacks such as malware and phishing, which have increased the demand for technologies to combat these threats
Citigroup CEO Corbat: Threat of Cyber Attack Is Real (Value Walk) In an interview to appear on FOX Business Network's (FBN) Countdown to the Closing Bell (3PM/ET), Citigroup Inc (NYSE:C) CEO Michael Corbat speaks with anchor Liz Claman about the company's recovery. Corbat says, "I think when we look back, we've done a pretty monumental transformation of the company" and that "we feel like we've got the right business model and the right mix of businesses." Corbat also comments on cyber security saying, "I think the threat of cyber security is absolutely real" and that this is "an area where we dedicate a lot of resources, people, hours, money, to making sure that we've got the best technology
CEOs in the dark about cyber-attacks (Real Business) A Lancope, Inc. report, entitled "Cyber Security Incident Response: Are we as prepared as we think?", shows that while security threats are imminent, CEOs and other members of the management team are in the dark about potential cyber-attacks against their companies
Cyber criminals find new avenues to steal data [Gulf News (United Arab Emirates)] (Gulf News) The top security story in 2013 was no doubt that of the National Security Agency (NSA) whistle-blower Edward Snowden. His revelations about the breach of user privacy by the US government have had a ripple effect
Leon Panetta warns of 'crippling' cyber attack in Monterey speech (The Monterey Herald News) Former Defense Secretary Leon Panetta, in a wide-ranging speech at the Monterey Conference Center on Thursday, said cyber attacks are the "most dangerous potential threat" to the United States
Financial Data Leads The Malicious Spam Hit List For Third Year In A row (Dark Reading) In some spam categories commercial advertising is being gradually displaced by criminal mailings
Socially Engineered Behavior To Blame For Most Security Breaches (Dark Reading) KnowBe4 analysis shows effectiveness of security awareness training on employees
Industry leaders meet to discuss threat of Cyber attacks (IFCfeed) JT will be taking part in, and co-sponsoring, a breakfast seminar organised to debate and review a growing problem which is fast becoming one of biggest threats to businesses of all types today
Marketplace
European financial services turn to IAM products to provide secure access (FierceITSecurity) The European financial services market for identity and access management products is forecast by Frost & Sullivan to increase at a 31.2 percent compound annual growth rate through 2018
Cost of contact center fraud is rising for enterprises, customers (FierceITSecurity) Enterprises are turning to new technologies, combining voice biometrics, predictive analytics, location-based capabilities
Increasing cyberthreats to push energy security market past $200B by 2015 (FierceITSecurity) Smart grid technology opens up more opportunities for attackers, warns TechNavio
Three security startups you should keep an eye on (NetworkWorld) Skyfence, Zimperium, Bluebox Security target cloud and mobile security respectively
Is cybersecurity the right job for you? (FCW) Headlines, reports and keynote addresses describing a cybersecurity workforce crisis continue to dominate the IT security landscape, with thousands — even hundreds of thousands — of open positions for cyber pros. Are you one of the many IT workers looking to make the jump, only to fall short of getting hired? It's all too common, and there are some surprising reasons why
Cyber warriors: The next generation (Defense Systems) The U.S. military has always taken cyber operations seriously, dealing with constant scans, probes and attacks on its networks, dating to the early days of the Internet. But the breadth of the issue really hit home in 2008, following an incident that became known as "Operation Buckshot Yankee"
Facebook awards $33,500 bounty for critical flaw (Help Net Security) Facebook has announced that it has awarded $33,500 — their biggest bug bounty payout to date — to a Brazilian security researcher that discovered a remote code execution flaw affecting Facebook's
Pentagon says it didn't buy 80,000 new BlackBerry phones (CNET) Not so fast, BlackBerry investors — the government now says it did not make any new purchases from the struggling smartphone maker
Booz Allen keeps place on DISA contract (Federal Times) Booz Allen Hamilton will continue working under a DISA contract that had originally gone to another company. Booz Allen Hamilton is a major player in the Pentagon's efforts to enable more defense contractors to share cyber threat data with the government
Raytheon announces cyber technical research competition winner (PRNewswire) Raytheon UK has announced that MWR InfoSecurity is the first winner of its technical research competition aimed at SME (Small Medium Enterprise) in the cyber security domain. The competition's £40,000 prize, recognising research into an analysis tool to detect rogue code in Android applications, was presented at the "Agile Innovation for Cyber Security Boot Camp" hosted by the UK government's Department for Business, Innovation and Skills
KCG Secures First DHS Continuous Diagnostics and Mitigation Task Order under $6B Cyber Contract (Webwire) Knowledge Consulting Group (KCG), one of the largest privately held cybersecurity services firms in the United States, announced that it has been awarded the first task order off of the Department of Homeland Security (DHS) Continuous Diagnostics and Mitigation (CDM) contract vehicle. The task order is to deliver solutions from McAfee and BDNA, and has a total value of $8,543,986
Lunarline, Inc. Honored with SmartCEO's Future 50 Award (Digital Journal) One of the nation's top cyber security firms recognized for outstanding growth & leadership
Cyber-Defense Specialist Gets Backing Of Major Smartphone Manufacturer And Launches New Approach To Mobile Security Threats (Dark Reading) Zimperium launches two products to protect organizations from advanced persistent threats on mobile
Qualcomm Buys Massive Palm, iPaq And Bitfone Patent Portfolio From HP (TechCrunch) Is Qualcomm preparing for the revival of the personal digital assistant? The San Diego-based Qualcomm just announced that it has acquired 1,400 patents from HP covering Palm, iPaq and Bitfone patents and pending patents. It's unclear how many are from each portfolio, but Qualcomm just made a big leap in owning a chunk of patents covering the fundamentals of mobile operating system
Overlooked lessons from Mandiant's $1B acquisition (Washington Technology) When Mandiant was acquired by FireEye at the end of 2013, I made little note of the $1 billion deal. The transaction seemed too commercial in nature
Products, Services, and Solutions
Antivirus Products Show Off Under Windows 8.1 (PC Magazine) Flu season is in full swing, and you've probably had your flu shot. But is your computer protected against viruses? Throughout the chilly November and December of 2013, researchers at AV-Test ran two dozen antivirus and security suite products through a barrage of tests. They've just released the latest results, identifying which products excelled in several different criteria. If you're considering which security product to choose, or considering switching from your current protection, you'll want to check these results
Microsoft Offers Choice In Cloud Storage Location Nation (Forbes) Responding to customer concerns over NSA spying, Microsoft (NASDAQ:MSFT) will be allowing non-U.S. customers to store their data in the company's cloud data centers in other countries
Panda Security Adds Cloud Cleaner to RMM Platform (eWeek) The platform is specifically designed to disinfect latest-generation viruses, such as zero-day attacks and targeted attacks
Do you need solid-gold domain name security? (ZDNet) Network Solutions is opting their high-profile customers in to a $1,850 service to super-lock domains. Make sure they don't think you're in the 1%
Smartworld offers cyber attack testing (Trade Arabia) Smartworld, a leading master systems integrator and ICT service provider, has launched a new testing service that aims to prepare and protect local businesses and government agencies from cyber attacks
Skyfence Protects Cloud Apps against Account Hijacking, Insider Attacks and Data Theft (Virtual Strategy) Skyfence Networks, the company that automates cloud app protection, today emerged from stealth mode and announced the Skyfence Cloud Gateway. Founded by former executives from Imperva and Websense, Skyfence enables organizations to protect against the leading threats identified by the Cloud Security Alliance (CSA): account/service traffic hijacking and malicious insiders. Skyfence integrates threat prevention, activity monitoring and compliance management to secure and prevent data theft on any cloud app
Startup Tackles Security Through Microsoft Active Directory (Dark Reading) New company Aorato identifies potential threats by monitoring traffic from ubiquitous Active Directory
Technologies, Techniques, and Standards
The Power to Decide (MIT Technology Review) What's the point of all that data, anyway? It's to make decisions
Stop Being "Reasonable" — Rationalize Your Security Efforts (Security Today) Commercially reasonable efforts refer to actions defined by what similar persons would do as judged by the community. This judgment is based on the common average of the community, so in times of crisis or great waves of change, the collective knowledge from community to community will be different. Communities that measure, watch and continue to learn are more aware than communities that do not value these traits
Best practices to help prevent online data breaches (Help Net Security) The Online Trust Alliance (OTA) recommended a series of best practices to help prevent online data breaches and other exploits. Leveraging preliminary year-end data from the Open Security Foundation
ENISA: Industrial Control Systems require coordinated capability testing (Help Net Security) EU's cyber security Agency ENISA published a new report to give advice regarding the next steps towards coordinated testing of capability of the often outdated Industrial Control Systems (ICS) for
Are our passwords really that bad? And does it really matter? (Naked Security) We are, as a species, very bad at learning from our mistakes — and/or very lazy
Penetration testing: Accurate or abused? (Help Net Security) According to a recent Ponemon study, since 2010 cybercrime costs have climbed 78% and the time required to recover from a breach has increased 130%. On average, U.S. businesses fall victim to two successful attacks per week where their perimeter security defenses have been breached
How To Get The Most Out Of Risk Management Spend (Dark Reading) Getting the most bang for your security buck through risk management investments
6 Tips for Stronger Encryption (Dark Reading) In the wake of revelations about NSA backdoors in encryption systems, organizations must do everything they can to ensure their encryption is as strong as possible
What the Target Breach and Edward Snowden Tell Us About Network Controls (Defense One) Target. Even the brand name lends itself to hacking. It's like painting a bright red bull's-eye on a big, juicy company with lots of money and information, just waiting to be stolen. And it was
Design and Innovation
New Israeli Security Tech Reads Your Mind (iHLS) 9/11 was the catalyst for many HLS technologies. Shabtai Shoval, founder of SDS (Suspect Detection Systems), following the terror attack, asked himself whether the event couldn't have been foreseen and prevented
Taking stock of the Dutch tech cluster: What The Netherlands needs to win the European startup scene (The Next Web) As a startup hub, Amsterdam grabs the same amount of attention as the girl with braces at the high school dance. Slowly but surely, however, we have a quietly emerging 'ecosystem' (as it is often called in tech lingo)
Academia
Cal Poly dedicates new lab for cybersecurity education (The San Luis Obispo Tribune) Cal Poly is aiming to prepare a new wave of experts to fight cyber terrorism, hacking, and identity theft with the unveiling of a new laboratory
Roberts first UNO graduate to earn a masters in Information Assurance (Dakota County Star) When Justin Roberts graduated from South Sioux City in 2008, he headed toward Omaha and started working on a degree that didn't exist yet at the school. On December 21, 2013 he graduated from the University of Nebraska-Omaha with a Master's of Science in Information Assurance — being the first student to graduate from UNO with this degree
Legislation, Policy, and Regulation
Don't let privacy trump security (Newsday) Ten years ago this July, the 9/11 Commission Report cited the failure of U.S. intelligence agencies to "connect the dots" leading to the terrorist attack — the job the National Security Agency is charged to do. The ongoing discussion about privacy, security and the NSA's programs has been important and should continue. However, we must not compromise security programs that allow us the very freedom to openly engage in this debate
BT chief rounds on Cameron over 'murky' snooping (The Times of London) David Cameron faced calls yesterday from the head of BT to clarify the "murky" world of data collection by the security services
Secure the Future of the Internet (Brookings) In 2014, President Obama should pursue policies guaranteeing an open, free-market Internet, write Peter W. Singer and Ian Wallace. Instead of waiting out the international blowback from Edward Snowden's NSA revelations, the president needs to lead a new strategy against those governments who want to regulate the way the global Internet is run
Free Speech in the Era of Its Technological Amplification: A letter to John Stuart Mill about the limits of what may be shown or said on the Web (MIT Technology Review) Greetings, Pale Ghost. I don't know what news reaches you in the afterlife—whether there is a gossipy daily bulletin, the Heavenly Gazette, filled with our doings; or if new arrivals bring stories of developments on Earth; or if you still care about us at all—but much has changed since you died in 1873. Some of those changes would gratify your liberal spirit; still others, vex. A few would baffle
This is what we should be asking our intel officials: Where is today's William Colby? (Foreign Policy) William Colby began his career in the Office of Strategic Services in World War II. Following the war, he joined the Central Intelligence Agency where he would eventually rise to be the director of central intelligence (DCI), having run the highly controversial Phoenix Program in Vietnam along the way. Mr. Colby's ascension to DCI came at the nadir of the CIA's history
Congresswoman Clarke's Statement on Bipartisan Commitment to Cybersecurity (Targeted News Service Via Acquire Media NewsEdge) Rep. Yvette Clarke, D-N.Y. (9th CD), has issued the following news release: Congresswoman Yvette D. Clarke issued the following statement on bipartisan efforts in Congress to improve cybersecurity which have resulted in a bill that would increase collaboration between federal agencies and private companies to protect our information and require additional monitoring of potentially vulnerable systems
Security professionals welcome government's child cyber safety proposals (ComputerWorld) Proposals are a "promising start", says Symantec director of government affairs
House committee approves cyber security notification bill (WAVE 3 News) The state auditor said legislation that cleared a House committee on January 23 would give Kentucky one of the strongest cyber security laws in the country
FIC 2014: French defence minister calls for unified front against cyber crime (ITProPortal) Jean-Yves Le Drian, the French Minister for Defence, has called for an international response to cybercrime, and announced the beginning of a €1 billion programme over a number of years to prepare France against the emerging threat of cyber war
Thou shalt not Tweet in an ungodly way, Church of England tells worshippers (The Telegraph) Preaching the message of modern communication, the Church of England is asking its clergy and staff to spread the word through Twitter — in a way God would approve of
Litigation, Investigation, and Law Enforcement
Justify GCHQ mass surveillance, European court tells ministers (The Guardian) Judges order government to provide submission about whether spying activities violated European convention on human rights
The territorial skirmish between China and Taiwan has now gone virtual (Quartz) A new territorial dispute is emerging between China and Taiwan. But this time the territory is in cyberspace. As we explained yesterday, the Internet Corporation for Assigned Names and Numbers (ICANN), which manages the internet's addressing system, recently added Chinese characters to the mix of possible "generic top-level domains." That puts .政府 (zhengfu, pronounced "jung-foo"), which means "government," up for grabs
Social Media: Protecting Trade Secrets and Proprietary Information (JD Supra) The ability of employees to steal trade secrets, reveal customer lists, and expose proprietary business information with the press of a button is frightening. In over 85 percent of trade-secret cases, the alleged misappropriator is someone the trade-secret owner knows, typically either an employee or a business partner
Companies settle over false data security framework compliance claims (SC Magazine) Twelve U.S. companies have agreed to settle Federal Trade Commission (FTC) charges, which accuse the firms of falsely claiming to comply with an international data security framework
The U.S. Crackdown on Hackers Is Our New War on Drugs (Wired) Before Edward Snowden showed up, 2013 was shaping up as the year of reckoning for the much criticized federal anti-hacking statute, the Computer Fraud and Abuse Act ("CFAA"). The suicide of Aaron Swartz in January 2013 brought the CFAA into mainstream consciousness, so Congress held hearings about the case, and legislative fixes were introduced to change the law
Holder: I'm Open to 'Conversation' With Snowden (TIME) But the attorney general says clemency is out of the question
Edward Snowden: "Not all spying is bad" (WSTP) "Not all spying is bad," former government contractor Edward Snowden declared in an online Q&A Thursday afternoon. However, the former contractor who exposed sweeping National Security Agency surveillance programs maintains that the NSA's bulk data collection is unnecessary and doing more harm than good
Snowden considers returning to the US, and the "permanent record" (Ars Technica) In an online Q&A session, former NSA contractor-turned-whistleblower Edward Snowden answered 13 questions posed by Twitter users. The questions he considered ranged from the reasoning behind his leaks, to his hope for what the future of American intelligence programs may look like
Snowden Answers Our Burning Data Collection Question: What's The Worst That Could Happen? (TechCrunch) National Security Agency whistleblower Edward Snowden is answering the Internet's burning questions. Surprisingly, he was even gracious enough to answer my question: "What's the worst and most realistic harm from bulk collection of data? Why do you think it outweighs national security?" Snowden, who was granted protection in Russia from American prosecution, has been somewhat press-averse, only holding a few select media interviews. This time, he went directly to netizens to respond to President Obama's big national security speech last week
13 Indicted in $2M Bluetooth Skimmer Scam (Threatpost) Thirteen men were indicted this week for allegedly using Bluetooth-enabled skimmers to steal more than $2 million from customers at gas stations across the Southern United States between 2012 and 2013
Prisoner rats himself out with Facebook selfie of cell-grown cannabis (Naked Security) One of the most stupid selfies ever: a Polish prisoner's photo, taken on a contraband mobile phone smuggled into the prison, showing a lush, equally contraband and definitely illegal cannabis plant he grew from seed in his cell
Upcoming Events
"Cyber Threat Landscape": How the FBI is counteracting the current threats (date and location not listed) Donald J. Good, FBI Section Chief Cyber Operations and Outreach Section, will offer first-hand awareness of how the FBI works with other government agencies and the private sector to counteract the current cyber threat scenario.
Cybertech — Cyber Security Conference and Exhibition (Tel Aviv, Israel, Jan 27 - 29, 2014) Cybertech Israel, the first event of its kind, will present world-leading companies in the field of cyber defense alongside young companies that offer unique solutions to advance the discipline of cyber security. The conference will focus on commercial problem-solving strategies and solutions for cyber infrastructure experts across multiple sectors: energy, utilities, finance, defense, R&D, manufacturing, service sectors, health, government, telecommunications, transportation and more.
U.S. Census Data Protection & Privacy Day (Suitland, Maryland, USA, Jan 28, 2014) The Census Bureau's Privacy Compliance Branch of the Policy Coordination Office is hosting a Data Protection and Privacy Day on January 28. This event is intended to provide a forum for Census employees and contractors to discuss current data protection and privacy policy and to generate ideas to help evolve the current policies. The event will feature various participants from the U.S. Census Bureau as well as other government agencies and industry.
2014 Cybersecurity Innovation Forum (Baltimore, Maryland, USA, Jan 28 - 30, 2014) The 2014 Cybersecurity Innovation Forum (CIF) is a three-day event, sponsored by the National Cybersecurity Center of Excellence (NCCoE) with DHS, NIST, and NSA as primary participating organizations. The CIF will cover the existing threat landscape and provide presentations and keynotes on current and emerging practices, technologies and standards. The 2014 CIF will provide action-oriented outputs to fuel voluntary, principle-driven, consensus-based standards efforts, create opportunities for industry growth, drive research activities, and define use cases for subsequent exploration, which in turn will feed back into subsequent CIFs, continually evolving the state of the art.
Cyber Training Forum at NGA (Springfield, Virginia, USA, Feb 4, 2014) The 2014 Cyber Security Training Forum (CSTF) will take place at the NGA East Campus in Springfield, VA. This event is designed to provide education and training to the NGA Workforce, the Intelligence Community, and Industry. The CSTF will include keynotes, breakout sessions, and cyber security demonstrations from industry.
U.S. Department of Commerce Technology Expo (date and location not listed) Department of Commerce is interested in hearing from you! The OCIO Office is specifically looking for speakers on Vulnerability Management and Implementation of Continuous Monitoring. Please contact your FBC representative to submit an abstract today.
Cyber Security 2014 (date and location not listed) The threats and the opportunities conference brings together over 150 business leaders, senior decision makers, business development managers and IT professionals from across the whole defence and security supply chain, from Prime Contractors, through tier 1 and tier 2 suppliers, SMEs and those at the front of R&D and the development of new and innovative products and services. The event will provide a unique opportunity for those within the whole supply chain to understand both the current and future cyber security threat to the supply chain and what action will need to be taken to mitigate these threats and ensure we are fit to compete in the future, both as businesses and as a country. Organisations who have confirmed their attendance include: RBS, Finmeccanica Selex, Thales, MOD, Scottish Government, Lockheed Martin UK, BAE Systems and others.
Security Analyst Summit 2014 (Punta Cana, Dominican Republic, Feb 9 - 13, 2014) The Kaspersky Security Analyst Summit (SAS) is an annual event connecting anti-malware researchers and developers, global law enforcement agencies and CERTs and members of the security research community. The goal is to learn, debate, share and showcase cutting-edge research, new technologies and discuss ways to improve collaboration in the fight against cyber-crime.
FBI HQ Cloud Computing Vendor Day (date and location not listed) As part of its FAR-mandated market research efforts and in order to keep FBI employees informed of new products, technologies and services available in the industry, ITED has been tasked with organizing four 'Vendor Days' a year focusing on technology that can enhance current IT capabilities. These market research events will enhance exposure for all Department of Justice (DOJ)/Federal Bureau of Investigation (FBI) employees to new products and services and give them an opportunity to interact directly with the industry. Vendor days are for demo purposes only and are designed to facilitate FBI market research efforts. Attending vendors shall make all inquiries concerning pending or future FBI requirements to the cognizant FBI contracting officer.
New FFIEC Guidelines on Social Media: 3 Things You Need to Know (date and location not listed) We'll take an in-depth look at the new Federal Financial Institutions Examination Council (FFIEC) guidelines on social media and consumer compliance risk, and how they may impact your organization. We'll break down nearly 20 pages of dense government material, distilling the key topics for legal, compliance, risk and finance professionals.
RSA Conference USA (San Francisco, California, USA, Feb 24 - 28, 2014) Hundreds of game-changing interactions will give you an unparalleled diversity of industry insight and information based on best practices, real implementation stories, and detailed case studies. Each year, educational sessions feature new and returning educational tracks you won't find anywhere else.
Nellis AFB Technology & Cyber Security Expo (date and location not listed) For over 12 years, the Armed Forces Communications & Electronics Association (AFCEA) - Las Vegas Chapter and FBC have been co-hosting the Annual Information Technology Expo at Nellis AFB. As was the case last year, the 2014 event will once again have a Cyber Security theme. This is an excellent opportunity for any technology or cyber company to meet with the personnel at Nellis AFB, as well as the local AFCEA members.
Trustworthy Technology Conference (San Francisco, California, USA, Feb 27, 2014) Join us for the first Trustworthy Technology Conference, to be held on 27 February 2014 at the AMC Metreon Theatre in San Francisco, California. We welcome all security researchers, practitioners and citizens who are interested in discussing the technical, legal and ethical underpinnings of a stronger social contract between users and technology.
Creech AFB Technology & Cyber Security Expo (date and location not listed) The Armed Forces Communications & Electronics Association (AFCEA) - Las Vegas Chapter, with support from the 432d Wing, will host a Cyber Security Awareness Day & Technology Expo at Creech AFB. This is an excellent opportunity for technology, cyber and tactical technology companies to meet with remote personnel at Creech AFB. At the 1st Annual event, held in February 2013, over 100 Creech AFB personnel attended. Their job descriptions included: Commander, Flight Chief, Communications Officer in Charge, IT Lead, Systems Admin, Wing Training, Information Assurance Officer, Knowledge Management, Section Chief, Avionics, Physical Security, Project Manager, Director and more.