Baltimore: the latest from CyberMaryland 2014
CyberMaryland Conference (Federal Business Council) See the CyberMaryland 2014 agenda here
How NSA Director Wants to Build an IoT Security Coalition (eWeek) Admiral Michael Rogers is preparing a coalition of government, military and commercial interests to fight a global cyber war if necessary
Maryland's cyber security strategy: Avoid boneheaded mistakes (Baltimore Business Journal) State and local governments can't prevent hackers from trying to break into their systems. But they can make sure employees don't make the task any easier for attackers
Why startups shouldn't just take money from anyone who's offering it (Baltimore Business Journal) Raising money is an important step to getting any startup off the ground — but it's not the most important
DBED inks cyber partnership with Dutch security cluster (Technical.ly Baltimore) The Hague Security Delta includes more than 400 Dutch companies
Cyber Attacks, Threats, and Vulnerabilities
Are the White House Hackers Gone? (Nextgov) Efforts to suppress abnormal behavior on an unclassified White House network continue, according to Obama administration officials
White House Hack: A Lesson Learned (GovInfoSecurity) Breach detection just as important as perimeter defense
Huawei accused of hacking and forging government documents in South Sudan, raises security concerns (Telecomtiger) Chinese telecom major Huawei is again in trouble for breaching cyber security on International level. This time it is accused of forging government documents and hacking government emails in South Sudan, according to a report published in Epoch Times
Xiaomi servers allegedly prone to zero-day attack that steals confidential data (Tech 2) Following reports of the security loophole in Xiaomi phones that causes them to send user data, including the user's IMEI, phone number, and phonebook contacts to remote servers, now a Taiwanese security expert has raised another security alarm against Xiaomi devices. According to the expert, Xiaomi devices are vulnerable to zero-day attacks which can compromise attacked systems or steal confidential data
Sony Xperia Smartphones Spying On Users, Sending Data in China (HackRead) Sony Xperia devices are found to be spying on their users and believed to be sending all the user data to their servers in China
Computer Spies Target Control Systems Made by GE, Siemens (Wall Street Journal) Disclosure underscores risk of connecting public utilities to Internet to make them more efficient
What you need to know about the Drupal vulnerability CVE-2014-3704 (CSO) Do you use Drupal for your personal website? Does your company use Drupal? Can't recall the last time it was patched? It is a safe bet to assume that you've already been compromised. Here's what to do next
Shellshock Attacks Stack Up (Dark Reading) Organizations are unable to keep up with patching processes and find incident response practices lag in wake of Bash bug
Brazilian Fraudsters Hit US Banks with Fake EMV Card Transactions (Infosecurity Magazine) A concerning pattern of credit- and debit-card fraud from Brazil is targeting US financial institutions, with big implications for banks implementing the smart-card approach to card security known as EMV, or chip-and-PIN
Free government-penned crypto can swipe identities (The Register) Beware of Australians bearing gifts
Cyber crime tool automates monetization of stolen payment cards (Help Net Security) Cyber criminals who have acquired stolen payment card information and wish to make the most of them can now simply buy professional-looking software that will automate the sending of stolen card charges to multiple gateway processors
How bots and zombies work, and why you should care (Naked Security) We regularly write about "bots", or "zombies," malicious programs that let cybercriminals take over your computer from afar
Beware of the malware walking dead (SC Magazine) It's Halloween — goblins, ghouls and ghosts gather in haunted houses and corporate offices alike. In security, while we've spent a good portion of 2014 focused on trick-or-treaters of the "advanced persistent threat" and "cybercrime" varieties, this Hallows Eve might be a good time to remind ourselves that zombies can be just as deadly. By zombies, I mean recycled tools and techniques from years gone by that have come back from the dead and are increasingly used in modern attacks
Smart meter hacking risk (Electronics Weekly) Auditing firm KPMG warned of smart meter security risks at the Westminster Energy, Environment and Transport Forum
You May Have Opened the Door to Your Biggest Business Threats (CMS Wire) The challenges you'll face when integrating video into your CMS
Hackers Probing the Financial System Show Reason to Worry (Bloomberg) Hackers are testing the financial system's cyber defenses, and they can boast of some alarming success
Epidemic of medical data breaches leaking our most sensitive information (Naked Security) We're all sick of data breaches and privacy intrusions, with just about every new day bringing new stories of shops, banks and restaurants leaking epic amounts of customer information and celebrities having their intimate snaps spread around the internet
Bulletin (SB14-300) Vulnerability Summary for the Week of October 20, 2014 (US-CERT) The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information
Security Patches, Mitigations, and Software Updates
Vulnerabilities found in more command-line tools, wget and tnftp get patches (CSO) The critical Shellshock vulnerabilities found last month in the Bash Unix shell have motivated security researchers to search for similar flaws in old, but widely used, command-line utilities
Microsoft patches GroupMe 'full account' hijack hole (The Register) Researcher rates Redmond after rapid response to rathole reveal in Group TXTing app
Microsoft releases stopgap POODLE protection for Internet Explorer (CSO) Next Patch Tuesday is Nov. 11, but a Fixit tool disables SSL 3.0 in the meantime
Android 5.0 Lollipop Upgrades Encryption, Application Control (Threatpost) Google, like most technology companies in this climate, is fighting for the security and privacy of its users' data on several fronts. With a mobile application ecosystem that invites trouble and government demands for user content and information continuing to rise
Cyber Trends
Cyber-Attackers Speeding Up Exploits of Known Software Flaws (eWeek) Increasing evidence suggests that the time between the public disclosure of a security flaw and its widespread exploitation is shrinking
Amid High-Profile Breaches and Shellshock Disclosure, Solutionary SERT Q3 Threat Intelligence Report Reveals Inadequate Levels of Incident Response Preparedness (Marketwired) 67 percent of Shellshock signatures tied to known malicious sources; top ISPs continue to be used as malware hosts
Emerging Cyber Threats Report 2015 (Georgia Institute of Technology) Over the last year, information and technology have become more tightly intertwined in our lives
Welcome To My Cyber Security Nightmare (Dark Reading) Happy Halloween. Here are three chilling scenarios that will keep even the most hardened infosec warrior awake all night
Digital Life in 2025: Cyber Attacks Likely to Increase (Pew Research Center) Experts believe nations, rogue groups, and malicious individuals will step up their assaults on communications networks, targeting institutions, financial services agencies, utilities, and consumers over the next decade. Although most expect there will be more attacks, many predict effective counter moves will generally contain the damage. Some say there is now and will continue to be a 'Cold War' dynamic that limits severe harm due to the threat of mutually assured disruption. Some say the threat is 'exaggerated'
Futurology: The Cyber Attack Might Be Coming (US News and World Report) In 2004, experts predicted a devastating attack by 2014. It hasn't happened, but are we in the clear?
Major cyberattack coming, experts warn (The Hill) Cybercrime costs the global economy an estimated $400 billion a year, and as it grows in scale and sophistication, law enforcement is having to do the same
How Y2K Changed the Field of Cybersecurity Technology (Security Magazine) When looking at the cyber technology market over the past 15 years, it is evident that the catalyst for cyber evolution was Y2K. Prior to the Y2K frenzy, "cybersecurity" was masked in the systems engineering function, and external threats consisted of hackers looking to leverage free computing capabilities with very little focus on information/data access or network destruction
CurrentC Scuffle With Apple Pay Highlights Consumers' Security Concerns (Forbes) This week's skirmish over digital wallet turf brought out the real apprehension shoppers feel over data security
The security threat of unsanctioned file sharing (Help Net Security) Organisational leadership is failing to respond to the escalating risk of ungoverned file sharing practices among their employees, and employees routinely breach IT policies and place company data in jeopardy, say the results of the "Breaking Bad: The Risk of Unsecure File Sharing" report by Intralinks Holdings and Ponemon Institute
Marketplace
Company boards 'not prepared' for cyber attacks (Financial Times) Cyber attacks are a growing threat to businesses but board-level executives do not have a grip on the problem, according to investors and industry experts
Why Big Banks Are Cracking Down on Law Firm Security Gaps (Cyveillance Blog) Even before this summer's spate of breach announcements by some of the country's biggest institutions, financial industry regulators had begun urging banks — and their vendors — to step up their cyber security programs. Various regulatory bodies, including the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority, are now seeing increasing urgency in examining the preparedness of brokerages, banks, and credit unions for dealing with cyber threats, according to an article last week in the New York Times
Retailers Now Actively Sharing Cyberthreat Intelligence (Dark Reading) The retail industry's R-CISC has been up and running for four months now and is looking for more retailers to sign up
Retailers accuse credit unions of talking smack about card breaches (Ars Technica) Letter calls out credit unions for spreading "misleading" info to media, Congress
The Bill for Cybersecurity: $57,600 a Year (Bloomberg BusinessWeek) Hackers have made the Internet a scary place to do business, as recent headlines attest. Big companies have been hacked. Small companies have been hacked. As the Pew Research Internet Project reported earlier this week, cyberattacks are likely to get worse
Motorola is now officially part of Lenovo (Ars Technica) Lenovo and Motorola say they will continue to ship stock Android devices
Lockheed plans new health IT acquisition (Washington Technology) Lockheed Martin is acquiring Systems Made Simple, a health IT company that just cracked the Washington Technology Top 100 for the first time this year
Endgame Reports Record Growth for 2014; Adds Two New Executives (PRNewswire) Endgame, Inc., a leading provider of security intelligence and analytics solutions that give enterprises real-time visibility and actionable insight across their digital domains, today announced record growth for 2014. In the first three quarters of 2014
Fortscale Joins McAfee Security Innovation Alliance (Fort Mill Times) Company is showcasing its User Behavior Analytics Solution at FOCUS14 McAfee Security Conference in Las Vegas
Products, Services, and Solutions
Facebook announced it is now providing direct access to its service over the TOR network (VentureBeat) In an early morning blog post, no doubt targeted at overseas users, Facebook is experimenting with providing direct access to its social network over the TOR network
Petition targets Apple over 'spyware' in OS X Yosemite (CSO) Spotlight results spark privacy concerns
McAfee security products to gain integrated threat intelligence feeds (TechTarget) Customers and partners like the new effort by the Intel-owned security vendor to integrate threat intelligence feeds with all of its existing products, but analysts are leery of lacking threat intelligence standards
Top 10 Municipal Government Selects HawkEye G for Advanced Threat Protection (Nasdaq) Hexis Cyber Solutions (Hexis), a wholly-owned subsidiary of The KEYW Holding Corporation (Nasdaq:KEYW), and a provider of advanced cybersecurity solutions for commercial companies and government agencies, today announced that HawkEye G has been selected by a top 10 U.S. municipal government for advanced threat detection and automated malware removal. This municipal government will also deploy HawkEye AP to collect, store, and analyze mass quantities of event data
CBTS Advanced Cyber Security Earns the NSA's Prestigious Cyber Incident Response Accreditation (BusinessWire) CBTS, a leading technology solutions provider, today announced that its Advanced Cyber Security division has earned the National Security Agency's (NSA) Cyber Incident Response Assistance (CIRA) certification. The NSA uses this new accreditation to show that they have vetted the people, policies, and procedures of an organization and declared them to be the state-of-the-art capabilities needed for rapid cyber security support to high-level government agencies
Policy Patrol 10 Boosts Email Security And Threat Prevention For Exchange (Business Solutions) Red Earth Software, developers of email management solutions, recently released Policy Patrol version 10, the latest version of their email security software for Microsoft Exchange Server. Policy Patrol 10 offers increased protection from email security risks with improved anti-phishing and integrated multi anti-malware scanning, along with an improved user interface and new dashboard
Technologies, Techniques, and Standards
NIST Guide to Cyber Threat Information Sharing open for comments (Help Net Security) NIST has announced the public comment release of Draft Special Publication (SP) 800-150, Guide to Cyber Threat Information Sharing
Biggest ever cyber security exercise in Europe is underway (Help Net Security) More than 200 organisations and 400 cyber-security professionals from 29 European countries are testing their readiness to counter cyber-attacks in a day-long simulation, organised by the European Network and Information Security Agency (ENISA)
Chip & PIN vs. Chip & Signature (KrebsOnSecurity) The Obama administration recently issued an executive order requiring that federal agencies migrate to more secure chip-and-PIN based credit cards for all federal employees that are issued payment cards. The move marks a departure from the far more prevalent "chip-and-signature" standard, an approach that has been overwhelmingly adopted by a majority of U.S. banks that are currently issuing chip-based cards. This post seeks to explore some of the possible reasons for the disparity
Next-generation malware: Think like the enemy and avoid the car alarm problem (SC Magazine) When it comes to enterprise security, one rule remains constant — attacks will continue to increase in sophistication and attackers will seek to outmaneuver existing defenses. Next-generation malware attacks are VM evasive, can come via social engineering or physical delivery (a USB drive), and be targeted to a specific folder, or application, that a business is known to use regularly. Some attacks have the ability to hide in plain sight, lulling sandboxing technologies into thinking that they are benign until a pre-programmed date. Multi-state and multi-vector attacks, coming from different places, are an increasingly common tactic of next-gen malware
Anything You Post Can and Will Be Used Against You (Tripwire: The State of Security) Undoubtedly, we've all found ourselves surfing the web for answers when we stumble upon someone we know, posting something that piques our curiosity on social media. After all, isn't that one of its purposes?
CSAM Month of False Positives — False Positives from Management (Internet Storm Center) Often the start of a problem and its solution is receiving a call from a manager, project manager or other non-technical decision maker. You'll know going in that the problem is absolutely real, but the information going in might be a total red herring
3 ways to make your Gmail account safer (Naked Security) Following on from our detailed guide to securing your webmail, here's a quick breakdown of how to make the most important fixes, for users of Google's Gmail
Design and Innovation
Changing the Way We Fight Malware (Security Watch) Microsoft is sitting on an absolute gold mine of information. The Malicious Software Removal Tool (MSRT) running on billions of computers worldwide and every Windows Update process sends a ton of non-personal telemetry back to Microsoft Central. This data could help antivirus companies and academic researchers develop better ways to fight malware. In a keynote speech for the 9th IEEE International Conference on Malicious and Unwanted Software (Malware 2014 for short), Microsoft's Dennis Batchelder explained just what the software giant plans to do with all that data and it's not what you might expect
Hacker Dreams Up Crypto Passport Using the Tech Behind Bitcoin (Wired) If bitcoin's true believers ever found their tax-free libertarian utopia, Christopher Ellis could be in charge of the passport office
My Fascination with Daniel Krawisz and his Negative Stance on Altcoins (Bitcoin Magazine) Daniel Krawisz has made a name for himself as the philosophical opponent to competing currencies. He takes issue specifically with competing crypto currencies such as Litecoin, Dogecoin, and other alternatives to Bitcoin
10 open source tools to make Docker even more powerful (IT World) Better management, Web front ends, improved visibility into container apps — the Docker ecosystem is evolving quickly, thanks to its vibrant open source community
Research and Development
Cars, toasters, medical devices add to DHS's cyber headaches (Federal News Radio) Cars, medical devices and even toasters are among the facets of life that are quickly becoming Internet based. This is why the Homeland Security Department already is working on cybersecurity technologies for these and many other everyday devices
Experts warn that using big data to predict terrorist threats won't work (FierceHomelandSecurity) Canada is considering beefing up surveillance laws to collect more information about its citizens, who travel abroad, and share it with international partners as a way to spot and prevent home-grown terrorism. But experts say there's no evidence that such methods can actually work
Academia
IBM Boosts Cyber Security Education Efforts (eSecurity Planet) IBM is investing in outreach to universities in a bid to better educate future security professionals
Students Attend CSI CyberSeed Challenge (Syracuse University iSchool Newsroom) Last week, four students from the School of Information Studies (iSchool) traveled to the University of Connecticut to compete in the CSI CyberSeed Capture the Flag Challenge
Legislation, Policy, and Regulation
Nato frontline in life-or-death war on cyber-terrorists (Guardian) From attackers trying to bring down planes to criminals targeting banks, the danger is growing
Proposed bill calls for more oversight and accountability for Canada's electronic spy agency (Ottawa Citizen) There will be a second reading of the CSEC Accountability and Transparency Act this afternoon in the House of Commons (as this is being posted)
U.S. Chamber Warns Cyberattack Disclosures Could Hurt Corporate Profits (Wall Street Journal) Chamber tells SEC mandatory disclosures could 'paint a target' on companies' backs
US military to secure cyberspace (Mybroadband) The US military is looking to flex its muscles in cyberspace as a "deterrence" to hackers eyeing American targets
VA Buckles Down On Cyber Security, Program Management (InformationWeek) Agency refocuses IT priorities on data protection, on-time project delivery to overcome past poor performance
Litigation, Investigation, and Law Enforcement
Rogers downplays NSA moonlighting controversy (Fedscoop) One of the first things Adm. Mike Rogers did when he took the helm as the 17th director of the National Security Agency was ask his staff to find ways to, in his words, "create a more permeable membrane" between the private sector and the agency so stronger partnerships could be developed. Now, just six months later, it seems that membrane may have some holes that allowed a couple of senior agency officials to keep one foot in the NSA and its secrets, and the other foot in private enterprise with all of its monetary temptations
'Whistleblowers do incredible damage to US intelligence' (Russia Today) When it comes to dealing with terrorism US intelligence community feels like it operates with one hand tied behind their back because of whistleblowers like Snowden and Manning, intelligence analyst Glenmore Trenear-Harvey told RT
Colombian Senate to Examine Peace Process Sabotaging Attempts (Prensa Latina) Colombian senator Iván Cepeda assured he will promote a debate on the attempts to jeopardize the peace process in Havana between the government and the guerrilla FARC-EP
AOL Releases Transparency Report, Lobbies for USA Freedom Act (Threatpost) Noting that Saturday was the 13th anniversary of the passage of the USA PATRIOT Act, the Web giant AOL this week released its latest transparency report, detailing estimations of how many Foreign Intelligence Surveillance Act (FISA) orders and National Security Letters (NSLs) it's received in the last six months
Police vs cartels in the high-tech battle to stop cybercrime (CNN) Cybercrime costs the global economy an estimated $400 billion a year, and as it grows in scale and sophistication, law enforcement is having to do the same
What cops need to know about Apple's iOS 8 lockout (Forensic Focus) In mid-September, Apple rolled out iOS 8 for users of the more recent models of the iPhone, iPad, and Mac computers
NYPD Commissioner vows to push against Apple, Google smartphone encryption (HackRead) NYPD Commissioner Bill Bratton has vowed to push for legislation against the two tech giants after they announced new operating systems that come with encryption, preventing access to law enforcement officers
Secret Manuals Show the Spyware Sold to Despots and Cops Worldwide (Intercept) When Apple and Google unveiled new encryption schemes last month, law enforcement officials complained that they wouldn't be able to unlock evidence on criminals' digital devices. What they didn't say is that there are already methods to bypass encryption, thanks to off-the-shelf digital implants readily available to the smallest national agencies and the largest city police forces — easy-to-use software that takes over and monitors digital devices in real time, according to documents obtained by The Intercept
Pirate Bay co-founder faces up to six years in jail (ComputerWeekly) Pirate Bay co-founder Gottfrid Svartholm Warg faces up to six years in jail after being convicted of hacking computers in Denmark