
The CyberWire Daily Briefing 12.18.14
Widespread reports, sourced to "senior Administration officials unwilling to speak on the record," say the US has fingered the North Korean government as responsible for (or at least "centrally involved" in) the Sony hack. Some observers (notably Graham Cluley and Wired) think evidence of DPRK involvement is thin. Most, however, find the story convincing. Policy wonks and international lawyers speculate about US Government action should the attribution hold up. Mount a cyber counteroffensive? Wage lawfare against the financial interests of Kim Jong-un's associates? Do nothing? (Some point out that doing nothing risks emboldening known cyber adversaries Russia, China, and Iran.)
Whatever the attack's provenance, it's had considerable effect. Sony has deep-sixed "The Interview," and Fox has cancelled plans for a North-Korea-themed thriller. Officials dismiss the credibility of terror-attack threats, but many observers think caving in on movie projects gave attackers what they wanted, setting a bad precedent.
Elsewhere, the Kims have competition as media critics: the Syrian Electronic Army hacked the International Business Times to protest "bias." More seriously and lethally, ISIS appears to be working in cyberspace to identify and locate unsympathetic citizen journalists.
In cyber criminal circles, OphionLocker ransomware can now identify individual machines, thereby avoiding unprofitable re-attacks. Akamai warns of "Xsser," a mobile RAT affecting Android and iOS devices. Banking Trojans active against South Korea are using Pinterest for command-and-control. Applications are becoming increasingly attractive targets.
Want to see the effects of the burgeoning IoT? Watch what happens December 25, when connected presents are unwrapped and powered up.
Notes.
Today's issue includes events affecting Australia, China, India, Indonesia, Iran, Japan, Democratic People's Republic of Korea, Republic of Korea, Nepal, Netherlands, Organization of American States, Qatar, Russia, Saudi Arabia, Suriname, Syria, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
U.S. Said to Find North Korea Ordered Cyberattack on Sony (New York Times) American officials have concluded that North Korea was "centrally involved" in the hacking of Sony Pictures computers, even as the studio canceled the release of a far-fetched comedy about the assassination of the North's leader that is believed to have led to the cyberattack
State-sponsored or not, Sony Pictures malware "bomb" used slapdash code (Ars Technica) Malware was just good enough to do the job, perhaps what North Korea intended
US reportedly blaming North Korea for Sony Pictures hack. But why? (Graham Cluley) The New York Times is reporting that the White House is pointing the finger of blame at North Korea for the hack of Sony Pictures
The Evidence That North Korea Hacked Sony Is Flimsy (Wired) Today Sony canceled the premiere of "The Interview" and its entire Christmas-Day release of the movie because of fears that terrorists might attack theaters showing the film
U.S. Said Set to Blame North Korea for Sony Cyber Attack (Bloomberg) U.S. officials plan to announce this week that North Korea is behind the cyber-attack that crippled Sony Pictures Entertainment computers and forced the studio to pull "The Interview," a person briefed on the FBI probe said
If North Korea hacked Sony, hit his cronies where they hurt — their wallets (Reuters) Moviemakers strive to outdo themselves with fantastic plots, super-heroes and special effects. But the hack of Sony Pictures Entertainment this month proves that, even in Hollywood, reality is still stranger than fiction
North Korean Role in Sony Hack Presents Quandary for U.S. (Wall Street Journal) U.S. officials' conclusion that Pyongyang was behind the hacking attack on Sony Pictures has raised the difficult question of how Washington should respond to an aggressive act by a foreign government
International Law and Cyber Attacks: Sony v. North Korea (Just Security) It could only happen in the movies. A major Hollywood company produces a film starring well-known comedic actors which involves the tongue-in-cheek assassination of the leader of a remote and rather bizarre dictatorship. The "supreme leader" apparently orders a secret group of cyber warriors calling themselves "The Guardians of Peace" (in actuality, the State-run "Bureau 121") to retaliate by attacking the company's IT system. Data is destroyed, sensitive personal data and highly embarrassing emails are made public and, worst of all, the script for the new James Bond movie is leaked. The international community is outraged, with some pundits calling it "war," while others claim that the operation has crossed the armed attack threshold thereby allowing the United States to respond forcefully. Send in the 7th Fleet
Five biggest theater chains pull 'The Interview' over threats (USA TODAY) The country's five biggest theater chains will not screen The Interview due to hacker threats, multiple sources say
Setting the wrong precedent: Top theater chains drop Sony's 'The Interview' after threats (CSO) With a single message, Sony's attackers have won
The Sony hack is unprecedented — and the entire corporate world should take note (Quartz) So it's official: Sony has pulled The Interview from its scheduled release on Christmas Day…But the decision to formally pull the film is still hugely significant because the hackers are getting what they wanted
Feds Confirm North Korea Connection to Sony/The Interview Cyber Attack (IGN) Meanwhile, Sony says it has no DVD or VOD plans for the film
DHS Not Ready to Torpedo 'The Interview' Opening (Roll Call) International troublemakers Seth Rogen and James Franco may be ready to run for cover from the mystery hackers who've brought Sony to its horribly bruised knees, but the feds see no reason (yet) to deprive moviegoers of a few laughs on Christmas
Sony Cancels Movie, US Confirms North Korea Involvement, But Were Bomb Threats Empty? (Dark Reading) After the Sony hackers issue threats of physical violence and 9/11-style attacks, The Interview is being killed before it even premieres. But would the attackers have really blown up theaters?
North Korea-Based Thriller With Gore Verbinski And Steve Carell Canceled (Deadline Hollywood) EXCLUSIVE: The chilling effect of the Sony Pictures hack and terrorist threats against The Interview are reverberating. New Regency has scrapped another project that was to be set in North Korea. The untitled thriller, set up in October, was being developed by director Gore Verbinski as a star vehicle for Foxcatcher star Steve Carell. The paranoid thriller written by Steve Conrad was going to start production in March. Insiders tell me that under the current circumstances, it just makes no sense to move forward. The location won't be transplanted. Fox declined to distribute it, per a spokesman
Sony Pictures Employees Now Working In An Office "From Ten Years Ago" (TechCrunch) "It's been different for everyone," she said. She was upbeat, optimistic, even after finding out her bank account information had been traded on a black market website. She was worried her identity had also leaked. She imagined her private information on some forum somewhere and shuddered. She had a right to be concerned
Snapchat's Evan Spiegel 'Angry' and 'Devastated' Over Email Leak (re/code) Snapchat CEO Evan Spiegel has been dragged into the Sony cyberattack, and he's pretty upset about it
Syrian Electronic Army Hacks Intl. Business Times website For Biased Article (HackRead) The pro-Bashar Al Assad hackers from Syrian Electronic Army hacked the official website of online news publisher International Business Times (IBT) earlier today against an article posted on the site claiming "The Syrian Army Is Shrinking, And Assad Is Running Out Of Soldiers"
Is ISIS Trying To Unmask Syrians With Malware? (Forbes) It's not for certain, but a report today has suggested the Islamic State of Iraq and Syria (ISIS) or its supporters are trying to [identify and locate] citizen journalists critical of its actions. The aim of the attacks on the Raqqah is being Slaughtered Silently (RSS) campaign group was to unmask its operators' location. As reports have indicated ISIS has brutally shut down any form of activism in Ar-Raqqah, any information on RSS' whereabouts could put their lives in danger, according to the report by Citizen Lab, a research group primarily focused on digital attacks targeting activists
Hacked emails reveal China's elaborate and absurd internet propaganda machine (Quartz) "NOTICE: We request every internet commenter carry out the following task today," begins an email from the supervisor. It's just another day in the propaganda department of Zhanggong, a district in southeast China's modestly sized city of Ganzhou. Employees and freelancers are paid to post pro-government messages on the internet, part of a broader effort to "guide public opinion," as the Chinese Communist Party frequently puts it
ICANN targeted by Spear Phishing attack, several systems impacted (CSO) ICANN says that multiple employees had their credentials compromised
New ransomware avoids hitting the same victim twice (CSO) A new strain of ransomware, OphionLocker, generates a unique hardware identifier for each new infected machine so that it can avoid hitting the same victim twice
Your Browser is (not) Locked (Microsoft Malware Protection Center) Most ransomware has a binary file that needs to be executed before it can infect your PC. Ransomware usually relies on social engineering or exploits to infect unsuspecting users. However, some malware authors are bypassing this requirement with a new trick — browser lockers
Xsser Malware Targeting iOS, Android Devices (SecurityWeek) Researchers at Akamai Technologies released an advisory today about a mobile remote access Trojan (mRAT) used to target iOS and Android devices
Watch that Pin: Trojans Are Now Using Pinterest (Cyveillance) New Trojans targeting banks in South Korea have been using Pinterest as a command and control channel
Security Firm Faults Coolpad Software (Nasdaq) Silicon Valley online security firm Palo Alto Networks Inc. said some mobile phones made by Chinese smartphone maker Coolpad Group Ltd. contain software that allows the handset vendor to install applications onto users' phones without their knowledge, raising privacy and security concerns
CyActive Analysis Reveals Staggering 35 Reused Components in Top Five Malware Attacks of 2014 (PRNewswire) Following a year of massive security breaches that targeted some of the world's largest financial and retail institutions as well as governments and militaries, cyber security startup CyActive today released "Cyber Security's Infamous Five of 2014". The comprehensive analysis identifies the top five malware that returned the highest ROI for hackers with the least effort per dollar — achieved by recycling code and using the same methods from previous malware attacks to once again inflict damage. All in all, there were 35 reused components in the top five attacks
The New Target for State-Sponsored Cyber Attacks: Applications (Ars Technica) Skilled hackers are now using simple web application vulnerabilities like SQL Injection to take over database servers. Are you prepared to defend against this new type of threat actor?
Application Threat and Usage Report 2014 (Help Net Security) The Application Usage And Threat Report provides an analysis of applications and their link to cyber threats within the enterprise
Researchers confirm multiple Google App Engine security sandbox bypasses (Help Net Security) Polish firm Security Explorations, which announced last week that they found over 30 serious security issues in the Java security sandbox of the Google App Engine (GAE), has been permitted by Google to continue their investigation
Malvertising: 5 Lessons for Companies & Employees (InformationWeek) We could expect more from this repackaged e-threat
Security Patches, Mitigations, and Software Updates
Google starts blocking badly behaving Gmail extensions (Help Net Security) How to deal with untrustworthy third-party add-ons that could endanger your own users? Prevent them from loading — if you can
Cyber Trends
The Ultimate Goal of Digital Attacks (Trend Micro: Simply Security) For the final blog post in the series supporting the release of our Q3 Threat Roundup "Vulnerabilities Under Attack" I was asked to write "an analysis of security challenges faced by users." Fortunately I have the source material of the Threat Roundup to stick to because really, that's a subject deserving of a series in its own right
Cybersecurity Breaches Making Users More Savvy, but Vulnerabilities Persist (SIGNAL) Sensational data breaches such as the recent hacking of Sony Pictures Entertainment, in which employees' personal information such as Social Security numbers, salary details and emails not only were stolen but publicly disseminated, make for great headlines and capture people's attention — mainly because the public can relate to the breaches. The headline-grabbing attack leaves people thinking that this could happen to them
December 25: The Day Internet of Things Devices Go Online En Masse (Fast Company) This Christmas, experts have worried about the way that the "Elf on the Shelf" conditions their kids to accept a surveillance state. But the actual monitors are more likely to be under the tree: For kids, the RC helicopter gets connected to a smartphone and the cute little robot has to get set up with its own social network to the list. And it's the same with gifts to adults: the Wi-Fi-enabled coffee maker, the smart watch that gives you weather and traffic alerts or a smart home kit that lets you turn off the lights or shut off your water with the touch of a button
Emerging Threats in the APT World: Predictions for 2015 (Sys-Con) For several years now, Kaspersky Lab's Global Research and Analysis Team (GReAT) has shed light on some of the world's biggest Advanced Persistent Threat (APT) campaigns, including Red October, Flame, NetTraveler, Miniduke, Epic Turla and Careto/Mask
IBM Security Study: Cyber Break-ins Overwhelming Enterprises' Defenses (The VAR Guy) A new IBM survey of enterprise chief information security officers, security executives and CIOs indicates a majority believe they are outgunned by a rising tide of external threats
Fears over the IT security of new banks are overblown (ComputerWeekly) Challenger banks such as PayPal, as well as internet giants such as Google, are perceived to be less secure than traditional banks when it comes to protecting personal data. But is this the case?
Banks use lots of cloud services but are unaware (ComputerWeekly) A survey of US banks has revealed they underestimate the scale of cloud use on their networks
Business interrupted: Telstra reveals Australia's security breach impact (ZDNet) Nearly a quarter of Australian organisations have suffered an interruption to their business due to an IT security attack or breach over the past 12 months, according to new research by Telstra
Cyber, intellectual property fraud on the rise in India: Deloitte (Business Standard) Latest study shows the nature of frauds is increasingly getting sophisticated
Marketplace
Should Your Company Get Cybersecurity Insurance? (Inc.) More and more companies are buying insurance to protect themselves from the financial disaster caused by data breaches like the one Sony suffered
Security appliances continue growth trajectory (IT-Online) According to the International Data Corporation (IDC) Worldwide Quarterly Security Appliance Tracker, both factory revenue and unit shipments continued to grow in the third quarter of 2014 (3Q14). Worldwide vendor revenue grew 10% year over year to nearly $2,4-billion for the 20th consecutive quarter of positive growth
Medical Device Cybersecurity: One-off or Overall Strategy? (Veracode) According to recent data from MarketsandMarkets, the market for portable medical devices will be worth $20 billion by 2018. One key factor in this growth is the "availability of a wide range of medical software applications" that allows manufacturers and health agencies to custom-design medical devices to meet specific needs
Will Smartwatches' Vulnerability to Hackers Be a Big Setback? (Wall Street Cheat Sheet) Smartwatches communicate constantly with smartphones, passing information about text messages, meetings, Facebook notifications, and biometric measurements back and forth countless times a day. But researchers have shown that all of those communications may not be as secure as we'd like to believe. A vulnerability that exists due to the way the Android Wear operating system handles Bluetooth communications leaves users' messages, biometric data, and any other information passed between the smartwatch and a paired Android smartphone susceptible to interception by hackers
New England security group shares threat intelligence, strives to bolster region as cybersecurity mecca (Network World) Core members of the Advanced Cyber Security Center meet twice monthly to discuss the latest threats
Palo Alto Networks Overtakes Fortinet In Network Security Market (CRN) Palo Alto Networks overtook Fortinet in the network security market, taking third place in IDC's Worldwide Quarterly Security Appliance Tracker
CIO Review Names NIKSUN in the Top 50 IoT Companies (BusinessWire) NIKSUN well-positioned in protecting the Internet of things
Teradata acquires archival app maker RainStor (ZDNet) The deal marks Teradata's fourth acquisition in the last six months, as the company aims to round out its portfolio of services that run on top of Hadoop
Riverbed agrees to private equity buyout (MicroScope) Thoma Bravo and Ontario Teachers' Pension Plan are to buy network and application performance specialist Riverbed for $21 per share
Security firm Edgewave nabs $8M to help smaller businesses track threats (VentureBeat) Cyber security firm Edgewave has raised another $2 million in funding, bringing its total Series A round to $8 million
Rapid7 Receives $30 Million Investment to Accelerate Growth and Strong Traction of New Security Data Analytics and Strategic Services Offerings (Rapid7) Rapid7, a leading provider of security analytics software and services, today announced that it has received $30 million in additional funds from its long-standing investors, Bain Capital and Technology Crossover Ventures (TCV). The stockholders increased their investment in Rapid7 to enable the Company to maximize on the incredible growth opportunity presented by its latest innovative technology and strategic security services, which help customers radically improve security incident detection and speed response, and build better enterprise security programs. Interest in these offerings has been so compelling that Rapid7's leadership and investors capitalized on a timely opportunity to further the development of the solution and market while continuing to drive innovation in the Company's core threat exposure management portfolio
Blue Coat Cloud Security Service and Threat Intelligence Solutions Win Information Security 2014 Readers' Choice Awards (Marketwired) Blue Coat Cloud Service and WebPulse named as industry-leading security solutions by users
Sansa Security Announces Membership in the Thread Group (Marketwired) Sansa Security, a leading provider of embedded security technologies, today announced that it has joined the Thread Group, an industry organization dedicated to market education and product certification for Thread, a low-power, wireless mesh networking protocol designed to easily and securely connect hundreds of devices in the home
IOActive Expands Vehicle Security Service Practice (Dark Reading) Vehicle security researcher Charlie Miller joins IOActive Advisory Board
LightCyber Appoints Gonen Fink as CEO, Spearheads Active Breach Detection Market (PRNewswire) LightCyber, a leading provider of Active Breach Detection solutions, announced today that Gonen Fink was recently appointed as the company's CEO. The company also announced the establishment of its global sales and marketing headquarters in Los Altos, CA, as well as the expansion of R&D operations in Israel
AXON Ghost Sentinel, Inc. Names Michael Markulec as President & CEO (PRWeb) AXON Ghost Sentinel, Inc. (AGS) announced that its Board of Directors has appointed Michael Markulec as President & CEO, effective immediately. Mr. Markulec assumes the CEO role previously held by Kent Murphy, who will become Chairman of AGS's board of directors, and the President's role from Hugh Brooks, who will now lead product development
Products, Services, and Solutions
Crowdstrike: On a Mission to Find Malware-Free Attacks (eSecurity Planet) Crowdstrike CTO Dmitri Alperovitch explains how his company's newest Falcon platform improves security with detection and prevention
Google Chrome tops list for security vulnerabilities… and it's not a bad thing (PC Pro) A report from software vulnerability experts Secunia has revealed that security flaws in Google Chrome rose from 64 in August 2014 to 162 in October of the same year. Fellow web browser Avant was next highest-listed software product with 159, before the figures fell sharply with iTunes' comparatively low number of 83 vulnerabilities
NuSource Financial to Partner with Blue Ridge AppGuard® Software Solution for ATM Security (PRNewswire) Blue Ridge Networks, an established cybersecurity provider, announces a partnership with NuSource Financial to incorporate AppGuard security on Automated Teller Machines (ATMs)
Cimcor's CimTrak Enhances Support for Amazon Linux AMI (Virtual Strategy Magazine) CimTrak 2.0.6.18 has new features that support Amazon's Linux AMI-based cloud services
Gemalto enables KDDI to offer secure high-definition audio services over LTE network (Nasdaq) Gemalto (Euronext NL0000400653 GTO), the world leader in digital security, announces it will provide KDDI with its UpTeq multi-tenant LTE SIM to secure their Voice over LTE (VoLTE) services. KDDI is a leading operator in Japan with 40 million subscribers
Lastline Adds OS X Support and Unlimited 10 Gbps Sensors in 6.0 Release of Its Breach Detection Platform (Dark Reading) Lastline next-generation sandboxing, threat intelligence and breach event correlation engineered to handle 20x increase in evasive malware
Cryptomathic and OMA Emirates to improve Himalayan Bank's card issuing (BBR) Nepal-based Himalayan Bank has implemented Cryptomathic's data preparation system, CardInk and OMA Emirates' personalisation software, NanoPerso, into its production environment to facilitate the issuance of its entire debit and credit card portfolio
CertainSafe Ultra-Secure, File Sharing is Honored in PC Magazine's Coveted 'Technical Excellence Award in Security' (PRNewswire via Broadway World) CertainSafe, a global provider of highly secure data security solutions, today announced that it was named to PC Magazine's 2014 Technical Excellence Awards in the category of Security, which features "breakthroughs that will change the future"
German Security as a Service Company Deploys CYREN Technology (PRNewswire) CYREN (NASDAQ: CYRN) today announced that Hamburg, Germany-based secucloud GmbH will integrate CYREN Embedded Antivirus and URL Filtering technology into its family of Elastic Cloud Security System (ECS²) solutions
Hitachi Solutions Signs Distributor Agreement With vArmour (Sys-Con Media) vArmour brings east-west virtual protection to Japanese enterprises with a single security platform
Esentire Releases Cybersecurity Documentation Framework Featuring Infosec Policy, Incident Response Guidance (Dark Reading) Culled from years of industry expertise, this Information Security Policy Framework provides Registered Investment Advisors the means to proactively document and manage their defense posture while responding to due diligence and regulatory requirements
Barracuda Taps Bugcrowd to Manage Bug Bounty Program, Promotes Responsible Disclosure (Broadway World) Bugcrowd, the innovator in crowdsourced security testing for the enterprise, today announced the launch of Barracuda's revamped Security Bug Bounty Program on the Bugcrowd platform
Norton Security 2015 Review: One Size Fits All (Tom's Guide) A good antivirus program is a critical part of any PC software suite, and one of the best options is Norton Security 2015, which includes a sleek, well-organized interface, a top-notch antivirus engine and many other security and privacy features
Arxan Integrates With IBM Security AppScan and Trusteer Products (MarketWatch) Arxan Technologies, the industry-leading provider of application protection solutions, has announced expanded solutions for IBM Security's AppScan and Trusteer products
Stop Waiting For File Encryption With TrueCrypt Alternative By Jetico (Herald Online) Jetico, leading developer of security software, has announced the immediate availability of BestCrypt Container Encryption version 9.0. Jetico's long-trusted file encryption offers a unique advantage in its TrueCrypt alternative by delivering instant access to dynamic containers. Already fully compatible with Windows® 8, this new version allows users to encrypt files on Windows® 10 Technical Preview
Recorded Future Launches New Cyber Threat Insights Report: Valuable context for defenders (CTOvision) Recorded Future has launched a new free service for cyber defenders which I am finding valuable for situational awareness. This new cyber daily provides technical indicators and context around vulnerabilities making them more understandable and helping put them in context. My view is their report can be helpful to both security executives and more operational and tactical defenders since it can help both prioritize actions and discuss the need to mitigate specific concerns
HideIPVPN — One of the Simplest VPN Tunnelling Solutions out there (HackRead) Have you heard of HideIPVPN? We hope you will have for sure if you have ever asked experts about a good, effective and easy to use VPN Tunnelling solution
Technologies, Techniques, and Standards
Public comment sought on NIST draft on developing metrics to select cloud providers (FierceGovernmentIT) The National Institute of Standards and Technology is seeking public comment on a new draft guide that could help government agencies and other organizations make better decisions in choosing the right cloud computing provider for them
Hey, You, Get Off of My Cloud! Cloud Security Basics (B2C) Lately, it seems like everyone is "in the cloud"; big corporations, small businesses — you name it. But as we've learned time and time again, great technological advances don't come without security risks. Though it's quickly been adopted by organizations all over the spectrum, cloud computing is still a fairly new concept and, as with anything new in our technological age, it can take a while for security measures and legal policies to catch up. For now, that means it's your job to make sure your information, and that of your customers, is protected
Design and Innovation
Google Releases End-to-End Chrome Extension to Open Source (Threatpost) Google yesterday announced that it has released the source code for its End-to-End extension for Chrome to open source via GitHub
Complex Solutions to a Simple Problem (KrebsOnSecurity) My inbox has been flooded of late with pitches for new technologies aimed at making credit cards safer and more secure. Many of these solutions are exceedingly complex and overwrought — if well-intentioned — responses to a problem that we already know how to solve. Here's a look at a few of the more elaborate approaches
BlackBerry Classic arrives touting what's old is new again (ZDNet) Dubbed the BlackBerry Classic, the Canadian tech giant is emphasizing an intentional return to the drawing board as one of the biggest selling points here
Research and Development
Attack on classical cryptography system raises security questions (Phys.org) How secure is completely secure? In the world of secure communication, a scheme may be completely secure until it's not — that is, until an attack is proposed that reveals a weak spot in the scheme. This is what's currently going on for Kish key distribution (KKD), which claims to derive total and unconditional security using classical rather than quantum techniques, thus avoiding the complexity and expense of quantum cryptographic schemes. But now a new paper has uncovered a vulnerability in KKD that enables an eavesdropper to correctly determine more than 99.9% of the transmitted bits. Fortunately, countermeasures may exist to protect against this attack and regain the system's security
IARPA to Discuss Cyber Attack Forecast Modeling Program with Industry (ExecutiveGov) The Intelligence Advanced Research Projects Activity will hold a proposers' day next month to discuss an upcoming industry competition for work to develop cyber risk prediction and detection methods
DHS cyber division opens up on R&D (FCW) While the Department of Homeland Security regularly spins off other federal agencies' technologies into the private sector for further development, it has also been doing the same — with less fanfare — for DHS-developed cybersecurity technologies
Kaprica Security Chosen by DARPA To Help Improve Vehicle Security (PRNewswire) Kaprica Security™ Inc., an expert in the field of cyber security, mobility and cloud software, has been awarded a Department of Defense (DOD) contract to strengthen U.S. military-vehicle and related connected-car security systems
Academia
Girls Who Code Expands To Get More Young Women In Computer Science Majors (TechCrunch) The computer science gender gap struggle in Silicon Valley is real. A mere 17 percent of Google's tech workers are women. It's 15 percent at Facebook. Similar stats can be found at most of the larger tech companies
Legislation, Policy, and Regulation
OAS Begins Supporting Suriname in the Development of a National Cyber Security Plan (SKNVibes) The Organization of American States (OAS) today concluded a two-day mission in Suriname for preparatory meetings geared towards information gathering to assist in the development of a National Cyber Security Plan. This mission consisted of an initial assessment of the current cyber security situation in the country, through the convening of stakeholders from a number of sectors, such as government, civil society, academia, and critical infrastructure operators. Facilitated by OAS experts, discussion groups were organized to identify cyber security gaps and needs
Obama signs $1.1T spending bill into law (Military Times) President Obama signed the $1.1 trillion federal spending measure into law Tuesday, officially ending any threat of a government shutdown over the holidays
Congress sets limits on overseas data collection (Washington Post) A little-noticed provision in the Intelligence Authorization Act passed by Congress last week puts restrictions on spy agencies' ability to keep communications collected overseas, but critics say it does not go far enough to protect Americans' privacy
DoD allows vetted commercial cloud services for sensitive unclassified data, updated guidance says (FierceGovernmentIT) The Defense Department can use commercial cloud services to host sensitive unclassified data as long as providers meet certain security requirements, according to a Dec. 15 memo that provides updated guidance from Acting Chief Information Officer Terry Halvorsen
NACS Sends Letter Addressing Errors in Recent Testimony (National Association of Convenience Stores) Earlier this week NACS sent a joint trade association letter to Thomas Curry, Comptroller of the Currency, in response to some inaccurate testimony his agency provided during a cybersecurity hearing in the Senate Banking Committee on December 10. The testimony, offered by Valerie Abend, senior critical infrastructure officer from the Office of the Comptroller of the Currency (OCC), was startlingly uninformed about the way the payment card system allocates data breach liability and did not address the focus of the hearing: enhancing cybersecurity coordination to protect the financial sector
Making the Internet a utility — what's the worst that could happen? (Ars Technica) A cable lobby lawyer reveals the industry's darkest fears
Litigation, Investigation, and Law Enforcement
Agencies not always leveraging FedRAMP correctly in cloud contract language, say GSA officials (FierceGovernmentIT) Two and a half years in, the Federal Risk and Authorization Management Program, which aims to help agencies and departments more quickly and securely procure cloud services, is being adopted in pockets across the federal government, but not always correctly, said General Services Administration officials during a Dec. 16 press briefing
Health Care Industry Puts a Price Tag on Unpatched Software (WindowsITPro) Last week it was reported that federal regulators have issued a sanction against an Alaskan mental health service provider, due to, of all things, not being up-to-date on software patches. Fined $150,000 under HIPAA, Anchorage Community Mental Health Services failed to apply available software patches and was subsequently infected with malware that led to the theft of personal information belonging to 2,700 individuals
GAO: DOD doesn't know if testing ranges are vulnerable to foreign firm spying (Stars and Stripes) The Defense Department does not know whether its hundreds of testing and training ranges in the U.S. are vulnerable to spying by foreign entities doing business near those properties, according to a report released Tuesday by the Government Accountability Office
Microsoft and Jakarta police team up to educate public on dangers of pirated software (Tech in Asia) In a report by Akamai Technologies last year, Indonesia was ranked as the number one source of hacking-related traffic in the world, overtaking China. The country is also a place where pirated software is used ubiquitously by individuals and businesses alike. Because pirated software often contains malware, the widespread use of inauthentic software in Indonesia poses a large daily threat to the nation's digital infrastructure
Activist group sues San Diego Police Department over "stingray" records (Ars Technica) Cops produced just one heavily redacted document, and nothing else
Cops illegally nailed webcam to utility pole for 6 weeks to spy on house (Ars Technica) A federal judge on Monday tossed evidence that was gathered by a webcam — turned on for six weeks — that the authorities nailed to a utility pole 100 yards from a suspected drug dealer's rural Washington state house
Navy engineer pleads not guilty to charges (Daily Press) A York County man accused of attempting to send to Egypt sensitive designs for the nation's newest aircraft carrier pleaded not guilty Wednesday to the two federal charges against him
Teenager pleads guilty to massive Spamhaus DDoS attack (Naked Security) A 17-year-old London schoolboy who was arrested last year has pleaded guilty to a distributed denial of service (DDoS) attack of unprecedented ferocity launched against the Spamhaus anti-spam service and internet exchanges, including the London Internet Exchange
For a complete running list of events, please visit the Event Tracker.
Newly Noted Events
National Cybersecurity Center Of Excellence (NCCOE) Speaker Series: Security In A Cyber World (Rockville, Maryland, USA, Jan 14, 2015) The National Cybersecurity Center of Excellence (NCCoE) Speaker Series showcases global thought-leaders to highlight critical cybersecurity issues of national importance. The keynote speaker will be Chris Inglis, former Deputy Director of the National Security Agency
Upcoming Events
Cyber Security Division 2014 R&D Showcase and Technical Workshop (Washington, DC, USA, Dec 16 - 18, 2014) The cybersecurity threat continues to evolve, and in order to keep ahead of it, new cutting-edge cybersecurity technologies are needed. DHS S&T's Cyber Security Division (CSD) is funding many R&D efforts through academia, small businesses, industry, government, and national labs. Each year CSD gathers these researchers along with our stakeholders and partners to present the status of the research CSD is funding, enable collaboration among the researchers and government agencies, and connect the technologies to transition partners. This year, we are excited to include an R&D Showcase featuring 11 innovative technologies selected from the CSD portfolio that address today's complex cybersecurity challenges and have the potential for transition into the marketplace
Cybersecurity World Conference (New York, New York, USA, Jan 9, 2015) Welcome to Cyber Security World Conference 2015 where renowned information security experts will bring their latest thinking to hundreds of senior business executives and officials focused on protecting the information of today's enterprises and government agencies, respectively. Cyber security experts will discuss topics such as protecting individuals and companies against cyber-attacks, cyber security in the Internet of Things age, biometrics as the future of security, risks brought by mobile computing, and protecting corporate and national infrastructure against foreign attacks
FloCon 2015 (Portland, Oregon, USA, Jan 12 - 15, 2015) FloCon is an open network security conference organized by Carnegie Mellon University
FIC 2015 (Lille, France, Jan 20 - 21, 2015) The International Cybersecurity Forum (FIC) forms part of a thinking and exchange process that aims at promoting a pan-European vision of cybersecurity and strengthening the fight against cybercrime, a priority for the European Union as stated in the Stockholm Programme for 2010–2015. Its objective is to open up the cybersecurity debate by bringing together security and risk management experts with non-specialists to enable them to compare viewpoints and lessons learnt
4th Annual Human Cyber Forensics Conference: Exploring the Human Element for Cloud Forensics (Washington, DC, USA, Jan 21 - 22, 2015) The Human Cyber Forensics Conference addresses the human element of cyber. Presentations will look at the tradecraft and efforts required to identify, understand, navigate, and possibly influence human behavior within and across networks. The conference will bring together subject matter experts to discover and share new means of recognizing human related cyber indicators, and the evolution of these human indicators in the coming decades. The Human Cyber Forensics Conference will focus on such topics as insider threat, next generation social engineering, progressive communications, neuroscience, social cognition, social media, and neuro-ethics
Cyber Security for Critical Assets: Chemical, Energy, Oil, and Gas Industries (Houston, Texas, USA, Jan 27 - 28, 2015) The Cyber Security for Critical Assets Summit will connect corporate security professionals with process control professionals and serve as a unique networking platform bringing together top executives from the USA and beyond. They are coming together not only to address the continuing cyber threats and set a precautionary framework, but, most importantly, to provide the necessary tools, insights, and methodological steps for constructing a successful security policy. These policies will, after all, protect the critical assets on which their companies depend
Data Privacy Day San Diego — The Future of IoT and Privacy (San Diego, California, USA, Jan 28, 2015) Join the Lares Institute, Morrison & Foerster, and the National Cyber Security Alliance for Data Privacy Day in San Diego. DPD San Diego will bring together privacy luminaries to discuss fundamental issues facing consumers and business, including in-depth panel discussions on privacy, the Internet of Things (IoT), and many other critical topics