The CyberWire Daily Briefing for 2.10.2014
The National reports that Dubai police social media accounts were hijacked by hacktivists over the weekend.
Reporters at the Sochi games say Russian authorities are clamping down on their use of private Wi-Fi. (Observers in the diplomatic press argue that cyber threats to the Olympics—so far more adumbrated than arrived—should motivate Russia and the US to closer security collaboration.)
The San Francisco Chronicle reports network intrusions hit medical device makers Medtronic, Boston Scientific and St. Jude Medical during 2013. The hackers appear to have been after intellectual property, and the compromises may have endured for several months. (The article cites a source "close to the companies," but no corporate disclosures.)
Barclays Bank suffers a breach that may have sent some 27,000 customers' data to dodgy "spank shops" trading commodities at inflated and thus effectively worthless levels.
New point-of-sale threats are discovered. Analysts debate whether Target's breach was in fact due to a "billing system" connection with Fazio Mechanical. In any case, network segmentation remains sound practice. Chip-and-pin systems may offer in-store protection, but may also (argue some security specialists) bring with them increased online vulnerabilities.
Ransomware's continued spread (with new stories of its unpleasant consequences for a law firm) serves as a reminder of another sound practice: regular backup.
Sophos buys Cyberoam. Telecommunications M&A chatter is up for Deutsche Telekom and Alcatel-Lucent, down for Sprint.
US collegiate cyber competitions see state and regional run-ups to national events. (Rose-Hulman, for example, just took the Indiana prize.)
US surveillance policy's evolution continues.
Notes.
Today's issue includes events affecting China, European Union, France, Italy, Republic of Korea, Russia, Turkey, United Arab Emirates, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Dubai Police social media accounts hacked (The National) A message posted on the Dubai Police's official Twitter account at about 7.30pm read: "Dubai Police is spying on you, Isn't it fair that we the people do the same back"
Sochi security forbids journalists to use private Wi-Fi (Help Net Security) The Winter Olympics in Sochi are under way, and we have already written about the cyber risks awaiting visitors and viewers. But what about the ones awaiting the visiting media representatives? Yahoo! Sports' reporter Charles Robinson shared a few interesting tweets last week
Hackers break into networks of 3 big medical device makers (San Francisco Chronicle) Hackers have penetrated the computer networks of the country's top medical device makers, The Chronicle has learned
Whistle-blower blows whistle on Barclays Bank (InfoSecurity Magazine) A Snowden-style finance whistleblower, who seems to have grown a conscience, has blown the whistle on Barclays bank for the loss and subsequent mis-use of 27,000 files of detailed personal data on customers and potential customers. Those files reached the hands of rogue traders known as 'spank shops'
Researchers discover new point-of-sale malware, JackPOS (SC Magazine) Researchers with cyber intelligence company IntelCrawler have discovered a new point-of-sale (POS) malware known as JackPOS, which is said to have code similar to the RAM-scraping POS malware known as Alina
Disagreement on Target Breach Cause (GovInfoSecurity) Security experts are debating how the breach of Fazio Mechanical Services Inc., a refrigeration vendor that serves Target Corp., may have played a role in the retailer's point-of-sale malware attack (see Target Vendor Acknowledges Breach). The Target attack late last year exposed some 40 million credit and debit cards and personally identifiable information about 70 million consumers
HVAC Integrator's 'Billing' Connection Led to Target Breach (Threatpost) The HVAC contractor linked to the Target breach says the only data connection between the two companies was a billing system. ICS experts, meanwhile, decry the security of bridges between IT and facilities systems
Shift to EMV cards expected to increase online fraud (CSO Salted Hash) Change to chip-and-pin cards may reduce in-store fraud, but increase problems online, say experts
Hotel data breach went undiscovered for nine months (CNBC) White Lodging Services, the company that manages hotels in eight states victimized by a customer data breach, said in a statement Thursday it first learned of the nine-month malware attack on Jan. 16, more than two weeks before the news was made public
Mass domain hijack leaves Reg reader angry with 123-Reg (The Register) 'I had to sort everything by myself' alleges irate chap
Darkleech + Bitly.com = Insightful Statistics (Sucuri Blog) This post is about how hackers abuse popular web services and how this helps security researchers obtain interesting statistics about malware attacks
Cryptolocker scrambles US law firm's entire cache of legal files (ComputerWorld) Trojan looked like voicemail attachment
LINKUP—First ransomware Trojan that modifies DNS settings to mine Bitcoins forcefully (Hacker News) Till now we all have heard about the ransomware malware that encrypts your files or lock down your computer and ask for a random amount to be paid in a specified duration of time to unlock it. Emsisoft has detected a new piece of malware called "Linkup", dubbed as "Trojan-Ransom.Win32.Linkup" that doesn't lock your computer or encrypt files; rather it blocks your Internet access by modifying the DNS settings, with the ability to turn your computer into a Bitcoin mining robot
Linkup ransomware blocks internet access, mines Bitcoins (SC Magazine) The malware analysis team at Emsisoft has uncovered ransomware, called Linkup, that commandeers DNS servers that computers use to connect to the internet and can then mine for Bitcoins
Facebook bug prevents revocation of app permissions (Help Net Security) Developers working for privacy software vendor MyPermissions claim to have discovered a critical vulnerability in Facebook's code. The flaw can be exploited to make it impossible for users to revoke
Bogus Facebook "Look Back" video pages spread malware (Help Net Security) If you are a regular Facebook user, chances are good that you have already watched a couple of "Look Back" videos compiled by your friends. Maybe you have even considered making one yourself and sharing
Many Apache websites running old, vulnerable software (ZDNet) According to Netcraft, which surveys publicly-accessible web servers, millions of websites still appear to be using vulnerable versions of Apache, including versions which are no longer supported
Anatomy of a poisoned image: colour-coded JavaScript! (Naked Security) You may have read recently about a newly-discovered attack that involves injecting code into your browser using poisoned image files
Warning: Sham "My Army Benefits" Site Could Steal Your Credentials (Nextgov) Military investigators are alerting members of the Army about an unofficial benefits site that purports to offer users unclaimed benefits and then bags their credentials
Revealed: the personal data for sale on your old phone (4News) Exclusive: Two of the UK's largest pawn brokers are selling second-hand phones which still contain texts, photos, bank details and more, from their previous owners, Channel 4 News can reveal
This iPhone-Sized Device Can Hack A Car, Researchers Plan To Demonstrate (Forbes) Auto makers have long downplayed the threat of hacker attacks on their cars and trucks, arguing that their vehicles' increasingly-networked systems are protected from rogue wireless intrusion. Now two researchers plan to show that a few minutes alone with a car and a tiny, cheap device can give digital saboteurs all the wireless control they need
Study: Pentagon fuel supply at risk of hack (FCW) The Pentagon should take a page from the Department of Homeland Security's cyber defense playbook for energy infrastructure to guard against electronic assault on its fuel supply chain, according to a new study
Bank of America Customers Targeted in Massive Bredo Malware Distribution Campaign (Softpedia) Security researchers at AppRiver have spotted an interesting malware distribution campaign that leverages a massive volume of traffic in an effort to evade filtering engines
Attacking home routers via JavaScript (Security P0wnies) We have recently noticed submissions on Wepawet that try to access local IP addresses. This is of particular interest since the attacker's intention is to tamper with the configuration of the victim's home router
Nielsen Company Acknowledges Data Breach (eSecurity Planet) An undisclosed number of employees' names and Social Security numbers were accidentally exposed
Security Patches, Mitigations, and Software Updates
Microsoft Patch Tuesday — no critical fixes for XP, but that's by fortune, not by design! (Naked Security) Here's a quick run-down of what you'll face in the February 2014 Patch Tuesday update from Microsoft, which comes out tomorrow. There are just five bulletins this month, with two of them critical
Cyber Trends
The changing face of advanced malware detection (TechTarget) In the escalating arms race against advanced malware, many organizations require defenses to protect enterprise networks in real time that go beyond desktop endpoint virus scanners and network-based intrusion prevention products
The Internet is broken—act accordingly. (Threatpost) Costin Raiu is a cautious man. He measures his words carefully and says exactly what he means, and is not given to hyperbole or exaggeration. Raiu is the driving force behind much of the intricate research into APTs and targeted attacks that Kaspersky Lab's Global Research and Analysis Team has been doing for the last few years, and he has first-hand knowledge of the depth and breadth of the tactics that top-tier attackers are using
It turns out people are better at protecting their privacy than companies would like (Quartz) The struggle between Facebook, Google and their users has led to an unexpected result, contends a new book on privacy: Every time social networks force openness on their users, people become much more guarded in what they share, leading internet giants to push for yet more openness
What is mobile malware? Mobile ad networks muddy the answer (TechTarget) What is mobile malware? The question may seem straightforward, but a new report sheds light on a growing debate among mobile security experts over how broadly to define malicious activity on mobile devices
Shall We Play a Game? (SecurityWeek) I've been driving critical infrastructure cyber security for over a decade now, and I rarely frame the risks in terms of cyber warfare, cyber terror, and similar terms. That's because, as a technologist, I tend to focus on the Critical System Infrastructure (industrial networks, process control, etc.) rather than the Critical National Infrastructure (industries and services such as energy, agriculture, and transportation) that these systems support. To me, "cyber war" always seemed something rooted in cold-war era Hollywood movies, where "the only winning move is not to play"
Participating in the Eternal Cycle of Cybersecurity (Lenny Zeltser on Information Security) When engaged in a fight, it's natural to ask yourself whether you are winning or losing. However, in the context of cybersecurity, this question might not make sense, because it presupposes that the state of winning exists
Mobility is the weakest security link (Help Net Security) Surveying more than 750 security decision makers and practitioners, a CyberEdge Group report found that more than 60 percent had been breached in 2013 with a quarter of all participants citing a lack
Trends in web application security (Help Net Security) Despite web application vendors being more responsive and releasing security patches much faster than in 2012, new research revealed that it is still taking an average of over two weeks for critical
Secret video and audio recordings a legal minefield for employers (CSO Salted Hash) Thanks to smartphones and wearable technology such as Google Glass recording illegal or inappropriate conversations and behavior in the office couldn't be easier. If your company has a BYOD policy this could spell disaster
Gauging 'Internet of Things' Risk: U.S. Top Spymaster Voices Concern About Securing 'Things' (Info Risk Today) The term "Internet of Things" has been around for a half decade or so, although "things" connected to the Internet are as old as the network of networks itself. But in the past few months, the Internet of Things has gained more attention, and the cybersecurity and privacy implications are only beginning to be addressed in many quarters
Tech innovation vs. the surveillance state: How it's playing out in Washington (Tech Republic) Alex Howard recaps the key takeaways from three recent tech events held in Washington, D.C., and contends that data and IT innovations shouldn't be at the expense of U.S. citizens' freedoms
Maintaining PCI Compliance is a Big Challenge for Most Companies (CIO) A majority of companies that achieve annual compliance with the Payment Card Industry Data Security Standard fail to then maintain that status, leaving them vulnerable to breaches
Marketplace
Watchdog reviews Wall St. firms' efforts to curb cyber attacks (Reuters via the Chicago Tribune) Wall Street's Financial Industry Regulatory Authority is looking at the measures that brokerages are taking to protect their businesses and customers against cyber security threats, the industry-funded regulator said
A hearty welcome to all Cyberoamers! (Naked Security) Today, Sophos announced that it has acquired Cyberoam, a fellow player in the network security market. So we'd like to send out a big "Hello" and say, "Welcome to Sophos, all Cyberoamers"
Tim Cook says Google wasn't committed to Motorola (The Verge) In a new interview with The Wall Street Journal, Apple CEO Tim Cook was asked for his thoughts on Google's pending sale of Motorola to Lenovo. "I wasn't surprised," Cook said, calling the deal "a logical transaction." Cook pointed out that Motorola was a financial disaster for Google — a point many others have raised as reason enough for a sale. But Apple's chief executive also took a shot at Mountain View, describing Motorola as something that Google wasn't "committed to"
Alcatel-Lucent In Talks To Sell Enterprise Business (CRN) Alcatel-Lucent this week said it's in talks with Chinese investment firm China Huaxin to sell its enterprise business, confirming years of speculation that the French telecom and networking company is seriously weighing a sale of its commercial unit
Deutsche Telekom continues push in central Europe by buying its own Czech subsidiary (ZDNet) The German telco is building out its central European portfolio, amid speculation further buyouts are on the way
Sprint reportedly second-guessing T-Mobile deal (C/Net) After facing an intense level of opposition from regulators, Sprint's leadership is taking a look at whether a deal makes sense
Thales Starts Cybersecurity, Info Systems Business Line; Richard Moulds on Securing Enterprise & Cloud Data (GovConWire) Thales Group has established a new business line within its secure communications and information systems global unit to offer cybersecurity products to customers in the critical infrastructure, research and financial services industries
Kaspersky Lab Fires Up Partners, Anticipates Double-Digit Growth in 2014 (CRN) Kaspersky Lab executives told partners that the security vendor is experiencing great gains in 2014, fueled in part by interest in mobile security and the firm's client management capabilities
BAE Systems thunders into cyber battlefields (Mail Online) Barely a day goes by without cyber-attacks hitting the headlines. Whether personal financial information is stolen by hackers, tech geeks infiltrate government systems or denial of service attacks hit cash machines, information security is a major worry
Is We Energies prepared for a cyber-attack? Analyst asks (Milwaukee Business Journal) Is the parent company of We Energies prepared if a cyber-attack would hit its power distribution system? The threat of cyber-attacks has the attention of Wisconsin Energy Corp
Snowden Scandal Leading to Seismic Change in Global IT Industry (Business Korea) Edward Snowden, who exposed the indiscriminate information gathering by the National Security Agency (NSA) of the United States, employed a cheap and easily-available program to get access to the confidential information of the NSA
Cyveillance Appoints New Vice Presidents To Management Team (Sacramento Bee) Strategic hires include VP of Human Resources Joan Schwartz and VP of Sales Doug Dangremond
Products, Services, and Solutions
New Metasploit Payload Improves Clipboard Monitoring (CSO) The Metasploit Framework has added a crafty new feature to Meterpreter, Metasploit's custom exploit payload, which improves clipboard monitoring
Android antivirus gets stronger in latest round of testing (ITProPortal) Every few months, AV-Test releases the results of their Android malware protection testing. In this round of testing, the independent German lab pitted Android security apps against thousands of malware samples. The results? More good news for Android
Procera Networks service plan assurance enables quality, transparency (MENAFN) Procera Networks, Inc. PKT said it has announced its "Service Plan Assurance," the industry's first service plan quality and transparency solution
Mobile security based on heartbeat to be used by Bitcoin (Mobile Commerce News) Bitcoin has already changed the way companies, businesses, and governments think of currency, and now it's working on altering the way that mobile security verifies identities, through the use of a wearable biometrics through the use of a user's heartbeat
Mt. Gox blames account freeze on Bitcoin-wide vulnerability (The Verge) Bitcoin exchange Mt Gox first halted withdrawals two days ago, spurring a selling panic and furious speculation
Kaspersky Lab Unveils Certified Service Provider Program, Support Packages (CRN) Kaspersky Lab unveiled a Certified Service Provider Program, enabling partners that meet the minimum training requirements to sell the same professional services offered by Kaspersky Lab systems engineers
LinkedIn shutting down its controversial Intro service. Good news for those who care about privacy (Graham Cluley) When LinkedIn introduced a new service called Intro in October last year, I made my opinion pretty clear: "No thanks. My email security is too important"
Wickr Is The Messaging App You'll Turn To If Snapchat Screws Up Again (Business Insider Australia) Nico Sell is an entrepreneur and privacy advocate who co-founded Wickr, an app for sending and receiving self-destructing messages. If the description stopped there, you'd probably decry it as a Snapchat knockoff. It's just not. The comparison is laughable
Blackboard mobile app not among those with data harvested from NSA (CM Life) Mobile applications — including games and those used for navigation — have been targets of personal data collection by National Security Agency
DISA Rolls Out Version One of Unclassified Mobility Capability (SIGNAL) The Defense Information Systems Agency (DISA) has deployed the initial version of its unclassified mobility capability, which will provide military and civilian Defense Department personnel with access to a wide selection of mobile devices, applications and services
MobilityShield Reveals New Solution for Secure Mobile SharePoint Connectivity (Street Insider) SharePointShield enables users to safely use Microsoft SharePoint on mobile devices outside the organization to prevent Active Directory credentials theft and block DoS, DDoS and brute-force attacks
Pwn Pad 2014 Community Edition Now Available (PwnExpress) Yes, it's true! You've all (mostly) been waiting patiently and now the Pwn Pad 2014 community edition is available for download
Technologies, Techniques, and Standards
How CFOs Can Face The Threat Of Cyber Crime (Forbes) Cyber threats are a serious problem for businesses, and boards, investors and finance executives are sitting up and taking notice
Data Breach Notifications: Time For Tough Love (InformationWeek) Target and Neiman Marcus came clean quickly about their data breaches, but most businesses don't. It's time for standards — and fines
Behind the Scenes: Trapping Russian Hackers (NBC News) NBC News' Richard Engel creates a "honeypot" to test the likelihood of getting hacked while traveling in Russia
Details Behind the NBC Honeypots: Part 2 (Trend Micro Simply Security) Recently, I was asked by NBC to participate in an experiment to deploy honeypots in Moscow, Russia, to see how fast they would be compromised. Taking a few steps from my previous blog, this post is intended to clarify some items; in addition an accompanying white paper will discuss the technical details behind the incidents that occurred
NBC News takes heat over Sochi phone hacking report (Fox News) Despite claims by security experts that its story was "misleading" and "fraudulent," NBC News on Friday defended its report that electronics taken to the Winter Olympics in Sochi can be instantly hacked — telling FoxNews.com its story was designed to show in general how easily a non-expert can fall victim
Fixing the math in the wake of Snowden's NSA surveillance reveal (TechTarget) One of the responses to early salvos of former NSA contractor Edward Snowden's surveillance releases was "trust the math." That's how security veteran Bruce Schneier put it in a posting to his blog site. Snowden himself, when answering reader questions on the Guardian website, said, "Encryption works. Properly implemented strong cryptosystems are one of the few things that you can rely on"
Sophisticated phishing: How to stay safe and save money (TechTarget) In this webcast, Johannes B. Ullrich, dean of research for the SANS Technology Institute, focuses on spear phishing and the automated clearing house fraud and demonstrates new ways attackers can swipe millions of dollars without using malware
Mandiant Highlighter 2 (Internet Storm Center) In a previous diary I discussed the basic usage of Mandiant Highlighter. In this diary I will discuss some other features
Design and Innovation
Some Mobile Apps Add Anonymity to Social Networking (MIT Technology Review) Social-networking apps that eschew real names are gaining ground
Academia
Computer Data Security Competition (WHO TV13) Ever since cyber crooks stole massive amounts of customers' private data from Target, people have become increasingly concerned about their confidential information. The National Cyber Defense competition in Ames hoped to teach students ways to protect others
Lockheed Martin Cyber Security Classes at Montgomery College Start Feb. 11, 2014! (eBiz Alert) For the first time, Montgomery College and industry giant Lockheed Martin join together to meet the nation's growing demand for cyber security professionals. Register now to benefit from this exciting partnership where you will learn from the industry's leading experts in secure software development
Shunned as NSA Advisers, Academics Question Their Ties to the Agency (Chronicle of Higher Education) Philip Hanlon, a mathematician who is president of Dartmouth College, served on the advisory board of the National Security Agency, where he says
Legislation, Policy, and Regulation
Sochi Threat: Russia-U.S. Need to Cooperate on Cyber Terror (The Diplomat) Threats by Caucasus Anonymous should encourage the two countries to work together
EU discovers that privacy laws can be abused. By someone other than the EU. (Volokh Conspiracy) You've got to hand it to the Turks. Just when it seemed that the European Union would never see the danger (as opposed to the opportunity) of abusive privacy laws, the Turkish Parliament adopted one that caused even the EU to choke. According to the Wall Street Journal, the law is a prime candidate for
France to invest 1 billion euros to update cyber defences (OODA Loop) France unveiled plans on Friday to bolster long-neglected defences against cyber attacks, with 1 billion euros ($1.36 billion) of investment foreseen to bring the country's technology up to speed with NATO partners
Italy plans crackdown on internet hate (The Local (Italian edition)) Politicians from the Democratic Party (PD) will this week propose a new law to tackle internet hate speech, following high-profile attacks against leading politician Laura Boldrini
RFI — Telephony Metadata Collection Program (IC on the Record) In his remarks on January 17, 2014, President Obama announced a number of actions with regards to certain intelligence activities, including the bulk collection of telephony metadata under Section 215. As part of this effort, the President directed the development of "options for a new approach that can match the capabilities and fill the gaps that the Section 215 program was designed to address without the government holding this metadata". Consistent with this direction, the Office of the Director of National Intelligence is seeking information about whether existing commercially available capabilities can provide for a new approach to the government's telephony metadata bulk collection program under Section 215 of the USA Patriot Act, without the government holding the metadata
NSA claims its phone spying program collects only 20% of U.S. calls (VentureBeat) U.S. officials are now claiming that the National Security Agency's highly controversial phone spying program isn't nearly as intrusive as originally reported
What Key NSA Overseers Don't Know About the Phone Dragnet (The Atlantic) Was a widely held belief about the surveillance state bunk all along? Is the National Security Agency collecting and storing data on fewer telephone calls than we thought? So say reports in the Wall Street Journal, Washington Post, and New York Times. "Although intelligence officials have indicated since last summer that the National Security Agency was vacuuming up nearly every American telephone record for counter-terrorism investigations," the L.A. Times reports in its version, "officials acknowledged Friday that the spy agency collects data from less than a third of U.S. calls because it can't keep pace with cellphone usage"
Insiders: The Value of Snowden's Disclosures Was Not Worth National Security Damage (National Journal) Experts' views appear to contrast with those of American public
'The Day We Fight Back' movement takes stand against gov't mass surveillance (FierceBigData) It's no secret that NSA and other government agencies at home and abroad are not met with public cheers. There's a movement afoot this week to take a more organized approach to pushing back against such surveillance. It's called "The Day We Fight Back" and that day is February 11th. So far "dozens of major websites and organizations" are taking part, according to the movement's email to me and its webpage. Participants include an odd set of bedfellows ranging from EFF, ACLU, Reddit and GreenPeace to DailyKos (from the political left) and the Koch Brothers' group Freedom Works (from the political right). Here's what's going on
Rep. Peter King: Security Reforms At The NSA Will Prevent Future Snowdens (TechCrunch) Following a stinging report in the New York Times explaining how Edward Snowden was able to collect his trove of top-secret government documents, Rep. Peter King (R-N.Y) this morning took to the Sunday show Face The Nation to make the following claim (full transcript): "A lot that have has been changed; there is monitoring now of what goes on. Snowden would not be able to do it again in the
What do government security pros think? (Help Net Security) Tripwire and the Government Technology Research Alliance (GTRA) announced the results of a U.S. government cybersecurity survey that evaluated the attitudes and responses of 111 security and compliance professionals from U.S. government agencies and contractors
Cyber bill denies DHS new authority (Federal Times) The Department of Homeland Security would not be able to receive any new cybersecurity authority under legislation passed unanimously Feb. 4 by the House Homeland Security Committee
New DHS secretary cites 'good progress' on cybersecurity, plans for industry outreach (Inside CyberSecurity) The Obama administration is making "good progress" implementing presidential guidance on cybersecurity for critical infrastructure and plans to engage further with industry to improve collaboration between the public and private sectors, Department of Homeland Security Secretary Jeh Johnson said Friday
It's High Time America Redefines 'Homeland Security' (Slate) As Congress sets its agenda for hearings and legislation relating to homeland security, we can anticipate some of the issues it will address. Expect discussion about whether al-Qaida is on the run or on the rebound, new legislative initiatives on how to deal with the continuing threat in cyberspace, beefing up security on the border, and the National Security Agency's collection of metadata, to name just a few. These should be matters of great public interest, and they are. According to recent public opinion polls, 75 percent of Americans see terrorist attacks in the United States as a continuing threat, although they are close to evenly divided on whether the government can do more to stop them. But as legislators work their way through these matters, here are some fundamental issues of threat, risk, public expectation, and the protection of liberty and privacy that merit debate
California Kill Switch Bill Targets Phone Thieves (InformationWeek) California bill directs mobile hardware makers to include a way to disable stolen communications devices. Will privacy concerns be addressed
Litigation, Investigation, and Law Enforcement
Secret court approves Obama's small tweaks to phone metadata collection (Ars Technica) Foreign Intelligence Surveillance Court ruling to be published soon
Media sometimes try, fail to keep NSA's secrets (AP via the Washington Post) News organizations publishing leaked National Security Agency documents have inadvertently disclosed the names of at least six intelligence workers and other government secrets they never intended to give away, an Associated Press review has found
Edward Snowden made use of simple software: Bested NSA with low-cost tools (New York Times via the Boston Globe) Intelligence officials investigating how Edward J. Snowden gained access to roughly 1.7 million of the country's most highly classified documents say they have determined that he used inexpensive and widely available software to "scrape" the National Security Agency's networks, and he kept at it even after he was briefly challenged by agency officials
Snowden accused of using hacking's greatest weapon to access NSA files: wget (CSO) Exfiltrated data said to be using previously unknown port 80. Experts remain amused by media hype. Classify this one as FUD
Glenn Greenwald Will Basically Dare American Authorities to Arrest Him (The Wire) Following several months of insinuation that he is a criminal or an accomplice to a crime, journalist Glenn Greenwald told Salon's Brian Beutler that he plans to return to the United States, essentially on a dare. "I'm going to go back to the U.S. for many reasons, but just the f—king principle is enough," Greenwald said. "On principle I'm going to force the issue"
FTC Approves Final Order Settling Charges Against TRENDnet, Inc. (Federal Trade Commission) Following a public comment period, the Federal Trade Commission has approved a final order settling charges that electronics company TRENDnet, Inc.'s lax security practices led to the exposure of the private lives of hundreds of consumers on the internet for public viewing
Google forced to show privacy fail message on homepage (ZDNet) A French judge has refused to suspend an order obliging Google to publish a notice saying it had been fined for breaches of the French data protection act
Alleged Silk Road Kingpin Pleads Not Guilty, Says Hi to His Mom (The Daily Beast) 29-year-old Ross Ulbricht, who stands accused of running an expansive online underground drug market, appeared in federal court — while his family struggled to keep their composure
UK woman jailed for trolling herself, trying to pin it on family (Naked Security) Michelle Chapman, thought to be the first person in the UK to have been prosecuted for such a crime, confessed to taking out fake profiles in family members' names and sending herself hundreds of abusive messages, often of a "very unpleasant sexual nature"
Testimony opens in Dallas cyber attack case (Luzerne County Citizens' Voice) A hearing was held Thursday in the Luzerne County Courthouse to determine whether a Dallas High School sophomore should be suspended for allegedly launching a cyber attack that nearly crashed the school district's web server
Source: Defense Minister failed to act on reports of election interference (The Hankyoreh) Lawmaker calling for appointment of special prosecutor to handle case of Cyber Command's alleged interference in 2012 elections
French journalist "hacks" govt by inputting correct URL, later fined $4,000+ (Ars Technica) A Google search turned up public files that Olivier Laurelli is accused of publishing
Home Depot Employees Arrested for Insider Breach (eSecurity Planet) As many as 20,000 employees' personal information may have been exposed
St. Louis Man Fined $110,000 for Participating in DDoS Attack (eSecurity Planet) Christopher Michael Sudlik was also sentenced to 36 months of probation and 60 hours of community service
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
National Collegiate Defense Cyber Competition. Registration for the 2014 CCDC season is underway! Visit your region's website or contact your regional for registration and competition information.
Security Analyst Summit 2014 (Punta Cana, Dominican Republic, Feb 9 - 13, 2014) The Kaspersky Security Analyst Summit (SAS) is an annual event connecting anti-malware researchers and developers, global law enforcement agencies and CERTs and members of the security research community. The goal is to learn, debate, share and showcase cutting-edge research, new technologies and discuss ways to improve collaboration in the fight against cyber-crime.
The Insider Threat: Protecting Data and Managing Risk (Online, Feb 11, 2014) As recent events have demonstrated, the threats from inside government have the potential to be more harmful than the hacking activities of our enemies. Protecting sensitive government information from unauthorized disclosures by insiders, whether intentional or due to negligence, is becoming a huge priority across the board. No matter how sophisticated your training program is, some employees will intentionally or unintentionally commit the negligent discharge of classified information.
NovaSEC! Pre-RSA Rally. This unique forum allows participants to meet, interact on key issues and provide a unified forum to network with like-minded individuals and creates an opportunity to cultivate a strong and integrated community that demonstrates the Northern Virginia region's size, scope and impact on the Country's cyber landscape. This particular event will take place one week before the annual RSA Conference in San Francisco. We view this as an opportunity for security professionals to network and discuss current security topics that will be highlighted at the RSA Conference. Plenty to talk about in 2014 for sure! So whether you are going to RSA or not this is the place to connect socially with your peers.
FBI HQ Cloud Computing Vendor Day. As part of its FAR mandated market research efforts and in order to keep FBI employees informed of new products, technologies and services available in the industry, ITED has been tasked with organizing four 'Vendor Days' a year focusing on technology that can enhance current IT capabilities. These market research events will enhance exposure for all Department of Justice (DOJ)/Federal Bureau of Investigation (FBI) employees to new products and services and to have an opportunity to interact directly with the industry. Vendor days are for demo purposes only and are designed to facilitate FBI market research efforts. Attending vendors shall make all inquiries concerning pending or future FBI requirements to the cognizant FBI contracting officer.
New FFIEC Guidelines on Social Media: 3 Things You Need to Know. We'll take an in-depth look at the new Federal Financial Institutions Examination Council (FFIEC) guidelines on social media and consumer compliance risk, and how they may impact your organization. We'll break down nearly 20 pages of dense government material, distilling the key topics for legal, compliance, risk and finance professionals.
Free OWASP Training and Meet Up (San Francisco, California, USA, Feb 24, 2014) OWASP is hosting a special security boot camp for all conference-goers: RSA Conference, Bsides SF, and TrustyCon as well as local developers. The training is recommended for developers who want to learn more about securing their code as well as security professionals who want to become acquainted with the latest web vulnerabilities.
RSA Conference USA (San Francisco, California, USA, Feb 24 - 28, 2014) Hundreds of game-changing interactions will give you an unparalleled diversity of industry insight and information based on best practices, real implementation stories, and detailed case studies. Each year, educational sessions feature new and returning educational tracks you won't find anywhere else.
Nellis AFB Technology & Cyber Security Expo. For over 12 years, the Armed Forces Communications & Electronics Association (AFCEA) - Las Vegas Chapter and FBC have been co-hosting the Annual Information Technology Expo at Nellis AFB. As was the case last year, the 2014 event will once again have a Cyber Security theme. This is an excellent opportunity for any technology or cyber company to meet with the personnel at Nellis AFB, as well as the local AFCEA members.
Cloud Expo Europe. Cloud Expo Europe covers everything from hybrid cloud to software defined networks and data centres, from open source cloud to IaaS, from security and governance to cloud applications and from complex hosting to development platforms.
Suits and Spooks Security Town Hall. Privacy versus Security: An Informed Debate and Discussion to Raise Industry Awareness. Taia Global and our sponsoring companies are hosting our first Suits and Spooks Security Town Hall at the Ritz Carlton San Francisco on February 27, 2014 (7pm-10pm). We are condensing the Suits and Spooks two-day "collision" model into a 3-hour debate and discussion format to help raise awareness about the complexities involved in balancing security objectives with our privacy rights.
Trustworthy Technology Conference. Join us for the first Trustworthy Technology Conference, to be held on 27 February 2014 at the AMC Metreon Theatre in San Francisco, California. We welcome all security researchers, practitioners and citizens who are interested in discussing the technical, legal and ethical underpinnings of a stronger social contract between users and technology.
Creech AFB Technology & Cyber Security Expo. The Armed Forces Communications & Electronics Association (AFCEA) - Las Vegas Chapter, with support from the 432d Wing, will host a Cyber Security Awareness Day & Technology Expo at Creech AFB. This is an excellent opportunity for technology, cyber and tactical technology companies to meet with remote personnel at Creech AFB. At the 1st Annual event held in February 2013 over 100 Creech AFB personnel attended this event. Some of their job descriptions included: Commander, Flight Chief, Communications Officer in Charge, IT Lead, Systems Admin, Wing Training, Information Assurance Officer, Knowledge Management, Section Chief, Avionics, Physical Security, Project Manager, Director and more.