San Francisco: the latest from RSA 2014
A walk through the RSA Conference 2014 expo, part 3 (Help Net Security) The conference is slowly winding down, but companies are still here and actively sharing their vision of security to the dedicated infosec pros. Here's another look at the show floor
RSA Cybersecurity Conference Sees Record Attendance (Top Tech News) The large hall of Moscone Center in San Francisco, site of the RSA Conference 2014 this week, was filled with vendors hawking new technologies to thwart malware makers, hackers, identity thieves and other online miscreants. Automated threat warning and incident response were big themes this year
Podcast: RSA Wrap-Up — Day 2 (Threatpost) Dennis Fisher and Mike Mimoso run down the news from day two of the RSA Conference, including the new FBI director's speech and preview Trusty Con
[TrustyCon] RSA rebel conference TrustyCon sells out despite 'dirty tricks' (The Register) Raises $20,000 for EFF, and support for some in security industry
[TrustyCon] EMC, RSA, NSA, @TrustyCon, and "dirty tricks" (ComputerWorld) The RSA (NYSE:EMC) Conference was boycotted yesterday by TrustyCon attendees. A range of speakers criticized the company's alleged cosy links with the NSA, arguing that the industry badly needs a huge dose of trustworthiness
[TrustyCon] Lavabit Case May Be One of Many in Coming Years (Threatpost) The Lavabit case, which saw the secure email provider's owner shut the company down after being forced to hand over to the government the encryption key that protected his users' data, may seem like an extreme reaction to a unique situation. But experts say it's likely that there will be similar situations in the near future, and technology providers and users should change the way they think about what the threats to their data may be
[TrustyCon] Fixing Trust Through Certificate Transparency (Threatpost) The security of data being transmitted over the Web relies on a large number of moving parts, from the integrity of the machine sending the data, to the security of the browser, to the implementation of encryption, to the fragility of the certificate authority system. Experts have been spending the best part of the last decade trying to address many of these issues, but there are still a number of hard problems to solve
[TrustyCon] Are Automated Update Services the Next Surveillance Frontier? (Threatpost) As more Web-based services are encrypted, privacy advocates are concerned the next wave of aggressive surveillance activity could target automated update services that essentially provide Internet companies root access to machines
Surveillance allegations leave cyber security industry divided (Financial Times) The cyber security industry's annual conference was split in two this week after RSA was accused of co-operating with the US National Security Agency's mass surveillance programme
NSA Too Focused On Perimeter Defense, Clarke Says (InformationWeek) The Former White House cybersecurity adviser says the NSA's focus on perimeter security made it vulnerable to insider Edward Snowden
Hackers get better, while IT security falls further behind, says Verizon (FierceITSecurity) Hackers are getting better at what they do while the security community is not keeping up, according to preliminary results from the Verizon 2014 Data Breach Investigation Report released this week at the RSA Conference
RSA: Enterprise Security's Sucker Punch (eSecurity Planet) Addressing RSA attendees, IDC analysts detail outlook for the current and future IT security landscape. At IDC's annual analyst breakfast meeting at the RSA conference here, analysts discussed the mindset of IT executives toward security, which one analyst described as "My Eyes Glaze Over"
CISOs who fail to plan for breaches before they occur might need to look for another career, says panel (FierceITSecurity) Chief information security officers who fail to plan for data breaches and other security incidents before they occur will not be CISOs for long. That was the conclusion of a panel of CISOs and other IT security experts at the RSA Conference being held here this week
Cloud security concerns are overblown, experts say (Computer World) RSA panel compares enterprise fears of cloud security to early, now eased, concerns about virtualization technology
44% of companies don't have a cloud app policy in place (Help Net Security) After interviewing 120 RSA Conference attendees, Netskope announced the results of the survey on information security professionals' use of cloud apps
IBM Software Vulnerabilities Spiked In 2013 (InformationWeek) Most code flaws still involve non-Microsoft products, and overall patching speed has improved, study presented at RSA conference finds
Stealthy attacks multiply and victims turn to spooks-as-a-service (IT World) As the list of victims of sophisticated cyber attacks expands, so does the need for high-priced talent to help investigate and recover from those attacks. The latest solution: hosted services offering access to cyber intelligence and incident response to customers who lack it
Big Data A Big Focus Of Security Analytics Products (Dark Reading) At the RSA Conference this week, vendors pitched the importance of properly leveraging big data to improve security
Smartphone app for RSA security conference puts users at risk, researchers say (Ars Technica) The firm said to put an NSA-developed backdoor into its code has more problems
Security firm discloses Apple iOS "malicious profile" vulnerability impact on MDM (CSO) At the RSA Conference today, security start-up Skycure plans to disclose a vulnerability in Apple iOS devices that can impact mobile-device management (MDM) systems running on them
DB Networks Wins Multiple 2014 Info Security Products Guide Global Excellence Awards and Grand Trophy for Contributions to IT Security (Broadway World) DB Networks, an innovator of behavioral analysis in database security, today announced that Info Security Products Guide, the industry's leading information security research and advisory guide, has named the DB Networks IDS-6300 as a winner of the 2014 Global Excellence Awards in the following five awards categories
OPSWAT Releases GEARS for Advanced Threat Detection and Endpoint Compliance (Digital Journal) OPSWAT today announced the official release of GEARS, a cloud-based solution that provides IT and security professionals with advanced threat detection and compliance enforcement for both remote users and managed devices
Intelligent Cybersecurity for the Real World (Cisco Blogs) Security trends and innovation are in the spotlight this week at the annual RSA Conference in San Francisco. With the rapidly expanding attack surface and increasingly sophisticated attackers, the event is a must for insights on how the industry can meet this pace of change, evolve and defend against advanced threats. Solving our customers' toughest security challenges is our number one priority…For starters, we're delivering new product innovation by adding Advanced Malware Protection (AMP) to our Web and Email Security Appliances and Cloud Web Security. We are calling this "AMP Everywhere"
Encryption key management system gains award at RSA (Pro Security Zone) Thales KeyAuthority gains InfoSecurity product accolade as the best encryption product as part of global excellence awards
Webroot delivers APT protection for enterprises (Help Net Security) Webroot announced the release of BrightCloud Security Services and BreachLogic Endpoint Agent, two cloud-based security offerings designed to help enterprises address the explosive growth and increasing sophistication of online threats, particularly targeted attacks such as "spearphishing" and advanced persistent threats (APTs)
Android, iOS solution reveals data-leaking apps (Help Net Security) Your mobile device knows everything about you. But how well do you know your mobile device? Beginning today, savvy consumers can truly take control of their personal information on their devices — by installing viaProtect from viaForensics
TraceSecurity Enhances TraceCSO To Simplify IT GRC Management (Dark Reading) Customers will see improvements in key features, new functionality, and other enhanced performance metrics
Cyber Attacks, Threats, and Vulnerabilities
Anonymous Declares Cyberwar on Countries Found Disturbing Peace in Ukraine (HackRead) The online hacktivist collective Anonymous has released a video message in which it declares cyberwar on countries and organizations posing a threat to the freedom and independence of Ukraine. The operation has been named "Operation Ukraine" (#OpIndependence). A 4:37 minute video message highlights several aspects of the Ukrainian crisis, such as international interference and a divided mindset
CryptoLocker Now Comes In The Mail (SecurityWatch) Earlier this month Brian and I both wrote about ransomware and the threat it poses to both business and individual computer users. Now, if further evidence is needed of how the problem continues to grow, it appears that there is a large run of CryptoLockered-emails appearing, purporting to have come from Royal Mail
Two in five Brits cough up for CryptoLocker ransomware's demands (The Register) Cowed victims hand over thousands rather than install basic security measures
Fake "Payment Certificate" Notifications Used to Deliver Cross-Platform RAT (Softpedia) Experts warn that individuals in the United Kingdom and the United Arab Emirates are being targeted in a spam campaign that's designed to distribute the Java remote access Trojan (RAT) dubbed JRAT
Notorious "Gameover" malware gets itself a kernel-mode rootkit… (Naked Security) Zeus, also known as Zbot, is a malware family that we have written about many times on Naked Security. We've covered it as plain old Zbot. We've covered the Citadel variant, which appeared when the original Zbot code was leaked online. We've even written about the time it pretended to be a Microsoft fix for CryptoLocker, a completely different strain of malware. Currently, the most widespread Zbot derivative is the Gameover bot, also known as Zeus P2P because of its use of peer-to-peer network connectivity for command and control
ZeuS Downloader Runs in January, Crashes the Rest of the Year (TrendLabs Security Intelligence Blog) A few weeks ago, we received a rather unusual malicious attachment, which we detect as TROJ_UPATRE.SMAI. This particular attachment, when uncompressed and executed, displays the following error message
Phishing Alert: Hotmail Customers Have Been Upgraded to Outlook.com (Softpedia) Cybercriminals are trying to trick Hotmail users into handing over their credentials with fake emails that purport to come from "The Microsoft account team"
How emails can be used to track your location and how to stop it (Naked Security) A new, free Google Chrome browser extension called Streak lets email senders using Google accounts see when recipients open email
SpyEye and Tilon banking malware have the same author(s) (Help Net Security) When first discovered by Trusteer in 2012, the Tilon banking malware received its name because of some similarities with the Silon banking Trojan
Preying On A Predator (Dark Reading) Mac OS X Snow Leopard is perfectly positioned to be the next target for cybercriminals
Businesses told to lockdown Bitcoin wallets against malware threat (CSO Salted Hash) Malware designed to steal digital currency from Windows PCs has risen with Bitcoin value since beginning of last year, says study
Alaska Communications Acknowledges Data Breach (eSecurity Planet) Current and former employees' names, addresses, birthdates and Social Security numbers may have been accessed
Lost USB Drive Exposes Hong Kong Hospital Patients' Data (eSecurity Planet) The unencrypted drive contained 92 patients' personal information, along with data on drug prescriptions
Security Patches, Mitigations, and Software Updates
About the security content of QuickTime 7.7.5 (Apple Support) This document describes the security content of QuickTime 7.7.5
Cyber Trends
Action is needed as snooping becomes world phenomenon (The National) We are living in a golden age of phone tapping. All over the world, there are headlines about snooping, both legal and illegal, and how to protect yourself from it
Wake-up call over cyber insurance (Professional Security Magazine) Power companies are reportedly being refused insurance for cyber attacks, despite a rise in demand
Why Co-ops Should Take Note of Cyber Framework (ECT.coop) The Obama administration's voluntary framework for cyber security, finalized after significant collaboration with the private sector, should be studied by all electric cooperatives
Hacks on Gas: Energy, Cybersecurity, and U.S. Defense (James A. Baker III Institute for Public Policy, Rice University) Cybersecurity in the energy sector can trace its start to an account (that may or may not be true) about U.S. involvement in a computer-based attack on the energy infrastructure of the Soviet Union during the Cold War. Elements of the incident are described in the memoir of Thomas C. Reed, an official in the administration of President Ronald Reagan and a former National Reconnaissance Office director
Ethical hacking field grows as companies fear hackers (Canadian Press via Global News) John Zabiuk disassembled his parents' TV at age six, taught himself computer programming as a teen and, as a post-secondary student, hacked into his school's system on a lark
America is the prime target of international cyberattacks (Quartz) The United States has been cyberattacked by governments and criminal organizations a lot more than any other country. At least that's the conclusion of a study released this morning of 40,000 online attacks against customers of the cyber-forensics company FireEye
Canadians confident, concerned about cyber attacks: Study (IT World Canada) Leaders of Canadian organizations are more confident than American, British and Australian they can beat back targeted Internet attacks, according to a new survey
Third-party programs responsible for 76% of vulnerabilities in popular software (Help Net Security) Third-party programs are responsible for 76% of the vulnerabilities discovered in the 50 most popular programs in 2013, say the results of Secunia's Vulnerability Review 2014, which is based on a sampling of the company's seven million PSI users
5 Reasons Security Certifications Matter (Dark Reading) There's a lot of buzz around how certs aren't important. I'm calling BS, and here's why
Wanted: A Mahan for Cyberspace (Real Clear Defense) This year marks an important but likely overlooked anniversary — 100 years since the death of Alfred Thayer Mahan. A notable military officer and scholar, Mahan revolutionized military strategy and security policy with his 1890 book The Influence of Sea Power Upon History
Marketplace
Al Kinney: HP to Help DHS Acquire Security Software for Cyber Defense (GovConWire) Hewlett-Packard (NYSE: HPQ) will provide licenses for two application security products to 33 U.S. government civilian organizations under a Department of Homeland Security-run cyber defense program
Carlo Zaffanella: General Dynamics Aims to Centralize TSA Screening Tech (GovConWire) General Dynamics Advanced Information Systems (NYSE: GD) will work with the Transportation Security Administration to integrate security equipment with enterprise services under an $8.2 million task order
Commtouch Completes Name Change To CYREN (Dark Reading) Company adopted new name as part of transformation into provider of cloud-based information security solutions
Mt. Gox loses customers' bitcoins, files for bankruptcy (MarketWatch) Missing bitcoins have market value of $473 million
Leaked: Just before Bitcoin catastrophe, MtGox dreamed of riches (Ars Technica) The exchange site also said it would need "influential lobbyists" going forward
The Future of Bitcoin After the Mt. Gox Incident (SecureList) No doubt it's been a crazy week for anyone even remotely interested in Bitcoin. Mt. Gox, once the largest Bitcoin marketplace out there, has shut down, putting a bitter end to an almost month-long situation in which all withdrawals were halted because of "technical issues"
The Future of Bitcoin Exchanges: Comments From a Mt. Gox Competitor (IEEE Spectrum) Mt. Gox, the Japan-based exchange which until recently handled the majority of trades between Bitcoin and fiat currencies, went offline this Tuesday, hours after the media got its hands on a document (supposedly leaked from within Mt. Gox) that described the company as insolvent and preparing for bankruptcy. Panic quickly spread among traders many of whom are still waiting for reimbursement from the exchange
Pentagon wants contractor to pick propaganda audiences (USA Today) Military officials are moving ahead with a plan to pick potential target audiences for U.S. propaganda and see if the messages work, according to a newly released Pentagon document
Bloomberg clamps down with data-access policies after scandal (CSO) The financial data and news company develops in-house access controls after controversy over journalists seeing client information
Products, Services, and Solutions
KoolSpan and Trustonic Announce Global Partnership; Introduce Secure Voice and Data Solutions Built on TEE Enhanced Smart Devices at Mobile World Congress 2014 (Digital Journal) KoolSpan, Inc. announced today at Mobile World Congress (MWC) in Barcelona, Spain, a strategic partnership to enable KoolSpan's TrustCall® secure voice communication with the Trustonic™-based Trusted Execution Environment (TEE)
Procera Networks and Qwilt Partner to Launch Online Video Delivery and Analytics Solution for Network Operators (CEN) Enables seamless delivery and management of OTT video traffic, improved subscriber GOE and network insights
Jericho Systems Technology Used to Demonstrate Attribute Based Access Control (ABAC) for the Department of Homeland Security (Broadway World) Jericho Systems Corporation, the pioneer in externalized authorization software for enterprise environments, announced that its technology was successfully used to demonstrate dynamic access control and Attribute Based Access Control (ABAC) to members of the Department of Homeland Security (DHS) and U.S. Congressional staffers
M2Mi to Participate in the Software Assurance Program from the Department of Homeland Security (PRWeb) Machine-to-Machine Intelligence (M2Mi) Corporation today announced its intention to further enhance the resilience and security of the M2M Intelligence® platform by utilizing software assurance tools and resources as part of the Software Assurance program hosted by the Department of Homeland Security (DHS)
Enterprise-level UTM for home and small offices (Help Net Security) WatchGuard Technologies announced the WatchGuard Firebox T10 Unified Threat Management (UTM) solution, a network security appliance that allows enterprises to extend powerful network security to small office home office (SOHO) environments
Catbird Partners With Trapezoid (Dark Reading) Combined solution will leverage Trapezoid Marker to meet 24 FISMA controls
Technologies, Techniques, and Standards
Security researchers urge tech companies to explain their cryptographic choices (CSO) Researchers signed an open letter outlining 10 transparency principles for companies to regain user trust following surveillance revelations
After Target: Fighting fraud from the hackers' perspective (CBS News) When a client phones up security incident response management firm Mandiant, senior services consultant Jason Rebholz says, "it's already too late; something's already happened"
Surprise: There's really no need to conceal your email address from spammers (Quartz) A few months ago, I did the unthinkable: I posted my email address on the internet
DDoS and BCP 38 (Internet Storm Center) Quite often on many lists we will hear the term Best Current Practice (BCP) 38 bandied about, along with recommendations to implement it (see the NANOG mailing list archive). Some will say 'it will aid in DDoS mitigation', and others will even state 'All Internet Service Providers (ISPs) should implement this.' Now, before the philosophical discussions ensue in the comments, it might be a good idea to discuss, technically, what it is, and perhaps what it can do
Cybersecurity in the Golden State (Office of the Attorney General, State of California) California is at the center of the digital revolution that is changing the world. Because of work done by companies right here in our home state, we are more connected — and empowered — than ever before. But we are also increasingly vulnerable
OpenID Foundation launches the OpenID Connect Standard (Help Net Security) The OpenID Foundation announced today that its membership has ratified the OpenID Connect standard
Academia
Protecting Student Privacy While Using Online Educational Services: Requirements and Best Practices (Privacy Technical Assistance Center, US Department of Education) The U.S. Department of Education established the Privacy Technical Assistance Center (PTAC) as a "one-stop" resource for education stakeholders to learn about data privacy, confidentiality, and security practices related to student-level longitudinal data systems and other uses of student data
University of Maryland sets concrete cybersecurity goals in wake of data breach (Help Net Security) The individuals affected in the recent data breach at the University of Maryland will be getting five instead of one year of free credit monitoring, the University's president Wallace D. Loh stated in an additional statement issued in the wake of the breach
Legislation, Policy, and Regulation
Why British intelligence got an eyeful while spying on Yahoo users (Quartz) British intelligence has been spying on millions of Yahoo users who are not suspected of any wrongdoing, and has collected and stored a huge number of images from Yahoo webcam chats
Outgoing NSA chief Keith Alexander signals openness to surveillance reform (The Guardian) General Keith Alexander, testifying before the Senate armed services committee for what could be the final time as head of the NSA, told senators that one option under consideration in the Obama administration's deliberations about revamping the NSA's surveillance programs was to "get only that data" relating to terrorist communications
Cost of NSA surveillance hard to define (FierceGovIT) Surveillance by the National Security Agency costs the United States in terms of direct costs to American taxpayers to pay for it, costs to lost opportunities in the American Internet industry, costs to foreign relations work and costs to Internet security, said Anne-Marie Slaughter, president and chief executive of the New America Foundation. But pegging a dollar value on it is a difficult exercise, said panelists during a Feb. 25 event hosted by the think tank in Washington
A Key NSA Overseer's Alarming Dismissal of Surveillance Critics (The Atlantic) The NSA's inspector general mischaracterized Edward Snowden's critique of the agency in remarks at Georgetown
Internet guffaws at senator's quixotic proposal to ban Bitcoin (Ars Technica) "I am concerned…Americans will be left holding the bag on a valueless currency"
Litigation, Investigation, and Law Enforcement
Dropbox seems to be trying to head off privacy lawsuits as it prepares for an IPO (Quartz) Online storage company Dropbox is widely expected to emerge soon as one of the most anticipated Silicon Valley public offerings this year. And as it does, privacy worries are coming to the forefront
Consumer Sentinel Network Data Book for January - December 2013 (Federal Trade Commission) The Consumer Sentinel Network (CSN) is a secure online database of millions of consumer complaints available only to law enforcement
Texas appeals court says police can't search your phone after you're jailed (Ars Technica) Looking at your texts is not like searching your pockets, judges say