The CyberWire Daily Briefing for 3.12.2014
Both FireEye and Eugene Kaspersky downplay cyber war between Ukraine and Russia. FireEye thinks the level of cyber activity in the region is at the background-noise level. Kaspersky sees conflict, but regards it as hacktivism rather than state-directed activity—thus, a cyber riot, not a cyber war. We're not seeing the widespread, disruptive cyber attacks that characterized earlier Russian operations against Estonia and Georgia (FireEye suggests this shows the Russian organs' increased PR savvy). The early stages of the conflict did, however, see cyber tools used for battlespace isolation. The Snake cyber espionage framework also appears active against Ukrainian targets. (There's no credible attribution of Snake, yet, to anyone other than the Russian government.)
DoubleThink reports finding a WhatsApp for Android vulnerability that exposes chat conversations.
Sucuri traces a very large denial-of-service attack to exploitation of WordPress's Pingback feature. The application layer exploit hijacked some 162,000 legitimate WordPress sites into a DDoS-capable botnet.
Observers see Target's lack of a CSO as contributing to the retailer's data breach. US consumers and payment providers continue to hash out preventive measures; Europe, perhaps lulled by widespread chip-and-pin technology, remains blasé.
The Internet turns 25, and Tim Berners-Lee calls for a Web user bill of rights.
In the US, Senator Feinstein (D-California, and lead intelligence watchdog) accuses the CIA of illegal intrusion into Senate networks. It's simplistic to dismiss her concerns as the "Merkel Effect": such (alleged) intrusion undermines oversight of the Intelligence Community, which Feinstein has cited as an adequate safeguard against surveillance overreach.
Notes.
Today's issue includes events affecting Estonia, European Union, Georgia, India, Ireland, Japan, New Zealand, Russia, Ukraine, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Crimea — The Russian Cyber Strategy to Hit Ukraine (Infosec Institute) The year 2014 started with a diplomatic crisis in Crimea and Ukraine. The tension rose just after the 2014 Ukrainian revolution, in which the government of President Viktor Yanukovych was ousted after a popular revolt in Kiev. In the region there are groups opposed to the protest that desire the integration of Crimea with Russia, and these groups stand against others consisting of Crimean Tatars and ethnic Ukrainians who supported the revolution. During the days of revolution, the deposed president Yanukovych covertly requested the intervention of the Russian military to stabilize the internal situation of Ukraine
Intel Analysts Dissect the Headlines: Russia, hackers, cyberwar! Not so fast. (FireEye) Claims of cyber attacks, website defacements, sophisticated Russian malware, and even "cyberwar" have hit front pages since the conflict in Crimea heated up. With all the noise, it's hard to know what has actually occurred, and even tougher to interpret the consequences of the potential activity. Here's our take on the major cyber activities that have been reported throughout the Russia-Ukraine crisis
Eugene Kaspersky: Russia Ukraine Cyber Attacks Probably Not State Sponsored (TechWeekEurope) Eugene Kaspersky criticises espionage and cyber warfare, saying that countries should be working together to fight cybercrime, but reckons it's hacktivists involved this time
Masked Russians seized our gear: Norway journos (The Local (Norwegian Edition)) Masked guards seized computers and storage devices from three Norwegian journalists on Tuesday and labelled them as spies as they attempted to leave the Crimean peninsula for mainland Ukraine
Hole In WhatsApp For Android Lets Hackers Steal Your Conversations (TechCrunch) As part of what is predominantly an Android security issue, a CTO and consultant has discovered a vulnerability in WhatsApp encryption that could allow another app to access and read all the chat conversations in the WhatsApp app
A Trojan is circulating through Facebook Messenger (The Inquirer) Targets users pretending to be a Facebook friend with a 'LOL' and a fake image file
Hackers turn 162,000 WordPress sites into DDoS attack tools (V3) Hackers have hijacked more than 162,000 legitimate WordPress sites, connecting them to a criminal botnet and forcing them to mount distributed denial-of-service (DDoS) attacks, according to security firm Sucuri
WordPress pingback abuse blamed for massive DDoS attack (CSO Salted Hash) On Monday, Daniel Cid, the CTO of Sucuri, said in a blog post that his company recently mitigated a DDoS attack that leveraged more than 162,000 legitimate WordPress installations. The attack was possible because of the pingback function in the XML-RPC implementation used by WordPress
Large DDoS Attack Brings Wordpress Pingback Abuse Back Into Spotlight (CIO) Attackers exploited the pingback feature in WordPress to use 160,000 WordPress sites as DDoS proxies, researchers from Sucuri said
BB10's 'dated' crypto lets snoops squeeze the juice from your BlackBerry — researcher (The Register) BEAST will attack your sensitive web traffic, warns poster
Twitter goes down — but there's no place now for the Internet to freak out (VentureBeat) Uh-oh, looks like there's trouble in the Twitter land and other sites that hook in to the social network. This morning the service went down, initially without explanation and later "for maintenance." Features like Twitter cards were not working perfectly by 11:41 a.m. PT
Grand Theft Auto V Release Stirs Spam (Trend Micro Threat Encyclopedia) Game enthusiasts and fans of Grand Theft Auto need to be wary of the latest spam run we spotted, which capitalized on the said game
Timken Company Acknowledges Data Breach (eSecurity Planet) 4,987 names, birthdates, genders and Social Security numbers were exposed
Target's Data Breach Raised Few Alarms in Europe (Collections & Credit Risk) Three months after coming to light, the massive exposure of 40 million card accounts at Target Corp. still has the payments industry and consumers talking about what should be done to prevent this happening again. In the United States, that is
Target did not have CISO to oversee information security prior to massive breach (FierceITSecurity) Like Sony before it, Target did not have a chief information security officer overseeing security prior to its massive data breach that compromised 40 million credit and debit card accounts, and personal information on 70 million more shoppers, in November and December of last year
Don't be the next Target (FierceITSecurity) We can only wonder why Target, which handles millions of credit and debit card transactions every day, did not have a chief information security officer before its massive data breach that resulted in lost customers and profits
200 million consumer records left exposed in Experian security oversight (ZDNet) Smooth words and a fake identity gave one man the power to compromise millions of private financial records belonging to U.S. consumers
New techniques used to steal cyber-info (Yomiuri Shimbun via the Daily Herald) Cyber-attacks designed to steal valuable business information are becoming more refined and diverse
On the trail of Advanced Persistent Threats… (Naked Security) SophosLabs expert Gabor Szappanos has written a highly-recommended report entitled "Advanced Persistent Threats - the new normal?" Szappi explains how exploits once seen only in APTs are appearing ever more widely in money-making malware, and why that puts us all at ever greater risk
Security Patches, Mitigations, and Software Updates
Patch Tuesday wrap-up, March 2014 — critical fixes from Microsoft and Adobe (Naked Security) Five updates from Microsoft, with two of them critical, including an APB for Internet Explorer users. One critical from Adobe, making that three must-get Flash fixes in just over a month. Don't delay. Patch today
Many non-security updates released for Windows and Office (ZDNet) It's Patch Tuesday, so Microsoft released many non-security updates in addition to the security patches. Windows 8.1 gets an even dozen
Is Microsoft really risking its reputation by retiring Windows XP? (FierceCIO: TechWatch) As administrators and IT managers are no doubt aware, Microsoft will stop shipping security updates for Windows XP after April 8, 2014. As I wrote previously, this comes after an incredible run of more than 12 years, which is substantially longer than other desktop operating systems such as
Adobe issues non-critical Flash update (ZDNet) A new version of Flash fixes two vulnerabilities in the Windows, Mac and Linux versions. They're not super-high priority
Joomla Fixes Critical SQL Injection Vulnerability (Threatpost) The open-source content management framework Joomla pushed out version 3.2.3 of its product last week, fixing a SQL injection zero-day vulnerability that could have let attackers steal information from databases or insert code into sites running the CMS
Cyber Trends
Web@25: Sir Tim Berners-Lee urges the world to protect his creation (V3) Sir Tim Berners-Lee has called on web users around the world to show their support for keeping the internet a free and open platform, to mark 25 years of the web's existence
Reestablishing trust in the Internet (Help Net Security) "The next phase of the internet will be data-centred and connectivity driven. Cloud computing, big data, the Internet of Things; tools which support manufacturing, education, energy, our cars and more. The internet is no longer about emails," said Neelie Kroes, European Commissioner responsible for the Digital Agenda, in her speech at CeBIT 2014 in Hanover on Monday
The NSA, Snowden, and the Internet's Offensive Future (Threatpost) Despite everything that has transpired in the last year, Edward Snowden sounded calm, reflective and in some ways wistful yesterday discussing the fallout and consequences of the multitude of NSA programs and methods he's revealed. Snowden bemoaned the fact that the NSA specifically and the intelligence community in general have shifted their focus to offensive operations, implying that defense should be the focus. But now that those agencies have the tremendous offensive powers they've accumulated in the last decade, they're never giving them back
The browser's resized future in a fragmented www world (The Register) The safe option in a native jungle
Leon Panetta Warns of Cyber Pearl Harbor: and a CTO gives him a polite earful (CTO Vision) Leon Panetta spoke today at the Symantec government conference in DC. No matter what your politics are, I hope you see this man as a great American who always puts country above himself. I believe that. He has spent his entire adult life proving that
The Internet of Things Needs Anti-Virus Protection (Slate) As the Internet of Things grows and more devices than ever have network connectivity baked in, you might start to wonder what protects all of these smart home appliances and media streaming dongles against hacks. The answer: pretty much nothing. Companies can release security updates or patches when they learn about vulnerabilities in their devices, but who is going to do a software update on their refrigerator
Internet of things will drive forward lifestyle innovations (ComputerWeekly) Internet-connected devices have been predicted to become popular for many years, but the emergence of the internet of things (IoT) has been held back by many issues — the main one being cost
Forget the Internet of things…this is the Internet of crap (CSO Salted Hash) Unless we begin to treat all of our devices, boxes, technologies, etc. as hostile by default, we will continue to find ourselves cleaning-up the havoc wrought by adversaries with poor intentions and friends with good ones
Resolving the Critical Infrastructure Cybersecurity Puzzle (SIGNAL) Isolation measures to address vulnerabilities will not work well with vulnerable systems
Guest Column: Protecting power grid must be priority (Montgomery Advertiser) Revelations about the cyber theft of customer data at Target and Neiman Marcus are just the most recent reminders about the threat to the United States of cyber attacks. But invasive and costly attacks on businesses and all of us as customers may not even be the most worrisome threats
SME cloud — blanket security or security blanket? (ComputerWeekly) Small and medium-sized enterprises (SMEs) are as vulnerable to security threats as their larger counterparts. Everyone uses the same internet, much of the same software and has the same vulnerabilities from employee mishap or attacks on valuable data. Yet SMEs do not normally have the luxury of a full-time IT security specialist, let alone the budget for bullet-proof specialist security systems
Infographic: Mobile policies fail to keep pace with device use in healthcare (FierceMobileIT) Doctors are increasingly using mobile devices to provide patient care, yet many healthcare organizations do not have a mobile technology policy in place, according to a recent survey by the Healthcare Information and Management Systems Society
Do organizations care about data protection? (Help Net Security) Most consumers just don't believe that the personal and financial data they submit to corporations is safe. That's the unmistakable takeaway from a new snap poll conducted by HyTrust
UK's top 100 online brands often allow lax password security, research finds (TechWorld) Apple scores top marks, Urban Outfitters comes bottom
Cyber-crime cost Irish economy €350m in 2013 (Independent) One in five of us a victim of €350m cyber-crime spree
Big Data still 'a new frontier' for most of the public sector (CSO) NSA surveillance technology is cutting edge, but for most of the government, Big Data analytics is a promise unfulfilled
Marketplace
Mergers, Spinoffs, Cyber Security, Disaster Planning and Executive Pay among Top Issues at 2014 Shareholder Meetings According to BDO USA, LLP (Herald Online) As the 2014 annual meeting season begins, shareholders will be focused on both opportunities and threats. After slumping through January and early February, the stock market has bounced back and is within shouting distance of new highs, but mixed economic data on hiring, exports, housing and manufacturing, coupled with worries about emerging markets are cause for potential concern. This unsettled climate should make for an interesting annual meeting season this Spring. BDO USA, one of the nation's leading accounting and consulting firms, has compiled the following list of topics that corporate management and boards of directors should be prepared to address in connection with 2014 annual meetings
Cisco, Check Point, Fortinet top growing security appliance market, says IDC (FierceITSecurity) The top three security appliance vendors—Cisco, Check Point and Fortinet—all gained market share in the fourth quarter of 2013, according to the latest stats from IDC
Startups dominate SMB cloud security market, says ABI (FierceIT Security) Startups dominate the security services market for small and medium-sized businesses using the public cloud, according to ABI Research
Security Services Cater To SMBs (Dark Reading) Cloud and managed security services are headed down market with simpler interfaces masking their enterprise heritage
Global Digital Solutions Files Form 8-K, Announces Unsolicited Letter of Intent to Acquire Remington Outdoor Company, with Estimated Annual Sales of $1.25 Billion and a P (Broadway World) Global Digital Solutions, Inc. (OTC-QB: GDSI), a company that is positioning itself as a leader in providing cyber arms manufacturing, complementary security and technology solutions and knowledge-based, cyber-related, culturally attuned social consulting in unsettled areas
What does the Bit9 and Carbon Black merger mean for businesses? (TechRadar) Bit9 recently merged with Carbon Black, a move that, in the newly-formed company's words, makes it the only one capable of detecting advanced threats on endpoints and servers to provide incident responses in seconds
Stealthy Enterprise Security Company Niara Raises $9M From Index And NEA (TechCrunch) We hear that Niara is playing in a similar space to Mandiant, focusing on companies and enterprises that have succumbed to security attacks. Niara
Jericho Systems to Research Data Privacy for U.S. Department of Homeland Security (Broadway World) Jericho Systems Corporation, developers of EnterSpace Decisioning Service (ESDS) technology for externalized dynamic access control and content filtering, has executed a Broad Agency Announcement (BAA) contract with the U.S. Department of Homeland Security (DHS) Science and Technology Directorate to use fine-grained access control policies and data labels to secure sensitive and personally identifiable data at DHS fusion centers
Inspired by Key West, KEYW tackles cybersecurity, intelligence (Capital Gazette) Len Moodispaw does not consider himself a "big company" person, so when Northrup Grumman bought the firm he was working for, he decided to start his own business
You've already been hacked. Here's why it's okay (Fortune) Newly appointed AVG chief executive Gary Kovacs on simplicity, Mark Twain, and what to do in a world where you've already been hacked
Attracting cyber security talent a 'challenge' for police — Cyber Crime Unit's Andy Archibald (Computing) The public sector — and the police force in particular — is struggling to attract top cyber security talent to help protect the public from hackers and cyber criminals because security professionals can often get far better salaries in the private sector.
Michael Mullen, 25-Year Secret Service Vet, Named Cyveillance Security Services VP; Scott Kaine Comments (GovConWire) Michael Mullen, former assistant to the special agent in charge at the U.S. Secret Service, has joined QinetiQ subsidiary Cyveillance as vice president of security services
Steve Pataky, Vice President of FireEye Worldwide Channels and Alliances, Named as One of CRN's 50 Most Influential Channel Chiefs (MarketWatch) FireEye, Inc., the leader in stopping today's advanced cyber attacks, announced today that Steve Pataky has been recognized on the CRN 2014 Channel Chiefs list and has been named as one of this year's 50 Most Influential
Products, Services, and Solutions
Protecting data against unwanted surveillance (Help Net Security) Network security has been in the spotlight more than ever the past few months, and for good reason. We've seen many scary headlines that have put the pressure on security professionals — and also raised the stakes
Check Point Next Generation Threat Prevention Appliance (SC Magazine) The Threat Prevention Appliance from Check Point Technologies provides a solid security platform that can be customized with the addition of several software blades
Google Glass offers additional security to ATM users (Help Net Security) Taking photos with a wink, checking one's calendar with a glance of the right eye, reading text messages — the multinational corporation Google wants to make it possible with Google Glass. But what IT experts celebrate as a new milestone makes privacy groups skeptical. So far, few people have access to the prototype to test how it can be used in daily life
Technologies, Techniques, and Standards
White House's Cybersecurity Framework Highlights Need for Preparedness (National Law Review) The White House recently announced the official launch of the Cybersecurity Framework, which provides voluntary guidelines for both public and private organizations operating as part of the "critical infrastructure" to create or improve upon their defenses and response protocols for cyber-attacks. The framework was drafted as a result of the President's February 12, 2013 Executive Order 13636, which called for the development of a "prioritized, flexible, repeatable, performance-based, and cost-effective approach" for assisting organizations responsible for "critical infrastructure services" to manage cybersecurity risk. In October, the U.S. Department of Commerce's National Institute of Standards and Technology released a Preliminary Framework. The release of the Preliminary Framework was followed by a 45-day public comment period
Public outreach accelerates on cyber framework amid questions about measuring success (Inside Cybersecurity) Obama administration public outreach is in high gear one month after release of the framework of cybersecurity standards, although the metrics for measuring the effectiveness of the campaign remain in question
Breaking Kryptonite's Obfuscation: A Static Analysis Approach Relying on Symbolic Execution (Diary of a Reverse Engineer) Kryptonite was a proof-of-concept I built to obfuscate code at the LLVM intermediate representation level. The idea was to use semantic-preserving transformations in order to not break the original program. One of the main ideas was, for example, to build a home-made 32-bit adder to replace the add LLVM instruction. Instead of having a single asm instruction generated at the end of the pipeline, you will end up with a ton of assembly code doing only an addition
Is it the ISP's Fault if Your Home Broadband Router Gets Hacked? (ISP Review) As consumers we have a right to be huffy at our ISPs when something goes wrong. But is the Internet provider still to blame if, as in the recent cases of AAISP and now PlusNet, your home broadband router ends up being hijacked by a DNS redirection exploit
Unbalanced Security is Increasing Your Attack Surface (TripWire: The State of Security) In the first article in the series, we talked about how when you don't understand your attack surface, too much security can actually make you more vulnerable and undermine the efficiency of your organization's operations. Now we will look at problems caused by unbalanced security, which will lead us to the third and final installment on security solutions that fight for the same resources
Can we test protection against targeted attacks? (Naked Security) In my day job as a tester of anti-malware solutions, I often get asked the same question: how do I plan to test against Advanced Persistent Threats, aka APTs? These threats are very different from your everyday malware, and testing protection against them turns out to be a very different kind of
Think data breach won't happen to you? Why we need to close the gap between perception and reality (CSO) Closing the gap between perception and reality of data breach is necessary to discuss and advance real solutions to the challenge of protecting people and information
Design and Innovation
Use this jargon to describe your startup—and you're sure to annoy journalists (Quartz) As tech journalists, our job is to decipher the lingo that startup entrepreneurs love to throw around at events like SXSW
How Facebook and Twitter built the best employee training programs in Silicon Valley (Quartz) Training employees and managers is essential at any company but particularly for startups. Yet many avoid it because it seems too hard or expensive
Research and Development
How to Eat Your Entropy and Have it Too — Optimal Recovery Strategies for Compromised RNGs (International Association for Cryptologic Research) Random number generators (RNGs) play a crucial role in many cryptographic schemes and protocols, but their security proof usually assumes that their internal state is initialized with truly random seeds and remains secret at all times. However, in many practical situations these are unrealistic assumptions: The seed is often gathered after a reset/reboot from low entropy external events such as the timing of manual key presses, and the state can be compromised at unknown points in time via side channels or penetration attacks. The usual remedy (used by all the major operating systems, including Windows, Linux, FreeBSD, MacOS, iOS, etc.) is to periodically replenish the internal state through an auxiliary input with additional randomness harvested from the environment. However, recovering from such attacks in a provably correct and computationally optimal way had remained an unsolved challenge so far. In this paper we formalize the problem of designing an efficient recovery mechanism from state compromise, by considering it as an online optimization problem
Partnership Promises to Prevent Cloud Computing Problems (SIGNAL) The U.S. Army, government agencies and the private sector fund university research
Legislation, Policy, and Regulation
Japan preps new law to bolster government cyber defences (The Register) Government systems attacked every thirty seconds
US Cyber Command Nominee Adopts Open Approach at Confirmation Hearing (Defense News) When US Army Gen. Keith Alexander submitted written answers to questions for his confirmation hearing to head the newly created US Cyber Command in 2010, he avoided publicly answering all or part of 29 questions, instead providing his responses to Congress in a classified document
NSA nominee backs protection for companies in any cyber law (Reuters via the Chicago Tribune) President Barack Obama's nominee to head the National Security Agency and U.S. Cyber Command said on Tuesday liability protection for corporations that share information with intelligence agencies is crucial in any new U.S. cybersecurity legislation
NSA nominee promotes cyberwar units to Senate (New York Times via the Columbus Dispatch) All of the major combat commands in the U.S. military soon will have dedicated forces to conduct cyberattacks alongside their air, naval and ground capabilities, Vice Adm. Michael S. Rogers, President Barack Obama's nominee to run the National Security Agency, told the Senate yesterday
Encryption makes you an NSA target, expert warns (SlashGear) Following Edward Snowden's call for internet users to encrypt everything as a matter of course is likely to make you an even bigger target for the NSA, activist journalist Glenn Greenwald has warned, arguing that the stance inside the spying agency is that those protecting their data are inherently suspicious. "If you want to hide what you're saying from them," Greenwald said during a video appearance at SXSW this week, "it must mean that what you're saying is a bad thing," the former Guardian writer said of the National Security Agency's assumptions
Who Wants To Unplug The NSA? Not Arizona's State Agencies (Forbes) Revelations last spring that the National Security Agency secretly gathered information on the communications of millions of Americans have led to a groundswell of legislation aimed at reining in government surveillance. But the response of state agencies in Arizona, one of the states where a popular anti-spying bill is furthest along, indicates unauthorized collection of personal information is deeply entrenched at both the state and federal levels
US, UK and Indian bodies named among worst online spies (Economic Times) The US National Security Agency, India's Centre for Development of Telematics, and the UK's GCHQ have been named among the worst online spies by a non-profit group for implementing censorship and surveillance
GCSB dismisses whistleblower claims (Radio New Zealand News) The Government's external spying agency is denying it had help from the United States National Security Agency in rewriting the law governing the way it operates
Senate panel 'very close' to cyber bill (The Hill) Lawmakers on the Senate Intelligence Committee are getting "very close" to a new cybersecurity bill, according to the panel's top Republican
FCC task force will better intersect technology, health (FierceMobileHealthCare) Federal Communications Commission Chairman Tom Wheeler announced March 5 the launch of a new Connect2Health Task Force, which aims to use the agency's expertise to better intersect broadband connectivity, advanced technology and health
Gaps in State Dept. oversight of security training (FierceGovernment) Before traveling to certain dangerous countries, State Department employees are supposed to undergo security training, but the department doesn't always ensure they do so
Litigation, Investigation, and Law Enforcement
Feinstein: CIA searched Intelligence Committee computers (Washington Post) The head of the Senate Intelligence Committee on Tuesday publicly accused the CIA of secretly removing documents from computers used by her panel to investigate the agency's controversial interrogation program and said that an internal agency investigation of the action has been referred to the Justice Department for possible criminal prosecution
CIA Hack Scandal Turns Senate's Defender of Spying Into a Critic (Wired) It's quite a change to hear Dianne Feinstein, the powerful chair of the Senate Select Committee on Intelligence, express outrage over warrantless and potentially illegal government spying
Edward Snowden critiques Dianne Feinstein remarks (Politico) National Security Agency leaker Edward Snowden called out Sen. Dianne Feinstein after her fiery floor speech Tuesday assailing the CIA, calling her anger hypocritical
How CIA snooped on Senate Intel Committee's files (Ars Technica) It's easy to search someone's network when you hired the IT department
Guest Post: The Elephant in the Room: The FBI (Just Security) Commissions, oversight boards, and review groups are all the rage these days. Recent weeks have seen hundreds of pages of reports evaluating American intelligence agencies, and there's a promise of more to come. These reports have recommended dozens of modifications affecting all three branches of government. But there's an integral part of the surveillance state that has thus far largely escaped the current scrutiny: the FBI. And while failure to "connect the dots" is an oft-cited flaw within the intelligence community, not insisting on examining more closely the FBI's surveillance activities represents a similar flaw by those outside the intelligence community
Snowden Isn't Exactly a "Traitor," Says the Top Nominee for NSA Director (Motherboard) In stark contrast to Edward Snowden's appearance yesterday in front of an SXSW crowd, Vice Admiral Michael Rogers, the man likely to take over the helm of the National Security Agency, today testified in front of the Senate armed services committee to talk about his vision for the future of US cyber defense
Spy Chief Assures Bar Association that NSA Respects Attorney-Client Privilege (Wall Street Journal Law Blog) The outgoing head of the National Security Agency has a message to the nation's lawyers: Your clients' secrets are in safe hands
The NSA won't shut up about Snowden, but what about the spy who stole more? (The Guardian) Why the incoming NSA chief needs to crack down on international espionage, not worthy whistleblowing
Tech Companies Shine Some Light on National Security Requests (MIT Technology Review) "Transparency reports" reveal insights about the requests made in the name of national security—including information that was previously kept secret
Australian telco fined less than $10k for privacy violations (SC Magazine) An Australian telecommunications and media company was fined $9,161.18 (AU$10,200) for violating privacy laws as a result of a data breach affecting 15,775 of its customers
Judge freezes all of MtGox's US assets, lets class-action suit continue (Ars Technica) CEO, MtGox firms accused of fraud: "He is those companies and they are him"
Upcoming Events
SANS Security West SANS Security West will arm information security professionals with the necessary insight to prepare their organization for today and the future. Attendees will have the opportunity to advance their information security skill set by learning innovative ideas and techniques to fend off today's most challenging cyber threats as well as emerging threats.
CanSecWest CanSecWest, the world's most advanced conference focusing on applied digital security, is about bringing the industry luminaries together in a relaxed environment which promotes collaboration and social networking. The conference lasts for three days and features a single track of thought-provoking presentations, each prepared by an experienced professional and talented educator who is at the cutting edge of his or her field. We give preference to new and innovative material, highlighting important, emergent technologies, techniques, or best industry practices.
Nuclear Regulatory Commission ISSO Security Workshop Exhibitors will have the opportunity to showcase cutting-edge products and services available in today's market. All companies specializing in products and services that would benefit the NRC workforce are encouraged to exhibit at this one-day expo. Topics of the workshop and of high interest to attendees include: computer security policy, standards and guidance, cybersecurity, FISMA compliance, and training updates.
ICS Summit 2014 (Lake Buena Vista, Florida, US, Mar 17 - 18, 2014) The 9th Annual North American ICS Security Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security.
27th Annual Federal Information Systems Security Educators' Association (FISSEA) Conference The 27th Annual Federal Information Systems Security Educators' Association (FISSEA) Conference will be held at the National Institute of Standards and Technology on March 18-20, 2014; exhibits will be on display March 19 only. This year's theme, "Partners in Performance: Shaping the Future of Cybersecurity Awareness, Education, and Training," will focus on developing a better understanding of current information systems/cybersecurity projects, emerging trends, and initiatives. Through numerous high-quality sessions, approximately 200 attendees will learn new ways to improve their IT security program and practical solutions to training problems while earning Continuing Professional Education (CPE) credits. The vendor fair gives attendees a tactical look at the products and services available to meet their professional goals.
Security Policy Reform Implications for Industry: Maintaining Momentum for Transformational Change (Chantilly, Virginia, USA, Mar 20, 2014) Join INSA's Security Policy Reform Council for Security Policy Reform Implications for Industry: Maintaining Momentum for Transformational Change at the SI Organization in Chantilly, VA. This unclassified, but sensitive Symposium will be off the record, and will bring together stakeholders from the executive and legislative branches as well as their counterparts in the private sector. Following unprecedented attention on the security clearance process in 2013, 2014 promises to be a year of consequence to a fundamental aspect of how the IC carries out its mission. This Symposium will provide attendees an opportunity to participate in the current debate and learn about future technologies that will influence security policies and procedures.
Suits and Spooks Singapore Our first international Suits and Spooks conference will be held in Singapore with a visit to Malaysia on March 20-21, 2014. The focus will be on how multi-national corporations can profitably operate in a globally hostile environment that consists of foreign intelligence collection, mercenary hacker crews, insider threats, and supply chain/vendor vulnerabilities. Our international list of speakers will discuss who the threat actors are, what they're after, and best practices to mitigate the risks.
MCT-Congress: Going Mobile with Clinical Trials (Edinburgh, Scotland, UK, Mar 20 - 21, 2014) It is almost inevitable that mHealth solutions will be adopted across healthcare systems worldwide over the next decade. What is less clear is the impact that mobile solutions are having and could have on the clinical research process.
Cyber Security for Energy & Utilities Following the rapid evolution of the cyber and digital world, IT Security Directors, Information Security Directors, Chief Security Officers, Chief Information Officers and many more will gather at the 3rd Edition of the Cyber Security for Energy & Utilities conference taking place from 23-26 March 2014 at The Westin Golf Resort in Abu Dhabi, UAE.
Veritas 2014 At Veritas 2014, hear directly from the big data experts in top-tier retail finance who are now implementing strategy and starting to yield real commercial value. Experts dedicated to Big Data in the sector will show you how the right approaches can lead to far-reaching results in business model innovation, risk mitigation and identifying new revenue streams. See how Veritas 2014 will help you develop your big data implementation strategy.
Black Hat Asia Black Hat is returning to Asia for the first time since 2008, and we have quite an event in store. Here the brightest professionals and researchers in the industry will come together for a total of four days: two days of deeply technical hands-on Trainings, followed by two days of the latest research and vulnerability disclosures at our Briefings.
SEC Cybersecurity Roundtable (Washington, DC, USA, Mar 26, 2014) The Securities and Exchange Commission today announced that it will host a roundtable next month to discuss cybersecurity and the issues and challenges it raises for market participants and public companies, and how they are addressing those concerns.
Cyber Security Management for Oil and Gas Attend to gain cutting-edge information from oil and gas cyber security experts on: using the very latest in intelligence techniques to find and neutralize the newest threats in time; preventing security breaches while ensuring your employees, social media and mobile devices operate effectively; implementing best practices in order to achieve and maintain SCADA and other key systems security; and how a "critical infrastructure" designation would impact different aspects of oil and gas cyber security management.
ISSA Colorado Springs — Cyber Focus Day (Colorado Springs, Colorado, USA, Mar 27, 2014) Join us for the Information Systems Security Association (ISSA) — Colorado Springs Chapter — Cyber Focus Day, set to take place on Thursday, March 27, 2014 at Colorado Technical University (CTU).
CyberBiz Summit (Linthicum, Maryland, USA, Mar 28, 2014) Learn first-hand how to get your cyber business started, how to raise capital, and what to do to make it happen. Join us for four informative sessions, networking and breakfast at the BWI Westin on Friday, March 28th.
Corporate Counter-Terrorism: the Role of Private Companies in National Security (Washington, DC, USA, Mar 28, 2014) The 2014 American University Business Law Review Symposium will address the growing role of corporate America in governmental counter-terrorism programs, including the bulk metadata and PRISM surveillance initiatives. John Carlin, Assistant Attorney General for National Security, will deliver the keynote. Other speakers will include current and senior officials from the Justice Department, National Security Agency, Office of the Director of National Intelligence, FBI, DHS, Google, and Microsoft.
SyScan 2014 (Singapore, Mar 31 - Apr 4, 2014) SyScan is a deep knowledge technical security conference. It is the aspiration of SyScan to congregate in Asia the best security experts in their various fields, to share their research, discovery and experience with all security enthusiasts in Asia.
Interop Conference Interop Conference sessions help you find actionable solutions to your current IT headaches and plan for future developments.