The CyberWire Daily Briefing for 3.14.2014
As the Russian government asserts a right to military intervention in Ukraine, unidentified hackers bring down the Russian President's and Central Bank's websites. Speculation turns to Anonymous Caucasus as possibly responsible, although there's no shortage of other internal opposition to the regime, either, as recent official blocking of dissident sites suggests. Accusations of Ukrainian involvement are curiously absent from Russian statements. In the US, Director NSA nominee Rogers tells the Senate that Ukraine is under cyber attack, but primly declines to say by whom while speaking in an unclassified session.
Target says it received warning of its data breach during the event's early stages, but decided not to take action. This is not evidence, by itself, of irresponsibility. The problem is a common one: too many security warnings—with a high incidence of false positives, an absence of well-structured assessments of relative risk, and dependence upon human watchstanders—create a glare that can obscure significant threats. (Globalization note: a security team in Bangalore passed the warning in question to Target headquarters in Minneapolis.)
Dr. Web identifies a Trojan, "Rbrute," that infects Wi-Fi routers to spread Sality malware.
Adobe, Ubuntu, RedHat, and Google issue various patches or security upgrades.
Industry analysts find Pwn2Own usefully disillusions those who think their software invulnerable. Blackstone acquires Accuvant. (ISC)² advises addressing security workforce shortages by creating entry-level positions and building a pipeline to fill them.
The crisis in Ukraine snarls US-Russian cyber security talks. The EU enacts new data protection rules.
The CIA-Senate dispute proves legally murky.
Notes.
Today's issue includes events affecting Canada, China, European Union, France, Germany, India, Russia, Ukraine, United Kingdom, and United States.
Cyber Attacks, Threats, and Vulnerabilities
Hackers down Russian presidential site in 'powerful cyber-attack' (Russia Today) Unidentified hackers brought down the Russian presidency's site and the Central Bank's web page in a wave of online attacks. The website is now operational for most users
20 million reasons the Kremlin just blocked a bunch of opposition websites (Quartz) With tensions rising over Crimea, Russia yesterday blocked a number of opposition websites. One of them is the blog of Alexei Navalny, an opposition leader currently under house arrest, who is known for publishing documents about official corruption online. In response to the censorship, he published what he says are his blog's traffic statistics (link in Russian) for the past 12 months, showing 20 million unique visitors (note that it's not possible for us to verify this independently). Assuming most of them are from Russia, it's a not-insignificant chunk of the country's population of 143 million—good reason for the authorities to be worried
NSA Nominee Confirms Ukraine is under Cyberattack (Nextgov) A top U.S. military official said Tuesday he believes hackers are attacking Ukrainian computer and communications networks—but he declined to point the finger at Russia. "In an open unclassified forum, I'm not prepared to comment on the specifics of nation-state behavior," Vice Adm. Michael Rogers told the Senate Armed Services Committee when asked whether Russia is using cyberattacks against Ukraine
Inside Turla: US military's worst cyber breach (Gadget) G-Data and BAE Systems have released information on the cyber espionage operation codenamed Turla. Furthermore, Kaspersky has found a connection between it and the already existing Agent.BTZ malware, which took the Pentagon over a year to eradicate from the U.S. military's networks
Target says it declined to act on early alert of cyber breach (Reuters) Target Corp's security software detected potentially malicious activity during last year's massive data breach, but its staff decided not to take immediate action, the No. 3 U.S. retailer said on Thursday. "With the benefit of hindsight, we are investigating whether if different judgments had been made the outcome may have been different," company spokeswoman Molly Snyder said in a statement
Why Target is as much a victim as to blame for cyber attacks (Digital Journal) If you were one of those people that got a phone call out of nowhere stating that your account has been compromised, you're well aware that Target has been the victim of recent cyber attacks
Rbrute Trojan hacks Wi-Fi routers to help spread Sality (Help Net Security) Researchers from Russian AV company Dr. Web have recently analyzed a Trojan that hacks Wi-Fi routers in order to facilitate the spreading of the infamous Sality malware family
Malicious advertising offers broad reach and quick rewards for malware perpetrators (CSO) Dynamic, expanding advertising scene opening juicy targets for Internet bandits
DDoS attacks using NTP amplification soar, warns Prolexic (FierceITSecurity) Distributed denial of service attacks using network time protocol amplification surged 371 percent in February, warns DDoS protection service firm Prolexic Technologies
110,000 Wordpress Databases Exposed (CSO) For years now I've been writing my various blog posts and I have used many different kinds of CMS platforms right back to posting using VI back in the 90s. My favourite platform that I've used to create content has been Wordpress by far. I can almost hear the security folks cringe. Yes, it is a massive headache to lockdown. But, I fight on as the user experience makes the pain worthwhile
Incorrect mobile numbers undermine One-Time Password security, survey finds (Techworld) A small but persistent percentage of SMS One-Time Passwords (OTPs) sent by two-factor authentication systems never reach users because organisations have no way of spotting incorrect mobile numbers, new research has suggested
Commercial Windows-based compromised Web shells management application spotted in the wild — part two (Webroot Threat Blog) Sticking to good old fashioned TTPs (tactics, techniques and procedures), cybercriminals continue mixing purely malicious infrastructures with legitimate ones, for the purpose of abusing the clean IP reputations of networks, on their way to achieving positive ROI (return on investment) for their fraudulent activities. For years, this mix of infrastructures has led to the emergence of the 'malicious economies of scale' concept, in terms of efficient abuse of legitimate Web properties, next to the intersection of cybercriminal online activity, and cyber warfare
CTO of WordPress-based business downplays pingback DDoS risks (CSO Salted Hash) Jason Cohen, founder and CTO of WP Engine, says the news surrounding DDoS attacks launched from WordPress' pingback function has been incorrectly and unfairly characterized by the media
Hacker who Snowdenized ethical hacking site also grabbed email control (Naked Security) The hacker behind the pasting of Edward Snowden's mug onto the EC-Council's site also managed to send a password-reset to its cloud-based enterprise email and get control of some customers' accounts
Morrisons supermarket hit by MASSIVE staff payroll data robbery (The Register) Details of 100,000 staffers leaked online, sent to local paper
Cybercriminals Tell Users They Might Have Cancer to Trick Them into Installing Malware (Softpedia) Cybercriminals have hit a new low. They're telling users they might have cancer just to trick them into installing a piece of malware on their computers
NYC MTA Data Breach Exposes 15,000 Employees' Info (eSecurity Planet) A CD containing Social Security numbers, birthdates and salary information was found in a refurbished PC sold at a major retailer
UCSF Medical Center Admits Third Data Breach in Four Months (eSecurity Planet) Unencrypted computers containing 9,986 people's personal and health information were stolen in early January
The Smart Car will be hacked (ReadWrite) Connected cars are computers on wheels, and before long they'll do most everything our phones and tablets do now—store personal data, finalize transactions, play games. Oh, and catch viruses and other malware
Thoughts on Exploiting Trust and Targeting Security's Weakest Link (CSO) Social engineering, including Phishing, is my favorite form of attack. Hands down, it's the most cost effective, and often the simplest method of cracking an organization's defenses
Study Shows Phone 'Metadata' is Highly Sensitive (Threatpost) The term metadata and the implications of its collection and analysis have been one of the key points in the debate surrounding the NSA's broad surveillance programs over the last year. Legislators, policy makers and others continue to argue about whether metadata can actually reveal anything about the people behind the phone numbers, but researchers
Security Patches, Mitigations, and Software Updates
Security update available for Adobe Shockwave Player (Adobe Security Bulletin) Adobe has released a security update for Adobe Shockwave Player 12.0.9.149 and earlier versions on the Windows and Macintosh operating systems. This update addresses a critical vulnerability that could potentially allow an attacker to remotely take control of the affected system. Adobe recommends users of Adobe Shockwave Player 12.0.9.149 and earlier versions update to Adobe Shockwave Player 12.1.0.150 using the instructions provided in the "Solution" section below
USN-2147-1: Mutt vulnerability (Ubuntu Security Notice) The mutt mail client could be made to crash or run programs as your login if it opened a specially crafted email
Red Hat's Fedora 21 brimming with security, crypto upgrades (InfoWorld) Changes to Fedora, like smart card access control and systemwide policy for cryptography, could end up in Red Hat Enterprise Linux
Google Play update adds enhanced security options for app purchases (Phandroid) A new version of the Google Play Store is arriving for Android users, giving folks more control over security measures surrounding app purchases. Users can now decide how often the Play Store will ask for password confirmation, adding a layer of protection against the happy fingers of a child
Windows XP Goes Dark: 5 Things To Expect (InformationWeek) Microsoft customers face Windows XP's end-of-service deadline. How much will you suffer from the lack of support
For Windows XP, the end is nigh (Boston Globe) I drive a 12-year-old Ford, and why not? It's quiet and comfy, and it gets me there. Lots of people feel the same way about software. Almost 30 percent of the world's desktop computers run Microsoft Corp.'s Windows XP, an operating system introduced in 2001. About 40 percent of the PCs at The Boston Globe still run XP, and so do 95 percent of the world's automatic teller machines, according to ATM maker NCR
Sailing the Seas of Digital Detritus (CSO) Much like the hundreds of discarded satellites and assorted rocket pieces that circle the planet high above our heads, the Internet is littered with junk. I'm not talking about people taking pictures of EVERY single meal that they sit down to eat. Rather, broken and/or forgotten websites. For the last couple days I've been sailing along the tubes of the Internet looking for broken sites and there is no shortage
Cyber Trends
High-Risk Security Vulnerabilities Identified During Reviews of Information Technology General Controls at State Medicaid Agencies (US Department of Health and Human Services) High-risk security vulnerabilities we identified during previous, restricted reviews of information system general controls at 10 State Medicaid agencies (State agencies) raise concerns about the integrity of the systems used to process Medicaid claims. The integrity of the State agencies' Medicaid systems depends on the effectiveness of the information system general controls, which are critical to the reliability, confidentiality, and availability of Medicaid data. Without effective general controls, State agencies are not able to adequately safeguard sensitive Medicaid systems and data
Healthcare industry advised to do more thorough risk analyses (CSO) Recent study indicates growing list of risks for healthcare security, prompting experts to call for the improved analyses
Obamacare Vs. Patient Data Security: Ponemon Research (InformationWeek) Healthcare professionals worry that healthcare regulations mandating patient data exchange are luring more data thieves, says Ponemon study
Electric-Grid Attack Fuels Sniper-Versus-Hacker Debate (BusinessWeek) U.S. energy regulators' efforts to harden the power grid against snipers and terrorists are fueling a debate over whether they're diverting resources from other threats, like cyber attacks
Ponemon and AccessData Study Reveals Majority of Organizations Unable to Effectively Respond to and Resolve a Cyber-Attack (Open PR) AccessData, the leader in incident resolution solutions, and the Ponemon Institute released new findings focused on the current state of incident response and threat intelligence and how both can be improved to better benefit organizations. The report, Threat Intelligence & Incident Response: A Study of U.S. & EMEA Organizations, sponsored by AccessData, surveyed 1,083 CISOs and security technicians in the United States and EMEA about how their company handles the immediate aftermath of a cyber-attack and what would help their teams more successfully detect and remediate these events
Cyberspace: What is it, where is it and who cares? (Armed Forces Journal) Assured access to cyberspace is a key enabler of national security, so the answer to the question in the title is: we should all care. Two of the defining characteristics of a strong, modern, industrial nation are economic prosperity and a credible defense. The ability to use cyberspace has become indispensable to achieving both of these objectives
Social media scams rampant. Water is wet. (CSO) I'm rather amused reading this article in the Globe and Mail today about social media scams. It talks about how people are falling for scams on social media sites time and again. While my initial reaction is to scoff, I have to constantly remind myself that these scams, social media based or otherwise, continue to work. Why? People are greedy, gullible and easily swayed in many cases. They want that $250 gift card for completing a survey or a free set of Ginsu knives for providing their banking details
Enterprises Harness Social Networking for Increased Agility and Responsiveness, Finds Frost & Sullivan (FierceITSecurity) The need to enhance communication and collaboration in the workplace to increase employee engagement, accelerate decision-making, and boost overall productivity is driving the global enterprise social networking market. Organizations are integrating purposeful social collaboration functionality into workflows to dynamically connect people and information at the appropriate time, instead of relying solely on legacy collaboration tools utilized in traditional static use cases
Today's IT Organization—Delivering Security, Value, and Performance Amid Major Transformation (Proviti) If there is one word to describe the state of IT organizations in 2014, it is transformation
Bruce Schneier on Incident Response and His Next Book (Ars Technica) Bruce Schneier explains the role that incident response technology should play in the modern IT security landscape
Convergence of SIEM and Forensics (InfoSecurity Magazine) Sometimes technology areas that once seem distinct converge. Indeed, there was a time when the term convergence was used, without qualification, to refer to the coming together of IT and traditional telephone networks, something that for many is now just an accepted reality
Marketplace
Cyber, IT Bright Spots in Defense Budget (National Defense Magazine) The Pentagon's budget proposal for fiscal year 2015 includes $5.2 billion for cyber security. But when intelligence agencies are added to the mix, the amount nearly doubles, according to new estimates
Record prizes for Pwn2Own and Pwnium contestants (Help Net Security) The results of the first day of the traditional Pwn2Own hacking contest at the CanSecWest Conference currently taking place in Vancouver are in, and the losers are Adobe, Microsoft and Mozilla
IE 11 Stands Up to Pwn2Own Exploit Attempt (Threatpost) Browser exploits continue to make news at Pwn2Own, but one that failed stood out in particular
Keen Team of China Takes Down Safari and Flash at Pwn2Own (Threatpost) Keen Team, a group of Chinese hackers, took down Apple Safari and Adobe Flash at the annual Pwn2Own contest
Pwn2Own: The perfect antidote to fanboys who say their platform is safe (Ars Technica) Despite huge leaps in secure code, nothing is immune when hackers are motivated
Accuvant to be acquired by the Blackstone Group (SC Magazine) In a deal that is reported to be worth $225 million, the Blackstone Group will buy a majority of the stake in cyber security firm Accuvant from investment firm Sverica International
Solving The Security Workforce Shortage (Ars Technica) To solve the skills shortage, the industry will need to attract a wider group of people and create an entirely new sort of security professional
Former DISA Vice Director Joins DB Networks Board (Newsfactor) DB Networks, an innovator of behavioral analysis in database security, today announced that Maj. Gen. James David Bryan, U.S. Army (Ret.) has joined its board of advisors. In this new role, Mr. Bryan will provide insight and counsel as the company takes its behavioral analysis technology for database security into new growth markets
Products, Services, and Solutions
Google encrypts search; bad news for NSA, China (The Washington Post via Herald Net) Googling the words "Dalai Lama" or "Tiananmen Square" from China long has produced the computer equivalent of a blank stare, as that nation's government has blocked websites that it deemed politically sensitive
Google gives UK government "super flagger" status for YouTube (Computing) Google has granted the UK security services privileged 'super flagger' status over YouTube videos, enabling the government to demand instant screening of videos it deems threaten national security
Skybox Security Introduces Vulnerability Center (Broadway World) Skybox Security, the leading provider of risk analytics for cyber security, today launched the Skybox Vulnerability Center, a free online resource for IT security practitioners that includes access to the Skybox Vulnerability Database, one of the most advanced vulnerability databases in the industry. Users can search the Skybox Vulnerability Database by vendor, category, severity, date, CVE number and more, and drill down for special details on specified vulnerabilities
Validian Launches Next Generation of Intrusion Prevention (Wall Street Journal) Validian Corp. (OTCQB:VLDI), first-to-market with next generation cyber security technology that provides secure access of critical applications and secure access, transfer and storage of digital information on wired, wireless and mobile networks over the Internet, announced today that it has launched its next generation Intrusion Prevention System, which is the first technology in the market to actually prevent cyber attacks that result from breaching critical applications, and the improper access and theft of valuable digital information
Apple iPhones Could Thwart Thieves, Attackers (Dark Reading) Apple patent application suggests the company is looking to add personal security features to its mobile devices
Cloud-based wireless network monitoring (ProSecurityZone) Smaller businesses now have access to wireless monitoring, security and management tools available in a cloud computing model thereby avoiding hardware dependence
Product integration for critical infrastructure protection compliance (ProSecurityZone) Suite of products available from Tripwire enabling utility companies to achieve compliance with NERC Critical Infrastructure
Technologies, Techniques, and Standards
Your Cloud Was Breached. Now What? (InformationWeek) You're not happy. You just experienced a breach. Here's how to keep calm and secure your cloud
Ensure compliance with Windows BitLocker encryption using MBAM 2.0 (TechTarget) Before you can use MBAM 2.0 to manage Windows BitLocker encryption across multiple computers, follow these tips on deploying and administering it
MBAM 2.0 simplifies large-scale Microsoft BitLocker implementations (TechTarget) Ensuring encryption compliance across multiple machines gets easier with MBAM 2.0, which enables enforcement and management of Microsoft BitLocker
IT can tackle Windows configuration with a well-planned desktop audit (TechTarget) Enforcing Windows policies across the enterprise seems like a pain, but a few desktop audit practices can help IT reach its configuration goals
Enemy at the gates? Antimalware screens unlucky coder's software (TechTarget) This week, a developer asks our expert why antimalware protection is deleting his software. The cause might not be bad code, and there is recourse
The paranoid's survival guide, part 2: Protect your privacy on social, mobile and more (ComputerWorld) Here's how to minimize your personal data footprint when messaging, on social media, and using mobile apps
Guide to ERM: Risk Governance (Willis Wire) What should a board expect from management regarding risk and resiliency? As a part of strong enterprise risk management practice the board of directors should consider the following
Don't Confuse Email with Social Media in the Workplace (Willis Wire) There is quite a bit (rightfully) being written about the challenges of addressing social media related employment actions (hiring / firing); I've written some of these myself
Will Self-Encrypting Drives Help Stop Data Breaches? (PC Magazine) In light of all the security breaches last year, companies are looking for ways to protect their own and their clients' data. Samsung claims that self-encrypting drives are the solutions to better security software protection. In a recent infographic, the company outlines a few reasons why self-encrypting drives are better for businesses
Involving the C-suite in risk management (FCW) As the world becomes more digitized and interconnected, the door to emerging threats and proprietary data leaks has opened wider. The number of security breaches affecting enterprises across numerous industries continues to grow, seemingly every day. Once a topic restricted to the IT organization, security is now unquestionably a C-suite priority. A strong plan for risk management throughout the organization has become essential
Design and Innovation
The World's Richest Ex-Hackers (Forbes) Long before he was the two-hundred-and-second richest person on the planet, Jan Koum was just another curious kid with a wardialer
Academia
Government to give kids cyber security lessons (TechRadar) The UK government thinks it is wise to train 11-14 year olds in cyber security skills under its plans for new higher-level and advanced apprenticeships
Eighty Invited to Compete in 2014 NJ Cyber Aces State Championship at Brookdale March 22 (Atlantic Highlands Herald) Eighty men and women of various ages and backgrounds will compete in a face-to-face competition at Brookdale Community College March 22 for a chance to train for a career in cybersecurity at the New Jersey Cyber Aces Academy at Brookdale
Legislation, Policy, and Regulation
U.S.-Russian cybersecurity talks face uncertainty amid Ukrainian crisis (Inside Cybersecurity) The turmoil in Ukraine has cast a shadow of uncertainty over the next chapter of U.S.-Russian cybersecurity talks, which last year led to the creation of a White House-Kremlin cybersecurity crisis hotline — thus far, never used, according to U.S. officials
Progress on EU data protection reform now irreversible following European Parliament vote (European Commission) The European Parliament today cemented the strong support previously given at committee level to the European Commission's data protection reform (MEMO/13/923 and MEMO/14/60) by voting in plenary with 621 votes in favour, 10 against and 22 abstentions for the Regulation, and 371 votes in favour, 276 against and 30 abstentions for the Directive. The reports of MEPs Jan-Philipp Albrecht and Dimitrios Droutsas, on which members of the European Parliament voted, are a strong endorsement of the Commission's data protection reform and an important signal of progress in the legislative procedure. The data protection reform will give people more effective control over their personal data, and make it easier for businesses to operate and innovate in the EU's Single Market
New EU cybersecurity law avoids making big Internet companies report breaches (NetworkWorld) Breach rule extends only to companies that own, operate or provide technology for critical infrastructure facilities
Europe Approves New Data Protection Law with Punitive Fines (CIO) European politicians voted overwhelmingly on Wednesday in favor of new laws safeguarding citizens' data
The CNIL updates its advice on online payment (Le Monde Informatique) The Commission nationale de l'informatique et des libertés has decided to update its recommendations on online payment, which were issued more than 10 years ago, and has placed the emphasis on the confidentiality of bank card data
Foreign Officials In the Dark About Their Own Spy Agencies' Cooperation with NSA (The Intercept) One of the more bizarre aspects of the last nine months of Snowden revelations is how top political officials in other nations have repeatedly demonstrated, or even explicitly claimed, wholesale ignorance about their nations' cooperation with the National Security Agency, as well as their own spying activities. This has led to widespread speculation about the authenticity of these reactions: Were these top officials truly unaware, or were they pretending to be, in order to distance themselves from surveillance operations that became highly controversial once disclosed
Stop mass surveillance now or face consequences, MEPs say to US (Help Net Security) Parliament's consent to the EU-US trade deal "could be endangered" if blanket mass surveillance by the US National Security Agency does not stop, members of European Parliament said on Wednesday, in a resolution wrapping up their six-month inquiry into US mass surveillance schemes
Key NSA Defender Wants to End Bulk Data Collection (National Journal) Dutch Ruppersberger has a plan to overhaul the controversial spying program
Feinstein Shifts Slow-Burning Anger From Guns to Spies (Roll Call) Few senators wait until their 80s, or the start of their third decade in office, to have their breakout moment. But that's what this past year has been for Dianne Feinstein
It's time for Obama to take a side in the battle between the CIA and the Senate (The Week) He can start by demanding that a report on Bush-era interrogation methods be declassified
Senate sets up departure of top CIA lawyer by lifting block on successor (The Guardian) Confirmation of Caroline Krass had been put on hold by Senate to gain leverage against CIA in procuring post-9/11 documents
NSA Director nominee wants every branch of the military to have a dedicated cyber attack force (Engadget) It seems like President Obama was pretty serious about that cyber attack list he drew up last year — his nominee for NSA Director, Admiral Michael Rogers, just told the Senate that the military is building several new cyber combat units. Rogers, who is slated to both take over at the NSA and head the United States Cyber Command, spent several hours answering questions from the Senate Armed Services Committee this week
U.S. Military Given Secret "Execute Order" on Cyber Operations (FAS) Last June, the Chairman of the Joint Chiefs of Staff issued a classified "execute order" to authorize and initiate a military operation. The nature, scope and duration of the military operation could not immediately be determined — even the title of the order is classified — but it evidently pertains to the conduct of military cyberspace activities. The existence of the previously undisclosed execute order was revealed last week in a new Air Force Instruction
NSA says "indiscriminate" Facebook hacking allegations "are simply false" (Ars Technica) Spooks "only support lawful and appropriate foreign intelligence operations"
Zuckerberg to Obama: 'I'm frustrated' (MarketWatch) Facebook CEO reacts to report that the NSA used Facebook for spying
Bill Gates: 'No admiration' for Edward Snowden (Politico) Gates said some details about government surveillance are best left secret. Microsoft founder Bill Gates says despite his concerns about privacy, he has no "admiration" for National Security Agency leaker Edward Snowden
Surveillance And Security Companies Set Up Zero-Day Exploit Portals For Governments To Use In 'Offensive' Actions (TechDirt) Just under a year ago we wrote about Gamma International's use of Mozilla's trademark to trick people into installing surveillance malware from the company. A post from Privacy International points out the company has now set up what it calls the "Finfly Exploit Portal" providing
New NSA chief explains agency policy on "zero-day" exploits to Senate (Ars Technica) Most discovered bugs are revealed to vendors, but some kept for attacks, he says
NSA: Our zero days put you at risk, but we do what we like with them (ZDNet) NSA chief nominee US Navy Vice Admiral Michael S Rogers details some of the procedures it follows for disclosing or withholding its trove of zero day flaws
Justifying New Federal Cyber Campus (InfoRiskToday) When President Obama proposed spending $35 million to design a federal cyber campus to promote a "whole-of-government" approach to cybersecurity incident response, the administration provided scant details on the initiative buried deep in its $3.9 trillion fiscal year 2015 budget proposal
JIE not a program of record, says Takai (FierceGovIT) Defense Department effort to restructure its information technology infrastructure is not a program of record, although it is subject to program of record-like oversight, said DoD Chief Information Officer Teri Takai
DHS seeks to erase database walls, but filter searches (FierceGovIT) An effort to create an internal data mining and search capability encompassing multiple Homeland Security Department databases will be constrained by a system that filters results according to employee authorization to see certain kinds of data, says the department privacy office
Litigation, Investigation, and Law Enforcement
CIA-Senate dispute raises murky legal, policy issues; no guarantee of criminal prosecution (AP via the Greenfield Daily Reporter) A fight between the Senate and the CIA over whether crimes were committed in the handling of sensitive classified material appears unlikely to be resolved in the courts, legal experts say
Senator's claims of CIA violating computer fraud act shaky, legal expert says (CSO) Establishing CFAA liability could be uphill task for Sen. Dianne Feinstein
In two key cases, activists now ask judge to order NSA metadata preservation (Ars Technica) After FISC reverses itself, EFF also asks Feds to disclose what was deleted
BT caught in data gaffe drama: Whistleblower squeals over alleged email fail (The Register) Britain's privacy watchdog probes 'likely breach'. BT is being investigated by the UK's data regulator after a whistleblower exposed evidence that allegedly showed the one-time national telco's customer email accounts were being compromised by spammers, The Register has learned
NY Judge Questions Rare Arrest In Trade Secret Theft Case (Law360) New York Supreme Court Judge Jeffrey K. Oing on Wednesday questioned whether hedge fund Two Sigma Investments LLC had gone too far by seeking the arrest of a former analyst accused of stealing trade secrets, saying other employers might now copy the tactic and try to jail ex-workers in such disputes
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
SOURCE Boston 2014 The purpose of SOURCE Conference is to bridge the gap between technical excellence and business acumen within the security industry. SOURCE fosters a community of learning where business and security professionals come together to gain knowledge and skills, network with peers, and advance their careers and professional development. SOURCE enables individuals, teams, and organizations to leverage information to improve decision-making, optimize performance, and achieve business objectives.
SOURCE Dublin 2014 SOURCE Dublin combines cutting-edge business, technology, and application security presentations, providing security experts and industry professionals the opportunity to share insights and develop future business prospects.
CanSecWest CanSecWest, the world's most advanced conference focusing on applied digital security, is about bringing the industry luminaries together in a relaxed environment which promotes collaboration and social networking. The conference lasts for three days and features a single track of thought-provoking presentations, each prepared by an experienced professional and talented educator who is at the cutting edge of his or her field. We give preference to new and innovative material, highlighting important, emergent technologies, techniques, or best industry practices.
Nuclear Regulatory Commission ISSO Security Workshop Exhibitors will have the opportunity to showcase cutting-edge products and services available in today's market. All companies specializing in products and services that would benefit the NRC workforce are encouraged to exhibit at this one-day expo. Topics of the workshop and of high interest to attendees include: computer security policy, standards and guidance, cybersecurity, FISMA compliance, and training updates.
ICS Summit 2014 (Lake Buena Vista, Florida, US, Mar 17 - 18, 2014) The 9th Annual North American ICS Security Summit brings together the program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security.
27th Annual Federal Information Systems Security Educators' Association (FISSEA) Conference (National Institute of Standards and Technology, Mar 18 - 20, 2014) The 27th Annual Federal Information Systems Security Educators' Association (FISSEA) Conference will be held at the National Institute of Standards and Technology on March 18-20, 2014; exhibits will be on display March 19 only. This year's theme, "Partners in Performance: Shaping the Future of Cybersecurity Awareness, Education, and Training," will focus on developing a better understanding of current information systems/cybersecurity projects, emerging trends, and initiatives. Through numerous high-quality sessions, approximately 200 attendees will learn new ways to improve their IT security program and practical solutions to training problems while earning Continuing Professional Education (CPE) credits. The vendor fair gives attendees a tactical look at the products and services available to meet their professional goals.
Security Policy Reform Implications for Industry: Maintaining Momentum for Transformational Change (Chantilly, Virginia, USA, Mar 20, 2014) Join INSA's Security Policy Reform Council for Security Policy Reform Implications for Industry: Maintaining Momentum for Transformational Change at the SI Organization in Chantilly, VA. This unclassified, but sensitive Symposium will be off the record, and will bring together stakeholders from the executive and legislative branches as well as their counterparts in the private sector. Following unprecedented attention on the security clearance process in 2013, 2014 promises to be a year of consequence to a fundamental aspect of how the IC carries out its mission. This Symposium will provide attendees an opportunity to participate in the current debate and learn about future technologies that will influence security policies and procedures.
Suits and Spooks Singapore (Singapore, Mar 20 - 21, 2014) Our first international Suits and Spooks conference will be held in Singapore with a visit to Malaysia on March 20-21, 2014. The focus will be on how multi-national corporations can profitably operate in a globally hostile environment that consists of foreign intelligence collection, mercenary hacker crews, insider threats, and supply chain/vendor vulnerabilities. Our international list of speakers will discuss who the threat actors are, what they're after, and best practices to mitigate the risks.
MCT-Congress: Going Mobile with Clinical Trials (Edinburgh, Scotland, UK, Mar 20 - 21, 2014) It is almost inevitable that mHealth solutions will be adopted across healthcare systems worldwide over the next decade. What is less clear is the impact that mobile solutions are having and could have on the clinical research process.
Cyber Security for Energy & Utilities (Abu Dhabi, UAE, Mar 23 - 26, 2014) Following the rapid evolution of the cyber and digital world, IT Security Directors, Information Security Directors, Chief Security Officers, Chief Information Officers and many more will gather at the 3rd Edition of the Cyber Security for Energy & Utilities conference, taking place from 23-26 March 2014 at The Westin Golf Resort in Abu Dhabi, UAE.
Veritas 2014 At Veritas 2014, hear directly from the big data experts in top-tier retail finance who are now implementing strategy and starting to yield real commercial value. Experts dedicated to Big Data in the sector will show you how the right approaches can lead to far-reaching results in business model innovation, risk mitigation and identifying new revenue streams. See how Veritas 2014 will help you develop your big data implementation strategy.
Black Hat Asia Black Hat is returning to Asia for the first time since 2008, and we have quite an event in store. Here the brightest professionals and researchers in the industry will come together for a total of four days: two days of deeply technical hands-on Trainings, followed by two days of the latest research and vulnerability disclosures at our Briefings.
SEC Cybersecurity Roundtable (Washington, DC, USA, Mar 26, 2014) The Securities and Exchange Commission today announced that it will host a roundtable next month to discuss cybersecurity and the issues and challenges it raises for market participants and public companies, and how they are addressing those concerns.
Cyber Security Management for Oil and Gas Attend to gain cutting-edge information from oil and gas cyber security experts on: using the very latest in intelligence techniques to find and neutralize the newest threats in time; preventing security breaches while ensuring your employees, social media and mobile devices operate effectively; implementing best practices in order to achieve and maintain SCADA and other key systems security; and how a "critical infrastructure" designation would impact different aspects of oil and gas cyber security management.
ISSA Colorado Springs — Cyber Focus Day (Colorado Springs, Colorado, USA, Mar 27, 2014) Join us for the Information Systems Security Association (ISSA) — Colorado Springs Chapter — Cyber Focus Day, set to take place on Thursday, March 27, 2014 at Colorado Technical University (CTU).
Financial Incentives for Cybersecurity Businesses (Elkridge, Maryland, USA, Mar 27, 2014) Learn the details and take the opportunity to ask questions of leading experts on how to apply for tax credits (Cyber Tax Credits, Research Tax Credits, Security Clearance Tax Credits, Secured Space Tax Credit) and the latest details on the Maryland Small Business Financing Authority's newest program for small businesses looking for investment dollars.
CyberBiz Summit (Linthicum, Maryland, USA, Mar 28, 2014) Learn first-hand how to get your cyber business started, how to raise capital, and what to do to make it happen. Join us for four informative sessions, networking and breakfast at the BWI Westin on Friday, March 28th.
Corporate Counter-Terrorism: the Role of Private Companies in National Security (Washington, DC, USA, Mar 28, 2014) The 2014 American University Business Law Review Symposium will address the growing role of corporate America in governmental counter-terrorism programs, including the bulk metadata and PRISM surveillance initiatives. John Carlin, Assistant Attorney General for National Security, will deliver the keynote. Other speakers will include current and senior officials from the Justice Department, National Security Agency, Office of the Director of National Intelligence, FBI, DHS, Google, and Microsoft.
SyScan 2014 (Singapore, Mar 31 - Apr 4, 2014) SyScan is a deep knowledge technical security conference. It is the aspiration of SyScan to congregate in Asia the best security experts in their various fields, to share their research, discovery and experience with all security enthusiasts in Asia.
Interop Conference Interop Conference sessions help you find actionable solutions to your current IT headaches and plan for future developments.