The CyberWire Daily Briefing for 3.28.2014
As the Russo-Ukrainian conflict appears dangerously close to entering a new kinetic phase encompassing eastern Ukraine, the nongovernmental think tank US Cyber Consequences Unit publishes a retrospective on the cyber aspects of the crisis.
IsraelDefense blames Hamas for a recent malicious SMS campaign, and warns that mass media channels are in the crosshairs of politically motivated hacktivists.
The multi-purpose, cross-platform Zorenium bot now affects iOS systems. "Cribit" ransomware, now delivered by a Windows Trojan, is demanding payment in Bitcoins. Several other cyber capers try to give criminals access to a range of cryptocurrencies.
Good news: the recently discovered Microsoft Word/Outlook zero-day seems not to affect WordPad. Bad news: Trend Micro finds a new family of worms, "CRIGENT," a.k.a. "PowerWorm," using Windows PowerShell to infect Word and Excel files.
Researchers at Northeastern University warn that careless GUI development practices are dramatically increasing endpoint attack surfaces.
Cisco patches vulnerabilities in its Internetwork Operating System Software.
Another call for better information sharing appears in the INSA Cyber Council's Cyber Intelligence Task Force's new white paper advocating more attention to strategic intelligence.
Wired thinks the lawsuit two banks filed this week against Target and its security assessment partner Trustwave will ("finally") expose the limitations of security audits.
The financial sector has the reputation of being more cyber-savvy than most. But smaller financial advisor practices may be an exception—industry sheet Financial Planning warns a single breach can kill a practice.
US President Obama's telephony metadata collection reforms are scrutinized, to mixed reviews.
Notes.
Today's issue includes events affecting Australia, China, European Union, Israel, Japan, Democratic People's Republic of Korea, Republic of Korea, Malaysia, Palestinian Territories, Russia, Syria, Turkey, Ukraine, United Kingdom, United Nations, and United States.
Cyber Attacks, Threats, and Vulnerabilities
A Cyber History Of The Ukraine Conflict (Dark Reading) The CTO for the US Cyber Consequences Unit offers a brief lesson in Russian geopolitics and related cyber flare-ups, and explains why we should be concerned
Hamas' Cyber Attack (IsraelDefense) Threatening messages were sent to Israelis' mobile phones, including subscribers of IsraelDefense
The Next Target: Mass Media Channels (IsraelDefense) You thought that Hamas' cyber attack on Israeli media last week was a unique case? Well, Ram Levi uncovers the truth behind the recent attacks on media outlets around the world, a threat the World Economic Forum named a "digital firestorm"
Defense Ministry Foils Hacking Attempts (The Chosunilbo) A hacking attempt on March 22 targeting the network at the Defense Ministry's press room prompted authorities to block access, the military cyber command said Thursday
Zorenium bot can now hit iOS users as well (Help Net Security) If all the claims included in the adverts for the multi-platform, multi-purpose piece of malware called Zorenium are true, it could very well have a considerable impact on a large number of users, and become a favorite tool for cyber crooks
Windows trojan packs punch, downloads ransomware "Cribit" (SC Magazine) Users infected with a Windows trojan may be in for another devious surprise — ransomware that encrypts computer files and demands Bitcoin payment to decode the data
Cerberus app users warned about data breach (Help Net Security) Users of the Cerberus anti-theft Android app have been receiving warnings from the Cerberus Security Team, urging them to change their password as they have been reset in the wake of a data breach
Hosting company describes security scare aimed at Bitcoin accounts (CSO Salted Hash) Attackers intercepted password-reset emails by manipulating Chunk Host's third-party email service
Word and Excel Files Infected Using Windows PowerShell (TrendLabs Security Intelligence Blog) Malware targeting Word and Excel files has been around for some time, but we recently encountered a new malware family, CRIGENT (also known as "Power Worm") which brings several new techniques to the table
MS Word zero day does not affect WordPad (ZDNet) WordPad, the free, simple word processor that comes with Windows, is not vulnerable to the zero day RTF bug affecting Word
GUI Vulnerabilities Expose Information Disclosure, Privilege Escalation (Threatpost) Developers are creating countless information disclosure and privilege escalation vulnerabilities by misusing elements of various graphical user interfaces as mechanisms for access control, according to a new research paper from the Northeastern University College of Computer and Information Science
NTP Amplification, SYN Floods Drive up DDoS Attack Volumes (Threatpost) There has been a steady but dramatic increase in the potency of distributed denial of service (DDoS) attacks from the beginning of 2013 through the first two months of this year. In large part, the reason for this rise in volume has to do with the widespread adoption of two attack methods: SYN (synchronize) packet flood attacks and Network Time Protocol (NTP) amplification attacks
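As an added illustration of the two techniques named in that item (this code is not from the Threatpost article or from any vendor), the following Python flags both patterns in flow records: reflected NTP replies are UDP packets from source port 123 that are far larger than the request that provoked them, and a SYN flood shows up as many sources that send SYN-only segments and never complete the handshake. The record layout, the 400-byte threshold, the five-source threshold and the addresses are assumptions for the example, and the flow records are constructed.

```python
"""Flag NTP-amplification and SYN-flood traffic in netflow-like records.

Added example, not from the article. Each record is assumed to be
(proto, src_ip, src_port, dst_ip, dst_port, tcp_flags, bytes).
"""
from collections import Counter, defaultdict

NTP_PORT = 123
# An NTP "monlist" reply can carry 100 entries of ~48 bytes, dwarfing the ~50-byte
# request; a UDP packet *from* port 123 above this size is a likely reflected reply.
NTP_AMPLIFIED_MIN_BYTES = 400  # assumed threshold


def ntp_amplification_victims(flows, min_packets=3):
    """Return {dst_ip: (packets, total_bytes)} for hosts receiving several large
    UDP payloads sourced from port 123, i.e. reflected NTP replies."""
    packets, total = Counter(), Counter()
    for proto, src, sport, dst, dport, flags, nbytes in flows:
        if proto == "udp" and sport == NTP_PORT and nbytes >= NTP_AMPLIFIED_MIN_BYTES:
            packets[dst] += 1
            total[dst] += nbytes
    return {d: (packets[d], total[d]) for d in packets if packets[d] >= min_packets}


def syn_flood_victims(flows, min_half_open=5):
    """Return {dst_ip: half_open_sources} where many distinct sources send a SYN
    without ACK and never send an ACK afterwards: the half-open signature."""
    syn_sources, ack_sources = defaultdict(set), defaultdict(set)
    for proto, src, sport, dst, dport, flags, nbytes in flows:
        if proto != "tcp":
            continue
        if "S" in flags and "A" not in flags:
            syn_sources[dst].add(src)
        elif "A" in flags:
            ack_sources[dst].add(src)
    result = {}
    for dst, srcs in syn_sources.items():
        half_open = srcs - ack_sources[dst]   # sources that never completed
        if len(half_open) >= min_half_open:
            result[dst] = len(half_open)
    return result


# Constructed sample traffic (documentation ranges, not real hosts).
SAMPLE_FLOWS = [
    # five ~440-byte replies from port 123 on different servers hitting one victim
    *[("udp", f"192.0.2.{i}", 123, "203.0.113.10", 53123, "", 440) for i in range(1, 6)],
    # an ordinary 48-byte NTP reply to the same host: not amplified, not counted
    ("udp", "192.0.2.50", 123, "203.0.113.10", 123, "", 48),
    # eight spoofed sources send SYN-only to port 80 and never complete
    *[("tcp", f"198.51.100.{i}", 40000 + i, "203.0.113.20", 80, "S", 60) for i in range(1, 9)],
    # one legitimate client does complete its handshake
    ("tcp", "198.51.100.99", 41000, "203.0.113.20", 80, "S", 60),
    ("tcp", "198.51.100.99", 41000, "203.0.113.20", 80, "A", 52),
]


def analyze(flows=SAMPLE_FLOWS):
    """Run both detectors and return their findings keyed by attack type."""
    return {
        "ntp_amplification": ntp_amplification_victims(flows),
        "syn_flood": syn_flood_victims(flows),
    }


if __name__ == "__main__":
    for kind, hits in analyze().items():
        print(kind, hits)
```

On real data the byte threshold should come from the site's own baseline of legitimate NTP reply sizes, and both detectors want a time window; here the whole list is one window.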
Philips Smart TVs riddled with security and privacy flaws, researcher reveals (Graham Cluley) A researcher has discovered that so-called Smart TVs from Philips suffer from a number of serious security flaws that could allow hackers to steal information from attached USB sticks, play pornographic movies as a prank, and gain access to viewers' online accounts
Lookout Warns of Litecoin-Mining Android Malware (eSecurity Planet) The malware leverages infected devices to mine for Litecoin, Dogecoin and Casinocoin
'Coinkrypt' malware mines cryptocurrencies on Android (CSO Salted Hash) But the simple malware is likely to run a battery down, or worse, cause a phone to overheat
Hackers Using Hijacked Phones to Mine Cryptocurrencies Are Wasting Their Time (Motherboard) Security firms have discovered Android apps that are laden with malware to turn your phone into a cryptocurrency mining machine, all for the benefit of someone else and to the detriment of your device. It's of course a ridiculously inefficient way to get your hands on some digital currency—there's a reason students have been hijacking university supercomputers to mine dogecoins—but that doesn't seem to have stopped someone trying it
An Important Flight MH370 Question: Was Computer Hacking Involved? (Forbes) (Note: This guest post was written by a China-based former military aviator who has held a commercial pilot's license for more than 30 years and asked to remain anonymous.) Malaysia announced this week that flight MH370 ended in the Indian Ocean. In the months to come, the "why" of this horrific tragedy doesn't matter to the rest of the flying public so much as "how" it happened
Here's How They'll Piece Together What Happened to Flight MH370 (Wired) The southern Indian Ocean is a vast, desolate and hostile place churned by relentless currents and vicious storms. It is rarely traversed by air or sea, and anything lost there may never be found. That includes Malaysia Airlines Flight 370
Attacks Rise On Network 'Blind' Spot (Dark Reading) Interop speaker says DDoS attacks are not the only forms of abuse on the Domain Name System (DNS)
Data Breach Exposes Firefighters' Personal Information (eSecurity Planet) Names and Social Security numbers were mistakenly exposed to all department personnel
Multiple Pinterest Accounts Hacked, Flooded With Butt Pics (TechCrunch) If you log onto Pinterest and see that one of your friends has suddenly developed a fixation with weight loss ads and butt pics like the ones below, don't click on the pins. Multiple accounts have been hacked over the last hour and flooded with spam. We've emailed Pinterest for comment
War of the Bots: When DVRs attack NASs (Internet Storm Center) While looking at the latest honeypot data for what is happening with Synology devices, I did notice one particular aggressive IP connecting to a number of our honeypot IPs. At first, I figured it may just be a new Shodan scan (got tons of them in the honeypot). But when I connected to port 443 using openssl, I saw a rather interesting SSL certificate being sent
Targeted malware replacing attacks of opportunity: Webroot (CSO Salted Hash) Webroot estimates 80 percent of malware on the Internet are attacks of opportunity
Infographic: A phishing email's route through the corporate network (Help Net Security) For years, even decades, computer security has been seen as a technical problem that requires a technical solution. In recent years, enterprises have plowed billions of dollars into technology solutions, only to find that the frequency and cost of breaches have hardly dropped at all
Are cybercriminals targeting your tax return? (Help Net Security) Iovation is advising businesses and consumers about how to protect data and personal information to avoid identity theft during tax season
Security Patches, Mitigations, and Software Updates
Cisco patches six security flaws that posed DoS cyber attack risk (V3) Cisco has plugged six flaws in its Internetwork Operating System (IOS) Software that could theoretically be exploited by hackers to launch cyber attacks on its customers
Cyber Trends
Strategic Cyber Intelligence Is Essential To Business Security, INSA Says (Homeland Security Today) A new white paper from the Intelligence and National Security Alliance (INSA) Cyber Council's Cyber Intelligence Task Force said while there's been much attention directed towards the tactical, on-the-network cyber domain, there's a "need for more resources to be focused on strategic information requirements and planning, and concentrates on organizations' accurate, strategic cyber intelligence assessment processes"
Strategic Cyber Intelligence (Intelligence and National Security Alliance) In a September 2013 white paper, "The Operational Levels of Cyber Intelligence," the Intelligence and National Security Alliance (INSA) proposed definitions for the strategic, operational, and tactical levels of cyber activity. While there has been much emphasis on tactical cyber intelligence to help understand the "on-the-network" cyber-attacks so frequently in the news, there has been little discussion about the strategic and operational levels in order to better understand the overall goals, objectives, and inter-relationships associated with these tactical attacks. As a result, key consumers such as C-suite executives, executive managers, and other senior leaders are not getting the right type of cyber intelligence to efficiently and effectively inform their organizations' risk management programs. This traditionally tactical focus also hampers the capability of the cyber intelligence function to communicate cyber risks in a way that leaders can fully interpret and understand
FireEye Releases Comprehensive Analysis of 2013 Zero-Day Attacks; Impact on Security Models (MarketWatch) FireEye, Inc., the leader in stopping today's advanced cyber attacks, today announced the release of "Less Than Zero: A Survey of Zero-day Attacks in 2013 and What They Say About the Traditional Security Model." Through an analysis of the eleven zero-day vulnerabilities discovered in 2013 by FireEye — by far the most discoveries of any security company that year — the paper provides context around the advanced threats these vulnerabilities enable as well as guidance to enterprises on mitigating these hidden problems
Will Target's Lawsuit Finally Expose the Failings of Security Audits? (Wired) On Monday, two banks suing Target for their losses also included Trustwave in their suit, the security firm that certified last September that Target's networks and data-handling tactics were in tip-top security shape — just two months before crooks made
Flying Naked: Why Most Web Apps Leave You Defenseless (Dark Reading) Even the best-funded and "mature" corporate AppSec programs aren't testing all their web applications and services. That leaves many applications with no real security in place
Analysis of three billion attacks reveals SQL injections cost $196,000 (Help Net Security) NTT Innovation Institute has announced the release of its Global Threat Intelligence Report (GTIR), which raises awareness with C-level executives and security professionals alike that when the basics of security are done right, it can be enough to mitigate and even avoid the high-profile security and data breaches
Marketplace
Advisors Beware: Single Data Breach 'Can Bring Down' a Practice (Financial Planning) In the face of a range of cyber threats that are increasing both in volume and sophistication, investment advisors need to shore up their digital defenses, taking steps to elevate security as a business priority and share more information about attacks with relevant authorities
Australian cyber security firm setting up shop at UMBC tech park (Baltimore Business Journal) Australia and Baltimore may have very little in common when it comes to geography. But that isn't stopping one cyber security executive from moving his family to Baltimore so he can expand his company
CyberSecurity Malaysia, BAE Systems Tie Up To Develop Capability, Capacity In Cyber Security (Bernama) CyberSecurity Malaysia and BAE Systems Applied Intelligence Limited (BAE Systems) have inked a memorandum of understanding (MoU) to establish a general framework for potential future collaboration in the field of cyber security
Products, Services, and Solutions
DataWalker for Oracle v1.0 in the wild (ToolsWatch) DataWalker for Oracle is a data unloader and block examiner tool. It can be used by DBAs to recover data or by forensic examiners to look for evidence after a breach
Two-factor authentication — a handy list of who offers it (and who doesn't) (Graham Cluley) A new website encourages more services to integrate two-factor authentication, and raises awareness of the additional security users can enable to better protect their accounts
Technologies, Techniques, and Standards
UK plans to professionalise infosec are too rigid, says (ISC)² (ComputerWeekly) Government plans to establish an "approved standard" and to potentially underwrite "chartered" status for UK cyber security professionals are "worrying", says John Colley, managing director for (ISC)² Europe
Addressing Cyberattacks via Positive Enforcement Model (SecurityWeek) As more and more details about the Target breach have emerged, security experts, bloggers and media have focused on why Target failed to react to alerts from zero day malware point products that allegedly provided indication there was malware in the network
Social Media Monitoring and Compliance: Five Best Ways to Navigate Complexity in the Workplace (Cyveillance Blog) Businesses have a lot to juggle these days. Detecting physical threats against facilities, employees, customers, executives, and suppliers is one obvious example. The list continues to grow with managing network security alerts and devices, preparing for sophisticated DDoS attacks, guarding sensitive IP and data against leaks and breaches, and protecting employees from social engineering attacks. Brand integrity, distribution control, phishing, and fraud detection add further to the complexity of managing online and offline environments
For ATMs, why not Windows 8? (ZDNet) Banks are only now getting around to replacing Windows XP on their ATMs with Windows 7, but why bother? Windows 8 should work at least as well and has a longer support life
3 Tools for Enforcing Password Policies (Dark Reading) User passwords are often a weak link in the corporate security chain. How can security pros make users adhere to strong password policies?
Diceware passwords now need six random words to thwart hackers (Ars Technica) Five isn't enough anymore because password cracking is frighteningly effective
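The arithmetic behind that recommendation, as an added example (this code is not from the Ars Technica article or from the Diceware project): a Diceware list has 6^5 = 7776 words, one for each roll of five dice, so each word adds log2(7776), about 12.9 bits. The attacker rate of 10^12 guesses per second is an assumed figure for a well-resourced offline cracker, and the word list in the code is a constructed placeholder standing in for a real list.

```python
"""Diceware strength: why six words now instead of five.

Added example, not from the article. Computes passphrase entropy and the
expected brute-force time at an assumed guess rate, and generates a
passphrase with real dice rolls drawn from the OS CSPRNG.
"""
import math
import secrets

LIST_SIZE = 6 ** 5                                  # 7776 words, one per 5-dice roll
SECONDS_PER_YEAR = 365.25 * 86400
ASSUMED_GUESSES_PER_SECOND = 1e12                   # assumption for the example
# Placeholder list, constructed for the example; a real list maps each roll to a word.
CONSTRUCTED_WORDLIST = [f"word{i:04d}" for i in range(LIST_SIZE)]


def entropy_bits(words, list_size=LIST_SIZE):
    """Entropy of a passphrase of `words` words chosen uniformly from the list."""
    return words * math.log2(list_size)


def expected_crack_years(words, rate=ASSUMED_GUESSES_PER_SECOND, list_size=LIST_SIZE):
    """Mean time to recover the passphrase by exhaustive search: the attacker
    tries half the keyspace on average before hitting the right one."""
    guesses = list_size ** words / 2
    return guesses / rate / SECONDS_PER_YEAR


def roll_word(wordlist=CONSTRUCTED_WORDLIST):
    """Pick one word the Diceware way: five fair dice read as a base-6 index.
    secrets (not random) is used because the result is a secret."""
    if len(wordlist) != LIST_SIZE:
        raise ValueError("a Diceware list must have exactly 7776 entries")
    index = 0
    for _ in range(5):
        index = index * 6 + secrets.randbelow(6)    # one die, value 0..5
    return wordlist[index]


def generate_passphrase(words=6, wordlist=CONSTRUCTED_WORDLIST):
    return " ".join(roll_word(wordlist) for _ in range(words))


def strength_report(rate=ASSUMED_GUESSES_PER_SECOND):
    """{word_count: (entropy_bits, expected_crack_years)} for 4 to 7 words."""
    return {n: (entropy_bits(n), expected_crack_years(n, rate)) for n in range(4, 8)}


if __name__ == "__main__":
    for n, (bits, years) in strength_report().items():
        print(f"{n} words: {bits:5.1f} bits, ~{years:,.1f} years at 1e12 guesses/s")
    print(generate_passphrase())
```

At that rate five words (about 64.6 bits) fall in roughly half a year on average, while six words (about 77.5 bits) take on the order of 3,500 years; every extra word multiplies the attacker's work by 7776.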
How to build stronger password hashes? Hold a contest (InfoWorld) A new contest proposes to spur innovation in hashing methods used to secure passwords and other sensitive data
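The property a password hash has to provide is shown below as an added example (not from the InfoWorld article or the Password Hashing Competition): a fast, unsalted digest beside a salted, iterated key derivation. It uses PBKDF2-HMAC-SHA256 from the Python standard library; the iteration count, salt length and storage format are assumptions chosen for illustration.

```python
"""Password storage: an unsalted fast hash beside a salted, iterated KDF.

Added example, not from the article. The weak function shows the pattern to
avoid; hash_password/verify_password show the minimum a practitioner should do
with only the standard library.
"""
import hashlib
import hmac
import os

ITERATIONS = 200_000   # assumed; tune so one verify costs tens of milliseconds
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def weak_hash(password: str) -> str:
    """Pattern to avoid: one unsalted SHA-256. Equal passwords give equal digests,
    rainbow tables apply, and a GPU tries billions of candidates per second."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Random per-user salt plus an iterated KDF; the record carries its own
    parameters so the cost can be raised later without breaking old entries."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record uses fewer iterations than current policy, so the
    application can re-hash on the user's next successful login."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != ALGO or int(parts[1]) < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("Tr0ub4dor&3", record))                    # False
```

The salt defeats precomputation and makes identical passwords hash differently, the iteration count makes each guess expensive for the attacker, and compare_digest avoids leaking how many bytes matched through timing.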
Fort Belvoir hosts new Cyber Defense Training Program (Belvoir Eagle) Fort Belvoir played host to the Cyber-Digital Master Gunner Solution Course from March 3-21. The course, a new three-week pilot program developed by U.S. Army Communications-Electronics Command's Field Support Branch, invited Soldiers and network professionals from U.S. Army Cyber Command and the 1st Information Operations Command (Land), to participate in hands-on training in the increasingly important fields of offensive and defensive network activity, such as hacking and scanning for enemy vulnerabilities
Design and Innovation
Ford's connected car revs up with APIs and external app developers (TechTarget) Ford Motor Co. has been getting the mobility trend for a while now. But in its endeavor to build the smartest connected car around, the automaker is taking mobile to another level. "How do we take the experiences customers have on mobile devices and bring them into the vehicle?" Jim Buczkowski, director of electrical and electronics systems for Ford Motor Co., said at Xconomy Forum's "Mobile Madness 2014: The Next Disruptors"
Facebook Joins Google In The Hunt For The Future (TechCrunch) We now live in an era when Mark Zuckerberg speed-dials Obama, controls fleets of drones, brokers $19 billion acquisitions in a week, and buys whole virtual worlds. Facebook's mission has changed. While once it was solely "to make the world more open and connected", it's expanded to also "give people the power to share." And nothing is too crazy if it brings Facebook one step closer to that goal
Is the Oculus Rift sexist? (Quartz) In the fall of 1997, my university built a CAVE (Cave Automatic Virtual Environment) to help scientists, artists, and archeologists embrace 3D immersion to advance the state of those fields. Ecstatic at seeing a real-life instantiation of the Metaverse, the virtual world imagined in Neal Stephenson's Snow Crash, I donned a set of goggles and jumped inside. And then I promptly vomited
Research and Development
Quantum Cryptography Protocol To Beef Up Cybersecurity (Asian Scientist) Quantum technology could make fundamental contributions in enhancing the security of web communications, researchers say
AlephCloud Receives Patent for Maintaining Security and Privacy of Content Placed in the Cloud (Fort Mill Times) AlephCloud today announced that it has received U.S. Patent #8681992 for an encryption breakthrough that allows content to be shared among multiple parties in the cloud while keeping it secure and private from even application and infrastructure providers
New Platform Protects Data from Arbitrary Server Compromises (Threatpost) Researchers are in the midst of rolling out a secure new platform for building web applications that can protect confidential data from being stolen in the event attackers gain full access to servers
Forecasting When Hashtags Will Go Viral (IEEE Spectrum) The structure of early sharing behavior is a good predictor of virality
Legislation, Policy, and Regulation
When Is a Tor Block Not a Tor Block? (EFF) As Turkey prepares for elections on Sunday, Turkish Prime Minister Recep Tayyip Erdoğan continues to double down on Internet censorship. A week after Turkish ISPs blocked Twitter, Turkey's telecommunications authority has blocked YouTube. The block began to be rolled out hours after a leaked recording published anonymously on YouTube purported to show a conversation in which Turkey's foreign minister, spy chief, and a top general appear to discuss scenarios that could lead to a Turkish attack against militants in Syria
Turkey now trying to block YouTube as social media crackdown continues (Ars Technica) Attempts to keep people from hearing embarrassing audio recording keep failing
China to Boost Cybersecurity (Wall Street Journal) China's defense ministry said it would take measures to boost cybersecurity after reports this week alleging the U.S. spied on Chinese technology company Huawei Technologies Co. and several Chinese leaders
UN raps US civil rights record on secret programs (AP via the Houston Chronicle) A U.N. panel has found serious shortcomings in the United States' civil rights record, with experts citing Thursday a lack of adequate oversight and transparency in national security programs dealing with everything from electronic surveillance to targeted drone killings and secret detentions
NSA director defends spying on other countries (Fox News) The outgoing director of the National Security Agency says other nations "fully comprehend" the agency's methods and mission in acquiring data
Obama Says Plan Will End NSA Bulk Data Sweep (AFP via SecurityWeek) President Barack Obama put forward a plan Thursday to end bulk collection of telephone records, aiming to defuse a controversy over the government's sweeping surveillance activities on millions of Americans
Background Conference Call by Senior Administration Official on the Bulk Telephone Metadata Program (IC on the Record) Thank you so much. Hi, everyone. Thanks for joining. We wanted to get you together for a quick call on statements — you either have these or about to receive — on the President's decision on the Section 215 Bulk Metadata Program. As you'll see, the President has decided that the best path forward is for the government not to collect or hold this data in bulk, but instead the data would remain at telephone companies
Statement from DNI Clapper on Ending the Section 215 Bulk Telephony Metadata Program (IC on the Record) Today, President Obama announced his proposal for ending the Section 215 Bulk Telephony Metadata Program. The President's proposal will, with the passage of legislation, ensure that we have the information we need to meet our intelligence requirements while protecting civil liberties and privacy and being as transparent as possible
Feinstein endorses end to NSA surveillance (Visalia Times-Delta) One of the strongest supporters of the Obama administration's domestic surveillance activities said Tuesday she supports President Barack Obama's new proposal to end the program in its current form
House NSA plan a better solution: Opposing view (USA Today) Back on Jan. 17, President Obama defended the National Security Agency (NSA) telephone metadata program as lawful and necessary to protect the USA
Experts say NSA rules leave privacy vulnerable (AP via Dawn) Cyber security experts are questioning whether President Barack Obama can make good on his assurance that US intelligence agencies aren't spying on "ordinary folks"
How the NSA would get phone data under Obama administration's new plan (Ars Technica) Just because phone companies keep the data doesn't mean NSA won't have broad access
Using Metadata to Catch a Whistleblower (Huffington Post) With Obama recently announcing his plans to amend the electronic surveillance program at the National Security Agency, it is a good time to look more closely at what the NSA has been doing with some of the data it has been collecting on Americans for the last decade or so. But first some background
Feds want an expanded ability to hack criminal suspects' computers (Ars Technica) Proposed rules to let one judge authorize "remote access" essentially anywhere
Feds unveil new road map for critical cybersecurity (Westchester County Business Journal) More information sharing and voluntary collaboration between government and the private sector without additional federal regulations is needed to reduce the risk of cyberattacks on the nation's critical infrastructure, cybersecurity experts said at a recent forum on the Fordham University Westchester campus
No dedicated state and local grants for NIST cybersecurity framework adoption (FierceGovIT) State and local operators of critical infrastructure won't get a dedicated grant program to foster adoption of a cybersecurity framework the government released earlier this year — not unless Congress approves legislation allowing it, said a Homeland Security Department official
Obama administration considers proposing limited liability protection for cyber threat sharing (FierceGovIT) Whether to propose extending limited liability protection to companies sharing cyber threat information is under consideration within the Obama administration, a top civilian cybersecurity official said Wednesday
Commerce Dept. critical of liability protection as cybersecurity framework incentive (FierceGovIT) Liability protection as an incentive for private sector adoption of the cybersecurity framework under development by the National Institute of Standards and Technology requires further study, says the Commerce Department in a discussion paper that takes a skeptical view of the need for protection against tort claims and other possible private sector incentives
Spotlight: Liability protection unresolved cyber threat sharing impediment, says Alexander (FierceGovIT) A significant unsolved challenge to cyber threat information sharing between the federal government and the private sector is how to address liability, said outgoing National Security Agency head Gen. Keith Alexander
DHS official touts machine-to-machine cyber threat data sharing (FierceGovIT) A Homeland Security official touted his department's use of a machine-to-machine format for sharing cyber threat information during a March 7 hearing
Armed Services panel clears NSA-Cyber chief, deputy Defense secretary (The Hill) The Senate Armed Services Committee approved a slew of nominees on Wednesday, including Vice Adm. Michael Rogers as the head of the National Security Agency and U.S. Cyber Command and Robert Work as deputy defense secretary
New cyber unit spans all SDF services (Yomiuri Shimbun) The Defense Ministry has set up a special unit to protect the information systems of the Self-Defense Forces against cyber-attacks
Surveillance technology companies are arms dealers, says researcher (FierceGovIT) Technology companies that market tools for the surveillance of citizens are hurting civil society in much the same way as weapons traffickers, says Rebecca MacKinnon, senior research fellow at the New America Foundation
Litigation, Investigation, and Law Enforcement
Europol Dismantles Online Fraud Gang (eSecurity Planet) Hundreds of victims in more than 15 countries were affected by the scam
Senator says Snapchat 'hiding something' by skipping data breach hearing (Naked Security) Snapchat has drawn fire from US Senator Jay Rockefeller, the powerful chairman of the Senate Committee on Commerce, Science, and Transportation, for refusing to testify in a hearing on data breaches
How do the FBI and Secret Service know your network has been breached before you do? (CSO) Knock, knock! Secret Service here. "Is this your customer payment card data?" By all accounts, many of the massive data breaches in the news these days are first revealed to the victims by law enforcement, the Secret Service and Federal Bureau of Investigation (FBI). But how do the agencies figure it out before the companies know they have been breached, especially given the millions companies spend on security and their intense focus on compliance? The agencies do the one thing companies don't do. They attack the problem from the other end by looking for evidence that a crime has been committed
Boston Bomber slipped past while spelling glitch tripped up the law (Naked Security) The old data-quality maxim "garbage in, garbage out" proves true yet again in the case of the Boston Marathon bomber, who, a Congressional report confirms, slipped through the border when a database failed to suggest an alternative name spelling
After seven years, exactly one person gets off the gov't no-fly list (Ars Technica) New report on terrorism "blacklists" suggests it won't be easier the next time
Cybercrime loses its right to silence (Financial News) In 2012, the director general of MI5 revealed that a London-listed company had lost £800 million as a result of a state-backed cyber attack. The company in question has not been publicly identified and no disclosures were made to the market. Why was the market not notified?
Government Requests for Google User Data Continue to Climb (Threatpost) While the number of requests for user information that Google receives from governments around the world continues to rise—climbing by 120 percent in the last four years—the company is turning over some data in fewer cases as time goes on. Google received more than 27,000 requests for user information from global law enforcement agencies in the last six months of 2013 and provided some user data in 64 percent of those cases
YouTube to be monitored by British security (Irish Times) Google has given officials special access to its video site
Google: We didn't access Arrington's Gmail account to identify leaker (Help Net Security) In the wake of the revelation that Microsoft has accessed a blogger's Hotmail account in order to discover the identity of an employee who leaked company trade secrets, TechCrunch founder Michael Arrington took to his blog and stated that he was "nearly certain" that, a few years ago, Google accessed his Gmail account for the same purpose
Richard Clarke: Snowden Should Be in Prison (Dark Reading) Former White House cybersecurity advisor Richard Clarke says that although the NSA's domestic intelligence data collection has been too broad, there is no evidence that NSA has yet used this data for ill and that Edward Snowden has jeopardized the United States' national security
Manning lawyer wants leak conviction reversed (AP via WAAY TV) Convicted leaker Chelsea Manning is asking an Army general to reverse her conviction and 35-year prison sentence for sending reams of classified information to WikiLeaks
Former Qwest CEO Joe Nacchio Tells Story of Fight Against NSA, SEC (Fox Business) In his first interview since being released from prison, former Qwest Communications CEO Joe Nacchio appeared on FBN's Opening Bell with Maria Bartiromo to tell his story of a fight against the National Security Agency and allegations of insider trading
Univ. Of Md. President Testifies To Senate About Security Data Breach (CBS Baltimore) The University of Maryland president testifies on Capitol Hill about the widespread data breach that exposed hundreds of thousands of people's personal information
Ex-Microsoft worker arrested after passing Windows 8 trade secrets to blogger (Graham Cluley) A former employee of Microsoft has been accused of stealing trade secrets related to Windows 8 from the company, and passing them to a technology blogger
BlackBerry Ltd (BBRY) CEO to Take Legal Action Against Product Leakers (OppTrends) John Chen, CEO of BlackBerry Ltd (NASDAQ:BBRY) (TSE:BB) said he is prepared to file charges against individuals who will leak information on the upcoming products of the company. He emphasized that he takes the privacy of the company seriously
Mt. Gox creditors want to force Karpeles to testify in the US (IT World) Creditors of failed Bitcoin exchange Mt. Gox are trying to force its CEO Mark Karpeles to go to the U.S. for questioning related to a fraud lawsuit
US school to fork over $70K for hassling sixth-grader about Facebook posting (Naked Security) Riley Stratton was forced to hand over her Facebook and email passwords and, with a police officer in the room, school officials searched her Facebook page for an alleged conversation she had with a boy about sex. Is this a grade-school version of prosecutorial overreach?
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
Security BSides Denver 2014 (Denver, Colorado, USA, May 16, 2014) Each BSides is a community-driven framework for building events for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening.
c0c0n: International Information Security and Hacking Conference (Aug 22 - 23, 2014) c0c0n, previously known as Cyber Safe, is an annual event conducted as part of the International Information Security Day. The Information Security Research Association along with Matriux Security Community is organizing a 2 day International Security and Hacking Conference titled c0c0n 2014, as part of Information Security Day 2014. c0c0n 2013 was supported by the Kerala Police and we expect the same this year too. Various technical, non-technical, legal and community events are organized as part of the program. c0c0n 2014 is scheduled on 22, 23 Aug 2014.
Veritas 2014 At Veritas 2014, hear directly from the big data experts in top tier retail finance who are now implementing strategy and starting to yield real commercial value. Experts dedicated to Big Data in the sector will show you how the right approaches can lead to far-reaching results in business model innovation, risk mitigation and identifying new revenue streams. See how Veritas 2014 will help you develop your big data implementation strategy.
Black Hat Asia Black Hat is returning to Asia for the first time since 2008, and we have quite an event in store. Here the brightest professionals and researchers in the industry will come together for a total of four days--two days of deeply technical hands-on Trainings, followed by two days of the latest research and vulnerability disclosures at our Briefings.
Cyber Security Management for Oil and Gas Attend to gain cutting-edge information from oil and gas cyber security experts on: Using the very latest in intelligence techniques to find and neutralize the newest threats in time. Preventing security breaches while ensuring your employees, social media and mobile devices operate effectively. Implementing best practices in order to achieve and maintain SCADA and other key systems security. How a "critical infrastructure" designation would impact different aspects of oil and gas cyber security management.
Financial Incentives for Cybersecurity Businesses (Elkridge, Maryland, USA, Mar 27, 2014) Learn the details and take the opportunity to ask questions of leading experts on how to apply for tax credits (Cyber Tax Credits, Research Tax Credits, Security Clearance Tax Credits, Secured Space Tax Credit) and the latest details on the Maryland Small Business Financing Authority's newest program for small businesses looking for investment dollars.
ISSA Colorado Springs — Cyber Focus Day (Colorado Springs, Colorado, USA, Mar 27, 2014) Join us for the Information Systems Security Association (ISSA) — Colorado Springs Chapter — Cyber Focus Day set to take place on Thursday, March 27, 2014 at Colorado Technical University (CTU).
Corporate Counter-Terrorism: the Role of Private Companies in National Security (Washington, DC, USA, Mar 28, 2014) The 2014 American University Business Law Review Symposium will address the growing role of corporate America in governmental counter-terrorism programs, including the bulk metadata and PRISM surveillance initiatives. John Carlin, Assistant Attorney General for National Security, will deliver the keynote. Other speakers will include current and senior officials from the Justice Department, National Security Agency, Office of the Director of National Intelligence, FBI, DHS, Google, and Microsoft.
CyberBiz Summit (Linthicum, Maryland, USA, Mar 28, 2014) Learn first-hand how to get your cyber business started, how to raise capital, and what to do to make it happen. Join us for four informative sessions, networking and breakfast at the BWI Westin on Friday, March 28th.
Cyber Saturdays (Laurel, Maryland, USA, Mar 29, 2014) Are you a community college student with an interest in network security or information assurance? Would you like to test your skills in a fast-paced game environment? If so, one of Capitol College's upcoming Cyber Saturdays could be a great way to spend part of your weekend.
Interop Conference Interop Conference sessions help you find actionable solutions to your current IT headaches and plan for future developments.
SyScan 2014 (Singapore, Mar 31 - Apr 4, 2014) SyScan is a deep knowledge technical security conference. It is the aspiration of SyScan to congregate in Asia the best security experts in their various fields, to share their research, discovery and experience with all security enthusiasts in Asia.
InfoSec World Conference & Expo 2014 With the primary objective of providing top-notch education to all levels of information security and IT auditing professionals, InfoSec World delivers practical sessions that give you the tools to strengthen your security without restricting your business.
NIST IT Security Day (Gaithersburg, Maryland, USA, Apr 8, 2014) The Office of the Chief Information Officer, OCIO, is hosting NIST IT Security Day as a means to heighten awareness for all NIST users on the many aspects of operational information technology security and networking at home and in the office. This event's objective is to educate users on IT security and related topics. The event will feature guest speakers on general and technical IT security topics and tutorials on internal services and products.
IT Security Entrepreneurs Forum (ITSEF) 2014 IT Security Entrepreneurs Forum (ITSEF) is SINET's flagship event, designed to bridge the gap between the Federal Government and private industry. ITSEF brings unique value to the Cybersecurity community by providing a venue where entrepreneurs can meet and interact directly with top government agency and industry officials in an open and collaborative environment. This SINET community of interest and trust facilitates broadened awareness of the government's challenges, needs, and its future direction regarding Cybersecurity, while shining a spotlight on the entrepreneurs and their innovative technologies that are helping to address and solve today and tomorrow's security challenges.
Defensive Cyberspace Operations & Intelligence Conference Two days of presentations, workshops, training, and networking on defensive operations and intelligence activities in cyberspace. Speakers from government, universities, and industry will share their insights with participants.
SOURCE The purpose of SOURCE Conference is to bridge the gap between technical excellence and business acumen within the security industry. SOURCE fosters a community of learning where business and security professionals come together to gain knowledge and skills, network with peers, and advance their careers and professional development. SOURCE enables individuals, teams, and organizations to leverage information to improve decision-making, optimize performance, and achieve business objectives.
2014 GovCon Cyber Summit (McLean, Virginia, USA, Apr 9, 2014) The U.S. Computer Emergency Readiness Team (US-CERT) noted that last year federal networks saw a substantial increase in hacking incidents, with 48,000 attacks reported by agencies. In recognition of this fact, and to help emphasize the importance of a secure framework, the Obama administration released the Cybersecurity Cross-Agency Priority (CAP) Goal to help agencies improve secure performance through network consolidation, strong identity management, and continuous monitoring. Agencies are implementing new procedures and technologies to shore up defenses before it's too late, and it's clear that the federal government is not going to stop its increased efforts to minimize and prevent cyber security attacks. Bottom line, the federal government will continue to place significant focus on securing the nation's cyber infrastructure, and it's having an impact on the entire GovCon community.
Women in Cybersecurity Conference (Nashville, Tennessee, USA, Apr 11 - 12, 2014) WiCyS is an effort to bring together women (students/faculty/researchers/professionals) in cybersecurity from academia, research and industry for sharing of knowledge/experience, networking and mentoring. Any individual or organization interested in recruitment/retention of women in this field and/or diversification of their cybersecurity workforce is especially encouraged to get involved.
NSA Procurement in today's business arena (Elkridge, Maryland, USA, Apr 16, 2014) An opportunity to gain inside perspective on market trends in NSA Procurement. The guest speaker will be William Reybold, National Security Agency's Deputy Senior Acquisition Executive (SAE), who manages all Agency procurements, from off-the-shelf supplies to developing and deploying large, highly technical, and complex new systems. He is directly accountable for delivery of all major systems acquisitions and includes as part of the organization the NSA Contracting Group.
Suits and Spooks San Francisco S3+: Surveillance, Security, Sovereignty and other Critical Issues. Not another hacker conference. Suits and Spooks is a unique gathering of experts, executives, operators, and policymakers who discuss hard challenges in a private setting over two days. CFP is now open. If you're interested in being a speaker at Suits and Spooks San Francisco, please send an email with your topic title, short abstract, and your bio by February 15th.
US News STEM Solutions: National Leadership Conference The STEM crisis in the United States demands solutions—and nowhere is the search more concentrated than at U.S. News STEM Solutions. Now in its third year, this premier national leadership conference is an outcome-focused forum for the entire network of experts, advocates and change-makers who are proactively working to fill jobs now and advance the future of the STEM workforce. More than a broad-based discussion of the issues, this year's conference will zero in on tangible results, real successes and collaborative strategies that are already moving the needle. If you have a vested interest in the development of the STEM pipeline, make your voice heard where it will have the most impact.
East Africa Banking and ICT Summit (Kampala, Uganda, Apr 25, 2014) The global event series for Banking and ICT Summit enters its third year. The summit will continue to provide delegates with technical & practical sessions, lectures and showcase for banking and ICT innovations, and unique networking opportunities.
National Collegiate Defense Cyber Competition Registration for the 2014 CCDC season is underway! Visit your region's website or contact your regional for registration and competition information.
InfoSecIndy (Indianapolis, Indiana, USA, Apr 26 - 27, 2014) Join us on April 26-27, 2014 in Indianapolis, Indiana for the premier Midwest Information Security and Digital Forensics Conference.
United States Cyber Crime Conference 2014 This is the only event of its kind that provides both hands-on digital forensics training and an interactive forum for cyber professionals to network. The conference covers the full spectrum of topics facing defenders as well as law enforcement responders. All aspects of computer crime will be covered, including intrusion investigations, cyber crime law, digital forensics, information assurance, along with research and development, and testing of digital forensic tools.
Infosecurity Europe 2014 Infosecurity Europe is Europe's number one Information Security event. Featuring over 350 exhibitors, the most diverse range of new products and services, an unrivalled education programme and over 12,000 visitors from every segment of the industry, it's the most important date in the calendar for Information Security professionals across Europe.