The CyberWire Daily Briefing for 4.9.2014
news from SINET ITSEF 2014
Yesterday's sessions encompassed several interesting topics.
During the "Guidance for Startups: Evaluating and Working with Enterprise Prospects" workshop, cyber entrepreneurs received the following advice: To sell into a large enterprise, start with a sponsor champion and have a simple value proposition that differentiates you from the field. Address a well-defined and readily understood pain-point, and don't try to do too much. Build relationships at various levels within the prospective customer's organization. Include the CFOs: they control the money. The real (as opposed to apparent) key decision-makers are usually not a company's CISO or CIO. The best strategy is to secure an early adopter willing to offer references, and then make sure you deliver what you promise.
The workshop on "Hyperconnectivity" featured a very informative panel discussion. Panelists unanimously agreed that current privacy regulations don't adequately address the growing connectivity arriving with today's Internet-of-things. Many privacy issues surround Internet appliances getting, holding, and exposing personal information (consider, for example, information derived from map and mobile device programs). People enter personal information into devices and applications without thinking that they're exposing that information to, effectively, the world. Users tend to be either naïve or uncaring until some incident causes them to suffer from that exposure. (Then they become aware and start to care.) Panelists suggested we need more innovation in awareness-based security as opposed to the current barrier-based approach. We should begin with the assumption that data will be shared, and then work to protect those data's contents and foster awareness of what's being shared. And, as elsewhere, automation would help: we need automated tools to handle data protection.
In the "CyberSecurity Automation" workshop, panelists Peter Fonash (Chief Technology Officer, Cybersecurity and Communications, US Department of Homeland Security) and Phillip Quade (Chief Operating Officer, Information Assurance Directorate, US National Security Agency) described toolsets for Active Cyber Defense and a plug-and-play tools framework for interoperability and automation. The Department of Homeland Security particularly emphasized the importance of automated information sharing. Cyber defense generally needs quick, rapid command and control once an intrusion is detected. The panel emphasized that the solution is not more trained cyber experts, but rather better use of automated techniques to keep pace with rapidly advancing cyber threats. The US Federal Government plans to solicit industry input to a new reference architecture for Active Cyber Defense.
SINET ITSEF 2014 continues today, and we'll publish a final wrap-up issue on the conference tomorrow.
#OpIsrael concludes with Israeli authorities dismissing the campaign as a nuisance, but warning that Israel and others cannot always assume such efforts will be so readily contained. Various Anonymous factions count coup against members of the Knesset and some ministerial offices.
Russian insiders, in what lawyers would hardly regard as an admission against interest, suggest to the Indian defense community that recent hacks of HAL and Sukhoi were mounted from (by?) the United States.
The Heartbleed vulnerability continues to roil enterprises worldwide. The Atlantic Wire and the Verge offer good rundowns of Heartbleed's significance. (Executive summary from the Wire: "You'll have to change all of your passwords, and temporarily avoid any site that is known to be vulnerable.") Many other experts offer detailed advice tailored to particular communities and their concerns.
FireEye draws attention to the ease with which state-of-the-art malware evades file-based sandboxing.
The New York Times describes the risks to which surprising and largely unexamined connections expose even well-defended enterprises.
Yesterday's obsequies for Windows XP include much rumination on why XP will continue to haunt us, and what can be done to lay its ghosts.
The energy sector continues to worry about its exposure to cyber attack: problems getting cyber insurance are particularly disturbing. So is closer regulatory scrutiny, and that's not confined to energy companies.
Financial markets scrutinize cyber companies: Symantec takes advice on fending off shareholder activism; investors try to decode FireEye's share price fluctuations.
Privacy advocates apparently gain ground in the US Congress and Administration.
Notes.
Today's issue includes events affecting Australia, Brazil, Colombia, India, Indonesia, Israel, New Zealand, Nigeria, Russia, the United Kingdom, the United States, and Yemen.
Mountain View: the latest from SINET ITSEF 2014
IT Security Entrepreneurs Forum (ITSEF) 2014 (SINET) SINET ITSEF continues today, April 9, with keynote addresses by Alejandro Mayorkas, Deputy Secretary, US Department of Homeland Security, who will give us a perspective from DHS, and Kjetil Nilsen, Director General, Nasjonal Sikkerhetsmyndighet (NSM, Norway's National Security Authority), who will speak on the "Nordic Cybersecurity Model of Trust." Much interesting talk yesterday touched on challenges and opportunities facing cyber start-ups, and conference participants will be able to continue the discussion during focused table sessions
Cyber Attacks, Threats, and Vulnerabilities
#OpIsrael: Israeli Ministry of Agriculture Domain Hacked, 100+ Others Crushed Down by Anonymous (HackRead) Year 2014 began with a warning from online hacktivists Anonymous, in which it warned Israel to get ready for a massive cyber attack on 7th April 2014 under the banner of #OpIsrael. The attack included distributed denial-of-service (DDoS) attacks on thousands of Israeli government and private domains, leaking personal details and defacing websites
'Cyber attack' hits Knesset — 18 MKs hacked (Jerusalem Post) Hacking perpetrated by 'Anonymous, not Silvanonymous,' presidential candidate's office says, ruling out political rivals as culprits
Did US Hackers Target and Leak Su-30 MKI Faulty Display Problems on Purpose? (INN via Indian Defense) Russian Cyber Command (RCC), which claimed to have hacked the Indian embassy in Moscow and leaked documents that HAL had faxed to a Russian company highlighting problems related to the faulty display of the Sukhoi 30 MKI, might actually have been the handiwork of US cyber warriors backed by the US government, Russian Defence officials hinted recently
What You Need to Know About Heartbleed, the New Security Bug Scaring the Internet (The Atlantic Wire) What should you know about Heartbleed, a recently uncovered security bug? The shortest version: You'll have to change all of your passwords, and temporarily avoid any site that is known to be vulnerable. That sounds a bit alarmist, we know, but now that internet and security experts know a little more about the security vulnerability, it's becoming more and more clear that Heartbleed is nothing to mess with
Why Heartbleed is the most dangerous security flaw on the web (The Verge) The 'catastrophically bad' bug has left Yahoo, Imgur, and countless other services vulnerable
Did the Heartbleed bug leak your Yahoo password? (Graham Cluley) The so-called Heartbleed security flaw found in the OpenSSL cryptographic software library, has created shockwaves for internet companies and users worldwide, and saw some firms scrabbling to fix and update their servers and software
Vendors and administrators scramble to patch OpenSSL vulnerability (CSO) Since news of the OpenSSL bug started to spread on Monday, administrators and vendors have made a mad scramble to patch the Heartbleed bug
Dear readers, please change your Ars account passwords ASAP (Ars Technica) Recovery from the critical Heartbleed crypto bug enters the password reset phase
What Bitcoin Users Need To Know About Heartbleed (TechCrunch) If you're using a bitcoin wallet or an online wallet or exchange, Heartbleed could be a very real problem for you and your BTC. Luckily, things have finally settled down after a few days of panic and there are a few very easy ways to ensure you're protected
Heartbleed vendor notifications (Internet Storm Center) As people are running around having an entertaining day we thought it might be a good idea to keep track of the various vendor notifications. I'd like to start a list here and either via comments or sending it let us know of vendor notifications relating to this issue. Please provide comments to the original article relating to the vulnerability itself, and use this post to only provide links to vendor notifications rather than articles etc about the issue
Indonesia's Largest Telecom Provider Leaks Large Portions of the Global Routing Table (CircleID) Earl Zmijewski from Renesys reports: Yesterday, Indosat, one of Indonesia's largest telecommunications providers, leaked large portions of the global routing table multiple times over a two-hour period
Cybercriminals use sophisticated PowerShell-based malware (CSO) Two separate threats that use malicious Windows PowerShell scripts were identified in the past few weeks by malware researchers
Hot Knives Through Butter: Evading File-based Sandboxes (FireEye) With organizations facing a deluge of cyber attacks, virtual-machine sandboxing has become a popular tool for quickly examining legions of files for suspicious activity. These sandboxes provide isolated, virtual environments that monitor the actual behavior of files as they execute. In theory, this setup enables security professionals to spot malicious code that evades traditional signature-based defenses. But sandboxes are only as good as the analysis that surrounds them. By themselves, sandboxes can only monitor and report file activity, not analyze it. And unfortunately for organizations that rely on them, the file-based sandboxes used by many vendors are proving oblivious to the latest malware. Attackers are using a variety of techniques to slip under the radar of these sandboxes, leaving systems just as vulnerable as they were before
Hackers Lurking in Vents and Soda Machines (New York Times) They came in through the Chinese takeout menu. Unable to breach the computer network at a big oil company, hackers infected with malware the online menu of a Chinese restaurant that was popular with employees. When the workers browsed the menu, they inadvertently downloaded code that gave the attackers a foothold in the business's vast computer network. Security experts summoned to fix the problem were not allowed to disclose the details of the breach, but the lesson from the incident was clear: Companies scrambling to seal up their systems from hackers and government snoops are having to look in the unlikeliest of places for vulnerabilities
DARPA-Funded Researchers Help You Learn To Hack A Car For A Tenth The Price (Forbes) When Chris Valasek and Charlie Miller began their car hacking research nearly two years ago, they had to spend more than $50,000 on a used Ford Explorer and Toyota Prius. They shelled out thousands more on repairs and insurance. Then Miller spent an extra $1,000 or so to replace his lawn mower and repair his house after he digitally disabled the SUV's brakes, sending it crashing through his garage
KnowBe4 Issues CryptoDefense Warning — Ransomware is Worse than CryptoLocker (Dark Reading) KnowBe4 alerts computer users of new ransomware, how to avoid infection and how to avoid being caught up in a cyber-gang war
Calling all hackers: the end of Windows XP support could herald new security risks (Deutsche Welle) After almost 13 years, Microsoft has ended support for its popular Windows XP operating system. It could be a curse for developing countries where XP is still common — and a blessing for hackers
Windows XP Diehards Face The Music (InformationWeek) Some Windows XP holdouts make late-breaking pushes to upgrade — to Windows 7, not Windows 8.1
Windows XP: Why It Won't Die (InformationWeek) Arbitrary OS upgrade mandates don't make sense in the real world, some Windows XP organizations say
Windows XP Plug Pulled: 5 Questions (InformationWeek) After 12 years, Windows XP officially becomes an unsupported OS. Here's what you need to know, from old PCs to dicey ATMs
Few European ATMs upgraded to Windows 7 (ZDNet) A research report indicates that Europe is far behind the US in moving ATMs from Windows XP. Less than 1 percent of ATMs in Europe are running Windows 7
Windows XP is Dead: Not Every Company Got the Memo (NBC News) The popular operating system Windows XP is about to become a lot less secure, yet a surprisingly high number of enterprises still expect to run parts of their business on the software, analysts say
New Details Released in Cyber Attack that Defrauded Adventist Church of Half a Million US Dollars (Adventist News Network) New details have been released in the ongoing investigation of a sophisticated cyber theft that defrauded the Seventh-day Adventist Church of approximately US$500,000 during the span of a four-week period late last year
Pro-Life Group Hit by Cyber Attack (New Zealand Catholic) Family Life International New Zealand's Facebook pages have been attacked, forcing the organisation to pull them down to get rid of the filth.
BigMoneyJobs[dot]com Hacked (eSecurity Planet) Hacker ProbablyOnion leaked 36,802 names, addresses, phone numbers, e-mail addresses and plain text passwords
Florida School District Publishes Employees' Social Security Numbers Online (eSecurity Planet) The data was included in a document that was inadvertently made available online for two years
Kaiser Permanente Acknowledges Three-Year Data Breach (eSecurity Planet) A company server was infected with malware in the fall of 2011, but the infection wasn't detected until two months ago
Security Patches, Mitigations, and Software Updates
Don't delay. Get your Microsoft and Adobe security patches while they're hot (Graham Cluley) Another Patch Tuesday, means another round of security updates from Microsoft and Adobe, designed to fix critical vulnerabilities in their software
Microsoft Security Bulletin MS14-017 — Critical (Microsoft Security TechCenter) Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution
Microsoft releases final security updates for Windows XP (Help Net Security) So this is it, the last hurrah for the once beloved XP, the last kick at the can for patching up the old boat. Sure, by today's standards it's a leaky, indefensible liability, but do you even remember Windows 98? Or (*gasp*) ME? At least we can all finally put IE 6 to rest, once and for all; the final excuse for corporate life-support has been pulled, except for legacy apps built so poorly that they depend on IE 6 and are "too costly" to replace
Why ending user support for Microsoft XP is the right thing to do (Help Net Security) Today is the day that Microsoft's well-documented plans to end support for Windows XP come to fruition, and with roughly 30 per cent of all desktop computers worldwide still running the operating system, that could mean a lot of people are left with little to no security on their PCs or laptops
If you love someone, upgrade them from XP (We Live Security) Sting famously sang "If you love someone, set them free." Here's my suggested improvement: "If you love someone, upgrade them from XP." It's not actually such an odd connection to make. Way back in October 2001, Sting gave a free concert in New York's Bryant Park to "celebrate the launch of Microsoft Windows XP"
Security updates available for Adobe Flash Player (Adobe Security Bulletin) Adobe has released security updates for Adobe Flash Player 12.0.0.77 and earlier versions for Windows and Macintosh and Adobe Flash Player 11.2.202.346 and earlier versions for Linux. These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe recommends users update their product installations to the latest versions
Siemens Ruggedcom Addresses BEAST Flaw in WiMax Products (Threatpost) The BEAST attack on some TLS implementations made major news when it was disclosed, showing that attackers could intercept and decrypt SSL-protected sessions in real time, breaking a significant portion of the confidentiality model of the protocol. Vendors rushed to patch and implement mitigations. That was in 2011. Nearly three years later, Siemens is pushing
Cyber Trends
IDF 'cyber-chief' Moscovitch: Today's online attackers are gaining on the defenders (Jerusalem Post) At National Security Studies annual cyber confab, Maj.Gen. says trying to predict the expansion of cyber warfare is problematic
The Danger Signs Are Adding Up (Huffington Post) No one should be surprised that the world of cybersecurity and its associated blame game is continuing unabated. Several interesting incidents have happened in the past two weeks that bear highlighting
Energy companies need insurance cover for cyber attack 'time bomb' (Reuters) Energy companies have no insurance against major cyber attacks, reinsurance broker Willis said on Tuesday, likening the threat to a "time bomb" that could cost the industry billions of dollars
Why some insurers are dumping utilities. And how "the convergence of all things security" can help (Smart Grid News) Why the smart grid needs "security intelligence." BBC News recently posted a thought-provoking piece explaining why many energy companies (including power and utilities) are being turned down for insurance policies to cover cyber-attacks. The net: audits of existing defense and protection strategies "concluded that protections were inadequate"
Critical Infrastructure Cyber Security: An Interview with Mr. Vincent Beck (Journal of Energy Security) Question: The National Institute of Standards and Technology (NIST) recently released its 'Framework for Improving Critical Infrastructure Cyber Security'. For those who are not involved in cyber-security or cyber-defense on an active basis, could you elaborate on what this document aims to achieve and improve upon? Further are there gaps in protecting critical energy infrastructure that are not addressed in this document? If so, how would you propose that these gaps be bridged?
'Ransomware' cases to spike (The Australian) Consumers and businesses have been warned to brace themselves for a deluge of "ransomware" attacks, malicious software that encrypts files and demands payment of hundreds or thousands of dollars to decrypt them
Internet security: Cyber-criminals more cunning in attacks (New Zealand Herald) Cyber-criminals are planning their "hits" more carefully and the attacks are lasting longer than ever — and many New Zealanders are leaving themselves exposed to cyber threats on their computers, mobiles and social networks
Dark Market Zero-Days 'Selling Regularly For $50k-$100k' (TechWeek Europe) Symantec researchers tell TechWeek that dark market crooks are getting big bucks from selling zero-days, despite the rise of legitimate bug bounties
Businesses create IT security blind spots (Help Net Security) New research shows that 54 percent of companies in the UK are using incorrect metrics when trying to determine their IT security status, providing a false picture of the organization's vulnerabilities and risk, driving the wrong behavior
One third of phishing attacks aimed at stealing money (Help Net Security) According to data collected as part of Kaspersky Lab's 'Financial cyber threats in 2013' study, cybercriminals are trying harder than ever to acquire confidential user information and steal money from bank accounts by creating fake sites mimicking financial organizations
A security advisor's perspective on the threat landscape (Help Net Security) In this interview, Sean Sullivan, the Security Advisor at F-Secure Labs, talks about threats he's seen during his career, iOS vs. Android security, security awareness and threat evolution
What's Worse: Credit Card Or Identity Theft? (Dark Reading) When it comes to data loss, it's time for the conversation to shift from credit cards to personal information like Social Security numbers, home addresses, and your favorite flavor of ice cream
One Year Later: The APT1 Report (Dark Reading) One of the most positive impacts of APT1 is the undeniable rise in the stature of the threat intelligence industry. "Threat Intelligence" is the SIEM, the NAC of 2014
Marketplace
Exclusive: Symantec to hire banks for advice, activism defense — sources (Reuters) Anti-virus and security software maker Symantec Corp, which recently fired its chief executive amid declining sales and fierce competition, is in the process of hiring banks to help advise on strategy and defend against possible activist investors, according to several people familiar with the matter
FireEye Inc (FEYE) Bounces On Analyst Upgrade (ValueWalk) FireEye Inc (NASDAQ:FEYE), a cyber-threat management company, has received a key upgrade from analysts at Wedbush. In a report dated April 8, 2014, analyst Sanjit Singh has upgraded the stock from Neutral to Outperform but cut his price target from $72 to $62 a share
FireEye Shares Have Been Clobbered — Is It a Buy Yet? (Motley Fool) Shares of FireEye (NASDAQ: FEYE) have dropped as much as 49% since reaching a peak of $97.35 on March 5. Despite the sell-off, industry fundamentals remain very good, and the integration with Mandiant appears to be progressing well as the company separates itself from competitors like Symantec (NASDAQ: SYMC) and Intel (NASDAQ: INTC). Is this a buying opportunity?
Richard Clarke: SRA to Help GSA Run Data Encryption, Sharing Setup (GovConWire) SRA International has won a potential five-year, $22 million contract to help the General Services Administration manage a web portal that government agencies use to secure online information
Twitter buys Android lock-screen app startup (FierceMobileIT) Twitter has acquired Cover, an Android lockscreen app startup, for an undisclosed consideration, the Wall Street Journal reports
Microsoft creates Brazil business unit to focus on cyber defense (BNAmericas) Microsoft has created a business unit in Brazil to serve the justice and public security segments which will target, among other subjects, cybersecurity and cyberdefense
DDoS Security Providers Countering Cyber Attacks on Internet Startups (The VAR Guy) Security providers including Cloudflare, Akamai and Arbor Networks, specializing in blunting denial-of-service attacks, are helping new Internet-based businesses survive ransom threats by cybercriminals to crash their businesses
Why Network Security Vendors Should Stay Away From End Point Security, and Vice-Versa (Forbes) There would be many more successful security companies if their founders and leaders had a better understanding of the IT security space
Nigeria: CWG, Mag Tech Move to Curb Cyber Attacks in Financial Sector (All Africa) In an attempt to reduce the level of threat and cyber-attack in the financial sector, Computer Warehouse Group (CWG PLC) and MAG Tech, a specialized information security and intelligence company, recently organized an information security session in Lagos
Products, Services, and Solutions
Software helps police manage lawful access to forensics info (GCN) Forensic lab managers can now enforce policies for extracting data based on user profiles or department policies. Mobile forensic tech developer Cellebrite Inc. updated its Universal Forensic Extraction Device (UFED) Permission Management software to offer administrative support at logical, file system or physical levels of extraction
Cryptography Research and Fairchild Semiconductor Sign Patent License Agreement for DPA Countermeasures (Wall Street Journal) Cryptography Research, Inc. (CRI), a division of Rambus Inc. (NASDAQ:RMBS), and Fairchild Semiconductor Corporation (NASDAQ: FCS) today announced they have signed a patent license agreement allowing for the use of CRI's patented inventions in Fairchild's integrated circuits. With CRI's patented technology, Fairchild's tamper-resistant integrated circuits are more securely protected against differential power analysis (DPA) and related attacks. This license also covers software developed by Fairchild's customers when utilized on Fairchild's licensed integrated circuits
Yahoo email anti-spoofing policy breaks mailing lists (CSO) In an attempt to block email spoofing attacks on yahoo.com addresses, Yahoo began imposing a stricter email validation policy that unfortunately breaks the usual workflow on legitimate mailing lists. The problem is a new DMARC (Domain-based Message Authentication, Reporting and Conformance) "reject" policy advertised by Yahoo to third-party email servers
Technologies, Techniques, and Standards
Applying the scientific method to software testing (TechTarget) How does the scientific method apply to software testing? Christin Wiedemann: Software testing can always benefit from a more structured approach. The scientific method isn't really one set of methods, but a larger set of guiding principles
When does more data trump clean data? (TechTarget) The days of scrubbing data until it's squeaky clean are quickly becoming a luxury, especially as IT departments answer the business' call to arms for more speed and more agility. But providing real-time data use raises a fundamental question for CIOs: Just how clean is clean enough? Experts like Farzad Mostashari, former national coordinator of health information technology for the U.S. Department of Health and Human Services, have persuasively argued that the solution to dirty data is more dirty data. Adding data "provides you with context," he said at an information quality conference last summer. Others, like Michael Berry, analytics director for TripAdvisor's business operations, think otherwise. Those who believe they don't need to worry about clean data because they have so much data "are just wrong," he said at a predictive analytics event last fall
Incident response lessons from Facebook's red team exercises (TechTarget) I read about how Facebook's security staff was recently involved in "red team exercises," which seemed to be an in-depth attack simulation to test its incident response protocol. Could you give some advice on how other organizations could go about enacting similar tests? How far would you say is too far in such a simulation?
Does Your Organization Need a Chief Trust Officer? (eSecurity Planet) Many organizations today have a chief information security officer (CISO), and a growing number also have chief privacy officers. A few organizations are adding another C-level executive, one who is responsible
Ways to prevent or keep your child safe from cyber-bullying (CBS42) It's a problem that's harming more and more children every day. With the majority of kids online these days, cyberbullying is becoming a topic no parent should ignore. From receiving threatening texts and emails, harmful comments on social media, or even someone posing as your child to portray them in a bad light, cyber-bullying is destroying kids' lives, and even pushing some to take their own lives
How to raise children on the internet (Quartz) My wife and I have developed an open approach to raising children. As a result, the rise of the internet, Facebook, Twitter, etc. has been especially interesting. It has worked well for us. We have no restrictions on content built into any of the devices or websites. Instead, here are the rules that we have imposed
Research and Development
Cryptography Could Add Privacy Protections to NSA Phone Surveillance (MIT Technology Review) Cryptography could enforce limits on data collected for surveillance data while still permitting agencies to do their jobs, argues a Microsoft researcher
Kaspersky Lab Patents Method for Detecting Malware That Conceals its Presence in the System (Kaspersky Lab) Kaspersky Lab has obtained a patent for a method of detecting malware that has been masked by rootkits — special programs capable of altering the outcomes of system functions. Patent no. 8677492, issued by the US Patent and Trademark Office, describes the operation of a security solution with a special module that duplicates some functions of the operating system's (OS) kernel. This ensures that the security solution has reliable information even if the OS is infected with a rootkit
Academia
Online cryptography competition starts Thursday (Daily Record) The Kryptos Codebreaking Challenge, developed by Central Washington University mathematics professor Stuart Boersma and Western Oregon University mathematics professor Cheryl Beaver, is centered on the cryptanalysis, or breaking, of ciphers, or secret writing
Legislation, Policy, and Regulation
Colombia Prepares New Cyber Security Strategy (Nearshore Americas) The Colombian government is drawing up a new cyber defense strategy to deal with the growing rate of cyber attacks, as the Andean country continues to use information technology to overhaul its education and healthcare sectors
UK says investigating spy and police agencies' use of private data (Reuters via the Chicago Tribune) Britain's law enforcement and intelligence agencies may be overusing authorisations to access private communications data, the official who regulates the activity said on Tuesday, declaring he had begun an investigation into the matter
Lawmakers push US attorney general for NSA surveillance changes (PCWorld) Several U.S. lawmakers on Tuesday urged the nation's attorney general to curtail the National Security Agency's collection of overseas electronic communications, saying President Barack Obama's promise to revamp a surveillance program focused on U.S. telephone records didn't go far enough
Obama privacy chief wants NSA phone-snooping program to end now (Ars Technica) Watchdog expects "short transition" period from constitutionally suspect surveillance
At Naval Academy, Clinton calls on leaders to balance technology, privacy (Baltimore Sun) In Annapolis talk, former president says surveillance shouldn't trump liberty
Director of National Intelligence hopeful increased security, audits can stop leaks (WTOP) "Tag the data, tag the people." Director of National Intelligence James Clapper says that's the "bumper-sticker mantra" of a key part of the intelligence community's plan to prevent another catastrophic release of information like the one former NSA contractor Edward Snowden pulled off last year. The extent of the damage revealed in the numerous programs, sources and methods Snowden farmed out to journalists and activists may not be fully known for years, according to experts
FTC Privacy Enforcement Power Wins Court Blessing (InformationWeek) The agency's claim against Wyndham Hotels for poor data security practices has been allowed to proceed
Consumers fed up with data breaches, and the government is listening (FierceITSecurity) High-profile data breaches at Target, Neiman Marcus, and most recently Experian, have received the attention of federal agencies, Congress and state legislatures and state attorneys general. Consumers are fed up with the lax information security approaches of major companies and that unhappiness is being felt in government at all levels
Making Retailers Liable for Damages from Hacking (Top Tech News) More fallout from the Target data breach: Now California lawmakers say retailers should be held liable for such hacks. One bill would shift the responsibility for any data breach from the banks and credit card issuers to the retail businesses where the breach occurred. The measure may create the year's biggest business dispute
Utah law shields electronic device locations and communication content (SC Magazine) Utah enacted the first-ever legislation to regulate both government access to electronic devices' location information and electronic communications content last week
Litigation, Investigation, and Law Enforcement
Snowden's Lawyer, Whistleblowers Converge At USC (Neon Tommy) Three prominent whistleblowers spoke at noon Tuesday at the University of Southern California's Annenberg School of Communication and journalism, kicking off a two-day American Whistleblower Tour Event
Fort Hood opens debate about secrecy of medical records (The Hill) Army officials say one thing that could have helped prevent last week's shooting at Fort Hood is better information sharing with commanders about the mental and behavioral health histories of incoming soldiers
Facebook data scraped, people profiled as "jerks" and scammed by Jerk.com, FTC says (Naked Security) Aww, a sweet photo, depicting the intimate family moment of a mother nursing her child, put up by a new website
Upcoming Events
InfoSec World Conference & Expo 2014 (date and location not listed) With the primary objective of providing top-notch education to all levels of information security and IT auditing professionals, InfoSec World delivers practical sessions that give you the tools to strengthen your security without restricting your business.
IT Security Entrepreneurs Forum (ITSEF) 2014 (date and location not listed) IT Security Entrepreneurs Forum (ITSEF) is SINET's flagship event, designed to bridge the gap between the Federal Government and private industry. ITSEF brings unique value to the Cybersecurity community by providing a venue where entrepreneurs can meet and interact directly with top government agency and industry officials in an open and collaborative environment. This SINET community of interest and trust facilitates broadened awareness of the government's challenges, needs, and its future direction regarding Cybersecurity, while shining a spotlight on the entrepreneurs and their innovative technologies that are helping to address and solve today's and tomorrow's security challenges.
Defensive Cyberspace Operations & Intelligence Conference (date and location not listed) Two days of presentations, workshops, training, and networking on defensive operations and intelligence activities in cyberspace. Speakers from government, universities, and industry will share their insights with participants.
SOURCE (date and location not listed) The purpose of SOURCE Conference is to bridge the gap between technical excellence and business acumen within the security industry. SOURCE fosters a community of learning where business and security professionals come together to gain knowledge and skills, network with peers, and advance their careers and professional development. SOURCE enables individuals, teams, and organizations to leverage information to improve decision-making, optimize performance, and achieve business objectives.
2014 GovCon Cyber Summit (McLean, Virginia, USA, Apr 9, 2014) The U.S. Computer Emergency Readiness Team (US-CERT) noted that last year federal networks saw a substantial increase in hacking incidents, with 48,000 attacks reported by agencies. In recognition of this fact, and to help emphasize the importance of a secure framework, the Obama administration released the Cybersecurity Cross-Agency Priority (CAP) Goal to help agencies improve secure performance through network consolidation, strong identity management, and continuous monitoring. Agencies are implementing new procedures and technologies to shore up defenses before it's too late, and it's clear that the federal government is not going to let up in its increased efforts to minimize and prevent cyber security attacks. Bottom line, the federal government will continue to place significant focus on securing the nation's cyber infrastructure, and that is having an impact on the entire GovCon community.
2014 Computer Security Day (Eugene, Oregon, USA, Apr 11, 2014) The Fourth Computer Security Day at the University of Oregon will feature a slate of distinguished speakers from academia, industry, and government, discussing current challenges and future opportunities in cybersecurity. The range of topics will be broad and diverse, ranging from examining future trends in computer security, to understanding cybersecurity within the federal government, to exciting new research in authentication mechanisms and securing systems and data. There will be plenty of opportunities to engage with the speakers and other attendees.
Women in Cybersecurity Conference (date and location not listed) WiCyS is an effort to bring together women (students/faculty/researchers/professionals) in cybersecurity from academia, research and industry for sharing of knowledge/experience, networking and mentoring. Any individual or organization interested in recruitment/retention of women in this field and/or diversification of their cybersecurity workforce is especially encouraged to get involved.
NSA Procurement in today's business arena (Elkridge, Maryland, USA, Apr 16, 2014) An opportunity to gain inside perspective on market trends in NSA Procurement. The guest speaker will be William Reybold, National Security Agency's Deputy Senior Acquisition Executive (SAE), who manages all Agency procurements, from off-the-shelf supplies to developing and deploying large, highly technical, and complex new systems. He is directly accountable for delivery of all major systems acquisitions, and his organization includes the NSA Contracting Group.
Suits and Spooks San Francisco (date and location not listed) S3+: Surveillance, Security, Sovereignty and other Critical Issues. Not another hacker conference. Suits and Spooks is a unique gathering of experts, executives, operators, and policymakers who discuss hard challenges in a private setting over two days. CFP is now open. If you're interested in being a speaker at Suits and Spooks San Francisco, please send an email with your topic title, short abstract, and your bio by February 15th.
US News STEM Solutions: National Leadership Conference (date and location not listed) The STEM crisis in the United States demands solutions, and nowhere is the search more concentrated than at U.S. News STEM Solutions. Now in its third year, this premier national leadership conference is an outcome-focused forum for the entire network of experts, advocates and change-makers who are proactively working to fill jobs now and advance the future of the STEM workforce. More than a broad-based discussion of the issues, this year's conference will zero in on tangible results, real successes and collaborative strategies that are already moving the needle. If you have a vested interest in the development of the STEM pipeline, make your voice heard where it will have the most impact.
East Africa Banking and ICT Summit (Kampala, Uganda, Apr 25, 2014) The global event series for Banking and ICT Summit enters its third year. The summit will continue to provide delegates with technical & practical sessions, lectures and showcase for banking and ICT innovations, and unique networking opportunities.
National Collegiate Defense Cyber Competition (date and location not listed) Registration for the 2014 CCDC season is underway! Visit your region's website or contact your regional for registration and competition information.
InfoSecIndy (Indianapolis, Indiana, USA, Apr 26 - 27, 2014) Join us on April 26-27, 2014 in Indianapolis, Indiana for the premier Midwest Information Security and Digital Forensics Conference.
United States Cyber Crime Conference 2014 (date and location not listed) This is the only event of its kind that provides both hands-on digital forensics training and an interactive forum for cyber professionals to network. The conference covers the full spectrum of topics facing defenders as well as law enforcement responders. All aspects of computer crime will be covered, including intrusion investigations, cyber crime law, digital forensics, information assurance, along with research and development, and testing of digital forensic tools.
Infosecurity Europe 2014 (date and location not listed) Infosecurity Europe is Europe's number one Information Security event. Featuring over 350 exhibitors, the most diverse range of new products and services, an unrivalled education programme and over 12,000 visitors from every segment of the industry, it's the most important date in the calendar for Information Security professionals across Europe.