Cyber Attacks, Threats, and Vulnerabilities
The Heartbleed Bug (Heartbleed Bug (h/t Bruce Schneier)) The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs)
Heartbleed disclosure timeline: who knew what and when (Sydney Morning Herald) Who knew about Heartbleed first? We detail the timeline. Ever since the "Heartbleed" flaw in encryption protocol OpenSSL was made public on April 7 in the US there have been various questions about who knew what and when
How Heartbleed Happened, The NSA And Proof Heartbleed Can Do Real Damage (Forbes) Last week during the Heartbleed chaos I wrote two articles, one outlining how to stay safe and the other explaining what Heartbleed actually is. As we enter this week it is clear that we are far from out of the woods, indeed I will shortly explain why Heartbleed is going to be around for some time to come, but now that a great deal of patching and password re-setting has occurred it seems like a good time to reflect on a few of the recent revelations
Canadians' Tax Data Stolen in Heartbleed Breach (AFP via SecurityWeek) Personal data for as many as 900 Canadian taxpayers was stolen after being made vulnerable by the "Heartbleed" bug, officials in Ottawa said on Monday
Mumsnet becomes first known UK victim of Heartbleed bug (ComputerWeekly) Parenting website Mumsnet is the first known UK victim of hackers exploiting the recently discovered Heartbleed bug
US government warns over Heartbleed hacker attempts (ITPro) The US government has warned businesses to be on alert for hackers seeking to steal data exposed by the "Heartbleed" bug, as a German programmer took responsibility for the widespread security crisis
Computer hacking expert says more bad news to come from Heartbleed (The Canadian Press via City News Toronto) The fallout from the Heartbleed bug could go far beyond just 900 social insurance numbers compromised at the Canada Revenue Agency
BlackBerry Messenger and Secure Work Space affected by Heartbleed security flaw in OpenSSL (Computing) BlackBerry, the maker of security-hardened smartphones, is the latest vendor to be affected by the Heartbleed bug in the OpenSSL stack
Vicious Heartbleed bug bites millions of Android phones, other devices (Ars Technica) Not the exclusive province of servers, Heartbleed can hack end users too
Android devices await Heartbleed fix (BBC) Millions of Android devices remain vulnerable to the Heartbleed bug a week after the flaw was made public
Heartboned: Why Google needs to reclaim Android updates (ZDNet) Despite the best efforts of Google, last week's Heartbleed events show that much work remains before Android is up to par on its updating process
Heartbleed's Intranet & VPN Connection (Dark Reading) How the game-changing crypto bug affects internal servers, clients, and VPN networks — and what to do about it
Heartbleed flaw still exists at Disqus, ShareThis, and 46 other cloud apps (CSO) The Heartbleed storm is still in full force. A week after the initial disclosure of the critical flaw in OpenSSL, a new threat dubbed Reverse Heartbleed has also been identified, and many vulnerable sites and applications are still scrambling to patch and update
Heartbleed Impacting the Deep Web? (Trend Micro Simply Security) News of this week's massive and far reaching OpenSSL vulnerability "Heartbleed" has put all of us on our heels. In what I would call the equivalent of an Internet oil spill, individuals and organizations are scrambling to discover how to clean up this mess and get on with business as usual. This will not be trivial or a quick fix. I say this with conviction as I personally know the challenges of keeping large amounts of highly complex infrastructure patched and secure to support both revenue and critical business operations
Heartbleed Poses Risk to Clients and the Internet of Things (Symantec Connect) While most of the focus on Heartbleed has been on vulnerable public websites, the bug affects much more than this. While most popular sites are no longer vulnerable, this does not mean that end-users can drop their guard
Heartbleed Especially Risky for SMBs (eSecurity Planet) Enterprises with IT security staffs should find it easy to implement the patch for the Heartbleed vulnerability. But small companies may struggle to protect their websites and customers, experts say
With Heartbleed, IT Leaders Are Missing the Point (CIO) If our checks and balances are so fragile that a typo can obliterate all meaningful security, we have some fundamental things to fix
9 expert opinions on the 'Heartbleed Bug' (SC Magazine) Considered one of the most significant internet security vulnerabilities to date — affecting websites, emails, direct messages and other communications utilizing SSL/TLS encryption — the 'Heartbleed Bug' quickly made headlines around the world. Security experts have plenty to say about the vulnerability, and we've compiled the opinions of some of them in this slideshow
Crimeware Helps File Fraudulent Tax Returns (Krebs on Security) Many companies believe that if they protect their intellectual property and customers' information, they've done a decent job of safeguarding their crown jewels from attackers. But in an increasingly common scheme, cybercriminals are targeting the Human Resources departments at compromised organizations and rapidly filing fraudulent federal tax returns on all employees
Flash SMS Flaw in iOS Can Be Exploited to Make the Lock Screen Unresponsive (Softpedia) Romanian security researcher Bogdan Alecu has identified a Flash SMS (Class 0) flaw in iOS that can be exploited to make the SpringBoard lock screen unresponsive. The expert has described an attack scenario in which the bug can be leveraged by cybercriminals
Arbitrary Code Execution Bug in Android Reader (Threatpost) The Android variety of Adobe Reader reportedly contains a vulnerability that could give an attacker the ability to execute arbitrary code on devices running Google's mobile operating system
Threats in the Cloud — Part 2: Distributed Denial of Service Attacks (Microsoft Security Blog) Organizations that operate or use Internet connected services such as websites, portals and Cloud services need to be aware of threats that can disrupt service. In the first part of this series I discussed Domain Name System (DNS) attacks and their potential to disrupt services and infect large volumes of users with malware. This article discusses Distributed Denial of Service (DDoS) attacks using insights from the latest volume of the Microsoft Security Intelligence Report
Hackers may have accessed details of 500,000 considering cosmetic surgery (The Guardian) Initial inquiry forms submitted online to Harley Medical Group may have been accessed in cyber-attack, firm says
Remember Ellie Mae's cyber attack? It didn't happen (Housingwire) Company says no evidence of malicious attack found after investigation
LaCie Acknowledges Year-Long Data Breach (eSecurity Planet) Customers who made online purchases between March 2013 and March 2014 are affected
VFW Hacked (eSecurity Planet) A hacker believed to be from China accessed 55,000 VFW members' names, addresses and Social Security numbers
Security Patches, Mitigations, and Software Updates
INFOCon Green: Heartbleed — on the mend (Internet Storm Center) We are going back to INFOCon Green today. Things have stabilized and the INFOCon is used to indicate change. Awareness of Heartbleed is well saturated and Internet teams everywhere appear to be responding appropriately
Akamai admits its OpenSSL patch was faulty, reissues keys (IT World) Researcher Willem Pinckaers found a hole in Akamai's OpenSSL code tweak, used for a decade, in 15 minutes
VMware reveals 27-patch Heartbleed fix plan (The Register) Go buy your vSysadmins a big choccy egg: their Easter is in peril
Heartbleed Defense-in-Depth Part #1: Preventing Admin Session Hijacking (Duo) This post is the first of a blog mini-series (is that even a term?) around the Heartbleed vulnerability and some of the defense-in-depth techniques we've had in place for years that helped mitigate its impact
Google issues patch for Android icon permissions attack (ComputerWorld) FireEye found malware that could change other icons, sending victims to phishing sites
Jetpack pushes update to close critical security hole (Help Net Security) The developers of Jetpack, one of the most widely used WordPress plugins, are urging users to download and implement the latest versions that fix a critical security bug
Cyber Trends
Farm machines harvest Big Data, reap privacy worries (Ag Professional) Steps away from a replica of the revolutionary 1837 steel plow at tractor company John Deere's headquarters sits a combine as big as a tank and packed with computer wizardry that harvests huge volumes of valuable data as it gathers crops
U.S. retailers to share cyber threat data after Target attack (Reuters via the Chicago Tribune) U.S. retailers are planning to form an industry group for collecting and sharing intelligence about cyber security threats in a bid to prevent future attacks in the wake of last year's big attack on Target Corp
Electric Grid Safety Hinges on Partnership and Information Sharing (infosec island) Electric utilities have been focused on improving the safety and reliability of the complex and dynamic electric grid for years, testified Sue Kelly, president and CEO of the American Public Power Association (Public Power) at a Senate Energy and Natural Resources Committee hearing today. Kelly testified on behalf of investor-owned, cooperatively owned, and publicly owned utilities, as well as independent generators and Canadian utilities. The industry's top priority is to protect critical power infrastructure from cyber and physical threats by partnering with all levels of government and sharing critical information, she said
Raoul Chiesa — from cybercrime to state-sponsored hacking (Security Affairs) Raoul Chiesa gives us his view on the current cyber threat landscape, from Snowden's case to the links between cyber crime and state-sponsored hacking
Big data is not about petabytes, but complex computing (FierceBigData) You've heard me and several others repeatedly say that the term big data is unfortunate because it's really not about the size of the data, but about the complexity of the computing. In other words, big data tools are not confined to use where there are petabytes of data. Those tools are useful with just about any sized data if you're doing complex computing with it. Here's why
Behind the Machine's Back: How Social Media Users Avoid Getting Turned Into Big Data (The Atlantic) To prevent being tracked by algorithms, we've begun thinking like algorithms
Chinese Military Increases Scope of Cyberattacks on the US (Epoch Times) After several major cyberattacks were traced to the Chinese military in February 2013, hackers in China's People's Liberation Army (PLA) have not only continued their attacks against the United States, but they are attacking on an even larger scale, and with greater frequency
America Is a Sitting Duck for Cyberattacks (US News and World Report) The private sector's Internet infrastructure is very vulnerable
Protecting Your Company's Reputation in a Heartbleed World (Forbes) The Heartbleed vulnerability claimed its first known victim: at least 900 Canadian taxpayers, who had their personal data compromised in the middle of tax season. Canada's tax agency made the announcement today, after temporarily shutting down its online access last Wednesday to deal with the vulnerability
Marketplace
UAE Telecommunications Regulatory Authority & Huawei to Outline Vision for National Broadband Networks (Zawya) With the rapid advancement of information & communication technologies (ICT) ushering in a new era of digital connectivity across the region, Huawei—a leading global ICT solutions provider—in association with the UAE Telecommunications Regulatory Authority (TRA) has confirmed plans to host the UAE's first Huawei Broader Way Forum 2014, examining how national broadband initiatives are expected to transform the region's socio-economic landscape in the years ahead. The full-day conference will take place on April 29, 2014, at the Radisson Blu Royal Hotel in Dubai, UAE
Luring The Elusive Cyber Security Pro (InformationWeek) Struggling to find scarce IT security talent? Make sure your hiring managers understand the certifications and match candidates for skills fit — not just credentials
GSA plans new online purchasing information repository (FierceGovIT) The General Services Administration will create an online repository containing data on how much agencies have paid for particular goods and services, an April 9 GSA blog post says
Qualifying Cyber Command Staff is Harder than You Think (NextGov) The Coast Guard Cyber Command aims to qualify a couple of service members for what Pentagon officials have said will be a 2,000-member force within the next two years
Wurldtech and ENCS Enter into Partnership to Strengthen Cyber Security for Critical Infrastructures (gnomes) Wurldtech Security Technologies (Wurldtech) and the European Network for Cyber Security (ENCS) have signed a partnership agreement to improve collaboration and strengthen cyber security for critical infrastructures
James Kilbride on Security's Role in Cloud Adoption, General Dynamics' Work to Integrate Technology with Business Viewpoints & (ExecutiveBiz) General Dynamics Advanced Information Systems' James Kilbride deploys the capabilities of the firm's Cyber and Intelligence Solutions division to help government customers advance their missions
The Herjavec Group announces $250M Expansion with Acquisition of Dallas Cyber Security Integrator (IT Business Net) Robert Herjavec, Founder and CEO of The Herjavec Group (THG) and star on ABC's Shark Tank, is pleased to announce the acquisition of privately held Galaxy Tech, a Dallas-based leading security integrator with key clients in every US state. Following the April 15 close, Galaxy Tech will be rebranded as THG and represents its seventh acquisition in the past decade
Twitter Acquires Analytics Co. Gnip to Better Package Its Trove of Data (Wired) Twitter just agreed to buy its long-time partner Gnip, a data company that analyzes and sells Twitter data to a host of third-party companies. Gnip is the largest provider of social data in the world
Is Imperva's Guidance an Indication to Avoid Cyber-Security Stocks? (The Motley Fool) In a rather ugly Thursday for the broader market, shares of Imperva (NYSE: IMPV) were particularly crushed following disappointing guidance. The security software vendor lost nearly half of its valuation, and in the process affected the stock prices of peers like Palo Alto Networks, FireEye (NASDAQ: FEYE), Fortinet (NASDAQ: FTNT), and Proofpoint. Yet, given this performance, combined with that of the last month, are these losses overdone, or are they just getting warmed up?
Products, Services, and Solutions
These Sites Tell Which Of Your Accounts Have Been Hacked (Forbes) Heartbleed, the massive flaw in web encryption recently made public, is just one of the unending stream of vulnerabilities that enables hackers to steal personal details and passwords from companies with which you do business
DuckDuckGo is the Anonymous Alternative to Google (PhoenixTS) Google rules the world, but what about the other search engines? Do you know about ixquick, Alhea, Contenko, Dogpile, blekko, or DuckDuckGo? Do you have the time to create your own search engine with Yacy?
Out in the Open: Inside the Operating System Edward Snowden Used to Evade the NSA (Wired) When NSA whistle-blower Edward Snowden first emailed Glenn Greenwald, he insisted on using email encryption software called PGP for all communications. But this month, we learned that Snowden used another technology to keep his communications out of the NSA's prying eyes. It's called Tails. And naturally, nobody knows exactly who created it
Gmail does scan all emails, new Google terms clarify (The Guardian) The search company has modified its terms of service to specifically state that 'automated systems analyse your content'
Technologies, Techniques, and Standards
Open Source Software Is the Worst Kind Except for All of the Others (CircleID) Heartbleed, for anyone who doesn't read the papers, is a serious bug in the popular OpenSSL security library. Its effects are particularly bad, because OpenSSL is so popular, used to implement the secure bit of https: secure web sites on many of the most popular web servers such as apache, nginx, and lighttpd
How to keep your tax return safe from the Heartbleed bug (Quartz) Looking for a silver lining in the mess stirred up by the discovery of a major flaw in the software used by many internet sites to encrypt your passwords and other private data? Good news: The so-called "Heartbleed" bug has delayed tax day. But only if you're Canadian
How to Create Awareness of the Insider Threat (CSO) Snowden causes companies to consider doing what was unthinkable
Electric grid security standards too broad, says trade group (FierceGovernmentIT) A one-size-fits-all approach to security throughout the electric grid risks diverting resources from the most crucial facilities, the head of the American Public Power Association said during a Senate hearing April 10
'Baby Teeth' In Infrastructure Cyber Security Framework (Dark Reading) NIST's modest effort to improve lax security around IT infrastructure in airports, utilities, and other critical areas now heads to Congress. Don't hold your breath
Inside a Cyber Emergency Kit (Wall Street Journal) From "zero day exploits" and "ransomware" to "end of life" and "insider threats," cyber attackers are constantly coming up with new ways to attack systems, and also are finding new systems to attack
How to mitigate tracking risks: wrap your phone in tinfoil, quit Google (Ars Technica) In new book, Julia Angwin wants to live a modern life while frustrating the NSA
Is your agency ready for the cloud security deadline in June? (NextGov) A deadline for federal agencies to adhere to the government's baseline cloud security standards and changes to the standards themselves are both fast approaching
Research and Development
TrueCrypt audit finds "no evidence of backdoors" or malicious code (Ars Technica) Crypto prof: "Nothing terrible is in there, so that's reassuring"
Detecting criminal organizations in mobile phone networks (ScienceDirect) The study of criminal networks using traces from heterogeneous communication media is acquiring increasing importance in today's society. The usage of communication media such as phone calls and online social networks leaves digital traces in the form of metadata that can be used for this type of analysis
Quantum gate could link multiple qubits into single computer (Ars Technica) Photons could enable networking between multiple qubits
Why nobody can tell whether the world's biggest quantum computer is a quantum computer (Quartz) For the past several years, a Canadian company called D-Wave Systems has been selling what it says is the largest quantum computer ever built. D-Wave's clients include Lockheed Martin, NASA, the US National Security Agency, and Google, each of which paid somewhere between $10 million and $15 million for the thing. As a result, D-Wave has won itself millions in funding and vast amounts of press coverage—including, two months ago, the cover of Time
Academia
Former NSA head to speak at Norwich commencement (Burlington Free Press) The man in charge of the National Security Agency while it secretly monitored the communications of foreign leaders and millions of Americans will be the 2014 commencement speaker at Norwich University, the school announced Monday
University adds optional security increase to online accounts (Daily Wildcat) University Information Technology Services is taking steps to prevent online theft of information by adding an additional layer of security to websites used by UA students and staff
Stay Classy, BU: Maintaining Professionalism in an Online World (The Quad) The idea of a work-life balance isn't a new concept (but if you've never heard of it, check out this awesome TED Talk). It's the age-old question that every worker asks at some point in their career: how do I balance the demands of my personal life with the demands of my professional life?
Northrop Grumman Engineering Competition Encourages Students to Focus on Science and Technology Careers (MarketWatch) Students from Antelope Valley area high schools proved on April 5 that imagination and dedication can ignite innovation. Competing in the annual Northrop Grumman High School Innovation Challenge (HSIC), the students took on an engineering problem with limited budget, resources and time. The challenge is modeled each year after a current Northrop Grumman program or engineering capability
Virginia Students Test Cyber Skills in 2014 Governor's Cybersecurity Cup Challenge (News Channel 6) Eight teams from Virginia high schools competed in the final match of the 2014 Governor's Cybersecurity Cup Challenge, a state-wide cyber competition that offers students real hands-on learning experience in cyber defense
Legislation, Policy, and Regulation
Director of National Intelligence pushes for transparency among security agencies (Red and Black) The Director of National Intelligence for the United States federal government delivered a lecture on the importance of intelligence integration and transparency Monday morning in the University of Georgia Chapel
Did the NSA know about Heartbleed all along? (Christian Science Monitor) The National Security Agency hasn't exactly been in the Internet's good graces following revelations about its extensive surveillance efforts, and a new report says the agency knew about the Heartbleed bug before everyone else, but kept it secret for its own use. How likely is the claim?
Trove of Software Flaws Used by U.S. Spies at Risk (Bloomberg BusinessWeek) Two people familiar with the matter said that the agency was aware of the flaw and had used it as part of the intelligence gathering toolkit, as reported by Bloomberg News last week
Heartbleed denial reveals loophole for NSA spying (ComputerWeekly) The US National Security Agency has denied it knew about or exploited the Heartbleed security flaw, but government officials have revealed a loophole that would allow such actions
Heartbleed Suspicion And NSA Denial Show Why NSA's Dual Offense/Defensive Role Must End (TechDirt) We've talked for a while about how dangerous and ridiculous it is that the NSA has a dual role as both handling "offensive" attacks and (supposedly) stopping incoming attacks in a "defensive" role. While technically, the NSA is supposed to be handling the "defensive" side while the US Cyber Command handles the offensive, there is no real separation between the two. The US Cyber Command is headquartered within the NSA and is run by the same person. Despite multiple recommendations to split the roles, the White House refuses to do so. Meanwhile, the NSA itself has been doing more and more offensive work anyway
The Policy Tension on Zero-Days Will Not Go Away (Lawfare) The proposition that NSA should under no circumstances stockpile zero-day vulnerabilities, but should in all cases disclose them in order to perfect defenses, apparently has appeal in some quarters. It is based on at least two false assumptions
Peter King States His Case in Quest to Be Intelligence Committee Chairman (National Journal) Contender claims he's leaving Boehner alone and focusing on staying in the news
Vital to beef up cyber security (New Straits Times) ACT NOW: Asean must lay an intellectual foundation and framework to preserve security in a borderless domain
Pakistan mulls cyber security bill to keep NSA at bay (The Register) Calls for founding of National Cyber Security Council
Litigation, Investigation, and Law Enforcement
Edward Snowden on Pulitzer winners: 'Their work has given us a better future' (The Guardian) NSA whistleblower praises Guardian and Washington Post after pair share Pulitzer prize for public service
Rep. King: 'Awarding the Pulitzer to Snowden enablers is a disgrace' (The Hill) Rep. Peter King (R-N.Y.) on Monday blasted the decision to award Pulitzer Prizes to the two major newspapers that exposed the National Security Agency's surveillance operations through documents leaked by Edward Snowden
Amerigroup data discovered in a suspect's possession — may affect 74,000 others (HackSurfer) Law enforcement in Florida was searching a suspect's car when they found printed screenshots of 183 clients' info, including "full name, social security number, date of birth, [and] city and state of residence." Investigation of the potential source revealed that over 74,000 additional records may have also been compromised
General denies clemency in Manning case (Politico) Turning aside calls for clemency, an Army general has approved the 35-year prison sentence imposed on Pfc. Chelsea (Bradley) Manning for a massive leak of military and diplomatic data to Wikileaks, the Army announced Monday
Dutch Teenager Who Tweeted Threat At American Airlines Arrested, Police Say (BuzzFeed) Rotterdam police announced arrest, but no charges have been filed. Her Twitter account has since been deleted
Zeus Malware: A Continuing Threat (BankInfoSecurity) Indictment of nine highlights fraud risk
FBI Arrests Trio For Microsoft Xbox Hacking (The Smoking Gun) A group of alleged hackers has been charged with breaking into the computer systems of the U.S. Army, Microsoft, and several other firms to steal pre-release copies of popular video games like "Call of Duty," simulation software for Apache attack helicopter pilots, and confidential data that was used to create counterfeit versions of the Xbox gaming system, The Smoking Gun has learned
Bulgarian Credit Card Fraud Gang Dismantled (eSecurity Planet) 25 people were arrested, and 250 skimming devices, 2,000 blank credit cards and more than 50,000 Euros in cash were seized