
The CyberWire Daily Briefing 08.03.15
Researchers and analysts describe the reciprocal reinforcement of information operations and battlefield success.
US-Ukrainian military cooperation revives interest in "electronic warfare," with its irreducible cyber dimension (and cyber operators have much to learn from practitioners of the older discipline).
An Angler variant has been found infecting point-of-sale systems.
"Windows 10 upgrade" emails are ransomware vectors, warns Cisco.
TrueCrypt, abandoned by its makers, resurfaces in a Trojanized variant directed against Russian-speaking targets.
Researchers claim that customer feedback tool Aptean SupportSoft can be exploited to steal credentials and other sensitive information.
The demonstrated Jeep-hack and subsequent vehicle recall by Fiat-Chrysler (now under investigation by the US National Highway Traffic Safety Administration) as well as similar vulnerabilities reported in GM's OnStar system continue to trouble consumers and industry. And on Friday the US Food and Drug Administration warned hospitals to stop using Hospira's Symbiq infusion pumps: they may be vulnerable to remote exploitation. Lloyd's report on the cyber vulnerability of power grids — disturbing enough — is criticized on technical grounds: perhaps the report should have been even more disturbing.
The Royal Bank of Scotland says a service outage last week was the result of a distributed denial-of-service attack.
Businesses are warned against third-party risks.
The New York Times reports the US has decided upon some unspecified retaliation against China for the OPM breach and other cyber capers. US officials repeat their familiar "impose-costs-on-hackers" policy, but also talk about establishing an international cyber-deterrence regime.
Italian authorities suggest a terrorist connection in the Hacking Team breach.
Notes.
Today's issue includes events affecting China, Germany, India, Iraq, Israel, Italy, Japan, Kenya, Nigeria, Pakistan, Russia, Syria, Tunisia, Ukraine, United Arab Emirates, United Kingdom, United States, and Vietnam.
Cyber Attacks, Threats, and Vulnerabilities
Media coverage of terrorism 'leads to further violence' (Guardian) Clear link claimed between reports of atrocities and follow-up attacks
We Didn't Kill ISIS. We Made Them Stronger. (Daily Beast) The terror army took on the world's superpower — and is still standing. No wonder they're drawing fresh recruits from around the globe
Electronic Warfare: What US Army Can Learn From Ukraine (Defense News) The US military has for weeks been training Ukrainian forces in US tactics, but the commander of US Army Europe says Ukrainian forces, who are fighting Russian-backed separatists, have much to teach their US trainers
A variant of the Angler Exploit Kit used to infect PoS Systems (Security Affairs) Experts at Trend Micro discovered that cyber criminals are exploiting the popular Angler Exploit Kit to find and infect PoS systems
Your Files Are Encrypted with a "Windows 10 Upgrade" (Cisco Blogs) Adversaries are always trying to take advantage of current events to lure users into executing their malicious payload. These campaigns are usually focussed around social events and are seen on a constant basis. Today, Talos discovered a spam campaign that was taking advantage of a different type of current event
Trojanised TrueCrypt serves up malware to Russian-speaking targets (Graham Cluley) Until discontinued under mysterious circumstances last year, the open-source encryption tool TrueCrypt was pretty much the first choice for computer users looking to keep the contents of their hard drive out of the reach of unauthorised parties
Major Security Bug In Aptean's Customer Response System Puts User Data At Risk (TechCrunch) A bug discovered by security researchers Eric Taylor and Blake Welsh can change a standard customer feedback system called Aptean SupportSoft into a method for hackers to grab passwords, credit card information and usernames. Taylor and Welsh have also been able to inject code into chat sessions that makes small windows appear when a customer service chat session is initiated
Medical Infusion Pumps Vulnerable to Cyber Attack, FDA Warns (Newsmax Health) The U.S. Food and Drug Administration on Friday advised hospitals not to use Hospira Inc's Symbiq infusion system, saying a security vulnerability could allow cyber attackers to take remote control of the system
Cyber attack hits RBS and NatWest online customers on payday (Guardian) Banking group says Distributed Denial of Service attack prompted flood of complaints from customers
Ruthless hackers ransom banks with mobile malware (Computer Business Review) Ultimatums from hackers could cost financial organisations tens of thousands of dollars
Beware of UAE markets: Hackers target companies to fib stock prices (Albawaba) A group of cybercriminals with financial markets expertise has been discovered hacking companies across the globe, according to analysts from FireEye, a computer security company
AntiVirus Firm BitDefender Hacked; Turns Out Stored Passwords Are Unencrypted (Hacker News) Forget about financial services and online shopping websites; at the very least we expect security firms and antivirus vendors to keep our personal and sensitive data encrypted and secured
Is Bitdefender a Heartbleed Victim (Check and Secure) As you can read on the site "hackerfilm.com", the Romanian anti-virus producer Bitdefender has fallen victim to a cyber attack. Marius Buterchi, the US spokesman for the company, confirmed that a data breach had taken place, but reassured listeners that the company had already taken reactive measures
Researchers Create First Firmware Worm That Attacks Macs (Wired) The common wisdom when it comes to PCs and Apple computers is that the latter are much more secure. Particularly when it comes to firmware, people have assumed that Apple systems are locked down in ways that PCs aren't
INVESTIGATION: Nigerian Hacking Governors Forum: Amaechi, Akpabio, Uduaghan hacked phones too (Premium Times) The governor of Bayelsa state, Seriake Dickson, is not the only politician hacking phones and intercepting communication of political peers and rivals in Nigeria
Chris Hadnagy on the Def Con hackers posing as your coworkers (Christian Science Monitor Passcode) At a conference famous for its hackers, one of the most popular events requires no technical skill whatsoever. Rather than breaking into computers, contestants try to trick companies' well-meaning employees to give out valuable information
Michael Schrenk on stealing data your company gives away for free (Christian Science Monitor Passcode) In advance of his presentation at the Def Con conference in Las Vegas, Passcode spoke with Schrenk about the insider information he's paid to glean from the open Internet — and how companies can better protect themselves from having their inside plans exposed or used against them by competitors
Cybertheft is more than stolen identity (San Diego Source) "Our research team at UCSD needs a large number of bogus credit cards in order to buy illegal products from international criminals," was the message that Stefan Savage, Ph.D. shared with a group of Chancellor's Associates at the Faculty Club in June. That may seem like a strange study program for a group of undergraduates
City faced cyberattacks amid chaos and unrest on the streets (Baltimore Sun) As Baltimore remained under curfew after riots over Freddie Gray's death, a cyberattack knocked out the city's website while hackers who sympathized with protesters on the streets threatened to target the government's computer systems, according to newly released documents
Hacking-as-a-Service Makes Everyone Attack Capable (Dark Matters) Hacking-as-a-Service (HaaS) is fast becoming a business enterprise driven by consumer demand, as well as a competitive development of quality goods and services
Bulletin (SB15-215) Vulnerability Summary for the Week of July 27, 2015 (US-CERT) The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week
Cyber Trends
Cisco: Attackers innovating, evading defenses in first half of 2015 (SC Magazine) Attackers are relaying command-and-control communications through Tor and the Invisible Internet Project, the report showed. Increasingly innovative threat actors are becoming faster at attacking, quicker at adapting, and better at evading detection, according to Cisco's 2015 Midyear Security Report
Bugcrowd's Inaugural State of Bug Bounty Report Highlights Burgeoning Economy of Bug Bounties (IT Business Net) Study conducted from 2013 to 2015 draws data from over 37,000 submissions
The Technical Limitations of Lloyd's Cyber Report on the Insurance Implications of Cyberattack on the US Grid (Infosec Island) The recent Lloyd's report on cyber implications of the electric grid serves a very important need to understand the insurance implications of a cyber attack against the electric grid. There have already been more than 250 control system cyber incidents in the electric industry including 5 major cyber-related electric outages in the US. There have been numerous studies on the economic impact of various outage durations, but they have not addressed issues associated with malicious causes. Consequently, there is a need to address the missing "malicious" aspects of grid outages. Unfortunately, I believe the technical aspects of the hypothesized attack in the Lloyd's study are too flawed to be used
Hacking Critical Infrastructure: A How-To Guide (Defense One) Cyber-aided physical attacks on power plants and the like are a growing concern. A pair of experts is set to reveal how to pull them off — and how to defend against them
After car hack, Internet of Things looks riskier (Boston Globe) Car-hacking example reveals vulnerabilities
Kenya's education sector raises alarm over cyber insecurity (ITWeb Africa) Stakeholders in Kenya's education sector have expressed concern over increasing cases of cyber insecurity and fraud
The Weakest Link in the Supply Chain: Beware of Third Party Hacks (Comilion) There's a shift happening in the world of cybercrime. This shift is towards using indirect attacks where hackers use compromised data, such as login credentials from individuals or smaller companies within a supply chain, to then access companies higher up the chain and ultimately infiltrate mass numbers of user accounts and their Personally Identifying Information (PII) therein. You can describe this attack as using a 'stepping stone' principle, hopping from an easier target, to breach a more lucrative company
Industry's 'New IP' Revolution Could Stall Federal Network (SIGNAL) A paradigm shift once again highlights gaps between the government and commercial enterprises
Complacency — The Biggest Cyber Risk to Construction and Real Estate Companies (Willis Wire) Stories of cyber attacks reported on television or in newspapers invariably point to anarchist groups, disgruntled techies or bored geeks, holed up in their parents' lofts. Successful attacks cannot happen without geeks and technology, but the threats faced by corporates are focused mainly on financial gain
Marketplace
Cyber insurance market to hit US$10 billion by 2020 (Help Net Security) Continued and sustained cyberattacks are having a ruinous effect on enterprises and driving up the cost of incident response. With over 900 million reported records exposed in 2014, more companies are seriously starting to consider transferring risks to insurance providers
Cybersecurity Becoming a Major Industry For Investors (Nasdaq) Over the last several weeks, a variety of data breaches have brought attention to cybersecurity shortcomings in a variety of places, namely the Office of Personnel Management, Ashley Madison, Jeep, and United Airlines. In addition to highlighting various network failures, these hacks have also shown the extent to which our personal information and safety are wrapped up in technology. This level of exposure, in turn, speaks to the growing demand for better cybersecurity offerings as companies that experience hacks lose significant credibility among consumers, business clientele and investors alike
Finance: Get smart with cyber security stocks (Phuket Gazette) The recent New York Stock Exchange (NYSE) trading halt triggered a brief rush into cyber security stocks on renewed fears of yet another serious hack attack
Cybersecurity Is Dominated by Startups In The US, With Israel A Distant Second (CB Insights) As cybersecurity startups innovate to meet an expanding number of online security threats, they're attracting increased attention from investors. 2014 was a record year for private-company funding in the space. We used CB Insights data to understand the regions and markets attracting the most cybersecurity funding
Sophos comes out fighting with its first results since floating (MicroScope) Sophos has come out of the gates running, releasing its first earnings report since it floated in June
Meet the Vietnamese smartphone maker gunning to be the next Apple (C|Net) Road Trip 2015: BKAV, which made its money selling security software, is the first to design and build a smartphone in Vietnam. The question is, will anyone buy it?
IBM: New business lines falter as old ones die (Geekzone) IBM's reinvention as a software and services business still serves as an object lesson in turning troubled technology companies around. It switched from dependence on mainframe and servers to selling software, services and outsourcing
L-3 Evaluating Future of VIP Jet Conversions, Cyber Unit (Wall Street Journal) L-3 Communications Holdings Inc. said Thursday that it was evaluating a business that converts big commercial jets for VIPs after running up charges of more than $100 million on two existing contracts, and may also sell or spin off its $1 billion cybersecurity unit
Nice Systems To Sell Physical Security Unit To Battery Ventures, Trims 2015 View (RTT News) Nice Systems (NICE) agreed to sell its Physical Security business unit to technology investment firm Battery Ventures for a total consideration of up to $100 million, comprising $85 million in cash and up to an additional $15 million based on future performance
Windstream Recognized in Two Gartner 2015 Magic Quadrant Reports (Nasdaq) Windstream Positioned in the Disaster Recovery as a Service and Cloud-Enabled Managed Hosting, NA Magic Quadrants
Products, Services, and Solutions
How does security in Microsoft Edge compare to the competition? (IT Pro Portal) The Internet Explorer replacement Microsoft Edge is one of the headline features of Windows 10
Windows Defender — What you need to know about Microsoft Security Essentials (Boosh Articles) The latest Windows release, Windows 10, comes with a lot more promising features, including a revamped Internet Explorer and improved security from Windows Defender, the revamped Microsoft Security Essentials
Windows 10 spying: How to opt out of Microsoft's intrusive terms of use (Independent) It's fairly easy to opt-out of Windows 10's more intrusive privacy settings
Sophos introduces cloud-based secure web gateway (Times of Oman) Sophos recently announced the availability of Sophos Cloud Web Gateway, a cloud-based secure web gateway that delivers advanced protection for users, devices and data across multiple operating systems, regardless of their location. The addition of secure web gateway to Sophos Cloud integrates technology from Mojave Networks, which Sophos acquired in October 2014
Silent Circle embraces Google Android for Work scheme to boost enterprise appeal (V3) Silent Circle, the Switzerland-based developer championing mobile encryption and privacy with its Blackphone handset, has announced a new enterprise focus by teaming up with Google's Android for Work programme
simplicam® Announces New Security Upgrades (BusinessWire) ArcSoft's home monitoring Wi-Fi camera is upgraded with improved security, giving simplicam customers even more peace of mind when they're away from home
Exostar Deploys Continuous Network Monitoring from Tenable Network Security to Enhance Security Across Cloud Services (Tenable Network Security) Leading SaaS security company deploys SecurityCenter Continuous View to attain the most comprehensive and accurate view of its international, multi-tenant cloud environment
Google Inc Personalized Encryption Keys Might Put An End To Cloud Hacking (Bidness Etc.) Google allows enterprise users to create personalized encryption keys that even Google itself cannot access, putting the onus of cloud data security on the users
Northrop Grumman-Developed Stealthy Data Link Validated as Combat Ready with US Marine Corps (PR Newswire) Fifth-generation Multifunction Advanced Data Link allows coordinated tactics and integrated engagement in high-threat environments
Infoblox Extends Its Enterprise-Grade Network Services to the AWS Cloud (MarketWatch) Infoblox Inc., the network control company, today introduced Infoblox DDI for Amazon Web Services (AWS), a virtual appliance that extends the Infoblox solution for enterprise-grade network services and security to the AWS Cloud
Whitewood Encryption Systems® Introduces the Entropy Engine™, the World's Most Cost-Effective, Quantum-Powered Random Number Generator (BusinessWire) The Entropy Engine employs quantum mechanics to solve the problem of entropy generation, the critical foundation to all cryptographic systems currently in use today. It is designed for applications that employ encryption, digital signing, PKI, crypto-currency and digital payments
Startup Spotlight: BrightPoint Security's Threat Intelligence Management (eSecurity Planet) BrightPoint Security enables organizations to share threat intelligence with peers — a tactic that has worked well for cybercriminals, points out the company's CEO
Technologies, Techniques, and Standards
The Need for Third Party Risk Management (Legaltech News) Organizations have to establish third party risk management strategies in order to mitigate the potentially huge financial and reputational fallouts from insecure partnerships
Alert (TA15-213A) Recent Email Phishing Campaigns — Mitigation and Response Recommendations (US-CERT) Between June and July 2015, the United States Computer Emergency Readiness Team (US-CERT) received reports of multiple, ongoing and likely evolving, email-based phishing campaigns targeting U.S. Government agencies and private sector organizations. This alert provides general and phishing-specific mitigation strategies and countermeasures
Best Practices to Protect You, Your Network, and Your Information (US-CERT) The National Cybersecurity and Communications Integration Center (NCCIC) and its partners responded to a series of data breaches in the public and private sector over the last year, helping organizations through incident response actions, conducting damage assessments, and implementing restoration and mitigation actions
What can we learn from JPMorgan's insider breaches? (CIO) User behaviors can expose bad actors before it's too late
Important Advice on Surviving an Employee Data Breach (IT Business Edge) Recent large data breaches involving the loss of sensitive employee information are signaling a shift in the security landscape. Hackers are no longer focusing solely on credit card information and financial data to sell on the black market. Instead, cyber thieves driven by different goals are now targeting a wider variety of information, from password credentials and employment records, to potentially damaging email exchanges that could be used as blackmail or to damage brand reputation
Protect your information after a data breach (USA Today) Sooner or later, we will all have our private information exposed, says Greg McBride, financial analyst at Bankrate.com
Using the COSO Framework to Mitigate Cyber Risks (Wall Street Journal) Cyber risks cannot be avoided, but such risks can be managed better through careful design and implementation of appropriate controls. Using the internal control framework issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as a guide, organizations can build preventive and detective controls aimed at mitigating cyberthreats to an acceptable level
Phish or Be Phished? The Choice is Yours (KnowBe4) It is mid-2015. By now, we have all seen incoming emails claiming we have been bequeathed a huge sum of money from a Nigerian Prince, or we have won a foreign lottery we never entered. Most employees have seen these scam emails long enough to know they are not real
Debunking Myths: Application Security Checklists Suck (Infosec Island) There is a pervasive sentiment amongst the security community about checklists: they suck. We've all seen inflexible audit checklists that seem to be highly irrelevant to the specific system being audited
Physical Security Industry Adopts Social Media Monitoring (Source Security) Private security professionals and law enforcement personnel are leveraging social media as a physical security tool to identify security threats and prevent crime
Back Doors: Are You Prepared? (Tripwire: the State of Security) "Honey… Did you make sure you locked the basement door and activated the security system? I can't wait to get to the Big Rock Campground, the kids are going to love the waterslide…" Sound familiar?
Hacking Team and other breaches as security lessons learned (We Live Security) If you are in charge of defending IT systems you know there's a big difference between an attacker who is trying to steal payment card data and an aggressive assault by folks who want to expose your internal emails and trash your servers and/or reputation. In the last twelve months we've seen a number of high profile attacks that were not straightforward grabs for monetary instruments or intellectual property (although there were plenty of those as well). So what can we learn from these aggressive attacks, like the one on the Italian "security" company called Hacking Team, or AshleyMadison, and SonyPictures?
Report found many cyber security breaches start with weak password (Northwest Herald) Stop reading this article. Stop, right now and go change the passwords on your sensitive accounts. (But come back when you're done)
Your Security Policy Is So Lame (Internet Storm Center) Every person should avoid lame security policies because of the lack of clarity they leave behind. Oftentimes we find ourselves forced into creating security policies due to compliance requirements. Is there a way to lean into this requirement and get value beyond the checkbox? I certainly think so and would like to share some ideas on how you can do this as well
Design and Innovation
Can the Wyvern programming language improve Web app security? (TechTarget) A new programming language called Wyvern is helping developers use multiple languages in one app securely
Drawing Lessons From July's Jeep Hack (TechCrunch) If you were anywhere near the internet in late July, you probably read the news: Charlie Miller and Chris Valasek, two security researchers who specialize in hacking cars, figured out how to remotely take control of a Jeep
The cyber-mechanics who protect your car from hackers (New Scientist) A couple of weeks ago, a small team of security researchers gathered near a car parked outside one of their company's buildings. The vehicle was on loan to them from a carmaker, and the goal was to find out how hackable it was
Grassroots Group Strives For Wireless Computer Security (SIGNAL) Unsung technologists might be heroes if they can safeguard increasingly accessible systems
Machine Learning And Human Bias: An Uneasy Pair (TechCrunch) "We're watching you." This was the warning that the Chicago Police Department gave to more than 400 people on its "Heat List." The list, an attempt to identify the people most likely to commit violent crime in the city, was created with a predictive algorithm that focused on factors including, per the Chicago Tribune, "his or her acquaintances and their arrest histories — and whether any of those associates have been shot in the past"
The difference between newspaper and online ads (Graham Cluley) With online mags like The Verge claiming "the mobile web sucks" and others showing that no, it's The Verge website that sucks because it's so plastered with ads and trackers, technology journalist Charles Arthur has hit the nail right on the head
When Innovation Fails (IEEE Spectrum) We are too quick to chase wild and crazy innovation and too slow to implement obvious, practical ideas
Research and Development
Georgia Tech Receives $4.2 Million Grant to Battle Cyber Threats (Global Atlanta) A $4.2 million grant has been awarded to researchers at the Georgia Institute of Technology's College of Computing in an effort to develop programs that will improve cybersecurity, especially for online banking, shopping and trading transactions
Collaboration Research Puts the 'I' in Team (SIGNAL) Lab personnel aim to maximize group performance through technology
Securing Today's Data Against Tomorrow's Quantum Computers (MIT Technology Review) Quantum computers are still a distant prospect, but Microsoft researchers say we should strengthen online encryption against them now
Academia
Cardiff research centre to tackle terrorism via social media (BBC) A new research centre exploring how terrorism can be tackled through social media and new technology will be launched in Cardiff
Cyber Boot Camp: Lessons Learned (Dark Reading) What happens when 50 young people spend a week in the trenches with cybersecurity researchers from ESET? One picture is worth a thousand words. Here are seven
Legislation, Policy, and Regulation
European Union gets serious about data protection (Business Insurance) Upcoming law tightens cyber breach enforcement
How to Secure India's Sacred Cyber Space (New Indian Express) Writing 2,500 years ago, Sun Tzu declared in his military treatise The Art of War: "Supreme excellence consists of breaking enemy's resistance without fighting". It is a tribute to the Chinese military strategist's genius that his dictum holds good even today after a couple of millennia
U.S. Decides to Retaliate Against China's Hacking (New York Times) The Obama administration has determined that it must retaliate against China for the theft of the personal information of more than 20 million Americans from the databases of the Office of Personnel Management, but it is still struggling to decide what it can do without prompting an escalating cyberconflict
Pentagon seeks cyberweapons strong enough to deter attacks (Los Angeles Times) The nation that brought the world the mushroom cloud is now hard at work on a new project: coming up with cyberweapons so strong that their very existence would deter foreign governments from attacking U.S. databases and crucial computer systems
Locked and Loaded With Cyber (SIGNAL) Officials discuss cyber as a weapon
Can real-world rules be applied to cyber response? (Defense Systems) When it comes to defining responses to attacks in the cyber domain, the Defense Department's policies are still in flux. But officials appear to be shaping the cyber domain in the same scope as the physical, kinetic world. "We're still working our way through this," Adm. Mike Rogers, head of both the National Security Agency and U.S. Cyber Command, said at the Aspen Security Summit last week
Should the US engage in espionage for economic gain? (Christian Science Monitor Passcode) Passcode was the exclusive media partner at an event on economic espionage hosted by the Atlantic Council think tank. Here's what we learned
US response to China's hacking shows double standard: Analyst (PressTV) China's alleged theft of personal information of millions of American employees is embarrassing while Washington's response to the hacking indicates "double standard hypocrisy" in US foreign policy, a geopolitical commentator in Missouri says
Strengthening & Enhancing Federal Cybersecurity for the 21st Century (The White House) From the beginning of the Administration, the President has made it clear that cybersecurity is one of the most important challenges we face as a Nation. It is also an ever-growing and constantly changing challenge. For years, whenever I've spoken with private and public sector leaders, I've regularly asked them how much time they spend on cyber and related issues. And each year, the answers have been a higher proportion of their time than the year before. Today, any responsible leader of an organization — public or private sector — is dedicating significant attention and resources to addressing evolving cyber threats. And for good reason
House bill would give DHS greater powers to defend against hackers (The Hill) A new House bill would give the Department of Homeland Security (DHS) more legal authority to defend government networks from hackers
Legislation Introduced to Enhance Government Cybersecurity (FedSmith) Congressman Michael McCaul (R-TX) has introduced legislation designed to strengthen the government's cybersecurity defenses in light of the recent data breaches that hit the Office of Personnel Management and left the personal data of millions of current and former federal workers at risk
CISA could turn into extremely messy floor fight (Washington Examiner) As the final work week begins before summer recess, it remains unclear whether the Senate will manage to tackle a major cybersecurity information-sharing bill before leaving town
Crypto Tools Export: Commerce Department Withdraws Proposal, Promises Rewrite (Forbes) The U.S. Department of Commerce has been deluged the last two months with comments from the cryptography community, after the Department's Bureau of Industry and Security (BIS) issued proposed new export regulations covering, among other items, "encryption and cryptanalysis" tools. These regulations were resoundingly criticized as potentially barring the export of standard security testing tools
Hacking Team Leak Could Lead to Policies Curtailing Security Research (eWeek) While the disclosure of Hacking Team's marketing of zero-day flaws has roiled the security community, the reaction of policy makers could have a lasting impact on legitimate security research
Why We Really Should Ban Autonomous Weapons: A Response (IEEE Spectrum) We welcome Evan Ackerman's contribution to the discussion on a proposed ban on offensive autonomous weapons. This is a complex issue and there are interesting arguments on both sides that need to be weighed up carefully. This process is well under way, and several hundred position papers have been written in the last few years by think tanks, arms control experts, and nation states. His article, written as a response to an open letter signed by over 2500 AI and robotics researchers, makes four main points
PSC Calls on OPM to Protect 21.5 Million Breach Victims (Professional Services Council) The Professional Services Council wrote to Acting OPM Director Beth Cobert yesterday calling for action to protect the 21.5 million people affected by the second OPM data breach
Army opening new cyber center at Redstone Arsenal (AL.com) The U.S. Army will open a cyber campus at Huntsville's Redstone Arsenal, the Aviation and Missile Research, Development and Engineering Center announced
Litigation, Investigation, and Law Enforcement
Could other models be vulnerable to the Fiat Chrysler hack? (Christian Science Monitor) The National Highway Traffic Safety Administration has launched an inquiry into the supplier of Fiat Chrysler's hacked radio systems
Warrantless mobile phone location tracking heads to Supreme Court (Ars Technica) Will the justices rule for the government or Fourth Amendment privacy?
Taking Warrantless Location Tracking to the Supreme Court (ACLU) A petition submitted to the Supreme Court could settle a key question about the extent of our privacy rights in the digital age
German politicians urge chief prosecutor to resign over treason probe (Deutsche Welle) There have been growing calls from the SPD and Die Linke for Germany's federal prosecutor to step down. The outrage stems from an investigation into two bloggers accused of publishing state secrets
Germany pauses treason investigation into Netzpolitik.org journalists (Ars Technica) Thousands take to the Berlin streets in support of the site and press freedom
The FBI Is Not Equipped To Protect America From Cyber Threats, New DOJ Investigation Reveals (Inquisitr) A report recently released by the United States Department of Justice shows that FBI staffing is inadequate for combating cyber threats. Though the Bureau began an official cyber-security program in 2012, and the government released the Next Generation Cyber Initiative, a companion to the White House's National Cyber Security Initiative, that same year, there simply aren't enough FBI employees to handle the job, and the report attributes the shortfall to a lack of funding
Clinton e-mail disclosure slowed by security concerns (Boston Globe) Dozens of e-mails that traversed Hillary Clinton's private, unsecured home server contain national security information now deemed too sensitive to make public, according to the latest batch of records released Friday
Classified info on Clinton server, thumb drive violation of law, national security lawyer says (Fox News) Classified emails on Hillary Clinton's personal server, and a back-up copy on a thumb drive held by her lawyer David Kendall, appear to be a violation of the U.S. code governing the unlawful removal and storage of classified information, according to a leading national security lawyer
Former Hacking Team developer reportedly in contact with a terrorist group (IDG via CSO) An individual who did work for Hacking Team was in contact with hackers working for a terrorist organization, and disgruntled employees — who deny the charge — were planning to sell an antidote to the spyware vendor's surveillance software, an Italian newspaper reported Friday
Italian police shutter Dark Web marketplace (IDG via CSO) Italian police have shut down a Dark Web marketplace offering illegal goods ranging from child pornography to forged luncheon vouchers, and seized 11,000 bitcoin wallets worth about 1 million euros, authorities said Friday
MtGox bitcoin chief Mark Karpeles arrested in Japan (BBC) Japanese police have arrested the CEO of the failed company MtGox, which was once the world's biggest exchange of the virtual currency, bitcoin
The Mt.Gox Arrest Is The End Of The First Age Of Bitcoin (TechCrunch) The former head of bitcoin exchange Mt.Gox, Mark Karpeles, screwed a lot of early adopters. It is unclear at this point how much Karpeles allegedly lost or took, but the Japanese police are claiming he lost about $387 million while Mt. Gox was in business
Breach victims' ruling causes uncertainty (Business Insurance) Court backs lost time, money as damage
The cyber threat from within: the computer fraud and abuse act as a weapon against theft of confidential information by departing employees (Lexology) Almost daily, we hear about cyber attacks on big businesses and government agencies. But the attacks are not isolated to the big entities. Your business's most valuable trade secret information more than likely resides in an electronic database that is vulnerable. Yet probably the greatest threat to that database may come from within: your own employees
Enjoy your tiny payout: The weird world of tech class action lawsuits (ITworld) Class action lawsuits: they make millions for lawyers, but often leave tech plaintiffs with nothing to show for it but tiny checks and miscellaneous geegaws. Here are some of the weirdest
For a complete running list of events, please visit the Event Tracker.
Upcoming Events
Black Hat USA (Las Vegas, Nevada, USA, Aug 1 - 6, 2015) Black Hat — built by and for the global InfoSec community — returns to Las Vegas for its 18th year. This six day event begins with four days of intense Trainings for security practitioners of all levels (August 1-4) followed by the two-day main event including over 100 independently selected Briefings, Business Hall, Arsenal, Pwnie Awards, and more (August 5-6)
ISSA CISO Forum: Third Party Oversight (Las Vegas, Nevada, USA, Aug 2 - 3, 2015) The CISO Executive Forum is a peer-to-peer event. The unique strength of this event is that members can feel free to share concerns, successes, and feedback in a peer-only environment. Membership is by invitation only and subject to approval. Membership criteria will act as a guideline for approval. Invitations can be made by CISO Members or ISSA Management. Guest, renewing, and new members are all subject to approval
BSides Las Vegas (Las Vegas, Nevada, USA, Aug 4 - 5, 2015) BSides Las Vegas is an information security conference that's different. We're a 100% volunteer-organized event, put on by and for the community, and we truly strive to keep information free. There is no charge to the public to attend BSidesLV. Our costs are covered by our generous donors and sponsors, who share our vision of free dissemination of information. The conversations are getting more potent, and the "TALK AT YOU" conferences are starting to realize they have to change. BSidesLV is making this happen by shaking up the format
Defcon 23 (Las Vegas, Nevada, USA, Aug 4 - 7, 2015) DEF CON has been a part of the hacker community for over two decades. See the organization's website for more information
3rd Annual Psyber Behavioral Analysis Symposium (Fort Meade, Maryland, USA, Aug 11, 2015) The 3rd Annual Psyber Behavioral Analysis Symposium is hosted by the NSA/CSS Threat Operations Center and the FBI Behavioral Analysis Unit-2/Cyber Behavioral Analysis Center. The goal of the Symposium is to provide U.S. and Second Party Intelligence Communities (IC) a forum to present and collaborate on Human Science-based projects and research. This event attracts a multi-disciplinary government audience from across the IC and Second Party Partner organizations
USENIX Security (Washington, D.C., USA, Aug 12 - 14, 2015) The USENIX Security Symposium brings together researchers, practitioners, system administrators, system programmers, and other specialists interested in the latest advances in the security and privacy of computer systems and networks
5th Annual Cyber Security Training & Technology Forum (CSTTF) (Colorado Springs, Colorado, USA, Aug 19 - 20, 2015) The Information Systems Security Association (ISSA) Colorado Springs Chapter and FBC, Inc. will once again co-host the 5th Annual Cyber Security Training & Technology Forum (CSTTF). CSTTF 2015 will bring together cyber experts from the DoD, federal government, business, research, and academia to address a variety of current cyber topics
Decepticon 2015 (Cambridge, England, UK, Aug 24 - 26, 2015) Decepticon brings together researchers and practitioners in the detection and prevention of deception. Previously, deception research has been fragmented across conferences in many different disciplines, sub-disciplines and countries. To cover the great diversity of approaches to deception research, our scientific committee has members covering several domains
AFCEA OKC Technology & Cyber Security Day (Oklahoma City, Oklahoma, USA, Aug 27, 2015) FBC and the Armed Forces Communications & Electronics Association (AFCEA) Oklahoma City Chapter will be partnering once again to host the annual Technology Day & "Scholarship" Golf Tournament at Tinker AFB. This is the only Technology Day held at Tinker AFB each year. The annual Technology Day allows exhibitors the opportunity to have access to information technology, communications, cyber, engineering, and contracting personnel at Tinker AFB. Over 300 attendees participated in the 2014 Technology Day and we expect the same level of attendance in 2015
Power Grid Cyber Security Exchange 2015 (San Diego, California, USA, Aug 30 - Sep 1, 2015) The Power Grid Cyber Security Exchange will take a deep dive into the cyber security strategies, innovative approaches and strategic planning necessary to balance the competing priorities of today's technology and information security executives. This program is tailored to utility executives and industry stakeholders that are responsible for addressing threat intelligence, analysis and monitoring; network architecture; and cyber incident response
2015 HTCIA International Conference & Training Expo (Orlando, Florida, USA, Aug 30 - Sep 2, 2015) Bringing together experts from all over the world to share their latest research and techniques related to cybersecurity, incident response and computer forensics
ICFP 2015 (Vancouver, British Columbia, Canada, Aug 31 - Sep 2, 2015) ICFP 2015 provides a forum for researchers and developers to hear about the latest work on the design, implementation, principles, and uses of functional programming. The conference covers the entire spectrum of work, from practice to theory, including its peripheries