We wrap up our coverage of OASIS's Borderless Cyber 2015 conference with today's issue. You'll find a complete report on the second day's proceedings linked below (and here). (Our report on the conference's first day is available online here.) Please watch OASIS's own conference site, where presentation materials will soon be available.
These by now are surely dog-bites-man stories, and fast on their way to becoming evergreens, but they remain worthy of attention. Forbes summarizes the activity of Iron Tiger, a Chinese cyber espionage operation discovered and named by Trend Micro. Iron Tiger's activity against US military targets is called "advanced, persistent, and ongoing." And as the US DNI claims that Russia is preparing a campaign against US industrial control networks, F-Secure reports that the Russian services have used Duke malware for espionage since at least 2008. (Duke is another dog-bites-man story: Russian security services are collaborating with criminal gangs to accomplish espionage goals.)
A large number of significant patches have been released, including fixes from Cisco, Apple, WordPress, ISC, and VMWare (and a hat tip to US-CERT for noting these).
The still immature cyber insurance market draws more attention, this week from lawyers noting that cyber policies, while they have an upside for businesses, also bring with them new risks.
In industry news, HP announces 30,000 layoffs. The company is looking for cost savings through automation and outsourcing.
FS-ISAC announces a cyber threat information sharing agreement with US Federal Reserve Banks.
The crypto wars proceed apace in US policy circles: Justice wants backdoors, but almost no one else seems to agree, and the White House is beginning to feel pro-encryption pressure.
US Federal CIOs see a "silver lining" in the OPM hack: it's easier to get resources. (The hundreds of millions whose data were exposed may see this as tarnished silver.)
Today's issue includes events affecting Australia, Belgium, China, Estonia, Iran, Iraq, New Zealand, Russia, Syria, United Kingdom, and United States.
Today we're covering the Sixth Annual Billington Cybersecurity Summit. Full coverage of the proceedings will appear in tomorrow's CyberWire. We're also live-tweeting the event, #cyber6th.
Borderless Cyber 2015 (OASIS) OASIS, in collaboration with The World Bank, will bring together public and private sector security professionals from around the world to evaluate, debate, and collaborate on cyber security best practices and tools
Challenges and Opportunities: Information Sharing in a Borderless Domain (Day Two) (The CyberWire) Borderless Cyber 2015 concluded at the World Bank in Washington, DC, yesterday. Organized by OASIS, the not-for-profit open standards organization, the conference addressed the challenges and opportunities cyber information sharing presents internationally. Of particular interest in the second day's proceedings were discussions of obstacles to information sharing, the successful transition of STIX/TAXII to non-governmental governance, and the complex security implications of the Internet-of-things
Chinese Cyber Attacks On US Military Interests Confirmed As Advanced, Persistent And Ongoing (Forbes) A high-level hacking group dubbed Iron Tiger has been observed stealing trillions of bytes of confidential data from the United States government, US defense contractors and related companies in the United States and abroad, security company Trend Micro reports
DNI: Russians Hacked U.S. Industrial Control Nets (Washington Free Beacon) Moscow setting up cyber command, warfare units
Russia has been using the Duke malware family to spy on other countries since 2008, says F-Secure (Graham Cluley) The Russian Federation has been in cahoots with a cyberespionage gang tasked with collecting intelligence from foreign governments and affiliated organisations via "smash-and-grab" hacking attacks designed to steal as much data as possible in the shortest period of time
ATM malware for stealing payment cards discovered (Engineering and Technology) A new piece of malware designed to infect cash machines to steal payment cards and card-holders' information has been discovered by American cyber-security researchers
To hack an Android phone, just type in a really long password (CNN Money) The latest Android phone flaw is sheer stupidity
The rise of repeated "low and slow" DDoS attacks (Help Net Security) There's been a significant change in the nature of DDoS attacks that is leaving businesses exposed to data breaches and malware
Container security concerns escalate (Help Net Security) 86% of IT decision makers say their companies already deploy containers, or they plan to do so within a year, according to Twistlock. Of these, 35% said containers are already broadly deployed across their networks
230,000 new malware samples detected each day (Help Net Security) PandaLabs has confirmed a record increase in the creation of new malware samples
Significant Threats to Data Security Lurk Within, Professionals Say (BusinessWire) Poll of human resource experts shows widespread concern of internal threats to cybersecurity
What happens when the hackers get hacked: inside the hackers-for-hire business (Information Age) Data from the Hacking Team breach provides a fascinating glimpse into the highly secretive world of the professional surveillance industry
Cisco Releases Security Updates (US-CERT) Cisco has released updates to address vulnerabilities in Prime Collaboration Assurance, Prime Collaboration Provisioning, and TelePresence Server software. Exploitation of these vulnerabilities could allow a remote attacker to escalate privileges, obtain sensitive information, or cause a denial-of-service condition
Apple Releases Security Updates for OS X Server, iTunes, Xcode, and iOS (US-CERT) Apple has released security updates for OS X Server, iTunes, Xcode, and iOS to address multiple vulnerabilities. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system
Internet Systems Consortium (ISC) Releases Security Updates for BIND (US-CERT) ISC has released security updates to address vulnerabilities in BIND. Exploitation of these vulnerabilities may allow a remote attacker to cause a denial-of-service condition
VMware Releases Security Update (US-CERT) VMware has released a security update to address a Lightweight Directory Access Protocol (LDAP) certificate validation vulnerability in vCenter Server. Exploitation of this vulnerability may allow an attacker to obtain sensitive information
WordPress 4.3.1 Security and Maintenance Release (WordPress) WordPress 4.3.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately
Persistent XSS flaw in SharePoint 2013 revealed, patched (Help Net Security) Among the vulnerabilities patched earlier this month by Microsoft is an important one that endangers users of Microsoft SharePoint 2013, a web application platform in the Microsoft Office server suite that combines a variety of capabilities
Microsoft details how Device Guard fights malware in Windows 10 (Help Net Security) As Windows 10 was being prepared for release, Microsoft presented many new security features (and we've written about some) to be included in the new version of the popular OS
Microsoft expands identity security through new Azure AD features (Windows IT Pro) Today Microsoft's Brad Anderson, Corporate Vice President for Enterprise Client and Mobility, announced over on his In The Cloud blog two new capabilities that the company is making available through its Azure Active Directory service
The new art of war: How trolls, hackers and spies are rewriting the rules of conflict (Tech Republic) Cyberwar isn't going to be about hacking power stations. It's going to be far more subtle, and more dangerous
Industrial security awareness continues to remain low (Help Net Security) While traditional manufacturing industries were not designed with security in mind, the proliferation of networks and devices, disparate communication channels, and the use of off-the-shelf software has thrust cybersecurity into the spotlight
Encryption: Whose keys are they, anyway? (Help Net Security) Over the past year, encryption has been showing up in a number of unlikely places
Users want data leakers hit by fines and compensation claims (MicroScope) The channel should be at the forefront of leading efforts to encourage users to get on top of data breaches as users express frustration with current situation
Cyber Attacks From Middle East Increasing (National Defense) Cyber attacks originating from Middle Eastern countries such as Syria and Iran are expected to increase over the next several years, said one defense expert Sept. 16
Australia a top-10 attacker as cybercrims target mobile-commerce growth (CSO) Mobile usage surged in the second quarter to the point where mobile devices accounted for 31 percent of all transactions, according to new research that pegged Australia in the global top 10 for attack origins and warns of an increased mobile-security threat as cybercriminals respond to changing usage patterns with intense targeted attacks
'Hackers' at 20 (Christian Science Monitor Passcode) How a 20-year-old, mostly inaccurate flop predicted the future, reshaped sci-fi, and won over the real hacker community
Cyberinsurance: Protective or Perilous? (Legaltech News) While it's not a replacement for IT security, cyberinsurance creates a second line of defense to mitigate cyber incidents. But it can also pose new problems
HP to lay off 30,000 employees, turn to more automation and outsourcing (FierceCIO) HP announced Tuesday that it will be cutting 25,000 to 30,000 jobs in the Hewlett Packard Enterprise division
Kaspersky, Prodata win Belgian govt security contract (Telecompaper) Kaspersky Lab and integrator Prodata Systems have won a contract to provide security services to Belgian state institutions such as the police and public prosecutors
TRU Staffing Partners Expands Cybersecurity Practice, Acquires Kennett Group (Legaltech News) TRU Cyber, led by Jeff Scarpitti, will focus explicitly on cybersecurity staffing and career management
FS-ISAC Announces Arrangement with Federal Reserve Banks to Share Threat Intelligence (Dark Reading) The Financial Services Information Sharing and Analysis Center (FS-ISAC) today announced an arrangement with the Federal Reserve Banks to provide direct access to FS-ISAC security threat information to over 10,000 of their financial institution customers
BT Tests Banks with New Ethical Hacking Service (Infosecurity Magazine) Global telecoms and services giant BT has launched its first ethical hacking service for financial institutions, backed by non-profit information assurance body CREST
ObserveIT Intros Insider Threat Platform (Channel Partners) Today, ObserveIT, the leader in user activity monitoring and analytics, announced the release of ObserveIT 6.0, which provides the first insider threat platform to protect enterprises from data loss, fraud and IP theft across third-parties, privileged users and business users
Optiv Security Goes Vertical With Launch Of Dedicated Financial Services Practice (CRN) Optiv Security has launched a dedicated practice to tackle the continued cybersecurity challenges faced by the financial services industry, the company said Wednesday
IID Launches 'Rapid Insight,' Safe Browsing Tool (Dark Reading) Fortune 100 companies and government agencies already using Rapid Insight to gather contextual information about threats
iovation Launches Enhanced Search and Reporting Capabilities for Online Fraud Detection (Sys-Con Media) Centralizes and correlates iovation's threat intelligence with customer transactional data; ensures faster and more effective fraud determination
DomainTools' Iris interface speeds up cybercrime investigations (IDG via CSO) The vast amount of data collected by the company will be easier to sort through with the new platform
Secude announces a new release of halocore, its flagship data protection solution for SAP users (EIN News) Halocore enables SAP customers to identify sensitive data exports with context-aware classification, track and analyze all download activity from SAP applications, and prevent potential data loss
Koolspan announces reseller agreement with Samsung Electronics America (Koolspan) KoolSpan, Inc., a leading provider of interoperable secure voice and messaging solutions for mobile devices, today announced that Samsung Electronics America, Inc. has selected KoolSpan to further enhance enterprise mobility for business customers in the U.S
Encryption project issues first free SSL/TLS certificate (IDG via CSO) Let's Encrypt plans to distribute certificates more widely in the next couple of months
Trustwave Unveils New Cloud-Based Secure Mobility Platform (MarketWired) Delivers security to proactively protect and defend businesses' fleets of mobile devices
What the military learned from OPM (FCW) In the wake of the mammoth Office of Personnel Management breach, the Defense Department joined the rest of the federal government in some serious cybersecurity introspection and improvement
8 Lessons to Learn from the Sony Breach (Security Magazine) Last year, Sony Pictures Entertainment suffered one of the largest and most public cybersecurity breaches in history
Forecasting a Breach Is Like Finding a Needle in a Haystack — Not That Tough (IBM Security Intelligence Blog) This year has seen plenty of breaches, and it's not even over yet. Numerous reports show that the number of breaches in 2015 has rivaled 2014, but not many of them are making the evening news — other than the recent hack of Ashley Madison — because breaches are sadly becoming commonplace
Should risk management planning include root cause analysis? (TechTarget) Incorporating root cause analysis in risk management planning could be beneficial to developing a security plan, but is it the best time for it?
DDoS prevention: The latest means and methods (Tech Target) Last year distributed denial-of-service attacks, also known as DDoS, rose to record levels of not just frequency but also strength
The cost of a data breach and how to avoid paying it (SC Magazine) As cyber-attacks become increasingly common, it's important that businesses understand the true cost of data breaches
Why background screening is vital for IT security (Help Net Security) Which security controls are the most important in thwarting cyber crime against businesses? Anti-malware? Physical security? According to a recent survey, people are a main concern
Here's why complex security and endusers don't mix (Sophos) Security is really all about your endusers. And that's a problem, because when one user does something wrong, it has the potential to bring down the whole company
Galois to Support DARPA's Data Privacy Research Program (GovConWire) Galois in Portland, Oregon, has won a $6.8 million contract to help the Defense Advanced Research Projects Agency conduct data privacy and privacy science studies
China is trying to get US tech companies to agree to a strange pledge (Reuters via Business Insider) China is asking some U.S. technology firms to directly pledge their commitment to contentious policies that could require them to turn user data and intellectual property over to the government
David Thompson: Adversaries Aware of US' Space, Cyberspace Dependence (ExecutiveGov) Maj. Gen. David Thompson, vice commander for Air Force Space Command, has discussed the growing role of space and cyberspace in military operations with Air Force Times in an interview published Saturday
FBI, DOJ want tech industry to find workaround to 'warrant-proof' encryption (Christian Science Monitor Passcode) At an event in Washington Tuesday hosted by Passcode, a top FBI official asked the tech sector to develop solutions for law enforcement to access secure data with a warrant — a notion technologists said would weaken security for everyone
Obama faces growing momentum to support widespread encryption (Washington Posgt) White House officials have backed away from seeking a legislative fix to deal with the rise of encryption on communication devices, and they are even weighing whether to publicly reject a law requiring firms to be able to unlock their customers' smartphones and apps under court order
Why the U.S. Doesn't Deserve a Back Door to Your Data (Slate) Because it can barely keep its own data safe
SEC to Start Second Round of Cyber Exams, Issues Risk Alert (ThinkAdvisor) OCIE exams to include 'more testing to assess implementation of firm procedures and controls'
Senators ask automakers for cyber security details (Business Insurance) Two U.S. senators have asked the world's biggest automakers for information on steps they have taken
Federal CIOs see silver lining in OPM data breach (Federal News Radio) After more than a decade of trying to convince, cajole and warn non-IT executives and employees about the dangers of not paying close attention to cybersecurity, the Office of Personnel Management's massive data breach may have just done the trick
Army surges cyber team development (C4ISR & Networks) The Army's cyber evolution continues with the fielding of cyber protection teams: highly trained groups of soldiers that will target emerging threats
Jeb Bush says people need to stop "demonizing" the NSA (Naked Security) Among the Republican candidates for US president, Jeb Bush is something of a cybersecurity policy wonk
Data Breach Liability and Outsourcing Relationships (New York Law Journal) In August 2015, a group known as the "Impact Team" leaked the customer records of some 32 million users of AshleyMadison.com, the "most famous website for discrete encounters between married individuals"
Overview of Requirements for Responding to a Data Breach (National Law Review) With the ever-changing complexity of state data breach notification laws, companies facing a data breach need resources that will help them understand the issues
With Clinton's Private Server, 'Didn't Break Laws' Doesn't Mean 'Kept Top Secret Emails Safe' (Huffington Post) One can abide by the law and simultaneously behave in an immoral or unwise manner
Google found guilty of violating antitrust laws (Naked Security) Yandex — the "Google of Russia" — has prevailed in getting the country's antimonopoly watchdog agency to rule that Google has abused its dominant position in the market with Android
Russian national pleads guilty to breaking into corporate networks, stealing 160M credit cards (FierceGovernmentIT) In what the Justice Department says is the largest scheme of its kind ever prosecuted in the United States, a Russian national pleaded guilty Sept. 15 to breaking into the corporate computer networks of NASDAQ, Dow Jones, 7-Eleven and JetBlue, among others, and compromising more than 160 million credit card numbers that resulted in hundreds of millions of dollars in losses
I must not tweet defamatory comments… I must not tweet defamatory comments… I must not.… (Naked Security) When I was a lad — a long time ago now — my school still employed corporal punishment
Kim Dotcom of Megaupload will finally face the music over extradition (Naked Security) It seems like ages since we last wrote about Kim Dotcom
Cyber attack testing case closed by FDLE, no suspects identified (Orlando Sentinel) The cyber attacks against Florida's school testing system this spring likely were orchestrated by computer hackers outside the United States, though the state's top law enforcement agency has closed its investigation without identifying any suspects
For a complete running list of events, please visit the Event Tracker.
SANS Institute: Information Security Training (Las Vegas, Nevada, USA, Sep 12 - 21, 2015) Information security training in Las Vegas from SANS Institute, the global leader in information security training. At SANS Network Security 2015, SANS offers more than 40 hands-on, immersion-style security training courses taught by real-world practitioners. The site of SANS Network Security 2015, September 12 - 21, is Caesars Palace, the majestic Las Vegas hotel
Hacker Halted 2015 (Atlanta, Georgia, USA, Sep 13 - 18, 2015) EC-Council Foundation's flagship information security conference, Hacker Halted, will unite some of the greatest minds in information security, as industry experts address the latest threats and vulnerabilities plaguing the virtual world. Hacker Halted will also feature several highly technical and advanced workshops that cover the most current security topics and will include EC-Council's most sought after certification classes. Hacker Halted runs concurrently with the invitation-only Global CSO Forum
Detroit Secure World (Detroit, Michigan, USA, Sep 16 - 17, 2015) Join your fellow security professional for affordable, high-quality cybersecurity training and education at a regional conference near you. Earn CPE credits while learning from nationally recognized industry experts on many diverse topics such as: Risk Mitigation, Malware Detection, Digital Forensics, Cloud Security, Privacy, Big Data, PCI Compliance, Security Metrics, Encryption, Mobile Device Management, Incident Response, and much more. Risk management and enterprise cyber defense strategies figure among the agends
Cyber Security Summit: New York (New York, New York, USA, Sep 17, 2015) The Cyber Security Summit provides an exclusive business environment to meet with Senior Executives who are seeking innovative solutions to protect their business & critical infrastructure. Delegates at the Cyber Security Summit are prequalified based on their willingness to meet with Solution Providers and proven ability to purchase products and services
6th Annual Billington Cybersecurity Summit (Washington, DC, USA, Sep 17, 2015) Join key leaders and decision makers from government, military and the private sector at this one-day intensive networking event as participants focus on the next generation of solutions to ensure this nation's cybersecurity
Hacker Halted (Atlanta, Georgia, USA, Sep 17 - 18, 2015) Hacker Halted is a global series of computer and information security conferences presented by EC-Council. The objective of the Hacker Halted conferences is to raise international awareness towards increased education and ethics in IT security
Cyber Security Summit: New York (New York, New York, USA, Sep 18, 2015) The Cyber Security Summit provides an exclusive business environment to meet with Senior Executives who are seeking innovative solutions to protect their business & critical infrastructure. Delegates at the Cyber Security Summit are prequalified based on their willingness to meet with Solution Providers and proven ability to purchase products and services
Data Breach Investigation Summit (Dallas, Texas, USA, Sep 21 - 26, 2015) Data Breaches are occurring at an alarming rate and increasing in their scope, frequency and impact and they don't discriminate by industry, geography or organization size. When a breach occurs, organizations, agencies and individuals need to learn how to more effectively, identify/detect that the breach has occurred, respond to the breach in an effective and timely manner, investigate the breach, and prevent/defend the organization from future breaches
St. Louis SecureWorld 2015 (St. Louis, Missouri, USA, Sep 22 - 23, 2015) Join your fellow security professional for affordable, high-quality cybersecurity training and education at a regional conference near you. Earn CPE credits while learning from nationally recognized industry experts on many diverse topics such as: Risk Mitigation, Malware Detection, Digital Forensics, Cloud Security, Privacy, Big Data, PCI Compliance, Security Metrics, Encryption, Mobile Device Management, Incident Response, and much more. The security implications of the Internet-of-things will be among the topics discussed
OWASP APPSECUSA (San Francisco, California, USA, Sep 22 - 25, 2015) The premier gathering of developers, security experts and technologists to discuss cutting edge approaches to secure web applications
MeriTalk: Cyber Security Brainstorm (Washington, DC, USA, Sep 23, 2015) Co-locating with the NIST Cloud Security Working Group, this MeriTalk Brainstorm has an excellent program lined up, featuring keynote speakers Allison Tsiumis (Section Chief, Cyber Intelligence Section, FBI), and the father of the internet, Vint Cerf
