Welcome to Cyber News Tidbits 4​U​ !

Here are updated news compilations from the Cyber Security Community

Topic headers (+++):

+++   SD/SoCAL items of interest / opportunities
+++   Likely KEY news you can use (might be impactful in some way)
+++   Other items of  FYI /FYSA level interest (skim as you have time, or the topic suits you (efficiencies, ways to do business, etc)
+++   Threats / bad news stuff / etc.

22 February 2014

+++   SD/SoCAL items of interest / opportunities



+ Feb 27 –  How Employees Accidentally Compromise Security: Operational Security in the Cyberspace Domain. 11:30 AM to 1:00 PM (PST)…     Speaker: Cecilia Anastos, Founder Meta Enterprises


+Feb 27 – Business and Technical Innovations in Healthcare (5:30)




+  Mar 6 – SD ISC2 Monthly meeting – cloud / services security.  Data protection at its best.  (6 PM)


+ Mar 11 –  Leveraging Social Media for Healthcare


+ Mar 20 – OWASP – Scared Straight – Lance James, Head of Cyber Intelligence, Deloitte & Touche


+ Mar 20-21 –  2014 ASIS region conference – critical infrastructure  protection


*** Mar 28  (Fri)  – SD IEEE Cyber SIG –Cyber Security Entrepreneur Workshop ***

All day event –  Focus is on ‘doing’ cyber that really matters versus continuing to admire the problem…  If your company has an innovative / disruptive security technology…  contact me.



+ Apr 1-3 – CompTIA Annual Member Meeting .. Rancho Bernardo Inn


+ Apr 22-24 –  C4ISR Symposium




(all links work, I went to them all myself..  you may need to cut and paste in browser…)


+++  Likely news you can use…


+ Beware of Vulnerable Anti-Theft Applications

What if your computer ran an anti-theft software you never activated? A software that can make your PC remotely accessible. A software that you can’t delete, even by physically replacing the hard drive. Sounds like a modern urban legend. However, it turns out that it’s true.



+  Protecting Enterprise Information on Mobile Devices, Using Managed Information Containers

Managed information container products are an option for protecting business information and applications on mobile devices, but their effectiveness depends on the use case. We examine the technology’s strengths and weaknesses, and summarize the features of 21 major products available today.



+ States defend turf from feds on data breach rules

With no federal law on data breaches, most states created their own rules to ensure companies alert residents when hackers seize their personal information. But as massive breaches at Target and Neiman Marcus revive congressional interest in a national notification standard, states are warning Washington: Don’t trample on our turf. “States have been the leaderes, the cops on the beat defining what is reasonable and not reasonable for their own states and heading up investigations on data breach cases for as long as there have been such things,” said Maryland Attorney General Doug Gansler. “It’s almost always a local issue. … We actually get things done.”



+ Can derived credentials turn a phone into an ID manager?

Smartphones and tablets give users the ability to extend their workplaces far from their home offices. But concerns about security, especially within government, limit what many are allowed to do with these devices while untethered from their desks. Civilian and defense policymakers are now advancing the idea of derived credentials as a way to use mobile devices as a common platform for remote authentication. But implementing it is proving to be problematic.



+  Enterprise vulnerability management not keeping pace with cloud and mobility

Despite an increased focus on zero-day exploits, traditional vulnerability management solutions are unnecessarily exposing most to security threats that could be mitigated through continuous monitoring (CM), according to Forrester Consulting. Commissioned by Tenable Network Security, the report found that consumerization, mobility, and cloud computing are increasingly the hallmarks of the extend enterprise, and as a result, periodic snapshot vulnerability scanning cannot effectively address the dynamic nature of today’s extended enterprise environments. About 70% of those surveyed scan monthly or less – even though the access environment may be changing daily for endpoints.



+ Multiple Vulnerabilities in Adobe Flash Player Could Allow Remote Code Execution (APSB14-07)

Multiple vulnerabilities have been discovered in Adobe Flash Player that could allow an attacker to remotely take control of the affected system. Adobe Flash Player is a multimedia platform used to add animation and interactivity to web pages. Successful exploitation could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts will likely cause denial-of-service conditions.



+ Multiple Vulnerabilities in Google Chrome Could Allow Remote Code Execution

Multiple vulnerabilities have been discovered in Google Chrome that could result in several issues including remote code execution. Google Chrome is a web browser used to access the Internet. These vulnerabilities can be exploited if a user visits, or is redirected to, a specially crafted web page.  Successful exploitation of these vulnerabilities could result in an attacker gaining the same privileges as the affected application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights <



+  Need for Real-time and Actionable Security Intelligence

“enterprise organizations must build an information security architecture capable of reacting to changes in the threat landscape as they occur. This type of design must be based upon timely security intelligence and security operations automation, helping to take the lag time and guesswork out of security decisions…Norse is one of a handful of independent security intelligence providers that is designing and building its services with this design for emerging enterprise security requirements.”



+ Risk Based Security Data Breach Report – Very good overview of 2013 breaches!!!



+ Understanding Your Organization’s Attack Surface

Today, briefing senior executives and board-level leaders on cybersecurity risk is a standard CISO job requirement. Research shows that skilled communication about cybersecurity risks with non-technical executives is a key indicator of likely success, and often a CISO’s greatest challenge. So how can you accurately depict the state of your organization’s security in a way that everyone can understand? Applying analytics to your attack surface may provide significant help.

*              What is meant by “attack surface”

*              Design goals for attack surface analytics

*              How to reduce risk to your attack surface using existing and emerging technologies

*              What cybersecurity information the C-suite executives and boards want



+   Strategy: Protecting Your Enterprise From DNS Threats

DNS is the world’s largest distributed database, and it’s increasingly being used as a launchpad for attacks. In this Dark Reading report, we ­provide a detailed examination of the ever-looming DNS threat, as well as advice and recommended …



+ Incentivizing the Cybersecurity Framework

Getting Industry to Adopt the Recommended Best Practices…  Incentives, in cybersecurity framework parlance, encompass a wide range of offerings or conditions that promote adoption of the framework. Incentives could include technical and public policy measures that improve cybersecurity without creating barriers to innovation, economic growth and the free flow of information.   The voluntary cybersecurity framework, as issued last week, did not include any incentives



+ Hackers targeted key U.S. industries through compromised websites

The Homeland Security Department last year alerted dozens of critical infrastructure operators that attackers might have accessed their networks by tainting external websites that personnel had visited. The detail was disclosed in an annual summary of efforts undertaken by the DHS Industrial Control Systems Cyber Emergency Response Team, which aids utilities, banks, and other key U.S. sectors whose business networks government officials have deemed essential to national and economic security. This type of malicious campaign – known as a watering hole attack – takes advantage of vulnerabilities in Web software to insert code that can then infiltrate the computers of site visitors.



+  Email Still Rocks! Social, Surprisingly, Stinks! |

At conversions. Email rocks at conversions.   And despite all the hype associated with Facebook and Twitter, and massive amount of funds that most companies have allocated to social in their quest for magical money, sadly the impact on economic outcomes remains disappointing.   In fact email conversion rates are nearly 40 times (!) that of Facebook and Twitter.    While Google+ was not covered in the study, it is likely that it delivers similar outcomes



+  Cyber security: the solutions aren’t working?

Despite the money being poured into keeping companies protected from cyber threats in the UK, data breaches only seem to be getting greater in frequency. Are the security solutions not working?   In many cases, the breaches were due to poor management of the security technology, such as missing software and security patches, misconfigured security software, weak passwords, or security systems not being monitored to detect attacks,’ he says.





+  Health and Human Services IG to Examine Networked Medical Device Security

The US Department of Health and Human Services (HHS) Office of Inspector General (OIG) plans to take a close look at the security of certain medical devices. The review will be a part of a broader look at security issues in healthcare as laid out in the Fiscal Year 2014 HHS OIG Work Plan. The OIG wants to find out if hospitals have adequate security controls in place to safeguard patient information on networked medical devices, such as dialysis machines and medication dispensing systems.

The OIG also plans to examine the security of the Affordable Care Act website and the security and privacy posture of organizations participating in the HITECH electronic health records program.

FY 2014 HHS OIG Work Plan:



+  Mobile Apps Don’t Detect Phony SSL Certificates

Phony SSL certificates currently being used pose a significant risk to people conducting online banking on smartphones. There appear to be dozens of the fake certificates allowing attackers possessing them to conduct man-in-the-middle attacks to steal data from users who believe they have legitimate connections to banks, shopping sites, and social networks. The certificates are not signed by trusted authorities, so major browsers will detect them, but users conducting banking and other transactions through apps and other non-browser software could be vulnerable.



+  US Intelligence warns on Counterintelligence and cyber espionage

Intelligence officials now view the threat from counterintelligence, foreign spying and the leaking, as the No. 2 danger facing the country.  Top U.S. Intelligence officials released a new Worldwide Threat Assessment Report during a Senate hearing last week, they highlighted the top risks to national security. Let’s give a look to the list, cybersecurity  is still perceived as a need for Homeland security, it is the greatest threat for a second year, the effects of cyber campaigns conducted by foreign state-sponsored hackers are significant and represent a serious threat



+ The next big step for cellular networks isn’t 5G. It’s the cloud



+  Android iBanking Trojan Source Code Leaked Online

The Head of knowledge delivery and business development for RSA’s FraudAction Group, Daniel Cohen warned users about the new threat via a company blog on Thursday, that explains everything about the malware app, called iBanking.  iBanking, a new mobile banking Trojan app which impersonates itself as an Android ‘Security App’, in order to deceive its victims, may intimidate a large number of users as now that its source code has been leaked online through an underground forum



+   Put Security Into a Realistic Perspective

The framework is not perfect, but it sets the stage for further improvements to protect critical assets. Even though some of us believe this is progress, keep in mind, there are and always will be detractors who feel that another ‘framework’ or anything short of mandatory compliance is a waste of time and effort. To be fair to the naysayers, a framework provides little actual protections if voluntary recommended practices and guidelines are not implemented. However, if the risk is calculated as a function of threats, vulnerabilities, impact and likelihood of actually happening is low, then any substantial cost of implementing security is hardly justified. And let’s not kid ourselves, implementing security, such as the top 20 security controls, while effective, is not low cost.



+    Pentagon Budget Stuck in Last Century as Warfare Changes

Defense Seen Growing With Dubious Weapons Despite Automatic Cuts..  The Obama administration foresees 21st century wars fought with fewer boots on the ground and more drones in the air, while the Pentagon continues buying weapons from the last century.    In his Feb. 12 State of the Union address, President Barack Obama said America no longer needs to deploy tens of thousands of troops to occupy nations or meet the evolving threat from new extremist groups. Cyber-attacks are the “rapidly growing threat,” he said Nevertheless, the defense budget contains hundreds of billions of dollars for new generations of aircraft carriers and stealth fighters, tanks that even the Army says it doesn’t need and combat vehicles too heavy to maneuver in desert sands or cross most bridges in Asia, Africa or the Middle East.   “There’s a fundamental need to have a conversation about what kind of military we need to have and what we should expect it to do,” Andrew Bacevich, a West Point graduate and former Army colonel who now teaches at Boston University, said in an interview.    In the absence of such a conversation, the Pentagon faces the prospect of $500 billion in automatic cuts over the next decade, beginning March 1, with no consensus on what to trim. Instead, the budget is driven largely by champions of existing programs in Congress, the defense industry and the uniformed services. As a result, predicts Bacevich: “The behemoth of an entity called the Pentagon is not going to shrink.”





+++  FYI / FYSA  Items of interest…


+ FBI snoops…   FBI’s search for ‘Mo,’ suspect in bomb threats, highlights use of malware for surveillance

The FBI’s elite hacker team designed a piece of malicious software that was to be delivered secretly when Mo signed on to his Yahoo e-mail account, from any computer anywhere in the world, according to the documents. The goal of the software was to gather a range of information — Web sites he had visited and indicators of the location of the computer — that would allow investigators to find Mo and tie him to the bomb threats.

Such high-tech search tools, which the FBI calls “network investigative techniques,” have been used when authorities struggle to track suspects who are adept at covering their tracks online. The most powerful FBI surveillance software can covertly download files, photographs and stored e-mails, or even gather real-time images by activating cameras connected to computers, say court documents and people familiar with this technology.



+  Reporting From the Web’s Underbelly

Interview with Brian Krebs, writer of the cybercrime blog Krebs on Security, which was the first to reveal the data breach at Target and other retailers last year



+ U.S. Running Out Of Allies On Cyber Battlefield

International cyber policy and enforcement, and ownership over the Internet are thorny topics that will be tackled at the 2014 RSA Conference



+ Army, Navy using big data to increase energy savings

The Army and Navy are using big data analytics to identify energy savings opportunities in more than 650 worldwide facilities, with a target of making half of all Navy buildings net-zero energy by 2020, producing as much energy as they consume.  The services contracted with Washington, D.C.-based Sain Engineering to conduct energy audits at specified buildings through 2014 using analytics technology expected to reduce audit time by 80 percent



+  Data Security In 4 (Relatively) Easy Steps

The key to success in information security is finding the “right” information in all the data you aim to protect.  The problem with these types of reports is that they don’t provide enterprises a real-time view of their networks. They look at all the data inside the company but not the specific information that helps security managers make the best decisions. This creates the potential for a blind spot at the moment network threats are occurring — and an overwhelming volume of raw data that is nearly impossible to process quickly



+ How Forbes Responded to the Recent Attack

“”FYI – This is a great read for incident handlers and offers lessons that can be applied in your own organization””

Forbes Media Chief product Officer Lewis DVorkin describes in detail how responded to a recent attack against its publishing system that compromised user login credentials and hindered contributors’

ability to publish stories. The attack began on February 13 and persisted through the next day. The attacker or attackers provided information to Forbes making clear that they had gained access to the company’s publishing platform. Forbes locked down the publishing platform while making adjustments to security and twice attempted to reopen the system, only to discover that the attack was still ongoing.

The company decided to shut down the publishing process for the weekend. was still available to the public the whole time, but was not able to post new content. The company mapped computers in the New York office to a “safe haven” server and established a special mailbox where contributors could submit posts. Forbes used social media to let readers know about the attack and is contacting users, urging them to change their passwords.



+ Target Breach Has Cost Banks and Credit Unions More than US $200 Million

The Target breach that affected more than 40 million payment cards has cost financial institutions more than US $200 million so far. That figure comes from information released by the Consumer Bankers Association and the Credit Union National Association. There are doubtless additional costs incurred by financial institutions that are not members of either association. The costs are those associated with issuing replacement cards for customers affected by the breach. The Target breach exposed personal information of as many as 110 customers.$200m/



+              DOD launches new spectrum strategy

In the long term, the Pentagon will look to replace legacy systems with more “militarily effective” technologies.  DOD officials described a strategy that will serve as the initial push to become more efficient in the use of spectrum while collaborating with industry to strike a balance between national security and economic interests competing for bandwidth.



+   FBI, International Law Enforcement Officials Share Insights On Fighting Cybercrime

Officials from the FBI, Netherlands, Interpol, and other agencies on the fight to track and catch cybercriminals around the globe.. We need to get closer to the kingpins,” said Peter Zinn, senior advisor for the Dutch National Cyber Crime Unit, last week at the Kaspersky Security Analyst Summit in Punta Cana, Dominican Republic. “We are making progress, but we’re definitely not there.”


+  Abusing Cloud Services For Cybercrime

At the RSA conference, researchers will discuss how a lack of anti-automation protections allow attackers to take advantage of free cloud services



+ History of  cybercrime through the ages. Probably useful for “setting the table” discussions how we got here, graphical examples showing the magnitude of change, anecdotal and data evidences presented, too.

===========  other cyber crime papers of interest



+ NIST Releases Draft Proposal for Revising Cryptographic Standard    Development

The National Institute of Standards and Technology (NIST) has released a draft of a proposal to revise the way it develops cryptographic standards. The proposal is a response to concern that the NSA had a hand in the development of earlier standards; NIST is committed to making the standard development process transparent, open, and impartial.



+ The need for time-based security in critical infrastructure

After several discussions with experts in the industry on the topic of active trust management, the question of “why do we need such a trust model?” coupled with “why not use the current processes of network control used commonly in IT networks?”



+ KPN strikes deal with Silent Circle to offer encrypted phone calls

Dutch telecom operator KPN has struck a deal with encrypted communications provider Silent Circle to start offering its Dutch, German and Belgian customers encrypted phone calls and text messages. The move by KPN, the first telecom provider that is going to resell Silent Circle’s services, reflects growing concern about U.S. spying and surveillance following disclosures by former U.S. National Security Agency contractor Edward Snowden. KPN has obtained exclusive rights to offer the services in its home markets, it said Wednesday. Besides the Netherlands, KPN operates in Germany with E-Plus and in Belgium with Base.



The SMAC Stack — Creating Opportunities, Driving Disruption.

Social, Mobile, Analytics and Cloud (SMAC)  have broad potential to provide huge business value, while simultaneously presenting potentially overwhelming challenges. The rapid technology changes supporting SMAC and the overall complexity involved demand a systematic approach to building out your SMAC capability.



+  How big data could help the U.S. predict the next Snowden

National Intelligence Director James Clapper, at Tuesday’s Senate Armed Services Committee hearing, asserted (again) that malevolent insiders with access to top secret material, like Edward Snowden, constituted a top threat to our nation’s national security. The lawmakers agreed and pressed Clapper to explain how he was changing the practices within his office and across the intelligence community to prevent another Snowden-scale data breach. One key step that Clapper outlined: our nation’s top intelligence folks will become subject to much more surveillance in the future.




+ Tech industry praises cybersecurity framework from White House

Members of the tech industry heralded the White House’s announcement of a set of voluntary guidelines for businesses to improve their cybersecurity posture, suggesting that the document could spur private-sector operators of critical infrastructure to prioritize the issue within their firms. The administration’s cybersecurity framework offers a far-ranging template for businesses in various sectors of the economy, including core functions such as threat identification and response, assessment tools and guidance for aligning security with a company’s business objectives.



+ Where do you draw the line on securing critical infrastructure?

Recent multistage attacks against high-value targets confirm what we should already know: It is difficult if not impossible to set limits on what kind of infrastructure is critical enough to receive cybersecurity attention.



+ LinkedIn privacy: 5 safety tips

Earlier this month, LinkedIn killed a controversial feature called “Intro,” which embedded LinkedIn profiles into emails received by iPhone users. While LinkedIn defended the feature, it ultimately disabled it after drawing criticism from some security experts who were worried it could open up users to hackers. While LinkedIn dropped Intro before it could cause problems, it’s equally important for users to take control and understand their privacy and security settings in order to make smart decisions about what information to share, which links to click, and what features to opt-in to. Here’s a look at five steps you can take to be safer and smarter in using LinkedIn.



+ Stop Unauthorized Access With IAM Security

Role management is the process of assigning user access per role instead of per individual. A role management strategy can create effective streamline governance, improve productivity, and align agency goals. How can an IAM strategy maintain user status and privileges all within a secure environment?  for an in-depth look at role and policy models, collaboration efforts, and secure identity manager solutions. Additional management questions to be answered include:



+  Towards a Unified Homeland Security Strategy: An Asset Vulnerability Model

The attacks of September 11, 2001, exposed the vulnerability of critical infrastructure to precipitating domestic catastrophic attack through asymmetric means.  In the intervening decade, the Department of Homeland Security (DHS) has struggled to develop a coherent infrastructure protection program. Various reviews reveal a program that is fragmented, uncoordinated, and adrift.  The central difficulty has been in developing a risk assessment formulation to adequately inform strategic investment decisions. Without an appropriate measure, DHS is unable to (1) assess current protective status, (2) evaluate future protective improvement measures, or (3) justify national investments.  This paper examines current DHS infrastructure protection programs and the underlying challenges to developing an adequate risk assessment formulation. It then addresses these challenges before introducing an Asset Vulnerability Model (AVM) to overcome them and help provide strategic direction.  It draws on insight from earlier research in game theory suggesting a coordinated defense for both critical infrastructure and domestic stockpiles of chemical, biological, radiological, and nuclear (CBRN) agents. It concludes by proposing a policy framework supporting interagency coordination protecting both sets of assets under a unified homeland security strategy.



+ FIDO Alliance Publishes Authentication Standards; First Products Unveiled

The Fast Identity Online (FIDO) Alliance, a consortium of nearly 100 security vendors and enterprises that proposes to create a standard method for user authentication, published its first specifications for industry review. Proponents of the FIDO guidelines, which are designed to help systems find the most effective method of authenticating a user, say the new specifications will pave the way for the replacement of passwords, which are frequently lost, stolen, or hacked



+ Broad adoption of SIEM technology

Broad adoption of SIEM technology is being driven by the need  to detect threats and breaches, as well as by compliance needs. Early breach discovery requires effective user activity, data access and application activity monitoring … Vendors are improving threat intelligence and security analytics



+ A Deeper Look At The Data

Find out what types of cloud apps are in use and what the top cloud computing threats are.


+ White House cyber framework focuses on flexibility, risk for critical infrastructure providers

Now that the National Institute of Standards and Technology and the Homeland Security Department released the cybersecurity framework for critical infrastructure providers Wednesday, agencies have until May to figure out how it fits into their regulations. Executive branch agencies will review existing regulatory guidance and rules in their oversight areas, and in May propose changes that are prioritized and based on risk to mitigate threats and vulnerabilities, said Michael Daniel, the White House’s cybersecurity coordinator during an event in Washington.



+  Obama’s new cybersecurity guidelines lack a workforce plan

There’s at least one thing missing from the National Institute of Standards and Technology’s new presidentially-mandated cybersecurity framework: a plan to bolster the nation’s cybersecurity workforce and address the ongoing shortage of skilled cyber staff. While the framework represents a positive step forward, it’s still deficient in addressing what is often the root cause for lower security incident preparedness – a shortage of qualified information security professionals, W. Hord Tipton, executive director of (ISC)2, told Wired Workplace.



+ Mobile App Security Needs Improvement

Increasingly, products must interact with outside devices and software. From photography to home automaton, it’s becoming far more difficult to build things that work inside a walled garden. Today, a product or app is merely a cog in much bigger wheel of integrated machines and code. Mobility, clouds and the demand for big data exacerbate this trend.


+  Apps, Privacy and Your Data: BlackBerry Releases Privacy Guidance for Third-Party App Developers

technology continues to advance, vendors’ protection measures must also evolve so that customers remain protected from the security and privacy challenges created by innovation. At BlackBerry®, we implement layers of protection into every device and service to help ensure customers receive a unique level of security and privacy that they can depend upon every day. With malicious and privacy-infringing third-party apps increasing every year, BlackBerry is proactively developing and evaluating additional measures and techniques to provide comprehensive protection for customers and their data



+  –Microsoft Expands Multi-Factor Authentication to All Office 365  Subscribers

All subscribers to Microsoft’s Office 365 suite now have multifactor authentication. Microsoft made the decision to expand the feature’s availability from subscribers with administrative roles to strengthen “the security of user logins for cloud services.” There is no additional cost for the authentication feature.

[This could be huge if Microsoft, Google, Twitter, Facebook, etc. all really actively nudge consumer users to start using the text messaging second factor. Many of those consumers are also employees who hated hardware tokens for authentication at work, but have been feeling the personal pain of compromised passwords at home. …]





+++  THREATs  / bad news stuff / etc…



+  Attack Detection is Time Consuming

A Ponemon Institute study found that most companies believe that detecting cyberattacks takes too long. Eight-five percent of the more than 1,000 CISOs and security technicians who responded also said that they did not have a way to prioritize security incidents. More than 60 percent said that they received too many alerts from a variety of security products, many of which do not work well with other products.

[ Many only put in security devices to satisfy an audit or compliance requirement. Therefore no thought or planning go into what exactly is required and how to configure these tools to be most effective. CSOs need to realize no matter how good their defenses are there will be a breach at some stage. To effectively deal with that requires planning, preparation and ongoing testing of the effectiveness of those plans.]



+ Sophisticated Careto Malware Targets Government, Energy Companies,  Financial Firms

Sophisticated malware called Careto, also known as The Mask, has been used in international espionage operations since at least 2007, according to Kaspersky Lab. Careto is a suite of tools that can be used to compromise machines and steal information. Initial infection occurs when users receive a spear phishing email. If the recipients click on the provided link, they are sent to a website that scans their computers for vulnerabilities and attempts to infect them. There are versions of the malware tailored for Windows, Mac OS X, and Linux, and there may be versions for iOS and Android, according to Kaspersky. The malware has been used to target specific organizations in government, energy, finance, and research.



+  Fake SSL Certificates Uncovered: The Tip of the Iceberg and Weaponized Trust

Cybercriminals are moving faster than we think to weaponize the core element of trust on the Internet: digital certificates. The many fake certificates identified by Netcraft are just the tip of the iceberg. Cybercriminals are amping their attacks on trust because the results are so powerful.   Already over a quarter of Android malware are enabled by compromised certificates and there are hundreds of trojans infecting millions of computers designed to steal keys and certificates for resale and criminal use. Today a stolen certificate is worth over 500 times more than a credit card or personal identity



+ Microsoft Windows Crash Reports Reveal New APT, POS Attacks

Researchers discover zero-day attacks after studying the contents of various “Dr. Watson” error reports..  Researchers at Websense — who recently exposed weaknesses in Microsoft’s Windows crash reports that could be abused by attackers or spies — today released free source code online for enterprises to employ the crash reports for catching potential security breaches in their organizations. The researchers next week at the RSA Conference in San Francisco will release indicators of compromise for the two attack campaigns that can be incorporated into intrusion prevention systems.     Alex Watson, director of security research for Websense, says his team spotted a targeted attack waged against a mobile network provider and a government agency, both outside the U.S., as well as a Zeus-based attack aimed at the point-of-sale system of wholesale retailers. In both cases, the attacks have been suspended and the command-and-control infrastructures disrupted.   “We wanted to prove that we can detect zero-day or unknown [attacks] by a little information in crash reports,”



+  New Zeus Variant Targets

New attack shows the adaptability of Zeus and the challenges of policing an ever-expanding network perimeter..  Best known as a banking Trojan, a recently discovered attack shows that Zeus has turned a new page. Instead of going after banking credentials, this new version is focused on software-as-a-service (SaaS) applications. According to SaaS security vendor Adallom, the malware was targeting user credentials for in what appears to be a targeted attack that began on a computer in an employee’s home



+ –ICS-CERT Report Says Many Attacks on Critical Infrastructure Go Undetected

A report from the Department of Homeland Security’s (DHS’s) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) says that many attacks against the networks of organizations that operate elements of the US’s critical infrastructure remain undetected because of insufficient detection and logging. ICS-CERT recommends that organizations improve their incident detection, monitoring, and response capabilities and that they report incidents to develop a broader understanding of attacks. Some of the most common method of initiating breaches were watering-hole attacks (planting malware on a site that targeted users are likely to visit); spear phishing, and SQL injection.

“”  Lack of a clear security view into ICS networks and on devices results in unbounded attacker free time.  ICS networks are special-purpose networks that can be understood and managed well enough to determine predictability.  Being able to detect unnecessary communications and attempts to exploit weaknesses in protocols and software should be a priority along with outbound filtering and monitoring.””



+ 6  tips to combat Advanced Persistent Threats

APTs are also no longer solely the domain of nation-states with vast resources, nor are they focused only on espionage or attacks against military and other government entities. They are “living” on networks in IT, energy, news, telecom, manufacturing and other sectors of the economy.  But according to a number of security experts, while it will probably never be possible to eliminate them entirely, it is possible to detect APTs and minimize the damage they cause.   “There are solutions &mdash the sky is not falling,” says Wade Williamson, senior security analyst at Palo Alto Networks. “A lot of times security folks use APTs as an excuse for failure, but it shouldn’t be. There are technologies that can help.”   Williamson is among those who also argue that detecting and defending against APTs effectively will take more than technology. In general, he says, “the biggest change we need is not one of tactics, but strategy. Security must evolve to become a very creative discipline



+  –Windows Crash Report Analysis Reveals New Advanced Persistent Threat    and Point-of-Sale Attacks

Websense’s analysis of Microsoft Windows crash reports has turned up evidence of a new advanced persistent threat attack and a new point-of-sale (POS) attack. Websense recently revealed that Windows crash reports could be abused by attackers because the system reports log data in cleartext. Websense has now released free source code that allows companies to analyze crash reports to detect breaches.



+  –University of Maryland Database Breach Affects More Than 300,000   Students and Staff

University of Maryland President Wallace D. Loh has disclosed a breach of a university database that compromised personal information of more than 300,000 students and staff members. The incident affects anyone who was associated with the university’s College Park and Shady Grove campuses dating back to 1998. The exposed data include birth dates, Social Security numbers (SSNs) and school ID numbers, but not financial, academic, or health data. Forensic investigators are examining the breached files and logs. University CIO Brian Voss said the intruder copied the information in the database.



+  Java-based malware driving DDoS botnet infects Windows, Mac, Linux devices

Researchers have uncovered a piece of botnet malware that is capable of infecting computers running Windows, Mac OS X, and Linux that have Oracle’s Java software framework installed.   The cross-platform HEUR:Backdoor.Java.Agent.a, as reported in a blog post published Tuesday by Kaspersky Lab, takes hold of computers by exploiting CVE-2013-2465, a critical Java vulnerability that Oracle patched in June. The security bug is present on Java 7 u21 and earlier. Once the bot has infected a computer, it copies itself to the autostart directory of its respective platform to ensure it runs whenever the machine is turned on. Compromised computers then report to an Internet relay chat channel that acts as a command and control server.



+  –Flaw in Asus Routers is Being Exploited to Access Connected Drives

A vulnerability in Asus routers could be exploited to access data stored on devices connected directly to the router through the USB port on the back. The flaw was disclosed in June 2013; at that time, Asus said it “was not an issue.” Devices could be accessed even when users do not deliberately enable services to make hard drive contents available over the Internet. The Asus vulnerability has been exploited thus far by someone who placed text file warnings about the situation on the vulnerable drives. The Asus attack together with the Linksys worm suggests that attackers are starting to turn their attention to routers.

[The last couple of weeks have been bad for multiple types of routers/devices connected to public networks. Mass exploitation of Linksys, Synology, AVM’s Fritzbox, and ASUS Routers, just to name the few that come to mind. Consumer level devices without the ability to receive automatic patching should probably not have the ability to be administered remotely.]



+  Inside the FCC’s plan to take on hackers

Until now, fighting hackers has mainly been the domain of law enforcement, intelligence services and the military. But the Federal Communications Commission, an agency better known for approving wireless mergers and regulating phone companies, intends to create a vastly expanded role for itself on cybersecurity, current and former agency officials say. The exact nature of that role has yet to be decided, the officials said. Options range from helping telecommunications companies implement a major cybersecurity framework released Wednesday by the Obama administration to writing new rules on network reliability. In addition, the commission may lean on a recent federal court decision on net neutrality to pursue other forms of national security-related oversight.



+Hackers mount denial-of-service attack with computer clock tool

Hackers used a weakness in the Internet system that sets the time on computers’ clocks in order to overload a victim’s servers with traffic, in what is reportedly the largest-ever such cyberattack. The common hacking method is called a distributed denial-of-service (DDoS) attack, in which Web services receive so much traffic that they either slow down or crash. Matthew Prince, co-founder and CEO of DDoS-protection company CloudFire, reported the “very big” DdoS attack via a tweet on Monday evening.



+  Hackers circulate thousands of FTP credentials; New York Times among those hit

Hackers are circulating credentials for thousands of FTP sites and appear to have compromised file transfer servers at The New York Times and other organizations, according to a security expert. The hackers obtained credentials for more than 7,000 FTP sites and have been circulating the list in underground forums, said Alex Holden, chief information security officer for Hold Security, a Wisconsin-based company that monitors cyberattacks.



14 February 2014


+ Feb 20 – OWASP – BSIMM (Building Security In Maturity Model.. Mike Rodriguez,


+ Feb 20  –  Panel on “Snowden – hero or traitor”  (by SOeC)

(also note : Edward Snowden Is Nominated For The Nobel Peace Prize  )



*** Mar 28  (Fri)(revised date)  – SD IEEE Cyber SIG –Cyber Security Entrepreneur Workshop ***

All day event –  Focus is on ‘doing’ cyber that really matters versus continuing to admire the problem…  If your company has an innovative / disruptive security technology… contact me.

+ Mar 20 – OWASP – Scared Straight – Lance James, Head of Cyber Intelligence, Deloitte & Touche



Apr 22-24 –  C4ISR Symposium




+++  News you you can likely use…


+ Feds Launch Cyber Security Guidelines For U.S. Infrastructure Providers

The White House on Wednesday released the first version of its cyber security framework for protecting critical infrastructure. Critics say these voluntary guidelines enshrine the status quo


+ IGs to propose cyber maturity model to better gauge federal cyber health

Federal auditors recognize the government needs a better way to truly measure how agencies are protecting their computers and networks. The current approach varies too much across the government. It relies on special publications, a 10-year-old law and negotiations with agency chief information officers. But change may be on the horizon. Both the Council of the Inspectors General on Integrity and Efficiency and the National Institute of Standards and Technology are considering ways to close the gap between the auditors and agencies over the most important metrics to more accurately evaluate the security of the government’s computer networks and systems.



+  Disagreement on Target Breach Cause…..    Experts Debate Whether Third-Party Breach to Blame

YA THINK???   Of course as protecting data / PII / privacy is  a shared responsibility!!!

Security experts are debating how the breach of Fazio Mechanical Services Inc., a refrigeration vendor that serves Target Corp., may have played a role the retailer’s point-of-sale malware attack (see Target Vendor Acknowledges Breach). The Target attack late last year exposed some 40 million credit and debit cards and personally identifiable information about 70 million consumers.       Target had announced in late January that its massive data breach was the result of hackers stealing electronic credentials from one of its vendors. Then last week, Fazio Mechanical Services revealed it was the victim of a “sophisticated cyber-attack operation.”  But security experts disagree on whether it’s plausible that a vendor breach could have paved the way, on its own, to the malware attack against Target



What You Need to Know About the Big Data Issue These days, you’re probably hearing a lot of hype about “big data.” Vendors are currently hawking a wealth of new tools, all of which promise to help your organization unlock previously inaccessible insights from your proprietary information. There is no doubt that big data, i.e., organization-wide data that’s being managed in a centralized repository, can yield valuable discoveries that will result in improved products and performance — if properly analyzed..



+ Experts warn of coming wave of serious cybercrime

The rash of attacks against Target and other top retailers is likely to be the leading edge of a wave of serious cybercrime, as hackers become increasingly skilled at breaching the nation’s antiquated payment systems, experts say. Traditional defenses such as installing antivirus software and monitoring accounts for unusual activity have offered little resistance against Eastern European criminal gangs whose programmers write malicious code aimed at specific targets or buy inexpensive hacking kits online. Armed with such tools, criminals can check for system weaknesses in wireless networks, computer servers or stores’ card readers.



+ Generating Value From Big Data Analytics

Many enterprises are moving quickly to adopt “big data analytics” – specifically, the application of advances in analytics techniques to the rapidly-expanding pool of information that enterprises have at their disposal to enable better decision making.  As this trend of adoption continues, information security, risk and audit professionals are likely to become increasingly aware of the possible technical and operational risk that may arise as a result of adoption in their enterprises. However, non-adoption can also carry its own risk – particularly in the arena of business competitiveness.   To analyze risk holistically, practitioners need to evaluate both technical risk and the business risk, in equal measure. Understanding the “use case” – the reasons why big data analytics is appealing from a business perspective – can help ensure that both angles are considered and practitioners are helping their enterprises remain maximally competitive.





+ Using Risk Assessment to Prioritize Security Tasks and Processes

Dark Reading report, we explain how risk assessment techniques can inform the process of ­prioritizing security tasks and processes, and recommend steps security pros can take to glean and apply pertinent data based on their own ­enterprise’s …


+ Watchdog groups push Senate, White House on Data Act

Organizations as diverse as the Sunlight Foundation and Gun Owners of America want the legislation passed without the changes proposed by OMB.


+  –North Carolina Law Firm Loses “All Documents” to Cryptolocker

A law firm in North Carolina has reported losing all of its legal documents to the Cryptolocker ransomware, even though the company tried to pay the US $300 ransom. Because the firm’s IT staff attempted to decrypt the files, by the time the decision was made to pay the ransom, the three-day ransom deadline period had expired.


+ IT by the Numbers: The True Cost of Poor Protection,64fa85b,651401e&dni=105883739&rni=18558021&

Cloud computing…mobile devices…web applications…virtualization. It seems there are backdoors into your systems from every direction. For every new threat discovered, another security company comes on the scene, offering you the latest and greatest antivirus software, sometimes for free. But is it really such a bargain? It’s time to look beyond cost and start considering value. This eBook provides an overview of a new approach to evaluation of anti-malware solutions — Total Cost of Protection — that takes into consideration protection, performance, management, support, and price.


+  How Do You Know When You Need More Security?

This eBook that brings together insights on today’s hacker threat, compliance issues, and the need for security assessments to learn how to improve your security operations to keep pace with the evolving threat landscape.



+ Cyber crime increases

Traditional defenses such as installing antivirus software and monitoring accounts for unusual activity have offered little resistance against Eastern European criminal gangs whose programmers write malicious code aimed at specific companies or buy inexpensive hacking kits online. Armed with such tools, criminals can check for system weaknesses in wireless networks, computer servers or stores’ card readers.



+  Cyactive’s anti-malware technology aims for the ‘dark heart’ of computer bugs — the damaging code hackers keep recycling

An Israeli start-up claims it may be able to put an end to the viruses, malware, and trojan horses that cost the world economy hundreds of billions of dollars a year. Not only does Cyactive <>  say it can stop viruses that are already “in the wild,” currently causing damage, but according to CEO & Co-Founder, Liran Tancman, it can beat them most of them even before they are invented.   The secret? Viruses are overwhelmingly evolutionary, not revolutionary. “Much of the code found in even major attacks is reused over and over again in new attacks,” Tancman said. “There has actually never been a virus that did not draw substantially on malware that was already in existence





+++  OTHER Items of interest as you have time, …


+  Advanced Persistent Threats, or APT’s, are a growing concern in the security industry. APT’s differentiate themselves from other types of hacking activities by targeting a specific organization for a specific target, often extremely high pay-off data.

Symantec’s Security Threat Report 2013



+  Defense Plans Secret Global Social Media Data Mining Project Based in Europe

Project aims to ‘identify violent extremist influences.’


+ Marines May Ditch DISA for Private Cloud to Host Combat Support System

Service also wants a single systems integrator for 15 personnel systems.


+ How Big Data Could Help the U.S. Predict the Next Snowden

DNI James Clapper wants intelligence workers put into a big data cloud the U.S. can surveil, and it just might work


+ Study: Most Security Pros Unsure If They Could Handle A Breach

Security pros not confident in their ability to quickly find the source of a breach and remediate it, study says


+ Verizon Report: Many Organizations Still Fall Short On PCI Compliance

Ongoing PCI compliance is up, but many enterprises still aren’t meeting requirements, Verizon study says


+  Practicing Safe Data: Mobile Security Policy & Best Practices

learn how to develop an enforceable mobile security policy and practices to secure your corporate data.


+ AFCEA West 2014 On Scene Report Day Two

Panel: Information Dominance Roundtable

The United States will be hampered in dealing with a resurgent China unless it can take the myriad intelligence data it collects and uses it to understand the nation’s thinking, the director of intelligence for the Joint Chiefs of Staff said at an `Information Dominance Roundtable’ that kicked of Wednesday’s WEST 2014 gathering at the San Diego Convention Center.

Information dominance “involves not just the ability to collect and transfer large amounts of data regarding military, commercial, social and economic networks, but a deep understanding of a potential adversary’s’ strategies, mindsets and intent,” said Navy Adm. Paul Becker, who serves as the Joint Chief of Staff’s intelligence chief. “We are often at an information deficit to discern what elements are most important regarding potential adversaries strategies, mindsets and intent in certain A2/AD (anti-access, area-denial) environments.”


+ DHS sees a wave of information sharing as the key to raising all cyber boats

The Homeland Security Department is trying to raise all boats as the wave of cyber threats and attacks continues to increase. The goal is to strengthen both private and public sector computer networks by bringing everyone up to at least the same basic level of security. Phyllis Schneck, the deputy undersecretary for cybersecurity in the National Protection and Programs Directorate at DHS, said when everyone exercises better cybersecurity, there is more data to pull from so the understanding of the threats and vulnerabilities increases.



+  Connected cars: Apps, networks and storage on wheels

Advances in traffic safety networks will be driven by the integration of transportation data across the crowd, the mobile phone network and the vehicles themselves, according to researchers.


+ Social platform for sharing cyberthreat intell goes live


+ 7 Reasons Federal Cybersecurity Hires Will Grow


+ Secure The Cloud .. ‘Cloud security’ needn’t be an oxymoron. Here’s how to get it right


+ 12 Successful Entrepreneurs Share the Best Advice They Ever Got

Being a successful entrepreneur frequently involves a series of missteps and mistakes before finally nailing the right idea or business. The difference, for many, between giving up and persisting through the toughest times can be getting advice from people who have done it before — and being smart enough to listen.


From investor Mark Cuban’s dad telling him that there are no shortcuts to Lululemon founder Chip Wilson’s realization that people actually enjoy helping others, we asked 12 successful entrepreneurs to share the best advice they ever got, discovering the lessons that stick with them to this day.



+ Disconcerting Report on cybersecurity for US Government entities (lack of cyber hygiene!!!)

Over 48,000 successfully cyber attacks breached the US defense, they were caused  by the failure to employ very basic security measures, weak passwords, unpatched software and inadequate controls are the principal causes of the incidents observed to US government infrastructure reporting to the Department of Homeland Security


+ Agencies experiencing a widening cybersecurity reality gap

Inconsistency among how inspectors general review agency cybersecurity is causing a reality gap. The progress many agencies are making to secure their systems is not reflected in the annual reports auditors submit to Congress. And this disconnect causes uncertainty around just how well protected federal computers and networks are from attacks. A recent State Department cybersecurity management alert epitomizes the challenges agencies and IGs face in deciding just how secure their computers are.



+ Critical Infrastructure Cybersec Bill Heads to House Floor (February 6, 2014) The National Cybersecurity and Critical Infrastructure Protection Act unanimously passed the House Homeland Security Committee and now heads to the full House of Representatives. The bill would require the Department of Homeland Security to codify cybersecurity standards for government and critical infrastructure systems.



+ The 5 DNS Security Risks That Keep You Up at Night

When it comes to keeping your domain name server (DNS) secure, do you know what you’re up against? Read this white paper to learn five of the most pervasive DNS threats that you need to be thinking about, and how to keep them from creating a performance or security nightmare.



+++  THREATs  / bad news stuff / etc…



+  Tere Was Another Big Cyber Heist — And That’s a Troubling Sign



+ Researchers Uncover ‘The Mask’ Global Cyberspying Operation

Rare Spanish-speaking cyberespionage campaign usurps Flame as most sophisticated spy attack to date…


+  Sophisticated spy tool ‘The Mask’ rages undetected for 7 years

Researchers have uncovered a sophisticated cyber spying operation that has been alive since at least 2007 and uses techniques and code that surpass any nation-state spyware previously spotted in the wild. The attack, dubbed “The Mask” by the researchers at Kaspersky Lab in Russia who discovered it, targeted government agencies and diplomatic offices and embassies, before it was dismantled last month. It also targeted companies in the oil, gas and energy industries as well as research organizations and activists. Kaspersky uncovered at least 380 victims in more than two dozen countries, with the majority of the targets in Morocco and Brazil.


+ Navy tackles network vulnerabilities

The Navy is addressing cyber vulnerabilities found in its Consolidated Afloat Networks and Enterprise Services and detailed in a recent report, according to a Navy spokesman. More than 400 cyber vulnerabilities across dozens of DoD programs, including CANES, were identified in an annual report by the Defense Department’s Office of the Director for Operational Test and Evaluation found . The report noted that as of November 2012, CANES had 29 category one vulnerabilities and 172 less severe vulnerabilities.



+  A multi-agency government task force looking into cyberattacks against retailers says it has not come across evidence suggesting the attacks are a coordinated campaign to adversely affect the U.S. economy. In a two-page report, the National Cyber Investigative Joint Task Force says the global implications of the retail attacks and the economic impact to private business and individual citizens cannot be overstated. The report obtained by the Associated Press does not identify the retailers by name, but it comes after recent attacks on Target and Neiman Marcus.



+ Sochi Olympics cybersecurity threats cited by U.S. in travel alert

The United States on Friday issued a fresh travel alert for Americans attending the Sochi Winter Olympics, citing cybersecurity threats and warning them to have “no expectation of privacy” using Russian communications networks. The U.S. State Department’s alert – coming the same day that Turkish security forces in Istanbul seized a Ukrainian man accused of trying to hijack an airliner and redirect it to Sochi – updates one issued two weeks ago. “U.S. travelers should be aware of cybersecurity threats and understand that they have no expectation of privacy when sharing sensitive or personal information utilizing Russian electronic communication networks,” the Department said.



+  DDoS Attack Hits 400 Gbit/s, Breaks Record

A distributed denial-of-service NTP reflection attack was reportedly 33% bigger than last year’s attack against Spamhaus


+ TSA Carry-On Baggage Scanners Easy To Hack

Researchers reveal weak security that could allow malicious insiders or attackers to spoof the contents of carry-on baggage


+   Detecting Car Hacks

One of the ways that they were able to take control of the systems in the cars was by sending large numbers of controller area network (CAN) packets to the system. The idea is to have their packets win a race to the computer so that the ECU accepts their instructions rather than the legitimate ones. Miller and Valasek said that detecting their attacks is simple and easy to do


+ Multiple vulnerabilities have been discovered in Microsoft’s web browser, Internet Explorer, which could allow an attacker to take complete control of an affected system. Successful exploitation of these vulnerabilities could result in an attacker gaining elevated privileges on the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.


+  A vulnerability has been discovered in Adobe Shockwave that could allow an attacker to remotely take control of the affected system. Adobe Shockwave is a multimedia platform used to add animation and interactivity to web pages. Successful exploitation could result in an attacker gaining the same privileges as the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts will likely cause denial-of-service conditions.


+ California proposes mandatory kill-switch on phones and tablets

Politicians and law enforcement officials in California will introduce a bill on Friday that requires all smartphones and tablet PCs sold in the state be equipped with a digital “kill-switch” that would make the devices useless if stolen. The bill is a response to a rise in thefts of portable electronics devices, often at knife or gunpoint, being seen across the state. Already half of all robberies in San Francisco and 75% of those in Oakland involve a mobile device and the number is rising in Los Angeles, according to police figures.


+  Snowden Used Low-Cost Tool to Best N.S.A

Using “web crawler” software designed to search, index and back up a website, Mr. Snowden “scraped data out of our systems” while he went about his day job, according to a senior intelligence official. “We do not believe this was an individual sitting at a machine and downloading this much material in sequence,” the official said. The process, he added, was “quite automated.”



+ FBI Issues Solicitation for Malware

The FBI is calling for cybersecurity experts to send them all the samples of malware they have to be used for research. The FBI will pay for the malware samples. The request comes from the FBI Investigative Analysis Unit of the Operational Technology Division, and notes that “the collection of malware from multiple industries, law enforcement, and research sources is critical to the success of the IAU’s mission to obtain global awareness of the malware threat.”

6 February 2014


+ Feb 7 – Internet of Things (IoT) – two iOT startups presenting their products

+ Feb 11 –   SecureSanDiego –  all day – (by ISC2) – Using Threat Intelligence  (Brandon Dunlap & others)

+ Feb 20 – OWASP – BSIMM (Building Security In Maturity Model.. Mike Rodriguez,

+ Feb 20  –  Panel on “Snowden – hero or traitor”  (by SOeC)

(also note : Edward Snowden Is Nominated For The Nobel Peace Prize  )

+ Feb  11-13 – AFCEA West…  Great  C4ISR venue! Lots to see and network, AND the Don IT venue  isat the same time..

+ Feb 16 – INCOSE – third annual San Diego Engineering Night at the USS Midway Museum – benefits SD STEM!



*** Mar 14 (Fri)  – SD IEEE Cyber SIG –Cyber Security Entrepreneur Workshop ***

All day event –  Focus is on ‘doing’ cyber that really matters versus continuing to admire the problem…  If your company has an innovative / disruptive security technology… contact me.

+ Mar 20 – OWASP – Scared Straight – Lance James, Head of Cyber Intelligence, Deloitte & Touche




Apr 22-24 –  C4ISR Symposium




+++  Likely news you can use…


++  VERY COOL mobile security app… (from a  local startup in SD too…;-))

It’s called – Appriva  Privacy Maximizer from



House Committee OKs Cybersecurity Bill

The House Committee on Homeland Security unanimously approved on Wednesday H.R. 3696, the National Cybersecurity and Critical Infrastructure Protection Act of 2013. The bill was sent to the full House for consideration. The committee said in a statement that the Act “addresses the cyber threat by giving the Department of Homeland Security (DHS) the tools to secure our nation in cyberspace, while protecting privacy and civil liberties and prohibiting any new regulations at DHS.”   The bill codifies several cybersecurity efforts already in progress; beefs up others, like the National Cybersecurity and Communications Integration Center; and focuses on partnerships with the private sector. It is intended to be budget neutral.



+ Critical infrastructure cyber bill moves forward

The bipartisan measure would codify numerous existing government cybersecurity efforts. the measure would formalize numerous existing government cybersecurity efforts, such as information-sharing initiatives between the public and private sectors and assessments of the cyber workforce. It would also strengthen the National Cybersecurity and Communications Integration Center and prohibit new regulatory authorities at agencies, particularly the Department of Homeland Security.



+ Critical Infrastructure Protection: More Comprehensive Planning Would Enhance the Cybersecurity of Public Safety Entities “Emerging Technology” Report to the Congressional Requesters



+ Senate cybersecurity report finds agencies often fail to take basic preventative measures (.. you KNOW the poor hygiene fact that it alone causes over 85% of “ALL” security incidents… right?)

The message broadcast in several states last winter was equal parts alarming and absurd: “Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living. . . . Do not attempt to approach or apprehend these bodies, as they are considered extremely dangerous.” The reported zombie invasion was not something out of the “The Walking Dead.” It was the federal Emergency Alert System under control of hackers — who exploited weaknesses that are disturbingly common in many critical systems throughout government, according to a Senate cybersecurity report set for release Tuesday.



+ Hill report skewers agencies’ cybersecurity practices

Some of the most troubling issues have been at DHS, the agency charged with leading federal cybersecurity efforts.



+ Despite Spending $65 Billion on Cybersecurity, Agencies Neglect Basic Protections

A report by Sen. Tom Coburn, R-Okla., takes agencies to task for failing to patch software and perform other fundamental security steps.  (can you say LACK of  enforced cyber CM / HYGIENE? Even congress gets this…)



+  DHS revs up its part of the cyber executive order

The Homeland Security Department will take the first step to move from theory to practice under President Barack Obama’s cyber executive order. DHS’ National Protections and Programs directorate in two weeks will launch a voluntary program for companies to improve the security of their computers and networks. “We will be launching what we call the voluntary program on Feb. 14, enabling companies of all sizes to follow some basic cybersecurity policies and due care that have been designed through the framework by the best scientists in the private sector and the government that we have,” said Phyllis Schneck, the deputy undersecretary for cybersecurity at NPPD, in an exclusive interview with Federal News Radio.

– updated policy

– SIX acquisition recommendations:

– FINAL comments by a LOT of companies, see their cyber perspectives!!!~




+ Intrusion detection app ‘trained’ to spot malicious behavior

Mobile security company Zimperium releases an Intrusion Protection System app that uses artificial intelligence to recognize and block malicious behavior.



+ The Current State of Mobile Security – According to GovLoop’s recent survey eighty-six percent of government employees are using a mobile device to accomplish primary work functions.

That number will only go up in the future and hence mobile security has become paramount for government agencies. See the current state of mobile security and what the future holds in our newest in depth report:*Zuc*2jqA8M/GuidetoMobileSecurityinGovernmentFINAL.pdf

The guide serves as a two way document: one part required reading for C-Level leadership and one part reading for anyone trying to understand the critical issues and nuances surrounding the secure use of mobile devices. In the guide you’ll find:

*             Results from a survey of 255 government employees.

*             Expert insights from three of the most respected leaders in mobile security.

*             Sample user ‘Rules of Behavior’ from the Bureau of Alcohol, Tobacco, Firearms and Explosives.

*             6 Steps for Securing a Mobile Enterprise from NIST.

*             A Mobile Security Cheat Sheet.



+ Magic Quadrant for Security Information and Event Management .. The security information and event management (SIEM) market is defined by the customer’s need to analyze security event data in real time.

Broad adoption of SIEM technology is being driven by the need to detect threats and breaches, as well as by compliance needs  Early breach discovery requires effective user activity, data access and application activity monitoring. Vendors are improving threat intelligence and security analytics.



+ Continuous Security Monitoring: The Challenge of Full Visibility

SCM, a must do of course, but DISA’s $6B effort,  cyber scope. ..seems  overkill on trends.. etc.. has issues, seems there needs to be a simpler wat…


+ Why Canada is where smart VC money is going in 2014.. SO…  How can we change that?



+  20 Security Startups To Watch

Cloud security, mobile security, advanced behavioral detection and a few other surprises mark this latest crop of newcomers as companies to watch


+   By 2017, There Will Be 3.9 Billion Mobile Subscribers

With the scope of the digital universe continually expanding, the opportunity (or challenge) for an organization is to execute a strategy to most effectively participate in, exploit, and derive ongoing value from the expansive digital world. To evaluate and ultimately better facilitate this, many organizations are specifically defining a digital strategy as part of, or in addition to, their overall general business strategy. Read this white paper to gain a roadmap for creating a digital strategy that helps to ensure consistent and relevant brand image and user engagement across touchpoints.

(load into browser… link does not always work from email)



+  Network Monitoring and Troubleshooting for Dummies

Introduce you to common network performance management issues and give you a new way of looking at solving them. This perspective allows you to see your network from your users’ point of view, namely, the services and applications they use and their experience with them. Of course, you can still get down to the other flow and packet levels, but macro-level visibility is a key differentiator in your ability to monitor and troubleshoot network performance efficiently.





+++  OTHER Items of interest as you have time, …



+ NIST draft standard details approximate matching

The National Institute of Standards and Technology’s draft publication SP 800-168, Approximate Matching: Definition and Terminology, provides a description of approximate matching and includes requirements and considerations for testing. Approximate matching is a technique designed to identify similarities between two digital artifacts or arbitrary byte sequences such as a file



++ How APIs will drive agency PaaS adoption – ..AND the “IoT”, where sensors rule!!!

Government agencies will move to fully embrace platform as a service this year, driven by mobile, open data and the advent of simple, lightweight APIs.



+ big data infograph… COOL…



+ SANS  Critical Security Controls Draft Version 5.0 – GREAT reference of top 20 IA controls!!!



+ Data breaches a hot topic on the Hill

Committees in both houses of Congress are holding hearings this week on the recent spate of consumer data breaches, and legislative proposals being discussed would bring more business data under the jurisdiction of federal rules. The scope of the breaches, with as many as 110 million Target customer records and more than 1 million credit card files at Nieman Marcus, is generating significant activity among legislators and regulators. But it remains to be seen how much appetite exists in Congress to increase the scope of the federal rules governing data containing personally identifiable information.



+  What feds can learn from Coca-Cola’s data breach

Coca-Cola is the latest corporate victim in a string of high-profile data breaches, but unlike the malware-assisted attacks that compromised millions of Neiman Marcus and Target customers’ private information, the beverage giant’s plight has some clear lessons for federal agencies. Coca-Cola’s breach, first reported Jan. 24 by the Wall Street Journal, involved a former employee stealing company laptops containing the unencrypted personal information of about 74,000 people. The government can learn three major lessons in mobile security, according Tony Busseri, CEO of Route1, a digital security and identity management company that works with the departments of Defense, Homeland Security and Energy.




+ US Legislators Introduce Data Privacy and Breach Notification Bill (February 3, 2014) Members of the US Senate Commerce, Science, and Transportation Committee have introduced a bill that would establish a federal standard for consumer data protection and data breach notification. The legislation calls for the Federal Trade Commission (FTC) to issue security standards for companies that retain consumers’ personal and financial data. In the event of a breach, the bill would require companies to notify affected customers within 30 days in most cases.

[Editor’s Note : There is a lot of wording in this proposal beyond national requirements for breach reporting. Having the FTC define national privacy-related breach reporting standards would be a good thing but adding more security “standards” and more layers of reporting requirements, and “encouraging” the use of specific technologies will divert resources away from security to just more compliance reporting.

—  There have been almost identical bills circulating on Capitol Hill for more than five years.  I and many others have spoken to Congressional members and their staffs for years about this issue, yet there’s not been a substantive bill passed on cybersecurity for more than ten years.  It appears reporting surrounding recent retail breaches has gotten their attention.  One specific issue contained herein, standards in breach reporting, would be very helpful to those global companies that now have to navigate scores of state laws.  It’s a complex issue, but designing and implementing a better, common way to share threat intelligence will go a long way in enabling better defenses and identifying adversaries, helping to mitigate the consequences of data breach.  Let’s hope there’s something valuable that comes from this.]



+ Cybersecurity experts warn Target data breach only the beginning



+ Are you ready for the next big cyber deadline?

Your agency’s information security continuous monitoring (ISCM) strategy required for the Feb. 28 deadline from the Office of Management and Budget. Or are you? While most agencies by now have considered and documented their CDM approach according to National Institute of Standards and Technology Special Publication 800-137, those strategies actually may not hold water in light of the Nov. 18 memo M-14-03, Enhancing the Security of Federal Information and Information Systems from OMB. These new requirements must be reconciled along with the previous ones from NIST, OMB and the concept of operations in less than a month.



+ 71% of workers consider switching jobs…. Great overview!!!  Actively looking or open to new opportunities (AS I AM… leaving government…;-))



+  The “Next” Approach To Network Security

In the past, traditional network defenses took an all or nothing approach to blocking high-risk traffic. With the shift to functionality forward applications and web technologies, that approach is no longer possible.

Because so much of today’s network content is application-centric, network defense must understand specific application behaviors, how users interact with applications, and how to define and enforce security policy accordingly.

to discover how to breakdown current technology silos and overcome these network challenges:

*              Grounding network security products and services

*              Better integration of network security technologies

*              Keeping up with the demands, being able to both consume provide information

*              And more!



+ Secure Browser Alternatives On The Rise

The sandboxed browser on the desktop, the disposable browser session from the cloud, and now a high-security browser that by default blocks third-party cookies and online ads are all options…



+ NAC Comes Back

BYOD and advanced malware help resuscitate NAC – network access control



+ NASA has ‘significant problems’ with $2.5B IT contract  (.. so we are not alone.. even the best have issues…)

An IG report blames poor implementation by HP and inconsistent oversight by NASA as major obstacles to fulfilling the contract.



What World War II Code Breaking Tells Us About Cybersecurity

Consider the humans but rely on the data.



+ This Company Says Its Technology Could Have Detected Snowden’s Intrusions

U.K. cyber official forgoes sweet pension to sell what he thinks is a groundbreaking cybersecurity system



Mobile Application Management: An Interactive eGuide

There’s no question that mobility is taking over in the enterprise. But employees today don’t only want to use the mobile device of their choice to do their jobs, they also want a full complement of well-designed mobile apps. This trend is putting pressure on IT departments to find the time, resources, and talent to develop, manage, and support mobile apps. These apps must meet user requirements for ease of use and speed, take advantage of mobile platforms, and match the performance and security standards of traditional applications.

In this eGuide, InfoWorld along with sister publications CIO, CSO, and Computerworld examine the state of mobile app development and management in the enterprise. Read on to learn the latest advice and newest approaches to making mobile apps work for your organization.


+ The Most Valuable Lesson I’ve Learned as a CEO

I was recently invited to join the CEO of a Silicon Valley tech company for a fireside chat at his annual global leadership summit. He’s been interviewing other CEOs at the event for years as he and his team value hearing the perspectives, experiences, and best practices of other companies. He did a great job moderating and I truly enjoyed the event.

One of the questions he asked is one I get frequently: What’s the most valuable lesson you’ve learned as CEO?

My answer was simple: Don’t leave the pitcher in the game for too long.



+ The networked car is no longer just an idea; it will be mandated … uses LIDAR  too

For the last two years, automakers and the U.S. Department of Transportation have been investigating the idea of cars talking to once another, putting thousands of Wi-Fi connected smart vehicles on a track in at the University of Michigan to see if they could cooperate with another and avoid accidents. Apparently the feds are convinced that the technology is ready for prime-time because on Monday, the National Highway Traffic Safety Administration said it is kicking off a process that will one day make inter-networking a requirement in all new vehicles



+  Marble Security ( ) ,  which provides the key elements for MDM.

-An easy to use app that scans the device for malicious applications and also detects jail broken and rooted devices.

-A secure VPN service that isolates users from network attacks on any Wi-Fi, cellular, or wired network.

-Encrypted communications and security services to protect users from malware and other dangerous sites.

-The ability for the IT to manage deployments including setting policies, running risk reports and dashboards to track devices, users and apps.






+++  THREATs  / bad news stuff / etc…

+ RC3 Begins to Support Promoting Regional Cybersecurity Initiatives

SEE their call to action / open letter for details!!!



+ James R. Clapper, Director of National Intelligence: Worldwide Threat Assessment to the Senate Select Committee on Intelligence,  January 29, 2014

This is the testimony of James R. Clapper, Director of National Intelligence. On January 29, the U.S. Senate Select Committee on Intelligence held an open hearing on Current and Projected National Security threats against the United States. These open hearings occur yearly, and quite a few areas of threat are on the rise, including cyber, counterintelligence, counterspace, and Transnational Organized Crime. They concluded that global threats in the cyber realm are a growing trend, and our increased reliance on cyberspace and digital networks as a nation will create growing risks to our use of digital infrastructure. Exploiting and disrupting our online activities will likely increase, the Select Committee concluded; biggest threats will come from Russia and China.


+ GameOver Zeus Authors Try A New Tactic: Encryption

Authors of malicious GameOver Zeus exploit dodge detection with new encryption scheme .. authors are “encrypting their EXE file so that as it passes through your firewall, Web filters, network intrusion detection systems, and any other defenses you may have in place, it is doing so as a non-executable ‘.ENC’ file.”



+ World’s Top 10 Most Famous Hackers



+ Ethical challenges of the Internet of Things

Privacy and security implications of the internet of things.

The Federal Trade Commission (FTC) has requested comments regarding “the consumer privacy and security issues posed by the growing connectivity of consumer devices, such as cars, appliances, and medical devices,” in anticipation of a November 21 public workshop on “the Internet of Things.”[



3 Ways to Limit Unwanted Cyberattacks

The weakest IT devices across all industries today are mobile devices, which include smartphones, tablets and wearable devices



+ Possible Belarus link to ObamaCare raises concerns about cyber attack

U.S. intelligence agencies last week urged the Obama administration to check its new healthcare network for malicious software after learning that developers linked to the Belarus government might have helped produce the website, raising fresh concerns that private data posted by millions of Americans will be compromised



+ A Guide To Finding Security Holes For Fun And Profit

Paying developers to find bugs is all the rage these days. GitHub just announced a bug bounty program offering ethical hackers $5,000 rewards for discovering vulnerabilities in its platform. This comes just a week after Facebook paid out a $33,500 reward to a researcher who uncovered a security hole.


+ 2014’s Hacking Pain is Cyber Security’s Gain

First it was Target TGT +1.43% that got hacked over the Christmas holiday and that has the company bracing for a fierce backlash after it disclosed that over 70 million credit cards and other customer data was “compromised.” That’s a pretty sour way to close out the year, particularly if you are Gregg Steinhafel the Chairman and CEO of Target, but to think Target was the only company to get hacked in 2013 would be naive. Some of the bigger hacks in during 2013 including LivingSocial, Washington state Administrative Office of the Courts, Evernote,, and one of the internal websites of the Federal Reserve



+ Cyber Risks at the Sochi Olympics

Government Security News reports that Myers is a security analyst at ESET, an anti-virus company based in Slovakia that provides anti-malware and anti-phishing software solutions for mobile devices, desktops, and laptops. ESET is one of the leading providers of anti-virus software throughout Western Europe; it also has locations across North America, Latin America, and Asia.

“There was actually a denial of service attack that hit the Olympics website during the 2012 London Olympics and cybercriminals threatened to turn off the lights during the opening event,” Lisa explains.



+ 2014 Sochi Olympics: A Patchwork of Challenges

Center for Strategic and International Studies (Washington, D.C.)




+ -LabMD Shuts its Doors Amid FTC’s Data Breach Investigation. The CEO of LabMD, an Atlanta-based medical laboratory, said the company has ceased operations due to the US Federal Trace Commission’s (FTC’s) aggressive pursuit of its investigation of LabMD for alleged data security issues stemming from a breach. Michael Daugherty says that the FTC has overreached its authority in the course of the investigation.

The case started in 2010 when a peer-to-peer (P2P) network monitoring service found a 1,700-page LabMD billing document on one of the networks it was monitoring. The data affected 9,000 patients and included Social Security numbers (SSNs) and treatment codes. LabMD has challenged the FTC’s authority in court, claiming that the Commission cannot use a section of the FTC act that prohibits unfair and deceptive practices to impose penalties on companies for data breaches.

SO.. data breaches ARE serious stuff..

[Editor’s Note This is like a vermin-infested restaurant closing its doors because the health department fined it for unsanitary conditions. Other than notifying affected patients and actually fixing the deficiencies that lead to them exposing patient information, LabMD would have had to undergo 10 external audits over the next 20 years – annoying, but hardly financially onerous..]

1 February 2014

+++   SD/SoCAL items of interest / opportunities


Feb 7 – Internet of Things (IoT) – two iOT startups presenting their products

Feb 11 –   SecureSanDiego –  (by ISC2) Using Threat Intelligence  (Brandon Dunlap & others)


Feb  11-13 – AFCEA West…  Great  C4ISR venue!

Feb 16 – INCOSE – Engineering Night at the USS Midway Museum – benefits SD STEM!


Feb 20  –  Panel on “Snowden – hero or traitor”  (by SOeC)

(also note : Edward Snowden Is Nominated For The Nobel Peace Prize  )


MARCH events

*** Mar 14 (Fri)  – SD IEEE Cyber SIG –Cyber Security Entrepreneur Workshop ***

whole day event –  Focus is on ‘doing’ cyber that really matters versus continuing to admire the problem…  If your company has an innovative / disruptive security technology…  contact me.



+++  Likely key news you can use (re: might be impactful in some way)


+ Air Force Researchers Plant Rootkit In A PLC (just what we need, government developing malware to affect our CIP industries)

Rogue code and malicious activity could go undetected in many of today’s programmable logic controllers, The rootkit didn’t require major resources to develop, either: It took an AFIT graduate student less than four months to reverse-engineer a PLC and write the prototype rootkit, and cost about $2,000 overall to develop



+  Big Data – Stumbling Blocks That Faceplant Security Analytics Programs

Understanding the people and process problems that get in the way of analytics effectiveness… While much of the focus on emerging security analytics programs tends to fixate on the data science, algorithms, and technology that makes it all possible, people and process plays as much of a role in analytics as it does in any other facet of security



+ Startup Confer Launches Cyberthreat Prevention Network

New company Confer takes on endpoint security problem with sensors that feed into threat intelligence network.  Confer is tackling the endpoint security problem by instrumenting each device with a sensor that feeds data into a threat intelligence network.  The new company launched last week with $8 million in first-round funding from Matrix Partners and North Bridge Venture Partners.   Confer has built what it calls a “cyberthreat prevention network” that collects and stores information about current threats as well as the behavior of known attackers.


+ NIST drops privacy appendix from cybersecurity framework.. ??? WHY drop this –  it was a GREAT effort???

The final draft of the critical infrastructure cybersecurity framework under development by the National Institute of Standards and Technology for nearly a year will not include a separate appendix for privacy controls. In an update on the framework’s status published about a month before the final draft’s anticipated Feb. 13 release date, NIST says industry comments show that its methodology for addressing privacy and civil liberties concerns created by corporate cybersecurity programs “did not generate sufficient support.” Industry sources speaking on background said NIST introduced the privacy appendix as a framework element late in the development process, something that caused trepidation and uncertainty. They also said the informative controls proposed by NIST, nearly all taken from the new privacy appendix of the NIST catalog of security controls, provoked concerns over corporate liability, particularly in the event of a data breach.



+ The economics of a national cyber immune system

Inexpensive attacks can yield great returns for the bad guys, while the defenders work with limited budgets and have to be right every time. taking partnerships to the next level — boosting them into a national cyber immune system — means making efforts like DHS’s Cyber Information Sharing and Collaboration Program more than just anecdotal examples.



+ Global Shortage Of Security Professionals Amid Raised Threat Level

Cisco annual security report highlights Web, Java, Android abuse. Applications and websites littered with malware. Multinational companies’ computers sending suspicious traffic. Android the main target of mobile malware writers. A global shortage of more than 1 million security professionals.  And all of this amid another growth year for overall vulnerabilities and threats — by 14 percent year over year since 2012, according to Cisco’s newly published 2014 Annual Security Report




+ DHS Warns Contractors of Data Breach

The US Department of Homeland Security (DHS) has notified contractors that sensitive data belonging to their companies, including private documents and bank account information, were compromised in a security breach. The incident affects at least 114 companies that bid on a DHS Science and Technology Division contract last year.



+ Lack of stronger cyber security may cost global economy $3 trillion: report

Failure to boost cyber security could cost the world economy a staggering $3 trillion as new regulations and approaches to deal with destructive attacks would stifle innovation, according to a report. With the recent proliferation of cyber-attacks, corporate executives need to devote increasing attention to protecting information assets and on-line operations, said the report released on Monday by the World Economic Forum (WEF) in collaboration with global consultancy McKinsey & Company. Titled ‘Risk and Responsibility in a Hyperconnected World,” the report cautioned that there could be increased cyber-attacks if there is a failure to strengthen capabilities for deterring such activities.



+ White House launches big data, privacy review

The White House has launched a comprehensive review of the growing use big data analytics and its potential impact on the future of privacy. As part of the effort, the President’s Council of Advisors on Science and Technology (PCAST) will conduct an in-depth study that explores the technological dimensions of the intersection of big data and privacy, according to president Obama’s counselor John Podesta, who is leading the review.



+ Industry group advocates linking cloud, cybersecurity planning

An IT industry group led by former Office of Management and Budget e-government administrator Karen Evans says it’s time for the federal government to interconnect the three major IT initiatives it has been driving along largely separate tracks for the last decade: cloud, cybersecurity and mobile computing. The group,, called for a new approach for integrating the rollout of these technologies to help government agencies get the benefits of cloud services while meeting cybersecurity requirements at the same time.



+ FBI warns retailers to expect more credit card breaches

The FBI has warned U.S. retailers to prepare for more cyber attacks after discovering about 20 hacking cases in the past year that involved the same kind of malicious software used against Target Corp in the holiday shopping season. The U.S. Federal Bureau of Investigation distributed a confidential, three-page report to retail companies last week describing the risks posed by “memory-parsing” malware that infects point-of-sale (POS) systems, which include cash registers and credit-card swiping machines found in store checkout aisles. “We believe POS malware crime will continue to grow over the near term, despite law enforcement and security firms’ actions to mitigate it,” said the FBI report, seen by Reuters.



+ Homeland Security makes cybersecurity a managed service

The Department of Homeland Security’s Einstein 3 intrusion prevention system, launched last summer, raised the bar for security technology capable of operating at carrier-grade network levels, rather than just within the enterprise. Einstein is a managed security service delivered through Internet service providers that serve executive-branch civilian agencies. Through a public-private collaboration, DHS provides custom signatures to federal agencies’ ISPs to block malicious traffic, both incoming and outgoing. Moving analysis of government Internet traffic to ISPs for security purposes was controversial when Einstein 1 was deployed in 2004, but it was merely an early step in what Tim Sullivan, CEO of security firm nPulse Technologies, said is the inevitable move of cybersecurity to a managed service.



+ Data breaches jump five-fold in 2013

SEATTLE – Well north of 740 million records were exposed in 2013, making it the worst year in terms of data breaches recorded. That’s a very conservative number derived by analyzing approximately 500 breaches listed on the Privacy Rights Clearinghouse Chronology Data Base, according to the Online Trust Alliance. That list is comprised of publicly disclosed data breaches and includes the 40 million records Target disclosed losing on Dec. 13. Target’s official estimate is now up to 110 million. And many of the breach cases listed for 2013 show an unknown or undisclosed number of records taken. So 740 million is a low number. CyberTruth video: Retailers mum about data breaches.



Massive German hack sees one fifth of population’s passwords stolen



House HS Subcommittee Passes Legislation To Protect Critical Infrastructure From Cyber Attack





+++  OTHER Items of interest as you have time, or the topic suits you (efficiencies, ways to do business, etc)


–Verizon Releases Transparency Report

Verizon has released its transparency report for 2013, which shows that the US government made more than 321,000 requests for user data in that calendar year. Verizon is the first telecommunications company to publish a transparency report. Of those 321,000 requests, at least 6,000 were court orders for real-time metadata.



+ 2014 Outlook: How Cybersecurity will evolve

To meet an ever-changing threat, the United States needs to fundamentally shift the cybersecurity equation




+  White House seeks to defang transparency bill

The chief Senate supporter of the Digital Accountability and Transparency Act says the proposed changes are unacceptable, and he is backed by open-government advocates.


+ How to Hire an MSSP

Considering trusting a managed security services provider to be ­vigilant about your company’s well-being? Here’s how to successfully evaluate, select, and manage a hired security gun.



+ 6 ways to build security into acquisition

report released on Jan. 29 lays out six recommendations for incorporating security standards into the government’s acquisition process, including one that would ensure agencies do business only with companies that meet baseline security standards.  The report’s recommendations include:

■ Institute baseline cybersecurity requirements as a condition of contract award for acquisitions that present cyber risks.

■ Include cybersecurity in acquisition trainings, including training for government contractors.

■ Develop common cybersecurity definitions for federal acquisitions.

■ Institute a federal acquisition cyber risk management strategy.

Require suppliers or resellers to purchase from original equipment manufacturers, their authorized resellers, or other trusted sources.

■ Increase government accountability for cyber risk management.



+  DDoS Just Won’t Die

Record-breaking 309 Gbps distributed denial-of-service attack reported, and attackers continue to employ new ways of flooding and overwhelming struggling targets


+ Moving to the cloud? Learn from CBP’s mistakes

CTO Wolf Tombe’s four years of early-adopter experience provides a host of hard-learned lessons.



+ Data centric security…We all  need to frame privacy by design..



+ Cyber-Defense Specialist Gets Backing Of Major Smartphone Manufacturer And Launches New Approach To Mobile Security Threats



+ Strategy: Social Is a Business Imperative

As compelling as social business is, many organizations have not adopted social products or processes. In this report, we ­examine why social business cannot be ignored and recommend how companies can pave the way for success.



+ Every company will revolve around software: How many will succeed?



Top Mobile Application Threats: The Big Three,61b5173,61d55fb&dni=102453619&rni=18558021&

This white paper takes a look at three of the top mobile application security threats facing businesses today and provides recommendations on how to mitigate the risk.




+++  Threats / bad news stuff / etc..



+  McAfee Labs’ 2014 threat predictions.

A view of what’s expected in 2014:

*              The BYOD trend is fueling attacks on mobile devices that will target enterprise infrastructures.

*              Cybercrime exploits will become more difficult to detect than ever before.

*              Nearly all major social media platforms will be subject to theft of user authentication credentials for the purpose of extracting user identity data.



Georgia Tech: Emerging Cyber Threats Report


Sophos: Security Threat Report 2014


Websense: 2014 Security Predictions


Symantec: 2014 Predications




+ What does NSA fallout mean for cyber



+ Microsoft Maps Out Malware Haves And Have-Nots

Some countries suffer disproportionately from malware infections and cybercrime, and Windows XP could exacerbate the problem



+ Point-Of-Sale System Attack Campaign Hits More Than 40 Retailers

Tor-camouflaged ‘ChewBacca’ payment card-stealing Trojan doesn’t appear to be related to Target, RSA researchers say


+  Target Hackers Tapped Vendor Credentials

Investigators suspect that BMC software, Microsoft configuration management tools, and SQL injection were used as hacking tools and techniques in Target’s massive data breach



+ Multiple Vulnerabilities in Google Chrome Could Allow Remote Code Execution

Multiple vulnerabilities have been discovered in Google Chrome that could result in several issues including remote code execution. Google Chrome is a web browser used to access the Internet. These vulnerabilities can be exploited if a user visits, or is redirected to, a specially crafted web page. Successful exploitation of these vulnerabilities could result in an attacker gaining the same privileges as the affected application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Comments are closed.