Welcome to Cyber News Tidbits 4U!

Here are updated news compilations from the Cyber Security Community

Topic headers (+++):

+++ SD/SoCAL items of interest / opportunities
+++ Likely KEY news you can use (might be impactful in some way)
+++ Other items of FYI / FYSA level interest (skim as you have time, or where the topic suits you: efficiencies, ways to do business, etc.)
+++ Threats / bad news stuff / etc.



Cyber security is serious business for us all – so ACT accordingly!

Special note… I distilled what I consider to be the key wide / long ranging cyber opportunities into one slide (PDF link below) (you know me, it’s jam packed..)
SO… let me know if you want to play in any of them.. blue text items at the bottom of the slide… cyber insurance, privacy by design, etc.:

7 March 2014

+++   SD/SoCAL items of interest / opportunities



+ Mar 10 – SD IEEE Consultants meeting. Consultants: You Say You’re Unique, But Are You?

At Giovanni’s Pizza Restaurant, 9353 Clairemont Mesa Boulevard, San Diego, CA 92123


+ Mar 11 –  Leveraging Social Media for Healthcare


+ Mar 20 – OWASP – Scared Straight – Lance James, Head of Cyber Intelligence, Deloitte & Touche


+ Mar 20-21 – 2014 ASIS region conference – critical infrastructure protection


+ Mar 27 – SD ISSA – PCI & Emerging Technologies


* Mar 28 (Fri) – SD IEEE Cyber SIG – Cyber Security Entrepreneur Workshop *

All day event – Focus is on ‘doing’ cyber that really matters versus continuing to admire the problem / threats…

“Developments in US cybersecurity policy – what can affect you” – Tom Tierney – Vice-President for Government Relations at IEEE-USA and currently chairman of the Department of Commerce’s Emerging Technologies and Research Advisory Committee

“The Hitchhiker’s Guide to Cyber Law” – Justine Phillips – Cyber Attorney

“FBI Forensics – How business gets hacked – really!” – Tim Hamon – Senior FBI Forensics investigator

“Power industry cyber needs – from an IOU perspective” – Doug Rhoades – Chief IA Engineer at SCE

— “AND” Many innovative / disruptive cyber products – over a dozen cool capabilities / companies!!!

To wrap up.. What Really Matters Panel – Cover what works, capabilities still needed, etc. – (members: Milt Lohr (Ceradyne, Inc., previous DepSecDef), Gary Hayslip (SD City CISO), Araceli Gomes (Verizon Cyber Ambassador), Jeff Debrosse (Websense R&D director) and Mike Davis (Cyber consultant))

(Great value too – $49 all day / food & drinks.. @ SD Coleman University on Balboa Ave, 92123)




+ Apr 1-3 – CompTIA Annual Member Meeting .. Rancho Bernardo Inn


+ Apr 2 – Be a Good Neighbor (Cyber & More!) 5:30 PM to 8:00 PM PDT

CyberTECH and Securing Our eCity Foundation are inviting you to join them for an evening of FUN while raising awareness and funds that will benefit the following local San Diego programs: Rescue Mission, CyberHive Veterans for Tech and e3 High School !


+ Apr 9 – Internet of Things Meetup – By CyberTECH


+ Apr 17 – CyberTECH & CyberHive “Startup Table Breakfast”


+ Apr 22-24 – C4ISR Symposium


+ Apr 25 – SD ISSA – Behind the scenes of the APT1 report and a look back at the attack trends of 2012



+ 8-17 – SANS Security West


(( Good link to major security conferences worldwide ))





(admin note – all links work, I checked them all myself.. you may need to cut and paste in browser…)


+++ Likely news you can use…


+ Apple reveals unprecedented details in iOS security

An updated Apple whitepaper on iOS security delves into an unprecedented amount of detail about the security architecture and features of the company’s mobile OS for devices such as the iPhone and iPad. Security professionals and IT consultants are praising both the company’s transparency and its approach to protecting iOS devices, Internet security and users’ data. The 33-page “iOS Security” whitepaper is dated February 2014, and is




+ Out in the open: A new programming language with built-in privacy protocols

Facebook founder and CEO Mark Zuckerberg knows what it’s like. His online privacy was compromised in 2011, and it happened on the online social network that he invented. The flaw could have had serious consequences for other users had it not been quickly fixed. Any application that stores personal data such as photos is vulnerable to bugs that accidentally expose private information. Human error is inevitable. But an MIT PhD student named Jean Yang wants to make these coding mistakes as rare as possible with a new privacy-centric programming language called Jeeves.




+ Microsoft lets agencies test government-only cloud

Microsoft has begun giving a select group of federal customers the chance to put Microsoft’s new government-only cloud service through a series of private tests. “The processes, people, technology, and infrastructure are all in place. We want real-world test loads,” for a shakedown cruise, said Greg Myers, VP of federal sales, in announcing the news Tuesday at Microsoft’s US Public Sector Federal Executive Forum in Washington. Although Microsoft’s commercial Azure cloud offering has received authority to operate under the FedRAMP program for cloud services, the new government platform — announced last fall and called Azure for Government — has not yet been certified.



+ DDoS cyber attacks get bigger, smarter, more damaging

Crashing websites and overwhelming data centers, a new generation of cyber attacks is costing millions and straining the structure of the Internet. While some attackers are diehard activists, criminal gangs or nation states looking for a covert way to hit enemies, others are just teenage hackers looking for kicks. Distributed Denial of Service (DDoS) attacks have always been among the most common on the Internet, using hijacked and virus-infected computers to target websites until they can no longer cope with the scale of data requested, but recent weeks have seen a string of particularly serious attacks.



+ Social platform for sharing cyberthreat intel goes live

IID’s ActiveTrust threat sharing platform combines social networking with binding contracts to create a secure environment in which agencies and enterprises feel comfortable sharing information about cyberthreats.



+ Wireless Patient Vital Signs Monitoring

EMS workers monitor a patient’s vital signs using large, heavy equipment with numerous wires and instruments. This can create entanglement and snag hazards that can be overwhelming and confusing, while taking up precious space in emergency response vehicles. DHS S&T has been working with Sotera Wireless, Inc. to develop a wireless body-worn device that measures vital signs and sends data to a tablet device that can then wirelessly interface with a hospital, dramatically improving ambulatory patient care. On December 3 and 4, 2013, the First Responder Group conducted an operational field assessment of the Wireless Patient Vital Signs Monitoring Device, which is based on a commercial system (ViSi Mobile) that Sotera had already been developing. The device was adapted to meet specific operational requirements identified by first responders. For the field assessment, two emergency room doctors, two firefighters/EMTs, a SWAT paramedic, a local paramedic, and a trauma nurse convened in San Diego, CA, where they performed hands-on assessments of the device in several emergency medical scenarios, including a simulated car accident and ambulance transport. All participants emphasized that the device will advance the safety, effectiveness, and efficiency of emergency patient care.



+ Cybersecurity gets a boost from the National Guard

A $46 billion annual business of protecting infrastructure from cyberattacks largely revolves around the federal government. But within the past year, efforts have ramped up to bring federal-level cybertools and resources to state and local governments — and the National Guard may be the vehicle for driving that collaboration. The feds have been trying to go at cybersecurity alone for years, but they’re finally coming around and including states and localities, said Heather Hogsett, director of the National Governors Association’s (NGA) homeland security and public safety committee. Last year, the NGA backed a bill called the Cyber Warrior Act of 2013, which would have directed the Department of Defense to establish “Cyber and Computer Network Incident Response” teams composed of National Guard members in each state.




+ CyberCom Chief Alexander Lays Down Cyber Red Line; Destroy A Network, Risk War

On the day that China’s president took personal charge of his country’s new cyber body, pledging to make the People’s Republic of China a “cyber power,” the outgoing head of America’s Cyber Command laid out a clear red line that, if crossed, could lead to war. “If it destroys government or other networks, I think it would cross that line,” Army Gen. Keith Alexander, head of both Cyber Command and the National Security Agency, told the Senate Armed Services Committee today when asked what level of cyber “attack” would potentially cause America to go to war. The question of what might spark a war in the event of cyber intrusions is extremely sensitive. For most of the last 15 years the United States denied it even possessed offensive cyber capabilities to respond to an attack, although we have had them for at least most of the last decade



+ Cyber-security concerns create new business opportunities

But according to cyber security expert P.W. Singer, who spoke Monday at a University of South Florida cyber security symposium, consumers don’t have to take it lying down. “Instead of acting like there’s nothing that we can do, we need to understand the space,” said Singer, co-author of “Cybersecurity and Cyberwar: What everyone needs to know.” “Because we’re all using the internet and basically dealing with the simple measures that we can (use to) protect ourselves.”



+ GSA wants civilian cybersecurity center in D.C. region

The General Services Administration is seeking $35 million as part of President Barack Obama’s proposed 2015 budget to establish a civilian cybersecurity center in the D.C. metro area that would enable more collaboration between various federal agencies.

GSA Administrator Dan Tangherlini told reporters Tuesday that the idea is to bring experts from federal agencies — such as the Department of Homeland Security and Department of Justice — together in shared space instead of being spread over multiple D.C.-area buildings.



+ Feds Look To Big Data On Security Questions

Government IT leaders believe continuous monitoring and advanced analytics can help agencies better understand their networks and security. The new report, based on conversations with 18 federal government IT leaders with expertise in big data, cybersecurity, and operations, found that agencies are exploring the opportunities and threats emerging at the intersection of their big data and cybersecurity initiatives.



+ Pentagon CIO points to in-phone security

Defense Department CIO Teri Takai is urging industry to develop mobile devices that can be quickly certified by the Pentagon and that use derived credentials on users’ phones in lieu of Common Access Cards. “We’re going to need to work with industry to make sure that as we look at derived credentials, as we look at a different way of authenticating, which we knew we were going to get to, that you are in fact investing in providing more and more security in that derived credential,” Takai said at FedScoop’s fourth annual MobileGov Summit on Feb. 27.



+ RSA 2014: Insider threat detection tools critical to detection success

Whether an enterprise is just starting to build a program to mitigate the risk of insider threats or has had the program in place for years, without solid insider threat detection tools, an organization’s program has little chance of success. That was a key message offered by Daniel Velez, director of defense programs with Raytheon Oakley Systems, who spoke Wednesday at RSA Conference 2014 about the fundamentals of successful insider threat management programs. Velez said insider threat detection tools, which generally fall under the label of data loss prevention or endpoint monitoring products, are tools deployed to endpoints to monitor how users are interacting with data; they apply policy-based technical controls that prevent users from doing such things as forwarding a sensitive email to a personal account or copying proprietary data to a thumb drive.



+ Less Risk, More Reward: Managing Vulnerabilities in a Business Context

Network security can be both an organization’s savior, and its nemesis. How often does security slow down the business? But security is something you can’t run away from. Today’s cyber-attacks have a direct impact on the bottom line, yet many organizations lack the visibility to manage risk from the perspective of the business. This quandary is a common balancing act that organizations must manage without truly understanding the impact to the bottom line. Traditionally, network security revolves around scanning the servers for vulnerabilities, reviewing them and the risk to the server by drilling down through the reporting to assess how vulnerabilities could be exploited, and then looking at how those risks can be remediated. Looking at vulnerabilities in this technical context leaves a lot to be desired in terms of actual impact on the business. These risks can be put into two groups. There is the security risk, which is about compromise. How can the network be compromised and what would happen if the vulnerability was exploited? What damage would be done, and what information could be lost? Assessing these types of risk is usually the domain of the infosecurity team. The second type of risk is operational. How the business is impacted by addressing the vulnerabilities. This area of security is usually managed by the IT team, who will plan downtime to patch or upgrade the server. But with planned downtime comes unplanned downtime too, as often a fix won’t go according to plan and the fix can create a whole new set of issues for the network….






+++ FYI / FYSA items of interest…


+ Android Becomes the Dominant Player in Spreading Mobile Malware

Are you an Android user? Then this report is going to be revealing for you, and will tell you what is going on behind your smartphone and how your smartphone is at risk. With the evolution of the smartphone, malware growth is also on the rise. Here, I tried to focus on emerging malware techniques and their growth through the Fortinet 2014 threat report carried out by its FortiGuard Labs.



+ When start-ups don’t lock their doors

Young tech companies have a long list of to-dos. Signing up users and raising money are usually at the top of the list. Much further down? Data security. That neglect has recently come back to bite many hot new applications and web services — and their users — and has them rushing to improve their products after breaches and holes were discovered. “There’s so much focus on acquiring customers and delivering products and services that security is not top of mind,” said Tripp Jones, a partner at August Capital, a Silicon Valley venture capital firm. Half-joking, he added: “For many companies, a security breach would almost be a nice problem to have in some cases. It means you have enough customers for someone to care.”



+ Opening new doors: Why IBM spent $1bn on security firm Trusteer | ZDNet

IBM is putting its recent Israeli security acquisition Trusteer to good use. The $1bn buyout of the Israeli financial security startup is giving IBM “a large footprint on the client side, and helping them with client cyber security, especially as IBM expands its cloud offering,” said Trusteer CTO Amit Klein.



+ How this one innocuous tweet could hack a bank account

One inane tweet from mid-2012 was enough to start a chain reaction of information-gathering that could have rivaled the work of a government intelligence agency. And with that dossier of data, a hacker could have ended up ruining one man’s life.




+ A novel way to consider the price for inadequate protection

Calculate the total cost of protection by considering the sum of all costs associated with deployment, including protection, performance, management, support, and price.



+ IAM for the Real World: Identity Governance eBook

Managing identity and access across the enterprise is difficult enough, and even simple provisioning can be tough. Factor in regulating compliance and navigating complex IT and user environments, and you’re looking at a pretty sizable challenge.



+ 95% of bank ATMs face end of security support – Windows XP NOT supported!!!

Banks everywhere are in a race against time to upgrade their ATMs before they become hot targets for hackers.

An estimated 95% of American bank ATMs run on Windows XP, and Microsoft is killing off tech support for that operating system on April 8. That means Microsoft (MSFT, Fortune 500) will no longer issue security updates to patch holes in Windows XP, leaving those ATMs exposed to new kinds of cyberattacks.



+ The future of data security

Criminals after payment card data are advanced and persistent in their attacks and we have to be just as advanced and persistent in our defenses, relying not just on one layer of protections but many. No longer do we have the luxury of assuming our efforts are good enough, or that security just falls into one part of the business. This new frontier requires a cultural shift that builds security awareness and responsibility into every single job description across an organization – an approach that anticipates the breakdown of every defense you’ve put up and then has a backup plan for mitigating when attacks do happen.  With ‘password’ unbelievably still the most common password used and the recently released 2014 Verizon PCI Compliance Report detailing that more than 80 percent of breaches of confidential consumer information in 2012 involved compromised passwords, it’s clear that we can do a much better job protecting our consumer data. Businesses and consumers alike have a significant role in making this happen and government can play a constructive role as well.  The PCI Security Standards Council believes that government should focus on streamlining data breach notification laws, improve public-private collaboration, encourage information sharing and provide more resources for law enforcement activities.



+ VPN flaw makes Android Jelly Bean and KitKat susceptible to hijacking

According to the latest security advisory from Computer Emergency Response Team of India (CERT-In), the flaw which is present in Jelly Bean and KitKat flavours of the Android operating system could allow hackers to bypass security configurations of a VPN and transmit the data shared within the network to a third-party server.

The advisory also mentions that unencrypted communication within such networks can be intercepted by hackers, effectively defeating the purpose of using a VPN. Israeli security researchers were the first to find the vulnerability while testing Samsung’s KNOX enterprise security suite for Android on the Galaxy S4, but later found that it was present on all devices running the mentioned Android versions.



+ Medical Device Security: The Hurdles – Analysis of the Pain Points and the Progress

Healthcare providers, manufacturers and regulators are becoming increasingly aware that networked medical devices face emerging cyberthreats. So they’re finally beginning to take action to address those issues. Still, many hurdles remain. “2014 is an inflection point for medical device security,” said Dale Nordenberg, M.D., founder of the Medical Device Innovation,



+ The Web of Things – IEEECS

The Internet of Things (IoT) is an extension to the current Internet that enables connections and communication among physical objects and devices (see the September 2013 Computing Now theme for more on IoT and its role in ubiquitous sensing). Estimates suggest that there will be 50 billion devices and people connected and leveraging the vision and technology behind IoT by 2020. A related term that’s currently somewhat in vogue is Internet of Everything (IOE), which recognizes the key role of people, or citizen sensing (such as through online social media), to complement the physical sensing implied by IoT. The term Web of Things (WoT) goes beyond the focus on the Internet as the mode of exchanging data, instead bringing in all resources and interactions involving devices, data, and people on the Web. Correspondingly, it brings into focus a wide variety of challenges and opportunities while paving a way to a variety of exciting applications for individuals to industries.



+ DARPA Chip Aims to Secure Electronics Throughout the Supply Chain

It aims to solve the long-standing problem of forged electronic parts. The Pentagon is experimenting with computer chips inside parts for defense systems and other electronics, such as iPhones, that would identify compromised or counterfeit components. The ID chips would self-destruct if outsiders replicate, or “reverse engineer,” the chips to try to outsmart them. The four-year effort is expected to involve multiple developers tapped by the military’s testing arm, the Defense Advanced Research Projects Agency. The Supply Chain Hardware Integrity for Electronics Defense, or SHIELD, technology is meant to solve the long-standing problem of forgery in the chain of custody. Contractors are subject to a growing number of rules to counter the threat of faulty parts. But Pentagon officials and vendors admit efforts have been slow going.



+ U.S. utilities need industry group focused on cyber defense: report

U.S. utilities would benefit from an independent group to set industry-wide guidelines on combating cyber threats, according to a think-tank report released on Friday that was co-authored by a former director of the Central Intelligence Agency. The report, from the Bipartisan Policy Center, said a new independent organization could bring together the disparate interests in the sector to help manage cybersecurity for the nation’s electric grid, and help to deal with threats such as new malware that could be targeted at plants’ information technology systems.



+ How to Fund Enterprise Cybersecurity: CISO Tips

How do you get corporate funding for cybersecurity when it’s so challenging to measure and report ROI to your C suite and board of directors? This was one of the many topics discussed by chief information security officers on several panel sessions we attended last week at the RSA Conference in San Francisco. During a session entitled “Aligning Cyber Security Personnel & Processes,” Greg Schaffer, CISO of Circumference Group and a former Fidelity Investments CSO, summed up the dilemma this way: “The fact that you haven’t had an incident is not an indication that you are secure. The fact that you have had an incident is not an indication that you’re less secure.” How do you find the right metrics to report to your business-side executives? We can draw some lessons from the process outlined by Gary Gagnon, senior VP, CSO, and corporate director of cybersecurity for Mitre Corp. His team provides a monthly executive-level metric report featuring seven or eight briefing charts. He explained these charts and the information they show….



+ DHS lays out cyber framework details

Intrusion detection and prevention, netflow analysis and firewall monitoring are among the services that will be provided to states and territories. DHS will work with the Center for Internet Security Multi-State Information Sharing and Analysis Center (MS-ISAC) to provide intrusion detection and prevention, netflow analysis and firewall monitoring to states and territories — at no cost to the recipients, Schneck wrote.




+++ THREATS / bad news stuff / etc…


+ Phony SSL Certs Spoof Google, Facebook, GoDaddy, others

Dozens of phony SSL certificates were discovered this week mimicking legitimate certs from banks, e-commerce sites, ISPs and social networks. If a user stumbled over one of the bogus certificates on a mobile device it could put them at risk for a man-in-the-middle attack. Disguised as official certificates from Google, Facebook, GoDaddy, YouTube and iTunes, just to name a few, the certs aren’t signed, so it’s unlikely they’ll dupe anyone using a conventional browser.


+ Major companies underreport cyber-risks

Large technology and telecommunications providers are twice as concerned about cyber-risks from outsourcing vendors, and twice as likely to report those concerns in public financial documents, as the vast majority of the Fortune 1000, new research has found. According to the study, “Willis Special Report: 10K Disclosures – How Technology and Telecom Companies Describe Their Cyber Liability Exposures,” released today by Willis Group Holdings plc, the technology and telecommunications companies that provide the infrastructure services for all other sectors of the economy disclosed concerns about cyber-risks stemming from outsourced vendor services at a significantly higher rate than other members of the Fortune 1000.



+ RSA Conference mobile app has vulnerabilities, researchers say

A mobile application designed to make it easier for RSA Conference 2014 attendees to navigate the event and interact with their peers exposes personal information, according to researchers from security firm IOActive. The IOActive researchers who looked at the app identified a half-dozen security issues, including one that allowed man-in-the-middle attackers to potentially inject rogue code into the app’s login screen to steal credentials, said Gunter Ollmann, chief technology officer at IOActive, in a blog post.



+ Bitcoin bank Flexcoin shuts after hacking theft

Flexcoin, a Canada-based bitcoin bank, said it was closing down after losing bitcoins worth about $600,000 to a hacker attack enabled by flaws in its software code. Flexcoin said in a message on its website that all 896 bitcoins stored online were stolen on Sunday. Its collapse came after Mt. Gox, once the world’s dominant bitcoin exchange, filed for bankruptcy protection in Japan and said it may have lost some 850,000 bitcoins due to hacking.



+ Malware-lobbing hackers seize 300,000 routers

More than 300,000 home and small-office (SOHO) routers have been compromised by hackers and are being used to distribute massive quantities of spam and malware. Florida-based security firm Team Cymru sounded that alarm Monday in a research report into the router takeovers, which it’s been tracking since January. Hacked routers have been found everywhere from the United States to Russia, although the largest quantity were traced to Vietnam, India, Turkey, Thailand, and Colombia. Team Cymru has shared its findings with multiple law enforcement agencies, and tried to contact all affected manufacturers, which it said include D-Link, Micronet, Tenda, and TP-Link, among others.



+ FBI plans malware-tracking system to alert users

The director of the FBI said last week that the agency plans to introduce a malware-analysis system later this year that will let businesses and the public report newly identified malware attacks, upload malware samples and receive reports on them. Speaking at the RSA Security Conference in San Francisco, FBI Director James Comey didn’t spend much time discussing this newly proposed interactive malware-analysis system, but he did say it would be derived from something the FBI already uses called “Binary Analysis Characterization and Storage System.” This is an internal malware-analysis tool used by the FBI in its own cybercrime investigations. Comey said the new system for interaction with the public would be called “Malware Investigator.” He didn’t go into great detail about how it would work, but said the idea behind it is to treat malware and viruses much like “fingerprints and DNA” that let the FBI identify crime suspects. “Later this year we’ll roll out Malware Investigator



+ Target Begins Security And Compliance Makeover

Security gets a higher exec profile at the beleaguered retailer in the wake of its massive data breach as Target starts the road to reorganizing its security and compliance operations.



+ Ukraine hit by cyberattacks: Head of Ukraine security service

Ukraine’s telecommunications system has come under attack, with equipment installed in Russian-controlled Crimea used to interfere with the mobile phones of members of parliament, the head of Ukraine’s SBU security service said on Tuesday. “I confirm that an IP-telephonic attack is under way on mobile phones of members of Ukrainian parliament for the second day in row,” Valentyn Nalivaichenko told a news briefing. “At the entrance to (telecoms firm) Ukrtelecom in Crimea, illegally and in violation of all commercial contracts, was installed equipment that blocks my phone as well as the phones of other deputies, regardless of their political affiliation,” he said.

Cyberattacks rise as Ukraine crisis spills to Internet… The crisis in Ukraine has spread to the Internet, where hackers from both sides are launching large cyberattacks against opposing news organizations. Security experts say that they are currently witnessing unusually large denial-of-service attacks, also called DDoS attacks, in which hackers flood a website with traffic to knock it offline. The attacks have been directed at both pro-Western and pro-Russian Ukrainian news sites. In at least one case, hackers successfully defaced the website of the Kremlin-financed news network Russia Today, replacing headlines and articles containing the word “Russia” with the word “nazi.”



+ Critical crypto bug leaves Linux, hundreds of apps open to eavesdropping

Hundreds of open source packages, including the Red Hat, Ubuntu, and Debian distributions of Linux, are susceptible to attacks that circumvent the most widely used technology to prevent eavesdropping on the Internet, thanks to an extremely critical vulnerability in a widely used cryptographic code library. The bug in the GnuTLS library makes it trivial for attackers to bypass secure sockets layer (SSL) and Transport Layer Security (TLS) protections available on websites that depend on the open source package. Initial estimates included in Internet discussions such as this one indicate that more than 200 different operating systems or applications rely on GnuTLS to implement crucial SSL and TLS operations, but it wouldn’t be surprising if the actual number is much higher. Web applications, e-mail programs, and other code that use the library are vulnerable to exploits that allow attackers monitoring connections to silently decode encrypted traffic passing between end users and servers.



+ FBI Director Says Online Crime is Increasingly Sophisticated

Speaking at the RSA security conference in San Francisco, FBI director James Comey said, “Terrorism remains the FBI’s top priority. But in the not too distant future, we anticipate that the cyber threat will pose the number one threat to our country.” The FBI has already begun amassing malware samples in a database known as BACSS (Binary Analysis, Characterization, and Storage System). A declassified version of the database will be made available to agency security partners later this year. Comey said that they want “to make BACSS the same kind of repository that [they] have long maintained for fingerprints, criminal records, and DNA.”

[Note: Of course, that is what the FBI was saying on September 10th, 2001. National law enforcement’s focus will change as crimes change, and having the US national law enforcement agencies get back to playing a major role in cyber security is a good thing because the problem is more of a cybercrime problem than a warfare problem. That said, rather than having the FBI build more databases I’d like to see them focus on increasing human intelligence and the cyber-skills of the agent force – the traditional parts of law enforcement that tend to actually reduce crime the most. BACSS is comparable to the Fingerprint and DNA databases only to the extent that it is a database. Entries do not point to individuals and entries in it do not create a presumption of guilt.]


2 March 2014

+++ SD/SoCAL items of interest / opportunities

+ Mar 6 – SD ISC2 Monthly meeting – cloud / services security. Data protection at its best. (6 PM)
Mitchell International, 6220 Willow Creek Rd., San Diego, California 92131
Light refreshments will be provided.

+ Mar 11 – Leveraging Social Media for Healthcare

+ Mar 20 – OWASP – Scared Straight – Lance James, Head of Cyber Intelligence, Deloitte & Touche

+ Mar 20-21 – 2014 ASIS region conference – critical infrastructure protection

*** Mar 28 (Fri) – SD IEEE Cyber SIG – Cyber Security Entrepreneur Workshop ***
All day event – Focus is on ‘doing’ cyber that really matters versus continuing to admire the problem… If your company has an innovative / disruptive security technology… contact me.

+ Apr 1-3 – CompTIA Annual Member Meeting .. Rancho Bernardo Inn

+ Apr 22-24 – C4ISR Symposium

(all links work, I went to them all myself.. you may need to cut and paste in browser…)

+++ Likely news you can use…

+ Welcome to the New I.T.
So what can IT learn about how to respond in this age of consumer-driven innovation?
• Users don’t want to wait, especially if they know a service can and should be faster.
• Users know what they want, and they are the best people to describe their needs.
• Users want to share their experiences, good and bad.
• IT can learn from users, and can put that knowledge to work to improve services.
• IT can benefit from reduced friction with users, reduced downtime, increased productivity, and more time directed to other valuable projects.

+ More Than 100 Flavors Of Malware Are Stealing Bitcoins
Specialized form of malware empties electronic wallets of digital currency, and antivirus often misses it. RSA CONFERENCE 2014 — San Francisco — For just $35, you can buy a popular, specialized malware tool that steals Bitcoins and other such electronic currency — and researchers have unearthed more than 100 different malware families that specialize in this form of theft.

+ Solving The Security Workforce Shortage
To solve the skills shortage, the industry will need to attract a wider group of people and create an entirely new sort of security professional… In recent years, CISOs have succeeded in getting more boardroom buy-in for security tools and staff. According to (ISC)2’s most recent Global Information Security Workforce Study, two-thirds of C-level managers believe their security departments are too small. Employers are interested in expanding their security staff, but they can’t find people to fill the positions.

+ Big data under the surface at Mobile World Congress
The Mobile World Congress (MWC) is about mobile devices and the hottest new handheld devices – from smartphones to tablets to wearables. You’ll get the latest on the Samsung S5, Nokia, and LG, and Intel chipset news, but if you look a bit deeper, you’ll also see that data is a big theme within and around the show. Many of this year’s MWC programs revolve around the relationships between us and our devices, and understanding and utilizing the growing quantities of data produced by our digitally-connected possessions.

+ House passes FITARA (again)
The House passed the Federal IT Acquisition Reform Act on a Feb. 25 voice vote. The bill has been modified since its passage in the House as part of the defense bill in June 2013. Its core of consolidating authority to hire and make budget decisions around a department-level CIO is still intact, however. Under FITARA, government agencies would have a single CIO, appointed by the president and reporting to the agency head, with more authority over IT executives at component agencies than is typically the case. The bill has been expanded to include the Department of Defense.
“There are more than 250 identified CIOs in the federal government, yet none possess the necessary authority to effectively manage IT investments

+ China boosts cybersecurity efforts, strives to become ‘Internet power’
China is bolstering its efforts on cybersecurity with a new high-level committee that aims to turn the nation into an “Internet power,” the country’s official state media said last week.
Chinese President Xi Jinping is leading the new government body, which first met on Thursday. Xi was quoted as stating that cybersecurity and information technology had become a matter of national security. “Without cybersecurity there is no national security, without information technology there is no modernization,” Xi added.

+ DHS seeks assessment of cybersecurity market for smaller companies
The Department of Homeland Security wants to know more about the state of the market for affordable cybersecurity protection for small and medium-sized businesses. In a request for information released Feb. 20, DHS said it wants to learn more about the role the cybersecurity industry might play in helping such companies adopt the Cybersecurity Framework released by the National Institute of Standards and Technology earlier this month. The move is part of a voluntary program called the Critical Infrastructure Cyber Community, which seeks to connect companies, especially those that handle critical infrastructure, with available resources to secure and protect operations and networks.

+ The next security perimeter? You’re wearing it.
The idea of wearable technology is not new to government. In the military, the concept of using hands-free technology to integrate soldiers in the field into mobile ad hoc networks is part of the Defense Department’s vision of network-centric warfare. But what happens when unmanaged personal or wearable devices are brought into the workplace to connect with the enterprise network? The result is another layer of security concerns for agencies that still are struggling with the challenges presented by the bring-your-own-device movement.

+ 2013 Global Encryption Trends Study by Ponemon Institute & Thales Security
• Business unit leaders are gaining influence over their company’s use of encryption solutions.
• Employee mishap is considered the main threat to sensitive and confidential data.
• The main driver for using encryption is lessening the impact of data breaches.
• The most salient threat to sensitive or confidential data is employee mistakes, at 27% (hackers account for only 13%).
• Discovering where sensitive data resides in the organization is a huge burden.

+ 96 Percent Of Applications Have Security Vulnerabilities
Nearly all applications tested have security flaws, Cenzic study says; information leakage is chief culprit
This figure has dropped slightly — the same study turned up flaws in 99% of apps in 2011 and 2012 — but the vulnerabilities remain nearly ubiquitous. In fact, the median number of vulnerabilities per application found in this year’s study (14) is actually greater than in the previous year (13).

+ The Best Medical Device Companies of 2013
With the S&P Healthcare Equipment Select Industry Index up 32% this past year, it’s clear that the industry performed well in 2013 — but which stocks were the biggest winners? Some of the best performers outpaced the index significantly last year, and, in this series, I review five of the biggest movers. So far I’ve discussed why diabetes device maker Dexcom and cardiovascular device plays Cardiovascular Systems and Abiomed made big moves last year.
This time we cover NuVasive, a maker of minimally invasive products for spine fusion surgery that competes against Medtronic, Stryker, and Zimmer

+ Calls continue for Congressional action on cybersecurity
The Obama administration may have issued a framework to help protect companies from cyberattacks, but that doesn’t mean that the issue is off of Congress’s plate. In fact, top tech officials said on Wednesday that the effort out of the Commerce Department could help spur new legislation to protect computer networks. “My hope is that because of this framework, it creates a motivating force and an action-forcing event to get Congress to take on the events of this that still require public policy,” said Dean Garfield, head of the Information Technology Industry Council, at an event at the Brookings Institution.

+ Retailer data breaches hit millions of Calif. accounts
SAN FRANCISCO — California is one of the few states that requires companies to report data breaches involving 500 or more customers, and the numbers are going up. In 2012, the first year reports were required, the state logged 131 breaches. In 2013 that number climbed to 170. Those two years worth of breaches represent the exposure of personal information for more than 20 million customers. Because of that, state Attorney General Kamala Harris on Thursday elevated cybersecurity to a major focus of the state’s top crime-fighting agency. Retail breaches were the biggest problem in 2013. Data thefts at Target and LivingSocial, Inc., alone each affected about 7.5 million California customer accounts.

+ SBIR sites of interest – good sources

+++ FYI / FYSA Items of interest…

+ Verizon Shares Glimpse Into Upcoming 2014 Data Breach Investigations Report
Breach data for upcoming Verizon report comes from some 50 contributing organizations from 95 nations, including Eastern European and Latin American CERTs

+ Lessons Learned From The Target Breach
The time is ripe for organizations to take a long, hard look at how they manage employee access and secure sensitive data in cloud environments. According to the Wall Street Journal’s Joel Schectman, “So far, seven financial institutions have filed class action suits against Target alleging the retailer didn’t adequately protect customer data.” The litigation will make the data breach even more expensive for Target than it already is.

+ Boeing is making a spy phone that self-destructs
Boeing has filed papers with the FCC to develop a smartphone for people in the business of secrets. The phone, simply called “Black,” will run an Android-variant operating system, be compatible with other technology, and – like any good spy phone – will self-destruct if you figure out its secrets. This filing comes two years after the original news leaked that the company was working on a smartphone, which will support all the world’s major communications (GSM, LTE, and WCDMA), storage (USB, HDMI, SIM), and wireless (Bluetooth, Wi-Fi) standards.

+ Lawmakers Call for New Cyber Security Laws. – Several Senators are calling for the creation of a select Congressional committee to shepherd through cyber security legislation designed to better protect the U.S. from cyber attacks. Sen. John McCain, R-Ariz. and Sen. Angus King, I-Maine, raised the issue Feb. 27 in a Senate Armed Service Committee hearing on U.S. Strategic Command and U.S. Cyber Command. “Both McCain and King made reference to an earlier failed effort to strengthen cyber security — the Cybersecurity Act of 2012 — which ran into procedural trouble getting passed through the Senate…

+ Fixing Trust Through Certificate Transparency – The security of data being transmitted over the Web relies on a large number of moving parts, from the integrity of the machine sending the data, to the security of the browser, to the implementation of encryption, to the fragility of the certificate authority system. Experts have been spending the best part of the last decade trying to address many of these issues, but there are still a number of hard problems to solve. One of the most difficult of these is the way that users and browsers interact with the CA system and how the CAs handle certificate issuance and attempts to tamper with the system. ….

+ Health law cybersecurity challenges
As the Obama administration raced to meet its self-imposed deadline for online health insurance markets, security experts working for the government worried that state computer systems could become a back door for hackers. Documents provided to The Associated Press show that more than two-thirds of state systems that were supposed to tap into federal computers to verify sensitive personal information for coverage were initially rated as “high risk” for security problems. Back-door attacks have been in the news, since the hackers who stole millions of customers’ credit and debit card numbers from Target are believed to have gained access through a contractor’s network.

+ Privacy concerns swirl around TSA Pre-check program
The Transportation Security Administration is greatly expanding its expedited airport screening program called Pre-check for millions of passengers, although security and privacy experts continue to raise concerns about the program. More than 55 million travelers have enjoyed a brisker walk through expedited screening, which includes Pre-check, since the program began in October 2011. Pre-check participants typically get through checkpoints faster by keeping on their shoes and jackets, and leaving laptops and small containers of liquids in their carry-on bags. After starting with frequent fliers, the program is now open to general travelers who can pass a background check.

+ Pentagon to ask for more cyber spending in next budget
The Pentagon’s cyber budget will get a boost as part of the department’s fiscal 2015 budget request, Defense Secretary Chuck Hagel said Tuesday. “We are adjusting our asset base and our new technology,” the Pentagon’s top official said, adding that the department will increase spending to help improve its cyber capabilities, including a larger focus on cyber security, intelligence gathering, and reconnaissance. The department’s budget request will be released March 4, as part of the Obama administration’s budget, and the secretary is expected to offer a preview Monday.

+++ THREATs / bad news stuff / etc…

+ US Attorney General Pushes for Federal Breach Notification Law. US Attorney General Eric Holder is urging legislators to enact a law that would establish a national breach notification standard, noting that such legislation would better allow people to protect themselves from identity theft and would aid law enforcement investigations. The law would also hold entities that fail to adequately protect sensitive data accountable. While banks and hospitals are subject to federal data breach laws, other companies, such as retailers, have no such standard.
Forty-six US states and the District of Columbia each have their own versions of breach notification laws. In a letter to Congress last month, the National Retail Federation reiterated its support for a national breach notification standard.

+ Pony Botnet Steals Digital Wallets and Account Access Credentials (February 24, 2014) Botnet malware known as Pony steals digital wallets from computers it infects. In all, the thieves have stolen about US $220,000 worth of virtual currency. Eighty-five digital wallets were pilfered between September 2013 and January 2014. The affected currencies include Bitcoins, Litecoins, Primecoins, and Feathercoins. The malware also stole access credentials for 725,000 website, FTP, secure shell, remote desktop, and email accounts.

+ World’s biggest cyberattack detected, 360 million accounts, 1.25 billion email addresses hacked
LONDON: An internet security firm has stumbled upon a “mind boggling” and “Godzilla-sized” cache of personal data put up for sale on the online black market by hackers.
One of the hacker attacks stole over 105 million records, making it the single largest data breach in cybercrime history. The trove included credentials from more than 360 million accounts and around 1.25 billion email addresses. The discovery was made by cybersecurity firm Hold Security. “These credentials can be stolen directly from your company but also from services in which you and your employees entrust data. In October 2013, Hold Security identified the biggest ever public disclosure of 153 million stolen credentials from Adobe Systems. One month later we identified another large breach of 42 million credentials from Cupid Media,” the firm said.

+ China’s President Will Lead a New Effort on Cyber Security (New York Times, February 27) – President Xi Jinping is presiding over a new working group on cybersecurity and information security, China announced on Thursday, a sign that the Communist Party views the issue as one of the country’s most pressing strategic concerns. The government said Mr. Xi and two other senior leaders, Prime Minister Li Keqiang and Liu Yunshan, a member of the Politburo Standing Committee, would help draft national strategies and develop major policies in a field that might include protecting national secrets and developing digital defenses, among other goals. “Efforts should be made to build our country into a cyberpower,” Mr. Xi said in a statement released after the first meeting of the group on Thursday, according to the official Xinhua News Agency….

+ Apple security flaw could allow hackers to intercept emails
A major flaw in Apple Inc software for mobile devices could allow hackers to intercept email and other communications that are meant to be encrypted, the company said on Friday, and experts said Mac computers were even more exposed. If attackers have access to a mobile user’s network, such as by sharing the same unsecured wireless service offered by a restaurant, they could see or alter exchanges between the user and protected sites such as Gmail and Facebook. Governments with access to telecom carrier data could do the same.
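The Apple flaw (widely referred to as “goto fail”) had a different shape from the GnuTLS bug above: in the Secure Transport check of the server’s signed key exchange, a duplicated unconditional goto fail; jumped to the cleanup label while the error variable still held 0, so the signature verification below it never ran and the function returned success. At the time of the report Apple had shipped the iOS fix but not yet the OS X one, which is why Macs were described as more exposed. The block below is an added illustration written for this digest, not Apple’s code; the toy hash, the constant names and the transcript bytes are constructed for the example.

```c
#include <stdio.h>
#include <stddef.h>

/* Added illustration for this digest, not Apple's code: a signature check that is
 * skipped by a duplicated unconditional 'goto fail;' while the error variable
 * still holds 0. The hash, the constants and the transcript bytes are toys. */

typedef int OSStatus;
#define noErr 0
#define errBadSignature (-9)   /* hypothetical error code */

/* Toy stand-in for hashing the handshake transcript (constructed, not a real hash). */
static OSStatus hash_update(unsigned int *h, const unsigned char *p, size_t n)
{
    while (n--)
        *h = (*h * 31u) ^ *p++;
    return noErr;
}

/* Toy stand-in for verifying the server's signature: the "signature" is the expected hash. */
static OSStatus raw_verify(unsigned int h, unsigned int sig)
{
    return h == sig ? noErr : errBadSignature;
}

/* Buggy shape: the second 'goto fail;' is unconditional, so raw_verify() is dead
 * code and the function returns the last value of err, which is 0 (success). */
static OSStatus verify_buggy(const unsigned char *srv_random, size_t rlen,
                             const unsigned char *params, size_t plen, unsigned int sig)
{
    OSStatus err;
    unsigned int h = 0;

    if ((err = hash_update(&h, srv_random, rlen)) != 0)
        goto fail;
    if ((err = hash_update(&h, params, plen)) != 0)
        goto fail;
        goto fail;                    /* duplicated line: always taken */
    err = raw_verify(h, sig);         /* never reached */
fail:
    return err;
}

/* Fixed shape: no duplicate, and the returned status starts as a failure that only
 * the final signature check can clear, so a stray jump to 'fail' fails closed. */
static OSStatus verify_fixed(const unsigned char *srv_random, size_t rlen,
                             const unsigned char *params, size_t plen, unsigned int sig)
{
    OSStatus err;
    OSStatus status = errBadSignature;
    unsigned int h = 0;

    if ((err = hash_update(&h, srv_random, rlen)) != 0) {
        status = err;
        goto fail;
    }
    if ((err = hash_update(&h, params, plen)) != 0) {
        status = err;
        goto fail;
    }
    status = raw_verify(h, sig);
fail:
    return status;
}

int main(void)
{
    /* Constructed transcript pieces and a forged signature value. */
    const unsigned char r[] = "client-random";
    const unsigned char p[] = "dh-params";
    unsigned int h = 0;
    hash_update(&h, r, sizeof r - 1);
    hash_update(&h, p, sizeof p - 1);
    unsigned int forged = h ^ 0xdeadbeefu;

    printf("buggy verifier, forged signature: %d (0 = accepted)\n",
           verify_buggy(r, sizeof r - 1, p, sizeof p - 1, forged));
    printf("fixed verifier, forged signature: %d\n",
           verify_fixed(r, sizeof r - 1, p, sizeof p - 1, forged));
    return 0;
}
```

Two defenses generalize beyond this one bug: build with unreachable-code warnings enabled and treated as errors (clang’s -Wunreachable-code flags the dead raw_verify() call above), and keep the verification result in a variable that only the final check can set to success, so that any accidental jump to the cleanup label fails closed.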

+ South Korea Plans to Develop Cyberweapons to Use Against North Korean Nuclear Facilities
South Korea’s defense ministry says that it plans to develop Stuxnet-like cyberweapons to use against North Korea’s nuclear facilities. The defense ministry told the government of its plan earlier this month. At least one expert has warned that using cyberweapons against critical infrastructure could have unforeseen consequences.

+ Malicious apps in Google Play store grow 388 percent
Between 2011 and 2013 the share of malicious apps in the Google Play store increased more than fourfold, from 2.7 percent in 2011 to 12 percent in 2013. Over the same period, the share of malicious apps that Google removed dropped from 60 percent to 23 percent. The decline in removals could be explained by malware purveyors using infection methods that elude traditional detection tools.

+ New Tinder security flaw exposed users’ exact locations for months
Internet security researchers in New York say that a flaw in Tinder, the super-popular hookup app, made it possible to find users’ precise location for between 40 and 165 days, without any public notice from the company. Tinder—which connects flirty smartphone users with others nearby—is supposed to show users roughly how close they are to each other. Distance is rounded to the nearest mile, a safe-seeming threshold that has helped the app become addictive to both sexes. In October, however, researchers at Include Security discovered that Tinder servers were actually giving much more detailed information—mileage to 15 decimal places—that would allow any hacker with “rudimentary” skills to pinpoint a user’s location to within 100 feet. Depending on the neighborhood, that’s close enough to determine with alarming accuracy where, say, an ex-girlfriend is hanging out.
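Why fifteen decimal places of mileage matter: with a precise distance from three vantage points an observer can solve for the user’s position directly (trilateration), whereas distances rounded to the nearest mile give an answer that is off by about the size of the rounding. The block below is an added illustration written for this digest, not Include Security’s tooling; the vantage points and target are constructed, coordinates are local metres on a flat plane, and round_to_mile() stands in for what the app’s UI was supposed to show.

```c
#include <stdio.h>

/* Added illustration for this digest, not Include Security's tooling: why
 * high-precision distances leak a position. Coordinates are local metres on a
 * flat plane; the vantage points and target are constructed. */

#define METRES_PER_MILE 1609.344

struct point { double x, y; };

/* Newton-iteration square root, so the example needs no libm. */
static double sqrt_newton(double v)
{
    if (v <= 0.0)
        return 0.0;
    double r = v;
    for (int i = 0; i < 200; i++)
        r = 0.5 * (r + v / r);
    return r;
}

static double dist(struct point a, struct point b)
{
    double dx = a.x - b.x, dy = a.y - b.y;
    return sqrt_newton(dx * dx + dy * dy);
}

/* The distance the UI was meant to show: rounded to the nearest whole mile. */
static double round_to_mile(double metres)
{
    return (double)(long)(metres / METRES_PER_MILE + 0.5) * METRES_PER_MILE;
}

/* Trilateration: subtracting the first circle equation
 * (x-xi)^2 + (y-yi)^2 = di^2 from the other two leaves a 2x2 linear system,
 * solved here by Cramer's rule. Returns 0 on success, -1 if the three vantage
 * points are collinear (no unique solution). */
static int trilaterate(const struct point p[3], const double d[3], struct point *out)
{
    double a1 = 2.0 * (p[1].x - p[0].x), b1 = 2.0 * (p[1].y - p[0].y);
    double c1 = d[0] * d[0] - d[1] * d[1]
              + p[1].x * p[1].x - p[0].x * p[0].x
              + p[1].y * p[1].y - p[0].y * p[0].y;
    double a2 = 2.0 * (p[2].x - p[0].x), b2 = 2.0 * (p[2].y - p[0].y);
    double c2 = d[0] * d[0] - d[2] * d[2]
              + p[2].x * p[2].x - p[0].x * p[0].x
              + p[2].y * p[2].y - p[0].y * p[0].y;
    double det = a1 * b2 - a2 * b1;
    if (det < 1e-9 && det > -1e-9)
        return -1;
    out->x = (c1 * b2 - c2 * b1) / det;
    out->y = (a1 * c2 - a2 * c1) / det;
    return 0;
}

/* Error in metres when locating 'target' from three vantage points using either
 * the exact reported distances or mile-rounded ones. Returns -1 if unsolvable. */
static double locate_error(const struct point p[3], struct point target, int rounded)
{
    double d[3];
    struct point est;
    for (int i = 0; i < 3; i++) {
        d[i] = dist(p[i], target);
        if (rounded)
            d[i] = round_to_mile(d[i]);
    }
    if (trilaterate(p, d, &est) != 0)
        return -1.0;
    return dist(est, target);
}

int main(void)
{
    /* Constructed: three observer-chosen vantage points 1 km apart and a target between them. */
    struct point vantage[3] = { { 0.0, 0.0 }, { 1000.0, 0.0 }, { 0.0, 1000.0 } };
    struct point target = { 300.0, 450.0 };
    printf("error with precise distances: %.6f m\n", locate_error(vantage, target, 0));
    printf("error with mile-rounded distances: %.1f m\n", locate_error(vantage, target, 1));
    return 0;
}
```

With the exact distances the solver lands on the target to floating-point precision; with the same distances rounded to whole miles it misses by more than a kilometre. The lesson for an API that is supposed to expose only coarse proximity is that the rounding has to happen server-side, before the value leaves the service, not in the client’s display code.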
