Welcome to Cyber News Tidbits 4U!

Here are updated news compilations from the Cyber Security Community.

Another weekly security news gram… (almost 2 weeks' worth, so… it is jam-packed):

Topic headers (+++):

1 +++ Key security news you can likely use (may be impactful in some way)
2 +++ Other items of general FYI / FYSA level interest
3 +++ Threats / bad news stuff / etc… AND…
4 +++ SD/SoCAL items of interest / opportunities (send me your SD meetings!)

Ciao, Mike. Cyber security is serious business for us all – so ACT accordingly!

FYI – I am now available for: organizational risk management, effective cyber security solutions, PM, Systems / SoS / I&I engineering, V&V / C&A / TE&C, ETC…;-))

Qualifications and Experience background

(admin note – all links should work, I checked them all myself… you may need to cut and paste a link into your browser…)

MAY 31

+++  News you can likely use…



+ U.S. companies seek cyber experts for top jobs, board seats (CISOs RULE…;-))

Some of the largest U.S. companies are looking to hire cybersecurity experts in newly elevated positions and bring technologists on to their boards, a sign that corporate America is increasingly worried about hacking threats. JPMorgan Chase & Co, PepsiCo Inc, Cardinal Health Inc, Deere & Co and The United Services Automobile Association (USAA) are among the Fortune 500 companies seeking chief information security officers (CISOs) and other security personnel to shore up their cyber defenses, according to people with knowledge of the matter. Large corporations have recently hired CISOs for between $500,000 and $700,000 a year, according to Matt Comyns, global co-head of the cybersecurity practice at search firm Russell Reynolds Associates. Compensation for CISOs at some technology companies with generous equity grants has reached as high as $2 million, he said. In comparison, CISOs who have been with a company for five or more years are on $200,000 to $300,000 per year.




+ Lack of Threat Intelligence puts CISOs' Jobs at Risk

In the moments immediately following a cyberattack, are you confident that your agency would be able to provide an accurate incident briefing to your CEO and board of directors? Understanding the importance of threat intelligence helps improve an agency's rate of response and its ability to gather time-sensitive details surrounding an incident as quickly as possible. In this whitepaper, researchers surveyed over one thousand IT and IT security practitioners in the United States and EMEA to see what they would do in the face of a cyberattack… Ponemon – Threat Intelligence & Incident Response: A Study of U.S. & EMEA Organizations



+ Samsung moves to upstage Apple with new biometric data platform

Samsung is building a "data bank" of people's biometric information that app developers and researchers can plug into to create clever, health-related services – ideally for Samsung devices. Following the release of its Gear Fit wearable fitness tracker, its new SAMI platform, overseen by a former director of Apple's Siri, is another step for Samsung into the increasingly consumerized healthcare space, and one that sees it pre-empt what may be similar, health-related announcements from Apple next week at its WWDC conference for developers.



+ The Building Security In Maturity Model (seems a decent effort to be aware of, if not join…)

The BSIMM is designed to help you understand, measure, and plan a software security initiative. The BSIMM was created by observing and analyzing real-world data from 67 leading software security initiatives.


+ National Initiative for Cybersecurity Education (NICE) releases draft of the National Cybersecurity Workforce Framework 2.0

NICE developed the National Cybersecurity Workforce Framework (the Workforce Framework) to define the cybersecurity workforce and provide a common taxonomy and lexicon by which to classify and categorize workers. The draft of Version 2.0 is available in spreadsheet format at the NICCS portal here:


+ A CISO’s Strategy for Winning Funding



+ New banking Trojan 'Zberp' offers the worst of Zeus and Carberp

A new computer Trojan that targets users of 450 financial institutions from around the world appears to borrow functionality and features directly from the notorious Zeus and Carberp malware programs. The new threat, dubbed Zberp by security researchers from IBM subsidiary Trusteer, has a wide range of features. It can gather information about infected computers, including their IP addresses and names; take screenshots and upload them to a remote server; steal FTP and POP3 credentials, SSL certificates and information entered into Web forms; hijack browsing sessions and insert rogue content into opened websites; and initiate rogue remote desktop connections using the VNC and RDP protocols.


+ New framework for SCADA being developed by DARPA

DARPA has been working hard on its High-Assurance Cyber Military System (HACMS). The High-Assurance Cyber Military System will allow them to secure SCADA systems.



+ Everything Is Broken —  (a bit of a RANT, but some good points too)


+ Messaging 3.0



+  Leveraging threat intelligence to stay one step ahead








+++  FYI / FYSA  Items of interest…



+ Google takes steps to comply with EU’s ‘right to be forgotten’ ruling

Google has taken the first steps to meet a European ruling that citizens can have objectionable links removed from Internet search results, a ruling that pleased privacy campaigners but raised fears that the right can be abused to hide negative information. The balance between privacy and the freedom of information has been a hot topic in Europe, whose citizens enjoy some of the world’s strictest data protection laws, especially after last year’s revelations about the extensive global surveillance programs run by the United States. Google, which processes more than 90 percent of all Web searches in Europe, said on Thursday that it had made available a webform through which people can submit their requests, but did not say how soon it would remove links that meet the criteria for being taken down.



+ U.S. Cyber Command wants DISA to take greater role in DoD cyber defense

U.S. Cyber Command is in talks with the Defense Information Systems Agency to give DISA more day-to-day responsibilities for defending DoD networks from cyber threats. The precise division of labor between the two DoD organizations is a long way from being sorted out, but Adm. Michael Rogers, who took over as commander of U.S. Cyber Command two months ago, said his preferred approach would involve the creation of a Joint Force Headquarters at DISA. The organization would absorb a significant amount of DoD’s workload with regard to defensive cyber operations and would play a supporting role to U.S. CYBERCOM.



+ Guard Data in Government Environments by Implementing Continuous Diagnostics and Mitigation

As government agencies continue to face increasingly hazardous IT security threats, they are constantly challenged to keep these threats at bay while protecting sensitive—and often classified—data. Read this whitepaper to learn more about the implementation of continuous diagnostics and mitigation, which is designed to facilitate an automated approach to evolving network and systems cybersecurity.



+ NIST Special Publication (SP) 800-101 Revision 1, Guidelines on Mobile Device Forensics.

SP 800-101 Rev. 1 can be found on the CSRC SPs page:


+ Microsoft's myBulletins Dashboard

Microsoft has launched a dashboard for systems administrators that displays which Microsoft patches are available for the products their company currently uses. myBulletins is available on Microsoft’s Technet website. The new product does not offer notifications or advisories about unpatched vulnerabilities.



+ FTC Wants Transparency and Accountability From Data Brokers (who sell YOUR PII / personal data!)

The US Federal Trade Commission (FTC) is seeking legislative and best-practices changes to encourage transparency and accountability from data brokers. Data brokers collect information from many sources, most of the time without consumers' knowledge. The FTC has asked Congress to consider legislation that would give consumers more control over their data.

FTC Data broker Report:

[NOTE – The Court of Justice of the European Union just ruled that Google has to give people the "right to be forgotten" and delete information from search indices and caches upon request. The FTC report is addressing similar issues. What it comes down to: the search and data broker industry is really all about collecting user information to target lucrative advertising – it is the "Mad Men" of the 21st century, a US-centric reference to when the television generation of advertising firms began to use computers to target their ads. Transparency is certainly needed, and end users should have more say in what happens to their data – i.e., Opt In is an important goal!]



+ AND NOW, how to get ahead of all the data brokers and NSA fiascos AND the privacy issues therein???

Join our effort to finesse our cyber model for the "Privacy by Design (PbD)" initiative – based on solid data-centric security methods…

SO… SKIM our preliminary draft slides and let us know your thoughts… all backed up by an overall business risk management approach…



+ Final reminder for you "BD" types…. SeaPort Enhanced Event – SPAWAR CHENG (N00024-14-R-3283). NOTE – I just left SPAWAR, so I know a little background, et al… I have a pretty good overall SPAWAR HQ 'fact sheet' I can give you… TA… Cyber… MA… just ask me…;-))

Cyber Security, Information Assurance and Technical Authority support services for SPAWAR Office of the Chief Engineer (CHENG) (SPAWAR 5.0) and various C4ISR programs. This task order provides architecture, analysis, interoperability assessments, engineering, and technical management services. The level of effort is estimated to be 88 FTEs per year.



+ eBay demonstrates how NOT to respond to a huge data breach

Losing control of more than 100 million customers' information is an increasingly common corporate crisis. Flubbing the public revelation of that breach and failing to tell most of your customers represents a more special form of train wreck. In the wake of eBay's revelation earlier this week that it had lost as many as 145 million customers' data, eBay users and security response professionals say they've been increasingly angered and amazed at the company's ham-fisted public response to an incident that has already sparked multiple government investigations. eBay's mistakes include taking days to post a notice about the breach and confusing users as to whether their PayPal accounts had also been affected.



+  Healthcare cybersecurity worse than retail:



+ Cyber security – The bullseye of the storm | Analysis | The Lawyer


+ Data “Centered” – Focusing Security to Combat the Rise in Data Center Attacks






+++  THREATs  / bad news stuff / etc…


+ iPhones and iPads Held Hostage

Some owners of iPhones and iPads have found their devices held hostage by malware that locks them until the demand, usually about US $100, is paid. The attacker exploited the Find My iPhone feature to launch the attack, which has mainly affected people in Australia. While it is not clear how the attacker obtained the information used to launch the attacks, there is speculation that it was obtained in a breach elsewhere and that the attack affects users who reuse the same set of credentials across multiple accounts. Apple denied that its iCloud service has been breached. Apple Australia recommends that users change their Apple ID passwords.



+ Another recent ATM skimming attack

Another recent ATM skimming attack, in which thieves used a specialized device to physically insert malicious software into a cash machine, may be a harbinger of more sophisticated scams to come.



+ "Newscaster" Espionage Campaign Targeted Diplomatic and Military Information

A cyber espionage campaign that has been operational for three years, believed to be emanating from Iran, used phony social media accounts to target US and Israeli journalists, diplomats, military personnel and others and steal access credentials for their email accounts. The effort appears to be aimed at unearthing information about the US's posture on nuclear diplomacy with Iran. The campaign has been dubbed "Newscaster" because it involved setting up a dummy news outlet to make friend requests on social networks seem legitimate.



+ U.S. organizations STILL falling behind in fight against cyber crime, study says

A new report finds that American businesses and institutions are failing to meet the cybersecurity threat posed by hackers at home and abroad. "One thing is very clear: The cybersecurity programs of U.S. organizations do not rival the persistence, tactical skills, and technological prowess of their potential cyber adversaries," finds the 2014 U.S. State of Cybercrime Survey. "Today, common criminals, organized crime rings, and nation-states leverage sophisticated techniques to launch attacks that are highly targeted and very difficult to detect." Syria, Iran and Russia are cited as "a particularly pernicious threat."



+ Heartbleed tested agency readiness

Agencies that were most active in achieving government-wide cybersecurity goals had an easier time mitigating the threat posed by the Heartbleed vulnerability, said Ari Schwartz, director for privacy, civil liberties and cybersecurity policy at the White House. Systems that had implemented basic hygiene in keeping with the Cross-Agency Priority Goal faced less risk from the Heartbleed vulnerability in the open source security software OpenSSL than those who were lagging behind, Schwartz said at a May 28 cybersecurity event held by AFCEA’s Washington, D.C., chapter.


+ Sacrebleu! French spooks snoop on US execs’ docs

State-sponsored French hackers are probably the most “capable” of stealing the business secrets of American companies, after China, according to former CIA director and defense secretary, Robert Gates. In a video interview with CNN’s Fareed Zakaria sponsored by the Council on Foreign Relations, Gates made the surprising revelation that in France, “government and business have operated hand-in-hand since the time of Louis XIV”. “What we accuse China of doing – stealing American companies’ secrets and technology – is not new nor is it done only by the Chinese,” said Gates. “There are probably a dozen or 15 countries that steal our technology in this way. In terms of the most capable next to the Chinese are probably the French, and they’ve been doing it a long time.”



+ U.S. Justice Department law enforcement operation to seize control over the Gameover ZeuS botnet

The U.S. Justice Department is expected to announce today an international law enforcement operation to seize control over the Gameover ZeuS botnet, a sprawling network of hacked Microsoft Windows computers that currently infects an estimated 500,000 to 1 million compromised systems globally. Experts say PCs infected with Gameover are being harvested for sensitive financial and personal data, and rented out to an elite cadre of hackers for use in online extortion attacks, spam and other illicit moneymaking schemes.


+ Chinese Hackers Show Humans Are Weakest Security Link – several solid points… you know most of them…. but lacking in execution!



+ RAT in a Jar: A Phishing Campaign Using Unrecom

Over the past two weeks, we have observed an increase in attack activity against the U.S. state and local government, technology, advisory services, health, and financial sectors associated with this campaign. Attacks have also been observed against the financial sector in Saudi Arabia and Russia.

As Unrecom is a comprehensive multi-platform Java-based remote access tool, currently not detected by most AntiVirus products, it presents a risk to a large number of potential victims, regardless of operating system. PDF file on the threat:





+++ SD/SoCAL items of interest / opportunities





10-11 – CIPP Training – Andy Serwin and Michael Cox



12 – Joint ISACA / ISSA / AITP Event – CIO's Dilemma: Securing the Internet of Things @ Qualcomm Auditorium



16-18 – 18th Annual Colloquium for Information Systems Security Education

The Colloquium recognizes that the protection of information and of the infrastructures used to create, store, process, and communicate information is vital to business continuity and security. The Colloquium's goal is to work together to define current and emerging requirements for information assurance education and to influence and encourage the development and expansion of information assurance curricula, especially at the graduate and undergraduate levels.


19 – OWASP Monthly Chapter meeting – Aaron Portnoy, VP of Research at Exodus. Topic: Web Auditing: A Binary Perspective – 6PM


26 – Monthly SD ISSA meeting




17 – OWASP Monthly Chapter meeting – Tracy Reed / Log based web app attack detection
