Welcome to Cyber News Tidbits 4U!

Here are updated news compilations from the Cyber Security Community

Topic headers (+++):

+++   SD/SoCAL items of interest / opportunities
+++   Likely KEY news you can use (might be impactful in some way)
+++   Other items of FYI / FYSA level interest (skim as you have time, or if the topic suits you: efficiencies, ways to do business, etc.)
+++   Threats / bad news stuff / etc.



 (admin note – all links should work, I checked them all myself; you may need to cut and paste the link into your browser…)


A couple of Highlights of the week


+ Google Embraces Docker, The Next Big Thing In Cloud Computing

Google is putting its considerable weight behind an open source technology that’s already one of the hottest new ideas in the world of cloud computing. You can think of it as a shipping container for things on the internet–a tool that lets online software makers neatly package their creations so they can rapidly move them from machine to machine to machine. On the modern internet–where software runs across hundreds or even thousands of machines–this is no small thing. Google sees Docker as something that can change the way we think about building software, making it easier for anyone to instantly tap massive amounts of computing power.



+ IoT Revenue to Hit $7.1 Trillion In 2020

A transformation is underway that will see the worldwide market for IoT solutions grow from $1.9 trillion in 2013 to $7.1 trillion in 2020.


+ Cybersecurity market to near $77 billion

According to a forecast by market research firm Visiongain: “With attackers able to strike from anywhere and inflict damage on a significant (but often unnoticed) scale, the threat has never been greater to the reams of knowledge held by governments and enterprise.” “There is also the threat to military information sharing networks representing a significant challenge: in an era of increased integration between systems and platforms, the very webs which act as force multipliers could collapse. Efforts to counter these extensive vulnerabilities are presently ongoing to an impressive degree, and the speed of these developments is not expected to lessen unduly.”


Privacy still matters – to your quality of life, job, and business… Even if you think “I’ve got nothing to hide” (which is a misplaced view: it’s not about secrets, but about the choice of anonymity, especially of decision)

Join our effort in socializing a cyber model that supports and facilitates “Privacy by Design (PbD).”

TWO things you should be all in on: NIST’s Cybersecurity Framework, and protecting privacy, which is the new cyber message that resonates best. If you want to see what Cyber 4 PbD is all about, skim our high-level overview brief, then we can share our deep-dive technical paper as desired…

Besides PII, HIPAA, PCI, compliance, etc., even IoT needs privacy, so… (re: the “IoT Privacy Summit” in Silicon Valley on 10 July)

SO — what are you waiting for in putting PbD into your capabilities? Then stand out – are you the competition or following them? Skim our updated high-level brief for more insight, then engage (we have a PbD workshop in SD on 1 Aug!)





+++  Cyber Security News you can likely use…



+ Is There Value in the Right To Be Anonymous?

Amidst the talk about the right to be forgotten, Jedidiah Bracy, CIPP/US, CIPP/E, examines a Virginia Supreme Court case about another right for online users in this Privacy Perspectives post on “the right to anonymous commenting.” Bracy writes about a company suing “to unmask seven commenters who allegedly left highly critical comments,” noting the company does not believe the posters are even customers. Writing that anonymity is “often wrongfully used to perpetuate racist, sexist and other derogatory commentary” and can mask negative reviews by competitors or even highly positive reviews by current employees, he suggests, “the closer we all get to pseudonymous reviews, and the further we get from purely anonymous reviews, the more likely we are to trust the source.”



+ Researchers use big data to get around encryption   (going around crypto is way easier than breaking it…)

Companies are racing to encrypt their data to block hackers and government spies. But researchers have found that data mining techniques can get around one widely used version of the technology. Researchers from the University of California at Berkeley and Intel say they were able to use statistical models to infer what pages were visited on 10 websites that contain sensitive information and use a standard encryption technology. The sites include those operated by the Mayo Clinic, Planned Parenthood, Kaiser Permanente, Wells Fargo, Bank of America, Netflix, YouTube and the American Civil Liberties Union.



+ A start-up with a way to filter botnet traffic gets funding

Botnets, networks of infected zombie computers that operate at the whim of their controller, are arguably one of the nastiest scourges of the Internet. But security researchers believe they’ve found a way to filter bot traffic from the real thing for good. Last October, the well-known security researcher Dan Kaminsky, Michael J. J. Tiffany, Ash Kalb and Tamer Hassan took their small security start-up, White Ops, out of stealth, publicly claiming they had developed technology that could differentiate between so-called “bots” and real people. Eight months later, they’ve secured the confidence of new investors at Paladin Capital Group and Grotech Ventures, who together invested $7 million in their antifraud start-up.



+ Hospital Networks Are Leaking Data, Leaving Critical Devices Vulnerable  (this applies to ALL of  us!)

Two researchers examining the security of hospital networks have found many of them leak valuable information to the internet, leaving critical systems and equipment vulnerable to hacking. The data, which in some cases enumerates every computer and device on a hospital’s internal network, would allow hackers to easily locate and map systems to conduct targeted attacks. In at least one case, a large health care organization was spilling info about 68,000 systems connected to its network. At this and every other facility that was leaking data, the problem was an internet-connected computer that was not configured securely. Quite often, the researchers found, these systems also were using unpatched versions of Windows XP still vulnerable to an exploit used by the Conficker worm six years ago.



+ Halvorsen echoes Rogers’ call to complete JIE  (for all you DoD / federal types… the JIE approach is ‘IT’ (as an EA / approach at least), so get on board – yesterday.)

Pentagon officials have some practical questions to wrestle with before getting on with the business of deploying a department-wide IT platform, Acting Defense Department CIO Terry Halvorsen said June 25. “I would love to be able to stand up here and say [the Joint Information Environment] will be done tomorrow,” Halvorsen told an AFCEA cybersecurity conference in Baltimore. “It’s not going to get done tomorrow. First of all, we couldn’t define what JIE is by tomorrow.”  There is no timeline for deploying JIE to all geographies and military branches, according to a DOD official, but U.S. Cyber Command and NSA Director Adm. Michael Rogers said a day earlier that the ability of DOD to thwart cyberattacks rests in part on JIE being up and running.



+ Context Relevant Automates Machine Learning for Data Scientists

Context Relevant is using machine learning tools to help data scientists automate quant behavior that previously required rare experts and months to tackle. It’s one thing to secure talented data scientists, it’s entirely another to equip them for success. Enter Context Relevant, a fast growing and in-demand startup that is offering automated predictive analytics software to help data experts build the solutions to financial services’ most complex big-data problems. Context Relevant’s solution uses machine learning and off-the-shelf behavior analytic models that help the data scientist speed through the foundational processes.



+ Decades-Old Vulnerability Threatens ‘Internet Of Things’

A newly discovered bug in the pervasive LZO algorithm has generated a wave of patching of open-source tools such as the Linux kernel this week.  A 20-year-old bug has been discovered in a version of a popular compression algorithm used in the Linux kernel, several open-source libraries, and some Samsung Android mobile devices. And the researcher who found the flaw says it also could affect some car and aircraft systems, as well as other consumer equipment running the embedded open-source software.  Patches for the integer overflow bug, which allows an attacker to cripple systems running the so-called Lempel-Ziv-Oberhumer (LZO) code with denial-of-service type attacks as well as remote code execution, were issued the past few days for the Linux kernel,
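Added example, in C, written for this newsletter and not taken from the article or from the LZO project: a toy literal-run decoder modelled on the LZO-style length-extension rule (each 0x00 prefix byte adds 255), showing how an uncapped 32-bit length counter wraps on a long run of zero bytes and how a bounds-checked parser rejects that input early instead. The encoding rule, the function names and the sample inputs are assumptions; the real LZO code differs in detail.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy format (assumed for illustration, not the LZO source): a literal run
 * is a length prefix then that many raw bytes; in the prefix every 0x00
 * byte adds 255 and the first non-zero byte ends the count and is added. */
#define RUN_OK         0
#define RUN_TRUNCATED -1
#define RUN_TOO_LONG  -2

/* 'Before' style: a 32-bit counter with no cap. 16,843,009 zero bytes bring
 * it to 0xFFFFFFFF and the terminator wraps it to a small value, so a later
 * "len <= remaining" test passes for a run that is really gigabytes long:
 * the integer-overflow class the article describes (real LZO paths differ). */
uint32_t run_length_unchecked(const uint8_t *in, size_t in_len, size_t *pos)
{
    uint32_t len = 0;
    while (*pos < in_len && in[*pos] == 0) {
        len += 255;                 /* unsigned wrap is silent */
        (*pos)++;
    }
    if (*pos >= in_len) return 0;   /* no terminator byte */
    len += in[(*pos)++];
    return len;
}

/* Hardened: before every addition the count is compared with the bytes that
 * could still follow the prefix, so it can neither wrap nor exceed the input
 * actually present. */
int run_length_checked(const uint8_t *in, size_t in_len, size_t *pos, size_t *out_len)
{
    size_t len = 0;
    while (*pos < in_len && in[*pos] == 0) {
        (*pos)++;
        if (*pos >= in_len) return RUN_TRUNCATED;
        if (len + 255 > in_len - *pos) return RUN_TOO_LONG; /* bounded by input left */
        len += 255;
    }
    if (*pos >= in_len) return RUN_TRUNCATED;
    len += in[*pos];
    (*pos)++;
    if (len > in_len - *pos) return RUN_TRUNCATED;
    *out_len = len;
    return RUN_OK;
}

/* Decode consecutive literal runs into out. Returns bytes written, or -1 on
 * malformed input; both the read and the write are bounds-checked. */
long decode_runs(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    size_t pos = 0, written = 0;
    while (pos < in_len) {
        size_t len;
        if (run_length_checked(in, in_len, &pos, &len) != RUN_OK) return -1;
        if (len > out_cap - written) return -1;   /* output buffer guard */
        memcpy(out + written, in + pos, len);
        pos += len;
        written += len;
    }
    return (long)written;
}
/* Constructed input: a 3-byte run "abc", then a 300-byte run of 'x' whose
 * prefix is 0x00 (255) followed by 45. Decodes to 303 bytes. */
long demo_decode(void)
{
    uint8_t in[4 + 2 + 300], out[512];
    memcpy(in, "\x03" "abc" "\x00" "\x2d", 6);
    memset(in + 6, 'x', 300);
    return decode_runs(in, sizeof in, out, sizeof out);
}
/* Constructed input: 16,843,009 zero bytes then 0x02. The unchecked counter
 * reports a 1-byte run (0xFFFFFFFF + 2 wraps to 1). */
#define WRAP_ZEROS 16843009u
uint32_t demo_unchecked_wrap(void)
{
    size_t n = WRAP_ZEROS + 1, pos = 0;
    uint8_t *in = calloc(n, 1);
    if (!in) return 0;
    in[n - 1] = 0x02;
    uint32_t len = run_length_unchecked(in, n, &pos);
    free(in);
    return len;
}

/* Same input through the checked parser: rejected as RUN_TOO_LONG after a
 * few tens of thousands of bytes, long before the count could wrap. */
int demo_checked_rejects(void)
{
    size_t n = WRAP_ZEROS + 1, pos = 0, len = 0;
    uint8_t *in = calloc(n, 1);
    if (!in) return RUN_OK;
    in[n - 1] = 0x02;
    int rc = run_length_checked(in, n, &pos, &len);
    free(in);
    return rc;
}
```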



+ 10 Ways To ‘Fix’ Cybersecurity – (Forbes: key points from 10 cyber SMEs)

A security reporter asked ten cyber experts to offer up their best ideas for stemming the threats we face when it comes to digital security. Note: almost every one of them muttered something about there being no silver bullets.



+ FDA to stop regulating some medical device software

Hmmmm… not sure this is a good thing. The other article says hospitals are leaking data? What of enterprise security aspects? Aggregate risks?



+ The Akamai State of the Internet Report – 1st Qtr 2014

Gain insight into the latest Internet trends impacting online business. Akamai delivers over 2 trillion Internet interactions and defends against multiple DDoS attacks each day. This provides us with unique visibility into Internet connection speeds, broadband adoption, mobile usage, outages, and attacks.



+ Battling The Bot Nation – doing it for profit

Online fraudsters and cyber criminals — and even corporate competitors — rely heavily on bots, and an emerging startup aims to quickly spot bots in action. There are massive distributed denial-of-service (DDoS) attacks that saturate a targeted website or network with unwanted traffic and knock it offline — and then there are what renowned security expert Dan Kaminsky calls “resource-based DDoS” attacks that his startup White Ops increasingly is catching in action.



+ QDR – Quadrennial Defense Review – Good insights into what DoD / government (and all of us) should attend to on cyber security.

+  Executive Summary of 2014 Quadrennial Defense Review

Given this dynamic funding and risk environment, the 2014 Quadrennial Defense Review (QDR) is principally focused on preparing for the future by rebalancing our defense efforts in a period of increasing fiscal constraint. The 2014 QDR advances three important initiatives. First, it builds on the Defense Strategic Guidance, published in 2012, by outlining an updated defense strategy that protects and advances U.S. interests and sustains U.S. leadership. Second, the QDR describes how the Department is responsibly and realistically taking steps to rebalance major elements of the Joint Force given the changing environment. Third, the QDR demonstrates our intent to rebalance the Department itself as part of our effort to control internal cost growth that is threatening to erode our combat power in this period of fiscal austerity. We will protect the health of the All-Volunteer Force as we undertake these reforms.

+ 2014 QDR Presumes Future Includes More Risk, Less Money

The final QDR report outlines three broad themes: an updated defense strategy, the rebalance of the joint force and the department’s commitment to protecting the all-volunteer force… lay out an updated strategy that has three basic pillars,” the deputy undersecretary said.  The first pillar is protecting the homeland, she said.  Building global security is the second pillar in the strategy, she said. This includes things such as building partnership capacity, joint exercises, military-to-military engagement and port visits, she explained.  “And really, the goal of that part of our strategy is to try to deter conflict at the earliest point possible,” Wormuth said, “to try to prevent coercive behavior, for example, and to sort of proactively and positively shape the environment, so that we’re trying to prevent conflict rather than having to deal with it after it’s already manifested.”  The third pillar of the strategy is projecting power and winning decisively, she said.

+ QDR –  full document



+ Cybersecurity Lessons from Former FBI Director

Robert Mueller describes how security initiatives within the Bureau are applicable to financial services. When asked “What is the FBI doing to prevent the next terrorist attack?”, Mueller, a former attorney accustomed to confronting crimes – not preventing them – had no answer. In the years that followed, the President’s simple question sparked a realignment of priorities within the FBI to address potential threats before they become reality. The same process is relevant to financial services companies battling a rapid growth in cybercrime.



+  2014: The Year Extortion Went Mainstream

The year 2014 may well go down in the history books as the year that extortion attacks went mainstream. Fueled largely by the emergence of the anonymous online currency bitcoin, these modern-day shakedowns are blurring the lines between online and offline fraud, and giving novice computer users a crash course in modern-day cybercrime.



+  Insider Threats Pose Unique Cyber Challenges

Agencies are aware of the need for cyber defense within their infrastructure to protect from insider threats; however, it is important for organizations to recognize what data is most at risk of being targeted. Defining the top IT risk scenarios can greatly help agencies analyze and monitor anomalies to enhance the prevention of insider threat attacks. Check out this informative Q&A to gain valuable insights from an industry expert in the field of cybersecurity and insider threats.

Also: 2014 CyberThreat Defense Report

Cyberattacks are evolving as quickly as are. The 2014 report from CyberEdge provides concrete examples of the actual preparedness level of organizations and what the future of IT security might look like



+ Emerging Tech Risks Present Opportunities and Challenges for Producers

Cyber insurance is currently a $2 billion market, according to Betterley Risk Consultants Inc., and most cyber insurers report consistent premium growth in the double digits. Even so, only one-fifth to one-third of companies has any sort of cyber coverage in place, according to the Ponemon Institute. “The cyber risk insurance market is still a small market that gets more talk than action, but it is a significant growth opportunity for brokers,” Capitalizing on that opportunity starts with education. “Businesses must truly realize that they have potential exposure in their own operations. Only after such awareness develops do insureds become interested in buying the coverage,” according to Patricia A. Borowski, senior vice president at the National Association of Professional Insurance Agents.

“The biggest challenge is getting small- and medium-sized businesses to understand that cyber risk is important to insure,

+++   We developed a “cyber actuarial table” to help structure a dialogue between clients and insurers… let me know if you want to help finesse and socialize this key tool!!!)



+ Israel Claims $3B in Cyber Exports; 2nd Only to US

“Israeli exports of cyber-related products and services last year reached $3 billion, some 5 percent of the global market and more than all other nations combined apart from the United States, according to Israel’s National Cyber Bureau (NCB).”



+ 16 Entrepreneurs Share 16 Reasons Startups Fail


+ Google Developers – good site for help / methods…

Products (APIs, SDKs, etc.), showcases of other developers’ products, communities of interest, etc.





+++  FYI / FYSA  Items of interest…


+ Continuous monitoring: Closer than you think   (YES on using SCM – CDM… yet is FREE from DHS really so?  What of all the lateral requirements, et al?)

If you were offered free tires for your car or a tune-up, which would you take? One seems far more valuable than the other, but the answer would depend on the car’s needs. If your current tires are perfectly adequate, then the tune-up for your misfiring engine would be the smarter choice. That question simplifies the complex choices federal agencies face with the “free” assistance offered by the Department of Homeland Security for its Continuous Diagnostics and Mitigation (CDM) program.  Certainly, credit goes to DHS for bringing continuous monitoring from concept to reality and relieving budget-squeezed agencies of much of the cost burden for the transition. But how will agencies use those “free” resources from DHS? Will they choose products that fill missing gaps in their CDM migration, or could they unknowingly duplicate what they already own and end up with tires they didn’t really need?


NOTE – For another look at a FREE tool (in alpha / beta state…) see the enclosed brief… think of the SCM-, ACAS-, CMRS-, HBSS-like functions in a capability not tied to DHS / federal entities / requirements… AND it does V&V / C&A POA&Ms too! (called “ESA”, enhanced situational awareness)



+  Major ruling shields privacy of cellphones  (updated from last week, BUT a good thing – to start – yet who else can snoop your  data???   Be more secure with Cyber 4 PbD!)

In a sweeping victory for privacy rights in the digital age, the Supreme Court on Wednesday unanimously ruled that the police need warrants to search the cellphones of people they arrest. While the decision will offer protection to the 12 million people arrested every year, many for minor crimes, its impact will most likely be much broader. The ruling almost certainly also applies to searches of tablet and laptop computers, and its reasoning may apply to searches of homes and businesses and of information held by third parties like phone companies.



+ Senate’s version of FISMA update cleans up around the cyber edges

The biggest barrier for agencies to move to a more dynamic approach to cybersecurity is not the almost 12-year-old law that governs how they protect federal systems. Rather, it’s the Office of Management and Budget circular that implements the Federal Information Security Management Act that’s the real problem. This is why Senate lawmakers’ plans to update FISMA center not on making continuous monitoring the law of the land, but on actually rescinding a key section of Circular A-130 immediately and requiring OMB to issue interim guidance.



+ Court-Compelled Hard Drive Decryption Does Not Violate Fifth Amendment Rights, says Mass. High Court

In what could be a landmark ruling for users of encryption everywhere, the Massachusetts Supreme Judicial Court (MSJC) ruled on June 26, 2014, that the court can compel a person to decrypt the contents of their hard drives, and that the Fifth Amendment, which provides protection against self-incrimination does not apply. From the viewpoint of the defendant, this may seem to be a clear violation of his Fifth Amendment rights. He would theoretically know the contents of his computers and know they might incriminate him. Therefore, to turn them over in a format that they can be entered into evidence could easily be viewed as self-incrimination. However, the court saw this situation differently. The court looked specifically at whether or not entering a password into a computer to decrypt its contents was an act of self-incrimination. The court ruled 5-2 that entering the password does not imply that the defendant created the documents on the computer or had sole control of them at all times, and therefore it was not testimony.



+ Science DMZ: Faster, more secure high-performance computing  (NOW that should keep your techies pacified – their own sandbox!)

University or government scientists often demand high performance computing resources, which means researchers need access to ever larger datasets and a way to collaborate with widely dispersed teams of scientists. To create an environment to facilitate such compute-intensive work, USDA’s Agricultural Research Service is expected later in June to award a contract for the construction of a Science DMZ network. The Department of Agriculture is just the latest in a growing number of government agencies to use the concept. While many organizations deploy a DMZ (after the term “demilitarized zone”) to harden their regular business networks using security devices such as firewalls, Science DMZs have special needs that require their own specific designs. And it’s not something that can be created with high-speed connections alone.



+ Governments bear the brunt as targeted attacks rise

Kaspersky Lab report claims 12% of organizations globally were hit last year. Some 12% of organizations globally experienced at least one targeted attack last year, a noticeable increase from previous years, with the government and defense sector the most frequently affected, according to new research from Kaspersky Lab. The Russian internet security firm surveyed 4,000 IT managers from across 27 countries to compile its 2014 IT Security Risks report. It revealed that the number of firms affected by targeted attacks rose from 9% or lower in the 2012 and 2013 reports to 12% in the current study.



+ The DoD Cybersecurity Policy Chart  (great overview of ALL the MANY policies)

The goal of the DoD Cybersecurity Policy Chart (downloadable via the hyperlinked icon below) is to capture the tremendous breadth of applicable policies, some of which many cybersecurity professionals may not even be aware of, in a helpful organizational scheme. The use of color, fonts and hyperlinks is designed to provide additional assistance to cybersecurity professionals navigating their way through policy issues in order to defend their networks, systems and data. At the bottom center of the chart is a legend that identifies the originator of each policy by a color-coding scheme. On the right-hand side of the Cybersecurity Policy Chart there are boxes which identify key legal authorities, federal/national level cybersecurity policies, and operational and subordinate level documents that provide details on defending the DoD Information Network (DoDIN) and its assets. Links to these documents can be found in the Chart.



+ Researchers go inside HackingTeam mobile malware, command infrastructure  (the criminal threats go beyond the best malware there is (automated too)  and continue into sophisticated communications and control methods too)

Controversial spyware commercially developed by Italy’s HackingTeam and sold to governments and law enforcement for the purpose of surveillance, has a global command and control infrastructure and for the first time, security experts have insight into how its mobile malware components work. Collaborating teams of researchers from Kaspersky Lab and Citizen Lab at the Munk School of Global Affairs at the University of Toronto today reported on their findings during an event in London. The breadth of the command infrastructure supporting HackingTeam’s Remote Control System (RCS) is extensive, with 326 servers outed in more than 40 countries; the report also provides the first details on the inner workings of the RCS mobile components for Apple iOS and Android devices.



+ Healthcare Firm pays Big Bucks for Breach

They paid a $4.8 million settlement (the biggest HIPAA settlement to date) after the electronic records of 6,800 patients (including vital stats, medications and even lab results) were accidentally leaked into cyberspace.

The leak was caused when a Columbia University doctor (who developed applications for CU as well as NYP) attempted to deactivate a computer server that was personally owned; the server was on the network that contained patient data. The server lacked technical safeguards, and there’s evidence that neither organization had made any efforts, prior to the data breach, to ensure that the server was properly protected.


+ APT vs AET – The Security Industry’s Dirty Little Secret

The debate over advanced evasion techniques (AETs)  vs APTs in general (good reference doc)



+ High-Assurance Cyber Military Systems (HACMS)

The goal of the HACMS program is to create technology for the construction of high-assurance cyber-physical systems, where high assurance is defined to mean functionally correct and satisfying appropriate safety and security properties… [This seems like an effort to latch on to for ICS / SCADA security!? Make work for commercial too.. BUT, not sure of a new formal language to specify all one’s SCADA equipment. The technology exists now to secure all this stuff but it isn’t economically feasible to use it yet.]



+ Net Neutrality Retreat Threatens Cloud Growth

A proposal to undermine net neutrality by allowing ISPs to charge for “fast lane” traffic would create competitive barriers for businesses and stymie cloud adoption.



+ White House Releases Big Data And Privacy Report, DATA Act Becomes Law

Marketers know that when you’re dealing with big data, you have to answer a lot of BIG questions – and the regulations, expectations and consequences surrounding every one of them continue to grow more and more complex.   After all, big data is not – and has never been – solely about technology. You can’t resolve all your big data questions with some hi-tech fix-it-and-forget-it solution. Big data is about so much more. It’s about capabilities. It’s about potential. And most importantly, big data is about PEOPLE.  It seems that message is starting to sink in with marketing teams, business leaders –and with legislators, too. In fact, last month, the White House offered some valuable guidance via its much-anticipated big data and privacy report titled, Big Data: Seizing Opportunities, Preserving Values. The 79-page document is the culmination of a 90-day study designed to examine:

• How big data will transform the way we live and work,

• How the public and private sectors can maximize the benefits of big data while minimizing its risks and

• How big data can help grow the economy, improve health and education and make the U.S. safer and more energy efficient.


+ Security Risks from Remote-Controlled Smart Devices


+ Emergence of a New Security Trend  – Legal firms need to step up too!


Enhanced Data Security Measures in the Legal Community


+++  Several white papers of interest..

Maximizing the Speed of Business and Innovation


Big Five in Overdrive: Are State and Local Networks Ready?


Stopping Zero-Day Exploits for Dummies


Viewpoint: Getting the Edge on Insider Threats





+++  THREATs  / bad news stuff / etc…



+ Hacker tactic: Holding data hostage  (come on now, you KNOW that cryptolocker-type malware is now rampant, on mobile devices too; doing the cyber hygiene basics minimizes that threat (re: have restore points / images, back up data off the device, minimize SysAdmin privileges on end devices, run frequent scans, use SCM/SIEM!!!))

The perpetual cat-and-mouse game between computer hackers and their targets is getting nastier. Cybercriminals are getting better at circumventing firewalls and antivirus programs. More of them are resorting to ransomware, which encrypts computer data and holds it hostage until a fee is paid. Some hackers plant virus-loaded ads on legitimate websites, enabling them to remotely wipe a hard drive clean or cause it to overheat. Meanwhile, companies are being routinely targeted by attacks sponsored by the governments of Iran and China. Even small start-ups are suffering from denial-of-service extortion attacks, in which hackers threaten to disable their websites unless money is paid.

(CryptoLocker is most often spread through booby-trapped email attachments, but the malware also can be deployed by hacked and malicious Web sites by exploiting outdated browser plugins. As one example of the protection processes available, a team from an enterprise consulting firm released the CryptoLocker Prevention Kit – a comprehensive set of group policies that can be used to block CryptoLocker infections across a domain.)



+ Law Enforcement Agencies Using Spyware for Mobile Device Surveillance

Researchers have uncovered a mobile spyware product known as Remote Control System (RCS), which is being sold by an Italian company to police around the world. RCS can intercept and record communications from devices running Android, iOS, Windows Mobile, Symbian, and BlackBerry operating systems. There are at least 320 command-and-control servers for RCS in more than 40 countries.

(NOTE: Hmmm, unless they have a warrant this seems to fly in the face of the unanimous Supreme Court ruling on cell phones. Having said that – someone will state this is pre-arrest and the ruling is post-arrest.)



+  As Stuxnet Anniversary Approaches, New SCADA Attack Is Discovered

F-Secure has unearthed a new attack against industrial control systems that goes after European targets, using rare infection vectors.  Nearly four years since Stuxnet broke onto the scene, F-Secure has discovered another series of attacks against industrial control systems — this time aiming at mostly European organizations. The attackers’ ultimate motives are unclear. Researchers suspect they are simply gathering intelligence in preparation for a more serious attack.   The attackers are infecting SCADA and ICS systems with the HAVEX remote access tool (mostly used for information gathering), using a unique infection vector.



+ Havex Malware Targets SCADA Systems

A report from F-Secure says that attackers intent on infiltrating industrial control systems are breaking into websites of companies that provide software to those organizations and planting a remote access Trojan known as Havex in their installation files. The organizations running the industrial control systems then download the poisoned software, which gives the attackers a foothold in their systems. The attack has been detected on the websites of three northern European companies, two of which provide remote management software.

[NOTE: The addition of an OPC exploit module to the Havex Trojan and the observed delivery tactic of watering holes using ICS supply-chain related websites exemplifies the newest chapter in the book of ICS cyber threats. The impact of the OPC exploit is two-fold:

1) targeting OPC gives the attackers a wide swath as it is a common solution designed to exchange data between diverse control systems, and

2) it allows attackers to gather the necessary information on connected ICS devices to select appropriate payloads and perform a successful follow-on attack.  This form of directed attack raises the importance of ICS defenders deploying improved defenses and gaining the necessary knowledge and skills to respond effectively.

AND –  The issue here is “supply chain management,” not SCADA.]



+ Luuuk Bank Theft Scheme Used Man-in-the-Browser Attack

A bank theft scheme dubbed Luuuk stole 500,000 euros (US $681,000) from 190 account holders at an unnamed European bank in just one week. The thieves used a man-in-the-browser attack to steal account credentials and transferred stolen funds into accounts controlled by money mules. The thieves likely took advantage of one-time passcodes and skimmed the money at the same time that the legitimate customers were conducting online transactions. Luuuk targeted people in Italy and Turkey. The scheme was discovered in January 2014 when Kaspersky Lab found a command-and-control server for malware used to conduct man-in-the-browser attacks. Within days it had been wiped and shut down.

[NOTE: The use of one time passwords is not a “silver bullet.”  In order to effectively resist electronic account takeover, OTPs must be combined with out-of-band transaction confirmations and appropriate back-office controls.  However, OTPs do raise the cost of attack and narrow the window of vulnerability.  They are an essential control.]



+  Heartbleed update: Fixes plateau  (minimize your data vulnerability to most structural / transport flaws – use Cyber 4 PbD!)

Two months after the OpenSSL flaw known as Heartbleed was discovered, related remediation efforts have slowed. But several information security experts have lauded businesses’ rapid response to the threat, noting that they’ve installed related fixes – which are still being released – much more quickly than usual. Lately, however, the pace of Heartbleed-related patching has decreased, according to Robert David Graham, CEO of Atlanta-based Errata Security. “Two months after Heartbleed, 300k systems still vulnerable – unchanged from last month,” he tweeted June 21, based on his scans of servers that are running a vulnerable version of OpenSSL, which is an open-source implementation of the SSL and TLS protocols that’s used to secure data sent between clients and servers.



+  PayPal two-factor authentication broken  (older news that does not get better with age…;-((

PayPal has temporarily disabled two-factor authentication for its mobile apps while it works on a patch for a newly discovered flaw that bypasses the security feature. Two-factor authentication, a more secure method for users to log into applications, is increasingly being added as an extra layer of protection in the case of password theft. That feature is an option with PayPal’s mobile apps, and researchers say that — a PayPal API that uses OAuth for authentication and authorization — is flawed and does not enforce two-factor authentication on the server while authorizing a user. PayPal’s web application does not contain the flaw.



+ Hackers take down World Cup site in Brazil  (***  you have taken DDoS seriously, have minimal mitigations in place???)

Hackers made good on their threat to take down the 2014 World Cup site in Brazil. Anonymous, the loose hacker collective, appears to have successfully taken down the site, which was offline for several hours Friday evening. The hacker group Anonymous Brasil has started a hacking campaign – Operation Hacking Cup, or #OpHackingCup – to protest poverty, corruption and police brutality. Offline, activists have struggled to make their voices heard, but online, hackers have begun a series of distributed denial-of-service, or DDoS, attacks and have defaced websites.



+ WordPress Vulnerability

A vulnerability in the WebShot feature of the TimThumb image resizing plug-in on WordPress could be exploited to execute code. The WebShot feature lets the tool take screenshots of websites. Users can protect their sites by disabling the WebShot feature of TimThumb. The plug-in is disabled by default, but can become automatically enabled by certain themes and plug-ins.



+  Cloud-Based POS Software- “New Target For Hackers”

IntelCrawler, a cyber threat intelligence firm from Los Angeles, has identified new targeted attacks on cloud-based POS software used by grocery stores, retailers and other small businesses through web browsers like Internet Explorer, Safari, and/or Google Chrome.  Front office systems support integration options with credit card readers, barcode scanners, cash drawers, and receipt printers. The back office utilizes cloud-based POS services; merchants are able to store data and reports in public infrastructure that is accessible remotely as well as through mobile devices (e.g., Android, iOS, etc.).   Compromised cloud-based POS service providers allow attackers to alter gift card information, and even to create gift cards for themselves and discount vouchers for any customer. In addition, bad actors have the ability to gain access to employee management subsystems, which could also be used for internal fraud.



+ Putter Panda Targeting U.S. Defense

Putter Panda is a determined adversary group, conducting intelligence-gathering operations targeting the Government, Defense, Research, and Technology sectors in the United States, with specific targeting of space, aerospace, and communications.



+ Zeus Alternative “Pandemiya” Emerges In Cybercrime Underground

A new banking Trojan being promoted in underground forums as an alternative to the popular and widely used Zeus Trojan has the potential to become a pervasive threat. Called Pandemiya, the new Trojan is similar to Zeus in that it allows cyber-criminals to steal form data, login credentials, and files from infected computers, according to RSA’s Fraud Action team. Much like Zeus, Pandemiya also has a modular design, making it quite easy for cyber-criminals to expand and add functionality, said Uri Fleyder, cybercrime research lab manager at the RSA Research Group.




+++   SD/SoCAL items of interest / opportunities




1 – Provided by IEEE Cyber SIG / Various Security groups – all day – – Privacy by design workshop – a cyber model & why you must be part of this initiative!  (at Coleman University –  AM Technical approach… PM public discussions)

+++  Help move SD forward in cyber –  DOING security vs admiring the problem…. SO engage and help out on cyber 4 PbD!!!



NOV 1 –

Started planning “BigDataDay 4 SD” around SAT, 1 November..

We went to the one in LA and it was great…   the organizer will help us do that here… likely our three tracks will be:

–  Technical =  Hadoop/Hbase/NoSQL;

–  Data science = predictive analytics, etc

–  Applications = actual products, etc.. Privacy / data security. ..


Highlight of the week

(I pick a couple of items of likely notable interest / high potential value….)

+ The Supreme Court just restricted software patents. Here’s what that means….

+ Company Revenue Map – where the real $$$ is…by state

+ Framework: Collaborative Economy Honeycomb   this is a great info / org sharing Venn diagram… as THAT is how cyber is done…collaborative relationships with an integrated package… ;-))

+ The Critical Numbers You Need to Know for Business Success  (for all you nonMBA types)

+++  Cyber Security News you can likely use…

+ Supreme Court Toughens Business Process Patent Test

Unanimous ruling says that an “abstract idea” isn’t patent-eligible just because computers are used to apply it.

In what some legal experts are calling a landmark decision that could make it harder to obtain and uphold business process patents, the US Supreme Court on Thursday unanimously rejected patents on abstract ideas implemented on a computer.

+ Manage Sensitive Information and Prevent Data Breaches  (good overall process view!)

Preventing a data breach starts with knowing where your sensitive information exists and our software makes it both simple and affordable to not only find confidential data, but also protect it from leakage and theft.

Discover…   Classify…   Remediate…  Monitor…  Report…

+ AT&T breach allowed customer data to be used to unlock smartphones

Personal information, including Social Security numbers and call records, was accessed for an unknown number of AT&T Mobility customers by people outside of the company, AT&T has confirmed. The breach took place between April 9-21, but was only disclosed this week in a filing with California regulators. While AT&T wouldn’t say how many customers were affected, state law requires such disclosures if an incident affects at least 500 customers in California.

+ Wave of DDoS attacks down cloud-based services – Yes, a threat topic upfront – so DO something about DDOS now too!!!

The popular Feedly news and information aggregator service continues to struggle to get back up and running today after suffering a powerful distributed denial-of-service (DDoS) attack that it says included the attackers demanding ransom. Feedly officials said that they had no intention of paying the attackers to curtail the attack, and that they were working with law enforcement officials and other victims of DDoS attacks by the same group. The note-taking app service Evernote and the music-streaming service Deezer have acknowledged they were hit by attacks this week, with Evernote alerting its customers this morning. Both of those services are back up and running.

+ The Problem With Cyber Insurance       (while most agree, we have a draft cyber actuarial table to start structured discussion on doing this.. if you want to play – ask me!)

Insurers have yet to develop an — evidence-based method —  to assess a company’s cyber risk profile. This has resulted in high premiums, low coverage, and broad exclusions.   Cyber insurance is one of the fastest growing segments in the insurance industry. With the tremendous increase in data breaches, companies are looking for insurance products to cover them in the event of a loss. As the Boston Globe recently reported, one in three companies now has insurance coverage against cyber losses. Last year 20% more cyber insurance policies were sold than in 2012, according to a Marsh LLC report.


A recent New York Times article touted cyberinsurance as the “fastest-growing niche in the [insurance] industry today.” Nicole Perlroth and Elizabeth Harris report: “[A]fter the breach at Target, its profit was cut nearly in half—down 46 percent over the same period the year before—in large part because the breach scared away its customers.” These enormous costs to brand reputation make it difficult for companies to get as much cyber risk coverage as they want, and the demand is only growing. The Times cites statistics showing a 21 percent increase in demand for cyberinsurance policies from 2012 to 2013, with total premiums reaching $1.3 billion.

+ Facebook to track what users do on other sites   =  MORE privacy erosion…;-((

Facebook will soon start tracking what users in the U.S. do not just on Facebook but also on other websites and apps to more effectively target them with ads. The practice is common – even for some ad networks Facebook partners with – but the social network had previously based its ads mainly on what people did on Facebook, such as what pages they liked. Users “want to see ads that are more relevant to their interests,” Facebook said in an announcement about the changes Thursday. For those weary of Facebook analyzing even more about their online behavior, the company offered this: “If you don’t want us to use the websites and apps you use to show you more relevant ads, we won’t. You can opt out.”

+ British spy agencies are said to assert power to intercept web traffic  =  and even MORE privacy erosion…;-((

In a broad legal rationale for collecting information from Internet use by its citizens, the British government has reportedly asserted the right to intercept communications that go through services like Facebook, Google and Twitter that are based in the United States or other foreign nations, even if they are between people in Britain. The British position is described in a draft summary of a report to be released Tuesday by Privacy International and other advocacy groups. The summary, seen by The New York Times, says the findings are based on a government document that the groups obtained through a lawsuit.

+ Transforming the web into a HTTPA ‘database’  – NOW we’re talking…. New ways to minimize data misuse…

Researchers at MIT’s Decentralized Information Group (DIG) are developing a new protocol they call “HTTP with Accountability,” or HTTPA, designed to fight the “inadvertent misuse” of data by people authorized to access it. Believing the solution to data misuse or leakage may be more transparency rather than increased obscurity, HTTPA will automatically monitor the transmission of private data and allow the data owner to examine how it’s being used. The traditional response of placing tighter restrictions on access could undermine useful data sharing, say the researchers, who work under Web founder Tim Berners-Lee.

+  Right-To-Be-Forgotten Decision Has Nothing To Do With Right To Be Forgotten

In the weeks following the European Court of Justice (CJEU) decision on the so-called “right to be forgotten,” reactions have varied among stakeholders. And today, Google announced it will begin removing links to online content in Europe by the end of June, according to The New York Times. Now that enough time has passed since the decision, Profs. Vagelis Papakonstantinou and Paul de Hert have ruminated on its implications. In this post for Privacy Perspectives, Papakonstantinou and de Hert “calmly assess what the CJEU decision really is and is not about,” suggesting it “has nothing to do with a ‘right to be forgotten’” at all.

Google Ready to Comply With ‘Right to Be Forgotten’ Rules in Europe

+ What Workplace Privacy Will Look Like In 10 Years

New laws like Europe’s “right to be forgotten” in Google search are just the latest examples of how quickly perceptions and practices about personal privacy in the workplace are changing.  Ralph’s pajamas gently vibrate him awake. While he is still in bed, he gestures into the air, bringing up a computer interface woven into his pajamas. With a swipe of his hand, he opens his personal space and checks his biometric dashboard to find out how many steps he needs to walk today to reach his weight loss goal and whether his cholesterol has dropped.   After a quick shower, he gets dressed, accessorizing with his smart computing vest, which automatically starts his ultra-dark roast coffee brewing the moment he puts it on. A father of three, he gestures to open his private family view, which is showing live video feeds of his kids waking up. Interrupted by an alert from his car about traffic delays, he grabs a cup of coffee and heads for the garage, where he slides into his car office, closes his personal spaces with a gesture, and opens his business calendar to prepare for work.

+ People Want To Protest lack of privacy —Make It Easy for Them.  (YES, this is what our cyber model for ‘privacy by design” DOES!)

A blog post on Freedom to Tinker –  Arvind Narayanan talks about using encryption as protest. As he points out, in computer science, privacy-enhancing technologies (PETs) using crypto are generally used to protect anonymity or confidentiality against an adversary. But Narayanan also connects us with the thinking of Helen Nissenbaum on the political and ethical theory of obfuscation, which is “a strategy for individuals, groups or communities to hide; to protect themselves; to protest or enact civil disobedience, especially in the context of monitoring, aggregated analysis and profiling.”   Going further, Narayanan looks at “the hypothesis that users of encryption tools also have protest and civil disobedience in mind, instead of (or in addition to) self-defense or anonymity

+ Privacy, big data and the public good: frameworks for engagement   good overview!

+ So Far, Big Data Is Small Potatoes

+ We’re all being mined for data – but who are the real winners?  (Good article… lots of history. .. current status, various perspectives on the whole Big Data mind set…

+ 10 More Powerful Facts About Big Data  – another view

How big is big data’s impact? Check out part two of our fact fest on big data’s trends and trials.

+ 2014 Internet Security Threat Report  –  (always good to skim where the threats are / will come from)

One of the major challenges for government agencies in 2014 has been how to prepare for government-targeted attacks, including zero-day vulnerabilities, data breaches, e-crime and malware tactics.

Download this report for insights and analysis into the leading threat activity and breaches facing agencies today.

•       3 most important trends of 2013

•       Comprehensive 2013 security timeline

•       Cybersecurity recommendations and best practices

+  Mandiant also released a new detailed report titled “M-Trends 2014 Threat Report”  (another look at the bad stuff!)

It describes the actors, means and tactics behind the principal attacks conducted in recent months. The report consolidates data on principal cyber threats and also highlights emerging global threat actors targeting different industries.    As threats become even more sophisticated, organizations face increasing difficulty identifying them and discovering a breach on their systems. The industries that have suffered the most attacks are Financial Services and Media & Entertainment.


+++  FYI / FYSA  Items of interest…

+ ‘Human error’ contributes to nearly all cyber incidents, study finds

Even though organizations may have all of the bells and whistles needed in their data security arsenal, it’s the human element that continues to fuel cyber incidents, according to one recent study. The “IBM Security Services 2014 Cyber Security Intelligence Index,” a report that includes cyber security data on close to 1,000 of IBM Security Services’ clients located in 133 countries, indicates that “human error” is involved in more than 95 percent of the security incidents investigated in 2013.

+ White House Maker Faire: 10 Cool Inventions

More than 100 exhibitors of all ages gathered at the White House to show off their inventions. Check out some of the intriguing innovations.

The president also announced that the Small Business Administration, through its $2.5 million Accelerator competition, is calling upon communities to support startup accelerators and “maker spaces” for entrepreneurs. The SBA will work with the Patent and Trademark Office (USPTO) to raise awareness and cultivate a new generation of inventors.

+ The Internet of government things

In many corners of the tech world, the Internet of things is an abstract concept still in the development stage. The federal government has spent more than $300 million on Internet of things-related research in the last five years, and this week officials hailed it as the next wave of innovation. At the SmartAmerica Expo on June 11 in Washington, D.C., U.S. Chief Technology Officer Todd Park and GSA Administrator Dan Tangherlini pegged the Internet of things as a tool that could dramatically change the way government delivers services. GSA is already using early stages of IoT technology. Through the GSALink initiative, thousands of sensors constantly monitor and measure energy use in federal buildings.

+ Cyber Boot Camp for Tomorrow’s Cyber Defenders  GREAT JOB SD / SOeC!!!

On June 16, select students from three different San Diego high schools converged on the ESET building in Little Italy for a week of intensive education in the art of defending computer systems. They call it Cyber Boot Camp, and two dozen students will experience five days of hands-on instruction, plus lectures from leading cyber security experts from San Diego companies as well as local and national law enforcement.

Right now, there is a critical shortage of people with the skills and training required to defend computer systems against the growing ranks of criminals who range from well organized gangs of cyber criminals to terrorists, plus a complex mix of state and non-state players. Addressing that shortage, through improvements in education and career guidance, is vital to the future health of our digital economy.

+ US cyber official: Treat IT architecture as a weapon

If the Defense Department wants to improve cybersecurity it needs to get a handle on its IT infrastructure and start treating it more like a weapons system, the U.S. Cyber Command’s former deputy commander said this week. Speaking at AFCEA NOVA’s Navy IT Day on June 11, Marine Corps Lt. Gen. Jon M. Davis, who finished a two-year stint as deputy commander this month, highlighted several areas that the Cyber Command has been working to improve. First is the overall defense architecture. The Defense Department’s networks were not designed to be plug-and-play, and tended to be modified by officers without any specific blueprints in mind. The end result is that the networks could not be easily mapped.

+ Cybersecurity a key bilateral issue for White House, and not just with China

The Justice Department’s indictment last month of five Chinese military officers for alleged cyber-espionage sent a shockwave through Sino-American relations, surprising some cybersecurity experts and leaving all to divine Washington’s next move on the issue. China reacted furiously, canceling a bilateral cyber working group and, through its state media, labeling U.S. tech firms like Facebook and Microsoft threats to state security. But a senior White House official is sanguine on the prospects of China rejoining the dialogue and points to recent cooperation with the Australian government as evidence of the administration’s intent in global cyberspace.

+ Insider Threats: Are You At Risk?

It’s not easy to discover the malicious insider. Cyber threats of all types are more difficult to detect than ever before, thanks to more efficient and intelligent malicious software, increased use of mobile devices, the volume of network activity and the explosion of cloud computing. See the whitepaper for insights into the latest security tools and big data analytics agencies are using to detect and mitigate insider threats.

+  Open-Source Tool Aimed At Propelling Honeypots Into the Mainstream

Free software automates the setup, management of honeypots for enterprises.

Researchers have built a free open-source honeypot software program aimed at propelling the hacker decoys into security weapons for everyday organizations.

The Modern Honey Network (MHN) software, created by the Google Ventures-backed startup ThreatStream, automates much of the process of setting up and monitoring honeypots, as well as gleaning threat intelligence from them. An API allows it to integrate with IDSes, IPSes, application-layer firewalls, SIEM, and other security tools to set up defenses against attacks it detects.

+ DISA & a commercial  STIG viewer..   (If you do ST&E / C&A –  check these out…)

Commercial STIG viewer –

–  Permanent, user-friendly URLs!

–  DoD 8500 Controls hotlinked in

–  Historic versions of each STIG (back to 2012)

–  Excel, JSON and XML exports of every STIG!

–  NIST SP 800-53 Controls browsable added

DISA STIG viewer…  First  install the STIG Viewer JAR file  and

Then import the applicable STIG zip files from here

+ How the mobile threat landscape is challenging companies’ ability to respond

+ Critical Times Demand Critical Skills – An analysis of the skills gap in information security by (ISC)2

A whitepaper derived from the (ISC)2 Global Information Security Workforce Study:

+ How NOT  To Respond To A DDoS Attack

Common mistakes made by victims of distributed denial-of-service attacks.

Distributed denial-of-service (DDoS) attacks just won’t go away. Just ask the news and information aggregator service Feedly, which suffered waves of attacks over a three-day period last week that kept the site struggling to restore service.    Feedly is hardly alone. DDoS attacks occur regularly, many not so high-profile as that of a software-as-a-service firm or a financial services provider. There’s no magic bullet to prevent a DDoS attack. Security experts and DDoS protection service providers say it’s all about preparation and proper mitigation strategy.

+ HP Aims To Revolutionize Computing with “The Machine”

HP has introduced an entirely new computing architecture dubbed “The Machine” that it says can process data intelligently using far less energy and space. With the massive amount of data being moved to the cloud increasing every day, The Machine could be the ticket to solving the challenges of cloud computing — managing and analyzing all that information.

+  The Big Three Part 2: Incident Detection

Did you know that less than one out of five security incidents are detected by the organization being affected? Most organizations only find out they’ve experienced an information security incident when law enforcement comes knocking on their door, if they find out about it at all, that is. And what is more, security compromises often go undetected for months and months before they are finally discovered. This gives attackers plenty of time to get the most profit possible out of your stolen information, not to mention increasing their opportunities for further compromising your systems and the third party systems they are connected to.

Of the Big Three strategies for fighting modern cyber-crime (incident detection, incident response, and user education and awareness), incident detection is by far the hardest one to do well.

+++  THREATs  / bad news stuff / etc…

+ First Major Mobile Banking Security Threat Hits the U.S.

Kaspersky Lab discovered that a breed of malware targeting mobile devices called Svpeng had made its way from Russia to the U.S. The malware, which targets Android devices, looks for specific mobile banking apps on the phone, then locks the phone and demands money to unlock it.

+  Attack Possibilities By OSI Layers – GREAT DDoS guide & tables!

+  Millions of LinkedIn Users at Risk of Man-in-the-Middle Attack

The popular professional network, LinkedIn has left hundreds of millions of its users exposed to Man-in-the-Middle (MitM) attack due to the way the site uses Secure Sockets Layer (SSL) encryption in its network.

No doubt, LinkedIn is using an HTTPS connection for user login pages, but it is not using HTTP Strict Transport Security (HSTS), a mechanism that prevents any communications from being sent over HTTP and instead forces all communications over HTTPS. According to researchers at Israel-based Zimperium Mobile Threat Defense, the poor implementation of HTTPS/SSL allows a hacker to intercept a user’s communication by replacing all “HTTPS” requests with their non-encrypted form, “HTTP”, known as an “SSL stripping” attack.
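The defender’s check that follows from the LinkedIn item is whether a site actually sends a usable Strict-Transport-Security header; here, as an added example (not code from the article, LinkedIn or Zimperium), is a Python parser for that header per RFC 6797 that reports why a policy is absent, invalid or too weak to stop stripping. The six-month threshold and the sample response headers are assumptions constructed for the illustration.

```python
"""Check an HTTPS response for a usable HSTS policy (RFC 6797).

Added example, not code from the article or from LinkedIn/Zimperium. The
parsing follows the RFC; the threshold and the sample headers are assumptions
constructed for this illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed threshold: six months, historically the minimum for browser preload lists.
MIN_MAX_AGE = 15552000


@dataclass
class HstsPolicy:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)   # policy gives no protection
    warnings: List[str] = field(default_factory=list)   # policy works but leaves gaps

    @property
    def adequate(self) -> bool:
        return self.present and not self.problems


def parse_hsts(header_value: Optional[str]) -> HstsPolicy:
    """Parse a Strict-Transport-Security value; None means the header was absent.

    Note that browsers only honour the header when it arrives over HTTPS, so
    the caller must pass headers taken from an HTTPS response.
    """
    if header_value is None:
        return HstsPolicy(
            present=False,
            problems=["no Strict-Transport-Security header: the browser will follow a "
                      "plain http:// request, so a stripping proxy is never blocked"],
        )
    policy = HstsPolicy(present=True)
    seen = set()
    for raw in header_value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # RFC 6797 allows a quoted-string value
        if name in seen:                     # RFC 6797 6.1: a directive may appear only once
            policy.problems.append(f"duplicate directive '{name}': header is invalid")
            continue
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                policy.problems.append("max-age is not a non-negative integer")
            else:
                policy.max_age = int(value)
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        # Unknown directives are ignored, as the RFC requires.

    if policy.max_age is None:
        policy.problems.append("max-age missing: browsers ignore the whole header")
    elif policy.max_age == 0:
        policy.problems.append("max-age=0 tells browsers to delete the policy")
    elif policy.max_age < MIN_MAX_AGE:
        policy.problems.append(f"max-age {policy.max_age}s is below {MIN_MAX_AGE}s")
    if not policy.include_subdomains:
        policy.warnings.append("includeSubDomains missing: subdomains can still be "
                               "reached over plain HTTP")
    if not policy.preload:
        policy.warnings.append("not preloaded: the very first visit is still unprotected")
    return policy


def assess_response(headers: Dict[str, str]) -> HstsPolicy:
    """Look the header up case-insensitively, as an HTTP client does."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    return parse_hsts(value)


# Constructed sample responses (not real captures from any site).
SAMPLE_RESPONSES = {
    "no_hsts": {"Content-Type": "text/html",
                "Set-Cookie": "sid=constructed; Secure; HttpOnly"},
    "weak":    {"Strict-Transport-Security": "max-age=300"},
    "strong":  {"strict-transport-security":
                "max-age=31536000; includeSubDomains; preload"},
}


if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        p = assess_response(headers)
        print(f"{label}: adequate={p.adequate} problems={p.problems} warnings={p.warnings}")
```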

+ Gmail bug could have exposed every user’s address

Until recently, anyone may have been able to assemble a list of every Gmail account in the world. All it would have taken, according to one security researcher’s analysis, was some clever tweaking of a web page’s characters and a lot of patience.

Oren Hafif says that he found and helped fix a bug in Google’s Gmail service that could have been used to extract millions of Gmail addresses, if not all of them, in a matter of days or weeks. The trick would not have exposed passwords or otherwise allowed easy access to those accounts, but could have left users vulnerable to spam, phishing or password-guessing attacks. The bug may have existed for years.

+ Cybercriminals targeting cloud-based PoS systems via browser attacks

Attackers are targeting vulnerabilities in major Web browsers to compromise cloud-based point-of-sale (PoS) systems, according to cyber threat intelligence firm, IntelCrawler. The malware, called POSCLOUD by IntelCrawler, targets cloud-based PoS software commonly used by grocery stores, retailers, and other small businesses, the company wrote in a report released Wednesday. Unlike most PoS malware, POSCLOUD doesn’t bother with RAM scraping to intercept payment card information before the system gets a chance to encrypt the data. Instead, the malware relies on keylogging and stealth screenshots to steal personal information and financial data, which are then sold on underground forums to identity thieves, IntelCrawler said.

+ XSS flaw in TweetDeck leads to spread of potential exploits

A cross-site scripting bug in Twitter’s TweetDeck tool caused trouble for many users on Wednesday, and potentially opened up many other users to XSS attacks. A researcher tweeted the vulnerability early Wednesday morning, setting off a wave of online conversation and eventually leading to downtime at TweetDeck, which is Twitter’s tool for tracking online postings. TweetDeck reported that it had fixed the vulnerability about four hours after it was reported, but subsequently took the service down to assess the damage. Service was restored less than six hours after the original vulnerability disclosure, but by that time, many users had unknowingly tweeted out code that could lead to future XSS attacks.

+ Fake dot-gov webmail used in phishing scam to hack EPA and Census staff

A Nigerian man has admitted to compromising the email accounts of federal employees to order agency office products that he then sold on the black market, according to newly filed court papers. Abiodun Adejohn and conspirators cheated government supply vendors out of almost $1 million worth of goods through the scheme. The hackers broke into the accounts through a series of impersonations targeting Environmental Protection Agency and Census Bureau staff. First, they sent the employees “phishing” emails purporting to be from government agencies that contained links to seemingly legit agency webmail login pages. But the webpages actually stole usernames and passwords the employees entered.

+  Chinese Spies Stockpiling Critical Infrastructure Vulnerabilities

A man in China using the online handle UglyGorilla appears to have gained access to the network of a Northeastern US utility company. The intruder copied schematics and security guard memos, sought out systems that regulate natural gas flow. The man, who is one of five people indicted last month by the US Justice Department (DOJ), appears to have been on a scouting mission to prepare for possible cyber warfare. The group that he is part of has allegedly been focused on SCADA systems, looking for flaws that could be exploited to manipulate availability of utilities and mapping physical infrastructure. The strategy is compared to the stockpiling of nuclear weapons during the Cold War.

[NOTE: What is not being emphasized enough here is that our current defenses are stopping virtually none of these actors from gaining footholds, we are rarely seeing them from inside the target, and we have little confidence that we can remove them.  ICS end-users need to re-think maintaining credentials and leveraging services on the less trusted and more accessible enterprise network.  The only way to maintain a secure and therefore reliable and predictable ICS is to rely on secure architecture & practices, deploy real-time monitoring tools, and equip your engineers and security staff with the knowledge and methods to manage the integrity of your operational technology.]

+ Pentagon cyber unit wants to ‘get inside the bad guy’s head’

+ Cybercriminals Zero In on a Lucrative New Target: Hedge Funds

+ Hacking Airwaves with Fruit Part 1: WiFi Pineapple

If you’re doing any wireless penetration testing these days, odds are you have a WiFi Pineapple Mark IV from Hak5 in your toolkit. If you’re not a professional penetration tester or are just starting out with wireless hacking, the Pineapple is a device that will save you a considerable amount of headaches and is easily the best “all-in-one” tool for the job.

+ Air-Gapped Networks Can Be Hacked from Afar – WE sent this before…

Breaching air-gapped networks is not new, but researchers at Ben Gurion University discovered that an attack can be devised using a mobile phone placed in close proximity to the target system.  An air-gapped system is physically isolated from insecure networks and it has no access to the public Internet, so in theory it cannot send or receive data; such a measure is generally taken in the case of classified military networks, nuclear power plant controls and other sensitive areas.

+++   SD/SoCAL items of interest / opportunities


23 –  1:30-2:30 (MON – free)  Roundtable Discussion: The Future of Robotics & Autonomous Systems?

26 –  SD ISSA – lunch meeting – Automating Security Risk Management using IT GRC


12-15 – Esri National Security Summit

When a disaster strikes, knowing what you need and how to find it can be the key factor that saves lives, resources, and critical infrastructure = GIS.

17 – OWASP Monthly Chapter meeting – Tracy Reed / Log based web app attack detection

18 – IEEE / Various Security groups – all day – Privacy by design workshop – a cyber model & why you must be part of this initiative!  (at Coleman University –  AM Technical approach… PM public discussions)

+++  Help move SD forward in cyber –  engage and help out on cyber 4 PbD!!!


11-14 – Gartner Catalyst  –  Harness the Power of IT Convergence

18 –  USENIX Summit on Gaming, Games and Gamification in Security Education (3GSE ’14)

20-22 – 23rd USENIX Security Symposium


Highlight of the week


+ BIG DATA – whatever you think of it or it is, there is clear opportunity / resources in the DATA sector…    I went to the “BigDataCamp-LA” yesterday and it was very well attended and high value (besides being free …)

— So.., we’re working with the organizers to do a “BigDataCamp for SD” in the fall

LA had three tracks.. Hadoop, NoSQL and data science,  SD proposes (1) Hadoop/NoSQL, (2) data science and (3) Applications (privacy & security, novel tools & products, ETC) …   As a better track alignment for SD – being task / outcome oriented  – and making stuff happen – let me know if you want to help SD “DO” DATA…


+ PRIVACY that matters – a cyber model for “Privacy by Design (PbD)” – and why you REALLY need to be aware and play!

Cyber 4 PbD workshop on Friday 18 July – all day at Coleman University…

AND THIS week, Tue, 17th at 6 PM: An overview of Cyber 4 PbD at the ISC2 Chapter meeting…

AT – Mitchell International Inc…  6220 Greenwich Dr..   San Diego, CA 92131



+++  Cyber Security News you can likely use…



+ Updated 20 Critical Controls Interactive Spreadsheet  (this is a pretty cool all-in-one spreadsheet!)



+ Information Risk Maturity Index Says We’re Aware But Not Ready

A new study from PwC and Iron Mountain shows that businesses are having trouble balancing the need for data insight and the need for data security. Information risk programs are in their late adolescence, still trying to find themselves. On the Information Risk Maturity Index, created by PwC and Iron Mountain, businesses in North America and Europe are only rating a 58.8 out of 100. The dilemma, according to PwC and Iron Mountain’s study, is that “organizations expect to gain an information advantage through the exploitation of their information, but must protect it from internal and external threats,” and they have not yet learned to balance the two.



+ Mission impossible? Malwarebytes invents software that blocks zero-day attacks          

US firm Malwarebytes has announced a security product it believes can do something that has eluded even the best-resourced security firms in the business – block all zero-day attacks known and unknown against popular Windows applications. Called Anti-Exploit, the new software is an application developed by a startup Malwarebytes acquired a year ago called ZeroVulnerabilityLabs, founded by ex-Panda Security software engineer, Pedro Bustamente. The germ of the development dated back to an early version of the software that appeared in 2012.



+ U.S. telecom chief tells industry to lead on cybersecurity

The top U.S. telecom regulator on Thursday told communications companies to take the lead in fortifying their networks against cyberattacks, saying they can do more to bolster security short of new government regulations.

In his first major speech devoted fully to cybersecurity, Federal Communications Commission Chairman Tom Wheeler urged the private sector to “step up to assume new responsibility and market accountability for managing cyber risks” before the FCC weighs a regulatory approach to the problem. “The private sector-led effort must be more dynamic than traditional regulation and more measurably effective than blindly trusting the market or voluntary best practices to defend our country,



+ Cloud Security Law, An Overview  (GREAT overview!)

Gartner sees the cloud as a “style of computing where scalable and elastic IT-related capabilities are provided as a service to customers using Internet technologies.”

Government sees: enforcement of specific statutes: HIPAA; CAN-SPAM (commercial messaging); GLB (financial services); COPPA (children); compliance with federal guidelines (NIST).

Federal Trade Commission: primary federal enforcer.

Liability equals Common Law 101: duty, breach, causation, injury/harm, defenses, damages.



+ Cybersecurity a top priority in Senate appropriations bill

Cybersecurity provisions emerged as a leading theme in the fiscal 2015 appropriations bill for the Commerce Department, Justice Department and science agencies. Projects designed to beef up security for government systems, target malefactors in cyberspace, conduct research and encourage the growth of cybersecurity professions and businesses all held their own. The FBI is maintaining the around-the-clock incident-response National Cyber Investigative Joint Task Force and will continue an agent-training program that gives the FBI authority and expertise for incidents affecting government systems, utilities, classified defense contractor systems and banks. The Justice Department is set for an increase to fund 25 new positions, including nine attorneys to prosecute cybercrime cases.



+ How Well Do Tech Companies Protect Your Data From Snooping    (good look at some large web sites)

What happens to your information online? Is it safe? Is it private?

The answers depend in part on what services you use. So we set out to help you figure out the answers for yourself.   Fortunately for you, we are not the only ones asking these questions. The Electronic Frontier Foundation surveyed big tech companies and asked them what kinds of encryption they’ve been using. And last week Google started naming and shaming email providers who were not encrypting email messages as they passed between companies.



+SQL injection attacks haunt retailers

Retail and other industries that accept payment cards for transactions say the infamous SQL injection attack is either intensifying or remaining status quo. In a new Ponemon Institute report on SQL injection and the recent massive retail breaches at Target, Michaels, and other big-box stores, some 53% of respondents say they believe SQL injection was one element of these high-profile breaches, where sensitive and confidential customer information was stolen. Nearly half say SQL injection attacks are occurring at the same rate as always, while 38% say these attacks are increasing. Just 13% of the nearly 600 respondents say SQL injection attacks are decreasing.



+ Is Your BYOD Program Violating HIPAA?

Healthcare employees use their personal smartphones for work, causing a major headache for IT staff who maintain HIPAA compliance. Correspondence between practitioners and patients is mandatory, so banning BYOD is out of the question, leaving IT staff and the organization at risk. Solving this puzzle requires a data-centric approach to BYOD security.



+ –FCC Chairman Urges Private Companies to Take Responsibility for Cyber Security

FCC chairman Tom Wheeler said private sector companies must do better than current efforts that have been pushed forward by established voluntary frameworks. Wheeler said, “the network ecosystem must step up to assume new responsibility and market accountability for managing cyber risks.” If there is not measurable improvement, Wheeler did not rule out the possibility of calling for government regulations. The FCC plans to check whether companies have implemented the framework recommendations, which were developed in 2011, and whether or not they have been effective. The FCC will also look into better ways to help companies share information about cyber threats.



+ ONLINE PRIVACY Survey: Consumers Won’t Trade Privacy for Convenience  (LOTs of privacy statistics!)

While users worldwide are “thrilled by the ease and convenience of their smartphones and Internet services,” they aren’t willing to trade their privacy for more of it, The New York Times reports. That’s according to a new survey of 15,000 consumers in 15 countries conducted by EMC Corporation. Fifty-one percent of respondents said they aren’t willing to trade “some privacy,” while 27 percent said they are. Forty-one percent said they “believe the government is committed to protecting” their privacy, while 81 percent said they expect privacy to erode over the next five years. “Consumers worldwide seem to strongly agree with the notion that there should be laws ‘to prohibit businesses from buying and selling data without my opt-in consent’—87 percent,” the report states.



+ The Internet’s Next Big Idea: Connecting People, Information, and Things.. (IoT and everything)

In the early 1990s, a Web page consisted of crude, rainbow-colored, text-filled boxes that “hyperlinked” to more text. Today, your Internet-enabled smartphone not only gives you access to libraries’ worth of information, but also helps you navigate the physical world. Cyber-physical systems, also called the Internet of Things, are the next big advance for our use of the web. They allow complex systems of feedback and control that can help a robot coordinate with a dog or human in a search-and-rescue operation or help health care providers evaluate the recovery of patients after they leave the hospital.

The Internet of Things is still in its infancy. To mature, it will require public-private collaboration across disciplines and economic sectors. …. demonstrating what’s needed to make the Internet of Things a reality. At the event, 24 teams representing more than 100 organizations from academia, industry and government who responded to the fellows’ SmartAmerica Challenge  (several companies with great demos… partner with on maybe???)




+++  FYI / FYSA  Items of interest…


+ FCC Wants More Cybersecurity Collaboration, Less Regulation

In a speech to the American Enterprise Institute, FCC Chairman Tom Wheeler outlined principles for a market based approach.   FCC Chairman Tom Wheeler on Thursday laid out his vision of the Federal Communications Commission’s role in network security, calling for a more market-based approach, with industry assuming responsibility and leadership.    The new approach he described would be based on collaboration rather than regulation, but Wheeler noted that the FCC still has regulatory authority to back up its goals.



+ US Industry Joins Together in Praising Cyber Risk Management Framework

Twenty-three associations representing nearly every industry sector of the U.S. economy are applauding the Obama administration’s support for a dynamic and flexible approach to addressing cybersecurity risk. .. he emphasized the administration’s view that the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (framework) should remain collaborative, voluntary, and innovative over the long term…



+  Cybersecurity top concern for federal CIOs, CISOs, says TechAmerica survey

Improving cybersecurity emerged as the top priority again for federal chief information officers and chief information security officers, according to an annual survey from industry group TechAmerica. Other top concerns were modernizing or transforming IT operations and migrating to cloud and mobile services. Sixty-three percent of respondents said cybersecurity issues were one of their top three priorities – more than twice as much as other mentioned priorities, according to the report released June 5. Two-thirds said threats to their organizations rose by at least 10 percent in the last year. Not surprisingly cybersecurity and IT security were cited as top challenges along with workforce and budgetary issues.



+ New FedRAMP security controls issued

One day after the deadline for cloud service providers to assess their offerings against the government’s baseline cloud security standards, the Federal Risk and Authorization Management Program, known as FedRAMP, released new security controls and templates for agencies and CSPs to follow as they navigate the initiative’s updated requirements. Friday’s updates reflect changes to the National Institute of Standards and Technology Special Publication (SP) 800-53 security control baseline that went into effect last year and represent the “largest release of information” from the FedRAMP program management office since the initiative’s inception two years ago, according to program manager Matt Goodrich.



+Who needs Heartbleed when many dot-govs don’t even encrypt communications?

More than a quarter of federal websites are not properly configured with software to prevent intruders from intercepting data entered by citizens, according to a new study. Federal sites in general scored 10 percent lower than online banking services and social media networks at site security and server configuration, researchers at the Online Trust Alliance discovered. The study, released Wednesday, looked at 50 cabinet-level and other high-traffic, consumer-oriented federal websites, as well as purported federal sites set up by fraudsters. Phishing emails luring citizens to the bogus sites also were examined.



+ NIST guidance helps agencies break from static IT system reauthorization cycle

In a November 2013 memorandum, the Office of Management and Budget told agencies they could abandon a security reauthorization process required every three years in favor of ongoing authorization of information systems. Now, the National Institute of Standards and Technology is advising agencies on how exactly to make that transition. OMB Memorandum M-14-03 discarded the static reauthorization requirements outlined in OMB Circular A-130, while asking NIST to make sense of a new process for agencies. In a recently published supplemental guidance, NIST says no new guidance is needed. Instead, instruction for the ongoing authorization that agencies need already exists in portions of five special publications – NIST pulled them together and added analysis in the supplemental guidance.



+ Banks: Credit card breach at P.F. Chang’s

Nationwide chain P.F. Chang’s China Bistro said today that it is investigating claims of a data breach involving credit and debit card data reportedly stolen from restaurant locations nationwide. On June 9, thousands of newly-stolen credit and debit cards went up for sale on rescator[dot]so, an underground store best known for selling tens of millions of cards stolen in the Target breach. Several banks contacted by KrebsOnSecurity said they acquired from this new batch multiple cards that were previously issued to customers, and found that all had been used at P.F. Chang’s locations between the beginning of March 2014 and May 19, 2014.



+ Infosecurity – Watch Out For Sneaky Cyber Attacks, M&A Firms Warned

FireEye claims attackers are out to compromise businesses involved in acquisitions for IP gain or access to sensitive info on the deal.  APT prevention firm FireEye has warned businesses involved in mergers and acquisition (M&A) activity of a growing risk from online attackers focused on either stealing IP or lifting sensitive corporate information about the deal.  The M&A market is currently booming, but often under-reported is the widespread cyber espionage activity which occurs when two high profile companies look to merge, threat intelligence analys


+Adobe, Microsoft push critical security fixes

Adobe and Microsoft today each released updates to fix critical security vulnerabilities in their software. Adobe issued patches for Flash Player and AIR, while Microsoft’s Patch Tuesday batch includes seven update bundles to address a whopping 66 distinct security holes in Windows and related products. The vast majority of the vulnerabilities addressed by Microsoft today are in Internet Explorer, the default browser on Windows machines. A single patch for IE this month shores up at least 59 separate security issues scattered across virtually every supported version of IE. Other patches fix flaws in Microsoft Word, as well as other components of the Windows operating system itself.



+ –ACLU Map Shows States Where Law Enforcement Has Stingray Technology (tracking Cell phones!)

The American Civil Liberties Union (ACLU) has published a map showing which states’ law enforcement agencies have cell site simulators. The controversial technology often identified as Stingray, which is actually the trademarked name of a specific device made by a Florida-based company, is confirmed to be owned by law enforcement agencies in 15 US states. Use of the technology in other states has been neither confirmed nor denied. The Harris Corporation, which manufactures Stingray, has required law enforcement agencies that purchase the technology to sign non-disclosure agreements, which prohibit the agencies from even discussing whether or not they have/use the devices and certainly from explaining them.

[…Great point in the synopsis that not all cell phone Man In The Middle, (MITM), devices are manufactured by Harris. There are a growing variety of vendors selling these and since 2010, the plans to make one for less than two thousand dollars have been available. So, cell phone MITM is not just for governments anymore. If someone wants to simply intercept calls as opposed to MITM, (WARNING illegal in the US), a scanner, such as a Radio Shack Pro-2005 can do the job. I am surprised the market for encrypted cell phones isn’t bigger, the technology is available at a reasonable price. But I guess people are getting used to the concept of a total loss of privacy…]



+  –Target Hires First CISO

Target has hired a chief information security officer (CISO), the first in the company’s history. Brad Malorino was named Target Senior Vice President and CISO. Malorino was CISO at General Electric, and more recently, chief information security and information technology risk officer at General Motors. The aftermath of the massive Target breach last year saw the resignation of former Target CEO Gregg Steinhafel and the firing of its former CIO Beth Jacobsen.

[….Hiring a CISO is a great step, though I question the chain of command.  Having a CISO report to the CIO is the digital equivalent of having the auditor report to the CFO.  The CIO in a corporation is responsible for delivering capabilities throughout the organization in an effective and efficient way, and I believe this reporting structure presents an inherent conflict which could impact security. I would much rather see the CISO in a company report to the CSO or the CRO, who have a very different mission and perspective….]



+ Where Are We Now? The Era of Trade Surveillance Automation

“For the first time compliance and surveillance people are demanding access to data instead of running away in fear from it.”

The history of trade surveillance tools may not sound interesting, but Bill Nosal, head of strategic product management, SMARTS, NASDAQ OMX, begs to differ. At the Wall Street & Technology Analytics Edge event, Nosal wove a story of surveillance that demonstrated the leaps and bounds the industry has made in the last two years, and the steep innovation curve that surveillance is still climbing.



+  Officials at the (NIST) have announced plans to establish two new research Centers of Excellence

to work with academia and industry on issues in forensic science and disaster resilience. NIST plans to hold merit competitions to establish the centers, tentatively planned to be funded at up to $4 million a year for five years. NIST Centers of Excellence are meant to provide multidisciplinary research centers where experts from academia, industry and NIST can work together on specific high-priority research topics.



+   New NIST guidance planned as part of federal info policy

The National Archives and Records Administration is leading a plan to create new standards for controlled unclassified government information that includes new NIST guidance and changes to the Federal Acquisition Regulation.

In consultation with more than 150 government entities, NARA has come up with a list of 22 categories and 85 subcategories that are considered CUI under the law. These include copyright and patent information, personally identifiable information, raw census data, intelligence and law enforcement data, and information systems vulnerabilities. These are maintained in NARA’s CUI Registry.



+   Kids To Hack Corporate Crime Caper Case At DEF CON

The Social Engineering Capture the Flag contest for kids is now an official DEF CON contest.

Call it a life-sized DEF CON version of the game Clue. That’s how Christopher Hadnagy, the mastermind behind the fourth annual Social Engineering Capture the Flag Contest for DEF CON Kids and chief human hacker at, describes this year’s contest, which will be held during the famed adult DEF CON hacker conference in Las Vegas.   This year’s “Who Dunnit? A Social Engineering Corporate Crime!” is part and parcel of the official DEF CON conference’s competitions. It previously piggybacked off DEF CON Kids, now known as R00tz.




+ Robots take on World Cup security

From the battlefield to the playing field, robots are increasingly being used to secure high-profile events, like this year’s World Cup.



+ Mobile Security: Pinches Speak Louder Than Passwords  (great overall / c-suite guidance!)

Risk and security professionals hold the analgesic for the pains the C-Suite is feeling when it comes to mobile security. Being willfully locked away for a week on Amelia Island, Fla., with hundreds of members of the long-standing and influential Financial Services – Information Sharing & Analysis Center (FS-ISAC), gave me a good opportunity to gather, probe, reassess, and reconstitute a variety of assumptions, perspectives, and philosophies surrounding mobile security.



+ How Apple’s new software makes it harder for retailers to track your movements

Most consumers know that their shopping is being tracked online; but many don’t realize how easy smartphones have made similar tracking possible in your local mall. Now, Apple has taken measures to stop the practice that lets stores track shoppers by way of a unique code generated by a phone’s wireless Internet connection. Consumers will see those changes when Apple’s new operating system, iOS 8, hits iPhones this fall. Retailers have kept tabs on consumers by tracking the unique code that smartphones send out when trying to connect to wireless networks, known as a MAC address. Under Apple’s new system, the code will be randomized, making it impossible for stores to identify iPhone users in this way, though phones running other operating systems would still be trackable.



+  ISTR: Internet Security Threat Report

The Government Internet Security Threat Report provides an overview and analysis of the year’s global threat activity. The report is based on data from Symantec’s Global Intelligence Network, which Symantec analysts use to identify, analyze, and provide commentary on emerging trends in the threat landscape. Symantec has the most comprehensive source of threat data in the world through the Global Intelligence Network, which contains 41.5 million attack sensors and records thousands of events per second. This network monitors threat activity in more than 157 countries through a combination of enterprise and consumer products and services as well as outside data. Security analysts use big data aggregation and correlation to determine threat activity, deliver comprehensive security protection, and recommend countermeasures.



+ Worldwide cost of cybercrime estimated at $400 billion

A new analysis out today found that the global impact of cybercrime adds up to amounts larger than those of the national income in many countries, coming to an estimated total of more than $400 billion. Compiled by the Center for Strategic International Studies (CSIS) on behalf of McAfee with the help of a team of economists and intellectual property experts, the report, “Net Losses: Estimating The Global Cost Of Cybercrime” (video), found that the cost of cybercrime to the US economy alone equaled approximately $100.4 billion, or 0.64% of the US gross domestic product.





+++  THREATs  / bad news stuff / etc…


+ FCC unveils ‘new regulatory paradigm’ for defeating hackers

In recent months, the Federal Communications Commission has quietly worked to expand its role among federal agencies charged with protecting the nation’s networks from cyberattack. On Thursday, the agency sought to take the lead again, unveiling a new regulatory model aimed at helping phone companies and other telecommunications firms defend themselves from malicious hackers. Under the plan, companies such as AT&T, Verizon, Sprint and others are being asked to voluntarily shore up their networks and to develop a system for ensuring the work is done on schedule. The FCC is also exploring how to bring companies together to research new technologies to thwart hackers and to study the state of the nation’s cybersecurity workforce.



+  New Commercialized Trojan Takes Fresh Approach To Password-Stealing

Unlike most banking malware of today, new Pandemiya skips the Zeus source code and starts from scratch.

Security researchers with RSA reported today that they found a new commercial Trojan malware program in the wild that is one of the first of its kind in a long while to not be based on source code from common variants of commercialized malware like Zeus or Carberp. Called Pandemiya, the malware offers features and functionality similar to its predecessors, with one key difference in how it injects code and behaves on infected machines. Its authors have started marketing the Trojan for between $1,500 and $2,000, depending on the plug-in add-ons chosen by black-market customers.



+ Real Time Endpoint Compliance for Continuous Diagnostics and Mitigation

Federal agencies must take a proactive approach to information and network security due to increasing cybersecurity threats. Read this whitepaper to learn more about a flexible automated framework for effective continuous monitoring and mitigation.


+ New Framework to Test UK Banks’ Cyber Security

A vulnerability testing framework launched by the Bank of England, CBEST will offer “a controlled, bespoke, intelligence-led penetration test against financial institutions’ critical systems.” The customized penetration tests will be developed with information gathered by the government and security companies. Financial organizations will have the opportunity to consult with experts to help them strengthen their security weaknesses.

[…Raising the bar on what can be called a “penetration test” is a good thing, but a lot of what is proposed here is really trying to turn pen testing into more audit-like engagements, with requiring enterprise maturity assessments and multiple documents, etc. Especially in the financial industry, more pages of audit results in cut-and-paste standardized formats will have zero correlation to increased security. The most valuable pen test engagements seem to involve more “bespoked-ness” not less…]



+  CrowdStrike Identifies Another Chinese Espionage Group

The five members of China’s People’s Liberation Army who were indicted last month for allegedly breaking into systems of US companies and stealing sensitive information “are just the very tip of the iceberg,”   according to security company CrowdStrike co-founder George Kurtz. A report from CrowdStrike identifies another group in China that has conducted attacks aimed at stealing information from European, Japanese, and US governments, military contractors, and research and technology companies. This particular group has been infiltrating networks for at least seven years. Employees at the targeted companies, which have not been named, received emails with attached PDFs that claimed to be invitations to relevant conferences, but which actually infected their computers with malware, allowing the group to access the compromised machines and worm their way through the networks. US intelligence agencies are currently tracking activity of more than 20 such groups in China, according to current and former US officials.



+ TweetDeck scammers steal Twitter IDs via OAuth

Scammers are abusing Twitter’s TweetDeck tool as part of a scheme that has roped in thousands of Twitter users, according to Bitdefender. The scammers, believed to be from Turkey, are profiting from users’ desire to increase their Twitter following. In the past month, the scammers have registered dozens of sites dedicated to the scheme and promoted them through Twitter Trends. On the site, the scammers ask the victims for a Twitter username and lure them with an offer to purchase new followers or get them for free. Those who click on the free option get 20 followers immediately. Those who pay the premium are promised 100 to 5,000 new followers a day for five days. To get the new followers, users must authorize TweetDeck. In the process, the scammers make off with the users’ authentication tokens and receive TweetDeck’s permissions without the users’ knowledge.



+ World Cup websites struck down by DDoS attacks  (is YOUR company protected against DDOS???  At least minimally???)

Various websites associated with the World Cup have been struck by a distributed denial of service (DDoS) attack ahead of the tournament’s opening match on Thursday.  The official government World Cup website has been down for more than a day, as well as the websites of some host states. Hacking collective Anonymous has claimed responsibility for the attacks.   The hacker group has published a list of over 60 websites that have been successfully taken down and are still offline at the time of writing, including the Brazil website of recording giant Universal Music.



+ Chinese military responsible for some cyber attacks on U.S. federal systems, DoD says

The Defense Department said some cyber attacks to federal and other global computer systems can be “attributable directly to the Chinese government and military,” in its annual report to Congress. The wide-ranging report, which covers China’s military and security developments for 2013, said the cyber intrusions focused on “exfiltrating” – essentially stealing – information from U.S. diplomatic, economic and defense sectors. “The information targeted could potentially be used to benefit China’s defense industry, high-technology industries, policymakers’ interest in U.S. leadership thinking on key China issues, and military planners’ understanding of U.S. defense networks, logistics, and related military capabilities that could be exploited during a crisis,” according to the DoD report.



+ China Putter Panda APT Attacks on Space Linked to PLA Unit

With indictments still fresh against a handful of Chinese nationals accused of hacking American companies and stealing intellectual property, another branch of the People’s Liberation Army and allegedly one of its officers have been outed for cyberespionage against U.S. and European aerospace and satellite companies. Unit 61486 of the PLA Third General Staff Department 12th Bureau, code named Putter Panda by American security company CrowdStrike, is alleged to have carried out APT-style espionage campaigns, exfiltrating data from a number of unnamed companies in the space and defense industries.  CrowdStrike’s report on Putter Panda also connects a number of dots to identify an individual named Chen Ping, also known as cpyy, as the person who registered domains associated with the espionage campaign. The report also points to overlaps in intelligence and information sharing between Unit 61486 and Unit 61386, commonly known as the Comment Crew, which was identified by Mandiant in its APT1 report.



+ Meet The “Minerva Research Initiative” – The Pentagon’s Preparation For “Mass Civil Breakdown”

What does China know that the US doesn’t? As it turns out, nothing…    Because long before China was practicing counter-riot ops using rubber bullets, all the way back in 2008 the US Department of Defense was conducting studies on the dynamics of civil unrest, and how the US military might best respond. The name of the project: “Minerva Research Initiative”, and its role is to “improve DoD’s basic understanding of the social, cultural, behavioral and political forces that shape regions of the world of strategic importance to the U.S.”    The Guardian, which first revealed the details, reports that “The multi-million dollar programme is designed to develop immediate and long-term ‘warfighter-relevant insights’ for senior officials and decision makers in ‘the defense policy community,’ and to inform policy implemented by ‘combatant commands.’”



+++  News you can likely use…


+ Great Reference Graphic (InfoGraph) To Keep Your Brain Engaged On All Elements Of Big Data

If you are an analyst, enterprise architect, CIO, CTO, CISO, CFO or even a business executive seeking insights into the nature of modern data solutions you will find the poster below to be a fantastic resource.  Download and print and post on your wall to periodically review and to continue to ensure you are thinking of the many related elements of analytical solutions.



+ Days after a federal seizure, another type of ransomware gains ground

It has been mere days since federal agents seized control of computer networks used by hackers to infect victims with CryptoLocker, a piece of malware known as “ransomware,” which encrypts the contents of computing devices so hackers can demand a ransom to decrypt it. Now security researchers are seeing an influx of another form of ransomware, called Cryptowall. In April, criminals began advertising RIG, a so-called exploit kit, which automates the exploitation of software vulnerabilities. For $60 a day or $300 a week, criminals could use it to infect victims’ machines with 8 to 12 percent success rates, according to advertisements. Almost immediately, security researchers began noticing the kits being used across the Internet, in many cases to distribute Cryptowall.





+ Your customer’s high cost of privacy

This writer has said numerous times that privacy is waning and dying. Partly because we have allowed it with our bazillion posts to social media and partly because of the shift from print advertising to digital. During that shift, lots of creative types figured out how to figure you out and get inside your digital head. But all at a cost to your privacy…    Arwa Mahdawi in the Guardian brilliantly posed “Privacy isn’t dead, but it’s getting very expensive.” So true.  “Consumers should not have to be tech savvy or have a lot of money or make impractical lifestyle changes in order for their private information to be leak-proof.” OF COURSE….  So get behind “privacy by design!!!”



+ Quantifying privacy: A week of location data may be an ‘unreasonable search’

When does the simple digital tracking of your location and movements – the GPS bleeps from most of our smartphones – start to be truly revealing? When do the data points and inferences that can be drawn from it strongly suggest, say, trips to a psychiatrist, a mosque, an abortion clinic, a strip club or an AIDS treatment center?

The answer, according to a new research paper, is about a week, when the data portrait of a person becomes sufficiently detailed to qualify as an “unreasonable search” and a potential violation of an individual’s Fourth Amendment rights.



+ Privacy is important to everyone – individuals to organizations – as THAT security message sells well!!!

— SD IEEE / various security groups are hosting a Cyber model for Privacy by Design (PbD) on Friday 18 July – save the date.    The AM will be more of a technical review / finessing the mechanics – the PM will be a public discussion and impact session.  Held at Coleman University – NO COST – YOUR company really needs to be part of this PbD initiative, so check it out!  Engage now and be part of the next BIG thing in cyber… DO something and quit just admiring the problem…



+ What Can You do Differently to Guard Against Threats From Rapidly Evolving Mobile Malware?

One hundred percent of the top 100 paid Google Android mobile applications have been hacked. Fifty-six percent of the top 100 paid Apple iOS apps have been hacked. In today’s business climate, you cannot avoid going mobile. So, what do you need to do differently? This white paper discusses the risks that accompany mobile computing and applications and explains how IBM Security AppScan can help you determine vulnerabilities early in the application development cycle to eliminate vulnerabilities malware can exploit.



+ At WWDC, Apple is set to make push into monitoring health and home

Apple is unlikely to introduce new devices this week, the things that most excite customers and investors these days. But the company is expected to dive deeper into two new areas: connected health and the so-called smart home. Along with operating system updates for mobile and desktop machines, Apple plans to introduce a new health-tracking app at its annual Worldwide Developers’ Conference on Monday, according to a person briefed on the product, who spoke on the condition of anonymity because the plans were confidential. Apple is also expected to make an announcement about its efforts with connecting to so-called smart home devices, or home appliances that can be wirelessly controlled with a smartphone, like light bulbs, thermostats or door locks.



+ Twitter releasing trove of user data to scientists for research

Twitter has a 200-million-strong and ever-growing user base that broadcasts 500 million updates daily. It has been lauded for its ability to unsettle repressive political regimes, bring much-needed accountability to corporations that mistreat their customers, and combat other societal ills (whether or not such characterizations are, in fact, accurate). Now, the company has taken aim at disrupting another important sphere of human society: the scientific research community. Back in February, the site announced its plan, in collaboration with Gnip, to provide a handful of research institutions with free access to its data sets from 2006 to the present. It’s a pilot program called “Twitter Data Grants,” with the hashtag #DataGrants.



+ MQTT – the Message Queuing Telemetry Transport Protocol –  if you do “IoT” you need to do M2M securely!

This note provides guidance for organizations wishing to deploy MQTT in a way consistent with the NIST Framework for Improving Critical Infrastructure cybersecurity.  The OASIS MQTT TC is producing a standard for the Message Queuing Telemetry Transport Protocol compatible with MQTT V3.1, together with requirements for enhancements, documented usage examples, best practices, and guidance for use of MQTT topics with commonly available registry and discovery mechanisms.


+ Password breaches: End-user carnage is unspoken heartache

Hear the chorus: Digital life must evolve beyond passwords. See the reality: eBay, Spotify, Avast, Adobe, Yahoo, Target, Twitter, Zappos, Gawker, Sony, Apple (twice), Fox, CBS, LinkedIn, eHarmony, Neiman Marcus Group Ltd., and Michaels Stores Inc. All hacked. I know I’ve missed many, but there likely will be more to add in a few weeks or even days. From a corporate perspective, the reputation backlash and financial hit from a password or data breach has become so stifling that Spotify reacted this week to the theft of a single user’s data by asking nearly 40 million other customers to change their passwords. The end-user carnage? Unknown, because losing your personal data can easily turn into 20 miles of uncharted broken glass. Password breaches torture end-users more so than the company, merchant or service. Stolen passwords are sold on the black market and new hacks come at users from unexpected and unusual angles, with the original hacked company too obscured by the trail of tears to be tagged with liability.



+ Malware creation breaks all records! 160,000 new samples every day

Great view of all the various malware and types…





+++  FYI / FYSA  Items of interest…



+ NIST tells agencies how to get ready for continuous monitoring

The National Institute of Standards and Technology is providing agencies with the steps needed to transition to a more dynamic cybersecurity environment. As agencies continue to move toward real-time risk management, NIST released additional guidance for updating the information system authorization process. NIST’s supplemental guidance builds on the Office of Management and Budget’s information system continuous monitoring (ISCM) process, detailed in a November 2013 memo. In that guidance, OMB gave agencies until 2017 to implement this new approach to securing their systems and data.



+ Supplemental Guidance on Ongoing Authorization: Transitioning to Near Real-Time Risk Management

NIST announces the release of Supplemental Guidance on Ongoing Authorization: Transitioning to Near Real-Time Risk Management. This publication responds to Office of Management and Budget (OMB) Memorandum M-14-03, Enhancing the Security of Federal Information and Information Systems, that directed NIST to publish guidance establishing a process and criteria for federal agencies to conduct ongoing assessments and ongoing authorization. This is the first of three major updates to NIST guidance supporting the Risk Management Framework and the full transition to ongoing authorization by employing best practices in information security continuous monitoring. The second publication, an errata update to NIST Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, will be released on June 10, 2014.



+ The big three… what MAY stop the malware intrusion?

Information security techniques certainly are improving. The SANS Top Twenty Critical Controls, for example, are constantly improving and are being adopted by more and more organizations. Also, security hardware devices and software applications are getting better at a steady rate. But the question we have to ask ourselves is: are these improvements outpacing, or even keeping up with, the competition? I think a strong argument can be made that the answer to that question is NO! Last year there were plenty of high profile data loss incidents such as the Target debacle. Over 800 million records were compromised that we know of, and who knows how many other unreported security breaches of various types occurred?  I think we should start looking at the situation more realistically and shift the focus of our efforts into strategies that have a real chance of improving the situation. And to me the security capabilities that are most likely to bear fruit are incident detection, incident response, and user education and awareness: the Big Three.



+ They hack because they can

The Internet of Things is coming… to a highway sign near you? In the latest reminder that much of our nation’s “critical infrastructure” is held together with the Internet equivalent of spit and glue, authorities in several U.S. states are reporting that a hacker has once again broken into and defaced electronic road signs over highways. Earlier this week, news media in North Carolina reported that at least three highway signs there had apparently been compromised and re-worded to read “Hack by Sun Hacker.” Similar incidents were reported between May 27 and June 2, 2014 in two other states, which spotted variations on that message left by the perpetrator (including an invitation to chat with him on Twitter).



+ When you’re planning to rob the Russian cyber mob, you’d better be smarter than they are!

Be sure that you have the element of surprise, that you can make a clean getaway, and that you understand how your target is going to respond. Today’s column features an interview with two security experts who helped plan and execute this week’s global, collaborative effort to hijack the Gameover Zeus botnet, an extremely resilient and sophisticated crime machine that helped an elite group of thieves steal more than $100 million from banks, businesses and consumers worldwide.



+ Google’s Transparency Report Lists Providers that Do and Do Not Support eMail Encryption

Google’s transparency report will now include a list of which service providers encrypt email to and from Gmail and which do not. An announcement on Google’s blog noted that “Gmail has always supported encryption in transit by using transport layer security (TLS), and will automatically encrypt … incoming and outgoing emails if it can. The important thing is that both sides of an email exchange need to support encryption for it to work.”
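The point in that quote, that transit encryption only happens when both sides of the exchange offer it, is a property of opportunistic STARTTLS in SMTP: the sending server asks the receiving server what it supports (EHLO) and only upgrades the connection if STARTTLS is among the advertised extensions. The script below is an added example, not Google's code or part of the transparency report; it parses a constructed EHLO reply to decide whether STARTTLS is offered, and includes a live probe (which needs network access and uses the placeholder host `mx.example.com`) that performs the upgrade with certificate verification so a defender can check their own mail servers.

```python
"""Check whether an SMTP server advertises STARTTLS (opportunistic TLS in transit).

Added example for this newsletter item; not Google's code. The EHLO replies
below are constructed for illustration and mx.example.com is a placeholder.
"""
import smtplib
import ssl

# Constructed EHLO reply from a receiving MX that offers STARTTLS.
SAMPLE_EHLO_WITH_TLS = (
    "250-mx.example.com at your service\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)

# Constructed EHLO reply from an MX that does NOT offer STARTTLS:
# mail to it goes over the wire in plaintext no matter what the sender supports.
SAMPLE_EHLO_WITHOUT_TLS = (
    "250-mx.example.net Hello\r\n"
    "250-SIZE 10240000\r\n"
    "250 8BITMIME\r\n"
)


def ehlo_capabilities(ehlo_response: str) -> set:
    """Return the extension keywords from a multi-line 250 EHLO reply.

    The first line carries the server's domain/greeting and is skipped;
    every following line looks like "250-KEYWORD params" or, for the
    last line, "250 KEYWORD".
    """
    caps = set()
    for line in ehlo_response.splitlines()[1:]:
        if len(line) < 4 or not line.startswith("250"):
            continue
        body = line[4:].strip()
        if body:
            caps.add(body.split()[0].upper())
    return caps


def starttls_advertised(ehlo_response: str) -> bool:
    """True when the server offers the STARTTLS extension."""
    return "STARTTLS" in ehlo_capabilities(ehlo_response)


def probe_mx(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live check against a real server (requires network): connect, EHLO,
    and if STARTTLS is offered, upgrade with full certificate verification.
    Returns whether STARTTLS was offered and which TLS version was negotiated.
    """
    result = {"host": host, "starttls": False, "tls_version": None, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            code, _ = smtp.ehlo()
            if code != 250:
                result["error"] = f"EHLO rejected with code {code}"
                return result
            result["starttls"] = smtp.has_extn("starttls")
            if result["starttls"]:
                # Default context verifies the chain and hostname; a plain
                # starttls() without it would accept any certificate.
                ctx = ssl.create_default_context()
                smtp.starttls(context=ctx)
                result["tls_version"] = smtp.sock.version()
    except (OSError, smtplib.SMTPException, ssl.SSLError) as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    print("constructed MX offers STARTTLS:", starttls_advertised(SAMPLE_EHLO_WITH_TLS))
    print("constructed MX without TLS:", starttls_advertised(SAMPLE_EHLO_WITHOUT_TLS))
    # probe_mx("mx.example.com")  # placeholder host; run against your own MX
```

One caveat worth keeping in mind when reading the transparency list: because STARTTLS is opportunistic, a sender that cannot complete the upgrade (no extension offered, or a failed handshake) normally falls back to plaintext delivery rather than refusing to send, so "supports encryption" on one side says nothing about a given message until the other side is checked too.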

+ Google Testing eMail Encryption Plug-in

Google is testing a tool for its Chrome browser that allows users to encrypt their email. The End-to-End plug-in uses OpenPGP to encrypt, decrypt, digitally sign, and verify messages in Chrome. The plug-in is currently in alpha testing mode and is not yet available in the Chrome Web Store.



+ GAO: Agencies can’t always prove they respond to breaches

About 65 percent of the time, federal departments did not have sufficient evidence of the steps they took to respond to cyber incidents, according to federal auditors. They often were able to show the extent of the breach, but not the severity of the impact to agency operations, Government Accountability Office officials said. One mistake highlighted in a report GAO released on Friday: an agency learned from the Homeland Security Department that system login credentials at two divisions may have been compromised. When agency personnel responded, they “mistyped the potentially compromised credentials for one component,” didn’t respond when that component asked for clarification, and failed to follow up with the other component when no one there responded to an alert, Gregory Wilshusen, director for GAO information security issues, said in the audit.



+ Secret global strike kills 2 malicious web viruses – YEAH… strike one against the evil criminals!!!

Federal agents over the weekend secretly seized control of two computer networks that hackers used to steal millions of dollars from unsuspecting victims. In doing so, the Justice Department disrupted the circulation of two of the world’s most pernicious viruses and turned a 30-year-old Russian computer hacker into a most-wanted fugitive. The strike, coordinated with the European authorities, was aimed at malware called GameOver Zeus, which is known to steal bank information and send it to overseas hackers, and CryptoLocker, which burrows into computers and encrypts personal data. The hackers then demand a ransom to unlock the files.



+ Automating cybersecurity

If only computers themselves were smart enough to fight off malevolent hackers. That is the premise of an ambitious two-year contest with a $2 million first prize, posed to the world’s computer programmers by the Defense Advanced Research Projects Agency, better known by its acronym, Darpa. It is the blue-sky, big-think organization within the Defense Department that created a precursor of the Internet in the late 1960s and more recently held a contest that spurred development of self-driving cars. Michael Walker, the Darpa cybersecurity program manager who is running the contest, imagines a future in which sensors on computer networks could detect intruders, identify the flaws that let them in, and automatically make the necessary repairs, all without a human computer expert lifting a finger.



+ Facebook Privacy: 10 Settings To Check

Facebook’s latest privacy changes include a number of welcome improvements. Learn how to tweak your settings for the least exposure.






+++  THREATs  / bad news stuff / etc…


+ Warrant for cybercrime mastermind – UK

More than 15,000 in the UK may already be infected by ‘Gameover Zeus’

The virus could cost the British economy millions, experts warn

The software can also lock computers and demand a ransom to unlock

Russian Evgeniy Mikhailovich Bogachev accused of being virus mastermind

Alleged gang also consists of British criminals, according to prosecutors

But he may never be arrested, as Russia does not extradite accused criminals to other countries



+ New bug found in widely used OpenSSL encryption

Security experts are still trying to plug the hole left by Heartbleed, the bug found in the widely used OpenSSL encryption library, with some 12,000 popular domains still vulnerable, according to AVG Virus Labs. Now they have something else to worry about. On Thursday, the OpenSSL Foundation issued a warning to users that a decade-old bug makes it possible for an attacker to conduct a so-called man-in-the-middle attack on traffic encrypted with OpenSSL. The advisory warns users that someone could use the bug to intercept an encrypted connection, decrypt it, and read the traffic.

[Note: If you are using OpenSSL, stop and breathe. These guys are on it; you are going to be fine. If you are NOT using OpenSSL, the big question is whether your implementation is secure:

These latest vulnerabilities, together with the earlier Heartbleed issues and the ending of the TrueCrypt project, are a good reminder that not all code is fully secure. Just because something is open source, with its source code available to be read by thousands of eyes, does not automatically mean that all bugs, particularly security bugs, will be detected. One of the latest OpenSSL vulnerabilities has been around for over 10 years. As with any system or software deployed in your environment, carry out your own risk assessment of it before deploying it, and ensure you have a vulnerability management strategy to manage any issues that may arise…..]



+ China escalating attack on Google

The authorities in China have made Google’s services largely inaccessible in recent days, a move most likely related to the government’s broad efforts to stifle discussion of the 25th anniversary of the crackdown on pro-democracy demonstrators in Tiananmen Square on June 3 and 4, 1989. In addition to Google’s search engines being blocked, the company’s products, including Gmail, Calendar and Translate, have been affected. This is not the first time China has taken aim at Google and its users there. The authorities in China blocked Google for 12 hours in 2012, according to an independent censorship-monitoring website, which published a blog post about the recent problems on Monday. But the recent crackdown is more severe, and there was no indication of how long it would last.



+ Meet “Cupid,” the Heartbleed attack that spawns “evil” Wi-Fi networks

It just got easier to exploit the catastrophic Heartbleed vulnerability against wireless networks and the devices that connect to them thanks to the release last week of open source code that streamlines the process of plucking passwords, e-mail addresses, and other sensitive information from vulnerable routers and connected clients.   Dubbed Cupid, the code comes in the form of two software extensions. The first gives wireless networks the ability to deploy “evil networks” that surreptitiously send malicious packets to connected devices. Client devices relying on vulnerable versions of the OpenSSL cryptography library can then be forced to transmit contents stored in memory. The second extension runs on client devices. When connecting to certain types of wireless networks popular in corporations and other large organizations, the devices send attack packets that similarly pilfer data from vulnerable routers.



+ Six governments tap Vodafone calls

The world’s second-biggest mobile phone company Vodafone revealed government agencies in six unidentified countries use its network to listen to and record customers’ calls, showing the scale of telecom eavesdropping around the world. The United States and Britain both came in for global scrutiny and criticism after Edward Snowden, a former contractor with the U.S. National Security Agency (NSA), disclosed their vast phone, email and internet surveillance operations. But Vodafone, which has 400 million customers in countries across Europe, Africa and Asia, said in its “Disclosure Report” on Friday that countries in its reach are using similar practices.



+ Some Dude Hacks Microwave, Puts Manufacturers to Shame  (of course he did… cars, and almost everything else too!)



+ New attack methods can ‘brick’ systems, defeat Secure Boot, researchers say

The Secure Boot security mechanism of the Unified Extensible Firmware Interface (UEFI) can be bypassed on around half of computers that have the feature enabled in order to install bootkits, according to a security researcher. At the Hack in the Box 2014 security conference in Amsterdam, Corey Kallenberg, a security researcher from nonprofit research organization Mitre, also showed Thursday that it’s possible to render some systems unusable by modifying a specific UEFI variable directly from the OS, an issue that could easily be exploited in cybersabotage attacks.


