CYBER NEWS TIDBITS 4 U JULY 2014

Welcome to Cyber News Tidbits 4U!

Here are updated news compilations from the Cyber Security Community

Topic headers (+++):

1 – Security news you can likely use (re: management / opportunity items)

2 – Other items of general FYI / FYSA level interest

3 – Threats / bad news stuff / etc.. 

and…

4 – SD/SoCAL items of interest / opportunities   (send me your SD meetings!) 


JULY 28

A couple of Highlights of the week

(A couple of items of potentially notable interest / high utility &  value… your mileage will vary….)

+ Putin signs data retention law  (so what country is NEXT???)

Russian President Vladimir Putin has signed a law requiring internet companies to store all personal data of Russian users at data centers in Russia, a move which could chill criticism on foreign social networking sites like Facebook and Twitter. These companies, which do not have offices in Russia, have become a vital resource for opposition groups and refuse to hand over user data to governments. The use of Russian data centers would make them subject to Russian laws on government access to information.

http://www.zdnet.com/putin-signs-data-retention-law-7000031897/


+ Got a CDO…. Chief Data Officer?  Do we even know what that is / does?

Capital One, the Federal Reserve, Google, New York City and the U.S. Army all have at least one thing in common: they each employ a chief data officer to oversee their big data programs.

http://www.information-management.com/news/behind-the-rise-of-the-chief-data-officer-10025918-1.html?utm_campaign=daily-jul%2026%202014&utm_medium=email&utm_source=newsletter&ET=informationmgmt%3Ae2861905%3A1988203a%3A&st=email


+ Confused on all the data jobs? 13 analytics jobs compared

http://news360.com/article/249681543


+ What You Can Buy for the Same Cost as Malware

Depending on the type, malware tools and kits can cost as little as $200 on the black market – price tags that rival common items and services that we buy every day. And guess what? Despite their affordability, these malicious tools can be quite effective, and your business could be the next victim. That’s why it’s critical to shore up your anti-malware defenses to help protect your valuable information. Check out the infographic, which depicts what the average consumer can buy for the same price as malware – a reminder of just how simple and cost-friendly it is to be an attacker these days.

https://www.trustwave.com/Resources/Trustwave-Blog/What-You-Can-Buy-for-the-Same-Cost-as-Malware/?page=1&year=0&month=0&topic=0&category=0&author=0


+ Security undermined by companies investing in the wrong areas

The new report provides an assessment of the degree of confidence IT departments have in their efficacy, and identifies the areas most likely to receive future enhancements and investment.

http://www.information-age.com/technology/security/123458243/security-undermined-companies-investing-wrong-areas


+ Growth In The Internet Of Things Market – 2

The ‘Internet Of Things’ Will Be Bigger Than The Smartphone, Tablet, And PC Markets Combined

http://www.businessinsider.com/growth-in-the-internet-of-things-market-2-2014-2


+++  Cyber Security News you can likely use…


+ Forget ‘Things’ – It’s The Internet Of Business Models

With the Internet of Things, sensors and telematics don’t mean much if they’re not helping you disrupt traditional business models.

http://www.informationweek.com/strategic-cio/digital-business/forget-things—its-the-internet-of-business-models/a/d-id/1297515?_mc=NL_IWK_EDT_IWK_daily_20140724&cid=NL_IWK_EDT_IWK_daily_20140724&elq=b6756bea86bd41f8ab488494605e8a76&elqCampaignId=6566


+ Infographic: With BYOD, Mobile Is The New Desktop

Security teams have no choice but to embrace the rapid proliferation of BYO devices, apps, and cloud services. To ignore it is to put your head in the sand.   The convergence of mobile and cloud has increased employee productivity and increased the risk of data loss for enterprises. Because both technologies are data-centric and expose corporate data outside of the enterprise, we have to be aware of how we’re managing our resources and protecting our assets.

Not knowing how to protect corporate data, many organizations have been hesitant to adopt mobile and cloud technologies.

http://www.darkreading.com/cloud/infographic-with-byod-mobile-is-the-new-desktop/a/d-id/1297436?_mc=NL_DR_EDT_DR_daily_20140723&cid=NL_DR_EDT_DR_daily_20140723&elq=4e22368f7d944d6fb914c092198cacca&elqCampaignId=6504


+ Internet of Things: Security For A World Of Ubiquitous Computing

Endpoint security is hardly dead, and claiming that it is oversimplifies the challenges corporations face now and in the not-very-distant future. I got an email from my car the other day, informing me about its need for service. As a security professional, I found it unsettling: not surprising, but unsettling. What’s my car doing on the Internet, anyway? What are the possible implications of that? Security practitioners within corporate IT are rightly focusing on the emerging risks presented by laptops, tablets, and smartphones when used by employees and contractors in the course of doing business. But other trends are developing all around us that challenge the foundations of our security assumptions.

http://www.darkreading.com/endpoint/internet-of-things-security-for-a-world-of-ubiquitous-computing/a/d-id/1297430?_mc=NL_DR_EDT_DR_daily_20140722&cid=NL_DR_EDT_DR_daily_20140722&elq=629a39ff11734ac8bbd4532d62d5bc09&elqCampaignId=6438


+ Is the Internet of Things Getting Too Big?

US presidential policy advisers are concerned that the Internet of Things is simply too large. Companies that are making some of the items, such as refrigerators, “are not information companies, and the effect is that we are much more vulnerable,” according to Defense Policy Board and President’s Intelligence Advisory Board member Richard Danzig. A report from Danzig’s Center for a New American Security suggests that security can be improved by paring down systems to their essentials, so that they may be able to do less, but also will present fewer opportunities for security problems.

http://www.nextgov.com/cybersecurity/2014/07/some-things-should-be-banned-internet-things/89636/?oref=ng-channeltopstory

[There are some good thoughts in this report, but if we really pared things down to their essentials to be more secure, cars would not have radios or cup holders and PCs would not include network interfaces. Trying to force technology changes to match old approaches to security is not a real world option.]


+ DASN C4I, IO, and Space Discusses NGEN, CANES and IT Cost Savings

Dr. John A. Zangardi assumed the duties of Deputy Assistant Secretary of the Navy, Command, Control, Communications, Computer Systems, and Intelligence, Information Operations and Space (DASN C4I, IO, and Space) in March of 2011.

In this capacity, he provides executive oversight on all Department of Navy business enterprise, information technology acquisition and all space related acquisition. In his oversight role, he coordinates with key stakeholders to maximize alignment with Navy and Marine Corps needs. Mr. Zangardi responded to questions in writing in July.

http://www.doncio.navy.mil/chips/ArticleDetails.aspx?ID=5293


+ Wall Street Journal Hacked Again | really…AGAIN!

A SQL injection flaw in a Wall Street Journal database led to the breach. A vulnerability in a web-based graphics system led to a breach of The Wall Street Journal’s network by a hacker, the newspaper acknowledged late Tuesday. The system was taken offline, and the intrusion did not affect customers or customers’ data, according to a story published by the paper.

http://www.enterprise-security-today.com/news/Wall-Street-Journal-Hacked-Again/story.xhtml?story_id=11300CO5Y5R7


+ How Hackers Hid a Money-Mining Botnet in the Clouds of Amazon and Others

Hackers have long used malware to enslave armies of unwitting PCs, but security researchers Rob Ragan and Oscar Salazar had a different thought: Why steal computing resources from innocent victims when there’s so much free processing power out there for the taking?

http://www.wired.com/2014/07/how-hackers-hid-a-money-mining-botnet-in-amazons-cloud/


+ Hacking: The $3 Trillion Threat » SO…. just DO hygiene and PbD!!!

Threats and high risk costs are almost boring nowadays. Just get an improved cyber hygiene program going; it nets a 95% drop in security incidents. Then build in privacy by design for a huge liability reduction!!!

I guess that simple message is too hard to see?   As the RoI is huge…

http://gulfbusiness.com/2014/07/hacking-the-3-trillion-threat/#.U9QPm6NlDFo


+ Your Biggest Security Threats are Convenience and Ignorance

You’d think most of these breaches were the result of some sort of attack—a hacker or group of hackers trying to break in and find anything they can. Interestingly enough, 55 percent of security breaches were caused by human error, which is something we’re all familiar with. One can speculate as to why human error is a key piece of so many security breaches, but the fact is that these errors are likely the result of one (or both) of two things: a need for convenience, or simple ignorance.

http://m.windowsitpro.com/blog/your-biggest-security-threats-are-convenience-and-ignorance


+ Researchers Develop ‘BlackForest’ to Collect, Correlate Threat Intelligence

Researchers at the Georgia Tech Research Institute develop the BlackForest system to help organizations uncover and anticipate cyberthreats. That idea is the linchpin of BlackForest, a new cyber intelligence collection system developed by experts at the Georgia Tech Research Institute (GTRI). The system is meant to complement other GTRI systems that are designed to help companies and other organizations deal with sophisticated attacks.

http://www.darkreading.com/researchers-develop-blackforest-to-collect-correlate-threat-intelligence–/d/d-id/1297570?_mc=NL_DR_EDT_DR_daily_20140728&cid=NL_DR_EDT_DR_daily_20140728&elq=9ee967f4488345d08f7c4d60a99d70cf&elqCampaignId=6653


+ Changing the Culture of Government Cybersecurity Through The Agile Cybersecurity Action Plan (ACAP):

Changes the organization’s focus from compliance to adapting to new risks and threats. A cross-functional leadership team shares information and decisions to create an evolving risk profile and a resulting Cybersecurity Strategy. Uses agile methods to generate the near 90% solution response to the current risk profile and then iterates on 1-6 month cycles depending on technical and cyber turbulence. Each cycle the team assesses the organization’s Cybersecurity Infrastructure: Technology, Monitoring and Response Processes/Plans, Staff Capacity and Policies. This is an adaptive approach that focuses not on perfection, but on good enough, iterating and adapting to make it better. Value is in creating a culture where strategy is seen as provisional, adaptive to changing threats and focused on action planning and implementation. Although the approach is “framework agnostic”, it can be a powerful process for implementing the Federal Cybersecurity Framework.

http://volvoxinc.com/wp-content/uploads/2014/07/ACAP_10_07242014.pdf


+ An IT Auditor’s Guide to Security Controls & Risk Compliance (GREAT eBook!)

Governance, risk and compliance professionals face many challenges. Most organizations must comply with multiple standards covering privacy, corporate financial data, protected health information and credit card data.

Are you meeting the minimum requirements of the standards applicable to your business?

https://www.bit9.com/download/eBook/An-IT-Auditor-Guide-to-ecurity-Controls-Risk-Compliance.pdf


+ Keeping Secrets on the Internet of Things – Mobile Web Application Security (good slide show)

http://www.slideshare.net/mobile/Kellydotrobertson/keeping-secrets-on-the-internet-of-things-mobile-web-application-security


+ From Flying Cars To 3-D Printed Candy: Hottest Tech Trends And Brands At SXSW

Data security and privacy…   wearable tech…  payment methods.. mobile… Apple…

http://www.forbes.com/sites/ekaterinawalter/2014/03/18/from-flying-cars-to-3-d-printed-candy-hottest-tech-trends-and-brands-at-sxsw/


+ (NIST) TBT Notifications for United States of America Update

Are you a U.S. exporter? Register for Notify U.S. – a free, web-based alert service on changing foreign and U.S. technical regulations that could affect global market access for your business. www.nist.gov/notifyus


+ The Rising Threat of Cybercrime

Organizations are being breached on a daily basis while often completely unaware that their valuable information is being stolen. 94% of cybercrime victims discovered a compromise only because a 3rd party notified them, and once a cybercriminal gains access to an enterprise’s network it takes an average 416 days to detect the intrusion…  SO.. understand cybercriminal motives and methods and how you can create an effective defense.

http://gcn.com/~/media/F9433ED092C249FEB7C5477489600A41.pdf


+++  FYI / FYSA  Items of interest…


+ Did the White House website violate its own privacy rules?

The White House may have misled people who visited its website about how it tracked their online behavior. In a forthcoming paper, a group of researchers write that thousands of top websites, including WhiteHouse.gov, have been using a new persistent type of online tracking. Justin Brookman, the director of consumer privacy at the Center for Democracy and Technology, said the tracking was “probably inconsistent” with the White House’s own website privacy policy. According to the paper, which was first reported on by ProPublica, the White House site and other sites have been using a firm called Addthis, which used a form of tracking different from cookies.

http://www.nextgov.com/technology-news/2014/07/did-white-house-website-violate-its-own-privacy-rules/89300/


+ GAO: Weaknesses remain in FDIC’s information security

The Federal Deposit Insurance Corporation enforces banking laws and regulates financial institutions across the country, yet weaknesses in its security posture place information at unnecessary risk, according to a new Government Accountability Office report. The GAO report posits that while FDIC has “made progress in securing key financial systems” following a series of GAO audits dating back to 2011, its failure to implement specific recommendations by the watchdog agency has led to vulnerabilities in the “confidentiality, integrity, and availability of financial systems and information.”

http://www.nextgov.com/cybersecurity/2014/07/gao-weaknesses-remain-fdics-information-security/89126/


+ Significant deficiencies found in Treasury’s computer security

Weaknesses in Treasury Department computer systems that track federal debt are severe enough to disrupt accounting, according to a government audit. Newly discovered security vulnerabilities at the Bureau of the Fiscal Service, coupled with older unfixed problems, constitute a “significant deficiency” for financial reporting purposes, the Government Accountability Office found. The weaknesses “increase the risk of unauthorized access, modification, or disclosure of sensitive data and programs, which could result in the disruption of critical operations,” Gary Engel, GAO director for financial management and assurance, wrote in an audit released July 18.

http://www.nextgov.com/cybersecurity/2014/07/significant-deficiencies-found-treasurys-computer-security/89144/


+ iPhones have major security hole that Apple installed on purpose

If you use an iPhone or iPad, your photos, web history, and GPS logs are vulnerable to theft and surveillance via back-door protocols running on all iOS devices, according to forensic scientist Jonathan Zdziarski, better known by the hacker moniker “NerveGas.” In a security-conscious era, we’re used to hearing about zero-day exploits—newly-discovered security holes that can be used to steal personal data or snoop on unsuspecting users. But Zdziarski says the vulnerabilities he has discovered were intentionally installed by Apple and have existed for years.

http://qz.com/238275/iphones-have-a-major-security-hole-that-apple-installed-on-purpose/#/


+ Are agency insider threat programs getting off the ground?

More than a year and a half after President Barack Obama issued a directive to agencies for dealing with disgruntled or rogue employees, it appears insider-threat programs are finally getting off the ground. But even after the fallout from the WikiLeaks and Edward Snowden disclosures, it’s hard to tell how many agencies are actually checking all the boxes on the Obama administration’s plan for combating insider threats, which is one of the 15 cross-agency priority goals announced in its fiscal 2015 budget proposal. Agencies were supposed to have taken initial steps to set up insider-threat programs by June 30, according to an update posted on Performance.gov. Those initial steps included naming a senior agency official responsible for the agency’s effort, circulating an insider threat policy signed by the agency head and developing an implementation plan.

http://www.federalnewsradio.com/394/3665221/Are-agency-insider-threat-programs-getting-off-the-ground


+ Chamber backs Senate cyber bill

The U.S. Chamber of Commerce is pressuring the Senate to take up and “expeditiously” pass a Senate cybersecurity bill that would encourage companies to share information about cyber threats with each other and the federal government. The Cybersecurity Information Sharing Act “would strengthen the protection and resilience of businesses’ information networks and systems against increasingly sophisticated and malicious actors,” the Chamber said in a letter Monday. The bill – from Senate Intelligence Committee Chairwoman Dianne Feinstein (D-Calif.) and Vice-chairman Saxby Chambliss (R-Ga.) – passed through the Intelligence Committee earlier this month by a 12-3 vote.

http://thehill.com/policy/technology/212876-chamber-backs-senate-cyber-bill


+ Microsoft to “Unify” Windows Development

Microsoft CEO Satya Nadella says the company is working on unifying portions of different Windows operating systems. Microsoft plans to “streamline the next version of Windows from three operating systems into one single converged operating system for screens of all sizes.”

The three systems are the one used on phones, the one used on tablets and PCs, and the one used on Xbox systems. This does not mean that Microsoft will move to a single OS, but instead that the links between the various OSes will be deepened.

http://money.cnn.com/2014/07/23/technology/enterprise/microsoft-windows-rt/index.html

[From a security perspective, this raises the specter of vulnerabilities in Xbox showing up in a Windows phone and a Windows PC. It also sounds kinda déjà vu all over again from circa 2000, when the “same OS on your desktops and your servers” was deemed a competitive “feature” by Microsoft.]


+ Is Password Protection Really Enough?

When asked about their most commonly used risk control measures, 67 percent of respondents in a BYOD survey cited password protection. Numerous studies have discussed the issues associated with weak passwords and poor password protection practices, concluding that many users are particularly lax when it comes to password protection. Coupled with the fact that the majority of mobile devices are protected with just a four-digit passcode, which is relatively easy to guess or break, it is clear that passwords alone are far from sufficient.

http://securityintelligence.com/is-password-protection-really-enough/


+ ‘System on a chip’ a boost for next-gen RF communications

DARPA researchers demonstrate an all-silicon SoC transmitter that could make RF systems smaller, lighter, cheaper and better

http://defensesystems.com/articles/2014/07/22/darpa-all-silicon-system-on-a-chip-rf.aspx


+ A Complete Guide to Cyber Security (pretty good overview!!!)

There’s no doubt that cyber security is center stage in the world today, thanks to almost continuous revelations about incidents, breaches and vulnerabilities.   IBM has recently released a new 80-page practical guide “Staying ahead in the Cyber Security game: What Matters Now” that aims to inspire and provoke new thoughts and insights even if you are familiar with the topic. For those new to security, it’s a primer on what matters today.

http://public.dhe.ibm.com/common/ssi/ecm/en/til14103usen/TIL14103USEN.PDF


+ Internet of Things: 4 Security Tips From The Military

The military has been connecting mobile command posts, unmanned vehicles, and wearable computers for decades. It’s time to take a page from their battle plan. While the efficiencies and insights gained through the deployment of this massive interconnected system will bring new benefits, it could also bring new risk. Experience shows us that when everything is connected, everything is vulnerable. === Resiliency in data AND network… keep up with tech… focus on insider… embrace analytics..

http://www.darkreading.com/mobile/internet-of-things-4-security-tips-from-the-military/a/d-id/1297546?_mc=NL_DR_EDT_DR_daily_20140728&cid=NL_DR_EDT_DR_daily_20140728&elq=9ee967f4488345d08f7c4d60a99d70cf&elqCampaignId=6653


+ Survey: Agencies could save billions with cloud

Agencies could save nearly $19 billion by migrating services and applications to the cloud, according to a survey of IT professionals released July 23. Public-private IT partnership Meritalk interviewed 159 agency IT professionals and found that while managers believe in savings averaging 18 percent, only 41 percent said their agencies were considering cloud computing options. The majority of IT managers surveyed gave their agencies only a “C” grade when it came to adopting cloud technologies. Chris Smith, the vice president of technology at AT&T government solutions, which underwrote the survey, said there is no one-size-fits-all approach to cloud computing and that agencies need to tackle their concerns about security and data management before making the jump.

http://www.federaltimes.com/article/20140723/FEDIT01/307230012/Survey-Agencies-could-save-billions-cloud


+ A Privacy Engineer’s Bookshelf

Privacy Engineering: A Data Flow and Ontological Approach, Oliver

The Privacy Engineer’s Manifesto, Dennedy, Fox, Finneran

Understanding Privacy, Solove

Privacy in Context, Nissenbaum

http://ijosblog.blogspot.fi/2014/07/a-privacy-engineers-bookshelf.html?m=1


+ Bloomberg – The ‘Unthinkable’ May Need Board Attention

The lawsuit alleges that Target’s board breached its fiduciary duties to the company by ignoring the warning signs that a data breach could occur and participated in the maintenance of inadequate cyber-security controls by the company. Target is not unique, as similar suits for data security and privacy breaches have been filed against Google and others. The basis for liability revolves around whether the event could not have been reasonably anticipated by the directors – i.e., was it a “black swan” event – or if there were warning signs that were ignored or inadequately pursued by the board.

http://www.bna.com/unthinkable-may-need-n17179891721/


+ Are IT groups really ready for BYOD security challenges?

A new survey of IT security professionals shows that many businesses are barely starting to exploit mobile technology, and some of them may be a mobile security nightmare waiting to happen. In a self-evaluation question, 40% of the 2014 sample (compared to 34% in 2013) ranked their readiness for BYOD at 60% or higher. Yet responses to other questions suggest that is wildly optimistic.

http://www.networkworld.com/article/2457683/mobile-security/are-it-groups-really-ready-for-byod-security-challenges-linkedin.html


+++  THREATs  / bad news stuff / etc…


+ This Emerging Malware Sends Secret Messages and Is Practically Impossible to Detect

As if computer malware that steals your data weren’t enough, now there’s a new kind to worry about: Malware that does it via covert messages that are practically impossible to detect. And it’s becoming more prevalent, according to a new paper by researchers at the Warsaw University of Technology, the National Research Council of Italy, and Fraunhofer FKIE, a private information security research institute. The malware is a modern take on steganography, an old technique of hiding secret messages in apparently innocuous texts. This new so-called “network steganography” works by cramming extra information into the data packets that travel across networks when we use the internet.

http://m.nextgov.com/cybersecurity/2014/07/emerging-malware-sends-secret-messages-and-practically-impossible-detect/89402/?oref=nextgov_today_nl


+ How thieves can hack and disable your home alarm system

When it comes to the security of the Internet of Things, a lot of the attention has focused on the dangers of the connected toaster, fridge and thermostat. But a more insidious security threat lies with devices that aren’t even on the internet: wireless home alarms. Two researchers say that top-selling home alarm setups can be easily subverted to either suppress the alarms or create multiple false alarms that would render them unreliable. False alarms could be set off using a simple tool from up to 250 yards away, though disabling the alarm would require closer proximity of about 10 feet from the home.

http://www.wired.com/2014/07/hacking-home-alarms/


+ RAM Scraper Malware: Why PCI DSS Can’t Fix Retail

There is a gaping hole in the pre-eminent industry security standard aimed at protecting customers, credit card and personal data. As you undoubtedly know, point of sale (POS) terminals are computers with card readers. Most computers have permanent storage, such as hard drives or flash memory, and temporary storage, such as random access memory (RAM). The security standard that dictates how payment card data is protected is called the Payment Card Industry Data Security Standard (PCI DSS). It requires merchants to encrypt credit card data residing on permanent storage or traversing their publicly accessible networks, but not while it is being processed in RAM.

http://www.darkreading.com/attacks-breaches/ram-scraper-malware-why-pci-dss-cant-fix-retail/a/d-id/1297501?_mc=NL_DR_EDT_DR_weekly_20140724&cid=NL_DR_EDT_DR_weekly_20140724&elq=453083402fd04bc98f83a3f5f611ce5d&elqCampaignId=6574


+ U.S. releases intelligence on Flight 17

Officials describe the sensitive information, ranging from satellite images to social media analysis, as evidence that Moscow trained and equipped rebels in Ukraine responsible for the downed jet.

http://www.washingtonpost.com/world/national-security/us-discloses-intelligence-on-downing-of-malaysian-jet/2014/07/22/b178fe58-11e1-11e4-98ee-daea85133bc9_story.html?hpid=z1


+ For nearly every legitimate online business there is a cybercrime-oriented anti-business

The longer one lurks in the Internet underground, the more difficult it becomes to ignore the harsh reality. Case in point: Today’s post looks at a popular service that helps crooked online marketers exhaust the Google AdWords budgets of their competitors.

http://krebsonsecurity.com/2014/07/service-drains-competitors-online-ad-budget/


+++   SD/SoCAL items of interest / opportunities


AUG


11-14 – Gartner Catalyst  –  Harness the Power of IT Convergence

http://www.gartner.com/technology/summits/na/catalyst/


18 –  USENIX Summit on Gaming, Games and Gamification in Security Education (3GSE ’14)

https://www.usenix.org/conference/3gse14


21 – OWASP  6PM – Peleus Uhley from Adobe’s PSIRT Team

http://www.meetup.com/Open-Web-Application-Security-Project-San-Diego-OWASP-SD/events/158734302/


20-22 – 23rd USENIX Security Symposium

https://www.usenix.org/conference/usenixsecurity14

http://www.inf.ufpr.br/rtv06/iot/05940923.pdf


+++  Future events FYI:


TBD  – Provided by IEEE Cyber SIG / Various Security groups – all day – – Privacy by design workshop – a cyber model & why you must be part of this initiative!  (at Coleman University –  AM Technical approach… PM public discussions)   +++  Help move SD forward in cyber –  DOING security vs admiring the problem…. SO engage and help out on cyber 4 PbD!!!

http://www.sciap.org/blog1/wp-content/uploads/Privacy-by-Design-cyber-security.pdf


17-19  Sep – CSA congress 2014

CSA and the International Association of Privacy Professionals (IAPP) are combining their Congress US and Privacy Academy events

https://cloudsecurityalliance.org/media/news/csa-opens-registration-congress-2014/


25 Sep –   San Diego InfraGard Crisis Leadership Symposium

http://www.slideshare.net/slideshow/embed_code/36600356


1 OCT – SoeC – CyberFest 2014 – great all day agenda planned… improving on last year’s success!  October is cyber month after all!!!


1 Nov – Started planning “BigDataDay 4 SD” on a SAT.  Jump in and help us!

We went to the one in LA and it was great… the organizer will help us do that here…

likely our three tracks will be:

–  Technical =  Hadoop/Hbase/NoSQL;

–  Data science = predictive analytics, etc

–  Applications = actual products, etc.; privacy / data security


—————————————————————

JULY 21

A couple of Highlights of the week

(A couple of items of potentially notable interest / high utility &  value… your mileage will vary….)

+  Google’s Project Zero Aims to Protect Privacy and Improve Internet Security

Google Project Zero is aiming to find software vulnerabilities and to protect Internet users’ privacy. People should “be able to use the web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets, or monitor your communications,” according to Google Researcher Herder Chris Evans.

http://www.zdnet.com/google-recruits-top-ps3-hacker-for-project-zero-7000031718/

http://money.cnn.com/2014/07/17/technology/security/google-cyberattacks/index.html


+  Communication Between IT Security Teams and Executives is Inadequate… (ya think… .. SO.. we all ‘know’ this, but are YOU at fault???  Have you read the company’s annual report.. business plan???)

According to a study conducted by the Ponemon Institute and sponsored by Websense, nearly one third of IT security teams never talk with company executives about security, and of those that do, nearly a quarter talk to executives just once a year. The lack of communication could put companies at greater risk of attacks.

http://www.scmagazine.com/report-31-percent-of-it-security-teams-dont-speak-to-company-execs/article/361263/

[The lack of effective communications up to executives and into lines of business is a deadly combination that results in bad risk decisions, flawed organizational responses to serious breaches, and a lack of ownership for outcomes. Cyber security is not simply a technical problem owned by a small group of practitioners somewhere in the bowels of the organization. Cyber represents a set of problems that should be addressed by decision makers, practitioners, business process owners, and engineers throughout the organization.]


+  How Wearables & IoT Will Go To Work

http://www.informationweek.com/mobile/mobile-devices/how-wearables-and-iot-will-go-to-work/a/d-id/1297247?_mc=NL_IWK_EDT_IWK_daily_20140714&cid=NL_IWK_EDT_IWK_daily_20140714&elq=c23e30f3cf114fee90d96deaf2b8ea09&elqCampaignId=6074


+  Big investors see cybersecurity as opportunity

http://mobile.reuters.com/article/idUSKBN0FL28R20140716?irpc=932


+ Microsoft CEO lays out vision of cloud convergence

“We’re going to do the best job of being able to enable dual use,” he says. “This entire notion that somehow I buy my device for consumption and personal use, and then I’ll give up that device for work and take another device, just doesn’t work. We know that. Simply saying even just BYOD is not good enough. We’ve got to harmonize this dual use.”

http://m.infoworld.com/d/cloud-computing/microsoft-ceo-lays-out-vision-of-cloud-convergence-246478

+++  Cyber Security News you can likely use…

+  Maryland’s cyber industry has the potential, but it’s missing something   (and our SD cyber community HAS IT!)

I wrote about how colleges and universities are scrambling to change curriculum to prepare more students for success in the cyber world post graduation. Industry executives have lamented that colleges aren’t doing enough to prepare students to fill vacant positions — more than 10,000 across Maryland in 2013, according to career services firm Burning Glass. Administrators have fired back saying that changes are being made, but executives have to take a more active role in dictating to universities what they want to see out of graduates.  It’s a common theme: universities are playing catch-up to the industry. I think this happens everywhere and with every industry, including journalism.

http://m.bizjournals.com/baltimore/blog/cyberbizblog/2014/07/marylands-cyber-industry-has-the-potential-but-its.html?ana=twt&r=full

+  SPLUNK … the tool you need – App for Enterprise Security Drives the Analytics-Enabled Security Operations Center

Splunk introduces a new risk scoring framework in the Splunk App for Enterprise Security to enable easier, faster threat detection and containment by empowering users to assign risk scores to any data. The app also includes new features to help users connect and visualize data on the fly, and introduces guided search to make security analytics more accessible to a broad range of users without requiring knowledge of programming languages or command syntax.

http://www.splunk.com/view/SP-CAAAM8A

+  Tesla asks Chinese hackers to flag vulnerabilities

Tesla Motors Inc., whose Model S sedan is the target of a hacking contest in Beijing starting today, said it will investigate and rectify any vulnerabilities discovered as a result of the competition. Qihoo 360 Technology Co. has found ways to remotely control the Tesla car’s locks, horn, headlights and skylight while the car is in motion, the Beijing-based Internet security company said in a posting on its Sina Weibo account. Wu Jing, a director of investor relations for the company, said its information technology department conducted the experiment, without elaborating.

http://www.bloomberg.com/news/2014-07-16/tesla-asks-chinese-hackers-to-flag-vulnerabilities.html

+  How the CIA partnered with Amazon and changed intelligence

The intelligence community is about to get the equivalent of an adrenaline shot to the chest. This summer, a $600 million computing cloud developed by Amazon Web Services for the Central Intelligence Agency over the past year will begin servicing all 17 agencies that make up the intelligence community. If the technology plays out as officials envision, it will usher in a new era of cooperation and coordination, allowing agencies to share information and services much more easily and avoid the kind of intelligence gaps that preceded the Sept. 11, 2001, terrorist attacks. For the first time, agencies within the IC will be able to order a variety of on-demand computing and analytic services from the CIA and National Security Agency. What’s more, they’ll only pay for what they use.

http://www.defenseone.com/technology/2014/07/how-cia-partnered-amazon-and-changed-intelligence/88555/?oref=defenseone_today_nl

+  Industrial control a weak link in cybersecurity

Cybersecurity threats are rising for industrial control systems around the world, a growing target for attackers seeking to wreak havoc, a study showed Thursday. The study by Ponemon Institute and Unisys Corp. of 599 technology executives in 13 countries found that even as threats are rising, organizations are not as prepared as they should be to deal with cyber attacks. The study said the risk to industrial control systems “is believed to have substantially increased,” with 57% of the respondents citing greater threats. “Security compromises are occurring in most companies,” the report said.

http://www.industryweek.com/safety/industrial-control-weak-link-cybersecurity

+ CEO Report Card: Low Grades for Risk Management

Dark Reading’s latest community poll shows a stunning lack of confidence in chief execs’ commitment to cyber security.

Former Target chief executive Greg Steinhafel would be in good company today if the Dark Reading community had a say in his job performance on cyber security risk management. Steinhafel, as I’m sure you recall, famously resigned from the retailer’s top job this past May, following a data breach of 40 million hacked credit and debit card accounts that compromised the names, phone numbers, email and mailing addresses of as many as 70 million customers.

http://www.darkreading.com/risk/ceo-report-card-low-grades-for-risk-management/a/d-id/1297416?_mc=NL_DR_EDT_DR_daily_20140721&cid=NL_DR_EDT_DR_daily_20140721&elq=38aa05e1b93f44e893785c94e06c3369&elqCampaignId=6381

+  Government-Grade Stealth Malware In Hands Of Criminals

“Gyges” can be bolted onto other malware to hide it from anti-virus, intrusion detection systems, and other security tools.

Malware originally developed for government espionage is now in use by criminals, who are bolting it onto their rootkits and ransomware.  The malware, dubbed Gyges, was first discovered in March by Sentinel Labs, which just released an intelligence report outlining their findings. From the report: “Gyges is an early example of how advanced techniques and code developed by governments for espionage are effectively being repurposed, modularized and coupled with other malware to commit cybercrime.”

http://www.darkreading.com/government-grade-stealth-malware-in-hands-of-criminals/d/d-id/1297362?_mc=NL_DR_EDT_DR_daily_20140721&cid=NL_DR_EDT_DR_daily_20140721&elq=38aa05e1b93f44e893785c94e06c3369&elqCampaignId=6381

+  Automobile Industry Accelerates Into Security

Industry looking at intelligence-sharing platform or an Auto-ISAC in anticipation of more automated, connected — and vulnerable — vehicles.

http://www.darkreading.com/analytics/threat-intelligence/automobile-industry-accelerates-into-security/d/d-id/1297313?_mc=NL_DR_EDT_DR_daily_20140716&cid=NL_DR_EDT_DR_daily_20140716&elq=e7161753adf0407fa82f8877b34db48b&elqCampaignId=6204

+  Passwords & The Future Of Identity: Payment Networks?

The solution to the omnipresent and enduring password problem may be closer than you think.  Access to online services needs to scale — without requiring new credentials each time someone wants to use a new service or site. We’ve seen this model before, and interact with it every day. The payment cards model offers hope for a more efficient identity future.

http://www.darkreading.com/operations/identity-and-access-management/passwords-and-the-future-of-identity-payment-networks/a/d-id/1297300?_mc=NL_DR_EDT_DR_weekly_20140717&cid=NL_DR_EDT_DR_weekly_20140717&elq=95856a43ba984a7288e3197a873780b7&elqCampaignId=6274

+  Net Threats: Deteriorating Trust in Governments and Corporations

Reflecting the increasing attention paid to information security by many Americans, Pew Research recently conducted a large study, “Net Threats”, to identify important trends among technology experts’ opinions and predictions regarding the future of digital security. The study targeted thousands of Internet experts to measure their thoughts and concerns about the future of the Internet. Researchers at Pew identified four major themes among responses, and this post will discuss the second theme – Trust will evaporate in the wake of revelations about government and corporate surveillance and likely greater surveillance in the future. Few topics have received more attention from technologists and security experts than Edward Snowden and the information that he leaked about the National Security Administration. The public backlash against the NSA and its collection of big data has been widespread and long-lasting, and revelations have continued to unfold – further undermining public trust vis-à-vis governmental surveillance.

http://www.pewinternet.org/2014/07/03/net-threats/

+  New Oil and Gas ISAC Opens Its Doors, Targets Cybersecurity of Critical Infrastructure

ONG-ISAC: a secure and trusted environment for sharing cybersecurity information across the oil and natural gas industry.

http://ongisac.org/

+   Software Assurance Community of Practice (SwA COP) – CSIAC

CSIAC serves on the DoD Software Assurance Community of Practice Working Group. For further information contact Taz Daughtrey at hdaughtrey@csiac.org.

https://www.csiac.org/discussion/software-assurance-community-practice-swa-cop

+  Systems and Software Producibility Collaboration Environment (SPRUCE) – CSIAC

SPRUCE is an online collaborative forum for describing challenging CS and SE problems, assembling canonical data sets, and proposing models and solutions. CSIAC invites free use of this environment by the academic, defense-industrial-base, and Government user community. For more information contact Tom McGibbon at tmcgibbon@csiac.org.

https://www.csiac.org/spruce

+ Snowden Calls On Developers To Champion Privacy By Design (PbD)  (OR… From Russia with Love – even criminal insiders know the value of PbD… and our Cyber Model 4 PbD makes that a reality now!)

Speaking at the Hope X conference taking place in New York this weekend, NSA whistleblower Edward Snowden put out a call for developers to build systems that protect privacy and constitutional rights by design. He also revealed his own intention to work on developing privacy-protecting technology. Responding to a question about what people working in technology can do to counteract dragnet, overreaching surveillance, Snowden said encryption is an “important first step”. But he added that simply securing the content of communications is not in itself enough. New privacy-protecting protocols and infrastructures need to be designed. “It doesn’t end at encryption, it starts at encryption,” said Snowden. “Encryption protects the content but we forget about associations…” ETC..  …    (AND these ‘associations’ include the hard parts, security policy methods and automation therein.. supporting various privacy profiles / avatars…)

http://techcrunch.com/2014/07/20/snowden-hope-x/?ncid=tcdaily

+  Social-media and online giants back net neutrality plan

http://www.usatoday.com/story/tech/personal/2014/07/14/facebook-google-twitter-amazon-net-neutrality/12639555/

+  How to Unlock Value With Big Data (Infographic) (cool graphic!)

Companies create 2.16 exabytes of new data every day. (That’s a lot.) Here’s what happens to it.

Roughly 90 percent of the data in the world today was created in just the last two years.

http://www.inc.com/graham-winfrey/how-to-unlock-value-with-big-data.html

…AND…

+ Developing an Application that Can Display Millions of Data Points on a Map

http://inside-bigdata.com/2014/07/17/developing-application-can-display-millions-data-points-map/

+  Thread Group creates new wireless protocol 

http://www.usatoday.com/story/tech/2014/07/15/internet-of-things-new-wireless-protocol-thread-group/12655535/

+++  FYI / FYSA  Items of interest…

+ Google forms zero-day hacking team

Google today revealed a new white-hat security team it has formed that will root out vulnerabilities in all software that touches the Internet. The search engine giant is recruiting talent for the so-called Project Zero team, which spun out of Google’s security research on its own products as well as previous part-time vulnerability research on other vendors’ products by some of its researchers. “Beyond securing our own products, interested Googlers also spend some of their time on research that makes the Internet safer, leading to the discovery of bugs like Heartbleed,” says Chris Evans, researcher herder for Google charged with forming the team. “The success of that part-time research has led us to create a new, well-staffed team called Project Zero.”

http://www.darkreading.com/vulnerabilities—threats/google-forms-zero-day-hacking-team/d/d-id/1297290?_mc=RSS_DR_EDT

+   Agencies reset after missing the mark on cybersecurity goals

Despite steps forward, agencies fell short of their 2014 targets for cybersecurity. The Obama administration is pushing chief information officers to focus on priorities of continuous monitoring, phishing and malware, and authorization processes for 2015, according to the newly released cross-agency priority goals on Performance.gov. The administration continues encouraging agencies to implement information security continuous monitoring mitigation (ISCM), which continually evaluates agency cybersecurity processes and practices, according to the report. This goal carries over from last year, where agencies saw an increase in real-time awareness that enabled them to manage risks more effectively. Despite this improvement, the administration wants more cybersecurity evaluation.

http://www.federalnewsradio.com/1307/3662467/Agencies-reset-after-missing-the-mark-on-cybersecurity-goals

+ Illinois Attorney General Madigan says federal government should investigate data breaches

Illinois Attorney General Lisa Madigan on Wednesday called for the formation of a new federal agency to investigate data breaches in much the same way the National Transportation Safety Board investigates plane and train crashes. WBBM Newsradio’s John Cody reports Madigan said the federal government lacks a single group to determine the extent of damage caused by a data breach, and come up with ways to fix them and prevent them in the future. “It just makes sense that somebody has to take responsibility in this day and age for putting in place safety standards for our personal financial information, because otherwise you have disruption and a significant impact, potentially, to the overall marketplace,” she said.

http://chicago.cbslocal.com/2014/07/16/madigan-says-federal-government-should-investigate-data-breaches/

+ Hacking password managers and four major classes of vulnerabilities

A group of researchers next month will present their findings on a grab-bag of vulnerabilities in Web-based password managers, which they believe to be a wake-up call for the major password manager companies. The technical details are slated to be fully aired at the Usenix conference in San Diego in late August, but conclusions from the research were released via a peer-reviewed paper made public last week. The team, led by Zhiwei Li of the University of California at Berkeley, outlines four major classes of vulnerabilities they discovered, along with representative case-study vulnerabilities to illustrate each. The four classes of vulnerabilities found by the team are bookmarklet vulnerabilities, web vulnerabilities, authorization vulnerabilities, and user interface vulnerabilities.

http://www.darkreading.com/cloud/hacking-password-managers/d/d-id/1297250?_mc=RSS_DR_EDT

+ Mathematics makes strong case that “snoopy2” can be just fine as a password

By now, most readers know the advice cold. Use long, randomly generated passwords to lock down your digital assets. Never use the same password across two or more accounts. A team of researchers says the widely repeated advice isn’t feasible in practice, and they’ve provided the math they say proves it. The burden stems from the two foundations of password security that (A1) passwords should be random and strong and (A2) passwords shouldn’t be reused across multiple accounts. Those principles are sound when protecting a handful of accounts, particularly those such as bank accounts, where the value of the assets being protected is considered extremely high. Where things break down is when the dictates are applied across a large body of passwords that protect multiple accounts, some of which store extremely low-value data, such as the ability to post comments on a single website.

http://arstechnica.com/security/2014/07/mathematics-makes-strong-case-that-snoopy2-can-be-just-fine-as-a-password/

+ Russian espionage malware adapted for ransomware scams

Espionage malware, believed to be authored by Russians, has been repurposed to carry out money-making cyber schemes, researchers revealed. According to Sentinel Labs, the malware, called “Gyges,” targets Windows 7 and 8 users running 32 and 64-bit versions of the platforms. Researchers discovered the new Gyges variant in mid-April due to its sophisticated evasion techniques, which allow it to bypass anti-virus and sandboxing solutions. In a threat intelligence report released this month, the company said that the “government-grade malware” leverages a hooking bypass technique to exploit a logic issue affecting Windows systems.

http://www.scmagazine.com/russian-espionage-malware-adapted-for-ransomware-scams/article/361488/

+ ID scam uses your own phone number against you

The phone rings and when you look at the caller ID you see something very strange: it’s showing your telephone number. Chances are your phone number is being “spoofed” by a scammer. “This is just the latest tactic being used by illegal telemarketers,” said Robert Siciliano, fraud expert with BestIDTheftCompanys.com. “They hope that if you see your own number displayed on the caller ID, your curiosity will get you to pick up the phone.” A phone fraudster might also do this hoping to beat the new call-screening services now being used by millions of people. These services, including Nomorobo, PrivacyStar, Truecaller and WhitePages, rely on blacklists of known robocallers and illegal telemarketers to help block unwanted calls.

http://www.today.com/money/id-scam-uses-your-own-number-against-you-1D79933382?cid=social_20140716_27931376

+ Here’s how easy it could be for hackers to control your hotel room

Shenzhen is the Silicon Valley of mainland China. Situated about 50 minutes north of Hong Kong, the modern city is home to the Shenzhen Stock Exchange and numerous high-tech giants and startups. So naturally, the city’s five-star hotels regularly host wealthy moguls in their luxury rooms. Last year, one of those hotels also hosted a hacker from Spain who discovered that he could seize control of the wealthy guests’ highly-automated rooms. Jesus Molina, who was staying at the St. Regis Shenzhen hotel, found that he could easily take control of the thermostats, lights, TVs and window blinds in all of the hotel’s 250-plus rooms, as well as alter the electronic “Do Not Disturb” lights outside each door, all from the comfort of his luxurious bed. He’ll be presenting his findings at the Black Hat security conference in August.

http://www.wired.com/2014/07/hacking-hotel-room-controls/

+  A brief history of federal network breaches and other information-security problems

U.S. officials confirmed last Thursday that hackers may have breached an Office of Personnel Management’s network that contains personal information about federal employees. Data breaches occur somewhat regularly within the federal government, as Federal Diary columnist Joe Davidson pointed out in a recent column. An April report from the Government Accountability Office noted that 25,566 information-security incidents occurred last year, more than double the number from 2009. Below is a brief history of major cyber-security problems that agencies experienced dating back to the latter part of President George W. Bush’s second term.

http://www.washingtonpost.com/blogs/federal-eye/wp/2014/07/11/a-brief-history-of-the-federal-governments-information-security-problems/

+ Microsoft says cybercrime bust frees 4.7 million infected PCs

Microsoft Corp said it has freed at least 4.7 million infected personal computers from control of cyber crooks in its most successful digital crime-busting operation, which interrupted service at an Internet-services firm last week. The world’s largest software maker has also identified at least another 4.7 million infected machines, though many are likely still controlled by cyber fraudsters, Microsoft’s cybercrime-fighting Digital Crimes Unit said on Thursday. India, followed by Pakistan, Egypt, Brazil, Algeria and Mexico have the largest number of infected machines, in the first high-profile case involving malware developed outside Eastern Europe.

http://www.reuters.com/article/2014/07/10/us-cybersecurity-microsoft-idUSKBN0FF2CU20140710?feedType=RSS&feedName=technologyNews

+  Cyberattacks are a matter of when, not IF..

With mobility and cloud services taking off in the public sector, it’s becoming harder to define IT boundaries – let alone protect them.    Continuous monitoring solutions can provide the advanced cybersecurity your organization needs by deploying data gathering sensors to parts of your infrastructure, giving you better insight to identify suspicious activity.   In this whitepaper, you’ll learn how continuous monitoring can increase your organization’s cybersecurity..

http://gcn.com/~/media/22BC34ECEFEA43BB931A3CF55A32F58C.pdf

+ Cyber Attacks: What are the biggest threats?

In the real world, you only have to worry about the criminals who live in your city. But in the online world, you have to worry about criminals located anywhere on the planet. Many hotbeds of online criminal activity are located in cities whose police forces are already overextended fighting “real-world” crimes and who lack the resources and expertise to investigate online activity. And in the past decade, the criminals themselves have changed. In 2003, all the malware was still being written for fun by hobbyists, but now it is being produced by professional criminals, hacktivists, and governments who can invest big money to craft attacks that deliver massive payoffs.  Bitcoins…. Cyber-spies… exploits… government surveillance..

http://www.technologyreview.com/view/528861/cyber-attacks/

+   Special Report: Defending the digital frontier

Companies, markets and countries are increasingly under attack from cyber-criminals, hacktivists and spies. They need to get much better at protecting themselves.

http://www.economist.com/news/special-report/21606416-companies-markets-and-countries-are-increasingly-under-attack-cyber-criminals

+ Malware Poisons One-Third of World’s Computers

The primary motivation behind creating so many new malware strains is to avoid detection by antivirus programs, which use signatures to identify malicious software. “In the old days, they might be able to infect 1,000 users with a Trojan,” said PandaLabs Technical Director Luis Corrons. “It was easy for antivirus to catch that. Now you’ll have 1,000 users infected with 1,000 different Trojans.”

http://www.technewsworld.com/story/80707.html

+  Cybersecurity isn’t the same thing as information assurance…

http://multimedia.telos.com/blog/cybersecurity-isnt-the-same-thing-as-information-assurance

+++  THREATs  / bad news stuff / etc…

+  USEFUL links / resources:

+ US-CERT Alerts – Department of Homeland Security

Alerts provide timely information about current security issues, vulnerabilities, and exploits.

http://www.us-cert.gov/ncas/alerts

…AND…

+  National Vulnerability Database – NIST

NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics.

http://nvd.nist.gov/

+  Even Script Kids Have a Right to Be Forgotten – Indexeus, a new search engine that indexes user account information acquired from more than 100 recent data breaches, has caught many in the hacker underground off-guard. That’s because the breached databases crawled by this search engine are mostly sites frequented by young ne’er-do-wells who are just getting their feet wet in the cybercrime business.

http://krebsonsecurity.com/2014/07/even-script-kids-have-a-right-to-be-forgotten/

+  Chinese-made inventory scanners allow hackers to track shipments

Malicious software has been found on tools at seven shipping and logistics companies across the globe that pulled the firms’ financial, customer, and operational data into a Chinese botnet, MarketWatch reports. Cyber outfit TrapX first detected the malware in scanner software about six months ago while doing security testing for one shipping company. The botnet – a network of infected computers that is controlled as a group without its owners knowing – was traced to the Lanxiang Vocational School, which is speculated to serve as a hub of anti-U.S. hacking.

http://www.nextgov.com/cybersecurity/2014/07/chinese-made-inventory-scanners-allow-hackers-track-shipments/88546/?oref=ng-channelriver

+ Northcom: Cyber attack most serious threat to US

A strategic cyber attack against the United States is the most serious threat facing the country, the admiral slated to be the next commander of the U.S. Northern Command told Congress last week. “I think the greatest threat that we have is the cyber threat – – to our critical infrastructure, to our power grid, to our banking system,” said Adm. William E. Gortney, nominee to serve jointly as Northcom and commander of the U.S.-Canada North American Aerospace Defense Command. “That I see as the greatest threat, and the job of Northcom is to handle the physical consequences of that particular threat.”

http://flashcritic.com/northcom-cyber-attack-serious-threat-us/

+ Russian hackers placed ‘digital bomb’ in Nasdaq – report

Russian hackers managed to slip a “digital bomb” into the Nasdaq — one with the potential to sabotage the stock market’s computers and wreak havoc on the U.S. economy. That’s according to an investigative report by Bloomberg Businessweek, which revealed the details of a 2010 cybergrenade that never detonated. Although it had been reported previously that hackers had snooped around the Nasdaq’s computer network, specific information about the attack had remained secret until this week.

http://money.cnn.com/2014/07/17/technology/security/nasdaq-hack/index.html

+ Critical industrial control systems remain vulnerable to Heartbleed exploits

More than three months after the disclosure of the catastrophic Heartbleed vulnerability in the OpenSSL library, critical industrial control systems sold by Siemens remain susceptible to hijacking or crashes that can be triggered by the bug, federal officials have warned. The products are used to control switches, valves, and other equipment in chemical, manufacturing, energy, and wastewater facilities. Heartbleed is the name given to a bug in the widely used OpenSSL cryptographic library that leaks passwords, usernames, and secret encryption keys. While Siemens has updated some of its industrial control products to patch the Heartbleed vulnerability, others remain susceptible, an advisory published Thursday by the Industrial Control Systems Cyber Emergency Response Team warned.

http://arstechnica.com/security/2014/07/critical-industrial-control-systems-remain-vulnerable-to-heartbleed-exploits/

+  IG: Despite efforts to improve security, NASA computer networks still vulnerable

Due to an uptick in cyber attacks on the space agency’s networks and web sites in recent years, the U.S. space agency launched a program to improve its cybersecurity and cut down on potential ways for hackers to get into its systems. A recent report by the NASA inspector general lauds the program’s efforts, but notes that there’s still room for more improvement. Since NASA promotes and shares scientific research, it maintains a very large web presence, linking to university research centers and other federal and international scientific organizations. However, connecting to other sources of technical information is also very attractive to cyber thieves and spies.

http://www.fiercegovernmentit.com/story/ig-despite-efforts-improve-security-nasa-computer-networks-still-vulnerable/2014-07-14

+  FBI warns self-driving cars may be used as ‘lethal weapons’

http://cir.ca/news/fbi-warns-about-self-driving-cars

+  Cyberattacks: the threat from inside

http://www.cnn.com/2014/07/16/business/cyberattacks-the-threat-from-inside/index.html?sr=sharebar_linkedin

+ FBI — Botnets Infecting 18 Computers per Second. But How Many of Them NSA Holds?

http://thehackernews.com/2014/07/fbi-botnets-infecting-18-computers-per.html?m=1

+ How Hackers Are Hijacking News Sites Using Bitly

http://m.fastcompany.com/3033342/fast-feed/how-hackers-are-hijacking-news-sites-using-bitly

+  U.S. malware share rising, Amazon service No.1 in hosting it

http://www.networkworld.com/article/2453989/network-security/u-s-malware-share-rising-amazon-service-no-1-in-hosting-it.html

+++   SD/SoCAL items of interest / opportunities

JUL

23 – AITP – Cyber Liability – What to do if your company becomes a victim of a cyber security incident and how to handle the triage – 5:30 – 7:30PM –  http://www.eventbrite.com/e/cyber-liability-tickets-11866391697?aff=eorg

AUG

11-14 – Gartner Catalyst  –  Harness the Power of IT Convergence

http://www.gartner.com/technology/summits/na/catalyst/

18 –  USENIX Summit on Gaming, Games and Gamification in Security Education (3GSE ’14)

https://www.usenix.org/conference/3gse14

20-22 – 23rd USENIX Security Symposium

https://www.usenix.org/conference/usenixsecurity14

http://www.inf.ufpr.br/rtv06/iot/05940923.pdf

TBD  – Provided by IEEE Cyber SIG / Various Security groups – all day – – Privacy by design workshop – a cyber model & why you must be part of this initiative!  (at Coleman University –  AM Technical approach… PM public discussions)   +++  Help move SD forward in cyber –  DOING security vs admiring the problem…. SO engage and help out on cyber 4 PbD!!!

http://www.sciap.org/blog1/wp-content/uploads/Privacy-by-Design-cyber-security.pdf

+++  Future events FYI:

17-19 Sep – CSA Congress 2014

CSA and the International Association of Privacy Professionals (IAPP) are combining their Congress US and Privacy Academy events.

https://cloudsecurityalliance.org/media/news/csa-opens-registration-congress-2014/

25 Sep –   San Diego InfraGard Crisis Leadership Symposium

http://www.slideshare.net/slideshow/embed_code/36600356

1 OCT – SoeC – CyberFest 2014 – great all day agenda planned… improving on last year’s success!  October is cyber month after all!!!

1 Nov – Started planning “BigDataDay 4 SD” on a SAT.  Jump in and help us!

We went to the one in LA and it was great… the organizer will help us do that here…

likely our three tracks will be:

–  Technical =  Hadoop/Hbase/NoSQL;

–  Data science = predictive analytics, etc

–  Applications = actual products, etc.. Privacy / data security. ..

————————————————————————————————-

JULY 13

A couple of Highlights of the week

(A couple of items of potentially notable interest / high utility &  value… your mileage will vary….)

+  20 Critical Security Controls for Effective Cyber Defense

( this is a very good spreadsheet with links to a LOT of great references, etc to map / use the SANS top 20 security controls!)

http://www.amazon.com/gp/drive/share?ie=UTF8&s=5EaH0uuCRk8th3_b2AE2G8#

+ New Google Glass App Reads Brainwaves, Translates Them To Action

A new app aims to kickstart a more seamless way of interacting with Google Glass, Tech Crunch reports. MindRDR links Google Glass with a biosensor—which is mounted on the user’s head—to create a “communication loop.” The biosensor picks up on brainwaves that correlate to the user’s ability to focus. Then, those brainwaves are translated to a meter reading that “gets superimposed on the camera view in Google Glass.” The technology may be used to train people to concentrate better or for medical applications for users with mobility problems, among other uses.

http://techcrunch.com/2014/07/09/forget-ok-glass-mindrdr-is-a-new-google-glass-app-that-you-control-with-your-thoughts/

 

 

+  The Web at 25 and beyond

In a mere 25 years, the Web has irrevocably transformed the world. It has become indispensable, impacting nearly every aspect of human activities in practically all fields. It continues to leap ahead offering new capabilities and extending its reach and utility. The Web has indeed become the most influential technology of our times, although it hasn’t reached its zenith and we’ve yet to recognize and embrace its full potential.

http://www.computer.org/portal/web/computingnow/archive/july2014?lf1=549914213a297416109319e25315419

and

+ Internet to Reach 3 Billion Users but Majority Still Not Online

The Internet Society has launched its first annual report on the state of the Internet globally. The Global Internet Report finds that while the number of Internet users globally is expected to soon pass three billion, there are still significant challenges that must be addressed in order to ensure that the world’s population is connected to the Internet.

https://www.internetsociety.org/news/internet-reach-3-billion-users-majority-still-not-online

report is at

http://www.internetsociety.org/sites/default/files/Global_Internet_Report_2014_0.pdf


+++  Cyber Security News you can likely use…

 

 

+  Amazon seeks OK for testing of 50-mph drones   (a ‘disaster’ just waiting to happen over your house, business, airport…)

Amazon is apparently getting serious about using drones to make super quick, airborne deliveries like something you’d see on The Jetsons.  The Seattle-based e-tail giant has asked the government for permission for broader testing of the unmanned compact and zippy aircraft. Among those involved in the experiments, the company says, are “world‐renowned roboticists, scientists, aeronautical engineers, remote sensing experts and a former NASA astronaut.” A company exec tells the Federal Aviation Administration in a letter that Amazon Prime Air will get packages to customers in 30 minutes or less in the rotor-powered flying machines.

http://www.usatoday.com/story/money/business/2014/07/10/amazon-drones/12505605/

(  That won’t fly —   50 mph + catastrophic failure / hacked UAV = significant risk of property damage or personal injury (up to possible loss of life). In all of this rhetoric there is FAA ‘regulation’  and there is real life in practice..

The 400 ft height limit means little.. what about illegally used  toys… cyber hacked UAVs.. how to manage them… in an unmanaged air space… spectrum.. And of course privacy is an equally big issue..  Can’t see any insurer or FAA policy supporting this – primarily due to the liabilities (at least not in the next 5 years).

 

+  Civilian drones need costly fixes to avoid hacking, study indicates  (really, imagine that… see above too)

http://m.csmonitor.com/World/Security-Watch/Cyber-Conflict-Monitor/2014/0703/Exclusive-Civilian-drones-need-costly-fixes-to-avoid-hacking-study-indicates-video

 

 

+ The new plague: Computer viruses that extort you  –  new, novel botnets are coming…

A major ransomware operation called Cryptolocker was supposedly halted by the FBI in May. Not so fast, security experts say. It’s only a setback. Cryptolocker used a massive network of hijacked computers called a “botnet” to spread the virus. The FBI, foreign law enforcement and private security companies teamed up to cut off communication between that botnet and victims’ devices. They seized Cryptolocker’s servers and replaced them with their own. But as antivirus maker Bitdefender points out, all that accomplished was to stop Cryptolocker’s virus delivery system. Cryptolocker lives on, and its criminal masters just need to find a new botnet to start delivering viruses to new computers once again.

http://money.cnn.com/2014/07/09/technology/security/ransomware/index.html

 

 

+ Hard Proof That Wiping Your Phone Doesn’t Actually Delete Everything  (and fax machines, anything with storage!)

Have you ever sold an old smartphone on eBay? You might be interested to know that the apps, photos and even Google searches on your phone can still be recovered — even if you performed a factory reset. The team at security software company Avast purchased 20 different phones on eBay and unleashed data-recovery tools on them to see what they could find. The results are persuasive evidence that resetting your phone back to factory settings doesn’t mean your data is gone forever.

http://mashable.com/2014/07/09/data-wipe-recovery-smartphones/

 

 

+ Definitive Guide to Next-Generation Threat Protection

Despite the over $20 billion invested in IT security technology last year, countless enterprises and government agencies have fallen victim to cyber attacks of incredible sophistication and complexity. This all points to the singular resounding reality: the next generation of cyber attacks is already here. In the Definitive Guide to Next-Generation Threat Protection, Steve Piper, CISSP, dissects today’s new breed of cyber attacks and how to fill the gap in network defenses in the battle against them.

http://www.databreachtoday.com/whitepapers/definitive-guide-to-next-generation-threat-protection-w-1023

paper

http://f6ce14d4647f05e937f4-4d6abce208e5e17c2085b466b98c2083.r3.cf1.rackcdn.com/definitive-guide-to-next-generation-threat-protection-pdf-3-w-1023.pdf

 

 

+  Code Spaces Attack Demonstrates Need for Multifactor Authentication for Cloud Services

The attack on the Amazon Web Services’ control panel of Code Spaces that resulted in the shutdown of the code-hosting provider has raised questions about how organizations that depend on cloud services should be protecting themselves. The Code Spaces incident brings to light several security issues. Single users should not have control over a company’s cloud environment; companies should not rely on a single cloud services provider; continuity plans should be established well ahead of any actual incidents; and companies that use cloud services should employ multifactor authentication.

http://searchsecurity.techtarget.com/news/2240224102/Multifactor-authentication-key-to-cloud-security-success

[NOTE –  Standard guidance for all remote access is to *not* rely on reusable passwords; cloud is just one example of remote access. The percentage of people using two step verification (usually via text message to a mobile device) on their personal email accounts is now higher than the percentage of business employees doing so on their work email accounts. Time to bury the myth that users will never accept anything other than reusable passwords.]
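The “two step verification” mentioned in the note is, in most consumer deployments, a time-based one-time password (TOTP, RFC 6238) generated by an authenticator app. The block below is an added example (not code from the article, from Code Spaces or from any vendor) that implements TOTP generation and server-side verification with the Python standard library only; the demo key is the RFC 6238 reference key, and `new_enrollment_secret` / `secret_from_base32` are helper names chosen here for the enrollment step.

```python
"""TOTP (RFC 6238) second factor, standard library only. Added example."""
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP whose counter is Unix time divided by the step (30 s)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, int(at) // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, at=None, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step and for `window`
    adjacent steps on either side (tolerates small clock drift between the
    phone and the server). Comparison is constant-time."""
    if at is None:
        at = int(time.time())
    counter = int(at) // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + drift, digits), submitted):
            return True
    return False


def new_enrollment_secret(nbytes: int = 20) -> str:
    """Random base32 secret: the string the user scans (QR code) at enrollment.
    It must be stored server-side as carefully as a password hash."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def secret_from_base32(b32: str) -> bytes:
    """Decode an enrollment string back to raw key bytes, restoring any padding."""
    b32 = b32.strip().replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


if __name__ == "__main__":
    # Demo key from RFC 6238 Appendix B (ASCII "12345678901234567890"), not a real secret.
    demo_key = b"12345678901234567890"
    print("code at T=59:", totp(demo_key, at=59))
    print("verify:", verify_totp(demo_key, totp(demo_key, at=59), at=59))
```

The verification window is the usual trade-off: one step of drift each way keeps legitimate users from being rejected by slightly skewed clocks, while a wider window gives a guessed code more chances to match. Rate-limit failed attempts regardless of window size.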

 

 

+   US Senate Committee Approves Cyber Threat Information Sharing Bill  (where is the security part?)

In a 12-3 vote, the US Senate Intelligence Committee has approved the Cybersecurity Information Sharing Act (CISA). The bill aims to improve data sharing between the government and private sector to help protect systems from attacks. However, civil liberties advocates say the bill does not go far enough to protect citizens’ privacy. The bill provides liability protection for private companies that monitor their own networks and that share information.

http://www.forbes.com/sites/gregorymcneal/2014/07/09/controversial-cybersecurity-bill-known-as-cisa-advances-out-of-senate-committee/

 

 

+ Worried About Breach Prevention? Forget About It  (yes, that’s doing Privacy by Design!)

Week after week, data breach headlines abound. Most recently, it’s the California Department of Managed Health Care apologizing for an incident where 18,000 doctors’ Social Security numbers were released. But at least one expert is suggesting organizations “stop thinking about breach prevention, accept they’re going to be breached, change their mindset, and think about how they will protect and store their data.” That’s according to SafeNet’s Jason Hart, quoted in an Infosecurity report where he discusses the importance of such protocols as two-factor authentication.

http://www.infosecurity-magazine.com/view/39263/stop-worrying-about-data-breach-prevention-says-safenet-vp/

 

 

+  TRUSTe Event Explores Intersection of Tech and Privacy

Data privacy management firm TRUSTe followed up on its work with the Future of Privacy Forum (FPF) to create a smart grid privacy seal by creating a day-long Internet of Things Privacy Summit, which concluded yesterday in Silicon Valley. The event had 26 speakers exploring the future of connected technology and its implications. Finally, the event finished with a debate on whether privacy “is even possible” in the Internet of Things era. The full event is archived and available for viewing. Following the event, TRUSTe announced an Internet of Things Privacy Tech Working Group, which includes the FPF, along with the Online Trust Alliance, the Center for Democracy & Technology and others

http://www.marketwatch.com/story/truste-announces-multi-stakeholder-iot-privacy-tech-working-group-as-next-step-to-help-enhance-consumer-privacy-in-internet-of-things-2014-07-11

 

 

+ Analytics In Action: Big Data For Government

These days, governments must use fewer resources to provide high-quality services—while also coping with increasing crime and terrorism, aging infrastructures and citizen demands for transparency and accountability. How can government leaders utilize the latest data-driven, consistent, and real-time framework to achieve their goals?

Check out this whitepaper to understand how critically important business analytics can be to government organizations, and to yours too!

http://gcn.com/~/media/4568F69DF54449FFBD37958D2303CBFB.pdf

 

 

+ Most Critical Infrastructure Firms Have Been Breached  (you already knew this – and likely so have you – right)

A new Ponemon Institute study finds 70% of critical infrastructure companies have been hit by security breaches in the last year, but cyber security programs are still a low priority.

Uptime still trumps proactive cyber security measures in most critical infrastructure organizations worldwide, a new Ponemon Institute study shows. Though 60% of global IT and IT security executives at critical infrastructure organizations say minimizing downtime is a top security objective, just 32% say improving their security posture is a priority. On top of that, 67% say they suffered at least one security breach in the past 12 months that resulted in confidential data loss or disruption to operations. Nearly one-fourth of those attacks were due to insiders or privileged IT users being negligent, the respondents said.  “Security as a priority… that didn’t make the top five list,” says Larry Ponemon, chairman and founder of the Ponemon Institute. “Availability and uptime” are top priorities.

Preventing and quickly detecting advanced persistent threats (APTs) was a priority for 55% of companies, followed by preventing cyber attacks (44%), compliance (40%), securing the national critical infrastructure (35%), and then, with 32%, improving the organization’s security posture.

http://www.darkreading.com/study-most-critical-infrastructure-firms-have-been-breached/d/d-id/1297205?_mc=NL_DR_EDT_DR_daily_20140711&cid=NL_DR_EDT_DR_daily_20140711&elq=2418661ffe714e24815d8f0d42f3611f&elqCampaignId=6021

 

 

+  Translating Security Speak for CEO

Getting Top Executives to Fund IT Security Initiatives.  In defining the term “IT security as a business enabler,” Gartner’s Paul Proctor looks to the way IT managers at a European car maker translate security problems into a language a CEO can understand.

http://www.careersinfosecurity.com/translating-security-speak-for-ceo-a-7011/op-1?utm

 

 

+  Improving Cybersecurity Posture with Continuous Monitoring

Cybersecurity is not just about preventing cyberattacks, it’s about being prepared to recover from an event when it occurs. This is where continuous monitoring comes in. A continuous monitoring solution involves deploying sensors to different parts of your infrastructure that return status updates so you can better spot suspicious activity — and it doesn’t stop there.   See this custom whitepaper to find out how advancements in continuous monitoring reach beyond just collecting data through sensors to aggregating it to make the information useful.

http://gcn.com/~/media/22BC34ECEFEA43BB931A3CF55A32F58C.pdf

 

 

+ EMC Privacy Index   – great statistics on privacy world wide…

A World of Paradoxes: The EMC Privacy Index examines privacy perceptions of consumers around the world and creates a ranking of nations.

http://www.emc.com/campaign/privacy-index/index.htm

 

 

+  Cybersecurity expert Richard Clarke on the future of privacy: only for the rich?  (NOT – you know our cyber model for privacy by design is for everyone!)

One surprise from the widespread use of information technology has been the enormous value created out of just data. Information about what individuals do has created corporations worth billions of dollars. Already today, where we are, whom we are with and what we are doing at any given moment can often be determined through a combination of data and video surveillance technology. By 2040, it could be a given that any of our activities can be known by a variety of governmental and corporate entities. While storage of vast amounts of data has led to hugely valuable benefits from analysis and correlation, it also has led to a significant erosion, if not almost complete destruction, of any meaningful concept of privacy. Privacy advocacy groups will probably be overwhelmed by corporate interests, the security industrial complex, and by a public that perceives benefits from the, frequently free, data-yielding devices and applications. Privacy may then be a commodity that only the wealthy can acquire, but only briefly and in special sanctuaries while taking expensive off-the-grid vacations in locations without surveillance cameras or the tracking devices we call mobile phones.  (EVERYONE needs to protect their privacy NOW!)

http://online.wsj.com/news/article_email/richard-clarke-on-the-future-of-privacy-only-the-rich-will-have-it-1404762349-lMyQjAxMTA0MDAwODEwNDgyWj


+++  FYI / FYSA  Items of interest…


+  Controversial Cybersecurity Bill Known As CISA Advances Out Of Senate Committee

The Senate Select Committee on Intelligence voted Tuesday to approve a controversial cybersecurity bill known as the Cyber Information Sharing Act (CISA). The bill is intended to help companies and the government thwart hackers and other cyber-intrusions.  The bill passed by a 12-3 vote, moving it one step closer to a floor debate.  Lawmakers have been struggling for years to move cybersecurity legislation.  Civil liberties advocates have opposed CISA, arguing that it fails to adequately shield Americans’ privacy.  Proponents of the bill say it will help stop attacks by encouraging data-sharing between businesses and the government.

http://www.forbes.com/sites/gregorymcneal/2014/07/09/controversial-cybersecurity-bill-known-as-cisa-advances-out-of-senate-committee/

 

 

+ ‘Smart’ luggage will text you when it gets lost  –  IoT to the consumer…

When an airline loses your luggage, it can take hours or even days to get someone to tell you where it ended up — if it ever turns up at all. Wouldn’t it be easier to hear from the luggage itself? That’s the promise of “smart luggage,” in which GPS tracking chips are embedded in bags capable of transmitting their locations to travelers and even contacting airlines directly when they get lost. The jumbo jet maker Airbus introduced a concept design for smart luggage at the Paris Air Show last year. The product, known as Bag2Go, can be tracked via a smartphone app. It also allows for self-service check-ins and can weigh itself to ensure that it meets airline requirements. AT&T unveiled a similar concept at a demonstration of its “next-generation technologies” in May. The company envisions integrating the product with standard suitcases and bags — perhaps through an attachable tag — though it could also be built into suitcases directly.

http://money.cnn.com/2014/07/03/technology/innovation/smart-luggage/index.html

 

 

+  LG wants to put a tracking device on your child…   (wearable devices will be everywhere)

Various tech companies have introduced wearable devices over the last few years that track your steps, heart beat and even deliver your e-mails to your wrist.  Is electronically tracking your kid the next frontier?  LG announced a new device Wednesday morning, the KizON wristband, designed to let parents keep track of their child’s whereabouts. The KizON uses GPS, WiFi and mobile Internet signals to identify the user’s location in real time and sends the information to an Android app.

http://www.washingtonpost.com/news/business/wp/2014/07/09/lg-wants-to-put-a-tracking-device-on-your-child/

 

 

+ Apple’s new smartwatch 

Apple hasn’t officially announced its new smartwatch, but the company has left a trail of breadcrumbs with hints about what we can expect from its first new major product line since the iPad came out in 2010. Here’s what’s been reported.

http://www.washingtonpost.com/news/morning-mix/wp/2014/07/07/heres-what-we-know-about-apples-new-smartwatch/

 

+ Android Wear Is Here, and It’s Ready to Rule Your Wrist

The first two watches built on the Android Wear platform launch today. One is from LG, the G Watch, and the other is from its arch Korean peninsular rival, Samsung, the Gear Live.  Should you buy one today? Maybe. It depends on how early you like to adopt. Let’s take a quick trip through analysis lane.

http://www.wired.com/2014/07/android-wear/

 

 

+   UK Parliament Fast Tracking Emergency Data Retention Law 

The UK government is pushing emergency legislation through Parliament that will require telecommunications service providers to store communications metadata for up to one year. All three major political parties have expressed their support of the measure. Prime Minister David Cameron says the law does not create new surveillance powers. The Data Retention and Investigation Powers Bill is being rushed through Parliament because in April, the European Court of Justice overturned the EU Data Retention Directive on the grounds that it “interferes in a particularly serious manner with the fundamental rights to respect for private life and to the protection of personal data.”

http://www.zdnet.com/emergency-phone-and-internet-data-surveillance-bill-to-be-rushed-through-parliament-7000031443/

 

 

+ Banks Dreading Computer Hacks Call for Cyber War Council  –  this is a good thing.. I would use the FS-ISAC to lead the effort.. they are quite good..

Wall Street’s biggest trade group has proposed a government-industry cyber war council to stave off terrorist attacks that could trigger financial panic by temporarily wiping out account balances, according to an internal document. The proposal by the Securities Industry and Financial Markets Association, known as Sifma, calls for a committee of executives and deputy-level representatives from at least eight U.S. agencies including the Treasury Department, the National Security Agency and the Department of Homeland Security, all led by a senior White House official.

http://www.bloomberg.com/news/2014-07-08/banks-dreading-computer-hacks-call-for-cyber-war-council.html

 

 

+  Microsoft Settles No-IP Civil Case  (goes to show you can’t just disable domains the bad guys use, as there are other users affected!)

Microsoft and dynamic domain name provider No-IP have reached a settlement that calls for No-IP to disable certain domains. Microsoft had filed a civil suit against Vitalwerks, which operates as No-IP, for hosting malware that infected millions of computers. Microsoft initially took control of 23 No-IP domains, a move that interrupted service for legitimate customers. The domains have been restored to No-IP and Microsoft is working with Vitalwerks to disable the specific subdomains that are being used to spread malware.

http://www.computerworld.com/s/article/9249646/Microsoft_settles_with_No_IP_after_seizing_its_domains_in_botnet_hunt?taxonomyId=17

[The EFF have posted a very useful overview to the background of this case and highlighted a number of lessons that Microsoft, and hopefully others, will learn from this debacle.

https://www.eff.org/deeplinks/2014/07/microsoft-and-noip-what-were-they-thinking  ]

 

 

+  Invisible IM Project Aims to Leave No Forensic Trail

The Invisible IM project aims to develop a means for people to communicate “without leaving a retrospectively recoverable forensic trail behind on third-party servers.” The technology establishes a local XMPP server on a user’s computer, which then connects to the Tor network. A secure mode will be available that will prevent anyone from knowing who is on someone else’s buddy list or even if they have ever communicated through Invisible IM. The project is being designed to provide anonymity for whistleblowers.

http://www.computerworld.com/s/article/9249568/Encrypted_instant_messaging_project_seeks_to_obscure_metadata?taxonomyId=17

[ Harder to use than you think. Tor is cool, but be aware there is some US Govt funding:

http://www.nrl.navy.mil/itd/chacs/dingledine-tor-second-generation-onion-router  ]


+ The 5 Biggest Cybersecurity Myths, Debunked

Each of us, in whatever role we play in life, makes decisions about cybersecurity that will shape the future well beyond the world of computers. But by looking at this issue as only for the IT Crowd, we too often do so without the proper tools. Basic terms and essential concepts that define what is possible and proper are being missed, or even worse, distorted. Some threats are overblown and overreacted to, while others are ignored. (GOOD overview!!!)

http://www.wired.com/2014/07/debunking-5-major-cyber-security-myths/

 

 

+  Cyber Security Index

An effective cyber security strategy calls for the latest intelligence on the kinds of attacks that are occurring, who is committing them, and how often they are happening. A new IBM report offers expert insight into a range of security statistics, based on monitoring tens of billions of security events that occurred at 3,700 organizations around the world.

http://public.dhe.ibm.com/common/ssi/ecm/en/sew03031usen/SEW03031USEN.PDF

 

 

+ Cybersecurity Strategies: What You Must Know

In today’s security landscape—with the increase in electronic threats, more attention paid to terrorists, criminals, and hackers than ever before, and the increasing popularity of BYOD—it is essential to cover all the basics and reduce attack surfaces wherever possible. See the latest brief on Securing the Government Infrastructure to learn how to address these issues and enable secure access to mission-critical data without compromise, and to discover the basics behind DoD security measures and how attacks can be minimized across multiple endpoints:

• BYOD devices

• MDM technologies

• MLS desktops

http://defensesystems.com/~/media/050D91B889D843558B944B14AD03105D.pdf

 

 

+  FFIEC Launches Cybersecurity Web Page, Promotes Awareness of Cybersecurity Activities (lots of good resources!)

http://www.ffiec.gov/press/pr062414.htm      and     www.ffiec.gov/cybersecurity.htm

The Web page is a central repository for current and future FFIEC-related materials on cybersecurity.

While information security has been a core focus of supervision for decades, the FFIEC members are taking a number of steps to raise awareness of cybersecurity risks at financial institutions and the need to identify, assess, and mitigate these risks in light of the increasing volume and sophistication of cyber threats that pose risks to all industries in our society. The FFIEC Web page provides links to joint statements, webinars, and other information that may help financial institutions when thinking about the issue of cybersecurity.

 

 

+ Black Hat USA 2014: A Massive Enterprise

Intel Update we’re going big… enterprise big, with a selection of Black Hat Briefing highlights that focus on big ideas that affect large organizations.  The St. Regis ShenZhen, a gorgeous luxury hotel occupying the top 28 floors of a 100-story skyscraper, lets visitors control lighting, temperature, music, TV, the blinds, and other room features with an iPad 2. Unfortunately, the system relies on outdated home automation protocols, which allowed presenter Jesus Molina full control over every wired room in the hotel… even from home. In “The Dangers of Insecure Home Automation Deployment,” Molina will explore the implications for large-scale home automation applications, particularly in public settings which leave the venue open to potentially serious liability.

Big data is changing the way things are done, but many organizations’ security sensibilities haven’t caught up to their wanton usage of Hadoop. Are they taking on too much risk, too quickly? Big data’s supposed to generate better, more intelligent predictions, but why should we trust our least-secure systems? Based on Davi Ottenheimer’s new book, Realities of Big Data Security, “Babar-ians at the Gate: Data Protection at Massive Scale” will present the author’s findings, probing tomorrow’s hardest big data problem areas and offering recommendations for today.

Next up, companies and their systems still leak information like a sieve, despite an endless array of security and protection standards and certs. Data Loss Prevention (DLP) solutions are touted as the silver bullet that will save corporations from starring in tomorrow’s headlines, but how effective are they, really? “Stay Out of the Kitchen: A DLP Security Bake-Off” will examine the most popular DLP solutions and show you how they really stack up, complete with flaws and exploits.

http://www.darkreading.com/black-hat-usa-2014-a-massive-enterprise-/d/d-id/1297176?_mc=NL_DR_EDT_DR_daily_20140711&cid=NL_DR_EDT_DR_daily_20140711&elq=2418661ffe714e24815d8f0d42f3611f&elqCampaignId=6021

 

 

+ Threat from hackers brings rush for extra insurance

http://www.telegraph.co.uk/finance/newsbysector/banksandfinance/insurance/10950060/Threat-from-hackers-brings-rush-for-extra-insurance.html


+++  THREATs  / bad news stuff / etc…

 

+ Black Hat USA 2014: Third-Party Vulns Spread Like Diseases

Understanding the impact of vulnerabilities in libraries and other components. As security professionals grapple with how to classify and triage vulnerabilities in third-party libraries and components their software depends upon, it may help to think about the spread of these vulnerabilities the way a public health professional views the spread of infectious disease. Two researchers at Black Hat next month plan to present data that shows how the spread of attack surface from something like a Heartbleed vulnerability instance looks very similar to an epidemiological event, like a widespread flu outbreak.

http://www.darkreading.com/black-hat-usa-2014-third-party-vulns-spread-like-diseases/d/d-id/1279164?_mc=NL_DR_EDT_DR_daily_20140708&cid=NL_DR_EDT_DR_daily_20140708&elq=daa25877f8874eecb151547225f940ac&elqCampaignId=5830

 

 

+  Phony Certificates Issued by Indian Intermediate Certificate Authority  (CA) Revoked  (CAs can be spoofed!)

An intermediate certificate authority in India, the National Informatics Centre (NIC), was issuing unauthorized certificates for Google domains. A Microsoft spokesperson said that the company is “aware of the mis-issued third-party certificates and … has not detected any of the certificates being issued against Microsoft domains.” The fraudulent certificates have been revoked.

http://www.darkreading.com/endpoint/authentication/fake-google-digital-certificates-found-and-confiscated/d/d-id/1297165?

 

 

+ Microsoft Issues Emergency Update to Revoke Unauthorized Certificates  (MORE cert / CA issues!!!)

Microsoft has issued an emergency update to revoke 45 of the unauthorized certificates from NIC. The update will be automatically delivered to PCs running Windows 8, 8.1, RT, RT 8.1, Server 2012, Server 2012 R2, Phone 8, and Phone 8.1. Users running Windows 7, Vista, Server 2008, and Server 2008 R2 may not have the automatic updater installed. There is presently no way to revoke the certificates for Windows 2003. The updates revoke trust in three intermediary certificates from NIC so that all domain certificates, including some legitimate ones, will be invalid.

http://arstechnica.com/security/2014/07/emergency-windows-update-revokes-dozens-of-bogus-google-yahoo-ssl-certificates/

[NOTE –  While PKI is stronger than the alternatives, it is no stronger than the manual and physical controls that are used to implement it.   We really do need an alternative to the current certificate system as it is implemented. There is some promise down the Extended Validation Certificate path, though it does raise costs.   It is not just ecommerce: the whole SCEP (certificate enrollment) issue has been around for some time, and online commerce is growing rapidly, so see these sources if interested:

http://www.certificate-transparency.org/what-is-ct

http://www.css-security.com/wp-content/themes/css/scep/SCEP_and_Untrusted_Devices.pdf

http://www.webtrust.org/item27804.pdf

http://www.webtrust.org/item64428.aspx  ]
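Why revoking trust in three intermediates invalidates every certificate beneath them, legitimate ones included, is easiest to see by walking a chain. The model below is an added example (not code from the article, from Microsoft’s update or from any PKI library): a minimal stand-in for X.509 chain building that checks issuer links, expiry and an explicit distrust list keyed by (issuer, serial), the same shape Windows’ disallowed-certificate update uses. It deliberately omits signature verification, which real validation must also do. All names and serial numbers are constructed placeholders, not the actual NIC certificates.

```python
"""Chain validation with a distrusted intermediate. Added example, stdlib only."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate: only the fields the trust decision reads.
    A real validator also verifies each signature with the issuer's public key."""
    subject: str
    issuer: str
    serial: int
    not_after: datetime
    is_ca: bool = False


def validate_chain(leaf: Cert, store: Dict[str, Cert], anchors: Set[str],
                   disallowed: Set[Tuple[str, int]], now: datetime,
                   max_depth: int = 5) -> Tuple[bool, str]:
    """Walk issuer links from the leaf up to a trust anchor. Any certificate on
    the path that is on the disallowed list, expired, or a non-CA acting as an
    issuer makes the whole chain untrusted, so distrusting one intermediate
    fails every leaf it ever issued."""
    cert, depth = leaf, 0
    while True:
        if (cert.issuer, cert.serial) in disallowed:
            return False, f"{cert.subject}: explicitly distrusted"
        if cert.not_after < now:
            return False, f"{cert.subject}: expired"
        if depth > 0 and not cert.is_ca:
            return False, f"{cert.subject}: not a CA but issued a certificate"
        # Anchor test: self-signed, in the anchor set, and the copy we hold in the store.
        if cert.issuer == cert.subject and cert.subject in anchors and store.get(cert.subject) is cert:
            return True, f"chains to trusted root {cert.subject}"
        parent = store.get(cert.issuer)
        if parent is None:
            return False, f"{cert.subject}: issuer {cert.issuer!r} not found"
        depth += 1
        if depth > max_depth:
            return False, "chain too long"
        cert = parent


def build_scenario(now: datetime):
    """Constructed PKI: root -> intermediate -> one legitimate leaf and one
    mis-issued leaf for a domain the intermediate had no business certifying."""
    later = now.replace(year=now.year + 1)
    root = Cert("Constructed Root CA", "Constructed Root CA", 1, later, is_ca=True)
    inter = Cert("Constructed Intermediate CA", root.subject, 2, later, is_ca=True)
    legit = Cert("portal.agency.example", inter.subject, 100, later)
    rogue = Cert("mail.webmail.example", inter.subject, 101, later)  # mis-issued
    store = {c.subject: c for c in (root, inter)}
    return root, inter, legit, rogue, store


def run_demo(now: datetime = datetime(2014, 7, 13, tzinfo=timezone.utc)) -> Dict[str, bool]:
    """Trust outcome for both leaves before and after the intermediate is distrusted."""
    root, inter, legit, rogue, store = build_scenario(now)
    anchors = {root.subject}
    before: Set[Tuple[str, int]] = set()
    after = {(inter.issuer, inter.serial)}   # what the emergency update effectively does
    return {
        "legit_before": validate_chain(legit, store, anchors, before, now)[0],
        "rogue_before": validate_chain(rogue, store, anchors, before, now)[0],
        "legit_after": validate_chain(legit, store, anchors, after, now)[0],
        "rogue_after": validate_chain(rogue, store, anchors, after, now)[0],
    }


if __name__ == "__main__":
    for name, trusted in run_demo().items():
        print(f"{name:13s} trusted={trusted}")
```

Before the update both leaves validate, because the chain logic has no way to tell a mis-issued certificate from a proper one; after it, neither does. That collateral loss for legitimate subscribers is the cost of a blunt instrument, and it is why mechanisms such as Certificate Transparency (linked above) aim to make mis-issuance detectable before it has to be cut off at the intermediate.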

 

 

+  Top 10 forgotten mobile threats revealed

Do you have a smartphone? Of course you have. Let’s say you even use some encryption for your mobile calls. Do you know what threats you are exposed to when using it?

1. Spyware

2. Record microphone

3. Man-in-the-middle attack

4. Stealing encryption keys

5. Cracking encryption keys

And more – keep reading

http://encrypted-mobile.blogspot.hu/2014/07/top-10-forgotten-mobile-threats-revealed.html

 

 

+ Intruders Accessed US Government Databases Containing Security Clearance Data

Senior US officials say that an attack that has been traced to China managed to gain access to databases at the Office of Personnel Management, which contain information about people who have applied for top-secret security clearances. The intrusion was discovered and the intruders’ access blocked, but … A Department of Homeland Security (DHS) official said that an emergency response team will “assess and mitigate any risks identified.”

http://www.nytimes.com/2014/07/10/world/asia/chinese-hackers-pursue-key-data-on-us-workers.html?module=Search&mabReward=relbias%3Aw%2C%7B%221%22%3A%22RI%3A10%22%7D

 

 

+  Simultaneous Cyber Attacks Target Norwegian Banks, Airlines, Insurance Companies

Attackers targeted the websites and payment systems of DNB, Danske Bank, Nordea, and several other companies, including airlines and insurance companies. While the attack itself was not particularly large, it was unusually broad for Norway, targeting so many companies at once. A group claiming ties to Anonymous has taken credit for the attacks.

http://www.digitaljournal.com/internet/anonymous-norway-claim-massive-cyber-attack-on-norwegian-banks/article/389030

Norwegian police have arrested a 17-year old in connection with these attacks.

http://news.softpedia.com/news/17-Year-Old-Behind-Norway-DDoS-Attacks-this-Week-450391.shtml

 

 

+ Chinese hackers switched targets to U.S. experts on Iraq   (MAYBE the ‘bad guys’ will attack each other…. Of course who knows what the collateral damage might end up being…)

A sophisticated Chinese hacker group that had been stealing information from U.S. policy experts on nearby Southeast Asia suddenly changed targets last month to focus on the Middle East — Iraq, in particular — security researchers said Monday.  The group, called “Deep Panda,” switched from exploiting one area of expertise to another because of the march of the Islamic State of Iraq and the Levant (ISIS) towards Baghdad, and the collapse of Iraq’s security forces in the north and west of the country.

http://www.computerworld.com/s/article/9249590/Chinese_hackers_switched_targets_to_U.S._experts_on_Iraq

+ Cyber spying, maritime disputes loom large in U.S.-China talks

The United States will press China to resume cooperation on fighting cyber espionage to ensure an orderly cyber environment, a senior U.S. official said on Tuesday ahead of annual talks between the world’s two largest economies this week. The talks, which start on Wednesday, will be led by U.S. Secretary of State John Kerry and Treasury Secretary Jack Lew, likely taking in China’s currency, North Korea’s nuclear program and escalating tensions between China and neighbors in the South China Sea and with Japan in the East China Sea.

http://www.reuters.com/article/2014/07/08/us-china-usa-idUSKBN0FD0JC20140708

+ Websense Security Labs Identifies New Strain Of Zeus Malware

http://www.bsminfo.com/doc/websense-security-labs-identifies-new-strain-of-zeus-malware-0001

+ DPAPI vulnerability allows intruders to decrypt personal data

http://www.net-security.org/secworld.php?id=17094&utm_source=dlvr.it&utm_medium=linkedin

+++   SD/SoCAL items of interest / opportunities

JUL

16 – INCOSE – The Internet of Things (IoT) and the explosion of engineering opportunity in what is being called Web 3.0.  (Darin Anderson) – 6 PM dinner & networking, 7-9 PM talk

Location – Giovanni’s Italian Restaurant, 9353 Clairemont Mesa Blvd., SD

17 – ISACA – 12-2 PM – Applying Data Analytics for Continuous Controls Monitoring

https://www.eventbrite.com/e/isaca-july-meeting-applying-data-analytics-for-continuous-controls-monitoring-tickets-12192587357

17 – OWASP Monthly Chapter meeting – Tracy Reed / Log based web app attack detection

http://www.meetup.com/Open-Web-Application-Security-Project-San-Diego-OWASP-SD/events/158734172/

23 – AITP – Cyber Liability – What to do if your company becomes a victim of a cyber security incident and how to handle the triage – 5:30 – 7:30PM –  http://www.eventbrite.com/e/cyber-liability-tickets-11866391697?aff=eorg

AUG

1 – Provided by IEEE Cyber SIG / Various Security groups – all day – – Privacy by design workshop – a cyber model & why you must be part of this initiative!  (at Coleman University –  AM Technical approach… PM public discussions)   +++  Help move SD forward in cyber –  DOING security vs admiring the problem…. SO engage and help out on cyber 4 PbD!!!

http://www.sciap.org/blog1/wp-content/uploads/Privacy-by-Design-cyber-security.pdf

11-14 – Gartner Catalyst  –  Harness the Power of IT Convergence

http://www.gartner.com/technology/summits/na/catalyst/

18 –  USENIX Summit on Gaming, Games and Gamification in Security Education (3GSE ’14)

https://www.usenix.org/conference/3gse14

20-22 – 23rd USENIX Security Symposium

https://www.usenix.org/conference/usenixsecurity14   http://www.inf.ufpr.br/rtv06/iot/05940923.pdf

27 – INCOSE chapter meeting – PADRES GAME!

http://www.sdincose.org/august-2014-monthly-chapter-meeting-padres-game

+++  Future events FYI:

17-19 Sep – CSA Congress 2014

CSA and the International Association of Privacy Professionals (IAPP) are combining their Congress US and Privacy Academy events

https://cloudsecurityalliance.org/media/news/csa-opens-registration-congress-2014/

25 Sep –   San Diego InfraGard Crisis Leadership Symposium

http://www.slideshare.net/slideshow/embed_code/36600356

1 OCT – SoeC – CyberFest 2014 – great all day agenda planned… improving on last year’s success!

1 Nov – Started planning “BigDataDay 4 SD” on a SAT.  Jump in and help us!

We went to the one in LA and it was great… the organizer will help us do that here…

likely our three tracks will be:

–  Technical =  Hadoop/Hbase/NoSQL;

–  Data science = predictive analytics, etc

–  Applications = actual products, etc.. Privacy / data security. ..

—————————————————————————————

JULY 7

+ Cloud’s Next Big Wave: Mission Critical Applications

http://www.forbes.com/sites/mikekavis/2014/06/27/clouds-next-big-wave-mission-critical-applications/?linkId=8646390

+ Robots Rising: 7 Real-Life Roles

Today’s robots feature improved components and capabilities that take them out of labs and into oceans, hospitals — perhaps even your workplace. Take a closer look.

http://www.informationweek.com/mobile/mobile-business/robots-rising-7-real-life-roles/d/d-id/1279107?_mc=NL_IWK_EDT_IWK_daily_20140707&cid=NL_IWK_EDT_IWK_daily_20140707&elq=30d4511295424be88574bf0f944cc3ee&elqCampaignId=5776

+ Google Fit Wants to Rule All Your Wearable Health, Fitness Devices

http://spectrum.ieee.org/tech-talk/biomedical/devices/google-fit-wants-to-rule-all-your-wearable-health-fitness-devices

+ Hope your 4th holiday was nice. A UAV captures views inside the fireworks!

http://youtu.be/a9KZ3jgbbmI

+++  Cyber Security News you can likely use…

+ Why Extracting Value From Big Data Is Difficult

http://mobile.cioinsight.com/it-management/expert-voices/why-extracting-value-from-big-data-is-difficult.html#sthash.elCUHbtt.uxfs

+ The Problem With Data

We have become so excited in collecting data, lots and lots of data, that we’re forgetting the most important part: analyzing and reporting. Many can take your Excel spreadsheet and create eye-catching pie charts and bar graphs, but what are you getting out of it? Using mobile, data is collected for a few main reasons:

–  You have a problem and you need to understand it (enterprise and government security)

–  You have a problem and you need to control it (finance, healthcare, correctional facilities)

–  You have a wealth of information at your fingertips and you want to use it to better your business (retail)

The best part of data? Location.

https://www.linkedin.com/today/post/article/20140702002053-156023-the-problem-with-data?_mSplash=1

+ Managing Data According to Its Economic Value

Not all data is valuable but can be expensive to keep, though organizations still fear to get rid of data and want to hang on to all of it. Unfortunately, this behavior is unsustainable as the costs associated with handling massive volumes of information can be expensive – see this white paper for how to manage according to data’s value..

http://gcn.com/~/media/5D92DC57B2A64E798F01DF5E292192AE.pdf

+ The Internet Of Things Will Radically Change Your Big Data Strategy

http://www.forbes.com/sites/mikekavis/2014/06/26/the-internet-of-things-will-radically-change-your-big-data-strategy/?utm_campaign=techtwittersf&utm_source=twitter&utm_medium=social

+ 10 Very Cool Big Data Visualizations – gives data a whole new perspective!!!

http://www.mastersindatascience.org/blog/10-cool-big-data-visualizations/

+ 2014 US Consumer Confidence Privacy Report – consumer opinion and business impacts…

http://download.truste.com/dload.php/?f=4HKV87KT-447

+ YET, see Forrester’s Total Economic Impact Study Shows the ROI of Privacy

The study reveals:

–  An improvement in output per privacy employee: $150,000 net increase for the company

–  A reduction in legal fees: $180,000 over three years

–  Data privacy breach cost avoidance: $65,000 in annual prevention

http://info.truste.com/Acuity-TEIReport_TY.html?asset=NWY5IE95-473&aliId=9233034

+ Privacy and the Internet of Things

https://www.linkedin.com/today/post/article/20140224154145-45689-privacy-and-the-internet-of-things?_mSplash=1

AND a proposed embedded security framework for IoT

http://www.inf.ufpr.br/rtv06/iot/05940923.pdf

+ Ponemon: Data Breach Costs Rising

The 9th annual research report, conducted for IBM, shows that the cost of breaches, in most countries, is on the rise, a matter that should be of concern to top management… With each breach, an enterprise’s reputation takes a hit, which erodes the bottom line. The adverse impact of that reputation hit is characterized by Ponemon as “abnormal churn rates,” which reflects the loss of customers resulting from a breach..

http://www.bankinfosecurity.com/interviews/ponemon-data-breach-costs-rising-i-2310

+ GSA, DHS about ready to turn the spigot on for a new set of cyber tools

The 17 vendors under the $6 billion continuous diagnostics and mitigation program are anxiously waiting for the first of six task orders under phase two of the program. The General Services Administration and the Homeland Security Department are putting the final touches on the next set of contracts that will truly kickstart the federal move toward dynamic cybersecurity protections of agency networks and computers. “The future phases allow for the expansion of the CDM capability, but really the focus of phase one — in addition to providing CDM of the hardware, software, configurations and vulnerabilities of the network — is the interconnections to the cyber dashboard,” said Jim Piche, a group manager at GSA’s FEDSIM office, which oversees the management and administration of the CDM contract, at a recent conference.

http://www.federalnewsradio.com/241/3655199/GSA-DHS-about-ready-to-turn-the-spigot-on-for-a-new-set-of-cyber-tools

+ Hacked companies face SEC scrutiny over disclosure  =  Proper protections AND breach notifications!

The U.S. Securities and Exchange Commission has opened investigations of multiple companies in recent months examining whether they properly handled and disclosed a growing number of cyberattacks. The investigations are focused on whether the companies adequately guarded data and informed investors about the impact of breaches, according to two people familiar with the matter who asked not to be named because the probes aren’t public. Target Corp., the victim of a breach last year that allowed hackers to access payment data for 40 million of its customers’ debit and credit cards, is one of the companies facing SEC scrutiny, according to company filings.

http://www.bloomberg.com/news/2014-07-02/hacked-companies-face-sec-scrutiny-over-disclosure.html

+ Researcher Finds Flaws In Key Oracle Security Feature

Famed security researcher and Oracle database expert David Litchfield next month at Black Hat USA will present details of weaknesses he discovered in a widely touted new security feature in Oracle databases. But it turns out the new option in Oracle’s 12c database — which allows organizations to redact or hide from unauthorized eyes sensitive data such as social security or credit-card numbers in a database lookup — can be cheated altogether and also allow an attacker to exploit weaknesses in the code via a Web-based SQL injection attack.

http://www.darkreading.com/application-security/database-security/researcher-finds-flaws-in-key-oracle-security-feature/d/d-id/1279078?_mc=NL_DR_EDT_DR_daily_20140703&cid=NL_DR_EDT_DR_daily_20140703&elq=ae39c413903e42fa862e65f86867245f&elqCampaignId=5708

+ Cybersecurity: Two Years at a Time

The world may move at Internet speed, but the IT security and risk management challenges organizations face seem to be tackled at a much slower pace. Hard to believe, right? The just-concluded Gartner Information Security and Risk Management Summit was the second one I attended, and many of the themes I heard at the 2012 conference were repeated this year. To be fair, the challenges may be the same, but some of the solutions being offered have matured…

http://www.inforisktoday.com/blogs/cybersecurity-two-years-at-time-p-1697?rf=2014-07-02-eir&utm_source=SilverpopMailing&utm_medium=email&utm_campaign=enews-irt-20140702%20(1)&utm_content=&spMailingID=6718977&spUserID=NTQ5MzQyNjI3MTkS1&spJobID=480225310&spReportId=NDgwMjI1MzEwS0

+ Does The Internet Of Things Need Its Own Network?

http://www.forbes.com/sites/ptc/2014/07/03/does-the-internet-of-things-need-its-own-network/

+ What the Exponential Power of the #InternetOfEverything Means for Smart Connected Cities

http://blogs.cisco.com/ioe/what-the-exponential-power-of-the-internetofeverything-means-for-smart-connected-cities/

+ Microsoft Backs Open Source For the Internet of Things

http://news.hitb.org/content/microsoft-backs-open-source-internet-things

+ Cisco to build Asia’s first Internet of Things innovation hub in India

http://m.timesofindia.com/tech/it-services/Cisco-to-build-Asias-first-Internet-of-Things-innovation-hub-in-India/articleshow/37713455.cms

+ The Chasm between IT and Cybersecurity

https://www.linkedin.com/today/post/article/20140616153516-371320-the-chasm-between-it-and-cybersecurity?_mSplash=1

+ Why Your Presentations Are Putting People to Sleep

http://blog.hubspot.com/marketing/presentation-design-tips

+ A Confused Mind Always Says No

http://www.speakforsuccess.net/a-confus.htm

+++  FYI / FYSA  Items of interest…

+ Why RansomWare will be a game changer… and what to do about it

Most enterprise security folks scoff at ransomware as just a nuisance category of malware. One that is not new by any means and certainly not worthy of their attention since ransomware by and large is not targeted at companies. Ransomware, after all, is run in broad campaigns by cyber crime gangs, primarily designed to extort people’s hard earned money rather than corporate assets. It’s really not very sexy for Enterprise security professionals to spend much time and effort on — since it’s an individual’s problem — at least perception wise.

https://www.linkedin.com/today/post/article/20140702135307-262891-why-ransomware-will-be-a-game-changer-and-what-to-do-about-it?trk=eml-ced-b-art-M-0-7425882890636044889&midToken=AQHSP9kJrDSXtw&fromEmail=fromEmail&ut=3PuBZRjjd2f6k1

+ Rising use of encryption foiled the cops a record 9 times in 2013 – YES, PRIVACY PAYS!!!

The spread of usable encryption tools hasn’t exactly made law enforcement wiretaps obsolete. But in a handful of cases over the past year—and more than ever before—it did shut down cops’ attempts to eavesdrop on criminal suspects, the latest sign of a slow but steady increase in encryption’s adoption by police targets over the last decade. In nine cases in 2013, state police were unable to break the encryption used by criminal suspects they were investigating, according to an annual report on law enforcement eavesdropping released by the U.S. court system on Wednesday. That’s more than twice as many cases as in 2012, when police said that they’d been stymied by crypto in four cases—and that was the first year they’d ever reported encryption preventing them from successfully surveilling a criminal suspect. Before then, the number stood at zero.

http://www.wired.com/2014/07/rising-use-of-encryption-foiled-the-cops-a-record-9-times-in-2013/

+ White House Study on Big Data Reveals Need for Encryption… REALLY?   See previous tidbit….

http://blog.proofpoint.com/2014/07/white-house-study-on-big-data-reveals-need-for-encryption.html

+ Federal agencies ill-prepared for cyber attacks

Here’s a chilling number: 46,160. That’s the number of reported cyber incidents against federal agencies in 2013. Worse, that’s a 30 percent increase in the last two years. All this was detailed in an important but little noticed report released recently by the Government Accountability Office. Think the credit card information breach at Target was a big deal? This is a whole new ballgame: One company versus a governmentwide problem. But it’s not only the increasing number of incidents that is cause for alarm. According to the report, cyber incidents against federal agencies are becoming more damaging and disruptive.

http://www.wptv.com/decodedc/federal-agencies-ill-prepared-for-cyber-attacks

+ Attackers poison legitimate apps to infect sensitive industrial control systems

Corporate spies have found an effective way to plant their malware on the networks of energy companies and other industrial heavyweights—by hacking the websites of software companies and waiting for the targets to install trojanized versions of legitimate apps. That’s what operators of the Havex malware family have done with aplomb, according to a report published Tuesday by researchers from antivirus provider F-Secure. Over the past few months, the malware group has taken a specific interest in the types of industrial control systems (ICS) used to automate everything from switches in electrical substations to sensitive equipment in nuclear power plants. In addition to the normal infection channels of spam e-mail, the malware operators have added a new tack—replacing the normal installation files of third-party software with tainted copies that surreptitiously install a remote access trojan (RAT) on the computers of targeted companies.

http://arstechnica.com/security/2014/06/attackers-poison-legitimate-apps-to-infect-sensitive-industrial-control-systems

+ Microsoft Expands Encryption, Opens First Transparency Center

As part of Microsoft’s new privacy initiative, Outlook and OneDrive have also gotten encryption enhancements. The software giant also has expanded its encryption options in Outlook.com and OneDrive. Outlook is now protected by TLS encryption for outbound and inbound email. This does, however, require that the email service provider used by both the sender and the receiver support TLS.

http://www.darkreading.com/microsoft-expands-encryption-opens-first-transparency-center/d/d-id/1279044?_mc=NL_DR_EDT_DR_daily_20140702&cid=NL_DR_EDT_DR_daily_20140702&elq=7845961373b147aea9d591a862a0a3e4&elqCampaignId=5658

+ Microsoft kills security emails, blames Canada

In a move that may wind up helping spammers, Microsoft is blaming a new Canadian anti-spam law for the company’s recent decision to stop sending regular emails about security updates for its Windows operating system and other Microsoft software. Asked about the reason for the change, a Microsoft spokesperson said email communication was suspended to comply with a new Canadian anti-spam law that takes effect on July 1, 2014. Some anti-spam experts who worked very closely on Canada’s Anti-Spam Law (CASL) say they are baffled by Microsoft’s response to a law which has been almost a decade in the making.

http://krebsonsecurity.com/2014/06/microsoft-kills-security-emails-blames-canada/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+KrebsOnSecurity+%28Krebs+on+Security%29

+ Even in communications exercises, the cyberattacks are real

When the Army set up its latest worldwide emergency communications exercise, it enlisted pretty much the full spectrum of partners, including joint U.S. forces, NATO allies, the National Guard, Homeland Security Department agencies, industry and first responders from around the United States. But one thing they didn’t need was a red team to test the security of their communications. If you build a network, the hackers will come. The Army’s Communications-Electronics Command, or CECOM, at Aberdeen Proving Ground, Md., served as the hub for the month-long exercise, called the Joint Users Interoperability Communications Exercise, or JUICE, the Army said in a release. But about 90 percent of participants operated remotely, communicating via network services provided by the Defense Information Systems Agency.

http://defensesystems.com/articles/2014/07/01/juice-emergency-response-cyber-attacks.aspx

+ Microsoft darkens 4M sites in malware fight

Millions of Web sites were shuttered after Microsoft executed a legal sneak attack against a malware network thought to be responsible for more than 7.4 million infections of Windows PCs worldwide. In its latest bid to harness the power of the U.S. legal system to combat malicious software and cybercrooks, Microsoft convinced a Nevada court to grant the software giant authority over nearly two dozen domains belonging to no-ip.com, a company that provides dynamic domain name services.

http://krebsonsecurity.com/2014/07/microsoft-darkens-4mm-sites-in-malware-fight/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+KrebsOnSecurity+%28Krebs+on+Security%29

+ The Defense Department is preparing to launch a joint task force that officials hope will clarify how the military operates and defends its networks, including the roles and authorities of the Defense Information Systems Agency.

http://www.c4isrnet.com/article/20140701/C4ISRNET05/307010004/DoD-launching-DISA-cybersecurity-joint-task-force

+ The new intelligence frontier? OSINT

As an open-source information tool, social media could become invaluable.

http://www.federaltimes.com/article/20140702/FEDIT/307020012/The-new-intelligence-frontier-?odyssey=mod|newswell|text|FRONTPAGE|p

+ 10 Concerns When Buying Cyber Insurance   (ask me about this, we have the way forward, a cyber actuarial table too!)

Breaches Propel Organizations to Mull Insurance Protection. At the Gartner security summit, Proctor outlined 10 considerations organizations should address when buying cyber insurance:

http://www.inforisktoday.com/10-concerns-when-buying-cyber-insurance-a-4859/p-2

+ Security, Compliance and Risk Management Explained  (in case you had questions on where each fit…)

https://www.linkedin.com/today/post/article/20140613192008-3094694-security-compliance-and-risk-management-explained

+ Program management: The importance of architecture  (even more so for our security architecture – you do have one?) http://fcw.com/articles/2014/07/02/spires-the-importance-of-architecture.aspx?s=fcwdaily_030714

+ Why security awareness matters http://www.net-security.org/article.php?id=2060

+ Social Engineering: The Basics

http://www.csoonline.com/article/2124681/security-awareness/social-engineering-the-basics.html

+ Hackers can break Tor Network Anonymity with USD 3000

http://securityaffairs.co/wordpress/26395/hacking/tor-network-broken.html

+++  THREATs  / bad news stuff / etc…

+ US privacy board finds no illegitimate activity in NSA’s overseas surveillance program.. (… REALLY???  Oh.. that’s right.. a government body overseeing another, so…)

A U.S. government privacy oversight board has found that the National Security Agency and other agencies have not misused the provisions of the country’s overseas surveillance program, but cautioned that certain aspects of the program, such as the incidental collection of communications of U.S. persons, raises privacy concerns. The Privacy and Civil Liberties Oversight Board said late Tuesday in a pre-release version of its report that it has seen no trace of illegitimate activity around information collected by the government under Section 702 of the Foreign Intelligence Surveillance Act, or any attempt to intentionally circumvent legal limits.

http://www.pcworld.com/article/2450180/us-privacy-board-finds-no-illegitimate-activity-in-overseas-surveillance-program.html

+ Cyber criminals continue to conduct Telephony Denial of Service (TDoS) attacks to extort money from Healthcare and Public Health Sector employees. In one instance, the 9-1-1 Public Safety Access Point (PSAP) communications of a hospital was disabled during the attack. The cyber actors often used spoofed telephone numbers and/or assigned IP addresses making the telephone calls more difficult for law enforcement to track. Due to the ease of TDoS attacks that cyber actors carry out on vulnerable systems, as well as using tactics to evade detection, it is most likely that TDoS will be the go-to method that can be used on other organizations, whether government or private, that rely heavily on telephone lines.

http://voipsecurityblog.typepad.com/marks_voip_security_blog/telephony-dos/

http://voipsecurityblog.typepad.com/marks_voip_security_blog/2014/06/good-video-on-voip-security-and-telephony-denial-of-service.html

+ Security researchers have uncovered what they believe is a significant cybercrime operation in Brazil that took aim at $3.75 billion in transactions by Brazilians. It is unclear what percentage of the $3.75 billion worth of compromised transactions was actually stolen. But if even half of that value was redirected to criminals, the scope of the swindle would eclipse any other previous electronic theft. The thieves preyed on Boleto Bancário, or Boletos, a popular Brazilian payment method that can be issued online and paid through various channels like banks and supermarkets, said researchers at the RSA Security division of the EMC Corporation.

http://www.nytimes.com/2014/07/03/technology/cybercrime-scheme-aims-at-payments-in-brazil.html?partner=rss&emc=rss&_r=0

+ Hackers found controlling malware and botnets from the cloud

In what is considered to be a natural evolution of tactics used by cybercriminals to infiltrate corporate networks, security firm Trend Micro has new evidence that more botnets and malware are being not only hosted in the cloud, but controlled remotely from cloud servers. The goal of hackers is to disguise their malicious software as regular traffic between corporate end points and cloud-based services. Trend Micro reported today through a blog post that it has observed the first instance of hackers using DropBox to host the command and control instructions for malware and botnets that have made it past corporate firewalls.

http://www.networkworld.com/article/2369887/cloud-security/hackers-found-controlling-malware-and-botnets-from-the-cloud.html

+ ISIS opponents take aim at its online presence

The Islamic State of Iraq and Syria has taken to Twitter to spread its message, trumpet bloody successes, and recruit potential jihadists, but its social media campaign has come under attack from forces that range from the U.S. State Department to the mysterious group of hacker-activists who call themselves Anonymous. ISIS has maintained a notably active presence on Twitter, using creative and tech-savvy tactics to amplify its message, maintaining accounts that tweet in English, German, and Russian in addition to Arabic, and posting polished videos with very graphic action sequences and special effects straight out of a Hollywood playbook. The U.S. government has an answer to ISIS’s recruitment campaign. Long before President Obama announced he would send military advisers to Iraq, the State Department launched a program to engage terrorists on Twitter.

http://www.nextgov.com/emerging-tech/2014/06/isis-opponents-take-aim-its-online-presence/87613/

+ Small businesses at high risk for data breach

To the money managers at Silversage Advisors in Irvine, it seemed like a no-brainer to store backup computer drives far from the main office to ensure seamless operations in case of a calamity. Then professional burglars hit the home where the drives were kept, cracked open a safe bolted to the floor and made off with the financial records of hundreds of the firm’s affluent clients: names, addresses, Social Security and driver’s license numbers, account information.

http://www.latimes.com/business/la-fi-small-data-breaches-20140705-story.html#page=1

+ Is a fortress cyber approach futile? (NO, just not enough!)

By all accounts we are at best just barely keeping our heads above water when it comes to defending our digital assets from the relentless attacks emanating from cyber space.

http://www.c4isrnet.com/article/20140630/C4ISRNET18/306300004/Is-fortress-cyber-approach-futile

+ Reports reveal ongoing cyberattacks on U.S. and European energy sector

Hackers likely linked to a foreign government have targeted U.S. and European energy sector companies in an escalating industrial espionage campaign, according to reports from private cyber security researchers.

http://www.washingtonpost.com/news/morning-mix/wp/2014/07/01/reports-reveal-ongoing-cyberattacks-on-u-s-and-european-energy-sector/
