CYBER NEWS TIDBITS FOR U - AUGUST 2014

Welcome to Cyber News Tidbits 4U!

Here are updated news compilations from the Cyber Security Community

Topic headers (+++):
1 – Security news you can likely use (re: management / opportunity items)
2 – Other items of general FYI / FYSA level interest
3 – Threats / bad news stuff / etc.
4 – SD/SoCAL items of interest / opportunities (send me your SD meetings!)


A couple of highlights of the week (a couple of items of potentially notable interest / high utility & value… your mileage will vary…)

AUGUST 14

+ Many US companies failing to uphold EU privacy rules, privacy group claims in FTC complaint

The rules that govern how EU data is treated in the US are being violated by major tech companies, according to a privacy group in a complaint filed with the FTC. RE: “Safe Harbor” needs help – guidance = Cyber enabled Privacy by Design…;-))

http://www.zdnet.com/many-us-companies-failing-to-uphold-eu-privacy-rules-privacy-group-claims-in-ftc-complaint-7000032595/#ftag=RSS86a1aa4

+ Dan Geer at Black Hat

A LONG brief / speech, but if it’s about key cyber items… it’s in here…;-)) “Power exists to be used. Some wish for cyber safety, which they will not get. Others wish for cyber order, which they will not get. Some have the eye to discern cyber policies that are ‘the least worst thing;’ may they fill the vacuum of wishful thinking. There are three professions that beat their practitioners into a state of humility: farming, weather forecasting, and cyber security.”

http://geer.tinho.net/geer.blackhat.6viii14.txt

+ C4P & R&D opportunities for Cyber Physical Systems (CPS) – NIST

A little dated, but still good gouge on what is needed.

http://www.nist.gov/el/upload/12-Cyber-Physical-Systems020113_final.pdf

+ CISO leadership capacity undervalued by most C-level execs

http://www.scmagazine.com/study-ciso-leadership-capacity-undervalued-by-most-c-level-execs/article/364231/

+ OLD news / software security paper that is still germane!!!

Enterprise Software Cyber Security approach === What matters most in software security (actually ALL cyber nowadays) – the four main thrusts in the summary, page two, are still germane now:

(IA/cyber standards and related profiles within a functional cyber architecture… end2end access control (IA&A)… data-centric security… and dynamic policy execution – WHICH BTW we do all of these in our Cyber 4 PbD effort…;-))

http://www.sciap.org/blog1/wp-content/uploads/Enterprise_Software_IA_Security_approach.pdf

+++ Cyber Security News you can likely use +++

+ GSA makes room at the table for the CISO

The General Services Administration has spelled out a new policy for agency IT projects to ensure that basic principles promoting economy, efficiency and transparency are integrated into technology solutions developed for or operated by GSA. Included in the IT Integration policy issued July 24 are requirements that cybersecurity be incorporated into IT projects from the beginning and that the appropriate security team has a place at the table during planning. “One of the largest challenges for GSA IT is early and consistent engagement with the IT security team throughout the project to understand what security requirements apply, who needs to be engaged to assist in implementation and how this impacts the project schedule,” agency CIO Sonny Hashmi wrote in the instruction letter.

http://gcn.com/blogs/cybereye/2014/08/gsa-ciso-cybersecurity-first.aspx?admgarea=TC_SecCybersSec

+ Study finds firmware plagued by poor encryption and backdoors

The first large-scale analysis of a fundamental type of software known as firmware has revealed poor security practices that could present opportunities for hackers probing the “Internet of Things.” Firmware is a type of software that manages interactions between higher-level software and the underlying hardware, though it can sometimes be the only software on a device. It’s found on all kinds of computer hardware, though the study focused on embedded systems such as printers, routers and security cameras.

http://www.computerworld.com/s/article/9250307/Study_finds_firmware_plagued_by_poor_encryption_and_backdoors?source=rss_latest_content&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+computerworld%2Fnews%2Ffeed+%28Latest+from+Computerworld%29

+ Who receives hacker threat info from DHS?

Health care, banking, and other key sectors at risk of cyberattacks have not joined a Department of Homeland Security program required to offer these industries protections against a potential catastrophic hack, according to federal inspectors. President Obama ordered in early 2013 that DHS expand the information-sharing program once restricted to Pentagon contractors to the 16 so-called critical infrastructure industries. Only three of the 16 industries – energy, communications services, and the defense industrial base – are part of the program, according to a DHS inspector general report released Monday. And just two ISPs, termed “communications service providers” or CSPs, are authorized to receive and load the indicators.

http://www.nextgov.com/cybersecurity/2014/08/who-receiving-hacker-threat-info-dhs/91154/

+ Network-attached storage devices more vulnerable than routers, researcher finds

A security review of network-attached storage (NAS) devices from multiple manufacturers revealed that they typically have more vulnerabilities than home routers, a class of devices known for poor security and vulnerable code. Jacob Holcomb, a security analyst at Baltimore-based Independent Security Evaluators, is in the process of analyzing NAS devices from 10 manufacturers and has so far found vulnerabilities that could lead to a complete compromise in all of them. “There wasn’t one device that I literally couldn’t take over,” Holcomb said Wednesday during a talk at the Black Hat security conference in Las Vegas, where he presented some of his preliminary findings. “At least 50 percent of them can be exploited without authentication,” he said.

http://www.computerworld.com/s/article/9250216/Network_attached_storage_devices_more_vulnerable_than_routers_researcher_finds?source=rss_latest_content&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+computerworld%2Fnews%2Ffeed+%28Latest+from+Computerworld%29

+ Facebook gets serious about cybersecurity with new purchase

Facebook is getting serious about fighting off online data threats with its latest purchase. The social network is buying PrivateCore, a cybersecurity firm founded in 2012. It develops software to validate and secure server data – essentially making sure that the photos and messages you post to your social media account stay secure from prying eyes. “I’ve seen how much people care about the security of data they entrust to services like Facebook,” Joe Sullivan, Facebook’s chief security officer, said in a post Thursday. “PrivateCore’s technology and expertise will help support Facebook’s mission to help make the world more open and connected, in a secure and trusted way.”

http://fortune.com/2014/08/08/facebook-gets-serious-about-cybersecurity-with-new-purchase/

+ Internet Of Things Security Reaches Tipping Point

Public safety issues bubble to the top in security flaw revelations. It all began more than four years ago with HD Moore’s groundbreaking research in embedded device security, which found VoIP, DSL, SCADA, printer, videoconferencing, and switching equipment exposed on the public Internet and sporting diagnostic backdoors put in place by developers. The holes could allow an attacker to read and write memory and power-cycle the device in order to steal data, sabotage the firmware, and take control of the device, found Moore, chief security officer at Rapid7 and creator of Metasploit. “This feature shouldn’t be enabled” in production mode but instead deactivated, he told Dark Reading of his research on the widespread vulnerability in VxWorks-based devices.

http://www.darkreading.com/vulnerabilities—threats/internet-of-things-security-reaches-tipping-point/d/d-id/1298019?_mc=NL_DR_EDT_DR_daily_20140814&cid=NL_DR_EDT_DR_daily_20140814&elq=3612689c90bf4132931ff6e2427682f8&elqCampaignId=7252

+ High-tech’s service workers are a growing underclass.

But they are not on the payroll at Apple, Facebook or Google, companies famous for showering their workers with six-figure salaries, stock options and perks. Instead they are employed by outside contractors. And they say the bounty from the technology boom is not trickling down to them.

http://www.usatoday.com/story/tech/2014/08/13/tech-service-workers-amazon-apple-facebook-google/13461027/

+ White House launches ‘U.S. Digital Service,’ with HealthCare.gov fixer at the helm

The White House on Monday announced that it is formally launching a new U.S. Digital Service and that it has hired Mikey Dickerson to lead it, an engineer widely credited with playing a central role in salvaging HealthCare.gov after its disastrous launch. The idea behind the USDS, as the White House has taken to calling it, is institutionalizing the approach that saved the health care site and applying it to the work of the government even before disaster strikes.

http://www.washingtonpost.com/blogs/the-switch/wp/2014/08/11/white-house-launches-u-s-digital-service-with-healthcare-gov-fixer-at-the-helm/

+ Edward Snowden: The Untold Story | MonsterMind

Your favorite worst guy… says NSA has ‘MonsterMind’, a program to automatically hack back… whoa… rife with bad juju… SO… Cyber enabled Privacy by Design, anyone?…

http://www.wired.com/2014/08/edward-snowden

+ Cybersecurity: Why It’s a Team Sport

Former NSA information assurance leader Tony Sager goes on the road to the Black Hat USA security conference to promote the notion that no one should try to solve cybersecurity threats alone.

http://www.inforisktoday.com/interviews/cybersecurity-its-got-to-be-team-sport-i-2413?rf=2014-08-13-eir&utm_source=SilverpopMailing&utm_medium=email&utm_campaign=enews-irt-20140813%20(1)&utm_content=&spMailingID=6907739&spUserID=NTQ5MzQyNjI3MTkS1&spJobID=501370297&spReportId=NTAxMzcwMjk3S0

+ Current state of cyber crime – does the public know?

Good numbers on ID theft status, $$$

http://www.itgovernance.co.uk/blog/current-state-of-cyber-crime-does-the-public-know/?utm_source=social&utm_medium=linkedin

+ Closing The Skills Gap Between Hackers & Defenders: 4 Steps

Improvements in security education, budgets, tools, and methods will help our industry avoid more costly and dangerous attacks and data breaches in the future.

http://www.darkreading.com/closing-the-skills-gap-between-hackers-and-defenders-4-steps/a/d-id/1297755?_mc=nl_&cid=NL_DR_Daily&itc=NL_DR_Daily&elq=d2e89f846fcf40d484b550192632c821&elqCampaignId=7160

+ The Hyperconnected World Has Arrived

Yes, the ever-expanding attack surface of the Internet of Things is overwhelming. But next-gen security leaders gathered at Black Hat are up to the challenge. There were a plethora of talks devoted to hacking, beyond traditional targets and techniques to include everything that comprises the so-called Internet of Things (IoT). From NEST thermostats to medical devices and tapping into alternate communication channels such as cellular protocols and radio waves, the hacking community has charted a new path for a post-PC world.

http://www.darkreading.com/the-hyperconnected-world-has-arrived/a/d-id/1297883?_mc=nl_&cid=NL_DR_Daily&itc=NL_DR_Daily&elq=d7c682d431e740aab64e3de29d512e1d&elqCampaignId=7118

+ The Impact of Privacy Education and Awareness

As privacy and information security become mainstream concerns, a number of organizations have focused on educating consumers about steps they can take to help protect themselves and their privacy.  The Lares Institute has recently completed a cutting-edge research project that is aimed at measuring whether consumers are getting the message.

http://www.laresinstitute.com/archives/4503

+ Mobile Security Best Practices: How To Secure Your Organization

Security is the cornerstone of enterprise mobility. The number and variety of threats to mobile devices and the data they access will never disappear—and in fact new threats will continue to arise. As the federal government continues to embrace enterprise mobility, agencies are faced with continuing security challenges. What are the latest mobile technologies, tools and strategies available?

http://fcw.com/~/media/C63A0CE1CD804C0AAC066D991F596CD1.pdf

+ CNO Discusses Information Dominance at NAVY / SPAWAR Change of Command

http://www.navy.mil/submit/display.asp?story_id=82613

+ CNO Views Information Key to Future of Warfare

Chief of Naval Operations Adm. Jonathan Greenert said: “SPAWAR is the technical agent for information dominance, we know that. It is also the technical agent for a new era in Navy and naval warfare. Control of the information is going to be the key to the future.”

http://www.nextgov.com/defense/2014/08/naval-chief-views-information-key-future-warfare/91127/?oref=ng-HPtopstory

+++ FYI / FYSA Items of interest +++

+ Researcher finds potholes in vehicle traffic control systems

Smart traffic sensor systems that help regulate and automate the flow of traffic and lights contain security weaknesses that could be manipulated by hackers and result in traffic jams or even crashes, a researcher showed here today. Cesar Cerrudo, CTO at IOActive, here at the DEF CON 22 hacker conference, detailed how he was able to build a prototype access point device that could communicate with the network of sensors, repeaters, and access point devices stationed along roads and highways in some major cities in the US. Cerrudo said he found that the devices communicate traffic information wirelessly in clear text and don’t authenticate the data they receive, leaving them open to potential sabotage.

http://www.computerworld.com/s/article/9250301/Senator_wants_curbs_placed_on_fitness_data_use?source=rss_latest_content&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+computerworld%2Fnews%2Ffeed+%28Latest+from+Computerworld%29

+ NIST test bed will probe industrial systems for cyber flaws

The National Institute of Standards and Technology is planning a test bed to examine industrial control systems for cybersecurity vulnerabilities. Industrial control or SCADA systems (for Supervisory Control and Data Acquisition) operate critical infrastructure, such as dams, gas plants, petroleum refineries and chemical manufacturing plants. Hackers can potentially wreak havoc with assaults on such systems. In late June, for example, a targeted malware attack on SCADA systems was identified by the Industrial Control Systems Cyber Emergency Response Team at the Department of Homeland Security; it could have permitted intruders to take over Internet-connected systems. NIST is trying to get ahead of attackers by developing a simulation system that emulates the operations of specific industrial situations.

http://fcw.com/articles/2014/08/11/nist-probing-for-cyber-flaws.aspx

+ Start-up CloudFlare to offer free HTTPS encryption for websites

CloudFlare, a San Francisco start-up that offers cloud-based optimization and online cybersecurity protection, said it plans to offer websites free encrypted HTTPS connections. HTTPS, or Hypertext Transfer Protocol Secure, is an encrypted connection between a user’s computer and website’s servers that prevents hackers from stealing sensitive information, such as a Web user’s login and password. About 2 million websites, including Facebook, Amazon and most banks, already use HTTPS connections, but there are hundreds of millions of other websites that do not. After the disclosure of a major Russian hacking ring, Google this week announced that it will give more weight to HTTPS-enabled sites on its search results, hoping to inspire more companies to adopt the technology.

http://www.latimes.com/business/technology/la-fi-tn-cloudflare-free-https-20140808-story.html?track=rss

+ NIST is Just Starting Point for Cybersecurity

The National Institute of Standards and Technology’s cybersecurity guidelines for utilities, banks and other crucial industries serve as the baseline for what affected companies should be doing to protect their networks from attacks. Some companies have banded together to come up with additional recommendations that can be taken to enhance security, while some companies have chosen to create their own policies. The Financial Services Information Sharing and Analysis Center’s Third Party Software Security Working Group was looking …

http://crnfpn.advisen.com/fpnHomepagep.shtml?resource_id=223037624427069388#top

+ No fixes in sight for satellite terminal flaws

Back in April, when security researcher Ruben Santamarta first went public with serious security flaws in the firmware of satellite land equipment that could allow attackers to hijack and disrupt communications links to ships, airplanes, and military operations, only one of the affected vendors had responded to his findings. Santamarta in a presentation on his research here Thursday at Black Hat USA said the satellite terminal vendors with gaping holes in their products have no plans to patch or fix the shortcomings, which include hardcoded passwords, backdoors, insecure protocols and undocumented protocols. Some contend that the issues are not flaws but acceptable features in their products. Santamarta reported his findings to the CERT Coordination Center, which then alerted the satellite vendors in January of this year.

http://www.darkreading.com/vulnerabilities—threats/advanced-threats/no-fixes-in-sight-for-satellite-terminal-flaws/d/d-id/1297882?_mc=RSS_DR_EDT

+ NSA-Proof “Blackphone” Gets Rooted Within 5 Minutes

http://thehackernews.com/2014/08/nsa-proof-blackphone-gets-rooted-within_11.html?m=1

+ Ziklag as an option, where the major competitor, Blackphone, was publicly hacked

http://www.huffingtonpost.com/rebecca-abrahams/mobile-security-vs-blackp_b_5672960.html

Ziklag FortressFone is a secure mobile IT platform with an EAL 5 Common Criteria security rating, positioned as a device for first responders because it provides secure communications, secure geographic location information and a platform for secure distributed applications.

+ Air Force looks to get proactive on cyber defense

Cyber deception and self-repairing code are among the techniques that AFRL is looking to develop.

http://defensesystems.com/articles/2014/08/12/air-force-cyber-resilience.aspx

+ New ID-check system now online for military installations

The Identity Matching Engine for Security and Analysis system matches people affiliated with the DOD against an FBI database for active arrest warrants. It also alerts if a person is using a lost or stolen credential.

http://www.stripes.com/news/us/new-id-check-system-now-online-for-military-installations-1.297943

+ For defense IT, virtual is more agile than physical

Data center consolidation, cloud computing and virtualization are driving the move toward a software-defined fighting force.

http://defensesystems.com/articles/2014/08/11/commentary-virtualization-agility-for-defense-it.aspx

+ Air Force asks industry for new ways to protect computers and embedded systems from cyber attacks

U.S. Air Force researchers are asking industry for cyber-defense capabilities to help the Air Force avoid cyber attacks. Researchers want industry’s help in understanding the cyber situation, assessing potential impacts, and implementing deterrence and effects-based defensive methodologies.

http://www.militaryaerospace.com/articles/2014/08/usaf-cyber-protection.html

+ Russia Bugs Ukraine Government Offices with Spyware

Putin-backed hackers strike as tensions escalate between Moscow and the West.

http://www.nextgov.com/cybersecurity/2014/08/russia-bugs-ukraine-government-offices-spyware/91178/?oref=nextgov_today_nl

+ NIST Aims to Improve Industrial Control System Security with Testbed

The US National Institute of Standards and Technology (NIST) is planning to build a testbed to help improve supervisory control and data acquisition (SCADA) system security. Currently in an early stage of development, the Reconfigurable Industrial Control Systems Cybersecurity Testbed will “measure the performance of industrial control systems when instrumented with cyber-security protections in accordance with best practices prescribed by national and international standards and guidelines,” according to the request for information.

http://www.theregister.co.uk/2014/08/12/nist_wants_better_scada_security/

RFI: https://www.fbo.gov/index?s=opportunity&mode=form&id=34058f1c96ba5cab935633acc50011c9&tab=core&_cview=0

+ Newly Declassified Documents Regarding the Now-Discontinued NSA Bulk…

http://www.dni.gov/index.php/newsroom/press-releases/198-press-releases-2014/1099-newly-declassified

Following a declassification review by the Executive Branch, the Department of Justice released on August 6, 2014, in redacted form, 38 documents relating to the now-discontinued NSA program to collect bulk electronic communications metadata… Under the program NSA was permitted to collect certain electronic communications metadata such as the “to,” “from,” and “cc” lines of an email and the email’s time and date. This collection was done only after the Foreign Intelligence Surveillance Court approved the government’s applications, and pursuant to court order generally lasting 90 days. NSA was not permitted to collect the content of any electronic communications.

+ Soft intelligence is important too

Organizations that might benefit from open source intelligence (OSINT) need a collection and analysis tool. Today, intelligence experts talk about “target-centric” intelligence. Unlike old school, target-centric does not get bogged down in an obsolete intelligence cycle. That results in more actionable intelligence faster. In cyber intelligence, we tend to be concerned about the bits and bytes. What attacks are landing on my – and others’ – doorstep? Where do they come from (attribution beyond the last inbound hop can be very challenging)?

The bits and bytes really don’t tell us much. We need the data streams, but we also need context… That’s where Silobreaker comes in. It helps define the question, then helps find the answer. It provides context for the data streams.

http://www.scmagazine.com/soft-intelligence-is-important-too-silobreaker/article/360863/

+ SDN: You Can’t Argue Against It

http://www.networkcomputing.com/data-centers/sdn-you-cant-argue-against-it/a/d-id/1297830?_mc=RSS_NWC_EDT&elq=67265cbf4e45436db54483079980bb3c&elqCampaignId=7105

+ Web Application Firewalls Are Worth the Investment for Enterprises

http://www.techrepublic.com/resource-library/whitepapers/web-application-firewalls-are-worth-the-investment-for-enterprises/?promo=550&trial=25801346&tag=wpzd&ttag=e550&s_cid=e550&ftag=TREe9f9a2b&cval=dms-docid-list-zd&tag=nl.e550

+++ For all you ICS / SCADA security gurus…

In case you don’t have these resources / articles…

This one is 840 pages of a LOT of info:

https://www.muckrock.com/foi/united-states-of-america-10/operation-aurora-11765/#1212530-14f00304-documents

http://infosecisland.com/blogview/23862-Google-Aurora-vs-ICS-Aurora–An-industry-and-DHS-Debacle.html

http://threatpost.com/dhs-releases-hundreds-of-documents-on-wrong-aurora-project/107107

http://www.wired.com/2010/01/operation-aurora/

+++ THREATS / bad news stuff / etc. +++

+ Home routers supplied by ISPs can be compromised en masse

Specialized servers used by many ISPs to manage routers and other gateway devices provisioned to their customers are accessible from the Internet and can easily be taken over by attackers, researchers warn. By gaining access to such servers, hackers or intelligence agencies could potentially compromise millions of routers and implicitly the home networks they serve, said Shahar Tal, a security researcher at Check Point Software Technologies. Tal gave a presentation Saturday at the DefCon security conference in Las Vegas.

http://www.computerworld.com/s/article/9250278/Home_routers_supplied_by_ISPs_can_be_compromised_en_masse?source=rss_latest_content&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+computerworld%2Fnews%2Ffeed+%28Latest+from+Computerworld%29

AND related:

http://www.fedcyber.com/2014/08/13/fifteen-new-vulnerabilities-reported-during-router-hacking-contest/

+ Firmware Study Finds Security Concerns

A study conducted by researchers at a French technology graduate school found that much of firmware is not very secure. The research was conducted with information gathered using a web crawler that discovered more than 30,000 firmware images from manufacturers’ websites. Among the issues found in the samples are encryption mechanisms with inadequate protection and backdoors.

http://www.pcworld.com/article/2464060/study-finds-firmware-plagued-by-poor-encryption-and-backdoors.html

+ TSA checkpoint systems found exposed on the net

A Transportation Safety Administration (TSA) system at airport security checkpoints contains default backdoor passwords, and one of the devices running at the San Francisco Airport was sitting on the public Internet. Renowned security researcher Billy Rios, who is director of threat intelligence at Qualys, Wednesday here at Black Hat USA gave details on security weaknesses he discovered in both the Morpho Detection Itemiser 3 trace-explosives and residue detection system, and the Kronos 4500 time clock system used by TSA agents to clock in and out with their fingerprints, which could allow an attacker to easily gain user access to the devices. Device vendors embed hardcoded passwords for their own maintenance or other technical support.

http://www.darkreading.com/vulnerabilities—threats/advanced-threats/tsa-checkpoint-systems-found-exposed-on-the-net/d/d-id/1297843?_mc=RSS_DR_EDT

+ Spy agencies hit with cyber espionage campaign: Kaspersky Lab

Security researchers at Kaspersky Lab said they have uncovered a cyber espionage operation that successfully penetrated two spy agencies and hundreds of government and military targets in Europe and the Middle East since the beginning of this year. The hackers, according to Kaspersky, were likely backed by a nation state and used techniques and tools similar to ones employed in two other high-profile cyber espionage operations that Western intelligence sources have linked to the Russian government.

http://www.reuters.com/article/2014/08/07/us-cybersecurity-hackers-epicturla-idUSKBN0G71LU20140807?feedType=RSS&feedName=technologyNews

+ Attack harbors malware in images

Steganography has long been a tool in the intelligence community and, most recently, of terror groups, but a cyber crime gang has now been spotted using the stealth technique of embedding information or code inside digital images. A researcher at Dell SecureWorks investigating an attack in an incident response engagement at a customer site discovered that the malware involved, Lurk, had been spread via a phony digital image as part of a click-fraud campaign. Steganography typically is used in targeted attack scenarios, so the use of the method for hiding and slipping malware onto machines for click-fraud purposes is rare, says Brett Stone-Gross, a researcher with Dell SecureWorks’ Counter Threat Unit.

http://www.darkreading.com/endpoint/attack-harbors-malware-in-images/d/d-id/1297867?_mc=RSS_DR_EDT

+ Android malware SandroRAT disguised as mobile security app

Researchers are again warning users to steer clear of app downloads from unvetted sources, particularly since new Android malware is making the rounds through phishing emails. Over the weekend, Carlos Castillo, a mobile malware researcher at McAfee, detailed the new variant of remote access trojan (RAT) AndroRAT in a blog post. The latest iteration called “SandroRAT,” appeared after the AndroRAT source code was put up for sale last year, he said. SandroRAT is capable of carrying out a long list of malicious actions, including stealing SMS messages, contact lists, call logs, browser history (including banking credentials), and GPS location data stored in Android devices. The threat can also record nearby sounds using the device’s mic and store the data in an “adaptive multi-rate file on the SD card to later send to a remote server,” Castillo revealed.

http://www.scmagazine.com/android-malware-sandrorat-disguised-as-mobile-security-app/article/364455/

+ How malware writers cheat AV zero-day detection

As an experiment, Kyle Adams wrote what he describes as “ridiculously obvious” malware that most major antivirus products ultimately failed to detect. The only AV product that caught his malware was the freebie AVG, whose code-emulation feature sniffed it out. So Adams, chief software architect for Junos Webapp Secure at Juniper Networks, kicked it up a notch and reverse engineered AVG’s code emulation engine. Then he was able to bypass AVG’s engine, as well, but he also noticed what attackers could do in that situation. On Tuesday, Aug. 5, at BSides Las Vegas, Adams will demonstrate how he cheated various AV products and how AV’s code emulation feature for catching zero-day exploits has some weaknesses of its own.

http://www.darkreading.com/vulnerabilities—threats/how-malware-writers-cheat-av-zero-day-detection/d/d-id/1297771?_mc=RSS_DR_EDT

+ Security Holes Exposed In Trend Micro, Websense, Open Source DLP

Researchers Zach Lanier and Kelly Lum at Black Hat USA took the wraps off results of their security testing of popular data loss prevention software. Zach Lanier, senior security researcher at Duo Security, and Kelly Lum, security engineer with Tumblr, revealed details on the cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities they discovered in four commercial DLP products and one open-source tool they investigated. The pair had provided a sneak peek of their presentation, “Stay Out of the Kitchen: A DLP Security Bake-off,” to Dark Reading prior to the conference, but stopped short of divulging the vendor and product names.

http://www.darkreading.com/vulnerabilities—threats/security-holes-exposed-in-trend-micro-websense-open-source-dlp-/d/d-id/1297966?_mc=NL_DR_EDT_DR_daily_20140813&cid=NL_DR_EDT_DR_daily_20140813&elq=98d2979817814af89814cb7c738edce6&elqCampaignId=7206

+ Some “Experts” Say Planes Cannot be Digitally Hijacked

In a presentation at DefCon, two aviation experts allayed concerns that airplanes could be hijacked with computers. Avionics systems are not accessible through the in-flight entertainment system or Wi-Fi. Phil Polstra, associate professor of digital forensics at Bloomsburg University, said: “One thing everyone needs to understand, you cannot override the pilot.” Autopilot functions could conceivably be altered, but the activity would generate alerts and pilots would disconnect that function. Attackers could attempt to compromise a system that is used to send messages about weather, flight plan changes, delays, and the like, but those attempts are likely to appear suspicious to those who interact with the system, and they would be ignored.

http://www.scmagazine.com/defcon-you-cannot-cyberhijack-an-airplane-but-you-can-create-mischief/article/365465/

+ CloudBot: A Free, Malwareless Alternative To Traditional Botnets

Researchers from Bishop Fox create a powerful cloud-based botnet for attackers on a budget.

http://www.darkreading.com/cloudbot-a-free-malwareless-alternative-to-traditional-botnets/d/d-id/1297878?_mc=nl_&cid=NL_DR_Daily&itc=NL_DR_Daily&elq=d2e89f846fcf40d484b550192632c821&elqCampaignId=7160


+ Hacker Shows How to Break Into Military Communications

http://m.nextgov.com/defense/2014/08/hacker-shows-how-break-military-communications/90977/?oref=ng-HPriver


+ DDOS map worldwide…

http://map.ipviking.com/


+++   SD/SoCAL security  items of interest / opportunities +++


AUG

18 –  USENIX Summit on Gaming, Games and Gamification in Security Education (3GSE ’14)

https://www.usenix.org/conference/3gse14


19 – (ISC)2 San Diego chapter at 6PM. Topic is “Security Engineering” presented by Jim Acerra.

Location: Mitchell International Inc 6220 Greenwich Dr San Diego, CA 92131


21 – OWASP  6PM – Peleus Uhley from Adobe’s PSIRT Team

http://www.meetup.com/Open-Web-Application-Security-Project-San-Diego-OWASP-SD/events/158734302/


20-22 – 23rd USENIX Security Symposium

https://www.usenix.org/conference/usenixsecurity14

http://www.inf.ufpr.br/rtv06/iot/05940923.pdf


28 – San Diego ISSA Chapter – Women in Security Panel

https://www.eventbrite.com/e/august-2014-san-diego-issa-chapter-women-in-security-panel-tickets-10649995423


SEP


17-19 Sep – CSA Congress 2014

CSA and the International Association of Privacy Professionals (IAPP) are combining their Congress US and Privacy Academy events

https://cloudsecurityalliance.org/media/news/csa-opens-registration-congress-2014/


25 Sep –   San Diego InfraGard Crisis Leadership Symposium

http://www.slideshare.net/slideshow/embed_code/36600356


+++  Future events FYI:


TBD  – Provided by IEEE Cyber SIG / Various Security groups – all day – – Privacy by design workshop – a cyber model & why you must be part of this initiative!  (at Coleman University –  AM Technical approach… PM public discussions)   +++  Help move SD forward in cyber –  DOING security vs admiring the problem…. SO engage and help out on cyber 4 PbD!!!

http://www.sciap.org/blog1/wp-content/uploads/Privacy-by-Design-cyber-security.pdf


1 OCT – SoeC – CyberFest 2014 – great all day agenda planned… improving on last year’s success!  October is cyber month after all!!!

http://events.r20.constantcontact.com/register/event;jsessionid=5C9580C3DEB4919096AC6BFFCE369008.worker_registrant?llr=mr9qlimab&oeidk=a07e9jfo4or9b1958b3


27 Oct – Combined cyber security event … tentative ½ day –  NDIA, AFCEA / IEEE and CCOE, others…


1 Nov – Started planning “BigDataDay 4 SD” on a SAT.  Jump in and help us!

We went to the one in LA and it was great…   likely our three tracks will be:

–  Technical =  Hadoop/Hbase/NoSQL;

–  Data science = predictive analytics, etc

–  Applications = actual products, etc.. Privacy / data security. ..


AUGUST 9

+  Heartbleed, GotoFail Bring Home Pwnie Awards

– pretty good look at the good and bad of recent cyber stuff..  Pwnie Awards celebrate the best bug discoveries and worst security fails.

http://www.darkreading.com/heartbleed-gotofail-bring-home-pwnie-awards/d/d-id/1297871?_mc=nl_&cid=NL_DR_Daily&itc=NL_DR_Daily&elq=e1cd590365ae4b96b622826206c56366&elqCampaignId=7084


+ Hackers Wanted: An Examination of the Cybersecurity Labor Market…

Good free report on topic by RAND..     Yes – ethical hackers are needed and well paid..  $200,000+

Yet – what we really need is a LOT more security operators for 90+% of all businesses … SMB... where the volume is!!!  And exactly where our local SD IEEE “cyber needs triangle” security course is focused.. students experience their way up… starting with resiliency…  We can’t afford a cyber ninja in every place… and that is not needed – just get a MSS as your SME….

http://www.rand.org/pubs/research_reports/RR430.html


+ free new online service that can help CryptoLocker victims

Until today, Microsoft Windows users who’ve been unfortunate enough to have the personal files on their computer encrypted and held for ransom by a nasty strain of malware called CryptoLocker have been faced with a tough choice: Pay cybercrooks a ransom of a few hundred to several thousand dollars to unlock the files, or kiss those files goodbye forever. That changed this morning, when two security firms teamed up to launch a free new online service that can help victims unlock and recover files scrambled by the malware.

http://krebsonsecurity.com/2014/08/new-site-recovers-files-locked-by-cryptolocker-ransomware/


+  Top 10 Things Cybersecurity Professionals Need to Know About the Internet of Everything

To help cybersecurity professionals cut through the hype and gain a better understanding of what to expect as the IoE continues to evolve, these top 10 observations might help

http://www.securityweek.com/top-10-things-cybersecurity-professionals-need-know-about-internet-everything


+ An “IA policy” map – and not just for the feds.. (looked at your security policy lately?)

Defending Department of Defense (DoD) networks, systems and data (DDNSD) is a complex and ongoing challenge. The DoD Chief Information Officer issued a new cybersecurity strategy for the Department. At the end of March an unclassified version was made publicly available..

http://iac.dtic.mil/csiac/ia_policychart.html


+  Cyber enabled Privacy by Design (PbD)….    Get engaged, future proof your data, and reduce liability!

By following the PbD principles, you automatically protect key data, users, etc… We’re promoting an effort developing a cyber model, including one view of an open privacy framework, where we think that approach applies to ALL organizations, commercial and government, and eventually ALL environments TOO… be that IoT,  mobile, ICS, PII, HIPAA, PCI, etc, etc..

We have several existing products that can make the PbD cyber model work now, to a large extent…so it is in play, not just a concept…or PPT slides..    We still need to better quantify the cyber enabled privacy specifications of course, based on the NIST privacy controls (800-53V4 Appd J), and PbD use cases, etc..  Our initial / draft brief on our Cyber model for Privacy by Design (“C4P”)(using data centric security (DCS) methods) is here…

http://www.sciap.org/blog1/wp-content/uploads/Privacy-by-Design-cyber-security.pdf

Our much more detailed technical paper on our “C4P” approach, including an open privacy framework within an enterprise architecture is here:  Please ENGAGE if being ahead of the cyber wave interests you.

http://www.sciap.org/blog1/wp-content/uploads/Cyber-security-enable-privacy-design.pdf


+++  Cyber Security News you can likely use…


+ FTC can sue companies over data breaches, court says…       

An April court decision on company liability for data breaches underlines the increased reliance commercial clients will have on insurance producers, industry and legal experts say. The US District Court for the District of New Jersey ruled that the Federal Trade Commission can sue companies on charges related to data breaches. The lawsuit accused Wyndham Worldwide Corp., which suffered three major data breaches in two years, of unfair trade practices and of misleading customers into believing their cardholder data was adequately protected. To Tony Busseri, CEO of data security firm Route1, the decision signaled a lasting shift toward corporate responsibility for “inadequate data security measures.”

http://www.ibamag.com/news/ftc-can-sue-companies-over-data-breaches-court-says-18080.aspx


+  Next-gen cybersecurity means anticipating threats

The recent announcement of a forward-looking cyberthreat tool from the Georgia Tech Research Institute (GTRI) is an example of a developing trend in security of using broad-based data that bad guys themselves put out to try and get ahead of threats. It’s also a tacit admission that security solely based on reacting to threats is not, and will not, work. The GTRI tool, called BlackForest, collects information from the public Internet such as hacker forums and other places those said bad guys gather to swap information and details about the malware they write and sell. It then relates that information to past activities, and uses all of that collated intelligence to warn organizations of potential threats against them – and once attacks have happened, how to make their security better.

http://gcn.com/blogs/cybereye/2014/08/anticipating-cyberthreats.aspx?admgarea=TC_SecCybersSec


+ Defending against cyberattacks

The growing scourge of cybercrime demands action from Congress.. The scale of cybercrime continues to astonish. The latest eye-opener is a Milwaukee security firm’s claim that Russian hackers stole 1.2 billion usernames and related passwords. This must be one of the biggest hauls of all time, and while it is not clear what the hackers intend to do with their stolen data, the report should serve as another wake-up call to Congress and the American people to break out of their long period of complacency.

http://www.washingtonpost.com/opinions/the-growing-scourge-of-cybercrime-demands-action-from-congress/2014/08/07/cdb738d4-1da1-11e4-ab7b-696c295ddfd1_story.html


+ Danzig: Focus on cyber ‘existential’ threats undermines U.S. preparedness

Washington’s recurring tendency to label cyber attacks an “existential” threat to the United States exaggerates the danger and fails to focus attention on managing significant cyber risks to critical infrastructure and U.S. national security, according to Richard Danzig, a key administration adviser and author of a recent cybersecurity study.

http://insidecybersecurity.com/Cyber-General/Cyber-Public-Content/danzig-focus-on-cyber-existential-threats-undermines-us-preparedness/menu-id-1089.html


+ Russian hackers might have your info — now what?  Great Q&A views

You may have heard about it in the news: reports that Russian hackers have stolen more than a billion unique username and password combinations, and more than 500 million email addresses, grabbed from thousands of websites. What should you do about it? We asked our resident expert, Maneesha Mithal, director of our Division of Privacy and Identity Protection.

http://www.onguardonline.gov/blog/russian-hackers-might-have-your-info-now-what

ALSO, Krebs: Since security consultancy Hold Security dropped the news that a Russian gang has stolen more than a billion email account credentials. Rather than respond to each of them in turn, allow me to add a bit of perspective here in the most direct way possible: The Q&A.

http://krebsonsecurity.com/2014/08/qa-on-the-reported-theft-of-1-2b-email-accounts/


+ No Fixes In Sight For Satellite Terminal Flaws

At Black Hat USA, a researcher who in April revealed weaknesses in popular satellite ground terminal equipment found on air, land and sea, demonstrates possible attack scenarios.

http://www.darkreading.com/vulnerabilities—threats/advanced-threats/no-fixes-in-sight-for-satellite-terminal-flaws/d/d-id/1297882?_mc=nl_&cid=NL_DR_Daily&itc=NL_DR_Daily&elq=e1cd590365ae4b96b622826206c56366&elqCampaignId=7084


+ InfoSec’s Holy Grail: Data Sharing & Collaboration

Despite all the best intentions, cooperation around Internet security is still a work in progress. Case in point: Microsoft’s unilateral action against No-IP. “We need more collaboration, we need more data sharing!” This obligatory refrain perennially echoes through cyber security conference halls, eliciting a rolling of the eyes and a grimace. Why? It’s a noble notion, but the concept can be unrealistic when perceived as a panacea for countering cyberthreats.

http://www.darkreading.com/operations/infosecs-holy-grail-data-sharing-and-collaboration-/a/d-id/1297633?_mc=NL_DR_EDT_DR_daily_20140801&cid=NL_DR_EDT_DR_daily_20140801&elq=893f8eac353b4c898eeefcb00e9ae977&elqCampaignId=6863


+ CIA’s Amazon-built cloud goes live

The Central Intelligence Agency is now officially an Amazon Web Services cloud consumer. Less than 10 months after a U.S. Court of Federal Claims judge ended a public battle between AWS and IBM for the CIA’s commercial cloud contract valued at up to $600 million, the AWS-built cloud for the intelligence community went online last week for the first time, according to a source familiar with the deal. The cloud – best thought of as a public cloud computing environment built on private premises – is yet far from its peak operational capabilities when it will provide all 17 intelligence agencies unprecedented access to an untold number of computers for various on-demand computing, analytic, storage, collaboration, and other services.

http://www.nextgov.com/cloud-computing/2014/08/cias-amazon-built-cloud-goes-live/90347/


+ The data centers of tomorrow will use the same tech our phones do

The mobile revolution has spread beyond the mini supercomputers in our hands all the way to the datacenter. With our expanded use of smartphones comes increased pressure on servers to help drive these devices: The activity we see every day on our phones is a mere pinhole view into all that’s happening behind the scenes, in the massive cloud infrastructure powering all those apps, photo-shares, messages, notifications, tweets, emails, and more. Add in the billions of devices coming online through the Internet of Things (which scales through the number of new endpoints, not just the number of users) and you begin to see why the old model of datacenters built around PCs is outdated. We need more power. And our old models for datacenters are simply not enough. That’s where mobile isn’t just pressuring, but actually changing the shape of the datacenter, displacing incumbents and creating new opportunities for startups along the way.

http://www.wired.com/2014/08/datacenter-of-the-future/


+  Expanding the scope and impact of cybersecurity and privacy research

As our lives and businesses become ever more intertwined with the Internet and networked technologies, it is crucial to continue to develop and improve cybersecurity measures to keep our data, devices and critical systems safe, secure, private and accessible. The other day, the National Science Foundation’s (NSF) Secure and Trustworthy Cyberspace (SaTC) program announced two new center-scale “Frontier” awards to support large, multi-institution projects that address grand challenges in cybersecurity science and engineering with the potential for broad economic and scientific impact. An NSF release reports that the Frontier awards are part of a diverse $74.5 million portfolio of more than 225 new projects in 39 states. These cybersecurity research and education projects are aimed at minimizing the misuses of cyber-technology, bolstering education and training in cybersecurity, establishing the science of security, and transitioning promising cybersecurity research into practice.

http://www.homelandsecuritynewswire.com/dr20140801-expanding-the-scope-and-impact-of-cybersecurity-and-privacy-research


+ Google Maps on your feet: Smartshoes vibrate to tell you where to go

There’s smartglasses and smartwatches. Now, there are smartshoes. The Bluetooth-enabled Lechal shoes, designed by an Indian start-up called Ducere Technologies, can connect to a smartphone and pull out directions from Google Maps and direct you to the destination by vibrating one or the other shoe when it’s time to take a turn. Who are these smartshoes for? The idea behind the Lechal footwear is to help people who are visually challenged, according to the company’s Web site.

http://www.washingtonpost.com/news/business/wp/2014/07/29/goolge-maps-on-your-feet-smartshoes-vibrate-to-tell-you-where-to-go/


+ Cybersecurity and Boards of Directors

Executive Director Andrew Serwin and Advisory Board Member Ron Plesco, along with Shaygan Kheradpir, Chief Executive Officer, Juniper Networks,  presented at the Corporate Directors Forum on a panel entitled “Secrets of the Hacker Underground: What Directors NEED to Know about Cybercrime.”  The panel covered a number of topics, including: what the emerging threats are; how companies, and Boards, can begin to assess and react to these emerging issues; as well as best practice recommendations.

http://www.laresinstitute.com/archives/4477

http://www.directorsforum.com/events/individual/7_30_14_Breakfast_Materials.html


+  C-Level Execs Concerned About Cybersecurity, But Not Investing in It

http://www.infosecurity-magazine.com/view/39492/clevel-execs-concerned-about-cybersecurity-but-not-investing-in-it


+ The 10 most terrifying security nightmares revealed at the Black Hat and Def Con hacker conferences

http://www.pcworld.com/article/2462884/the-10-most-terrifying-security-nightmares-revealed-at-the-black-hat-and-def-con-hacker-conferences.html


+ Using Analytics to Prioritize Spending on Cybersecurity

http://spotfire.tibco.com/blog/?p=26125


+ infographic for more compelling Big Data statistics

Did you know that 90% of the world’s data was created in the last two years? And that 80% of data today is unstructured? An infographic presenting statistics like these in an easy-to-consume graphic.

http://gcn.com/~/media/6093A491848742889D9629F61BE81A78.PDF


+++  FYI / FYSA  Items of interest…


+  Twitter says governments are asking for more user data than ever

Twitter said government requests for user data grew sharply in the past six months as more countries asked for a greater amount of information about users. More than half of the requests came from the United States, as has been the case since Twitter began issuing its “transparency report” in 2012. Typically, the requests are part of criminal investigations. San Francisco-based Twitter Inc. said in a blog post Thursday that it received 2,058 requests from 54 countries in the first six months of the year, including from eight countries that had not previously submitted requests. Twitter produced at least “some information” that the governments asked for in 52 percent of cases worldwide and in 72 percent of requests coming from the U.S.

http://www.cbsnews.com/news/twitter-says-governments-are-asking-for-more-user-data-than-ever/

(+++ SO….. you know you need a cyber enabled privacy by design approach in your company.. right? +++)


+  Twitter Buys Password Security Startup Mitro

Twitter Inc (NYSE:TWTR) has acquired Mitro, a small password-security start-up. The acquisition will help the micro-blogging firm to enhance its geolocation capabilities. The New York-based start-up was founded by ex-Google engineers, and the deal was announced by the company on its site without revealing the financial terms. With improved geolocation technology, small advertisers on Twitter will be able to better target local consumers. In 2009, Twitter acquired Mixer Labs, with the help of which the micro-blogging site was able to add location tags to tweets.

https://www.valuewalk.com/2014/08/twitter-buys-password-security-startup-mitro/


+ Getting DoD to buy commercial IT

Despite the best intentions of reformers, the Defense Department still does a poor job of acquiring and deploying off-the-shelf IT systems to meet its administrative and business needs, according to members of the IT Acquisition Advisory Council.

http://fcw.com/articles/2014/08/06/how-to-get-dod-to-buy-commercial-it.aspx


+ Netscout sues Gartner over Magic Quadrant rating

A lawsuit filed Tuesday in Connecticut Superior Court accuses tech analyst firm Gartner Research of demanding kickbacks in exchange for favorable placement in the company’s famous Magic Quadrant report. NetScout, a Massachusetts-based manufacturer of network performance management products, says in court documents that companies that pay for Gartner’s consulting services are ranked above those that do not, and that this is the reason for NetScout’s inclusion in the “challengers” category of the most recent NPM Magic Quadrant, instead of among the “leaders.”

http://www.networkworld.com/article/2462840/network-management/netscout-sues-gartner-over-magic-quadrant-rating.html?source=NWWNLE_nlt_daily_pm_2014-08-07#tk.rss_all


+ NASA request for information summarizes the datacenter market

The NASA Goddard Space Flight Center (GSFC) finds itself in the same situation that many businesses and data center operators find themselves: It’s time to start considering the upgrade path for their datacenter operations. But unlike most businesses, the GSFC has taken the approach of a public request, under the name Data Efficiency and Containerization, for information on three main approaches that they believe can solve the datacenter growth needs. The GSFC has defined three solution paths – short-term, interim transitional, and long-term – that they believe best suit the facility’s needs. They are asking for vendors to respond to the request for information with solutions to these models that not only serve their needs but also meet the Federal Data Centers Consolidation and Green mandates.

http://www.zdnet.com/nasa-request-for-information-summarizes-the-datacenter-market-7000032083/


+ Can Big Data better secure DoD networks?

As the Defense Information Systems Agency gains momentum in the use of its cybersecurity analytics cloud, officials are looking toward better using the analytics to help secure Defense Department networks. Currently, DISA’s Cybersecurity Situational Awareness Analytical Cloud, or CSAAC, compiles data coming in from sensors and Internet access points throughout DoD’s networks and data centers, merging that information to monitor for issues, events or anomalous behavior. Defense officials say CSAAC is helping them get a better understanding of what’s happening on DoD networks at any given time, but the hope is to create an even more comprehensive, sharper operational picture that can be shared among DoD partners, particularly as the military moves to the Joint Information Environment.

http://www.federaltimes.com/article/20140730/FEDIT03/307300010/Can-Big-Data-better-secure-DoD-networks-


+ Microsoft Releases Updated Enhanced Mitigation Experience Toolkit

Microsoft has released a new version of its Enhanced Mitigation Experience Toolkit (EMET). Among the new features being touted in EMET 5.0 are the improved Attack Surface Reduction tool and Export Address Table Filtering Plus (EAF+) service.

http://www.v3.co.uk/v3-uk/news/2358646/microsoft-releases-hacker-busting-enhanced-mitigation-experience-toolkit-50

[Note: Given that the focus of criminals is to attack computers via their browsers, I recommend to my clients that they deploy EMET amongst their Windows PC estate as soon as possible. EMET would be very effective if implemented. By Microsoft’s own analysis it would resist ninety percent of attacks against Windows.

However, consistent with Microsoft’s commitment to backward compatibility, EMET is still not enabled by default because it might break (a small number of very old) legacy applications. For the same reason enterprises fail to use it. Consumers do not even know about it.]


+  Study Calls for Cyber Security Professional Organization

A study from the Pell Center at Salve Regina University in Rhode Island acknowledges that “there are not enough people equipped with the appropriate knowledge, skills, and abilities to protect the information infrastructure, improve resilience, and leverage information technology for strategic advantage.” The report “proposes the creation of a national professional association in cybersecurity to solidify the field as a profession, to support individuals engaged in this profession, to establish professional standards, prescribe education and training, and … to support the public good.”

http://pellcenter.salvereginablogs.com/cybersecurity-report-recommends-path-to-professional-standards-in-cybersecurity-industry/

http://pellcenter.salvereginablogs.com/files/2014/07/Professionalization-of-Cybersecurity-7-28-14.pdf

[ Note: a people-focused approach to cybersecurity brings with it the necessary clarity to understand the true nature of the challenges and establishes a clear framework for planning, engineering, and implementing measures that can be sustained and built upon.  We all know of countless organizations that reacted to a specific incident by implementing outside-expert-recommended technology only to fail in its deployment and operation.  Getting a competent handle on cybersecurity means engaging, integrating, equipping and training people to make the difference.  Our attention should turn to identifying and enhancing the knowledge and skills of cybersecurity professionals as a field while involving business architects and engineers to make cyber-informed decisions.

Getting this right sets the stage for game-changing progress in cyber resilience and defense.]


+  Highly trained security professionals are in demand, and the need is not letting up.

Another fact: Security certifications can increase your paycheck as well as your skill set. According to the results of the Global Knowledge 2014 IT Skills and Salary Survey: Approximately three out of 10 IT respondents reported that at least a portion of their day included security-related tasks. Two-thirds of this group are performing those tasks without a security-related certification. There’s a significant salary lift between those who perform security tasks without a certification and those who hold one ($81,907 vs. $98,879).

The top certifications of those surveyed are CompTIA’s Security+, CISA, CEH, CISM and CISSP.


+ Brad Maiorino, Target’s New Cybersecurity Boss, Discusses Being a ‘Glutton for Punishment’

Really. .. doing right in cyber is punishment?    And getting to 95% pretty good security level is easy… You all know this: effective cyber hygiene… stricter access control.. use only proven devices / APLs  and use SCM to monitor. .  all efforts to enforce your security policy..   and ALL the things you need to do in any security program anyway….

http://mobile.nytimes.com/blogs/bits/2014/07/31/brad-maiorino-targets-new-cybersecurity-boss-discusses-being-a-glutton-for-punishment/


+ US cyber-army’s cyber-warriors ‘cyber-humiliated by cyber-civvies in cyber-games’

‘They were pretty much obliterated’ – The US military held a series of online war games to pit reservist hackers against its active-duty cyber-warriors, and the results weren’t pretty for the latter, we’re told. “The active-duty team didn’t even know how they’d been attacked. They were pretty much obliterated,” said one Capitol Hill staffer who attended.

http://www.theregister.co.uk/2014/08/05/us_military_cyberwarriors_reservists_war_games/


+ DISA approves BlackBerry Secure Work Space for iOS and Android

The STIG approval for the containerization solution opens the door for Apple and Android devices connected to BlackBerry Enterprise Service.

http://defensesystems.com/articles/2014/08/06/disa-blackberry-secure-work-space-ios-android.aspx


+ Proposed USA Freedom Act Updated for Improved Privacy

Efforts to reform government surveillance laws continue to push through Congress. The USA Freedom Act of 2014 is the latest step in that direction.

http://www.eweek.com/security/proposed-usa-freedom-act-updated-for-improved-privacy.html


+ Breach Index: Encryption Used in only 4% of Q2 Incidents

Last quarter, organizations that reported data breaches only used encryption around four percent of the time to further safeguard data, a report found.

http://www.scmagazine.com/breach-index-encryption-used-in-4-percent-of-q2-incidents/article/363654/?DCMP=EMC-SCUS_Newswire&spMailingID=9131284&spUserID=MTI5MTQzMjcyODMxS0&spJobID=342528184&spReportId=MzQyNTI4MTg0S0


+ Cybersecurity’s Maginot Line: A Real-world Assessment of the Defense-in-Depth Model

Key findings include:

–  Nearly all (97 percent) organizations had been breached, meaning at least one attacker had bypassed all layers of their defense-in-depth architecture.

–  More than a fourth of all organizations experienced events known to be consistent with tools and tactics used by advanced persistent threat (APT) actors.

–  Three-fourths of organizations had active command-and-control communications, indicating that attackers had control of the breached systems and were possibly already receiving data from them.

https://www2.fireeye.com/OLA-14Q3LinkedInSURPTRealWorldAssessment.html


+ Navy SPAWAR gets new leader

RDML David Lewis took the helm from RADM Patrick Brady, who has commanded SPAWAR for the past four years and plans to retire.

http://www.c4isrnet.com/article/20140807/C4ISRNET14/308070001/Navy-SPAWAR-gets-new-leader


+  Inside the Military’s Secretive Smartphone Program

http://gizmodo.com/inside-the-militarys-secretive-smartphone-program-1603143142


+ Operation Arachnophobia – ThreatConnect – Threat Intelligence Platform

http://threatc.s3-website-us-east-1.amazonaws.com/?/arachnophobia


+ Council on CyberSecurity Critical Security Controls for Effective Cyber Defense

http://counciloncybersecurity.org/critical-controls/


+ Reasons not to buy Cyberinsurance ::  NOT!

We have a solid triad of processes (legal, broker, security methods)  to make this a MUST DO…  including a cyber actuarial table…  so if interested.. ask me..

http://m.privacyrisksadvisors.com/news/reasons-not-to-buy-purchasing-cyberinsurance/


+ Top 50 Network Administrator Interview Questions  (not ‘cyber’ per se… but a great IT refresher!)

http://resources.infosecinstitute.com/ramp-5-levels-top-50-network-administrator-interview-questions/


+++  THREATs  / bad news stuff / etc…


+ 10 Dramatic Moments In Black Hat History

From Google hacking to ATM “jackpotting” to the NSA — Black Hat has had some memorable moments over the years.

http://www.darkreading.com/vulnerabilities—threats/advanced-threats/10-dramatic-moments-in-black-hat-history/d/d-id/1297674?_mc=NL_DR_EDT_DR_weekly_20140731&cid=NL_DR_EDT_DR_weekly_20140731&elq=449a3dda89174623b1bae0a862d47774&elqCampaignId=6835


+  Hackers can control your phone using a tool that’s already built into it

A lot of concern about the NSA’s seemingly omnipresent surveillance over the last year has focused on the agency’s efforts to install back doors in software and hardware. Those efforts are greatly aided, however, if the agency can piggyback on embedded software already on a system that can be exploited. Two researchers have uncovered such built-in vulnerabilities in a large number of smartphones that would allow government spies and sophisticated hackers to install malicious code and take control of the device. The attacks would require proximity to the phones, using a rogue base station or femtocell, and a high level of skill to pull off. But it took Mathew Solnik and Marc Blanchou, two research consultants with Accuvant Labs, just a few months to discover the vulnerabilities and exploit them.

http://www.wired.com/2014/07/hackers-can-control-your-phone-using-a-tool-thats-already-built-into-it/


+ 600 retailers ensnared in major new malware attack, cybersecurity firm says

The number of businesses ensnared in a new malware attack revealed in a Department of Homeland Security report this week may run to six hundred, according to a cybersecurity firm that helped DHS prepare the report. Hackers are using point-of-sale (PoS) malware to steal consumer payment data, including credit and debit card information, from businesses that use remote desktop applications, according to the DHS report out Thursday. The department is now investigating the breaches. But cybersecurity company Trustwave says at least six hundred businesses across the country have had the malicious software, dubbed “Backoff,” installed on their networks since Oct. 2013, allowing hackers to steal data. The DHS declined to comment to TIME on the scope of the attack.

http://time.com/3070555/malware-backoff-dhs-hacking-retail/


+ FBI infected PCs on a large scale to persecute alleged criminals

A report disclosed by Wired suggests that the FBI is using malware to identify Tor users by infecting machines on a large scale. It’s not a mystery that usage of the Tor network represents a problem for investigators of law enforcement agencies and for government entities that need to track users on the popular anonymizing network. Last year the FBI dismantled the Tor hosting service Freedom Hosting in a large-scale investigation into child pornography. The FBI used malicious code that exploited a zero-day in Firefox 17, which allowed it to track Tor users.

http://securityaffairs.co/wordpress/27391/cyber-crime/fbi-infected-pcs-large-scale-persecute-alleged-criminals.html

 

 

+ Security contractor says hit by computer breach

A government contractor that handles hundreds of thousands of security clearance background checks for civilian and military workers says that some workers’ personal information was compromised after a recent computer breach.

http://www.navytimes.com/article/20140806/NEWS/308060069/Security-contractor-says-hit-by-computer-breach

 

 

+ When Good USB Devices Go Bad

Researchers offer more details about how USB devices can be leveraged in attacks.  Security researchers Karsten Nohl and Jakob Lell demonstrated here at Black Hat USA today what they called “BadUSB.” They reverse-engineered and patched the USB firmware in less than two months, and once reprogrammed, the USB can be transformed into a malicious vehicle to compromise a network.  The implications of the attack are significant. For example, a device could be made to emulate a keyboard and issue commands on behalf of the logged-in user to steal files or install malware. It could also boot a small virus prior to the operating system booting up, or be made to spoof a network card and change the computer’s DNS setting to redirect traffic.

http://www.darkreading.com/endpoint/when-good-usb-devices-go-bad/d/d-id/1297876?_mc=nl_&cid=NL_DR_Daily&itc=NL_DR_Daily&elq=e1cd590365ae4b96b622826206c56366&elqCampaignId=7084

+++   SD/SoCAL items of interest / opportunities

 

 

AUG

 

11 – IEEE – 6 – 8 PM –  Tijuana Business Opportunities  Speaker:  David Mayagoitia AICP

9353 Clairemont Mesa Boulevard at Ruffin Road. Giovanni’s Restaurant

 

11-14 – Gartner Catalyst  –  Harness the Power of IT Convergence

http://www.gartner.com/technology/summits/na/catalyst/

 

18 –  USENIX Summit on Gaming, Games and Gamification in Security Education (3GSE ’14)

https://www.usenix.org/conference/3gse14

 

19 – (ISC)2 San Diego chapter at 6PM. Topic is “Security Engineering” presented by Jim Acerra.

Location: Mitchell International Inc 6220 Greenwich Dr San Diego, CA 92131

 

21 – OWASP  6PM – Peleus Uhley from Adobe’s PSIRT Team

http://www.meetup.com/Open-Web-Application-Security-Project-San-Diego-OWASP-SD/events/158734302/

 

20-22 – 23rd USENIX Security Symposium

https://www.usenix.org/conference/usenixsecurity14  http://www.inf.ufpr.br/rtv06/iot/05940923.pdf

 

 

SEP

 

17-19  Sep – CSA congress 2014

CSA and the International Association of Privacy Professionals (IAPP) are combining their Congress US and Privacy Academy events

https://cloudsecurityalliance.org/media/news/csa-opens-registration-congress-2014/

 

 

25 Sep –   San Diego InfraGard Crisis Leadership Symposium

http://www.slideshare.net/slideshow/embed_code/36600356

 

 

+++  Future events FYI:

 

TBD  – Provided by IEEE Cyber SIG / Various Security groups – all day – – Privacy by design workshop – a cyber model & why you must be part of this initiative!  (at Coleman University –  AM Technical approach… PM public discussions)   +++  Help move SD forward in cyber –  DOING security vs admiring the problem…. SO engage and help out on cyber 4 PbD!!!

http://www.sciap.org/blog1/wp-content/uploads/Privacy-by-Design-cyber-security.pdf

 

1 OCT – SoeC – CyberFest 2014 – great all day agenda planned… improving on last year’s success!  October is cyber month after all!!!

http://events.r20.constantcontact.com/register/event;jsessionid=5C9580C3DEB4919096AC6BFFCE369008.worker_registrant?llr=mr9qlimab&oeidk=a07e9jfo4or9b1958b3

 

27 Oct –  tentative Combined cyber event … NDIA, AFCEA / IEEE and CCOE, others…

 

1 Nov – Started planning “BigDataDay 4 SD” on a SAT.  Jump in and help us!

WE went to the one in LA and it was great…   likely our three tracks will be:

–  Technical =  Hadoop/Hbase/NoSQL;

–  Data science = predictive analytics, etc

–  Applications = actual products, etc.. Privacy / data security. ..

AUGUST 1

+  UBI... car status reporting by cell phone.. User based insurance...   but great location based services info too… Tracking behavior with a phone versus dongle… (progressive insurance) Privacy by Design anyone… especially the mobile profile...  and IoT..

http://m.insurancetech.com/151717/show/f3e1bcbbad70f89496642e23ab198010/?

+   The Crazy Things A Savvy Shodan Searcher Can Find Exposed On The Internet …AND.. Locating ICS and SCADA Systems with SHODAN (okay OLD news to some, but this is very easy pickings.. have you checked your sensors, remote sites lately…;-(( http://www.tripwire.com/state-of-security/government/locating-scada-and-ics-systems-on-edu-networks-with-shodan/ http://www.forbes.com/sites/kashmirhill/2013/09/05/the-crazy-things-a-savvy-shodan-searcher-can-find-exposed-on-the-internet/

+  Former NSA Chief: Why I’m Worth $1 Million a Month to Wall Street Critics say Keith Alexander’s rapid move to the private sector is cause for concern…  Former NSA Director Keith Alexander says his services warrant a fee of up to a million dollars, due to a cyber-surveillance technique he and his partners at his new security firm IronNet Cybersecurity have developed, Foreign Policy reported on Tuesday. The claim follows reporting earlier this month that Alexander is slated to head a ‘cyber-war council’ backed by Wall Street…   Alexander claims that the new technology is different from anything the NSA has done as it uses “behavioral models” to predict hackers’ actions ahead of time. http://www.commondreams.org/news/2014/07/29/former-nsa-chief-why-im-worth-1-million-month-wall-street

+ For those interested in Navy / SPAWAR efforts….. see these slides from industry days… small business, CANES, GCCS-M and yes.. CYBER too (for more there, ask me for my paper on where the Navy needs cyber help…) http://www.public.navy.mil/spawar/Atlantic/Pages/ForIndustry.aspx

+++  Cyber Security News you can likely use…

+ Seniors And The Internet Of Things: Empowerment And Security   Great way to vector IoT capabilities into a sector that can buy stuff, needs it…;-)) I’d been really passionate with the reporter about the IoT’s potential to transform seniors’ lives through new products such as bedroom slippers with sensors that can detect minute variations in a senior’s gait and alert a caregiver by app in time to avoid a fall, or a gorgeous necklace that can detect the onset of congestive heart failure). However, the article just ended up as a general introduction to the IoT. Too bad. While I was doing the interview, it dawned on me that this might really be a wonderful niche in the Internet of Things.  We don’t have any time to lose: I’ve heard that a third of all doctors in the US will retire in the next decade, while they and about 10,000 others will turn 65 each day. There is simply no way that we can sustain this loss of medical professionals just when they are needed more than ever without fundamental change in the health care system! http://blogs.sap.com/innovation/industries/seniors-and-the-internet-of-things-empowerment-and-security-01249245?campaigncode=CRM-XM14-TH1-CAMOBNAD

+ Internet Of Things Contains Average Of 25 Vulnerabilities Per Device.. I’d say there is a cyber market here…;-)) Good perspectives... And more cyber work needed by us all.  See also the OWASP top ten project for IoT security. Seems IoT can use some privacy by design…;-)) http://www.darkreading.com/vulnerabilities—threats/internet-of-things-contains-average-of-25-vulnerabilities-per-device/d/d-id/1297623?_mc=NL_DR_EDT_DR_daily_20140730&cid=NL_DR_EDT_DR_daily_20140730&elq=95a989811fda4570b4f0c76a7803ceb4&elqCampaignId=6767

+ Top 3 visualizations of cyber security…  pretty cool pictures! Text alone is no longer a substantial enough medium in which to represent information, ideas and findings; many companies in the cyber security market are now turning their hard-coded information into remarkable pieces of artwork. (Can we say artwork? I think we can.) 1. Verizon’s 2014 Data Breach Investigations Report Identifies Nine Attack Patterns 2. Norse Dark Intelligence: live map of hacking 3. Information is Beautiful http://www.itgovernanceusa.com/blog/top-3-visualizations-of-cyber-security/?utm_source=social&utm_medium=stumbleupon

+ Researchers develop ‘BlackForest’ to collect, correlate threat intelligence Whether it’s on the ground or in cyberspace, knowing that an army is going to attack you ahead of time is a nice advantage to have. That idea is the linchpin of BlackForest, a new cyber intelligence collection system developed by experts at the Georgia Tech Research Institute (GTRI). The system is meant to complement other GTRI systems that are designed to help companies and other organizations deal with sophisticated attacks. The system works by collecting information from a variety of sources on the public Internet, such as hacker forums and other sites where malware authors and others congregate. The system then connects the information and relates it to past activities to help organizations figure out if and how they are being targeted. http://www.darkreading.com/researchers-develop-blackforest-to-collect-correlate-threat-intelligence–/d/d-id/1297570?_mc=RSS_DR_EDT

+ DARPA takes next step on protecting military wireless networks The military services’ efforts in developing wireless tactical networks have focused mostly on reliability, efficiency and interoperability. Researchers now are working on bringing security into the mix. The Defense Advanced Research Projects Agency has issued a solicitation for Phases 2 and 3 of its Wireless Network Defense program, which seeks to secure networks by gaining better control over them. The program’s goal is to protect the protocols at the network and medium access control layers of the network stack, specifically the protocols that coordinate the management of resources such as spectrum, time, power and information delivery among the mobile devices in use, DARPA said. http://defensesystems.com/articles/2014/07/28/darpa-wireless-network-defense.aspx

+ Hackers raided Israeli contractors that built Iron Dome missile shield (this threat is upfront, as it shows how OUR IP is stolen from our allies.. too… does your security approach account for that?;-(( Three Israel-based defense firms that architected the “Iron Dome” anti-missile system, which is currently protecting Israel from rocket strikes, were robbed of huge quantities of sensitive files related to the shield technology, KrebsOnSecurity reports. The hackers, suspected to be based in China, also copied pages of details on U.S. missile technologies. U.S. threat intelligence firm Cyber Engineering Services Inc. claims the attackers infiltrated the networks of Elisra Group, Israel Aerospace Industries, and Rafael Advanced Defense Systems between 2011 and 2012. Among the information taken is a 900-page document that provides schematics and specifications for the Arrow 3 missile. http://www.nextgov.com/cybersecurity/2014/07/hackers-raided-israeli-contractors-built-iron-dome-missile-shield/89879/?oref=ng-HPriver http://krebsonsecurity.com/2014/07/hackers-plundered-israeli-defense-firms-that-built-iron-dome-missile-defense-system/

+ Air Force seeks moving-target cyber defense The Air Force is hunting for Moving Target Defenses (MTD) for its networks. The $9.9 million Command and Control of Proactive Defense (C2PD) solicitation, by the Air Force Research Laboratory’s Information Directorate, describes Moving Target Defenses as “cyber agility techniques” that “offer a capability to assure the network and Air Force missions.” Adding mobility and computing resources gives U.S. forces more capabilities over attackers and allows the outmaneuvering of attacks on cyber infrastructure. However, without a command and control structure to coordinate those resources, the risk of “cyber fratricide” is higher, according to the solicitation. http://www.c4isrnet.com/article/20140728/C4ISRNET/307280003/Air-Force-seeks-moving-target-cyber-defense

+  Cyber Attacks Happen: Build Resilient Systems – with hygiene!!! You can’t stop all attacks or build the perfect defense system. The higher-level objective is resilience. http://www.informationweek.com/government/cybersecurity/cyber-attacks-happen-build-resilient-systems/d/d-id/1297496?_mc=NL_IWK_EDT_IWK_govt_20140731&cid=NL_IWK_EDT_IWK_govt_20140731&elq=9cbecfc436ba4685a914c1e1f57d70e4&elqCampaignId=6792

+ Federal IT Networks: Simpler Is Better – YA THINK….Complexity is our enemy!!! A survey of government IT executives found that network complexity slows IT performance and hinders deployment of new technologies and services. http://www.informationweek.com/government/enterprise-architecture/federal-it-networks-simpler-is-better/d/d-id/1297484?_mc=NL_IWK_EDT_IWK_govt_20140731&cid=NL_IWK_EDT_IWK_govt_20140731&elq=9cbecfc436ba4685a914c1e1f57d70e4&elqCampaignId=6792

+  Putin Sets $110,000 Bounty for Cracking Tor as Anonymous Internet Usage in Russia Surges – (I think the NSA has already done this…;-(( http://finance.yahoo.com/news/putin-sets-110-000-bounty-153730200.html

+  Bubblemania: Will We Party Like It’s 1999? Feverish tech activity is exciting and in many ways similar to 15 years ago. We aren’t at dot-bomb levels of hysteria, but there’s one big problem that may threaten growth.  Venture capital funding is at its highest level since 1999. Tech IPOs, mergers, and acquisitions are on the rise. Bidding wars are breaking out for top talent. Could we be floating into another tech bubble?   No — or, at least, not yet. I don’t see the frenzied pace of funding, startups, and public offerings evident during the infamous dot-com bubble. But things are getting frothier, and one area does worry me. http://www.informationweek.com/strategic-cio/team-building-and-staffing/bubblemania-will-we-party-like-its-1999/a/d-id/1297476?_mc=NL_IWK_EDT_cio_IWK_20140728&cid=NL_IWK_EDT_cio_IWK_20140728&elq=5e0ece77501e4628aeceab1bffccf00a&elqCampaignId=6678

+ Where The IT Jobs Aren’t: Tech IT jobs in the tech sector will stall while non-tech industries will drive IT job growth, impacting job geography and skills, says new report…. IT job creation within the technology sector will stall or decline through 2018, with non-tech industries such as manufacturing, automotive, healthcare, and retail driving IT job growth instead, according to a new report from advisory company CEB.   This shift will create increased competition for IT talent and a new IT job skillset, and will force organizations to think beyond traditional talent pools and candidate profiles to attract and retain the best employees. The IT sector employs only about one-third of the total IT workforce, while non-IT industries employ the remaining two-thirds of private sector IT workers, according to the report, which analyzed more than 900 cities and 1,000 skills. http://www.informationweek.com/strategic-cio/team-building-and-staffing/where-the-it-jobs-arent-tech/d/d-id/1297531?_mc=NL_IWK_EDT_cio_IWK_20140728&cid=NL_IWK_EDT_cio_IWK_20140728&elq=5e0ece77501e4628aeceab1bffccf00a&elqCampaignId=6678

+ DHS-Funded ‘SWAMP’ Helps Scour Code For Bugs Cloud-based platform offering free secure coding tools for developers in government, enterprises, academia, gaining commercial attention as well.  A US Department of Homeland Security-funded online portal that provides government agencies, enterprises, higher education, and independent developers a free platform for testing their code for security holes and vulnerabilities has quietly begun attracting commercial application security providers. The so-called SWAMP (Software Assurance Marketplace) portal was developed under a $23.5 million DHS Science & Technology Directorate project aimed at helping developers more easily test their code for bugs. http://www.darkreading.com/application-security/dhs-funded-swamp-helps-scour-code-for-bugs/d/d-id/1297619?_mc=NL_DR_EDT_DR_daily_20140730&cid=NL_DR_EDT_DR_daily_20140730&elq=95a989811fda4570b4f0c76a7803ceb4&elqCampaignId=6767

+  House passes three cyber bills The measures, all passed easily, deal with information sharing, technology procurement and the DHS workforce. The House of Representatives passed three bills on July 28 designed to protect U.S. critical infrastructure against hacking by boosting information sharing, advancing cyber technologies and improving the Department of Homeland Security’s cybersecurity workforce. One measure, by House Homeland Security Committee Chairman Michael McCaul (R-Texas), would codify and enhance DHS’s National Cybersecurity and Communications Integration Center as the hub for information sharing on threats across infrastructure sectors, according to a committee summary. http://fcw.com/articles/2014/07/29/house-passes-cyber-bills.aspx?s=fcwdaily_300714

+ House approves stronger cyber protections for critical infrastructure Two bills to strengthen cybersecurity in the systems that underlie the nation’s energy, water, and food supplies passed in the House on Monday evening, along with a measure to improve the federal government’s cyber workforce. A bill (H.R. 3696) introduced by Rep. Michael McCaul, R-Texas, seeks to strengthen the Department of Homeland Security’s ability to protect 16 critical sectors – including defense, health, energy, and food – by establishing partnerships with the private sector and enhancing programs already in place. The legislation would formalize the role of the National Cybersecurity and Communications Integration Center, which was established in 2009 to help critical-infrastructure sectors share cyber-threat information in real time. http://www.nextgov.com/cybersecurity/2014/07/house-passes-bills-protect-critical-infrastructure-cyberattacks/89918/?oref=ng-channeltopstory

+ House Approves Stronger Cyber Protections for Critical infrastructure Separate bill to bolster DHS’ cyber workforce also passes http://www.nextgov.com/cybersecurity/2014/07/house-passes-bills-protect-critical-infrastructure-cyberattacks/89918/?oref=river

+++  FYI / FYSA  Items of interest…

+ Infographic: Is Your Company in the Cyber War Crosshairs? Financial services firms and energy companies – two industries highly targeted by cybercriminals – must move quickly to address their cybersecurity deficiencies and shore up their defenses against advanced malware threats. This infographic summarizes the findings of ThreatTrack Security research into what IT security professionals within these critical economic sectors have to say about their cybersecurity readiness, revealing: • 44% of energy firms and 31% of financial services companies say it is a “certainty” or “highly likely” they will be the target of sophisticated cybercrime; • Energy firms are most concerned about hacktivists, while financial services organizations worry about organized cybercrime syndicates; • Energy companies say email is their top threat vector, while the financial industry struggles with web-based threats; • Both sectors plan to bolster their cybersecurity this year by training IT staff on new cyber defenses, investing in advanced malware detection tools and hiring new cybersecurity talent. http://f6ce14d4647f05e937f4-4d6abce208e5e17c2085b466b98c2083.r3.cf1.rackcdn.com/infographic-your-company-in-cyber-war-crosshairs-pdf-5-w-1028.pdf

+    The Information Security Hierarchy of Needs “I get many organizations asking me about what is the best solution for threat intelligence. However, when I ask them about whether they have hardened systems and how often they scan for vulnerabilities, it’s clear to me that they’re not ready for the advanced solutions.”  If we were to assess the most important elements of security, what would be some of the most critical capabilities? I have talked to many security professionals that are implementing the 20 Critical Security Controls from the Council on Cyber Security (formerly known as SANS Top 20) as a framework for their internal security policies. Here are the 20 controls, prioritized in order of severity http://www.tripwire.com/state-of-security/security-data-protection/security-controls/the-information-security-hierarchy-of-needs/ NOTE – we developed a week long “security operator / practitioner” course based on the Security_ cert, within a cyber hierarchy of needs that is more pragmatic.   Agree that the 20 controls are worthy of having in any cyber hierarchy of needs; so are the NSA top 10 and Australia MoD’s top 35 mitigations (where the first four alone cut incidents by 80%!)… AND  don’t forget the NIST “absolutely necessary” (and highly recommended) protections .. So that’s how we structured our security needs triangle – start with what matters most… and that means resilience, the foundational items and doing the security basics well – After all, lack of effective hygiene causes 90% of all security incidents, so do that up front. http://www.sciap.org/blog1/wp-content/uploads/Cyber_Education-map-11Apr.pdf

+ Tech seeks life after death for accounts Members of the tech industry and estate lawyers are pushing Congress to tweak an email privacy law to ensure that digital accounts don’t die when their users do.  With pressure building on Congress to update the 1986 Electronic Communications Privacy Communications Act (ECPA), some are asking lawmakers to explicitly allow people to control who can access their online accounts after they die or become incapacitated. If an author has a novel stored in his Gmail drafts, for example, the person carrying out his will should be able to get that draft to a publisher, some estate lawyers say. http://thehill.com/policy/technology/213194-tech-firms-seek-life-after-death-for-online-accounts

+ Cloud Services Can Impede Forensic Investigations As governments have moved to cloud services, they have saved money and improved efficiency, but the technology holds some challenges to forensic investigations. A draft report from the National Institute of Standards and Technology (NIST) describes 65 “challenges” forensic investigators encounter when dealing with cloud computing. The report classifies the challenges into nine categories, including data collection, analysis, and architecture. One example of a challenge is email. On non-cloud systems, deleted email messages can often be recovered because they are not truly deleted until they are over-written. Because of the shared nature of the cloud, deleted files are more likely to be overwritten. http://www.nextgov.com/cloud-computing/2014/07/cloud-computing-complicates-digital-forensics-investigations/89579/ http://csrc.nist.gov/publications/drafts/nistir-8006/draft_nistir_8006.pdf

+ Data at the Edge Great big data overview…   10 different perspectives http://newsroom.vxchnge.com/story/monthly-video/june-video-roundup/

+  BigData-Startups | Sears Became a Real-Time Digital Enterprise Due to Big Data http://www.bigdata-startups.com/BigData-startup/sears-real-time-digital-enterprise-big-data/

+ New Mobile Phone ’0wnage’ Threat Discovered Widespread major vulnerabilities discovered in client control software that affect nearly all smartphone platforms: Details to come at Black Hat USA next week. Rogue cellular towers and phony base stations long have been a tradition of researchers at Black Hat and DEF CON, who test and demonstrate how they can intercept or manipulate cellphones, but a team of researchers has found a deeper problem of major security vulnerabilities in the client control software running on the majority of mobile phones around the world. http://www.darkreading.com/mobile/new-mobile-phone-0wnage-threat-discovered/d/d-id/1297686?_mc=NL_DR_EDT_DR_daily_20140731&cid=NL_DR_EDT_DR_daily_20140731&elq=d6bc5421fb7b46cb9f4c87bdf0875f45&elqCampaignId=6821

+  Phishing: What Once Was Old Is New Again I used to think the heyday of phishing had passed. But as Symantec notes in its 2014 Internet Security Threat Report, I was wrong! Symantec just recently released its Internet Security Threat Report for 2014. It’s a review of 2013’s threats, a comparison with earlier years, and a look into the crystal ball for the current year with a nod to the direction of trends beyond that. http://www.darkreading.com/operations/phishing-what-once-was-old-is-new-again-/a/d-id/1297634?_mc=NL_DR_EDT_DR_daily_20140731&cid=NL_DR_EDT_DR_daily_20140731&elq=d6bc5421fb7b46cb9f4c87bdf0875f45&elqCampaignId=6821 Symantec 2014 Internet Security Threat Report http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf and more http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_appendices_v19_221284438.en-us.pdf

+   Why Drone Benefits Outweigh Privacy Issues  (really, what about one crash into a jetliner???) “Imagine if the government imposed harsh regulations that effectively prohibited the use of all cameras and recording devices on the theory that they might be used to violate individual privacy,” writes Covington & Burling’s Jeff Kosseff, CIPP/US. With recent news that President Barack Obama plans to issue an executive order calling for the development of a commercial code of conduct for drone use and a subsequent letter from two Congressmen calling for stronger privacy protections, Kosseff, in this post for Privacy Perspectives, argues the benefits—particularly for news-gathering—far outweigh potential privacy violations and points out “past experience has shown that reactionary privacy laws that focus on a specific technology do not stand the test of time.” https://privacyassociation.org/news/a/the-case-for-not-overregulating-drones/

+ NIST’s Smart Grid Federal Advisory Committee Meets, Releases Report on Three Key Emerging Issues  (looking to support POWER / CIP – check out the report’s cyber  “needs”) The role of NIST’s Smart Grid Advisory Committee is to provide input to NIST on smart grid standards, priorities, and gaps—and on the overall direction, status, and health of the smart grid implementation by the smart grid industry—including identification of issues and needs.   The committee is chaired by David Owens (Executive Vice President, Business Operations, Edison Electric Institute), and Evan Gaddis (President and Chief Executive Officer, National Electrical Manufacturers Association) serves as vice chair. The committee meets approximately two times a year, and the most recent meeting was held at NIST-Gaithersburg on June 3-4, 2014. A major focus of the June meeting was to provide strategic input to NIST on three key emerging issues that will drive significant change over the next five to ten years: transactive energy, resilience, and distributed energy resources.   A report, based on the committee’s discussions at that meeting is available online. http://www.nist.gov/smartgrid/upload/SGAC-Discussion-Report.pdf

+ 3 Components of a Digital Insurance Business Plan The most successful business cases start with the key metrics enabling managers to quantify the impact of seemingly different benefits.  Customer Centricity. Big Data. Digital. It is not possible to spend time with insurance marketers and avoid these three terms. They are embraced by both our revolutionaries and our establishment. They are accepted truths; part of the “good fight.” We all think we are leveraging “big data” to get closer to customers, using digital as the ultimate channel to act on the insights it makes possible. http://www.insurancetech.com/management-strategies/3-components-of-a-digital-insurance-busi/240168768?cid=NL_IST_EDT_IST_daily_20140729&_mc=NL_IST_EDT_IST_daily_20140729&elq=554a1bd061054e53b4e6986562e95e93&elqCampaignId=6732

+ 15 Steps to Maximize your Financial Data Protection – Several great tips in how you do banking on-line! We use computers to pay bills, shop online, chat and even keep in touch with friends on social media platforms. You might not realize it, but this makes us vulnerable. Because we willingly broadcast over the Internet valuable details, such as our credit card information or bank account credentials – information usually needed by cyber criminals – we can never be too careful when securing our financial transactions or personal information. A report from the Center for Strategic and International Studies, indicates that financial theft is the second largest source of direct loss from cybercrime. The report, Net Losses – Estimating the Global Cost of Cybercrime, shows the annual cost to national economies and private sector is between 375 and 575 billion dollars. https://heimdalsecurity.com/blog/online-financial-security-guide/

+ DARPA chief: Military’s focus on big systems ‘is now killing us’ Prabhakar says the Pentagon has to shed its expensive, slow-moving approach to technology and new weapons. http://defensesystems.com/articles/2014/07/29/darpa-mto-tackles-cost-complexity-of-systems.aspx

+++  THREATs  / bad news stuff / etc…

+ CIA admits improperly hacking Senate computers in search of Bush-era information http://m.washingtontimes.com/news/2014/jul/31/cia-admits-improperly-hacking-senate-computers-sea/

+  Mobile devices, apps open for attacks Currently, there are more than 100,000 health-related apps just available via smartphones. As consumers use more and more mobile health apps to store certain medical data, they’re still, for the most part, unaware that security is lacking. Many of these devices, for instance, are transmitting the unencrypted data over the consumer’s network. “Users are one network misconfiguration away from exposing this data to the world via wireless networks,” HP officials wrote in the study.  And in the healthcare space — or anywhere, really — that’s bad news. http://www.healthcareitnews.com/news/mobile-devices-apps-open-attacks?topic=16,18&mkt_tok=3RkMMJWWfF9wsRonuqrJZKXonjHpfsX%2B7u4tWLHr08Yy0EZ5VunJEUWy2YIITNQ%2FcOedCQkZHblFnVUKSK2vULcNqKwP

+ DDOS attacks are leveraging the cloud The latest quarterly report on distributed denial of service attacks by Prolexic finds that this year’s DDOS attacks are packing more of a punch. The attacks during Q2 2014 were shorter but used more bandwidth and delivered more packets than during the same period last year. This is due, at least in part, to the cloud. In addition to using reflection and amplification techniques, attackers also exploited vulnerable servers, more powerful than PCs, the report concludes. “When building server-side botnets, attackers have been targeting platform-as-a-service and software-as-a-service vendors with server instances running software with known vulnerabilities,” the authors wrote. http://gcn.com/articles/2014/07/28/ddos-cloud.aspx?admgarea=TC_SecCybersSec

+ Apple iOS Diagnostics Tool Could be Exploited to Access Personal Data Diagnostic services built into Apple’s iOS mobile operating system could be used to access personal data in iPhones. The services, which Apple says are designed for engineers, are not documented. Apple says that the feature was not designed to let the NSA access data in the devices. http://in.reuters.com/article/2014/07/26/apple-security-spying-idINKBN0FV01Q20140726

+  How thieves can hack and disable your home alarm system When it comes to the security of the Internet of Things, a lot of the attention has focused on the dangers of the connected toaster, fridge and thermostat. But a more insidious security threat lies with devices that aren’t even on the internet: wireless home alarms. Two researchers say that top-selling home alarm setups can be easily subverted to either suppress the alarms or create multiple false alarms that would render them unreliable. False alarms could be set off using a simple tool from up to 250 yards away, though disabling the alarm would require closer proximity of about 10 feet from the home. http://www.wired.com/2014/07/hacking-home-alarms/

+ Agencies still plugging gaps in smart card security The Department of Health and Human Services was too lax in issuing smart ID cards to new employees and failed to deactivate them in a timely manner when workers left the agency, according to a new audit from the department’s inspector general office. Personal identity verification, or PIV, smart cards allow agency employees and contractors to access both federal facilities and agency networks and are a key part of the 2004 Homeland Security Presidential Directive-12, which required a common ID credential for federal personnel. Agencies have now taken most of the big steps toward HSPD-12 implementation, but the latest audit reveals some are still vexed by plugging all the gaps in the process, according to security experts. http://www.nextgov.com/cio-briefing/2014/07/agencies-still-plugging-gaps-smart-card-security/89696/

+ Hackers breached NOAA satellite data from contractor’s PC

National Oceanic and Atmospheric Administration satellite data was stolen from a contractor’s personal computer last year, but the agency could not investigate the incident because the employee refused to turn over the PC, according to a new inspector general report. This is but one of the “significant security deficiencies” that pose a threat to NOAA’s critical missions, the report says. Other weaknesses include unauthorized smartphone use on key systems and thousands of software vulnerabilities.

http://www.nextgov.com/cybersecurity/2014/07/hacker-breached-noaa-satellite-data-contractors-pc/89771/?oref=ng-HPtopstory

+ Evil twin Google fakebots slip under the radar

Over 4% of Googlebots are not Mountain View crawlers but malicious imposters masquerading as Google software to commit DDoS attacks, scraping, spamming and other malicious activity, according to Incapsula. The security firm analyzed 400 million search engine visits to 10,000 sites, resulting in over 2.19 billion page crawls over a 30-day period, to compile its findings. This amounted to 50 million “Googlebot imposter” visits. “The actual ‘type’ of these impostors may vary, but all of them should be deemed suspicious by default, due to their attempt to assume a false identity,” product evangelist Igal Zeifman said in a blog post.

http://www.infosecurity-magazine.com/view/39497/evil-twin-google-fakebots-slip-under-the-radar/
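Treating every self-declared Googlebot as suspect means checking the claim rather than the User-Agent string, which any scraper can set. The following is an added example (not code from Incapsula or the article) that runs Google’s documented verification over a few constructed web-server log lines: reverse-resolve the client IP, require the hostname to sit under googlebot.com or google.com, then forward-resolve that hostname and require it to map back to the same IP. The log lines and the DNS answers are constructed for the example; the resolver is injected so it runs offline, and you would pass socket.gethostbyaddr / socket.gethostbyname wrappers in production. The third sample line shows why the forward step matters: an operator can publish any PTR record for their own address space, but cannot make Google’s zone answer for it.

```python
"""Detect Googlebot impostors in web server logs.

A request that merely carries a Googlebot User-Agent proves nothing: the
header is attacker-controlled. This follows the method Google documents for
verifying Googlebot: reverse-resolve the client IP, require the hostname to
be under googlebot.com or google.com, then forward-resolve that hostname and
require it to map back to the same IP. The forward step defeats an operator
who sets a fake PTR record on their own address space.

DNS lookups are injected callables so the example runs offline against a
constructed table; pass socket.gethostbyaddr / socket.gethostbyname wrappers
for live use.
"""
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample log lines in combined log format (not real traffic).
SAMPLE_LOG = """\
66.249.66.1 - - [27/Jul/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.7 - - [27/Jul/2014:10:00:02 +0000] "GET /prices.html HTTP/1.1" 200 8841 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.9 - - [27/Jul/2014:10:00:03 +0000] "GET /login HTTP/1.1" 200 412 "-" "Googlebot-Image/1.0"
192.0.2.44 - - [27/Jul/2014:10:00:04 +0000] "GET /about HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/31.0"
"""

# Constructed DNS answers standing in for the real resolver (assumption).
# 198.51.100.9 has a PTR record that *claims* a googlebot.com hostname, but the
# forward lookup of that hostname points elsewhere, so verification must fail.
FAKE_PTR: Dict[str, str] = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",
    "198.51.100.9": "crawl-66-249-66-1.googlebot.com",
}
FAKE_A: Dict[str, str] = {
    "crawl-66-249-66-1.googlebot.com": "66.249.66.1",
}


def fake_ptr_lookup(ip: str) -> str:
    """Offline stand-in for socket.gethostbyaddr(ip)[0]."""
    if ip not in FAKE_PTR:
        raise OSError(f"no PTR record for {ip}")
    return FAKE_PTR[ip]


def fake_a_lookup(host: str) -> str:
    """Offline stand-in for socket.gethostbyname(host)."""
    if host not in FAKE_A:
        raise OSError(f"no A record for {host}")
    return FAKE_A[host]


LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")
Resolver = Callable[[str], str]


def claims_googlebot(user_agent: str) -> bool:
    """True if the (untrusted) User-Agent string claims to be Googlebot."""
    return "googlebot" in user_agent.lower()


def verify_googlebot(ip: str, ptr_lookup: Resolver, a_lookup: Resolver) -> bool:
    """Reverse DNS to a Google hostname AND forward DNS back to the same IP."""
    try:
        host = ptr_lookup(ip).rstrip(".").lower()
    except OSError:
        return False
    if not host.endswith(GOOGLE_SUFFIXES):
        return False
    try:
        return a_lookup(host) == ip
    except OSError:
        return False


def classify_log(log_text: str, ptr_lookup: Resolver, a_lookup: Resolver) -> List[Tuple[str, str]]:
    """Label each parseable line: verified-googlebot, IMPOSTOR, or not-a-googlebot-claim."""
    results: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that don't parse rather than guess
        ip, ua = m.group("ip"), m.group("ua")
        if not claims_googlebot(ua):
            results.append((ip, "not-a-googlebot-claim"))
        elif verify_googlebot(ip, ptr_lookup, a_lookup):
            results.append((ip, "verified-googlebot"))
        else:
            results.append((ip, "IMPOSTOR"))
    return results


if __name__ == "__main__":
    for ip, verdict in classify_log(SAMPLE_LOG, fake_ptr_lookup, fake_a_lookup):
        print(f"{ip:<15} {verdict}")
```

Run as-is it flags 203.0.113.7 (no reverse record at all) and 198.51.100.9 (spoofed PTR, forward lookup disagrees) as impostors and passes only 66.249.66.1. In production, cache verdicts per IP, since live reverse lookups on every hit are slow, and treat a hostname match without the forward confirmation as no verification at all.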

+++ SD/SoCAL items of interest / opportunities

AUG

7 – IT Workforce and Human Capital Training Seminar (8 AM – 2 PM). The ACT-IAC Pacific Chapter is hosting a training seminar on IT Workforce and Human Capital issues and solutions. The training seminar will include Government and Industry subject matter experts presenting research material and leading collaborative discussion. This seminar will address the components of a successful IT organization in terms of attracting and retaining talent as an integral facet of human capital planning. It will bring a sharper focus to the salient factors that contribute to a highly effective workforce in both the brick-and-mortar workplace and the virtual workspace.
https://actiac.org/groups/event/act-iac-pacific-it-workforce-and-human-capital-seminar-8714

11-14 – Gartner Catalyst – Harness the Power of IT Convergence
http://www.gartner.com/technology/summits/na/catalyst/

18 – USENIX Summit on Gaming, Games and Gamification in Security Education (3GSE ’14)
https://www.usenix.org/conference/3gse14

20-22 – 23rd USENIX Security Symposium
https://www.usenix.org/conference/usenixsecurity14

21 – OWASP SD, 6 PM – Peleus Uhley from Adobe’s PSIRT team
http://www.meetup.com/Open-Web-Application-Security-Project-San-Diego-OWASP-SD/events/158734302/

http://www.inf.ufpr.br/rtv06/iot/05940923.pdf

+++ Future events FYI:

TBD – Privacy by Design workshop: a cyber model, and why you must be part of this initiative! Provided by IEEE Cyber SIG / various security groups; all day at Coleman University (AM: technical approach; PM: public discussions).

+++ Help move SD forward in cyber – DOING security vs. admiring the problem.... SO engage and help out on cyber 4 PbD!!!
http://www.sciap.org/blog1/wp-content/uploads/Privacy-by-Design-cyber-security.pdf

17-19 Sep – CSA Congress 2014. CSA and the International Association of Privacy Professionals (IAPP) are combining their Congress US and Privacy Academy events.
https://cloudsecurityalliance.org/media/news/csa-opens-registration-congress-2014/

25 Sep – San Diego InfraGard Crisis Leadership Symposium
http://www.slideshare.net/slideshow/embed_code/36600356

1 Oct – SoeC CyberFest 2014 – great all-day agenda planned, improving on last year’s success! October is cyber month after all!!!

1 Nov – Started planning “BigDataDay 4 SD” on a Saturday. Jump in and help us! We went to the one in LA and it was great; the organizer will help us do that here. Likely our three tracks will be:
– Technical = Hadoop/HBase/NoSQL
– Data science = predictive analytics, etc.
– Applications = actual products, etc.; privacy / data security
