Welcome to Cyber News Tidbits 4U!

Here are updated news compilations from the Cyber Security Community

Topic headers (+++):

1 – Security news you can likely use (re: management / opportunity items)

2 – Other items of general FYI / FYSA level interest

3 – Threats / bad news stuff / etc.. 


4 – SD/SoCAL items of interest / opportunities   (send me your SD meetings!) 


A couple of Highlights of the week (A couple of items of potentially notable interest / high utility &  value… your mileage will vary….)

Sept 22

+  DOD updates DISA’s role as the department’s cloud broker

The Pentagon is refining the Defense Information Systems Agency’s role as the Defense Department’s cloud broker, while outlining how DOD agencies can acquire commercial cloud services. But DISA will continue to play a central role in DOD’s move to the cloud, evaluating and approving the security of commercial services and offering the department’s private milCloud. A recent draft memo from DOD Acting CIO Terry Halvorsen cancelled the 2012 memo that established DISA as the department’s cloud broker. But even after declaring that 2012 memo (and an updated guidance from December 2013) cancelled…



+ Class action cyber security suits gaining

Of course…   third-party data breach liabilities are HUGE..   Folks had better show cyber due diligence

And Have cyber insurance..



+ Industrial Internet of Things Offers Significant Opportunity for Growth of Digital Services

YES….   and they all need to have the data protected ..  And privacy too. …;-))



+ Uncle Sam’s List goes public

The formerly feds-only project is a one-stop shop for agencies to find and buy shared services.  An online platform for federal agencies seeking to buy services through other agencies opened to commercial providers.



+ Global competitiveness in 11 graphics



+ Cybersecurity Industry Report – $5.2 Billion Invested Across 807 Deals Over the Past Five Years






+++  Cyber Security News you can likely use  +++



+ What defense contractors should know about the Pentagon’s new program

Better buying Power 3.0…



+ Home Depot Breach Affected 56 Million Cards  (YES, all over the news – largest ever…)

Home Depot acknowledged that the breach of its point-of-sale systems affected an estimated 56 million payment cards. In a press release, the company said that the attackers used “unique, custom-built malware.”

Additional information about the data breach at Home Depot suggests that it affects mainly cards used in self checkout lanes.

[Note: The lesson learned in these recent PoS attacks is: why in the world aren’t you using whitelisting on the PCs attached to payment devices? There is absolutely no business need to allow arbitrary software to run on tills/registers. One area where the PCI regime could improve this: reduce the DSS emphasis on antivirus software everywhere and focus more on whitelisting/application control on any computing device in the PoS chain.

Home Depot should look to the example of the UPS Store to learn how to report a breach.  All merchants need to implement strong authentication on any remote access and lock down all register systems.  Online merchants need to resist fraudulent use of credit card numbers (e.g., Verified by Visa, MasterCard SecureCode, PayPal, Apple Pay).  The issuers must accelerate the issuance of EMV cards until a safer method comes along.  The brands should give at least the same encouragement to contactless card readers as to EMV. …]



+ SMBs are becoming the new target for cyber-criminals

Although small businesses were unlikely targets of cyber-criminals in the past, this trend seems to be changing at an accelerated pace in recent years. The 2013 Symantec Threat Report highlights new currents moving across the oceans of the internet. The report specifically highlights the rise of small business attacks, even claiming that they “are the path of least resistance for attackers.” Fifty percent of all attacks targeted companies with fewer than 2,500 employees, and consider this: of that 50 percent, businesses with under 250 employees comprised a stunning 62 percent, a 300 percent increase from the previous year!



+ Widespread Android vulnerability ‘a privacy disaster,’ claim researchers

Right at the start of September, security researcher Rafay Baloch quietly released details on an Android bug that has now been called a “privacy disaster”. That apparently hyperbolic statement doesn’t look too far wide of the mark, given anyone not running the latest release, Android 4.4, is affected. That means as many as 75 per cent of Android devices and millions of users could be open to attack, according to Google’s own stats, though not all are likely to be using the affected Android Open Source Platform (AOSP) Browser. The nature of the bug has worried onlookers too. The flaw could allow a bypass of the Same Origin Policy (SOP) protection used by most modern browsers. Crucially, the SOP protection stops malicious code from spilling over from one site to others open on separate tabs.



+ Cloud computing threat intelligence platforms? The next big thing?

With FireEye Inc.’s announcement of a new threat analytics platform for Amazon Web Services, threat intelligence for the cloud is now becoming a reality. But will cloud-based threat analytics systems displace traditional security information and event management products and threat analytics systems in the near future? Announced last week, FireEye’s threat analytics platform (TAP) for Amazon Web Services (AWS) is the first of its kind because, according to Milpitas, Calif.-based FireEye, the product was built natively on Amazon’s cloud and it combines FireEye’s threat intelligence with event monitoring and analytics across AWS as well as a client’s on-premise IT environment.



+ DOD Deputy CIO: ‘Cybersecurity should vary by mission’  (WHAT???  Cyber is 95+% the SAME for all!!!)

No “one size fits all” at the Pentagon. The different levels of mission risk at the Defense Department have posed a major challenge to building out DOD’s cybersecurity posture. Now, according to Deputy CIO Richard Hale, the department is working to make distinctions on the varying levels of risk by mission in order to make better decisions. “Cybersecurity should vary by mission,” Hale said in his keynote at the MeriTalk Cloud Computing Brainstorm event in Washington, D.C., on Sept. 10. “I shouldn’t spend as much money on morale and welfare website as I do on nuclear command control, it doesn’t make any sense.”



+ Feds hesitate moving IT services to the cloud

Government agencies know the benefits of cloud computing and want to double its use. But when it comes to migrating applications to the cloud, the majority of feds — 89% — are hesitant to lose control of their IT services, according to a new MeriTalk report. For “Cloud Control: Moving to the Comfort Zone,” MeriTalk surveyed 153 government IT executives closely involved in their agencies’ cloud deployments, and found that only 44% of agencies have “mature” data governance practices in the cloud. When asked how they feel about transitioning IT service to the cloud, 43% of feds compared it to giving their son the keys to a new convertible. This explains why agencies manage 71% of data themselves, whereas cloud vendors manage just 29%.



+ Senate Investigation Reveals China Broke Into Key Pentagon Networks

Chinese government operatives infiltrated computer systems at US airlines and military contractors more than 20 times over the course of a year, according to a recently declassified US Senate investigation report. In one instance, malware was uploaded to an airline’s computers.

[Note: I read through the entire report, and while much was redacted, I could not find a single mention of *why* the attacks succeeded, or what vulnerabilities were exploited. Instead the focus is “the attacks came from China and no one told the government”.  I’ll bet that over 80% of the breaches were due to simple, known vulnerabilities – which is what the Verizon Data Breach Investigation Report finds every year.  Close the hole and it doesn’t matter who the attacker is; they either don’t get in or they get much noisier in their attempts…]



+ USAF IT Strategy to Require Baked-In Cyber Security

Air Force Brig. Gen. Sarah Zabel says that USAF’s revamped information technology strategy, aimed at protecting its equipment from cyber attacks, will require cyber security in every program from the start.

[Note: This is good to hear – “building security in” is always good to hear. But the key is “building in,” not “adding on earlier.” Requiring all software vendors to provide evidence of secure development lifecycles, having acceptance criteria for all software include evidence of clean application security testing runs, designing all systems out of the box as “deny all except what is explicitly enabled,” and many other well-proven truisms give much more bang for the buck than trying to bolt “Host Based Security Subsystems” onto PCs and servers running chaotically designed/developed apps….]



+ Hospital CIO Shares How They Fought Attacks From Anonymous

Boston Children’s Hospital senior vice president for information services and CIO Dr. Daniel J. Nigrin, shares how his organization defended itself against a series of attacks launched earlier this year.

The hospital received a warning about the attacks several weeks before they began. The hospital incident response team prepared for the attacks along with the IT department. They managed to fend off a series of distributed denial-of-service (DDoS) attacks for a while, but when those reached a certain level of intensity – 27 Gbps – the hospital called in third-party help. The attacks affected the hospital’s external websites and networks. When Nigrin saw what was happening, he shuttered all the websites and took down email service. Employees communicated through a secure messaging application.

[Note: Nice realistic account of a success story.   Testing out some of the procedures (like the transfer to a DDoS mitigation service provider) in advance can make the next one go even better.]



+  What’s the Average Budget for a Fortune 1000 Privacy Program?

This spring, the IAPP looked at privacy professionals’ roles in organizations worldwide, the influence they had on budget spending and the areas over which they had primary control. All of them were privacy leads at large, private, for-profit firms. And we are beginning to unearth some good benchmarking data.

First, the big number: The average surveyed Fortune 1000 company’s privacy program has a budget of $2.4 million. The median budget is $1 million.



+ Study: Deciphering What “Reasonable” Privacy and Security Means to the FTC

As the cloud security and privacy worlds come together here at the IAPP Privacy Academy and CSA Congress, the IAPP releases today a significant new study from the Westin Research Center on the “reasonable” components of a privacy and data security program as interpreted from more than 40 Federal Trade Commission (FTC) enforcement actions. Part of the IAPP’s ongoing FTC Casebook project, this report by Westin Fellow Patricia Bailin is meant to help shed light on what an acceptable level of privacy and data security could be, even as companies litigate the issue with the FTC in federal courts.



+ Navy Looks to Float ‘Tactical Cloud’ – Enterprise Tech

As government agencies edge closer to cloud adoption, one of the military services is attempting to take a more proactive approach to leveraging cloud technology to deliver tactical applications needed to handle growing volumes of sensor and targeting data in real time. The Office of Naval Research released a request for proposals in late August soliciting white papers and full proposals for what it calls an “Expeditionary Warfare Data Focused Naval Tactical Cloud.”



+ Cybersecurity consulting becomes big business

With new data breach threats arising every day, businesses need expertise and they have numerous options in the field of security consulting, breach response and pre-breach risk mitigation.



+ IOT risk security management and the internet of things



The 5 V’s of Big Data…. adding in value.



+ The Security Skills Shortage No One Talks About

Lack of soft skills in information security is an even bigger problem than the shortage of technical expertise.



+ Cybersecurity for Boards: What You Need to Know Now  (great numbers overview!)



+ WiFi Backscatter: The Internet of Things Could Talk by Turning Reflective



+ Understanding the NIST Cybersecurity Framework in healthcare



+ Here’s What You Need to Know About Big Data



+ Workforce 2020 – Part 1: The Looming Talent Crisis, or which myths about Millennials are busted



+  8 ‘Big Bang Theory’ Spoilers You Need To Know For Season 8  (Hey, a little fun facts too…;-))






+++  FYI / FYSA  Items of interest  +++


+ New CVE naming convention could break vulnerability management

The growing number of vulnerabilities found by IT manufacturers has created the need for a revamp of the way the security industry identifies them, and if practitioners and vendors don’t get ready soon they could be in for some trouble. With so many security products and other IT systems dependent on Common Vulnerabilities and Exposures (CVE) identifiers, an impending change in the syntax of CVE numbers could cause products and vulnerability management processes to break unless accommodations are made.



+ Does the government’s mobility program go far enough to protect security and privacy?

From checking email to editing presentations on the fly, more federal employees are using mobile devices as part of their job. But technology policymakers at federal agencies, by and large, are still playing catch-up. Agencies are looking to buy technologies that can manage and secure the large and increasing number of employee-owned devices. In an attempt to curb duplicative efforts, the General Services Administration unveiled its Managed Mobility Program last May. But it hasn’t proven to be the last word on either protecting government-owned or private employee data. Among the lingering questions to be answered: How can the government secure itself against the proliferation of devices and apps? And how will federal employees’ personal information stored on such platforms be protected?



+ New aims to consolidate your passwords

With high-profile hacks exposing the futility of passwords, alternatives such as biometric identification and two-step verification are gaining popularity. Waiting in the wings is a login network that could grant users access to many of their Internet accounts with a single registration. The National Strategy for Trusted Identities in Cyberspace is the planning ground for this system, where users will not have to release personal information or create new passwords to log on to multiple websites. A “trusted” third party – such as Verizon or PayPal – would register your personal information once to create a password, fingerprint scan, or other account-login mechanism. Every time you wanted to sign in to H&R Block or another online vendor, for example, you would enter that same ID.

Password Consolidation to be Tested Next Month

Starting as soon as October 2014, a system that will eliminate the need for users to remember at least some of their sets of access credentials will “launch with a few key anchor agencies that will be testing it out in the first round.” More agencies are expected to join within the next two years.

[Note: While it is true that the proliferation of passwords is a problem, associating more privilege with fewer passwords is not a good solution.   We need identification and authentication solutions that are less, not more, dependent on passwords.   Most edge computers have cameras and microphones.  Many have specialized authentication sensors like fingerprint readers.   We should be decreasing, not increasing, our reliance on passwords.]



+ Security ops confidence levels drop

As foreign state-sponsored attackers turn up the heat on corporate targets, security operations staffers are losing confidence in their ability to stave off these threats. New survey results released this week showed that confidence levels among IT security professionals have slipped this year, with fewer than half of them feeling sure they can keep up with new and emerging threats. Conducted among Black Hat attendees by Lieberman Software, the survey asked infosec professionals about their organizations’ readiness to respond to state-sponsored and other advanced attacks. The study found that 59% of respondents believe their organizations are likely to be the target of a state-sponsored attack sometime in the next six months.



+ Yahoo slams ‘digital will’ law, says users have privacy when they die

What should happen to your personal digital communications – emails, chats, photos and the like – after you die? Should they be treated like physical letters for the purposes of a will? Yahoo doesn’t think so. The company is criticizing new legislation giving executors charged with carrying out the instructions in a person’s will broad access to their online accounts. The legislation aims to tackle the sensitive question of what to do when someone’s online accounts on sites like Facebook, Google, or Yahoo outlive them.



+ Tech giants demand vote on email privacy bill

Google, Microsoft, AOL, Yahoo and scores of other technology titans are demanding congressional leaders allow a vote on a bill to grant new privacy protections to people’s emails. The companies want a vote on the Email Privacy Act, a bill that counts more than half of the House as co-sponsors. The bill has yet to move since it was introduced last summer, and a companion measure in the Senate is also awaiting action. The legislation would update the 1986 Electronic Communications Privacy Act, which allows police to conduct warrantless searches of people’s emails and other information stored on the “cloud” that are more than 180 days old. Critics on both sides of the aisle say the law is antiquated and undermines people’s privacy.



+ Managed Service Provider Apologizes for Breach That Compromised Goodwill Card Data

Managed service provider C&K Systems has apologized for a breach in which intruders compromised customer payment card data at three organizations, including Goodwill. The breach was in C&K’s “Hosted Managed Services Environment,” which was affected “intermittently between February 10, 2013 and August 14, 2014.” The attackers used “highly specialized point-of-sale (POS) malware … that was undetectable by [its] security software systems until” earlier this month.

C&K Systems Statement:

[Note: If you look at your logs, and you don’t find anything interesting, you are not looking at your logs. If you look at your logs for 18 months while you are compromised, then you are not looking at your logs at all. In many SOCs I have seen, “watching the logs” is done by the least qualified, most junior group of people if it is not outsourced….;-((]



+ US Power Grid Would Not Succumb to Cyber Attack Alone

Experts say that a cyber attack alone could not take down the US power grid. While no one denies that attackers could possibly gain access to bulk power provider networks, that alone could not cause a sustained grid outage.

[Note: The grid is designed to fail in a non-destructive manner.   There are hundreds of component failures every day; the grid is so resilient that most are mitigated automatically in seconds.   Every twenty years or so we experience a sufficient number of simultaneous component failures that, by design, a large portion of the grid shuts down.  However, by design it does this in such a manner that it can be restarted in tens of hours.  All that said, this discussion has resulted in identifying sensitive components that cannot be replaced from inventory.]



+  US Official: Chinese Want NSA Cyber Schools. Really.

Chinese universities are welcome to adopt the U.S. National Security Agency’s cyber education program, the top U.S. computer security education official said, after a recent trip to Beijing. Entrepreneurs in China have voiced support for improving the notoriously spotty relations between the U.S. and China in cyberspace by patterning Chinese courses on NSA-approved curricula, said Ernest McDuffie, head of the National Initiative for Cybersecurity Education. The offer of shared cybersecurity training comes at a time when both countries are exchanging accusations of hacking each other’s trade secrets. Both parties have denied these allegations.



+ US Military In The Dark On Cyberattacks Against Contractors

A lack of communication between military contractors and government agencies about Chinese cyber espionage attacks is revealed in a new Senate report.

The Armed Services Committee report, released Wednesday, contends that hackers tied to the Chinese government successfully penetrated systems belonging to Transcom contractors at least 20 times during a 12-month period beginning June 1, 2012. The report is the culmination of a year-long investigation by the committee, which found that gaps in reporting requirements and a lack of information sharing between government agencies left Transcom largely unaware of the compromises.



+ Top Data Breaches in the U.S.  great graphics.. (and neither Target nor Home Depot is number one…)


+ AND two more Must-See Cyber Security Infographics

How Consumers Foot the Bill for Data Breaches

Fighting Cyber Crime in the US



+ What small businesses need to know about cybersecurity



+ 8 of the Best Online Security Dashboards



+ New species of electrons can lead to better computing  (Who knew electrons even had species???)



+ Insider Threat Best Practices by CERT – GREAT list of 18 steps!!!

if you want MORE – buy the book..  Common Sense Guide to Mitigating Insider Threats, 4th Edition



+ Current state of cyber crime – does the public know?



+ Global cyber attack map – some cool time-lapse of recent attacks…





+++  THREATs  / bad news stuff / etc  +++




+ ISIS cyber capability judged more ‘aspirational’ than operational

The terrorist group’s slick social media presence is a far cry from being able to hack critical infrastructure, cybersecurity experts say.



+ Decade-long cybercrime ring hacked European banks and labs:

A 12-year-long European cybercrime operation targeting more than 300 banks, governments, research labs, critical infrastructure facilities and more has finally been discovered and scuppered. Wired, September 16, 2014



+ WikiLeaks releases FinFisher ‘weaponized malware’ to help people build defenses:

WikiLeaks released copies of ‘weaponized malware’ used by various governments around the world to snoop on individuals.



+ Malicious Kindle e-books can give hackers access to your Amazon account

It seems that there’s a bug going around, making rounds attached to e-books that can hack people’s Amazon accounts. A security researcher has discovered a security hole in the “Manage your Kindle page” on Amazon’s website that provides hackers with the needed data – users’ credentials. This happens when you upload a malicious e-book to your account and move it through Amazon’s system to store it on your device. If one of the e-books you put on your device has been hacked to include a script in the title, then you could easily see your Amazon account in trouble, along with all your data. The code is executed once the book that was added to the library is opened in a web page. Hackers can then access the cookies related to Amazon and take over the account.



+ ‘Tiny Banker’ malware targets US financial institutions

A banking trojan, known for its small size but powerful capabilities, has expanded the number of financial institutions from which it can collect data, according to security vendor Avast. Tiny Banker, also known as Tinba, was discovered around mid-2012 after it infected thousands of computers in Turkey. The malware is just 20K in size and can inject HTML fields into websites when it detects a user has navigated to a banking site, asking for a range of sensitive information banks would never request during an online session.



+ Worm illuminates potential NAS nightmare

A researcher who so far has discovered 30 zero-day vulnerabilities in a dozen major network-attached storage (NAS) vendor products is creating a computer worm to demonstrate just how easy it would be for cyber criminals and other hackers to exploit flaws he found in these devices. Jacob Holcomb, a security analyst at Independent Security Evaluators, has rolled multiple exploits for vulnerabilities he’s already reported to NAS vendors into a proof-of-concept, self-replicating worm. The worm scans for vulnerable services running on NAS systems — mostly web servers — and identifies the type of NAS device and whether it harbors the bugs. If so, the worm launches the corresponding exploit to take control of the device. Then, like any good worm, it spreads to other NAS systems.



+ Evolution Online Black Market Trades in Drugs, Account Credentials, and Health Data

Since the takedown of the Silk Road online black marketplace, others have stepped in to take over its shady trades. One of those, Evolution Markets, deals not only in drugs, but also stolen financial account credentials and medical records. The medical records appear to have been stolen from a life insurance company. Evolution is accessible only through Tor.



+ Breached Test Server Was Still Using Default Password

The test server breached earlier this summer was still using its default password. US-CERT Team Director Ann Barron-DiCamillo told the House Oversight and Government Reform Committee that the breach did not compromise any patient data “due to the segmentation of the network.” The intruders used the access to harness the server’s resources to launch attacks against other websites.



+ Insider Threat Kill Chain: Detecting Human Indicators of Compromise

Last year, more than a third of data breaches were perpetrated by a malicious insider, such as an employee, contractor or trusted business partner. On average, an attack by an insider is also more likely to cost the most, averaging $412K per incident. The intentions of these insiders can be sabotage, fraud, intellectual property theft or espionage.





+++   SD/SoCAL security items of interest / opportunities +++






25 – San Diego InfraGard Crisis Leadership Symposium!


25 – ISSA monthly meeting – Lunch time at ADM Baker – Pentesting != A Software Security Initiative






1 – SoeC – CyberFest 2014 – great all day agenda planned… improving on last year’s success!  October is cyber month after all!!!


14 – RTI Road Show: Build Safe and Secure Distributed Systems for the Industrial Internet of Things

Understand the requirements of your system, research the available technologies and choose the best approach to architecting your distributed software for Industrial Internet of Things applications. Join this breakfast road show to learn about industry standards and technologies such as TCP/IP sockets, MQTT, OPC and DDS.



15 – CCOE welcomes DHS to town — the San Diego Cyber Center Of Excellence (CCOE) is honored to host a national keystone event in conjunction with the U.S. Department of Homeland Security (DHS) and the National Cyber Security Alliance. There is no cost to attend.



27 – NDIA & CCOE….  Present the Military and cyber… SPAWAR – The Navy’s Cyber Security Center of Excellence..   at Sheraton Hotel and Conference Center    11:30am to 4:00pm  ($35.00)

– CCOE introduction and the California Cyber Task Force strategy

– SPAWAR and the Navy’s presentation on cyber security budgets, threats and the future




+++  Future events FYI:


TBD  – Provided by IEEE Cyber SIG / Various Security groups – all day – – Privacy by design workshop – a cyber model & why you must be part of this initiative!  (at Coleman University –  AM Technical approach… PM public discussions)   +++  Help move SD forward in cyber –  DOING security vs admiring the problem…. SO engage and help out on cyber 4 PbD!!!



TBD  Started planning “BigDataDay 4 SD” on a SAT in late fall / early winter….  Jump in and help us!

We went to the one in LA and it was great…   likely our three tracks will be:

–  Technical =  Hadoop/Hbase/NoSQL;

–  Data science = predictive analytics, etc

–  Applications = actual products, etc.. Privacy / data security. ..


Sept 5 

+++ Some highlights of the week +++

+  FCC fines Verizon for violating customers’ privacy (YES, following “Privacy by Design” does Pay…)

Verizon is in hot water with federal regulators for showing customers ads based on their personal information without first obtaining consent.

The Federal Communications Commission announced Wednesday that Verizon (VZ, Tech30) has agreed to a $7.4 million settlement for failing to properly notify two million new wireline phone customers that it was using information about them like billing and location data to market them new Verizon services.



+ This Map Shows Every Connected Device On The Internet

Here’s a new way of looking at the world: A map showing the location of every single device connected to the Internet. The colors show how many devices are in an area. The redder the dot, the more the devices. The bluer, the fewer. Some areas have no dots, and you’ll notice a single dot near the middle of Greenland.



+  The Next iPhone Could Forever Change How We Spend Money

Wired reported last week that the next iPhone, widely expected to be announced next week, will come with a payment platform that’s “one of the hallmark features of the device.” Tech news site The Information reported in July that Apple has been in discussions with banks and Visa about a “mobile wallet,” and Bloomberg added over the weekend that in addition to Visa, MasterCard and American Express will be on board. Apple’s iPod and iPhone already come with Passbook, an application that stores coupons, gift cards and tickets. And you can of course pay for music, movies and apps either by using the phone’s fingerprint sensor (on the iPhone 5S) or by entering your password. But the company doesn’t yet offer a way for you to buy actual things in the real world.



+ Dead Pirate Sunk By Leaky CAPTCHA  (gotta love it – rather like the geo-location on photos)

Ever since October 2013, when the FBI took down the online black market and drug bazaar known as the Silk Road, privacy activists and security experts have traded conspiracy theories about how the U.S. government managed to discover the geographic location of the Silk Road Web servers. Those systems were supposed to be obscured behind the anonymity service Tor, but as court documents released Friday explain, that wasn’t entirely true: Turns out, the login page for the Silk Road employed an anti-abuse CAPTCHA service that pulled content from the open Internet, thus leaking the site’s true location.



+ Cyber security stocks pop



+ US Navy – CANES Work On Hold After Protests Filed



+ The cost of data breaches has almost doubled, have you doubled your efforts?

Earlier this year, the PwC Information Security Breaches Survey 2014 highlighted the fact that the cost of a breach to an organization has almost doubled since the previous year.







+++  Cyber Security News you can likely use  +++



+ Insurance providers want more UBI data

YES..   Progressive’s car sensor dongle was the beginning..    Usage-based insurance = take more risk.. pay more..

More telematics… CRM…  sensor data… robotics… search engines…etc..  IoT…  and more…

+++ instrument everything. ..  AND make the data secure TOO..

Sooo… what’s that spell?   Cyber enabled / facilitated Privacy by Design (PbD) … everywhere… all the time!

And we got that!




+ Three ways to step up your own cloud security

Data thieves leaked private pictures of some of Hollywood’s top celebrities over the long weekend, raising some alarm bells about the security of what users keep in the cloud. Apple said in a statement Tuesday that its iCloud systems had not been breached; rather, the tech firm said thieves stole celebrity photos from Apple accounts by targeting individuals, likely by tricking account holders into giving up their passwords and usernames to break into accounts.

Apple said it is investigating reports that vulnerabilities in its iCloud service were exploited to hack the accounts of celebrities, leading to the publication of nude photos and videos. Initial media reports suggested that the hacks stemmed from individual accounts on iCloud, an online service to store photos, music and other data from Apple devices.



+ Major Weakness Discovered in Android, Windows, and iOS

Researchers have identified a weakness believed to exist in Android, Windows, and iOS mobile operating systems that could be used to obtain personal information from unsuspecting users. They demonstrated the hack in an Android phone. The researchers tested the method and found it was successful between 82 percent and 92 percent of the time on six of the seven popular apps they tested.




+  Social Networks Aim to Curb Terror Posts

Social media platforms such as Facebook, YouTube, Twitter, and Instagram have all become a staple of everyday Western lifestyles – and these avenues have also become more interesting for terrorists to exploit to advance their goals. These companies admit, however, that curbing free speech and screening violent and hateful content does involve walking a fine line.



+ Second Healthcare Sector Cyber Security Exercise Scheduled to Start in October

According to a press release from the Health Information Trust Alliance (HITRUST), the second cyber security exercise for the healthcare sector, CyberRX 2.0, will begin in October 2014. More than 750 healthcare organizations have signed up to take part in the cyber attack simulation exercise. The program has been expanded to offer three tiers of participation: Local/Basic, Regional/Mature, and National/Leading.



+  How Cybercriminals Monetize Information Obtained From Social Networks

Social networks provide rich opportunities for making new friends, sharing interests with others and even finding romance. Popular networks such as Twitter and Facebook facilitate interactions between hundreds of millions of users. They play an increasingly important role in shaping the way we socialize, but many do not realize that there are real and present dangers around them. Social media sites generate revenue from targeted advertising that is personalized for each user based on geolocation, demographics, interests and more. As such, social networks encourage users to share as much information as possible. Because of this, users happily post information about the places they visit, the people they hang out with and other personal information. They also use various applications and social games to further their information sharing.



+  Privacy and data risk; the naked truth

While explicit pictures are not something many businesses would have stored ‘in the cloud’ other data can be just as vulnerable and may do more than cause embarrassment. Security experts advise that data that could expose a business to commercial espionage or other damage should not be stored in third party cloud storage.


+ 8 of the Biggest Data Breaches Ever and How They Happened (Infographic)  (yes – go for privacy by design!!!)



+ Competing on Privacy in the Tower of Babel

In recent months, there’s been much talk about the idea of companies competing on privacy. In theory, this sounds great. Consumers can make choices based on their privacy preferences, and the marketplace will respond. In practice, there are some significant challenges. The NSTIC pilots are learning about these challenges first hand.

The NSTIC calls for the Identity Ecosystem to be privacy-enhancing and voluntary and provides some high-level considerations around these concepts. The pilots are expected to develop identity solutions that adhere to these concepts. But how do they move from high-level considerations to actual implementation? Moreover, how do they achieve an implementation that demonstrates effective privacy protections in consistent and repeatable ways?




+ National Guard To Form Cyber Protection Teams For DoD Cyber Operations

The U.S. National Guard is planning to establish cyber teams across the country after the Defense Department indicated cyberspace operations as one of its priorities amid a declining budget, Federal News Radio reported.

Jared Serbu writes that National Guard Bureau Chief Gen. Frank Grass has called for the creation of cyber units from the Air National Guard and Army National Guard in all states and territories.



+ Executive Cyber Intelligence Report: September 1, 2014

This report was prepared by The Institute for National Security Studies (INSS) and The Cyber Security Forum Initiative (CSFI) to create better cyber situational awareness (Cyber SA) of the nature and scope of threats and hazards to national security worldwide in the domains of cyberspace and open source intelligence. It is provided to Federal, State, Local, Tribal, Territorial and private sector officials to aid in the identification and development of appropriate actions, priorities, and follow-­up measures.



+ Companies lag in revealing data breaches, consumer groups say

Rumors of a data breach at a major New York bank started circulating more than a week ago in cyber-security circles. So for insiders, news that JPMorgan Chase had been victimized was more confirmation than revelation, just the latest headline from a digital crime wave that shows no sign of ebbing. But for the millions of customers of JPMorgan Chase, the news reports that began appearing Wednesday were the first indication that their personal information might have been stolen by hackers. Like Target, Neiman Marcus and countless other companies, the nation’s largest bank chose to keep evidence of a cyber-crime private until journalists forced the issue.

This reticence is both deeply rooted within corporate America and, to some consumer advocates, deeply infuriating.



+ Breaking Terrorists’ Will to Fight  (NPS thesis)

Drawing from the expansive literature on the causes of terrorism, and using Bertalanffy’s theory of open systems, the study posits that the will to fight is a function of the following variables: a belief in a cause, a desire for revenge, a search for satisfaction (reputation, joy, and money), and cultural attributes. T


+ Complacency: A Threat to Homeland Security?  (NPS thesis)

An unconventional approach to addressing a threat to homeland security by focusing on complacency through the lens of human factors and complexity. This approach requires a paradigm shift.


+ New Cyber-Security Legislation After New 9/11 Commission Report: A “9/10 Ability to Protect Against Cyber-Attacks”

New Cyber Information Sharing Tax Credit Would Incentivize Critical Infrastructure Businesses to Join Information-Sharing Organizations to Strengthen Their Cyber Security.






+++  FYI / FYSA  Items of interest  +++



+  How to turn the tables on brute-force hackers

The idea is to use lists of known, compromised passwords as a bulwark against the kind of brute-force guessing that hackers like to do. These lists aren’t theoretical — they are real, and online criminals will use them as a way to make their trial-and-error work a little easier. To use a very simplistic example: If you already know that one person has used the password “qwerty” before, chances are someone else will use it again. By taking these “password dumps” and integrating them into their account creation tools, Web sites could analyze your proposed password and block you from moving forward if it matches or resembles one already in the dump.
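One way to build the check the article describes, as an added example (not code from the article or any vendor): normalise the candidate the way cracking wordlist rules do, then look it up in a small compromised-password list constructed here. "Resembles" is taken to mean one character added, removed or swapped, which is an assumption about the article's wording.

```python
"""Screen a proposed password against a list of known-compromised passwords.

Added example, not from the article: it blocks candidates that match a dump
entry outright, or that "resemble" one once the cosmetic tweaks attackers'
wordlist rules already undo (case, appended digits, leetspeak) are stripped.
"""
import re
import unicodedata
from typing import Dict, Optional, Set

# Constructed sample dump. A production deployment would load millions of
# entries from published breach corpora (ideally stored as hashes).
COMPROMISED: Set[str] = {
    "qwerty", "password", "123456", "letmein", "dragon", "iloveyou", "football",
}

# Leetspeak substitutions; cracking tools undo these, so the check must too.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def variants(candidate: str) -> Set[str]:
    """Forms of the candidate to look up: case-folded, with appended/prepended
    digits and symbols removed ('qwerty2014!'), and with leetspeak undone."""
    base = unicodedata.normalize("NFKC", candidate).casefold()
    core = re.sub(r"[\d\W_]+$", "", base)   # strip appended year/digits/symbols
    core = re.sub(r"^[\d\W_]+", "", core)   # strip prepended ones
    forms = {base, core, base.translate(LEET), core.translate(LEET)}
    forms.discard("")                       # an all-digit candidate leaves no core
    return forms


def build_index(dump: Set[str]) -> Dict[str, str]:
    """Map every single-character deletion of each dumped password back to it,
    so 'resembles' lookups cost O(len(candidate)) rather than a scan of the dump."""
    index: Dict[str, str] = {}
    for entry in dump:
        for i in range(len(entry)):
            index.setdefault(entry[:i] + entry[i + 1:], entry)
    return index


DELETION_INDEX = build_index(COMPROMISED)


def check_password(candidate: str, dump: Set[str] = COMPROMISED,
                   index: Dict[str, str] = DELETION_INDEX) -> Optional[str]:
    """Return a rejection reason, or None if the candidate clears the check."""
    forms = variants(candidate)
    for form in forms:                      # exact match after normalisation
        if form in dump:
            return f"matches compromised password {form!r}"
    for form in forms:                      # one character away from an entry
        if form in index:                   # candidate is an entry minus one char
            return f"resembles compromised password {index[form]!r}"
        deletions = [form[:i] + form[i + 1:] for i in range(len(form))]
        for shorter in deletions:           # candidate is an entry plus one char
            if shorter in dump:
                return f"resembles compromised password {shorter!r}"
        for shorter in deletions:           # one substitution or transposition
            if shorter in index:
                return f"resembles compromised password {index[shorter]!r}"
    return None


if __name__ == "__main__":
    for pw in ["Qwerty2014!", "P@ssw0rd1", "passwords", "qwert", "Tr0ub4dor&3"]:
        print(f"{pw:14} -> {check_password(pw) or 'accepted'}")
```

At account-creation time the site would call `check_password` on the proposed password and refuse anything that returns a reason, as the article suggests.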



+  Drone Developers Consider Obstacles That Cannot Be Flown Around

Drone technology has not been thoroughly tested in populated areas, and commercial use of drones is not allowed in the United States. Even if it were, it is not clear that companies could make a profit using advanced, helicopter-like vehicles to deliver dog food, toothpaste or whatever else a modern family might need. Still, dozens of companies have experimented with using drones for tasks like crop dusting and monitoring breaks in railroad tracks and oil pipelines.



– NATO to Ratify Policy Adding Serious Cyber Attacks to Invoke Collective Defense Clause

NATO (North Atlantic Treaty Organization) is close to ratifying a policy that would see all members responding to a cyber attack on any one member. The policy would include serious cyber attacks among actions that invoke the collective defense clause of Article V of the NATO treaty.



– Europol’s Cyber Crime Task Force

Europol has launched the Joint Cybercrime Action Taskforce (J-CAT), which will work to coordinate international investigations in the fight against cyber crime.

[Note: Despite the hype about nation/state driven attacks, for most enterprises the most common and damaging form of attack will be by financially motivated criminals – which, of course, is true in the brick and mortar world, too. I’ve noticed in the US, the FBI and the Secret Service have started to come out of hibernation caused by the US putting too much emphasis on the DoD/Intelligence side of cybersecurity.]



+ Cyber Aces – Three key courses for cybersecurity career preparation now available free for colleges and high schools and their students.

With a $1.3 million grant from the SANS Institute, CyberAces is releasing the three foundation courses required for cybersecurity (Networking, Operating Systems, and Secure System Administration) for open, no-cost on-line use by high schools, colleges, and their students. You cannot be good at technical (highly paid) roles in cybersecurity without mastering the skills covered in these courses. SANS top instructors (led by Ed Skoudis) built them. The on-line courses are accompanied by periodic on-line national quizzes that enable each student to see where s/he stands relative to all others who are taking (and have taken) these courses. More than 10,500 people used earlier versions of the courses; top scorers in past years were recognized by their state governors and two dozen earned $25,000 scholarships funded by SANS and NSF.


+ Network Security Challenges in the Enterprise

ESG recently published a new research report titled, Network Security Trends in the Era of Cloud and Mobile Computing (note:  I am an ESG employee). In this project, ESG surveyed 397 IT security professionals working at enterprise organizations (i.e. more than 1,000 employees) and asked a multitude of questions about their current and future network security policies, practices, and technologies.



+ 10 Ways To Strengthen Healthcare Security


+ Science of Security: Does Your Cyber Security Team Include Cyber Security Scientists?


+ No longer just “script kiddies” hackers more sophisticated, state sponsored

News reports of data breaches and cyber crime are so prevalent now that many simply gloss over them.

Recently, companies as varied as Target, JPMorgan Chase and Dairy Queen have reported data breaches with hackers netting thousands of credit card numbers and other financial information. For many consumers, attacks like these don’t seem to have much impact, but for cyber security experts like Steve Crocker, senior vice president of Information Technology at Magna Bank, it’s a never-ending fight.


+ DoD’s EA strategy demands strong but flexible access control

Cards are in, passwords out in the pursuit of tighter identity management. The Defense Department’s strategy to develop an enterprise architecture includes giving military personnel unique IP addresses, enabling users to connect into a network anywhere in the world and retrieve their data reliably and securely. The key to creating such an environment is identity and access management (IAM) technology, which needs to be both strong and usable to allow personnel to work securely and effectively.

CAC and Beyond

“We are seeing a renewed emphasis on using [common access cards] for authenticating [users] to as many resources as possible: workstations, Linux servers, websites and even Mac laptops and workstations,” said Jack Miles, a senior systems engineer at Centrify. “By using CAC cards, DoD is able to force two-factor authentication with a hard-coded identity certificate bound to the card and a PIN known only to the soldier or sailor.”



+  Black Hat Europe 2014: Focus On Malware

It wouldn’t be a Black Hat event without a serious focus on malware, and we have some exciting malware and anti-malware programming to share with you this year. Without further ado, here are a few of the most intriguing malware-related Briefings that will be at Black Hat Europe 2014.







+++  THREATs  / bad news stuff / etc  +++



+ Data: Nearly All U.S. Home Depot Stores Hit

Evidence that a major U.S. retailer had been hacked and was leaking card data first surfaced Tuesday on the cybercrime store rescator[dot]cc, the shop that was principally responsible for selling cards stolen in the Target, Sally Beauty, P.F. Chang’s and Harbor Freight credit card breaches.


Home Depot first announced that it was investigating the incident on Sept. 2, saying it was working with banks and law enforcement to figure out what happened. The disclosure followed a report by KrebsOnSecurity that a “massive” batch of stolen credit- and debit-card information was posted for sale online, possibly obtained from Home Depot stores.



+ Intruder Installs Malware on Server

Malware installed on a server used to test code is designed to launch denial-of-service attacks on websites; the attack appears not to have been an attempt to target the online healthcare marketplace. Such malware on a server would not make news if it were not part of such a high profile organization. The infection occurred in July and was detected on August 25 during a security scan.

[Note: The public info shows that a test server was exposed to the Internet when it had no need to be. Good example of a common pattern in Internet breaches: failure in Critical Security Control 19 (Secure Network Engineering) leading to a compromised server, which could have easily been hardened but wasn’t – which is why segmentation/zoning (with security controls at the boundaries) is critical to prevent more and detect faster….]



+ Watering Hole Attack Targets Industrial Software Company Website Visitors

A watering hole attack on the website of an unnamed industrial software company used reconnaissance malware to gather information about site visitors, possibly for use in future attacks. Most watering hole attacks attempt to infect site visitors’ computers with malware. The tool used in this attack gathers information about site visitors’ browsers, IP address, operating system, as well as what security programs are being used. The reconnaissance tool has been named Scanbox and was detected by AlienVault Labs.


+ US Cities Seek to Upgrade Stingray Before Providers Drop 2G Network

Several US cities are seeking to upgrade cell phone surveillance systems commonly known as stingray. The controversial technology has been shrouded in secrecy, e.g., law enforcement agencies allegedly misleading the courts about the technology. Stingrays are capable not only of determining a target’s location, but also of intercepting communications contents. One of the techniques the technology uses is to force targeted devices to resort to using the 2G network by jamming 3G and 4G network signals because 2G network security is not as strong as that of later generation networks. Most providers will stop supporting the 2G network within the next few years, which means current stingrays will no longer work.

[Note: The issue here is not so much the technology as the secrecy and deception surrounding its funding, acquisition, and use, not to say misuse and abuse.  In her book, Licensed to Lie, author Sydney Powell documents a pattern of Federal prosecutors lying to courts about illegal investigations and hiding of exculpatory evidence.]



+ IT Strategy Roadmaps: No Knee Jerking

Predicting where your company will be in the next 3 to 5 years can be a difficult task, to say the least. As an IT leader, you’ll need to be aware of and in tune with your company’s goals. Understanding where the CEO is driving the company is the key to your IT strategy’s success. In particular, aligning business goals with IT is the primary reason you and your team exist. I’ve seen many companies use an IT strategy I call “knee-jerking”



+ Why Russian hackers are beating us

Russian hackers like the ones who breached the computer systems of JP Morgan Chase and at least four other banks win because they think strategically like the best chess players.  “Russians are more intelligent than Americans,” Tom Kellermann, chief cyber-security officer for Trend Micro, said. “They’re more intelligent because they think through every action they take to a point where it’s incredibly strategic



+  DHS: Over 1,000 Businesses Hit by Cyber Attack Stealing Data

The Department of Homeland Security (DHS) revealed Friday that over 1,000 businesses across the U.S. have been targeted by a cyber attack that allows hackers to steal personal data from customers’ debit and credit cards. Some of the biggest names that have been hit include Target, Supervalu, and UPS. The hackers started using a malware called Backoff in October 2013. Backoff’s method has been to pillage the memory contents of cash registers, referred to as point of sale (POS) systems, and grab data from credit cards. The malware can observe keyboard strokes and interact with remote servers.






+++   SD/SoCAL security  items of interest / opportunities +++





8 – IEEE consultant’s network.  ^PM –  Members forum – Using teaching opportunities to expand and deepen a consulting practice.


18  – OWASP – 6PM – Sid Shetye / CEO of Crypteron Topic: Vote For IT!: the (alleged) NSA crypto backdoor or Cloud Security –


25  –   San Diego InfraGard Crisis Leadership Symposium


25 – ISSA monthly meeting – Lunch time at ADM Baker – no topic yet





1– SoeC – CyberFest 2014 – great all day agenda planned… improving on last year’s success!  October is cyber month after all!!!


15– Heads up –  CCOE welcomes  DHS to town….  More details to follow   — an open invite event for Cyber leaders in the San Diego region to welcome DHS to San Diego and engage partners at the Federal level in the local conversation and to highlight for them what is happening in San Diego in Cyber.


27 – NDIA & CCOE….  Present the Military and cyber… more details to follow




+++  Future events FYI:


TBD  – Provided by IEEE Cyber SIG / Various Security groups – all day – – Privacy by design workshop – a cyber model & why you must be part of this initiative!  (at Coleman University –  AM Technical approach… PM public discussions)   +++  Help move SD forward in cyber –  DOING security vs admiring the problem…. SO engage and help out on cyber 4 PbD!!!



1 Nov – Started planning “BigDataDay 4 SD” on a SAT.  Jump in and help us!

WE went to the one in LA and it was great…   likely our three tracks will be:

–  Technical =  Hadoop/Hbase/NoSQL;

–  Data science = predictive analytics, etc

–  Applications = actual products, etc.. Privacy / data security. ..


