CYBER NEWS TIDBITS FOR U - OCTOBER 2014

Welcome to Cyber News Tidbits 4U!

Here are updated news compilations from the Cyber Security Community

Topic headers (+++):

1 – Security news you can likely use (re: management / opportunity items)

2 – Other items of general FYI / FYSA level interest

3 – Threats / bad news stuff / etc.

and…

4 – SD/SoCAL items of interest / opportunities (send me your SD meetings!)


A couple of highlights of the week (items of potentially notable interest / high utility and value… your mileage will vary)

OCTOBER 21

+ White House won’t pursue single, large cybersecurity bill

The Obama Administration hopes to overcome resistance to a single, large cybersecurity bill by pushing for several smaller cybersecurity bills that could increase the odds of passage, said the White House Cybersecurity director during an Oct. 9 event. “I think it’s easier to get smaller pieces through rather than one big cybersecurity bill,” said Michael Daniel during an event jointly hosted by the Christian Science Monitor and the Center for National Policy. Daniel said it’s unlikely cybersecurity legislation will pass this year and said it will probably be an issue for the next Congress to take up in January.

http://www.fiercegovernmentit.com/story/white-house-wont-pursue-single-large-cybersecurity-bill/2014-10-13

+ White House Issues Executive Order To Use Chip and Pin

The U.S. President today signed a new Executive Order directing the government to lead by example in securing transactions and sensitive data. Multiple initiatives are included. The most important directs the government to lead by example in securing payments to and from the Federal government by applying chip and PIN technology to newly issued and existing government credit and debit cards.

http://www.whitehouse.gov/the-press-office/2014/10/17/fact-sheet-safeguarding-consumers-financial-security

[Note: Pushing government point of sale to Chip and PIN is a good thing, but of course it doesn’t do anything for online payments, only point of sale. The section about stronger authentication (Building Public-Private Awareness About More Secure Authentication) is equally important: moving away from reusable passwords would reduce identity theft far more than Chip and PIN will. The USG hasn’t been consistent on this, since it has been pushing an obsolete smart-card-based solution (PIV) and has rejected less secure, but much more usable/feasible, solutions like text messages as a second factor, which Google, PayPal, Microsoft and many others are using. In fact, the DEA rejected this approach in its two-factor authentication protocol for Electronic Prescriptions for Controlled Substances; it would be good to see the administration revisit that.]

+ Russian Hackers Made $2.5B Over The Last 12 Months

The big bucks are in selling credit card data — not using it for fraud — and PoS and ATM attacks are on the rise.

The Russian hacking industry brought in $2.5 billion between mid 2013 and mid 2014, thanks in large part to the Target breach, according to a report released today by Group-IB.

Other bad news: ATM hacks are on the rise. Spamming still pays well. New criminal groups are hitting the scene, specializing in mobile threats. And POS attacks will only get worse, because they can deliver data that’s 10 times more profitable than your average plaintext credit card number.

Also, while financial fraud is still a big earner — accounting for $426 million — it’s being surpassed by the simple buying and selling of credit card data. The carding business brought in $680 million.

http://www.darkreading.com/russian-hackers-made-$25b-over-the-last-12-months-/d/d-id/1316631?_mc=NL_DR_EDT_DR_weekly_20141016&cid=NL_DR_EDT_DR_weekly_20141016&elq=d6503258b81a40c1944503045cff24d6&elqCampaignId=9632

+ Cost Of A Data Breach Jumps By 23%

Cleanup and resolution after a breach take an average of one month to complete, a new Ponemon Institute report finds. The report, which surveyed 257 large companies in seven countries, measured the costs of more than 1,700 attacks suffered by the firms. The average cost of an attack is $639,462, according to the report. Some industries incur higher costs in a breach than others, too. Energy and utility organizations incur the priciest attacks ($13.18 million), followed closely by financial services ($12.97 million). Healthcare incurs the fewest expenses ($1.38 million), the report says.

The new Ponemon data underscores the importance of early detection and better preparation for breaches.

Paging the incident response team: It now takes a large organization an average of 31 days at a cost of $20,000 per day to clean up and remediate after a cyberattack, with the total price tag for a data breach now at nearly $640,000. That’s an increase of 23% over last year, says Larry Ponemon, chairman and founder of the Ponemon Institute, whose 2014 Global Report on the Cost of Cyber Crime, an annual look at what organizations end up paying after a breach, will be published tomorrow. “The most surprising finding from this study was that it takes an average of 31 days to resolve a cyberattack, costing an average of $20,000 per day,” says Ponemon, whose study was commissioned by HP.

http://www.darkreading.com/attacks-breaches/cost-of-a-data-breach-jumps-by-23-/d/d-id/1316637

+ The Russian epicenter of cybercrime ramps up the sophistication

The Russian high-tech crime market for 2014 is showing ever-increasing sophistication, with criminals creating shadow worlds of illegal activity, exploiting new financial theft techniques and incorporating mobile attacks more often. Group-IB’s computer forensics lab and its CERT-GIB unit, in its annual report on the Russian cybercrime scene, noted that a top trend to stand out is the fact that the Russian market for stolen credit card information, arguably the epicenter of the data breach trend, has become much more structured in the last year, complete with wholesalers and online trading platforms. Revenue is increasing accordingly; the company estimates the carding market to be at about $680 million.

http://www.infosecurity-magazine.com/news/the-russian-epicenter-of-cybercrime/

+ Nearly Half Of Consumers Will Punish Breached Retailers During Holidays

Consumers say they’ll talk with their wallets if they hear their favorite store has played fast and loose with customer data.

http://www.darkreading.com/nearly-half-of-consumers-will-punish-breached-retailers-during-holidays/d/d-id/1316786?_mc=NL_DR_EDT_DR_daily_20141021&cid=NL_DR_EDT_DR_daily_20141021&elq=6cd409171b8841feb7e828dfeb8dd4c2&elqCampaignId=9755

+ Draft ‘Internet-of-Things’ policy sees business worth $15 billion

http://m.economictimes.com/tech/ites/draft-internet-of-things-policy-sees-business-worth-15-billion/articleshow/44865824.cms

+ Cost of Cyber Attacks Jumps for US Firms

http://www.securityweek.com/cost-cyber-attacks-jumps-us-firms-study

+ How to predict technology flops … 10 startup failure points

http://blog.intercom.io/how-to-predict-technology-flops/

+ The Top 20 Reasons Startups Fail

https://www.cbinsights.com/blog/startup-failure-reasons-top/

+ Automatic Scanning for ALL OWASP Top 10 Security Flaws

Cool… SCM for the web. As we know, the web browser is THE biggest threat vector (upwards of 80% of all malware), and now almost all of it is encrypted (HTTPS).

https://www.netsparker.com/blog/web-security/owasp-top-10-web-security-scanner/

+ Black Hat Europe 2014

MANY relevant briefs (for Oct 16 – 17) (of course it is Black Hat; ideally these PDFs are not infected…)

http://www.blackhat.com/eu-14/briefings.html

+ COOL, Non-Cyber fun fact – Lockheed announces breakthrough on nuclear fusion energy

http://www.theguardian.com/environment/2014/oct/15/lockheed-breakthrough-nuclear-fusion-energy?CMP=fb_gu

++++ Cyber Security News you can likely use +++

+ Researcher builds system to protect against malicious insiders

When an employee turns on his own company, the results — damaged networks, data theft and even work stoppage — could be devastating. It could rock the company even more than an outside attack because the insider knows where sensitive data is kept, what the passwords are and exactly how to hurt the company the most. That’s the driving force behind the work that Daphne Yao, associate professor of computer science at Virginia Tech, is doing on cybersecurity. Yao, who received an NSF Career award for her human-behavior inspired malware detection work, is developing algorithms that will alert companies when an employee might be acting maliciously on their network.

http://www.computerworld.com/article/2825952/researcher-builds-system-to-protect-against-malicious-insiders.html#tk.rss_news

+ Intel preps new technology to secure credit card transactions

Swiping credit cards or using payment systems like Apple Pay at stores could become much safer thanks to a new Intel system, which could also make it easier for retailers to secure data after transactions are completed. With security breaches and customer data theft on the rise, Intel has developed Data Protection Technology for Transactions, a hardware-software bundle designed to protect credit card and personal data from hackers when transactions are being authorized. Intel will market the chip technology to makers of point-of-sale (POS) systems, PCs and mobile payment terminals. NCR, the world’s largest maker of payment terminals, has plans to put Data Protection Technology for Transactions on its products.

http://www.computerworld.com/article/2834241/intel-preps-new-technology-to-secure-credit-card-transactions.html#tk.rss_news

+ Cyber Security Must be Built Into Battlefield Systems Acquisition Process…

Cybersecurity must be built into the acquisition process for battlefield components. Weapons platforms and systems need to be secure. Failing to embed security within these systems is giving adversaries “an advantage that they have not earned.”

[Note: The real issue is this: there are already a myriad of STIGs and NSA guides, Defense Acquisition Guidelines on program protection, and other existing DoD cybersecurity guidance on building and configuring systems and components, so why isn’t the security level better? One area that stands out: the lack of prioritization of the most important things to do first to thwart as many real-world attacks as possible, vs. “do everything under the sun in security” approaches that lead to $5,000 coffee pots that don’t make coffee very well.]

(Murray): Security requirements are met only at the expense of other requirements of a system. They cannot be considered in isolation. They must be placed on the same list as all of the other requirements and the whole list prioritized. Only then will we appreciate the costs and limitations.

http://www.nextgov.com/cybersecurity/2014/10/pentagon-needs-build-cybersecurity-acquisition-process/96461/?oref=ng-channelriver

+ FBI Director Acknowledges Some Warrantless Data Collection, Calls

FBI Director James Comey has admitted that in some cases, his agency does collect information without a warrant. Speaking at the Brookings Institution on Thursday, Comey qualified his statement on television news magazine 60 Minutes earlier in the week that the FBI never conducts surveillance without first obtaining a court order. Comey noted that the two types of cases in which the FBI gathers information without a warrant are when consent has been obtained and when conducting surveillance of foreign suspects under Section 702 of the Foreign Intelligence Surveillance Act. Comey also spoke of his concerns that stronger encryption on new iPhones and Android devices will make it more difficult to pursue investigations. He said that the government needs wiretapping powers because CALEA is outdated and has not kept up with changing technology. He did acknowledge that any provision that allows law enforcement to gain access to communications could also be abused by criminals.

http://www.nextgov.com/cybersecurity/2014/10/comey-says-fbi-collects-some-digital-information-without-warrant/96659/?oref=ng-channelriver

http://www.nextgov.com/big-data/2014/10/fbi-wants-internet-wiretapping-powers/96671/?oref=ng-channelriver

http://www.darkreading.com/fbi-director-urges-new-encryption-legislation/d/d-id/1316711?

+ A changing view of privacy

Like their industry counterparts, federal agencies and their contractors are finding that monitoring social media to maintain IT and physical security can be frustrating, in part because of the lack of legal guidelines. Legal and federal contracting experts say that publicly available posts are fair game when agencies are conducting background checks on prospective employees or monitoring current employees for insider security threats. But knowing what qualifies as “publicly available” can be tricky. “We’re in the early stages” of how employers use information gathered from social media sources, said Mike Eastman, senior counsel and vice president for public policy at the Equal Employment Advisory Council.

http://fcw.com/articles/2014/10/15/a-changing-view-of-privacy.aspx

+ Why You Shouldn’t Count On General Liability To Cover Cyber Risk

Travelers Insurance’s legal spat with P.F. Chang’s over who’ll pay breach costs will likely illustrate why enterprises shouldn’t think of their general liability policies as backstops for cyber risk.

“Right now I will tell you that pricing for cyber liability insurance is stupid low — unbelievably low,” he says. “I can’t imagine it will stay this low once losses continue to come in, but at this point I’m stunned by any company that doesn’t have some sort of cyber liability in place today.”

http://www.darkreading.com/why-you-shouldnt-count-on-general-liability-to-cover-cyber-risk/d/d-id/1316758?_mc=NL_DR_EDT_DR_daily_20141021&cid=NL_DR_EDT_DR_daily_20141021&elq=6cd409171b8841feb7e828dfeb8dd4c2&elqCampaignId=9755

+ As dangers multiply, cyber-insurance becomes a must-have for more businesses

More than 3,000 American businesses were hacked last year, many of them small and midsize firms that are often less protected than their multinational counterparts, according to the Center for Strategic and International Studies.

That surge in cyberattacks has led to a booming industry that aims to insure against data breaches. Roughly 50 companies around the country offer cybersecurity insurance, and as of last week, there was one more: Ridge Insurance Solutions, founded by Tom Ridge, the former Pennsylvania governor and first secretary of the Department of Homeland Security.

http://crnfpn.advisen.com/fpnHomepagep.shtml?resource_id=2265201072010772842#top

+ Cyber-insurance becomes popular among smaller, mid-size businesses

http://www.washingtonpost.com/business/capitalbusiness/cyber-insurance-becomes-popular-among-smaller-mid-size-businesses/2014/10/11/257e0d28-4e48-11e4-aa5e-7153e466a02d_story.html

+ Scale of cyber risks outweighs insurance capabilities  (MAYBE if not done right, can’t insure unknown risks?)

Senior P&C executives have sounded a cautious note on the exposures of cyber insurance, questioning whether the insurance industry has a firm grasp of the risks involved or could provide adequate limits for rapidly increasing exposures.

http://www.experian.com/data-breach/newsletters/cyber-insurance-costs.html

Cyber insurance should be a necessity just like fire insurance

http://www.cyberrisknetwork.com/2014/10/02/tim-francis-cyber-insurance-necessity-just-like-fire-insurance/

Ponemon – Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age

http://www.experian.com/innovation/downloadAssert?templateAssertId=12082

+ Big Takeaways from Annual DPAs Conference

This has been a busy week for international recognition of privacy issues, with leaders of the world’s data protection authorities (DPAs) coming together with some of privacy’s top voices to talk big-picture issues in the African nation of Mauritius. The conference’s declaration makes seven conclusions:

1. IoT sensor data “is high in quantity, quality and sensitivity,” allowing for greater inferences and identifiability, and therefore, “such data should be regarded and treated as personal data.”

2. IoT value is not just in devices but in services as well.

3. “Transparency is key,” and businesses using IoT must have privacy policies that adequately explain how the data is being collected, used and shared. Notably, “Companies need a mind shift to ensure privacy policies are no longer primarily about protecting them from litigation.”

4. Processing starts at collection—and from that start, Privacy by Design and security by design are a must.

5. Security needs to be taken to a whole new level—“A simple firewall is no longer sufficient”—and one suggestion is to store data locally on the device. When not feasible, businesses should employ end-to-end encryption.

6. Ominously, the regulators are paying attention to IoT, and they won’t be afraid to work together internationally and across jurisdictions to mete out justice if necessary.

7. But, the declaration backs a multi-stakeholder dialogue to be constructive and raise awareness.

https://privacyassociation.org/news/a/the-big-takeaways-from-the-dpas-conference-in-mauritius/

+ Will new commercial mobile encryption affect federal BYOD policy?

The flip side of default data encryption on mobile devices is that a lost or stolen device won’t yield up its secrets – an important feature for many federal employees.

http://fcw.com/articles/2014/10/20/mobile-encryption-and-federal-byod-policy.aspx?s=fcwdaily_211014

+ A Look at Dynamic Data Obscurity

“In data analytics, the phrase, ‘You can have privacy or value, but you cannot have both,’ is an accepted axiom,” writes Gary LaFever, “but it’s actually a dangerous fallacy.” He adds, “The false dichotomy between privacy and value fuels misunderstandings and misconceptions while impairing the ability of organizations to fully leverage the commercial potential of big data.” In this post for Privacy Perspectives, LaFever discusses the development of an alternative data protection scheme, something Information Accountability Foundation Executive Director Martin Abrams recently called “Dynamic Data Obscurity.” This idea moves “beyond protecting data at the data-record level to enable data protection at the data-element level,” LaFever notes.

https://privacyassociation.org/news/a/what-anonymization-and-the-tsa-have-in-common/

+ Ponemon Study on Patient Privacy and Data Security

The Ponemon Institute’s Fourth Annual Study on Patient Privacy & Data Security, sponsored by ID Experts, reveals new security threats to hospitals and the patient records they manage. According to the report, top threats are the Affordable Care Act, criminal attacks, employee negligence and unsecured mobile devices–smartphones, laptops and tablets–and third parties. Read the study to learn more about the current trends in patient data security.

http://lpa.idexpertscorp.com/acton/ct/6200/s-01a0-1409/Bct/l-19c9/l-19c9:afc/ct7_0/1

+ Cyber Exposures of Small and Mid-Size Businesses – A Digital Pandemic

Gone are the days when small and medium-sized businesses (SMBs) were able to neglect network security with little consequence. Today, countless organizations of all sizes are victimized daily, and in many cases with crippling effect. This unfortunate trend is highlighted in Symantec’s 2014 Internet Security Threat report, which found that SMBs (defined as having fewer than 250 employees) accounted for more than half of all targeted attacks (61 percent) in 2013. This was an 11 percentage point increase from the previous year. In another study by the National Cyber Security Alliance, it was reported that 20 percent of small businesses fall victim to cybercrime each year. Advisen data shows similar trends. Of all the cyber incidents tracked by Advisen since 2000, SMBs represent approximately 60 percent of the total cases.

http://www.advisenltd.com/wp-content/uploads/cyber-exposures-small-mid-size-businesses-white-paper-2014-10-14.pdf

+ Eight Industries Now Receiving Classified Cyber Threat Information

The number of industries participating in the US Department of Homeland Security’s Enhanced Cybersecurity Services Initiative has more than doubled since July 2014. The program provides participating companies with classified threat information that they can use to help protect their systems. As of July, just energy, communications, and defense industries were participating, but they have since been joined by the financial, water, chemical, transportation, and information technology industries. The voluntary program was previously open only to defense contractors, but in 2013 was expanded to include companies that manage the country’s critical infrastructure.

http://www.nextgov.com/cybersecurity/2014/10/number-industries-getting-classified-cyberthreat-tips-dhs-has-doubled-july/96923/?oref=ng-HPtopstory

+ Intel Chief: Russia Tops China as Cyber Threat

The top U.S. spy sounded alarms about America’s lack of preparedness to combat a growing threat from cyberattacks and said that Russia poses a greater cyberspying threat than China. “I worry a lot more about the Russians,” Director of National Intelligence James Clapper said at a University of Texas intelligence forum in Austin Thursday. His comments followed a major infiltration of J.P. Morgan’s computer networks, which officials believe was carried out by Russian hackers, though …

http://crnfpn.advisen.com/fpnHomepagep.shtml?resource_id=2267222891449464980#top

+ Crime-as-a-Service Tools and Anonymization Help Any Idiot Be a Cyber-criminal

The 2014 Internet Organized Crime Threat Assessment report says ‘almost anyone’ can become a cybercrook thanks to Crime-as-a-Service tools, anonymization, darknets and crypto-currencies. Almost any idiot with malicious intentions can jump into the cybercrime arena thanks to tools that lower the entry barriers into cybercrime; wannabe cyber-criminals who lack technical expertise can simply buy the tools and skills needed.

http://www.computerworld.com/article/2688411/report-crime-as-a-service-tools-and-anonymization-help-any-idiot-be-a-cyber-criminal.html

And the summary report:

https://www.europol.europa.eu/sites/default/files/publications/iocta2014_summary_findings_and_recommendations.pdf

+ Safeguarding Consumers’ Financial Security | The White House

http://m.whitehouse.gov/the-press-office/2014/10/17/fact-sheet-safeguarding-consumers-financial-security

+ Giving Yourself Away Online – trade personal data for a cookie!

http://www.newyorker.com/culture/culture-desk/giving-away-personal-data-online

+ Medical Device Security Benchmarks Emerging

http://www.cio.com/article/2833830/hipaa-security-privacy/medical-device-security-benchmarks-emerging.html

+ The Digital Tsunami of Cyber Crime is Coming

http://www.techinsider.com.au/2014/10/digital-tsunami-cyber-crime-coming/

+ 5 Things Boards Should Do About Cybersecurity… Now

http://m.wsj.com/briefly/BL-263B-2276

+ With This Tiny Box, You Can Anonymize Everything You Do Online

http://www.wired.com/2014/10/tiny-box-can-anonymize-everything-online/

+ The Internet Of Everything: 2014

http://www.businessinsider.com/the-internet-of-everything-2014-slide-deck-sai-2014-2

+ Infographic – Some Things Should Not Go Viral

http://pages.bitglass.com/infographic_some-things-should-not-go-viral.html?mkt_tok=3RkMMJWWfF9wsRons6TMZKXonjHpfsX66%2BkvW7Hr08Yy0EZ5VunJEUWy2YcDRNQ%2FcOedCQkZHblFnVgJQq2vXawNoqQITVW3Sy%2FJgbPTboNaWLAujQ%3D%3D

++++ FYI / FYSA +++

+ Facebook doubles reward for bug reports in ad code

Facebook is doubling the rewards it will pay for security vulnerabilities related to code that runs its advertising system, the company said Wednesday. A comprehensive security audit of its ads code was recently completed, but Facebook “would like to encourage additional scrutiny from whitehats to see what we may have missed,” wrote Collin Greene, a security engineer, in a blog post. “Whitehats” refers to ethical security researchers, as opposed to “blackhats” who take advantage of vulnerabilities. According to bug bounty program guidelines, Facebook pays a minimum of $500 for a valid bug report. Until the end of the year, that has been increased to $1,000.

http://www.computerworld.com/article/2834614/facebook-doubles-reward-for-bug-reports-in-ad-code.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+computerworld%2Fnews%2Ffeed+%28Latest+from+Computerworld%29#tk.rss_all

+ Who’s watching your WebEx?

KrebsOnSecurity spent a good part of the past week working with Cisco to alert more than four dozen companies — many of them household names — about regular corporate WebEx conference meetings that lack passwords and are thus open to anyone who wants to listen in. At issue are recurring video- and audio conference-based meetings that companies make available to their employees via WebEx, a set of online conferencing tools run by Cisco. These services allow customers to password-protect meetings, but it was trivial to find dozens of major companies that do not follow this basic best practice and allow virtually anyone to join daily meetings about apparently internal discussions and planning sessions.

http://krebsonsecurity.com/2014/10/whos-watching-your-webex/

+ Banks harvest callers’ voiceprints to fight fraud

“This call may be monitored.” You hear it every time you phone your bank about a lost credit card or an unexpected charge. You may realize your bank is recording you, but did you know it could be taking your biometric data, too? An Associated Press investigation has found that two of America’s biggest retail banks – JPMorgan Chase & Co., and Wells Fargo & Co. – are quietly recording the biometric details of some callers’ voices to weed out fraud. The technology, sometimes called voiceprinting, is aimed at bad guys rather than legitimate customers, but legal and privacy experts alike still have reservations about the practice.

http://hosted.ap.org/dynamic/stories/E/EU_THE_VOICE_HARVESTERS?SITE=AP&SECTION=HOME&TEMPLATE=DEFAULT&CTIME=2014-10-13-15-59-52

+ Dairy Queen confirms breach at 395 stores

Nationwide fast-food chain Dairy Queen on Thursday confirmed that malware installed on cash registers at some 395 stores resulted in the theft of customer credit and debit card information. The acknowledgement comes nearly six weeks after this publication first broke the news that multiple banks were reporting indications of a card breach at Dairy Queen locations across the country. In a statement issued Oct. 9, Dairy Queen listed nearly 400 DQ locations and one Orange Julius location that were found to be infected with the widely-reported Backoff malware that is targeting retailers across the country.

http://krebsonsecurity.com/2014/10/dairy-queen-confirms-breach-at-395-stores/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+KrebsOnSecurity+%28Krebs+on+Security%29

Dairy Queen Breach Shines Light On Impact Of 3rd-Party Breaches

Yet another retail chain confirms a data breach of customer payment information via a third-party vendor, and Kmart tosses its hat into the breached ring today…. Lowe’s, Goodwill Industries International, Jimmy John’s, and Dairy Queen have little in common at first glance. But they share one thing they probably wish they didn’t: all have been in the news for security incidents that began with a breach at a third-party vendor. According to the Ponemon Institute’s 2014 data breach cost study, third-party involvement in a breach increased the global average cost of a data breach by an average of $14.80 per record…

http://www.darkreading.com/attacks-breaches/dairy-queen-breach-shines-light-on-impact-of-3rd-party-breaches/d/d-id/1316565?_mc=NL_DR_EDT_DR_weekly_20141016&cid=NL_DR_EDT_DR_weekly_20141016&elq=d6503258b81a40c1944503045cff24d6&elqCampaignId=9632

+ Bash/Shellshock Patches May Not be Enough to Protect Systems

Simply patching systems against the Bash/Shellshock vulnerability may not be adequate. Attacks exploiting the flaw appeared within a day of its disclosure. Those attacks may have made changes to systems that would not be remedied by the application of a patch. The problem is due in part to the incomplete patches that were issued initially. Attackers reportedly exploited Bash/Shellshock to create a botnet for a phishing campaign against Spanish-speaking Citibank customers. Many of the compromised machines are running Linux. The command-and-control server for the botnet has been taken offline.

http://arstechnica.com/security/2014/10/ghost-in-the-bourne-again-shell-fallout-of-shellshock-far-from-over/

http://www.scmagazine.com/bash-bug-used-to-assemble-botnet/article/377504/

+ Universal Plug-and-Play Devices Could be Used in Reflection DDoS Attacks

Akamai says that misconfigured Universal Plug-and-Play (UPnP) devices could be used to launch DDoS reflection attacks. In an advisory, Akamai warned that weaknesses in the UPnP standard put more than four million devices at risk of being recruited by attackers.

http://www.eweek.com/security/akamai-warns-of-reflection-ddos-attacks-using-millions-of-upnp-devices.html

+ Samsung: Knox Platform Enables First Consumer Mobile Device To Be Validated and Approved For U.S. Gov Classified Use

For those of us who work in and around the enterprise security domain something unique has just happened. The U.S. Government has just approved a commercial consumer device, the Samsung Galaxy family of devices, for classified info. This means government organizations can establish new, smarter, more scalable mechanisms to get classified information to mobile users.

http://global.samsungtomorrow.com/?p=43522

+ No Repercussions for Failing to Comply with FedRAMP Standards?

US government agencies that missed a June 5, 2014 deadline for ensuring that their cloud computing systems met a set of baseline security standards appear unlikely to face repercussions. The Federal Risk and Authorization Management Program (FedRAMP) established the standards in late 2011. The Office of Management and Budget (OMB) created the FedRAMP program office and the Joint Authorization Board in 2011, but neither has the authority to enforce agency FedRAMP compliance.

http://www.nextgov.com/cloud-computing/2014/10/fedramp-toothless-unauthorized-cloud-systems-abound-agencies-igs-say/96569/

[Note: There are really 3 major findings here: (1) The Federal CIO issued a “cloud first edict” back in 2011, before the FedRAMP process was operational, with no accredited services yet available. (2) OMB never provided guidance on contractual terms for government procurements of cloud services. (3) Government agencies that routinely fail audits on the asset inventory of their own systems are failing audits of the inventory of the cloud services they use. The first two findings reflect on the “Cloud First” approach vs. the “Secure Cloud First” approach that could have been pushed. The third finding is just another advertisement for the Critical Security Controls.]

+ Poodle Vulnerability Breaks SSL 3.0

A vulnerability that has been given the name Poodle could put systems at risk of man-in-the-middle attacks. Poodle, which stands for Padding Oracle on Downgraded Legacy Encryption, allows attackers to break SSLv3, also known as SSL 3.0, which is an outdated yet still used cryptographic protocol.

http://www.nbcnews.com/tech/security/new-poodle-bug-takes-bite-out-ssl-3-0-web-n225911

http://www.wired.com/2014/10/poodle-explained/

Internet Storm Center: https://isc.sans.edu/forums/diary/OpenSSL+SSLv3+POODLE+Vulnerability+Official+Release/18827

https://isc.sans.edu/forums/diary/POODLE+Turning+off+SSLv3+for+various+servers+and+client+/18837

https://www.sans.org/webcasts/about-poodle-99032

[Note: It is tricky to accurately determine the impact of this vulnerability. The issue is tricky to exploit, and so far, we haven’t seen any evidence of exploitation against vulnerabilities like BEAST. But overall, SSLv3 is showing its age and you should consider disabling it. Browsers have started to disable SSLv3, or at least no longer support block ciphers with SSLv3, which is a bit of a questionable choice.

— An additional link to this story: https://poodletest.com  (site to test your browser for SSLv3 support)]

 

 

+ Clip-on amplifier eavesdrops on conversations and translates in real time

http://www.dailymail.co.uk/sciencetech/article-2788297/the-hearing-aid-spies-clip-amplifier-eavesdrops-conversations-translates-foreign-languages-real-time.html

 

 

+ Protect Your Small Business From Being a Target

http://m.huffpost.com/us/entry/5830762?utm_hp_ref=technology&ir=Technology

 

 

+ Beating the bugs | security first

http://m.theengineer.co.uk/1019375.article?mobilesite=enabled

 

 

+ 13 steps through a data breach

http://www.csoonline.com/article/2824006/data-protection/165657-13-steps-through-a-data-breach.html?source=CSONLE_nlt_update_2014-10-14

 

 

+ Security Education K Through Life

http://www.darkreading.com/operations/security-education-k-through-life/a/d-id/1316498

 

 

+ In Cyber Sec? You better be able to answer 9 questions that every company must do

https://www.linkedin.com/today/post/article/20141009125637-9135099-in-cyber-sec-you-better-be-able-to-answer-these-questions

 

 

 

 

 

+++  THREATS / bad news stuff / etc  +++

 

 

+ Florida Supreme Court Says Warrant Required for Cell Phone Tracking

Florida’s Supreme Court has ruled that law enforcement must obtain a warrant before collecting cell phone location data. The court ruled that obtaining cell tower location data from service providers in real-time constitutes a Fourth Amendment search and therefore requires a warrant.

The case involves cell data from a provider but could likely be applied to devices like StingRays, which simulate cell tower signals.

http://www.wired.com/2014/10/florida-court-requires-warrant-cell-tower-data/

http://arstechnica.com/tech-policy/2014/10/florida-court-come-back-with-a-warrant-to-track-suspects-via-mobile-phone/

 

 

+ Browser makers spell out anti-POODLE plans

The top three browser makers announced yesterday how they will deal with the design flaw in SSL 3.0 after researchers revealed that their “POODLE” attack method can steal encrypted information and pilfer browser session cookies. Microsoft, Google and Mozilla all told users of their browsers — Internet Explorer, Chrome and Firefox, respectively — how they will handle the SSL 3.0 flaw, which cyber criminals could exploit using “man-in-the-middle” attacks to make off with session cookies. Those stolen cookies would let the hackers impersonate their victims, automatically logging into sites to, for example, make online purchases, read email or lift files from cloud storage services.

http://www.computerworld.com/article/2834312/browser-makers-spell-out-anti-poodle-plans.html#tk.rss_news

 

Google details new “Poodle” bug, making browsers susceptible to hackers

Google’s security team detailed today a new bug that takes advantage of a design flaw in SSL version 3.0, a security protocol created by Netscape in the mid 1990s. The researchers called it a Padding Oracle on Downgraded Legacy Encryption bug, or POODLE. Although the protocol is old, Google said that “nearly all browsers support it” and it’s available for hackers to exploit. Even though many modern-day websites use the TLS security protocol (essentially, the next-generation SSL) as their means of encrypting data for a secure network connection between a browser and a website, things can run amok if the connection goes down for some reason.

https://gigaom.com/2014/10/14/google-details-new-poodle-bug-making-browsers-susceptible-to-hacking/

 

‘POODLE’ Attacks, Kills Off SSL 3.0

A newly discovered design flaw in an older version of the SSL encryption protocol could be used for man-in-the-middle attacks — leading some browser vendors to remove SSL 3.0 for good. Disable SSL 3.0 in browsers and servers: that’s the recommendation of security experts in the wake of the discovery of a serious flaw in the nearly 15-year-old version of the encryption protocol. The flaw could allow an attacker to wage a man-in-the-middle attack against a user…. Google researchers announced late yesterday that they had discovered a vulnerability (CVE-2014-3566) in the older SSL (version 3) that could allow man-in-the-middle attacks on a user’s encrypted web and other communications sessions. However, the so-called POODLE (Padding Oracle On Downgraded Legacy Encryption) attack would be tough to pull off, and the most likely scenario would be a determined attacker targeting a user or group of users, security experts say.

http://www.darkreading.com/attacks-breaches/poodle-attacks-kills-off-ssl-30/d/d-id/1316663?_mc=NL_DR_EDT_DR_weekly_20141016&cid=NL_DR_EDT_DR_weekly_20141016&elq=d6503258b81a40c1944503045cff24d6&elqCampaignId=9632
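The POODLE items above (this one and the earlier “Poodle Vulnerability Breaks SSL 3.0” write-up) all end with the same advice: find out whether your servers still negotiate SSLv3 and turn it off. As an added example that is not from the newsletter or any of the linked articles, here is a Python check that parses a captured ServerHello record and reports whether the server settled on SSLv3, and whether it did so with a CBC cipher suite (the combination POODLE needs). The sample records are constructed in the code, not real captures, and the cipher-suite table covers only a handful of common suites.

```python
"""Report the protocol version and cipher suite a server actually negotiated.

Added example (not from the newsletter). Parses the SSL/TLS record header and
the ServerHello handshake body so that captured handshakes can be checked for
SSLv3 negotiation. All sample records below are constructed for illustration.
"""
import struct

# Protocol versions as (major, minor) pairs; SSLv3 is 3.0, TLS 1.x is 3.1-3.3.
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

# A few common cipher suite ids (IANA values) and whether they use CBC mode.
# POODLE needs SSLv3 *and* a CBC suite; the RC4 suites are stream ciphers.
CIPHER_SUITES = {
    0x0004: ("TLS_RSA_WITH_RC4_128_MD5", False),
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", False),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", True),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", True),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", True),
}

RECORD_HANDSHAKE = 0x16        # record-layer content type for handshake messages
HANDSHAKE_SERVER_HELLO = 0x02  # handshake message type for ServerHello


def parse_server_hello(record: bytes) -> dict:
    """Parse one handshake record holding a ServerHello.

    Returns the record-layer version, the version the server selected in the
    ServerHello body (the one that matters) and the chosen cipher suite id.
    Raises ValueError on malformed input so a caller can log it and move on.
    """
    if len(record) < 5:
        raise ValueError("record too short for a record header")
    ctype, rmajor, rminor, rlen = struct.unpack("!BBBH", record[:5])
    if ctype != RECORD_HANDSHAKE:
        raise ValueError(f"not a handshake record (type {ctype:#x})")
    body = record[5:5 + rlen]
    if len(body) != rlen:
        raise ValueError("record length field does not match payload")
    if len(body) < 4:
        raise ValueError("handshake header truncated")
    htype = body[0]
    hlen = int.from_bytes(body[1:4], "big")
    if htype != HANDSHAKE_SERVER_HELLO:
        raise ValueError(f"not a ServerHello (handshake type {htype:#x})")
    hello = body[4:4 + hlen]
    if len(hello) != hlen:
        raise ValueError("handshake length field does not match payload")
    # ServerHello layout: version(2) random(32) session_id<0..32> cipher_suite(2) compression(1)
    if len(hello) < 35:
        raise ValueError("ServerHello truncated before session_id")
    smajor, sminor = hello[0], hello[1]
    sid_len = hello[34]
    off = 35 + sid_len
    if len(hello) < off + 3:
        raise ValueError("ServerHello truncated before cipher_suite")
    cipher = int.from_bytes(hello[off:off + 2], "big")
    return {"record_version": (rmajor, rminor),
            "server_version": (smajor, sminor),
            "cipher_suite": cipher}


def assess(record: bytes) -> str:
    """Classify a ServerHello: 'poodle-vulnerable', 'sslv3-negotiated' or 'ok'."""
    info = parse_server_hello(record)
    _, is_cbc = CIPHER_SUITES.get(info["cipher_suite"], ("unknown", None))
    if info["server_version"] == (3, 0):
        # Any SSLv3 negotiation should be fixed; flag the CBC case separately.
        return "poodle-vulnerable" if is_cbc else "sslv3-negotiated"
    return "ok"


def build_server_hello(version: tuple, cipher_suite: int) -> bytes:
    """Build a minimal ServerHello record (constructed test data, zero random)."""
    hello = bytes(version) + bytes(32) + b"\x00" + struct.pack("!H", cipher_suite) + b"\x00"
    handshake = bytes([HANDSHAKE_SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BBBH", RECORD_HANDSHAKE, *version, len(handshake)) + handshake


def scan(captures: dict) -> dict:
    """Run assess() over {label: record}, keeping going past malformed input."""
    results = {}
    for label, rec in captures.items():
        try:
            results[label] = assess(rec)
        except ValueError as exc:
            results[label] = f"unparseable: {exc}"
    return results


if __name__ == "__main__":
    samples = {  # constructed records, not real captures
        "legacy-host": build_server_hello((3, 0), 0x002F),
        "rc4-only-host": build_server_hello((3, 0), 0x0005),
        "modern-host": build_server_hello((3, 3), 0x002F),
        "app-data-record": b"\x17\x03\x00\x00\x01\x00",
    }
    for label, verdict in scan(samples).items():
        print(f"{label}: {verdict}")
```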

 

 

+ Linux botnet Mayhem spreads through Shellshock exploits

Shellshock continues to reverberate: Attackers are exploiting recently discovered vulnerabilities in the Bash command-line interpreter in order to infect Linux servers with a sophisticated malware program known as Mayhem. Mayhem was discovered earlier this year and was thoroughly analyzed by researchers from Russian Internet firm Yandex. It gets installed through a PHP script that attackers upload on servers via compromised FTP passwords, website vulnerabilities or brute-forced site administration credentials.

http://www.computerworld.com/article/2824625/linux-botnet-mayhem-spreads-through-shellshock-exploits.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+computerworld%2Fnews%2Ffeed+%28Latest+from+Computerworld%29#tk.rss_all

 

 

+ FBI warns U.S. businesses of cyber attacks, blames Beijing

The U.S. Federal Bureau of Investigation said on Wednesday that hackers it believes to be backed by the Chinese government have recently launched attacks on U.S. companies. The “flash” warning to businesses described tools and techniques used by the hackers and asked companies to contact federal authorities if they believe they are the victims of such attacks. The document said the agency recently obtained information regarding “a group of Chinese government affiliated cyber actors who routinely steal high-value information from U.S. commercial and government networks through cyber espionage.”

http://www.reuters.com/article/2014/10/16/us-usa-cybersecurity-china-idUSKCN0I42MU20141016?feedType=RSS&feedName=technologyNews

 

 

+ FBI’s most wanted hackers: A bingo buff, Chinese military members, and a PI for the brokenhearted

Five Chinese nationals, a bingo player, and the mastermind of a spyware service for abandoned lovers were some of the fugitives spotlighted on the FBI’s Cyber’s Most Wanted list in recognition of October’s Cybersecurity Awareness Month. The FBI has put a collective $445,000 bounty on the heads of some of the nearly 30 sought-after hackers, many of whom are holdovers from last year’s list. On Tuesday, the bureau specifically put out an APB for the cyber outlaws.

http://www.nextgov.com/cybersecurity/2014/10/fbis-most-wanted-hackers-bingo-player-chinese-military-members-and-pi-brokenhearted/96467/

 

 

+ Russian hackers use ‘zero-day’ to hack NATO, Ukraine in cyber-spy campaign

A Russian hacking group probably working for the government has been exploiting a previously unknown flaw in Microsoft’s Windows operating system to spy on NATO, the Ukrainian government, a U.S. university researcher and other national security targets, according to a new report. The group has been active since at least 2009, according to research by iSight Partners, a cybersecurity firm. Its targets in the recent campaign also included a Polish energy firm, a Western European government agency and a French telecommunications firm.

http://www.washingtonpost.com/world/national-security/russian-hackers-use-zero-day-to-hack-nato-ukraine-in-cyber-spy-campaign/2014/10/13/f2452976-52f9-11e4-892e-602188e70e9c_story.html?wpisrc=nl-headlines&wpmm=1

 

 

+ DHS: Attackers hacked critical manufacturing firm for months

An unnamed manufacturing firm vital to the U.S. economy recently suffered a prolonged hack, the Department of Homeland Security has disclosed. The event was complicated by the fact that the company had undergone corporate acquisitions, which introduced more network connections, and consequently a wider attack surface. The firm had more than 100 entry and exit points to the Internet. The case contains a lesson for civilian and military agencies, both of which are in the early stages of new initiatives to consolidate network entryways.

http://www.nextgov.com/cybersecurity/2014/10/dhs-attackers-hacked-critical-manufacturing-firm-months/96317/

 

 

+ In Plain Sight: How Cyber Criminals Exfiltrate Data Via Video

Just like Fortune 500 companies, attackers are investing in sophisticated measures that let them fly beneath the radar of conventional security.

http://www.darkreading.com/attacks-breaches/in-plain-sight-how-cyber-criminals-exfiltrate-data-via-video-/a/d-id/1316725?_mc=NL_DR_EDT_DR_daily_20141020&cid=NL_DR_EDT_DR_daily_20141020&elq=7a7453c243aa481d94b915bca5d4564f&elqCampaignId=9698

 

 

+ Hackers strike defense companies through real-time ad bidding

http://www.pcworld.com/article/2835332/hackers-strike-defense-companies-through-realtime-ad-bidding.html

 

 

+ Operation DeathClick APT Malvertising Campaign

http://threatpost.com/apts-target-victims-with-precision-ephemeral-malvertising/108906

 

 

+ Hacked: The six most common ways non-tech people fall victim

http://www.zdnet.com/hacked-the-six-most-common-ways-non-tech-people-fall-victim-7000034743/

 

 

+ The Big Password Mistake That Hackers Are Hoping You’ll Make

http://m.huffpost.com/us/entry/5995208

 

 

+ So.. Never mind the POODLE, there’re NEW OpenSSL bugs to splat…

Four new patches for open-source crypto libraries

http://www.theregister.co.uk/2014/10/15/openssl_ddos_vulns/

 

 

+ CVE-2014-4114: Details on August BlackEnergy PowerPoint Campaigns

http://www.welivesecurity.com/2014/10/14/cve-2014-4114-details-august-blackenergy-powerpoint-campaigns/

 

 

 

 

+++  SD/SoCAL security events / opportunities  +++

 

 

+ CyberTECH events / networking / startups / etc  —  THE cyber happening place in SD!!!  Join their Meetup Group for the latest event information!   The definition of “Cyber KEWEL”

http://www.meetup.com/cybertech/

 

 

OCT

 

22 – ISC2 Monthly meeting – (6PM)  Topic: “Model-Driven Security for Policy Automation & Compliance Automation” by Dr Ulrich Lang…    ALSO Chapter officer elections

 

23 – ISSA Monthly meeting –  (11:30 – 1 PM) Cyber enabled Privacy by Design (PbD) – Learn how and why privacy protections sell security better than FUD.   By Mike Davis

http://www.sdissa.org/home/next-meeting/october2014-generalmeeting-cyberenabledprivacybydeignpbd

 

27 – NDIA & CCOE….  Present the local Cyber Military / SPAWAR effort… as the Navy’s Cyber Security Center of Excellence..   CCOE overview introduction and the California Cyber Task Force strategy… then SPAWAR and the Navy’s presentation on cyber security budgets, threats and the future   at Sheraton Hotel and Conference Center    11:30am to 4:00pm  ($35.00)

https://events.r20.constantcontact.com/register/eventReg?oeidk=a07e9s8f8c6e61c3fca&oseq=&c=&ch=

 

 

NOV

 

1  (Sat) – INCOSE Conference – (8:30 to 4)  Model based systems engineering and beyond.  At UCSD Extension University City Center…

http://www.sdincose.org/2014-fall-mini-conference

 

+++ Webster University comes to town – with their graduate cyber security program – the first formal semester starts in JAN, but also providing three, one-day, Cybersecurity seminar courses as an introduction and a service to the community (AND they provide 12 CEUs for cyber certs too!) –  the 3 cyber seminar pamphlets are at: (and for more info contact Madeline at MGervais@webster.edu)

http://www.webster.edu/sandiego/academic-programs/cyber-security-seminars-sandiego.html

 

8 – Webster University – All day Sat (8 – 5), 1-unit graduate class – “Cyber Security for the next decade” by Gene Anderson.   www.linkedin.com/pub/gene-anderson/3/1a8/453

 

15 – Webster University – All day Sat (8 – 5), 1-unit graduate class – “Personal Cyber-Security for the Business Executive, Officer or others that have access to sensitive information” –

Dr Mogilner     www.linkedin.com/pub/alijandra-mogilner/1/1a9/490

 

17 –  (Mon) Joint ISACA & ISSA – (11:30 – 1PM)    Annual CISO Panel at ADM Baker Field.

https://www.google.com/calendar/render?eid=N2hlaDVtbWowNWFxZ2Mzb3Btdm5xMzUxNm8gc2Rpc3NhLm9yZ184cmV2NGpzN21tb3A5ZXJoanRlaHZrMTF2NEBn&ctz=America/Los_Angeles&sf=true&output=xml#f

 

20 –  OWASP Monthly meeting  (6PM)  Joint Speakers: Alex Rice/Facebook & HackerOne and Katie Moussouris/HackerOne —   Topic: AppSec Bug Bounty Programs – Story-Telling

http://www.meetup.com/Open-Web-Application-Security-Project-San-Diego-OWASP-SD/events/158734812/

 

22 – Webster University – All day Sat (8 – 5), 1-unit graduate class – “Cyber enabled business risk management” by Mike Davis   http://www.linkedin.com/in/mikedavissd

 

 

+++  Future events in planning  FYI:

 

TBD  – Provided by IEEE Cyber SIG / Various Security groups – all day – – Privacy by design workshop – a cyber model & why you must be part of this initiative!  (at Coleman University –  AM Technical approach… PM public discussions)   +++  Help move SD forward in cyber –  DOING security vs admiring the problem…. SO engage and help out on cyber 4 PbD!!!

http://www.sciap.org/blog1/wp-content/uploads/Privacy-by-Design-cyber-security.pdf

 

 

TBD  Started planning “BigDataDay 4 SD” on a SAT early winter….  Jump in and help us!

We went to the one in LA and it was great…   likely our three tracks will be:

–  Technical =  Hadoop/Hbase/NoSQL;

–  Data science = predictive analytics, etc

–  Applications = actual products, etc… Privacy / data security…

 

TBD – Cross Border cyber opportunities – MX/TJ and CA/SD collaboration event!!!  (last week in JAN)

        

—————————————————————————————————————

OCTOBER 12

+ Achieving True IoT Integration With Insurance

Telematics efforts under way in the insurance industry can be amplified by leveraging the Internet of Things more fully. We’ve all heard the hype around usage-based insurance, where fees and premiums are dictated by how you drive, as well as mile-based auto insurance, which gauges your insurance costs based on what type of car you drive and how far you drive it.

http://www.insurancetech.com/achieving-true-iot-integration-with-insurance/a/d-id/1316503?cid=NL_IST_EDT_IST_daily_20141009&_mc=NL_IST_EDT_IST_daily_20141009&elq=c3dc7ef9daa74f8989684f021896ba8d&elqCampaignId=9388

 

 

+ Gartner: Top 10 strategic predictions for businesses to watch out for

http://www.networkworld.com/article/2692494/careers/gartner-top-10-strategic-predictions-for-businesses-to-watch-out-for.html?source=NWWNLE_nlt_daily_am_2014-10-07&utm_content=buffer4abd0&utm_medium=social&utm_source=linkedin.com&utm_campaign=buffer#tk.rss_all

 

 

+ Unveiling The Bay Area’s 10 Most In Demand Startups of 2014

[INFOGRAPHIC] (Think cyber support to those capabilities)

http://talent.linkedin.com/blog/index.php/2014/10/most-indemand-startups-2014?utm_source=linkedin&utm_medium=social&utm_campaign=sponsoredupdate&veh=55517937742&sf5095571=1

 

 

+ Internet of Things Is the New Big Data?

The hot topic is to follow the Industrial Internet.  GE is leading it.  Put $1B behind it for seed money.  After 18 months there are 100 large companies in the consortium.  Telematics, nano,  additive manufacturing, embedded HPC are all in the mix….

http://cloudcomputing.sys-con.com/node/3152258

 

 

+ Losing the cyber war.. infograph.   Great numbers… stats..

http://betanews.com/wp-content/uploads/2014/10/Cyberwar_640.jpg

 

 

+  Information Assurance policy chart update

Great tool!     Sad too… so many rules..

http://iac.dtic.mil/csiac/ia_policychart.html

 

 

 

+++  Cyber Security News you can likely use  +++

 

+ Insurers flush with capital are rushing to grab part of an expanding cyber coverage market that’s been spurred on by high-profile hackings at JPMorgan Chase & Co. and Home Depot Inc.

Sales are set to double this year from about $1 billion in 2013, said Bob Parisi, head of the network security and privacy practice at Marsh, the insurance brokerage arm of Marsh & McLennan Cos. The policies cover against lost revenue, lawsuits, and damage to reputation.  “There is a lot of capital looking to find a home,” said Rick Welsh, head of cyber-coverage at Aegis London, which sells policies through Lloyd’s of London. “They now see cyber-insurance as a once-in-a-generation opportunity that is set for growth.”

http://crnfpn.advisen.com/fpnHomepagep.shtml?resource_id=2263196452222

 

 

+ FDA guidance on medical device cybersecurity: Too little too late?

The Food and Drug Administration (FDA) has taken an important step forward in better protecting patients and their data with the release of new guidelines on managing cybersecurity risks of medical devices this week. Despite being a step in the right direction, it unfortunately comes late. Today’s cyber adversary can easily bypass perimeter defenses and quickly find a foothold in almost any network, even those applying “bank grade” security. Healthcare networks are usually not bank grade, and provide a target rich environment once an attacker is in.

http://www.forbes.com/sites/groupthink/2014/10/03/fda-guidance-on-medical-device-cybersecurity-too-little-too-late/

 

 

+ DoD may invite cloud vendors into government data centers

The US Department of Defense is exploring the idea of having commercial cloud vendors use secure DoD data centers and facilities to deliver private cloud services to the military. The goal, explained in a just-published Request for Information document, is to put in place an ecosystem that will allow the DoD to take advantage of commercial cloud computing technologies while ensuring the level of security needed to run highly sensitive workloads. One option being explored is a Data Center Leasing Model (DCLM), under which cloud vendors would be allowed to lease out rack or floor space in DoD data centers and run their hardware and software from them. Selected vendors would be subjected to security scrutiny and an accreditation process before being allowed leased space in DoD’s core data centers. The vendors would deliver their services for the military wholly from inside the DoD data centers.

http://www.informationweek.com/government/cloud-computing/dod-may-invite-cloud-vendors-into-govt-data-centers/d/d-id/1316340?_mc=RSS_IWK_EDT

 

 

+ There are only ‘around 100’ cybercriminal kingpins behind global cybercrime

That is according to the head of Europol’s Cybercrime Centre. Speaking to the BBC’s Tech Tent radio show, Troels Oerting said that law enforcers needed to target the ‘rather limited group of good programmers’. “We roughly know who they are. If we can take them out of the equation then the rest will fall down,” he said … (MAYBE… cyber crime is too easy, cheap. Automated.. anyone can be good at it…;-((

http://www.bbc.com/news/technology-29567782

 

 

+  Big Data Ethics Whitepaper

The Information Accountability Foundation on Wednesday released its first paper on its Big Data Ethics Project. The project aims to create tools for businesses and law enforcement authorities to ensure big data benefits while preventing negative outcomes such as discrimination or misuse of data. Governance, according to the paper, is key. “To establish big data governance, the foundation believes in the need for a common ethical frame based on key values and the need for an interrogation framework,” the paper states. “In formulating a frame, we concluded the following: Governance requires enforcement; big data enforcement needs to be explored by stakeholders, and interrogation frameworks should be customized (at least at the industry level and possibly down to the company level).”

http://informationaccountability.org/wp-content/uploads/IAF-Unified-Ethical-Frame-v1-08-October-2014.pdf

 

 

+ How To Be A ‘Compromise-Ready’ Organization

Incident response pros share tips on how to have all your ducks in a row before the inevitable breach…. You’d think an accurate, up-to-date network diagram would be a given at most organizations, but forensics and incident responders say that’s one of the more common missing puzzle pieces when they first respond to a client’s data breach

http://www.darkreading.com/perimeter/how-to-be-a-compromise-ready-organization/d/d-id/1316516?_mc=NL_DR_EDT_DR_daily_20141010&cid=NL_DR_EDT_DR_daily_20141010&elq=ec444c1e7d9046999190d6531cc9b62d&elqCampaignId=9415

 

 

+ How A Major Bank Hacked Its Java Security

Deutsche Bank London helped create a new application self-defense tool to lock down and virtually patch its Java-based enterprise applications — even the oldest ones.

http://www.darkreading.com/application-security/how-a-major-bank-hacked-its-java-security/d/d-id/1316216?_mc=NL_DR_EDT_DR_daily_20141001&cid=NL_DR_EDT_DR_daily_20141001&elq=f11ebd854a5c4e03ace92aa6b8cac9c1&elqCampaignId=9062

 

 

+  MasterCard unveils tool to tackle cyber threat

With the huge data breaches at Target and Home Depot fresh in the memory, MasterCard has launched a tool designed to protect against cyber attacks on banks and processors.

http://www.finextra.com/news/fullstory.aspx?newsitemid=26532

 

 

+ Banks are struggling with cybersecurity.

That doesn’t bode well for other industries.

http://www.washingtonpost.com/blogs/the-switch/wp/2014/10/03/banks-are-struggling-with-cybersecurity-that-doesnt-bode-well-for-other-industries/

 

 

+ We Want Privacy, but Can’t Stop Sharing    =   PbD to the rescue!

Hence why we need a cyber enabled privacy by design!   Help others protect themselves…. automatically..  whatever avatar they are in at the time…    Agnostic to most of the privacy requirements churn… global variance… etc…

We have an open privacy framework we’re promoting that does that  (with products to make it work now)

http://mobile.nytimes.com/2014/10/05/sunday-review/we-want-privacy-but-cant-stop-sharing.html?mabReward=RI%3A7&_r=0&referrer=

 

 

+ What is the cost of cyber crime? Looking past the headlines.

Dr. Larry Ponemon says the headlines don’t tell the whole story about cyber crime. The Ponemon Institute just completed their fifth annual study on the cost of cyber crime to businesses around the world.  For example, the headlines suggest the cost of cyber attacks is rising. And our research confirmed it is—up to $12.7 million annually per company in the U.S. And as cyber criminals become more skilled at hiding their attacks, the time to resolve incidents increased to 45 days, up from 32 days just last year. That’s a 41 percent increase and accounts for much of the increased cost.

http://h30499.www3.hp.com/t5/HP-Security-Products-Blog/What-is-the-cost-of-cyber-crime-Looking-past-the-headlines/ba-p/6636506#.VDxJCfldVdQ

 

 

+ FDA Takes Steps to Strengthen Cybersecurity of Medical Devices

To strengthen the safety of medical devices, the U.S. Food and Drug Administration today finalized recommendations to manufacturers for managing cybersecurity risks to better protect patient health and information. The final guidance, titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” recommends that manufacturers consider cybersecurity risks as part of the design and development of a medical device, and submit documentation to the FDA about the risks identified and controls in place to mitigate those risks.

http://crnfpn.advisen.com/fpnHomepagep.shtml?resource_id=225741004583896878&userEmail=mike.davis.sd@gmail.com#top

 

 

+ You’re the Boss: Protecting Your Business From a Data Breach

Andrew Bagrin, founder and chief executive of My Digital Shield, a data security firm in Wilmington, Del., that serves small businesses, says business owners often feel that because they are small, they really aren’t at risk. “So I’ll ask them,” he said, “How many credit cards do you take in a month?” Hackers are looking for information they can use regardless of where it comes from… SMBs take notice!!!

http://crnfpn.advisen.com/fpnHomepagep.shtml?resource_id=225559463566583177&userEmail=mike.davis.sd@gmail.com#top

 

 

+ Critical Infrastructure Cyber Community C³ Voluntary Program

Very good resources…  especially the CRR – Cyber Resilience Review… service and tool!

https://www.us-cert.gov/ccubedvp

 

 

+  CISOs Reveal Top Threat Worries

http://www.bankinfosecurity.com/interviews/top-threats-that-frighten-cisos-i-1769

 

 

 

 

+++  FYI / FYSA   +++

 

 

+ Should feds be afraid of a popular Chinese chat app?

Even as trendy voice and text-messaging app WeChat, owned by China-based firm Tencent, has gained in popularity, the app is dogged by allegations it serves as an instrument of industrial espionage, according to U.S. technical experts. A large number of Chinese Americans in California, including U.S. government contractors, use the tool for social communications – either because they are drawn to its features or grew accustomed to using its Chinese version, “Weixin,” when living in China. The company denies the chat app is effectively a surveillance arm of the Chinese government. But the globalization of the app is causing particular alarm about intellectual property theft and U.S. national security.

http://www.nextgov.com/cybersecurity/2014/10/should-feds-be-afraid-popular-chinese-chat-app/95696/

 

 

+ DHS no longer needs permission slips to monitor other agencies’ networks for vulnerabilities

The Department of Homeland Security has spelled out its intentions to proactively monitor civilian agency networks for signs of threats, after agencies arguably dropped the ball this spring in detecting federal websites potentially harboring the Heartbleed superbug. Annual rules for complying with the 2002 Federal Information Security Management Act released Friday require agencies to agree to proactive scanning. The regulations also contain new requirements for notifying DHS when a cyber event occurs.

http://www.nextgov.com/cybersecurity/2014/10/dhs-no-longer-needs-permission-slips-monitor-other-agencies-networks-vulnerabilities/95807/

 

 

+ Government Says Accessing Foreign Servers Without a Warrant is Legal

The US Justice Department maintains that the government can break into servers outside the country without a warrant. The statement is part of a response to a motion from the legal team of alleged Silk Road mastermind Ross Ulbricht, which claimed that the government’s activity violated their client’s Fourth Amendment rights and that all information the government gathered when it accessed Silk Road servers should be suppressed.

http://www.forbes.com/sites/katevinton/2014/10/08/feds-say-that-even-if-the-fbi-hacked-silk-road-ulbrichts-rights-werent-violated/

 

 

+ Incident Response is Failing In All Areas

In a keynote speech at the IP Expo conference in London, Bruce Schneier said that while preventing and detecting attacks is necessary, organizations need to pay more attention to incident response, because attacks are inevitable, and the ability to recover quickly is essential to an organization’s integrity.

http://www.theregister.co.uk/2014/10/09/your_security_defences_are_going_to_fall_get_over_it_schneier/

 

 

+ UK Police Say Some Smartphones Have Been Remotely Wiped After Seizure

Police in the UK have reported that several mobile phones in their possession as evidence have been remotely wiped. The feature is designed to prevent owners’ data from being exposed if a phone is stolen. ((Since remote wipe is an important security feature, this piece should really be titled “UK Police Forget to Protect Seized Smartphones from Remote Wipe…”))

http://www.bbc.com/news/technology-29464889

http://www.zdnet.com/smartphones-remotely-wiped-in-police-custody-as-encryption-vs-law-enforcement-heats-up-7000034521/

 

 

+ Heartland CEO Talks About Security

Unlike many executives at companies that have experienced major breaches, Heartland Payment Systems’ CEO Robert Carr has spoken candidly about the company’s 2008 breach and what they have learned from the experience. Carr said that Heartland decided it was “not going to clam up and try to point fingers at somebody else,” and instead, took steps to improve information security, implementing end-to-end encryption, tokenization, and EMV chip-and-PIN payment card technology. Carr also said that “liability needs to be held by the breached party. Otherwise, there’s no other way to police anything.”

http://www.darkreading.com/attacks-breaches/heartland-ceo-on-why-retailers-keep-getting-breached/d/d-id/1316388?_mc=sm_dr

[Note: The Heartland CEO points out “… a lot of companies haven’t implemented the basics, and they are paying the price for it.” This echoes Verizon’s findings in their Data Breach Investigation Report that more than 75% of breaches took advantage of simple vulnerabilities; the DBIR also includes a chart that maps breaches in various industries to the Critical Control that would have prevented each breach…]

 

 

+ Don’t Be a Cyber Target: A Primer for Boards and Senior Management (a little dated but a great refresher!)

Before 2014, companies had become somewhat complacent about breaches.  The media had too; it had to be a big breach before it became headline material.  Then came Target.  Now every board and CEO must be sitting on the edge of their chair…fearing that maybe their systems are not as “bullet proof” as they have boasted, or hoped.  The 2008, 2010, and 2012 Carnegie Mellon CyLab Governance Reports (which I authored) clearly show that directors and officers (D&Os) do not understand how serious cyber risks are or how to manage them.   They are beginning to realize, however, that there are best practices for cyber governance, and this involves more than asking interesting questions now and then or accommodating an annual ten-minute IT report on the board agenda.

http://www.forbes.com/sites/jodywestby/2014/01/20/dont-be-a-cyber-target-a-primer-for-boards-and-senior-management/

 

 

+ The Privacy Pillory and the Security Rack: The Enforcement Toolkit

https://www.linkedin.com/pulse/article/20141010044727-2259773-the-privacy-pillory-and-the-security-rack-the-enforcement-toolkit?trk=mp-reader-card

 

 

+ Software Assurance: Time to Raise the Bar on Static Analysis

The results from tools studies suggest that using multiple tools together can produce more powerful analytics and more accurate results.

http://www.darkreading.com/application-security/software-assurance-time-to-raise-the-bar-on-static-analysis-/a/d-id/1316159?_mc=NL_DR_EDT_DR_daily_20141001&cid=NL_DR_EDT_DR_daily_20141001&elq=f11ebd854a5c4e03ace92aa6b8cac9c1&elqCampaignId=9062

 

 

+ House Intelligence Chair Wants To Increase Offensive Cyber Operations Against Russia;

Moscow Suspected To Be Behind JP Morgan Chase Cyber Breach – Retaliation For U.S./Western Sanctions

House Intelligence Committee Chairman Mike Rogers (R-Mich.) believes the United States should be conducting more disruptive cyber attacks against nations like Russia. “I don’t think we’re using all our cyber-capability to disrupt,” actors in Russia targeting U.S. interests

http://fortunascorner.com/2014/10/04/house-intelligence-chair-wants-to-increase-offensive-cyber-operations-against-russia-moscow-suspected-to-be-behind-jp-morgan-chase-cyber-breach-retaliation-for-u-s-western-sanctions/

 

 

+ OWASP Top 10 Privacy Risks Presented at Inaugural IPEN Workshop

The first workshop of the Internet Privacy Engineering Network (IPEN), recently founded by the European Data Protection Supervisor (EDPS), could not have had a more symbolic location: ….. Further, insecure protocols and the lack of technical measures to protect data in current Internet technology make it easy to circumvent privacy. For these reasons and more, IPEN was founded to support the development of privacy-friendly technologies and raise awareness not only among software engineers.

https://privacyassociation.org/news/a/owasp-top-10-privacy-risks-presented-at-inaugural-ipen-workshop-in-berlin/

 

 

+ APT: The Best Defense Is a Full Spectrum Offense (MAYBE – BUT don’t do illegal acts!)

As with most things in life, the answer probably lies somewhere in the middle. One thing is clear – APT attacks have led to breaches at some very high visibility targets and have caused substantial damage. Financial institutions, government agencies and high-tech companies have all been breached using APT-type attacks. For each attack that has been made public, we really don’t know how many have gone either undetected or simply undisclosed.

http://online.ipexpo.co.uk/index.php/layout/set/print/content/download/72284/1411231/file/zscaler-apt-the-best-defense-whitepaper.pdf

 

 

+ California Updates State Breach Notification Law, Expands Security Procedures To Entities That “Maintain” Personal Information

California took further steps to protect the personal information of its residents by amending several sections of its breach notification and information security…

http://crnfpn.advisen.com/fpnHomepagep.shtml?resource_id=2261631082222&userEmail=mike.davis.sd@gmail.com#top

 

 

+ Security for businesses on the go (good infographic!)

http://community.f-secure.com/t5/BSB-Blog/Security-for-businesses-on-the/ba-p/61069

 

 

+ Taking Steps to Improve Federal Information Security

http://m.whitehouse.gov/blog/2014/10/03/taking-steps-improve-federal-information-security

 

+ A Multi-Faceted Strategy for Cyber Standardization,

http://www.slideshare.net/slideshow/embed_code/39885812

 

+ Insider threat to critical infrastructure ‘underestimated’, says DHS

http://www.fiercehomelandsecurity.com/story/insider-threat-critical-infrastructure-underestimated-says-dhs/2014-10-06

 

+ FBI opens its Malware Investigator portal to the private industry

http://securityaffairs.co/wordpress/28782/cyber-crime/fbi-malware-investigator-portal.html

 

+ 22 skills of a data scientist (what about design, testing and security = 25 skills!)

http://www.datasciencecentral.com/profiles/blogs/the-22-skills-of-a-data-scientist

+++  THREATS / bad news stuff / etc  +++

 

 

+ Tyupkin Malware Infects ATMs

ATMs around the world are being infected with malware known as Tyupkin that allows thieves to steal piles of cash. The scheme requires physical access to the targeted ATMs, both to inject the malware and to retrieve the money. Tyupkin is active only during certain times, which makes the attacks more difficult to detect. The money is gathered by so-called “mules,” who obtain one-time-use access codes for the machines from the ringleaders. The targeted machines run 32-bit Windows.

http://www.bbc.com/news/technology-29537907

http://www.zdnet.com/atm-malware-dispenses-cash-to-attackers-7000034416/

Eastern European malware allows an attacker to steal 40 bank notes of the highest value in the machine from any infected ATM. Have you ever wanted to withdraw cash without the debit appearing on your account? How about investing in a key that will allow you to rob ATMs? It is claimed that an Eastern European gang has developed a new product for carders (people who commit fraud using stolen payment card information). Instead of having to pay for high value items in-store and requesting cash back, they can simply withdraw the cash from any ATM infected by ‘Tyupkin’. The malware, identified by leading cyber security firm Kaspersky Lab, affects ATMs from a major ATM manufacturer running 32-bit Microsoft Windows.

http://www.itgovernance.eu/blog/tyupkin-atm-malware-banks-give-away-cash/

 

 

+ ATM hacking easily with RM100 chip and a free malware

A cybercrime expert explains that anyone with technical knowledge, a piece of malware and the help of an insider could easily compromise an ATM.

http://securityaffairs.co/wordpress/28920/cyber-crime/atm-hacking-rm100.html

 

 

+ New FISMA Regulations Allow DHS to Scan Some Civilian Networks

The US Office of Management and Budget (OMB) is granting the Department of Homeland Security (DHS) authority to scan certain civilian networks for indications of threats. The issue came up after DHS had to get permission from agencies to scan for Heartbleed, which delayed mitigating that threat. New rules for compliance with the Federal Information Security Management Act (FISMA) require the agencies to agree to the DHS scanning.

http://www.federalnewsradio.com/513/3715204/White-House-gives-DHS-new-powers-to-scan-some-civilian-agency-networks-for-cyber-vulnerabilities

 

 

+ Cyber-criminals could spark next financial crisis

Mark Boleat, head of policy for the City of London, said cyber-criminals would go about “destroying bank records and changing the amounts people have in their accounts”, sending shockwaves through the financial system like a “neutron bomb”. People would find that their savings have been wiped out, their records deleted, and they would come up against “denials of service”, stopping them from accessing funds, Mr Boleat told The Sunday Telegraph. The attack would bring much of the financial world grinding to a halt, and render the targeted bank useless, he warned. “A bank will disappear – a national bank.”

http://crnfpn.advisen.com/fpnHomepagep.shtml?resource_id=2263871152222

 

 

+ CHINESE ESPIONAGE: 5 Ways China Successfully Spies On Corporate America

The ongoing tiff between the U.S. and China over economic espionage activities took an unexpected turn recently, with The New York Times revealing alleged spying by the U.S. on Huawei. The Chinese company, which had been blocked by the U.S. government from acquiring companies in the United States due to security concerns, was itself reportedly being targeted by the U.S. intelligence community. Most experts still agree, though, that the Chinese are winning the industrial espionage game. According to the FBI, since 2008, economic espionage arrests have doubled, indictments have increased five-fold, and convictions have risen eightfold. Many of these cases include a Chinese nexus.

http://www.businessinsider.co.id/5-ways-china-spies-on-corporate-america-2014-3/#%2EVDe7pr5DsUU

 

 

+ Heartland CEO On Why Retailers Keep Getting Breached

Robert Carr, chairman and CEO of Heartland Payment Systems, says a lack of end-to-end encryption and tokenization were factors in recent data breaches. He’s been outspoken about the massive data breach the firm suffered on his watch in 2008 that exposed 130 million US debit and credit card accounts — the largest breach ever recorded at the time. And in a new breach era when some corporate executives such as former Target CEO Gregg Steinhafel have lost their jobs over high-profile breaches, Carr is still firmly at the helm of the payment processing firm. Carr led Heartland’s adoption of technologies like end-to-end encryption, tokenization, and EMV chip-and-PIN payment card technology to shore up its security after the breach.

http://www.darkreading.com/attacks-breaches/heartland-ceo-on-why-retailers-keep-getting-breached/d/d-id/1316388?_mc=NL_DR_EDT_DR_daily_20141007&cid=NL_DR_EDT_DR_daily_20141007&elq=b169ed61541b4ffcbe6a8084e8d8bcc7&elqCampaignId=9256

 

 

+ Are You Threatening Me? A Tutorial on Threat Modeling

http://www.tripwire.com/state-of-security/security-data-protection/are-you-threatening-me-a-tutorial-on-threat-modeling/

 

 

+ FBI Director: Every US Company a Victim of Hacking by China

James Comey says state-backed hackers in China are stealing corporate secrets worth billions of dollars.

http://www.ibtimes.co.uk/fbi-director-every-us-company-victim-hacking-by-china-1468685

 

 

+ Cyber crime: First online murder will happen by end of year, warns US firm

http://www.independent.co.uk/life-style/gadgets-and-tech/news/first-online-murder-will-happen-by-end-of-year-warns-us-firm-9774955.html

+++   SD/SoCAL security events / opportunities +++

 

OCT

 

15 – CCOE welcomes DHS to town — the San Diego Cyber Center Of Excellence (CCOE) is honored to host a national keystone event in conjunction with the U.S. Department of Homeland Security (DHS) and the National Cyber Security Alliance. FREE.

http://www.eventbrite.com/e/national-cyber-security-awareness-month-san-diego-registration-12773149835

 

16 – ISACA monthly meeting (12 – 2PM) Topic: Emerging Threats and Strategies for Defense. Speaker: Wade Walters, Solutions Architect at Alert Logic

https://www.eventbrite.com/e/october-2014-isaca-san-diego-chapter-meeting-tickets-13545317409

 

16 – OWASP monthly meeting – (6PM) – Zach Lanier From Duo Security/Build It Securely

http://www.meetup.com/Open-Web-Application-Security-Project-San-Diego-OWASP-SD/events/158734882/

 

22 – ISC2 Monthly meeting – (6PM) Topic: “Model-Driven Security for Policy Automation & Compliance Automation” by Dr Ulrich Lang. ALSO Chapter officer elections

 

23 – ISSA Monthly meeting – (11:30 – 1PM) Cyber enabled Privacy by Design (PbD) – Learn how and why privacy protections sell security better than FUD. By Mike Davis

http://www.sdissa.org/home/next-meeting/october2014-generalmeeting-cyberenabledprivacybydeignpbd

 

27 – NDIA & CCOE present the local Cyber Military / SPAWAR effort as the Navy’s Cyber Security Center of Excellence. CCOE overview introduction and the California Cyber Task Force strategy, then SPAWAR and the Navy’s presentation on cyber security budgets, threats and the future. At Sheraton Hotel and Conference Center, 11:30am to 4:00pm ($35.00)

https://events.r20.constantcontact.com/register/eventReg?oeidk=a07e9s8f8c6e61c3fca&oseq=&c=&ch=

 

 

NOV

 

1 – (Sat) INCOSE Conference – (8:30 to 4) Model-based systems engineering and beyond. At UCSD Extension University City Center…

http://www.sdincose.org/2014-fall-mini-conference

 

8 – Webster University (comes to town) – All day Sat (8 – 5), 1-unit graduate class – “Cyber Security for the next decade”, Gene Anderson. www.linkedin.com/pub/gene-anderson/3/1a8/453 (for more info contact Madeline at MGervais@webster.edu)

 

15 – Webster University – All day Sat (8 – 5), 1-unit graduate class – “Personal Cyber-Security for the Business Executive, Officer or others that have access to sensitive information”, Dr Mogilner. www.linkedin.com/pub/alijandra-mogilner/1/1a9/490 (for more info contact Madeline at MGervais@webster.edu)

 

17 – (Mon) Joint ISACA & ISSA – Annual CISO Panel (11:30 – 1PM), ADM Baker Field.

https://www.google.com/calendar/render?eid=N2hlaDVtbWowNWFxZ2Mzb3Btdm5xMzUxNm8gc2Rpc3NhLm9yZ184cmV2NGpzN21tb3A5ZXJoanRlaHZrMTF2NEBn&ctz=America/Los_Angeles&sf=true&output=xml#f

 

22 – Webster University – All day Sat (8 – 5), 1-unit graduate class – “Cyber enabled business risk management”, Mike Davis. http://www.linkedin.com/in/mikedavissd (for more info contact Madeline at MGervais@webster.edu)

 

 

+++  Future events in planning  FYI:

 

TBD  – Provided by IEEE Cyber SIG / Various Security groups – all day – – Privacy by design workshop – a cyber model & why you must be part of this initiative!  (at Coleman University –  AM Technical approach… PM public discussions)   +++  Help move SD forward in cyber –  DOING security vs admiring the problem…. SO engage and help out on cyber 4 PbD!!!

http://www.sciap.org/blog1/wp-content/uploads/Privacy-by-Design-cyber-security.pdf

 

 

TBD  Started planning “BigDataDay 4 SD” on a SAT early winter….  Jump in and help us!

We went to the one in LA and it was great… likely our three tracks will be:

–  Technical =  Hadoop/Hbase/NoSQL;

–  Data science = predictive analytics, etc

–  Applications = actual products, etc.. Privacy / data security. ..

 

TBD – Cross Border cyber opportunities – MX/TJ and CA/SD collaboration event!!! (last week in JAN)

 

___________________________________________________________

October is Cyber security month – 10 year anniversary….  For those in San Diego, see the events planned – including CyberFest THIS WED, 1 Oct.. great venue!!!

http://events.r20.constantcontact.com/register/event;jsessionid=5C9580C3DEB4919096AC6BFFCE369008.worker_registrant?llr=mr9qlimab&oeidk=a07e9jfo4or9b1958b3

 

 

+ 43% of companies had a data breach in the past year

A staggering 43% of companies have experienced a data breach in the past year, an annual study on data breach preparedness finds. The report, released Wednesday, was conducted by the Ponemon Institute, which does independent research on privacy, data protection and information security policy. That’s up 10% from the year before. The absolute size of the breaches is increasing, said Michael Bruemmer, vice president of the credit information company Experian’s data breach resolution group, which sponsored the report. “Particularly beginning with last quarter in 2013, and now with all the retail breaches this year, the size had gone exponentially up,” Bruemmer said.

http://www.usatoday.com/story/tech/2014/09/24/data-breach-companies-60/16106197/

Ponemon Institute releases second annual study on corporate data breach preparedness

Findings show that while companies are more aware and taking initial steps to prepare, they are not fully practiced and confident in their data breach response. The second annual study, Is Your Company Ready for a Big Data Breach?, found that executives are concerned about the effectiveness of their data breach response, despite taking the basic steps to prepare.

http://www.experian.com/assets/data-breach/brochures/2014-ponemon-2nd-annual-preparedness.pdf

 

 

+ ISF maps NIST’s Cybersecurity Framework

Now that the US National Institute of Standards and Technology (NIST) has released the official version of its Cybersecurity Framework for Improving Critical Infrastructure Cybersecurity, meant to promote public-private information sharing, the question becomes how to spur along implementation by organizations. To help ease the process, the Information Security Forum (ISF) has created a mapping between the framework and its annual Standard of Good Practice for IT security professionals.

http://www.infosecurity-magazine.com/news/isf-maps-nists-cybersecurity/

https://www.securityforum.org/userfiles/mx/livetest/2014sogp/isf_nist_cybersecurity-framework_executive-summary.pdf

 

 

+ White House: ‘Work as a community’ for cybersecurity

The White House wants private companies’ help to secure the country’s cyber networks. In a blog post on Friday, White House cybersecurity coordinator Michael Daniel called for companies to weigh in to the federal government and help coordinate to fight hackers. “Just as a neighborhood bands together to raise its collective safety, we can work as a community to strengthen our collective defenses to make it harder for those who wish to cause harm,” wrote Daniel, who is sometimes referred to as the Obama administration’s cyber czar.

http://thehill.com/policy/technology/218383-white-house-work-as-a-community-for-cybersecurity

 

 

+ China clamps down on web, pinching companies like Google

Google’s problems in China just got worse. As part of a broad campaign to tighten internal security, the Chinese government has draped a darker shroud over Internet communications in recent weeks, a situation that has made it more difficult for Google and its customers to do business. Chinese exporters have struggled to place Google ads that appeal to overseas buyers. Biotechnology researchers in Beijing had trouble recalibrating a costly microscope this summer because they could not locate the online instructions to do so. And international companies have had difficulty exchanging Gmail messages among far-flung offices and setting up meetings on applications like Google Calendar.

http://www.nytimes.com/2014/09/22/business/international/china-clamps-down-on-web-pinching-companies-like-google.html?partner=rss&emc=rss&_r=1

 

 

+ US Will Adopt Chip-and-PIN

The idea of storing credit card account information on a magnetic stripe, while innovative in 1960 when it was first conceived, is now vulnerable to theft, particularly because the data encoded on the magnetic stripes are static. The US is finally following the rest of the world in moving to the more secure chip-and-PIN, or EMV technology (so-called because it was started by Europay, MasterCard, and Visa).

http://www.wired.com/2014/09/emv/

[Note: The mag stripe data has been vulnerable and exploited for years, there is no “is *now*” about it. The retail industry has long considered the damage done to be less than the cost of upgrading the infrastructure. The recent spate of high visibility breaches is like the elevator video of the American football player punching his wife – the problem was there all along but publicity amplifies risk perception…..It is important to remember that while introducing Chip and Pin is a welcome move, its main impact will be on card present fraud. The experience in Europe where Chip and Pin has been in place for a number of years is that criminals will focus on card not present fraud. So it’s important merchants adjust their threat models and security postures accordingly.]

 

 

+ UK Government mandates new cyber security standard for suppliers

The government is improving cyber security in its supply chain. From 1 October 2014, all suppliers must be compliant with the new Cyber Essentials controls if bidding for government contracts which involve handling of sensitive and personal information and provision of certain technical products and services.

https://www.gov.uk/government/news/government-mandates-new-cyber-security-standard-for-suppliers

Cyber Essentials was developed by government, in consultation with industry. It offers a sound foundation of basic cyber hygiene measures which, when properly implemented, can significantly reduce a company’s vulnerability. The scheme’s set of 5 critical controls is applicable to all types of organizations, of all sizes, giving protection from the most prevalent forms of threat coming from the internet.

https://www.cyberstreetwise.com/cyberessentials/#downloads

+++ OUR USA version will be based on the NIST cyber security framework.. aka, it will be more than just a voluntary thing…but a quasi-standard…

+  Le Sueur County: first to get FAA approval for drone operations

http://i-hls.com/2014/09/le-sueur-county-first-get-faa-approval-drone-operations/?utm_source=iHLS&utm_medium=Guy&utm_campaign=RSS

 

 

+   The Joint Force Commander’s Guide to Cyberspace Operations (for you DoD types)

Good overall read of the operational side of what we all need to do to make cyber security work…

http://ndupress.ndu.edu/Portals/68/Documents/jfq/jfq-73/jfq-73_12-19_Williams.pdf

+++  Cyber Security News you can likely use  +++

 

 

Just in case you were totally disconnected, off the grid last week

+ Bash – Shellshock Flaw  –  more links in threat section below….

A serious flaw in a software component called Bash is said to be more serious than the Heartbleed vulnerability that was disclosed earlier this year. The flaw, which is being called Shellshock, can be exploited to remotely take control of vulnerable systems. It affects an estimated 500 million Unix and Linux machines. Bash, or the GNU Bourne Again Shell, is a command prompt on many Unix systems. The US Computer Emergency Response Team (US-CERT) has issued a warning and is urging admins to patch the flaw. Others have expressed concern that the patches that have been made available are incomplete.

http://www.csmonitor.com/Innovation/Latest-News-Wires/2014/0925/Cybersecurity-What-is-the-Bash-Shellshock-bug

http://krebsonsecurity.com/2014/09/shellshock-bug-spells-trouble-for-web-security/

https://www.us-cert.gov/ncas/current-activity/2014/09/24/Bourne-Again-Shell-Bash-Remote-Code-Execution-Vulnerability

 

 

+ Four Predictions for the Future of Mobile Apps

1. Far fewer apps than websites  (folks will use their top few favorites apps more than URLs)

2. Apps will become “vertical”  (supporting specific sectors, like your health)

3. Data will be kept locally   (they need some data to do things locally)

4. Power will move to mobile vendors  (customize apps.. so URLs not needed)

….so, Yes on 1 & 2..   Partially on 3 & 4

– yes more data on phones… as storage goes more into flash… but cloud storage will stay… back up.. etc..

– URLs won’t go away… just complement mobile delivery..

http://recode.net/sponsored-content/four-predictions-for-the-future-of-mobile-apps/?utm_source=facebook&utm_medium=social

 

 

+ Lessons From The Home Depot Breach:

More information continues to come out about the Home Depot “biggest breach ever,” reinforcing that something as simple as Critical Security Control 2, Inventory of Authorized and Unauthorized Software, implemented on Home Depot’s point of sale systems would have prevented the breach. Cyberpoint has used its Cyber Value at Risk tool to show how the use of whitelisting could have prevented an estimated $246M impact to Home Depot’s bottom line, and SANS’ John Pescatore has estimated that the worst-case cost for Home Depot to implement whitelisting would have been $25M. You can see the Cyberpoint CyberVaR report at

http://www.cyberpointllc.com/products/docs/CyberVaR_ScenariosAndSolutions_05.pdf

and John Pescatore’s analysis at

http://blogs.sans.org/security-trends/?p=3097

 

 

+ Less than half of feds say security is key part of their mobile strategy

Opposition from employees and unenforceable smartphone protections are the two biggest headaches for government information technology officials attempting to execute a mobile security strategy, according to new research. Even before the recent iCloud hacks bared celebrities’ explicit selfies, there were concerns about agency personnel uploading work to vulnerable cloud locations. For example, about 63 percent of government IT managers recently polled by the Ponemon Institute said there is a high likelihood employees might move business information to Internet locations such as Dropbox or Box.net without the knowledge or consent of the agency.

http://www.nextgov.com/cybersecurity/2014/09/less-half-feds-say-security-key-part-their-mobile-strategy/94667/?oref=ng-channelriver

 

 

+ Gartner: 75 percent of mobile apps will fail security tests through end of 2015

The bulk of mobile applications (75 percent) will fail basic security tests over the next 15 months or so – through the end of 2015 – leaving businesses vulnerable to attack and violations of their security policies, according to a report from Gartner. Enterprises are increasingly embracing BYOD – with more than 90 percent of enterprises using third-party commercial apps – and mobile computing is becoming an integral part of the way companies do business, according to Gartner’s findings. However, the apps that employees download from app stores as well as the mobile apps that can “access enterprise assets or perform business functions,” don’t come with security assurances.

http://www.scmagazine.com/gartner-75-percent-of-mobile-apps-will-fail-security-tests-through-end-of-2015/article/372424/

 

 

+ 10 Essential Elements for a Secure Mobility Strategy

With enhanced mobility and work flexibility comes increased information security risk. Explore the security implications and capabilities of the major mobile OS platforms and learn more about best practices to fortify security while supporting new levels of productivity.

http://www.citrix.com/content/dam/citrix/en_us/documents/oth/10-essential-elements-for-a-secure-enterprise-mobility-strategy.pdf

 

 

+ Barriers to BYOD? A lack of trust in employers to protect privacy

When it comes down to adopting bring-your-own-device (BYOD) schemes, employee adoption is hampered by a lack of trust in employers and a lack of faith that individual privacy will be protected. New research conducted by Ovum on behalf of mobile security firm AdaptiveMobile says these two factors remain a barrier to increased mobility within the enterprise. When asked to use personal devices for work purposes, end users trust mobile service providers more than employers to protect their privacy, according to the survey. While over 84 percent of employees rated privacy as a top three concern, there is a “clear lack of trust” and belief that corporations are able to manage their mobile security and privacy effectively.

http://www.zdnet.com/barriers-to-byod-a-lack-of-trust-in-employers-to-protect-privacy-7000033912/

 

 

+ Ex-employees say Home Depot left data vulnerable

The risks were clear to computer experts inside Home Depot: The home improvement chain, they warned for years, might be easy prey for hackers. But despite alarms as far back as 2008, Home Depot was slow to raise its defenses, according to former employees. On Thursday, the company confirmed what many had feared: The biggest data breach in retailing history had compromised 56 million of its customers’ credit cards. The data has popped up on black markets and, by one estimate, could be used to make $3 billion in illegal purchases. Yet long before the attack came to light this month, Home Depot’s handling of its computer security was a record of missteps, the former employees said.

http://www.nytimes.com/2014/09/20/business/ex-employees-say-home-depot-left-data-vulnerable.html

 

 

+ Why retailers like Home Depot get hacked

Retailers like Home Depot, which recently suffered a major data breach, have known for years about vulnerabilities in payment systems, but have chosen to ignore them, experts say. Home Depot decided only in January to buy technology that fully encrypts payment card data the moment a card is swiped, The Wall Street Journal reported Monday. The home improvement retailer launched the project in order to avoid a breach on the scale of Target’s. The breach at Target in December compromised 40 million credit-card accounts and contributed to the ouster of its chief executive officer. Following several months of testing, Home Depot signed a multimillion-dollar contract with a security vendor in April, but by then, hackers may have already cracked the retailer’s payment systems, the Journal reported. The company said it discovered it had been hacked in September.

http://www.csoonline.com/article/2683912/data-protection/why-retailers-like-home-depot-get-hacked.html

 

 

+ Senate Bill Would Limit Power of US Warrants for Data Stored in Other Countries

A bill proposed in the US Senate last week would limit the type of data that US authorities could obtain from foreign servers with a warrant. The legislation appears to be a response to the case in which Microsoft has refused to surrender customer emails that are stored on a server in Ireland. A US District Judge recently ruled in favor of the government, saying that “it is a question of control, not a question of the location of that information.” The case is moving to appeal. The Law Enforcement Access to Data Stored Abroad Act (LEADS Act) would limit the US’s warrant access to data of US citizens. To obtain data belonging to citizens of other countries, the US would have to follow that country’s legal protocol. US Technology companies maintain that if they are required to surrender data belonging to non-US citizens, trust in their businesses would deteriorate.

http://arstechnica.com/tech-policy/2014/09/bill-would-limit-reach-of-us-search-warrants-for-data-stored-abroad/

 

 

+ NATO steps up private sector cooperation with new alliance

The world’s largest military alliance, NATO, has announced plans for a new initiative designed to bolster co-operation with the private sector on cyber security threats. The NATO Industry Cyber Partnership (NICP) was announced at a two-day event in Mons, Belgium, attended by 1,500 industry leaders and policy makers. However, it was apparently ratified by the 28 member countries at the start of September during NATO’s Wales Summit. The idea is to improve the sharing of “expertise, information and experience” related to cyber security, including information on threats and vulnerabilities, as well as enhancing NATO’s cyber defense capabilities.

http://www.infosecurity-magazine.com/news/nato-steps-up-private-sector/

 

 

+ The Truth About Ransomware: You’re On Your Own

What should enterprises do when faced with ransomware? The answer is, it depends. When faced with ransomware infections, people need to know their options. As with any attack, it’s better to learn your technological limitations before you get infected. For the enterprise, security professionals should educate themselves (and users) about the current state of ransomware and consider steps to prevent and quickly remediate infections. But the truth is, for practically everybody, we’re mostly on our own when it comes to dealing with the ransomware problem…

http://www.darkreading.com/vulnerabilities---threats/the-truth-about-ransomware-youre-on-your-own/a/d-id/1315927?_mc=NL_DR_EDT_DR_daily_20140923&cid=NL_DR_EDT_DR_daily_20140923&elq=78ed642d79de460d946f5952778e4c52&elqCampaignId=8712

 

 

+ 5 Top Tips For Outsourced Security

It’s one thing to hire a third-party developer to build a mobile app. It’s quite another to trust a pen tester, MSSP, or DDoS protection firm. But the fact is, the threat landscape is complex, and few organizations can keep security completely in house. Here’s how to decide what to outsource and select and manage providers.

http://www.darkreading.com/5-top-tips-for-outsourced-security/d/d-id/1315962?_mc=NL_DR_EDT_DR_daily_20140923&cid=NL_DR_EDT_DR_daily_20140923&elq=78ed642d79de460d946f5952778e4c52&elqCampaignId=8712

 

 

+  Behavior Biometrics a Popular Defense Against Cyberthreats

Banks are capturing BEHAVIORAL data like swipes, typing cadence, and mouse patterns to identify fraudulent account activity. At Finovate this week, BioCatch, a firm specializing in capturing and analyzing cognitive biometrics, demonstrated a new trend in MOBILE SECURITY. This concept has been rapidly adopted and wildly effective among major banks and e-commerce firms to stop fraud at the point of sale.

http://www.wallstreetandtech.com/security/behavior-biometrics-a-popular-defense-against-cyberthreats/a/d-id/1316083?cid=NL_WST_EDT_WST_daily_20140926&_mc=NL_WST_EDT_WST_daily_20140926&elq=c6120e1b046044d4a512d881d08f8148&elqCampaignId=8880

 

 

+ Commission Releases RTBF Fact Sheet

The European Commission has released a fact sheet on the right to be forgotten to help “make sure the discussion is based on fact” that includes six myths with “In fact” refutations. “A sober reading of the judgment shows that the concerns that have emerged in this debate are exaggerated or simply unfounded,” the document states.

http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_rtbf_mythbusting_en.pdf

 

 

+  On the Risk-Based Approach to Big Data

Last week’s Federal Trade Commission (FTC) workshop has generated much discussion about both big data’s many benefits and its potential to be used for discrimination. Though panelists suggested a slew of potential solutions to this so-called “data paradox,” Markus Heyder, vice president and senior policy counselor at Hunton & Williams’ Centre for Information Policy Leadership, writes for Privacy Perspectives that the “risk-based approach to privacy” is “already available and, in some cases, already part of the law” and could serve as a model to appropriately deal with the benefits and pitfalls of big data.

https://privacyassociation.org/news/a/tackling-the-risks-of-big-data/

 

 

+ Big tips on getting started with big data, from industry leaders (slideshow)

http://www.slideshare.net/qubolemarketing/big-datatips2

 

 

+ Better Buying Power 3.0: How the Pentagon hopes to save its technological advantage

The next phase of defense acquisition reform is an effort to balance strategic spending on technology with budget pressures.

http://fcw.com/articles/2014/09/19/better-buying-power.aspx?s=fcwdaily_220914

 

 

+ Incident Response with Triage-ir – great tool / source…

https://isc.sans.edu/

 

 

 

 

+++  FYI / FYSA  Items of interest  +++

 

 

+ Government hackers try to crack HealthCare.gov

The government’s own watchdogs tried to hack into HealthCare.gov earlier this year and found what they termed a critical vulnerability — but also came away with respect for some of the health insurance site’s security features. Those are among the conclusions of a report being released Tuesday by the Health and Human Services Department inspector general, who focuses on health care fraud. The report amounts to a mixed review for the federal website that serves as the portal to taxpayer-subsidized health plans for millions of Americans. Open enrollment season starts Nov. 15. So-called “white hat” or ethical hackers from the inspector general’s office found a weakness, but when they attempted to exploit it like a malicious hacker would, they were blocked by the system’s defenses.

http://www.federalnewsradio.com/454/3707407/Government-hackers-try-to-crack-HealthCaregov

 

 

+ CMS sets new deadline to fix two dozen HealthCare.gov cyber shortfalls

The Centers for Medicare and Medicaid Services has until Nov. 15 to close real and potential cybersecurity holes in the HealthCare.gov website. Marilyn Tavenner, the CMS administrator, promised House lawmakers Thursday that the site would be better protected when open enrollment begins in two months. The Government Accountability Office found in a report released Sept. 16 that CMS had problems with its information security and privacy program and its technical security architecture, specifically around access controls and configuration management.

http://www.federalnewsradio.com/241/3705177/CMS-sets-deadline-to-fix-two-dozen-HealthCaregov-cyber-shortfalls-

 

 

+ The FDA wants to talk about medical device cybersecurity

The Food and Drug Administration is asking the public to weigh in on the cybersecurity of medical devices and holding a conference on the subject, organized in collaboration with the Department of Homeland Security. Medical devices, like objects in almost all other aspects of consumers’ lives, are increasingly being networked as we move toward what many observers call the “Internet of Things” era. But with connectivity often comes greater vulnerability – and like many other embedded technologies, older medical devices may not necessarily have been designed with security in mind, or may be difficult to patch with fixes when a problem is spotted.

http://www.washingtonpost.com/blogs/the-switch/wp/2014/09/23/the-fda-wants-to-talk-about-medical-device-cybersecurity/

 

 

+ Health Insurance Marketplaces Could Improve Information Security

The marketplaces set up to provide health insurance to Americans under Obamacare are generally doing a good job of protecting personally identifiable information but can also improve security practices…

The HEALTH INSURANCE MARKETPLACES instituted by the Affordable Care Act, and through which tens of millions of Americans have signed up for medical coverage, aren’t doing a bad job of securing sensitive personal information, but they could certainly be doing a better job, according to a new analysis.

http://threatpost.com/health-insurance-marketplaces-could-improve-information-security/108493

 

 

+ Your medical record is worth more to hackers than your credit card

http://mobile.reuters.com/article/article/idUSKCN0HJ21I20140924?irpc=932

 

 

+ Ramping Up Medical Device Cybersecurity

http://www.govinfosecurity.com/ramping-up-medical-device-cybersecurity-a-7360

 

 

+ Medical Records For Sale in Underground Stolen From Texas Life Insurance Firm

http://krebsonsecurity.com/2014/09/medical-records-for-sale-in-underground-stolen-from-texas-life-insurance-firm/

 

 

+ College campuses get an “F” in cybersecurity

It’s that time of year again on college campuses. Freshmen hurry to find their way around and seniors bask in their last year of glory. Colleges not only offer a wealth of knowledge, but also house a treasure trove of highly sensitive information. Combined with an open network and a Bring Your Own Device (BYOD) culture, cyberattackers consider colleges a prime target. This obviously isn’t very welcoming news for campuses and their inhabitants. In order to assess the cyber security performance of American higher education institutions, BitSight Technologies conducted a study on the most recognized collegiate athletic conferences: the SEC, ACC, Pac-12, Big 10, Big 12, and Ivy League. These schools represent a student population of over 2.25 million and a network footprint of more than 11 million IP addresses.

http://securitywatch.pcmag.com/security/326921-college-campuses-get-an-f-in-cybersecurity

 

 

+ General Motors appoints its first cybersecurity chief

General Motors Co on Tuesday named an engineer to serve as its first cybersecurity chief as the No. 1 U.S. automaker and its rivals come under increasing pressure to better secure their vehicles against hackers. The No. 1 U.S. automaker promoted manager Jeff Massimilla to the post as part of an eight-month review of its product design and engineering, said GM Vice President of Global Product Development Mark Reuss. “If you look at the technology, as we put semi-autonomous and autonomous systems into vehicles, we have to be able to look at this at a very very critical systems level and do it defect-free for the customer,” Reuss said. “So that’s the competitive advantage we’re trying to really put in place for General Motors.”

http://www.reuters.com/article/2014/09/23/us-gm-cybersecurity-idUSKCN0HI2M020140923?feedType=RSS&feedName=technologyNews

 

 

+ Top-level turnover makes it harder for DHS to stay on top of evolving threats

An exodus of top-level officials from the Department of Homeland Security is undercutting the agency’s ability to stay ahead of a range of emerging threats, including potential terrorist strikes and cyberattacks, according to interviews with current and former officials. Over the past four years, employees have left DHS at a rate nearly twice as fast as in the federal government overall, and the trend is accelerating, according to a review of a federal database. The departures are a result of what employees widely describe as a dysfunctional work environment, abysmal morale, and the lure of private security companies paying top dollar that have proliferated in Washington since the Sept. 11, 2001, attacks.

http://www.washingtonpost.com/politics/top-level-turnover-makes-it-harder-for-dhs-to-stay-on-top-of-evolving-threats/2014/09/21/ca7919a6-39d7-11e4-9c9f-ebb47272e40e_story.html?hpid=z1

 

 

+ Navy looks for layered ‘fishing nets’ of cyber defense

Acknowledging that there is no magic bullet to defeat all cyber intrusions, the Navy – and the Defense Department in general – are looking for layered cyber technologies that can at least make it hard for enemies to get into networks. Speaking at a breakout session at the Intelligence and National Security Summit on Sept. 18, Rear Adm. Matthew Klunder, chief of Naval Research and director of Test and Evaluation and Technology requirements at the Office of Naval Research, highlighted the types of cyber tools the Navy is looking for. For the Navy, future cyber systems will have to increase self-awareness, proactive detection and proactive defense, Klunder said. As adversaries use increasingly asymmetrical attack techniques, Klunder said he believes that a multilayered approach is the most effective approach for catching and mitigating intrusions.

http://defensesystems.com/articles/2014/09/22/onr-miltilayered-cyber-defense.aspx

 

 

+ Army, Air Force reach first milestone in shared cybersecurity system

The Army and Air Force have taken a major step towards building a shared cybersecurity architecture for their military bases. The first installation is up and running under the joint security construct. Several more installations are expected to follow suit over the next few months. The new security plan, centered on a new system of Joint Regional Security Stacks (JRSS), reached initial operating capability Sunday at Joint Base San Antonio (formerly known as Fort Sam Houston and Lackland Air Force Base). Those neighboring Army and Air Force installations are now managed administratively as one joint base.

http://www.federalnewsradio.com/241/3704373/Army-Air-Force-reach-first-milestone-in-shared-cybersecurity-system

 

 

+ FBI Director Critical of Default Encryption on Mobile Phones

FBI Director James Comey has expressed concerns about Apple’s and Google’s decisions to increase encryption on mobile devices. Comey said that the new features appear to be “something expressly to allow people to place themselves beyond the law.”

http://www.computerworld.com/article/2688095/fbi-director-worries-about-encryption-on-smartphones.html

http://www.nbcnews.com/tech/security/fbi-chief-scolds-apple-google-over-new-smartphone-encryption-n211921

[Note: This is deja vu all over again, back to the crypto export control debates of the 1990s. Strong encryption is needed to protect sensitive information from attackers and criminals, and yes – it does also protect that information from law enforcement. The same dynamic occurs when valuables are put into a physical safe – and law enforcement has the same options (brute force it, or get a warrant compelling the owner to open) with encryption as they have with safes… BUT encrypt everything, everywhere we can, we all must!!!]

 

 

+ Cyber Security as a Matter of Resilience

 Experts say that the cyber security conversation is better served by focusing on resilience rather than on prevention. Adm. Michael Rogers, NSA Director and commander of US Cyber Command, said that the question is “How, in the midst of degradation and penetration, can we still have confidence in the systems?”

http://www.federaltimes.com/article/20140922/CYBER/309220008/IT-security-shifts-from-prevention-resiliency

[Note: This is the new theme for cybersecurity – the ability to continue fighting when you’re hurt is the differentiator between a successful security organization and the one picking up the pieces after an incident and wondering what happened…   I have liked this idea since I first heard it three years ago… That said, resilience of the whole is improved by the “prevention” of the parts.]

 

 

+ Next Android Release Will Encrypt Data By Default

Google says that the next version of its Android mobile operating system, due to be released before the end of 2014, will encrypt data by default. Android L’s activation features will automatically encrypt data. (Encryption has been available and optional on Android devices since 2011.) The announcement comes as Apple releases iOS 8, the newest version of its mobile operating system, which also has enhanced security. One notable difference between the operating systems is that while most iOS users will update their devices within the next few weeks, Android users must wait for manufacturers to make the updates available.

http://www.washingtonpost.com/blogs/the-switch/wp/2014/09/18/newest-androids-will-join-iphones-in-offering-default-encryption-blocking-police/

http://www.eweek.com/security/new-android-l-os-to-encrypt-data-to-reduce-hacking-snooping.html

http://www.informationweek.com/mobile/mobile-devices/google-plans-to-encrypt-android-data-by-default/d/d-id/1315928

http://www.cnet.com/news/google-to-encrypt-data-by-default-on-new-version-of-android/

 

 

+ DoJ Seeks Authority to Bust Through Anonymization

The US Department of Justice has proposed an amendment to Rule 41 of the Federal Rules of Criminal Procedure that would pave the way for law enforcement authorities to break into computers being used by people who are hiding their identities online with anonymizing technologies like Tor.

http://www.networkworld.com/article/2686187/microsoft-subnet/doj-wants-to-give-the-fbi-permission-to-hack-into-pcs-of-tor-and-vpn-users.html

http://www.theregister.co.uk/2014/09/19/fbi_overseas_hacking_powers/

[Note: This has the hallmarks of a pending legal disaster should this amendment be passed. With the nature of anonymization networks the FBI and the US Court will not be able to guarantee the targeted computer is within US jurisdiction, leading to potential breaches of laws in other countries and indeed potential disruption of law enforcement efforts in other countries. It could also further deepen the distrust many non-US corporations and citizens have regarding excessive US government surveillance.]

 

 

+ Cyberthreat Info Sharing App Unveiled

FS-ISAC has teamed up with the Depository Trust and Clearing Corp. to offer software designed to ease cyberthreat information collection and sharing, helping safeguard against cyber-attacks.

http://www.inforisktoday.com/cyberthreat-info-sharing-app-unveiled-a-7349?rf=2014-09-24-eir&utm_source=SilverpopMailing&utm_medium=email&utm_campaign=enews-irt-20140924%20(1)&utm_content=&spMailingID=7149853&spUserID=NTQ5MzQyNjI3MTkS1&spJobID=522618933&spReportId=NTIyNjE4OTMzS0

 

 

+ You ARE going to get hacked! Be better prepared…

http://emergingthreatvectors.blogspot.com/2014/09/you-are-going-to-get-hacked.html?m=1

 

 

====  FUN FACTS – FFT, Fast Finite Fourier Transform

Great overview for such an important math…and engineering function….  Yes…. cyber too….;-))

http://blogs.mathworks.com/cleve/2014/09/15/fft-fast-finite-fourier-transform/?s_eid=PSM_8716

 

 

 

 

+++  THREATs  / bad news stuff / etc  +++

 

 

+ Stalkerware: “Even your grandad will be monitoring phones in no time!”

http://workplacetablet.com/2014/09/22/

 

 

+  The Hackers Arsenal Tools Portal » Top Security Tools

Fairly decent list. OWASP tools are state of the art. These are a few more, especially on the forensic side:

OSSEC     KALI    SIFT      CAINE

http://www.toolswatch.org/2013/12/2013-top-security-tools-as-voted-by-toolswatch-org-readers/

 

 

+ Hacking the Hackers: The Legal Risks of Taking Matters Into Private Hands

Private groups are beginning to fight back against foreign sources of malware and CREDIT FRAUD, but methodologies put these digital crusaders and their employers at serious legal risk.

http://www.wallstreetandtech.com/security/hacking-the-hackers-the-legal-risks-of-taking-matters-into-private-hands/a/d-id/1315980?cid=NL_WST_EDT_WST_daily_20140923&_mc=NL_WST_EDT_WST_daily_20140923&elq=b77f9c1611be454fae9bac6594947501&elqCampaignId=8740

 

 

+  5 Myths of Virtualization Security: You May Be More Vulnerable Than You Think…

http://www.ecommercetimes.com/story/80573.html

Amazon, for example, is one of the biggest repositories of malware in the world.  GoDaddy is not far behind.  Shared platforms are one of the biggest data security issues.

http://blog.credit.com/2014/09/the-south-park-inspired-malware-you-should-watch-out-for-96934/

http://www.thewhir.com/web-hosting-news/aws-supports-41-malware-hosting-sites-web-host-isp

http://www.networkworld.com/article/2453989/network-security/u-s-malware-share-rising-amazon-service-no-1-in-hosting-it.html

http://www.infosecurity-magazine.com/news/amazon-and-godaddy-rank-as-top-malware-hosters/

AND… VMs do pose a threat, but, that said, they are working hard to fix some of the issues at hand.

Past issues which are hypervisor related:

http://www.insinuator.net/2013/05/analysis-of-hypervisor-breakouts/

http://johncouzins.wordpress.com/2013/11/27/attacking-the-hypervisor/

http://arstechnica.com/security/2014/01/openssl-site-defacement-involving-hypervisor-hack-rattles-nerves/

With more and more assets migrating to the cloud there will be increased focus by the bad guys.

 

 

+ MORE BASH / Shellshock links:

Johannes Ullrich, Director of SANS Internet Storm Center just updated a brief webcast to provide authoritative answers to the five questions we are being asked…  You can see the slides and listen to his briefing at:

https://isc.sans.edu/forums/diary/Webcast+Briefing+Bash+Code+Injection+Vulnerability/18709

Storm Center has also posted a FAQ which is being updated as new data is found:

https://isc.sans.edu/forums/diary/Update+on+CVE-2014-6271+Vulnerability+in+bash+shellshock+/18707

Six key facts:

http://www.informationweek.com/government/cybersecurity/shellshock-bug-6-key-facts--/d/d-id/1316131?_mc=NL_IWK_EDT_IWK_daily_20140927&cid=NL_IWK_EDT_IWK_daily_20140927&elq=2c660e6b34c84ac19d69464496f6b1d2&elqCampaignId=8935

FYI – first signs of Shellshock bash attacks hitting the DoD…

http://www.itnews.com.au/News/396197,first-shellshock-botnet-attacks-akamai-us-dod-networks.aspx

Shellshock Vulnerability – 09/24/2014

The Shellshock vulnerability allows remote code execution through a bug in bash. This vulnerability can be exploited through a number of means, the most concerning being through CGI executed web scripts. Exercising the vulnerability is very easy to do.

Who should be concerned?

Server administrators with ANY edge-facing Linux-based servers running any of the following services:

o             Web Server using CGI

o             DHCP

o             SSH

o             Any other service that may allow the remote modification of environment variables.

What should I do?

Verify you are at risk – run this command at a shell prompt; if the system echoes back VULNERABLE, then your version of bash has the bug:

  env X="() { :;} ; echo VULNERABLE" /bin/sh -c "echo stuff"
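The one-liner above has a catch worth knowing: on Debian and Ubuntu, /bin/sh is dash, which never had this bug, so a clean result from /bin/sh says nothing about /bin/bash on the same box. The script below is an added example (not from the newsletter, SANS or CSIAC) that puts the same test into a function you point at a specific shell binary, and pairs it with a defender's log check that counts web-server requests carrying the "() {" function-definition prefix the bug is triggered by. It assumes bash is on the PATH; the access-log lines are constructed for the example and the hosts and timestamps in them are made up.

```shell
#!/bin/sh
# Added example (not from the newsletter or CSIAC): two defender-side checks
# for CVE-2014-6271 ("Shellshock").

# shellshock_check: run the environment-variable test against a specific
# shell binary (default: bash). Pass the binary you actually want to test;
# /bin/sh may be dash, which was never affected, giving a false "clean".
# Returns 0 = vulnerable, 1 = not vulnerable, 2 = binary not found.
shellshock_check() {
    shell="${1:-bash}"
    command -v "$shell" >/dev/null 2>&1 || return 2
    # A vulnerable bash parses the exported value as a function definition
    # and keeps executing past its closing brace, printing VULNERABLE.
    out=$(env X='() { :;}; echo VULNERABLE' "$shell" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 0 ;;
        *)            return 1 ;;
    esac
}

# count_shellshock_hits: count log lines on stdin that carry the "() {"
# function-definition prefix (with or without whitespace) in a request
# header, the signature of a CGI probe. Prints the number of matching
# lines; matches should then be reviewed by hand.
count_shellshock_hits() {
    grep -E -c '\(\)[[:space:]]*\{' || true
}

# Constructed sample access-log lines (assumption: Apache combined format).
# Addresses, paths and timestamps are made up for this example.
SAMPLE_LOG='203.0.113.7 - - [25/Sep/2014:10:11:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo probe"
198.51.100.4 - - [25/Sep/2014:10:11:13 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Sep/2014:10:11:14 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() {:;}; echo probe" "curl/7.37"'

# demo_scan: run the log check over the constructed sample (two of the
# three lines carry the prefix, so this prints 2).
demo_scan() {
    printf '%s\n' "$SAMPLE_LOG" | count_shellshock_hits
}

# Stand-alone run: report on the local bash and on the sample log.
if shellshock_check bash; then
    echo "bash: VULNERABLE to CVE-2014-6271 - patch now"
else
    echo "bash: not vulnerable (or bash not installed)"
fi
echo "suspicious CGI requests in sample log: $(demo_scan)"
```

On a real server, feed the access log into count_shellshock_hits (for example `count_shellshock_hits < /var/log/apache2/access.log`) and run shellshock_check once per shell binary that CGI, DHCP client hooks or sshd could hand an environment to, since a host can carry more than one bash build.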

Where can I get additional information?

https://www.csiac.org/discussion/vulnerability-alert-shellshock-bash-bug-discovered

 

 

+ ISIS cyber capability judged more ‘aspirational’ than operational

Interviews with cybersecurity experts and questions posed to public officials reveal an assessment of the cyber warfare capabilities of the Islamic State of Iraq and Syria that, while potentially dangerous, remains more aspirational than operational.

It is common for a terrorist group like ISIS to develop cyber capabilities to complement their ambitions to carry out violent attacks, experts say. But being slick with social media is a world apart from being able to hack segments of U.S. critical infrastructure.

http://fcw.com/articles/2014/09/17/isis-cyber-capability.aspx

 

 

+ ISIS cyber threat to US under debate

Amid fresh threats by ISIS against the US and its allies this week, worries about what the well-financed and social-media-savvy militant group could do in the cyber realm have triggered debate over whether ISIS ultimately could or would disrupt US critical infrastructure networks. ISIS has made no specific threats to US critical infrastructure, and no one knows for sure whether the militant group has any plans for a cyber attack against US interests or even the technical capabilities to pull it off. Even so, US officials are keeping a watchful eye on ISIS’ movements in the digital realm: NSA director Michael Rogers last week hinted that the agency is monitoring this. “We need to assume there is a cyber dimension in every area we deal with,” Rogers said in a speech at a Washington conference.

http://www.darkreading.com/vulnerabilities---threats/advanced-threats/isis-cyber-threat-to-us-under-debate/d/d-id/1316004?_mc=RSS_DR_EDT

 

 

+ Why Obama Can’t Say His Spies Underestimated Isis

Nearly eight months ago, some of President Obama’s senior intelligence officials were already warning that ISIS was on the move. In the beginning of 2014, ISIS fighters had defeated Iraqi forces in Fallujah, leading much of the U.S. intelligence community to assess they would try to take more of Iraq.

But in an interview that aired Sunday evening, the president told 60 Minutes that the rise of the group now proclaiming itself a caliphate in territory between Syria and Iraq caught the U.S. intelligence community off guard. Obama specifically blamed James Clapper, the current director of national intelligence: “Our head of the intelligence community, Jim Clapper, has acknowledged that, I think, they underestimated what had been taking place in Syria,” he said…

Transcript here: http://www.cbsnews.com/news/president-obama-60-minutes/

http://www.thedailybeast.com/articles/2014/09/28/why-obama-can-t-say-his-spies-underestimated-isis.html

 

 

+ TripAdvisor’s Viator notifies 1.4 million customers about site and mobile data breach

Viator, the tours and activities provider acquired by TripAdvisor this summer, is notifying 1.4 million customers that a data breach affecting its websites and mobile offerings may have compromised their credit and debit card numbers, email addresses, and other personal information. Viator posted notices online September 19 about the breach, although the company learned of a problem 17 days earlier when its payment card service provider informed Viator about unauthorized charges on “a number” of customers’ credit cards.

http://skift.com/2014/09/19/tripadvisors-viator-notifies-1-4-million-customers-about-site-and-mobile-data-breach/

 

 

+ FBI warns cyber sabotage, extortion by disgruntled employees rising

http://m.washingtonexaminer.com/fbi-warns-cyber-sabotage-extortion-by-disgruntled-employees-rising/article/2554045

 

 

 

 

 

 

 

+++   SD/SoCAL security items of interest / opportunities +++

 

 

 

OCT

 

1– SoeC – CyberFest 2014 – great all day agenda planned… improving on last year’s success!  October is cyber month after all!!!

http://events.r20.constantcontact.com/register/event;jsessionid=5C9580C3DEB4919096AC6BFFCE369008.worker_registrant?llr=mr9qlimab&oeidk=a07e9jfo4or9b1958b3

 

 

9 – ISACA Webinar: Why Implement the NICE Cybersecurity Workforce Framework?

http://www.isaca.org/Education/Online-Learning/Pages/Webinar-Why-Implement-the-NICE-Cybersecurity-Workforce-Framework.aspx

 

 

14 – RTI Road Show: Build Safe and Secure Distributed Systems for the Industrial Internet of Things

Understand the requirements of your system, research the available technologies and choose the best approach to architecting your distributed software for Industrial Internet of Things applications. Join this breakfast road show to learn about industry standards and technologies such as TCP/IP sockets, MQTT, OPC and DDS.

http://go.rti.com/l/48882/2014-09-05/35nw

 

 

15–CCOE welcomes DHS to town — the San Diego Cyber Center Of Excellence (CCOE) is honored to host a national keystone event in conjunction with the U.S. Department of Homeland Security (DHS) and the National Cyber Security Alliance. There is no cost to attend.

http://www.eventbrite.com/e/national-cyber-security-awareness-month-san-diego-registration-12773149835

 

 

27 – NDIA & CCOE present the local Cyber Military / SPAWAR effort as the Navy’s Cyber Security Center of Excellence: a CCOE overview introduction and the California Cyber Task Force strategy, then SPAWAR and the Navy’s presentation on cyber security budgets, threats and the future. Sheraton Hotel and Conference Center, 11:30am to 4:00pm ($35.00)

https://events.r20.constantcontact.com/register/eventReg?oeidk=a07e9s8f8c6e61c3fca&oseq=&c=&ch=

 

 

 

+++  Future events FYI:

 

TBD – Provided by IEEE Cyber SIG / various security groups – all day – Privacy by Design workshop – a cyber model & why you must be part of this initiative!  (at Coleman University – AM technical approach… PM public discussions)   +++  Help move SD forward in cyber – DOING security vs admiring the problem…. SO engage and help out on cyber 4 PbD!!!

http://www.sciap.org/blog1/wp-content/uploads/Privacy-by-Design-cyber-security.pdf

 

 

TBD  Started planning “BigDataDay 4 SD” on a SAT in late fall / early winter….  Jump in and help us!

We went to the one in LA and it was great…   likely our three tracks will be:

–  Technical =  Hadoop/Hbase/NoSQL;

–  Data science = predictive analytics, etc

–  Applications = actual products, etc.. Privacy / data security…

 
