Welcome to Cyber News Tidbits 4U!

Here are updated news compilations from the Cyber Security Community

Topic headers (+++):

1 – Security news you can likely use (re: management / opportunity items)

2 – Other items of general FYI / FYSA level interest

3 – Threats / bad news stuff / etc.. 


4 – SD/SoCAL items of interest / opportunities   (send me your SD meetings!) 

A couple of Highlights  (A couple of items of potentially notable interest / high utility &  value… your mileage will vary….)

(Lots happening,  so LOTs to be aware of. Takes 5 min to skim…then pick out a topic or two..)

+++ Some highlights of the past week +++

NOV 16

+ US Postal Service suspends telecommuting following massive data breach 

(??? WHO will do this next???  Changing effective work practices due to lack of simple IA controls.. Folks, please just enforce cyber hygiene and effective access controls…in remote sites TOO… ;-(( )

The United States Postal Service (USPS) has suspended telecommuting for employees while it works to remediate a network intrusion that has exposed data on some 800,000 postal workers and an additional 2.9 million customers. The virtual private network (VPN) service for postal employees was taken down this weekend and will not be brought back up until a version with more robust security features can be installed, USPS spokesman David Partenheimer said in an emailed comment to Dark Reading. “As a result, telecommuting has been suspended until further notice,” he said.

Chinese government hackers are suspected of breaching the computer networks of the United States Postal Service, compromising the data of more than 800,000 employees — including the postmaster general’s. The intrusion was discovered in mid-September, said officials, who declined to comment on who was thought to be responsible.

+ 10 Cybersecurity Solutions for Small Businesses

10 Cyber Security Measures That Every Small Business Must Take

Small biz thinks workers are weak cybersecurity link



+ Guidelines for Securing Mobile Computing Devices

Mobile Security Guide – Everything You Need to Know

Mobile Phone Security Tips



+ Does Cloud Need A Privacy Police Force?  (“UL” rating for cloud security anyone?)



+ Data Security Confidence Index … great stats…charts



+ Top 10 Big Data Technologies Of Present Times



+ DOD’s Vision for a Commercial Cloud Ecosystem



+ Ultimate Library of ICS Cyber Security Resources

Quite a LOT of resources in one spot    CIP and more..     even if weird domain name..



+ How Can Healthcare Ensure Its Big Data is Smart Enough?



+ Global Information Security Survey 2014



+ Identify Your Cyber Risk

GREAT  stats..  Health care leads the pack… Cyber insurance too..  Great points to show security and privacy by design utility too

Benefits… HOW privacy pays..



+ Gartner Says CIOs Need Bimodal IT to Succeed in Digital Business

Treat Every Business Unit as a Technology Startup





++++  FYI / FYSA   +++



+ ‘Walk & Stalk’: A new twist in cyberstalking

We’re all familiar with the tales of cyber stalking where victims are mercilessly pursued by trolls. But most of us are unaware that the mobile device in our pocket could expose us to stalker attacks in the real world. Walk-and-stalk attacks use the signals emitted by a mobile device such as a smartphone or tablet to pinpoint a specific individual in a given location. Armed with the right equipment it’s possible not only to detect these signals but to capture the user’s online credentials, and determine his daily habits, where he goes to work, what time he clocks on and off, and even where he lives.
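Added example (mine, not from the article): what a walk-and-stalk profile looks like once Wi-Fi probe-request sightings are collected, and why a randomised MAC frustrates it. The sightings, sensor locations, MAC addresses and SSIDs below are constructed; the capture itself (a monitor-mode sniffer feeding these records) is assumed and not shown. A phone that still probes for remembered SSIDs with its real hardware MAC hands over exactly the daily pattern the article describes: where it is at what clock time, and which home network it knows.

```python
"""Profile a device from Wi-Fi probe-request sightings (constructed sample data).

Added example, not from the article. Assumes sightings were already captured
into (timestamp, sensor_location, client_mac, probed_ssid) records by some
monitor-mode sniffer; the field names and sample records are constructed here.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sightings: ISO timestamp, where the sensor sits, client MAC, SSID probed for.
SIGHTINGS = [
    ("2014-11-10T07:55:00", "bus_stop_5th_ave", "a4:5e:60:11:22:33", "HomeNet-Jones"),
    ("2014-11-10T08:40:00", "office_lobby",     "a4:5e:60:11:22:33", "CorpGuest"),
    ("2014-11-10T17:35:00", "office_lobby",     "a4:5e:60:11:22:33", "CorpGuest"),
    ("2014-11-10T18:20:00", "bus_stop_5th_ave", "a4:5e:60:11:22:33", "HomeNet-Jones"),
    ("2014-11-11T07:58:00", "bus_stop_5th_ave", "a4:5e:60:11:22:33", "HomeNet-Jones"),
    ("2014-11-11T08:42:00", "office_lobby",     "a4:5e:60:11:22:33", "CorpGuest"),
    ("2014-11-11T17:31:00", "office_lobby",     "a4:5e:60:11:22:33", "CorpGuest"),
    # A device using a randomised (locally administered) MAC each day: no cross-day profile.
    ("2014-11-10T08:41:00", "office_lobby",     "da:12:34:56:78:9a", "CorpGuest"),
    ("2014-11-11T08:43:00", "office_lobby",     "ee:ab:cd:ef:01:23", "CorpGuest"),
]


def is_locally_administered(mac: str) -> bool:
    """True when bit 1 of the first octet is set, i.e. a locally administered (randomised) MAC."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def build_profiles(sightings):
    """Group sightings per MAC: SSIDs probed, days seen, and clock times per location."""
    profiles = defaultdict(lambda: {"ssids": set(), "locations": defaultdict(list), "days": set()})
    for ts, location, mac, ssid in sightings:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        p = profiles[mac]
        p["ssids"].add(ssid)
        p["days"].add(when.date())
        p["locations"][location].append(when.time())
    return profiles


def daily_pattern(profile, min_days=2):
    """Return {location: (earliest, latest)} for a device seen on at least min_days days."""
    if len(profile["days"]) < min_days:
        return {}
    return {loc: (min(times).strftime("%H:%M"), max(times).strftime("%H:%M"))
            for loc, times in profile["locations"].items()}


def report(sightings):
    """Per-MAC summary: whether the MAC looks randomised, SSIDs leaked, and the daily pattern."""
    out = {}
    for mac, profile in build_profiles(sightings).items():
        out[mac] = {
            "randomised_mac": is_locally_administered(mac),
            "ssids": sorted(profile["ssids"]),
            "pattern": daily_pattern(profile),
        }
    return out


if __name__ == "__main__":
    for mac, info in report(SIGHTINGS).items():
        print(mac, info)
```

The stable MAC yields an office arrival/departure window and a home-network name after two days of passive listening; the two locally administered MACs never accumulate a second day and so never produce a pattern, which is the whole point of MAC randomisation and of turning Wi-Fi off when not in use.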



+ Cybersecurity codes being added to all federal job descriptions

By the end of 2015, the Office of Personnel Management plans to have every position within the federal government labeled with a descriptive code detailing the cybersecurity functions – if any – required of the employees performing that job function. Federal employees active in cybersecurity account for some 4 percent of the workforce but, until recently, there were no standard job descriptions for the work being done. Prior to OPM’s efforts, there were no clear definitions on cybersecurity workflow in federal agencies and no baseline for hiring managers on what related skills were needed across a variety of positions.



+ Silk Road, other Tor “darknet” sites may have been “decloaked” through DDoS

Last week’s takedown of Silk Road 2.0 wasn’t the only law enforcement strike on “darknet” illicit websites being concealed by the Tor Project’s network of anonymizing routers. A total of 410 .onion pages on at least 27 different sites, some of which sell everything from drugs to murder-for-hire assassins, were shut down as part of Operation Onymous, a joint operation between 16 member nations of Europol, the FBI, and US Immigration and Customs Enforcement. While 17 arrests were made, some operators of sites taken down by the worldwide sweep remain at large.



+ Q3 spike sees 20 million new malware strains

Some 20 million new pieces of malware were created in the third quarter of 2014, amounting to over 227,000 each day, according to new data from Panda Security. The Spanish AV vendor’s latest quarterly report found that the daily new malware count actually stood at a staggering 227,747, with trojans the most common type – accounting for 78% of all malware. In second place, some distance behind, came viruses with just shy of 9%, followed by worms (4%). When it comes to infections, trojans once again took the number one spot, accounting for 75% of the total, up from 63% the previous quarter, Panda said in a blog post.



+ Contractors struggle with ‘patchwork’ of cybersecurity regulations

Federal contractors trying to report a hack on their computer systems struggle with a maze of piecemeal regulations, contracting experts say. And clarifying that ambiguity could be a difficult long-term project because there is likely no one bill or executive action that would do the trick. “The compliance issues are hard for government contractors because you don’t have one box, one checklist of things you can do for all of your contracts to make sure that you’re compliant,” said Elizabeth Ferrell, a partner at McKenna Long and Aldridge, at a Nov. 6 conference hosted by the Coalition for Government Procurement in Washington.



+ Minor deficiencies add up to significant weaknesses at SSA (YES, cyber hygiene counts – BIG TIME!)

The Social Security Administration is making progress toward better cybersecurity within the agency’s systems but a combination of weaknesses identified in the annual FISMA report add up to significant vulnerabilities. Auditing firm Grant Thornton LLP tested SSA’s systems across 11 cybersecurity metrics established by the Department of Homeland Security. The analysis showed that SSA’s policies and implementation were “generally consistent” with FISMA, OMB and NIST guidelines, though significant weaknesses were discovered among eight of those metrics. The most significant deficiencies were found in configuration management; identity and access management; risk management; and security training.



+ Changes in Firefox 33.1 Focus on Privacy

Mozilla has released version 33.1 of its Firefox browser. While incremental updates usually go unannounced, this update is notable for the Forget Button, which allows users to delete recent history and cookies for the last five minutes, two hours, or 24 hours, with a simple click. The button is new, but the capability is not – until version 33.1, it has been buried in the Firefox menu. Firefox also has a Private Browsing mode that has been available since version 3.5, released in 2009.



+ The Staggering Complexity of Application Security

During the past few decades of high-speed coding we have automated our businesses so fast that we are now incapable of securing what we have built.



+ Small-to-Midsized Businesses Targeted In More Invasive Cyberattacks

How notorious remote access tools Predator Pain and Limitless have evolved into bargain-basement tools accessible to masses of cybercriminals.  For just $40, a criminal can now buy a keylogger that not only captures keystrokes and credentials, but also geo-locates, intercepts emails and instant messages, and even reconfigures the compromised email account to send the criminal the victim’s emails directly — all while automatically encrypting the back-channel communications. “Before, you were buying a knife with a corkscrew, and now you’re buying a full Swiss Army knife,” says Tom Kellermann, chief cyber security officer at Trend Micro, which today published a report on how two pervasive keylogger programs have evolved into inexpensive cyberspying tools being used to hit small and midsized businesses (SMBs) worldwide.   The so-called Predator Pain and Limitless malware kits are now more accessible to the masses and theoretically to lower-level criminals, Kellermann says. The new modules also offer attackers more “omniscience” into their victim’s machines — and lives.



+ Policy for US Cybersecurity horizon

The US Air Force magazine Air and Space Power Journal published an article entitled US Cybersecurity Policy in its November-December 2014 edition. The article describes the US cybersecurity policy and organization and offers a series of recommendations to enhance the protection of both military and civilian infrastructures.



+ Big Data Survey: Trouble Brewing For IT

Just 30% of respondents say their companies are very or extremely effective at identifying critical data and analyzing it to make decisions, down from 42% in 2013. What gives?



+ A pocket guide for new board directors



+ Understanding the Cyber Attack Kill Chain

Infographic –


+ 10 Cool Security Tools Open-Sourced By The Internet’s Biggest Innovators



+ Wearable Health Tech: New Privacy Risks



+ Tracking Data Breaches  (several links / sources)



+ Chip & PIN vs. Chip & Signature  (Krebs does his usual great job on a full report)



+ Carmakers Unite Around Privacy Protections




+  Need cyber security courses?  Here are some free ones…  

Take free online classes from 80+ top universities and organizations. Coursera is a social entrepreneurship company partnering with Stanford University, Yale University, Princeton University and others around the world to offer courses online for many subjects




++++  THREATs  / bad news stuff / etc  +++



+ Russia’s domestic Internet traffic mysteriously passes through Chinese routers

Domestic Internet traffic traveling inside the borders of Russia has repeatedly been rerouted outside of the country under an unexplained series of events that degrades performance and could compromise the security of Russian communications. The finding, reported Thursday in a blog post published by Internet monitoring service Renesys, underscores the fragility of the border gateway protocol (BGP), which forms the underpinning of the Internet’s global routing system. In this case, domestic Russian traffic was repeatedly routed through routers operated by China Telecom, a firm with close ties to that country’s government.
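Added example (not from the Renesys post): a minimal origin, length and transit check of the kind an operator can run over incoming BGP updates to catch both the classic more-specific hijack and the "domestic traffic suddenly transits a foreign AS" pattern described above. The expected-origin table stands in for RPKI ROAs or an operator's own prefix inventory; every ASN, prefix and update line here is constructed.

```python
"""Flag BGP announcements whose origin AS, prefix length or transit path is unexpected.

Added example, not from the Renesys post. The ASNs, prefixes and update lines
below are constructed; EXPECTED stands in for RPKI ROAs or a prefix inventory,
and WATCHED_TRANSIT for an AS you would not expect between two domestic networks.
"""
import ipaddress

# Constructed "expected origin" table: prefix -> (authorised origin ASN, max prefix length).
EXPECTED = {
    ipaddress.ip_network("203.0.113.0/24"): (64500, 24),
    ipaddress.ip_network("198.51.100.0/22"): (64501, 24),
}

# Constructed: an ASN that should never appear as transit for our domestic prefixes.
WATCHED_TRANSIT = {64888}

# Constructed BGP update lines: "<prefix> <AS_PATH as space-separated ASNs>", origin last.
UPDATES = """
203.0.113.0/24 65010 64500
198.51.100.0/23 65010 64501
198.51.100.0/25 65010 64999
203.0.113.0/24 65010 64999
203.0.113.0/24 65010 64888 64500
192.0.2.0/24 65010 64502
""".strip().splitlines()


def covering_roa(prefix):
    """Return the (roa_prefix, origin, maxlen) entry that covers prefix, if any."""
    for roa_prefix, (origin, maxlen) in EXPECTED.items():
        if prefix.version == roa_prefix.version and prefix.subnet_of(roa_prefix):
            return roa_prefix, origin, maxlen
    return None


def validate(update_line):
    """Classify one update: valid, invalid-length, invalid-origin, unexpected-transit or unknown."""
    prefix_text, *as_path = update_line.split()
    prefix = ipaddress.ip_network(prefix_text)
    origin_as = int(as_path[-1])          # the rightmost ASN in the AS_PATH originates the route
    roa = covering_roa(prefix)
    if roa is None:
        return "unknown"                  # not our space: nothing to compare against
    _, expected_origin, maxlen = roa
    if prefix.prefixlen > maxlen:
        return "invalid-length"           # more specific than allowed: classic hijack shape
    if origin_as != expected_origin:
        return "invalid-origin"           # someone else claims to originate our prefix
    if any(int(asn) in WATCHED_TRANSIT for asn in as_path[:-1]):
        return "unexpected-transit"       # right origin, but the path detours through a watched AS
    return "valid"


def suspicious_updates(lines):
    """Return [(line, verdict)] for every update that is neither valid nor unknown."""
    results = []
    for line in lines:
        verdict = validate(line)
        if verdict not in ("valid", "unknown"):
            results.append((line, verdict))
    return results


if __name__ == "__main__":
    for line, verdict in suspicious_updates(UPDATES):
        print(f"{verdict:18} {line}")
```

Origin and length checks are what RPKI route-origin validation gives you; the transit check is the piece that would have caught the Renesys observation, since the origin there was still correct and only the path had changed.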



+ Cybersecurity experts reveal U.S. admins’ flaws in fixing Heartbleed bug

Cybersecurity experts from the University of Maryland conducted a detailed analysis and found that website administrators nationwide tasked with patching the hole exploited by the Heartbleed bug might not have done enough. Heartbleed, first disclosed in April this year, is a serious vulnerability in the popular OpenSSL software (an implementation of SSL/TLS) that allows anyone on the Internet to read the memory of systems running a vulnerable version. The team analyzed the most popular websites in the United States, more than one million sites in all, to better understand the extent to which systems administrators followed the recommended remediation steps to fix the problem.



+ U.S. agencies struggle vs. cyberattacks

A $10 billion-a-year effort to protect sensitive government data, from military secrets to Social Security numbers, is struggling to keep pace with an increasing number of cyberattacks and is unwittingly being undermined by federal employees and contractors. Workers scattered across more than a dozen agencies, from the Defense and Education departments to the National Weather Service, are responsible for at least half of the federal cyberincidents reported each year since 2010, according to an Associated Press analysis of records.



+ ‘Dridex’ malware brings back Microsoft Word macro attacks

A recent piece of malware that aims to steal your online banking credentials revives a decade-old technique to install itself on your PC. Called Dridex, the malware tries to steal your data when you log into an online bank account by creating HTML fields that ask you to enter additional information like your social security number. That’s not unusual in itself: Dridex is the successor to a similar piece of malware called Cridex which also targets your bank account. What’s different is how Dridex tries to infect your computer in the first place. It’s delivered in the form of a macro, buried in a Microsoft Word document in a spam email message.
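Added example (not from the article or from any AV product): the check a mail gateway can do on an Office attachment to catch Dridex-style macro carriers. It builds two small Word packages in memory (constructed, not real Word output), one plain and one carrying a VBA project, and shows that the package contents, not the filename extension, are what tell you a macro is present.

```python
"""Detect macro-enabled Office documents in a mail-gateway style check.

Added example, not from the article or any vendor tool. The sample documents are
constructed in memory: a harmless .docx, a .docm carrying a VBA project, and the
same macro file renamed to .doc to show why extension alone is not a useful signal.
"""
import io
import zipfile

CONTENT_TYPES_PLAIN = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Override PartName="/word/document.xml" '
    'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    '</Types>'
)
# Macro-enabled variant: main part is declared macroEnabled and a vbaProject part is listed.
CONTENT_TYPES_MACRO = CONTENT_TYPES_PLAIN.replace(
    "wordprocessingml.document.main+xml",
    "wordprocessingml.document.macroEnabled.main+xml",
).replace(
    "</Types>",
    '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>',
)


def build_docx(with_macro: bool) -> bytes:
    """Build a minimal OOXML package in memory (constructed, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES_MACRO if with_macro else CONTENT_TYPES_PLAIN)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is an OLE compound file; only the member name matters here.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0constructed-placeholder")
    return buf.getvalue()


def has_vba_project(data: bytes) -> bool:
    """True if the OOXML package carries or declares a VBA project."""
    if not data.startswith(b"PK\x03\x04"):
        return False   # not a zip container; legacy binary .doc needs an OLE parser instead
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                ctypes = z.read("[Content_Types].xml").decode("utf-8", "replace")
                return "vnd.ms-office.vbaProject" in ctypes or "macroEnabled" in ctypes
    except zipfile.BadZipFile:
        return False
    return False


def triage(filename: str, data: bytes) -> str:
    """Return 'allow', 'quarantine' or 'quarantine-masquerade' for one attachment."""
    if not has_vba_project(data):
        return "allow"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    # A VBA project inside a file not named as macro-enabled is dressed up to look harmless.
    return "quarantine" if ext in ("docm", "dotm", "xlsm", "pptm") else "quarantine-masquerade"


if __name__ == "__main__":
    for name, blob in [("invoice.docx", build_docx(False)),
                       ("invoice.docm", build_docx(True)),
                       ("invoice.doc", build_docx(True))]:
        print(name, triage(name, blob))
```

Quarantining on package contents is the gateway-side half; the host-side half is the Office macro security setting, since the whole Dridex delivery depends on the user clicking through the "enable content" prompt.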



+ Employee Mistakes Undermine US Government Data Security

According to an Associated Press analysis of information obtained through Freedom of Information Act (FOIA) requests, at least half of US government IT security incidents are the result of mistakes made by workers. Employees have violated workplace policies; lost or had stolen devices containing sensitive information; and shared sensitive information.

[Note The numbers aren’t tremendously different for private industry; if anything, employee error is responsible for a higher percentage of incidents. Attacker-driven breaches get the press coverage, but errors by well-meaning insiders (both users and sys admins) both directly cause a high percentage of breaches and are the root cause of enabling many external attacker breaches, as well. ]



+ This is the Most Advanced iPhone Malware Yet, and It Should Terrify You

While malware attacks have been possible against jailbroken iOS devices for some time, a new piece of malware has been discovered that can infect even iPhones that have not been jailbroken.



+ Finding Suspects With Multiple Identities in the Darknet

Here is a PDF of a paper being presented at the ACM conference in Phoenix this week. | A useful approach for automating scans for Darknet research



+ Russian hackers’ ‘Trojan Horse’ malware inside U.S. critical infrastructure since 2011

A Russian hacking campaign against U.S. critical infrastructure has gone on since 2011 and puts hundreds of thousands of Americans at risk.



+ Sheriff’s office pays ransom to unlock files from malware  (REALLY – STILL???  Just do & monitor for SIMPLE cyber hygiene factors folks!!!)

A Tennessee sheriff’s department said it paid more than $500 ransom to release files locked away by malicious software accidentally downloaded into the


+ Crowti Crypto-Malware Hits the United States

The ransomware Crowti/CryptoWall with file encryption capabilities has been seen more often in the past month on computers located in the United States, as a result of multiple new email campaigns distributing the threat.   The modus operandi of the malware should be well known by now: after compromising the system, Crowti/CryptoWall starts encrypting the data on the hard drive and then shows the victim a message asking for payment in return for a key that would unlock the files.



+ DHS drafts blueprints for self-repairing networks as hacks mount

The Department of Homeland Security is working with industry to automate cyber defenses inside the government, which will ensure operations continue during and after hack attacks, DHS officials said Wednesday. Enterprise Automated Security Environment, or EASE, could give rise to something like a self-repairing network, Philip Quade, chief operating officer of National Security Agency’s information assurance directorate, told Nextgov last week. Hacks are inevitable, many security professionals say. Resiliency is the key to preventing the attackers from finding sensitive information or disrupting activities, they add.



+ FTC asks court to let cybersecurity case against Wyndham proceed

Wyndham Hotel’s failure to use “reasonable” security measures to prevent hackers from accessing information about consumers constitutes an unfair practice, the Federal Trade Commission argues in new court papers. “Wyndham left customer data unprotected by firewalls; did not encrypt credit card information; used outdated software that could not receive security updates; used widely known default passwords and easily guessed passwords instead of complex passwords .. and failed to employ reasonable measures for detecting and preventing intrusions,” the FTC writes in a brief filed this week with the 3rd Circuit Court of Appeals.

In Standoff with FTC, Wyndham Shoots Itself in the Foot

The FTC is going on the offensive in lack of data security ..  Including more personal liability for company D&Os



+ DHS and Industry Seeking to Develop Resilient Information Systems

In an effort to bolster the resilience of its information systems, the US Department of Homeland Security (DHS) is working with industry partners to develop automated cyber defense mechanisms for the government. The concept, dubbed Enterprise Automated Security Environment (EASE) could possibly develop a network that repairs itself.

[Note: Resilience is not free; it comes at the cost of redundancy and complexity, but not so much.  Given the threat, persistent vulnerability, and the consequences, it is efficient…]



+ Post Breach: Prioritizing Cyber Spending

Following a data breach, organizations need to be sure they avoid simply throwing more money into cybersecurity without first carefully analyzing where the investments are most needed.



+ Keeping your cyber security credentials current… (especially all you NAVY CSWF folks!)

ALNAV 250/14 Navy Cybersecurity Workforce (CSWF) credentials ..—  ALL CSWF (government, military and contractors)  must have baseline certs AND keep up their credentials with  40 hrs / year training (CEUs)



+  Everything You Need To Know About The Internet Of Things



$$$ Cloud will make up 3/4 of all data center traffic in 3-4 years



$$$   Why venture funds are rushing to back Ineda






++++  Cyber Security News you can use  +++


+ Only half of USB devices have an unpatchable flaw, but no one knows which half

First, the good news: that unpatchable security flaw in USB devices first brought to light over the summer affects only about half of the things you plug into your USB port. The bad news is it’s nearly impossible to sort out the secure gadgets from the insecure ones without ripping open every last thumb drive. At the PacSec



+ Why Cybersecurity Threats Are About to Get Much, Much Worse






++++   SD/SoCAL security events / opportunities +++


+ CyberTECH events / networking / startups / etc  —  THE cyber happening place in SD!!!  Join their Meetup Group for the latest event information!   The definition of “Cyber KEWEL”






17 –  (Mon) Joint ISACA & ISSA- (11:30 – 1PM)    Annual CISO Panel ADM Baker field. ALWAYS a good venue!!!



19 – ISC2 Monthly meeting – 6PM – topic –  Security continuous monitoring. …  By Robin Felix (on our ISC2 board)..  We’re always located at Mitchell International Inc,  6220 Greenwich Dr San Diego, CA 92131.



20 –  The IT Summit in San Diego, CA (all day) … LOTS of topics.. great Security CEUs too..   San Diego Convention Center,  92101



20 –  OWASP Month meeting  (6PM)  Joint Speaker: Alex Rice/Facebook & HackerOne and Katie Moussouris / HackerOne —   Topic: AppSec Bug Bounty Programs – Story-Telling







16 – ISSA Annual elections and BIG prize raffle!!





+++  Future events in planning  FYI:


30 JAN – SAVE  THE DATE – Cross Border cyber opportunities – MX/TJ and CA/SD collaboration event, all day Friday!!!  (Hosted at Coleman University) – Contact me to join in…



31 Jan – Tentative –   Started planning “BigDataDay 4 SD”  all-day event – free –   Jump in and help us!

WE went to the one in LA and it was great…   likely our three tracks will be:

–  Technical =  Hadoop/Hbase/NoSQL;

–  Data science = predictive analytics, etc

–  Applications / products = actual new stuff, etc..  Privacy / data security. ..



TBD  – Provided by IEEE Cyber SIG / Various Security groups – all day – – Privacy by design workshop– a cyber model & why you must be part of this initiative!  (at Coleman University –  AM Technical approach… PM public discussions)

Help move SD forward in cyber –  DOING security vs admiring the problem…. SO engage and help out on cyber 4 PbD!!!

+++  Join our PbD / data security meetup, stay tuned into what’s happened..


See our Cyber for PbD overview brief at

AND Our more detailed technical paper on our Cyber 4 PbD approach, including an executable, proposed open privacy framework within an enterprise architecture is at (this rough draft is also getting ready to be published in a major IEEE magazine in Jan 2014):


 NOV 2

+ Hackers breach some White House computers  (NO ONE is ‘safe”)

Hackers thought to be working for the Russian government breached the unclassified White House computer networks in recent weeks, sources said, resulting in temporary disruptions to some services while cybersecurity teams worked to contain the intrusion. White House officials, speaking on the condition of anonymity to discuss an ongoing investigation, said that the intruders did not damage any of the systems and that, to date, there is no evidence the classified network was hacked. “In the course of assessing recent threats, we identified activity of concern on the unclassified Executive Office of the President network,” said one White House official. “We took immediate measures to evaluate and mitigate the activity. . . . Unfortunately, some of that resulted in the disruption of regular services to users. But people were on it and are dealing with it.”



+ Study: Cyberattacks up 48 percent in 2014

The number of detected cyberattacks skyrocketed in 2014 — up 48 percent from 2013 — and they are costing companies more money, according to two global studies released Monday. This year is expected to see 42.8 million cyberattacks, roughly 117,339 attacks each day, a study from consulting firm PricewaterhouseCoopers found. Nearly all companies surveyed were hit by a cyberattack in 2014, costing them hundreds of thousands, potentially millions, of dollars…

Data Security Legal Practice Booming

Cisco warns of unprecedented growth of malicious traffic

How Many Financial Services Firms Had Cyber Attacks? 93%  (some great numbers)



+ DHS sketches the tech future

Reginald Brothers will probably be out of his job in another two years or so. But he’s making policy plans for the next three decades. This week, Brothers — Homeland Security undersecretary for science and technology — laid out an ambitious, though very general, long-term agenda for DHS’s tech-development arm that concentrates on developing a seamless cybersecurity infrastructure, networked threat detection technology, and speedier traveler and cargo security detection capabilities.




+ CryptoWall Surpassing Expectations: (??/ have YOU taken this seriously yet???)

Victims Paying Up to $2000 to Get Files Back.. it’s now estimated the creators of Cryptowall are making about $25000 a day from it (victims pay between $200-2000). Also, in the past few weeks, the ransomware increased in the number of infected computers by about 25% to the current 830,000 infected globally..
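Added example (not from the Crowti/CryptoWall items or any vendor report), serving both the Crowti item above and this one: detection logic run over constructed file-activity events, flagging the three behaviours that separate bulk encryption from normal file handling: a burst of extension-changing renames by one process, a ransom-note-style file being written, and the same process reaching files on a network share. The event format, process names, paths, note markers and thresholds are all assumptions.

```python
"""Spot CryptoWall-style bulk encryption from file-activity events.

Added example, not from any cited report. Event lines are constructed in the
shape "<ISO time> <pid> <image> <op> <path>" as a host agent might produce;
the paths, process names, note markers and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EVENTS = """
2014-11-12T09:00:01 4120 winword.exe WRITE C:\\Users\\bob\\Documents\\q3.docx
2014-11-12T09:10:00 5230 svchost-update.exe RENAME C:\\Users\\bob\\Documents\\q3.docx -> C:\\Users\\bob\\Documents\\q3.docx.encrypted
2014-11-12T09:10:01 5230 svchost-update.exe RENAME C:\\Users\\bob\\Documents\\budget.xlsx -> C:\\Users\\bob\\Documents\\budget.xlsx.encrypted
2014-11-12T09:10:01 5230 svchost-update.exe RENAME C:\\Users\\bob\\Pictures\\dog.jpg -> C:\\Users\\bob\\Pictures\\dog.jpg.encrypted
2014-11-12T09:10:02 5230 svchost-update.exe RENAME C:\\Users\\bob\\Desktop\\notes.txt -> C:\\Users\\bob\\Desktop\\notes.txt.encrypted
2014-11-12T09:10:02 5230 svchost-update.exe WRITE C:\\Users\\bob\\Desktop\\DECRYPT_INSTRUCTION.TXT
2014-11-12T09:10:03 5230 svchost-update.exe RENAME \\\\fileserver\\share\\contracts.pdf -> \\\\fileserver\\share\\contracts.pdf.encrypted
2014-11-12T09:45:00 6001 explorer.exe RENAME C:\\Users\\bob\\Desktop\\old.txt -> C:\\Users\\bob\\Desktop\\older.txt
""".strip().splitlines()

WINDOW = timedelta(seconds=60)
RENAME_THRESHOLD = 4            # distinct files renamed by one process inside WINDOW (assumed)
NOTE_MARKERS = ("DECRYPT", "HELP_YOUR_FILES", "RECOVER", "HOW_TO")  # ransom-note style names (assumed)


def parse(line):
    """Split one constructed event line into a dict; RENAME lines carry 'src -> dst'."""
    ts, pid, image, op, rest = line.split(" ", 4)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
    if op == "RENAME":
        src, dst = rest.split(" -> ")
    else:
        src, dst = rest, None
    return {"when": when, "pid": int(pid), "image": image, "op": op, "src": src, "dst": dst}


def extension_changed(ev):
    """A rename that appends or swaps the extension is the signature of bulk encryption."""
    if ev["op"] != "RENAME":
        return False
    src_ext = ev["src"].rsplit(".", 1)[-1].lower()
    dst_ext = ev["dst"].rsplit(".", 1)[-1].lower()
    return src_ext != dst_ext


def detect(lines):
    """Return alerts as (pid, image, reason) for processes behaving like a file encrypter."""
    per_proc = defaultdict(list)
    for ev in (parse(l) for l in lines):
        per_proc[ev["pid"]].append(ev)

    alerts = []
    for pid, evs in per_proc.items():
        image = evs[0]["image"]
        renames = [e for e in evs if extension_changed(e)]
        # Sliding window over the rename timestamps (events arrive time-ordered).
        for i, first in enumerate(renames):
            burst = [r for r in renames[i:] if r["when"] - first["when"] <= WINDOW]
            if len({r["src"] for r in burst}) >= RENAME_THRESHOLD:
                alerts.append((pid, image, f"{len(burst)} extension-changing renames within {WINDOW.seconds}s"))
                break
        if any(e["op"] == "WRITE" and any(m in e["src"].upper() for m in NOTE_MARKERS) for e in evs):
            alerts.append((pid, image, "ransom-note-style file written"))
        if any(e["src"].startswith("\\\\") for e in evs if extension_changed(e)):
            alerts.append((pid, image, "encrypting files on a network share"))
    return alerts


if __name__ == "__main__":
    for pid, image, reason in detect(EVENTS):
        print(pid, image, reason)
```

The rename burst is the earliest and most reliable of the three signals, and the only one that fires before most of the user's data is gone; the network-share signal is the one that turns a single infected desktop into the whole-office incident the sheriff's-office story above describes.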



+ British Spies Allowed to Access U.S. Data Without a Warrant (thought your data was ’safe” in the EU?)

Newly released documents from the British government reveal a lack of judicial oversight for how it sifts through communications data collected by the NSA and other foreign

SEE BELOW if privacy matters to you..



+ Is your current “FUD” / scare tactics cyber approach stalled?  Sell Privacy instead…(PbD)

Try using enhanced privacy protection to sell the cyber utility / RoI instead of just improved security…

Privacy is personal, emotional, applies everywhere and is mandated by laws in many cases (PII, HIPAA, PCI, etc..) with increasingly large fines..  and in many cases corporate officers can be held personally liable for lack of due diligence therein..

IF interested in this privacy first topic / approach.. .. skim our paper on the topic of a cyber enhanced privacy by design (PbD) approach, building an open privacy framework (centered around data centric security principles)  with buildable specifications…

AND/or  join our meetup to collaborate with folks who get Cyber 4 PbD and see all the vast global opportunities..


ALSO..  One of the world’s most ambitious privacy initiatives launches in January



+ 20 Critical Controls for Effective Cyber Defense Interactive Helper Kit

Randy B was able to reestablish a direct download link for anyone who wants his SANS 20 Critical Controls for Effective Cyber Defense Helper Kit –  Version interactive spreadsheet..

Tabs for 800-53a,  NERC CIP 5,  NIST CSF, HIPAA SRS,  VZ DBIR,  ISO 27001,  AND MORE..

—-  a MOST excellent tool.. check it out!!!



+ From Brain To Computer: Helping ‘Locked-In’ Patient Get His Thoughts Out

Cool…  is Security built in…?    Now add Google glass… other wearables…



+ Gartner magic quadrant – Compare 27 Top Business Intelligence Software

Find the best BI solution for your needs. Evaluate vendors based on customer satisfaction, functionality, cost and more. Learn about the business intelligence landscape from top industry analysts in this complimentary report.






++++  Cyber Security News you can use  +++



+ Verizon’s ‘perma-cookie’ is a privacy-killing machine

Verizon Wireless has been subtly altering the web traffic of its wireless customers for the past two years, inserting a string of about 50 letters, numbers, and characters into data flowing between these customers and the websites they visit. The company—one the country’s largest wireless carriers, providing cell phone service for about 123 million subscribers—calls this a Unique Identifier Header, or UIDH. It’s a kind of short-term serial number that advertisers can use to identify you on the web, and it’s the lynchpin of the company’s internet advertising program. But critics say that it’s also a reckless misuse of Verizon’s power as an internet service provider—something that could be used as a trump card to obviate established privacy tools such as private browsing sessions or “do not track” features.



+ FCC becomes data security cop

Two small phone companies will be fined a combined $10 million for violating their customers’ privacy. The Federal Communications Commission (FCC) alleged on Friday that TerraCom and YourTel America stored 300,000 subscribers’ names, addresses, Social Security numbers, driver’s licenses or other sensitive data on unguarded Internet servers that could easily be accessed anywhere in the world. That opened the customers up to fraud and identity theft, the FCC said. “This is unacceptable,” FCC Enforcement Bureau Chief Travis LeBlanc told reporters on Friday. “We will not tolerate conduct that puts American consumers at risk of financial fraud and identity theft.”



+ New cyber doctrine shows more offense, transparency

The Pentagon this week published a doctrine that was unusually candid about offensive scenarios in cyberspace, a transparency that experts say could lead to an open and perhaps overdue policy debate. The document, released internally by the Joint Chiefs of Staff in February 2013 and publicly on Oct. 21, argues that the “growing reliance on cyberspace around the globe requires carefully controlling OCO [offensive cyber operations], requiring national level approval. This requires commanders to remain cognizant of changes in national cyberspace policy and potential impacts on operational authorities.”



+ NIST Issues Information Sharing Guidelines for Public Comment  

The US National Institute of Standards and Technology (NIST) has released a draft of its Guide to Cyber Threat Information Sharing for public comment. “The goal of the publication is to provide guidance that improves the efficiency and effectiveness of defensive cyber operations and incident response activities, by introducing safe and effective information sharing practices.” NIST will be accepting comments through November 28.

[Note: All infrastructure enterprises should read and respond to this guidance.  Response should begin with comparing the maturity of one’s program to that implied by the guidance.  However, it should be noted that these recommendations do not imply, suggest, or require the sharing of PII, IP, or business plans or programs.

Compliance is good business and does not require the granting of any special legislative authority or immunity.

The document is well worth reading. The concepts of security intelligence and information sharing are crucial. In fact they may be mandated by law.]


+ Marine Corps weeks away from beta testing BYOD approach

The Marine Corps is a “couple weeks” away from a beta test that it hopes will pave the way for a possible overhaul of Defense Department mobility policies. The goal is to let users bring personally-owned devices onto DoD networks potentially as soon as next year. DoD technology leaders have remained skeptical for years about whether a “bring your own device” approach could surmount the Pentagon’s significant legal, security and policy obstacles. But for the Marines, the urgency to at least give BYOD a try is almost entirely about money.



+ 451 Report: The new ‘Un-WAF’

The recent very public spate of security breaches has meant heightened awareness of security in the C-Suite and, with the increased effectiveness of network security products, hackers have increasingly turned to the application layer as a softer target.  Application layer attacks such as cross-site scripting (XSS), SQL injection and cross-site request forgery (CSRF) are the most common and enterprises are looking for immediate solutions.

“Breach reports are still showing web applications as the primary vector for attacks on the enterprise. Prevoty approaches application protection in a new way, by having code inserted in the application that calls its API to do the analysis and scrubbing of incoming requests in real-time.”  (a little “product centric” report…)
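Added example (not from the 451 report or from Prevoty): the simplest of the three attack classes named above, SQL injection, shown as a string-built login query beside its parameterised fix, run against an in-memory SQLite table with constructed rows. The schema, usernames, passwords and payloads are assumptions. The point is that the fix lives in the application code at the query boundary, which is exactly the layer the report says attackers have moved to.

```python
"""One vulnerable login query beside its parameterised fix (SQLite, in memory).

Added example, not from the 451 report or Prevoty. Table contents, usernames,
passwords and the injection payloads are constructed for the demonstration.
"""
import sqlite3


def make_db():
    """Create an in-memory users table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "correct horse", "admin"),   # constructed rows
        ("bob", "hunter2", "user"),
    ])
    return conn


def login_vulnerable(conn, username, password):
    """String-built SQL: attacker input becomes part of the query grammar."""
    sql = f"SELECT role FROM users WHERE username = '{username}' AND password = '{password}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Parameterised query: input is bound as data and can never alter the statement."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Constructed payloads: the first comments out the password check, the second
# turns the WHERE clause into a tautology so the first row (alice, admin) comes back.
PAYLOAD_COMMENT = "alice' --"
PAYLOAD_TAUTOLOGY = "' OR 1=1 --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, comment payload :", login_vulnerable(db, PAYLOAD_COMMENT, "anything"))
    print("vulnerable, tautology       :", login_vulnerable(db, PAYLOAD_TAUTOLOGY, ""))
    print("fixed, comment payload      :", login_fixed(db, PAYLOAD_COMMENT, "anything"))
    print("fixed, real credentials     :", login_fixed(db, "alice", "correct horse"))
```

A request-scrubbing layer in front of the application, whether a WAF or an in-process hook like the one the report describes, can catch the payloads shown here; only the parameterised form removes the class of bug, which is why it belongs in the code regardless of what sits in front of it.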



+ Open-Source Software Brings Bugs To Web Applications

An average of eight severe security flaws from open-source and third-party code can be found in each web application, according to new findings from Veracode.



+ 10 Things IT Probably Doesn’t Know About Cyber Insurance

Understand the benefits and the pitfalls you might miss when evaluating cyber policies.



+ Proposed rule change could hit small IT businesses

An SBA plan would reclassify IT firms with annual sales of more than $27.5 million, making them ineligible for small business preferences.



+ Defending National Security by Analyzing Data

In this 12-page whitepaper find out how agencies can keep up with the sophistication of new cyber threats. You will learn how to be armed with the knowledge and tools that have the power to analyze large quantities of data, and provide insights that can reveal connections previously unknown.

—   AND.. Cybersecurity: Evolving Threats, Evolving Solutions: Whitepaper



+ The Blind Men, the Elephant and the FTC’s Data Security Standards

Like a group of blind men encountering an elephant —one touching the trunk and thinking “snake,” another feeling a tusk and thinking “sword,” a third caressing an ear and thinking “sail”—so do commentators, lawyers and industry players struggle to identify what “reasonable data security” practices mean in the eyes of the Federal Trade Commission (FTC). In the absence of federal legislation or regulatory guidance, the reasonableness standard is assessed on a case-by-case basis through a string of FTC enforcement actions, 47 so far, by which the agency provides the public with glimpses into its regulatory interpretation. Luckily, Westin Research Fellow Patricia Bailin, CIPP/US, has pieced together the most comprehensive view to date of the FTC’s reasonable data security standards. Now it is available as a pdf that is easy to distribute and use as a tool in your organization. IAPP VP of Research and Education Omer Tene breaks down how this tool can help you navigate the uncertainty of “reasonable security.”

The IAPP’s study paper




+ Think You Don’t Need To Think About COPPA? Think Again

“It’s not just online services and websites targeted toward children that need to be diligent about following Children’s Online Privacy Protection Act (COPPA) regulations,” writes Joanne Furtsch, CIPP/US, CIPP/C, of TRUSTe in this Privacy Tracker post. The Federal Trade Commission (FTC) recently took two companies to court—one a popular app for all audiences. And if the EU’s proposed data protection regulation comes to pass, children will be considered data subjects for the first time. Editor’s Note: Furtsch and the FTC’s Peder Magee will speak about COPPA in the IAPP web conference The Cat’s Cradle of COPPA Compliance—Understanding the Complexities of Protecting Children’s Privacy Online.



+ A $12 fitness band? Yep.

SAN FRANCISCO —  What would it take to get you to wear a fitness band? How about one that costs $12?  Entrepreneur David Donovick’s Pivotal Living startup is taking on market leaders Fitbit and Jawbone with the Life Tracker 1 — a wristband and smartphone app that promise to do the things modern fitness bands can do, at the cost of about $1 a month. Slapping on any one of these lightweight bracelets can help you get fit by counting your steps, helping you track sleep, weight or even how much water you drink. They all work with companion smartphone apps. For anyone who has tried one (I wear a Jawbone UP24), it’s a no-brainer proposition. They really can motivate you to get up from your desk, move around, get more sleep (or try) and generally get on track to better health goals.



+  NAVY stories on getting more into cyber security.. but can others use it too, and in affordable ways?

Task Force Cyber Awakening is being run out of OPNAV

Navy Takes on Internet of Things with New Task Force

NAVSEA: Submarine Control Systems are at Risk for Cyber Attack



+ Making Sense of the Chaos: Measuring The Influence of Social Media

The power social media has exerted over the way we communicate and do business is nothing short of a phenomenon. Within just a few years, social media has dramatically altered the way most businesses engage with their customers. But how can those efforts be quantified? See this white paper to find out!



+ 8 big trends in big data analytics

YES, many are to watch – the big trends they missed are which fields are being disrupted and the SENSING…… “Operational Technology”, Mobility, 3D+, embedded sensing, cyber physical interfaces, and the industrial internet. [This article was written by a database guy for database guys….. The Hadoop trend is now 17 years old and has been open sourced since 2006…. ] IF he is trying to say the trend is mainstream adoption of massively parallel processing… OK…



+ Top 10 Strategic Tech Trends for 2015 from Gartner



+ The Top 20 Most Popular Verticals to Start Companies In



+ The Sectors Where the Internet of Things Really Matters



+ Bumper Book Of Business Intelligence (BI) – free eBook,

A complete, 90-page guide covering everything you need to know about BI, analytics and reporting..



+ Gartner Highlights the Top 10 Cloud Myths



+ Privacy & Security: The New Drivers of Brand, Reputation and Action



+ Why IoT Security & Privacy Are Critical… and… PbD



+ GREAT Resources – Privacy and Big Data Institute – LOTS from Ryerson University





++++  FYI / FYSA   +++



+ U.S. officials urge more govt-business cooperation on cybersecurity

U.S. officials on Tuesday urged corporate America to work with the government to fend off cyber threats and said intelligence and law enforcement authorities are working to get useful information to companies about potential attacks. The FBI has presented more than three dozen classified, sector-specific threat briefings to companies in the past year, John Carlin, head of the Justice Department’s National Security Division, said at a conference hosted by the U.S. Chamber of Commerce. “We also share sensitive information with you so you can defend against attacks in real time, and engage in disruption efforts,” Carlin told the conference.



+ Samsung Knox is weak, researcher says

An unidentified security researcher has analyzed the design of Samsung’s Knox security software for Android devices and claims that the code implements encryption in an insecure manner. The researcher, in a blog post published under the name “Ares,” cites the US government’s decision to certify Knox for government use as a rationale for releasing the findings. This week, Samsung’s Galaxy S4 and S5, Galaxy Note 3, and Galaxy Note 10.1 2014 Edition were added to the Commercial Solutions for Classified (CSfC) Program run by the National Security Agency and Central Security Service. This followed the US Department of Defense’s approval of Samsung Knox-enabled devices in May 2013 for use in DoD networks.



+ The big data shift from predictive to prescriptive analytics

YES, also consider.. In health care big data is going to “prescriptive” – especially in the context of treating the patient. IBM is selling time on Watson just for this. In some of the other heavier industries they are going from predictive to optimization. Predictive in this case means something like being able to forecast Mean Time Between Failure more accurately. Optimization is really our old friend Operational Analysis…. traveling salesman problems etc. As industries start to use more analytics they move outside their own data (blue data) and start analyzing their entire value chain (what I would equate to grey data) in the context of supply chain vulnerabilities, threats, shortfalls (red data). Once they do this they are not “predicting”, they are actually controlling their future outcomes, i.e., optimizing.



+ MasterCard and Zwipe announce the launch of the world’s first biometric contactless payment card

announced their partnership for the launch of the world’s first contactless payment card featuring an integrated fingerprint sensor. The launch of the card comes after a successful live pilot with Norway’s Sparebanken DIN, aligned to the Eika Group, as an answer to the complex challenge of providing a fast, convenient payment solution that does not compromise on security. It includes an integrated biometric sensor and the Zwipe secure biometric authentication technology …



+ Report Offers Guidance for Determining Veracity of Data Leak Claims

Deloitte & Touche has published a paper that contains advice for determining whether data found on the Internet are actually data stolen from a company or if posted information is fake. Companies can check to see if the posted data are duplicates of data that has been posted previously; they can also check to see if the listed usernames actually exist, and if the passwords abide by the company’s password policy.

[Note: Consider “watermarking” or “seeding” data so that one can recognize it later and demonstrate its provenance to third parties when necessary…]
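A small triage script for the three checks described above (is the dump a duplicate of an earlier post, do the usernames exist, do the passwords fit the policy) plus the seeding idea from the note. This is an added example, not code from the Deloitte paper or this newsletter; the prior-dump hashes, user directory, canary accounts, password policy and the posted dump are all constructed placeholders.

```python
import hashlib
import re

# Everything below is constructed sample data, not from the Deloitte paper.
# Hashes of credential lines from dumps we have already triaged.
PRIOR_DUMP_HASHES = {
    hashlib.sha256(b"alice@example.com:Winter2014!").hexdigest(),
}
# Our real user directory (lower-cased logins).
KNOWN_USERS = {"alice@example.com", "bob@example.com", "carol@example.com"}
# "Seeded" accounts: planted in the directory, never issued to a person, so
# their presence in a posted dump shows the data really came from us.
CANARY_USERS = {"zz-canary-7731@example.com"}
# Our password policy: 8+ chars with upper, lower and digit.
POLICY = re.compile(r"^(?=.*[A-Z])(?=.*[a-z])(?=.*\d).{8,}$")


def line_hash(line):
    """Stable fingerprint of one 'user:password' line for dedup against prior dumps."""
    return hashlib.sha256(line.encode("utf-8")).hexdigest()


def assess_leak(lines):
    """Apply the three Deloitte checks plus the canary check to each posted line."""
    results = []
    for raw in lines:
        line = raw.strip()
        if not line or ":" not in line:
            continue  # skip blanks and anything that is not user:password
        user, _, pwd = line.partition(":")
        user = user.lower()
        results.append({
            "user": user,
            "seen_before": line_hash(line) in PRIOR_DUMP_HASHES,
            "user_exists": user in KNOWN_USERS or user in CANARY_USERS,
            "policy_ok": bool(POLICY.match(pwd)),
            "canary": user in CANARY_USERS,
        })
    return results


def summarize(results):
    """Roll the per-line checks into one triage verdict."""
    total = len(results)
    if total == 0:
        return {"total": 0, "verdict": "no usable records"}
    recycled = sum(r["seen_before"] for r in results)
    existing = sum(r["user_exists"] for r in results)
    policy_ok = sum(r["policy_ok"] for r in results)
    canary_hit = any(r["canary"] for r in results)
    if canary_hit:
        verdict = "likely genuine: seeded record present"
    elif recycled == total:
        verdict = "recycled: every line appeared in an earlier dump"
    elif existing / total < 0.5 or policy_ok / total < 0.5:
        verdict = "likely fake or unrelated"
    else:
        verdict = "plausible: investigate"
    return {"total": total, "recycled": recycled, "existing": existing,
            "policy_ok": policy_ok, "canary_hit": canary_hit, "verdict": verdict}


# Constructed example of a "leak" pasted online.
POSTED_DUMP = """alice@example.com:Winter2014!
bob@example.com:Summer2014x
nobody@example.com:hunter2
zz-canary-7731@example.com:Canary99pass
"""

if __name__ == "__main__":
    print(summarize(assess_leak(POSTED_DUMP.splitlines())))
```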



+ Security Companies Team Up, Take Down Chinese Hacking Group

Novetta, Microsoft, and others form Operation SMN to eradicate Hikit malware and disrupt the cyber espionage gang Axiom’s extensive information gathering.



+ How I Became a CISO: Janet Levesque, RSA

RSA’s newest chief information security officer says she landed the job because of her ability to build relationships, not a background in crypto or a pile of certs.



+ Digital government, openness and open cloud — new cornerstones of democracy

The era of openness is upon us, with open cloud as a gateway to the interoperability we all seek.

In just a few decades, we’ve moved from the individualized computing paradigm of the PC toward an always-on world where billions of people are connected across multiple systems, platforms and services by computing devices of all sizes and shapes. Interoperability, open source and open standards are all critical today.



+ 3 Themes of Insurance Tech Transformation

The insurance industry has evolved around three key transformation themes that can be achieved through the use of technology.



+ Privacy After Hours: Bigger Than Ever

Privacy After Hours, a volunteer-organized series of after-hours get-togethers held all across the globe, expanded yet again this past Thursday, with 31 events held and hundreds of attendees. The big news? We’re in China now! Gregory Louvel of Dechert LLP held the IAPP’s first-ever party in Beijing.



+  Small / Medium Businesses (SMB)  articles / tools…  

A Cyber Security Toolkit For Your Small Business

The Cybersecurity Prescription For Small And Growing Businesses

Yes… 3 good recommendations.. ADDED to MSS… and SCM backing up a good hygiene program.. and cyber insurance…

Why hackers love your SMB… lack of security

Improving cybersecurity for small and medium-sized businesses



+ New website helps small business leaders take cybersecurity action

Cybersecurity is important for companies of all sizes, but it can be difficult for smaller businesses to keep their companies protected. To help businesses do this, the National Cyber Security Alliance (NCSA) recently launched a new program called RE: Cyber. The organization realized that many leaders of small and medium size businesses lack the resources and tools they need to protect their companies against cyberthreats. “We want to ensure that small businesses are empowered and have smart cybersecurity plans in place to stay safe online and continue to build customer trust,” said Michael Kaiser, executive director of NCSA.



+ Google has announced the introduction of an improved two-factor authentication mechanism based on a USB token dubbed Security Key.


+ Russia, China near cybersecurity deal



+ Cybersecurity and Data Breaches: What CMOs Need to Know



+ Can You Handle the Truth about Data Breaches?



+ The IoT Ecosystem Meets the Supply Chain



+ Internet Privacy Begins With You

Great consumer view of the need for privacy..



+ HL7 Security  – Document Library

Some good resources for security info… much health related… PPTs, papers, etc.. USE CASES too



+ Top 10 Entrepreneurs to Watch in San Diego in 2015



+ Inaugural Internet Privacy Engineering Network (IPEN) (in Berlin – starting best practices sharing…)



+ COOL, Non-Cyber fun fact

– Pope Francis declares evolution and Big Bang theory are right

and God isn’t ‘a magician with a magic wand’     Besides most scientists believing in the big bang theory.. rather an amazing thing in itself… poof… our universe made and is still expanding .. so where did that come from. ..;-))

And billions of galaxies too.. our milky way is small by comparison. .

What of the other end of the spectrum…the smallest particles of matter…  quarks and leptons, with muons and such…  with attributes such as “charm and strange”…     say what?  A massless thing with an attitude… Atoms.. We’re mostly space….   Then there is gravity… and dark matter…  all looking for that unifying principle. .





++++  THREATs  / bad news stuff / etc  +++



+ Employees of Fortune 500 Companies May Have Credentials Leaked

New research alleges that at 221 of the Fortune 500 companies, employees’ credentials are leaked online for hackers to access and use in cyber-attacks, Mashable reports. Web intelligence firm Recorded Future said of the 600,000 websites that have posted users’ credentials from January 1 to October 8 of this year, 44 percent included a username-password combination from a Fortune 500 company. The leading industrial sectors affected include the financial sector and the retail/customer service vertical. Meanwhile, NetworkWorld reports on Voxis, a platform that allows cybercriminals to use stolen credit card data while avoiding fraud detection systems. Apple Pay competitor CurrenC, which is in beta, may have been breached, and cybersecurity firm IT Governance is urging U.S. organizations to implement ISO27001 to minimize data breach risk.




+ ICS-CERT Issues Alert About Ongoing BlackEnergy Malware Campaign

Groups have been using malware known as BlackEnergy to target industrial control systems (ICS) since 2011, according to a security advisory released earlier this week by the US Department of Homeland Security’s (DHS’s) ICS-CERT. The malware affects human-machine interface (HMI) software from several different vendors.

[Note: This is another revelation of special-purpose ICS-targeted malware engineered to be modular and deliver a foothold onto an ICS component. The earlier reports focused on one ICS supplier’s HMI implementation, but it was expected that exploit capability against additional targets would follow. This delivery vehicle was designed to take advantage of poor architectures, as the scope of the problem of ICS components being connected with direct Internet accessibility is increasing (see the Project SHINE [SHodan INtelligence Extraction] report).]



+ US military officials, defense firms targeted in ‘Operation Pawn Storm’

In yet another cyber espionage campaign that serves as a chilling reminder that China isn’t the only game in town when it comes to advanced persistent threats, attackers are hammering US and allied military officials and defense contractors — as well as news media outlets — in a series of hacks that aim to gain economic and political intelligence. Trend Micro published a report today on the so-called Operation Pawn Storm cyber espionage campaign that has been in action since 2007 and has become more sophisticated, with the attackers getting adept at remaining inside their targets even after being detected. The security firm stopped short of tying the attacks specifically to any particular nation, but the targeted organizations and regions, as well as the timing geopolitically, appear to point to Russia or Russian interests. The attackers are going after the US, NATO allies, and Russian dissidents.



+ ‘Replay’ attacks spoof chip card charges

An odd new pattern of credit card fraud emanating from Brazil and targeting U.S. financial institutions could spell costly trouble for banks that are just beginning to issue customers more secure chip-based credit and debit cards. Over the past week, at least three U.S. financial institutions reported receiving tens of thousands of dollars in fraudulent credit and debit card transactions coming from Brazil and hitting card accounts stolen in recent retail heists, principally cards compromised as part of the breach at Home Depot.



+ Researchers identify sophisticated Chinese cyberespionage group

A coalition of security researchers has identified a Chinese cyberespionage group that appears to be the most sophisticated of any publicly known Chinese hacker unit and targets not only U.S. and Western government agencies but also dissidents inside and outside China. News of the state-sponsored hacker group dubbed Axiom comes a week before Secretary of State John F. Kerry and two weeks before President Obama are due to arrive in Beijing for a series of high-level talks, including on the issue of cybersecurity. In a report to be issued Tuesday, the researchers said Axiom is going after intelligence benefiting Chinese domestic and international policies — an across-the-waterfront approach that combines commercial cyberespionage, foreign intelligence and counterintelligence with the monitoring of dissidents.



+ Koler Worm Spreads Via SMS, Holds Phones for Ransom

A new variant of the Android malware Koler now spreads by text message and holds infected users’ phones hostage until a ransom is paid.



+ Attackers Change Home Routers’ DNS Settings Via Malicious Code Injected in Ads

Sucuri Security researchers have unearthed a malvertising campaign aimed at changing the DNS settings of home routers in order to lead users to questionable and potentially malicious websites.



+ Shellshock Attacks Stack Up

Organizations are unable to keep up with patching processes and find incident response practices lag in wake of Bash bug.



+ Massive DDoS attack on Ukraine’s election commission website on election eve – (YES, can happen in USA!)

The official website of Ukraine’s election commission was under massive DDoS attack by unknown hackers on the eve of the country’s parliamentary polls. As per the information from Ukrainian officials, the official election commission website of Ukraine….



+ Europe under massive virtual cyber attack

More than 200 organizations from 25 EU member states are under virtual cyber-attack, as part of the continent’s largest and most complex ever cyber security exercise. Organized by the European Network and Information Security…



+ AirHopper — Hacking Into an Isolated Computer Using FM Radio Signals

Researchers have developed a proof-of-concept malware that can infiltrate a closed network to lift data from a machine that has been kept completely isolated from the internet or any Wi-Fi connection by using little more than a mobile phone’s FM radio signals.



+ Want to Kickstart a Hacktivist Campaign – start  Here!

We are currently witnessing a new phenomenon of popular uprising against governments in some post-Soviet Union countries. More and more citizens are forming active groups to protest against government corruption,



+ Hacking air gapped networks by using lasers and drones



+  13 sources of global cyber attack maps (some GREAT pics  maps!)



+ ‘Replay’ Attacks Spoof Chip Card Charges — no free lunch

Getting rid of current charge cards and going to chip and pin is not a total protection path..



+ Penetration Testing with Smartphones




++++   SD/SoCAL security events / opportunities +++



+ CyberTECH events / networking / startups / etc — THE cyber happening place in SD!!! Join their Meetup Group for the latest event information! The definition of “Cyber KEWEL”





6 – Cyber Awareness Month Recap  (6-8 PM)   FREE  @ Scale Matrix, 5775 Kearny Villa Rd  92123



17 –  (Mon) Joint ISACA & ISSA- (11:30 – 1PM)    Annual CISO Panel ADM Baker field.



19 – ISC2 Monthly meeting – 6PM – topic TBD…

Location: Always at Mitchell International Inc 6220 Greenwich Dr San Diego, CA 92131.



20 – OWASP Monthly meeting (6PM) Joint Speakers: Alex Rice / Facebook & HackerOne and Katie Moussouris / HackerOne — Topic: AppSec Bug Bounty Programs – Story-Telling







16 – ISSA Annual elections and BIG prize raffle!!





+++  Future events in planning  FYI:


TBD  – Provided by IEEE Cyber SIG / Various Security groups – all day – – Privacy by design workshop – a cyber model & why you must be part of this initiative!  (at Coleman University –  AM Technical approach… PM public discussions)   +++  Help move SD forward in cyber –  DOING security vs admiring the problem…. SO engage and help out on cyber 4 PbD!!!



TBD – Started planning “BigDataDay 4 SD” on the last Saturday in Jan, the 31st…. Jump in and help us!

We went to the one in LA and it was great… likely our three tracks will be:

–  Technical =  Hadoop/Hbase/NoSQL;

–  Data science = predictive analytics, etc

–  Applications = actual products, etc.. Privacy / data security. ..


TBD – Cross Border cyber opportunities – MX/TJ and CA/SD collaboration event!!!  (last Friday in JAN, 30th)

