Welcome to Cyber News Tidbits 4U!

Here are updated news compilations from the Cyber Security Community

Topic headers (+++):

1 – Security news you can likely use (re: management / opportunity items)

2 – Other items of general FYI / FYSA level interest

3 – Threats / bad news stuff / etc.. 


4 – SD/SoCAL items of interest / opportunities   (send me your SD meetings!) 

A couple of Highlights  (A couple of items of potentially notable interest / high utility &  value… your mileage will vary….)

(Lots happening,  so LOTs to be aware of. Takes 5 min to skim…then pick out a topic or two..)

 ( some great topics / meetings here in SD … scroll to bottom and get engaged)


++++  A  few  highlights of the week +++

 JAN 20

+ Toward Better Privacy, Data Breach Laws

President Obama on Monday outlined a proposal that would require companies to inform their customers of a data breach within 30 days of discovering their information has been hacked. But depending on what is put in and left out of any implementing legislation, the effort could well lead to more voluminous but less useful disclosure. Here are a few thoughts about how a federal breach law could produce fewer yet more meaningful notices that may actually help prevent future breaches.

YES.. not only that, but PRIVACY PAYS!!!  Check out our “Cyber model for privacy by design” approach in the Jan IEEE CE magazine.



+  Hackers are getting in ‘at will’  (YEP – poor hygiene, access control and they just ‘stroll’ in…;-((

At this point, hackers “are bypassing conventional security deployments almost at will,” according to a report out Thursday from security firm FireEye. Of the 1,200 companies FireEye reviewed in the first half of 2014, every retailer was compromised, every healthcare and pharmaceutical company was breached and all but 9 percent of entertainment and media organizations were infiltrated. And in many industries, these attacks are increasingly launched with the direction or support of a government. It’s bad, FireEye concluded, and not getting better.



+ 2015 brings newer, more devastating exploits on the unprepared

If there’s any one thread that can be cultured from the cybersecurity stories of 2014, it has to be the increasing sophistication of attacks that are being made against both public and private organizations. That only looks to continue in 2015, with potentially staggering losses for the victims. A recent study commissioned by EMC Corp., with research carried out in August and September last year, found that companies on average had lost 400 percent more data since 2012, with losses and downtime costing enterprises some $1.7 trillion.



—-  Executing an effective security program –  HOW TO & timeline  —

With all the major data breaches in the news, many wonder why it seems so hard to have an effective, affordable and adequate security program. A security management plan includes a prioritized task list, backed up with adequate resources, to ensure the product or service is built effectively, and that both the product and the organization are safe. This is especially true with cyber where, like all efforts, security leadership needs to get the requirements right first, or they end up resourcing and building the wrong cyber environment, and security incidents and data breaches follow. Following that, they need mature operational processes (and especially configuration management, the critical security control) and a comprehensive security policy to effectively implement and operate the security architecture. So what’s a company to DO?   Read this 3-page paper on the key “what” things matter and the “how” timeline to execute them!



+ SEC might release firms’ cybersecurity exam results (rather like reporting DUIs in the paper…;-))

The Securities and Exchange Commission (SEC) could release this year the results of a cybersecurity examination it conducted in 2014 across roughly 100 financial firms, according to multiple reports. Speaking at a Practicing Law Institute event Wednesday, the agency’s top inspection official said the report gives an indication of how the financial industry is doing on cybersecurity. “My sense on cyber is it’s an unusual regulatory issue,” said Andrew Bowden, who heads the Office of Compliance Inspections and Examinations, Law360 reported. “Everybody understands the stakes and people therefore are highly motivated to get it right.”



San Diego /  SoCal Cyber and Privacy enthusiasts,

Please join IEEE,  ISACA,  ISC2, & CANIETI, as we collaborate for a first ever

— Cross Border Cyber Opportunities event on Friday, 30 Jan!

This is a full day, jam-packed event (lunch included – all for $35) with high-value, relevant benefits, global connections and timely information (along with 4 security CPEs!).

Just some of the topics: Regional Teaming Opportunities (by the CALIBAJA Chairman);    Doing business internationally;   Managed services & forensics;   Cool products;   Security group insights, Privacy PAYS (Senior VIP from the MX Space agency);  CUBIC – making the TJ/MX and SD/USA partnership work. and .. .MORE of course…   Details and register at:



+ Proposed Changes to US Laws Could Have Chilling Effect on Research

Proposed changes to the US Computer Fraud and Abuse Act (CFAA) and the Racketeer Influenced and Corrupt Organizations (RICO) Act could make the law more open to interpretation and could potentially criminalize certain research activity. For example, the changes could criminalize accessing a public document without the approval of the owner.



+ He knows who really hacked SONY – a hacker group, but McAfee won’t name names



+ The Internet of Things Will Break the Internet



+ Need Some Espionage Done?  Hackers Are for Hire Online – SCARY – ANYONE can pay to attack you… steal your IP…



What a dichotomy in our executive branch on cyber!!!

+ Secret US cybersecurity report: encryption vital to protect private data

Obama makes push for stronger cyber security laws

then Obama Goes On Record Against Encryption,  (WHICH IS IT???)

Says It Should Exist But He Should Be Able To Decrypt?



+ CryptoWall 3.0 is malware on steroids! Sneaky comms with I2P Anonymity Network!



+ 2015: The Year Of The Security Startup – Or Letdown

While stealth startup Ionic and other newcomers promise to change the cyber security game, ISC8 may be the first of many to head for the showers.



+ Cloud, Internet of Things & Big Data: What’s Next in 2015?



+ The state of cybersecurity in the health care industry



+ Top 10 Lessons learned from the Sony Breach (did we really ‘learn’ them (not?) = poor hygiene!)






++++  Cyber Security News you can use  +++



+ Obama unveils cybersecurity proposals: ‘Cyber threats are urgent and growing danger’

Barack Obama unveiled new cybersecurity measures on Tuesday amid warnings from privacy campaigners about unnecessarily “broad legal immunity” that could put personal information at risk in the wake of attacks like the Sony Pictures hack. Just one day after the Pentagon’s own Twitter account was compromised and Obama pushed a 30-day window for consumer security breaches, his administration was hoping the proposed legislation would toughen the response of the private sector by allowing companies to share information with government agencies including the NSA, with which the White House admitted there were “overlapping issues”.



+ Energy Department releases energy sector cybersecurity framework

Energy companies and utilities should develop risk management strategies and incorporate cyber best practices into their security procedures, according to voluntary guidance released by the Energy Department Jan. 8. The Energy Sector Cybersecurity Framework Implementation Guidance was developed in response to the overall Cybersecurity Framework released by the National Institute of Standards and Technology in early 2014 and to an earlier executive order calling for cybersecurity collaboration between industry and government.

Good start – YET no mention of IEC 62443, no mention of Aurora, etc. – in a way it is similar to DOE’s 21 Steps document: true, but not comprehensive and not specific to control systems.

One standard that is a “must-deploy” best practice is IEC 62443 (formerly known as ISA99).



+ Banking Trojans disguised as ICS/SCADA software infecting plants

A renowned ICS/SCADA security researcher has discovered a surprising twist in cyberattacks hitting plant floor networks: traditional banking Trojan malware posing as legitimate ICS software updates and files, rather than the dreaded nation-state custom malware in the wake of Stuxnet. Kyle Wilhoit, senior threat researcher with Trend Micro, recently found 13 different types of crimeware versions disguised as human machine interface (HMI) products such as Siemens WinCC and GE Cimplicity, Advantech device drivers, and other files. The attacks appear to be coming from traditional cybercriminals rather than nation-state attackers, and are not using cyber espionage-type malware.



+ DISA aims for next-gen system to secure millions of connected devices

The Defense Information Systems Agency is turning to industry for “novel” approaches to secure the millions of devices plugged in – and virtually connected – to the Pentagon’s computer networks. A Jan. 5 request for information queries contractors on a “next-generation” endpoint security system that would allow the agency to better configure, secure, and keep tabs on network endpoints, all using a central management tool.



+ Is DATA the new weapon against cyber attacks?   YES!

Cybersecurity is in the news and for good reason. Many of us have experienced firsthand what cybercriminals can do with our credit card numbers and our personally identifiable information being sold on the black market. In government, though, the stakes are higher. So it shouldn’t be a surprise that cybersecurity is on GAO’s High Risk List. Government leaders are not just concerned about protecting the operations of federal information systems, but also with protecting critical infrastructure that is vital to our economy, safety, and health, such as power distribution, water supply, telecommunications networks, and emergency services.



+ Cyber Attack Caused PHYSICAL Damage at German Steel Mill

A report released in mid-December disclosed that a cyber attack on a German steel mill caused damage to the facility. The attackers disrupted the plant’s control system to make it impossible to shut down a blast furnace properly. The damage was described as “massive,” but no details were provided. This is the second documented case of a cyber attack causing physical damage – the first, of course, was Stuxnet. The date of the German attack was not provided. But the report said that the attackers gained an initial foothold in the system through the corporate network and worked their way from there to the production networks.



+ New Jersey Law Requires Stored Health Data be Encrypted

A newly enacted New Jersey law requires health insurance companies doing business in that state to encrypt personal data they retain on computers. The law, which takes effect later this year, goes beyond data protection requirements specified in the Health Insurance Portability and Accountability Act (HIPAA). The law was prompted by health data breaches in New Jersey.

Text of the Bill:



+ The Future of Privacy | Pew Research Center



+ Hacker Says Attacks On ‘Insecure’ Progressive Insurance Dongle In 2 Million US Cars Could Spawn Road Carnage – talk about needing IoT security for cars…;-((



+ ISO’s Nightmare: Digital Social Engineering (do you have a social media policy in place, monitored?)



+ What to Expect of Big Data in 2015



+ 2015 CES – Four Scary Key Tech Trends

AND the FTC commissioner backs up the need – PRIVACY MATTERS!



+ Breach Detection Systems (BDS) Security Value Map  (PDF file)



+ Why ‘Zero Trust’ Might be the Best Approach for Your Organization



+ Collaborative cybersecurity for the Internet of Things (mentions our SD “SOeC” too!)



+ 2015 cyber security roadmap  (five points to use in your security plans)



+ Traditional defenses not stopping breaches, claims real-world FireEye study



+ Measure your Return on Security Training (can you show the value?)



+ Simplifying The Overwhelming Cyber Security World For Boards of Directors



+  Insider Cyber Threats are an Escalating Danger for Businesses (OF COURSE… assume the bad guys are in!)



+ Asymmetric economic risk – for you investor types – it ain’t fair out there!





++++  FYI / FYSA   +++


+ Why tort liability for data breaches won’t improve cybersecurity (correct, you must build in privacy)

Government policymakers have been hoping for twenty years that companies will be driven to good cybersecurity by the threat of tort liability.  That hope is understandable.  Tort liability would allow government to get the benefit of regulating cybersecurity without taking heat for imposing restrictions directly on the digital economy. Those who see tort law as a cybersecurity savior are now getting their day in court. Literally. Mandatory data breach notices have led, inevitably, to data breach class actions.  And the class actions have led to settlements. And those freely negotiated deals set what might be called a market price for data breach liability, a price that can be used to decide how much money a company ought to spend on security.



+ Obama: Hackers pose a ‘direct threat’ to families

President Obama on Monday unveiled a series of new bills designed to ratchet up cybersecurity protections in the wake of a massive data breach at Sony Pictures, warning the growing problem of online attacks “costs us billions of dollars.” “This is a direct threat to the economic security of American families, and we’ve got to stop it,” Obama said Monday during a speech at the Federal Trade Commission. “If we’re going to be connected, we’ve got to be protected.” Obama unveiled the Personal Data Notification and Protection Act, a bill that would require all corporations to notify consumers within a month if their personal information had been exposed in a data breach. The bill would criminalize the overseas trade of identity information and would attempt to standardize the individual state privacy laws that currently govern data breach notifications.



+ When it comes to cyber attacks, “Who did it?” is a complex and nuanced question (Attribution is really HARD!!!)

In traditional crimes, answering the question is complicated, involving multiple stakeholders and specialties, and progresses incrementally on different levels with follow-up investigations and analysis. “The law enforcement scenario is extensively explored in scholarly literature and popular culture. Attributing cyber attacks is less simple and the ground less familiar,” explain the authors of an in-depth and wide-ranging paper on digital attribution that was published Dec. 23, 2014, in the Journal of Strategic Studies.



+  House Dem revives major cyber bill

A senior Democrat on the House Intelligence Committee on Friday will reintroduce a controversial bill that would help the public and private sectors share information about cybersecurity threats. “The reason I’m putting the bill in now is I want to keep the momentum going on what’s happening out there in the world,” Rep. Dutch Ruppersberger (D-Md.) told The Hill in an interview, referring to the recent Sony hack, which the FBI blamed on North Korea. The measure – known as the Cyber Intelligence Sharing and Protection Act (CISPA) – has been a top legislative priority for industry groups and intelligence officials, who argue the country cannot properly defend critical infrastructure without it.



+ The Crypto Question – YES is the answer!!!

UK Prime Minister David Cameron pledged to ban encrypted communications without backdoors for government. Cameron is urging President Obama to pressure Apple, Google and Facebook to stop using stronger encryption in their communications products. An article published in The Guardian on Thursday includes details from a 2009 report from the US National Intelligence Council that has surfaced; the report expresses concern that both government and private computers are not adequately protected because encryption is not being implemented as quickly as it ideally should be.

[Note – I suspect the richer nations are going to have to develop their own encryption systems. The NSA may say that maintaining a known flawed algorithm was regrettable, but that dog won’t hunt. Interesting to note that the day after Mr Cameron made the above promise, the European Network and Information Security Agency (ENISA) issued a report called “Privacy and Data Protection by Design – from policy to engineering” which urges governments within the European Union to use strong encryption.]



+ Anonymous #OpCharlieHebdo campaign takes down 200 suspected jihadist Twitter accounts

A campaign set up by the hacktivist collective Anonymous in the wake of the Charlie Hebdo attacks has resulted in the takedown of around 200 suspected jihadist Twitter accounts. The Op Charlie Hebdo (#OpCharlieHebdo) campaign called on social media users to report accounts believed to be affiliated with known terrorists, releasing a link to a list of Twitter accounts. The 36 Twitter accounts included on the list contained posts from users expressing their support of the Paris attack perpetrators, Said and Cherif Kouachi. All 36 accounts have since been suspended.



+ A Beginner’s Guide to Understanding the Internet of Things



+ Microsoft Is Teaching Cybersecurity to Cities Around the World—For Free



+ The Best Privacy and Security-Focused Web Browsers



+ Notable Privacy and Security Books in 2014 | Daniel Solove’s list



+ Obama: Fighting cybercrime is ‘shared mission’



+ Cybersecurity’s Elephant Herd



+ Cybersecurity: How Small and Medium Sized Businesses Can Survive



+ Securing The Modern Enterprise From The Ground Up = PbD



+ A plug for Brian Krebs’ new book – SPAM Nation review



+ Global Information Security Practices: 2015 Survey by Industry:



+ Federal Cloud Deployment Options   (good cloud overview too!)



+ Four cyber security risks not to be taken for granted in 2015



+ Hacking & PII Legislation



+ US Infiltrated North Korea’s Networks in 2010

According to reports in The New York Times and Der Spiegel, US officials’ confidence in blaming North Korea for the attacks against Sony Pictures’ networks is due to the fact that the NSA infiltrated North Korean computers in November 2010.




+ FUN cyber related fact – 100 Years of Computer Science






++++  THREATs  / bad news stuff / etc  +++



+ 2014 in security: THE  biggest hacks, leaks, and data breaches

Worth skimming and trying to actually get some ‘lessons learned’ out of them..



+ Centcom hack: Military tightens password security

The hack attack that seized the U.S. Central Command’s Twitter and YouTube accounts on Monday has prompted the military to tighten its social media password security. Officials have launched an investigation into the alarming hack, which saw the accounts briefly carrying messages promoting the Islamic State. On Tuesday, Pentagon spokesman Col. Steve Warren told reporters that he has ordered all 50 Office of Secretary of Defense social media websites to change their passwords and increase the strength of their passwords — and offered a tip sheet to social media account administrators on “how to keep their accounts more secure.”



+ This USB wall charger secretly logs keystrokes from Microsoft wireless keyboards nearby

Privacy and security researcher Samy Kamkar has released a keylogger for Microsoft wireless keyboards cleverly hidden in what appears to be a rather large, but functioning USB wall charger. Called KeySweeper, the stealthy Arduino-based device can sniff, decrypt, log, and report back all keystrokes – saving them both locally and online. This is no toy. KeySweeper includes a web-based tool for live keystroke monitoring, can send SMS alerts for trigger words, usernames, or URLs (in case you want to steal a PIN number or password), and even continues to work after it is unplugged thanks to a rechargeable internal battery.



+ The biggest cyberthreat to companies could come from the inside – OF COURSE – INSIDERS!!!

Companies spend billions of dollars each year to protect from determined hackers attacking from across the Internet, but experts warn they shouldn’t ignore a closer threat they aren’t even ready for: Inside jobs. Morgan Stanley, one of the world’s largest financial services firms, revealed Monday its customer information was breached. But it wasn’t the result of determined hackers or sophisticated email attacks. Instead, Morgan Stanley said it was an employee who stole data from more than 350,000 customer accounts. The move is a wake-up call to companies, which spent an estimated $71.1 billion in 2014 on cybersecurity, up nearly 8 percent from the year before. And while hackers have successfully attacked large companies like JPMorgan, Target and Home Depot, experts warn employees pose just as much a threat, whether they act intentionally or by accident.



+  Microsoft abruptly dumps public Patch Tuesday alerts

For the first time in a decade, Microsoft today did not give all customers advance warning of next week’s upcoming Patch Tuesday slate. Instead, the company suddenly announced it is dropping the public service and limiting the alerts and information to customers who pay for premium support. “Moving forward, we will provide ANS information directly to Premier customers and current organizations involved in our security programs, and will no longer make this information broadly available through a blog post and Web page,” wrote Chris Betz, senior director at the Microsoft Security Response Center (MSRC), the group responsible for the warnings.



+ Bitstamp Bitcoin Exchange Operational Again

Bitcoin exchange Bitstamp is once again open for business, after suspending services on Monday, January 5 in the wake of an attack.  Bitstamp resumed services on Friday, January 9. Bitstamp has implemented a new three-key authentication system, and is running on new hardware, which allowed the company to “preserve the evidence for a full forensic investigation.”

[Note: Recent breaches that have exposed mission critical applications suggest that we should NOT be running those key applications on the same networks and systems where we run high risk applications like e-mail and web browsing.]



+ Logs Can be Helpful Forensic Security Tools  “IF” Used Properly

Many cyber attacks leave footprints in security event logs. However, many organizations collect so much information that it is hard to know where to begin looking for evidence. Many companies are not aware of what sorts of logs they have and what data they should be collecting.

[Note: This Windows logging cheat sheet may be a good start for organizations to look at when considering what they should be logging.]



+ Google stops patching aging Androids (version 4.3 and older) (930M devices)



+ Bank Fraud Toolkit Circumvents 2FA & Device Identification



+ For cybercriminals, size doesn’t matter



+ Attackers bypass conventional security



+ Mobile Devices Ratchet Up Security Risks



+ Global Botnet Threat Map – Botnet Network Security Activity



+ Why 2015 will be the year of cloud attacks







++++   SD/SoCAL security events / opportunities +++


+ CyberTECH events / networking / startups / etc  —  THE cyber happening place in SD!!! 

Join their Meetup Group for the latest event information!   The definition of “Cyber KEWEL”





21 – Wed (6PM) –  ISC2 – developing personal branding to include publishing your own e-book, John Horst.

Location: Mitchell International Inc 6220 Greenwich Dr San Diego, CA 92131.


22 – Thur lunch – ISSA – Gary Hayslip, Chief Information Security Officer (CISO), City of San Diego


28 – International Data privacy day

A – “Securing the IoT Privacy masters” by  CyberTECH, SOeC, others – all day event –


B –   Data Privacy Day–   NCSA and Morrison & Foerster LLP  – all day event –



30  – Cross Border cyber opportunities – MX/TJ and CA/SD collaboration event, all day Friday!!! (Hosted at Coleman University) – Contact me to join in –   introduction email and agenda at:






8-11 – NDSS Symposium 2015


10-12 –  AFCEA West –  Focused on Operations in the Asia-Pacific Region




+++  Future events in planning  FYI:


25-26 Apr – CYBERWEST: The Southwest Cybersecurity Summit (Phoenix AZ)


4-12 May SANS Security West 2015


18-21 Jul  Esri National Security summit




MID-MAR (tbd) – BigDataDay 4 SD – all-day event SAT – free – Jump in and help us – speakers needed!!!

We went to the one in LA and it was great…   our three tracks will be:

(1)  Technical =  Hadoop / Hbase / NoSQL;

(2)  Data science = predictive analytics, parallel algorithms, statistical modeling, algorithms for data mining, etc and

(3)  Applications =  key use cases…  Privacy by Design / data security,  data start-ups / incubators, novel products.

Contact me to join in…  introduction email and agenda at:


TBD – TBD  – Privacy by design workshop – a cyber model  – Provided by IEEE Cyber SIG / Various Security groups – all day  & why you must be part of this initiative!  (at Coleman University –  AM Technical approach… PM public discussions)     Help move SD forward in cyber –  DOING security vs admiring the problem…. SO engage and help out on cyber 4 PbD!!!

+++  Join our PbD / data security meetup, stay tuned in to what’s happening..

See our overview Cyber for PbD brief at

AND our more detailed technical paper on our Cyber 4 PbD approach, including an executable, proposed open privacy framework within an enterprise architecture, is at (this rough draft was published in a major IEEE magazine this month):



JAN 11

+ What to DO with all these hacks, SONY, etc?  Focus on the CISO Fundamentals!!!

While the much more aggressive SONY hack is making more folks aware of the criticality of cyber protections, we cyber SMEs keep admiring the problem / threat instead (the vast majority of articles just spread “FUD”) – so what exactly should we advise folks to DO?  We developed a 2-page “CISO Fundamentals” paper that tries to start doing just that: an introduction page, with the second page giving our recommendations for an affordable, effective and ‘due diligence’ set of cyber tenets to embed in their risk management plan and DO.

Take a quick peek and see if our recommendations resonate with yours, or did we miss anything?



+ A cyberattack has caused confirmed physical damage for the second time ever

Amid all the noise the Sony hack generated over the holidays, a far more troubling cyber attack was largely lost in the chaos. Unless you follow security news closely, you likely missed it. I’m referring to the revelation, in a German report released just before Christmas, that hackers had struck an unnamed steel mill in Germany. They did so by manipulating and disrupting control systems to such a degree that a blast furnace could not be properly shut down, resulting in “massive”—though unspecified—damage. The attack is only the second confirmed case in which a wholly digital attack caused physical destruction of equipment.



+ FTC officials worried about downside of Internet of Things – Prioritize Privacy in IoT!

Connected home devices or cars, health trackers and other wearables can be useful tools for consumers, but the collection of personal data by the devices has some regulators worried. Federal Trade Commission Chairwoman Edith Ramirez on Tuesday raised concerns about potential abuse of private user information during a session at CES, saying companies need to do more to develop products that protect consumer privacy and data. “In the not too distant future, many, if not most, aspects of our everyday lives will be digitally observed and stored,” Ramirez said during an afternoon panel.

FTC commissioner’s whole speech – some good links too



+ Making Privacy PAY – use Cyber enabled Privacy by Design.

IF the FTC article stirs an interest in protecting privacy better, using data centric security methods, then…

For one view on how to do that – a different take on ‘selling’ improved cyber protections – see the “Privacy PAYS” approach that we propose.

Our more detailed technical paper on our “Cyber enabled / facilitated Privacy by Design (PbD)” approach, including an open privacy framework within an enterprise architecture – with proposed specifications too – is here (it was published in the IEEE CE magazine in JAN):



+ The most important tech stories you may have missed in 2014

Looking back, 2014 was the year of Heartbleed. It was the year of big mergers, net neutrality and data breaches. It was the year we lost three airliners. It was the year Congress nearly – but not quite – passed patent reform. We saw Apple unveil the biggest iPhone ever. These and other stories were some of the biggest of 2014. If you missed them then, have at them now: Below, you’ll find some of our most viral and notable posts of the year.



+ With New Policy, DOD Components Won’t Need DISA to Buy Cloud Services

New Defense Department guidance issued Wednesday by Acting Chief Information Officer Terry Halvorsen allows DOD components to acquire commercial cloud services without the Defense Information Systems Agency acting as a broker.

The new policy overrides two previous memorandums that charged DISA with assessing the security of commercial cloud service offerings and cataloging them – a process that caused a bottleneck between potential DOD customers and providers.



+ DISA Posts RFI for Next-Generation Security

The US Defense Information Systems Agency has published a request for information regarding “next-generation” endpoint security systems. DISA is seeking solutions that will help streamline security for the millions of devices that connect to the Pentagon’s networks. Companies have until February 2, 2015 to respond.



+ 20 Startups To Watch In 2015

Check our list of security startups sure to start (or continue) making waves in the coming year.



+ CES 2015: 8 Innovative Security Products

The explosion in smart technologies that connect everyday objects to the internet is transforming both home and personal security.



+ The 11 Best Practices For Winning Government Contracts



+ CES Recap: Attack of the Drones (great overview!  what.. no privacy?)



+ World’s biggest data breaches   Cool infographic on them all…



+ PRIVACY – From “Nobody Cares” to a Top Tech Trend = pivot point???



+ Intel’s button-size Curie will power all kinds of wearables



+ The FTC And The New Common Law Of Privacy

Daniel J. Solove & Woodrow Hartzog…  Excellent article (mini privacy book). It should be part of every corporate privacy analyst’s library as a reference for online (Internet / Cloud) compliance.



+ The biggest security debacles of 2014 show that enterprises are still failing at the basics



+ 5 Cybersecurity Bills Signed Into Law By President Obama (links to each bill  too!)





++++  Cyber Security News you can use  +++



+ How a social network could help close the cyber worker shortage

It’s no secret the federal government and scores of private companies have struggled to attract qualified cybersecurity professionals. But the backers of a new project to create a full-scale social networking site to vet current and would-be cyber warriors say the bustling online community they envision may be the answer. When a beta version of the site goes live this spring, organizers aim to have 10,000 registered users participating on the CyberCompEx site, which is a partnership of the U.S. Cyber Challenge, a nonprofit devoted to training the country’s cyber workforce, and jobs-site giant



+ Smart grid powers up privacy worries

The next Big Data threat to our privacy may come from the electricity we consume in our homes. “Smart” online power meters are tracking energy use – and that data may soon be worth more than the electricity they distribute. The Department of Energy is publishing in January the final draft of a voluntary code of conduct governing data privacy for smart meters, 38 million of which have already been installed nationwide. The meters gather information about household electricity consumption and transmit it wirelessly at regular intervals to the supplier. It’s a key element in the push for the so-called smart grid, a more efficient way to distribute the nation’s electricity.



+ Facebook acquires voice recognition firm

Facebook Inc. acquired a company that makes voice recognition technology for wearable devices and Internet- connected appliances, the latest sign of its ambition to extend its reach beyond computers and smartphones. Facebook said it acquired on Monday, without providing a price for the deal. The 18-month old company, based in Palo Alto, California, makes software that can understand spoken words as well as written text phrased in “natural language.”



+ The mobile wave still looks like a trickle in government

Don’t say federal agencies are phoning it in. As Americans take to smartphones, tablets, and other mobile gadgets in droves, agencies are slowly but surely making sure government websites and services are available from those devices. The Obama administration has set a lofty aim of providing government services “anytime, anywhere, and on any device.” But with thousands of federal websites not yet optimized for miniature screens, agencies clearly have their work cut out for them. That’s the takeaway of a new report from the Government Accountability Office, assessing how agencies are meeting the challenges of an increasingly mobile America.



+ The cybersecurity tipping point???

As we bear witness to the aftermath of major attacks this year against the likes of Target, Home Depot, Neiman Marcus and most recently, Sony, it becomes clear that we are entering an entirely new “war” against cyber crime. Those who do not change their approach will lose. The sophistication and proliferation of advanced malware is greater than it has ever been, and widespread awareness of this problem is being fueled by the near daily headlines touting the latest company to fall victim to a cyber attack. Large enterprises are investing more money into cybersecurity technologies than ever before, and the need for a stronger and more comprehensive security model has become a board-level discussion as the severity of these attacks hits home for businesses and consumers alike.



+ If 2014 was the year of the data breach, brace for more!

Data breaches dominated headlines in 2014, and they appear poised to usher in 2015 as well. While the cybersecurity plights of certain high-profile retailers, financial institutions, and one prominent movie studio became common knowledge and headline fodder, these companies were far from the year’s only victims. In fact, a recent study found that more than 40% of companies experienced a data breach of some sort in the past year – four out of ten companies that maintain your credit card numbers, social security numbers, health information, and other personal information. That number is staggering, and shows no signs of retreat. It is against that backdrop, and at the end of 2014 (dubbed by some as the “year of the breach”), that we revisit several notable cybersecurity developments from the prior year.



+ Do not accept the myth that cyber thieves are always one step ahead (disagree, assume they are and are IN your network now!)

Millions of pieces of data were stolen this year by cyber-criminals who were able to bypass the sophisticated security systems of some of the world’s largest companies. We’ve all seen the headlines and read the findings from research and analyst firms like Protiviti, whose 2014 IT Security and Privacy Survey found that organizations are not confident they can prevent data breaches. Despite the growing number of high profile breaches, too much information security spending still focuses on the prevention of attacks, while not enough has gone to creating or improving information monitoring and response capabilities. The priorities must shift from protecting information from the outside-in to an approach I call ‘information-centric security’.  (YES, take enterprise risk / privacy view, but do the cyber basics well first, effective prevention rules in ROI)


+ DHS-funded cybersecurity app goes commercial

A cybersecurity product funded by the Homeland Security Department is going wide. A mobile security application archiving system developed with DHS funding is to be commercialized by a small business called KryptoWire. DHS granted George Mason University $250,000 to create the system, according to the Washington Post. The original goal was to allow government agencies to maintain an inventory of apps that they had examined for security compliance. Now the department has approved more funding for the company, which spun out of the research project.



+ US Digital Service hauled in to shore up White House security after hack

After a breach of unclassified White House internal networks last fall, the Obama administration hauled in a team of former Silicon Valley tech mavens to help patch up network security. The U.S. Digital Service – the newly minted federal IT fix-it shop headed by former Google engineer Mikey Dickerson – has been dispatched to look at shoring up security on the White House networks, the Office of Management and Budget confirmed to Nextgov. Efforts to extinguish the suspicious behavior on the unclassified network were still ongoing as of Oct. 30, after the breach weeks before.



+ In 2015, agency IT security and operations converge

Two powerful trends will shape the government cybersecurity agenda in the coming year, say security experts, but they have more to do with how government security is managed than what technologies will better defend agency systems. First, cybersecurity will increasingly be integrated from the start into the platforms and software being acquired and developed by agencies. Also, cybersecurity will no longer be considered the exclusive province of the CISO or the CSO, but will become a professional requirement for everyone responsible for IT services to the agency.



+ Microsoft Advance Security Notification Changes

Microsoft will no longer provide advance notification about its monthly security bulletins to the general public. Instead, the information will be available only to paying Premier support customers and to organizations that participate in the company’s security programs. The service, which began more than a decade ago, provided information about bulletins on the Thursday prior to the patches’ Tuesday release.

Microsoft has said that the main reason for the change is that most customers no longer use the information available in advance.



+ Security trends 2015 predictions round-up – great list of the big ones!



+ Last Minute Cybersecurity Predictions for 2015



+ Top 5 cybersecurity risks for 2015

From identity theft and fraud to corporate hacking attacks, cybersecurity has never been more important for businesses, organizations and governments. Hacking experts warn there are plenty more security risks ahead in 2015 as cyber criminals become more sophisticated. While “traditional” cybercrime such as internet password fraud will still be widespread in 2015, larger scale espionage attacks and hacking the Internet of Things (IoT) will also be risks. CNBC takes a look at the biggest threats to your online world in 2015.



+ The cyber threat in 2015: 10 twists on hackers’ old tricks

Hacking trends are not like fashion fads. They don’t go in and out each year. They withstand defenses by advancing, in terms of stealth and scope. So there will be no 2015 “What’s Hot and What’s Not” list of cyber threats confronting federal agencies. Instead, here is a list of hacker “Old Faves and New Twists” feds should be mindful of.



+ A 2014 Look back: Predictions vs. Reality

It was a tumultuous year for cyber security, but it drove the adoption of incident response plans and two-factor authentication.



+ This cybersecurity medicine might be tough to swallow

Imagine you’re the CEO of a thriving company and you’ve been horrified by the news of the Sony hack, the Target breach and the litany of security issues that have plagued big companies in recent years. You swear you’re going to do whatever’s necessary to make sure it won’t happen to your company. But do you realize what that really means? …..  You have to admit, you’re intrigued because you never want to be in the position of explaining to your board of directors why you were the latest victim.



+ France Passes Online Surveillance Law That Makes It Legal to Spy on Internet User

Eve, that allows the government to collect details about local users, including IP addresses, locations, duration and timing of connections, list of numbers called and callers, as well as device information, be they laptops, tablets, or phones.



+ No Rules of Cyber War – Politico

U.S. in uncharted waters with ‘proportionate response’ on hack attacks. “Unlike plans for possible conventional military attacks in hotspots, the U.S. doesn’t have off-the-shelf response plans for cyberattacks of this sort,”



+ CryptoWall 2.0 Has Some New Tricks  (be fearful of these!!!)

New ransomware variant uses TOR on command-and-control traffic and can execute 64-bit code from its 32-bit dropper.



+ How NOT To Be The Next Sony: Defending Against Destructive Attacks

When an attacker wants nothing more than to bring ruin upon your business, you can’t treat them like just any other criminal…   The Malicious IT Insider…   incident response…



+ Federal Cybersecurity Spending is Big Bucks But Does it Stop Hackers?

Despite paying $59 billion for data protections since fiscal 2010, the federal government couldn’t stave off hacks against the White House, State Department, Army and dozens of other agencies.



+ RE: Common Thread in Major Security Breaches: Privileged Account Vulnerabilities

In fact, threat investigators estimate that anywhere from 80% to all targeted cyber attacks exploit privileged accounts during the attack process. Great overview – PAPER.



+ Five Steps to Making Privacy and Security Your New Year’s Resolution



+ Vendors: Expect Increased Compliance Pressure in 2015

Get Your Cyber Security Insurance, Says One Privacy Lawyer



+ What CISOs, InfoSec Pros Have on Their 2015 Wish Lists



+ Can Your Company Survive a Cyber Attack? (cool Infographic)



+ ISO Adopts Standard For Privacy In the Cloud



+ $1 Spent on State Government Tech Saves $3.50, Study Finds



+  Internet of Things and Fog Computing



+  Cyber ‘mass shooter’ poses future threat to computer security, ex-intel official says



+ What is next for the future tech of 2014?



+ How The Internet Of Things Market Will Grow



+ Survey Indicates Directors Concerned with Lack of Proper Cyber and IT Risk Information



+ Why the Sony Hack Doesn’t Matter (and DOING the security basics does!!!)



+ World Deployment Map | Internet of Things (pick a country, see what they are doing)





++++  FYI / FYSA   +++


+ FBI director gives new clues tying North Korea to Sony hack

The FBI director revealed new details Wednesday about the stunning cyberattack against Sony Pictures Entertainment, part of the Obama administration’s effort to challenge persistent skepticism about whether North Korea’s government was responsible for the brazen hacking. Speaking at the International Conference on Cyber Security at Fordham University, FBI Director James Comey revealed that the hackers “got sloppy” and mistakenly sent messages directly that could be traced to IP addresses used exclusively by North Korea. Comey said the hackers had sought to use proxy computer servers, a common ploy hackers use to disguise their identities and throw investigators off their trail by hiding their true locations.



+ Morgan Stanley says fired employee stole data on 350,000 clients


Morgan Stanley said it has fired an employee for allegedly stealing and trying to sell financial information about 350,000 clients — or about 10% of customers at the Wall Street giant’s wealth-management arm. The stolen data included names, account numbers, size of accounts and certain transaction information. There was no sign that Social Security numbers, passwords or credit-card information were taken, and “no evidence of any economic loss to any client,” Morgan Stanley said in a statement Monday.



+ Medical file hack affected nearly half a million Postal workers

Network intruders compromised health information on current and former U.S. Postal Service employees who filed for workers’ compensation, USPS officials say. (wow, that seems like a lot of claims?) The files were accessed during a previously reported September cyber intrusion that netted the Social Security numbers of about 800,000 USPS employees. Details of the health data breach are just now being revealed for the first time. The agency does not face health data security fines or Health and Human Services Department breach notification violations, because the data was not part of an insurance plan.



+ Agencies improve, but still fall short of cybersecurity CAP goals

Most agencies are making progress in securing their information and protecting themselves from cyber threats, but they’re still falling short of the Cross-Agency Priority (CAP) Goals set by the Obama administration, according to a fourth-quarter update recently posted on The Obama administration established 15 cross-agency priority goals when it released the 2015 budget last spring. The seven mission-oriented and eight management goals are laid out in a four-year timeframe.



+ 2014: The year in cyberattacks

While Sony may have dominated the news toward the end of 2014, three major cyberattacks against U.S. companies shook the corporate world earlier this year: Target opened the year by announcing in January that hackers had stolen personal information from an estimated 110 million accounts; hackers accessed approximately 83 million J.P. Morgan Chase accounts in August; and Home Depot confirmed that its payment system was breached in September, compromising an estimated 56 million accounts. Here’s a look back at the details of each of those attacks, and how they affected the conversation about cybersecurity in the United States and the corporate sector.



+ 2014: The year we entered a cyberpunk present

Fifty years ago, Isaac Asimov wrote about a wondrous science fiction world that would await in 2014: A world of constant convenience with instant coffee, video phones and robot vacuums, much of which is already a reality. But not all science fiction is so utopian. Even as technology makes our lives easier, cybersecurity concerns are also pushing us closer to the darker cyberpunk genre — which often features a neo-noir world with shadowy hacker groups wreaking havoc on the physical world through digital attacks.



+ Browsing in privacy mode? Super Cookies can track you anyway

For years, Chrome, Firefox, and virtually all other browsers have offered a setting that doesn’t save or refer to website cookies, browsing history, or temporary files. Privacy-conscious people rely on it to help cloak their identities and prevent websites from tracking their previous steps. Now, a software consultant has devised a simple way websites can in many cases bypass these privacy modes unless users take special care. Ironically, the chink that allows websites to uniquely track people’s incognito browsing is a much-needed and relatively new security mechanism known as HTTP Strict Transport Security.



+ It’s Time to Treat Your Cyber Strategy Like a Business

How do we win against cybercrime? Take a cue from renowned former GE chief exec Jack Welch and start with a clearly-defined mission.



+ Using Free Tools To Detect Attacks On ICS/SCADA Networks

ICS/SCADA experts say open-source network security monitoring software is a simple and cheap way to catch hackers targeting plant operations.



+ HealthCare security news and decent  facts.. stats..

How Mobility is Changing Healthcare



+ Insider threat methods and concerns…

Enhancing Your Insider Threat Strategy  – good overall PAPER



+ The Most Important Next Step You Should Take After A Data Breach (several great VIPs key points!!)



+ The Hacker-Proof Wares In CES’s First ‘Personal Privacy’ Section



+ Assets: Fundamental Target of Cyber Attacks; Fundamental Subject of Cyber Defenses |



+ 15 AppSec Tips From the Top Ethical Hackers of 2014

Imagine that.. .. most of the same activities the cyber SMEs  propose. And we all should know by now..



+ Ingredients for Architecting the Security of Things



+ Can the Internet of Things Be Secured? Somewhat.  Sort of…

Yet what it connects to needs to be secure too. Good numbers and points..


+ Education and assessing Cyber KSAs



+ Last Minute Cybersecurity Predictions for 2015



+ In Cyberspace, Anonymity and Privacy are Not the Same



+ Cybercrime’s easiest prey: Small businesses



+  Cyber approach to outsmart criminals



+  Top Cyberespionage Campaigns of 2014






++++  THREATs  / bad news stuff / etc  +++



+ The year of the breach: 10 federal agency data breaches in 2014

Call 2014 the year of the breach. Financial institutions, big-box retailers, entertainment giants, and, yes, government agencies fell victim to an assortment of cyber intruders last year. While private-sector cyberincidents stole the spotlight, the feds proved to be a tempting target for hackers as well. Over the past few years, the number of security incidents at federal agencies involving the potential exposure of personal information has skyrocketed — from about 10,400 in 2009 to more than 25,000 in 2013, according to the Government Accountability Office. There’s no data yet on the total number of breaches at agencies in 2014. But with the year almost in the rearview mirror, Nextgov takes a look back at the 10 most impactful, high-profile or otherwise eyebrow-raising federal agency breaches.



+ Cybercrime dipped during holiday shopping season

Black Friday through Cyber Monday traditionally has been the most vulnerable time for many businesses — especially retailers — for cyberattacks, but new data from IBM shows that attacks against all industries during that period in 2014 actually decreased 50% from the previous two years. But that doesn’t mean the bad guys took an extended holiday. From Nov. 24 through Dec. 5, IBM’s Managed Security Services saw 3,043 cyberattack attempts per day against client organizations in various industries, versus an average of 4,200 during that period in 2013. IBM says there were 10 breaches reported during the 2014 holiday season, versus more than 20 last year.



+ Lizard Squad attacks story by Brian Krebs

Now that cybersecurity blogger Brian Krebs has outed members of the group that took out the PlayStation and Xbox Live networks over Christmas, the hackers are coming after him. “Lizard Squad” has been bombarding with garbage traffic for some 40 days, Krebs told CNNMoney. On Friday morning, they finally managed to bring it down — although only for a short time. Lizard Squad is a curious modern day phenomenon. With little technical skill and zero finesse, a mysterious group has affected more than 150 million lives by wreaking havoc on popular gaming networks in the last year.



+ Google discloses unpatched Windows vulnerability

A Google researcher has disclosed an unpatched vulnerability in Windows 8.1 after Microsoft didn’t fix the problem within a 90-day window Google gave its competitor. The disclosure of the bug on Google’s security research website early this week stirred up a debate about whether outing the vulnerability was appropriate. The bug allows low-level Windows users to become administrators in some cases, but some posters on the Google site said the company should have kept its mouth shut. Google said it was unclear if versions of the Windows OS earlier than 8.1 were affected by the bug.



+ Researchers find 64-bit version of Havex RAT

Trend Micro researchers have come across a 64-bit version of Havex, a remote access tool (RAT) that has been used in cyber espionage campaigns aimed at industrial control systems (ICS). According to the security firm, while the 64-bit Havex has only been spotted recently, it has been around for quite some time. In the campaign known as Dragonfly (Energetic Bear/Crouching Yeti), the threat actors appeared to be using only a 32-bit version of Havex since most of the systems they targeted ran the outdated Windows XP operating system. However, researchers at Trend Micro have spotted two Windows 7 infections in which the 64-bit version of the threat had been used.



+ FBI Says Warrants Not Necessary to Use Stingray in Public

US Senators are questioning the FBI’s use of cell-tower spoofing technology known familiarly as Stingray. The agency says it does not need a warrant to harvest data. Senators Patrick Leahy (D-Vermont) and Chuck Grassley (R-Iowa), chairman and ranking member of the Senate Judiciary Committee, have written a letter expressing concern “about whether the FBI and other law enforcement agencies have adequately considered [American’s] privacy interests,” and seeking additional information on the technology’s use.



+ Did Insiders Help With Sony Attack? (of course they did!!! Knew right where to go to steal IP!)

Some researchers suspect that the attack on Sony Pictures’ computer systems was aided by at least one former employee. The theory is based on leaked documents that show a series of layoffs in spring 2014.



+ Deconstructing The Sony Hack: What I Know From Inside The Military

Don’t get caught up in the guessing game on attribution. The critical task is to understand the threat data and threat actor tactics to ensure you are not vulnerable to the same attack.



+ Majority Of 4G USB Modems Vulnerable And SIM Cards Exploitable Via SMS

Security researchers from Positive Technologies have stated that almost all 4G USB modems and SIM cards contain exploitable vulnerabilities that can give attackers full control of the devices to which the modems are connected.



+ North Korea boosted ‘cyber forces’ to 6,000 troops, South says

The North Korean military’s “cyber army” has boosted its numbers to 6,000 troops, the South Korean Defence Ministry said on Tuesday, double Seoul’s estimate for the force in 2013, and is working to cause “physical and psychological paralysis” in the South. The new figure, disclosed in a ministry white paper, comes after the United States, South Korea’s key ally, imposed new sanctions on North Korea for a cyber attack on Sony Pictures Entertainment. Pyongyang has denied involvement in the attack.



+ The hidden dangers of third party code in free apps

Research from MWR InfoSecurity has shown the various ways hackers can abuse ad networks by exploiting vulnerabilities in free mobile apps. When people install and use free applications – more so than paid apps – they may be handing over their address books, the contents of their SMS, e-mail or in some cases, giving away full control of their devices. This is because of privileged code injected into the apps that advertisers and third parties use for tracking. So while the users may trust the app developer, the app code inserted by advertisers may introduce vulnerabilities attackers can exploit to access their devices via the app.



+ Long-Running Cyberattacks Become The Norm

Many companies are so focused on the perimeter that they have little idea what’s going on inside the network.



+ Nation-State Cyberthreats: Why They Hack

All nations are not created equal and, like individual hackers, each has a different motivation and capability.



+ When to Get a Penetration Test vs. A Vulnerability..



+ Hacking an ATM with a Samsung Galaxy 4 Smartphone



+ Wifiphisher Wi-Fi Hacking Tool Automates Wi-Fi Phishing



+ FBI Investigating Whether Companies Are Engaged in Revenge Hacking (DON’T!)



+ The Nature of Cybersecurity and Strategies for Unprecedented Cyber Attacks



+ One billion more: Kaspersky Lab counts up this year’s cyber-threats



+ A Hacker’s Hit List of American Infrastructure (USA ICS / SCADA targets called out!!!)



+  The Most Dangerous People on the Internet Right Now (yes, NSA is one, sort of)




++++   SD/SoCAL security events / opportunities +++


+ CyberTECH events / networking / startups / etc  —  THE cyber happening place in SD!!! 

Join their Meetup Group for the latest event information! The definition of “Cyber KEWEL”


+ Webster University’s  new SD cyber security program – check it out..





15 – OWASP – Running InfoSec for America’s Finest City..   Gary Hayslip, CISO for the city of San Diego,


15 – IoT Startup Table Breakfast



22 – ISSA – Gary Hayslip, Chief Information Security Officer (CISO), City of San Diego


28 – International Data privacy day

A – “Securing the IoT Privacy masters” by  CyberTECH, SOeC, others – all day event –


B –   Data Privacy Day–   NCSA and Morrison & Foerster LLP  – all day event –



30  – Cross Border cyber opportunities – MX/TJ and CA/SD collaboration event, all day Friday!!! (Hosted at Coleman University) – Contact me to join in –   introduction email and agenda at:



31 – (tentative) “BigDataDay 4 SD” all-day event SAT – free – Jump in and help us – speakers needed!!!

We went to the one in LA and it was great… our three tracks will be:

(1)  Technical =  Hadoop / Hbase / NoSQL;

(2) Data science = predictive analytics, parallel algorithms, statistical modeling, algorithms for data mining, etc., and

(3)  Applications =  key use cases…  Privacy by Design / data security,  data start-ups / incubators, novel products,

Contact me to join in…  introduction email and agenda at:





8-11 – NDSS Symposium 2015


10-12 –  AFCEA West –  Focused on Operations in the Asia-Pacific Region




+++  Future events in planning  FYI:


25-26 Apr – CYBERWEST: The Southwest Cybersecurity Summit (Phoenix AZ)


4-12 May SANS Security West 2015


18-21 Jul  Esri National Security summit



TBD  – Provided by IEEE Cyber SIG / Various Security groups – all day  Privacy by design workshop – a cyber model & why you must be part of this initiative!  (at Coleman University –  AM Technical approach… PM public discussions)     Help move SD forward in cyber –  DOING security vs admiring the problem…. SO engage and help out on cyber 4 PbD!!!

+++ Join our PbD / data security meetup, stay tuned into what’s happening..

See our Cyber for PbD overview brief at

AND Our more detailed technical paper on our Cyber 4 PbD approach, including an executable, proposed open privacy framework within an enterprise architecture is at (this rough draft was  published in a major IEEE magazine this month):
