CYBER NEWS TIDBITS FOR YOU - FEBRUARY 2015

 

Welcome to Cyber News Tidbits 4U!

Here are updated news compilations from the Cyber Security Community

Topic headers (+++):

1 – Security news you can likely use (re: management / opportunity items)

2 – Other items of general FYI / FYSA level interest

3 – Threats / bad news stuff / etc.. 

and…

4 – SD/SoCAL items of interest / opportunities   (send me your SD meetings!) 


A couple of Highlights (a couple of items of potentially notable interest / high utility & value… your mileage will vary…)

(Lots happening,  so LOTs to be aware of. Takes 5 min to skim…then pick out a topic or two..)

 ( some great topics / meetings here in SD … scroll to bottom and get engaged) 

http://www.linkedin.com/in/mikedavissd

http://www.sciap.org/blog1/wp-content/uploads/CISO-Fundamentals.pdf

 

++++  A  few  highlights of the week +++

FEB  8

YES… LOTS of articles on this breach – with SSNs, etc – possibly the WORST EVER???

+ Health insurer Anthem hit by massive cybersecurity breach

(As you know, SSNs and healthcare data are much more valuable to criminals than credit card numbers (roughly 100x), and the effects last much longer: ID theft, etc.)

Health insurer Anthem Inc., which has nearly 40 million U.S. customers, said late on Wednesday that hackers had breached one of its IT systems and stolen personal information relating to current and former consumers and employees. The No. 2 health insurer in the United States said the breach did not appear to involve medical information or financial details such as credit card or bank account numbers. The information accessed during the “very sophisticated attack” did include names, birthdays, social security numbers, street addresses, email addresses and employment information, including income data, the company said.

http://www.reuters.com/article/2015/02/05/us-anthem-cybersecurity-idUSKBN0L907J20150205

https://www.linkedin.com/pulse/first-healthcare-mega-breach-2015-andrew-hicks

+ Here’s Why Your Social Security Number Is Holy Grail for Hackers

http://www.bloomberg.com/news/articles/2015-02-05/here-s-why-your-social-security-number-is-holy-grail-for-hackers

+ Anthem: A Catastrophic Event for US Children for Years to Come

https://www.linkedin.com/pulse/anthem-a-catastrophic-event-us-children-decades-come-tim-rohrbaugh

 

+ China involved in Anthem attack?

Bloomberg reports that U.S. federal investigators probing the theft of 80 million Social Security records and other sensitive data from insurance giant Anthem Inc. are pointing the finger at state-sponsored hackers from China. Although unconfirmed, that suspicion would explain a confidential alert the FBI circulated last week warning that Chinese hackers were targeting personally identifiable information from U.S. commercial and government networks.

http://krebsonsecurity.com/2015/02/china-to-blame-in-anthem-hack/

 

+ Anthem breach: Warnings, lessons for the industry… but are we / they listening???

http://ebn.benefitnews.com/news/employer-strategies/anthem-breach-warnings-lessons-for-the-industry-2745571-1.html

 

+ White House preps expansive online privacy bill

The White House is preparing to send a sweeping online privacy proposal to Congress that would restrict how companies like Google and Facebook handle consumer data while greatly expanding the power of the Federal Trade Commission to police abuses – ideas that are likely to incite strong opposition in Congress. The forthcoming measure – slated for release next month – would require large Internet companies, online advertisers, mobile app makers and others to ask permission from consumers before collecting and sharing their most sensitive personal information, according to three sources briefed by administration officials. Companies that collect data for one purpose would in some cases need to get user sign-off before deploying it in a markedly different way, the sources said.

http://www.politico.com/story/2015/01/online-privacy-bill-white-house-114696.html

 

+ Security Lessons Learned from 2014: The Year of the Mega Breaches

A major lesson businesses continue to emphasize they learned this past year is that any organization, regardless of size, is vulnerable.

http://www.itbusinessedge.com/slideshows/security-lessons-learned-from-2014-the-year-of-the-mega-breaches.html?utm_medium=email&utm_campaign=ITBE_NL_DYE_20150206_STR1L2&dni=215002847&rni=215180089

 

+ GREAT security policies – cyber, social media, privacy, etc. Check these out first!!!

https://dti.delaware.gov/information/standards-policies.shtml

There are also the SANS policy templates:

http://www.sans.org/security-resources/policies/

 

+ Move Over Internet of Things, Here is Pixie’s Location of Things

http://www.forbes.com/sites/zackmiller/2015/02/03/move-over-internet-of-things-here-is-pixies-location-of-things/

 

+ The Ultimate Guide to As-A-Service

http://www.connectwise.com/pdf/the-ultimate-guide-to-as-a-service.pdf

 

+ Browsers Are the Window to Enterprise Infection

A Ponemon report says enterprise infections are dominated by browser-based exploits (around 59%).

http://www.darkreading.com/browsers-are-the-window-to-enterprise-infection/d/d-id/1318906?

http://www.riskiq.com/resources/blog/data-shows-insecure-browsers-top-enterprise-threat#.VNfrci6UJZq

++++  Cyber Security News you can (likely) use  +++

+ Most brokerages and advisers have had cyberattacks:

U.S. brokerage firms and financial advisers are a routine target of cyber criminals and some have lost money as a result of fraudulent emails requesting transfers of client funds, the U.S. Securities and Exchange Commission said in a report. At least 88 percent of broker-dealers and 74 percent of advisers have been the target of cyberattacks, the SEC said on Tuesday, citing findings from a cybersecurity examination program it conducted last year.

http://www.reuters.com/article/2015/02/03/us-sec-cybersecurity-idUSKBN0L727420150203?feedType=RSS&feedName=technologyNews

 

+ Obama budget: How far does $14 billion in cyber spending go?

The White House’s overall commitment to fighting hackers in the federal sphere tallies up to $14 billion. That’s how much President Barack Obama has asked for from lawmakers to help protect all U.S. networks from threat actors – a 10 percent increase over his fiscal 2015 total cyber proposal, acting federal Chief Information Officer Lisa Schlosser told Nextgov. The proposed funding figure was derived by pinpointing gaps in the overall federal strategy for securing critical infrastructure, such as the power grid and transportation sector, as well as agency networks, she said. The funding would go toward, for instance, coordination with the private sector on eliminating vulnerabilities and research and development.

http://www.nextgov.com/cybersecurity/2015/02/how-far-does-14-billion-cyber-spending-go/104370/

 

+ Congress continues to want to snoop on you— “Privacy NOT!”

With half of House, lawmakers push email privacy bill

A bipartisan pair of lawmakers wants to require police to obtain a warrant to search people’s emails, and they’ve already got more than half the House on their side. Reps. Kevin Yoder (R-Kan.) and Jared Polis (D-Colo.) will introduce their Email Privacy Act on Wednesday with 223 co-sponsors. Sens. Patrick Leahy (D-Vt.) and Mike Lee (R-Utah) are planning to introduce a companion bill in the Senate. But just because the lawmakers have more than enough early backers to get their bill approved doesn’t mean it’s guaranteed a vote. Last year, Yoder and Polis worked their way up to 272 co-sponsors on a previous version of the bill, but it never even got a markup in the House Judiciary Committee. The new show of force should change that, lawmakers told The Hill.

http://thehill.com/policy/technology/231677-with-half-of-house-lawmakers-push-email-privacy-bill

 

+ AG nominee Lynch expected to be fighter on cyber crime

Attorney General nominee Loretta Lynch is well-suited to help the Justice Department tackle the rising threat of cyber crime, according to lawmakers and former DOJ officials. Lynch, a federal prosecutor in New York, has received considerable attention for her work on the issue, including the successful prosecution of eight New York-based members of an international cyber crime ring that hacked bank accounts and emptied $45 million from ATMs around the world. The next attorney general is expected to play a major role in a host of cyber issues, including reforming the National Security Agency, setting standards about what constitutes a digital crime and figuring out how to thwart cyber terrorists.

http://thehill.com/policy/cybersecurity/231335-ag-nominee-lynch-expected-to-be-fighter-on-cyber-crime

 

+ ‘Google Now’ will suck in outside app data

Google Inc. doesn’t want to lose its perch atop the search market, and it’s looking to the likes of Airbnb, eBay, Lyft and a couple dozen other companies to help it do just that. On Friday, Google is set to announce that, for the first time, it’s allowing third-party apps to deliver information to Google Now, its predictive search app that’s built into Android phones, Android Wear smartwatches and the Chrome web browser. Google Now has been seen as the future of Google’s search technology since it launched in 2012: a tool built to deliver frequently searched-for information before users ask for it: traffic for the commute home, sports scores, details on flights and reservations, package shipments, calendar appointments, breaking or popular news stories, and the weather.

http://blogs.wsj.com/digits/2015/01/30/google-now-will-suck-in-outside-app-data/

 

+ Halvorsen to industry: ‘Let’s be real’ with each other on cloud data

Acting Defense Department CIO Terry Halvorsen on Jan. 29 called on commercial cloud providers to own up to the challenges of data liability and information sharing, measures he sees as instrumental to the Pentagon reaping the benefits of the commercial cloud. “When you lose our data that’s in your cloud, you have all the normal liability issues, but let’s be real, you’re dealing with DOD. You also have a bit of a political liability,” Halvorsen said. “Our data gets lost, it’s going to make the news. It’s going to get interest [from] Congress, it’s going to get interest [from] the American people.”

http://fcw.com/articles/2015/01/29/halvorsen-on-cloud-data.aspx

 

+ The internet of dangerous things

Distributed denial-of-service (DDoS) attacks designed to silence end users and sideline Web sites grew with alarming frequency and size last year, according to new data released this week. Those findings dovetail quite closely with the attack patterns seen against this Web site over the past year. Arbor Networks, a major provider of services to help block DDoS assaults, surveyed nearly 300 companies and found that 38% of respondents saw more than 21 DDoS attacks per month. That’s up from a quarter of all respondents reporting 21 or more DDoS attacks the year prior.

http://krebsonsecurity.com/2015/01/the-internet-of-dangerous-things/

 

+ FCC Chairman to Propose Strong Net Neutrality Rules

US Federal Communications Commission (FCC) chairman Tom Wheeler says he will propose that cable Internet companies be reclassified as common carriers, which would subject them to additional government regulation.

Wheeler says the move will “preserve the Internet as an open platform for innovation and free expression.”

http://www.wired.com/2015/02/fcc-chairman-wheeler-net-neutrality

http://www.csmonitor.com/Innovation/2015/0204/FCC-chairman-proposes-strong-net-neutrality-rules

[Note: I read the Wired article earlier today. I suppose the overwhelming majority of us are not in a position to do much about this, but we ought to be informed. The New Yorker piece is also a pretty good read:

http://www.newyorker.com/news/news-desk/net-neutrality-shows-democracy-can-work

Shades of Vietnam. Wheeler proposes to destroy the Internet to save it. Regulating the Internet under this eighty-year-old law, designed to regulate a legal monopoly, will stifle competition, innovation, and investment. To do so on the basis of anticipated abuse, without ever knowing whether competition and public opinion would have been a more effective and efficient way to accomplish the same objective, is the worst kind of government overreach. This policy is not recommended by the amount of populist support it has. “Net neutrality” is a slogan, not a policy.]

 

+ New ‘F0xy’ malware uses clever techniques to stay hidden

Researchers at Websense have come across a new piece of malware that leverages legitimate websites and services in an effort to disguise its malicious activities. The threat has been dubbed “f0xy” not only because it’s cunning like a fox, but also because this particular string has been found in its executables and in the registry keys it creates for persistence. The earliest samples identified by researchers are dated January 13, 2015, but the malware has been enhanced by its creators since. Initial variants only worked on Windows Vista and later versions of Microsoft’s operating system, but newer variants also work on Windows XP, Websense said.

http://www.securityweek.com/new-%E2%80%9Cf0xy%E2%80%9D-malware-uses-clever-techniques-stay-hidden

+ The Value of a Hacked Email Account

http://krebsonsecurity.com/2013/06/the-value-of-a-hacked-email-account/

 

+ New Technology Detects Hacks in Milliseconds

http://www.bloomberg.com/news/articles/2015-02-03/new-technology-detects-hacks-in-milliseconds

 

+ Security Trends for 2015: Internet of Things and Border Security

http://www.ifsecglobal.com/security-trends-2015-internet-things-border-security-not-drones/

 

+ Leveraging The Kill Chain For Awesome

http://www.darkreading.com/attacks-breaches/leveraging-the-kill-chain-for-awesome/a/d-id/1317810?utm_content=buffera276a&utm_medium=social&utm_source=linkedin.com&utm_campaign=buffer

 

+ Advanced Defense Posture Assessment

https://nigesecurityguy.wordpress.com/2014/10/09/advanced-defense-posture-assessment/

 

+ Data Privacy Day 2015 Tips Round Up

http://privacyref.com/wordpress/2015/02/08/data-privacy-day-2015-tips-round/

 

+ Cybersecurity is a C-Level Activity

http://www.tenable.com/blog/cybersecurity-is-a-c-level-activity

+ Hackers holding websites to ransom by switching their encryption keys

http://www.theguardian.com/technology/2015/feb/03/hackers-websites-ransom-switching-encryption-keys

++++  FYI / FYSA  – items of general interest  +++

+ Intel chief warns US tech threatened by China cybertheft

The U.S. defense intelligence chief warned Tuesday that America’s technological edge over China is at risk because of cybertheft. Lt. Gen. Vincent Stewart, director of the U.S. Defense Intelligence Agency, told a congressional hearing the U.S. retains technological superiority. But he said China had stolen “a lot” of intellectual property from U.S. defense contractors and that the effort continues. He declined to say publicly whether that has affected U.S. defense capabilities. “I do not believe we are at this point losing our technological edge, but it is at risk based on some of their cyber activities,” Stewart told a House Armed Services Committee hearing on worldwide threats.

http://www.washingtonpost.com/business/technology/intel-chief-warns-us-tech-threatened-by-china-cyber-theft/2015/02/03/d1163474-abd3-11e4-8876-460b1144cbc1_story.html

 

+ Pentagon proposes at least $27M to grow ranks of cyber forces

The military services each want to bring on board an additional 20 to 60 security whizzes starting next fall to fill the ranks of a 6,000-person Cyber Command, according to President Barack Obama’s fiscal 2016 funding request. Air Force Maj. Gen. James Martin earlier this week said that increases in the service’s operations and maintenance budget would create a total of 39 cyber teams. Those teams will include “200 military personnel in cyber operations and cyber warfare positions to counter growing worldwide cyber threats,” according to budget documents.

http://www.nextgov.com/cybersecurity/2015/02/pentagon-proposes-least-27-million-grow-ranks-cyber-forces/104592/

+ White House debuts dot-gov cyber enforcement squad

The Obama administration will spend about $20 million on a new White House cyber unit to oversee dot-gov network security, including, for the first time, making sure agencies notify victims of breaches according to a specific timetable. The “E-gov Cyber” division, housed within the Office of Management and Budget, is aimed at making clear OMB’s role in government-wide cybersecurity: policymaking and enforcement. The newly enacted 2014 Federal Information Security Modernization Act formally tasks the Department of Homeland Security with operational aspects of guarding the dot-gov network, and cements OMB’s strategic role.

http://www.nextgov.com/cybersecurity/2015/02/white-house-debuts-dot-gov-cyber-enforcement-squad/104313/

 

+ Why Internet users all around the world should be worried about China’s Great Firewall

China’s Great Firewall is coming to a computer near you. What may be the world’s biggest censorship and Internet monitoring operation does not just affect Netizens in China; it is becoming a potential concern for Internet users elsewhere in the world, experts say. News that China is building that firewall steadily higher only heightens those concerns. For a start, Web browsers all over the world now trust the Chinese government to tell them which Web sites are genuine. That is increasingly dangerous as Chinese hackers target foreign Web services to steal users’ data, allegedly at the behest or with the connivance of the Chinese government. An attack on Microsoft Outlook last month underscores that risk. Then there is the question of China’s growing demands for the keys to global operating systems, which it is making on foreign IT firms as a condition for doing business there.

http://www.washingtonpost.com/blogs/worldviews/wp/2015/02/02/why-internet-users-all-around-the-world-should-be-worried-about-chinas-great-firewall/

 

+ Cybersecurity expert says government hasn’t done enough to protect data

Hackers could tap into air traffic control systems, bust into banks or even cut off the water supply to a city. There’s little or no legislation right now that could help prevent these attacks, but that could change soon as both President Barack Obama and Congress are taking steps to find compromises for cybersecurity legislation after years of deadlock. “The government’s not nearly done what it should,” said Fred Cate, Indiana University professor of law and senior fellow with the IU Center for Applied Cybersecurity Research. “We have no obligation to protect data.” Compare it to a car: There are safety measures that need to be in place, such as seat belts and air bags, tests that need to be done and other requirements met. But for cybersecurity, none of those safety rules and regulations exist, Cate said.

http://www.govtech.com/security/Cybersecurity-Expert-Says-Government-Hasnt-Done-Enough-to-Protect-Data.html

 

+ ‘Anonymized’ credit card data not so anonymous, study finds

Credit card data isn’t quite as anonymous as promised, a new study says. Scientists showed they can identify you with more than 90 percent accuracy by looking at just four purchases, three if the price is included — and this is after companies “anonymized” the transaction records, saying they wiped away names and other personal details. The study out of MIT, published Thursday in the journal Science, examined three months of credit card records for 1.1 million people.  “We are showing that the privacy we are told that we have isn’t real,” study co-author Alex “Sandy” Pentland of the Massachusetts Institute of Technology, said in an email.

http://www.mercurynews.com/business/ci_27421102/anonymized-credit-card-data-not-so-anonymous-study?source=rss

 

+ In communications, privacy and security are illusions

President Obama has tried for three years to persuade Congress to pass a cybersecurity bill. The president went so far as to highlight his cybersecurity proposals to a prime-time audience during his recent State of the Union address. And in the wake of the massive Sony hack, the political climate may finally have shifted in his favor. Indeed, the Sony breach was one of the worst in corporate history. It torpedoed a Hollywood blockbuster and nearly brought down a major studio. But, more important, it represented a significant escalation of cyber warfare and demonstrated the quickly accelerating skills of hackers everywhere.

http://techcrunch.com/2015/01/29/in-communications-privacy-and-security-are-illusions/

 

+ DISA Rolls Out Defense Department Online Collaboration Tool

http://www.defense.gov/news/newsarticle.aspx?id=128125

 

+ Mandatory Security Design Considerations for the IoT / IoE

http://blog.norsecorp.com/2015/02/04/mandatory-security-design-considerations-for-the-iot-ioe/

 

+ How Ransomware Works, and Why You Should Be Afraid

http://www.technologyreview.com/news/534516/holding-data-hostage-the-perfect-internet-crime/?utm_campaign=socialsync&utm_medium=social-post&utm_source=linkedin

+ Digital Electronic “Internet of Things” (IoT) and “Smart Grid Technologies” to Fully Eviscerate Privacy

http://www.globalresearch.ca/digital-electronic-internet-of-things-and-smart-grid-technologies-to-fully-eviscerate-privacy/5428595

 

+ DoD cyber types – JRSS paves the road to JIE

http://archive.c4isrnet.com/article/20141001/C4ISRNET14/310010002/JRSS-paves-road-JIE

 

+ Cisco’s Chief Security and Trust Officer: ‘all hands on deck’

http://www.itworldcanada.com/blog/ciscos-chief-security-and-trust-officer-all-hands-on-deck/101331#ixzz3QVuImhHJ

 

+ Closing the Cyber Talent Gap

http://m.huffpost.com/us/entry/6582192

+ MOBILE security / MDM potpourri… 

10 Commandments Of BYOD

https://www.linkedin.com/pulse/10-commandments-byod-manuel-w-lloyd

10 BYOD mobile device management suites you need to know

http://www.zdnet.com/article/10-byod-mobile-device-management-suites-you-need-to-know/

Five new threats to your mobile device security

http://www.csoonline.com/article/2157785/data-protection/five-new-threats-to-your-mobile-device-security.html

2015 Mobile Device Management Solution Directory | MDM,

http://solutions-review.com/mobile-device-management/mdm-buyers-guide-directory/

Six criteria for master data management (MDM) tool evaluation

http://searchdatamanagement.techtarget.com/answer/Six-criteria-for-master-data-management-MDM-tool-evaluation

Gartner Master Data Management Magic Quadrant of Customer Data Solutions 2014

http://www.informatica.com/us/magic-quadrant-MDM/

MDM tools: Features and functions compared

http://www.computerworld.com/article/2497055/mobile-device-management/mdm-tools-features-and-functions-compared.html

++++  THREATs  / bad news stuff / etc  +++

+ BMW Fixes Software Flaw that Affected 2.2 Million Cars

BMW has remotely fixed a vulnerability in software used in some of its cars that could have been exploited to open the vehicles’ doors using a mobile phone. The software, ConnectedDrive, uses an on-board SIM card and manages door locks, air conditioning, and traffic updates, but not brakes or steering. The patch encrypts data from the car with HTTPS.

http://www.bbc.com/news/technology-31093065

http://www.forbes.com/sites/thomasbrewster/2015/02/02/bmw-door-hacking/

[Note: While this patch was innocuous, it does raise bigger questions about how we manage patches to critical devices such as cars, alarm systems, and health monitoring devices that are connected to the Internet. Blindly patching devices with the latest updates may not prove to be the most sensible approach; having your PC crash during an update is an entirely different beast than having your car crash during an update. This is the kind of gross error of omission that one can expect when programmers, rather than engineers, build infrastructure… It demonstrates the necessity of failure mode analysis. It is the kind of omission that the FTC Guidance might hope to address. It is also the kind of problem that we can expect if we employ a programming “late discovery and patch” strategy rather than an engineering “do it right the first time” approach. Note that the difficult-to-secure functionality, that the programmer includes to facilitate late patching of his errors and omissions, will greatly increase the attack surface and vulnerability of the infrastructure. Are we to trust the same programmer to design the patch function as makes this kind of error in the base product?]

 

+ DDoS attacks spike 80% in Q4 2014

Traffic volume for internet attacks aimed at bringing web servers to their knees continues to accelerate. In the past year, there has been a 52% increase in average peak bandwidth of distributed denial of service (DDoS) attacks, according to new research. Akamai Technologies’ Q4 2014 State of the Internet – Security Report, produced by the Prolexic Security Engineering and Research Team (PLXsert), found that compared to Q4 a year ago, there were 57% more DDoS attacks and a 28% increase in average attack duration. Compared to the previous quarter, attacks spiked by 90%.

http://www.infosecurity-magazine.com/news/ddos-attacks-spike-80-in-q4-2014/

 

+ Browser-borne malware costs top $3.2M

Enterprise IT failure to defend against web-borne malware is a rapidly growing enterprise data security threat, new research has revealed, with more than 75% of enterprises having been infiltrated via inherently insecure browsers. According to the Ponemon Institute report, there’s also a very real cost attached to the issue, apart from fraud-related costs and impact on valuation from data leakage. The findings reveal the average cost to respond to and remediate just one security breach resulting from failed malware detection technology to be approximately $62,000. Ponemon estimates that such attacks and infections have cost survey respondents an average of $3.2 million.

http://www.infosecurity-magazine.com/news/browserborne-malware-costs-top-32mn/

 

+ Serious bug in fully patched Internet Explorer puts user credentials at risk

A vulnerability in fully patched versions of Internet Explorer allows attackers to steal login credentials and inject malicious content into users’ browsing sessions. Microsoft officials said they’re working on a fix for the bug, which works successfully on IE 11 running on both Windows 7 and 8.1. The vulnerability is known as a universal cross-site scripting (XSS) bug. It allows attackers to bypass the same-origin policy, a crucially important principle in Web application models that prevents one site from accessing or modifying browser cookies or other content set by any other site. A proof-of-concept exploit published in the past few days shows how websites can violate this rule when people use supported versions of Internet Explorer running the latest patches to visit maliciously crafted pages.

http://arstechnica.com/security/2015/02/serious-bug-in-fully-patched-internet-explorer-puts-user-credentials-at-risk/

 

+ Google paid over $1.5 million in bug bounties in 2014

Google last year doled out more than $1.5 million to security researchers who rooted out vulnerabilities in its open-source software and web services. The search engine giant today released a 2014 postmortem of its Security Reward Programs, which includes its Vulnerability Reward Program. The top-dollar reward of 2014 went to George Hotz, who earned a $150,000 reward from Google for finding flaws in the Chrome operating system. Hotz was later hired as an intern with the Project Zero team at Google. Google last year awarded bug bounties for more than 500 vulnerabilities found by some 200 security researchers. “For Chrome, more than half of all rewarded reports for 2014 were in developer and beta versions,” Google security engineer Eduardo Vela Nava wrote in a blog post today. “We were able to squash bugs before they could reach our main user population.”

http://www.darkreading.com/vulnerabilities—threats/google-paid-over-$15-million-in-bug-bounties-in-2014/d/d-id/1318886?_mc=RSS_DR_EDT

 

+ Syrian conflict: Attackers steal rebel battle plans

Security researchers have uncovered a major new attack campaign designed to covertly steal military and political intelligence which could be used to gain a battlefield advantage against the Syrian ‘rebel’ armies. FireEye explained in a new report, Behind the Syrian Conflict’s Digital Front Lines, that the attackers would typically hide behind a female online avatar, striking up a conversation with their targets on Skype. Unusually, the ‘women’ would ask the victim what device they were using, most likely in order to determine what type of malware to deliver.

http://www.infosecurity-magazine.com/news/syrian-conflict-attackers-steal/

 

+ TurboTax owner Intuit Inc. has issues… (long-time TurboTax user… I switched to HRBlock this year)

TurboTax owner Intuit Inc. said Thursday that it is temporarily suspending the transmission of state e-filed tax returns in response to a surge in complaints from consumers who logged into their TurboTax accounts only to find crooks had already claimed a refund in their name.

http://krebsonsecurity.com/2015/02/citing-tax-fraud-spike-turbotax-suspends-state-e-filings/

 

+ The Russian hackers first hacked into the Sony Entertainment computers in their Asian branches.

The hackers first accessed SPE’s Culver City, California network in late 2014 through a Spear Phishing attack on Sony employees in Russia, India and…

https://www.linkedin.com/pulse/new-surprising-fact-sony-hack-states-russian-hackers-hacked-mayur

 

+ FINAL word on this – Anthem Notifying Customers Just Eight Days After Breach

US health insurance company Anthem has acknowledged a breach of one of its systems that compromised customer and employee data. Anthem began notifying affected customers just eight days after the breach. The company has also notified the FBI and has hired Mandiant to investigate. Mandiant said that the attack was conducted through custom backdoors, suggesting that the company was the target of an “advanced attack.”

http://www.scmagazine.com/anthem-brings-in-mandiant-to-investigate-resolve-breach/article/396749/

http://krebsonsecurity.com/2015/02/data-breach-at-health-insurer-anthem-could-impact-millions/

[Note: Focus on what vulnerabilities were exploited to breach Anthem, not who launched the attack. So far, it looks like the common combination of exploiting well-known vulnerabilities with a targeted phishing attack at the front end. When Critical Security Controls are not in place or are disabled or mismanaged, advanced targeted attacks do *not* need to be very “advanced.”… To focus on the good news: Anthem detected the breach internally, without requiring notification by an external entity. They also noticed the breach quickly and may have prevented the attacker from ever using the data… Well, there is finally a breach to rival eBay. Anthem will likely draw a bye from the media as has eBay. The media does not seem to worry as much about identity theft as credit card fraud. Anthem has stressed that no health information has been compromised, hoping to avoid the draconian penalties under HIPAA. Fortunately for all of us there is a limit to the number of identities one can exploit. Consumers should be warned against the kinds of telephone scams that will seek to exploit this information. As with previous major breaches, how the breach happened is the more important lesson for most people, rather than who conducted the attack. Let law enforcement worry about who is behind the attack and hopefully put them behind bars, let those of us responsible…]

+ Multiple Security Weaknesses in Microsoft Outlook for iOS Revealed by Developer – Softpedia

A software developer has analyzed the way the newly released Microsoft Outlook for iOS functions and discovered that it does not align to the best security practices, presenting a serious risk if used for company email communication.

http://news.softpedia.com/news/Multiple-Security-Weaknesses-in-Microsoft-Outlook-for-iOS-Revealed-by-Developer-471688.shtml

 

+ Dangerous IE vulnerability opens door to powerful phishing attacks

http://www.csoonline.com/article/2879004/vulnerabilities/dangerous-ie-vulnerability-opens-door-to-powerful-phishing-attacks.html#tk.rss_news

 

+ Terrorist Use Of U.S. Social Media Is A National Security Threat

http://www.forbes.com/sites/realspin/2015/01/30/terrorist-use-of-u-s-social-media-is-a-national-security-threat/

 

+ Take Immediate Steps to Repair Identity Theft | Consumer Information

http://www.consumer.ftc.gov/articles/0274-immediate-steps-repair-identity-theft

++++   SD/SoCAL security events / opportunities +++

+ CyberTECH events / networking / startups / etc  —  THE cyber happening place in SD!!! 

Join their Meetup Group for the latest event information!   The definition of “Cyber KEWEL”

http://www.meetup.com/cybertech/

 

FEB

8-11 – NDSS Symposium 2015

http://www.internetsociety.org/events/ndss-symposium-2015

10-12 –  AFCEA West –  (and DoN CIO conf too) Focused on Operations in the Asia-Pacific Region

http://events.jspargo.com/West15/public/enter.aspx

19 – ISACA – 12-2PM – Hybrid Solutions Providers and the Sometimes Fragmented Solutions that Occur When Selecting a Patchwork of Hosts.

http://www.eventbrite.com/e/february-2015-isaca-san-diego-chapter-meeting-tickets-15539390736

19 – OWASP – 6PM  – Improving Application Security & Penetration testing, through training and presentations

http://www.meetup.com/Open-Web-Application-Security-Project-San-Diego-OWASP-SD/events/218879077/

MAR

19 – OWASP –  Kelly FitzGerald

+++  Future events in planning  FYI:

25-26 Apr – CYBERWEST: The Southwest Cybersecurity Summit (Phoenix AZ)

http://www.afei.org/events/5A06/Pages/default.aspx

4-12 May SANS Security West 2015

http://www.sans.org/event/sans-security-west-2015

18-21 Jul  Esri National Security summit

http://www.esri.com/events/homeland

 

MAR / APR(tbd)   “BigDataDay 4 SD”  all-day event SAT – free –  Jump in and help us – speakers needed!!!

We went to the one in LA and it was great…   our three tracks will be:

http://www.sciap.org/blog1/?page_id=1256

TBD – Privacy by design workshop – a cyber model  – Provided by IEEE Cyber SIG / Various Security groups – all day  & why you must be part of this initiative!  (at Coleman University –  AM Technical approach… PM public discussions)     Help move SD forward in cyber –  DOING security vs admiring the problem…. SO engage and help out on cyber 4 PbD!!!

+++  Join our PbD / data security meetup, stay tuned to what’s happening..

http://www.meetup.com/San-Diego-Privacy-by-Design-Data-Security-Meetup/

 

————————————————————————————————–

FEB  1

+ Report suggests most DoD networks susceptible to mid-grade cyber threats

A new Pentagon report on the Defense Department’s major systems includes some worrying assessments of DoD’s overall cybersecurity posture: A troubling proportion of its IT systems appears to be vulnerable to low- or intermediate-level hackers, leaving aside the advanced persistent threats everyone’s worried about. The annual report from the Office of Operational Test and Evaluation is most known for its summarized assessments on the performance of dozens of individual weapons programs. But a separate eight-page section dedicated to cybersecurity draws some stark conclusions about DoD’s overall defensive positioning.

http://www.federalnewsradio.com/?nid=1323&sid=3787806

http://www.dote.osd.mil/pub/reports/FY2014/

But a separate eight-page section dedicated to cybersecurity draws some stark conclusions about DoD’s weak overall defensive positioning.

http://www.dote.osd.mil/pub/reports/FY2014/pdf/other/2014cybersecurity.pdf

— Of course — lack of effective cyber hygiene and weak access control cause over 90% of all security incidents…   Everyone tells us that… Verizon data breach report, NSA, even Navy’s own NCDOC (for what seems like many years…;-((   “…Nearly all the vulnerabilities were discoverable with novice- and intermediate-level cyber threat techniques,” the authors wrote.

 

+ U.S. intelligence challenged by technology, cyber

A day after President Barack Obama’s State of the Union address, a top Pentagon intelligence official gave what might be described as a State of Intelligence speech describing U.S. advantages in the field as increasingly challenged by asymmetric threats. Undersecretary of Defense for Intelligence Michael Vickers put insecurity in cyberspace on par with terrorism as the biggest immediate threats to U.S. national security — and touched on how IT can help cope with those challenges — in a Jan. 21 appearance at the Atlantic Council in Washington.

http://fcw.com/articles/2015/01/21/us-intel-challenged-by-cyber.aspx

 

+ Tech Companies Balking at China’s Security Requirements

Vendors are unhappy with the Chinese government’s requirements that products sold to financial institutions in that country include “management ports” in hardware and allow the government complete access to all software and firmware source code. The requirement is part of China’s “cyber security vetting process.” The US Chamber of Commerce and others have called the new rules “intrusive.”

http://arstechnica.com/tech-policy/2015/01/it-vendors-cry-foul-at-new-chinese-security-rules-requiring-built-in-backdoors/

http://www.scmagazine.com/us-firms-push-back-against-chinese-cybersecurity-policies/article/395281/

[Note : Given the calls from US and UK governments in support of backdoors into security products it will be interesting to see their reaction to these demands from China.]

 

+ Deep Dark Web Of The Internet Iceberg

https://www.linkedin.com/pulse/deep-dark-web-internet-iceberg-scott-schober

 

+ Lest we forget the Sony hack

http://gcn.com/articles/2015/01/30/internet-of-things.aspx?m=1

 

+ Business Insurance On The Go… D & O increasing

http://www.businessinsurance.com/article/20141109/NEWS07/141109863?template=smartphoneart

 

+ 10 Quotes From Entrepreneurial Icons That Will Inspire You to Crush 2015

http://www.entrepreneur.com/article/241140

 

+ NIST 8018, Public Safety Mobile Application Security Requirements

http://nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.8018.pdf

+ Top 10 Security Vendors To Watch In 2015

http://www.crn.com/slide-shows/security/300075418/top-10-security-vendors-to-watch-in-2015.htm

 

+ Advice For Entrepreneurs From 2014

http://www.businessinsider.com/advice-for-entrepreneurs-from-2014-2015-1

++++  Cyber Security News you can use  +++

+ New rules in China upset western tech companies

The Chinese government has adopted new regulations requiring companies that sell computer equipment to Chinese banks to turn over secret source code, submit to invasive audits and build so-called back doors into hardware and software, according to a copy of the rules obtained by foreign technology companies that do billions of dollars’ worth of business in China. The new rules, laid out in a 22-page document approved at the end of last year, are the first in a series of policies expected to be unveiled in the coming months that Beijing says are intended to strengthen cybersecurity in critical Chinese industries. As copies have spread in the past month, the regulations have heightened concern among foreign companies that the authorities are trying to force them out of one of the largest and fastest-growing markets.

http://www.nytimes.com/2015/01/29/technology/in-china-new-cybersecurity-rules-perturb-western-tech-companies.html?_r=0

 

+ More white hats improve security, researchers demonstrate

White hat hackers have been making significant contributions to cybersecurity by detecting vulnerabilities in companies’ software systems and websites and communicating their findings, according to a recent research project at Penn State. Long used by agencies for penetration and vulnerability testing, white hat or ethical hacking helps organizations find holes and bugs in software, digital devices and networks, thereby better securing the online world. Researchers at Penn State’s College of Information Sciences and Technology (IST) studying white hat behaviors suggest that organizations that reward hackers who uncover vulnerabilities in their systems could improve the bug discovery process by expanding and adding diversity to their white hat communities.

http://gcn.com/articles/2015/01/26/white-hats.aspx?admgarea=TC_SecCybersSec

 

+ This is how feds will protect sensitive data in the cloud

Officials at the Federal Data and Authorization Management Program have released draft security standards aimed at protecting some of the government’s most sensitive unclassified data in cloud computing environments. FedRAMP officials are now seeking feedback from industry and agencies on the proposed standards. The so-called high-impact baseline under the Federal Information Security Management Act has been discussed since FedRAMP – the government’s program to standardize cloud security requirements – was created nearly three years ago.

http://www.nextgov.com/cloud-computing/2015/01/new-fedramp-standards-provide-glimpse-how-feds-will-protect-sensitive-data-cloud/103971/

 

+ Email privacy blitz unites Amazon, Grover Norquist

Major technology companies and advocacy groups are rushing to urge “speedy consideration” of legislation to add new legal protections to people’s emails. Companies from Amazon to eBay to Facebook joined the Electronic Frontier Foundation, Grover Norquist’s Americans for Tax Reform and dozens of others in sending letters demanding Congress finalize a bill to require that officials get a warrant before searching people’s old emails or other items stored digitally on the cloud.

http://thehill.com/policy/technology/230538-tech-advocacy-groups-ready-email-privacy-blitz

 

+ ‘123456’ again: The most popular passwords aren’t changing

This is not a reprinted mistake: The most commonly used password in 2014 was “123456,” a security company says. Despite the high-profile hacking attacks last year, people are still using passwords that security analysts say should have been in the dustbin years ago. Both “123456” and “password” have been the top two passwords since security-app provider SplashData began measuring the most frequently used passwords in 2011.

http://blogs.wsj.com/digits/2015/01/20/123456-again-the-most-popular-passwords-arent-changing/?mod=djemCIO_h

 

+ Agencies get roadmap for security data sharing

The Office of the Director of National Intelligence’s Information Sharing Environment this month released what it called the first-ever roadmap for national security information sharing, a set of best practices for agencies and IT firms to synchronize data sharing in pursuing national security threats. The model, called the Data Aggregation Reference Architecture (DARA), was developed over several years as a compendium of ways for agencies to share aggregate information to gain insights into potentially relevant intelligence data, said government executives involved in the effort.

http://gcn.com/articles/2015/01/21/data-aggregation-reference-architecture.aspx

 

+ Study uncovers 40,000 malicious mobile banking apps

Mobile banking is an increasingly popular way to stay on top of one’s finances, with the ability to check balances, transfer money and even deposit checks virtually. Unfortunately, the sector is also a rich tapestry of criminal activity, with 11% of mobile banking apps categorized as “suspicious.” According to research findings from RiskIQ, there’s a notable prevalence of suspicious mobile apps related to banking. The company found that more than 40,000 (or 11%) of the 350,000 apps which reference banking in the world’s top 90 app stores contain malware or suspicious binaries. Roughly half of those (20,000) actually contained Trojan malware.

http://www.infosecurity-magazine.com/news/40000-malicious-mobile-banking-apps/

 

+ Report: US Weapons Programs Vulnerable to Cyber Attacks

According to a report released by the US Defense Department’s Director of Operational Test and Evaluation (DOT&E) Michael Gilmore on January 20, most of the country’s weapons programs contain security flaws.

Gilmore wrote, “The continued development of advanced cyber intrusion techniques makes it likely that determined cyber adversaries can acquire a foothold in most (Department of Defense) networks, and could be in a position to degrade important DOD missions when and if they chose to.” Many of the security problems found during testing could have been addressed in the programs’ development stage. Other issues include old, misconfigured, and unpatched software.

http://www.scmagazine.com/report-most-us-weapons-programs-contain-significant-vulnerabilities/article/394499/

http://www.nytimes.com/reuters/2015/01/20/technology/20reuters-cybersecurity-pentagon.html

[Note : One of the major recommendations was pretty straightforward: “Emphasize network defense fundamentals” – essentially citing many of the Critical Security Controls. : One might think that it would be obvious that weapons systems should be purpose built, closed, and have a very high cost of attack.  It isn’t.  This report suggests that we are not even addressing the “essentials,” the “low hanging fruit.”  The IT culture of shoddy affects the military the same way as the rest of us.  This should be a source of shame rather than mere concern.]

 

+ Court Dismisses LabMD’s Challenge to FTC Breach Enforcement

The 11th Circuit Court has dismissed a challenge from LabMD to the US Federal Trade Commission’s (FTC’s) authority to take enforcement action against the company for an alleged data breach.

http://www.scmagazine.com/court-refuses-to-address-labmds-challenge-to-ftcs-enforcement-authority/article/394388/

http://www.natlawreview.com/article/11th-circuit-allows-ftc-data-breach-case-against-labmd-to-proceed

[Note : The FTC has done great work, without needing any new legislation, in going after companies that don’t protect citizen information. This court decision didn’t really dismiss LabMD’s challenge completely – it really said LabMD has to exhaust all administrative remedies before asking the Court to act. I can guarantee that LabMD has already paid lawyers more to fight this action than it would have spent in just protecting customer information sufficiently in the first place.]

 

+ Enterprise security needs more than just new and improved

“The innovation void is real and it will grow in severity and pose a major threat to all of information security if we wait for others to correct the problem. There is no magic fix or killer app coming this time,” said Peter Kuper.  Yet we know that the biggest threats to business continuity are the ones that are already inside – the ones that many of the “IT Security” boxes failed to stop… (aka, need SCM / SIEM / SDM..)  “We don’t have enough of the basics; security is always behind the [threat] curve. We need to leverage resources – make most of big data and the cloud for example…

http://h41085.www4.hp.com/uk/en/campaign/inform-emagazine/articles/enterprise-security-needs-more-than-just-new-and-improved.html

 

+ NFL mobile sports app contains Super Bowl-sized vulnerabilities

Russell Wilson and Tom Brady aren’t the only ones who might be due for an interception this Super Bowl Sunday. As the Seahawks and the New England Patriots lock horns on the gridiron, football fans might find that their data is what’s being intercepted off the field. According to a report by mobile data gateway firm Wandera, the popular NFL Mobile app has a vulnerability that leaves users’ sensitive personal data exposed to man-in-the-middle attacks. Wandera performed scanning on the app to find that following a successful login by the user through their NFL.com account, the NFL Mobile app leaks their credentials in an unencrypted API call. Additionally, it leaks the username and email address in an unencrypted cookie immediately after login and on subsequent calls by the app to the NFL.com domain.

http://www.darkreading.com/nfl-mobile-sports-app-contains-super-bowl-sized-vulns/d/d-id/1318802?_mc=RSS_DR_EDT

+ The top five mistakes new security leaders make

https://www.linkedin.com/pulse/top-five-mistakes-new-security-leaders-make-dan-lohrmann

 

+ Obama cybersecurity proposals, CISPA: Who is liable for big data breaches?

http://www.slate.com/articles/technology/future_tense/2015/01/obama_cybersecurity_proposals_cispa_who_is_liable_for_big_data_breaches.1.html

 

+ Building A Cybersecurity Program: 3 Tips

http://www.darkreading.com/operations/building-a-cybersecurity-program-3-tips-/a/d-id/1318775

 

+ 7 ideas for security leaders

I like them.  Besides being really good at the security basics and CISO fundamentals we suggest… ;-))

http://www.csoonline.com/article/2876310/security-leadership/7-ideas-for-security-leaders.html#slide1

 

+ Cloud Computing in Government

“Creating Cloud Builder Organizations Across Government” featured some of the brightest tech minds sharing their knowledge of cloud computing.

http://fcw.com/~/media/E2022C92299A4FB2A75E7FB96B61CCD9.pdf

+ Very nice IR plan overview!   Social Media Cyber-Vandalism Toolkit

https://www.digitalgov.gov/resources/readiness-recovery-response-social-media-cyber-vandalism-toolkit/

AND

https://www.enisa.europa.eu/activities/cert/support/actionable-information/actionable-information-for-security/at_download/fullReport

 

+ NSA Releases Defensive Best Practices for Destructive Malware

http://blog.norsecorp.com/2015/01/23/nsa-releases-defensive-best-practices-for-destructive-malware/

+ Privacy and Data Protection by Design

http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/privacy-and-data-protection-by-design/at_download/fullReport

++++  FYI / FYSA   +++

+ Fed data at risk in attacks on university computers

Cyber attackers hijacked a university’s supercomputer in early 2014, leveraging its vast capabilities in a massive electronic assault on U.S. gaming networks, according to a recent warning to U.S. higher education from the Department of Homeland Security. DHS’s “unclassified, for official use only” memo said university networks are attractive targets for cybercriminals, adding that universities’  information-filled computer infrastructure and networks can provide access to other types of electronic facilities, including sensitive federal networks.

http://fcw.com/articles/2015/01/27/fed-data-at-risk.aspx

 

+ Feds get a how-to guide for responding to social media hacks

Remember two weeks ago when the Twitter and YouTube accounts of U.S. Central Command were compromised in a very public, embarrassing fashion that had some questioning the need for certain agencies’ social media use? The news sparked a rapid response from the SocialGov Community – hundreds of digital engagement managers across the government – which created a working group to compile best practices and guidance in social media for federal agencies. Launched today, the Social Media Cyber-Vandalism Toolkit is the result of the working group’s collaboration, and “the new resource is now available as a ‘living document’ for continuous technologies.”

http://www.nextgov.com/emerging-tech/emerging-tech-blog/2015/01/new-toolkit-feds-aims-prevent-social-media-hacks/103866/?oref=ng-channelriver

 

+ DHS to launch iris and facial recognition at the border

The Department of Homeland Security this summer plans to roll out iris and facial recognition services to the U.S. Border Patrol, according to DHS officials. The service will be able to share images with the FBI’s massive multibiometric system, officials said. The test is part of a coming overhaul of the Department’s “IDENT” biometric system, which currently contains more than 170 million foreigner fingerprints and facial images, as well as 600,000 iris templates. DHS last November released two sets of system specifications as part of market research for the new product.

http://www.nextgov.com/defense/2015/01/dhs-launch-iris-and-facial-recognition-border/103908/

 

+ Google defends policy that leaves most Android devices unpatched

Google on Friday defended its decision to stop patching WebView, a core component of Android, on versions older than 4.4, aka “KitKat,” saying that the huge code base is unsafe to fix. “Until recently, we have also provided backports for the version of WebKit that is used by WebView on Android 4.3 and earlier,” wrote Adrian Ludwig, Android lead security engineer on Google+. “But WebKit alone is over 5 million lines of code and hundreds of developers are adding thousands of new commits every month, so in some instances applying vulnerability patches to a two-plus-year-old branch of WebKit required changes to significant portions of the code and was no longer practical to do safely.”

http://www.computerworld.com/article/2875136/google-defends-policy-that-leaves-most-android-devices-unpatched.html

 

+ Financial groups want same data security standards for retailers

Financial groups want retailers and banks to be held to the same standards when data breaches occur. The Credit Union National Association sent a letter to Congress on Friday asking for new rules for how retailers must handle customers’ personal data. “The financial industry is required by law to develop and maintain robust internal protections to combat and address criminal attacks, and are required to protect consumer financial information and notify consumers when a breach occurs within their systems that will put their customers at risk,” the letter said. “The same cannot be said for other industries, like retailers, that routinely handle this same information and increasingly store it for their own purposes.”

http://thehill.com/regulation/cybersecurity/230585-financial-groups-want-same-standards-for-retailers-in-data-breaches

 

+ In emergencies, companies are turning to employee-tracking services

The recent terrorist attack in Paris put Norm Sheehan, a safety director for an international development company, on high alert. Employees of his company, Chemonics International, were headed to West Africa through Charles de Gaulle Airport, and he had to find them. So his emergency plan – long in preparation, regularly updated and only sometimes used – went into effect. It took more than just a call on their cellphones to help locate the workers during the emergency. Rather, he relied on an online tracking tool, to identify travelers’ plans and their contact information, developed by International SOS, one of a growing number of companies offering such services.

http://www.nytimes.com/2015/01/27/business/in-emergencies-companies-are-turning-to-employee-tracking-services.html?partner=rss&emc=rss&_r=0

 

+ House Subcommittee Hears Testimony on Data Breach Legislation

The US House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade heard testimony from tech company representatives, legal experts and others regarding what data breach legislation ought to look like. A trade association executive spoke of the need for federal legislation to establish a national standard for breach notification so companies do not have to navigate the current patchwork of state laws. A law professor and scholar cautioned that “data breach legislation should be minimally preemptive [of state laws] because multiple approaches are still needed to determine the best approach to data security and breach notification.”

http://www.scmagazine.com/testimony-before-legislators-outlines-elements-of-data-breach-law/article/395045/

 

+ FCC Enforcement Advisory Says Blocking Personal Wi-Fi Hotspots Could be Fined

The US Federal Communications Commission (FCC) has issued an enforcement advisory, clarifying its position on Wi-Fi blocking. The advisory is in response to a recent settlement the agency reached with Marriott International. That company was fined US $600,000 for blocking guests’ personal hotspots at a resort and convention facility. The advisory says that “willful or malicious interference with Wi-Fi hotspots is illegal.”

http://www.scmagazine.com/fcc-warns-businesses-wi-fi-blocking-prohibited/article/394998/

http://www.fcc.gov/document/warning-wi-fi-blocking-prohibited

[Note : Where do you draw the line? It clearly makes sense that a hotel blocking your personal wi-fi so they can force you to pay for hotel internet is just plain wrong. But what about virtual horse racing tracks in Vegas, what about disabling cell phones when the US Presidential motorcade is driving by to prevent bombs? We need rules of the road. Was it appropriate when the San Francisco Police department jammed phones to try to prevent a protest? I surely do not know, but someone needs to establish just and fair rules of the road:

http://gawker.com/5830458/san-francisco-cops-jam-cell-phones-to-prevent-protest ]

 

+ Google Will Not Fix Flaw in Older Versions of Android OS

Google does not plan to fix a security issue in WebView in older versions of its Android operating system. The decision will affect about 60 percent of people using Android. The flaw is in the default web browser for Android 4.3 and previous versions of Android OS.

http://www.zdnet.com/article/google-why-we-wont-patch-pre-kitkat-android-webview/

http://www.cnet.com/news/google-leaves-most-android-users-exposed-to-hackers/

[Note : Here is where Google shows its consumer DNA. Android 4.3 shipped in mid-2013, which in consumer/Internet years was over 10 years ago. However, in enterprise years that is only 1.5 years ago. If enterprises want to take advantage of consumer-driven IT, they will have to invest in security mitigation to deal with the differences in enterprise products and support vs. consumer/advertising supported technology. If mechanics used tools they bought at dollar stores, they would be replacing their tools much more often than when they buy them from Snap-on…  Enterprise users of consumer software face special problems. They should have a strategy for doing so.  The strategy should include a trusted source, avoiding version dependencies, staying current, and patching as necessary. That said Android(s) is a special case.  Too many sources, too many versions, too many uses and copies.  It is not really a product, so much as a collection of related products.  These products may share vulnerabilities but may also have product specific problems. Best to treat each product rather than the class.  Consider alternatives.]

 

+ Feds Release New Guidelines To Bolster Social Media Security After CENTCOM Twitter Hack

http://www.buzzfeed.com/evanmcsan/fixing-government-social-media?s=mobile#.ywBPyDWMQK

 

+ State of Security Operations 2015 Report – HP Enterprise

http://h30499.www3.hp.com/t5/HP-Security-Products-Blog/State-of-Security-Operations-2015-Report/ba-p/6697279

 

+ Internet Society Issues Developing Cyber Security Policy Initiatives… Privacy too

http://www.circleid.com/posts/20150123_internet_society_on_developing_cyber_security_policy_initiatives/

 

—–  Internet of Things (IoT) potpourri   — 

FTC calls for strong data and privacy protection with connected devices

As consumers increasingly adopt devices that can collect information and transmit it to the Internet, the Federal Trade Commission on Tuesday called on technology companies that sell those products to institute comprehensive measures to protect users’ data security and privacy. Advancements like in-car sensors, which can record vehicle location and speed, or glucose monitors that can send information on diabetic patients to their doctors, have huge potential benefits, like reducing traffic accidents or improving public health. But the agency said the devices, which make up the so-called Internet of Things, also raise serious security and privacy risks that could undermine consumers’ confidence.

http://bits.blogs.nytimes.com/2015/01/27/f-t-c-calls-for-strong-data-and-privacy-protection-with-connected-devices/

 

FTC Publishes Report on Security and Privacy for Internet of Things

The US Federal Trade Commission (FTC) has published a report to address security for the Internet of Things (IoT). The report, “The Internet of Things: Privacy and Security in a Connected World,” provides guidance for companies that manufacture IoT devices on incorporating security and privacy into the development process.

http://www.computerworld.com/article/2876236/ftc-wants-iot-vendors-to-safeguard-privacy.html

http://www.scmagazine.com/ftc-report-looks-at-expanding-threat-of-the-iot/article/395034/

http://media.scmagazine.com/documents/103/ftc_internet_of_things_25662.pdf

[Note : Weakening of the infrastructure should go on the list of concerns with, and perhaps ahead of, “privacy” and “harm to the consumer.”  In a world in which web servers sell for a dime, our strategy should be minimal function, purpose-built, owner control, firmware rather than software, “discard and replace” in preference to exploitable manage and patch.  One does not need the capability to update the firmware on a three year old light bulb or router that can be replaced with a brighter, better, faster one for a third of its cost….]

 

HP internet of things research study

HP reviewed 10 of the most popular devices in some of the most common IoT categories – expect the five shortcomings listed below to apply to most if not all IoT devices…

http://www8.hp.com/h20195/V2/GetPDF.aspx/4AA5-4759ENW.pdf

ISSUES:

1. Privacy concerns

2. Insufficient authentication and authorization

3. Lack of transport encryption

4. Insecure Web interface

5. Insecure software and firmware

CONCLUSIONS:

1. Conduct a security review of your device and all associated components

2. Implement security standards that all devices must meet before production

3. Ensure security is a consideration throughout the product lifecycle

 

Internet of Things (IOT): Seven enterprise risks to consider

http://searchsecurity.techtarget.com/tip/Internet-of-Things-IOT-Seven-enterprise-risks-to-consider

However, despite the opportunities of IoT, there are many risks that must be contended with. Any device that can connect to the Internet has an embedded operating system deployed in its firmware. Because embedded operating systems are often not designed with security as a primary consideration, there are vulnerabilities present in virtually all of them — just look at the amount of malware that is targeting Android-based devices today. Similar threats will likely proliferate among IoT devices as they catch on.

1. Disruption and denial-of-service attacks

2. Understanding the complexity of vulnerabilities

3. IoT vulnerability management

4. Identifying, implementing security controls

5. Fulfilling the need for security analytics capabilities

6. Modular hardware and software components

7. Rapid demand in bandwidth requirement

 

FTC – IoT connected world workshop summary

http://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf

They focused on three areas of consumer harm: enabling unauthorized access (and thus misuse of PII), facilitating attacks on other systems, and creating personal safety risks. ….  Additionally this workshop discussed the FIPPs and other privacy ‘requirements’ artifacts and how ‘use-based’ approaches could help protect consumer privacy…

 

FTC Warns of the Huge Security Risks in the Internet of Things

http://www.wired.com/2015/01/ftc-warns-huge-security-risks-internet-things

70 percent of the most commonly used Internet of Things devices had serious security vulnerabilities. And this issue was a recurring theme at the Black Hat and the DEFCON hacker conferences this past year.

—  Security first (baked in first);   defense in depth (yes this is still needed);   best data practices (aka, privacy by design)

 

A Beginner’s Guide to Understanding the Internet of Things

http://recode.net/2015/01/15/a-beginners-guide-to-understanding-the-internet-of-things/?utm_source=linked&utm_medium=social

 

IoT basics – Cheat sheet for the Internet of Things

http://gcn.com/articles/2015/01/30/internet-of-things.aspx?m=1

 

On Cybersecurity for the Internet of Things

http://www.lawfareblog.com/2015/01/on-cybersecurity-for-the-internet-of-things/

 

Distributed denial-of-service (DDoS) attacks and IoT

http://krebsonsecurity.com/2015/01/the-internet-of-dangerous-things/

 

FTC ‘Internet of Things’ report ignites beltway scuffle

http://www.healthcaredive.com/news/ftc-internet-of-things-report-ignites-beltway-scuffle/358018/#.VMsWZ369BJI.linkedin

 

FTC: Build security into IoT devices at the outset, rather than as an afterthought

https://www.nccgroup.com/en/newsroom/news/2015/01/ftc-build-security-into-iot-devices-at-the-outset-rather-than-as-an-afterthought/

 

IoT / IoE: If It Has an IP Address, It Can Be Hacked

http://blog.norsecorp.com/2015/01/26/iot-ioe-if-it-has-an-ip-address-it-can-be-hacked/

++++  THREATs  / bad news stuff / etc  +++

+ Half Of Enterprises Worldwide Hit By DDoS Attacks, Report Says

New data illustrates how distributed denial-of-service (DDoS) attacks remain a popular attack weapon — and continue to evolve.  If you still think DDoS attacks are merely old-school, outdated, pain-in-the-neck disruption campaigns waged by hacktivists or script kiddies, think again: about half of all enterprises were hit with a DDoS attack last year, and most ISPs and enterprises also suffered stealthier DDoS attacks aimed at flying under the radar.    Some 90% of ISP and enterprise respondents in Arbor Networks’ 10th Annual Worldwide Infrastructure Security Report say they experienced application-layer (versus network connection-sapping) DDoS attacks, and 42% say they were hit by DDoS attacks that combined bandwidth-sapping, application-layer, and state-exhaustion methods. HTTP and DNS are the top two targets of application-layer attacks, according to the report, which was released today.

http://www.darkreading.com/perimeter/half-of-enterprises-worldwide-hit-by-ddos-attacks-report-says/d/d-id/1318824?_mc=RSS_DR_EDT
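The report’s point about application-layer attacks “flying under the radar” is that they need little bandwidth, so a volumetric threshold never fires. Below is an added example (not code from Arbor Networks or Dark Reading) of the kind of detection logic that does catch them: it reads web access-log lines and flags sources that burst many requests in a short window AND aim most of those requests at expensive, uncacheable endpoints. The log lines are constructed for the example; the endpoint list and thresholds are assumptions you would tune for your own site.

```python
"""Flag application-layer (HTTP flood) sources in a web access log.

Added example for this newsletter; not code from Arbor Networks or Dark Reading.
Unlike a bandwidth-sapping volumetric flood, an application-layer attack can
ride on modest traffic: a few sources hammer expensive, uncacheable endpoints
(search, login, report generation) at a rate no human produces. The log lines
are constructed below; the endpoint list and thresholds are assumptions to
tune for your own site.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# Common Log Format (the constructed sample lines follow this shape).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumption: endpoints that cost the back end far more than they cost the client.
EXPENSIVE_PREFIXES = ("/search", "/login", "/api/report")


def parse_line(line):
    """Return a dict for a well-formed log line, or None for junk."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def flag_http_flood(lines, window=timedelta(seconds=10),
                    min_requests=20, min_expensive_ratio=0.8):
    """Return {ip: (requests_in_busiest_window, expensive_ratio)} for sources
    that make at least min_requests inside some `window` AND send most of
    their requests to expensive endpoints. Both tests matter: a crawler is
    fast but spreads hits over cheap static paths; a person on /search is slow.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        busiest, start = 0, 0                       # sliding window over timestamps
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            busiest = max(busiest, end - start + 1)
        expensive = sum(1 for r in recs if r["path"].startswith(EXPENSIVE_PREFIXES))
        ratio = expensive / len(recs)
        if busiest >= min_requests and ratio >= min_expensive_ratio:
            flagged[ip] = (busiest, round(ratio, 2))
    return flagged


def build_sample_log():
    """Constructed sample: one flood source, one fast but harmless crawler, one human."""
    base = datetime(2015, 1, 28, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset_s, path):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 5120'

    lines = [line("203.0.113.7", i * 0.3, f"/search?q=term{i}") for i in range(30)]   # 30 req in 9 s
    lines += [line("198.51.100.9", i * 0.3, f"/static/img{i}.png") for i in range(30)]  # fast, but cheap paths
    lines += [line("192.0.2.5", t, "/search?q=widgets") for t in (0, 20, 45)]          # human pace
    lines.append("not a log line at all")                                               # junk is skipped
    return lines


if __name__ == "__main__":
    for ip, (burst, ratio) in flag_http_flood(build_sample_log()).items():
        print(f"{ip}: {burst} requests in 10 s, {ratio:.0%} to expensive endpoints")
```

On the constructed sample only the 203.0.113.7 source is flagged: the crawler bursts just as fast but hits static files, and the human searcher never reaches the request threshold. In production the same two signals (burst rate per source, share of requests to expensive handlers) are what distinguish a low-bandwidth HTTP flood from legitimate load.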

 

+ President’s plan to crack down on hacking could hurt good hackers

Last night President Obama dedicated more time to cybersecurity in a State of the Union address than any president before him. While on its face a positive sign that political leaders are taking notice of cybersecurity as a real item of pressing national concern, many within the security community believe that the president’s proposed cybersecurity legislation at best would be ineffective at curtailing black hat hacking and at worst could actually criminalize the type of research and penetration testing that vendors and enterprises depend on to harden software and hardware implementations.

http://www.darkreading.com/risk/presidents-plan-to-crack-down-on-hacking-could-hurt-good-hackers/d/d-id/1318721?_mc=RSS_DR_EDT

 

+ Will Millennials Be the Death Of Data Security?

Millennials, notoriously promiscuous with data and devices, this year will become the largest generation in the workforce. Is your security team prepared?  As the 51 million members of Generation X begin turning 50 this year and start thinking about retirement, the Millennials (also known as Generation C for “Connected”) will be entering the workforce en masse with fresh ideas, optimism…and millions of unprotected connected devices. According to Forrester Research, Generation Xers use technology strictly for convenience; they don’t consider it an integral part of day-to-day life. Millennials, on the other hand, were born in hospitals that attached digital security bracelets to them at birth, which is an apt metaphor for how they now live. Millennials, says Forrester, are digitally integrated into the world around them at all times, both personally and professionally.  What’s interesting to me about the Millennial generation is that while they are certainly tech-savvy, they have no interest in protecting their data.

http://www.darkreading.com/operations/wiil-millennials-be-the-death-of-data-security-/a/d-id/1318806?_mc=NL_DR_EDT_DR_daily_20150128&cid=NL_DR_EDT_DR_daily_20150128&elq=19db5d2f14f24f01a8528fbfdc152066&elqCampaignId=12273

 

+ White House claims good ‘cyber hygiene’

When it comes to cybersecurity, the White House tries to be as clean as it can be. President Obama and his top officials all practice good “cyber hygiene” so that their accounts and sensitive information are safe from hackers, press secretary Josh Earnest told reporters on Wednesday. Staffers are careful not to get duped by trick links, Earnest said, and officials regularly update their passwords — even on something as simple as a Twitter account. The new focus on the Obama administration’s cyber practices comes in the wake of hackers’ success gaining access to social media accounts run by the Pentagon’s Central Command.

http://thehill.com/policy/cybersecurity/230301-white-house-claims-good-cyber-hygiene

 

+ Accidental insider top threat to federal cybersecurity

Although federal agencies identify careless or untrained insiders as the top threat to federal cybersecurity, agencies continue to devote the most concern and resources to malicious external threat sources, according to IT software management company SolarWinds. In partnership with research firm Market Connections, SolarWinds conducted an online survey of 200 federal IT professionals to investigate insider threats to federal cybersecurity and gauge federal agencies’ confidence and ability to combat external and internal IT security threats.

http://www.hstoday.us/briefings/industry-news/single-article/accidental-insider-top-threat-to-federal-cybersecurity-solarwinds-finds/f1dadf6e4bb5148d2001ace4ab9e2386.html

 

+ Supposedly clean Office documents download malware

Bitdefender is warning Microsoft Office users against the emergence of a new spam campaign that is looking to trick antispam filters in order to allow spam to pass freely into mailboxes. The campaign’s success is elevated due to the attachment of what appears to be a ‘clean’ Microsoft document alongside the spam emails. “For a few days, cybercriminals have been sending targeted e-mails to management departments. The e-mails look like a tax return, a remittance or some kind of bill from a bank and carry a Microsoft Word or Excel attachment,” states Catalin Cosoi, Chief Security Strategist at Bitdefender. “If you’ve recently received an odd tax return or a similar request via email, you may not want to open the file.”

http://www.net-security.org/malware_news.php?id=2947

 

+ Bug in ultra secure BlackPhone let attackers decrypt texts, stalk users

A recently fixed vulnerability in the BlackPhone instant messaging application gave attackers the ability to decrypt messages, steal contacts, and control vital functions of the device, which is marketed as a more secure way to protect communications from government and criminal snoops. Mark Dowd, a principal consultant with Australia-based Azimuth Security, said would-be attackers needed only a user’s Silent Circle ID or phone number to remotely exploit the bug. From there, the attacker could surreptitiously decrypt and read messages, read contacts, monitor geographic locations of the phone, write code or text to the phone’s external storage, and enumerate the accounts stored on the device. He said engineers at BlackPhone designer Silent Circle fixed the underlying bug after he privately reported it to them.

http://arstechnica.com/security/2015/01/bug-in-ultra-secure-blackphone-let-attackers-decrypt-texts-stalk-users/

 

+ IG blasts secrecy on JFK IT security lapses

The Department of Homeland Security Inspector General says the Transportation Security Administration is using secrecy protections to paper over run-of-the-mill sloppy IT security practices at John F. Kennedy International Airport. Citing Sensitive Security Information (SSI), the TSA blacked out substantial portions of a report DHS Inspector General John Roth submitted on the security of JFK Airport’s IT operations. In a Jan. 16 letter to Chip Fulghum, acting undersecretary for management, Roth said TSA had overused SSI protections in making redactions in the JFK report. The IT security lapses at the airport, he said, didn’t warrant SSI classification.

http://fcw.com/articles/2015/01/26/ig-blasts-secrecy.aspx

 

+ Internet attack could shut down US gas stations

A device used to monitor the gasoline levels at refueling stations across the United States—known as an automated tank gauge or ATG—could be remotely accessed by online attackers, manipulated to cause alerts, and even set to shut down the flow of fuel, according to research to be published on Thursday. The security weakness—identified by Jack Chadowitz, a former process control engineer and founder of control-system monitoring service BostonBase—could theoretically affect the devices at many of the approximately 115,000 fueling stations in the United States, but only a small fraction of those systems—about 5,300—appear to be vulnerable to an Internet attack, according to security firm Rapid7, which conducted a scan for such devices on January 10.

http://arstechnica.com/security/2015/01/internet-attack-could-shut-down-us-gasoline-stations

 

+ Critical Java updates fix 19 vulnerabilities, disable SSL 3.0

Oracle released new security updates for Java to fix 19 vulnerabilities and disable default support for SSL 3.0, an outdated version of the secure communications protocol that is vulnerable to attacks. The updates were part of Oracle’s quarterly Critical Patch Update, released Tuesday, which fixes 169 security issues across hundreds of products. Fourteen of the 19 vulnerabilities fixed in Java affect client deployments and can be exploited from Web pages through malicious Java applets or Java Web Start applications. Four of them have the maximum severity score 10 in the Common Vulnerability Scoring System (CVSS) and two others come close, at 9.3, meaning they can lead to a full system compromise.

http://www.computerworld.com/article/2873215/critical-java-updates-fix-19-vulnerabilities-disable-ssl-30.html
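Applying the update is not the same as confirming that SSL 3.0 is off: the change lives in the jdk.tls.disabledAlgorithms property of the JRE’s lib/security/java.security, and that file is sometimes replaced by an older site copy or overridden at launch (java -Djava.security.properties=…). The following added example (not Oracle’s or Computerworld’s code) parses that properties file, including its backslash line continuations, reports whether SSLv3 is listed, and shows the weak setting beside the corrected one. Both file bodies are constructed samples, not Oracle’s shipped files.

```python
"""Check whether a JRE's java.security really disables SSL 3.0.

Added example for this newsletter; not code from Oracle or Computerworld.
The January 2015 update lists SSLv3 in the jdk.tls.disabledAlgorithms property
of the JRE's lib/security/java.security. Sites sometimes ship an older copy of
that file or override the property (java -Djava.security.properties=...), so
"patched JRE" and "SSLv3 off" are not the same check. The two file bodies
below are constructed samples, not Oracle's shipped files.
"""
import re

WEAK_JAVA_SECURITY = """\
# constructed sample: java.security from before the update
securerandom.source=file:/dev/random
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
jdk.tls.disabledAlgorithms=
"""

HARDENED_JAVA_SECURITY = """\
# constructed sample: java.security after the update (the value may wrap)
securerandom.source=file:/dev/random
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, \\
    EC keySize < 224
"""

# Matches the whole (possibly backslash-continued) jdk.tls.disabledAlgorithms definition.
PROP_RE = re.compile(r"^jdk\.tls\.disabledAlgorithms=(?:[^\n]*\\\n)*[^\n]*$", re.M)


def parse_java_security(text):
    """Parse the properties format used by java.security: '#' comments,
    key=value, and a trailing backslash that continues the value on the
    next line (the real file wraps long algorithm lists this way)."""
    props, buf = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1].strip() + " "      # value continues on the next line
            continue
        buf += line
        key, sep, value = buf.partition("=")
        if sep:
            props[key.strip()] = value.strip()
        buf = ""
    return props


def disabled_tls_algorithms(props):
    """The comma-separated jdk.tls.disabledAlgorithms entries as a list."""
    raw = props.get("jdk.tls.disabledAlgorithms", "")
    return [entry.strip() for entry in raw.split(",") if entry.strip()]


def sslv3_disabled(text):
    """True if this java.security content disables SSLv3 for JSSE."""
    return "SSLv3" in disabled_tls_algorithms(parse_java_security(text))


def ensure_sslv3_disabled(text):
    """Return the file text with SSLv3 prepended to jdk.tls.disabledAlgorithms,
    keeping existing entries; the property is appended if absent."""
    current = disabled_tls_algorithms(parse_java_security(text))
    if "SSLv3" in current:
        return text
    new_line = "jdk.tls.disabledAlgorithms=" + ", ".join(["SSLv3"] + current)
    if PROP_RE.search(text):
        return PROP_RE.sub(lambda m: new_line, text, count=1)
    return text.rstrip("\n") + "\n" + new_line + "\n"


if __name__ == "__main__":
    for name, body in (("weak", WEAK_JAVA_SECURITY), ("hardened", HARDENED_JAVA_SECURITY)):
        print(f"{name}: SSLv3 disabled = {sslv3_disabled(body)}")
    print(ensure_sslv3_disabled(WEAK_JAVA_SECURITY))
```

Point the functions at the real file (open($JAVA_HOME/lib/security/java.security).read()) for each JRE on a host; applications that override the property at runtime via Security.setProperty() are outside what a file check can see, so also review launch flags and code for those.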

 

+ New Zeus Variant Targeting Canadian Banks

A new variant of Zeus malware is targeting banks in Canada. It is spreading through exploit kits and through email claiming to be Air Canada invoices. Once it gains a foothold on a computer, the malware injects phony web pages to steal account credentials, payment card numbers, and driver’s license and Social Insurance numbers.

http://www.scmagazine.com/zeus-variant-targeting-banks-spread-by-social-engineering-exploit-kits/article/395326/

 

+ ZeroAccess Click-Fraud Botnet Back In Action Again

After a six-month hiatus, the much-diminished P2P botnet is up to its old tricks. The ZeroAccess botnet — aka Sirefef — is back in action. Fortunately, it’s operating at a smaller scale than it was a couple of years ago.

http://www.darkreading.com/zeroaccess-click-fraud-botnet-back-in-action-again/d/d-id/1318865?_mc=NL_DR_EDT_DR_daily_20150130&cid=NL_DR_EDT_DR_daily_20150130&elq=a97f9e9d65f64eb29470400a8b8a5e06&elqCampaignId=12334

 

+ ‘Ghost’ Not So Scary After All

The latest Linux vulnerability, GHOST (CVE-2015-0235, a heap buffer overflow in the glibc gethostbyname() family of functions), is serious, but some security experts say it’s not that easy to abuse and use in an attack.

http://www.darkreading.com/application-security/ghost-not-so-scary-after-all/d/d-id/1318844?_mc=NL_DR_EDT_DR_daily_20150130&cid=NL_DR_EDT_DR_daily_20150130&elq=a97f9e9d65f64eb29470400a8b8a5e06&elqCampaignId=12334

 

+ 90% of IT Professionals Worried about a Data Breach

http://www.seculert.com/blog/2015/01/90-of-it-professionals-worried-about-a-data-breach.html?utm_source=linkedin&utm_medium=social&utm_content=Oktopost-linkedin-profile&utm_campaign=Oktopost-Blog+Posts-+Jan+2015

 

+ Eight of the Worst Computer Viruses Ever to Hit the Headlines

http://www.informationsecuritybuzz.com/eight-worst-computer-viruses-ever-hit-headlines/

 

+ IT security in 2015: Insider threat will take center stage

http://m.firstpost.com/business/security-2015-insider-threat-will-take-centre-stage-2057275.html

 

+ Rtfm: Red Team Field Manual (great reference – $10)

http://www.amazon.com/Rtfm-Red-Team-Field-Manual/dp/1494295504
++++   SD/SoCAL security events / opportunities +++

+ CyberTECH events / networking / startups / etc  —  THE cyber happening place in SD!!! 

Join their Meetup Group for the latest event information!   The definition of “Cyber KEWEL”

http://www.meetup.com/cybertech/

 

FEB

2 – ISACA – 1PM – Deloitte CIO – A passion for the possible

https://www.eventbrite.com/e/deloitte-cio-a-passion-for-the-possible-tickets-15432286384

 

8-11 – NDSS Symposium 2015

http://www.internetsociety.org/events/ndss-symposium-2015

 

10-12 –  AFCEA West –  Focused on Operations in the Asia-Pacific Region

http://events.jspargo.com/West15/public/enter.aspx

19 – OWASP – 6PM  RAT Traps & Savvy Adversary Attribution

http://www.meetup.com/Open-Web-Application-Security-Project-San-Diego-OWASP-SD/events/218879077/
+++  Future events in planning  FYI:

25-26 Apr – CYBERWEST: The Southwest Cybersecurity Summit (Phoenix AZ)

http://www.afei.org/events/5A06/Pages/default.aspx

4-12 May SANS Security West 2015

http://www.sans.org/event/sans-security-west-2015

18-21 Jul  Esri National Security summit

http://www.esri.com/events/homeland

 

MAR / APR(tbd)   “BigDataDay 4 SD”  all-day event SAT – free –  Jump in and help us – speakers needed!!!

We went to the one in LA and it was great…   our three tracks will be:

(1)  Technical =  Hadoop / Hbase / NoSQL;

(2)  Data science = predictive analytics, parallel algorithms, statistical modeling, algorithms for data mining, etc and

(3)  Applications =  key use cases…  Privacy by Design / data security,  data start-ups / incubators, novel products,

Contact me to join in…  introduction email and agenda at:

http://www.sciap.org/blog1/?page_id=1256

TBD – Privacy by design workshop – a cyber model  – Provided by IEEE Cyber SIG / Various Security groups – all day  & why you must be part of this initiative!  (at Coleman University –  AM Technical approach… PM public discussions)     Help move SD forward in cyber –  DOING security vs admiring the problem…. SO engage and help out on cyber 4 PbD!!!

+++  Join our PbD / data security meetup, stay tuned to what’s happening..

http://www.meetup.com/San-Diego-Privacy-by-Design-Data-Security-Meetup/

See our Cyber for PbD overview brief at

http://www.sciap.org/blog1/wp-content/uploads/Privacy-PAYS-cyber-message.pdf

AND Our more detailed technical paper on our Cyber 4 PbD approach, including an executable, proposed open privacy framework within an enterprise architecture is at (this rough draft was  published in a major IEEE magazine this month):

http://www.sciap.org/blog1/wp-content/uploads/Cyber-4-PbD_IEEE-CE-mag-article.pdf

 
