Welcome to Cyber News Tidbits 4U!

Here are updated news compilations from the Cyber Security Community

Topic headers (+++):

1 – Security news you can likely use (re: management / opportunity items)

2 – Other items of general FYI / FYSA level interest

3 – Threats / bad news stuff / etc.. 


4 – SD/SoCAL items of interest / opportunities   (send me your SD meetings!) 

A couple of Highlights (items of potentially notable interest / high utility & value… your mileage will vary)

(Lots happening, so LOTs to be aware of. Takes 5 min to skim… then pick out a topic or two.)

(some great topics / meetings here in SD… scroll to the bottom and get engaged)

March 23

+ How to stay “cyber safe” guide – effectively protect yourself and clients!

Integrating several existing security guides with very useful information, these current best practices help you build a known baseline. Use only approved (NIAP-validated) cyber products and never start anything in cyber from scratch, as someone has already done the hard work. These guides, methods and products work well because the fundamentals of cyber hygiene are essentially the same everywhere! They are your security best practices and apply equally to remote office workers, small office / home office (SOHO) and small & medium businesses (SMB), since being cyber safe is universal! This cyber safe guide has two parts: a short, bulleted key-takeaways section for those who want a quick look, and then targeted key reference materials with detailed rationale and recommendations to develop your own personal security plan! Comments and challenges always welcome!



+ Cyber commander wants more offense

The nation’s top cyber official wants more offensive capabilities. “We focused primarily on the defensive piece initially … but I think now we’re at a tipping point,” where more attention needs to be paid to offensive capabilities, U.S. Cyber Command commander Adm. Michael Rogers told a Senate Armed Services Committee hearing March 19. The U.S. needs “to think about how can we increase our capacity on the offensive side,” said Rogers, who is also National Security Agency director. (I guess they think they can be better at “attribution” than the FBI / CIA???)



+ Can HP’s ‘security-as-a-service’ product change how agencies secure apps?

HP bills its latest security software offering to government customers as the first cloud-based “security software-as-a-service” solution to meet requirements under the Federal Risk and Authorization Management Program. In truth, HP’s latest offering, HP Fortify on Demand, is unique among FedRAMP’s growing list of compliant solutions. Government customers can use Fortify to perform security assessments of new or existing application code, websites, and end-to-end mobile app security testing through the cloud, an important feature given that research cited by HP contends that 70 percent of data breaches now occur through software – not network – vulnerabilities.



+ Most companies expect to be hacked in the next 12 months

Enterprises are getting hacked regularly, and over and over again: last year, more than 70% of organizations say they suffered a successful cyberattack, with 22% of them hit six or more times. That first-hand experience apparently provides the backdrop for a drop in confidence, too:  most security professionals don’t believe they can stop attacks on their organizations anymore. Some 52% of security professionals surveyed in a new report from CyberEdge Group say their organizations will likely be successfully hacked in the next 12 months. That’s an increase over 2013, when 39% were resigned to getting hacked, the report says.



+ Make hackers’ jobs harder – JOB ONE?

It is nearly impossible to participate in modern society without entrusting your most sensitive personal information to countless Internet-based systems. At the same time, even the most well-resourced organizations are being hammered by sophisticated digital attacks, making it difficult to trust that any of these systems will keep our information safe. So the question debated at the highest levels of government, and by dozens of industries, thousands of companies, and millions of consumers, is: How can you keep your personal information secure while continuing to participate in a society powered by the extensive sharing of personal information? However, that’s probably not the question we should be asking.



+ House budget silent on cybersecurity

Cybersecurity received no mention in the House Republican budget released Tuesday, a stark contrast with President Obama’s spending proposal, which increased funding for cyber defenses by $14 billion. The House GOP seeks to balance the budget in nine years and cut $5.5 trillion in projected government spending over the next decade. It would also provide an additional $90 billion in war funding while keeping the 2011 spending limits in place. Some of the $90 billion could be used for cybersecurity activities, though it is technically earmarked for the overseas contingency operations (OCO) fund, an account that has been used to finance the Iraq and Afghanistan wars.



+ OPM orchestrates cyber protections through automation

The Office of Personnel Management is pushing the bounds of cybersecurity. It’s moving from the idea of defense in-depth or even the popular continuous monitoring to a concept called orchestration. Jeff Wagner, OPM’s director of IT security, said orchestration isn’t just about protecting network or systems, but understanding in real time what’s happening and who is on your IT infrastructure, and then being able to react to any potential or real problem immediately. “We’ve changed our perspective about how cybersecurity works. It’s not that defense in-depth is dead. I’ll never take away from doing defense in-depth or FISMA audits or controls of that nature, but audit by visibility is what we call it,”



+ ICS-CERT – Incident response / vulnerability coordination in 2014

FYI… great report. It’s a good source for factual cyber info (as are Ponemon’s surveys and Verizon’s DBIR).

BTW… Verizon put out a great report on PCI compliance too..



+ Committee Approves Request to Expand Judge’s Warrant Authority for Digital Searches

The US Judicial Conference Advisory Committee on Criminal Rules voted 11-1 to modify a provision known as Rule 41 to give judges more flexibility in how they approve search warrants for electronic data. Under the current rule, judges may approve warrants only within the geographic boundaries of their districts. The amendment would let them approve warrants for remote electronic searches of devices that are not physically within their judicial districts.



+ U.S. State Department Email Goes Dark, Again

Only 120 days after taking its email system offline to clean up after a cyber attack, the U.S. State Department took its email system offline again to clean up after another, even more virulent cyber attack.

[Note : If Tony Blinken (State Department Deputy Secretary) wants to do more than give lip service to cybersecurity at his Department, he should have his CIO run iPOST again and see how far the individual divisions and embassy security status degraded since the State Department IT security folks decided they didn’t actually need to monitor and mitigate vulnerabilities every day (when John Streufert left for DHS).  The State Department used to be the model for effective mitigation and cyber hygiene.  It can easily get back on top of its game; it has the tools in place. Does it have the leadership???]



+ FCC Telecom cyber plan – great report (all 415 pages!!!) (even if communications-focused)

Key sections: V. Findings (pg 24), VI. Conclusions (pg 25), VII. Recommendations (pg 30).

There are lots of details (and a LOT of cable / telecom specifics, of course). Also worth reading:

9.6 Requirements and barriers, 9.7 Cyber ecosystem and barriers, 9.9 Small business, 9.10 Top cyber threats and vectors.



+ $10 million settlement with consumers a ‘good deal’ for Target, insurers

According to court documents, Target Corp and consumers have agreed on a $10 million settlement to end a class-action lawsuit filed after an enormous data breach during the 2013 holiday shopping season. Individuals who can prove financial damage can receive up to $10,000 under the proposed deal.



+ Ex-NSA director: China has hacked ‘every major corporation’ in U.S.

“The Chinese government — seeking to steal valuable secrets — has hacked into the computers at every major American company, according to the nation’s former spy director. Mike McConnell, who served as director of national intelligence under President George W. Bush,



+ Aon Corp.: This is how much big data breaches cost companies

Globally, 80 percent of business-related privacy and security breaches result in less than $1 million in direct costs and damages, according to Aon’s data. Those costs include legal expenses and legal settlements, business interruption costs, investigating and remediating problems, as well as possibly paying for crisis communications and other specialized services.



+ 10 Young Cyber-Security Companies to Watch in 2015



+ The Military’s Cybersecurity Budget in 4 Charts



+ Malware Analysis and Incident Response for the Lazy | great resources / sites!

Nice list of analysis sites and tools. You probably have some of these already, but it is a pretty good site to check out!



+ Cyber Intel for D & O’s….



+ Premera hack: What criminals can do with your healthcare data



+ 700,000 routers ISPs gave to their customers are vulnerable to hacking



+ Ransomware Attacks’ New Focus: Businesses



+ Cybersecurity Efforts Turn Focus to Financial Institutions, Service Providers and “Cyber Resilience”



+ Obama unveils cyber training initiative   .. AND… white house education fact sheet





2  +++++++


+ China reveals its cyberwar secrets

A high-level Chinese military organization has for the first time formally acknowledged that the country’s military and its intelligence community have specialized units for waging war on computer networks. China’s hacking exploits, particularly those aimed at stealing trade secrets from U.S. companies, have been well known for years, and a source of constant tension between Washington and Beijing. But Chinese officials have routinely dismissed allegations that they spy on American corporations or have the ability to damage critical infrastructure, such as electrical power grids and gas pipelines, via cyber attacks. Now it appears that China has dropped the charade.



+ Healthcare breaches like Premera first stage of bigger attacks?

This week brought news of three more healthcare data breaches, one of which left the personal data of 11 million individuals exposed. The incidents raise more questions about why China-based cyberespionage groups have taken a shine to American healthcare data and what plans they have for it. While shining harsh light on the deep cracks in the healthcare industry’s security, the recent events also highlight the potential success of information sharing.



+ Congress looks for interagency coordination on drones

Lawmakers are calling on the Department of Homeland Security to produce a comprehensive strategy to combat the potential threat of domestic drones. Citing the January crash on the White House South Lawn, members of the House Homeland Security Subcommittee on Oversight and Management Efficiency called for a better understanding of the threat environment and remedial technologies. Through its Science and Technology Directorate, DHS has been assessing unmanned aerial systems’ applicability to law enforcement, but “much more needs to be done to safeguard against malicious actors” that use the technology, Subcommittee Chairman Scott Perry (R-Pa.) said at a March 18 hearing. DHS “needs a cohesive strategy to address these issues.”



+ Internet Explorer, we hardly knew you (Spartan version to follow)

After 20 years, Internet Explorer is riding off into the sunset. And all most of us can say is: it’s about time. This wasn’t exactly a surprise. Internet Explorer is the Nickelback of Web browsers, and already fading into oblivion. Microsoft had previously said that it was working on a new “Project Spartan” browser when it first showed off Windows 10. Spartan will include Microsoft’s Cortana voice assistant and the ability to annotate Web pages with a keyboard or digital pen. It will also have a simplified reading mode for Web articles. But, really, the important thing is that Internet Explorer will no longer be the default browser on Windows machines.



+ OMB proposes new approach to guarantee federal website authenticity

The Office of Management and Budget wants to know what it would take to make every federal public website more secure and to ensure its validity for citizens and businesses. In a draft proposal released today, the White House seeks input from public and private sector experts on how best to implement HTTPS (HTTP over TLS) across federal sites. “HTTPS verifies the identity of a website or Web service for a connecting client, and encrypts nearly all information sent between the website or service and the user. Protected information includes cookies, user agent details, URL paths, form submissions, and query string parameters. HTTPS is designed to prevent this information from being read or changed while in transit,” OMB wrote in its request for comments.



+ Yahoo’s one-time passwords have security experts divided

Yahoo yesterday announced that in lieu of a standard username-password combination, Yahoo users in the US could log into their accounts with one-time passwords sent to their mobile phones via SMS message. Yahoo calls them “on-demand passwords,” texted to your mobile phone when you need them. To be clear, Yahoo is not proposing on-demand passwords as a second factor of authentication, but rather as an alternative to the traditional username-password combo. It is really just replacing a “something you know” with a “something you have” (the phone number), so the account becomes exactly as strong as the carrier’s defenses against SIM swapping and SMS interception. Yahoo already offers two-factor authentication, but for now it cannot be combined with on-demand passwords: users will need to choose between the two options.
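What the server side of such a scheme has to get right is not the SMS but the bookkeeping around the code: short life, single use, a hard cap on guesses and a constant-time comparison. The following is an added illustration of those four properties (example code, not Yahoo’s implementation); the code length, validity window, attempt budget, SMS gateway callable and the phone number in the demo are all assumptions or constructed values.

```python
import hmac
import secrets
import time

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # no 0/O/1/I: codes get read off a phone screen
CODE_LEN = 8            # assumption; the article does not give Yahoo's format
TTL_SECONDS = 300       # assumption: five-minute validity window
MAX_ATTEMPTS = 3        # assumption: guesses allowed per issued code


class OnDemandPasswords:
    """Server side of an SMS 'on-demand password' login (illustrative)."""

    def __init__(self, send_sms, now=time.time):
        self.send_sms = send_sms                # callable(phone, message); gateway is an assumption
        self.now = now                          # injectable clock so expiry can be tested
        self.key = secrets.token_bytes(32)      # HMAC key: stored digests cannot be turned back into codes
        self._pending = {}                      # user -> (digest, expires_at, attempts_left)

    def _digest(self, code):
        return hmac.new(self.key, code.encode(), "sha256").digest()

    def issue(self, user, phone):
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        # Re-issuing replaces any earlier code: only one live code per user.
        self._pending[user] = (self._digest(code), self.now() + TTL_SECONDS, MAX_ATTEMPTS)
        self.send_sms(phone, "Your sign-in code is " + code)

    def verify(self, user, code):
        rec = self._pending.get(user)
        if rec is None:
            return False                        # nothing issued, or already consumed
        digest, expires_at, attempts_left = rec
        if self.now() > expires_at or attempts_left <= 0:
            del self._pending[user]             # expired or guess budget spent: burn it
            return False
        ok = hmac.compare_digest(digest, self._digest(code.strip().upper()))
        if ok:
            del self._pending[user]             # single use: a replay of the same code fails
        else:
            self._pending[user] = (digest, expires_at, attempts_left - 1)
        return ok


def demo():
    """Constructed scenario with a fake clock and a fake SMS gateway."""
    sent, clock = [], [1_000_000.0]
    svc = OnDemandPasswords(send_sms=lambda phone, msg: sent.append(msg),
                            now=lambda: clock[0])
    phone = "+1 555 0100"                       # constructed, not a real number

    def last_code():
        return sent[-1].split()[-1]

    out = {}
    svc.issue("alice", phone)
    out["wrong"] = svc.verify("alice", "00000000")        # '0' is not in ALPHABET, so never valid
    out["right"] = svc.verify("alice", last_code())
    out["replay"] = svc.verify("alice", last_code())      # same code again: single use
    svc.issue("alice", phone)
    clock[0] += TTL_SECONDS + 1
    out["expired"] = svc.verify("alice", last_code())     # right code, too late
    svc.issue("alice", phone)
    for _ in range(MAX_ATTEMPTS):
        svc.verify("alice", "00000000")
    out["locked"] = svc.verify("alice", last_code())      # right code, budget spent
    return out


if __name__ == "__main__":
    print(demo())
```

Per-user rate limiting of `issue()` itself (so an attacker cannot turn the login form into an SMS cannon) is the other control a deployment needs; it is left out here to keep the example focused.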



+ Senate Select Committee on Intelligence advances cybersecurity information-sharing bill

The Senate Select Committee on Intelligence advanced the bill by a vote of 14-1. The bill is Congress’ latest attempt to find a way to give private-sector network operators liability protection when they share cyberthreat information with government. The Cybersecurity Information Sharing Act of 2015 was marked up and amendments added during a closed session of the committee, but it’s not clear yet how the bill passed in committee measures up with the discussion drafts. According to the committee, the bill gives the private sector incentives to cooperate with governmental cyber defenders via a portal set up by the Department of Homeland Security.



+ Windows 10 Will be Free Upgrade, and Will Support Biometric Authentication

Windows 10, which is expected to be available later this year, will be offered as a free upgrade to users running Windows 7, 8, and 8.1, even if the versions currently being run are pirated. Windows 10 will also support biometric authentication. Users will be able to authenticate with fingerprints and iris and facial scans. Users may opt in to the feature, known as “Windows Hello.”

[Note: The biggest barrier to moving beyond reusable passwords has not really been user resistance to the idea, it has been the lack of “readers” built into the devices (like PCs, phones, tablets) that they use. Being forced into YATC (Yet Another Thing to Carry) like a SecurID card or an enormous Smart Card *and* a reader has been and always will be a deal killer. But all major mobile platforms support text messaging as a second factor *and* various forms of biometrics; users are starting to find their own value in moving beyond just a password. This does not solve the federated identity problem by any means, but can significantly raise the barrier against phishing…]



+ Cybercom Chief: Cyber Threats Blur Roles, Relationships

Over five years of U.S. Cyber Command operations, global movement of threat activity through cyberspace has blurred roles and relationships among government agencies, as well as between the public and private sectors and the real and virtual worlds, the Cybercom commander told a House panel. Cybercom’s Cyber Mission Force, or CMF, was formed to turn strategy and plans into operational outcomes, the admiral said. He added, “We have a target of about 6,200 personnel in 133 teams, with the majority achieving at least initial operational capability by the end of fiscal year 2016.”



+ Make FedRAMP Work for Your Agency

Decent FedRAMP overview, with some hints we might be able to use… (plus “ads” to ignore ;-((



+ Rush To Release Resulting In Vulnerable Mobile Apps

IT organizations overlooking security in their haste to crank out mobile apps, Ponemon Institute report finds. To me, the one number that sticks out is the 40 percent of companies that are not scanning their mobile applications for vulnerabilities



+ Hacker steals protected health data on 151,000 patients at Oregon dentist

Advantage Dental said the hacker was able to gain access to the database through a malware-infected computer. The hacker stole patients’ names, dates of birth, phone numbers, Social Security numbers and home addresses, but not treatment, payment or other financial data… *** an SMB loses SSNs and PII *** so can your business!!!



+ Revisiting the Navy’s blueprint for cyber operations

Operation Rolling Tide, which drove Iranian hackers from the Navy Marine Corps Intranet, could have a lasting impact on the Pentagon’s approach to cyber.



+ Center for Internet Security – Benchmarks – well-reviewed secure configuration baselines (per OS / application)




+ Is Mobile Device Spying Revealing Your Company’s Secrets?



+ Do you know where your data is?



+ New model of cybercrime factors in perishability of stolen data



+ Cybersecurity wake-up call… “PCI compliance – NOT!”





3  +++++++



+ TeslaCrypt Targets Numerous File Types, Including Gaming Files

Ransomware is now targeting online gamers. Malware known as TeslaCrypt targets more than 50 game-related files extensions and holds them for ransom. It also targets documents, pictures, and iTunes files.

Virlock ransomware not only locks the screen of devices, but also infects files on the devices. Virlock is polymorphic, meaning that it alters its code each time it runs so it is more difficult for security software to detect.

[Note: Users are reminded that “ransomware” will attack ANY data that is writable through the file system. This includes attached backup drives, mapped network shares and cloud storage folders that are synced to the local disk; a backup is only a backup if the infected account cannot reach and overwrite it.]


+ The bot threat for the rest of us: Application-layer attacks

DDoS, as we all know, garners unprecedented media attention, and the volume of coverage correlates directly with the size of the attack: the larger, the better. But DDoS attacks are only one manifestation of sophisticated bot attacks that can scrape information, fraudulently fill out forms, and otherwise erode the overall website experience. What is often overlooked by the media are the application-layer bot attacks affecting almost every website on a daily basis. These bots are capable of competitive data mining, account hijacking, and so much more. They degrade site availability and user experience, and steal competitive information. They often work under the surface, degrading a company’s brand trust, completely undetected.
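The two behaviours the article names, form stuffing and scraping, leave a recognisable shape in ordinary web server logs even when no single request looks malicious. The following is an added example of that detection logic (illustrative code, not from the article or any vendor): it parses combined-format access log lines and flags a client that posts to form endpoints at machine speed inside any 60-second window, or that walks a numeric resource space in strict sequence. The log lines, IP addresses (RFC 5737 documentation ranges) and URL paths are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return d


def longest_consecutive_run(seq):
    """Length of the longest run of ids where each is the previous one plus 1."""
    best = cur = 1 if seq else 0
    for a, b in zip(seq, seq[1:]):
        cur = cur + 1 if b == a + 1 else 1
        best = max(best, cur)
    return best


def analyze(lines, form_paths=("/login", "/signup"), max_posts_per_min=5, max_seq_run=20):
    """Return {ip: [reasons]} for clients whose behaviour looks automated.
    Thresholds are assumptions; tune them to the site's real traffic."""
    posts = defaultdict(list)          # ip -> timestamps of POSTs to form endpoints
    ids = defaultdict(list)            # ip -> numeric ids requested under /product/, in order
    flagged = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if e["method"] == "POST" and e["path"] in form_paths:
            posts[e["ip"]].append(e["ts"])
        m = re.match(r"/product/(\d+)$", e["path"])
        if m:
            ids[e["ip"]].append(int(m.group(1)))
    for ip, ts in posts.items():
        ts.sort()
        j = 0                          # sliding window over sorted timestamps
        for i in range(len(ts)):
            while (ts[i] - ts[j]).total_seconds() > 60:
                j += 1
            if i - j + 1 > max_posts_per_min:
                flagged[ip].append("form-stuffing: more than %d POSTs/min to form endpoints"
                                   % max_posts_per_min)
                break
    for ip, seq in ids.items():
        run = longest_consecutive_run(seq)
        if run >= max_seq_run:
            flagged[ip].append("scraping: %d consecutive product ids" % run)
    return dict(flagged)


def _log(ip, method, path, t, ua="Mozilla/5.0"):
    """Build one constructed combined-format line."""
    return '%s - - [%s] "%s %s HTTP/1.1" 200 512 "-" "%s"' % (ip, t, method, path, ua)


# Constructed sample log: a scraper, a form stuffer and one ordinary visitor.
SAMPLE_LOG = (
    [_log("203.0.113.7", "GET", "/product/%d" % n, "23/Mar/2015:10:00:%02d +0000" % (n % 60))
     for n in range(100, 130)]
    + [_log("198.51.100.9", "POST", "/login", "23/Mar/2015:10:01:%02d +0000" % (i * 3))
       for i in range(8)]
    + [_log("192.0.2.5", "GET", "/product/101", "23/Mar/2015:10:02:00 +0000"),
       _log("192.0.2.5", "POST", "/login", "23/Mar/2015:10:02:10 +0000")]
)

if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG).items():
        print(ip, reasons)
```

Both heuristics are deliberately per-client; a bot spread across many source addresses needs the same logic keyed on something else (session, account, fingerprint), which is exactly why such traffic goes unnoticed when only volume is watched.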



+ Hackers breaking new ground with ransomware

The enormous success which hackers have had extracting millions of dollars from individuals and businesses using ransomware appears to be driving more sophisticated tools and tactics from them. This week researchers sounded the alert on two recent ransomware families that break ground in different ways. One of them dubbed Virlock is noteworthy because it not only locks the screen of compromised systems like other ransomware, but also infects files on the device. First noticed by security firm ESET in December, Virlock is also polymorphic, meaning the code changes every time it runs making it hard to detect using standard malware detection tools.



+ HTTPS-crippling FREAK attacks become cheaper and easier to carry out

There’s more bad news surrounding the HTTPS-crippling FREAK vulnerability that came to light two weeks ago. A recently completed scan of the Internet revealed 10 percent of servers that support the underlying transport layer security protocol remain susceptible. Even worse, many of these laggards contain an additional weakness that drastically drives down exploitation costs, in the most extreme cases to just pennies per server. As Ars reported almost two weeks ago, so-called FREAK attacks—short for Factoring attack on RSA-EXPORT Keys—are possible when a vulnerable client connects to an HTTPS server that still accepts the old RSA_EXPORT cipher suites: a man-in-the-middle can then downgrade the handshake to a 512-bit RSA key, which is cheap to factor.

AND hundreds of Android and iOS apps are still vulnerable to the FREAK attack revealed two weeks ago, which can compromise encrypted data, a security vendor said Tuesday. The unpatched apps, which were not identified, are in categories including finance, communication, shopping, business and medicine, computer security company
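The way the Internet-wide scans above decide whether a server is “still susceptible” is simple to reproduce: offer the server nothing but RSA_EXPORT cipher suites and see whether it completes the handshake. The following is an added example (not the researchers’ scanner or Ars’ code) that builds such a TLS 1.0 ClientHello, parses the reply, and reports which export suite, if any, the server accepted; a properly configured server answers with a fatal handshake_failure alert instead. The cipher suite code points are the standard TLS values; the two sample replies are constructed bytes, not captures from any real server, and only `probe()` touches the network.

```python
import os
import socket
import struct

# The 512-bit RSA_EXPORT suites FREAK abuses (standard TLS code points).
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def build_client_hello(suites, version=(3, 1)):
    """TLS ClientHello record offering only `suites` (no extensions, no SNI)."""
    body = bytes(version)                               # client_version
    body += os.urandom(32)                              # random
    body += b"\x00"                                     # empty session_id
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(cs)) + cs             # cipher_suites
    body += b"\x01\x00"                                 # compression_methods: null only
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = client_hello, 24-bit length
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs


def negotiated_suite(data):
    """Cipher suite chosen in a ServerHello, or None if the server sent an alert
    (record type 0x15) or anything else instead."""
    if len(data) < 5 or data[0] != 0x16:                # 0x16 = handshake record
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x02:                    # type 2 = server_hello
        return None
    p = 4 + 2 + 32                                      # skip header, server_version, random
    if len(hs) < p + 1:
        return None
    p += 1 + hs[p]                                      # skip session_id
    if len(hs) < p + 2:
        return None
    return struct.unpack("!H", hs[p:p + 2])[0]


def export_suite_accepted(response):
    """Name of the accepted RSA_EXPORT suite (server is FREAK-exposed), else None."""
    suite = negotiated_suite(response)
    return RSA_EXPORT_SUITES.get(suite) if suite is not None else None


def probe(host, port=443, timeout=5):
    """Live check: offer only export suites and read the first reply record."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(sorted(RSA_EXPORT_SUITES)))
        return export_suite_accepted(s.recv(4096))


# Constructed sample replies (not captured from any real server).
# A ServerHello selecting TLS_RSA_EXPORT_WITH_RC4_40_MD5: body is version(2) +
# random(32) + session_id_len(1) + cipher_suite(2) + compression(1) = 38 bytes.
VULNERABLE_REPLY = (b"\x16\x03\x01" + struct.pack("!H", 42)
                    + b"\x02" + b"\x00\x00\x26"
                    + b"\x03\x01" + b"\x00" * 32 + b"\x00" + b"\x00\x03" + b"\x00")
# A fatal handshake_failure alert (level 2, description 40): the correct answer.
SAFE_REPLY = b"\x15\x03\x01\x00\x02\x02\x28"

if __name__ == "__main__":
    print("constructed vulnerable reply ->", export_suite_accepted(VULNERABLE_REPLY))
    print("constructed safe reply      ->", export_suite_accepted(SAFE_REPLY))
```

A server that accepts the offer is exposed regardless of what its preferred suites are, because the attack works on the client’s side of the downgrade; the fix is to remove every EXPORT suite from the server configuration, not to reorder them.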



+ Premera, Anthem data breaches linked by similar hacking tactics

Premera Blue Cross may have been attacked using the same methods employed against its fellow health insurer Anthem, suggesting that a single group may be behind both breaches. Customer data, including bank account and clinical data going back to 2002, may have been compromised in the attack, affecting 11 million people, Premera said Tuesday. It is the largest breach to affect the healthcare industry since Anthem disclosed last month that upwards of 78.4 million records were at risk after hackers accessed one of its databases. Several computer security companies have published data that points to a China-based group known as Deep Panda as a possible source for Anthem’s breach.



+ Google researchers hack computers using DRAM electrical leaks

Google researchers have written the first-ever attack code that takes advantage of electrical interference between densely packed memory cells, a unique style of attack that could require changes in chip design. The work builds on a paper published last year by Carnegie Mellon University (CMU) and Intel, which found it was possible to change binary values in stored memory by repeatedly accessing nearby memory cells, a process called “bit flipping.” DRAM memory is vulnerable to such electrical interference because the cells are so closely packed together, a result of engineers increasing a chip’s memory capacity.



+ Hacker Finds a Simple Way to Fool IRIS Biometric Security Systems

Biometric security systems that rely on a person’s unique physical identifiers, such as retina, iris, fingerprint or DNA, are still evolving to change our lives for the better, even though biometric scanning technology still raises many concerns, such as information privacy and physical privacy.



+ Symantec Research Highlights Security Failures in the Connected Home

Research analyzing today’s smart home devices has revealed disturbing security implications for consumers.



+ Navy’s maritime strategy puts emphasis on ‘all domain access’

The document, updated from 2007, stresses the importance of cyberspace and the electromagnetic spectrum in national security



+ All major browsers have been hacked



+ IoT security is still a pipe dream





+++ SD/SoCAL security events / opportunities +++


+ CyberTECH events / networking / startups / etc  —  THE cyber happening place in SD!!! 

Join their Meetup Group for the latest event information! The definition of “Cyber KEWEL”





25  –  ISC2 –  6PM (Now meeting the 4th Wed)   “Hackersponders”  by Rusty Sailors  CEO of LP3

Location – BAH (Suite 200, 4055 Hancock Street, San Diego, CA 92110 USA).


26  – ISSA – 11:30AM –   Who’s “Really” Accessing Your Privileged Accounts? Reducing Advanced Persistent Threat (APT’s) Exposure by Protecting Privileged Accounts..  Evan Litwak, CyberArk  (at ADM Baker)

30  – ISACA –   11:30 AM    As a New CISO – How to assess your Security Program for Success. Gary Hayslip.  SD City CISO. (at Coleman University)





16 – OWASP –  6PM –   (3rd Thur)  Gabriel Lawrence =  Who’s that knocking on my door?






