Welcome to Cyber News Tidbits 4U!

Here are updated news compilations from the Cyber Security Community

Topic headers (+++):

1 – Security news you can likely use (re: management / opportunity items)

2 – Other items of general FYI / FYSA level interest

3 – Threats / bad news stuff / etc.

4 – SD/SoCAL items of interest / opportunities (send me your SD meetings!)

A couple of Highlights (a couple of items of potentially notable interest / high utility & value… your mileage will vary…)

(Lots happening, so LOTs to be aware of. Takes 5 min to skim… then pick out a topic or two.)

(Some great topics / meetings here in SD… scroll to bottom and get engaged.)

MAY 31

+ IRS gets hacked: 100,000+ stolen tax returns

Hackers stole personal information from 104,000 taxpayers, IRS says. Hackers gained access to personal information of 104,000 taxpayers this spring through an online service the Internal Revenue Service uses to give Americans access to their past tax returns, the agency said Tuesday. The information included several years’ worth of returns and other tax information on file with the IRS, Commissioner John Koskinen said in a press conference. The thieves hacked into a system called “Get Transcript,” clearing a security screen that requires users to know the taxpayer’s Social Security number, date of birth, address and tax filing status. Those who successfully downloaded the transcripts gained access to information from prior years’ tax returns that could be used to file fraudulent tax returns that more closely resemble those of legitimate taxpayers, officials said. Koskinen said the system, which has temporarily been shut down, was targeted from February through mid-May.

Sources said to be close to the investigation tell reporters the attack has been traced to Russia. What’s not as tentative is the conclusion about how the attackers got in: they used stolen personal information to bypass security protections. Thus the attack itself (if not its roots in the criminal market) was decidedly low tech. It was also decidedly the kind of attack any number of other agencies might suffer using minimal technical skill, according to experts.

Hackers who harvested US taxpayers’ personal data using data from previous breaches were targeting high-value personal data.


+ Cost of data breaches increasing to average of $3.8 million

The cost of data breaches is rising for companies around the world as sophisticated thieves target valuable financial and medical records, according to a study released on Wednesday. The total average cost of a data breach is now $3.8 million, up from $3.5 million a year ago, according to a study by data security research organization Ponemon Institute, paid for by International Business Machines Corp. The direct costs include hiring experts to fix the breach, investigating the cause, setting up hotlines for customers and offering credit monitoring for victims. Business lost because customers are wary after a breach can be even greater, the study said.

Really – this site says $6.5M… (Ponemon Study). Still, it’s a LOT.


+ ISA presses for data to shape cyber security policy, encourages use of NIST framework

The Internet Security Alliance on Monday encouraged the Department of Commerce to work with private sector organizations to determine what’s needed in terms of cost-effectiveness, incentives and prioritization to stimulate use of the NIST Framework. Developed in response to a 2013 Executive Order from President Obama, the NIST Framework for Improving Critical Infrastructure Cybersecurity was released in February 2014. Yet 15 months after the unveiling, ISA President Larry Clinton said in a Tuesday email correspondence that “there has been no systematic work to provide the supports for Framework use that were also called for in the President’s Order.”


+ Global initiative ‘Securing Smart Cities’ launches

IOActive, Kaspersky Lab and the Cloud Security Alliance are among a group of security organizations supporting a new initiative that tackles “existing and future cybersecurity problems of smart cities” through public and private sector collaboration. The effort, “Securing Smart Cities,” aims to connect the security community with other key players in the critical infrastructure ecosystem, like city planners and authorities and vendors, in order to educate the public on security best practices and create standards and guidelines to improve the security of smart cities, a Tuesday release said.


+ NSA chief urges ‘safe’ Internet under equivalent of Law of the Sea

The U.S. National Security Agency chief called on Wednesday for an “open, reliable and safe” Internet governed by international rules akin to the Law of the Sea, while deflecting critics who say NSA spying has undermined public trust in the cyberworld. Admiral Michael Rogers spoke a few days after the U.S. Senate rejected a bill to extend spy agencies’ bulk collection of Americans’ telephone records, putting the program in doubt shortly before its expiry on June 1. Addressing a cyberwarfare conference in Estonia, Rogers adopted the diplomatic language of a grassroots online governance activist, hailing the Internet’s openness and value as a shared, public good.


+ Countries pick sides in global fight for the Internet

The world is choosing sides in a fight over what the Internet will look like in the years to come. In recent months, countries have rushed to sign cybersecurity pacts that not only secure cyberspace allies, but also promote their vision of the global Internet.  “It’s kind of indicating how the battle lines are being drawn,” said Richard Stiennon, chief research analyst for security consulting firm IT-Harvest. While a coalition of nations, including the U.S., is pushing to turn the Internet into a borderless global entity, others such as Russia and China are pressing to give local governments more control over the flow of data.


+ FCC prepares to become the Internet’s privacy cop

The Federal Communications Commission is warning Internet providers to get in line as it prepares to enforce new privacy regulations. The agency issued an “enforcement advisory” Wednesday, outlining for the first time how it plans to decide whether to crack down on a company for violating its customers’ privacy. But the statement offers few specifics, leading critics to warn that the agency is claiming expansive new regulatory powers. Internet providers, the FCC said, should take “reasonable, good faith steps” to protect customer information. That means that Internet providers should comply with their own privacy policies and the “core tenets of basic privacy protections,” the agency said, adding that companies should reach out to it for advice on whether specific practices would violate the rules.


+ DOJ releases privacy policy for US drones

The Justice Department on Friday released guidelines that would explicitly bar the agency from using drones solely to monitor activity protected by the First Amendment, like peaceful protests. The department issued five pages of policy guidelines dealing with privacy and civil liberties protections when conducting drone flights. It also outlined transparency requirements. “Department personnel may never use UAS solely for the purpose of monitoring activities protected by the First Amendment or the lawful exercise of other rights secured by the Constitution and laws of the United States,” according to the policy guidance.

+ San Diego NDIA Small Business Cyber event – actionable info!!!

The event went well – 80 or so folks attended – a LOT of actionable info provided. The link to all the briefs in the agenda is here (including how to comply with the DFAR UCI mandate, and also the CISO Fundamentals / Cyber Security Tenets, and Small Business Cyber guide):


+ 7 Cyber Threats That Will Keep You Up at Night

1. Financial and data stealing tools

2. Software vulnerabilities in unpatched software (8 programs cover 99% of all vulnerabilities)

3. Phishing spam campaigns

4. Identity theft attempts

5. Online scams

6. Cyberbullying

7. Spyware


+ 20 future cyber predictions for 2015 (FireEye)


+ The Cost of Bad Threat Intelligence

Threat intelligence quality is paramount. Growing errors and mistakes are costing organizations time and money, reducing their security effectiveness.


+ 7 Bold Tech Ideas That Will Make You Uncomfortable


+ “Patent troll” (Commil) with a big verdict against Cisco notches a Supreme Court win


+ 3 Critical Takeaways From The Damaging CareFirst Hack That Exposed Millions


+ Breaches Cost Healthcare $6 Billion Annually

A Ponemon Institute report indicates cyber criminals have increased their attacks on healthcare 125 percent, costing the industry $6 billion annually…


+ Escalating Cyberattacks Threaten US Healthcare Systems


+ Data security in focus after hack attack on IRS


+ The Interconnecting of Everything (IBM white paper)

2 +++++++

+ Check Point launches new ICS security appliance

Check Point Software Technologies announced on Tuesday the launch of a new rugged appliance designed to protect industrial control systems (ICS) against cyber threats. Available immediately through Check Point’s global partners, the 1200R is a rugged security gateway appliance line that provides protection for SCADA (supervisory control and data acquisition) systems in remote locations and harsh environments. Part of Check Point’s ICS/SCADA security offering, the 1200R is a fully-featured gateway with six 1GbE ports and raw firewall throughput of 2 Gbps. The product supports a wide range of ICS/SCADA-specific protocols, including Siemens Step7, OPC, DNP3, BACnet, IEC-60870-5-104, IEC 60870-6 (ICCP), IEC 61850, Profinet, MMS, and Modbus.


+ Iris scans: Security breakthrough or privacy invasion?

Imagine if you could be identified with certainty from 40 feet away by anyone with a special camera and your iris scan in a database. Carnegie Mellon researchers at the Cylab Biometrics Center have invented a device that can do that. It should definitely have criminals feeling nervous, but maybe we should all be nervous. First the good news. According to SRI International, a spinoff of Stanford Research Institute, iris scans are 1,000 times more accurate than fingerprint scans. We’re already using handheld iris scanners in high security situations. The new Carnegie Mellon device will work up to 40 feet away — even in a mirror — so, for example, a police officer making a traffic stop can safely identify a potentially dangerous suspect before he even exits his vehicle.


+ NIST preps digital privacy framework, considers control catalog

The National Institute of Standards and Technology is putting the finishing touches on a new interagency report that will advise federal agencies on assessing and mitigating the privacy risks associated with their digital services. “Cybersecurity has come a long way in the last ten years, in sort of unifying the type of conversation about risks across organizations. And privacy has really lagged behind,” said Sean Brooks, privacy engineer at NIST. Over the last year and a half, a team at NIST has been working on a privacy engineering and risk framework, and a soon-to-be-released draft publication will summarize their work to date, said Brooks during a May 21 event hosted by the General Services Administration in Washington, D.C.


+ UVa, cybersecurity company researching possibility of ‘car hacking’

Imagine a group of bank robbers who disable all the police cars within a mile radius of their heist by hacking into the cars’ computer systems, allowing them more time to take the money and run. It sounds like a Hollywood movie. As of 2015, it’s extremely unlikely. But automakers, researchers and security experts believe car hacking could become a credible threat over the next few years. The University of Virginia and local cybersecurity company Mission Secure Inc. are part of a statewide effort to examine the ways the electronics systems that control features such as anti-lock braking and adaptive cruise control could be exploited by criminals.


+ iPhone users’ privacy at risk due to leaky Bluetooth technology

Security researchers have revealed that the privacy of smartphone and fitness tracker users is at risk due to leaky Bluetooth Low Energy (BLE) technology. Researchers from security firm Context have revealed that devices using embedded BLE technology, such as the iPhone and numerous fitness trackers, can be easily tracked from up to 100m away. Scott Lester, a senior researcher at Context, said: “Many people wearing fitness devices don’t realize that they are broadcasting constantly and that these broadcasts can often be attributed to a unique device.”


+ Google’s ‘Chucky’ teddy bear to control the home

Google’s engineers have floated the idea of making Internet-connected teddy bears that will have the ability to control gadgets and devices in the home. The robot would be an “anthropomorphic device” which could take the form of a “doll or toy that resembles a human, an animal, a mythical creature or an inanimate object,” according to a patent granted to the U.S. search giant last week. A camera and microphone would be installed in the head of the toy, which could move to maintain eye contact with the user—much like the popular horror film doll “Chucky.” A user could signal a command by speaking or moving their hands.


+ Why hackers want kids’ personal information

Data breaches give hackers a chance to cash in, and no personal information is more valuable to cyber criminals than a child’s. It’s a surprising fact in the age of the massive cyberattack. While adults might fret when their financial data is stolen in a breach, it’s their kids’ identities they should be worried about, experts say. “A child’s Social Security number can be used by identity thieves to apply for government benefits, open bank and credit card accounts, apply for a loan or utility service, or rent a place to live,” says the Federal Trade Commission.


+ MasterCard, Target data breach settlement falls apart

A proposed $19 million settlement between MasterCard Inc and Target Corp over the retailer’s 2013 data breach fell through after not enough banks accepted the deal, the credit card company said on Thursday. The agreement, announced in April, would have provided up to $19 million to banks and credit unions that sued Target in federal court in Minnesota over the breach. The lead lawyers for the banks had argued that the settlement with MasterCard, which was not a party to the lawsuit, was an attempt to undercut their claims for damages. But a federal judge earlier this month rejected the banks’ attempt to block the deal, though he expressed concerns about its fairness.


+ Inspector General finds Justice Dept. slow to create privacy rules

The Justice Department for seven years failed to implement a provision requiring it to create privacy rules for use of an intelligence-gathering tool authorized by the USA Patriot Act, the department’s inspector general said in a new report. The law in question is Section 215 of the Patriot Act, a measure that has provoked controversy for its once-secret use allowing the mass collection of Americans’ phone records. With the law expiring in 10 days, Congress is debating whether it should be renewed, amended or allowed to lapse. Beyond the bulk collection of phone records, the law also enables intelligence agencies to obtain court orders to gather all manner of records in foreign terrorism investigations.


+ First steps to cyber risk management

Organizations today are struggling to find options that can effectively help deal with cyber security threats, including assessing and measuring cyber risk management. Essentially, the current cyber security solutions are not really addressing cyber security risks or focusing on the challenges within a corporate environment.


+ House Passes USA Freedom Act

The US House of Representatives has passed the USA Freedom Act, which reauthorizes PATRIOT ACT provisions set to expire at the end of the month with some changes. The changes would still allow law enforcement access to mobile communications metadata, but would require that the telecommunications providers retain it and that law enforcement seek the data with warrants.


+ Use phone number verification to ensure security and compliance

Phone number verification uses a simple process. Access now to learn why this technology is rising in prominence and uncover the seven key components to look for in a third-party service.


+ Cyber Security Skills: The Hot New Must-Have IT Skill Set


+ Confronting the widening infosec skills gap (some great statistics too)

Estimates of the shortage of qualified information security professionals needed to fill available jobs in the next several years range into the multiple millions. A number of organizations are trying to change that. But they say it will likely be years before the gap is closed…


+ Expert Tips: Privacy on Social Media

Social media have taken over the Internet. People spend ever more time on Facebook, Twitter, LinkedIn, and others – but many forget (or are not concerned at all) about their privacy.


+ Researchers publish developer guidance for medical device security

The guidance is organized into 10 categories, and serves as a starting point for a more complete code, report authors said.


+ Raytheon’s SureView cybersecurity product named Best Malware Analysis Solution of the Year by Cyber Defense Magazine


+ Why insider threats are succeeding

Data leaks and other news events over the past few years have brought insider threats to the forefront of public attention, but most companies still lack the means or motivation to protect themselves from malicious insiders…


+ 10 Threat Intelligence Goals for Financial Institutions


+ Will Your Contractors Take Down Your Business? (“Probably!”)


+ Cyber Threat Analysis: A Call for Clarity (prioritize malware, etc.)


+ Why small firms mean big business for cybersecurity


+ Fifteen Innovative Gadgets for Your Mobile Devices


+ ISC Study Shows Decline in US Cybersecurity Readiness

A new ISC study indicates that the federal government’s efforts in recent years to bolster cybersecurity have seen little return on investment.


+ Billington Corporate Cybersecurity Summit (some great topics / speaker views)


3 +++++++


+ Massive campaign uses router exploit kit to change routers’ DNS servers

Well-known security researcher Kafeine has spotted an active campaign aimed at compromising SOHO routers and changing their DNS settings so that the attackers can seamlessly redirect users to phishing sites, hijack their search queries, intercept their traffic, and more. This particular campaign apparently targets only users of Google’s Chrome browser and ignores others. Chrome users who visit a compromised website are redirected to a site that serves cross-site request forgery (CSRF) code that determines which router model the victims use. Depending on that information, an exploit for one of several vulnerabilities – CVE-2015-1187, CVE-2008-1244, or CVE-2013-2645 – is served, or several sets of common administrative credentials are tried, all with the aim of accessing the router’s administration interface.


+ NetUSB router vulnerability puts devices in jeopardy

A newly discovered router vulnerability could leave millions of connected devices open to denial-of-service attacks and remote code execution.


+ Islamic, Chinese hackers target media

News outlets are coping with a wave of cyberattacks as hackers around the world seek to monitor their coverage or deface their websites for publicity. The latest intrusion at the Washington Post redirected users to a site controlled by the Syrian Electronic Army (SEA), a group that supports embattled President Bashar al-Assad. The attack, which took place last Thursday, affected parts of the paper’s mobile website but did not compromise its internal networks. Intruders found a way in through a software vendor, declaring in a message..


+ Grabit Malware Targets Small- and Medium-Sized Organizations

A new strain of malware dubbed Grabit targets small- and medium-sized companies in media, education, nanotechnology, and other sectors. Grabit has stolen thousands of documents since the attack campaign began in February 2015.


+ Android Ransomware

Ransomware targeting users of Android devices pretends to be an update for Adobe Flash Player. Once the user clicks on the phony update, the malware displays what appears to be a warning from the FBI about the user’s viewing of online pornography. The warning includes phony screenshots of what appears to be an incriminating browsing history.


+ Hackers Build a New Tor Client Designed to Beat the NSA – Daily Dot

With the threat of powerful intelligence agencies, like the NSA, looming large, researchers have built a new Tor client called Astoria designed specifically to make eavesdropping harder for the world’s richest, most aggressive, and most capable spies.


+ Yemeni Hackers Reveal Top Secret Docs in Saudi Government Cyber Attack

+ ‘Marauders Map’: App exposes ease of tracking Facebook Messenger users


+ Over 1,000 websites ‘blackout’ Congress in protest of NSA surveillance laws


+ The 3 Best Hacking Techniques To Create A Security Breach


+ The iPhone bug that lets anyone crash your phone with a text message


+ 86 percent of websites contain at least one ‘serious’ vulnerability


+++  SD/SoCAL security events / opportunities +++

+ CyberTECH events / networking / startups / etc — THE cyber happening place in SD!!!

Join their Meetup Group for the latest event information! The definition of “Cyber KEWEL”


06 (SAT) University of Phoenix – Cyber Nexus Conference – great all day event – panels / topics! (and FREE)

San Diego Campus, 9645 Granite Ridge Dr., San Diego, CA 92123

8-11 – Cloud Identity Summit (La Jolla)

11 – SD ISC2 (Thur at 6PM) – “Cloud Security” – Chris Simpson

Location – BAH (Suite 200), 4055 Hancock Street, San Diego, CA 92110 USA

18 – ISACA (noon – 1:30 PM) – “TBD” (at Coleman University)

18 – OWASP – 6PM – Arvind Mani – Head, Data & Infrastructure Security at LinkedIn

25 – ISSA (11:30 AM) – “TBD” (at ADM Baker Field clubhouse)


Global Cyber events:


MAY 25

+ BTW – Another great source of cyber news is the “cyberwire”

The CyberWire is a free, no-ad, community-driven cyber security news service based in Baltimore. Their mission is to provide a relevant and intelligently organized daily digest of the critical news happening across the global cyber security domain. (They have a daily jam-packed newsletter… AND generally the stories and cyber info we provide in these cyber tidbits do not overlap very much with their stories (ours is a weekly summary which I get from several other sources, LinkedIn, etc. – but not the “wire”)… so… sign up for their security news digest too… win-win-win… ;-))


+ Cybercrime Cost Americans $800,492,073 Last Year

The Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) tallied 269,422 complaints in 2014, totaling $800,492,073 in losses, according to a new report. The center has received 3,175,611 complaints since its establishment in May 2000. The losses compiled in 2014 are likely much lower than actual Internet crime losses. The report states, “Only an estimated 15 percent of the nation’s fraud victims report their crimes to law enforcement, while the IC3 estimates less than 10 percent of victims file directly through [w]”

+ IC3 Issues Internet Crime Report for 2014

+ Georgetown’s Cybersecurity Law Institute (topic / briefs overview) May 20-21, 2015


+ San Diego NDIA Cyber event for Small Business!!!

The event went very well – 80 or so folks attended – a LOT of actionable info provided. The link to all the briefs in the agenda is here (and also the CISO Fundamentals / Cyber Security Tenets, and Small Business Cyber guide):


+ Pentagon to invest in Silicon Valley tech startups

The Pentagon will begin to invest in Silicon Valley tech startups as part of the department’s plan to develop and acquire more advanced cyber solutions to secure the country and military’s digital infrastructure. The investments will be made through In-Q-Tel, a nonprofit strategic investing firm the Central Intelligence Agency launched sixteen years ago and which has backed tech companies such as Keyhole, which helped create Google Earth. As part of the program, the Pentagon will open its first office in Silicon Valley, an outpost in Moffett Field staffed with active-duty military and civilians responsible for “scouting emerging and breakthrough technologies and building direct relationships to DOD,” a senior Pentagon official said.


+ Protests grow against Facebook’s

The backlash against Facebook’s “free mobile data” scheme has spread across the globe. A total of 67 digital rights groups – including i Freedom Uganda, Ecuador’s Usuarios Digitales and Indonesia’s ICT Watch – have signed a letter to Facebook’s founder, Mark Zuckerberg, stating concerns about the initiative. They say the project threatens freedom of expression, privacy and the principle of net neutrality.


+ US House Passes Bill Ending NSA Bulk Data Collection

The USA Freedom Act is seen as a big win for privacy and civil rights advocates. The White House backs the reforms, saying the bill protects privacy while preserving essential national security authorities. The measure now heads for a vote in the Senate, where the clash between reformists and supporters of the intelligence community, coming within the context of warnings on the increasing digital reach of the Islamic State terror group, transcends party lines. The bill, which focuses on people in the United States and not overseas, would amend controversial sections of the USA Patriot Act which passed in the wake of the September 11, 2001 attacks and which expire on June 1. The reforms would explicitly prohibit the mass collection of telephone metadata — numbers, time and duration of calls — by the National Security Agency, as well as electronic data such as emails and web addresses.


+ Microsoft Research Unveils VC3 Cloud Workload Privacy Project

Extending its “lockbox” approach to securing data on the cloud, Microsoft’s research arm today announced a new technology dubbed Verifiable Confidential Cloud Computing, or VC3. Last year, the Redmond, Wash.-based software giant announced a new process for safeguarding cloud data called a lockbox. Encompassing a set of technologies, along with strict policies and IT practices at the company’s cloud data centers, the approach essentially places customers in complete control of their data and requires that they issue their approval before even Microsoft’s own administrators can access protected information. Now, Microsoft is using a similar strategy to protect cloud workloads.


+ FBI: Data breaches ‘increasing substantially’

The rate of major data breaches in the United States is rapidly increasing, as hackers around the world become more sophisticated, a top FBI cyber official said Thursday. James Trainor, acting assistant director of the FBI’s Cyber Division, said the agency used to learn about a new, large-scale data breach every two or three weeks. “Now, it is close to every two to three days,” Trainor said at an event hosted by Microsoft. “Those types of events, whether they concern a national security threat actor or a criminal actor, are ones we see on a much more regular basis.”

+ FBI: Data Breaches Up 400%; Workforce Needs To Be “Doubled or Tripled”

James Trainor, acting assistant director of the FBI’s Cyber Division, said the agency used to learn about a new, large-scale data breach every two or three weeks. “Now, it is close to every two to three days.” Trainor also said the cybersecurity industry needs to “double or triple” its workforce in order to keep up with hacking threats. [Note: The “aha” moment on cyber workforce usually arises when senior managers find out that the skills (and certifications) they hired for policy and compliance with frameworks and FISMA and HIPAA and SOX and ISO are not the ones needed for finding and mitigating the increasing number of breaches. If you are looking for people with the skills to meet the new security requirements, hire people who did well on “Continuous Monitoring and Security Operations” (Security 511) because it prepares them to analyze threats and detect anomalies that often indicate cybercriminal behavior. Also look for GCFE (forensic examiners) and GCFA (forensics analysts) certifications because they have demonstrated they have the knowledge and skills to play an important technical role in the new era.]


+ Belgian watchdog raps Facebook for treating personal data ‘with contempt’

Belgium’s privacy watchdog sharply criticized Facebook Inc. for treating the personal data of Internet users “with contempt” and failing to cooperate with its inquiries, escalating a dispute between the California company and European regulators that could result in heavy fines and orders to change its business practices. The Belgian report, which runs to 28 pages, is part of a broader effort by privacy regulators in several European countries to examine the way Facebook combines data from its services, which include Instagram and WhatsApp, to target advertising. It is being led by authorities in the Netherlands and includes watchdogs in France, Spain and Germany.


+ Cyber threats will keep coming if public and private sectors don’t collaborate

Public-private partnerships are the key to robust national cybersecurity, according to Peter Fonash, chief technology officer for the Department of Homeland Security’s Cybersecurity and Communications Office. Still, they’re unlikely to happen until both sectors can communicate better. Cyber breaches have been getting worse over the years, Fonash said during a recent conference in Washington, D.C. He referenced two key statistics from a recent Verizon Data Breach Investigations Report that show two particular trend-lines between 2004 and 2013: one for the percentage of time that compromising a system took a day or less, and another, much lower, for the percentage of time that the discovery of a breach took a day or less.


+ More than 1,000 organizations join IBM to battle cybercrime

IBM announced that more than 1,000 organizations across 16 industries are participating in its X-Force Exchange threat intelligence network, just one month after its launch. IBM X-Force Exchange provides open access to historical and real-time data feeds of threat intelligence, including reports of live attacks from IBM’s global threat monitoring network, enabling enterprises to defend against cybercrime. IBM’s new cloud-based cyberthreat network, powered by IBM Cloud, is designed to foster broader industry collaboration by sharing actionable data to defend against these very real threats to businesses and governments.

+ What 700 TB of cyber threat data can do for you

The value of cyber threat intelligence increases as it’s shared. That’s the idea behind the X-Force Exchange, a 700-terabyte platform of aggregated cyber threat information IBM has built to foster cybersecurity collaboration. This hoard of cybercrime data features IBM’s security intelligence research, a global network of third-party threat data, expert analyses and real-time insight on live attacks, all on a social sharing site built on IBM’s cloud.


+ Employing technology to ensure privacy

Automating the process of excising personally identifiable information when sharing data is a challenge that the Defense Department hopes to overcome. The Defense Advanced Research Projects Agency, known as DARPA, will consider proposals from the public that would expedite the way organizations safeguard PII while sharing the data with others. It’s a technology problem that has vexed the information security and privacy world for years. The goal of the initiative, known as Brandeis, is to “break the tension” between maintaining privacy and being able to tap into the huge value of data, DARPA Program Manager John Launchbury says.


+ Funds sought for tiny $9 computer

A Californian start-up is seeking funding to make a computer that will cost $9 (£6) in its most basic form. Next Thing wants $50,000 to finish development of the credit-card sized Chip computer. The first versions will have a 1GHz processor, 512MB of RAM and 4GB of onboard storage. The gadget, due to go on general release in early 2016, could become yet another rival to the popular Raspberry Pi barebones computer. The Chip shares some technical elements with the Pi in that it is built around an Arm chip, but it includes some networking technologies, such as wi-fi and Bluetooth 4.0, that are not present on the standard Raspberry configuration.


+ 70 million Americans report stolen data

More than 70 million American adults discovered that their personal information had been compromised in 2014, according to projections from a recent nationally representative survey of more than 3,000 American adults, conducted by Consumer Reports. While some of those incidents may have resulted from stolen credit cards or other crimes, many stemmed from data breaches. And, as a slew of widely reported breaches last year showed, not only online shoppers are at risk. According to Consumer Reports’ survey, 79% of those notified of a data breach were told by a brick-and-mortar store or a financial institution. Just eighteen percent said the problem originated with an online retailer.


+ Android ‘M’ could return privacy control to users

Google is expected to bring Android into line with Apple iOS on user privacy, with version “M” due for release later this month, giving control of app data back to the users. Android will include detailed control over personal data, such as phone numbers, location, names and addresses, and whether apps can access some or none or all of it, according to a Bloomberg report. Apps installed on Android request permission to access various features and data of a mobile device, but a user can either accept all permission requests and install the app, or reject them and prevent the app from installing. There is no middle ground and users cannot revoke permissions after the fact.


+ Cyber Security a Growing Concern for Financial Services Companies

Close to 50 percent of US financial institutions rank cyber security as their number one concern, according to a survey from the Depository Trust & Clearing Corporation (DTCC), topping geo-political risks and new regulations. The DTCC’s Systemic Risk Barometer Study compiled responses from 250 financial market participants. In last year’s report, just 24 percent of respondents ranked cyber security as their top concern.


+ Navy moves cloud initiatives to spur change

Frustrated with slow data center consolidation and cloud adoption, the Navy is moving its SPAWAR DCAO initiative to PEO EIS in hopes of shaking up server-hugging commands.


+ Average Fortune 100 firm suffers 69 social media compliance incidents


+ Top 10 emerging technologies of 2015


+ State of Cybersecurity: Implications for 2015


+ Pentagon Kills $475M Cyber Contract


+ Has the White House’s cybersecurity plan been effective?


+ Data Breach Costs Estimated To Jump Four-Fold In Four Years


+ Top security tools in the fight against cybercrime


+ Your Reputation and Being Cyber Breach Ready
2  +++++++

+ U.S. proposes tighter export rules for computer security tools

The U.S. Commerce Department has proposed tighter export rules for computer security tools, a potentially controversial revision to an international agreement aimed at controlling weapons technology. On Wednesday, the department published a proposal in the Federal Register and opened a two-month comment period. The changes are proposed to the Wassenaar Arrangement, an international agreement reached in 1995 aimed at limiting the spread of “dual-use” technologies that could be used for harm. The Commerce Department’s Bureau of Industry and Security (BIS) is proposing requiring a license in order to export certain cybersecurity tools used for penetrating systems and analyzing network communications.


+ U.S. Navy secretary says paying attention to cyber threats

The U.S. Navy is working hard to improve the cyber security of its computer networks and weapon and communications systems, while bracing for potential attacks on power grids and fuel supplies, Navy Secretary Ray Mabus said Wednesday. Mabus said cyber warfare was a clear threat given Russia’s use of cyber attacks before its physical invasions of Crimea and Georgia. “We’ve got to pay a whole lot of attention to this,” Mabus said at an event sponsored by Defense One media group. “Cyber is in everything now. It’s not just weapons systems. It’s in every system because we are so networked.”

+ Navy unveils new 5-year cyber strategy plan reflecting rising tide of cybersecurity threats

The Navy last week announced a new five-year cyber strategy plan designed to address the rising threat to military networks and, perhaps, position the military branch as a more offensive force in cyberspace. “A lot of work had been done since our inception in 2010 and the world has changed – gotten a lot more dangerous,” said Vice Adm. Jan E. Tighe, who leads U.S. Fleet Cyber Command/U.S. Tenth Fleet, in a May 7 press release. “The cyberspace domain is changing on a daily basis. First and foremost [the plan is] a way to organize our mission and to begin to measure if we’re making sufficient progress in each of our goal areas.”


+ The government is trying to get serious about cyber as a foreign policy issue

After a string of high-profile Internet attacks directed at the U.S. government and private sector, Congress and the executive branch are trying to get serious about treating cyber warfare as a foreign policy issue, especially when it comes to addressing threats from China and Russia. But it’s slow going. The Senate Foreign Relations Committee added cybersecurity to the portfolio of one of its subpanels, which had its first hearing Thursday. Yet only two members showed up: Colorado Republican Cory Gardner and Maryland Democrat Ben Cardin, chairman and ranking member of the Subcommittee on East Asia, the Pacific, and International Cybersecurity Policy, respectively.


+ Sony hack aftermath: How Hollywood is getting tough on cybersecurity

The cyber-attack that crippled Sony Pictures Entertainment may have occurred way back in December, but the reverberations are still being felt across the entertainment industry. A new normal is setting in, according to panelists assembled Thursday in Los Angeles at the Hollywood IT Summit from companies including Disney-owned Marvel Studios and Live Nation Entertainment. The Sony incident has prompted some soul-searching at many businesses big and small in and out of Hollywood, which are all exploring their own preparedness to deal with similar scenarios.


+ Free tool reveals mobile apps sending unencrypted data

A surprising amount of mobile data still crosses the Internet unencrypted, and a new free app is designed to show users what isn’t protected. The program, called Datapp, comes from the University of New Haven’s Cyber Forensics Research and Education Group (UNHcFREG), which last year showed popular Android applications such as Instagram, Grindr and OkCupid failed to safely store or transmit data. The reaction to that study prompted the group to create an application where people could test for themselves which applications don’t encrypt data and exactly what is exposed, said Ibrahim Baggili, UNHcFREG’s director.


+ What if a cybersecurity attack shut down our ports?

It’s easy to forget when you’re on dry land that 90 percent of the world’s goods are shipped on boats. While we worry about the cybersecurity of power grids and nuclear missile silos, most of us have never thought about whether the container ships and ports that bring us our clothes, electronics, food, everything, are secured against digital threats. Spoiler alert: They’re not. The April newsletter from maritime cybersecurity consulting firm CyberKeel contained a scary stat. According to a spot check the group conducted, 37 percent of maritime companies with Windows webservers haven’t been keeping up with installing security patches from Microsoft. As a result, more than one-third of these sites are vulnerable to denial of service attacks and certain types of remote access.


+ Quantum computing is about to overturn cybersecurity’s balance of power

“Spooky action at a distance” is how Albert Einstein described one of the key principles of quantum mechanics: entanglement.  Entanglement occurs when two particles become related such that they can coordinate their properties instantly even across a galaxy. Think of wormholes in space or Star Trek transporters that beam atoms to distant locations. Quantum mechanics posits other spooky things too: particles with a mysterious property called superposition, which allows them to have a value of one and zero at the same time; and particles’ ability to tunnel through barriers as if they were walking through a wall.


+ China’s draft national security law calls for cyberspace ‘sovereignty’

China has included cybersecurity in a draft national security law, the latest in a string of moves by Beijing to bolster the legal framework protecting the country’s information technology. China has recently advanced a wave of policies to tighten cybersecurity after former National Security Agency contractor Edward Snowden disclosed that U.S. spy agencies planted code in American tech exports to snoop on overseas targets. The standing committee of the National People’s Congress (NPC), China’s legislature, reviewed a cyberspace “sovereignty” clause in a proposed national security law, according to a draft posted online this week after its second reading in late April.


+ Romania turns hacking crisis into advantage, helping Ukraine

Ukraine is turning to an unlikely partner in its struggle to defend itself against Russian cyber warfare: Romania. The eastern European country known more for economic disarray than technological prowess has become one of the leading nations in Europe in the fight against hacking. The reason: the country’s own battle against Internet renegades and a legacy of computing excellence stemming from Communist dictator Nicolae Ceausescu’s regime. Both historic twists have ironically turned Romanian cyber sleuths into some of Europe’s best. So much so that NATO tapped Bucharest to defend Ukraine from Russian digital espionage by sending experts to monitor Kiev government institutes and train Ukrainian IT specialists.


+ Beijing to troops: Wearables represent a national security risk

The Chinese authorities have warned People’s Liberation Army (PLA) troops that wearable technology represents a national security risk as it could be tracked and used to reveal military secrets. The note came in a report from military mouthpiece the PLA Daily which urged all personnel to avoid any kind of device, from smart watches to fitness trackers and HUD glasses. It claimed that the ability to record video and audio, take pictures and transmit details such as location, render wearables a major security risk. The warning is a serious one as crimes deemed harmful to national security could lead to the death penalty in China.


+ South Korea mandates spyware installation on teenagers’ smartphones

A law requiring the mass installation of spyware on teenagers’ smartphones suggests that the frightening level of population control exercised by its neighbors in “Best Korea” has rubbed off on the Republic’s administrators in Seoul. The Republic of South Korea’s Communications Commission, a media regulator modeled after the United States’ FCC, now requires telecom companies and parents to ensure a monitoring app is installed whenever anyone under the age of 19 receives a new smartphone.


+ Turkish blackout sparks fears of cyber attack on the West

Iran is now believed to be responsible for the blackout that, on 31 March, plunged over 40 million people into darkness in Turkey for over 12 hours, paralyzing the country’s principal cities. Intelligence experts are speculating that the attack was a reprisal for support from Turkey to Saudi Arabia in a dispute against the Iran-backed Houthis in Yemen. It could also be related to Turkey’s recent moves to topple Syrian dictator Bashar Assad – a strong ally of Iran. Iran-based hacker group Parastoo is already understood to have been actively recruiting hackers with the skills needed to break into the kind of control systems which run power grids and other utilities.


+ Execs say cyberattacks could disrupt whole industries

Widespread concern regarding the potential effects of cyber-attacks in corporate America has led C-level professionals to readily acknowledge that a coordinated assault launched by sophisticated cyber-criminals would wreak ongoing havoc on business operations, cause considerable harm to a brand, and potentially affect related companies, even entire industries. A survey from RedSeal showed that three-quarters (74%) of executives acknowledge that cyber-attacks on networks of U.S. organizations can cause “serious damage or disruption,” and most of the rest, 21%, admit to fears of “significant damage or disruption.”


+ Additional Vulnerabilities Found in Medical Infusion Pumps

The US Department of Homeland Security’s ICS-CERT has amended an advisory released last week regarding remotely exploitable security issues in drug infusion pumps; the new information is about additional vulnerabilities affecting the Hospira LifeCare PCA Infusion System. The US Food and Drug Administration (FDA) has added its voice to the warnings to help the information become more widely circulated.

[Note : It is obvious that “information sharing” is still immature.  We do not broadcast “intelligence” in hopes that it gets to those who can do something about the risk.  The object is to get it, on a timely basis, only to those who must act. This implies that one must have identified those folks in advance.  (The aviation industry continues to be the best example of how to do it.)  In this particular case, broadcast of this information serves only to raise unnecessary anxiety among those who cannot do anything to reduce the risk.]


+ Insurer challenging cyber liability claim

CNA is challenging its obligation to cover breach costs for one of its cyber liability customers due to the customer’s failure to meet minimum required security practices. If this becomes case law, it could force organizations to change what appears to be the mindset of falling back on risk transference (via insurance) rather than adequately investing in risk mitigation.


+ Insider Threat Report: Cloud and Big Data Edition

The increasing use of cloud services and Big Data projects is causing major security concerns. This report provides up-to-date insight and opinion on the increasing security, risk, and compliance concerns that enterprise organizations face as they deploy in new environments.


+ Half Of Retail, Healthcare Sites ‘Always Vulnerable’

Finding vulnerabilities in custom web applications isn’t the major problem; fixing them in a timely fashion is, a new report from WhiteHat Security finds.


+ 90% of Healthcare Firms Hit by Cyber Attack: Ponemon – Insurance Journal

A rise in cyber attacks against doctors and hospitals is costing the U.S. healthcare system $6 billion a year as organized criminals who once targeted retailers and financial firms increasingly go after medical records.


+ Privacy vs progress: the ethical quandary of big data


+ Digital Privacy Is Out of Control – Lorrie Faith Cranor:


+ How to prevent 80% of cyber attacks


+ Legal landscape for cybersecurity risk is changing as federal government and SEC take action


+ Multi-tiered security – paper


+ (ISC)2 Annual Report and Other Cyber Resources


+ Meet ‘Tox’: Ransomware for the Rest of Us (scary stuff)


+ Robots.txt tells hackers the places you don’t want them to look


+ Millennials Understand Privacy a Lot Better than You Do


3  +++++++

+ A new threat to children’s online privacy: Parents

Most parents go to great lengths to keep their children safe online—but what if parents themselves, through the simple act of posting photos to Facebook and Instagram, are putting their own kids at risk every day? Researchers at the New York University Polytechnic School of Engineering and NYU Shanghai have released a study showing that parents’ habits on popular social media sites may allow third parties to easily obtain their children’s identities and other sensitive information. Their paper, “Children Seen but Not Heard: When Parents Compromise Children’s Online Privacy” will be presented at the International World Wide Web Conference in Florence, Italy, on May 22, 2015.


+ NSA chief wary of proxies

As the U.S. government’s ability to pinpoint the source of cyber behavior grows more precise, nation-states could increasingly turn to proxies to carry out attacks, according to National Security Agency Director Adm. Michael Rogers. “One of the trends I look for increasingly in the future … [is] do you see nation-states start to look for surrogates as a way to overcome our capabilities in attribution?” Rogers said May 11 in remarks at a cybersecurity event at George Washington University. U.S. officials consider accurate attribution, which is supported by the NSA’s vaunted cyber capabilities, to be an important method of deterring cyberattacks.


+ Data Belonging To 1.1 Million CareFirst Customers Stolen In Cyber Attack

BlueShield customers in the Washington D.C. area was stolen in a cyber attack last year, the healthcare insurer announced Thursday. Concerned by the string of recent cyber attacks against other healthcare providers-including Anthem, Premera, and Community Health Systems-CareFirst decided to take a look into its own system, the company explained in a notice on its website. CareFirst hired Mandiant to review its networks, which led to the discovery of an undetected intrusion in June 2014.

The attack resembles those perpetrated on Anthem and Premera. The affected data include names, birth dates, email addresses, and insurance identification numbers.

[Note : We have nothing left to hide.  Only partly as the result of massive and repeated breaches of firms like eBay, Anthem and Target, all information about us is now for sale, often in bulk for pennies, in white and black markets.  Security based upon shared secrets like credit card numbers, social security numbers, and passwords is no longer effective.  Strong authentication can help but we need to rely on prompt notification of transactions and the white market sale of personal information…]


+ Russia and China pledge not to hack each other

If the U.S. intelligence community believes that Russia poses a greater cyber spying threat than China, what will it make of this? Russia and China signed a cyber-security deal on Friday, which experts say could firm up Russia’s ties with the east and may become a foundation for binding cyber security ties in the future. According to the text of the agreement posted on the Russian government’s website on Wednesday, Russia and China agree to not conduct cyber-attacks against each other, as well as jointly counteract technology that may “destabilize the internal political and socio-economic atmosphere,” “disturb public order” or “interfere with the internal affairs of the state.”


+ Apple Watch vulnerability could let thieves use Apple Pay on stolen watches

A potential security vulnerability recently detailed by a blogger may have uncovered a serious flaw in the Apple Watch’s design that could lead to some big headaches for some users. In a nutshell, a nifty feature designed by Apple to maintain security on the Watch without sacrificing convenience may have actually ended up sacrificing security instead, allowing thieves to continue using Apple Pay on a stolen Watch without having to input the owner’s PIN code to confirm purchases. It should be noted, however, that the procedure detailed by the blogger in question did not yield consistent results. As such, a thief would seemingly need a bit of luck in order to ensure that he or she can exploit this vulnerability.


+ New Computer Bug Exposes Broad Security Flaws

A dilemma this spring for engineers at big tech companies, including Google Inc., Apple Inc. and Microsoft Corp., shows the difficulty of protecting Internet users from hackers. Internet-security experts crafted a fix for a previously undisclosed bug in security tools used by all modern Web browsers. But deploying the fix could break the Internet for thousands of websites. The newly discovered weakness could allow an attacker to read or alter communications that claim to be secure. It was disclosed Tuesday by an international team of computer scientists that has found several problems in technology behind prominent security tools, including the green padlock on secure websites.


+ ‘Phantom Menace’ Hack Strikes Oil Industry Computers

What looked to be an ordinary malware attack on a computer at an oil-trading firm turns out to have been part of a targeted attack on the industry at large, according to a report from Panda Security. It began, as it so often does, with someone on their work computer opening an email attachment they shouldn’t have. This attachment, instead of producing one of the many trojans, worms or viruses already watched for by antivirus programs, merely unpacked a few common scripts and tools often used by Windows programs – thus avoiding detection. These scripts request credentials from various places on the computer, send what they find home via a File Transfer Protocol connection, then rename themselves just in case the computer starts getting suspicious. And that FTP server was full of data from other oil companies that had been targeted.


+ Mobile spy software maker mSpy hacked, customer data leaked

mSpy, the makers of a dubious software-as-a-service product that claims to help more than two million people spy on the mobile devices of their kids and partners, appears to have been massively hacked. Last week, a huge trove of data apparently stolen from the company’s servers was posted on the Deep Web, exposing countless emails, text messages, payment and location data on an undetermined number of mSpy “users.” mSpy has not responded to multiple requests for comment left for the company over the past five days. KrebsOnSecurity learned of the apparent breach from an anonymous source who shared a link to a Web page that is only reachable via Tor, a technology that helps users hide their true Internet address and allows users to host Web sites that are extremely difficult to get taken down.


+ Password Security Questions Easy to Guess

Google’s analysis of hundreds of millions of password security questions found that it would be easy for people intent on gaining access to someone’s account to do so. Guesses yielded correct results a surprising amount of the time. Google says that rather than adding more questions, users should update their account information with a phone number or secondary email address to help prevent accounts from being taken over.

[Note : As the Starbucks stored value card incident recently pointed out, just adding a phone number or email address contact to a password is useless if you can change the phone number/email address by just knowing the password – phished or guessed passwords are used to change the phone number/email address. Need to require two-factor auth to change any one of the factors. The proper use of challenge-response can be an effective factor in strong authentication schemes. Many implementations use too few, poorly chosen, challenges too often. I like Google’s implementation of strong authentication using one-time passwords sent out of band to phone numbers of the user’s choice.]
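The control the note argues for, as an added example that is not from the newsletter or from any vendor it mentions: a toy account model in Python contrasting a password-only factor-change policy with one that demands a fresh out-of-band one-time code before any factor (here, the recovery phone) can be changed. The account class, the in-memory "outbox" standing in for SMS delivery, the user names and phone numbers are all constructed for illustration.

```python
"""
Constructed example (not the newsletter's own material): why changing a
recovery factor must itself require a second factor.

Weak policy:     password alone may re-point the recovery phone.
Hardened policy: a one-time code sent to the *currently registered* phone
                 is required before any factor can be changed.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


class AuthError(Exception):
    """Raised when a step of the flow fails its authentication check."""


@dataclass
class Account:
    username: str
    password: str                      # plaintext only for brevity; store a hash in real systems
    phone: str                         # out-of-band recovery channel
    require_otp_for_factor_changes: bool
    # Constructed stand-in for the SMS channel: code "delivered" per phone number.
    outbox: Dict[str, str] = field(default_factory=dict)
    _pending: Dict[str, str] = field(default_factory=dict)

    def login(self, password: str) -> bool:
        return hmac.compare_digest(self.password, password)

    def send_otp(self) -> None:
        """Generate a 6-digit one-time code and deliver it to the registered phone."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[self.phone] = code
        self.outbox[self.phone] = code

    def _check_otp(self, code: Optional[str]) -> None:
        """Consume the pending code for the current phone; any mismatch fails closed."""
        expected = self._pending.pop(self.phone, None)
        if expected is None or code is None or not hmac.compare_digest(expected, code):
            raise AuthError("valid one-time code required")

    def change_phone(self, password: str, new_phone: str, otp: Optional[str] = None) -> None:
        if not self.login(password):
            raise AuthError("bad password")
        if self.require_otp_for_factor_changes:
            self._check_otp(otp)       # step-up: prove control of the CURRENT factor first
        self.phone = new_phone

    def reset_password(self, otp: str, new_password: str) -> None:
        """Recovery flow: whoever controls the registered phone can reset the password."""
        self._check_otp(otp)
        self.password = new_password


def simulate_password_only_takeover(acct: Account, known_password: str, other_phone: str) -> bool:
    """
    Model the chain the note describes: a password obtained elsewhere is used to
    re-point the recovery phone, after which the normal recovery flow resets the
    password. Returns True if the account ends up under the other party's control.
    """
    try:
        # No code is supplied: the party holding only the password cannot read the owner's phone.
        acct.change_phone(known_password, other_phone)
    except AuthError:
        return False                   # hardened policy stops the chain here
    acct.send_otp()                    # code now lands on the re-pointed phone
    acct.reset_password(acct.outbox[other_phone], "new-password")
    return acct.login("new-password")


def legitimate_phone_change(acct: Account, password: str, new_phone: str) -> bool:
    """The real owner reads the code on the current phone and changes the number."""
    acct.send_otp()
    code = acct.outbox[acct.phone]
    acct.change_phone(password, new_phone, otp=code)
    return acct.phone == new_phone


if __name__ == "__main__":
    weak = Account("alice", "hunter2", "+1-555-0100", require_otp_for_factor_changes=False)
    hardened = Account("alice", "hunter2", "+1-555-0100", require_otp_for_factor_changes=True)
    print("weak policy, password-only takeover succeeds:",
          simulate_password_only_takeover(weak, "hunter2", "+1-555-0199"))
    print("hardened policy, password-only takeover succeeds:",
          simulate_password_only_takeover(hardened, "hunter2", "+1-555-0199"))
    print("hardened policy, owner can still change phone:",
          legitimate_phone_change(hardened, "hunter2", "+1-555-0150"))
```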


+ Android Factory Reset Does Not Always Clear Data

Researchers at Cambridge University have found that as many as 500 million Android phones contain a security issue that could expose data even after the factory reset option is run. The researchers were able to recover data, including login credentials, text messages, and emails, from supposedly wiped devices.


+ St. Louis Federal Reserve DNS Servers Breached

Attackers hijacked the domain name servers of the St. Louis Federal Reserve so that site visitors were redirected to malicious web pages. The computers of people who visited the phony pages may have been infected with malware, and their access credentials may have been stolen. The attack was detected on April 24. The DNS provider has not been identified.

[Note : This looks like the Fed’s Domain Name registrar, eNom, was compromised. Back in 2008/2009 there was a flurry of attacks against registrars and ICANN kicked off some initiatives looking to improve the consistency of security across the ever growing list of registrars, but I’m not sure anything has actually changed yet.]


+ USIS Attackers Exploited SAP ERP Vulnerability

A digital forensics company retained by Department of Homeland Security (DHS) contractor USIS said that a breach of its system last year was the work of attackers exploiting a vulnerability in a third-party enterprise resource planning (ERP) application. It is unclear if a fix for the unnamed SAP application was available at the time of the breach, and it has not been determined whether USIS or SAP was the party responsible for fixing the vulnerability.

[Note : A useful (slightly dated) report on the status of SAP security was published 3 years ago and updated data was released a few days ago.]


+ Every 4 Seconds New Malware Is Born

New report shows rate of new malware strains discovered increased by 77 percent in 2014.

A LOT of great statistics in the full report is at

+++  SD/SoCAL security events / opportunities +++

+ CyberTECH events / networking / startups / etc  —  THE cyber happening place in SD!!! 

Join their Meetup Group for the latest event information! The definition of “Cyber KEWEL”


28  – ISSA – 11:30AM – (4th Thur) –   “The Sophisticated Attack Myth: What Your Threat Intelligence is really trying to tell you about your security program”    Araceli Gomes

28 Interface San Diego – all day forum

Join the area’s top IT leaders, providers and thought leaders for the purposes of information exchange and community networking. For more info and registration,

30 OWASP –  6PM –   WebApp Pen-testing Training (waitlist)


06 (SAT) University of Phoenix – Cyber Nexus Conference – great all day panels / topics! (and FREE)

San Diego Campus,   9645 Granite Ridge Dr.   San Diego, CA 92123

10 (or 18) – SD ISC2 chapter meeting – “TBD – likely medical device related”

Location – BAH (Suite 200, 4055 Hancock Street, San Diego, CA 92110 USA)

18 – ISACA chapter meeting – “TBD” – noon – 2PM

18 OWASP – 6PM – Arvind Mani – Head, Data & Infrastructure Security at LinkedIn

25  – ISSA – 11:30AM – (4th Thur) –  “TBD”


MAY 10

+++ For those in San Diego – NDIA Small Business Cyber Forum  – THIS Friday, May 15

A premier ½ day event (8 – 12:30) on how SMBs can be cyber-safe, PLUS learn about the FAR / DFAR cyber rules on “CUI”. Registration link is:



+ Government cybersecurity officials warn Hospira device vulnerable to hackers

US cybersecurity officials have issued a warning regarding a medical device manufactured by Hospira, saying the device was identified as having several vulnerabilities which have since been patched. The warning, issued on 5 May 2014 by the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) focuses on Hospira’s LifeCare PCA Infusion System, an intravenous pump used to deliver medication to patients. ICS-CERT said that a security researcher, Billy Rios, had approached it more than a year ago after identifying “an improper authorization vulnerability and an insufficient verification of data authenticity vulnerability in Hospira’s LifeCare PCA Infusion System.”



+ Is it time for a cyber HMO?

The problem with many of the cybersecurity solutions offered today is that they often bear no relation to the problem at hand. Cyber insurers, like many others, assume that cyberattacks will successfully strike a company only infrequently. The reality is that cyberattacks are a constant threat, much more akin to medical claims than property or casualty claims. We know they will occur on a regular basis, and so insurers need to establish an infrastructure that supports constant care over a lifetime. Following on the health-care analogy, cyber insurers should view their policies through the lens of a health insurance model and not a general liability or casualty policy. In my mind, it follows then that cyber insurers should develop cyber policies using an “HMO” model.



+ India and Japan form cyber alliance

India has called on Japan for help in combating cybercrime. Indian officials from the Ministry of Telecom and the Department of Electronics and Information Technology (DeitY) met with a visiting Japanese trade delegation led by Minister of Economy and Trade Yoichi Miyazawa according to the Economic Times. The parties discussed a variety of topics ranging from securing government information in the cloud to India’s cybersecurity laws. Indian officials solicited Japan’s help with technology that could prevent cyber attacks and data breaches, a source told the Times.



+ DoD grants new security approvals to 23 cloud providers

The Defense Department announced security approvals for nearly two dozen cloud computing products on Monday, showing modest progress in DoD’s slow advance toward commercial cloud adoption and making good on a promise to put more of its trust in the cloud security process used by the rest of the government. All 23 of the cloud offerings the department approved for use by military departments and defense agencies had already met the “moderate” security baseline under the governmentwide Federal Risk and Authorization Management Program (FedRAMP).



+  DHS certifies first cyber products under SAFETY Act

The Department of Homeland Security (DHS) has certified the first cybersecurity products ever under the SAFETY Act, a post-9/11 program that provides a level of liability protection to companies that use certain products to enhance their security.  Customers that employ FireEye’s Multi-Vector Virtual Execution engine and Dynamic Threat Intelligence platform are now protected from lawsuits or claims alleging that the products failed to prevent an act of cyberterrorism, the company said.  FireEye is a leader in the cybersecurity industry for incident prevention and response. The certification of its products is seen as a landmark event in the government’s effort to step up U.S. cyber defenses.

FireEye customers get liability shield thanks to SAFETY Act



+ Senate panel raises privacy concerns in White House hacking incident

The U.S. Senate Commerce Committee has written President Barack Obama over concerns that a recently reported data breach on the White House computer system might have compromised the personal information of many Americans. “Just like any entity that handles personally-identifiable information, the White House has a responsibility to notify Americans if the recent, or any future breach, results in a compromise,” the committee chairman, John Thune, said in a statement on Sunday accompanying the letter.



+ Your new credit card may not be as safe as you think

There’s a good chance that if you’ve added a new credit card to your wallet this year, you’ve noticed something a little different. Many of them are now equipped with chip technology known as EMV. As the threat of data breaches intensifies, card issuers have been slowly rolling out these chip-enabled cards to customers because they – along with retailers and cybersecurity experts – believe the technology is far more secure than the magnetic stripe cards that Americans have been swiping for decades. This technology has been in place in Europe for years, and so the conventional wisdom has been that American consumers will enjoy the same fraud protection as their overseas counterparts as soon as the shift to EMV is complete. But in many cases, that’s not quite true.



+ Survey: C-level tech execs most responsible for breaches

As the data breach epidemic rages on, the question of corporate liability has been front and center. It turns out that many security-industry folks believe that C-level technology executives would and should be the ones held responsible for compromises, new research has revealed. According to a survey by Tripwire of 250 attendees at RSA Conference USA 2015 and BSidesSF 2015 in San Francisco last week, technology leaders within firms are the ones who should be on the hook for security, in spite of pervasive vulnerabilities being present on many fronts that are leading to devastating cyber-attacks across a broad range of industries.



+ RSA president questions government role in cybersecurity

The president of one of the world’s biggest computer security vendors says he is skeptical that a stronger government role in cyberdefense will abate the growing number of attacks. In an interview with IDG News Service, Amit Yoran, president of RSA, also rejected calls by U.S. intelligence chiefs for industry to tread carefully in deploying more encryption in case it cuts off their ability to eavesdrop on communications by suspected criminals. “The government is not the answer here,” he said, when asked about White House proposals for sharing of cybersecurity information. Despite the growing severity of attacks and a feeling that the government should “do something,” the issue is best left to private companies, because they are the ones developing networks and the technology that defends them, he said.



+ As sensors shrink, watch as ‘wearables’ disappear

Forget ‘wearables’, and even ‘hearables’. The next big thing in mobile devices: ‘disappearables’. Even as the new Apple Watch piques consumer interest in wrist-worn devices, the pace of innovation and the tumbling cost, and size, of components will make wearables smaller – so small, some in the industry say, that no one will see them. Within five years, wearables like the Watch could be overtaken by hearables – devices with tiny chips and sensors that can fit inside your ear. They, in turn, could be superseded by disappearables – technology tucked inside your clothing, or even inside your body.



+ NSF seeks input on cybersecurity strategic plan for federal agencies

The National Science Foundation wants feedback on how the government should focus cybersecurity research and development in order to guide and coordinate federally funded studies. The Cybersecurity Enhancement Act of 2014 requires federal agencies to come up with a cybersecurity research and development strategic plan, according to the RFI published April 27 in the Federal Register. The Cyber Security and Information Assurance Research and Development Senior Steering Group is seeking the information on behalf of the agencies involved.



+ Survey finds CEOs, boards getting increasingly involved in security policy

Netskope recently announced the results of a survey of 100 2015 RSA Conference attendees, which found that 69 percent of respondents’ CEOs or boards of directors had queried their security teams regarding specific security policies in the wake of recent high-profile breaches. Those queries covered a variety of topics — 28 percent were focused on cloud or SaaS technologies, while 27 percent were focused on mobile device security and network security. Almost two thirds of respondents said they have changed, or plan to change, cloud-specific security methods since the Anthem security breach — and more than half said their cloud-specific security methods have changed as a direct result of CEO or board-level conversations.



+ Cyber risk the most serious threat to business, says Lloyd’s chief

Lloyd’s of London, one of the largest insurance markets in the world, has experienced rapid growth in the demand for insurance against cyber attacks. Inga Beale, chief executive of Lloyd’s, said: “Cyber risk poses the most serious threat to businesses and national economies, and it’s an issue that’s not going to go away. The London market has a long, proud history of finding innovative solutions to insuring large, complex risks that are challenging to underwrite locally.”



+ Will the Seventh Circuit Lower the Harm Bar?

With the rising tide of data breaches has come a flood of breach-related lawsuits, many of which fall flat when measured up against the Clapper definition of “certainly impending” harm.



+ Privacy and the Profit Motive



+ Healthcare Data Breaches From Cyberattacks, Criminals Eclipse Employee Error For The First Time



+ Total Cost of Ownership vs. Managed Services for Security

Managed security pays for itself quickly and easily justifies the expense



+ Russia’s Greatest Weapon May Be Its Hackers



+ Zero-Days Remained Unpatched an Average of 59 Days



+ New cyberthreats: Defending against the digital invasion



+++ “THE” Best Hacker Tools Online – REALLY – LOTS of them!

Wireless, Wifi hacking, firewall hacking, digital forensic tools, fuzzers, intrusion detection, packet crafting, password crackers, port scanners and rootkit detectors



+ Ten Cybersecurity Concerns for Every Board of Directors



+ Risk Managers See Reputation Damage as Top Threat



+ Nine Years Later, IT Security Is Even More Important To Business



+ Your iPhones Are Not Secure



+ These 3 Steps Could Prevent 85 Percent of All Data Breaches





2  +++++++


+Why geofencing will become the next endpoint security innovation

As data breaches continue to grow in complexity, severity and frequency, and organizations face growing threats – internal and external, deliberate and unintentional  – new and more advanced technologies are needed to keep critical information safe. As demonstrated by the Anthem Insurance breach in the US, when sensitive information gets in the wrong hands, it can be incredibly costly – experts are estimating it could cost the company upwards of US$100 million in this case. While the mainstream media loves to run headlines about the world of data breaches, the cause is usually that the company does not have the proper systems in place. There are solutions available right now, one of the most promising of which is geofencing. By using this solution as part of a larger data loss prevention (DLP) strategy, organizations can control access to devices, and applications on these devices, within a certain physical perimeter.



+ The rapid evolution of cyber diplomacy

Christopher Painter, the United States’ top cyber diplomat, says the nations’ No. 1 cybersecurity priority is getting nations to agree not to attack their respective critical infrastructures. “This is not something that we came up with just because we thought it was a good idea,” Painter, the State Department’s coordinator for cyber issues, says in an interview with Information Security Media Group. “We thought this would have universal attractiveness and applicability that countries, whether we agreed with them or not on a range of issues, would find is something that they could adhere to.”



+ Maritime cybersecurity firm: 37% of Microsoft servers on ships vulnerable to hacking

A recent Department of Homeland Security Inspector General report focused mostly on U.S. Coast Guard insider threats, stating, “Trusted insiders could use their access or insider knowledge to exploit USCG’s physical and technical vulnerabilities with the intent to cause harm.” The audit also found numerous issues involving thumb drives and removable media that could be connected to Coast Guard IT systems and used to remove sensitive info, as well as issues allowing sensitive info to be sent via email. The IG also found unlocked USCG network equipment and server rooms, unsecured wireless routers and laptops.



+ The truth about smartphone apps that secretly connect to user tracking and ad sites

There are essentially two starkly different environments in which to download apps. The first is Apple’s app store, which carefully vets apps before allowing only those deemed fit to appear. The second is the Google Play store, which is more open because Google exercises a lighter touch in vetting apps, only excluding those that are obviously malicious. But because Google Play is more open, the apps it offers span a much wider quality range. Many connect to ad-related sites and tracking sites while some connect to much more dubious sites that are associated with malware. But here’s the problem: this activity often takes place without the owner being aware of what is going on. That’s something that most smartphone users would be appalled to discover, if only they were able to.



+ Researchers plan to demonstrate a wireless car hack this summer

A note of caution to anyone who works on the security team of a major automobile manufacturer: Don’t plan your summer vacation just yet. At the Black Hat and Defcon security conferences this August, security researchers Charlie Miller and Chris Valasek have announced they plan to wirelessly hack the digital network of a car or truck. That network, known as the CAN bus, is the connected system of computers that influences everything from the vehicle’s horn and seat belts to its steering and brakes. And their upcoming public demonstrations may be the most definitive proof yet of cars’ vulnerability to remote attacks, the result of more than two years of work since Miller and Valasek first received a DARPA grant to investigate cars’ security in 2013.



+ New DOJ guidance offers tips for cyber incident response

During one of her first public appearances since being sworn in, Attorney General Loretta Lynch said she will focus on investigating and prosecuting cyber crimes and stressed the need for law enforcement to work with the private sector to achieve true cybersecurity. “We have a mutual and compelling interest in developing comprehensive strategies for confronting this threat and it is imperative that our strategies evolve along with those of the hackers searching for new areas of weakness,” Lynch said at a cybersecurity roundtable with industry hosted by the Criminal Division on April 29. “But we can only meet that challenge if law enforcement and private companies share the effort and work in cooperation with each other.” To help meet this challenge, Justice announced the release of a new guidance document outlining best practices for companies developing a response plan or reacting to a breach.



+ Threats on government networks remain undetected for 16 days

Government cyber security professionals estimate that cyber threats exist on their networks for an average of 16 days before they are detected – hiding in plain sight. The good news is that 86 percent say big data analytics will improve cyber security efforts. But, just 28 percent are fully leveraging big data for security purposes today. A new MeriTalk and Splunk report examines the state of cyber security in Federal, state and local government agencies, and identifies steps to empower these organizations to make the shift from compliance to risk management to see better security outcomes.



+ US plays host to largest number of phishing sites

According to a report from endpoint security solution provider Webroot, the US is the largest host of phishing sites with over 75% of sites being within its borders. In terms of malicious IP addresses, 31% of IP addresses are based in the US, followed by China with 23% and Russia with 10%. Asian regions are hosts to half of active malicious IP addresses, with as many as 85,000 new malicious IPs launched every day. Top phishing targets of these malicious IP addresses are technology companies and financial institutions, with over 9,000 attempts detected per technology company, while nearly 900 phishing attempts were detected per financial institution.



+ Federal Appeals Court Rules NSA Data Collection Not Authorized by Patriot Act

A US Federal Appeals Court has found the National Security Agency’s (NSA’s) wholesale collection of cellphone communication metadata to be illegal. The court did not address the constitutionality of the practice, but instead said that the scope of the operation exceeds what Congress authorized in section 215 of the Patriot Act, which was passed in the wake of the September 11, 2001 attacks. The original case was brought by the American Civil Liberties Union (ACLU) and was dismissed by a lower court in 2013.



+ Cybercriminals Targeting Healthcare Data

According to a new study on Privacy and Security of Healthcare Data, criminal attacks have now passed insider negligence as the main cause of data loss and theft in the healthcare industry, which is not well prepared. With “some exceptions, … healthcare providers either lack the resources, staff, or technical innovations to meet the changing cyber-threat environment.” Half of the healthcare organizations surveyed said they had “little or no confidence” that they would be able to detect every data loss or theft. And nearly two-thirds of healthcare providers and affiliated businesses offer no protection services for patients whose data are stolen.



+ Superfish Responsible for Majority of Injected Ads on Google Sites

A study conducted by Google and University of California Berkeley and Santa Barbara researchers found that at least five percent of browser visits to Google websites experience injected ads. Adware known as Superfish is responsible for the majority of the interference. The study examined more than 102 million Google page views between June and September 2014.



+ Cyber Threat Intelligence (CTI) Survey

As malware has become more commercialized, attackers are leveraging the same attack kits again and again. Cyber Threat Intelligence (CTI) offers the ability to detect attacks carried out using methods previously reported by others in the threat intelligence network. As a result, more organizations are implementing CTI to improve early detection and response capabilities.

Harnessing The Power Of Cyber Threat Intelligence



+ DoD Release of the Report of Military and Security Developments in China

Department of Defense released the “Military and Security Developments Involving the People’s Republic of China”. This annual report informs Congress of the Department of Defense’s assessment of military and security developments involving China.



+ SC Magazine eBook on Insider Threat (2015)

Insiders come in various flavors, ranging from those with criminal intent to sell PII and credit card account numbers on the black market to absent-minded employees who lose a company-owned mobile device or forget to log out of their desktop at the end of the work day. As well, there are those employees who ordinarily would adhere to ethical principles, but find themselves susceptible to crossing the line for what they see as an easy payoff.

Specifically for the financial sector

AND the top 10 database threats



+ 3 Of 4 Global 2000 Companies Still Vulnerable To Heartbleed

Unfortunately, this is expected, as poor cyber hygiene (and lack of effective access control) accounts for the vast majority of security incidents. Many authoritative sources (NSA, the Verizon Data Breach report) state that not doing these basic security tasks causes 85% of the problems; there is even a national cyber hygiene campaign to try to get folks to take care of the 4-5 key aspects of their cyber environment.

The recent report enclosed below is but one report. Sadly, these simple tasks are part of what should be in standard operational security processes and thus cost very little to manage. (The three tasks were: minimize privileged accounts, application whitelisting, and patching.)



+ ISACA Issues Special Report on New US Cybersecurity Legislation



+ Russia and China promise not to hack each other



+ China’s draft national security law calls for cyberspace ‘sovereignty’

BEIJING (Reuters) – China has included cybersecurity in a draft national security law, the latest in a string of moves by Beijing to bolster the legal framework protecting the country’s information technology.



+ C-Level Executives and the Need for Increased Cybersecurity Literacy



+ Cybersecurity competition for schoolchildren .. STEM-C



+ How serious is Cybercrime in the US?



+ The Rise of the Chief Security Officer: What It Means for Corporations and Customers





3  +++++++



+ Microsoft bangs the cybersecurity drum with Advanced Threat Analytics

Microsoft announced a raft of security and data protection software on the first day of its Ignite conference. The company said that attacks on companies were increasingly using legitimate tools: organizations are being compromised through access made with valid (albeit stolen or otherwise compromised) user credentials, rather than malware, with a Verizon report saying that more than 75 percent of breaches occur this way. This needs a different approach to network security, Microsoft says, and new software built to sniff out anomalous activity, even if it looks superficially legitimate. In November last year, Microsoft bought enterprise security firm Aorato, and at Ignite it announced a product based on this purchase: Microsoft Advanced Threat Analytics (ATA), now available in preview.



+ New ‘Rombertik’ malware destroys master boot record if analysis function detected

While malware that scans for analysis tools is nothing new, Cisco researchers have identified a new malware sample that takes its detection evasion features one step further than the average malware. Instead of simply self-destructing when analysis tools are detected, Rombertik attempts to destroy the device’s master boot record (MBR), researchers wrote in a blog post. This malware spreads through spam and phishing messages sent to possible victims. In one example, attackers attempted to convince a user to download an attached document in an email. If downloaded and unzipped, a file that looks like a document thumbnail comes up. Although it mimics a PDF icon, it is actually a .SCR screensaver executable file containing the malware.



+ New AlphaCrypt ransomware delivered via Angler EK

Yet another type of ransomware has been detected by malware researchers. Dubbed AlphaCrypt, it appropriates the look of TeslaCrypt, but operates similarly to Cryptowall 3.0. “While this may look identical to TeslaCrypt it does have some improvements like deleting the VSS to make sure you aren’t saved by your shadow volume,” Webroot researchers shared. It also makes sure to execute the process quietly (i.e. that no messages are shown to the victim). The criminals are asking for the ransom to be paid in Bitcoin, which ensures anonymity and easy laundering of the money via Bitcoin mixers.



+ Breach tally shows more hacker attacks

The official federal tally of major health care breaches shows that the healthcare sector continues to be a growing target for hackers, including those waging phishing attacks. As of April 29, the Department of Health and Human Services’ “wall of shame” website of breaches affecting 500 or more individuals shows 1,213 incidents affecting more than 133.2 million individuals since September 2009, when the HIPAA breach notification rule went into effect. One incident, the recent hacking attack against health insurer Anthem, Inc., accounts for 78.8 million of those victims.



+ Unnoticed for years, malware turned Linux and BSD servers into spamming machines

For over 5 years, and perhaps even longer, servers around the world running Linux and BSD operating systems have been targeted by an individual or group that compromised them via a backdoor Trojan, then made them send out spam, ESET researchers have found.  What’s more, it seems that the spammers are connected with a software company called Yellsoft, which sells DirectMailer, a “system for automated e-mail distribution” that allows users to send out anonymous email. This operation succeeded in remaining hidden for so long thanks to several factors: the sophistication of the malware used, its stealth and persistence, the fact the spammers aren’t constantly infecting new machines, and that each of the infected machines wasn’t made to blast out spam all the time.



+ VA thwarts over a billion cyber threats – just in March

The Department of Veterans Affairs experienced a significant surge in cyber threats in March, Chief Information Officer Stephen Warren said during a Thursday call with reporters. The department blocked 1.19 billion malware instances and 358 million intrusion attempts into VA systems in March alone, Warren said. This number is up since February, when VA reported blocking 930 million malware instances and 4.3 million intrusion attempts.



+ Medical Infusion Pump Vulnerability

The US Department of Homeland Security’s (DHS’s) ICS-CERT has issued an advisory about a security issue in a medical infusion pump distributed by Hospira. Versions 5.0 and earlier of the LifeCare PCA Infusion System contain an improper authorization flaw and inadequate data authenticity verification. It could allow unauthorized users to modify the pump’s configuration. The problem lies in an unauthenticated Telnet port.



+ CyberLock Lawyers Invoke DMCA to Halt Vulnerability Disclosure

Lawyers for electronic lock manufacturer CyberLock have sent two letters to individuals demanding that they refrain from disclosing information about vulnerabilities in the company’s products. The letters, which invoke the Digital Millennium Copyright Act (DMCA), were sent after the recipients attempted to contact CyberLock to notify them about the security issues.



+ US Legislators: Encryption Backdoors Undermine Security

A hearing at the House Government Oversight and Reform Committee’s Information Technology Subcommittee saw heated discussion regarding encryption. Law enforcement officials argued that stronger encryption is aiding criminals and impeding their ability to gather evidence; they are concerned about encryption available on new smartphones. Legislators said that the FBI’s request for mandatory encryption backdoors in smartphones would put all users of those devices at risk because they create vulnerabilities that could be exploited by criminals. Legislators pointed out that there is no way to create a backdoor that is accessible only to “good guys.” Representative Ted Lieu (D-California) noted that the companies that are providing the stronger encryption are doing so in answer to demand from citizens who are fed up with having their Fourth Amendment rights violated.



+ SANS ICS Defense Use Case (DUC) 3: Analysis of recent claims suggesting a large number of Iranian ICS cyber attacks

The third Defense Use Case from the SANS ICS team is an analysis of the recent report from Norse and the American Enterprise Institute that makes claims of an increase in attacks against Industrial Control Systems. The DUC evaluates what can be learned from the Norse report while also taking the opportunity to illustrate what the cyber security community would typically deem to be a cyber attack on ICS. The DUC, available for .pdf download via the link below, is our best understanding of information that is publicly available.



+ Preventing Insider Threats Starts with the Basics:

Recent statistics show that almost 87% of organizations have experienced a security breach in the last 12 months. Download this informative event summary based on the recent event titled “Insider Threat Detection and Mitigation” to learn what you need to do to protect your organization from potential threats.  Focus must first be on the basics, such as training and awareness, while incorporating sophisticated data analysis tools to be successful.



+ 3 Ways Attackers Will Own Your SAP

SAP vulnerabilities that have been highlighted for years are now becoming attackers’ favorite means of breaking into enterprises.



+++ DDoS Attacks



+ Top DNS Threats and How to Deal with Them



+  A peek inside the cybercriminal’s toolkit



+ Dyre Trojan Adds New Sandbox-Evasion Feature

New tactic makes it that much harder to detect, says Seculert





+++  SD/SoCAL security events / opportunities +++


+ CyberTECH events / networking / startups / etc  —  THE cyber happening place in SD!!! 

Join their Meetup Group for the latest event information! The definition of “Cyber KEWEL”





13 – ISC2 – 6PM – HVAC interconnectivity and security concerns BY: Mike Schell – from Codenomics

Location – BAH (Suite 200, 4055 Hancock Street, San Diego, CA 92110 USA).


15 – 8 – 12:30 – NDIA Small Business (Cyber) Forum

½ day on how SMBs can be cyber-safe, PLUS learn about the FAR / DFAR cyber rules on “CUI”

Registration link is:


21  – ISACA –   noon – 2PM  –   Women in Technology – Networking Event


28  – ISSA – 11:30AM – (4th Thur) –   “TBD”


30 OWASP –  6PM –   WebApp Pentesting Training (waitlist)



LOCATION:  Qualcomm’s Irwin Jacob’s Hall, 5775 Morehouse Drive, San Diego, California 92121.

AGENDA:   this year’s theme is “Developing the Whole Security Professional.” The event will provide you and your security team with an unequalled opportunity to hear topics relevant to today’s ever-changing security environment.  Highlight:  we will have an insider threat panel – a unique opportunity to learn from established experts on how to create and maintain a successful and compliant Insider Threat Program whether you are a large facility or a small organization.  ( $80…)



