Welcome to Cyber News Tidbits 4U!

Here are updated news compilations from the Cyber Security Community

Topic headers (+++):

1 – Security news you can likely use (re: management / opportunity items)

2 – Other items of general FYI / FYSA level interest

3 – Threats / bad news stuff / etc.

4 – SD/SoCAL items of interest / opportunities (send me your SD meetings!)

Another periodic cyber security news gram / digest / tidbits,

(.. and… TWO weeks’ worth again this time – so.. a tad long, but not too much!)

Arranged top down, in a couple of ‘likely’ interest levels as before… with more short snippets, fewer threats and only a few local events (at the very bottom)

Feedback is always welcome, as is sending me articles to share: cyber information sharing in action!

July 26

+ Senators want to give DHS new CYBERCOM-like powers to thwart agency hacks

Senators from both parties are pushing to position the Department of Homeland Security as the U.S. Cyber command of the civilian government, after many agencies refused to fall into line on information security last year. Following the largest known hack of U.S. federal employee information, a bipartisan group of six lawmakers believes there is now enough momentum to grant DHS power over government networks. Just as CYBERCOM monitors and blocks threats to the military network, DHS, under proposed legislation, would scan for and repel attacks against the dot-gov domain.


+ U.S. vs. hackers: Still lopsided despite years of warnings and a recent push

In the month since a devastating computer systems breach at the Office of Personnel Management, digital Swat teams have been racing to plug the most glaring security holes in government computer networks and prevent another embarrassing theft of personal information, financial data and national security secrets. But senior cybersecurity officials, lawmakers and technology experts said in interviews that the 30-day “cybersprint” ordered by President Obama after the attacks is little more than digital triage on federal computer networks that are cobbled together with out-of-date equipment and defended with the software equivalent of Bubble Wrap.


+ Where’s the new Federal cyber strategy?

Federal CIO Tony Scott told federal agencies to hurry up and “sprint.” Now it’s hurry up and wait.

He promised that the results of the federal cyber sprint would be made public July 20. But his office — wrestling with the influx of data and the crafting of a government-wide cyber strategy — has yet to release the highly anticipated report. The Office of Management and Budget has declined to officially offer an alternate publication date; a source familiar with the review could only say results would be published “later this summer.”


+ Cybersecurity pros make final push to quash proposed export restrictions

With just three days left to comment on a controversial plan to stymie US exports of surveillance technology, many cybersecurity professionals are making their final pleas to kill the proposed trade restrictions. While many in the security community agree in spirit with the plan from the Department of Commerce’s Bureau of Industry and Security to limit overseas sales of spyware, especially to oppressive regimes, they also say the recommended pact is so broad and vague that it could harm the entire cybersecurity industry.


+ NSA’s new project is a cyber security tool

A tool devised by the National Security Agency to “maintain a specific security posture” is now available as an open source project — the first offering on the agency’s recently inaugurated GitHub page. The Systems Integrity Management Platform (SIMP) tool uses the Puppet framework to ensure network systems running Red Hat Linux remain compliant with established security standards. Less clear, given NSA’s reputation, is whether anyone outside of a government agency operating under a mandate will use it.


+ NATO study finds vulnerabilities in cross-border information infrastructure

Despite the current focus on cybersecurity in relation to foreign operators, one of the least explored areas of cyber vulnerabilities is cross-border dependency on cyber infrastructure, a new report finds. Banking and telecommunications increasingly rely on information infrastructure that could be located abroad or depend on systems beyond a country’s jurisdiction, but legal and regulatory remedies to lessen associated risks are nearly nonexistent, according to a new study published this week by the NATO Cooperative Cyber Defence Centre of Excellence.


+ Automakers unite to prevent cars from being hacked

Today’s automobiles come loaded with software and sensors that can help drivers navigate the roads more safely and may even do away with the need for human drivers at all. However, this world of connected vehicles, with on-board computers collecting and transmitting data about location, speed, and engine performance, also leads to a much more insecure automobile landscape. This is why the Alliance of Automobile Manufacturers (AAM), an alliance of twelve automakers including Ford, General Motors, and Mercedes-Benz, said Tuesday that it is creating an information sharing and analysis center (ISAC). This center will let participating companies swap cyber security data and keep each other abreast of the latest hacking threats targeting vehicles.


+ Black Hat attendees fear a major breach but few are prepared

Almost three quarters of security pros interviewed by Black Hat USA said they think their organization will suffer a breach in the next 12 months, yet just a quarter (27%) feel they’re able to deal with it. That’s according to a new survey of 500 past attendees of the globally renowned event which reveals a worrying lack of technical and human resources to hand for many information security professionals. The majority of respondents pegged advanced targeted attacks (57%) as the number-one source of concern, yet just 26% said that tackling such an eventuality was among their top three spending priorities.


+ Too Much Innovation: The Cyber Challenge

“Electronic warfare is the same as cyber. If you put it crudely, you basically shoot pulses at a system to take it out. In cyber, you shoot bits at the system to take it out.” Peshin told us the cyber security market is very busy, with a huge number of start-ups and established companies pushing their cyber credentials. However, such a vibrant market has created a massive challenge for companies… — Implementation takes too long!!!


+ Global Cyberspace Is Safer than You Think: Real Trends in Cybercrime (really?)

What are the real trends in cybercrime? Recent media coverage has been rife with stories of large-scale data breaches, hacks and online financial crime. Information technology (IT) security firms such as Norton Symantec and Kaspersky Labs publish yearly reports that generally show the security of cyberspace to be poor and often getting worse. This paper argues that the level of security in cyberspace is actually far better than the picture described by media accounts and IT security reports…


+ The Era Of Cyber Liability:

US Court of Appeals reinstated a liability case against Neiman Marcus for potential damage to consumers from the data breach that exposed data for 350,000 Neiman Marcus customers. The company acknowledged that at least 9,200 of those accounts were later used for fraud. This appears to be the first time an appeals court has recognized the actual damage associated with consumers having to research and repair credit card accounts after data breaches.

[Note: One likely consequence will be a demand among CEOs to get definitive answers to the pair of questions they have been asking for nearly a decade: “What do I need to do to avoid liability, and how much is enough?” The growing consensus is that the minimum standard of due care will be measured around full and constantly monitored implementation of the basic “critical controls” published by NSA, the Australian ASD and the Center for Internet Security, because those are the only benchmarks that can demonstrate their controls stop attacks…]


+ InfoSec pros spend most time, money on self-inflicted problems

InfoSec professionals spend most of their time and budgets on security problems created within the organization itself…


+ How experts stay safe online and what non-experts can learn from them

Google researchers have asked 231 security experts and 294 web-users who aren’t security experts about their security best practices, and the list of top ones for each group differs considerably… (—Make sure we bridge this gap!!!)


+ What threats do security experts fear?

Enterprises spend more than $70 billion dollars annually on information security. But a survey of top security experts revealed that there is a gap between the threats most feared by the experts and what management focuses on…


+ Measuring the Quality of Commercial Threat Intelligence

One person’s quality is another person’s fluff so objective measurements will be difficult. Threat intelligence quality may ultimately be gauged through crowdsourcing and threat intelligence sharing…


+ FuTuRology: A Look at Impending Threats to Popular Technologies

How do you think the threat landscape will evolve in the next two years? Three years?…


+ Pentagon’s Silicon Valley push angers defense contractors

Ash Carter’s aggressive push to recruit more tech start-ups has miffed some of the largest defense companies…


+ 2015 Cyberthreat Defense Report

What are the emerging cyberthreats that companies should be most concerned about? How do you overcome the organizational barriers that inhibit IT security? Read the “2015 Cyberthreat Defense Report” to learn what matters most to the over 800 North American and European IT security decision makers surveyed.


+ The First Affordable Consumer 3D Printer ($400)

Okay.. this will change a LOT of potential things for the good… IF consumerism is good.. 3D food too perhaps?

And for the bad….. guns.. projectiles.. untraceable IED parts.. and who knows what else??? Then put it on a drone..


+ Cyber attack on US power grid could result in losses up to $1 trillion


+++ Top 100+ Cyber Security Blogs & Infosec Resources


2 +++++++

+ Hackers remotely kill a Jeep on the highway – with me in it

I was driving 70 mph on the edge of downtown St. Louis when the exploit began to take hold. Though I hadn’t touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system. Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass. As I tried to cope with all this, a picture of the two hackers performing these stunts appeared on the car’s digital display…


+ Homeland Security cybercrime center expands amid concerns over computer hacking

At a time of growing concern over computer hackers targeting government and private industry databases, the Department of Homeland Security on Wednesday bolstered its efforts to target cyber criminals. U.S. Immigration and Customs Enforcement (ICE), which is part of DHS, unveiled a major expansion of its cybercrime center in Fairfax, Va. The larger facility includes a forensic laboratory that grew from 1,000 to 5,000 square feet, new state-of-the-art classrooms to train agents and a new evidence vault to help store evidence for cyber cases.


+ How to avoid becoming the next OPM

The questions are flying on Capitol Hill about federal agency cybersecurity practices. As we learn more about the Office of Personnel Management breach, federal leaders are left wondering how such an incident could occur and whether other agencies are vulnerable to similar attacks. The incident prompted Federal CIO Tony Scott to initiate a 30-day cybersecurity “sprint,” recently concluded, that called on agencies to evaluate their security practices and address vulnerabilities. But federal agencies aren’t the only ones that should be reevaluating their approach to security.


+ OPM’s plan to ‘pass-the-hat’ to pay for data breach services draws ire

The Office of Personnel Management had the data of more than 21 million current and former federal employees stolen and now it wants your agency to pay for it. Acting OPM Director Beth Cobert sent an email to agencies telling them about OPM’s plans to raise its fees for security clearance services it provides in order to recoup the costs of the identity protection services it must purchase for the victims of the attack. “Given the limited resources available to OPM at this time to deal with a contract of this size, agencies will be asked to contribute FY 2015 funding to cover the first full year’s costs of credit monitoring and related services/benefits for the second incident involving 21.5M individuals,”


+ Online cheaters exposed after hackers access AshleyMadison hookup site

The secret’s out. Maybe lots of secrets. Data stolen by hackers from AshleyMadison, the online cheating site that claims 37 million users, has been posted online, according to Krebs on Security, the authoritative Web site that monitors hacking across the globe. “We apologize for this unprovoked and criminal intrusion into our customers’ information.” AshleyMadison’s slogan is “Life is short. Have an affair.” It’s an unusual and apparently very popular dating Web site for those seeking extramarital relations.


+ 2016 campaign tech tests the will of privacy advocates

Presidential campaigns this time around have a new technological ace in the hole – you. Building off two decades of digital wizardry, the campaigns are getting ready to monitor and analyze most of what you do online instantaneously. And if you forward certain political emails to your Aunt Maggie in Iowa or your old college roommate in Ohio, they’ll reward you for doing it. The technology will no doubt make it easier for campaigns to personalize their messages and respond in seconds, but it will also test the will and patience of privacy advocates who might feel a little itchy about campaigns looking over everyone’s shoulders in real time.


+ Will ID protection offer set new standard?

Blue Cross Blue Shield plans’ groundbreaking offer, in the wake of mega-breaches, of extended ID protection to all of the more than 106 million individuals covered by their insurance could set new expectations for breach response, some security experts predict. In the aftermath of a breach, compromised companies often offer free credit monitoring and identity fraud protection services for a limited period of time, generally a year or two. That’s why the July 14 announcement by the Blue Cross Blue Shield Association that each of its 36 affiliated Blues plans will begin offering free identity protection services to their members for as long as they’re enrolled in the plans’ insurance coverage is extraordinary.


+ Cybersecurity firms eye India as attacks on world’s IT hub rise

Global cybersecurity company TaaSera launched its India business on Thursday, joining a growing number of cybersecurity firms eyeing India as a growth frontier amid an expected doubling of online crime in the country. Silicon Valley-based TaaSera said India, host to some of the world’s biggest IT service companies, was vulnerable to cybercrimes on account of its growing economic progress. Increasing smartphone use, online transactions and the government’s “Digital India” initiative are opening up opportunities in an industry that is worth $77 billion globally. The number of cyber crimes in India may reach 300,000 in 2015, almost double the level of last year, according to an ASSOCHAM-Mahindra SSG study conducted this year.


+ IG: Interior has 3,000 vulnerabilities

At a hearing on the role the Interior Department played in a recent breach at the Office of Personnel Management, the Interior deputy inspector general painted a picture of how a hacker might have breached the agency’s computer system. Interior Deputy IG Mary Kendall, in remarks prepared for the July 15 House hearing, said an IG investigation of the OPM breach “found that a remote attacker could … use a compromised computer to attack the department’s internal or nonpublic computer networks.” Kendall did not link the nearly 3,000 vulnerabilities the IG found in Interior’s IT systems to the OPM breach. However, the IG office characterized the vulnerabilities found in hundreds of publicly accessible computers operated by three of the agency’s bureaus as either “critical” or “high-risk.”


+ Cybersecurity Challenges For The IoT

The traditional approach to cybersecurity is to assume trust and then take steps to manage what isn’t trusted. But as the concept of an industrial Internet of Things (IIoT) gains momentum, one of the primary challenges facing businesses is safeguarding connections between information technology (IT) and operational technology (OT).

The company, Tempered Networks, provides built-for-purpose, military-grade security appliances that are designed to “cloak” the network’s critical infrastructure using cryptographic identities to hide communications between trusted devices.


+ Why Healthcare Security Matters

Does it really matter if someone steals your healthcare records? What would a hacker do with that information? Sell it? To whom and for what purpose?… Medical records can be worth as much as 10 times more than credit card numbers on the black market. Attackers are using the information to buy medical equipment or drugs that can be resold or to file fraudulent claims with insurers. Last year, the cost of a security breach leapt 282% in healthcare.


+ 6 types of cybervillains that are no match for your data scientists

It’s time for your data scientists to put their brilliant minds to work defending against cybercriminals. Be on the lookout for these main security threats… using predictive analytics to spot the insiders..


+ Top digital trends affecting organizations today

And what you should do about them – ISACA Now



3 +++++++

+ United Airlines awards ‘bug bounty’: Is it getting cybersecurity savvy?

United is rewarding two hackers with 1 million free flight miles each for calling attention to security gaps on its website. The reward is the highest that can be given as part of the company’s new “bug bounty” scheme, which compensates hackers who opt to privately disclose security flaws instead of exploiting them or exposing them on the Internet. As aviation network vulnerabilities begin to garner headlines, airlines are seeking new ways to protect themselves from cyber threats. Many technology companies have been offering bug bounties for years, but United may be the first in the aviation industry to adopt such a method – a sign that the airline is starting to catch up with the times, experts say.


+ Nearly all websites have serious security vulnerabilities

A new Acunetix report on 5,500 companies comprising 15,000 website and network scans, performed on over 1.9 million files, finds nearly half of the web applications scanned contained a high security vulnerability such as XSS or SQL Injection, while almost 4 in 5 web applications were affected by a ‘medium security’ vulnerability. In today’s landscape, with high profile hacks and data breaches appearing in the media you might think these are the unlucky few – yet actually most companies are leaving themselves vulnerable to attacks. In the race to produce user-friendly interfaces and customer-centred apps, modern companies are leaving their (and our) precious data wide open to cyber criminals.


+ Mobile phone usage is increasing cyber security threat within US government

A recent whitepaper on cyber security in the US government reveals that the increasing number of mobile phones being used within federal agencies is escalating the risk of cyber threat from inside agencies. It also cites employees as the key to insider threats, and recommends that more money be spent addressing this issue. Titled ‘Cybersecurity in the Federal Government,’ the report commissioned by management software company, SolarWinds tackles the many challenges IT professionals currently face trying to prevent both external and internal IT security threats and attacks. It also suggests ways that government and the private sector can help to mitigate the growing risks of cyber attack.


+ Senators seek privacy, anti-hacking safeguards in cars

A pair of Democratic senators want rules requiring automakers to develop hacking and privacy protections for their cars and trucks. Sens. Ed Markey (Mass.) and Richard Blumenthal (Conn.) on Tuesday introduced the Spy Car Act, which would require the Federal Trade Commission (FTC) and the National Highway Traffic Safety Administration (NHTSA) to develop standards to protect drivers’ privacy and to guard against a potentially deadly hack of a vehicle. “Drivers shouldn’t have to choose between being connected and being protected,” Markey said in a statement. “We need clear rules of the road that protect cars from hackers and American families from data trackers.”


+ The average DDoS attack size is increasing

New global DDoS attack data from Arbor Networks shows strong growth in the average size of DDoS attacks, from both a bits-per-second and packets-per-second perspective. The largest attack monitored in Q2 was a 196GB/sec UDP flood, a large, but no longer uncommon attack size. Of most concern to enterprise networks is the growth in the average attack size. In Q2, 21% of all attacks topped 1GB/sec, while the most growth was seen in the 2-10GB/sec range. However, there was also a significant spike in the number of attacks in the 50 – 100GB/sec range in June, mainly SYN Floods targeting destinations in the US and Canada.


+ Feds shut down Darkode malware marketplace

The Justice Department shut down an online “criminal bazaar” where computer hackers bought and sold stolen databases, malicious software and other products that could cripple or steal information from computers and cellphones, authorities said Wednesday. Roughly 70 alleged cybercriminals in the United States and 19 other countries were targeted in the 18-month probe of Darkode. The secretive, members-only site was the largest-known English language malware forum in the world until the FBI got a court order to shut it down, investigators said. “We have dismantled a cyber-hornets’ nest of criminal hackers which was believed by many to be impenetrable,” U.S. Attorney David Hickton said.


+ 5 Chinese Cyber Attacks That Might Be Even Worse Than the OPM Hack

If the Chinese government is in fact behind the OPM hack, it would not be their boldest alleged move in cyberspace, only the most recent.


+ 4,900 New Android Malware Strains Discovered Every Day – Net-Security

Security experts discovered 440,267 new Android malware strains in the first quarter of 2015, which means that a new mobile malware strain for Android was discovered every 18 seconds.


+ Anonymous and ISIS engaged in bitter cyber warfare

The internet is now a war zone between the collection of hackers known as Anonymous and ISIS (Islamic State) sympathisers on social media, whom Anonymous seeks to discredit…


+ Drones — LOTS of warnings… Will we ACT?

Are We Waiting for a Drone to Take down a Plane?

July 27 – Aug. 6, the Defense Department is going to conduct a counter-drone testfest and failure is an option.

A drone firing a gun: so this is what all the regulation is about

The press called it the “Gone Girl” kidnapping. But the bizarre story of a former Marine and Harvard-trained lawyer who allegedly masterminded the abduction of a California woman is notable for more than the twists and misdirections that made it fodder for CNN. availed itself fully of the riches of the Internet age, providing a glimpse of a future where physical crime and its digital analog merge into one…


+ It’s the Data, Stupid! (Shodan Blog)

I would like to take a moment to discuss databases. Most people use Shodan to find devices that have web servers, but for a few years now I’ve also been crawling the Internet for various database software. There’s a total of 595.2 TB of data exposed on the Internet via publicly accessible MongoDB instances that don’t have any form of authentication


+ Six Technical Measures to Mitigate the Insider Threat


+++ SD/SoCAL security events / opportunities +++

+ CyberTECH events / networking / startups / etc — THE cyber happening place in SD!!!

Join their Meetup Group for the latest event information! The definition of “Cyber KEWEL”


28 – OWASP – 6PM – Pre-Blackhat/Defcon SD Drinkup

Green Flash Brewing Company



13 – ISC2 – 6PM – Care Fusion – what’s up in the Medical space? David Scott.

Location – BAH (Suite 200) 4055 Hancock Street, San Diego, CA 92110 USA


20 – ISACA – noon – Running InfoSec for America’s Finest City – Gary Hayslip – Coleman University


27 – ISSA – (4th Thurs at 11:30) – ‘Cybercrime: Operational Risk or Overblown Threat’ – Stephen Cobb

(at ADM Baker field clubhouse)


—- Global Cyber events:


July 5

—FBI Warns U.S. Companies to Be Ready for Chinese Hack Attacks

In a message obtained by The Daily Beast, the bureau strongly implies Beijing was behind the massive hack that exposed U.S. government employees’ secrets — and U.S. companies are next… The FBI warning, which was sent to companies Wednesday, includes so-called hash values for the malware, called Sakula, that can be used to search a company’s systems to see if they’ve been affected.


—Smart Cities’ 4 Biggest Security Challenges

The messiness of politics and the vulnerability of the Internet of Things in one big, unwieldy package… It’s no secret that Internet of Things devices like Nest smart meters and Fitbits are behind the curve on information security — lax encryption and access control standards for both wireless network and data security, for starters. So what about when IoT devices run a “smart city,” and the public water system, power grid, waste management, traffic control, street lighting, public transportation, and physical security systems are all as vulnerable as that Fitbit on your wrist…


—Providers grapple with cybersecurity

Anti-virus, firewalls deployed as protection, but most recognize need for more advanced strategies… Nearly 300 respondents – all of whom bear some responsibility for information security at their organizations – reported using an average of 11 different technologies to keep data safe, according to the survey. The numbers should shake any provider still blissfully ignorant of privacy threats out of their complacency: Two-thirds of health organizations polled by HIMSS for its latest cybersecurity survey say they’ve recently experienced a “significant security incident.” Despite this extra attention, staffing and technological firepower, poll respondents reported only an average level of confidence in their organization’s ability to protect infrastructure and data.


—Enterprise Threat Intelligence Programs are Immature

Seems like everyone is talking about threat intelligence these days. The feds are promoting public/private threat intelligence sharing across the executive and legislative branches while the industry is buzzing about threat intelligence feeds, sharing platforms, and advanced analytics…


—Franchising Ransomware

Ransomware-as-a-service is fueling cyberattacks. Is your organization prepared?… Cybercriminals have long been making their tools available to others, whether due to pride of authorship or as a means of raking in some extra cash. However, the ransomware-as-a-service model is relatively new and has resulted in a massive increase in ransomware attacks (as reported in the latest quarterly Threats Report). CTB-Locker and Tox are two examples of how malware uses different business models to flood the Internet with attacks, trying to catch more victims before threat notices, signature updates, and other defensive measures catch up.


—Middle-manager inaction the weak link in enterprise cyber-security

Lethargic, narrow-minded middle-managers are among the biggest remaining obstacles to consolidating enterprise cyber-security, an industry expert has warned…


—US Army Seeks Leap-Ahead Cyber Defense Tech

The US Army is seeking to equip its cyber warriors with cutting-edge networking hardware, and it is going outside the traditional acquisitions system to do it… The easily transportable “fly-away” kit of hardware and software would travel with the Army’s cyber protection teams, whose job involves hunting inside the military’s networks for intrusions and fighting off cyber attacks.


—Five Strategies for Better Cyber Protection and Defense

BitSight Technologies announces $23M in Series B funding to continue protecting businesses from cyber attacks with sophisticated cyber security ratings, as attacks are an ever-increasing board-level threat to businesses today…


—An Underwriters Laboratories for cybersecurity is long overdue

Noted security researcher Mudge left Google to launch what appears to be the cybersecurity equivalent of electronics testing outfit Underwriters Laboratories — an idea first proposed 16 years ago…



—Pentagon Releases New National Military Strategy

The Pentagon has released a new National Military Strategy, the first update to that document since 2011 — and one that warns non-traditional threats are on the rise…  The document focuses on the importance of partnerships to maintain the delicate security balance around the globe, something Pentagon officials have been pushing over the last several months.


—The FBI Most Wanted hackers. Cyber Bounty hunters!

Law enforcement is willing to pay $4.2 million to get them. The FBI has published its list of most wanted hackers; the rewards for their capture reach $4.2 million. They have stolen hundreds of millions of dollars…

1. Evgeniy Mikhailovich Bogachev | Reward: $3 million


—Spies Warned Feds About OPM Mega-Hack Danger

U.S. intelligence agencies initially refused to share data with OPM, the now-infamously insecure arm of the government. Then the spies apparently handed over their files anyway… (this abysmal saga will only get worse!)


—Android Malware On The Rise

By the end of 2015, researchers expect the number of new Android malware strains to hit 2 million…


—EVERY company is compromised, but most infections not yet at critical stage

In a recent analysis of a quarter-million endpoint devices in 40 enterprises, every single corporate network showed evidence of a targeted intrusion but most of the activity was not yet at the most-dangerous data exfiltration stage…


—European businesses use an average 897 cloud services

Firms download a new cloud service every day, but security is still a major concern… The number of cloud apps used by European businesses has grown 61 per cent year-on-year. This is according to a survey of 2.5 million European employees across 12,000 cloud services.


—4 Signs Your Board Thinks Security Readiness Is Better Than It Is

Ponemon Institute survey shows a gap in perception between boards of directors and IT executives when it comes to IT risk posture…


—‘Personal’ Dark Web service removes corporate cyberthreat blindness

The new service dives into the murky Dark Web to track your stolen data, hacktivism, insider threats and hackers willing to break into your network… (seems useful.. “OSI on the dark side”.. but can you trust them???)


—Cybersecurity is the killer app for big data analytics

Big data analytics tools will be the first line of defense to provide holistic and integrated security threat prediction, detection, and deterrence and prevention programs…


—Clever CryptoWall Spreading Via New Attacks

Top ransomware doesn’t waste time jumping on the latest Flash zero-day, and hops rides on click fraud campaigns, too… For example, within two hours, a device hijacked for relatively innocent click fraud attacks can become a conduit for far more serious kit — including CryptoWall.  As researchers at Damballa explain in their latest State of Infections Report, operators of the RuthlessTreeMafia click fraud malware campaign infect client machines via the Asprox botnet. As a second revenue stream, they sell other attackers access to those bots.


—Intelligence community loves its new Amazon cloud

The new Amazon Web Services-built CIA cloud is more secure and capable than legacy systems, according to intelligence IT officials speaking at an AWS event…  (btw, I love the new ‘legacy’ term — “heritage” system.. sounds almost noble…  even for us “SaaS” users… )


—FFIEC Cybersecurity Assessment Tool

In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool (Assessment) to help institutions identify their risks and determine…


—Cloud Security Buyer’s Guide

In order to limit business disruption from data loss, organizations need to ensure that cloud services such as Office 365, Salesforce, Box and AWS are secured. This buyer’s guide helps identify critical capabilities that are required to address the security of an organization’s cloud services.


—Cyber losses – Anthem sued for alleged negligence leading to data breach


—Don’t Let the IT Security Paradigm Shift Leave You Stranded


—OPM Temporarily Shuts Down Background Check App to Fix Security Hole..e-Qip

4-6 weeks shutdown. Good they are taking security seriously.


—Billion Dollar Unicorns: Lookout Getting Ready for an IPO


—What DHS must do now after largest cyber attack ever


2  +++++++

— Four in five execs think conventional security is not enough for cloud environments

A C-level study showed a distinct lack of trust in cloud storage for fully securing corporate data. Now, a new survey from CloudPassage sheds light on the security executive perspective: 80% of security execs in North America don’t believe conventional network security solutions are enough to protect their cloud computing environments…


—Is the information security industry having a midlife crisis?

The information security industry is hot right now, but it’s hot because it’s failing. Focusing on awesomeness and a plan B can help get InfoSec out of its slump… Plan B accepts that hackers will get unauthorized access, but what is key for security is making sure that what they take they can’t really use.


—Injection Attacks on 802.11n MAC Frame Aggregation

The ability to inject packets into a network is known to be an important tool for attackers: it allows them to exploit or probe for potential vulnerabilities residing on the connected hosts. In this paper, we present a novel practical methodology for injecting arbitrary frames into wireless networks, by using the Packet-In-Packet (PIP) technique to exploit the frame aggregation mechanism introduced in the 802.11n standard. The paper also shows how an attacker can apply this methodology over a WAN — without physical proximity to the wireless network and without requiring a wireless interface card…


—Hundreds of .gov credentials found in public hacker dumps

It’s no surprise that careless government employees use their .gov email addresses to sign up for all sorts of personal accounts. But when those insecure third party services are breached by hackers—and if those employees were foolish enough to reuse their .gov passwords, too—that carelessness can offer a dead-simple backdoor into federal agencies, with none of the usual “sophisticated Chinese attackers” required. The security intelligence firm Recorded Future on Wednesday released a report that details its scouring of online email addresses and passwords revealed when hacker groups breach third party websites and dump their booty on the web. Searching through those user data dumps from November 2013 to November 2014 on public websites like Pastebin—not even on dark web sites or private forums—Recorded Future found 224 government staffers’ data from 12 federal agencies that don’t consistently use two-factor authentication to protect their basic user access.


—Facebook is now able to recognize you without even seeing your face

Privacy on Facebook has always been controversial and its latest artificial intelligence algorithm will not be an exception. Facebook’s artificial intelligence team is testing out an algorithm that can recognize people in photos even if they are not looking at the camera. According to New Scientist, the algorithm is able to identify people by reviewing hairdos, clothing, postures and body shapes. Facebook’s head of artificial intelligence Yann LeCun used CEO Mark Zuckerberg as an example of how the algorithm recognizes fashion preferences since he is known for always wearing a gray T-shirt.


—Start with Security: A Guide for Business by the FTC

When managing your network, developing an app, or even organizing paper files, sound security is no accident. Companies that consider security from the start assess their options and make reasonable choices based on the nature of their business and the sensitivity of the information involved.


—Securing Single Points of Compromise (SPoC) (SANS)

Securing the single points of compromise that provide central services to the institution’s environment is paramount to success when trying to protect the business. Time Based Security mandates protection (erecting and ensuring effective controls) that lasts longer than the time to detect and react to a compromise. When enterprise protections fail, providing additional layered controls for these central services provides more time to detect and react.


—Class-Action Suit Alleges OPM Officials Failed to Protect Employees’ Data

A class-action lawsuit filed by a government employees’ union against the Office of Personnel Management as a result of the massive data breach at OPM that affects more than 18 million people alleges that not only did the agency know about vulnerabilities in its network long before the attack, but that the agency’s director and CIO both broke federal laws by ignoring directives to fix the weaknesses.


—Which industries best safeguard your personal information? Security perceptions vs. reality

When it comes to your personal information, which industries do you trust most, or least, with your data? How do some of the recent, highly publicized breaches such as those at Target, Home Depot and the Office of Personnel Management affect your opinion in terms of which industries are most vulnerable, and how does this compare to reality?…


—5 Ways Lax Security Makes Small Businesses Cyber-Morsels for Computer Criminals

Most small businesses don’t have the budget, expertise, staff or time to manage security programs on their own. It’s a longstanding problem, as pointed out in a survey of small businesses conducted by the Ponemon Institute, which found that 55 percent of respondents experienced a data breach.


—IT Pros Believe Cyberattacks Are Under-reported

Despite devastating cyber-attacks being reported daily in today’s media, most IT professionals believe that the true state of affairs is being significantly underreported…


—Bromium Survey Finds Increased Concern About Legacy Solutions

Bromium announced the results of a new survey, “Enterprise Security Confidence Report.” For the survey, more than 125 information security professionals were asked about the greatest risks facing organizations today and the effectiveness of different solutions and architectures. The results show that while concern for end-user risk persists, confidence is waning in traditional detection-based security solutions, such as antivirus and firewalls. Instead, interest is shifting toward prevention-based security solutions, such as endpoint threat isolation…


—Enhancing Resilience Through Cyber Incident Data Sharing and Analysis:

The Value Proposition for a Cyber Incident Data Repository (Department of Homeland Security). This paper outlines the potential benefits of a trusted cyber incident data repository that enterprise risk owners and insurers could use to anonymously share, store, aggregate, and analyze sensitive cyber incident data. Optimally, such a repository could enable a novel information sharing capability…


—Considerations in Drafting Limitations of Liability for Data Breaches

Until very recently, it was considered a matter of course in a services agreement for any data disclosure or loss, regardless of cause, to be excluded from any and all limitations of the vendor’s liability. However, as data breaches continue to change the risk landscape of the business world, third-party vendors increasingly insist on limiting their liability for damages related to data breaches. In light of this, many transactions now include a “super cap”…


—Many Companies Face A Huge Security Problem In Just ONE Week.

Support for Microsoft’s Windows Server 2003 is ending on July 14. Is Yours One Of Them? Many companies don’t want to admit it, but they haven’t yet transitioned entirely to the cloud. It’s happening, of course, but it’s taking time. One recent survey by BetterCloud reported that by 2020, 62% of its 1,500 customers will be running 100% of their information technology in the cloud.


—Building a Capability Development Work Force For the Cyber Age

Greater agility, flexibility and imagination will help field capabilities to meet the “speed of need”…


—Microsoft quietly pushes 17 new trusted root certificates to all Windows systems

The aging foundation of Certificate Authorities shows yet another crack as security experts are caught unaware… just last year Microsoft was caught in the embarrassing position of yanking 45 bogus certificates issued under the root certificate authority of the government of India’s Controller of Certifying Authorities.


—How to Protect Your Aging Network

The Office of Personnel Management breach was the most recent and public example of the damage aging networks can help deliver to an organization: a lack of standard practices such as encryption, data masking, and redaction that prevent many attacks… Many in the media focus on attribution, with very little focus on the root cause. No one should lose valuable information where at the root cause there is a known remedy. For me, that is unforgivable in this day and age.. Networks in the Americas are among the most vulnerable and dated, the solution provider’s annual Network Barometer Report said. Almost three-fourths cannot support organizations’ expanding reliance on mobility and 79 percent do not support IPv6, it found. And I’ve got to tell you, too much of this distraction around attribution takes away from focusing on what’s really important here — doing the cyber basics well.. upgrading even that dated network!


—Cyber Resilience And Spear Phishing

Balanced security capability, defense in depth, integrated countermeasures, and a threat-intelligence strategy are critical to defending your business from spear-phishing attacks…


—Small businesses – The next target for heavyweight hackers

Small organizations store valuable data that give hackers big returns, such as credit card numbers, medical records, or personal information.


—Your IT Support Provider Sucks? Here Are 5 Reasons Why!

We see it time and time again. Companies that complain about how slow their support is. Their IT provider doesn’t provide insight into strategy, new technologies or risk. Here’s why they aren’t getting the job done.

1 – They weren’t organized

2 – They were too cheap

3 – They didn’t have the right staff

4 – They didn’t standardize across clients

5 – They took on more than they could chew


—6 reasons why there will be another OPM-style hack

Congress might fume about the security failures, but the truth is that it’s part of the problem…

1. We always hit the snooze button

2. We fail to learn from past hacks

3. We underestimate the true value of information

4. We don’t give security adequate funding

5. We get suckered into low-bid contracts

6. We suffer from ‘detection deficit disorder’


—5 ways to stop the Internet of Things from becoming the Internet of Thieves

The Internet of Things is here and is now on your wrist, in your pocket, in your car, and maybe even in your socks. From smart watches and self-driving cars to smart toothbrushes and digital socks that track your steps, we are living in a world where no device is an island… By 2020, according to IDC, there will be more than 30 billion connected devices – more than triple the current number, which already dwarfs digitally linked people.

1. Secure operating systems (securely update “over-the-air” and across untrusted connections…)

2. Unique identifiers for each device, especially when devices are interacting in a machine-to-machine (M2M) environment

3. Strong authentication and access control

4. Data privacy protection

5. Strong application security


—6 truly shocking cyber security statistics

We’re now halfway through the year, so I thought I’d take a look back at some of the most shocking cyber security statistics so far

  • 98% of tested web apps are vulnerable to attack
  • 90% of large organizations reported suffering a security breach
  • 75% of directors are not involved in the review of cyber security risks
  • 93% of DPA breaches are caused by human error
  • Online banking fraud increases 48% year-on-year
  • 144% increase in successful cyber attacks on businesses over 4-year period


—Pen testing tool or exploit? Samples of ways hackers get in

Attackers use the same tools in attacks that pen testers use to test. Sample vulnerabilities and exploits…

  • Cross-site scripting (XSS) vulnerabilities in web applications
  • sqlmap / SQL Injection Vulnerabilities
  • Metasploit / numerous security holes
  • w3af / multiple vulnerabilities
  • WordPress 4.2 Stored XSS security hole


—CSA Announces New Working Group For Cloud Security API Standards

CipherCloud, Deloitte, InfoSys, Intel Security and SAP all on board to start developing vendor-neutral guidelines that could further accelerate CASB growth


— You Can Connect Anonymously To Wi-Fi 2.5 Miles Away ($150-200)

Proxyham is made of a Raspberry Pi computer with a Wi-Fi card, connected to three antennas, a Wi-Fi one that connects to the internet at a public space (think Starbucks or a public library) and a dual antenna that transmits at 900MHz.


3  +++++++

—The 9 Scariest Things That China Could Do with the OPM Security Clearance Data


—App security: RASP vs. WAF

The SANS Institute captures the relative capabilities and efficiencies of RASP and WAF technologies using a representative product in each category. Learn how your defense-in-depth strategy could benefit from the additional visibility of runtime protection.


—6 DIY Projects to Protect Your Digital Privacy

Kinda cool ideas.. and prototypes.. future business opportunities. Takes an anti-surveillance view.. for both data (simple Tor box.. your own shared storage… both using simple Raspberry Pis) and physical (face cloaking from image recognition… thermal distortion for drones / sensors… etc). This “anti surveillance” products trend will continue to grow.


—Do Privacy Concerns Really Change With The Internet Of Things?

Some good statistics.. Numbers.. which we know… privacy matters everywhere.. and concepts to integrate

LIKE:   Data value chain….. and…   Life management platform


—VPN vulnerabilities compromise user privacy

VPNs needed of course.. As in all security capabilities.. need to be set up right, settings verified on each use, and be enforced (no user can disable).


—Hundreds of Dark Web sites cloned and “booby trapped”

The founder of one of the Dark Web’s fledgling search engines is warning Tor users about the presence of hundreds of fake and booby trapped .onion websites… (dark web surfers beware!!!)


—Hacktivist group possibly compromised hundreds of websites

A hacker group known as Team GhostShell is publishing snippets of sensitive data allegedly stolen from the databases of hundreds of compromised websites…


—Researchers point out the holes in NoScript’s default whitelist

Security researchers Linus Särud and Matthew Bryant have recently discovered some pretty big holes in NoScript, a popular Firefox plugin that prevents executable web content such as JavaScript, Java, Flash, and other plugins from being loaded from sites users haven’t designated as “trusted”…


—Targeted attacks rise, cyber attackers spreading through networks, report says

Lateral movement and reconnaissance detections observed in a Vectra Networks Post-Intrusion Report, released Tuesday, show a sharp upturn in targeted attacks that have penetrated the perimeter. The report, which is the culmination of data collected over a six-month period from 40 of the company’s customer and prospect networks that feature more than 250,000 hosts, found that non-linear growth in lateral movement increased 580 percent from last year while reconnaissance detections were up 270 percent. Overall, detections outpaced those recorded last year by 97 percent.


—Iran and Saudi Arabia Heading Toward A Cyber War? 

Iran and Saudi Arabia, regional rivals in the Middle East, may be engaged in cyber warfare, according to a new report by threat intelligence firm Recorded Future. As the two powers vie for influence over the civil wars in Yemen and Syria and regional dominance, Tehran and Riyadh have begun using cyber attacks to release critical intelligence…  (maybe they self destruct?  OR provide US target intel!)


—Windows kerberos ticket theft and exploitation on other platforms

In the past there has been a lot of talk about pass the hash, but surprisingly little about different methods for exploiting Kerberos tickets. Besides the discussion focused on golden tickets, Kerberos has not really ever been a major target for abuse… This is a HOW TO article (on how these sorts of articles help beginners get started)


— Cyber Threats of 2015 | Free eBook


+++  SD/SoCAL security events / opportunities +++

+ CyberTECH events / networking / startups / etc  —  THE cyber happening place in SD!!! 

Join their Meetup Group for the latest event information! The definition of “Cyber KEWEL”


9 – ISC2 (2nd Thur at 6PM) – “SD CityCISO – 2 years and counting – lessons learned” Gary Hayslip

Location – BAH (Suite 200)  4055 Hancock Street, San Diego, CA 92110 USA

16 – ISACA – (12 PM) “TBD”


16 – OWASP – 6PM – Peter Bartoli is the VP of Operations at M5 Hosting and an adjunct professor at San Diego State University in the Computer


23 July (4th Thurs at 11.30) – ISSA monthly chapter meeting “TBD” (at ADM Baker field clubhouse)


Global Cyber events:
