CYBER NEWS TIDBITS FOR YOU - NOVEMBER 2015

Welcome to Cyber News Tidbits 4U!

Here are updated news compilations from the Cyber Security Community

Topic headers (+++):

1 – Security news you can likely use (re: management / opportunity items)

2 – Other items of general FYI / FYSA level interest

3 – Threats / bad news stuff / etc.. 

and…

4 – SD/SoCAL items of interest / opportunities   (send me your SD meetings!) 


Another periodic cyber security news gram / digest = tidbits.   (.. been over 3 weeks since the last one, so….)

Arranged in a top down, “likely” interest level…with more short snippets, fewer threats and only a few local events (at the very bottom)

Feedback is always welcome too, as is sending me articles to share... cyber information sharing in action!

http://www.linkedin.com/in/mikedavissd

http://www.sciap.org/blog1/wp-content/uploads/CISO-Fundamentals.pdf

(all links have been checked out… though you may need to cut & paste into your browser).


NOVEMBER 22

—Microsoft Invests $1 Billion In ‘Holistic’ Security Strategy

Executives detail strategic and cultural shift at Microsoft to an integrated security approach across its software and services, and announce new managed services group and cyber defense operation center.

http://www.darkreading.com/endpoint/microsoft-invests-$1-billion-in-holistic-security-strategy/d/d-id/1323170

—Millions of sensitive records exposed by mobile apps leaking back-end credentials

Thousands of mobile applications, including popular ones, implement cloud-based, back-end services in a way that lets anyone access millions of sensitive records created by users, according to a recent study.

http://www.pcworld.com/article/3005330/millions-of-sensitive-records-exposed-by-mobile-apps-leaking-back-end-credentials.html

—NIST Seeks Review of Email Safety Doc

Email systems have become so routine that consumers and workers often regard them as simply part of the furniture — like a standard-issue desk at a government or business office. However, the technology is more complex than most users appreciate — and that complexity makes it constantly vulnerable to cybersecurity threats.

http://www.technewsworld.com/story/82729.html

— Backup Your Files To Thwart A Ransomware Attack On Your Laptop And PC

Ransomware is on the rise and you should protect yourself by backing up your laptop and PC files today. An advisory from the FBI’s Internet Crime Complaint Center this past June stated that more than $1 million a month, on average ($18 million over the prior 15 months), was paid to recover computers from Ransomware incidents. The FBI had received nearly one thousand Ransomware complaints from citizens, businesses, and government agencies.

http://www.forbes.com/sites/stevemorgan/2015/11/12/cybersecurity-alert-backup-your-files-to-thwart-a-ransomware-attack-on-your-laptop-and-pc/

—Cybercriminals turn to video ads to plant malware

Cybercriminals have been delivering malware through online display ads for years, but they appear to be making headway with a new distribution method: video advertisements. Both methods of attack, known as malvertising, can have a broad impact and are a major headache for the ad industry. A single malicious advertisement, distributed to several highly trafficked sites, can expose tens of thousands of computers to malware in a short time.

http://www.pcworld.com/article/3005033/business-security/cybercriminals-turn-to-video-ads-to-plans-malware.html

—IBM Report: Ransomware, Malicious Insiders On The Rise

X-Force’s top four cyber threat trends also names upper management’s increasing interest in infosec.

http://www.darkreading.com/vulnerabilities---threats/ibm-report-ransomware-malicious-insiders-on-the-rise/d/d-id/1323163

—One in six US employees who find lost USBs use them

Some 17% of US consumers picked up USB sticks they ‘found’ and plugged them into their devices, opened the text file and either clicked the unique link or emailed the listed address, according to an experiment by the Computing Technology Industry Association (CompTIA).

http://www.hotforsecurity.com/blog/one-in-six-us-employees-who-find-lost-usbs-use-them-13016.html

—Cryptolocker/Cryptowall Ransomware Kit Sold for $3,000 – Source Code Included

The Cryptolocker/Cryptowall 3.1 ransomware kit is being sold for $3,000 worth of bitcoins, according to a Pastebin post, which claims to even offer the source code along with the manual and free support. For those interested in purchasing only a couple of binaries, the malware developers offer a bundle of 8 per customer for $400. However, the developer also seems open to an affiliation program in which both you – the customer – and the developer split the revenue 50/50.

http://www.hotforsecurity.com/blog/cryptolockercryptowall-ransomware-kit-sold-for-3000-source-code-included-13020.html

—Healthcare Apps, WordPress Most Popular Web Attack Targets

Content management systems were attacked three times more often than other Web applications — especially WordPress, which was hit 3.5 times more often, according to Imperva’s new Web Application Attacks Report. WordPress, the most popular CMS, has taken a beating this year, marred by a variety of vulnerabilities — particularly, weaknesses in plug-ins, of which the CMS has over 30,000 — and an increase in brute-force attacks.

http://www.darkreading.com/attacks-breaches/healthcare-apps-wordpress-most-popular-web-attack-targets/d/d-id/1323125

—Microsoft to Host Data in Germany to Block the US from Spying on Its Users

Microsoft’s getting ready to take the fight with the United States government over user data to a completely new level, as the company is ready to turn to data centers in Germany in order to block American agencies from snooping in on customers.

http://news.softpedia.com/news/microsoft-to-host-data-in-germany-to-block-the-us-from-spying-on-its-users-496017.shtml

—Don’t Toy With The Dark Web, Harness It

The Dark Web’s sinister allure draws outsized attention, but time-strapped security teams would benefit from knowing what’s already circulating in places they don’t need Tor or I2P to find.

http://www.darkreading.com/vulnerabilities---threats/dont-toy-with-the-dark-web-harness-it/a/d-id/1323078

—Microsoft Finally Ties the Knot with Red Hat for Linux on Azure – Network World

In a move many consider long overdue, Microsoft and Red Hat on Wednesday announced a new partnership through which Microsoft will offer Red Hat Enterprise Linux as the preferred choice for enterprise Linux workloads on Azure.

http://www.networkworld.com/article/3001370/microsoft-finally-ties-the-knot-with-red-hat-for-linux-on-azure.html

—Emerging Threats to Maritime Energy Infrastructure

Countries are increasingly dependent on the security of maritime energy infrastructure, which is vulnerable to a range of well-known risks and threats, including terrorist attacks, piracy and natural disasters. More recently, concerns about the potential consequences of cyber attacks have become more widespread.

http://www.nato.int/cps/en/natolive/news_124544.htm?selectedLocale=en

—Everyone Should Get a Security Freeze

This author has frequently urged readers to place a freeze on their credit files as a means of proactively preventing identity theft. Now, a major consumer advocacy group is recommending the same: The U.S. Public Interest Research Group (US-PIRG) recently issued a call for all consumers to request credit file freezes before becoming victims of ID theft.

http://krebsonsecurity.com/2015/11/report-everyone-should-get-a-security-freeze/

—States’ Cyber Security Readiness Presents “Grim Picture” Pell Study Finds

Just eight states of 50 fared decently in a Pell study on their preparedness to deal with current and emerging cyberthreats

http://www.darkreading.com/government/states-cyber-security-readiness-presents--grim-picture--pell-study-finds/d/d-id/1323042

—US-China Security Review Commission Discusses ‘Hack-Back’ Laws

Commission’s annual report to Congress recommends a closer look at whether companies should be allowed to launch counterattacks on hackers.

http://www.darkreading.com/vulnerabilities---threats/us-china-security-review-commission-discusses-hack-back-laws/d/d-id/1323226

—DDoS And The Internet’s Liability Problem

It’s past time for an improved liability model to disrupt DDoS.

http://www.darkreading.com/perimeter/ddos-and-the-internets-liability-problem/a/d-id/1323197

—What The Boardroom Thinks About Data Breach Liability

Most public companies subscribe to cybersecurity insurance of some sort, and 90% say third-party software vendors should be held liable for vulnerabilities in their code.

http://www.darkreading.com/risk/what-the-boardroom-thinks-about-data-breach-liability/d/d-id/1323037

—How Web Analytics Is Being Used for Cyber Attacks

Today, websites are being altered to redirect users to a profiling script known as WITCHCOVEN. The purpose is to track and profile Internet users and infect their computers with targeted malware.  WITCHCOVEN is part of a large-scale effort by cyber criminals that uses web analytics and open source tools for reconnaissance. The effort has been highly successful, with vast amounts of information collected on web traffic and Internet visitors from around the world.

https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf

—Insider’s Guide to Incident Response

This handy guide provides expert, practical tips on how to build an incident response plan and team, and on the tools and training you can use to arm those team members. Learn insider secrets like:

  • Arming & Aiming Your Incident Response Team
  • Incident Response Process & Procedures
  • The Art of Triage: Types of Security Incidents

http://learn.alienvault.com/ir-guide-lookbook/asset

—Is Your Data Governance Program Heading Down the Wrong Path?

Good data governance is as much about doing things the right way as not doing things the wrong way. Although enterprise data governance efforts have been launched at many companies, the success rate of these initiatives isn’t encouraging. There’s a lot of advice available on data governance best practices that should be adopted; this expert guide lists the top “worst practices” that your company needs to avoid. You’ll view both sides of the issue: How data governance done right will add value to your business – and how data governance done wrong will create more work for your company, without any of the benefits.

http://docs.media.bitpipe.com/io_11x/io_115137/item_876599/What%20to%20Do%20What%20Not%20to%20Do%20in%20Enterprise%20Data%20Governance_final.pdf

http://docs.media.bitpipe.com/io_10x/io_103481/item_519075/DataFlux_sDataManagement_IO%2324834_E-Book_081011.pdf

—Who’s Really In Charge If a Massive Cyberattack Strikes US?

https://www.linkedin.com/pulse/whos-really-charge-massive-cyberattack-strikes-us-davis-nguyen-casp

—FFIEC Updates Cybersecurity Expectations for Boards

http://www.bankinfosecurity.com/ffiec-management-booklet-a-8683/op-1

—IoT begs for Privacy | 21st Century Privacy

https://www.safejunction.com/?p=6510

—Clarifying the fog of cyber security complexity – the “sweet 16” capabilities / portfolios.

Functionally decompose what “cyber” is into manageable portfolios!

https://www.linkedin.com/pulse/clarifying-fog-cyber-security-complexity-sweet-16-portfolios-davis

2  +++++++

—Security researcher warns “future is extortion” as cyber-criminals target SMEs

Sitting in the F-Secure Labs in Helsinki, Sean Sullivan, security researcher at F-Secure, warned that the “future is extortion”. Referring to a significant rise in ransomware attacks by organised crime gangs, he warned that ransomware operations have become ‘slick’, so much so that their customer support could be viewed as ‘enterprise’ grade.

http://www.scmagazineuk.com/security-researcher-warns-future-is-extortion-as-cyber-criminals-target-smes/article/453790/

—Study: Serious Web Security Flaws Rampant on Embedded Devices

The web interface is a bit like the “bacon” of the Internet of Things – every device tastes (and works) a lot better with one. But, if implemented or deployed improperly, those web interfaces can be fat targets for remote attackers. Now a survey of firmware by researchers in France and Germany finds that many of those web interfaces are, indeed, vulnerable.

https://securityledger.com/2015/11/serious-web-security-flaws-rampant-on-embedded-devices/

—Report: Botnets Help Bump Cyberattack Attempts by 20 Percent

ThreatMetrix last week reported that it had detected and prevented more than 90 million attempted cyberattacks in real time across industries from July to September.

The attempted attacks covered fraudulent online payments, logins and new account registrations, and represented a 20 percent increase over the previous quarter, according to ThreatMetrix Cybercrime Report: Q3 2015.

http://www.technewsworld.com/story/82753.html

—Decryption Tool Foils Linux Server Ransomware Attacks

Bitdefender on Monday released a free decryption tool designed to wrest data from the grip of a rare type of ransomware that’s been plaguing Linux servers. Details for performing the decryption are available on the company’s website. Essentially, the solution takes advantage of a flaw in the ransomware, which Bitdefender discovered through reverse-engineering.

http://www.technewsworld.com/story/82731.html

—U.S. and U.K. Test Response to Major Financial Cyberattack

Britain and the United States carried out a planned drill with leading global firms on Thursday to see how they would respond to a cyber incident in the financial sector.

The test focused on how the world’s two biggest financial centers, New York and London, would cope with a cyberattack in terms of sharing information, communicating with the public and handling an incident.

http://www.nbcnews.com/tech/security/u-s-u-k-test-response-major-financial-cyberattack-n462406

—The Lingering Mess from Default Insecurity

The Internet of Things is fast turning into the Internet-of-Things-We-Can’t-Afford. Almost daily now we are hearing about virtual shakedowns wherein attackers demand payment in Bitcoin virtual currency from a bank, e-retailer or online service. Those who don’t pay the ransom see their sites knocked offline in coordinated cyberattacks. This story examines one contributor to the problem, and asks whether we should demand better security from ISPs, software and hardware makers.

http://krebsonsecurity.com/2015/11/the-lingering-mess-from-default-insecurity/

—Gmail to Warn When Messages Take Unencrypted Routes

Google plans to ramp up security at its free email service by letting users know when messages arrive via unencrypted connections that could be prone to snooping or tampering.

http://www.securityweek.com/gmail-warn-when-messages-take-unencrypted-routes

—The Secret Pentagon Push for Lethal Cyber Weapons – Defense One

With nearly $500 million allotted, military contractors are competing for funds to develop the next big thing: computer code capable of killing.

http://www.defenseone.com/technology/2015/11/secret-pentagon-push-lethal-cyber-weapons/123435/?oref=d_brief_nl&ct=t%28Today_s_Headlines_and_Commentary11_3_2015%29

—Federal Legislation Targets “Swatting” Hoaxes

A bill introduced in the U.S. House of Representatives on Wednesday targets “swatting,” an increasingly common and costly hoax in which perpetrators spoof a communication to authorities about a hostage situation or other violent crime in progress in the hopes of tricking police into responding at a particular address with deadly force.

http://krebsonsecurity.com/2015/11/federal-legislation-targets-swatting-hoaxes/

—Heat map identifies need for cybersecurity professionals

The US National Institute of Standards and Technology (NIST) is creating “a heat map visualization tool that will show where cybersecurity jobs are open across the country”, enabling employers and job seekers to harmonize.

http://www.itgovernanceusa.com/blog/nist-heat-map-identifies-need-for-cybersecurity-professionals/?utm_source=social&utm_medium=linkedinannc

—IT professionals reveal top challenges in web security

A new report from CYREN describes the challenges to web security that IT professionals face.

http://www.itgovernanceusa.com/blog/it-professionals-reveal-their-top-challenges-in-web-security/?utm_source=social&utm_medium=linkedinannc

—DISA director: ‘We expect a cyberattack as a prelude to war’

http://www.c4isrnet.com/story/military-tech/omr/cybercon/2015/11/18/disa-director-we-expect-cyberattack-prelude-war/76001244/

—CES Announces the Most Innovative Tech Products for 2016

http://www.itbusinessedge.com/slideshows/ces-announces-the-most-innovative-tech-products-for-2016.html

—Why The Java Deserialization Bug Is A Big Deal

Millions of app servers are potentially open to compromise because of how they deserialize Java objects received from untrusted sources, researchers say.

http://www.darkreading.com/informationweek-home/why-the-java-deserialization-bug-is-a-big-deal/d/d-id/1323237

—GCHQ chief (UK) claims that everything is failing cyber security

http://www.theinquirer.net/inquirer/news/2434496/gchq-chief-claims-that-everything-is-failing-cyber-security

—Privileged Account Control Still Weak In Most Organizations

Two studies this week show there’s a long way to go in securing credentials for risky accounts.

http://www.darkreading.com/endpoint/privileged-account-control-still-weak-in-most-organizations_/d/d-id/1323097

—NIST official: Move past passwords

A group of identity access experts, including one from NIST, debated whether passwords were worth the trouble.

http://fedscoop.com/nist-official-we-may-kill-password-entropy-guidelines

—Security in 2016: The death of advanced persistent threats

Kaspersky predicts that APTs will cease to exist next year — but what will take their place?

http://www.zdnet.com/article/security-in-2016-the-death-of-advanced-persistent-threats/

—The State of Cyber Insurance

Immature market, land grab for customers, high premiums, little change in the short-term.

http://www.networkworld.com/article/3005213/security/the-state-of-cyber-insurance.html

—Global Privacy & Cybersecurity Update, Issue 8 (great laws, etc overview)

http://www.jonesday.com/global-privacy--cybersecurity-update-volume-8-11-16-2015/

http://thewritestuff.jonesday.com/cv/9d4ffbe9e14481f54ea1bff7fd9f010e530d9267

—Five moves for every new CISO’s playbook

http://www.csoonline.com/article/3000329/it-careers/five-moves-for-every-new-ciso-s-playbook.html

—Get Ready for Next-Generation Endpoint Security

http://www.govtech.com/blogs/lohrmann-on-cybersecurity/why-you-need-next-generation-endpoint-security.html

3  +++++++

—“Cherry Picker” PoS Malware Cleans Up After Itself

A point-of-sale (PoS) malware that went largely undetected for the past several years has been analyzed by researchers at Trustwave. Dubbed by the security firm “Cherry Picker,” the threat has been around since at least 2011, but it managed to stay under the radar thanks to its sophisticated functionality and use in highly targeted attacks.

http://www.securityweek.com/cherry-picker-pos-malware-cleans-after-itself

—Thousands of Java applications vulnerable to nine-month-old exploit

A popular Java library has a serious vulnerability, discovered over nine months ago, that continues to put thousands of Java applications and servers at risk of remote code execution attacks.

http://www.computerworld.com/article/3004505/security/thousands-of-java-applications-vulnerable-to-nine-month-old-exploit.html
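The Dark Reading item in section 2 and the Computerworld item here describe one bug class: an application calls readObject() on bytes an attacker controls, and classes that already sit on the classpath (the Apache Commons Collections gadget chain in this case) turn that into remote code execution. The example below is added here and is not from either article. It uses Python's pickle, which fails in exactly the same way, to show the vulnerable call, the look-ahead allowlist fix that only resolves the classes the application expects (the same idea as the resolveClass() override and serialization-filter mitigations for Java), and a static scan that lists which globals a payload would resolve without executing it. Session, Gadget and the allowlist are constructed for the demo; eval("6 * 7") stands in for the os.system call a real payload would make.

```python
import io
import pickle
import pickletools


class Session:
    """Legitimate application object that the service expects to deserialize (constructed)."""

    def __init__(self, user, roles):
        self.user = user
        self.roles = list(roles)

    def __eq__(self, other):
        return isinstance(other, Session) and (self.user, self.roles) == (other.user, other.roles)


class Gadget:
    """Attacker-supplied object (constructed). Its __reduce__ tells the loader to call eval();
    a real payload would name os.system or similar. eval("6 * 7") keeps the demo harmless."""

    def __reduce__(self):
        return (eval, ("6 * 7",))


# Constructed allowlist: the only (module, class) pairs the loader may ever resolve.
ALLOWED_GLOBALS = {(Session.__module__, "Session")}


class RestrictedUnpickler(pickle.Unpickler):
    """Look-ahead allowlist, the pickle equivalent of overriding resolveClass() in Java:
    every global is checked before it is resolved, so a gadget is never instantiated."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def unsafe_loads(data):
    """The vulnerable pattern: deserialize bytes an attacker controls, no questions asked."""
    return pickle.loads(data)


def safe_loads(data):
    """The hardened pattern: same bytes, allowlisted loader."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def referenced_globals(data):
    """Static triage that executes nothing: list the globals a pickle would resolve.
    STACK_GLOBAL (protocol 4+) takes module and name from the two preceding string pushes;
    GLOBAL (older protocols) carries "module name" inline."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            found.append((strings[-2], strings[-1]))
        elif "UNICODE" in op.name or op.name == "STRING":
            strings.append(arg)
    return found


def demo():
    legit = pickle.dumps(Session("alice", ["reader"]))
    malicious = pickle.dumps(Gadget())          # what the attacker sends over the wire
    results = {
        "unsafe_malicious": unsafe_loads(malicious),          # eval() ran during load
        "safe_legit": safe_loads(legit),                      # expected object comes back
        "malicious_globals": referenced_globals(malicious),   # what the payload would resolve
    }
    try:
        safe_loads(malicious)
        results["safe_malicious"] = "loaded"
    except pickle.UnpicklingError as exc:
        results["safe_malicious"] = f"blocked: {exc}"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The allowlist is the important part: a denylist of known gadget classes (the first reaction many teams had in 2015) loses as soon as someone finds the next gadget on the classpath, whereas an allowlist of the handful of types the endpoint genuinely needs does not. referenced_globals() is the triage step for captured traffic or stored blobs; it is a heuristic over the opcode stream, not a sandbox, so never use it as the control itself.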

—Britain Develops Cyber Attack Powers to Take on ISIS (OK, yet hack back is a slippery slope for any entity)

British spies are developing an offensive cyber capability to attack terrorists, hackers and rogue states, finance minister George Osborne said on Tuesday after warning Islamic State militants wanted to launch deadly cyber attacks of their own.

http://www.nbcnews.com/tech/tech-news/britain-develops-cyber-attack-powers-take-isis-n464836

—Thousands of cheap tablets sold on Amazon have Trojans pre-installed

Security researchers at Cheetah Mobile have discovered potentially thousands of Android tablets for sale on Amazon that come pre-installed with a Trojan called Cloudsota. The Cloudsota Trojan has root permissions and can give its author remote control of your device, as well as install adware, malware, or even uninstall your anti-virus app. The researchers believe that the Trojan originated in China.

http://www.digitaltrends.com/mobile/cloudsota-trojan-malware-on-cheap-tablets-amazon/

—Hackers Claim Million-Dollar Bounty for iOS Zero Day Attack

Hacking Apple’s iOS isn’t easy. But in the world of cybersecurity, even the hardest target isn’t impossible – only expensive. And the price of a working attack that can compromise the latest iPhone is apparently somewhere around $1 million.

http://www.wired.com/2015/11/hackers-claim-million-dollar-bounty-for-ios-attack/

—Tricky New Malware Replaces Your Entire Browser with a Dangerous Chrome Lookalike

This malicious browser looks and acts just like Chrome–except for all the pop-up ads, system file hijacking, and activity monitoring.

http://www.pcworld.com/article/2994778/security/tricky-new-malware-replaces-your-entire-browser-with-a-dangerous-chrome-lookalike.html

—New 4G LTE Hacks Punch Holes In Privacy

Black Hat Europe researchers to demonstrate newly found flaws in 4G mobile that expose privacy and disrupt phone service.

http://www.darkreading.com/endpoint/new-4g-lte-hacks-punch-holes-in-privacy/d/d-id/1323063

—Anonymous’s Cyber War with ISIS Could Compromise Terrorism Intelligence

“As French police scoured Paris and surrounding areas in search of those responsible for Friday’s terrorist attacks on the French capital, a group of cyber activists took aim at the Islamic State’s online presence. The computer-hacker federation known as Anonymous claims to have disabled at least 5,500 pro-ISIS Twitter accounts.”

http://www.scientificamerican.com/article/anonymous-s-cyber-war-with-isis-could-compromise-terrorism-intelligence/

—An app called Telegram is the ‘hot new thing among jihadists’

When ISIS terrorists want to hide what they’re saying, they are increasingly turning to an app called Telegram. It’s “the new hot thing among jihadists,” said Laith Alkhouri, director of Research at Flashpoint Global Partners. The Berlin-based startup boasts two layers of encryption and claims to be “faster and more

http://money.cnn.com/2015/11/17/technology/isis-telegram/index.html

—Cyber ‘War Games’ against China, Iran and North Korea Set for 2016

In an unprecedented move, Congress just ordered U.S. Cyber Command to carry out simulated “war games” against, specifically, Russia, along with China, Iran and North Korea. The drills are expected to run uniformed service members, civilians and contractors through the motions of staving off a cyber assault the likes of which each nation state will be equipped for — five to 10 years from now.

http://www.nextgov.com/cybersecurity/2015/11/cyber-war-games-against-china-iran-and-n-korea-set-2016/123660/?oref=ng-HPriver

—Islamic State Determined to get Chemical Weapons (To be used ‘anywhere’!)

http://hosted.ap.org/dynamic/stories/M/ML_ISLAMIC_STATE_CHEMICAL_WEAPONS?SITE=AP&SECTION=HOME&TEMPLATE=DEFAULT&CTIME=2015-11-19-11-54-05

———————————————————————————-

NOVEMBER 1

+UL creating standard for wearable privacy and security

UL, formerly called Underwriters Labs, soon expects to certify wearables for safety and security, including user privacy. Founded in 1894 and more commonly known for certifying appliances for electrical safety, UL is developing draft requirements for security and privacy for data associated with Internet of Things devices, including wearables. A pilot program is underway, and UL plans to launch the program early in 2016, UL told Computerworld.

http://www.computerworld.com/article/2991331/security/ul-creating-standard-for-wearable-privacy-and-security.html

+The Internet of Things: It’s All About Trust

As billions of devices come online, it will be critical to protect the keys and certificates we use for authentication, validation, and privileged access control.

http://www.darkreading.com/risk/the-internet-of-things-its-all-about-trust/a/d-id/1322649

+Millennials Not Pursuing Cybersecurity Careers

Young adults ages 18 to 26 worldwide aren’t flocking to the cybersecurity field due to lack of awareness of cybersecurity career opportunities, and young women are less interested in and informed about the field than men.

http://www.darkreading.com/operations/millennials-not-pursuing-cybersecurity-careers/d/d-id/1322834

+Senate Passes CISA

The US Senate has passed the Cybersecurity Information Sharing Act (CISA) by a significant margin. The bill still must survive conference negotiation to reconcile the versions passed in each chamber before heading for the president’s desk.

http://thehill.com/policy/cybersecurity/258305-overnight-cybersecurity-senate-overwhelmingly-passes-cybersecurity

http://thehill.com/policy/cybersecurity/258387-hurdles-remain-for-major-cyber-bill

[Note: This bill is not so much about enabling sharing as it is about immunity from liability. It should be called the AT&T/Verizon Protection Act. You are unlikely to see ANY security improvement from the bill. Members of Congress who foisted this on the American public as a security bill should be sued for malpractice.

The government needs threat actor information – Adversary tools, tactics, indicators of attack, etc.   The private sector, likewise, needs the same type of intelligence so they can hunt on their networks for signs of Adversary activity, to detect and mitigate the threats.  Nowhere does anyone need to share customer information or private data, or anything else that should concern consumers or lawmakers…]

5 Things To Know About CISA

Despite criticism from privacy advocates, the Cybersecurity Information Sharing Act passed through the Senate.

http://www.darkreading.com/analytics/5-things-to-know-about-cisa-/d/d-id/1322870

+Pentagon’s Public/Private Cybersecurity Exchange Program is Expanding

The US Defense Department (DoD) has established a public/private exchange program for cybersecurity specialists. Pentagon CIO Terry Halvorsen said that they are “looking to industry to help … solve some [problems in] specific areas.” The program is expanding to include specialists from 10 technology companies. Halvorsen spoke about his goals for the program at a Christian Science Monitor event in Washington, DC on Thursday.

https://fcw.com/articles/2015/10/29/pentagon-cyber-exchanges.aspx

http://www.bloomberg.com/news/articles/2015-10-29/pentagon-creates-cybersecurity-exchange-program-with-industry

+Hackers Discover Voice Recognition Vulnerability on iOS and Android

A group of French researchers has discovered that they can use radio waves to silently trigger voice commands on any Android phone or iPhone that has Google Now or Siri enabled and a headset with a microphone plugged in: the headset cable acts as an antenna, and the induced signal is taken for microphone input.

http://www.hotforsecurity.com/blog/hackers-discover-voice-recognition-vulnerability-on-ios-and-android-12855.html

+Certificate Authorities Will Stop Issuing SHA1 Certificates as of January 1

The decision was made in light of research indicating that a practical SHA-1 collision could be within reach of well-funded attackers by the end of this year.

The certificate authorities will instead issue SHA-2 certificates. However, a significant portion of users will face problems accessing familiar sites because their browsers or devices cannot validate SHA-2 signatures. About 75 percent of SSL-encrypted websites are already using SHA-2 certificates.

http://www.zdnet.com/article/as-sha1-winds-down-sha2-leap-will-leave-millions-stranded
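The practical follow-up to the item above is an inventory: which certificates in your own estate (servers, internal CAs, device certificates pinned inside apps) still carry SHA-1 signatures before CAs stop issuing them and browsers start rejecting them. The example below is added here and is not from the article. It reads the signatureAlgorithm OID straight out of a DER-encoded X.509 certificate with a minimal ASN.1 walker, so it needs no third-party library, and flags the SHA-1 and MD5 algorithm identifiers. Because no real certificate is embedded, fake_certificate() builds a certificate-shaped DER shell (constructed test data with no real key or signature, not a usable certificate) purely to exercise the parser; on real data, pass the bytes of a .der/.cer file or a PEM block to audit_certificate().

```python
import base64
import re

# signatureAlgorithm OIDs from RFC 3279 / RFC 5758; True marks hashes deprecated for signatures.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", False),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", False),
    "1.2.840.10040.4.3": ("dsa-with-sha1", True),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", False),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", False),
}
SEQUENCE, OID = 0x30, 0x06


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode base-128 OBJECT IDENTIFIER content octets into dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _pem_to_der(data):
    """Accept raw DER or a PEM CERTIFICATE block."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data


def signature_algorithm_oid(cert):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    der = _pem_to_der(cert)
    tag, body, _ = _read_tlv(der, 0)
    if tag != SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(body, 0)          # skip tbsCertificate entirely
    tag, alg_id, _ = _read_tlv(body, pos)      # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != SEQUENCE:
        raise ValueError("malformed AlgorithmIdentifier")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != OID:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def audit_certificate(cert):
    """Return the signature algorithm and whether it is deprecated (None if unrecognised)."""
    oid = signature_algorithm_oid(cert)
    name, deprecated = SIGNATURE_OIDS.get(oid, ("unknown:" + oid, None))
    return {"oid": oid, "name": name, "deprecated": deprecated}


# ---- constructed test data below: DER encoder and a certificate-shaped shell ----
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def fake_certificate(sig_oid, tbs_size=16):
    """CONSTRUCTED: certificate-shaped DER with a dummy tbsCertificate and signature.
    Not a valid certificate; it exists only so the parser can be run offline."""
    tbs = _tlv(SEQUENCE, _tlv(0x02, b"\x01") + _tlv(0x04, bytes(tbs_size)))
    alg = _tlv(SEQUENCE, _tlv(OID, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    return _tlv(SEQUENCE, tbs + alg + _tlv(0x03, b"\x00" + bytes(8)))


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n").encode()
```

Two caveats for real use: the outer signatureAlgorithm is what a browser checks, but RFC 5280 requires it to match the signature field inside tbsCertificate, so a full audit walks every certificate in the chain (a SHA-2 leaf under a SHA-1 intermediate is still a SHA-1 chain), and a root certificate's own self-signature does not matter because roots are trusted by identity, not by signature.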

+ENISA Will Broaden IT Security Research

The European Union’s Agency for Network and Information Security (ENISA) says it will fund IT security research for vehicles, airports, and hospitals. ENISA will continue “its work on established priorities [including] the pan-European cyber-security exercises, critical information infrastructure protection” and other initiatives.

http://www.scmagazine.com/enisa-puts-smart-devices-and-iot-on-top-of-european-security-agenda/article/450202/

http://www.computerworld.com/article/2997790/security/eu-will-fund-car-hospital-and-airport-it-security-research.html

+Breach analytics: The next billion-dollar investment opportunity

http://venturebeat.com/2015/10/24/breach-analytics-the-next-billion-dollar-investment-opportunity/

+IoT is here and mobile networks will never be the same

http://www.networkworld.com/article/2994012/iot-is-here-and-mobile-networks-will-never-be-the-same.html

+Your next cyber crisis – APTs meet the man-in-the-middle (MITM)

http://www.csoonline.com/article/2997241/advanced-persistent-threats/meet-the-man-in-the-middle-of-your-next-security-crisis.html

+The top threat vector for mobile devices?  Porn.

As mobile devices become more deeply woven into the fabric of our personal and work lives, cyber criminals are taking increasingly vicious and disturbingly personal shots at us, according to Blue Coat Systems… Porn isn’t just back on top – it’s bigger than ever – jumping from 16.55 percent in 2014 to over 36 percent this year.

http://www.net-security.org/malware_news.php?id=3135

+Draft NIST guide helps banks with IT audit  (YOURS TOO!)

The National Cybersecurity Center of Excellence is trying to help financial organizations modernize how they manage their massive IT footprints…

http://fedscoop.com/draft-nist-guide-helps-financial-organizations-with-it-asset-management

IT Asset Management Practice Guide

https://nccoe.nist.gov/projects/use_cases/financial_services_sector/it_asset_management

+The playbook for smart printer use

The proliferation of Internet-enabled devices means that your network is now more interconnected than ever before. While this is great for business productivity, it also brings a host of new – and often unexpected – security risks. And some of the most unexpected of these risks are those caused by insecure multifunction printers (MFPs).

http://resources.idgenterprise.com/original/AST-0145338_Printer_Playbook.pdf

+2015 IT Security and Privacy Survey

http://www.protiviti.com/ITSecuritySurvey

+What should companies do after a wide-scale data breach?

http://www.net-security.org/article.php?id=2402

+New Approaches to Vendor Risk Management

The key to managing partner security risk is having truly verifiable evidence.

http://www.darkreading.com/attacks-breaches/new-approaches-to-vendor-risk-management/a/d-id/1322819

+Keith Alexander’s cyber startup draws backing

The former NSA director’s firm, IronNet, will use the cash infusion to scale his line of cybersecurity products.

https://defensesystems.com/articles/2015/10/27/alexander-ironnet-cybersecurity.aspx

2  +++++++

+CrowdStrike Spots Chinese APTs Targeting US Firms Post-Pact

No one expected China to change its cyber espionage ways overnight — if at all — in the wake of the historic agreement last month between President Obama and China’s president Xi Jinping not to conduct cyberspying attacks for economic gain. So not surprisingly, researchers say they’ve spotted continued hacking by Chinese groups aiming to steal intellectual property from seven US firms in the technology and pharmaceutical industries.

http://www.darkreading.com/attacks-breaches/crowdstrike-spots-chinese-apts-targeting-us-firms-post-pact/d/d-id/1322712

 

+Your Stolen Data Is Worth as Little as 55 Cents Online: Intel Security Report

Ever wonder how much your stolen personal information sells for online? Turns out not much, according to a report released Thursday by Intel Security Group’s McAfee Labs. McAfee researchers monitored websites, chat rooms and other places on the Dark Web where stolen data — everything from credit card numbers to hotel loyalty account info — are packaged, bought and sold.

http://www.nbcnews.com/tech/security/your-stolen-data-worth-little-55-cents-online-intel-security-n444666

 

+New Technology Won’t Remove Endpoint From The Bullseye

Dark Reading Radio guests from endpoint security vendor Tanium and Intel Security/McAfee may have different product views, but they concur on the problems plaguing end user machines.

http://www.darkreading.com/endpoint/new-technology-wont-remove-endpoint-from-the-bullseye/a/d-id/1322804

 

+The Rebirth Of Endpoint Security

A slew of startups and veteran security firms are moving toward proactive and adaptive detection and mitigation for securing the endpoint. But few enterprises are ready to pull the antivirus plug.

http://www.darkreading.com/endpoint/the-rebirth-of-endpoint-security/d/d-id/1322775

 

+Critical Security Controls Version 6.0 Released

The consensus standard for high priority cyber security actions has just been updated. The Critical Security Controls are now the de facto standard for what to implement first when adopting either the NIST Framework or the ISO security standard. GREAT Security tool — Map your key security efforts to this!!!

https://isc.sans.edu/forums/diary/CIS+Critical+Security+Controls+Version+60/20267/

 

+Germany Has Another Data Retention Law

Legislators in Germany have passed a bill that requires telecommunications companies to retain customer metadata for up to 10 weeks and allow law enforcement access to the information. Two earlier laws regarding data retention were found to be unconstitutional. The newest law applies to ISPs, mobile, and fixed telecommunications operators.

http://www.computerworld.com/article/2993500/data-privacy/germany-will-make-telcos-share-customer-data-with-the-police.html

 

+NIST to Support Cybersecurity Jobs “Heat Map”

The cybersecurity jobs “heat map” is a “unique tool that will allow users on both sides of the employment equation to assess supply and demand in cybersecurity on a city-by-city or state-by-state basis,” said NICE Director Rodney Petersen. “The information will help students and job-seekers understand the diverse career pathways available to them and can influence education and training providers to align their curriculum and programs to address emerging workforce needs.”

https://www.commerce.gov/news/press-releases/2015/10/nist-support-cybersecurity-jobs-heat-map-highlight-employer-needs-and

 

+US Army Needs Vulnerability Response Program  (SO DO WE ALL!!!)

According to an article in The Cyber Defense Review, many vulnerabilities in US Army software and networks are not reported because there is no centralized authority for disclosing vulnerabilities; there is no central entity that tracks issues from disclosure through remediation; and there is no government program that allows active assessments of system security. Army personnel are often reluctant to disclose vulnerabilities because the report could potentially be seen as a threat. The article’s authors propose establishing the Army Vulnerability Response Program (AVRP) to address these issues.

http://www.cyberdefensereview.org/2015/10/23/avrp/

http://www.theregister.co.uk/2015/10/27/army_bug_bounties/

[Note: The success of a program like AVRP will rest on being able to identify connected and mission relevant systems while prioritizing vulnerabilities based on their importance and susceptibility. Many programs are climbing uphill right from the start as asset inventories are incomplete, software bundles can be complex and include undocumented third-party code, and technology is becoming so pervasive that it is camouflaged more effectively than the latest battle dress.]

 

+New DMCA Exemptions Include Car Software and Some Medical Devices

The Library of Congress has adopted new exemptions to the Digital Millennium Copyright Act (DMCA) provision that prohibits circumventing technology that controls access to copyrighted works. The new exemptions include vehicle software for the purposes of diagnosis, repair, or modification and certain networked medical devices.

http://arstechnica.com/tech-policy/2015/10/us-regulators-grant-dmca-exemption-legalizing-vehicle-software-tinkering/

http://thehill.com/policy/technology/258237-copyright-exemption-handed-out-for-car-security-research

 

+One in Six Americans Stores Passwords and PINs in Wallets, Mobiles and PCs

Some 15 percent of US consumers keep written records of passwords and PINs in their wallets, mobile devices or computers, according to a study by ProtectMyID. More than half do not check for an icon of a lock to see if a website is secure or uses HTTPS connections, half do not password-protect their smartphones, and some 55 percent do not close the Web browser when they are finished using an online account to prevent hacks, as Inc. notes.

http://www.hotforsecurity.com/blog/one-in-six-americans-stores-passwords-and-pins-in-wallets-mobiles-and-pcs-12883.html

 

+NSA “Day of Cyber,” a National Initiative

Day of Cyber provides schools, colleges/universities, and organizations a powerful online tool to introduce Cybersecurity directly into the classroom… (need to register… free for a year)

http://www.nsadayofcyber.com/

 

+Security industry broken, says security researcher

http://www.computerweekly.com/news/4500255775/Security-industry-broken-says-security-researcher

 

+Black-ops, billionaire connections attract customers, investors to Cytegic

http://www.timesofisrael.com/black-ops-billionaire-connections-attract-customers-investors-to-cytegic/

 

+From 55 Cents to $1,200: The Value Chain For Stolen Data

The latest pricing models for stolen information in the underground economy.

http://www.darkreading.com/risk/from-55-cents-to-$1200-the-value-chain-for-stolen-data/d/d-id/1322692

 

+Cloud security tools thwart attacks on AWS infrastructure

http://searchaws.techtarget.com/news/4500255665/Cloud-security-tools-thwart-attacks-on-AWS-infrastructure

 

+Organized Crime Manipulates Chip Equipped Credit Cards

http://eprint.iacr.org/2015/963.pdf

 

+Passing the Sniff Test: Security Metrics and Measures

Cigital dishes dirt on top security metrics that don’t work well, why they’re ineffective and which measurables to consider instead.

http://www.darkreading.com/analytics/passing-the-sniff-test-security-metrics-and-measures/d/d-id/1322805

 

+SBA Unveils Small Business Cybersecurity Tools

http://www.businessnewsdaily.com/8491-sba-unveils-small-business-cybersecurity-tools.html

Tools are at:

https://www.sba.gov/navigation-structure/cybersecurity

 

+The latest Cybersecurity Policy Chart:

http://iac.dtic.mil/csiac/ia_policychart.html

 

3  +++++++

+Google Gives Symantec Certificate Health Ultimatum

Earlier this year, Symantec employees improperly released test certificates for Google domains. Google is now demanding that Symantec provide details of its certificate authority processes; if Symantec does not comply, Google says it will start warning users who visit sites that are protected with the company’s certificates. Google says its own investigation revealed that more than the 23 test certificates initially reported were improperly issued. Google is demanding that Symantec provide more information about why the initial report did not include the other improperly issued certificates; identify the steps it will take to prevent the improper release of certificates; and that as of June 1, 2016, all Symantec-issued certificates must support Certificate Transparency. ??? What do you do when gatekeepers leave the door open? In these cases you rapidly re-examine your procedures to determine how mistakes are made and conduct remedial training!

http://arstechnica.com/security/2015/10/still-fuming-over-https-mishap-google-gives-symantec-an-offer-it-cant-refuse/

http://www.computerworld.com/article/2998970/encryption/google-threatens-action-against-symantec-issued-certificates-following-botched-investigation.html

 

+Joint Hearing on Grid Security

On US power grid preparedness for cyber security incidents: the industry needs to implement a system that would allow members to share real-time information about cyber attacks with each other and with the government.

Gaines’s concern is that “the information [those in the industry] get from the government is not timely.”

http://thehill.com/policy/cybersecurity/257643-house-probes-cyber-threats-to-power-grid

[Note: The issue is that the utilities do not even know what connections they have to the public networks, much less have adequate control over them. This is aggravated by automatic remedies for component failures built into the grid. Said another way, it is vulnerability and consequences, not threat, that are the significant risk factors in power generation and distribution.]

 

+High school student reportedly hacks CIA director’s personal email

A high school student has claimed to have hacked the private email account of CIA Director John Brennan where the student found a number of sensitive, government-related files, according to a report in the New York Post.

http://www.scmagazine.com/cia-director-brennans-personal-email-contained-sensitive-info-hacker-says/article/447996/

 

+Survey Shows Little Accord On Responsibility For Cloud Security

Many industry experts agree that cloud security has to be a shared responsibility between cloud providers and the businesses that use these services to host and manage their data and applications. But there is less agreement over just how much responsibility each side has for ensuring data security in the cloud.

http://www.darkreading.com/cloud/survey-shows-little-accord-on-responsibility-for-cloud-security/d/d-id/1322677

 

+Migration to SHA-2 Inevitable, as SHA-1 is Broken

The SHA-1 security standard used for digital signatures has been deemed vulnerable by security specialists, prompting accelerated migration to SHA-2 for better security. Privacy specialist Bruce Schneier has predicted in the past that hackers would be able to afford to attack SHA-1 by 2015, as costs were estimated at $700,000.

http://www.hotforsecurity.com/blog/migration-to-sha-2-inevitable-as-sha-1-is-broken-12805.html

+Businesses Using Millions of Flawed Certificates

Many big businesses, including firms like Deloitte, are still using SHA-1 certificates, despite the fact that SHA-1 is known to be ineffective. In fact, 120,000 SHA-1 certificates were issued this year, according to research from Netcraft. Nearly a million SSL certificates found in Netcraft’s October SSL Survey were signed with the potentially vulnerable SHA-1 hashing algorithm, and some certificate authorities are continuing to issue more.

http://www.infosecurity-magazine.com/news/businesses-using-millions-of/

+Study Finds Revoked Certificates Still in Use

A study about certificate revocation conducted by researchers at four major US universities and Akamai found that eight percent of public key certificates served by websites had been revoked. The problems can be traced to Certificate Authorities failing to distribute revocation lists effectively and browsers failing to check to see if certificates have been revoked.

http://www.darkreading.com/risk/digital-certificate-security-fail/d/d-id/1322887

+Fraudsters exploit weak SSL certificate security to set up hundreds of phishing sites

Certificate authorities are granting SSL certificates to the owners of spoof domain names which are being used to phish customers of well-known retail and banking brands. In just one month, fraudsters were able to get the official SSL security ‘padlock’ seal of approval for hundreds of fake websites impersonating banks and other companies, partly because the checks on them were minimal or non-existent.

http://www.scmagazine.com/fraudsters-exploit-weak-ssl-certificate-security-to-set-up-hundreds-of-phishing-sites/article/444711/

 

+Is better defense the answer to the China cyber threat?

While the U.S. and China in September reached a “common understanding” to stem China’s ongoing cyber theft of U.S. intellectual property, the deal focused on economic interests – and left unaddressed the onslaught of attacks on the government, many of which are attributed to China.

http://www.c4isrnet.com/story/military-tech/cyber/2015/10/27/is-better-defense-the-answer-to-the-china-cyber-threat/74689802/

 

+French Criminals hack chips and pins

Criminals in France have managed to ‘hack’ chip and pin in a surprisingly simple scheme, according to Wired. Although chip and pin is a system designed to provide two levels of security to financial transactions, first, the possession of the card itself and then the entry of the pin, this simple technique bypasses the pin and allows the would-be conman to type in any pin they like and have it approved.

http://www.scmagazine.com/french-criminals-hack-chips-and-pins/article/448697/

 

+Japan’s Cybercrime Underground On The Rise

When you think cybercrime, Japan probably isn’t top of mind. But like anywhere else, the bad guys there are following the money, and an emerging yet highly stealthy underground economy is growing in Japan.

http://www.darkreading.com/vulnerabilities---threats/japans-cybercrime-underground-on-the-rise/d/d-id/1322607

 

+Botnets running on CCTVs and NASs

http://boingboing.net/2015/10/23/botnets-running-on-cctvs-and-n.html

 

+10 Ways to Protect Against Hackers

https://www.malwarebytes.org/articles/10-ways-to-protect-against-hackers/

 

+Top Cyber Security Threats & Risks for 2016

http://www.inc.com/joseph-steinberg/6-emerging-cybersecurity-risks-about-which-you-should-be-aware.html

1. While preventative information-security measures are obviously a necessity, businesses and people must still assume that hackers will ultimately penetrate their infrastructure despite all of the security technologies in place. (always assume the bad guys are inside, then develop your security strategy around that)

2. Likewise, deception (honeypots, etc.) can be a useful component of a security strategy. (have a defined, well-monitored deception process; this gives you more time to spot, then thwart, hackers who get inside)

3. Cyberterrorism has begun. Almost half of the energy-sector organizations polled for a recent cybersecurity study reported that attackers had attempted to delete or destroy information on their systems. (employ open source intel (OSI) methods to know your likely enemies and attackers, their favorite hacker tools, methods, etc.)

4. Nearly every person and business today relies on the information security of third parties for many mission critical tasks. (have a proactive B2B / vendor security V&V / audit process)

5. Humans are often the weakest point in the security chain. (security design must minimize the impact of human mistakes as much as possible)

6. Emerging technologies are obviously great targets. The success of zero-day attacks (work to minimize your security unknown unknowns – use anomaly detection systems, join a sector ISAC, engage local FBI / InfraGard, etc.)

http://phoenixts.com/blog/top-5-cyber-security-threats-for-2016/

Everyone is a potential target of cybercrime and you don’t always know when it will hit. What we do know is that there are five prevalent cyber issues we continue to face in 2015, 2016 and possibly even further.

—Internet of Things; Mobile Malware; Third-Party Attacks; Data Destruction & Vulnerabilities of Critical Infrastructure (there are 16 major critical infrastructure protection (CIP) areas)
