Welcome to Cyber News Tidbits 4U!

Here are updated news compilations from the Cyber Security Community

Topic headers (+++):

1 – Security news you can likely use (re: management / opportunity items)

2 – Other items of general FYI / FYSA level interest

3 – Threats / bad news stuff / etc.

4 – SD/SoCAL items of interest / opportunities (send me your SD meetings!)

Another periodic cyber security news gram / digest = tidbits.   (.. been over 3 weeks since the last one, so….)

Arranged in a top down, “likely” interest level…with more short snippets, fewer threats and only a few local events (at the very bottom)

Feedback is always welcome too, as is sending me articles to share: cyber information sharing in action!

(all links have been checked out… though you may need to cut & paste into your browser).


—Microsoft Invests $1 Billion In ‘Holistic’ Security Strategy

Executives detail strategic and cultural shift at Microsoft to an integrated security approach across its software and services, and announce new managed services group and cyber defense operation center.



—Millions of sensitive records exposed by mobile apps leaking back-end credentials

Thousands of mobile applications, including popular ones, implement cloud-based, back-end services in a way that lets anyone access millions of sensitive records created by users, according to a recent study.



—NIST Seeks Review of Email Safety Doc

Email systems have become so routine that consumers and workers often regard them as simply part of the furniture — like a standard-issue desk at a government or business office. However, the technology is more complex than most users appreciate — and that complexity makes it constantly vulnerable to cybersecurity threats.



— Backup Your Files To Thwart A Ransomware Attack On Your Laptop And PC

Ransomware is on the rise and you should protect yourself by backing up your laptop and PC files today. An advisory from the FBI’s Internet Crime Complaint Center this past June stated that more than $1 million a month, on average ($18 million over the prior 15 months), was paid to recover computers from Ransomware incidents. The FBI had received nearly one thousand Ransomware complaints from citizens, businesses, and government agencies.



—Cybercriminals turn to video ads to plant malware

Cybercriminals have been delivering malware through online display ads for years, but they appear to be making headway with a new distribution method: video advertisements. Both methods of attack, known as malvertising, can have a broad impact and are a major headache for the ad industry. A single malicious advertisement, distributed to several highly trafficked sites, can expose tens of thousands of computers to malware in a short time.



—IBM Report: Ransomware, Malicious Insiders On The Rise

X-Force’s top four cyber threat trends also names upper management’s increasing interest in infosec.



—One in six US employees who find lost USBs use them

Some 17% of US consumers picked up USB sticks they ‘found’ and plugged them into their devices, opened the text file and either clicked the unique link or emailed the listed address, according to an experiment by The Computing Technology Industry Association.



—Cryptolocker/Cryptowall Ransomware Kit Sold for $3,000 – Source Code Included

The Cryptolocker/Cryptowall 3.1 ransomware kit is being sold for $3,000 worth of bitcoins, according to a Pastebin post, which claims to even offer the source code along with the manual and free support. For those interested in purchasing only a couple of binaries, the malware developers offer a bundle of 8 per customer for $400. However, the developer also seems open to an affiliation program in which both you – the customer – and the developer split the revenue 50/50.



—Healthcare Apps, WordPress Most Popular Web Attack Targets

Content management systems were attacked three times more often than other Web applications — especially WordPress, which was hit 3.5 times more often, according to Imperva’s new Web Application Attacks Report. WordPress, the most popular CMS, has taken a beating this year, marred by a variety of vulnerabilities — particularly, weaknesses in plug-ins, of which the CMS has over 30,000 — and an increase in brute-force attacks.



—Microsoft to Host Data in Germany to Block the US from Spying on Its Users

Microsoft’s getting ready to take the fight with the United States government over user data to a completely new level, as the company is ready to turn to data centers in Germany in order to block American agencies from snooping in on customers.



—Don’t Toy With The Dark Web, Harness It

The Dark Web’s sinister allure draws outsized attention, but time-strapped security teams would benefit from knowing what’s already circulating in places they don’t need Tor or I2P to find.



—Microsoft Finally Ties the Knot with Red Hat for Linux on Azure – Network World

In a move many consider long overdue, Microsoft and Red Hat on Wednesday announced a new partnership through which Microsoft will offer Red Hat Enterprise Linux as the preferred choice for enterprise Linux workloads on Azure.



—Emerging Threats to Maritime Energy Infrastructure

Countries are increasingly dependent on the security of maritime energy infrastructure, which is vulnerable to a range of well-known risks and threats, including terrorist attacks, piracy and natural disasters. More recently, concerns about the potential consequences of cyber attacks have become more widespread.



—Everyone Should Get a Security Freeze

This author has frequently urged readers to place a freeze on their credit files as a means of proactively preventing identity theft. Now, a major consumer advocacy group is recommending the same: The U.S. Public Interest Research Group (US-PIRG) recently issued a call for all consumers to request credit file freezes before becoming victims of ID theft.



—States’ Cyber Security Readiness Presents “Grim Picture” Pell Study Finds

Just eight states of 50 fared decently in a Pell study on their preparedness to deal with current and emerging cyberthreats.



—US-China Security Review Commission Discusses ‘Hack-Back’ Laws

Commission’s annual report to Congress recommends a closer look at whether companies should be allowed to launch counterattacks on hackers.



—DDoS And The Internet’s Liability Problem

It’s past time for an improved liability model to disrupt DDoS.



—What The Boardroom Thinks About Data Breach Liability

Most public companies subscribe to cybersecurity insurance of some sort, and 90% say third-party software vendors should be held liable for vulnerabilities in their code.



—How Web Analytics Is Being Used for Cyber Attacks

Today, websites are being altered to redirect users to a profiling script known as WITCHCOVEN. The purpose is to track and profile Internet users and infect their computers with targeted malware.  WITCHCOVEN is part of a large-scale effort by cyber criminals that uses web analytics and open source tools for reconnaissance. The effort has been highly successful, with vast amounts of information collected on web traffic and Internet visitors from around the world.



—Insider’s Guide to Incident Response

This handy guide provides expert, practical tips on how to build an incident response plan and team, and what tools and training you can use to arm those team members. Learn insider secrets like:

  • Arming & Aiming Your Incident Response Team
  • Incident Response Process & Procedures
  • The Art of Triage: Types of Security Incidents



—Is Your Data Governance Program Heading Down the Wrong Path?

Good data governance is as much about doing things the right way as not doing things the wrong way. Although enterprise data governance efforts have been launched at many companies, the success rate of these initiatives isn’t encouraging. There’s a lot of advice available on data governance best practices that should be adopted; this expert guide lists the top “worst practices” that your company needs to avoid. You’ll view both sides of the issue: How data governance done right will add value to your business – and how data governance done wrong will create more work for your company, without any of the benefits.



—Who’s Really In Charge If a Massive Cyberattack Strikes US?



—FFIEC Updates Cybersecurity Expectations for Boards



—IoT begs for Privacy | 21st Century Privacy



—Clarifying the fog of cyber security complexity – the “sweet 16” capabilities / portfolios.

Functionally decompose what “cyber” is into manageable portfolios!





2  +++++++



—Security researcher warns “future is extortion” as cyber-criminals target SMEs

Sitting in the F-Secure Labs in Helsinki, Sean Sullivan, security researcher at F-Secure warned that the “future is extortion”. Referring to a significant rise in ransomware attacks by organised crime gangs, he warned that ransomware operations have become ‘slick’, so much so their customer support could be viewed as ‘enterprise’ grade.



—Study: Serious Web Security Flaws Rampant on Embedded Devices

The web interface is a bit like the “bacon” of the Internet of Things – every device tastes (and works) a lot better with one. But, if implemented or deployed improperly, those web interfaces can be fat targets for remote attackers. Now a survey of firmware by researchers in France and Germany finds that many of those web interfaces are, indeed, vulnerable.



—Report: Botnets Help Bump Cyberattack Attempts by 20 Percent

ThreatMetrix last week reported that it had detected and prevented more than 90 million attempted cyberattacks in real time across industries from July to September.

The attempted attacks covered fraudulent online payments, logins and new account registrations, and represented a 20 percent increase over the previous quarter, according to ThreatMetrix Cybercrime Report: Q3 2015.



—Decryption Tool Foils Linux Server Ransomware Attacks

Bitdefender on Monday released a free decryption tool designed to wrest data from the grip of a rare type of ransomware that’s been plaguing Linux servers. Details for performing the decryption are available on the company’s website. Essentially, the solution takes advantage of a flaw in the ransomware, which Bitdefender discovered through reverse-engineering.



—U.S. and U.K. Test Response to Major Financial Cyberattack

Britain and the United States carried out a planned drill with leading global firms on Thursday to see how they would respond to a cyber incident in the financial sector.

The test focused on how the world’s two biggest financial centers, New York and London, would cope with a cyberattack in terms of sharing information, communicating with the public and handling an incident.



—The Lingering Mess from Default Insecurity

The Internet of Things is fast turning into the Internet-of-Things-We-Can’t-Afford. Almost daily now we are hearing about virtual shakedowns wherein attackers demand payment in Bitcoin virtual currency from a bank, e-retailer or online service. Those who don’t pay the ransom see their sites knocked offline in coordinated cyberattacks. This story examines one contributor to the problem, and asks whether we should demand better security from ISPs, software and hardware makers.



—Gmail to Warn When Messages Take Unencrypted Routes

Google plans to ramp up security at its free email service by letting users know when messages arrive via unencrypted connections that could be prone to snooping or tampering.



—The Secret Pentagon Push for Lethal Cyber Weapons – Defense One

With nearly $500 million allotted, military contractors are competing for funds to develop the next big thing: computer code capable of killing.



—Federal Legislation Targets “Swatting” Hoaxes

A bill introduced in the U.S. House of Representatives on Wednesday targets “swatting,” an increasingly common and costly hoax in which perpetrators spoof a communication to authorities about a hostage situation or other violent crime in progress in the hopes of tricking police into responding at a particular address with deadly force.



—Heat map identifies need for cybersecurity professionals

The US National Institute of Standards and Technology (NIST) is creating “a heat map visualization tool that will show where cybersecurity jobs are open across the country”, enabling employers and job seekers to harmonize.



—IT professionals reveal top challenges in web security

A new report from CYREN describes the challenges to web security that IT professionals face.



—DISA director: ‘We expect a cyberattack as a prelude to war’



—CES Announces the Most Innovative Tech Products for 2016



—Why The Java Deserialization Bug Is A Big Deal

Millions of app servers are potentially open to compromise due to how they handle serialized Java apps, researchers say.



—GCHQ chief (UK) claims that everything is failing cyber security



—Privileged Account Control Still Weak In Most Organizations

Two studies this week show there’s a long way to go in securing credentials for risky accounts.



—NIST official: Move past passwords

A group of identity access experts, including one from NIST, debated whether passwords were worth the trouble.



—Security in 2016: The death of advanced persistent threats

Kaspersky predicts that APTs will cease to exist next year — but what will take their place?



—The State of Cyber Insurance

Immature market, land grab for customers, high premiums, little change in the short-term.



—Global Privacy & Cybersecurity Update, Issue 8 (great laws, etc. overview)



—Five moves for every new CISO’s playbook



—Get Ready for Next-Generation Endpoint Security





3  +++++++



—“Cherry Picker” PoS Malware Cleans Up After Itself

A point-of-sale (PoS) malware that went largely undetected for the past several years has been analyzed by researchers at Trustwave. Dubbed by the security firm “Cherry Picker,” the threat has been around since at least 2011, but it managed to stay under the radar thanks to its sophisticated functionality and use in highly targeted attacks.



—Thousands of Java applications vulnerable to nine-month-old exploit

A popular Java library has a serious vulnerability, discovered over nine months ago, that continues to put thousands of Java applications and servers at risk of remote code execution attacks.



—Britain Develops Cyber Attack Powers to Take on ISIS (OK, yet hack back is a slippery slope for any entity)

British spies are developing an offensive cyber capability to attack terrorists, hackers and rogue states, finance minister George Osborne said on Tuesday after warning Islamic State militants wanted to launch deadly cyber attacks of their own.



—Thousands of cheap tablets sold on Amazon have Trojans pre-installed

Security researchers at Cheetah Mobile have discovered potentially thousands of Android tablets for sale on Amazon that come pre-installed with a Trojan called Cloudsota. The Cloudsota Trojan has root permissions and can give its author remote control of your device, as well as install adware, malware, or even uninstall your anti-virus app. The researchers believe that the Trojan originated in China.



—Hackers Claim Million-Dollar Bounty for iOS Zero Day Attack

Hacking Apple’s iOS isn’t easy. But in the world of cybersecurity, even the hardest target isn’t impossible – only expensive. And the price of a working attack that can compromise the latest iPhone is apparently somewhere around $1 million.



—Tricky New Malware Replaces Your Entire Browser with a Dangerous Chrome Lookalike

This malicious browser looks and acts just like Chrome, except for all the pop-up ads, system file hijacking, and activity monitoring.



—New 4G LTE Hacks Punch Holes In Privacy

Black Hat Europe researchers to demonstrate newly found flaws in 4G mobile that expose privacy and disrupt phone service.



—Anonymous’s Cyber War with ISIS Could Compromise Terrorism Intelligence

“As French police scoured Paris and surrounding areas in search of those responsible for Friday’s terrorist attacks on the French capital, a group of cyber activists took aim at the Islamic State’s online presence. The computer-hacker federation known as Anonymous claims to have disabled at least 5,500 pro-ISIS Twitter accounts



—An app called Telegram is the ‘hot new thing among jihadists’

When ISIS terrorists want to hide what they’re saying, they are increasingly turning to an app called Telegram. It’s “the new hot thing among jihadists,” said Laith Alkhouri, director of Research at Flashpoint Global Partners. The Berlin-based startup boasts two layers of encryption and claims to be “faster and more



—Cyber ‘War Games’ against China, Iran and North Korea Set for 2016

In an unprecedented move, Congress just ordered U.S. Cyber Command to carry out simulated “war games” against, specifically, Russia, along with China, Iran and North Korea. The drills are expected to run uniformed service members, civilians and contractors through the motions of staving off a cyber assault the likes of which each nation state will be equipped for — five to 10 years from now.



—Islamic State Determined to get Chemical Weapons (To be used ‘anywhere’!)







+UL creating standard for wearable privacy and security

UL, formerly called Underwriters Labs, soon expects to certify wearables for safety and security, including user privacy. Founded in 1894 and more commonly known for certifying appliances for electrical safety, UL is developing draft requirements for security and privacy for data associated with Internet of Things devices, including wearables. A pilot program is underway, and UL plans to launch the program early in 2016, UL told Computerworld.


+The Internet of Things: It’s All About Trust

As billions of devices come online, it will be critical to protect the keys and certificates we use for authentication, validation, and privileged access control.


+Millennials Not Pursuing Cybersecurity Careers

Young adults ages 18- to 26 worldwide aren’t flocking to the cybersecurity field due to lack of awareness of cybersecurity career opportunities, and young women are less interested and informed about the field than men.


+Senate Passes CISA

The US Senate has passed the Cybersecurity Information Sharing Act (CISA) by a significant margin. The bill still must survive conference negotiation to reconcile the versions passed in each chamber before heading for the president’s desk.

[Note: This bill is not so much about enabling sharing as it is about immunity from liability. It should be called the AT&T/Verizon Protection Act. You are unlikely to see ANY security improvement from the bill. Members of Congress who foisted this on the American public as a security bill should be sued for malpractice.

The government needs threat actor information – adversary tools, tactics, indicators of attack, etc. The private sector, likewise, needs the same type of intelligence so they can hunt on their networks for signs of adversary activity, to detect and mitigate the threats. Nowhere does anyone need to share customer information or private data, or anything else that should concern consumers or lawmakers…]

+5 Things To Know About CISA

Despite criticism from privacy advocates, the Cybersecurity Information Sharing Act passed through the Senate.


+Pentagon’s Public/Private Cybersecurity Exchange Program is Expanding

The US Defense Department (DoD) has established a public/private exchange program for cybersecurity specialists. Pentagon CIO Terry Halvorsen said that they are “looking to industry to help … solve some [problems in] specific areas.” The program is expanding to include specialists from 10 technology companies. Halvorsen spoke about his goals for the program at a Christian Science Monitor event in Washington, DC on Thursday.


+Hackers Discover Voice Recognition Vulnerability on iOS and Android

A group of French researchers have discovered they can use radio waves to silently trigger voice commands on any Android phone or iPhone that has Google Now or Siri enabled and has headphones with a microphone plugged in.


+Certificate Authorities Will Stop Issuing SHA1 Certificates as of January 1

The decision was made in light of research indicating that SHA1 could be cracked by the end of this year.

The certificate authorities will instead issue SHA2 certificates. However, a significant portion of users will face problems accessing familiar sites because their browsers or their devices are incompatible with SHA2. About 75 percent of SSL-encrypted websites are already using SHA2 certificates.


+ENISA Will Broaden IT Security Research

The European Union’s Agency for Network and Information Security (ENISA) says it will fund IT security research for vehicles, airports, and hospitals. ENISA will continue “its work on established priorities [including] the pan-European cyber-security exercises, critical information infrastructure protection” and other initiatives.


+Breach analytics: The next billion-dollar investment opportunity


+IoT is here and mobile networks will never be the same


+Your next cyber crisis – APTs meet the man-in-the-middle (MITM)


+The top threat vector for mobile devices?  Porn.

As mobile devices become more deeply woven into the fabric of our personal and work lives, cyber criminals are taking increasingly vicious and disturbingly personal shots at us, according to Blue Coat Systems… Porn isn’t just back on top – it’s bigger than ever – jumping from 16.55 percent in 2014 to over 36 percent this year.


+Draft NIST guide helps banks with IT audit (YOURS TOO!)

The National Cybersecurity Center of Excellence is trying to help financial organizations modernize how they manage their massive IT footprints…

IT Asset Management Practice Guide


+The playbook for smart printer use

The proliferation of Internet-enabled devices means that your network is now more interconnected than ever before. While this is great for business productivity, it also brings a host of new – and often unexpected – security risks. And some of the most unexpected of these risks are those caused by insecure multifunction printers (MFPs).


+2015 IT Security and Privacy Survey


+What should companies do after a wide-scale data breach?


+New Approaches to Vendor Risk Management

The key to managing partner security risk is having truly verifiable evidence.


+Keith Alexander’s cyber startup draws backing

The former NSA director’s firm, IronNet, will use the cash infusion to scale his line of cybersecurity products.


2  +++++++

+CrowdStrike Spots Chinese APTs Targeting US Firms Post-Pact

No one expected China to change its cyber espionage ways overnight — if at all — in the wake of the historic agreement last month between President Obama and China’s president Xi Jinping not to conduct cyberspying attacks for economic gain. So not surprisingly, researchers say they’ve spotted continued hacking by Chinese groups aiming to steal intellectual property from seven US firms in the technology and pharmaceutical industries.


+Your Stolen Data Is Worth as Little as 55 Cents Online: Intel Security Report

Ever wonder how much your stolen personal information sells for online? Turns out not much, according to a report released Thursday by Intel Security Group’s McAfee Labs. McAfee researchers monitored websites, chat rooms and other places on the Dark Web where stolen data — everything from credit card numbers to hotel loyalty account info — are packaged, bought and sold.


+New Technology Won’t Remove Endpoint From The Bullseye

Dark Reading Radio guests from endpoint security vendor Tanium and Intel Security/McAfee may have different product views, but they concur on the problems plaguing end user machines.


+The Rebirth Of Endpoint Security

A slew of startups and veteran security firms are moving toward proactive and adaptive detection and mitigation for securing the endpoint. But few enterprises are ready to pull the antivirus plug.


+Critical Security Controls Version 6.0 Released

The consensus standard for high priority cyber security actions has just been updated. The Critical Security Controls are now the de facto standard for what to implement first when adopting either the NIST Framework or the ISO security standard. GREAT Security tool — map your key security efforts to this!!!


+Germany Has Another Data Retention Law

Legislators in Germany have passed a bill that requires telecommunications companies to retain customer metadata for up to 10 weeks and allow law enforcement access to the information. Two earlier laws regarding data retention were found to be unconstitutional. The newest law applies to ISPs, mobile, and fixed telecommunications operators.


+NIST to Support Cybersecurity Jobs “Heat Map”

The cybersecurity jobs “heat map” is a “unique tool that will allow users on both sides of the employment equation to assess supply and demand in cybersecurity on a city-by-city or state-by-state basis,” said NICE Director Rodney Petersen. “The information will help students and job-seekers understand the diverse career pathways available to them and can influence education and training providers to align their curriculum and programs to address emerging workforce needs.”


+US Army Needs Vulnerability Response Program (SO DO WE ALL!!!)

According to an article in The Cyber Defense Review, many vulnerabilities in US Army software and networks are not reported because there is no centralized authority for disclosing vulnerabilities; there is no central entity that tracks issues from disclosure through remediation; and there is no government program that allows active assessments of system security. Army personnel are often reluctant to disclose vulnerabilities because the report could potentially be seen as a threat. The article’s authors propose establishing the Army Vulnerability Response Program (AVRP) to address these issues.

[Note: The success of a program like AVRP will rest on being able to identify connected and mission relevant systems while prioritizing vulnerabilities based on their importance and susceptibility. Many programs are climbing uphill right from the start as asset inventories are incomplete, software bundles can be complex and include undocumented third-party code, and technology is becoming so pervasive that it is camouflaged more effectively than the latest battle dress.]


+New DMCA Exemptions Include Car Software and Some Medical Devices

The Library of Congress has adopted new exemptions to the Digital Millennium Copyright Act (DMCA) provision that prohibits circumventing technology that controls access to copyrighted works. The new exemptions include vehicle software for the purposes of diagnosis, repair, or modification and certain networked medical devices.


+One in Six Americans Stores Passwords and PINs in Wallets, Mobiles and PCs

Some 15 percent of US consumers keep written records of passwords and PINs in their wallets, mobile devices or computers, according to a study by ProtectMyID. More than half do not check for an icon of a lock to see if a website is secure or uses HTTPS connections, half do not password-protect their smartphones, and some 55 percent do not close the Web browser when they are finished using an online account to prevent hacks, as Inc. notes.


+NSA “Day of Cyber,” a National Initiative

Day of Cyber provides schools, colleges/universities, and organizations a powerful online tool to introduce Cybersecurity directly into the classroom… (need to register… free for a year)


+Security industry broken, says security researcher


+Black-ops, billionaire connections attract customers, investors to Cytegic


+From 55 Cents to $1,200: The Value Chain For Stolen Data

The latest pricing models for stolen information in the underground economy.


+Cloud security tools thwart attacks on AWS infrastructure


+Organized Crime Manipulates Chip Equipped Credit Cards


+Passing the Sniff Test: Security Metrics and Measures

Cigital dishes dirt on top security metrics that don’t work well, why they’re ineffective and which measurable to consider instead.


+SBA Unveils Small Business Cybersecurity Tools

Tools are at:


+The latest Cybersecurity Policy Chart:


3  +++++++

+Google Gives Symantec Certificate Health Ultimatum

Earlier this year, Symantec employees improperly released test certificates for Google domains. Google is now demanding that Symantec provide details of its certificate authority processes; if Symantec does not comply, Google says it will start warning users who visit sites that are protected with the company’s certificates. Google says its own investigation revealed that more than the 23 test certificates were improperly issued. Google is demanding that Symantec provide more information about why the initial report did not include the other improperly issued certificates; identify the steps it will take to prevent the improper release of certificates; and that as of June 1, 2016, all Symantec-issued certificates must support Certificate Transparency. ??? What do you do when gatekeepers leave the door open? In these cases you rapidly re-examine your procedures to determine how mistakes are made and conduct remedial training!


+Joint Hearing on Grid Security

US power grid preparedness for cyber security incidents. The industry needs to implement a system that would allow members to share real-time information about cyber attacks with each other and with the government.

Gaines’s concern is that “the information [those in the industry] get from the government is not timely.”

[Note: The issue is that the utilities do not even know what connections they have to the public networks, much less have adequate control over them. This is aggravated by automatic remedies for component failures built into the grid. Said another way, it is vulnerability and consequences, not threat, that are the significant risk factors in power generation and distribution.]


+High school student reportedly hacks CIA director’s personal email

A high school student has claimed to have hacked the private email account of CIA Director John Brennan where the student found a number of sensitive, government-related files, according to a report in the New York Post.


+Survey Shows Little Accord On Responsibility For Cloud Security

Many industry experts agree that cloud security has to be a shared responsibility between cloud providers and the businesses that use these services to host and manage their data and applications. But there is less agreement over just how much responsibility each side has for ensuring data security in the cloud.


+Migration to SHA-2 Inevitable, as SHA-1 is Broken

The SHA-1 security standard used for digital signatures has been deemed vulnerable by security specialists, prompting accelerated migration to SHA-2 for better security. Privacy specialist Bruce Schneier has predicted in the past that hackers would be able to afford to attack SHA-1 by 2015, as costs were estimated at $700,000.

+Businesses Using Millions of Flawed Certificates

Many big businesses, including firms like Deloitte, are still using SHA-1 certificates, despite the fact that SHA-1 is known to be ineffective. In fact, 120,000 SHA-1 certificates were issued this year, according to research from Netcraft. Nearly a million SSL certificates found in Netcraft’s October SSL Survey were signed with the potentially vulnerable SHA-1 hashing algorithm, and some certificate authorities are continuing to issue more.

+Study Finds Revoked Certificates Still in Use

A study about certificate revocation conducted by researchers at four major US universities and Akamai found that eight percent of public key certificates served by websites had been revoked. The problems can be traced to Certificate Authorities failing to distribute revocation lists effectively and browsers failing to check to see if certificates have been revoked.

+Fraudsters exploit weak SSL certificate security to set up hundreds of phishing sites

Certificate authorities are granting SSL certificates to the owners of spoof domain names which are being used to phish customers of well-known retail and banking brands. In just one month, fraudsters were able to get the official SSL security ‘padlock’ seal of approval for hundreds of fake websites impersonating banks and other companies, partly because the checks on them were minimal or non-existent.


+Is better defense the answer to the China cyber threat?

While the U.S. and China in September reached a “common understanding” to stem China’s ongoing cyber theft of U.S. intellectual property, the deal focused on economic interests – and left unaddressed the onslaught of attacks on the government, many of which are attributed to China.


+French Criminals hack chips and pins

Criminals in France have managed to ‘hack’ chip and PIN in a surprisingly simple scheme, according to Wired. Although chip and PIN is a system designed to provide two levels of security for financial transactions, first possession of the card itself and then entry of the PIN, this simple technique bypasses the PIN check and allows the would-be conman to type in any PIN they like and have it approved.


+Japan’s Cybercrime Underground On The Rise

When you think cybercrime, Japan probably isn’t top of mind. But like anywhere else, the bad guys there are following the money, and an emerging yet highly stealthy underground economy is growing in Japan.

—threats/japans-cybercrime-underground-on-the-rise/d/d-id/1322607


+Botnets running on CCTVs and NASs


+10 Ways to Protect Against Hackers


+ Top Cyber Security Threats & Risks for 2016

1. While preventative information-security measures are obviously a necessity, businesses and people must still assume that hackers will ultimately penetrate their infrastructure despite all of the security technologies in place. (Always assume the bad guys are inside, then develop your security strategy around that.)

2. Likewise, deception (honeypots, etc.) can be a useful component of a security strategy. (Have a defined, well-monitored deception process. This gives you more time to spot, then thwart, hackers who get inside.)

3. Cyberterrorism has begun. Almost half of the energy-sector organizations polled for a recent cybersecurity study reported that attackers had attempted to delete or destroy information on their systems. (Employ open source intelligence (OSI) methods to know your likely enemies and attackers, their favorite hacker tools, methods, etc.)

4. Nearly every person and business today relies on the information security of third parties for many mission-critical tasks. (Have a proactive B2B / vendor security V&V / audit process.)

5. Humans are often the weakest point in the security chain. (Security design must minimize the impact of human mistakes as much as possible.)

6. Emerging technologies are obviously great targets. The success of zero-day attacks (work to minimize your security unknown unknowns: use anomaly detection systems, join your sector ISAC, engage local FBI / InfraGard, etc.)

Everyone is a potential target of cybercrime and you don’t always know when it will hit. What we do know is that there are five prevalent cyber issues we continue to face in 2015, 2016 and possibly even further.

—Internet of Things; Mobile Malware; Third-Party Attacks; Data Destruction & Vulnerabilities of Critical Infrastructure (there are 16 major critical infrastructure protection (CIP) sectors)



September 27

+ Credit Cards Migrating To EMV Technology: Why The Change?

The U.S. is preparing for a nationwide migration to EMV technology, which is set to change the way consumers and merchants use a credit card. The process would require banks to issue new credit cards with an embedded microchip, which experts believe would help fight fraud and enhance banking security.


+ FBI in Internet of Things Cybersecurity Warning

The Federal Bureau of Investigation (FBI) has been forced to issue a public service announcement warning US citizens and businesses of the cybersecurity dangers of the internet of things (IoT). The Feds argued that a combination of “deficient security capabilities” inside the devices themselves, a lack of consumer awareness, and difficulties with patching could all be exploited by cyber-criminals.


+ Study names the five most hackable vehicles

A study released by a forensic consultancy has singled out the top five vehicles most susceptible to hacking. The results of the study, by PT&C|LWG Forensic Consulting Services, were based on published research by hackers, vehicle recall information and media reports. The most hackable list includes the 2014 Jeep Cherokee, the 2014 Infiniti Q50, the 2015 Cadillac Escalade, the 2010 and 2014 Toyota Prius and the 2014 Ford Fusion.


+ Google and Academic Researchers’ Study on Fighting Cybercrime

Researchers from Google and from six universities have conducted a study of a vast array of cybercrime data with the goal of developing strategies that have the potential to disrupt the supply chain upon which cybercrime depends. Rather than focusing only on the technical aspects of security, the study recommends tactics that make the costs of operating a cybercrime operation prohibitive. The study also recommends that tech companies collaborate with academics.

+ ABA Says Law Firm Breaches are Rising

Breaches of systems at US law firms are increasing, according to the American Bar Association’s (ABA’s) 2015 Legal Technology Survey. The most significant increases were observed at firms with 100 or more lawyers. Just five percent of respondents said the breaches they experienced required them to notify clients, and just three percent said they experienced breaches that compromised client data.


+Focus on Security Operating Systems and Firmware

The US government’s response to recent colossal data breaches has been to use more secure log-ons to protect data. Lawmakers are pushing for legislation that would ease threat information sharing between the public and private sector. Former CIA CISO Robert Bigman thinks the US may be focusing on the wrong areas. Speaking at the Billington Cybersecurity Summit last week, Bigman noted that those the country views as cyberthreats are concerned that the US will “get [its] act together on how to secure firmware and operating systems.”


+ 10 cutting-edge security threats

These 10 threats, bugs, and vulnerabilities serve as reminders that computer security goes well beyond the PC…

Crack the car; malware in the BIOS; malware that uses high-frequency sound; BadUSB, where a prospective malware distributor could modify the firmware on the flash drive (and provide a shock); WireLurker takes aim at Macs and iPhones; malware could potentially run on a PC’s graphics processor; connected home devices contain issues that could allow an attacker to compromise your privacy or security… and others.

+ Six cybersecurity questions every CEO should ask

At Boston forum, Raytheon’s top exec gives tips to start the cyber conversation…

How is the company managing risk?

Is everybody on board?

How secure are acquired companies?

How does the company protect personal information?

How much Internet traffic data does the company keep?

How does the company train employees?


+ China Tries to Extract Pledge of Compliance From U.S. Tech Firms

The Chinese government, which has long used its country’s vast market as leverage over American technology companies, is now asking some of those firms to directly pledge their commitment to contentious policies that could require them to turn user data and intellectual property over to the government.


+ Be careful in putting your cybertrust in Google, Microsoft and Apple

We have the natural tendency to believe that our data is safe with one of the “tech giants” — after all, they are the leaders in the field. But is that trust warranted?…


+ Insider Threats Responsible for 43% of Data Breaches

Among companies experiencing data breaches (and that is to say, a majority), internal actors were responsible for 43% of data loss, half of which was intentional, and half accidental…


+ Could this ex-NSA hotshot protect your email from hacking?

Will Ackerly was a tech whiz who grew concerned by the agency’s widespread snooping. He left and launched what just may be the best technology to shield your data from cyber-criminals — and government spying…


+ Social media can quickly take down your business if not monitored

Cyber intrusions have dominated news and media headlines the past few years…


+ A New Defense for Navy Ships: Protection from Cyberattacks

U.S. Navy is developing the Resilient Hull, Mechanical, and Electrical Security (RHIMES) system, a cyber protection system designed to make its shipboard mechanical and electrical control systems resilient to cyber attacks.


+ Feds Seek a Cyberattack Forecaster

Federal intelligence services are seeking a developer to create software that can predict cyber threats before they emerge.


+ Kaspersky And FireEye Security Products Cracked By Researchers

It is your software that is shown to be vulnerable and open to exploit — which is exactly what has happened to Kaspersky Lab and FireEye, two of the best known cybersecurity companies in the world.


2  +++++++


+ Prepare to Get Hit Warns FBI Cybercrime Boss

Speaking at Cloudsec London 2015, FBI supervisory special agent Timothy Wallach warned that tackling cybercrime would be an inevitability for all companies. “There’s an assumption among companies that ‘it won’t happen to me’,” began Wallach, who manages the FBI Seattle Division’s Cyber Task Force. But that attitude, he cautioned, was long outdated, with the frequency and magnitude of data breaches across the world indicating that no company is safe.


+ Microsoft Partners With NATO On EU Cybersecurity

At NATO’s annual cyber conference on Monday, Microsoft announced the signing of a Government Security Program (GSP) agreement with the NATO Communications and Information Agency (NCI Agency), a new step in a 12-year cybersecurity relationship between the two. The GSP was designed by Microsoft to help governments evaluate and protect existing systems, as well as to build and maintain more secure infrastructure, Microsoft said.


+ Popular Mobile Travel Apps Have Critical Security Issues: Report

Developers of mobile travel applications are more focused on features that boost the user experience than on ensuring increased security for their programs and customer data, a recent report from Bluebox Security reveals. According to the mobile security company, even the top 10 most popular mobile travel apps lack proper security, and all of the analyzed programs include critical flaws. The issues impact applications designed for popular mobile platforms including Android and iOS.


+Working Group Considers Ways to Access Encrypted Data

An Obama administration working group has come up with four possible approaches that tech companies could implement that would allow law enforcement to access encrypted data. Each of the methods could be implemented, but each also has shortcomings.


+ NSA Director Agrees that Encryption Key Copies Increase Likelihood of Breaches

During a Senate Intelligence Committee hearing on Thursday, September 24, NSA director Admiral Michael Rogers acknowledged that if the government holds encryption keys, there is a significantly higher risk of data breaches. Rogers was responding to a question from Senator Ron Wyden (D-Oregon).


+ Microsoft Word Intruder gets down to business: Operation Pony Express 

A malware toolkit that uses Microsoft Word as its delivery vehicle… The idea is to package malware inside a Word document in such a way that the file looks innocent, with no macros (Word program code)… The infection kit, known as Microsoft Word Intruder (MWI),


+ FTC v. Wyndham: ‘Naughty 9’ Security Fails to Avoid

The Federal Trade Commission’s fair trade suit against Wyndham hotels offers insight into the brave new world of cybersecurity regulation of consumer data…

1. Failed to employ “readily available” protections;

2. Stored sensitive payment card data in clear, readable text (i.e. unencrypted);

3. Failed to remedy “known security vulnerabilities” caused by using out-of-date operating systems, and failed to patch properly;

4. Used easily obtainable default log-in credentials on devices connected to the corporate network;

5. Failed to require complex passwords for access to the corporate network;

6. Failed to maintain an accurate hardware inventory of devices connected to the corporate network;

7. Failed to employ reasonable measures to detect and prevent unauthorized access to its computer network or to conduct security investigations;

8. Failed to follow proper incident response procedures;

9. Failed to adequately restrict third-party access to the corporate network “such as by restricting connections to specified IP addresses, or granting temporary or limited access”

+ Engineers, Ethics, and the VW Scandal

Volkswagen’s installation of a software “defeat device” in 11 million Volkswagen and Audi diesel vehicles sold worldwide has led to a massive vehicle recall in the United States and an official apology from the company’s now-ex CEO…


+ Healthcare sector 340% more prone to IT security threats

Cyber criminals are targeting healthcare organizations because of the rocketing black market value of personal medical data, says Raytheon Websense…

Healthcare Organizations Twice As Likely To Experience Data Theft

Bad guys very willing to invest in attacking medical data, but healthcare not very willing to invest in defending it.


+ The Secret Sauce to Fighting Cyber Attacks

As the war against cybercriminals and their devastating attacks wages on, a new weapon in the fight has emerged to help merchants better protect themselves and the privacy of their consumers: data…


+ The Top 10 Tips for Building an Effective Security Dashboard

Today, enterprises must grapple with a panoply of numerous and highly sophisticated threats…  We asked industry experts for their tips on what they recommend a powerful dashboard must have.


+ Pentagon Designing Cyber ‘Scorecard’ to Stay Ahead of Hackers

The U.S. Defense Department is building a massive, electronic system to provide an overview of the vulnerabilities of the military’s computer networks, weapons systems, and installations, and help officials prioritize how to fix them.


3  +++++++

+ 5.6 Million Sets of Fingerprints Stolen in OPM Breach

The Office of Personnel Management (OPM) now says that more fingerprint data were stolen than was first acknowledged. In an official statement, OPM press secretary Sam Shumach announced that the fingerprints of as many as 5.6 million people were compromised. That figure was initially estimated to be 1.1 million. A working group will be established to determine how the stolen data might be used in future attacks and what steps can be taken to prevent those attacks.


+ Kovter malware upgraded with Poweliks features

The security team at Symantec reported in a security response blog post that a new variant of Kovter malware is incorporating some characteristics of the Poweliks malware that broke onto the scene back in 2015. Tricks employed by Poweliks, which made a name for itself by being the first persistent, fileless, registry-based malware, are now being used by Kovter, which has been in the wild since 2013 and has continually evolved.


+ Thousands of iOS apps infected by XcodeGhost

The impact of iOS app developers unknowingly using a rogue version of the Xcode development tool is turning out to be greater than initially thought: early reports listed just 39 apps that had been trojanized with the tool, but security researchers have since identified thousands more.


+ iOS 9 hack lets strangers access photos and contacts from a locked iPhone

A hacker has found a new and relatively simple method to bypass the lock screen of an iOS device (an iPhone, iPad or iPod Touch) running Apple’s latest iOS 9 operating system, which could expose the device’s photos and contacts in 30 seconds or less, even if a passcode and/or Touch ID is enabled. The bypass relies only on Apple’s personal assistant, Siri.


+ New malware infects ATMs, dispenses cash on command

Security researchers have discovered a new malware program that infects automated teller machines (ATMs) and allows attackers to extract cash on command. The program is dubbed GreenDispenser and was detected in Mexico. However, it’s only a matter of time until similar attacks are adopted by cybercriminals in other countries, researchers from security firm Proofpoint said in a blog post.


+ Attackers install highly persistent malware implants on Cisco routers

Replacing router firmware with poisoned versions is no longer just a theoretical risk. Researchers from Mandiant have detected a real-world attack that has installed rogue firmware on business routers in four countries. The router implant, dubbed SYNful Knock, provides attackers with highly privileged backdoor access to the affected devices and persists even across reboots.


+ China-based Cyber Attacks On US Military Are ‘Advanced, Persistent And Ongoing’

A high-level hacking group dubbed Iron Tiger has been observed stealing trillions of bytes of confidential data from the United States government, US defense contractors and related companies in the United States and abroad.

+ Chinese promotion company hijacks Android devices around the world

A Chinese mobile app promotion company has created malicious adware that allows them to gain complete control of users’ Android devices…


+ Ransomware Risk from Over 140 Million Websites

Around 142 million legitimate websites could be serving up ransomware to their unwitting users due to out-of-date software, according to a new study.


+ Android 5 Bug Allows Attackers to Easily Unlock Password-Protected Devices

If you own a mobile device running any Android 5 version but the very last (v5.1.1) and you use a password to lock your device, you will want to update your OS or switch to a PIN or a pattern-based lockscreen.


+ No Patches Available for Flaws in Cisco Security Appliances

Cisco has revealed the existence of denial-of-service (DoS) vulnerabilities in several of its security products. Customers are advised to apply workarounds since software updates are not available for most of the issues.


—- Global Cyber events:


September 7

–Pentagon teams up with Apple, Boeing to develop wearable tech

U.S. Defense Secretary Ash Carter awarded $75 million on Friday to help a consortium of high-tech firms and researchers develop electronic systems packed with sensors flexible enough to be worn by soldiers or molded onto the skin of a plane. Carter said funding for the Obama administration’s newest manufacturing institute would go to the FlexTech Alliance, a consortium of 162 companies, universities and other groups, from Boeing (BA.N), Apple (AAPL.O) and Harvard, to Advantest Akron Polymer Systems and Kalamazoo Valley Community College.


–DoD implements stricter cyber incident oversights, cloud computing guidelines

The Defense Department Wednesday initiated two sets of policies to enforce stricter guidelines when dealing with the roughly 10,000 contractors the department trusts with offsite cyber information. One part of the interim rule, called “Defense Federal Acquisition Regulation Supplement: Network Penetration Reporting and Contracting for Cloud Services,” will amend the DFARS to include mandates passed in recent Defense funding bills for stricter contractor reporting rules on cyber incidents. According to the issuance, this is part of a greater effort to streamline contractor incident reports.


–FTC has power to police cyber security: appeals court

A U.S. appeals court said the Federal Trade Commission has authority to regulate corporate cyber security, and may pursue a lawsuit accusing hotel operator Wyndham Worldwide Corp of failing to properly safeguard consumers’ information. The 3-0 decision by the 3rd U.S. Circuit Court of Appeals in Philadelphia on Monday upheld an April 2014 lower court ruling allowing the case to go forward.


–Why industry groups are wary of stronger FTC cybersecurity oversight

With a federal appeals court this week reaffirming the Federal Trade Commission’s regulatory authority of data security practices, the question now becomes: Just how powerful will the agency become in overseeing matters of privacy and cybersecurity?  Congress is already considering several bills that could expand the role of the FTC to police corporate cybersecurity, and President Obama’s draft Consumer Privacy Bill of Rights Act would also give the agency more power over industry.


–State Dept. Wants Cybersecurity Playbooks

The US State Department is seeking information from industry experts to develop cybersecurity playbooks – “to clearly guide both offensive cyber operations and responses to cyberattacks.” The agency is offering a one-year paid contract for playbooks “suitable to provide clear direction and guidance for actionable information security operation activities.” Proposals will be accepted until September 11, 2015.  (see FBO RFI link below)

[Note: The most important characteristic of a playbook, in fact the one thing that determines its value, is a set of reliable and measurable indicators of performance on a key success factor. In other words, if the playbook works, what is the measurable security improvement that we get? Substantial amounts of money have been wasted paying federal contractors to deliver their “methodologies” when they have no reliable evidence that the implementation actually reduces risk.]


–New cybersecurity mantra: “If you can’t protect it, don’t collect it”

Black Hat is the somewhat more corporate sibling of the annual DEF CON hacker convention, which follows Black Hat. Since my first visit to both conferences in 2002, I’ve kept tabs on the themes expressed by computer security practitioners. This year I heard a new refrain: “If you can’t protect it, don’t collect it”…


–5 Growing Cyber-Security Epicenters Around the World

The recent hack of Ashley Madison reminds us just how vulnerable society is to cyber attacks. Big companies such as Target, Home Depot, Michaels, P.F. Chang’s and JP Morgan fell victim to data breaches in 2014, and the attacks have continued this year…

Silicon Valley,   Israel, New York City,  Boston, and London!


–The Art Of Deception: New Class Of Security Startups Use Decoys

As companies continue to get hammered by breaches, a clear gap in the effectiveness of many security portfolios becomes more evident with each attack. However, a new category of emerging security startups say they have the answer and are disrupting the threat detection space with what they call “deception” technology…


–DoD’s top secret smartphone expected in the fall

Government agencies have made significant strides in incorporating smartphones and tablets into their offices and missions, even at the Defense Department. But the caveat always has been that those devices could only be used for non-classified purposes. That’s changing…  the Defense Mobile Classified Capability-Secret (DMCC-S) is fully operational


–91% of cyberattacks begin with spear phishing email

So what to “DO” about it? — Stamp out corporate phishing impacts using your existing cyber suite!


–OPM (Mis)Spends $133M on Credit Monitoring

Krebs is right on… his “credit freeze” approach is THE way to go for all of us, data breach aside. After all, you already have all the credit sources you need: house, bank, credit card. SO stop all new attempts to start new ones from anywhere; “unfreeze” as needed, then redo it.

–Securing Yourself in the Wake of OPM, Anthem, and Target


–20 Questions for your Cyber-Coverage Insurance

VERY SOLID list of questions… use these!!!

–You Need an Innovation Strategy


–10 Critical Corporate Cyber Security Risks – A Data Driven List

Great top 10 list….  Blend these in with doing the SANS top 20 critical IA controls!


–The Biggest Security Threats We’ll Face in 2015

Nation state attacks, extortion, data destruction, continuing breaches (bank and 3rd party), critical infrastructure.


–A Security Wake Up Call for Chief Information Officers


–Study of CEOs Reveals Alarming CyberSecurity Trends

SO — What Every Company’s Board Must Know About Cybersecurity


–On a scale of one to 10, the risks law firms are facing are an 11


–Verizon DBIR App for Splunk Provides Actionable Security Intelligence for Enterprises


2  +++++++

–CEOs Failing to Grasp Information Security Risk

Despite a continuing string of high-profile information security breaches, many organizations’ leadership teams still have a very poor understanding of their own susceptibility to similar failures, asserts a research note from leading analyst Ovum.  In his frank analysis of the security sector, Ovum’s chief analyst for enterprise IT Tim Jennings believes that most businesses will have the appropriate security solutions in place, and can point to malware detection, firewalls, email security measures, identity and access management, security intelligence, and any number of other elements designed to militate against attack.


–Shadow IT Feeds ‘Man in the Cloud’ Attacks

Shadow IT — the use of unauthorized online services by company employees — is a concern of cyberwarriors charged with defending business systems against network attacks. There’s new evidence that those concerns are justified. A new attack vector on business systems leverages the synchronization features of services like Dropbox and Google Drive to perform malicious mischief, according to a report Imperva released earlier this month at the Black Hat Conference in Las Vegas.  The “Man in the Cloud” attack, as it’s called, involves making a simple change in configuration settings to turn services into a devastating criminal tool not detected easily using common security measures, the report explains.


–US Parents Concerned About Student Data Security

Some 87% of US parents are concerned about student data privacy and security in America’s K-12 schools, according to a survey by The Future of Privacy Forum. American parents worry that their child’s electronic education records could be hacked or stolen, the study shows. Consequently, 85% of parents said that their willingness to support the use of student data and technology in education must be coupled with efforts to ensure security.


–Symantec expands to IoT protection as part of new strategy

As Symantec prepares to become a pure information security firm again by spinning off its storage division, it has added protection for the internet of things (IoT) to its product portfolio. The move is part of a strategy to simplify the task of information security professionals in defending businesses against increasingly sophisticated threats across fixed, mobile and cloud environments.


–Alibaba adds artificial intelligence capability to its cloud offerings

Alibaba’s cloud computing business is hoping to attract enterprise customers with a new artificial intelligence service designed for data mining and analysis. On Tuesday, the Chinese e-commerce giant announced DT PAI, a platform designed to comb through a client’s data and analyze it for useful information. The service could help companies find key trends within their customer data, or even recommend goods to users, according to Alibaba.


–Latest security flaw to destroy all business? ‘Sanity check’ your cybercrime statistics

The difficulty telling fact from fiction in cybercrime news has been getting worse over the past few years. For decision makers, this means a “sanity check” on reported stats should be in your everyday toolkit…

–Hackonomics: A First-of-Its-Kind Economic Analysis of the Cyber Black Markets


–6 ways to become more resilient to cyber-security threats

They are: prioritize data / information; OST / threat intel; security policies and monitoring of them; test all key controls; update the board, C-suite and line managers periodically; share information (similar-sector security officers, ISAC, etc.)


–Self-Hacking: Corporations Start Thinking Like Criminals

How do companies defend their assets against cybercriminals?  (aka, ethical hacker for the company good)

–Warning! Seagate Wireless Hard Drives Have a Secret Backdoor for Hackers


–Hands Off! NIST Helps Bring Contactless Fingerprint Technology to Market

Quickly moving through security checkpoints by showing your hand to a scanner seems straight out of science fiction, but the National Institute of Standards and Technology (NIST) is working with industry to bring fast, touchless fingerprint readers out of the lab and into the marketplace…


–Demand for jobs high in cyber security (great statistics)


–Black Hat 2015 attendees concerned about endpoint risks


–Back To Basics: 10 Security Best Practices


–OUR article on

–Stealing Data By ‘Living Off The Land’

Hackers latest tactic involves a malware-free attack using a company’s own system credentials and admin tools to gain access…


–Advanced Threat Detection Buying Guide

Advanced threat detection offers a more proactive approach to enterprise security than traditional perimeter defenses…


–Bridging the Gap in Third-Party Breaches (vendor risk management!)


–Ashley Madison Breach: 6 Essential Lessons

You know these!!!

1. Identify and Safeguard Sensitive Data

2. Secure Passwords

3. Collect / Store Less Data

4. Honor Promises / appropriate due diligence to protect data

5. Secure the Supply Chain

6. Talk to Customers (have the communications channel open before a breach!)


–Why a Vendor Scorecard Is Just One Piece of the Risk Management Pie

Vendor scorecard:


3  +++++++

–Scanner identifies thousands of malicious Android apps on Google Play, other markets

A team of researchers have created an app vetting scanner referred to as “MassVet,” and they used it to identify more than 127,000 potentially harmful applications (PHA) in more than 30 Android markets – including Google Play.  In their whitepaper, “Finding Unknown Malice in 10 Seconds: Mass Vetting for New Threats at the Google-Play Scale,” the researchers explained how they used MassVet to evaluate more than 1.2 million Android apps from 33 app markets around the world.


–Unmanaged Apple Devices ‘a Liability’ for Corporations

Lack of encryption and weak or shared passwords on Apple devices in the workplace are exposing sensitive corporate and customer information, says research from identity protection specialist Centrify Corporation. The survey of 2,249 US workers, conducted by Dimensional Research, found fundamentally that while people widely use Apple devices for work, the lack of security and management of those devices is opening up companies to significant liabilities.


–DDoS Attacks Rising and Getting More Targeted

Verisign’s latest quarterly DDoS Trends Report, looking at the three months to June 2015, has found a noticeable rise in distributed denial of service (DDoS) attacks, with finance, and especially Bitcoin, a particular focus. Verisign also noted a continued upward trend in the number of attacks in Q2 and mitigated 34% more attacks in the first half of 2015 than in the first half of 2014. IT services/cloud/SaaS customers experienced the largest volume of attacks in Q2, representing over a third of all attacks.


–Tor Increasingly Used by Malicious Actors: IBM

The Tor network, created with support from the U.S. government, is often used by journalists, activists, and whistleblowers to protect their identities and their communications. However, the anonymity network is also utilized by intelligence operatives, cybercriminals and other malicious actors. The use of Tor for malicious purposes has increased over the past period with millions of malicious events originating from Tor exit nodes every year. According to IBM, roughly 180,000 malicious events originated from United States exit nodes between January 1 and May 10, 2015.


–Android Ransomware Communicates Through XMPP

Ransomware called Simplocker targets Android devices by pretending to be a legitimate version of Flash or of a video player in app stores. The malware encrypts the smartphone’s contents. Some victims get a message telling them they must pay the NSA a fine if they want their files back. Simplocker uses Extensible Messaging and Presence Protocol (XMPP) to communicate with its creators; because the communication looks like normal instant messaging traffic, it is more difficult for security tools to detect.


–Baby Monitors May Be Vulnerable to Hackers, Report Finds

Baby monitors offer the convenience of live-streaming videos of children straight to their parents’ smartphones and tablets. But a new report warns that the children’s parents might not be the only ones watching. The report, released Wednesday by tech security firm Rapid7, put nine different Internet-connected baby monitors to the test. Of the nine kinds of baby monitors tested, one received a grade “D” and the other eight monitors received grades of “F.”


–Could hackers take down a city?


–Minimize Your Exposure to Hackers: Steps to Protect Your Mobile Device

See what ZAP has to say about your favorite mobile app!


–Hacking For Cause: Today’s Growing Cyber Security Trend


–WHO is an Insider Threat?  Some decent views / points!


–The 7 ‘Most Common’ RATS In Use Today


—-  Global  Cyber events:




August 10

+ BLACK HAT Briefs …and… associated white papers (all PDFs)

Could not get there this year?  You can pick up some of the key points with these presentations, papers!!!

AND… the black hat attendee survey….’time to rethink enterprise IT security???


+  DEFCON 2015 briefs (enter at your own risk…;-))

If you intend to peek at code, I would recommend a Chromebook or opening in a separate partition on your HD… you KNOW the drill for these folks…;-))

+  Report: Russia hacked Pentagon’s Joint Staff email

Russia is behind a spearphishing attack that forced the Pentagon to shut down its Joint Staff unclassified email system, NBC News is reporting. The hack, which took place around July 25, affected approximately 4,000 military and civilian personnel, NBC News reported. The news outlet cited U.S. officials who called the intrusion a “sophisticated cyberattack.” Pentagon officials have kept the system offline for almost two weeks. According to the NBC report, the cyberattack used a very fast-paced automated system that collected large amounts of data from the email accounts then distributed it to thousands of other accounts.

+ Russia hacks Pentagon computers: They should be better protected than OPM???         

Really scary part.      “…Automated process to steal massive amounts of data and distribute to thousands of Internet points in a few minutes. ..”    So we all know the value of a balanced cyber posture, as many know it’s the first few hours (now minutes!) of an attack we must detect then thwart.. (even as we know the average data breach takes 200 days to get reported by a third party…:-((     Must speed up the front end of the cyber kill chain.. detect (I&W) with multiple methods… then defend!

+ ‘New and different vulnerability’ exploited in Joint Staff email hack

A spear phishing attack into the unclassified email of the Pentagon’s Joint Staff “exposed a new and different vulnerability” than has been seen in the past, a senior Defense official told CNN on Wednesday. For more than 10 days, some 4,000 users on the Defense Department network have been without their email while military cyber experts have tried to scrub and rebuild the network. Spear phishing attacks are emails to employees that dupe them into giving up their network credentials. Military cyber experts have concluded the attackers were specifically targeting the Joint Staff, hoping to learn what they could from the unclassified email network.


+ 0-day attack on Firefox users stole password and key data: Patch now!

A website in Russia has been caught exploiting a serious zero-day vulnerability in Mozilla’s Firefox browser, prompting the open-source developer to deliver an emergency update that fixes the flaw. The bug in a built-in PDF reader allowed attackers to steal sensitive files stored on the hard drives of computers that used the vulnerable Firefox version. The attack was used against both Windows and Linux users, Mozilla researcher Daniel Veditz wrote in a blog post published Thursday. The exploit code targeting Linux users uploaded cryptographically protected system passwords, bash command histories, secure shell (SSH) configurations and keys. The attacker downloaded several other files, including histories for MySQL and PgSQL and configurations for Remmina, Filezilla, and Psi+, text files that contained the strings “pass” and “access” in the names. Any shell scripts were also grabbed.


+U.S. decides to retaliate against China’s hacking

The Obama administration has determined that it must retaliate against China for the theft of the personal information of more than 20 million Americans from the databases of the Office of Personnel Management, but it is still struggling to decide what it can do without prompting an escalating cyberconflict. The decision came after the administration concluded that the hacking attack was so vast in scope and ambition that the usual practices for dealing with traditional espionage cases did not apply.


+ Researchers create first firmware worm that attacks Macs

The common wisdom when it comes to PCs and Apple computers is that the latter are much more secure. Particularly when it comes to firmware, people have assumed that Apple systems are locked down in ways that PCs aren’t. It turns out this isn’t true. Two researchers have found that several known vulnerabilities affecting the firmware of all the top PC makers can also hit the firmware of Macs. What’s more, the researchers have designed a proof-of-concept worm for the first time that would allow a firmware attack to spread automatically from MacBook to MacBook, without the need for them to be networked.


+ Sea-to-sea: China hacks in U.S.

A National Security Agency map that shows nearly 700 cyber-assaults on computers at American military installations, government agencies, businesses and educational institutions raises the question among security experts of whether the NSA should have shared some of that information. The NSA map, from 2014 and obtained by NBC News, purports to show the Chinese government’s massive cyber-assault on all sectors of the U.S. economy, including major firms such as Google and Lockheed Martin, as well as the U.S. government and military. Red dots representing more than 600 corporate, private or government sites can be seen on the map, with many of the dots concentrated along the northeast corridor and Silicon Valley. The highest number of attacks were in California.


+ Federally funded project focuses on tracking data to prevent advanced persistent threats

The Defense Advanced Research Projects Agency and the Air Force Research Laboratory are seeking greater insight into how data are tracked between computers, Internet hosts and browsers with the intention of detecting and stopping advanced persistent threats. To that end, the Georgia Institute of Technology announced June 30 that it was awarded a $4.25 million contract from the two agencies in a four-year project called “THEIA” to discover exactly where data moves as it’s routed from one host to another and if, for example, malicious code is attached to that data.


+ Survey exposes consumer fears about car hacking

Recent high-profile hacks have heightened awareness about the vulnerability of cars to electronic attacks, and there is real concern about vehicle cybersecurity, according to Kelley Blue Book’s new Vehicle Hacking Vulnerability Survey. The study’s results show that 71 percent of respondents are aware of the Jeep Cherokee hacking revealed last month by Wired, an incident that triggered the recall of over 1.4 million cars and trucks. The study also notes that more than three-quarters of respondents believe vehicle hacking will become a frequent problem within the next three years. The wide-ranging survey also investigated who consumers blame for these potential security issues, as well as how consumers would like these cyber-vulnerabilities handled.


+ Apple and Google know what you want before you do

Apple Inc. and Google Inc. are racing to anticipate the needs of their users. The technology giants, whose software runs nearly all of the world’s smartphones, are adding features to deliver information before users ask for it. Their moves suggest that smartphones will evolve into devices that dispense information unprompted. The companies are tackling the technology differently, reflecting their own expertise and priorities. Apple’s Proactive Assistant, a feature of its forthcoming iOS 9 software, aims to learn how a user will behave from information stored on an iPhone. By contrast, Google Now combs data from a universe of online services and searches.


+ Is hacking back a cyber-theft deterrent option?

A new report from the Hudson Institute on economic espionage in cyberspace reflects a shifting conversation in Washington from passive to proactive cyber defense – to the point of suggesting that an “Economic Warfare Command” be set up at the Treasury Department for using offensive coercion against adversaries. Cyber economic warfare is the pursuit of political and security goals through “cyber-enabled economic aggression,” and “in this type of warfare, the United States is particularly vulnerable,” said Samantha Ravich… (NOT unless you are the LAW!)


+ VA launches cyber squad

LaVerne Council, the new CIO at the Department of Veterans Affairs, has assembled a team charged with coming up with an overall cybersecurity plan for the agency. The new Enterprise Cybersecurity Strategy Team will be led by Susan McHugh-Polley, a senior executive program manager at VA. The team includes executives and subject matter experts from across the VA’s Office of Information and Technology. “The team’s scope includes management of current cybersecurity efforts as well as development and review of VA’s cybersecurity requirements and operations holistically — from desktop to software to network protection,” a VA spokesperson told FCW.


+ Dream of free and open Internet dying, lawyer says

The dream of a free and open Internet is slowly being killed by overregulation, censorship and bad laws that don’t stop the right people, a top computer crime defense lawyer says. The annual Black Hat computer security conference in Las Vegas kicked off Wednesday with a keynote address from Jennifer Granick, director of Civil Liberties at the Stanford Center for Internet and Society. Granick said that while the Internet needs to be reasonably safe in order to be functional, it’s no longer the revolutionary place it was 20 years ago.


+ Flash zero-day weaponized in record time

The speed with which attackers are weaponizing zero-day vulnerabilities in the wild has been essentially cut in half. New research at Black Hat 2015 from Malwarebytes Labs shows that after Hacking Team, an Italian security company specializing in offensive technology, was compromised, their trove of zero days was leaked to the Internet, including several for Adobe’s Flash Player. The zero days were previously unknown, but were accompanied by clear and concise instructions to deploy them. As a consequence, exploit kit makers integrated them into their digital weapons in record time.


FYI –  Comprehensive, overall Enterprise Mobile Security paper covers key enterprise concerns and mitigation recommendations – plus a specific phone set-up guide.  It’s an extensive overview of the mobile security space, threats, capabilities needed, etc… adding in a guide in the appendix for users and corporate.

It’s pretty useful as is, where we’re looking for folks to help finesse and more widely publish it – interested?


+ This Man Implanted A Chip In His Arm To Hack His Way Into Buildings

Don’t get squeamish… there are a lot of stealthy reasons he did it, and criminals will do it too..


+ GE To Offer Industrial Data Analytics in the Cloud

Very nice way to get a PaaS solution to run all your IoT “big data / predictive / forensics ” efforts!!


+ Russia, China And United States Engage In Cyber War

“Cyber WAR” is too fuzzy to have anyone other than the LAW, FBI, CIA etc do “it” –  great overviews though


+ Study Reveals the Most Common Attack Methods of Data Thieves


+ Why every CIO needs a cybersecurity attorney (and cyber insurance!)


2  +++++++

+ Organizations should focus on data sharing post-incident, not attribution

There have been several notable security incidents in the news this year, from healthcare and retail breaches, to financial; even security firms themselves have been targeted. In each instance, attribution seems to take the lead during incident response, something organizations should resist. The key is collecting the right information and passing it on to the right people. When it comes to figuring out who did it and where they are, authorities are the ones who should take the lead – organizations that focus on this area first are wasting resources and time.


+ Feds months away from broader cybersecurity ‘sprint’ strategy following OPM breaches

More than two weeks after the so-called “cybersecurity sprint” wrapped up, resulting in some improved protections across federal agencies, the government is working on an overarching strategy that’s still months away. In a July 31 blog post, Federal Chief Information Officer Tony Scott wrote that a team of more than 100 experts from across the government and private sector are reviewing federal cybersecurity policies, procedures and practices. “Ultimately, the team’s assessment will inform and operationalize a set of action plans and strategies to further address critical cybersecurity priorities and recommend a Cybersecurity Sprint Strategy and Implementation Plan to be released in the coming months,” he wrote.


+ Russian cyber underground goes from strength to strength

The Russian cybercrime underground has evolved to a new level of sophistication and professionalism, with enhanced features such as automation to accelerate sales, as well as translation and anti-spam proof services. That’s according to Trend Micro’s third report on the country, Russian Underground 2.0, which tracked and analyzed 78 forums – each with as many as 20,000 unique members. It claimed that traffic-related products and services – like traffic direction systems (TDSs) and pay-per-install (PPI) services – are “the cornerstone of the entire Russian malware industry” because they provide both an increased number of victims and useful C&C information for targeted attacks.


+ Shellshock flaw still actively exploited:

Shellshock, the Bash bug disclosed in September 2014, is still being exploited by threat actors, according to a report from Solutionary’s Security Engineering Research Team (SERT). While 10 months should have been enough time for organizations to ensure that they are protected against Shellshock attacks, researchers discovered that there are still numerous vulnerable systems and malicious actors are making the best of it. Data collected by Solutionary in the second quarter of 2015 shows that attackers have found new ways to exploit the Shellshock vulnerability, they have adapted their techniques in an effort to bypass intrusion prevention systems, and they have learned to rapidly extend successful compromises.


+ 7 cybersecurity questions to expect after the OPM breach

The OPM data breach has resulted in considerable “armchair quarterbacking” from government and industry, and already prompted the resignation of OPM Director Katherine Archuleta. While identifying parties, policies and practices responsible for cybersecurity breaches is an understandable part of the post-mortem process, it is more important to learn from recent events and encourage dialog that may result in sound choices in the future for information assurance in major computer systems. The depth and breadth of the OPM breach was a punch to the gut that should fuel a round of introspection and questioning, even for agencies with sophisticated cybersecurity programs in place. And to ensure your organization is not next in the limelight for all the wrong reasons, the answers to these questions must be the right ones.


+ White House preps new cyber policy dealing with federal contractors

The Obama Administration is preparing to release a new policy to homogenize the way vendors secure agency data. The proposal, which could be published as early as today, follows hacks at two background checkers and the Office of Personnel Management that potentially compromised the security of personnel who handle U.S. secrets. “The increase in threats facing federal information systems demand that certain issues regarding security of information on these systems is clearly, effectively, and consistently addressed in federal contracts,” states a notice scheduled to be posted Thursday in the Federal Register.


+ CYBERCOM wants secretive cyber arms dealer to hack Pentagon

The protection arm of the U.S. Cyber Command says it needs products from Endgame, a company known for crafting hacking tools, but purely to safeguard military networks. The once uber-secretive vendor is part of the cyber arms trade, a legal but controversial industry that sells governments so-called exploits, or “zero-days” in information security parlance. Endgame’s traditional goods are tailored to find and exploit bugs in software that developers have not discovered yet. Typically, the malware is deployed to help disrupt or tap an adversary’s systems. The tools for Cyber Command “cyber protection teams,” however, will not be used to attack adversary networks, but rather to find weaknesses in the dot-mil domain, according to the Air Force, which is managing the purchases.


+ Can FITARA prevent future cyberattacks?

The Federal Information Technology Acquisition Reform Act – which aims to give agency chief information officers more authority over their IT budgets – could help CIOs eliminate outdated technology vulnerable to cyberattack, according to a group of federal IT leaders. “A lot of CIOs are getting called into the [deputy secretaries’] offices and they’re getting asked, ‘Is what happened to OPM going to happen to us?’,” the Government Accountability Office’s Director of IT Management Issues David Powner said during a panel Tuesday in Washington on agile IT development.


+ Why banks are turning to tokenization to protect cloud data

Of all the sensitive data moving into the cloud, banking information may be the most precious, which is probably why financial institutions are increasingly looking at tokenization as a way to fend off cybercriminals, recent research suggested. California-based vendor CipherCloud released its “Q2 2015 Global Cloud Data Security Report,” which indicated that tokenization is used by 68 percent of the 50 banks surveyed, particularly for personally identifiable information (PII). It’s a technology that safeguards data by taking something like a bank card number and substituting a randomly generated figure of the same length for it. That way, even if cybercriminals compromise data in the cloud, it will be nearly impossible for them to use it.
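The tokenization approach described above, as an added Python illustration (not code from the article or from CipherCloud): a minimal in-memory token vault that swaps a card number for a random digit string of the same length and keeps the mapping only inside the vault, so a leaked token is useless without vault access. Rejecting tokens that pass the Luhn check, so a token can never be mistaken for a real card number, is a common practice the article does not mention, and the sample card number is a constructed test value.

```python
import secrets
from typing import Dict


def luhn_valid(digits: str) -> bool:
    """Return True when a digit string passes the Luhn check used by real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Vault-based tokenization: a card number (PAN) is replaced by a random
    digit string of the same length. The PAN-to-token mapping lives only in the
    vault; the token itself carries no information about the original number.
    Minting only Luhn-invalid tokens (assumption, not from the article) keeps a
    token from ever being mistaken for a real card number downstream."""

    def __init__(self) -> None:
        self._token_for_pan: Dict[str, str] = {}   # constructed in-memory store
        self._pan_for_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, minting one on first use (stable per PAN)."""
        if not pan.isdigit() or not 12 <= len(pan) <= 19:
            raise ValueError("PAN must be 12-19 digits")
        existing = self._token_for_pan.get(pan)
        if existing is not None:
            return existing
        while True:
            # Same length as the PAN so downstream schemas need no change.
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan)))
            # Reject collisions and anything that looks like a real card number.
            if token not in self._pan_for_token and not luhn_valid(token):
                break
        self._token_for_pan[pan] = token
        self._pan_for_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Resolve a token back to its PAN; only the vault can do this."""
        try:
            return self._pan_for_token[token]
        except KeyError:
            raise KeyError("unknown token") from None


def demo() -> dict:
    """Tokenize a constructed test card number and report what a downstream
    system sees versus what the vault alone can recover."""
    vault = TokenVault()
    pan = "4111111111111111"          # constructed sample PAN, not a real card
    token = vault.tokenize(pan)
    return {
        "pan": pan,
        "token": token,
        "same_length": len(token) == len(pan),
        "token_is_luhn_valid": luhn_valid(token),
        "stable": vault.tokenize(pan) == token,
        "round_trip": vault.detokenize(token) == pan,
    }


if __name__ == "__main__":
    print(demo())
```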


+ Internet firms to be subject to new cybersecurity rules in EU

Internet firms such as Cisco, Google and Amazon will be subject to a new EU cybersecurity law forcing them to adopt tough security measures and possibly report serious breaches to national authorities, according to a document seen by Reuters. The so-called Network and Information Security Directive has been stuck in talks between member states and EU lawmakers because of disagreements over whether to include digital platforms such as search engines, social networks, e-commerce sites and cloud computing providers. Members of the European Parliament want the law to only cover sectors they consider critical, such as energy, transport and finance.


+ Secure SDLC – building in software security

Resources to build your SW / apps store much more securely (BTW, working on a best practices / how to paper for this – anyone want to join us?)

AND the Software Assurance Maturity Model (SAMM)


+ Greenbelt-based MOOC platform offers free cybersecurity courses


3  +++++++

+ HTML5 privacy hole left users open to tracking for three years

A feature of HTML5 that allows sites to detect battery life on a visitor’s device can also be used to track behavior, a piece of research has revealed. Analysts from France and Belgium made the discovery while investigating the battery power API, used on Firefox, Chrome and Opera. “Our study shows that websites can discover the capacity of users’ batteries by exploiting the high precision readouts provided by Firefox on Linux,” the authors write in a paper published online, having focused their efforts on Mozilla’s browser. “The capacity of the battery, as well as its level, expose a fingerprintable surface that can be used to track web users in short time intervals.”


+ Researcher says can hack GM’s OnStar app, open vehicle, start engine

A researcher is advising drivers not to use a mobile app for General Motors Co’s OnStar vehicle communications system, saying hackers can exploit a security flaw in the product to unlock cars and start engines remotely. “White-hat” hacker Samy Kamkar posted a video on Thursday saying he had figured out a way to “locate, unlock and remote-start” vehicles by intercepting communications between the OnStar RemoteLink mobile app and the OnStar service. Kamkar said he plans to provide technical details on the hack next week in Las Vegas at the Def Con conference, where tens of thousands of hacking aficionados will gather to learn about new cybersecurity vulnerabilities.


+ HAMMERTOSS malware represents culmination of ‘best practices’ for cyber attackers

In only a year, a Russian Advanced Persistent Threat (APT) group has proven to exemplify the future of cyber threats. It’s only a matter of time, FireEye researchers warned, until the group’s tactics make their way over to the cybercrime underworld. The group, known as APT29, uses a new malware called HAMMERTOSS to maintain a covert presence in victims’ systems, FireEye wrote in its report on the malware. Often times, the company’s staff told, the malware is used as a last effort, or “the big gun,” when other tools cease working.


+ Black Vine espionage group attacked aerospace, energy, healthcare industries

Symantec has been monitoring the activities of the cyber espionage group that breached health insurance giant Anthem last year. Researchers say Anthem is just one of the threat actor’s many high profile targets. The personal details of 80 million individuals were compromised in the Anthem breach that came to light in February. Following the incident, researchers determined that the attackers were linked to Topsec, a Beijing-based IT security company with ties to the Chinese People’s Liberation Army (PLA). According to Symantec, the cyber espionage group behind the Anthem hack, which the company calls “Black Vine,” has been active since 2012. The group has relied on custom-built malware, zero-day exploits, and watering hole attacks to target organizations in the aerospace, healthcare, energy, military and defense, finance, agriculture, and technology industries.


+++  SD/SoCAL security events / opportunities +++

+ CyberTECH events / networking / startups / etc  —  THE cyber happening place in SD!!! 

Join their Meetup Group for the latest event information!   The definition of “Cyber KEWEL”



13 – ISC2 –  6PM –  Care Fusion – Cyber Security In Healthcare: Just What The Doctor Ordered?  David Scott.

Location – BAH (Suite 200)  4055 Hancock Street, San Diego, CA 92110 USA

20 – ISACA – noon –  Running InfoSec for America’s Finest City – Gary Hayslip – Coleman University

20 – OWASP –  6PM –  Joel Weinberger from Google  (at Qualcomm)

27  – ISSA – (4th Thurs at 11:30)  – ‘Cybercrime: Operational Risk or Overblown Threat’    Stephen Cobb

(at ADM Baker field clubhouse)


—-  Global  Cyber events:


August 2

+ Mobile security paper –key enterprise concerns and mitigations, plus set-up guide

We developed an extensive overview of the mobile security space, adding in a guide for users and corporate

It’s useful as is, we think, where we’re looking for folks to help finesse and more widely publish it – interested?


+ Chinese Information Dominance: Encircling America with Weaponized Technology

A very good view of our formidable adversary. .   (In addition to the Russian criminals..  ISIS… and other terrorists..)… PRC’s  key fronts..  already flanking us big time.. in case you needed more proof…:-((


+ Car hacking: Security experts caution automakers on greater need for cybersecurity

New cars carry more interlinked computing systems than a typical small business. Buried under hoods and behind touchscreen control panels, microprocessors run by millions of lines of code operate an array of crucial functions, from brakes and steering to headlights and horns. Automakers are constantly adding more features, processors and software. This new era in the evolution of motorized transport seems like a win-win situation for all. Most consumers embrace the technologies, and automakers welcome the bigger profit margins that teched-out cars provide. But cybersecurity experts warn: Not so fast.


+ Software vulnerabilities hit record high in 2014, report says

How safe is the software you use? Do you have a system in place to identify vulnerabilities and patch them when they are discovered? How quickly do you react to vulnerability reports? There’s evidence that software vulnerabilities are on the rise, and few companies are taking the necessary action to combat them. There was some worrying news in the recent Secunia Vulnerability Review 2015. The number of recorded vulnerabilities hit a record high of 15,435 last year, up 18% from 2013. The vulnerability count has increased 55% in the last five years. The report also found a rise in the number of zero-day vulnerabilities with 20 being uncovered in the 50 most popular programs. These are vulnerabilities that have already been exploited by hackers before being made public or being patched.


+ Here’s what your stolen identity goes for on the Internet’s black market

The going rate for a stolen identity is about twenty bucks. Tens of millions of people have lost their private information in data breaches over the past few years. But what happens after that (how the data are leveraged for financial gain) remains murky. Many of those stolen records end up for sale on the anonymous, seedy area of the internet commonly known as the dark web. Analyzing the sale of those records sheds some light on the vibrant market for stolen identities. On the dark web’s eBay-like marketplaces, the full set of someone’s personal information (identification number, address, birthdate, etc.) is known as “fullz.” We analyzed listings for individual fullz that were put up for sale over the past year, using data collected by Grams, a search engine for the dark web. Our question: How much is a stolen identity worth?


+ DHS Secretary: I ‘probably’ should have stopped using Gmail sooner

Department of Homeland Security Secretary Jeh Johnson yesterday confirmed that he and 28 senior staffers have been using private web-based email on work computers for the last year.  Private email was banned from DHS computers in April 2014, after Office of Personnel Management (OPM) computers were breached. Now that he’s been caught by media for bending the rules, Johnson said that he plans to use his smartphone to access his personal Gmail account from now on. Speaking at a Politico event, Johnson said that he had obtained a waiver from DHS’ chief information officer to continue accessing webmail from work.


+ Flash zero-day monster Angler dominates exploit kit crime market

SophosLabs researcher Fraser Howard says the Angler exploit kit is dominating the highly-competitive underground malware market, exploding from a quarter to 83 percent of market share within nine months. The blitzkrieg occurred between September and May this year. Angler emerged in 2013 to become one of the most capable exploit kits. Like its rivals, the code is designed to be an all-in-one ram-rod hacking package that web scum can use to get their malware, ransomware, and other net nasties past user machine defenses.


+ IARPA funds program to predict next wave of cyberattacks

To date, cybersecurity has largely been reactionary – stopping infiltrators before they can do too much damage to a system. A new initiative from the Intelligence Advanced Research Projects Agency is trying to get ahead of the next attack by combining traditional security techniques with information culled from unconventional sources to block currently unknown threats. The Cyberattack Automated Unconventional Sensor Environment (CAUSE) is a framework for coupling known threat indicators – whether internal or through shared information environments – with external information sources such as social media and search engine trends.


+ Facebook just lost a search warrant fight, and that’s bad news for privacy

In a setback for privacy advocates, an appeals court on Tuesday ruled that law enforcement can order tech companies to hand over data on hundreds of users in one swoop – and the companies can’t challenge the warrant or even warn users about the search. The case in question involves an investigation by New York prosecutors into state employees who scammed the disability system. The investigation, which saw 134 people indicted, was partly based on scanning Facebook for posts that showed the employees doing sports or other physical activities.


+ Google Maps’ new ‘Your Timeline’ feature helps you track your travel history

Google is rolling out a new “Your Timeline” feature for Maps over the coming weeks that is certain to thrill some folks and horrify others. The feature allows you to view your entire location history on Google Maps based on data pulled from your devices when signed in to your Google account. Google calls Your Timeline “a useful way to remember and view the places you’ve been on a given day, month or year.” You can already view your location history by diving into the My Account dashboard for your Google account. The difference now is that it will be available in a more user-friendly manner right from the Google Maps menu on the desktop or Android.

+ Neiman Marcus case a reminder to check your cyber coverage

It’s a decision that should send major corporations to double-check their cyberinsurance… a federal appeals court ruled Monday that retail customers could go ahead and file a class-action lawsuit against Neiman Marcus in the wake of last year’s data breach. Previously, such cases were dismissed because the customers hadn’t suffered any actual damages.

+  Will the Real Victim Stand Up?

Class action suits over data breaches continue to be met with conflicting results — but what effect does this have on corporations’ responsibility for consumer data protection?…


+ More Than a Third of Employees Willing to Sell Private Company Data and IP

Clearswift survey confirms that organizations must have data protection policies in place that safeguard against both malicious and inadvertent insider threats…


+ Security awareness to benefit from government incentives, says former GC of Verizon

Pricey government fines will force management to think security…


+ State of Application Security Report At-A-Glance

The illegal reproduction and distribution of copyrighted material on the Web is extensive and growing rapidly…


+ Beware the Internet of Things — it’s early, security sucks and the C-Suite doesn’t care

The Internet of Things is one of those buzzphrases that sets all sorts of unrealistic expectations. There are other concerns though, many of which hinge around security…


+ Cybersecurity Technology Integration Changes Everything

Based upon current and future cybersecurity technology integration trends, CISOs are adjusting budgets, organizations, skills, and vendor choices. Even industry analysts are impacted by cybersecurity technology integration…


+ Best Practices to Protect You, Your Network, and Your Information

During NCCIC’s recent work, following best practices proved extremely effective in protecting networks, the information residing on them, and the equities of information owners. Cybersecurity is a risk management issue. Our experience demonstrates that individuals and organizations may reduce risk when they implement cybersecurity best practices


+ The First 24 Hours In The Wake Of A Data Breach

There is a direct correlation between how quickly an organization can identify and contain a data breach and the financial consequences that may result.


+ Wearable health technology and HIPAA: What is and isn’t covered


+ Cyber-boom or cyber-bubble?

Internet security has become a bigger export earner than arms…


+ Stagefright Android Bug: ‘Heartbleed for Mobile’ But Harder To Patch

Critical vulnerability in Android’s multimedia playback engine is easy to exploit, requires NO user interaction, and affects 95 percent of Android devices. Just text their phone!!


+ Startup ‘Stealth Worker’ Matches Businesses With Security Talent

New online service helps businesses looking for part-time security professionals fill specific job needs…


2  +++++++

+ Bill would mandate agencies use Einstein program

Could a change to federal law help prevent breaches such as those at the Office of Personnel Management that exposed the private information of more than 22 million individuals? Sen. Ron Johnson thinks so. Johnson, the South Dakota Republican who chairs the Senate Committee on Homeland Security and Governmental Affairs, and the panel’s ranking Democratic member, Tom Carper of Delaware, introduced on July 27 the Federal Cybersecurity Enhancement Act of 2015, which would require federal agencies to implement the government’s Einstein intrusion protection program.


+ What federal employees really need to worry about after the Chinese hack

A new government review of what the Chinese hack of sensitive security clearance files of 21 million people means for national security is in – and some of the implications are quite grave. Covert intelligence officers and their operations could be exposed and high-resolution fingerprints could be copied by criminals, the Congressional Research Service disclosed in an analysis of one of the most harmful cyber thefts in U.S. history. Since the breach was disclosed in June, the response to the compromised background investigation files and a separate intrusion into personnel data of 4.2 million people has focused mainly on the risk of identity theft.


+ How the way you type can shatter anonymity – even on Tor

Security researchers have refined a long-theoretical profiling technique into a highly practical attack that poses a threat to Tor users and anyone else who wants to shield their identity online. The technique collects user keystrokes as an individual enters usernames, passwords, and other data into a website. After a training session that typically takes less than 10 minutes, the website (or any other site connected to the website) can then determine with a high degree of certainty when the same individual is conducting subsequent online sessions. The profiling works by measuring the minute differences in the way each person presses keys on computer keyboards. Since the pauses between keystrokes and the precise length of time each key is pressed are unique for each person, the profiles act as a sort of digital fingerprint that can betray its owner’s identity.


+ Daimler says hacking concerns drive Nokia maps bid

Daimler Chief Executive Dieter Zetsche said a desire to have better control over data security was one of the reasons Mercedes was bidding for Nokia’s high-definition mapping business. In a call to discuss second-quarter results, Zetsche was asked whether he was concerned about hacker attacks on Mercedes-Benz cars. “You can see from reading the papers that we are trying to acquire a platform together with our German competitors, to gain control over the platform which enables autonomous driving, for exactly these reasons,” Zetsche said.


+ IG: Lack of cybersecurity staff, technology left USPS vulnerable to 2014 attack

A lack of properly trained cybersecurity workers and a comprehensive cyber strategy were major reasons why the U.S. Postal Service experienced a data breach late last year, a new report found. In November 2014, when data on 2.9 million USPS employees was compromised, the agency was relying on basic cybersecurity protections and untrained workers to keep their systems safe, a July 17 report from the agency’s inspector general found. “At the time the intrusion was identified, Postal Service leadership had not emphasized cybersecurity, as evidenced by its undertrained employees, lack of accountability for risk acceptance decisions, ineffective collaboration among cybersecurity teams, and continued operation of unsupported systems,” the report states.


+ Senate committee poised to upgrade agency anti-hacking laws, again

Federal data security legislation enacted in 2002 that was overhauled last December already is due for an upgrade owing to a confluence of events, say the bill’s authors. First, the Department of Homeland Security laid out a course to wrap its intrusion-thwarting system around all federal networks this year. But DHS had trouble convincing agencies it was legal to let the department scan their Internet traffic for threats. Then came hacks into ill-guarded federal and contractor networks that potentially yielded enough information to bribe government personnel for secrets. Both incidents illustrated that DHS – supposedly the civilian cybersecurity operations center – does not have enough authority to protect other agencies’ networks. Now, the Senate Homeland Security and Governmental Affairs Committee, which pushed through cyber reforms in 2014, is proposing new hacker-prevention legislation.


+ Most Major Financial Hacks Completely Covered Up

Lieberman Software survey reveals most companies are persistently targeted by cyber attacks and the public only finds out about a small portion of security breaches…


+ The new Microsoft browser has brand new security issues

Yesterday’s release of Microsoft’s Windows 10 saw Microsoft introduce a new browser to replace the aging Internet Explorer. Called Microsoft Edge, it’s supposed to be faster and more secure than its predecessor. However, according to several tech reviews that came out in the hours since its release, cyberattacks are still very possible on Edge…


+ Hackers give up when they go up against this cybersecurity company

In conversation with George Kurtz, CEO of CrowdStrike…It’s not every day that a company can compel hackers to give up. Yet that’s exactly what CrowdStrike managed to do earlier this year.


+ Clearer, More Stringent Cybersecurity Rules for Government Contractors

The White House wants government contractors to have strong, clear, and consistent rules for protecting sensitive data. Recent breaches underscore problems in the current contractor arrangements, including inconsistent data security standards in federal contracts as well as in various guidelines established by different agencies. A proposal for new rules will soon be available for public comment.

[Note: Many government RFPs, and probably most of the large ones, include FISMA requirements. The issue is not the requirements; it is the lack of assessing whether the contractor actually meets the requirements – same as the problem at Government agencies. The White House should look at the FedRAMP program, which has a consistent, well-thought-out way of defining, and more importantly assessing, the security of cloud service providers who want to do business with the Federal Government….]


+ Can thinking like cyberattackers improve organizations’ security?

Getting in the minds of cyberattackers can help organizations mount better defenses against attacks. Here are some ways to accomplish this…


+ Securing connected machines, what is there to know?

Companies looking to secure their networks should verify and minimize the visibility of their ICS resources over the internet. Due to the growing number of advanced threats, collecting and analyzing threat intelligence can play a valuable role in providing security teams with detailed information about the attack vectors.


+ 10 Security Mistakes Nearly Everyone’s Guilty Of

When it comes to data security, attackers continue to exploit the biggest weakness of all — people. ESET Ireland looks at 10 security mistakes humans continue to make on a daily basis…  (poor hygiene, lax access control.. etc..)


+ A Security Awareness and Training Policy Checklist

Your organization may already have a security training and awareness (STA) program, or (this is less likely nowadays) you may have to build one from scratch…


3  +++++++

+ Code Theft: Protecting IP At The Source

Your corporate assets are at risk and every day that you avoid taking action shortens the time until your IP will be leaked. Here are six steps toward better data security…


+ Nearly all Americans support and want retaliation for cyberattacks (hacking back is illegal!)

The vast majority of Americans are calling for retaliation in the wake of cyberattacks that compromise sensitive government data. Security company Vormetric coordinated with an outside firm in July to poll 1,026 nationally representative U.S. adults on whether they believed action is necessary against a foreign country that breaches U.S. government data; 92 percent said yes. That said, most Americans prefer more passive action with 45 percent saying the government should initiate talks between the sitting president and the attacking country’s leaders to prevent further data breaches, and 36 percent want to impose trade sanctions on a country’s goods.


+ Researchers analyze faulty new Linux backdoor

Researchers at Dr. Web have discovered a faulty trojan designed as a backdoor for Linux that could also target Windows systems. Identified as Linux.BackDoor.Dklkt.1, the trojan – possibly of Chinese origin – is designed to perform functions typical of file managers, SOCKS proxy servers, and remote shells; however, it ignores several of its commands due to poor design, a post indicated. Some of the commands the trojan awaits include change remark, open shell, run an application, start proxy, exit, reboot and turn off a computer. Some of the commands that are ignored include update itself, receive user data and remove itself.


+ China-tied hackers that hit U.S. said to breach United Airlines

The hackers who stole data on tens of millions of U.S. insurance holders and government employees in recent months breached another big target at around the same time — United Airlines. United, the world’s second-largest airline, detected an incursion into its computer systems in May or early June, said several people familiar with the probe. According to three of these people, investigators working with the carrier have linked the attack to a group of China-backed hackers they say are behind several other large heists — including the theft of security-clearance records from the U.S. Office of Personnel Management and medical data from health insurer Anthem Inc.


+ Sun Tzu 2.0: Is cyberwar the new warfare?

For better or worse, the multitude of networks that help keep our world interconnected is a much different place today than it was in the past. Paradoxically, the networks that provide users with a wealth of information, transactional services and the like have also been used as a battlefield to disrupt our everyday lifestyle.


+ When a cyber attack hits: Who’s in charge?

It takes a combination of specialties to handle a data security incident in a way that fully protects the organization…


+ For DOD, building the cyber force is a team game

The Defense Department is still in the relatively nascent stages of building its cyber mission force, but it has made some progress in recruitment, training and defining roles. In some ways, it has come down to team building…


+ Threat Report Identifies Security Risks of Popular Websites and Software

News and entertainment websites unknowingly host more than 50 percent of malvertisements; Flash exploits increase 60 percent and ransomware increases 80 percent since 2014…


+ Researchers Steal Door Badge Credentials Using Smartphone Bluetooth

Weakness in facility access control protocol leaves most badge-in systems open to attack…


+ Accuvant researchers to release open source RFID access tool

Security researchers have long known about the vulnerabilities of RFID… an open source piece of hardware that can be used to circumvent these readers.


+ Windows 10 Shares Your Wi-Fi With Contacts

Starting today, Microsoft is offering most Windows 7 and Windows 8 users a free upgrade to the software giant’s latest operating system — Windows 10. But there’s a very important security caveat that users should know about before transitioning to the new OS: Unless you opt out, Windows 10 will by default share your Wi-Fi network password with any contacts you may have listed in Outlook and Skype — and, with an opt-in, your Facebook friends!…


+ Phishing Up 74% in Q2 2015, Says Infoblox DNS Threat Index


+ One-Third of Industrial Control Systems Breached in Last Twelve Months

According to a report from SANS on the state of Industrial Control System (ICS) security, one-third of respondents (34%) said their systems had been infiltrated or infected in an attack at least twice in the last twelve months.



+++  SD/SoCAL security events / opportunities +++

+ CyberTECH events / networking / startups / etc  —  THE cyber happening place in SD!!! 

Join their Meetup Group for the latest event information! The definition of “Cyber KEWEL”



13 – ISC2 –  6PM –  Care Fusion – Cyber Security In Healthcare: Just What The Doctor Ordered?  David Scott.

Location – BAH (Suite 200)  4055 Hancock Street, San Diego, CA 92110 USA


20 – ISACA – noon –  Running InfoSec for America’s Finest City – Gary Hayslip – Coleman University


27 – ISSA – (4th Thurs at 11:30) – “Cybercrime: Operational Risk or Overblown Threat” – Stephen Cobb

(at ADM Baker field clubhouse)


—-  Global  Cyber events:



Another periodic cyber security news gram / digest / tidbits.

(.. and… TWO weeks’ worth again this time – so.. a tad long, but not too much!)

Arranged in a top down, couple of “likely” interest levels as before…with more short snippets, fewer threats and only a few local events (at the very bottom)

Feedback is always welcome too, as is sending me articles to share: cyber information sharing in action!

July 26

+ Senators want to give DHS new CYBERCOM-like powers to thwart agency hacks

Senators from both parties are pushing to position the Department of Homeland Security as the U.S. Cyber Command of the civilian government, after many agencies refused to fall into line on information security last year. Following the largest known hack of U.S. federal employee information, a bipartisan group of six lawmakers believes there is now enough momentum to grant DHS power over government networks. Just as CYBERCOM monitors and blocks threats to the military network, DHS, under proposed legislation, would scan for and repel attacks against the dot-gov domain.


+ U.S. vs. hackers: Still lopsided despite years of warnings and a recent push

In the month since a devastating computer systems breach at the Office of Personnel Management, digital SWAT teams have been racing to plug the most glaring security holes in government computer networks and prevent another embarrassing theft of personal information, financial data and national security secrets. But senior cybersecurity officials, lawmakers and technology experts said in interviews that the 30-day “cybersprint” ordered by President Obama after the attacks is little more than digital triage on federal computer networks that are cobbled together with out-of-date equipment and defended with the software equivalent of Bubble Wrap.


+ Where’s the new Federal cyber strategy?

Federal CIO Tony Scott told federal agencies to hurry up and “sprint.” Now it’s hurry up and wait.

He promised that the results of the federal cyber sprint would be made public July 20. But his office — wrestling with the influx of data and the crafting of a government-wide cyber strategy — has yet to release the highly anticipated report. The Office of Management and Budget has declined to officially offer an alternate publication date; a source familiar with the review could only say results would be published “later this summer.”


+ Cybersecurity pros make final push to quash proposed export restrictions

With just three days left to comment on a controversial plan to stymie US exports of surveillance technology, many cybersecurity professionals are making their final pleas to kill the proposed trade restrictions.  While many in the security community agree in spirit with the plan from the Department of Commerce’s Bureau of Industry and Security to limit overseas sales of spyware, especially to oppressive regimes, they also say the recommended pact is so broad and vague that it could harm the entire cybersecurity industry.


+ NSA’s new project is a cyber security tool

A tool devised by the National Security Agency to “maintain a specific security posture” is now available as an open source project — the first offering on the agency’s recently inaugurated GitHub page. The Systems Integrity Management Platform (SIMP) tool uses the Puppet framework to ensure network systems running Red Hat Linux remain compliant with established security standards. Less clear, given NSA’s reputation, is whether anyone outside of a government agency operating under a mandate will use it.


+ NATO study finds vulnerabilities in cross-border information infrastructure

Despite the current focus on cybersecurity in relation to foreign operators, one of the least explored areas of cyber vulnerabilities is cross-border dependency on cyber infrastructure, a new report finds. Banking and telecommunications increasingly rely on information infrastructure that could be located abroad or depend on systems beyond a country’s jurisdiction, but legal and regulatory remedies to lessen associated risks are nearly nonexistent, according to a new study published this week by the NATO Cooperative Cyber Defence Centre of Excellence.


+ Automakers unite to prevent cars from being hacked

Today’s automobiles now come loaded with software and sensors that can help drivers navigate the roads more safely and even do away with the need to have human drivers at all. However, this world of connected vehicles involving on-board computers collecting and transmitting data about location, speed, and engine performance also leads to a much more insecure automobile landscape. This is why the Alliance of Automobile Manufacturers (AAM), an alliance of twelve automakers including Ford, General Motors, and Mercedes-Benz, said Tuesday that it is creating an information sharing and analysis center (ISAC). This center will let participating companies swap cyber security data and keep each other abreast of the latest hacking threats targeting vehicles.


+ Black Hat attendees fear a major breach but few are prepared

Almost three quarters of security pros interviewed by Black Hat USA said they think their organization will suffer a breach in the next 12 months, yet just a quarter (27%) feel they’re able to deal with it. That’s according to a new survey of 500 past attendees of the globally renowned event which reveals a worrying lack of technical and human resources to hand for many information security professionals. The majority of respondents pegged advanced targeted attacks (57%) as the number-one source of concern, yet just 26% said that tackling such an eventuality was among their top three spending priorities.


+ Too Much Innovation: The Cyber Challenge

“Electronic warfare is the same as cyber. If you put it crudely, you basically shoot pulses at a system to take it out. In cyber, you shoot bits at the system to take it out.” Peshin told us the cyber security market is very busy with a huge number of start ups and established companies pushing their cyber credentials. However, such a vibrant market has created a massive challenge for companies… — Implementation takes too long!!!


+ Global Cyberspace Is Safer than You Think: Real Trends in Cybercrime (really?)

What are the real trends in cybercrime? Recent media coverage has been rife with stories of large-scale data breaches, hacks and online financial crime. Information technology (IT) security firms such as Norton Symantec and Kaspersky Labs publish yearly reports that generally show the security of cyberspace to be poor and often getting worse. This paper argues that the level of security in cyberspace is actually far better than the picture described by media accounts and IT security reports…


+ The Era Of Cyber Liability:

The US Court of Appeals reinstated a liability case against Neiman Marcus for potential damage to consumers from the data breach that exposed data for 350,000 Neiman Marcus customers. The company acknowledged that at least 9,200 of those accounts were later used for fraud. This appears to be the first time an appeals court has recognized the actual damage associated with consumers having to research and repair credit card accounts after data breaches.

[Note: One likely consequence will be a demand among CEOs to get definitive answers to the pair of questions they have been asking for nearly a decade: “What do I need to do to avoid liability, and how much is enough?” The growing consensus is that the minimum standard of due care will be measured around full and constantly monitored implementation of the basic “critical controls” published by NSA, the Australian ASD and the Center for Internet Security, because those are the only benchmarks that can demonstrate their controls stop attacks…]


+ InfoSec pros spend most time, money on self-inflicted problems

InfoSec professionals spend most of their time and budgets on security problems created within the organization itself…


+ How experts stay safe online and what non-experts can learn from them

Google researchers have asked 231 security experts and 294 web-users who aren’t security experts about their security best practices, and the list of top ones for each group differs considerably… (—Make sure we bridge this gap!!!)


+ What threats do security experts fear?

Enterprises spend more than $70 billion dollars annually on information security. But a survey of top security experts revealed that there is a gap between the threats most feared by the experts and what management focuses on…


+ Measuring the Quality of Commercial Threat Intelligence

One person’s quality is another person’s fluff so objective measurements will be difficult. Threat intelligence quality may ultimately be gauged through crowdsourcing and threat intelligence sharing…


+  FuTuRology: A Look at Impending Threats to Popular Technologies

How do you think the threat landscape will evolve in the next two years? Three years?…


+ Pentagon’s Silicon Valley push angers defense contractors

Ash Carter’s aggressive push to recruit more tech start-ups has miffed some of the largest defense companies…


+  2015 Cyberthreat Defense Report

What are the emerging cyberthreats that companies should be most concerned about? How do you overcome the organizational barriers that inhibit IT security? Read the “2015 Cyberthreat Defense Report” to learn what matters most to the over 800 North American and European IT security decision makers surveyed.


+ The First Affordable Consumer 3D Printer ($400)

Okay.. this will change a LOT of potential things for the good… IF consumerism is good.. 3D food too perhaps?

And for the bad….. guns.. projectiles.. untraceable IED parts.. and who knows what else??? Then put it on a drone..


+ Cyber attack on US power grid could result in losses up to $1 trillion


+++ Top 100+ Cyber Security Blogs & Infosec Resources


2  +++++++

+ Hackers remotely kill a Jeep on the highway (with me in it)

I was driving 70 mph on the edge of downtown St. Louis when the exploit began to take hold. Though I hadn’t touched the dashboard, the vents in the Jeep Cherokee started blasting cold air at the maximum setting, chilling the sweat on my back through the in-seat climate control system. Next the radio switched to the local hip hop station and began blaring Skee-lo at full volume. I spun the control knob left and hit the power button, to no avail. Then the windshield wipers turned on, and wiper fluid blurred the glass. As I tried to cope with all this, a picture of the two hackers performing these stunts appeared on the car’s digital display:


+ Homeland Security cybercrime center expands amid concerns over computer hacking

At a time of growing concern over computer hackers targeting government and private industry databases, the Department of Homeland Security on Wednesday bolstered its efforts to target cyber criminals. U.S. Immigration and Customs Enforcement (ICE), which is part of DHS, unveiled a major expansion of its cybercrime center in Fairfax, Va. The larger facility includes a forensic laboratory that grew from 1,000 to 5,000 square feet, new state-of-the-art classrooms to train agents and a new evidence vault to help store evidence for cyber cases.


+ How to avoid becoming the next OPM

The questions are flying on Capitol Hill about federal agency cybersecurity practices. As we learn more about the Office of Personnel Management breach, federal leaders are left wondering how such an incident could occur and whether other agencies are vulnerable to similar attacks. The incident prompted Federal CIO Tony Scott to initiate a 30-day cybersecurity “sprint,” recently concluded, that called on agencies to evaluate their security practices and address vulnerabilities.  But federal agencies aren’t the only ones that should be reevaluating their approach to security.


+ OPM’s plan to ‘pass-the-hat’ to pay for data breach services draws ire

The Office of Personnel Management had the data of more than 21 million current and former federal employees stolen and now it wants your agency to pay for it. Acting OPM Director Beth Cobert sent an email to agencies telling them about OPM’s plans to raise its fees for security clearance services it provides in order to recoup the costs of the identity protection services it must purchase for the victims of the attack. “Given the limited resources available to OPM at this time to deal with a contract of this size, agencies will be asked to contribute FY 2015 funding to cover the first full year’s costs of credit monitoring and related services/benefits for the second incident involving 21.5M individuals,”


+ Online cheaters exposed after hackers access AshleyMadison hookup site

The secret’s out. Maybe lots of secrets. Data stolen by hackers from the online cheating site that claims 37 million users has been posted online, according to Krebs on Security, the authoritative Web site that monitors hacking across the globe. “We apologize for this unprovoked and criminal intrusion into our customers’ information.” AshleyMadison’s slogan is “Life is short. Have an affair.” It’s an unusual and apparently very popular dating Web site for those seeking extramarital relations.


+ 2016 campaign tech tests the will of privacy advocates

Presidential campaigns this time around have a new technological ace in the hole – you. Building off two decades of digital wizardry, the campaigns are getting ready to monitor and analyze most of what you do online instantaneously. And if you forward certain political emails to your Aunt Maggie in Iowa or your old college roommate in Ohio, they’ll reward you for doing it. The technology will no doubt make it easier for campaigns to personalize their messages and respond in seconds, but it will also test the will and patience of privacy advocates who might feel a little itchy about campaigns looking over everyone’s shoulders in real time.


+ Will ID protection offer set new standard?

Blue Cross Blue Shield plans’ groundbreaking offer, in the wake of mega-breaches, of extended ID protection to all of the more than 106 million individuals covered by their insurance could set new expectations for breach response, some security experts predict. In the aftermath of a breach, compromised companies often offer free credit monitoring and identity fraud protection services for a limited period of time, generally a year or two. That’s why the July 14 announcement by the Blue Cross Blue Shield Association that each of its 36 affiliated Blues plans will begin offering free identity protection services to their members for as long as they’re enrolled in the plans’ insurance coverage is extraordinary.


+ Cybersecurity firms eye India as attacks on world’s IT hub rise

Global cybersecurity company TaaSera launched its India business on Thursday, joining a growing number of cybersecurity firms eyeing India as a growth frontier amid an expected doubling of online crime in the country. Silicon Valley-based TaaSera said India, host to some of the world’s biggest IT service companies, was vulnerable to cybercrimes on account of its growing economic progress. Increasing smartphone use, online transactions and the government’s “Digital India” initiative are opening up opportunities in an industry that is worth $77 billion globally. The number of cyber crimes in India may reach 300,000 in 2015, almost double the level of last year, according to an ASSOCHAM-Mahindra SSG study conducted this year.


+ IG: Interior has 3,000 vulnerabilities

At a hearing on the role the Interior Department played in a recent breach at the Office of Personnel Management, the Interior deputy inspector general painted a picture of how a hacker might have breached the agency’s computer system. Interior Deputy IG Mary Kendall, in remarks prepared for the July 15 House hearing, said an IG investigation of the OPM breach “found that a remote attacker could … use a compromised computer to attack the department’s internal or nonpublic computer networks.” Kendall did not link the nearly 3,000 vulnerabilities the IG found in Interior’s IT systems to the OPM breach. However, the IG office characterized the vulnerabilities found in hundreds of publicly accessible computers operated by three of the agency’s bureaus as either “critical” or “high-risk.”


+ Cybersecurity Challenges For The IoT

The traditional approach to cybersecurity is to assume trust and then take steps to manage what isn’t trusted. But as the concept of an industrial Internet of Things (IIoT) gains momentum, one of the primary challenges facing businesses is safeguarding connections between information technology (IT) and operational technology (OT).

The company profiled, Tempered Networks, provides purpose-built, military-grade security appliances designed to “cloak” a network’s critical infrastructure, using cryptographic identities to hide communications between trusted devices.


+ Why Healthcare Security Matters

Does it really matter if someone steals your healthcare records? What would a hacker do with that information? Sell it? To whom and for what purpose?… Medical records can be worth as much as 10 times more than credit card numbers on the black market. Attackers are using the information to buy medical equipment or drugs that can be resold, or to file fraudulent claims with insurers. Last year, the cost of a security breach leapt 282% in healthcare.


+ 6 types of cybervillains that are no match for your data scientists

It’s time for your data scientists to put their brilliant minds to work defending against cybercriminals. Be on the lookout for these main security threats, and use predictive analytics to spot the insiders among them…


+ Top digital trends affecting organizations today

And what you should do about them – ISACA Now

Many reports are at:


3  +++++++

+ United Airlines awards ‘bug bounty’: Is it getting cybersecurity savvy?

United is rewarding two hackers with 1 million free flight miles each for calling attention to security gaps on its website. The reward is the highest that can be given under the company’s new “bug bounty” scheme, which compensates hackers who privately disclose security flaws instead of exploiting them or exposing them on the Internet. As aviation network vulnerabilities begin to garner headlines, airlines are seeking new ways to protect themselves from cyber threats. Many technology companies have been offering bug bounties for years, but United may be the first in the aviation industry to adopt such a method – a sign that the airline is starting to catch up with the times, experts say.


+ Nearly all websites have serious security vulnerabilities

A new Acunetix report covering 5,500 companies, 15,000 website and network scans and over 1.9 million files finds that nearly half of the web applications scanned contained a high-severity vulnerability such as XSS or SQL injection, while almost 4 in 5 were affected by a medium-severity one. In today’s landscape, with high-profile hacks and data breaches appearing in the media, you might think these are the unlucky few – yet actually most companies are leaving themselves vulnerable to attacks. In the race to produce user-friendly interfaces and customer-centred apps, modern companies are leaving their (and our) precious data wide open to cyber criminals.


+ Mobile phone usage is increasing cyber security threat within US government

A recent whitepaper on cyber security in the US government reveals that the increasing number of mobile phones being used within federal agencies is escalating the risk of cyber threat from inside agencies. It also cites employees as the key to insider threats, and recommends that more money be spent addressing this issue. Titled ‘Cybersecurity in the Federal Government,’ the report, commissioned by management-software company SolarWinds, tackles the many challenges IT professionals currently face trying to prevent both external and internal IT security threats and attacks. It also suggests ways that government and the private sector can help to mitigate the growing risks of cyber attack.


+ Senators seek privacy, anti-hacking safeguards in cars

A pair of Democratic senators want rules requiring automakers to develop hacking and privacy protections for their cars and trucks.  Sens. Ed Markey (Mass.) and Richard Blumenthal (Conn.) on Tuesday introduced the Spy Car Act, which would require the Federal Trade Commission (FTC) and the National Highway Traffic Safety Administration (NHTSA) to develop standards to protect drivers’ privacy and to guard against a potentially deadly hack of a vehicle. “Drivers shouldn’t have to choose between being connected and being protected,” Markey said in a statement. “We need clear rules of the road that protect cars from hackers and American families from data trackers.”


+ The average DDoS attack size is increasing

New global DDoS attack data from Arbor Networks shows strong growth in the average size of DDoS attacks, from both a bits-per-second and packets-per-second perspective. The largest attack monitored in Q2 was a 196 Gbps UDP flood, a large, but no longer uncommon, attack size. Of most concern to enterprise networks is the growth in the average attack size. In Q2, 21% of all attacks topped 1 Gbps, while the most growth was seen in the 2-10 Gbps range. However, there was also a significant spike in the number of attacks in the 50-100 Gbps range in June, mainly SYN floods targeting destinations in the US and Canada.


+ Feds shut down Darkode malware marketplace

The Justice Department shut down an online “criminal bazaar” where computer hackers bought and sold stolen databases, malicious software and other products that could cripple or steal information from computers and cellphones, authorities said Wednesday. Roughly 70 alleged cybercriminals in the United States and 19 other countries were targeted in the 18-month probe of Darkode. The secretive, members-only site was the largest-known English-language malware forum in the world until the FBI got a court order to shut it down, investigators said. “We have dismantled a cyber-hornets’ nest of criminal hackers which was believed by many to be impenetrable,” U.S. Attorney David Hickton said.


+ 5 Chinese Cyber Attacks That Might Be Even Worse Than the OPM Hack

If the Chinese government is in fact behind the OPM hack, it would not be their boldest alleged move in cyberspace; only the most recent.


+ 4,900 New Android Malware Strains Discovered Every Day – Net-Security

Security experts discovered 440,267 new Android malware strains in the first quarter of 2015, which means that a new mobile malware strain for Android was discovered every 18 seconds.


+ Anonymous and ISIS engaged in bitter cyber warfare

The internet is now a war zone between the hacker collective Anonymous and ISIS (Islamic State) sympathisers, fought largely on social media, where Anonymous is working to discredit them…


+ Drones —  LOTS of warnings… Will we ACT?

Are We Waiting for a Drone to Take down a Plane?

July 27 – Aug. 6, the Defense Department is going to conduct a counter-drone testfest and failure is an option.

A drone firing a gun: so this is what all the regulation is about

The press called it the “Gone Girl” kidnapping. But the bizarre story of a former Marine and Harvard-trained lawyer who allegedly masterminded the abduction of a California woman is notable for more than the twists and misdirections that made it fodder for CNN. The crime availed itself fully of the riches of the Internet age, providing a glimpse of a future where physical crime and its digital analog merge into one…


+ It’s the Data, Stupid! (Shodan Blog)

I would like to take a moment to discuss databases. Most people use Shodan to find devices that have web servers, but for a few years now I’ve also been crawling the Internet for various database software. There’s a total of 595.2 TB of data exposed on the Internet via publicly accessible MongoDB instances that don’t have any form of authentication.
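The check behind that number is a configuration one, so here is an added example (my code, not Shodan’s) that audits a mongod.conf for the two settings that turn a database into an open listener: `security.authorization` left off, and `net.bindIp` set to 0.0.0.0 (or, on the mongod builds of the day, not set at all, which also meant all interfaces). The two sample configurations are constructed; the parser covers only the nested-mapping YAML subset that mongod.conf uses, so the script needs nothing outside the standard library.

```python
"""Audit a mongod.conf for the two settings that make a MongoDB instance
show up as an open, unauthenticated database on Shodan.

Added example (not Shodan's code).  It handles only the nested-mapping YAML
subset that mongod.conf actually uses, so it needs no third-party parser.
"""


def parse_simple_yaml(text):
    """Parse 'key: value' lines with indentation-based nesting into dicts.
    Good enough for mongod.conf; not a general YAML parser."""
    root = {}
    stack = [(-1, root)]            # (indent level, mapping at that level)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:          # climb out of deeper mappings
            stack.pop()
        parent = stack[-1][1]
        value = value.strip().strip("'\"")
        if value:
            parent[key] = value
        else:                                  # 'key:' opens a nested mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
    return root


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both checks passed."""
    cfg = parse_simple_yaml(text)
    findings = []

    # 1. Access control.  Without security.authorization: enabled, anyone who
    #    can reach the port can read and write every database.
    auth = cfg.get("security", {}).get("authorization", "disabled")
    if str(auth).lower() != "enabled":
        findings.append("security.authorization is not 'enabled': "
                        "no authentication is required to read or write data")

    # 2. Exposure.  bindIp 0.0.0.0 (or, on older mongod builds, no bindIp at
    #    all) listens on every interface, including the Internet-facing one.
    bind = cfg.get("net", {}).get("bindIp")
    if bind is None or "0.0.0.0" in [ip.strip() for ip in bind.split(",")]:
        findings.append("net.bindIp is unset or 0.0.0.0: "
                        "mongod listens on all interfaces")
    return findings


# Constructed sample configs (not taken from any real deployment).
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0        # reachable from anywhere that can route to the host
# no 'security' section at all -> authorization off
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the internal app-tier address
security:
  authorization: enabled      # every client must authenticate
"""


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_mongod_conf(conf)
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Binding to specific addresses limits who can reach the port, but it is the `authorization: enabled` line that actually stops an anonymous reader; a database bound to an internal address with no authentication is still one pivot away from a full dump, so both findings should clear before the instance is considered closed.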


+ Six Technical Measures to Mitigate the Insider Threat –


+++  SD/SoCAL security events / opportunities +++

+ CyberTECH events / networking / startups / etc  —  THE cyber happening place in SD!!! 

Join their Meetup Group for the latest event information!  The definition of “Cyber KEWEL”.


28 – OWASP – 6PM – Pre-Black Hat/DEF CON SD Drinkup

Green Flash Brewing Company



13 – ISC2 – 6PM – CareFusion – What’s up in the medical space? David Scott.

Location – BAH (Suite 200)  4055 Hancock Street, San Diego, CA 92110 USA


20 – ISACA – noon –  Running InfoSec for America’s Finest City – Gary Hayslip – Coleman University


27 – ISSA – (4th Thurs at 11:30) – “Cybercrime: Operational Risk or Overblown Threat” – Stephen Cobb

(at Admiral Baker Field clubhouse)


—- Global Cyber events:


July 5

—FBI Warns U.S. Companies to Be Ready for Chinese Hack Attacks

In a message obtained by The Daily Beast, the bureau strongly implies Beijing was behind the massive hack that exposed U.S. government employees’ secrets — and U.S. companies are next… The FBI warning, which was sent to companies Wednesday, includes so-called hash values for the malware, called Sakula, that can be used to search a company’s systems to see if they’ve been affected.
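What “use the hash values to search a company’s systems” looks like in practice, as an added example (my code, not the FBI’s): walk a directory tree, stream each file through SHA-256, and report every file whose digest is on the indicator list. The indicator here is the hash of a constructed placeholder file, not a real Sakula hash; in use, the set would be the values from the advisory.

```python
"""Sweep a directory tree for files whose SHA-256 matches a list of
indicator hashes, the kind of check the FBI's hash-value advisory invites.

Added example, not FBI tooling.  The indicator below is the hash of a
constructed placeholder file, NOT a real Sakula hash; feed the function
the hashes from the advisory in practice.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_for_iocs(root, ioc_hashes, max_bytes=64 * 1024 * 1024):
    """Walk root and return [(path, sha256)] for every file whose hash is in
    ioc_hashes.  Symlinks are skipped (no loops, no wandering into other
    trees) and so are files over max_bytes: implants are small, and hashing
    a multi-gigabyte VM image is wasted time."""
    wanted = {h.lower() for h in ioc_hashes}
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                if os.path.getsize(path) > max_bytes:
                    continue
                digest = sha256_file(path)
            except OSError:            # unreadable, vanished mid-scan, etc.
                continue
            if digest in wanted:
                hits.append((path, digest))
    return hits


# Constructed placeholder "implant" and its hash, standing in for the
# advisory's real indicator list.
DEMO_IMPLANT = b"MZ\x90\x00placeholder-implant-bytes-for-the-example\n"
DEMO_IOC_HASHES = {hashlib.sha256(DEMO_IMPLANT).hexdigest()}


def run_demo():
    """Build a small tree (one matching file among decoys), scan it, and
    return (hits, path_of_the_planted_file)."""
    root = tempfile.mkdtemp(prefix="ioc-demo-")
    os.makedirs(os.path.join(root, "Windows", "Temp"))
    planted = os.path.join(root, "Windows", "Temp", "svchost.exe")
    with open(planted, "wb") as fh:
        fh.write(DEMO_IMPLANT)
    # Decoys: the same file name with different bytes, and an unrelated file.
    # Only content is matched, never the name.
    with open(os.path.join(root, "svchost.exe"), "wb") as fh:
        fh.write(b"MZ\x90\x00completely-different-content\n")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("nothing to see here\n")
    return scan_for_iocs(root, DEMO_IOC_HASHES), planted


if __name__ == "__main__":
    hits, planted = run_demo()
    for path, digest in hits:
        print(f"MATCH {digest[:16]}...  {path}")
    print(f"{len(hits)} hit(s); planted file was {planted}")
```

A hash indicator is an exact-match check: a recompiled or repacked sample gets a new digest and walks past it, so this sweep tells you whether the advisory’s specific samples are present, not whether the campaign is. Pair it with something that survives byte changes (YARA rules, network indicators, behavioural detection) before declaring a host clean.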


—Smart Cities’ 4 Biggest Security Challenges

The messiness of politics and the vulnerability of the Internet of Things in one big, unwieldy package…  It’s no secret that Internet of Things devices like Nest smart meters and Fitbits are behind the curve on information security — lax encryption and access control standards for both wireless network and data security, for starters. So what about when IoT devices run a “smart city,” and the public water system, power grid, waste management, traffic control, street lighting, public transportation, and physical security systems are all as vulnerable as that Fitbit on your wrist…


—Providers grapple with cybersecurity

Anti-virus, firewalls deployed as protection, but most recognize need for more advanced strategies… Nearly 300 respondents – all of whom bear some responsibility for information security at their organizations – reported using an average of 11 different technologies to keep data safe, according to the survey. The numbers should shake any provider still blissfully ignorant of privacy threats out of their complacency: two-thirds of health organizations polled by HIMSS for its latest cybersecurity survey say they’ve recently experienced a “significant security incident.” Despite this extra attention, staffing and technological firepower, poll respondents reported only an average level of confidence in their organization’s ability to protect infrastructure and data.


—Enterprise Threat Intelligence Programs are Immature

Seems like everyone is talking about threat intelligence these days. The feds are promoting public/private threat intelligence sharing across the executive and legislative branches while the industry is buzzing about threat intelligence feeds, sharing platforms, and advanced analytics…


—Franchising Ransomware

Ransomware-as-a-service is fueling cyberattacks. Is your organization prepared?… Cybercriminals have long been making their tools available to others, whether due to pride of authorship or as a means of raking in some extra cash. However, the ransomware-as-a-service model is relatively new and has resulted in a massive increase in ransomware attacks (as reported in the latest quarterly Threats Report). CTB-Locker and Tox are two examples of how malware uses different business models to flood the Internet with attacks, trying to catch more victims before threat notices, signature updates, and other defensive measures catch up.


—Middle-manager inaction the weak link in enterprise cyber-security

Lethargic, narrow-minded middle-managers are among the biggest remaining obstacles to consolidating enterprise cyber-security, an industry expert has warned…


—US Army Seeks Leap-Ahead Cyber Defense Tech

The US Army is seeking to equip its cyber warriors with cutting-edge networking hardware, and it is going outside the traditional acquisitions system to do it… The easily transportable “fly-away” kit of hardware and software would travel with the Army’s cyber protection teams, whose job involves hunting inside the military’s networks for intrusions and fighting off cyber attacks.


—Five Strategies for Better Cyber Protection and Defense

BitSight Technologies announces $23M in Series B funding to continue protecting businesses from cyber attacks with sophisticated cyber security ratings, as attacks are an ever-increasing board-level threat to businesses today…


—An Underwriters Laboratories for cybersecurity is long overdue

Noted security researcher Mudge left Google to launch what appears to be the cybersecurity equivalent of electronics testing outfit Underwriters Laboratories — an idea first proposed 16 years ago…



—Pentagon Releases New National Military Strategy

The Pentagon has released a new National Military Strategy, the first update to that document since 2011 — and one that warns non-traditional threats are on the rise…  The document focuses on the importance of partnerships to maintain the delicate security balance around the globe, something Pentagon officials have been pushing over the last several months.


—The FBI Most Wanted hackers. Cyber Bounty hunters!

Law enforcement is willing to pay $4.2 million to get them. The FBI has published its list of most wanted hackers; the rewards for their capture total $4.2 million. They have stolen hundreds of millions of dollars…

1. Evgeniy Mikhailovich Bogachev | Reward: $3 million


—Spies Warned Feds About OPM Mega-Hack Danger

U.S. intelligence agencies initially refused to share data with OPM, the now-infamously insecure arm of the government. Then the spies apparently handed over their files anyway… (this abysmal saga will only get worse!)


—Android Malware On The Rise

By the end of 2015, researchers expect the number of new Android malware strains to hit 2 million…


—EVERY company is compromised, but most infections not yet at critical stage

In a recent analysis of a quarter-million endpoint devices in 40 enterprises, every single corporate network showed evidence of a targeted intrusion but most of the activity was not yet at the most-dangerous data exfiltration stage…


—European businesses use an average 897 cloud services

Firms download a new cloud service every day, but security is still a major concern… The number of cloud apps used by European businesses has grown 61 per cent year-on-year. This is according to a survey of 2.5 million European employees across 12,000 cloud services.


—4 Signs Your Board Thinks Security Readiness Is Better Than It Is

Ponemon Institute survey shows a gap in perception between boards of directors and IT executives when it comes to IT risk posture…


—‘Personal’ Dark Web service removes corporate cyberthreat blindness

The new service dives into the murky Dark Web to track your stolen data, hacktivism, insider threats and hackers willing to break into your network… (seems useful.. “OSI on the dark side”.. but can you trust them???)


—Cybersecurity is the killer app for big data analytics

Big data analytics tools will be the first line of defense to provide holistic and integrated security threat prediction, detection, and deterrence and prevention programs…


—Clever CryptoWall Spreading Via New Attacks

Top ransomware doesn’t waste time jumping on the latest Flash zero-day, and hops rides on click fraud campaigns, too… For example, within two hours, a device hijacked for relatively innocent click fraud attacks can become a conduit for far more serious kit — including CryptoWall.  As researchers at Damballa explain in their latest State of Infections Report, operators of the RuthlessTreeMafia click fraud malware campaign infect client machines via the Asprox botnet. As a second revenue stream, they sell other attackers access to those bots.


—Intelligence community loves its new Amazon cloud

The new Amazon Web Services-built CIA cloud is more secure and capable than legacy systems, according to intelligence IT officials speaking at an AWS event…  (btw, I love the new ‘legacy’ term — “heritage” system.. sounds almost noble…  even for us “SaaS” users… )


—FFIEC  Cybersecurity Assessment Tool

In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool (Assessment) to help institutions identify their risks and determine…


—Cloud Security Buyer’s Guide

In order to limit business disruption from data loss, organizations need to ensure that cloud services such as Office 365, Salesforce, Box and AWS are secured. This buyer’s guide helps identify critical capabilities that are required to address the security of an organization’s cloud services.


—Cyber losses – Anthem sued for alleged negligence leading to data breach


—Don’t Let the IT Security Paradigm Shift Leave You Stranded


—OPM Temporarily Shuts Down Background Check App (e-QIP) to Fix Security Hole

4-6 weeks shutdown. Good they are taking security seriously.


—Billion Dollar Unicorns: Lookout Getting Ready for an IPO


—What DHS must do now after largest cyber attack ever


2  +++++++

— Four in five execs think conventional security is not enough for cloud environments

A previous C-level study showed a distinct lack of trust in cloud storage for fully securing corporate data. Now, a new survey from CloudPassage sheds light on the security executive perspective: 80% of security execs in North America don’t believe conventional network security solutions are enough to protect their cloud computing environments…


—Is the information security industry having a midlife crisis?

The information security industry is hot right now, but it’s hot because it’s failing. Focusing on awesomeness and a plan B can help get InfoSec out of its slump… Plan B accepts that hackers will get unauthorized access, but what is key for security is making sure that what they take they can’t really use.


—Injection Attacks on 802.11n MAC Frame Aggregation

The ability to inject packets into a network is known to be an important tool for attackers: it allows them to exploit or probe for potential vulnerabilities residing on the connected hosts. In this paper, we present a novel practical methodology for injecting arbitrary frames into wireless networks, by using the Packet-In-Packet (PIP) technique to exploit the frame aggregation mechanism introduced in the 802.11n standard. The paper also shows how an attacker can apply this methodology over a WAN, without physical proximity to the wireless network and without requiring a wireless interface card…
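To make the mechanism concrete, an added example (my code, not the paper’s) that models 802.11n A-MPDU framing in Python. The sender wraps each MPDU in a 4-byte delimiter: four reserved bits, a 12-bit length, a CRC-8 over those 16 bits, and the signature byte ‘N’. A receiver whose delimiter check fails steps forward one 4-byte word at a time looking for the next valid delimiter. An attacker who can get bytes into an MPDU’s payload (inside a TCP stream sent from across the Internet to a client on the WLAN, say) plants a valid delimiter plus a frame of their own at a 4-byte-aligned offset; the moment noise corrupts the real delimiter, the receiver resynchronises onto the planted one and hands up the attacker’s frame as if it had come over the air. The CRC-8 parameters (polynomial x^8+x^2+x+1, all-ones preset, inverted output) follow my reading of the standard, and the model’s sender and receiver share them, so the demonstration does not hinge on that detail. Frame contents and the 32-byte header are constructed, and the alignment is chosen by hand, which a real attack has to arrange rather than assume.

```python
"""Model of 802.11n A-MPDU delimiter framing and the packet-in-packet (PIP)
resynchronisation an injection attack rides on.  Added example; constructed
frames, in-memory only, no radio involved.
"""

SIGNATURE = 0x4E      # ASCII 'N': the A-MPDU delimiter signature byte


def crc8(data):
    """CRC-8 over the delimiter's first 16 bits: poly x^8+x^2+x+1 (0x07),
    preset 0xFF, result inverted.  Sender and receiver below share it."""
    crc = 0xFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc ^ 0xFF


def delimiter(mpdu_len):
    """4 reserved bits + 12-bit length (little-endian 16 bits), CRC-8, 'N'."""
    assert 0 <= mpdu_len < 4096
    header = (mpdu_len << 4).to_bytes(2, "little")
    return header + bytes([crc8(header), SIGNATURE])


def pad4(data):
    """MPDUs inside an A-MPDU are padded to a 4-byte boundary."""
    return data + b"\x00" * (-len(data) % 4)


def aggregate(mpdus):
    """Sender side: delimiter + padded MPDU, concatenated."""
    return b"".join(delimiter(len(m)) + pad4(m) for m in mpdus)


def parse_delimiter(chunk):
    """Return the MPDU length if chunk is a valid delimiter, else None."""
    if len(chunk) < 4 or chunk[3] != SIGNATURE or crc8(chunk[:2]) != chunk[2]:
        return None
    return int.from_bytes(chunk[:2], "little") >> 4


def deaggregate(ampdu):
    """Receiver side.  On a delimiter that fails its check, advance one
    4-byte word and try again: that resync step is what the attack exploits."""
    mpdus, pos = [], 0
    while pos + 4 <= len(ampdu):
        length = parse_delimiter(ampdu[pos:pos + 4])
        if length is None:
            pos += 4                       # resync search, one DWORD at a time
            continue
        mpdus.append(ampdu[pos + 4:pos + 4 + length])
        pos += 4 + length + (-length % 4)  # skip the MPDU and its padding
    return mpdus


# --- Constructed demo ------------------------------------------------------
LEGIT_HEADER = bytes(range(0x80, 0xA0))   # 32 placeholder header bytes, no 'N'
EVIL_MPDU = b"ATTACKER-CONTROLLED-MPDU"   # 24 bytes, stands in for a forged frame


def build_demo():
    """Return (legit_mpdu, clean_ampdu, corrupted_ampdu).

    The attacker's payload is a valid delimiter for EVIL_MPDU followed by
    EVIL_MPDU, placed where the legit MPDU's payload starts.  That offset is
    4 (outer delimiter) + 32 (header) = 36, a 4-byte boundary, so the
    receiver's DWORD-stepping resync lands exactly on it."""
    attacker_payload = delimiter(len(EVIL_MPDU)) + EVIL_MPDU
    legit_mpdu = LEGIT_HEADER + attacker_payload
    clean = aggregate([legit_mpdu])
    # Simulate channel noise: flip one bit in the outer delimiter's length field.
    corrupted = bytearray(clean)
    corrupted[1] ^= 0x01
    return legit_mpdu, clean, bytes(corrupted)


if __name__ == "__main__":
    legit, clean, corrupted = build_demo()
    print("clean    :", [m[:12] for m in deaggregate(clean)])
    print("corrupted:", [m[:12] for m in deaggregate(corrupted)])
```

On the clean aggregate the receiver returns the one legitimate MPDU, attacker bytes buried harmlessly inside its payload; after a single flipped bit in the outer delimiter it returns the attacker’s frame instead. Nothing in that path needed a radio: whatever carries those 28 bytes to a station on the WLAN will do, which is the WAN point in the abstract. The attacker cannot flip the outer delimiter from the wire, so the real attack waits for the channel to corrupt it and repeats the payload to raise the odds; a one-byte signature plus an 8-bit CRC is all that stands between a resyncing receiver and whatever the payload says.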


—Hundreds of .gov credentials found in public hacker dumps

It’s no surprise that careless government employees use their .gov email addresses to sign up for all sorts of personal accounts. But when those insecure third-party services are breached by hackers—and if those employees were foolish enough to reuse their .gov passwords, too—that carelessness can offer a dead-simple backdoor into federal agencies, with none of the usual “sophisticated Chinese attackers” required. The security intelligence firm Recorded Future on Wednesday released a report that details its scouring of online email addresses and passwords revealed when hacker groups breach third-party websites and dump their booty on the web. Searching through those user data dumps from November 2013 to November 2014 on public websites like Pastebin—not even on dark web sites or private forums—Recorded Future found 224 government staffers’ data from 12 federal agencies that don’t consistently use two-factor authentication to protect their basic user access.


—Facebook is now able to recognize you without even seeing your face

Privacy on Facebook has always been controversial and its latest artificial intelligence algorithm will not be an exception. Facebook’s artificial intelligence team is testing out an algorithm that can recognize people in photos even if they are not looking at the camera. According to New Scientist, the algorithm is able to identify people by reviewing hairdos, clothing, postures and body shapes. Facebook’s head of artificial intelligence Yann LeCun used CEO Mark Zuckerberg as an example of how the algorithm recognizes fashion preferences since he is known for always wearing a gray T-shirt.


—Start with Security: A Guide for Business by the FTC

When managing your network, developing an app, or even organizing paper files, sound security is no accident. Companies that consider security from the start assess their options and make reasonable choices based on the nature of their business and the sensitivity of the information involved.


—Securing Single Points of Compromise (SPoC) (SANS)

Protecting the systems that provide central services to the institution’s environment is paramount to success when trying to protect the business. Time Based Security mandates protection (erecting and ensuring effective controls) that lasts longer than the time to detect and react to a compromise. When enterprise protections fail, additional layered controls around these central services buy more time to detect and react.


—Class-Action Suit Alleges OPM Officials Failed to Protect Employees’ Data

A class-action lawsuit filed by a government employees’ union against the Office of Personnel Management as a result of the massive data breach at OPM that affects more than 18 million people alleges that not only did the agency know about vulnerabilities in its network long before the attack, but that the agency’s director and CIO both broke federal laws by ignoring directives to fix the weaknesses.


—Which industries best safeguard your personal information? Security perceptions vs. reality

When it comes to your personal information, which industries do you trust most, or least, with your data? How do some of the recent, highly publicized breaches such as those at Target, Home Depot and the Office of Personnel Management affect your opinion in terms of which industries are most vulnerable, and how does this compare to reality?…


—5 Ways Lax Security Makes Small Businesses Cyber-Morsels for Computer Criminals

Most small businesses don’t have the budget, expertise, staff or time to manage security programs on their own. It’s a longstanding problem, as pointed out in a survey of small businesses conducted by the Ponemon Institute, which found that 55 percent of respondents experienced a data breach.


—IT Pros Believe Cyberattacks Are Under-reported

Despite devastating cyber-attacks being reported daily in today’s media, most IT professionals believe that the true state of affairs is being significantly underreported…


—Bromium Survey Finds Increased Concern About Legacy Solutions

Bromium announced the results of a new survey, “Enterprise Security Confidence Report.” For the survey, more than 125 information security professionals were asked about the greatest risks facing organizations today and the effectiveness of different solutions and architectures. The results show that while concern for end-user risk persists, confidence is waning in traditional detection-based security solutions, such as antivirus and firewalls. Instead, interest is shifting toward prevention-based security solutions, such as endpoint threat isolation…


—Enhancing Resilience Through Cyber Incident Data Sharing and Analysis:

The Value Proposition for a Cyber Incident Data Repository (Department of Homeland Security). This paper outlines the potential benefits of a trusted cyber incident data repository that enterprise risk owners and insurers could use to anonymously share, store, aggregate, and analyze sensitive cyber incident data. Optimally, such a repository could enable a novel information sharing capability.


—Considerations in Drafting Limitations of Liability for Data Breaches

Until very recently, it was considered a matter of course in a services agreement for any data disclosure or loss, regardless of cause, to be excluded from any and all limitations of the vendor’s liability. However, as data breaches continue to change the risk landscape of the business world, third-party vendors increasingly insist on limiting their liability for damages related to data breaches. In light of this, many transactions now include a “super cap”.


—Many Companies Face A Huge Security Problem In Just ONE Week.

Support for Microsoft’s Windows Server 2003 is ending on July 14. Is yours one of them? Many companies don’t want to admit it, but they haven’t yet transitioned entirely to the cloud. It’s happening, of course, but it’s taking time. One recent survey by BetterCloud reported that by 2020, 62% of its 1,500 customers will be running 100% of their information technology in the cloud.


—Building a Capability Development Work Force For the Cyber Age

Greater agility, flexibility and imagination will help field capabilities to meet the “speed of need”…


—Microsoft quietly pushes 17 new trusted root certificates to all Windows systems

The aging foundation of Certificate Authorities shows yet another crack as security experts are caught unaware… just last year Microsoft was caught in the embarrassing position of yanking 45 bogus certificates issued under the root certificate authority of the government of India’s Controller of Certifying Authorities.


—How to Protect Your Aging Network

The Office of Personnel Management breach was the most recent and public example of the damage aging networks can help deliver to an organization: a lack of standard practices such as encryption, data masking, and redaction that prevents many attacks… many in media focus on attribution, with very little focus on the root cause. No one should lose valuable information where at the root cause there is a known remedy. For me, that is unforgivable in this day and age. Networks in the Americas are among the most vulnerable and dated, the solution provider’s annual Network Barometer Report said. Almost three-fourths cannot support organizations’ expanding reliance on mobility and 79 percent do not support IPv6, it found. And I’ve got to tell you, too much of this distraction around attribution takes away from focusing on what’s really important here: doing the cyber basics well.. upgrading even that dated network!


—Cyber Resilience And Spear Phishing

Balanced security capability, defense in depth, integrated countermeasures, and a threat-intelligence strategy are critical to defending your business from spear-phishing attacks…


—Small businesses – The next target for heavyweight hackers |

Small organizations store valuable data that give hackers big returns, such as credit card numbers, medical records, or personal information.


—Your IT Support Provider Sucks? Here Are 5 Reasons Why!

We see it time and time again. Companies that complain about how slow their support is. Their IT provider doesn’t provide insight into strategy, new technologies or risk. Here’s why they aren’t getting the job done.

1 – They weren’t organized –

2 – They were too cheap

3 – They didn’t have the right staff

4 – They didn’t standardize across clients –

5 – They took on more than they could chew


—6 reasons why there will be another OPM-style hack

Congress might fume about the security failures, but the truth is that it’s part of the problem…

1. We always hit the snooze button

2. We fail to learn from past hacks

3. We underestimate the true value of information

4. We don’t give security adequate funding

5. We get suckered into low-bid contracts

6. We suffer from ‘detection deficit disorder’


—5 ways to stop the Internet of Things from becoming the Internet of Thieves

The Internet of Things is here and is now on your wrist, in your pocket, in your car, and maybe even in your socks. From smart watches and self-driving cars to smart toothbrushes and digital socks that track your steps, we are living in a world where no device is an island… By 2020, according to IDC, there will be more than 30 billion connected devices – more than triple the current number, which already dwarfs digitally linked people.

1. Secure operating systems (securely update “over-the-air” and across untrusted connections…)

2. Unique identifiers for each device… Especially when devices are interacting in a machine-to-machine (M2M) environment

3. Strong authentication and access control,

4. Data privacy protection.

5. Strong application security.


—6 truly shocking cyber security statistics

We’re now halfway through the year, so I thought I’d take a look back at some of the most shocking cyber security statistics so far.

  • 98% of tested web apps are vulnerable to attack
  • 90% of large organizations reported suffering a security breach
  • 75% of directors are not involved in the review of cyber security risks
  • 93% of DPA breaches are caused by human error
  • Online banking fraud increases 48% year-on-year
  • 144% increase in successful cyber attacks on businesses over 4-year period


—Pen testing tool or exploit? Samples of ways hackers get in

Attackers use the same tools in attacks that pen testers use to test. Sample vulnerabilities and exploits…

  • Cross-site scripting (XSS) vulnerabilities in web applications
  • sqlmap / SQL Injection Vulnerabilities
  • Metasploit / numerous security holes
  • w3af / multiple vulnerabilities
  • WordPress 4.2 stored XSS security hole


—CSA Announces New Working Group For Cloud Security API Standards

CipherCloud, Deloitte, InfoSys, Intel Security and SAP all on board to start developing vendor-neutral guidelines that could further accelerate CASB growth


— You Can Connect Anonymously To Wi-Fi 2.5 Miles Away ($150-200)

Proxyham is made of a Raspberry Pi computer with a Wi-Fi card, connected to three antennas: a Wi-Fi one that connects to the internet at a public space (think Starbucks or a public library) and a dual antenna that transmits at 900MHz.


3  +++++++

—The 9 Scariest Things That China Could Do with the OPM Security Clearance Data


—App security: RASP vs. WAF

The SANS Institute captures the relative capabilities and efficiencies of RASP and WAF technologies using a representative product in each category. Learn how your defense-in-depth strategy could benefit from the additional visibility of runtime protection.


—6 DIY Projects to Protect Your Digital Privacy

Kinda cool ideas and prototypes.. future business opportunities. Takes an anti-surveillance view for both data (simple Tor box.. your own shared storage.. both using simple Raspberry Pis) and physical (face cloaking from image recognition.. thermal distortion for drones / sensors.. etc.). This “anti-surveillance” products trend will continue to grow.


—Do Privacy Concerns Really Change With The Internet Of Things?

Some good statistics. . Numbers.. which we know… privacy matters everywhere..   and concepts to integrate

LIKE:   Data value chain….. and…   Life management platform


—VPN vulnerabilities compromise user privacy

VPNs are needed of course.. As with all security capabilities, they need to be set up right, settings verified on each use, and enforced (no user can disable).


—Hundreds of Dark Web sites cloned and “booby trapped”

The founder of one of the Dark Web’s fledgling search engines is warning Tor users about the presence of hundreds of fake and booby trapped .onion websites… (dark web surfers beware!!!)


—Hacktivist group possibly compromised hundreds of websites

A hacker group known as Team GhostShell is publishing snippets of sensitive data allegedly stolen from the databases of hundreds of compromised websites…


—Researchers point out the holes in NoScript’s default whitelist

Security researchers Linus Särud and Matthew Bryant have recently discovered some pretty big holes in NoScript, a popular Firefox plugin that prevents executable web content such as JavaScript, Java, Flash, and other plugins from being loaded from sites users haven’t designated as “trusted”…


—Targeted attacks rise, cyber attackers spreading through networks, report says

Lateral movement and reconnaissance detections observed in a Vectra Networks Post-Intrusion Report, released Tuesday, show a sharp upturn in targeted attacks that have penetrated the perimeter. The report, which is the culmination of data collected over a six-month period from 40 of the company’s customer and prospect networks that feature more than 250,000 hosts, found that non-linear growth in lateral movement increased 580 percent from last year while reconnaissance detections were up 270 percent. Overall, detections outpaced those recorded last year by 97 percent.


—Iran and Saudi Arabia Heading Toward A Cyber War? 

Iran and Saudi Arabia, regional rivals in the Middle East, may be engaged in cyber warfare, according to a new report by threat intelligence firm Recorded Future. As the two powers vie for influence over the civil wars in Yemen and Syria and regional dominance, Tehran and Riyadh have begun using cyber attacks to release critical intelligence…  (maybe they self destruct?  OR provide US target intel!)


—Windows kerberos ticket theft and exploitation on other platforms

In the past there has been a lot of talk about pass the hash, but surprisingly little about different methods for exploiting Kerberos tickets. Apart from the discussion focused on golden tickets, Kerberos has not really ever been a major target for abuse… This is a HOW TO article (these sorts of articles help beginners get started).

— Cyber Threats of 2015 | Free eBook


+++  SD/SoCAL security events / opportunities +++

+ CyberTECH events / networking / startups / etc  —  THE cyber happening place in SD!!! 

Join their Meetup Group for the latest event information!  The definition of “Cyber KEWEL”


9 – ISC2 (2nd Thur at 6PM) – “SD CityCISO – 2 years and counting – lessons learned”  Gary Hayslip

Location – BAH (Suite 200)  4055 Hancock Street, San Diego, CA 92110 USA

16 – ISACA – (12 PM)  “TBD”


16 – OWASP –  6PM –  Peter Bartoli is the VP of Operations at M5 Hosting and an adjunct professor at San Diego State University in the Computer


23 July (4th Thurs at 11:30) – ISSA monthly chapter meeting “TBD”    (at ADM Baker field clubhouse)


Global Cyber events:



A couple of Highlights  (A couple of items of potentially notable interest / high utility &  value… your mileage will vary….)

(Lots happening,  so LOTs to be aware of. Takes 5 min to skim…then pick out a topic or two..)

 ( some great topics / meetings here in SD … scroll to bottom and get engaged)

June 24

Of course this is still news

+++ OPM hack – 4 – 19 million records exposed, SF86 too – for sale on Darknet.

“EPIC” fail – How OPM hackers tapped the mother lode of espionage data

Government officials have been vague in their testimony about the data breaches (there was apparently more than one) at the Office of Personnel Management. But on Thursday, officials from OPM, the Department of Homeland Security, and the Department of the Interior revealed new information that indicates at least two separate systems were compromised by attackers within OPM’s and Interior’s networks. The first was the Electronic Official Personnel Folder (eOPF) system, an entity hosted for OPM at the Department of the Interior’s shared service data center. The second was the central database behind EPIC, the suite of software used by OPM’s Federal Investigative Service in order to collect data for government employee and contractor background investigations.


+ Officials: Chinese had access to U.S. security clearance data for one year

The recently disclosed breach of the Office of Personnel Management’s security-clearance computer system took place a year ago, giving Chinese government intruders access to sensitive data for a year, according to new information. The considerable lag time between breach and discovery means that the adversary had more time to pull off a cyber-heist of consequence, said Stewart Baker, a former National Security Agency general counsel. “The longer you have to exfiltrate the data, the more you can take,” he said. “If you’ve got a year to map the network, to look at the file structures, to consult with experts and then go in and pack up stuff, you’re not going to miss the most valuable files.”

+++  OUR LinkedIn post on the top ten basic security tasks to DO for OPM /YOU =  targeted cyber basics


+ Attack gave Chinese hackers privileged access to U.S. systems

For more than five years, American intelligence agencies followed several groups of Chinese hackers who were systematically draining information from defense contractors, energy firms and electronics makers, their targets shifting to fit Beijing’s latest economic priorities. But last summer, officials lost the trail as some of the hackers changed focus again, burrowing deep into United States government computer systems that contain vast troves of personnel data, according to American officials briefed on a federal investigation into the attack and private security experts.


+ Navy challenged by spear phishing, software patches

Of the myriad cybersecurity challenges facing the Navy, two stand out: spear phishing and more swiftly deploying software patches. That was the gist of a June 18 update on Navy defensive cyber operations given by Capt. David Bondura, U.S. Fleet Cyber Command’s assistant chief of staff for operations. Spear phishing, when hackers send malicious emails to a select group of people, is “our biggest problem right now,” Bondura said at an AFCEA conference in Baltimore. “Every single sailor on board any ship still poses a potential risk to that network” when they establish a secure socket layer (SSL) connection to an outside website by, for example, checking Facebook, Bondura said. “Once that SSL connection is established, we cannot see – that whole DOD architecture that’s built there – cannot see what’s coming down that encrypted pipe.”


+ Cyber warfare overshadows ‘netwar’ concept putting US at risk

While many government officials are focused on cyberwarfare following a spate of high-profile cyberattacks including the recent Office of Personnel Management data breach allegedly by Chinese hackers, a new paper states that another concept called “netwar” – a psychological force that’s increasingly related to cyber – deserves more attention. The paper, released June 11 by the Office of the Director of National Intelligence, defines netwar as “intentional activities [meant] to influence the domain of human perception via either overt or hidden channels, in which one or more actors seeks to impose a desired change upon the perception of another actor, in order that this change facilitate second-and third order effects of benefit to them.”


+  ‘digitization of everything’ will help enhance cybersecurity across government

The federal government’s top technology official / CIO said June 15 that “the digitization of everything” will help accelerate a new technological model that infuses cybersecurity as a core component. “This digitization is relentless and it won’t stop and it’s accelerating and it’s changing everything, including government,” Tony Scott, the federal chief information officer, told government employees during his keynote at the inaugural CIO Council IT Symposium in Washington, D.C. “We’re going to see more change in the next three or four or five years as the technology industry responds to today’s challenges and figures out new architectural models and paradigms for the future,” he added.


+ DISA five-year plan treats cyber as warring domain

The Defense Information Systems Agency has released a five-year strategy that calls on Defense Department personnel to treat cyberspace like a war-fighting domain by enabling maneuvering on DOD networks.   “We will execute synchronized [DOD information network] command, operations and cyber defense missions to ensure freedom of maneuver for the war-fighter and mission partners,” the document states. “We’re waking up to realizing that there is a lot more that needs to be protected, there [are] a lot of better ways that we need to protect” DOD assets, said DISA Director Lt. Gen. Ronnie Hawkins.


+ Medical-device, IoT hacks spurring security software boom

The same hospital computer networks that have helped deliver medical devices to U.S. patients are now making them more vulnerable to cyberattacks. Malware intrusions are on the rise among such systems, says Greg Enriquez, CEO of TrapX, which tracks them as part of its effort to build software that tricks such evil code into revealing itself. This battle is growing, he says, because such data is often on older, more-vulnerable networks, while the financial incentives for stealing medical data increase.


+ Data breaches from nowhere – Most compromises still being discovered by third parties

The majority of data breaches are still being detected by sources outside the affected organisations, security firm Trustwave has reported in its annual report on the topic. Most victims took around three months to uncover incidents. Altogether, Trustwave investigated 574 breaches among its customer base during 2014. Although 15 countries were represented, the firm’s business orientation towards certain countries probably explains why half of those incidents were in the US, followed by Australia with 24 percent and the UK with 15 percent, although it is also possible that these countries are more heavily targeted.


+ Data warehouse raises privacy concerns

A government data warehouse that stores information indefinitely on millions of customers is raising privacy concerns at a time when major breaches have become distressingly common. Known as MIDAS, the system is described on a federal website as the “perpetual central repository” for information collected under President Barack Obama’s health care law. “Data in MIDAS is maintained indefinitely at this time,” says a government privacy assessment dated Jan. 15. The information stored includes names, Social Security numbers, birthdates, addresses, phone numbers, passport numbers, employment status and financial accounts.


+ Why China Wants Your Sensitive Data

Since May 2014, the Chinese government has been amassing a ‘Facebook for human intelligence.’ Here’s what it’s doing with the info…


+ The US Navy’s warfare systems command just paid millions to stay on Windows XP

Windows XP and other obsolete systems remain critical to the Navy’s operations…(they want to outdo OPM?)


+ Insider threat control: Using predictive and real-time analytics

According to a new security report, fewer than half of organizations have appropriate controls to prevent insider attacks. That would be the routine controls — the standard, basic stuff one would think every company uses and has used for years…


+ Why Is Fighting Cybercrime So Hard?

It’s tough to target the few hundred super hackers that experts believe are behind the majority of cyber attacks…


+ Pentagon May Hold IT Users More Accountable for Cyber Security

DOD CIO Terry Halvorsen said that there are few if any consequences for users whose online behavior creates security problems for DOD systems. Halvorsen said that the Pentagon plans to start holding IT users and their commanders more responsible for violating cyber security rules.


+ 2015 Data Protection Maturity Report


+ 2015 Annual Security report (and summary)


+  KREBS SAYS – Stop Worrying and Embrace the Security Freeze


+ Ten essential cyber security questions to ask your CISO


+  The Future Of Cybersecurity (Info sharing)


2  +++++++

+ US to raise breach of government records at talks with China

The United States began annual security talks with China on Monday, and an official said it plans to raise directly the breach of a federal government server that resulted in the theft of personnel and security clearance records of millions of employees and contractors. China has openly denied involvement in the break-in. Obama administration officials have said they are increasingly confident that China’s government, not criminal hackers, was responsible. U.S. and Chinese officials are discussing thorny issues including cybersecurity, maritime security, military relations, missile defense, nuclear policy and space security. The discussions, led by Deputy Secretary of State Antony Blinken and his Chinese counterpart, Executive Vice Foreign Minister Zhang Yesui, involve both civilian and military officials.


+ What’s worse: Living with legacy systems or replacing them?

The recent revelation of a breach at the Office of Personnel Management, which could have resulted in the theft of personal information of millions of government employees, also points up the broader problem government has with legacy systems — whether it’s worth spending the money to secure them. Not that securing the OPM’s systems would have done much good in this case —  according to the Department of Homeland Security Assistant Secretary for Cybersecurity Andy Ozment, the systems were not directly penetrated.  Instead, attackers obtained OPM users’ network credentials and got to the systems and data from the inside.


+ OPM hack: The role FISMA played

The Office of Personnel Management data breach is merely a symptom of a much larger problem across all federal government executive branch agencies, and it’s not going away anytime soon. That’s because the Federal Information Security Management Act, in all of its various forms over the past 14 years, has created a veritable disarray of legislative mandates, ostentatious oversight, ambiguous policy frameworks, ineffective guidelines, disjointed funding, and deficient accountability. Even more significant, FISMA botched cybersecurity leadership and governance across the entire executive branch.


+ Reacting to Chinese hack, the government did not follow its own cybersecurity rules

In responding to China’s massive hack of federal personnel data, the government may have run afoul of computer security again. Over the last nine days, the Office of Personnel Management has sent e-mail notices to hundreds of thousands of federal employees to notify them of the breach and recommend that they click on a link to a private contractor’s Web site to sign up for credit monitoring and other protections. But those e-mails have been met with increasing alarm by employees – along with retirees and former employees with personal data at risk – who worry that the communications may be a form of “spear phishing” used by adversaries to penetrate sensitive government computer systems.


+ Valuing cybersecurity outcomes instead of oversight

Every day, new technologies and applications offer opportunities to change how we work, live and play. This frenetic pace is rivaled only by the ever increasing number and sophistication of the cybersecurity threats we face. We are eager to embrace the future: the Internet of Things, nanotechnology and everything from Fitbits to bring your own device. We want to be always connected, from any device, from anywhere. Yet with each new capability that we embrace, new threats and vulnerabilities are introduced.


+ Study: 15-30 percent of eCommerce site visitors infected with CSIM

Between 15 and 30 percent of eCommerce site visitors are infected with client-side injected malware (CSIM), according to a whitepaper from Namogoo, an online security firm that monitors numerous verticals throughout the U.S. and Europe. Although legally the company can’t identify the sites it monitors, Namogoo said they are among some of the most popular travel sites. “We didn’t expect to see such an increase in the infection rate in such a short time. We were surprised about the scale of the problem and also about the variety of different types of client-side Injected Malware,” Namogoo co-founder and CEO Chemi Katz said in an email.


+ Push for facial recognition privacy standards hits roadblock

Retailers have the ability to scan your face digitally and use that identification to offer you special prices or even recognize you as a prior shoplifter. But should they use it? Should they get your permission first? Privacy advocates announced Tuesday that they had walked away from government-mediated talks with industry that were intended to answer such questions. The idea was to hash out voluntary protocols for the use of facial recognition technology in a way that would not hurt consumers. The Commerce Department’s National Telecommunications and Information Administration, or NTIA, was acting as mediator.


+ Here’s what OPM told Congress the LAST TIME hackers breached its networks

A day after representatives from a security firm who happened to be giving a sales pitch say they detected months-old malware on the Office of Personnel Management’s networks, the agency’s chief information officer, Donna Seymour, testified before Congress that OPM’s leadership and cyber defenses were effective at quickly resolving threats. The newly discovered network threat, which Seymour did not mention to lawmakers, ultimately exposed sensitive data on 4.1 million federal workers and background-check forms detailing employees with access to classified information.


+  Emoji passwords could be coming your way. Is that a good thing?

Soon, you might be able to log into your bank account with a litany of smiling poo emojis, or a string of little chicken wing images, or multiple little monkeys holding their hands over their eyes. On Monday, a UK online banking service provider called Intelligent Environments announced what they’re calling the “world’s first emoji-only passcode.” Intelligent Environments says the emoji passcode system will allow users to use codes from a bank of 44 emojis — and don’t worry, it includes that lady in the red dress salsa dancing.


+  Put up the firewalls

When it comes to Chinese hacking, Americans cannot say they were not warned. In January James Clapper, the director of national intelligence, told a technology conference in New York that “China has been robbing our industrial base blind, largely with vulnerabilities that are easy to guard against or to simply fix.” They are, he said, “cleaning us out, because we know we’re supposed to do those simple things, and yet we don’t do them.”


+ Only Seven Percent of Malicious Mobile Applications Apparent to Users:

Data from ESET on malicious mobile applications shows that only seven percent of reported incidents on mobile applications are caused by straightforward malware…


+ The Dark Web: An Untapped Source For Threat Intelligence

Most organizations already have the tools for starting a low-cost, high-return Dark Web cyber intelligence program within their existing IT and cybersecurity teams. Here’s how…


+ Lessons from the Sony Hack: The Importance of a Data Breach Response Plan

In a decision emphasizing the need for employers to focus on data security,


+  All industries fail cybersecurity, govt the worst

Most sectors failed industry-standard security tests of their Web and mobile applications, but the government failed the worst, a report by application security company Veracode found…


+ Case Study: Critical Controls that Sony Should Have Implemented

November 24, 2014, an incident almost pulled right out of a 90’s hacker movie transformed into a massive computer hack. A group calling itself The Guardians of Peace (GOP) managed to breach Sony Pictures Entertainment


+  National Cyber Security Hall of Fame 2015 Nominations

Mike Jacobs, chair of the Cyber Security Institute of San Diego, is chair of the NCS HoFame. Mike was the first Information Assurance Director at NSA.  We have had three years of inductees into the NCS HoFame that include many of the significant contributors to Cyber Security including Rivest, Shamir, Adleman, Diffie, Hellman, etc.

There are five contribution categories for nominations: Technology, Policy, Public Awareness, Education and Business….  Soliciting publicity for nominations, which are due July 5, 2015.


3  +++++++

+ Hunt for Deep Panda intensifies in trenches of U.S.-China cyberwar

Security researchers have many names for the hacking group that is one of the suspects for the cyberattack on the U.S. government’s Office of Personnel Management: PinkPanther, KungFu Kittens, Group 72 and, most famously, Deep Panda. But to Jared Myers and colleagues at cybersecurity company RSA, it is called Shell Crew, and Myers’ team is one of the few who has watched it mid-assault – and eventually repulsed it. Myers’ account of a months-long battle with the group illustrates the challenges governments and companies face in defending against hackers that researchers believe are linked to the Chinese government – a charge Beijing denies.


+ New exploit turns Samsung Galaxy phones into remote bugging devices

As many as 600 million Samsung phones may be vulnerable to attacks that allow hackers to surreptitiously monitor the camera and microphone, read incoming and outgoing text messages, and install malicious apps, a security researcher said. The vulnerability is in the update mechanism for a Samsung-customized version of SwiftKey, available on the Samsung Galaxy S6, S5, and several other Galaxy models. When downloading updates, the Samsung devices don’t encrypt the executable file, making it possible for attackers in a position to modify upstream traffic (such as those on the same Wi-Fi network) to replace the legitimate file with a malicious payload. The exploit was demonstrated Tuesday at the Blackhat security conference in London by Ryan Welton, a researcher with security firm NowSecure.


+ Major Mac flaw spills your passwords

Apple claims that its “Keychain” software lets people securely store their passwords on their Macs. As it turns out, hackers can pull the keys off the chain. A crucial flaw found in Macs allows a malicious app to snatch the passwords from your Keychain — or even directly from other apps. That exposes the passwords to your iCloud account, notes, photos, email, banking, social media — everything. Indiana University computer science professor XiaoFeng Wang and his team of researchers found several ways a bad app could “cross over” into other apps. The researchers found that malicious software could slip into the Apple Keychain, delete old passwords, and wait for you to retype them in. When you do, it grabs them.


+ Hack of cloud-based LastPass exposes hashed master passwords

LastPass officials warned Monday that attackers have compromised servers that run the company’s password management service and made off with cryptographically protected passwords and other sensitive user data. It was the second breach notification regarding the service in the past four years. In all, the unknown attackers obtained hashed user passwords, cryptographic salts, password reminders, and e-mail addresses, LastPass CEO Joe Siegrist wrote in a blog post. It emphasized that there was no evidence the attackers were able to open cryptographically locked user vaults where plain-text passwords are stored. That’s because the master passwords that unlock those vaults were protected using an extremely slow hashing mechanism that requires large amounts of computing power to work.
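Why a slow, salted hash still protects vault master passwords after the hashes and salts themselves leak, as an added example (not code from the article or from LastPass): the attacker must recompute the hash once per guess, so a deliberately expensive function multiplies the attacker's cost while the legitimate user pays it once per login. PBKDF2-HMAC-SHA256 from the Python standard library stands in for whatever LastPass actually used; the iteration counts, user records and wordlist are constructed for the demonstration and are not LastPass's real parameters.

```python
"""Added example: cost of offline guessing against a leaked salt + slow hash.

PBKDF2-HMAC-SHA256 is used here as a stand-in for the service's real (unknown)
hashing scheme; all iteration counts, records and wordlists are constructed.
"""
import hashlib
import hmac
import secrets
import time

FAST_ITERATIONS = 1        # one SHA-256 pass: the cheap hash an attacker hopes for
SLOW_ITERATIONS = 100_000  # constructed value; real deployments tune this to hardware


def hash_master_password(password: str, salt: bytes, iterations: int) -> bytes:
    """Derive a 32-byte verifier from the password and a per-user random salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str, iterations: int = SLOW_ITERATIONS) -> dict:
    """What the server stores, and what leaks in a breach: salt, cost, hash."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "iterations": iterations,
        "hash": hash_master_password(password, salt, iterations),
    }


def verify(password: str, record: dict) -> bool:
    """Login-time check; constant-time compare avoids leaking where hashes differ."""
    candidate = hash_master_password(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def offline_guess(record: dict, wordlist: list) -> tuple:
    """Model the attacker's only option with a leaked record: try guesses one by one.

    Every guess costs a full PBKDF2 run because the per-user salt defeats any
    precomputed table. Returns (recovered_password or None, hashes_computed).
    """
    for tried, guess in enumerate(wordlist, start=1):
        if verify(guess, record):
            return guess, tried
    return None, len(wordlist)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Wall-clock time of one attacker guess at a given cost setting, averaged."""
    salt = secrets.token_bytes(16)
    start = time.perf_counter()
    for _ in range(samples):
        hash_master_password("guess", salt, iterations)
    return (time.perf_counter() - start) / samples


def slowdown_factor() -> float:
    """How many times more expensive each guess is at SLOW vs FAST iterations."""
    fast = max(seconds_per_guess(FAST_ITERATIONS), 1e-9)  # guard against a 0 reading
    return seconds_per_guess(SLOW_ITERATIONS) / fast


if __name__ == "__main__":
    # Constructed demo data: a weak master password that appears in a tiny wordlist,
    # and a strong one that does not. Neither is a real user's credential.
    wordlist = ["123456", "password", "letmein", "qwerty", "summer2015"]
    weak = make_record("letmein")
    strong = make_record("p1n3-Tree&harbor!lantern")
    print("weak record cracked:  ", offline_guess(weak, wordlist))
    print("strong record cracked:", offline_guess(strong, wordlist))
    print(f"each guess ~{slowdown_factor():,.0f}x slower at {SLOW_ITERATIONS:,} iterations")
```

The slowdown factor is what the blurb means by “requires large amounts of computing power”: a per-guess cost that is negligible for one login becomes the dominant expense when an attacker needs millions of guesses per leaked record.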


+ 44.5 million new malware variants recorded in 1 month

A freshly released report from Symantec about the state of malware risks identified in the month of May informs that cybercriminals were highly active, creating no less than 44.5 million new versions of threats. The figure sets a new high this year and it represents an increase of more than 50% compared to the previous month, when the company’s system recorded 29.2 million new threats. The time interval with the second largest number of malicious software seen by Symantec systems is March, the total amount reaching 35.8 million samples.


+ China and Russia almost definitely have the Snowden docs

Last weekend, the Sunday Times published a front-page story, citing anonymous British sources claiming that both China and Russia have copies of the Snowden documents. It’s a terrible article, filled with factual inaccuracies and unsubstantiated claims about both Snowden’s actions and the damage caused by his disclosure, and others have thoroughly refuted the story. I want to focus on the actual question: Do countries like China and Russia have copies of the Snowden documents? I believe the answer is certainly yes, but that it’s almost certainly not Snowden’s fault.


+ Polish LOT airplanes grounded by computer hack

Some flights operated by Poland’s national airline, LOT, were grounded on Sunday after hackers attacked its computer system. The hacking attack targeted computers issuing flight plans at Warsaw’s Okecie airport. More than 1,400 passengers were affected, with 10 flights cancelled and another 12 delayed. Services were getting back to normal on Sunday evening. The attack is now being investigated by airline authorities. Flights to Dusseldorf, Hamburg and Copenhagen and Polish cities were affected, although LOT stressed that the glitch did not affect the airport or airplanes that were already in the air.

–Vulnerable Flight Plan Protocol Widely Used

The flight plan delivery protocol is used by virtually every airline. It does not require authentication. Earlier this month, United Airlines flights in the US were grounded for an hour; the airline did not offer many details, but the issue was reportedly with incorrect flight plans being sent to pilots.


+ Stegoloader malware hides in images on legit sites

Security researchers have warned that a little-known malware family could spell a new trend emerging in the ongoing cybersecurity arms race: the use of digital steganography to hide malicious code. Dell SecureWorks revealed its findings in a new report, Stegoloader: A Stealthy Information Stealer. It details a malware family first identified in 2013, although little discussed in the white hat community. The malware has been architected with several key features designed to make analysis and detection incredibly difficult – key among these being that it only deploys the modules it needs one by one, limiting exposure to investigators.


+  Even with a VPN, open Wi-Fi exposes users

By now, any sentient IT person knows the perils of open Wi-Fi. Those free connections in cafes and hotels don’t encrypt network traffic, so others on the network can read your traffic and possibly hijack your sessions. But one of the main solutions to this problem has a hole in it that isn’t widely appreciated. Large sites like Twitter and Google have adopted SSL broadly in order to protect users on such networks. But for broader protection, many people use a virtual private network (VPN). Most people, if they use a VPN at all, use a corporate one. But there are public services as well, such as F-Secure’s Freedome and Privax’s HideMyAss. Your device connects with the VPN service’s servers and establishes an encrypted tunnel for all your Internet traffic from the device to their servers. The service then proxies all your traffic to and from its destination.


+ Samsung and LG smartwatches leave sensitive data open to hackers

Hackers can easily swipe personal data from LG and Samsung smartwatches, researchers have revealed, with neither brand encrypting sensitive data. According to researchers at the University of New Haven, hackers can easily extract personal data, including contacts, messages and health information, from both the Samsung Gear 2 and LG G Watch. Ibrahim Baggili of the University of New Haven’s Cyber Forensics Research and Education Group, said: “It was not very difficult to get the data, but expertise and research was required.” The researchers, who are currently looking into whether the Apple Watch suffers a similar issue, said they were able to easily swipe data from both the Tizen and Android Wear-powered watches by poking around the wearables’ internal storage and the smartphone to which they were linked.


+ Chinese hackers circumvent popular web privacy tools

Chinese hackers have found a way around widely used privacy technology to target the creators and readers of web content that state censors have deemed hostile, according to new research. The hackers were able to circumvent two of the most trusted privacy tools on the Internet: virtual private networks, or VPNs, and Tor, the anonymity software that masks a computer’s true whereabouts by routing its Internet connection through various points around the globe, according to findings by Jaime Blasco, a security researcher at AlienVault, a Silicon Valley security company.


+ Criminals Continue to Defraud and Extort Funds from Victims Using Cryptowall Ransomware Schemes

Data from the FBI’s Internet Crime Complaint Center (IC3) shows ransomware continues to spread and is infecting devices around the globe…


+ Just How Dark Is The ‘Deep Web’?

A new report has attempted to shed some light on the kinds of illegal and immoral activities carried out on the deep web, an area off limits to the majority of Internet users…


+ US Hosts The Most Botnet Servers

More malicious command and control servers are based in the US than anywhere else, and China is home to the most bots.


+  Verizon, AT&T, WhatsApp rank low in data privacy report


+++  SD/SoCAL security events / opportunities +++

+ CyberTECH events / networking / startups / etc  —  THE cyber happening place in SD!!! 

Join their Meetup Group for the latest event information!  The definition of “Cyber KEWEL”


25 – ISSA – (11:30AM)  “HealthCare CISO panel”     (at ADM Baker field clubhouse)


9 – SD ISC2 (Thur at 6PM) – “SD CityCISO – 2 years and counting – lessons learned”  Gary Hayslip

Location – BAH (Suite 200)  4055 Hancock Street, San Diego, CA 92110 USA

16 – OWASP –  6PM –  Peter Bartoli is the VP of Operations at M5 Hosting and an adjunct professor at San Diego State University in the Computer


Global Cyber events:


June 15   (TWO weeks’ worth again…)

1  +++++++

Of course this is still news

+++ OPM hack – 4 – 19 million records exposed, already for sale on Darknet.

Union: Hackers have personnel data on every federal employee

Hackers stole personnel data and Social Security numbers for every federal employee, a government worker union said Thursday, asserting that the cyber theft of U.S. employee information was more damaging than the Obama administration has acknowledged. The December hack into Office of Personnel Management data was carried out by “the Chinese.”

And a DHS spokesperson told Ars that “interagency partners” were helping the OPM improve its network monitoring “through which OPM detected new malicious activity affecting its information technology systems and data in April 2015.” Those statements may not be entirely accurate… A product demo looks to have found the hack…

China hackers got past costly U.S. computer security with ease

The hackers sneaked past a sophisticated counter-hacking system called Einstein 3, a highly-touted, multimillion-dollar and mostly secret technology that’s been years in the making. It’s also, by the government’s own admission, already obsolete.

AND this.. 

White House orders government to do four basic security items (and one was NOT encryption???)


+++  OUR LinkedIn post on the top ten basic security tasks to DO for OPM / YOU =  targeted cyber basics



+ When regulating apps, smart cities need to be smart about privacy

Cities across the country are using data to more effectively and efficiently provide services for citizens. New York City, under the last several mayors, has been at the forefront of analyzing information from across the city to tackle problems ranging from public safety to the environment. Smart cities bring together cutting-edge monitoring, big data analysis and innovative management technologies to the world of urban planning, but all of these data in government hands raise important privacy issues. Basic caution is warranted with regards to law enforcement access and public release of this information, either through data breaches or Freedom of Information laws.



+ Government malware spied on cybersecurity company, possibly Iran nuclear talks

A successor to Stuxnet, the sophisticated piece of malware that infected Iran’s nuclear centrifuges around 2010, managed to infiltrate one of the most high-profile cybersecurity groups. Today, Kaspersky Labs published a postmortem on what it calls Duqu 2.0, a derivative of the Duqu program it investigated in 2011; Kaspersky has previously tied Duqu to Stuxnet. “The thinking behind it is a generation ahead of anything we’d seen earlier — it uses a number of tricks that make it really difficult to detect and neutralize,”



+ Here’s what you can do to secure your network as the Internet of Everything nears

The Internet of Everything, the intersection and connection of people, processes, data, and things, holds great promise for creating greater operational efficiencies within government entities. It has the potential to help with everything from traffic jams to safety in public parks. Cisco predicts that by the year 2020, 50 billion devices will be Internet connected. As government agencies continue to bring more and more devices from disparate suppliers into their network, cybersecurity models need to radically change.



+ Agencies spend big on cloud this year

Federal agencies are expected to spend at least $400 million more on cloud computing this year than last. The expected bump would bring the year’s total cloud computing spending to $2 billion and illustrates the heightened attention the federal government is paying to the cloud,



+ SpaceX founder files with government to provide Internet service from space

Elon Musk’s space company has asked the federal government for permission to begin testing on an ambitious project to beam Internet service from space, a significant step forward for an initiative that could create another major competitor to Comcast, AT&T and other telecom companies.



+ Sidewalk Labs, a start-up created by Google, has bold aims to improve city living

Now Google is getting into the ultimate manifestation of the messy real world: cities. The Silicon Valley giant is starting and funding an independent company dedicated to coming up with new technologies to improve urban life. The start-up, Sidewalk Labs, will be headed by Daniel L. Doctoroff, former deputy mayor of New York City for economic development and former chief executive of Bloomberg L.P.



+ Microsoft opens EU ‘Transparency Centre’ to allay fears over NSA backdoors

Microsoft has opened a Transparency Centre in Brussels, its second after launching the first in Redmond just under a year ago. According to the company, the new centre “offers participating governmental agencies the opportunity to review the source code of Microsoft products, access information on cybersecurity threats and vulnerabilities,



+ Wall Street watchdog sets rules for bitcoin

A top Wall Street watchdog on Wednesday issued new rules that place stricter cybersecurity requirements on financial firms wishing to use virtual currencies.  “Building trust and confidence among consumers is crucial for wider adoption. It also helps attract additional investment.”



+ NIST releases draft framework to help agencies understand, manage privacy issues

The National Institute of Standards and Technology last week released a draft guide aimed at helping federal agencies anticipate and address privacy risks from collecting and processing personal data through their computer networks. NIST Internal Report 8062, called “Privacy Risk Management for Federal Information Systems,”



+ More bosses expected to track their staff through wearables in the next 5 years

Last year insurance company USAA banned its employees from wearing Google Glass to work. The problem wasn’t the geeky look they gave their staff, but the potential privacy risk they posed on other colleagues and customers.



+ Security Defenses Are No Match for Cyber-Crooks

Organizations are falling behind the security curve, and security defenses that were at least somewhat effective a decade ago no longer cut it… According to Privacy Rights Clearinghouse, 49 major public breaches representing 80,319,845 records have already taken place in 2015.



+ Why the Internet of Things isn’t the same as the new hardware movement

Cheap, accessible, open hardware is driving the IoT… So, hardware can be deployed in all sorts of ways that it couldn’t before, and at much lower cost. That means computing can extend into many places where it couldn’t before — like cornfields and streetlights.



+ Growing cyber threats challenging cost reduction as reason to use managed services

Mid-sized companies plan to use more managed services and many see it as improving security…



+ Raytheon Rethinks Cyber, Trademarks C5I Concept

The defense industry loves acronyms, but it’s rare that one given to a trade space is trademarked. Yet by adding “cyber” to the widely used C4I (command, control, communications, computers and intelligence), Raytheon has taken that step with C5I…



+ Companies Should Heed DOJ’s New Cybersecurity Guidance to Minimize Liability

The Department of Justice (DOJ) has released new guidance on cyber preparedness and incident response, becoming the latest federal agency to do so in recent months…



+ 20 Top Security Influencers

It can be tough to know where to go for the latest enterprise security news and actionable advice. This list of influencers is a great place to start…



+ Survival Tips For The Security Skills Shortage

No matter how you slice it, creating a security professional with 10 years of experience takes, well, 10 years. Here are six suggestions for doing more with less…



+ Duqu 2.0 Attack On Kaspersky Lab Opens Chilling New Chapter In Cyber Espionage

New nation-state campaign with previous ties to Stuxnet spies on security firm’s research and anti-cyber spying technologies — plus participants in Iranian nuclear negotiations and their telecommunications, mobile providers…



+ RAND study: Cyber-defense must change course, or else

RAND today released the results of its multiphased study on cybersecurity’s future, The Defender’s Dilemma, delivering a frightening snapshot of defenders lost at sea…  (162 pages of solid cyber sense…)



+ 8 Surprising Facts About the Rise of the Dark Net

One of the truly indispensable works of nonfiction released in 2015, Jamie Bartlett’s The Dark Net charts the rise of the anonymous Internet — the “dark net” — and its many appendages…



+ 10 highest-paying IT security jobs

High-profile security breaches, data loss and the need for companies to safeguard themselves against attacks are driving salaries for IT security specialists through the roof. Here are the 10 highest-paying security roles.



+ Insider Threat Report 2015



+ Definitive Guide To Cloud Access Security Brokers (CASBs)  (requires browser plug-in)



+ SIEM guide



+ The Calm Before the Mobile API Data Breach Storm?



+ IEEE May/June Security and Privacy Magazine





2  +++++++



+ After OPM debacle, three-step biometric ID checks are coming

Expect computers to require that federal personnel use a smartcard, a password, and their fingerprints before logging on, as a way to shore up defenses in the wake of a massive government cyber assault, a top official at the Department of Homeland Security said this week. So-called three-factor authentication goes one step further than today’s government-wide sign-on routine, which involves only a badge and PIN, if that. Most agencies, including the recently hacked Office of Personnel Management, only require a PIN. Foreign spies, who allegedly extracted details on millions of current and former federal employees from OPM’s network, might change that.



+ Senate rejects measure to strengthen cybersecurity

On the heels of a vast breach of the personal information of federal employees, the Senate failed Thursday to advance a cybersecurity measure, the third time in three years that a bipartisan effort to tackle the problem has fallen victim to procedural actions. The measure, which failed, 40 to 56, was similar to an expansive bill passed by the House two months ago that would push companies to share access to their computer networks and records with federal investigators. Senator Mitch McConnell, Republican of Kentucky and the majority leader, attached the cybersecurity measure to a larger defense policy bill, hoping its complexity and broad bipartisan support would counter President Obama’s threat to veto that measure. Democrats objected to the move and voted against the cybersecurity measure as a result.



+ EU, US officials close in on broad privacy accords

After years of thorny negotiations, top EU and U.S. officials say they are close to agreement on two privacy accords that would regulate the transfer of personal data of European citizens to the U.S. At stake is the ability of U.S. and European companies and governments to share data about private citizens for commercial and law enforcement purposes. A version of one of the two privacy deals being discussed, the Safe Harbor accord, has been in force for years but is being renegotiated. Failure to reach agreement on how to change the accord would spell serious trouble for companies like Google, Facebook and Twitter, which have relied on it to transmit data on EU citizens to the U.S. for processing and storage.



+ Big data systems house sensitive data, security exposures

Big data systems are invading enterprise data centers at a rapid rate, but they often lack the controlled access, data encryption, and other protections inherent in relational systems, according to a SANS Institute survey of 206 companies. Of the respondents, 43% were from organizations with 10,000 or more employees and 53% held a title related to IT security. Big data systems increasingly serve as the repository for personal-identification information and corporate intellectual property. For example, the SANS survey found 73% of respondents with big data applications “use them to store personal data on customers and 72% store important business data,” such as employee records (64%), intellectual property (59%), and payment card information (53%).



+ FCC Open Internet rules are finally here. So what’s changed?

The Federal Communications Commission’s long-awaited rules to ensure Internet openness take effect today. Whether you’re a casual Web user or a so-called “cord cutter” who’s ditched pay-TV service in favor of streaming sites like Netflix and Hulu, here’s how the regulations might affect you. Under the FCC rules, companies providing you a broadband Internet access service — whether it’s cable in your home or 4G on your phone — must treat all traffic traveling over the Web equally. They can’t block your lawful content or slow your connection to keep you from using particular services, apps or devices. They also can’t favor their own content ahead of others’ or create fast lanes for a fee.

+ Funding bill would block net neutrality until courts rule

A House appropriations bill released Wednesday would block the Federal Communications Commission from implementing its net neutrality rules until the courts weigh in on the issue.



+ How did Estonia become a global leader in digital government?

Quick, think of the most digital-friendly government in the world. If Estonia’s didn’t immediately pop into your head, then listen up. The tiny European nation was the first country to permit online voting more than a decade ago, and it has consistently led the way in digital signatures and online transactions. But Estonia didn’t become a global leader of e-governance because the country is some sort of “digital Narnia,” says Andres Kutt, the architect and adviser to the Estonian Information Security Authority. The country’s tech transformation was born out of necessity, he says.



+ SANS whitepaper, based on its 2015 State of Application Security Survey

Read it to find out: the top security challenges faced by both the builders and defenders of software; how these challenges are made more complicated by the rapidly accelerating pace of development and lack of control over applications hosted in the cloud; the progress, and the setbacks, occurring in the effort to align developers and security professionals; and best-practice advice for secure development and delivery of applications throughout the software development lifecycle.



+ NASA and Verizon plan to monitor US drone network from phone towers

Verizon signed an agreement last year with NASA “to jointly explore whether cell towers … could support communications and surveillance of unmanned aerial systems (UAS) at low altitudes”. That $500,000 project is now underway at NASA’s Ames Research Center in the heart of Silicon Valley.



+ Building effective cybersecurity teams at all levels

Cybersecurity is becoming an increasingly common topic of conversation across the public sector, and for good reason.



+ The U.S. government is mandating the use of the HTTPS security protocol on all of its public websites and web services by the end of 2016

Deploying HTTPS will authenticate communications with government websites and encrypt the data sent back and forth, which will help protect against snooping and imposter websites.



+ Your finger is about to replace your bank password

We already use our fingerprint to unlock our phones, and one day soon your finger could replace your bank password. Over the past year, U.S. banks have been ramping up efforts to incorporate biometric technology (iris scanners, fingerprint readers and facial recognition) into their systems.



+ Facebook is finally embracing consumers’ desire to encrypt their emails.

The company announced today that people will now be able to share encryption keys via their Facebook profiles. They can also have the company encrypt the emails it sends them whenever they receive a notification on the social network. In a blog post, Facebook explains that it already encrypts notification emails as they’re ferried along the network.



+ New privacy app takes a page from NSA technology

A smartphone application called Scrambl3 from a California startup claims its “dark Internet tunnel” thwarts snooping on voice calls and messages. Scrambl3 was launched as a stand-alone app for Android devices by the startup, USMobile, which describes it as a way to create “trusted connections on untrusted networks.”



+ U.S. to bring Japan under its cyber defense umbrella

The United States will extend its cyber defense umbrella over Japan, helping its Asian ally cope with the growing threat of online attacks against military bases and infrastructure such as power grids, the two nations said in a joint statement



+ Lawmakers to automakers: How are you protecting cars from cyberattacks?

Ten members of the House of Energy and Commerce Committee are questioning how the government and auto-makers are prepping for the potential cybersecurity risks of reliance on software in vehicles.



+ Most Security Depts Blindly Trust Certificates and Keys

Most IT security professionals acknowledge they don’t know how to detect, or quickly remediate, compromised cryptographic keys and digital certificates…



+ Offended by Offensive Security

The commonly held belief in the realm of digital security (cyber security for the new folks and media) is that the methods employed are strictly defensive in nature…



+ How Employee Negligence Can Put Your Company’s Data At Risk

Cyber Liability Insurance is a coverage that many businesses have overlooked in the hopes of keeping costs down in tough market conditions…



+ What is Cyber Insurance?

You may have heard the term “Cyber Insurance” in exceptionally glowing terms, describing it as the next big thing that no sensible business should be without. Or you may also have heard it described as something that is greatly hyped but which is not quite as awesome as all that.



+ 90% of DLP violations occur in cloud storage apps

Ninety percent of DLP violations occur in cloud storage apps, and a large percentage of these involve enterprise confidential intellectual property or customer or regulated data that the customer did not know about or did not want stored there…



+ The Rise Of Bring Your Own Encryption

The BYOE security model gives cloud customers complete control over the encryption of their data. At the same time, cloud providers are finding innovative ways to let users manage encryption keys…



+ BYOD advice

Five experts offer advice on managing risks when agency employees bring their own mobile devices to work.



+ Cybersecurity Maturity Lacking or Non-Existent for Most



+ NIST outlines process for vetting mobile apps



+ “Top 10” List for Security Law Compliance



+ 400 Awesome Free Things for Entrepreneurs and Startups




3  +++++++



+++ GREAT interactive database on SANS top 20 and way more!!!  GET THIS TOOL!!



+ 98% of tested web apps vulnerable to attack!

Of the many findings detailed in the newly released 2015 Trustwave Global Security Report (GSR), the news that 98% of tested web applications and 95% of tested mobile applications were found to be vulnerable to attack should alarm any organization.



+ Massive growth in new ransomware, malware targeting Adobe Flash

In the first quarter of 2015, McAfee Labs registered a 165 percent increase in new ransomware driven largely by the new, hard-to-detect CTB-Locker ransomware family, a new ransomware family called Teslacrypt, and the emergence of new versions of CryptoWall, TorrentLocker and BandarChor…

What to do if your computer is taken over by ransomware



+ Serious iOS bug makes it easy to steal users’ iCloud passwords

A security researcher has published attack code he said makes it easy to steal the iCloud passwords of people using the latest version of Apple iOS for iPhones and iPads. The proof-of-concept attack exploits a flaw in the default iOS e-mail program. Since the release of version 8.3 in early April, the app has failed to properly strip out potentially dangerous HTML code from incoming e-mail messages. The proof-of-concept exploit capitalizes on this failure by downloading a form from a remote server that looks identical to the legitimate iCloud log-in prompt. It can be displayed each time the booby-trapped message is viewed.



+ 75% of Companies Worldwide Face Significant Risk Exposure, RSA Survey Finds

Overall survey results found that nearly 75 percent of respondents face significant cybersecurity risk exposure and had their overall capabilities ranked below the developed category. Out of over 400 companies surveyed, only five percent were ranked for advanced capabilities. The report also found that the size of an organization is not an adequate indication of its security maturity.



+ Hackers can send fatal dose to hospital drug pumps

When security researcher Billy Rios reported earlier this year that he’d found vulnerabilities in a popular drug infusion pump that would allow a hacker to raise the dosage limit on medication delivered to patients, there was little cause for concern. Now Rios says he’s found more serious vulnerabilities in several models of pumps made by the same manufacturer, which would allow a hacker to surreptitiously and remotely change the amount of drugs administered to a patient.



+ Hunting for hackers, N.S.A. secretly expands Internet spying at U.S. border

Without public notice or debate, the Obama administration has expanded the National Security Agency’s warrantless surveillance of Americans’ international Internet traffic to search for evidence of malicious computer hacking,



+ Cloud providers hit hard by DDoS attacks in Q1: VeriSign

According to research from VeriSign, in the first quarter of 2015 the company observed that its cloud-provider customers experienced the largest volume of DDoS attacks, accounting for more than a third of all attacks and peaking in size at just over 54 Gbps.



+ Cyber weapons: 4 defining characteristics

Nations can take advantage of anonymity and deniability while conducting military campaigns in cyberspace, enabling a type of “clean coercion” warfare. But, what is the definition of a weapon, and how can we more clearly identify when a cyberattack should be correctly labeled as a “cyber weapon”?



+ Hola VPN used to perform DDoS attacks, violate user privacy

Hola is a VPN provider that purports to offer its users freedom from censorship, a way to access geoblocked content, and anonymous browsing. The service claims that more than 47 million people are part of its peer-to-peer network. But it’s dangerously insecure: the client software has flaws that allow for remote code execution, and features of the client enabled tracking. On top of that, critically, Hola sells access to its peer-to-peer network with little oversight, enabling it to be used maliciously.



+ Russian crypto-malware encrypts files completely

Ransomware with file encryption routines is one of the nastiest cyber threats today, not just for the average user but also for businesses and even law enforcement departments, which have no alternative but to pay for data recovery unless a backup system has been set up. This malware, also known as Encoder.858 and Shade, applies full encryption to the files it processes, from content to name and extension.



+ FBI calls for new wiretap law covering social media

Encrypted social networking tools are hindering the FBI’s ability to track terrorists and recruiters who are appealing to young people in the U.S., an FBI official told lawmakers. Congress must pass a new wiretap law that requires social media websites and operators of other Internet communication tools to share customers’ communications with law enforcement agencies the same way that telecom carriers do,



+ British spies betrayed to Russians and Chinese

Russia and China have cracked the top-secret cache of files stolen by the fugitive US whistleblower Edward Snowden, forcing MI6 to pull agents out of live operations in hostile countries, according to senior officials in Downing Street, the Home Office and the security services…



+ Even with a VPN, open Wi-Fi exposes users

Those moments between Wi-Fi connect and VPN launch can give away a lot… I tested this scenario at a Starbucks with Google Wi-Fi while running Wireshark. Thousands of packets went back and forth on the open network before the VPN attempted to connect. A quick scan of the list found nothing that looked dangerous, and in fact the software on my system used TLS 1.2 in almost all cases, which was quite a relief.



+ Price of website-disabling DDoS attacks falls to US$38 per hour as botnets proliferate in China, Vietnam (South China Morning Post)

It is becoming easier than ever to launch a potentially ruinously expensive, server-disabling assault against any website as criminal organizations offer distributed denial-of-service (DDoS) attacks at cut-price rates…



+ Firewalls Sustain Foundation of Sound Security

Simply put, organizations that cannot maintain rigid firewall enforcement are more likely to be compromised…

Why the Firewall is Increasingly Irrelevant

It will take a dramatic reimagining of security to dedicate focus to the areas where company data actually resides. It starts with tearing down the firewall.



+ Conventional Wisdom About Cyber Hacks is Flawed

A recent article out of SolPass reports, “Business and government leaders who are being told that there’s no preventive strategy to stop cyberattacks and fraud are being subjected to fundamentally flawed thinking,

DO the cyber basics well, folks – it works!!!



+ Cybercrime Can Give Attackers 1,425% Return on Investment

Going rates on the black market show ransomware and carding attack campaign managers have plenty to gain.



+ 11 Countries with Most Hackers and Cyber Criminals

US first (includes compromised computers), then China, then Germany…



+ Long Cons: The Next Age of Cyber Attacks

When hackers know that a big payday is coming they don’t mind waiting for months for the best moment to strike.




A couple of Highlights  (A couple of items of potentially notable interest / high utility &  value… your mileage will vary….)

(Lots happening,  so LOTs to be aware of. Takes 5 min to skim…then pick out a topic or two..)

 ( some great topics / meetings here in SD … scroll to bottom and get engaged)

MAY 31

+ IRS gets hacked 100,000+ stolen tax returns

Hackers stole personal information from 104,000 taxpayers, IRS says

Hackers gained access to personal information of 104,000 taxpayers this spring, using an online service the Internal Revenue Service uses to give Americans access to their past tax returns, the agency said Tuesday. The information included several years’ worth of returns and other tax information on file with the IRS, Commissioner John Koskinen said in a press conference. The thieves hacked into a system called “Get Transcript,” clearing a security screen that requires users to know the taxpayer’s Social Security number, date of birth, address and tax filing status. Those who successfully downloaded the transcripts gained access to information from prior years’ tax returns that could be used to file fraudulent tax returns that more closely resemble those of legitimate taxpayers, officials said. Koskinen said the system, which has temporarily been shut down, was targeted from February through mid-May.

Sources said to be close to the investigation tell reporters the attack has been traced to Russia. What’s not as tentative is the conclusion about how the attackers got it: they used stolen personal information to bypass security protections. Thus the attack itself (if not its roots in the criminal market) was decidedly low tech. It was also decidedly the kind of attack any number of other agencies might suffer using minimal technical skill, according to experts.  Hackers who harvested US taxpayers’ personal data using data from previous breaches were targeting high-value personal data.


+ Cost of data breaches increasing to average of $3.8 million

The cost of data breaches is rising for companies around the world as sophisticated thieves target valuable financial and medical records, according to a study released on Wednesday. The total average cost of a data breach is now $3.8 million, up from $3.5 million a year ago, according to a study by data security research organization Ponemon Institute, paid for by International Business Machines Corp. The direct costs include hiring experts to fix the breach, investigating the cause, setting up hotlines for customers and offering credit monitoring for victims. Business lost because customers are wary after a breach can be even greater, the study said.

Really – this site says $6.5M… (Ponemon Study)  Still, it’s a LOT…


+ ISA presses for data to shape cyber security policy, encourages use of NIST framework

The Internet Security Alliance Monday encouraged the Department of Commerce to work with private sector organizations to determine what’s needed in terms of cost-effectiveness, incentives and prioritization to stimulate use of the NIST Framework. Developed in response to a 2013 Executive Order from President Obama, the NIST Framework for Improving Critical Infrastructure Cybersecurity was released in February 2014. Yet 15 months after the unveiling, ISA President Larry Clinton said in a Tuesday email correspondence that “there has been no systematic work to provide the supports for Framework use that were also called for in the President’s Order.”


+ Global initiative ‘Securing Smart Cities’ launches

IOActive, Kaspersky Lab and the Cloud Security Alliance are among a group of security organizations supporting a new initiative that tackles “existing and future cybersecurity problems of smart cities” through public and private sector collaboration. The effort, “Securing Smart Cities,” aims to connect the security community with other key players in the critical infrastructure ecosystem, like city planners and authorities and vendors, in order to educate the public on security best practices and create standards and guidelines to improve the security of smart cities, a Tuesday release said.


+ NSA chief urges ‘safe’ Internet under equivalent of Law of the Sea

The U.S. National Security Agency chief called on Wednesday for an “open, reliable and safe” Internet governed by international rules akin to the Law of the Sea, while deflecting critics who say NSA spying has undermined public trust in the cyberworld. Admiral Michael Rogers spoke a few days after the U.S. Senate rejected a bill to extend spy agencies’ bulk collection of Americans’ telephone records, putting the program in doubt shortly before its expiry on June 1. Addressing a cyberwarfare conference in Estonia, Rogers adopted the diplomatic language of a grassroots online governance activist, hailing the Internet’s openness and value as a shared, public good.


+ Countries pick sides in global fight for the Internet

The world is choosing sides in a fight over what the Internet will look like in the years to come. In recent months, countries have rushed to sign cybersecurity pacts that not only secure cyberspace allies, but also promote their vision of the global Internet.  “It’s kind of indicating how the battle lines are being drawn,” said Richard Stiennon, chief research analyst for security consulting firm IT-Harvest. While a coalition of nations, including the U.S., is pushing to turn the Internet into a borderless global entity, others such as Russia and China are pressing to give local governments more control over the flow of data.


+ FCC prepares to become the Internet’s privacy cop

The Federal Communications Commission is warning Internet providers to get in line as it prepares to enforce new privacy regulations. The agency issued an “enforcement advisory” Wednesday, outlining for the first time how it plans to decide whether to crack down on a company for violating its customers’ privacy. But the statement offers few specifics, leading critics to warn that the agency is claiming expansive new regulatory powers. Internet providers, the FCC said, should take “reasonable, good faith steps” to protect customer information. That means that Internet providers should comply with their own privacy policies and the “core tenets of basic privacy protections,” the agency said, adding that companies should reach out to it for advice on whether specific practices would violate the rules.


+ DOJ releases privacy policy for US drones

The Justice Department on Friday released guidelines that would explicitly bar the agency from using drones solely to monitor activity protected by the First Amendment, like peaceful protests. The department issued five pages of policy guidelines dealing with privacy and civil liberties protections when conducting drone flights. It also outlined transparency requirements. “Department personnel may never use UAS solely for the purpose of monitoring activities protected by the First Amendment or the lawful exercise of other rights secured by the Constitution and laws of the United States,” according to the policy guidance.

+ San Diego NDIA Small Business Cyber event – actionable info!!!

The event went well – 80 or so folks attended – a LOT of actionable info provided. The link to all the briefs in the agenda is here (including how to comply with the DFAR UCI mandate, and also the CISO Fundamentals / Cyber Security Tenets, and Small Business Cyber guide):


+ 7 Cyber Threats That Will Keep You Up at Night

1. Financial and data stealing tools

2. Software vulnerabilities in unpatched software (8 programs cover 99% of all vulnerabilities)

3. Phishing spam campaigns

4. Identity Theft attempts

5. Online scams

6. Cyberbullying

7. Spyware


+ 20 future cyber predictions for 2015 (FireEye)


+ The Cost of Bad Threat Intelligence

Threat intelligence quality is paramount. Growing errors and mistakes are costing organizations time and money and reducing their security effectiveness.


+ 7 Bold Tech Ideas That Will Make You Uncomfortable


+ “Patent troll” (Commil) with a big verdict against Cisco notches a Supreme Court win


+ 3 Critical Takeaways From The Damaging CareFirst Hack That Exposed Millions


+ Breaches Cost Healthcare $6 Billion Annually

A Ponemon Institute report indicates cyber criminals have increased their attacks on healthcare 125 percent, costing the industry $6 billion annually…


+ Escalating Cyberattacks Threaten US Healthcare Systems


+ Data security in focus after hack attack on IRS


+ The Interconnecting of Everything  (IBM white paper)

2  +++++++

+ Check Point launches new ICS security appliance

Check Point Software Technologies announced on Tuesday the launch of a new rugged appliance designed to protect industrial control systems (ICS) against cyber threats. Available immediately through Check Point’s global partners, the 1200R is a rugged security gateway appliance line that provides protection for SCADA (supervisory control and data acquisition) systems in remote locations and harsh environments. Part of Check Point’s ICS/SCADA security offering, 1200R is a fully-featured gateway with six 1GbE ports and raw firewall throughput of 2 Gbps. The product supports a wide range of ICS/SCADA-specific protocols, including Siemens Step7, OPC, DNP3, BACNet, IEC-60870-5-104, IEC 60870-6 (ICCP), IEC 61850, Profinet, MMS, and Modbus.


+ Iris scans: Security breakthrough or privacy invasion?

Imagine if you could be identified with certainty from 40 feet away by anyone with a special camera and your iris scan in a database. Carnegie Mellon researchers at the Cylab Biometrics Center have invented a device that can do that. It should definitely have criminals feeling nervous, but maybe we should all be nervous. First the good news. According to SRI International, a spinoff of Stanford Research Institute, iris scans are 1,000 times more accurate than fingerprint scans. We’re already using handheld iris scanners in high security situations. The new Carnegie Mellon device will work up to 40 feet away — even in a mirror — so, for example, a police officer making a traffic stop can safely identify a potentially dangerous suspect before he even exits his vehicle.


+ NIST preps digital privacy framework, considers control catalog

The National Institute of Standards and Technology is putting the finishing touches on a new interagency report that will advise federal agencies on assessing and mitigating the privacy risks associated with their digital services. “Cybersecurity has come a long way in the last ten years, in sort of unifying the type of conversation about risks across organizations. And privacy has really lagged behind,” said Sean Brooks, privacy engineer at NIST. Over the last year and a half, a team at NIST has been working on a privacy engineering and risk framework, and a soon-to-be-released draft publication will summarize their work to date, said Brooks during a May 21 event hosted by the General Services Administration in Washington, D.C.


+ UVa, cybersecurity company researching possibility of ‘car hacking’

Imagine a group of bank robbers who disable all the police cars within a mile radius of their heist by hacking into the cars’ computer systems, allowing them more time to take the money and run. It sounds like a Hollywood movie. As of 2015, it’s extremely unlikely. But automakers, researchers and security experts believe car hacking could become a credible threat over the next few years. The University of Virginia and local cybersecurity company Mission Secure Inc. are part of a statewide effort to examine the ways the electronics systems that control features such as anti-lock braking and adaptive cruise control could be exploited by criminals.


+ iPhone users’ privacy at risk due to leaky Bluetooth technology

Security researchers have revealed that the privacy of smartphone and fitness tracker users is at risk due to leaky Bluetooth Low Energy (BLE) technology. Researchers from security firm Context have revealed that devices using embedded BLE technology, such as the iPhone and numerous fitness trackers, can be easily tracked from up to 100m away. Scott Lester, a senior researcher at Context, said: “Many people wearing fitness devices don’t realize that they are broadcasting constantly and that these broadcasts can often be attributed to a unique device.”


+ Google’s ‘Chucky’ teddy bear to control the home

Google’s engineers have floated the idea of making Internet-connected teddy bears that will have the ability to control gadgets and devices in the home. The robot would be an “anthropomorphic device” which could take the form of a “doll or toy that resembles a human, an animal, a mythical creature or an inanimate object,” according to a patent granted to the U.S. search giant last week. A camera and microphone would be installed in the head of the toy, which could move to maintain eye contact with the user—much like the popular horror film doll “Chucky.” A user could signal a command by speaking or moving their hands.


+ Why hackers want kids’ personal information

Data breaches give hackers a chance to cash in, and no personal information is more valuable to cyber criminals than a child’s. It’s a surprising fact in the age of the massive cyberattack. While adults might fret when their financial data is stolen in a breach, it’s their kids’ identities they should be worried about, experts say. “A child’s Social Security number can be used by identity thieves to apply for government benefits, open bank and credit card accounts, apply for a loan or utility service, or rent a place to live,” says the Federal Trade Commission.


+ MasterCard, Target data breach settlement falls apart

A proposed $19 million settlement between MasterCard Inc and Target Corp over the retailer’s 2013 data breach fell through after not enough banks accepted the deal, the credit card company said on Thursday. The agreement, announced in April, would have provided up to $19 million to banks and credit unions that sued Target in federal court in Minnesota over the breach. The lead lawyers for the banks had argued that the settlement with MasterCard, which was not a party to the lawsuit, was an attempt to undercut their claims for damages. But a federal judge earlier this month rejected the banks’ attempt to block the deal, though he expressed concerns about its fairness.


+ Inspector General finds Justice Dept. slow to create privacy rules

The Justice Department for seven years failed to implement a provision requiring it to create privacy rules for use of an intelligence-gathering tool authorized by the USA Patriot Act, the department’s inspector general said in a new report. The law in question is Section 215 of the Patriot Act, a measure that has provoked controversy for its once-secret use allowing the mass collection of Americans’ phone records. With the law expiring in 10 days, Congress is debating whether it should be renewed, amended or allowed to lapse. Beyond the bulk collection of phone records, the law also enables intelligence agencies to obtain court orders to gather all manner of records in foreign terrorism investigations.


+ First steps to cyber risk management

Organizations today are struggling to find options that can effectively help deal with cyber security threats, including assessing and measuring cyber risk management. Essentially, the current cyber security solutions are not really addressing cyber security risks or focusing on the challenges within a corporate setting.


+ House Passes USA Freedom Act

The US House of Representatives has passed the USA Freedom Act, which reauthorizes PATRIOT ACT provisions set to expire at the end of the month, with some changes. The changes would still allow law enforcement access to mobile communications metadata, but would require that the telecommunications providers retain it and that law enforcement seek the data with warrants.


+ Use phone number verification to ensure security and compliance

Phone number verification uses a simple process. Read on to learn why this technology is rising in prominence and to uncover the seven key components to look for in a third-party service.


+ Cyber Security Skills: The Hot New Must-Have IT Skill Set


+ Confronting the widening infosec skills gap (some great statistics too)

Estimates of the shortage of qualified information security professionals needed to fill available jobs in the next several years range into the multiple millions. A number of organizations are trying to change that. But they say it will likely be years before the gap is closed…


+ Expert Tips: Privacy on Social Media

Social media have taken over the Internet. People spend ever more time on Facebook, Twitter, LinkedIn, and others – but many forget (or are not concerned at all) about their privacy.


+ Researchers publish developer guidance for medical device security

The guidance is organized into 10 categories, and serves as a starting point for a more complete code, report authors said.


+ Raytheon’s SureView cybersecurity product named Best Malware Analysis Solution of the Year by Cyber Defense Magazine


+ Why insider threats are succeeding 

Data leaks and other news events over the past few years have brought insider threats to the forefront of public attention, but most companies still lack the means or motivation to protect themselves from malicious insiders…


+ 10 Threat Intelligence Goals for Financial Institutions


+ Will Your Contractors Take Down Your Business? (“Probably!”)


+ Cyber Threat Analysis: A Call for Clarity (prioritize malware, etc)


+ Why small firms mean big business for cybersecurity


+ Fifteen Innovative Gadgets for Your Mobile Devices


+ ISC Study Shows Decline in US Cybersecurity Readiness

A new ISC study indicates that the federal government’s efforts in recent years to bolster cybersecurity have seen little return on investment.


+ Billington Corporate Cybersecurity Summit  (some great topics / speaker views)


3  +++++++


+ Massive campaign uses router exploit kit to change routers’ DNS servers

Well-known security researcher Kafeine has spotted an active campaign aimed at compromising SOHO routers and changing their DNS settings so that the attackers can seamlessly redirect users to phishing sites, hijack their search queries, intercept their traffic, and more. This particular campaign apparently targets only users of Google’s Chrome browser and ignores others. Chrome users who visit a compromised website are redirected to a site that serves cross-site request forgery (CSRF) code that determines which router model the victims use. Depending on that information, an exploit for one of several vulnerabilities – CVE-2015-1187, CVE-2008-1244, or CVE-2013-2645 – is served, or several sets of common administrative credentials are tried, all with the aim of accessing the router’s administration interface.
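The campaign above works because a router’s admin interface accepts a settings change from whatever page the browser happens to have open. The standard mitigation is shown below in an added example (not code from the article or from any router vendor): a minimal DNS-settings handler that rejects cross-origin requests and requires a per-session CSRF token; the router origin, session ids and addresses are constructed for the demo.

```python
"""
Added example: a router-style admin handler that changes DNS settings only
when the request passes a same-origin check and carries a valid, single-use
CSRF token. Mirrors the defence a SOHO router admin UI needs against the
CSRF-driven DNS changes described in the article.
"""
import hmac
import secrets

ROUTER_ORIGIN = "http://192.168.1.1"   # constructed: the admin UI's own origin


def _looks_like_ipv4(value):
    """Basic sanity check on a DNS server entry (dotted quad, 0-255 octets)."""
    parts = value.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


class DnsSettings:
    """Holds the DNS servers the router hands out via DHCP."""

    def __init__(self):
        self.servers = ["192.168.1.1"]   # constructed default: router as resolver
        self._tokens = {}               # session id -> outstanding CSRF token

    def issue_token(self, session_id):
        """Called when the admin page is rendered; the token is embedded in the form."""
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def change_servers(self, request):
        """
        request: dict with 'headers' (dict), 'session_id' and 'form' (dict).
        Returns (status_code, message); settings change only if every check passes.
        """
        headers = request.get("headers", {})
        session_id = request.get("session_id")
        form = request.get("form", {})

        # 1. Same-origin check. Browsers attach Origin to cross-site POSTs, so a
        #    request forged from an attacker-controlled page carries that page's
        #    origin, not the router's. A missing header is treated as untrusted.
        if headers.get("Origin") != ROUTER_ORIGIN:
            return 403, "cross-origin request rejected"

        # 2. CSRF token check. A third-party page cannot read the token that was
        #    embedded in the legitimately rendered admin form; compare in
        #    constant time so the token cannot be guessed byte by byte.
        expected = self._tokens.get(session_id)
        supplied = str(form.get("csrf_token", ""))
        if expected is None or not hmac.compare_digest(
            expected.encode(), supplied.encode()
        ):
            return 403, "missing or invalid CSRF token"

        # 3. Only now validate and apply the new server list.
        servers = form.get("dns_servers", [])
        if not servers or not all(_looks_like_ipv4(s) for s in servers):
            return 400, "invalid DNS server list"
        self.servers = list(servers)
        # Tokens are single-use: a replayed form cannot change settings again.
        del self._tokens[session_id]
        return 200, "DNS servers updated"


def demo():
    """Constructed requests: one forged from a third-party page, one legitimate."""
    router = DnsSettings()
    token = router.issue_token("sess-1")

    # What the campaign's CSRF page would produce: the victim's browser sends
    # the victim's session, but the Origin is the attacker's page and the
    # token is unknown to the attacker.
    forged = {
        "headers": {"Origin": "http://attacker.example"},
        "session_id": "sess-1",
        "form": {"dns_servers": ["203.0.113.5"], "csrf_token": "guess"},
    }
    legit = {
        "headers": {"Origin": ROUTER_ORIGIN},
        "session_id": "sess-1",
        "form": {"dns_servers": ["192.0.2.53"], "csrf_token": token},
    }
    forged_result = router.change_servers(forged)
    legit_result = router.change_servers(legit)
    return forged_result, legit_result, router.servers


if __name__ == "__main__":
    print(demo())
```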


+ NetUSB router vulnerability puts devices in jeopardy

A newly discovered router vulnerability could leave millions of connected devices open to denial-of-service attacks and remote code execution.


+ Islamic, Chinese hackers target media

News outlets are coping with a wave of cyberattacks as hackers around the world seek to monitor their coverage or deface their websites for publicity. The latest intrusion at the Washington Post redirected users to a site controlled by the Syrian Electronic Army (SEA), a group that supports embattled President Bashar al-Assad. The attack, which took place last Thursday, affected parts of the paper’s mobile website but did not compromise its internal networks. Intruders found a way in through a software vendor, declaring in a message..


+ Grabit Malware Targets Small- and Medium-Sized Organizations

A new strain of malware dubbed Grabit targets small- and medium-sized companies in media, education, nanotechnology, and other sectors. Grabit has stolen thousands of documents since the attack campaign began in February 2015.


+ Android Ransomware

Ransomware targeting users of Android devices pretends to be an update for Adobe Flash Player. Once the user clicks on the phony update, the malware displays what appears to be a warning from the FBI about the user’s viewing of online pornography. The warning includes phony screenshots of what appears to be an incriminating browsing history.


+ Hackers Build a New Tor Client Designed to Beat the NSA – Daily Dot

With the threat of powerful intelligence agencies, like the NSA, looming large, researchers have built a new Tor client called Astoria designed specifically to make eavesdropping harder for the world’s richest, most aggressive, and most capable spies.


+ Yemeni Hackers Reveal Top Secret Docs in Saudi Government Cyber Attack

+ ‘Marauders Map’: App exposes ease of tracking Facebook Messenger user


+ Over 1,000 websites ‘blackout’ Congress in protest of NSA surveillance laws


+ The 3 Best Hacking Techniques To Create A Security Breach


+ The iPhone bug that lets anyone crash your phone with a text message


+ 86 percent of websites contain at least one ‘serious’ vulnerability


+++  SD/SoCAL security events / opportunities +++

+ CyberTECH events / networking / startups / etc  —  THE cyber happening place in SD!!! 

Join their Meetup Group for the latest event information! The definition of “Cyber KEWEL”


06 (SAT) – University of Phoenix – Cyber Nexus Conference – great all day event – panels / topics! (and FREE)

San Diego Campus, 9645 Granite Ridge Dr., San Diego, CA 92123

8-11 – Cloud Identity Summit (La Jolla)

11 – SD ISC2 (Thur at 6PM) – “Cloud Security” – Chris Simpson

Location – BAH (Suite 200), 4055 Hancock Street, San Diego, CA 92110 USA


18 – ISACA (noon – 1:30 PM) – “TBD” (at Coleman University)

18 – OWASP – 6PM – Arvind Mani – Head, Data & Infrastructure Security at LinkedIn

25 – ISSA – (11:30AM) – “TBD” (at ADM Baker field clubhouse)


Global  Cyber events:


MAY 25

+ BTW – Another great source of cyber news is the “cyberwire”

The CyberWire is a free, no-ad, community-driven cyber security news service based in Baltimore. Their mission is to provide a relevant and intelligently organized daily digest of the critical news happening across the global cyber security domain. (They have a daily jam-packed newsletter … AND generally the stories, cyber info we provide in these cyber tidbits do not overlap very much with their stories.. (ours is a weekly summary which I get from several other sources, LinkedIn, etc – but not the “wire”)… so.. sign up for their security news digest too… win-win-win.…;-))


+ Cybercrime Cost Americans $800,492,073 Last Year

Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) tallied 269,422 complaints in 2014, totaling $800,492,073 in losses, according to a new report. The center has received 3,175,611 complaints since its establishment in May 2000. The losses compiled in 2014 are likely much lower than actual Internet crime losses. The report states, “Only an estimated 15 percent of the nation’s fraud victims report their crimes to law enforcement, while the IC3 estimates less than 10 percent of victims file directly through [w]”

IC3 Issues Internet Crime Report for 2014

+ Georgetown’s Cybersecurity Law Institute (topic / briefs overview) May 20-21, 2015


+ San Diego NDIA Cyber event for Small Business!!!

The event went very well – 80 or so folks attended – a LOT of actionable info provided. The link to all the briefs in the agenda is here (and also the CISO Fundamentals / Cyber Security Tenets, and Small Business Cyber guide):


+ Pentagon to invest in Silicon Valley tech startups

The Pentagon will begin to invest in Silicon Valley tech startups as part of the department’s plan to develop and acquire more advanced cyber solutions to secure the country and military’s digital infrastructure. The investments will be made through In-Q-Tel, a nonprofit strategic investing firm the Central Intelligence Agency launched sixteen years ago and which has backed tech companies such as Keyhole, which helped create Google Earth. As part of the program, the Pentagon will open its first office in Silicon Valley, an outpost in Moffett Field staffed with active-duty military and civilians responsible for “scouting emerging and breakthrough technologies and building direct relationships to DOD,” a senior Pentagon official said.


+ Protests grow against Facebook’s

The backlash against Facebook’s “free mobile data” scheme has spread across the globe. A total of 67 digital rights groups – including i Freedom Uganda, Ecuador’s Usuarios Digitales and Indonesia’s ICT Watch – have signed a letter to Facebook’s founder, Mark Zuckerberg, stating concerns about the initiative. They say the project threatens freedom of expression, privacy and the principle of net neutrality.


+ US House Passes Bill Ending NSA Bulk Data Collection

The USA Freedom Act is seen as a big win for privacy and civil rights advocates. The White House backs the reforms, saying the bill protects privacy while preserving essential national security authorities. The measure now heads for a vote in the Senate, where the clash between reformists and supporters of the intelligence community, coming within the context of warnings on the increasing digital reach of the Islamic State terror group, transcends party lines. The bill, which focuses on people in the United States and not overseas, would amend controversial sections of the USA Patriot Act which passed in the wake of the September 11, 2001 attacks and which expire on June 1. The reforms would explicitly prohibit the mass collection of telephone metadata — numbers, time and duration of calls — by the National Security Agency, as well as electronic data such as emails and web addresses.


+ Microsoft Research Unveils VC3 Cloud Workload Privacy Project

Extending its “lockbox” approach to securing data on the cloud, Microsoft’s research arm today announced a new technology dubbed Verifiable Confidential Cloud Computing, or VC3. Last year, the Redmond, Wash.-based software giant announced a new process for safeguarding cloud data called a lockbox. Encompassing a set of technologies, along with strict policies and IT practices at the company’s cloud data centers, the approach essentially places customers in complete control of their data and requires that they issue their approval before even Microsoft’s own administrators can access protected information. Now, Microsoft is using a similar strategy to protect cloud workloads.


+ FBI: Data breaches ‘increasing substantially’

The rate of major data breaches in the United States is rapidly increasing, as hackers around the world become more sophisticated, a top FBI cyber official said Thursday. James Trainor, acting assistant director of the FBI’s Cyber Division, said the agency used to learn about a new, large-scale data breach every two or three weeks. “Now, it is close to every two to three days,” Trainor said at an event hosted by Microsoft. “Those types of events, whether they concern a national security threat actor or a criminal actor, are ones we see on a much more regular basis.”

+ FBI: Data Breaches Up 400%; Workforce Needs To Be “Doubled or Tripled”

James Trainor, acting assistant director of the FBI’s Cyber Division, said the agency used to learn about a new, large-scale data breach every two or three weeks. “Now, it is close to every two to three days.” Trainor also said the cybersecurity industry needs to “double or triple” its workforce in order to keep up with hacking threats. [Note: The “aha” moment on cyber workforce usually arises when senior managers find out that the skills (and certifications) they hired for policy and compliance with frameworks and FISMA and HIPAA and SOX and ISO are not the ones needed for finding and mitigating the increasing number of breaches. If you are looking for people with the skills to meet the new security requirements, hire people who did well on “Continuous Monitoring and Security Operations” (Security 511) because it prepares them to analyze threats and detect anomalies that often indicate cybercriminal behavior. Also look for GCFE (forensic examiners) and GCFA (forensics analysts) certifications because they have demonstrated they have the knowledge and skills to play an important technical role in the new era.]


+ Belgian watchdog raps Facebook for treating personal data ‘with contempt’

Belgium’s privacy watchdog sharply criticized Facebook Inc. for treating the personal data of Internet users “with contempt” and failing to cooperate with its inquiries, escalating a dispute between the California company and European regulators that could result in heavy fines and orders to change its business practices. The Belgian report, which runs to 28 pages, is part of a broader effort by privacy regulators in several European countries to examine the way Facebook combines data from its services, which include Instagram and WhatsApp, to target advertising. It is being led by authorities in the Netherlands and includes watchdogs in France, Spain and Germany.


+ Cyber threats will keep coming if public and private sectors don’t collaborate

Public-private partnerships are the key to robust national cybersecurity, according to Peter Fonash, chief technology officer for the Department of Homeland Security’s Cybersecurity and Communications Office. Still, they’re unlikely to happen until both sectors can communicate better. Cyber breaches have been getting worse over the years, Fonash said during a recent conference in Washington, D.C. He referenced two key statistics from a recent Verizon Data Breach Investigation Report that show two particular trend lines between 2004 and 2013: one for the percent of time compromising a system took a day or less, and another, much lower, for the percent of time that the discovery of breaches took a day or less.


+ More than 1,000 organizations join IBM to battle cybercrime

IBM announced that more than 1,000 organizations across 16 industries are participating in its X-Force Exchange threat intelligence network, just one month after its launch. IBM X-Force Exchange provides open access to historical and real-time data feeds of threat intelligence, including reports of live attacks from IBM’s global threat monitoring network, enabling enterprises to defend against cybercrime. IBM’s new cloud-based cyberthreat network, powered by IBM Cloud, is designed to foster broader industry collaboration by sharing actionable data to defend against these very real threats to businesses and governments.

+ What 700 TB of cyber threat data can do for you

The value of cyber threat intelligence increases as it’s shared. That’s the idea behind the X-Force Exchange, a 700-terabyte platform of aggregated cyber threat information IBM has built to foster cybersecurity collaboration. This hoard of cybercrime data features IBM’s security intelligence research, a global network of third-party threat data, expert analyses and real-time insight on live attacks, all on a social sharing site built on IBM’s cloud.


+ Employing technology to ensure privacy

Automating the process of excising personally identifiable information when sharing data is a challenge that the Defense Department hopes to overcome. The Defense Advanced Research Projects Agency, known as DARPA, will consider proposals from the public that would expedite the way organizations safeguard PII while sharing the data with others. It’s a technology that has vexed the information security and privacy world for years. The goal of the initiative, known as Brandeis, is to “break the tension” between maintaining privacy and being able to tap into the huge value of data, DARPA Program Manager John Launchbury says.


+ Funds sought for tiny $9 computer

A Californian start-up is seeking funding to make a computer that will cost $9 (£6) in its most basic form. Next Thing wants $50,000 to finish development of the credit-card-sized Chip computer. The first versions will have a 1GHz processor, 512MB of RAM and 4GB of onboard storage. The gadget, due to go on general release in early 2016, could become yet another rival to the popular Raspberry Pi barebones computer. The Chip shares some technical elements with the Pi in that it is built around an Arm chip, but it includes some networking technologies, such as Wi-Fi and Bluetooth 4.0, that are not present on the standard Raspberry configuration.


+ 70 million Americans report stolen data

More than 70 million American adults discovered that their personal information had been compromised in 2014, according to projections from a recent nationally representative survey of more than 3,000 American adults, conducted by Consumer Reports. While some of those incidents may have resulted from stolen credit cards or other crimes, many stemmed from data breaches. And, as a slew of widely reported breaches last year showed, not only online shoppers are at risk. According to Consumer Reports’ survey, 79% of those notified of a data breach were told by a brick-and-mortar store or a financial institution. Just eighteen percent said the problem originated with an online retailer.


+ Android ‘M’ could return privacy control to users

Google is expected to bring Android into line with Apple iOS on user privacy, with version “M” due for release later this month, giving control of app data back to the users. Android will include detailed control over personal data, such as phone numbers, location, names and addresses, and whether apps can access some or none or all of it, according to a Bloomberg report. Apps installed on Android request permission to access various features and data of a mobile device, but a user can either accept all permission requests and install the app, or reject them and prevent the app from installing. There is no middle ground and users cannot revoke permissions after the fact.


+ Cyber Security a Growing Concern for Financial Services Companies

Close to 50 percent of US financial institutions rank cyber security as their number one concern, according to a survey from the Depository Trust & Clearing Corporation (DTCC), topping geo-political risks and new regulations. The DTCC’s Systemic Risk Barometer Study compiled responses from 250 financial market participants. In last year’s report, just 24 percent of respondents ranked cyber security as their top concern.


+ Navy moves cloud initiatives to spur change

Frustrated with slow data center consolidation and cloud adoption, the Navy is moving its SPAWAR DCAO initiative to PEO EIS in hopes of shaking up server-hugging commands.


+ Average Fortune 100 firm suffers 69 social media compliance incidents


+ Top 10 emerging technologies of 2015


+ State of Cybersecurity: Implications for 2015


+ Pentagon Kills $475M Cyber Contract


+ Has the White House’s cybersecurity plan been effective?


+ Data Breach Costs Estimated To Jump Four-Fold In Four Years


+ Top security tools in the fight against cybercrime


+ Your Reputation and Being Cyber Breach Ready

2  +++++++

+ U.S. proposes tighter export rules for computer security tools

The U.S. Commerce Department has proposed tighter export rules for computer security tools, a potentially controversial revision to an international agreement aimed at controlling weapons technology. On Wednesday, the department published a proposal in the Federal Register and opened a two-month comment period. The changes are proposed to the Wassenaar Arrangement, an international agreement reached in 1995 aimed at limiting the spread of “dual-use” technologies that could be used for harm. The Commerce Department’s Bureau of Industry and Security (BIS) is proposing requiring a license in order to export certain cybersecurity tools used for penetrating systems and analyzing network communications.


+ U.S. Navy secretary says paying attention to cyber threats

The U.S. Navy is working hard to improve the cyber security of its computer networks and weapon and communications systems, while bracing for potential attacks on power grids and fuel supplies, Navy Secretary Ray Mabus said Wednesday. Mabus said cyber warfare was a clear threat given Russia’s use of cyber attacks before its physical invasions of Crimea and Georgia. “We’ve got to pay a whole lot of attention to this,” Mabus said at an event sponsored by Defense One media group. “Cyber is in everything now. It’s not just weapons systems. It’s in every system because we are so networked.”

+ Navy unveils new 5-year cyber strategy plan reflecting rising tide of cybersecurity threats

The Navy last week announced a new five-year cyber strategy plan designed to address the rising threat to military networks and, perhaps, position the military branch as a more offensive force in cyberspace. “A lot of work had been done since our inception in 2010 and the world has changed – gotten a lot more dangerous,” said Vice Adm. Jan E. Tighe, who leads U.S. Fleet Cyber Command/U.S. Tenth Fleet, in a May 7 press release. “The cyberspace domain is changing on a daily basis. First and foremost [the plan is] a way to organize our mission and to begin to measure if we’re making sufficient progress in each of our goal areas.”


+ The government is trying to get serious about cyber as a foreign policy issue

After a string of high-profile Internet attacks directed at the U.S. government and private sector, Congress and the executive branch are trying to get serious about treating cyber warfare as a foreign policy issue, especially when it comes to addressing threats from China and Russia. But it’s slow going. The Senate Foreign Relations Committee added cybersecurity to the portfolio of one of its subpanels, which had its first hearing Thursday. Yet only two members showed up: Colorado Republican Cory Gardner and Maryland Democrat Ben Cardin, chairman and ranking member of the Subcommittee on East Asia, the Pacific, and International Cybersecurity Policy, respectively.


+ Sony hack aftermath: How Hollywood is getting tough on cybersecurity

The cyber-attack that crippled Sony Pictures Entertainment may have occurred way back in December, but the reverberations are still being felt across the entertainment industry. A new normal is setting in, according to panelists assembled Thursday in Los Angeles at the Hollywood IT Summit from companies including Disney-owned Marvel Studios and Live Nation Entertainment. The Sony incident has prompted some soul-searching at many businesses big and small in and out of Hollywood, which are all exploring their own preparedness to deal with similar scenarios.


+ Free tool reveals mobile apps sending unencrypted data

A surprising amount of mobile data still crosses the Internet unencrypted, and a new free app is designed to show users what isn’t protected. The program, called Datapp, comes from the University of New Haven’s Cyber Forensics Research and Education Group (UNHcFREG), which last year showed popular Android applications such as Instagram, Grindr and OkCupid failed to safely store or transmit data. The reaction to that study prompted the group to create an application where people could test for themselves which applications don’t encrypt data and exactly what is exposed, said Ibrahim Baggili, UNHcFREG’s director.


+ What if a cybersecurity attack shut down our ports?

It’s easy to forget when you’re on dry land that 90 percent of the world’s goods are shipped on boats. While we worry about the cybersecurity of power grids and nuclear missile silos, most of us have never thought about whether the container ships and ports that bring us our clothes, electronics, food (everything) are secured against digital threats. Spoiler alert: They’re not. The April newsletter from maritime cybersecurity consulting firm CyberKeel contained a scary stat. According to a spot check the group conducted, 37 percent of maritime companies with Windows webservers haven’t been keeping up with installing security patches from Microsoft. As a result, more than one-third of these sites are vulnerable to denial of service attacks and certain types of remote access.


+ Quantum computing is about to overturn cybersecurity’s balance of power

“Spooky action at a distance” is how Albert Einstein described one of the key principles of quantum mechanics: entanglement.  Entanglement occurs when two particles become related such that they can coordinate their properties instantly even across a galaxy. Think of wormholes in space or Star Trek transporters that beam atoms to distant locations. Quantum mechanics posits other spooky things too: particles with a mysterious property called superposition, which allows them to have a value of one and zero at the same time; and particles’ ability to tunnel through barriers as if they were walking through a wall.


+ China’s draft national security law calls for cyberspace ‘sovereignty’

China has included cybersecurity in a draft national security law, the latest in a string of moves by Beijing to bolster the legal framework protecting the country’s information technology. China has recently advanced a wave of policies to tighten cybersecurity after former National Security Agency contractor Edward Snowden disclosed that U.S. spy agencies planted code in American tech exports to snoop on overseas targets. The standing committee of the National People’s Congress (NPC), China’s legislature, reviewed a cyberspace “sovereignty” clause in a proposed national security law, according to a draft posted online this week after its second reading in late April.


+ Romania turns hacking crisis into advantage, helping Ukraine

Ukraine is turning to an unlikely partner in its struggle to defend itself against Russian cyber warfare: Romania. The eastern European country known more for economic disarray than technological prowess has become one of the leading nations in Europe in the fight against hacking. The reason: the country’s own battle against Internet renegades and a legacy of computing excellence stemming from Communist dictator Nicolae Ceausescu’s regime. Both historic twists have ironically turned Romanian cyber sleuths into some of Europe’s best. So much so that NATO tapped Bucharest to defend Ukraine from Russian digital espionage by sending experts to monitor Kiev government institutes and train Ukrainian IT specialists.


+ Beijing to troops: Wearables represent a national security risk

The Chinese authorities have warned People’s Liberation Army (PLA) troops that wearable technology represents a national security risk as it could be tracked and used to reveal military secrets. The note came in a report from military mouthpiece the PLA Daily which urged all personnel to avoid any kind of device, from smart watches to fitness trackers and HUD glasses. It claimed that the ability to record video and audio, take pictures and transmit details such as location, render wearables a major security risk. The warning is a serious one as crimes deemed harmful to national security could lead to the death penalty in China.


+ South Korea mandates spyware installation on teenagers’ smartphones

A law requiring the mass installation of spyware on teenagers’ smartphones suggests that the frightening level of population control exercised by its neighbors in “Best Korea” has rubbed off on the Republic’s administrators in Seoul. The Republic of South Korea’s Communications Commission, a media regulator modeled after the United States’ FCC, now requires telecom companies and parents to ensure a monitoring app is installed whenever anyone under the age of 19 receives a new smartphone.


+ Turkish blackout sparks fears of cyber attack on the West

Iran is now believed to be responsible for the blackout that, on 31 March, plunged over 40 million people into darkness in Turkey for over 12 hours, paralyzing the country’s principal cities. Intelligence experts are speculating that the attack was a reprisal for support from Turkey to Saudi Arabia in a dispute against the Iran-backed Houthis in Yemen. It could also be related to Turkey’s recent moves to topple Syrian dictator Bashar Assad – a strong ally of Iran. Iran-based hacker group Parastoo is already understood to have been actively recruiting hackers with the skills needed to break into the kind of control systems which run power grids and other utilities.


+ Execs say cyberattacks could disrupt whole industries

Widespread concern regarding the potential effects of cyber-attacks in corporate America has led C-level professionals to readily acknowledge that a coordinated assault launched by sophisticated cyber-criminals would wreak ongoing havoc on business operations, cause considerable harm to a brand, and potentially affect related companies, even entire industries. A survey from RedSeal showed that three-quarters (74%) of executives acknowledge that cyber-attacks on networks of U.S. organizations can cause “serious damage or disruption,” and most of the rest, 21%, admit to fears of “significant damage or disruption.”


+ Additional Vulnerabilities Found in Medical Infusion Pumps

The US Department of Homeland Security’s ICS-CERT has amended an advisory released last week regarding remotely exploitable security issues in drug infusion pumps; the new information is about additional vulnerabilities affecting the Hospira LifeCare PCA Infusion System. The US Food and Drug Administration (FDA) has added its voice to the warnings to help the information become more widely circulated.

[Note: It is obvious that “information sharing” is still immature. We do not broadcast “intelligence” in hopes that it gets to those who can do something about the risk. The object is to get it, on a timely basis, only to those who must act. This implies that one must have identified those folks in advance. (The aviation industry continues to be the best example of how to do it.) In this particular case, broadcast of this information serves only to raise unnecessary anxiety among those who cannot do anything to reduce the risk.]


+ Insurer challenging cyber liability claim

CNA is challenging its obligation to cover breach costs for one of its cyber liability customers due to the customer’s failure to meet minimum required security practices. If this becomes case law, it could force organizations to change what appears to be the mindset of falling back on risk transference (via insurance) rather than adequately investing in risk mitigation.


+ Insider Threat Report: Cloud and Big Data Edition

The increasing use of cloud services and Big Data projects is causing major security concerns. This report provides up-to-date insight and opinion on the increasing security, risk, and compliance concerns that enterprise organizations face as they deploy in new environments.


+ Half Of Retail, Healthcare Sites ‘Always Vulnerable’

Finding vulnerabilities in custom web applications isn’t the major problem; fixing them in a timely fashion is, a new report from WhiteHat Security finds.


+ 90% of Healthcare Firms Hit by Cyber Attack: Ponemon – Insurance Journal

A rise in cyber attacks against doctors and hospitals is costing the U.S. healthcare system $6 billion a year as organized criminals who once targeted retailers and financial firms increasingly go after medical records.


+ Privacy vs progress: the ethical quandary of big data


+ Digital Privacy Is Out of Control – Lorrie Faith Cranor:


+ How to prevent 80% of cyber attacks


+ Legal landscape for cybersecurity risk is changing as federal government and SEC take action


+ Multi-tiered security – paper


+  (ISC)2 Annual Report and Other Cyber Resources


+ Meet ‘Tox’: Ransomware for the Rest of Us (scary stuff)


+ Robots.txt tells hackers the places you don’t want them to look


+ Millennials Understand Privacy a Lot Better than You Do


3  +++++++

+ A new threat to children’s online privacy: Parents

Most parents go to great lengths to keep their children safe online—but what if parents themselves, through the simple act of posting photos to Facebook and Instagram, are putting their own kids at risk every day? Researchers at the New York University Polytechnic School of Engineering and NYU Shanghai have released a study showing that parents’ habits on popular social media sites may allow third parties to easily obtain their children’s identities and other sensitive information. Their paper, “Children Seen but Not Heard: When Parents Compromise Children’s Online Privacy” will be presented at the International World Wide Web Conference in Florence, Italy, on May 22, 2015.


+ NSA chief wary of proxies

As the U.S. government’s ability to pinpoint the source of cyber behavior grows more precise, nation-states could increasingly turn to proxies to carry out attacks, according to National Security Agency Director Adm. Michael Rogers. “One of the trends I look for increasingly in the future … [is] do you see nation-states start to look for surrogates as a way to overcome our capabilities in attribution?” Rogers said May 11 in remarks at a cybersecurity event at George Washington University. U.S. officials consider accurate attribution, which is supported by the NSA’s vaunted cyber capabilities, to be an important method of deterring cyberattacks.


+ Data Belonging To 1.1 Million CareFirst Customers Stolen In Cyber Attack

Data belonging to 1.1 million CareFirst BlueShield customers in the Washington D.C. area was stolen in a cyber attack last year, the healthcare insurer announced Thursday. Concerned by the string of recent cyber attacks against other healthcare providers, including Anthem, Premera, and Community Health Systems, CareFirst decided to take a look into its own system, the company explained in a notice on its website. CareFirst hired Mandiant to review its networks, which led to the discovery of an undetected intrusion in June 2014.

The attack resembles those perpetrated on Anthem and Premera. The affected data include names, birth dates, email addresses, and insurance identification numbers.

[Note: We have nothing left to hide. Only partly as the result of massive and repeated breaches of firms like eBay, Anthem and Target, all information about us is now for sale, often in bulk for pennies, in white and black markets. Security based upon shared secrets like credit card numbers, social security numbers, and passwords is no longer effective. Strong authentication can help but we need to rely on prompt notification of transactions and the white market sale of personal information…]


+ Russia and China pledge not to hack each other

If the U.S. intelligence community believes that Russia poses a greater cyber spying threat than China, what will it make of this? Russia and China signed a cyber-security deal on Friday, which experts say could firm up Russia’s ties with the east and may become a foundation for binding cyber security ties in the future. According to the text of the agreement posted on the Russian government’s website on Wednesday, Russia and China agree to not conduct cyber-attacks against each other, as well as jointly counteract technology that may “destabilize the internal political and socio-economic atmosphere,” “disturb public order” or “interfere with the internal affairs of the state.”


+ Apple Watch vulnerability could let thieves use Apple Pay on stolen watches

A potential security vulnerability recently detailed by a blogger may have uncovered a serious flaw in the Apple Watch’s design that could lead to some big headaches for some users. In a nutshell, a nifty feature designed by Apple to maintain security on the Watch without sacrificing convenience may have actually ended up sacrificing security instead, allowing thieves to continue using Apple Pay on a stolen Watch without having to input the owner’s PIN code to confirm purchases. It should be noted, however, that the procedure detailed by the blogger in question did not yield consistent results. As such, a thief would seemingly need a bit of luck in order to ensure that he or she can exploit this vulnerability.


+ New Computer Bug Exposes Broad Security Flaws

A dilemma this spring for engineers at big tech companies, including Google Inc., Apple Inc. and Microsoft Corp., shows the difficulty of protecting Internet users from hackers. Internet-security experts crafted a fix for a previously undisclosed bug in security tools used by all modern Web browsers. But deploying the fix could break the Internet for thousands of websites. The newly discovered weakness could allow an attacker to read or alter communications that claim to be secure. It was disclosed Tuesday by an international team of computer scientists that has found several problems in technology behind prominent security tools, including the green padlock on secure websites.


+ ‘Phantom Menace’ Hack Strikes Oil Industry Computers

What looked to be an ordinary malware attack on a computer at an oil-trading firm turns out to have been part of a targeted attack on the industry at large, according to a report from Panda Security. It began, as it so often does, with someone on their work computer opening an email attachment they shouldn’t have. This attachment, instead of producing one of the many trojans, worms or viruses already watched for by antivirus programs, merely unpacked a few common scripts and tools often used by Windows programs – thus avoiding detection. These scripts request credentials from various places on the computer, send what they find home via a File Transfer Protocol connection, then rename themselves just in case the computer starts getting suspicious. And that FTP server was full of data from other oil companies that had been targeted.
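The behaviour described above (a script host spawned from a document, harvesting credentials, shipping them out over FTP and then renaming itself) is exactly the kind of chain a detection engineer can correlate even when no signature matches the individual scripts. The following Python is an added example, not code from Panda Security or from the article: it runs over a few constructed endpoint telemetry lines in an assumed `ts,host,pid,process,event,detail` CSV layout and flags a script-host process that opens a port 21 connection and then renames a file within a few minutes, raising the severity when the process was started by an Office application or read a credential store.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry in an assumed CSV layout (not real Panda Security data):
# ts,host,pid,process,event,detail
SAMPLE_EVENTS = """\
2015-05-12T09:01:10,WS-TRADER7,4120,cscript.exe,process_start,parent=winword.exe
2015-05-12T09:01:12,WS-TRADER7,4120,cscript.exe,file_read,path=C:\\Users\\alice\\AppData\\Roaming\\cred.db
2015-05-12T09:01:15,WS-TRADER7,4120,cscript.exe,netconn,dst=203.0.113.5:21
2015-05-12T09:01:40,WS-TRADER7,4120,cscript.exe,file_rename,old=C:\\Temp\\run.vbs;new=C:\\Temp\\svc_helper.vbs
2015-05-12T09:05:00,WS-TRADER7,2200,filezilla.exe,netconn,dst=198.51.100.9:21
2015-05-12T09:10:00,WS-BACKUP1,3001,powershell.exe,netconn,dst=192.0.2.10:443
2015-05-12T09:12:00,WS-BACKUP1,3001,powershell.exe,file_rename,old=C:\\Temp\\a.log;new=C:\\Temp\\b.log
"""

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
RENAME_WINDOW = timedelta(minutes=5)  # how soon after the FTP connection a rename counts


def parse_events(text: str):
    """Parse the CSV telemetry into dicts with a real datetime timestamp."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        ts, host, pid, process, event, detail = row
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "pid": int(pid),
                       "process": process.lower(), "event": event, "detail": detail})
    return events


def dst_port(detail: str):
    """Return the destination port from a 'dst=ip:port' detail string, else None."""
    if not detail.startswith("dst="):
        return None
    try:
        return int(detail.rsplit(":", 1)[1])
    except (IndexError, ValueError):
        return None


def detect_script_ftp_exfil(events):
    """Correlate, per process: script host -> port 21 connection -> file rename soon after."""
    by_proc = defaultdict(list)
    for e in events:
        by_proc[(e["host"], e["pid"], e["process"])].append(e)

    alerts = []
    for (host, pid, process), evs in by_proc.items():
        if process not in SCRIPT_HOSTS:
            continue  # an interactive FTP client on port 21 is not this pattern
        evs.sort(key=lambda e: e["ts"])
        ftp_conns = [e for e in evs if e["event"] == "netconn" and dst_port(e["detail"]) == 21]
        renames = [e for e in evs if e["event"] == "file_rename"]
        for conn in ftp_conns:
            follow = [r for r in renames
                      if timedelta(0) <= r["ts"] - conn["ts"] <= RENAME_WINDOW]
            if not follow:
                continue
            # Supporting signals: launched by an Office app, or read something credential-like
            office_parent = any(e["event"] == "process_start"
                                and e["detail"].split("=", 1)[-1].lower() in OFFICE_PARENTS
                                for e in evs)
            cred_read = any(e["event"] == "file_read" and "cred" in e["detail"].lower()
                            for e in evs)
            alerts.append({"host": host, "pid": pid, "process": process,
                           "ftp_dst": conn["detail"][4:], "rename": follow[0]["detail"],
                           "severity": "high" if (office_parent or cred_read) else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in detect_script_ftp_exfil(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The rule keys on behaviour rather than on the scripts themselves, which is the point of the Panda write-up: the tooling was ordinary enough that antivirus had nothing to match. `SCRIPT_HOSTS`, the rename window and the credential-path heuristic are tuning knobs and would need adjusting to a real fleet; the FileZilla and port-443 PowerShell rows in the sample are there to show that ordinary FTP use and ordinary script activity are not flagged.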


+ Mobile spy software maker mSpy hacked, customer data leaked

mSpy, the makers of a dubious software-as-a-service product that claims to help more than two million people spy on the mobile devices of their kids and partners, appears to have been massively hacked. Last week, a huge trove of data apparently stolen from the company’s servers was posted on the Deep Web, exposing countless emails, text messages, payment and location data on an undetermined number of mSpy “users.” mSpy has not responded to multiple requests for comment left for the company over the past five days. KrebsOnSecurity learned of the apparent breach from an anonymous source who shared a link to a Web page that is only reachable via Tor, a technology that helps users hide their true Internet address and allows users to host Web sites that are extremely difficult to get taken down.


+ Password Security Questions Easy to Guess

Google’s analysis of hundreds of millions of password security questions found that it would be easy for people intent on gaining access to someone’s account to do so: guesses yielded correct answers a surprising amount of the time. Rather than adding more questions, Google recommends that users update their account information with a phone number or secondary email address to help prevent accounts from being taken over.

[Note: As the Starbucks stored value card incident recently pointed out, just adding a phone number or email address contact to a password is useless if you can change the phone number/email address by just knowing the password – phished or guessed passwords are used to change the phone number/email address. Need to require two-factor auth to change any one of the factors. The proper use of challenge-response can be an effective factor in strong authentication schemes. Many implementations use too few, poorly chosen, challenges too often. I like Google’s implementation of strong authentication using one-time passwords sent out of band to phone numbers of the user’s choice.]
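The note’s point, that a recovery contact is only a second factor if changing it takes more than the password, is easy to show in code. The following Python is an added example, not Google’s implementation or anything from the article: it implements RFC 4226 HOTP codes (assumed here to stand in for the out-of-band one-time password), a toy `Account` class (a constructed name) and two change-of-recovery-email routines, the weak one gated on the password alone and the hardened one requiring a fresh, unused code that was delivered to the existing recovery channel.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class Account:
    """Toy account (constructed for this example): password, recovery e-mail, OTP secret."""

    def __init__(self, password: str, recovery_email: str, otp_secret: bytes):
        self._salt = os.urandom(16)
        self._pw_hash = self._derive(password, self._salt)
        self.recovery_email = recovery_email
        self._otp_secret = otp_secret
        self._next_counter = 0   # counter of the next code to issue
        self._last_used = -1     # highest counter already consumed
        self.audit = []          # (action, outcome) pairs an IR team would want logged

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self._derive(password, self._salt), self._pw_hash)

    def issue_otp(self) -> str:
        """Generate the next one-time code. A real service sends it out of band to the
        *current* recovery channel; it is returned here so the example runs offline."""
        code = hotp(self._otp_secret, self._next_counter)
        self._next_counter += 1
        return code

    def verify_otp(self, code: str) -> bool:
        """Accept only a code that was issued and not yet consumed (no replay)."""
        for c in range(self._last_used + 1, self._next_counter):
            if hmac.compare_digest(hotp(self._otp_secret, c), code):
                self._last_used = c
                return True
        return False

    def change_recovery_email_weak(self, password: str, new_email: str) -> bool:
        """The pattern the note warns about: the password alone unlocks the recovery
        factor, so a phished or guessed password redirects every future reset."""
        if not self.check_password(password):
            self.audit.append(("weak_change", "rejected: bad password"))
            return False
        self.recovery_email = new_email
        self.audit.append(("weak_change", "changed"))
        return True

    def change_recovery_email(self, password: str, new_email: str,
                              otp: Optional[str]) -> bool:
        """Hardened: changing one factor requires the password AND a fresh code that
        was delivered to the existing recovery channel."""
        if not self.check_password(password):
            self.audit.append(("change", "rejected: bad password"))
            return False
        if otp is None or not self.verify_otp(otp):
            self.audit.append(("change", "rejected: second factor missing or invalid"))
            return False
        self.recovery_email = new_email
        self.audit.append(("change", "changed"))
        return True


if __name__ == "__main__":
    acct = Account("correct horse battery", "owner@example.com", b"12345678901234567890")
    print(acct.change_recovery_email("correct horse battery", "x@example.net", None))   # False
    code = acct.issue_otp()
    print(acct.change_recovery_email("correct horse battery", "new@example.com", code))  # True
    print(acct.change_recovery_email("correct horse battery", "y@example.net", code))   # False (replay)
```

Two design points matter here. Codes are bound to a counter and consumed on use, so a code captured from one reset cannot be replayed for a second change; a production system would also expire codes after a few minutes. And the code must go to the channel being replaced, not the new one the requester supplies, otherwise the check collapses back into password-only.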


+ Android Factory Reset Does Not Always Clear Data

Researchers at Cambridge University have found that as many as 500 million Android phones contain a security issue that could expose data even after the factory reset option is run. The researchers were able to recover data, including login credentials, text messages, and emails, from supposedly wiped devices.


+ St. Louis Federal Reserve DNS Servers Breached

Attackers hijacked the domain name servers of the St. Louis Federal Reserve so that site visitors were redirected to malicious web pages. The computers of people who visited the phony pages may have been infected with malware, and their access credentials may have been stolen. The attack was detected on April 24. The DNS provider has not been identified.

[Note: This looks like the Fed’s Domain Name registrar, eNom, was compromised. Back in 2008/2009 there was a flurry of attacks against registrars and ICANN kicked off some initiatives looking to improve the consistency of security across the ever-growing list of registrars, but I’m not sure anything has actually changed yet.]


+ USIS Attackers Exploited SAP ERP Vulnerability

A digital forensics company retained by Department of Homeland Security (DHS) contractor USIS said that a breach of its system last year was the work of attackers exploiting a vulnerability in a third-party enterprise resource planning (ERP) application. It is unclear if a fix for the unnamed SAP application was available at the time of the breach, and it has not been determined whether USIS or SAP was the party responsible for fixing the vulnerability.

[Note: A useful (slightly dated) report on the status of SAP security was published 3 years ago, and updated data was released a few days ago.]


+ Every 4 Seconds New Malware Is Born

New report shows rate of new malware strains discovered increased by 77 percent in 2014.

A LOT of great statistics are in the full report, at

+++  SD/SoCAL security events / opportunities +++

+ CyberTECH events / networking / startups / etc  —  THE cyber happening place in SD!!! 

Join their Meetup Group for the latest event information! The definition of “Cyber KEWEL”


28  – ISSA – 11:30AM – (4th Thur) –   “The Sophisticated Attack Myth: What Your Threat Intelligence is really trying to tell you about your security program”    Araceli Gomes

28 Interface San Diego – all day forum

Join the area’s top IT leaders, providers and thought leaders for the purposes of information exchange and community networking. For more info and registration,

30 OWASP –  6PM –   WebApp Pen-testing Training (waitlist)


06 (SAT) University of Phoenix – Cyber Nexus Conference – great all day panels / topics! (and FREE)

San Diego Campus,   9645 Granite Ridge Dr.   San Diego, CA 92123

10 (or 18) – SD ISC2 chapter meeting – “TBD – likely Medical device related”

Location – BAH (Suite 200, 4055 Hancock Street, San Diego, CA 92110 USA)

18 – ISACA chapter meeting – “TBD” – noon – 2PM

18 OWASP – 6PM – Arvind Mani – Head, Data & Infrastructure Security at LinkedIn

25  – ISSA – 11:30AM – (4th Thur) –  “TBD”


MAY 10

+++ For those in San Diego – NDIA Small Business Cyber Forum  – THIS Friday, May 15

A premier ½ day event (8 – 12:30) on how SMBs can be cyber-safe, PLUS learn about the FAR / DFAR cyber rules on “CUI”. Registration link is:



+ Government cybersecurity officials warn Hospira device vulnerable to hackers

US cybersecurity officials have issued a warning regarding a medical device manufactured by Hospira, saying the device was identified as having several vulnerabilities which have since been patched. The warning, issued on 5 May 2014 by the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) focuses on Hospira’s LifeCare PCA Infusion System, an intravenous pump used to deliver medication to patients. ICS-CERT said that a security researcher, Billy Rios, had approached it more than a year ago after identifying “an improper authorization vulnerability and an insufficient verification of data authenticity vulnerability in Hospira’s LifeCare PCA Infusion System.”



+ Is it time for a cyber HMO?

The problem with many of the cybersecurity solutions offered today is that they often bear no relation to the problem at hand. Cyber insurers, like many others, assume that cyberattacks will successfully strike a company only infrequently. The reality is that cyberattacks are a constant threat, much more akin to medical claims than property or casualty claims. We know they will occur on a regular basis, and so insurers need to establish an infrastructure that supports constant care over a lifetime. Following on the health-care analogy, cyber insurers should view their policies through the lens of a health insurance model and not a general liability or casualty policy. In my mind, it follows then that cyber insurers should develop cyber policies using an “HMO” model.



+ India and Japan form cyber alliance

India has called on Japan for help in combating cybercrime. Indian officials from the Ministry of Telecom and the Department of Electronics and Information Technology (DeitY) met with a visiting Japanese trade delegation led by Minister of Economy and Trade Yoichi Miyazawa according to the Economic Times. The parties discussed a variety of topics ranging from securing government information in the cloud to India’s cybersecurity laws. Indian officials solicited Japan’s help with technology that could prevent cyber attacks and data breaches, a source told the Times.



+ DoD grants new security approvals to 23 cloud providers

The Defense Department announced security approvals for nearly two dozen cloud computing products on Monday, showing modest progress in DoD’s slow advance toward commercial cloud adoption and making good on a promise to put more of its trust in the cloud security process used by the rest of the government. All 23 of the cloud offerings the department approved for use by military departments and defense agencies had already met the “moderate” security baseline under the governmentwide Federal Risk and Authorization Management Program (FedRAMP).



+ DHS certifies first cyber products under SAFETY Act

The Department of Homeland Security (DHS) has certified the first cybersecurity products ever under the SAFETY Act, a post-9/11 program that provides a level of liability protection to companies that use certain products to enhance their security.  Customers that employ FireEye’s Multi-Vector Virtual Execution engine and Dynamic Threat Intelligence platform are now protected from lawsuits or claims alleging that the products failed to prevent an act of cyberterrorism, the company said.  FireEye is a leader in the cybersecurity industry for incident prevention and response. The certification of its products is seen as a landmark event in the government’s effort to step up U.S. cyber defenses.

FireEye customers get liability shield thanks to SAFETY Act



+ Senate panel raises privacy concerns in White House hacking incident

The U.S. Senate Commerce Committee has written President Barack Obama over concerns that a recently reported data breach on the White House computer system might have compromised the personal information of many Americans. “Just like any entity that handles personally-identifiable information, the White House has a responsibility to notify Americans if the recent, or any future breach, results in a compromise,” the committee chairman, John Thune, said in a statement on Sunday accompanying the letter.



+ Your new credit card may not be as safe as you think

There’s a good chance that if you’ve added a new credit card to your wallet this year, you’ve noticed something a little different. Many of them are now equipped with chip technology known as EMV. As the threat of data breaches intensifies, card issuers have been slowly rolling out these chip-enabled cards to customers because they – along with retailers and cybersecurity experts – believe the technology is far more secure than the magnetic stripe cards that Americans have been swiping for decades. This technology has been in place in Europe for years, and so the conventional wisdom has been that American consumers will enjoy the same fraud protection as their overseas counterparts as soon as the shift to EMV is complete. But in many cases, that’s not quite true.



+ Survey: C-level tech execs most responsible for breaches

As the data breach epidemic rages on, the question of corporate liability has been front and center. It turns out that many security-industry folks believe that C-level technology executives would and should be the ones held responsible for compromises, new research has revealed. According to a survey by Tripwire of 250 attendees at RSA Conference USA 2015 and BSidesSF 2015 in San Francisco last week, technology leaders within firms are the ones who should be on the hook for security, in spite of pervasive vulnerabilities being present on many fronts that are leading to devastating cyber-attacks across a broad range of industries.



+ RSA president questions government role in cybersecurity

The president of one of the world’s biggest computer security vendors says he is skeptical that a stronger government role in cyberdefense will abate the growing number of attacks. In an interview with IDG News Service, Amit Yoran, president of RSA, also rejected calls by U.S. intelligence chiefs for industry to tread carefully in deploying more encryption in case it cuts off their ability to eavesdrop on communications by suspected criminals. “The government is not the answer here,” he said, when asked about White House proposals for sharing of cybersecurity information. Despite the growing severity of attacks and a feeling that the government should “do something,” the issue is best left to private companies, because they are the ones developing networks and the technology that defends them, he said.



+ As sensors shrink, watch as ‘wearables’ disappear

Forget ‘wearables’, and even ‘hearables’. The next big thing in mobile devices: ‘disappearables’. Even as the new Apple Watch piques consumer interest in wrist-worn devices, the pace of innovation and the tumbling cost, and size, of components will make wearables smaller – so small, some in the industry say, that no one will see them. Within five years, wearables like the Watch could be overtaken by hearables – devices with tiny chips and sensors that can fit inside your ear. They, in turn, could be superseded by disappearables – technology tucked inside your clothing, or even inside your body.



+ NSF seeks input on cybersecurity strategic plan for federal agencies

The National Science Foundation wants feedback on how the government should focus cybersecurity research and development in order to guide and coordinate federally funded studies. The Cybersecurity Enhancement Act of 2014 requires federal agencies to come up with a cybersecurity research and development strategic plan, according to the RFI published April 27 in the Federal Register. The Cyber Security and Information Assurance Research and Development Senior Steering Group is seeking the information on behalf of the agencies involved.



+ Survey finds CEOs, boards getting increasingly involved in security policy

Netskope recently announced the results of a survey of 100 2015 RSA Conference attendees, which found that 69 percent of respondents’ CEOs or boards of directors had queried their security teams regarding specific security policies in the wake of recent high-profile breaches. Those queries covered a variety of topics — 28 percent were focused on cloud or SaaS technologies, while 27 percent were focused on mobile device security and network security. Almost two thirds of respondents said they have changed, or plan to change, cloud-specific security methods since the Anthem security breach — and more than half said their cloud-specific security methods have changed as a direct result of CEO or board-level conversations.



+ Cyber risk the most serious threat to business, says Lloyd’s chief

Lloyd’s of London, one of the largest insurance markets in the world, has experienced rapid growth in the demand for insurance against cyber attacks. Inga Beale, chief executive of Lloyd’s, said: “Cyber risk poses the most serious threat to businesses and national economies, and it’s an issue that’s not going to go away. The London market has a long, proud history of finding innovative solutions to insuring large, complex risks that are challenging to underwrite locally.”



+ Will the Seventh Circuit Lower the Harm Bar?

With the rising tide of data breaches has come a flood of breach-related lawsuits, many of which fall flat when measured up against the Clapper definition of “certainly impending” harm.



+ Privacy and the Profit Motive



+ Healthcare Data Breaches From Cyberattacks, Criminals Eclipse Employee Error For The First Time



+ Total Cost of Ownership vs. Managed Services for Security

Managed security pays for itself quickly and easily justifies the expense



+ Russia’s Greatest Weapon May Be Its Hackers



+ Zero-Days Remained Unpatched an Average of 59 Days



+ New cyberthreats: Defending against the digital invasion



+++ “THE”  Best Hacker Tools Online –  REALLY – LOTS of them!

Wireless, Wifi Hacking, firewall hacking, digital forensic tools fuzzers, intrusion detection, packet crafting, password crackers, port scanners and rootkit detectors



+ Ten Cybersecurity Concerns for Every Board of Directors



+ Risk Managers See Reputation Damage as Top Threat



+ Nine Years Later, IT Security Is Even More Important To Business



+ Your iPhones Are Not Secure



+ These 3 Steps Could Prevent 85 Percent of All Data Breaches





2  +++++++


+ Why geofencing will become the next endpoint security innovation

As data breaches continue to grow in complexity, severity and frequency, and organizations face growing threats – internal and external, deliberate and unintentional  – new and more advanced technologies are needed to keep critical information safe. As demonstrated by the Anthem Insurance breach in the US, when sensitive information gets in the wrong hands, it can be incredibly costly – experts are estimating it could cost the company upwards of US$100 million in this case. While the mainstream media loves to run headlines about the world of data breaches, the cause is usually that the company does not have the proper systems in place. There are solutions available right now, one of the most promising of which is geofencing. By using this solution as part of a larger data loss prevention (DLP) strategy, organizations can control access to devices, and applications on these devices, within a certain physical perimeter.
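The geofencing control described above comes down to one decision: given where the device says it is, may a sensitive application open? The following Python is an added example, not code from any geofencing or DLP vendor: it computes great-circle distance with the haversine formula, defines circular fences around approved sites (the coordinates and zone names are constructed sample values), and makes the policy fail closed, so a missing fix, a coarse fix, or an error circle that is not wholly inside a fence all deny access.

```python
import math
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius; a sphere is accurate enough at fence scale


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


@dataclass(frozen=True)
class Geofence:
    name: str
    lat: float
    lon: float
    radius_m: float


@dataclass(frozen=True)
class LocationFix:
    lat: float
    lon: float
    accuracy_m: float  # error radius reported by the device's positioning stack


def evaluate_geofence(fix: Optional[LocationFix], fences: Iterable[Geofence],
                      max_accuracy_m: float = 100.0) -> Tuple[bool, str]:
    """Decide whether a sensitive app may open. Fails closed on every uncertain input."""
    if fix is None:
        return False, "denied: no location fix"
    if fix.accuracy_m > max_accuracy_m:
        return False, f"denied: fix too coarse ({fix.accuracy_m:.0f} m)"
    for fence in fences:
        d = haversine_m(fix.lat, fix.lon, fence.lat, fence.lon)
        # Require the whole error circle inside the fence, not just the centre point
        if d + fix.accuracy_m <= fence.radius_m:
            return True, f"allowed: inside {fence.name}, {d:.0f} m from centre"
    return False, "denied: outside all approved zones"


# Constructed zones (sample coordinates, not a real site)
APPROVED_ZONES = [
    Geofence("HQ-SanDiego", 32.7157, -117.1611, 200.0),
    Geofence("DataCenter", 32.8000, -117.2000, 150.0),
]

if __name__ == "__main__":
    for fix in (LocationFix(32.7157, -117.1611, 10.0),   # at HQ, good fix
                LocationFix(32.7257, -117.1611, 10.0),   # ~1.1 km north, good fix
                LocationFix(32.7157, -117.1611, 500.0),  # at HQ, but fix too coarse
                None):                                   # no fix at all
        print(evaluate_geofence(fix, APPROVED_ZONES))
```

Two caveats belong with any deployment of this check. The location is self-reported by the device, so the decision should be made and enforced by the management server (MDM or DLP agent back end) where the fix can be cross-checked against network evidence, not by code the user controls; and the fail-closed defaults mean a building with poor GPS coverage needs an indoor positioning source or a documented exception path, which is a policy decision the prose above leaves to the reader.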



+ The rapid evolution of cyber diplomacy

Christopher Painter, the United States’ top cyber diplomat, says the nation’s No. 1 cybersecurity priority is getting nations to agree not to attack their respective critical infrastructures. “This is not something that we came up with just because we thought it was a good idea,” Painter, the State Department’s coordinator for cyber issues, says in an interview with Information Security Media Group. “We thought this would have universal attractiveness and applicability that countries, whether we agreed with them or not on a range of issues, would find is something that they could adhere to.”



+ Maritime cybersecurity firm: 37% of Microsoft servers on ships vulnerable to hacking

A recent Department of Homeland Security Inspector General report focused mostly on U.S. Coast Guard insider threats, stating, “Trusted insiders could use their access or insider knowledge to exploit USCG’s physical and technical vulnerabilities with the intent to cause harm.” The audit also found numerous issues involving thumb drives and removable media that could be connected to Coast Guard IT systems and used to remove sensitive info, as well as issues allowing sensitive info to be sent via email. The IG also found unlocked USCG network equipment and server rooms, unsecured wireless routers and laptops.



+ The truth about smartphone apps that secretly connect to user tracking and ad sites

There are essentially two starkly different environments in which to download apps. The first is Apple’s app store, which carefully vets apps before allowing only those deemed fit to appear. The second is the Google Play store, which is more open because Google exercises a lighter touch in vetting apps, only excluding those that are obviously malicious. But because Google Play is more open, the apps it offers span a much wider quality range. Many connect to ad-related sites and tracking sites while some connect to much more dubious sites that are associated with malware. But here’s the problem: this activity often takes place without the owner being aware of what is going on. That’s something that most smartphone users would be appalled to discover, if only they were able to.



+ Researchers plan to demonstrate a wireless car hack this summer

A note of caution to anyone who works on the security team of a major automobile manufacturer: Don’t plan your summer vacation just yet. At the Black Hat and Defcon security conferences this August, security researchers Charlie Miller and Chris Valasek have announced they plan to wirelessly hack the digital network of a car or truck. That network, known as the CAN bus, is the connected system of computers that influences everything from the vehicle’s horn and seat belts to its steering and brakes. And their upcoming public demonstrations may be the most definitive proof yet of cars’ vulnerability to remote attacks, the result of more than two years of work since Miller and Valasek first received a DARPA grant to investigate cars’ security in 2013.



+ New DOJ guidance offers tips for cyber incident response

During one of her first public appearances since being sworn in, Attorney General Loretta Lynch said she will focus on investigating and prosecuting cyber crimes and stressed the need for law enforcement to work with the private sector to achieve true cybersecurity. “We have a mutual and compelling interest in developing comprehensive strategies for confronting this threat and it is imperative that our strategies evolve along with those of the hackers searching for new areas of weakness,” Lynch said at a cybersecurity roundtable with industry hosted by the Criminal Division on April 29. “But we can only meet that challenge if law enforcement and private companies share the effort and work in cooperation with each other.” To help meet this challenge, Justice announced the release of a new guidance document outlining best practices for companies developing a response plan or reacting to a breach.



+ Threats on government networks remain undetected for 16 days

Government cyber security professionals estimate that cyber threats exist on their networks for an average of 16 days before they are detected – hiding in plain sight. The good news is that 86 percent say big data analytics will improve cyber security efforts. But, just 28 percent are fully leveraging big data for security purposes today. A new MeriTalk and Splunk report examines the state of cyber security in Federal, state and local government agencies, and identifies steps to empower these organizations to make the shift from compliance to risk management to see better security outcomes.



+ US plays host to largest number of phishing sites

According to a report from endpoint security solution provider Webroot, the US is the largest host of phishing sites with over 75% of sites being within its borders. In terms of malicious IP addresses, 31% of IP addresses are based in the US, followed by China with 23% and Russia with 10%. Asian regions are hosts to half of active malicious IP addresses, with as many as 85,000 new malicious IPs launched every day. Top phishing targets of these malicious IP addresses are technology companies and financial institutions, with over 9,000 attempts detected per technology company, while nearly 900 phishing attempts were detected per financial institution.



+ Federal Appeals Court Rules NSA Data Collection Not Authorized by Patriot Act

A US Federal Appeals Court has found the National Security Agency’s (NSA’s) wholesale collection of cellphone communication metadata to be illegal. The court did not address the constitutionality of the practice, but instead said that the scope of the operation exceeds what Congress authorized in section 215 of the Patriot Act, which was passed in the wake of the September 11, 2001 attacks. The original case was brought by the American Civil Liberties Union (ACLU) and was dismissed by a lower court in 2013.



+ Cybercriminals Targeting Healthcare Data

According to a new study on Privacy and Security of Healthcare Data, criminal attacks have now passed insider negligence as the main cause of data loss and theft in the healthcare industry, which is not well prepared. With “some exceptions, … healthcare providers either lack the resources, staff, or technical innovations to meet the changing cyber-threat environment.” Half of the healthcare organizations surveyed said they had “little or no confidence” that they would be able to detect every data loss or theft. And nearly two-thirds of healthcare providers and affiliated businesses offer no protection services for patients whose data are stolen.



+ Superfish Responsible for Majority of Injected Ads on Google Sites

A study conducted by Google and University of California Berkeley and Santa Barbara researchers found that at least five percent of browser visits to Google websites experience injected ads. Adware known as Superfish is responsible for the majority of the interference. The study examined more than 102 million Google page views between June and September 2014.



+ Cyber Threat Intelligence (CTI) Survey

As malware has become more commercialized, attackers are leveraging the same attack kits again and again. Cyber Threat Intelligence (CTI) offers the ability to detect attacks carried out using methods previously reported by others in the threat intelligence network. As a result, more organizations are implementing CTI to improve early detection and response capabilities.

Harnessing The Power Of Cyber Threat Intelligence



+ DoD Release of the Report of Military and Security Developments in China

Department of Defense released the “Military and Security Developments Involving the People’s Republic of China”. This annual report informs Congress of the Department of Defense’s assessment of military and security developments involving China.



+ SC Magazine eBook on Insider Threat (2015)

Insiders come in various flavors, ranging from those with criminal intent to sell PII and credit card account numbers on the black market to absent-minded employees who lose a company-owned mobile device or forget to log out of their desktop at the end of the work day. As well, there are those employees who ordinarily would adhere to ethical principles, but find themselves susceptible to crossing the line for what they see as an easy payoff.

Specifically for the financial sector

AND the top 10 database threats



+ 3 Of 4 Global 2000 Companies Still Vulnerable To Heartbleed

Unfortunately, this is expected, as poor cyber hygiene (and lack of effective access control) account for the vast majority of security incidents. There are many authoritative sources that state not doing these basic security tasks causes 85% of the problems (NSA, the Verizon Data Breach report; there is even a national cyber hygiene campaign to try to get folks to take care of the 4-5 key aspects of their cyber environment).

The recent report enclosed below is but one report. Sadly, these simple tasks are part of what should be in their standard operational security processes and thus cost very little to manage. (These three were: minimize privileged accounts, application whitelisting, and patching…)

threats/3-of-4-global-2000-companies-still-vulnerable-to-heartbleed/d/d-id/1319768



+ ISACA Issues Special Report on New US Cybersecurity Legislation



+ Russia and China promise not to hack each other



+ China’s draft national security law calls for cyberspace ‘sovereignty’

BEIJING (Reuters) – China has included cybersecurity in a draft national security law, the latest in a string of moves by Beijing to bolster the legal framework protecting the country’s information technology.



+ C-Level Executives and the Need for Increased Cybersecurity Literacy



+ Cybersecurity competition for schoolchildren .. STEM-C



+ How serious is Cybercrime in the US?



+ The Rise of the Chief Security Officer: What It Means for Corporations and Customers





3  +++++++



+ Microsoft bangs the cybersecurity drum with Advanced Threat Analytics

Microsoft announced a raft of security and data protection software on the first day of its Ignite conference. The company said that attacks on companies were increasingly using legitimate tools: organizations are being compromised through access made with valid (albeit stolen or otherwise compromised) user credentials, rather than malware, with a Verizon report saying that more than 75 percent of breaches occur this way. This needs a different approach to network security, Microsoft says, and new software built to sniff out anomalous activity, even if it looks superficially legitimate. In November last year, Microsoft bought enterprise security firm Aorato, and at Ignite it announced a product based on this purchase: Microsoft Advanced Threat Analytics (ATA), now available in preview.



+ New ‘Rombertik’ malware destroys master boot record if analysis function detected

While malware that checks whether it is being analyzed is nothing new, Cisco researchers have identified a new malware sample that takes its detection evasion features one step further than the average malware. Instead of simply self-destructing when analysis tools are detected, Rombertik attempts to destroy the device’s master boot record (MBR), researchers wrote in a blog post. This malware spreads through spam and phishing messages sent to possible victims. In one example, attackers attempted to convince a user to download an attached document in an email. If downloaded and unzipped, a file that looks like a document thumbnail comes up. Although it mimics a PDF icon, it is actually a .SCR screensaver executable file containing the malware.



+ New AlphaCrypt ransomware delivered via Angler EK

Yet another type of ransomware has been detected by malware researchers. Dubbed AlphaCrypt, it appropriates the look of TeslaCrypt, but operates similarly to Cryptowall 3.0. “While this may look identical to TeslaCrypt it does have some improvements like deleting the VSS to make sure you aren’t saved by your shadow volume,” Webroot researchers shared. It also makes sure to execute the process quietly (i.e. that no messages are shown to the victim). The criminals are asking for the ransom to be paid in Bitcoin, which ensures anonymity and easy laundering of the money via Bitcoin mixers.



+ Breach tally shows more hacker attacks

The official federal tally of major health care breaches shows that the healthcare sector continues to be a growing target for hackers, including those waging phishing attacks. As of April 29, the Department of Health and Human Services’ “wall of shame” website of breaches affecting 500 or more individuals shows 1,213 incidents affecting more than 133.2 million individuals since September 2009, when the HIPAA breach notification rule went into effect. One incident, the recent hacking attack against health insurer Anthem, Inc., accounts for 78.8 million of those victims.



+ Unnoticed for years, malware turned Linux and BSD servers into spamming machines

For over 5 years, and perhaps even longer, servers around the world running Linux and BSD operating systems have been targeted by an individual or group that compromised them via a backdoor Trojan, then made them send out spam, ESET researchers have found.  What’s more, it seems that the spammers are connected with a software company called Yellsoft, which sells DirectMailer, a “system for automated e-mail distribution” that allows users to send out anonymous email. This operation succeeded in remaining hidden for so long thanks to several factors: the sophistication of the malware used, its stealth and persistence, the fact the spammers aren’t constantly infecting new machines, and that each of the infected machines wasn’t made to blast out spam all the time.



+ VA thwarts over a billion cyber threats – just in March

The Department of Veterans Affairs experienced a significant surge in cyber threats in March, Chief Information Officer Stephen Warren said during a Thursday call with reporters. The department blocked 1.19 billion malware instances and 358 million intrusion attempts into VA systems in March alone, Warren said. This number is up since February, when VA reported blocking 930 million malware instances and 4.3 million intrusion attempts.



+ Medical Infusion Pump Vulnerability

The US Department of Homeland Security’s (DHS’s) ICS-CERT has issued an advisory about a security issue in a medical infusion pump distributed by Hospira. Versions 5.0 and earlier of the LifeCare PCA Infusion System contain an improper authorization flaw and inadequate data authenticity verification. It could allow unauthorized users to modify the pump’s configuration. The problem lies in an unauthenticated Telnet port.



+ CyberLock Lawyers Invoke DMCA to Halt Vulnerability Disclosure

Lawyers for electronic lock manufacturer CyberLock have sent two letters to individuals demanding that they refrain from disclosing information about vulnerabilities in the company’s products. The letters, which invoke the Digital Millennium Copyright Act (DMCA), were sent after the recipients attempted to contact CyberLock to notify them about the security issues.



+ US Legislators: Encryption Backdoors Undermine Security

A hearing at the House Government Oversight and Reform Committee’s Information Technology Subcommittee saw heated discussion regarding encryption. Law enforcement officials argued that stronger encryption is aiding criminals and impeding their ability to gather evidence; they are concerned about encryption available on new smartphones. Legislators said that the FBI’s request for mandatory encryption backdoors in smartphones would put all users of those devices at risk because they create vulnerabilities that could be exploited by criminals. Legislators pointed out that there is no way to create a backdoor that is accessible only to “good guys.” Representative Ted Lieu (D-California) noted that the companies that are providing the stronger encryption are doing so in answer to demand from citizens who are fed up with having their Fourth Amendment rights violated.



+ SANS ICS Defense Use Case (DUC) 3:

Analysis of recent claims suggesting a large number of Iranian ICS cyber attacks

The third Defense Use Case from the SANS ICS team is an analysis of the recent report from Norse and the American Enterprise Institute that makes claims of an increase in attacks against Industrial Control Systems. The DUC evaluates what can be learned from the Norse report while also taking the opportunity to illustrate what the cyber security community would typically deem to be a cyber attack on ICS. The DUC, available for .pdf download via the link below, is our best understanding of information that is publicly available.



+ Preventing Insider Threats Starts with the Basics:

Recent statistics show that almost 87% of organizations have experienced a security breach in the last 12 months. Download this informative event summary based on the recent event titled “Insider Threat Detection and Mitigation” to learn what you need to do to protect your organization from potential threats.  Focus must first be on the basics, such as training and awareness, while incorporating sophisticated data analysis tools to be successful.



+ 3 Ways Attackers Will Own Your SAP

SAP vulnerabilities that have been highlighted for years are now becoming attackers’ favorite means of breaking into enterprises.

threats/3-ways-attackers-will-own-your-sap-/d/d-id/1320293?_mc=NL_DR_EDT_DR_weekly_20150507



+++ DDoS Attacks



+ Top DNS Threats and How to Deal with Them



+ A peek inside the cybercriminal’s toolkit



+ Dyre Trojan Adds New Sandbox-Evasion Feature

New tactic makes it that much harder to detect, says Seculert

threats/dyre-trojan-adds-new-sandbox-evasion-feature/d/d-id/1320244





+++  SD/SoCAL security events / opportunities +++


+ CyberTECH events / networking / startups / etc  —  THE cyber happening place in SD!!! 

Join their Meetup Group for the latest event information! The definition of “Cyber KEWEL”





13  – ISC2 – 6PM – HVAC interconnectivity and security concerns, by Mike Schell from Codenomics

Location – BAH (Suite 200, 4055 Hancock Street, San Diego, CA 92110 USA).


15  +++   8 – 12:30 – NDIA Small Business (Cyber) Forum

½ day on how SMBs can be cyber-safe .. PLUS learn about the FAR / DFAR cyber rules on “CUI”

Registration link is:


21  – ISACA –   noon – 2PM  –   Women in Technology – Networking Event


28  – ISSA – 11:30AM – (4th Thur) –   “TBD”


30 OWASP –  6PM –   WebApp Pentesting Training (waitlist)



LOCATION:  Qualcomm’s Irwin Jacobs Hall, 5775 Morehouse Drive, San Diego, California 92121.

AGENDA:   this year’s theme is “Developing the Whole Security Professional.” The event will provide you and your security team with an unequalled opportunity to hear topics relevant to today’s ever-changing security environment.  Highlight:  we will have an insider threat panel – a unique opportunity to learn from established experts on how to create and maintain a successful and compliant Insider Threat Program whether you are a large facility or a small organization.  ( $80…)





Welcome to Cyber News Tidbits 4U !


A couple of Highlights  (A couple of items of potentially notable interest / high utility &  value… your mileage will vary….)

(Lots happening,  so LOTs to be aware of. Takes 5 min to skim…then pick out a topic or two..)

 ( some great topics / meetings here in SD … scroll to bottom and get engaged)


+ Verizon Data Breach Investigations Report (DBIR ) Says Mobile Malware Not Important – Yet

According to Verizon’s 2015 DBIR, the threat landscape has not changed much since last year’s report. The leading causes of data breaches last year include web application attacks, point-of-sale intrusions, cyber espionage, and crimeware. The report also says that the majority of mobile malware infections are adware and other annoyances rather than something truly malicious.  SO FAR!

[Note: If you read only one security report this year, read Verizon’s 2015 Data Breach Investigations Report (DBIR). It provides good data and insights on incidents provided by many contributors around the world.]

AND… 2015 DBIR and the Human Attack Surface – minimize the cause of 90% of the breaches

AND –  ITRC’s Findings from the 2015 Data Breach Incident Report

Estimated that the financial loss from data breaches covered in the DBIR was $400 million

The ratio of internal to external threats remains relatively static with more than 80% of threats being external rather than internal.

ONE hour is all it took for nearly 50% of the recipients to open an email and click on phishing links



+ IBM’s X-Force Exchange to make decades worth of cyber-threat data public

IBM has announced it will make its huge store of about two-decades worth of security and cyber-threat data available to private and public companies. Through what IBM is calling its new X-Force Exchange, the company said Thursday it will offer its massive 700-terabyte (and growing) database of raw cyber-threat data and intelligence to companies who want it. That also includes malware threat data from 270 million computers and devices, as well as from 25 billion web pages and images, and spam and phishing attack emails.



+ Why corporate cybersecurity teams are going anonymous

Paul Kurtz, a former cybersecurity advisor to Presidents Obama and Bush, is a successful entrepreneur. His company, CyberPoint, reportedly offers security consulting services to the United States government, the United Arab Emirates, and a variety of domestic and overseas customers. Now his new startup, TruStar, is venturing into uncharted waters: anonymous sharing of cyberattack information by some of the world’s largest corporations. When I spoke with Kurtz on the phone, he described his new company (cofounded with former eBay chief security officer Dave Cullinane) as an anonymous cyberattack report sharing platform. Cybersecurity teams at corporate or government clients fill out reports of attacks against their organization—anything from emails that attempt to “spearphish” information from executives to sophisticated attacks on servers—which are then stripped of identifying information by TruStar’s platform and re-sent to clients on an inbox-like dashboard.



+ Pentagon eyes recruiting cyber talent through National Guard

The Defense Department still doesn’t have the capabilities and resources needed to defend against a major cyberattack from another nation or other tech-savvy criminals, Pentagon officials told members of a Senate panel Tuesday. But officials said they are looking for more creative ways to attract high-tech experts into the military and the department, including beefed up National Guard and Reserve recruiting in places like California’s Silicon Valley. Eric Rosenbach, the principal cyber adviser to Defense Secretary Ash Carter, told senators that the Pentagon wants to find ways to bring talent into the department without individuals having to go through one of the military services.



+ Nearly 1 million new malware threats released every day

New reports from the Internet security teams at Symantec and Verizon provide an alarming picture of how difficult it’s becoming for computer users to stay safe online. Last year was a big one for high-profile cybercrime, from the Heartbleed bug to major corporate attacks, and Sony’s embarrassing hack. Symantec’s analysis of security threats in 2014 revealed thieves are working faster than companies can defend themselves, and launching more malicious attacks than in previous years. More than 317 million new pieces of malware — computer viruses or other malicious software — were created last year. That means nearly one million new threats were released each day.



+ BYOD employees ‘indifferent’ to enterprise security

Businesses are ill-prepared for the attitude of next generation employees who own mobile devices, and may be placed at risk as the BYOD trend causes fractures in security enforcement. Bring-your-own-device (BYOD) is a corporate trend which has become firmly entrenched in the business world. Most employees in the West own personal devices — whether they be tablets or smartphones — and companies can cut costs by allowing staff to use their own devices to connect to corporate networks. While this permission may be convenient for employees, improve workflows and save the enterprise from facing the cost of outfitting their staff with suitable mobile devices, BYOD can also be a headache for IT and security departments.



+ A global consensus on cyber security is gaining momentum

Cybersecurity developments grab headlines. Everyone wants to know the tales of treachery and intrigue, who hacked who, and what was stolen or broken. Interest wanes, however, when the conversation switches to the drudgery of what is to be done, especially capacity building, which generally involves transferring knowledge and good practices to countries in the developing world so that they can improve their cybersecurity and participate on a more equitable basis in the digital economy. While it may be tedious work, it is critically important because the next billion Internet users will be from the developing world.



+ New cyberthreat information-sharing bill may be more friendly to privacy

A new bill designed to encourage businesses and government agencies to share information about cyberthreats with each other may go farther in protecting the privacy of Internet users than other recent legislation in Congress. The National Cybersecurity Protection Advancement (NCPA) Act, introduced Monday in the House of Representatives by two Texas Republicans, appears to do a “much better job” at protecting privacy than two bills that have passed through the House and Senate Intelligence Committees, said Robyn Greene, policy counsel at the New America Foundation’s Open Technology Institute.



+ IBM wants your smartwatch to talk to your doctor

It may finally be time for your smartwatch to talk to your doctor. Plenty of people wear fitness trackers. And plenty of doctors use electronic data to help with patient care. But it’s also true that these silos of data often never meet, arguably limiting how useful any of it could be to patients. IBM is aiming to change that, saying Monday that it’s striking deals with Apple, Johnson & Johnson and Medtronic to collect and use more information from personal medical devices to help with patients’ clinical care.  Using its Watson supercomputer — yes, of “Jeopardy!” fame — IBM said that it will also be launching a whole Watson Health unit.



+ Pentagon weapons guide adds cybersecurity  (really.. finally making it a formal requirement….)

Cybersecurity is now a core consideration for all weapons purchases at the Defense Department. The Pentagon released its new buying guide, Better Buying Power 3.0, late Thursday. For the first time, it discusses cybersecurity. “Cybersecurity is a pervasive problem for the department,” said acquisition chief Frank Kendall during a press conference. “It’s a pervasive problem in the sense that it affects and is a danger, if you will, a source of risk for our programs from inception all the way through retirement.”



+ Wall St. is told to tighten digital security of partners

Wall Street’s oversight of cybersecurity measures at outside firms it does business with remains a work in progress, according to a review by New York State’s top financial regulator. A survey of 40 banks found that only about a third require their outside vendors to notify them of any breach to their own networks, which could in turn compromise confidential information of the bank and its customers. Fewer than half the banks surveyed said they conducted regular on-site inspections to make sure the vendors they hire – like data providers, check-processing firms, accounting firms, law firms and even janitorial companies – are using adequate security measures.



+ GAO Report Urges FAA to Address Wi-Fi Security Concerns

According to a report from the US Government Accountability Office (GAO), on certain aircraft, passenger Wi-Fi networks use the same networks as the plane’s avionics systems, putting the aircraft at risk of attacks from passengers and even from people on the ground. The report, titled “FAA Needs a More Comprehensive Approach to Address Cybersecurity As Agency Transitions to NextGen,” was requested by the House Transportation and Infrastructure Committee.

[Note: This Forbes article argues that many of the findings in the GAO report are misleading or incorrect.

The Forbes article asserts that GAO’s report “was put together by people who didn’t understand how modern aircraft actually work.” I would normally reject that type of argument as light-weight whining, but in GAO’s case I would be making an error. GAO staffers have demonstrated repeatedly that they do not understand how attacks and networks and operating systems work – at the deep technical level. That means their reports have been forcing government agencies to spend money in precisely the wrong ways – so much so that a close analysis will show that GAO is culpable in enabling the deep and pervasive cyber penetration that has occurred across many elements of the federal government… ;-(( ]


+ Dell Report Notes Increase in Attacks Against Industrial Control Systems

According to the 2015 Dell Security Annual Threat Report, attacks against Industrial Control Systems rose nearly fourfold last year. Most of those attacks were against systems in Finland, the UK, and the US.

The report also noted an increase in HTTPS traffic last year. Dell says that may not be good news because it could be used to hide malware.



+ China Suspends Stringent Tech Rules

China has temporarily suspended implementation of rules that would make it nearly impossible for foreign technology companies to offer products to the country’s financial sector. The rules would require tech companies that sell to Chinese financial institutions to provide access to source code. Following a meeting with Chinese officials last month, US officials said that the rules would be suspended, but earlier this week, trade groups in Japan, Europe, and the US said the rules were still being enforced. A letter from the Chinese government makes the temporary change official.

[Note: Many thought this would be the case; some companies would simply cease to do business with China. It also leaves the IBM Apple agreement team to earn enterprise class business decision revenue subject to further scrutiny. Reportedly, they agreed to do this. Also, rumor has it China will demand back doors in some of the products:



+How Ionic Says It Makes Data Breaches Irrelevant

Ionic Security goes public with a data security platform that manages trillions of encryption keys and enables a user to sign each pixel with its own unique key!



+ Youth, Apathy, And Salary Dictate Mobile Threats To Business

Mobile cyberattacks may not be a thing today, but a new study shows how vulnerable businesses are via user smartphones and tablets.



+ Federal Trade Commission released the agency’s 2014 Annual Highlights

The highlights emphasize the agency’s work to protect consumers and promote competition during the past calendar year. “With over 150 law enforcement actions taken and $640 million in consumer redress ordered, we marked the FTC’s centennial year…”



+ PCI DSS 3.1 debuts, requires detailed new SSL security management plan

PCI DSS 3.1 grants merchants about 14 months to nix flawed SSL and TLS protocols, but demands they quickly provide detailed new documentation on how they plan to make the transition.



+ Verizon launches security certificate service for IoT

Great service… It will help make IoT security work. End devices will need the capability affordably built in to make it cheap to use.



+ New Dark-Web Market Is Selling Zero-Day Exploits to Hackers



+ The Cybersecurity Risk That Dwarfs All Others (windows server 2003)



+ Getting a Sense of IoT in Asia




2  +++++++


+ Hackers could commandeer new planes through passenger Wi-Fi

Seven years after the Federal Aviation Administration first warned Boeing that its new Dreamliner aircraft had a Wi-Fi design that made it vulnerable to hacking, a new government report suggests the passenger jets might still be vulnerable. Boeing 787 Dreamliner jets, as well as Airbus A350 and A380 aircraft, have Wi-Fi passenger networks that use the same network as the avionics systems of the planes, raising the possibility that a hacker could hijack the navigation system or commandeer the plane through the in-plane network, according to the US Government Accountability Office, which released a report about the planes today.



+ Federal cyber workforce woefully inadequate, report says

Rigid hiring processes and low pay for specialized employees have kept the U.S. government from developing the type of cyber workforce it needs to keep up with growing attacks, according to an independent analysis. The Partnership for Public Service released a report on Tuesday saying the federal government has positioned itself poorly for recruiting cybersecurity personnel at a time when the nation as a whole is already facing a shortage. Aside from non-competitive pay and strict hiring practices, other causes of the deficiency include weak talent pipelines and the lack of a government-wide strategy for hiring and retaining talent, according to the group.



+ Pentagon to release cyber strategy

In his two months on the job, Defense Secretary Ashton Carter has made building out the Pentagon’s capabilities in cyberspace a priority. That work will cross a threshold next week when the Pentagon releases a multi-year cyber strategy. Eric Rosenbach, Carter’s top cyber adviser, on April 14 told a Senate Armed Services Subcommittee on Emerging Threats and Capabilities that the strategy would be out next week, and would include projects and benchmarks for measuring progress, but didn’t elaborate much beyond that.



+ DHS defends FY 2016 cyber budget before Senate committee

The Homeland Security Department is asking Senate appropriators for budget increases to bolster its cybersecurity programs, including the Federal Risk and Authorization Management Program (FedRAMP). The total request for cyber programs at DHS adds up to $1.4 billion. That’s just part of the total White House budget request for cybersecurity programs, which is up 11 percent for FY 2016, or $13.9 billion. “These are ballpark figures, but my idea here is to give you a sense of the magnitude and relative effort that should be expended,” said Andy Ozment, assistant secretary for cybersecurity and communications, before the Senate Appropriations Subcommittee on Homeland Security today.



+ Former FBI director talks cybersecurity

From hammering out new cybersecurity responsibilities to successfully transitioning thousands of case files over to a digital system, it was the delegation of responsibility – not the technology itself – that posed a major challenge to former FBI Director Robert Mueller, he said in a recent keynote. During a government IT conference in Washington, Mueller discussed organizational missteps and lessons learned during his time as head of the FBI between 2001 and 2013.



+ House panel passes cyberthreat sharing bill

After beating back amendments by Democratic members to limit liability protections for businesses, the House Homeland Security Committee on April 14 unanimously approved cyberthreat information sharing legislation on a voice vote. The bill, sponsored by Committee Chairman Mike McCaul, R-Texas, now goes to the full House, where differences with another cyberthreat information sharing measure approved by the House Intelligence Committee last month will be worked out. House leaders indicated that the full House could vote on the cyberthreat information sharing legislation as early as next week.



+ Pilot union highlights cybersecurity concerns for air-traffic control

Europe’s largest pilot union is expected to release a report Saturday highlighting the hazards of potential cyberattacks on future air-traffic control systems. Prepared by the European Cockpit Association, which represents some 38,000 commercial aviators, the study spells out the stark consequences if a hacker were to disrupt such vital communication links. Security and safety experts have been studying the topic for many years, and development work under way on both sides of the Atlantic seeks to incorporate measures to reduce cyber vulnerabilities.



+ Companies, seeking common ground on cybersecurity, turn to insurers

A relentless barrage of cyberattacks has left many corporate security officers searching for a clearer, common understanding of what constitutes good security strategy, and looking to the insurance industry for answers. Beyond a few regulated industries such as health care, most companies get relatively little official guidance on security, and ideas about best practices tend to be fragmented. Government and industry groups provide some help, but most companies are more or less free to chart their own course through the hazards of the digital era. While that can have advantages, fostering flexibility and innovation, some companies would like clearer standards. That might help strengthen defenses, improve risk management, and make it easier to defend against accusations of negligence in the event of a major breach.



+ Blend of old and new techniques helps attackers dodge detection

A clever mix of new and old techniques was combined to create “highly evasive attacks” in 2014, according to the Websense 2015 Threat Report. The report, which zeroes in on eight behavioral and technique-based trends regarding cybercrime, found that cybercrime has become easier as threat actors can rent exploit kits, take advantage of malware-as-a-service (MaaS) and even use subcontractors to create and execute attacks aimed at stealing data. In fact, 99.3 percent of malicious files in 2014 used an existing command-and-control URL used by other malware. And the bulk of malware authors (98.2 percent) used C&Cs that were traced to five other malware types.



+ Coast Guard IT security gaps cited

Although the Coast Guard has taken substantial steps in protecting its IT operations from insider threats, a few nagging gaps remain in its internal cyber armor, according to a recent Department of Homeland Security Inspector General report. The Coast Guard is in the process of establishing an Insider Threat Working Group that will be charged with implementing a “holistic” program focused on identifying and counteracting insider threat risks. It has also implemented a process to verify system administrators’ level of access to IT systems and networks, and set up a Cyber Security Operations Center to monitor and respond to potential insider threat risks and incidents.



+ Tokenization would not have prevented most retail breaches

Tokenization, where credit card numbers and other sensitive data are replaced by random characters, can be a secure alternative to encryption in many cases — but would not have helped in the majority of retail breaches over the past two years. The Payment Card Industry released guidance last week about how technology vendors and retailers can use tokenization to reduce the amount of card data they store in their systems. “Tokenization is one way organizations can limit the locations of cardholder data,” said PCI SSC Chief Technology Officer Troy Leach in a statement. “A smaller subset of systems to protect should improve the focus and overall security of those systems, and better security will lead to simpler compliance efforts.”



+ Wanted: Ten million Chinese students to “civilize” the Internet

China wants to recruit 10 million young people, mostly university students belonging to the Communist Party’s youth wing, to “spread positive energy” on the Internet – in other words, to use social media to praise and defend the government. Web users recently posted a document issued by the China Communist Youth League dated Feb. 13 that asks for no less than 20 percent of its members to be recruited as “cyber civilization volunteers”, who would be expected to become “good Chinese Netizens” and promote the “voice of good youth.”



+ Think Tank Says Iran Gathering Information About US Grid

According to a report from a Washington think tank, Iranian cyber attackers are looking for information online to identify systems that control elements of the US’s critical infrastructure. The researchers say that current sanctions against Iran have not diminished its espionage and cyber warfare capability.

[Note: Iran and China and Russia… oh my! This has been happening for years, by Iran, other nation states, and, increasingly, terrorist organizations. Adversaries will constantly look for vulnerabilities to exploit, and critical infrastructure is at the top of the list. Good to see Norse incorporate SCADA port information into its sensor nets and resulting analysis. However, it’s no surprise that Iranians — and those of other nationalities with interest in “cyber” – are examining what’s on the Net. There is no excuse for any of these controls to be visible to the public networks. They should be hidden behind VPNs and strong authentication. If the control itself does not support this, a $50 proxy will hide it from Iran and other prying eyes.]



+ ICO Investigated Law Firms Over Reported Breaches

According to data obtained through a Freedom of Information request, the UK’s Information Commissioner’s Office (ICO) investigated 173 law firms in that country regarding reports of Data Protection Act (DPA) breaches.

Following a series of breaches, the Information Commissioner last summer issued a warning that law firms need to do more to make sure that client data are secure. In addition, the Law Society, a professional organization, issued a practice notice last year warning that using cloud services could violate the DPA.

[Note: Law firms aggregate the most sensitive data from many of their clients… IP, patents, mergers and acquisitions, etc. Their networks historically have not been well protected, and law firms are increasingly suffering serious breaches in the US. This is an important area that needs to be addressed. Law firms and accountancy practices are prime targets for criminals. Not only do they contain a lot of personal data, but many of these firms work on behalf of their corporate clients to help them file patents etc. So if your organization relies on the services of these firms, make sure you check their security before criminals do. Don’t accept their assurances that their systems are protected.]



+ Millions of Health Records Compromised Over Past Four Years

A study published in the Journal of the American Medical Association (JAMA) says that between 2010 and 2013, data breaches compromised more than 29 million health records. The information was drawn from a government database of breaches that included unencrypted health data. The researchers looked at 949 breaches that occurred during that period; they did not include incidents that affected fewer than 500 people.

[Note: This report does not even cover the large number of records that remain on paper because of the perverse effects of HIPAA.  These records are not covered by HIPAA and we may never know about breaches of these records.]



+ Why Standardized Threat Data Will Help Stop the Next Big Breach

Adopting industry standards for threat intelligence will reduce a lot of the heavy lifting and free cyber security first responders to focus on what they do best… The good news is that there are emerging standards out there. Two of the best known standards are protocols developed with MITRE and the US Department of Homeland Security to improve how cyber threat information is handled: STIX (Structured Threat Information eXpression) and TAXII (Trusted Automated eXchange of Indicator Information). By using data converted to standardized STIX and TAXII formats, security practitioners can rapidly answer questions around current threats, how they act, who is responsible and the course of action based on standard categories.



+ Special Report: 50 Years of Moore’s Law

Though Gordon Moore didn’t descend from a mountain 50 years ago with a tablet in each hand, his prophecies about the future of electronics have most definitely become canonical. The ideas that were later distilled into what we now refer to as Moore’s Law presaged the breakneck pace of advancement that lets us do more with today’s tablets than could be done with a room-size mainframe. In this special report, we look at Moore’s organizing principle from several angles, delving into why the streak has endured and what we’ll do when it ends.



+ RTF and DOC Files Used in Majority of Targeted Attacks

Analysis of attack trends in 2014 reveals that tainted .RTF and .DOC files were employed in the majority of email-based targeted attacks, for a combined 46% of malicious doc types, according to a new study. 2014 also saw further refinements in…



+ 5 Cyberwar Threats Worth Watching



+ (ISC)² Workforce Study: As Threats Evolve, Security Professionals are Concerned About

Full report



+ Dell report reveals attacks on SCADA systems doubled



+ SDN is tailor-made for the consolidation, automation and security needs of the DoD



+ While cyberwarfare on a large scale favors a nation on the attack, it also carries the risk of unintended consequences, the former U.S. director of National Intelligence said



+ How to mitigate VPN security issues in the cloud



+ Cisco Survey Sees Evolving Security Threats

IT infrastructure and the applications they deliver along with emerging open-source web frameworks remain the most attractive targets for hackers and cyber-criminals, according to new web security research data.



+ Five Hidden Risks with Public Cloud Usage



+ SANS Honors Information Security Products That Are Making a Difference by Protecting Businesses and Consumers from Cyber Attacks





3  +++++++


+ China’s hackers run 10-year spy campaign in Asia, report finds

State-sponsored hackers in China are likely behind a sophisticated, decade-long cyberespionage campaign targeting governments, companies and journalists in Southeast Asia, India and other countries, a U.S. cybersecurity company said in a report released Monday. FireEye Inc. says the attacks have been designed to glean intelligence, likely from classified government networks and other sources, pertaining to political and military issues such as disputes over the South China Sea.

APT30 Espionage Campaign Has Been Operating Since 2005

According to the FireEye Intelligence Report, an espionage campaign known as APT30 has been targeting governments and businesses for 10 years. APT30 is attributed to China, and also targets media organizations and journalists who cover information of interest to the Chinese government. FireEye says it has discovered the tools APT30 has used to steal information.



+ Russia’s cyberattacks grow more brazen

Russia has ramped up cyber attacks against the United States to an unprecedented level since President Obama imposed sanctions last year on President Putin’s government over its intervention in Ukraine. The emboldened attacks are hitting the highest levels of the U.S. government, according to reports, in what former officials call a “dramatic” shift in strategy. The efforts are also targeting a wide array of U.S. businesses, pilfering intellectual property in an attempt to level the playing field for Russian industries hurt by sanctions.



+ An Advanced Threat Protection Framework (whitepaper)

In 2015 we expect to see cyber criminals, fueled by the success of many high profile hacks, continue to innovate with an even greater focus on deceiving and evading existing security solutions. As attacks continue to become more advanced, so must the security solutions used by organizations to protect themselves. Advanced Threat Protection relies on multiple types of security technologies, products, and research — each performing a different security protection role.



+ Botnet that enslaved 770,000 PCs worldwide comes crashing down

Law enforcement groups and private security companies around the world said they have taken down a botnet that enslaved more than 770,000 computers in 190 countries, stealing owners’ banking credentials and establishing a backdoor to install still more malware. Simda, as the botnet was known, infected an additional 128,000 new computers each month over the past half year, a testament to the stealth of the underlying backdoor trojan and the organization of its creators. The backdoor morphed into a new, undetectable form every few hours, allowing it to stay one step ahead of many antivirus programs. Botnet operators used a variety of methods to infect targets, including exploiting known vulnerabilities in software such as Oracle Java, Adobe Flash, and Microsoft Silverlight.



+ French network’s broadcasts hacked by group claiming IS ties

Hackers claiming allegiance to the Islamic State group simultaneously blacked out 11 channels of a French global TV network and took over its website and social media accounts on Thursday, in what appeared to be the most ambitious media attack so far by the extremist group. Anti-terror prosecutors opened an investigation into the attack that began late Wednesday and blocked TV5 Monde from functioning part of the day Thursday. Operations were fully re-established Thursday evening. France’s interior minister, while counseling caution until investigators find hard evidence, said the attack was likely a terrorist act. “Numerous elements converge to suggest the cause of this attack is, indeed, a terrorist act,” Bernard Cazeneuve said at a news conference.



+ New evasion techniques help AlienSpy RAT spread Citadel malware

Hackers have co-opted AlienSpy, a remote access tool, to deliver the Citadel banking Trojan and establish backdoors inside a number of critical infrastructure operations. AlienSpy is a descendant of the Adwind, Unrecom and Frutas Java-based remote access Trojans, according to security company Fidelis, which is owned by General Dynamics. Fidelis said today in its report that AlienSpy RAT infections have reportedly been spreading via phishing messages, and have been discovered inside technology companies, financial services, government agencies, and energy utilities. “We believe that it benefits from unified development and support that has resulted in rapid evolution of its feature set including multiplatform support, including Android, as well as evasion techniques not present in other RATs,” Fidelis said in its report.



+ Majority of critical infrastructure firms in Americas have battled hack attempts

Cyber-attacks against critical infrastructure companies have long since moved out of the realm of science fiction and into reality, and a new report from Trend Micro and the Organization of the American States (OAS) shows just how much. In a new survey, the challenges those organizations are facing today are laid bare. Forty percent of 575 security leaders polled said they had dealt with attempts to shut down their computer networks. Forty-four percent said they had faced attempts by attackers to delete files, while 60 percent have had attackers try to steal their information. Perhaps even more ominous is the fact that 54 percent had dealt with attempts to manipulate their organization’s equipment through a control network or system.



+ Deadly combination of Upatre and Dyre Trojans still actively targeting users

Upatre (or Waski) is a downloader Trojan that has lately become the malware of choice for cyber crooks to deliver additional, more dangerous malware on users’ computers. A few weeks ago, Swiss and German users were targeted with email campaigns attempting to deliver it. Now the criminals have shifted to targeting English-speaking users in the UK, Ireland, US, Canada, Australia and New Zealand. The threat comes via a seemingly harmless email coming from an employee of a random company, usually consisting of a short line, urging recipients to download the attached ZIP or PDF file.  The attachment is actually an executable (a .exe file).



+ Advanced Persistent Threat (APT) Wars

While investigating the operations of the Naikon advanced persistent threat (APT) group, researchers at Kaspersky discovered that one of the group’s phishing emails had been sent to an email address belonging to another APT group. That group, Hellsing, sent a message back to Naikon, asking if the first message was legitimate. Naikon’s response was poorly worded enough to let Hellsing know that they had been attacked, and so they retaliated by sending phishing emails to Naikon, possibly in an attempt to learn more about Naikon’s operations.

[Note: We will continue to see online criminal gangs target each other to either hijack other gangs’ infrastructure, shut down rival gangs, or simply to let people know who is boss, similar to how it happens in the physical world.]



+ “Great Cannon” Attack Tool Used in DDoS Attacks Against GreatFire and GitHub

The distributed denial-of-service (DDoS) attacks that targeted GreatFire and GitHub in March were likely launched by a Chinese attack tool called “Great Cannon.” Initially, the attacks were thought to be the work of China’s Great Firewall, but researchers at Citizen Lab say that “Great Cannon” is a new tool.



+ Insider Threats: Focus On The User, Not The Data

Global cybersecurity spending will hit almost $77 billion in 2015, so why are there more high-profile leaks than ever?



+ SANS Report Reveals One-Third of Organizations Powerless Against Insider Threats



+ Police Pay Off Ransomware Operators, Again

Law enforcement agencies are proving to be easy marks — but are they any worse than the rest of us?



+ Popular Home Automation System Backdoored Via Unpatched Flaw

Malicious firmware update could lead to device, full home network 0wnage, researcher will show at the RSA Conference.



+ Microsoft Zero-Day Bug Being Exploited In The Wild

As attacks mount, and over 70 million websites remain vulnerable, advice is “fix now.”



+ Thieves using a $17 device to break into cars with keyless systems



+ Simple steps to secure your PC (bet you are not doing most of them…;-((





+++  SD/SoCAL security events / opportunities +++


+ CyberTECH events / networking / startups / etc  —  THE cyber happening place in SD!!! 

Join their Meetup Group for the latest event information! The definition of “Cyber KEWEL”






23 – ISSA – 11:30AM – (4th Thur) – Risk Management Framework (RMF) – How to execute a successful framework that allows for continuous monitoring in agile environments. BY Maryann Knapton





13 – ISC2 – 6PM – HVAC interconnectivity and Security concerns… BY: Mike Schell – from Codenomics

Location – BAH (Suite 200, 4055 Hancock Street, San Diego, CA 92110 USA).


15  +++   8 – 12:30 – NDIA Small Business (Cyber) Forum

½ day on how SMBs can be cyber-safe… PLUS learn about the FAR / DFAR cyber rules on “CUI”

Registration link is:


16 – OWASP – 6PM – (3rd Thur) – Gabriel Lawrence = Who’s that knocking on my door?


21  – ISACA –   noon – 2PM  –   Women in Technology – Networking Event


28  – ISSA – 11:30AM – (4th Thur) –   “TBD”




+ New crypto-ransomware “quarantines” files, downloads info-stealer

Trend Micro researchers have found and analyzed a new piece of crypto-ransomware: CryptVault encrypts files, makes them look like files quarantined by an AV solution, asks for ransom and, finally, downloads info-stealer malware. It arrives on target computers after the user has been tricked into downloading and running a malicious attachment – a JavaScript file – that downloads four files: the ransomware itself, SDelete (a MS Sysinternals tool that will be used to delete files), GnuPG (a legitimate open source encryption tool), and a GnuPG library file. The ransomware uses GnuPG to create an RSA-1024 public and private key pair that is used to encrypt and decrypt the files. It targets popular file types, mostly document, image, and database files.


+ InfoSec workforce continues robust growth

In the first three months of 2015, the number of information security analysts in the United States grew at a much stronger pace than other occupations within the information technology sector. According to an Information Security Media Group analysis of the latest government data, issued last week, the number of people in the United States who consider themselves information security analysts soared by 34 percent to 74,000 during the first quarter of 2015 from 55,300 in the same quarter a year earlier. In the fourth quarter of 2014, the IT security analysts’ workforce soared by 432 percent.


+ U.S. establishes sanctions program to combat cyberattacks, cyberspying

President Obama on Wednesday signed an executive order establishing the first sanctions program to allow the administration to impose penalties on individuals overseas who engage in destructive attacks or commercial espionage in cyberspace. In the works for two years, the order declares “significant malicious cyber-enabled activities” a “national emergency” and enables the treasury secretary to target foreign individuals and entities that take part in the illicit cyberactivity for sanctions that could include freezing their financial assets and barring commercial transactions with them.


+ Anti-hacker executive order: 5 concerns

President Barack Obama says the ongoing increase in hack attacks against U.S. businesses, government agencies, and critical infrastructure represents a “national emergency.” As a result, he signed an executive order authorizing the U.S. government to block or seize the assets of anyone – foreign or domestic – who launches or supports “significant” hack attacks. Numerous information security and legal experts agree that not only are hack attacks damaging the U.S. economy, but they’re harder than ever to battle. But when it comes to how the new executive order will be used to battle cybercrime and online espionage, many security experts say the moves leave many unanswered questions.


+ DHS trying to smooth the integration of cloud, network security programs

In the government’s move to the cloud over the last five years, one outlying cybersecurity question no one has been able to answer well is: How does the Federal Risk and Authorization Management Program (FedRAMP) integrate with the Trusted Internet Connections (TIC) initiative? This challenge became greater as mobile devices quickly rose in prominence in the day-to-day lives of nearly every federal worker. The default approach required federal workers to go through their agency’s secure Internet gateway or TIC to get to cloud services. That approach was clunky to say the least and reduced the major benefit of cloud computing – easy access to data and apps. But now the Homeland Security Department and the FedRAMP program management office have an idea on how to fix the problem.


+ White House Data Breach

Attackers breached an unclassified White House computer system last fall. A Kremlin spokesperson has denied allegations that Russia is responsible for the attack. US legislators have requested a briefing on the incident.

How Russians hacked the White House (used spear phishing of course)


+ SANS Reveals Insider Threat Security Gaps

Two-thirds have no insider threat response plan…


+ Healthcare data: A hacker’s jackpot

Patient Zero: The Healthcare Security Breach Epidemic


+ Cyber threat growth ‘almost exponential’ as hackers around the world become more sophisticated, a leading expert said this week

“As the volume of threats multiply, the likelihood that you will be confronted with a threat multiplies.”


+ The Combined Power of iSIGHT Partners and Critical Intelligence (good for ICS security!)


+ The future of SDN: Agility and automation


+ FBI’s Next Generation Identification is Fully Operational


+ Want to See Domestic Spying’s Future? Follow the Drug War


+ NIST Special Publication 800-161, Supply Chain Risk Management Practices


+ Data Breaches Have Evolved And Size No Longer Matters


+ 9 biggest information security threats for the next two years (slide show)


+ Wearables in the Enterprise Take Different Path than BYOD Predecessors


+ 10 Apple Acquisitions: What Do They Mean?


2  +++++++

+ A new experiment tracks credit card data as it travels through the criminal web

What happens to a credit card number once it leaks onto the web? It’s an important question, as data breaches dump more and more personal data onto the web each month, but there’s still little understanding of how the information travels once it’s outside a company’s grasp. As security firms struggle to detect breaches earlier and faster, a new study is shedding light on how far and fast that data might travel in the wake of an intrusion.


+ HP tells cybersecurity customers to focus on people and processes

To protect themselves against cyberattacks, organizations should focus more on training their employees and improving their internal processes instead of buying new technology, according to one tech vendor. Yet, businesses and government agencies often focus on the next “silver bullet” product, unaware that most cybersecurity problems stem from flawed procedures and human error, said Art Gilliland, senior vice president and general manager for Hewlett-Packard’s software enterprise security products. “This is hard for a product guy to say out loud to an audience, but invest in your people and process,” Gilliland said at HP’s Software Government Summit in Washington, D.C. “The first thing that always gets negotiated out of every [security software] contract is the training and the services.”


+ DoD breaks mobile security roadblock

Securing smartphones and tablets is a lot easier said than done for most agencies. Federal security experts still are trying to find the right balance between mobile access and security of data and applications. The Defense Department, however, may have the answer for many of these challenges. Richard Hale, DoD’s deputy chief information officer for cybersecurity, said the military may have broken through the long-time roadblock to meet users’ needs for mobile devices and DoD’s requirements for cybersecurity. He said this new approach will continue to depend on the Common Access Card (CAC), but just in a different way.


+ NSA touts role in cyber investigations

The National Security Agency has helped investigate every major cyber intrusion in the private sector in the last six months, Director Adm. Michael Rogers said, adding that he wants that collaboration to get faster and more anticipatory. “We have got to figure out a way that we can harness the capabilities of NSA to partner with the private sector in the name of defending our nation, because NSA has some amazing technical capabilities in the information assurance arena,” Rogers said April 2 at a conference hosted by AFCEA’s Washington, D.C., chapter.


+ Navy finalizing strategy to begin moving cyber to warfighter domain

The Department of Navy’s Cyber Command is finalizing a new strategy as part of its five-year anniversary. That new document outlines the concept of integrating cyber into the broader warfighter domain. The first of the DoN’s five tenets outlined in the forthcoming strategy is to operate the network as a warfighting platform. This is a distinctly different approach to cyber than the Navy and, for that matter the Defense Department, has taken before.


+ US Drug Enforcement Agency Collected Call Metadata for More Than 20 Years

The US Drug Enforcement Agency (DEA) amassed a database of phone call metadata from all calls made from the US to countries that the DEA had identified as being linked to drug trafficking between 1992 and 2013. At the program’s peak, it harvested metadata from calls made to 116 countries. The program stopped after the leak that disclosed the NSA’s own database, which was a separate program. The Electronic Frontier Foundation, representing the Human Rights Watch advocacy group, is suing the DEA to make sure the program does not start up again, and that all records pertaining to Human Rights Watch that were illegally collected be expunged from all government systems.


+ US Technology Companies Wary of Data Sharing

Technology companies in the US are wary of sharing threat information with the federal government, according to a Department of Homeland Security (DHS) official. Phyllis Schneck, Deputy Under Secretary for Cybersecurity and Communications for the National Protection and Programs Directorate, says that her “top priority is building that trust.” Technology companies are reluctant to be seen to be working too closely with the government because they want to assure their customers that their personal data are safe and their privacy protected. Schneck says that companies are more likely to warm to the idea when the government can prove the value of sharing such information to fight cyber crimes while protecting citizens’ privacy.


+  Premera Data Security Audit Report: Another Case Study in What Not-to-Do!!!  

Premera has paid, and will continue to pay a steep price for running unsupported or out-of-date software:

Hackers stole PII (personally identifiable information) for 11 million current and former Premera customers, including names, dates of birth, Social Security numbers, addresses, banking information, claim information, and clinical information.

Premera customers are now at risk of identity theft, bank fraud, tax fraud and medical-identity fraud.

Premera is currently involved in five class-action lawsuits.

Several states are investigating Premera’s activities surrounding the data breach, including whether it failed to disclose the data breach to customers in a timely fashion, and the federal investigators can’t be too far behind.

The federal government audit report came several weeks before the data breach occurred, and Premera didn’t discover the breach for several months thereafter, which could subject Premera to punitive damages and statutory penalties for willful/reckless disregard for the privacy rights of its customers.


+ The 2015 National CyberTalent Fair (in May)

will attract thousands of online attendees seeking opportunities in cybersecurity. Employers such as Deloitte, the US Army’s INSCOM, United Health Group, MSSP leader Solutionary, Next Jump, Workday, and more have already signed up. visit   for more information


+ Stuxnet Five Years Later: Did We Learn The Right Lesson?

No! That’s despite an abundance of best practices and standards that are shining light into the dark corners of industrial control system security.


+ Diving into the Dark Web: Where does your stolen data go?


+ Infographic: How to secure the unwired workplace


+ Internet of Things (IoT) devices lack fundamental security

A Guide to The Internet of Things

The Internet of Things will aid criminals and burglars

IBM Launches Major Internet Of Things Offensive


+ A CISO reveals why the cloud is your secret weapon for faster, better, and cheaper PCI audits


+ The experts’ step-by-step guide to cyber security


+ 9 Free Encryption Software Tools To Protect Your Data


+ Vulnerability management: A step-by-step strategic guide…


3  +++++++

+ Drug Pump Vulnerability Could be Exploited to Alter Dosage Limits

Some drug-infusion pumps do not use authentication for internal drug libraries, which establish upper and lower limits for dosages. This means that anyone with access to the hospital’s network could load a new library with changed limits. The actual dosage for each pump could not be changed, but because the upper and lower limits could be altered, a caregiver could accidentally set the pump to provide an incorrect dose. Other pumps examined last year were found to have web interfaces that could be used by attackers to change actual dosages.


+ Public WiFi, location data, and privacy anxiety

WiFi has become so ubiquitous: It’s at airports, libraries, department stores, hotels, hospitals, and of course coffee shops. All this public WiFi is incredibly convenient, but raises privacy issues for users and potential backlash for WiFi providers. With retailers and other WiFi providers gathering mobile location data, consumers are being tracked, oftentimes without ever knowing it. And there’s very little in the way of any regulatory framework for these data collection activities, experts say.


+ IBM uncovers new, sophisticated bank transfer cyber scam

run by a well-funded Eastern European gang of cyber criminals that uses a combination of phishing, malware and phone calls that the technology company says has netted more than $1 million from large and medium-sized U.S. companies. The scheme, which IBM security researchers have dubbed “The Dyre Wolf,” is small in comparison with more recent widespread online fraud schemes but represents a new level of sophistication.


+ Bogus Hillary Clinton website highlights online perils for 2016 candidates

The site bears the likely Democratic presidential candidate’s name, but she would not want supporters to go there: some cyber security experts said this week the site contains malicious software. The site is registered, not to Clinton, but to an administrator in the Cayman Islands. Its existence underscores the challenge 2016 U.S. presidential hopefuls will face in trying to control their digital brands, more important than ever before as voters increasingly turn to the Internet to learn more about candidates. An examination by Reuters of domains including the full names of eight Republican and four Democratic hopefuls, ending in .com, .org, .net and .info, showed that only a few of those sites appear to be under the control of the candidates.


+ Critical Infrastructure Systems are Often Targets of Destructive Cyber Attacks

According to a survey conducted by the Organization of American States, destructive attacks happen more often than expected at organizations that operate elements of national critical infrastructure in both North and South America. While 60 percent of the 575 responding organizations said that they had detected attacks that tried to steal data, 54 percent said that they had detected attacks that attempted to manipulate equipment. The organizations also reported attempts to delete files and to shut down networks.


+ Solving the Right Problem: Stop Adversaries, Not Just Their Tools


+ The 10 Most Common Application Attacks in Action


+ HTTPS Everywhere Updates to Keep You Secure on Thousands More Sites

+++  SD/SoCAL security events / opportunities +++

+ CyberTECH events / networking / startups / etc  —  THE cyber happening place in SD!!! 

Join their Meetup Group for the latest event information!  The definition of “Cyber KEWEL”




16 – OWASP – 6PM – (3rd Thur) – Improving Application Security & Penetration testing through training and presentations


16 – ISACA – 6-7 PM – Navigating the Internet of Things (IoT) Privacy Challenges – Doron M. Rotman

23 – ISSA – 11:30AM – (4th Thur) – Risk Management Framework (RMF) – How to execute a successful framework that allows for continuous monitoring in agile environments. BY Maryann Knapton


– 13 – ISC2 – 6PM –  HVAC interconnectivity and Security concerns…   BY:  Mike Schell – from Codenomics

Location – BAH (Suite 200, 4055 Hancock Street, San Diego, CA 92110 USA)

– NDIA Small Business (Cyber) Forum – 5/15/2015

½ day on how SMBs can be cyber – safe .. PLUS learn about the FAR / DFAR cyber rules on “CUI”

Registration link is:



“Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber-Enabled Activities”

Executive order – I, BARACK OBAMA, President of the United States of America, find that the increasing prevalence and severity of malicious cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States constitute an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States. I hereby declare a national emergency to deal with this threat.


+ Ripple, a cryptocurrency company, wants to rewire bank authentication

Companies built around Bitcoin and other digital currencies mostly focus on storing and transferring money. But at least one company is trying to prove that some of the underlying technology can have a much wider impact on the financial industry. That startup, Ripple Labs, has already had some success persuading banks to use its Bitcoin-inspired protocol to speed up money transfers made in any currency, especially across borders. Now it is building a system that uses some similar cryptographic tricks to improve the way financial companies check the identity of their customers. The system could also provide a more secure way to log in to other online services.


+ IARPA eyes insider-threat tech

The intelligence community’s research arm wants to meet with researchers and companies to talk about advances in technologies that continuously monitor insider threats. The Intelligence Advanced Research Projects Activity (IARPA) said it will host a Proposers’ Day conference April 16 to discuss its Scientific Advances to Continuous Insider Threat Evaluation (SCITE) program, in anticipation of the release of a new solicitation. The all-day conference in an as yet unspecified Washington, D.C., location will provide introductory information on SCITE and the research problems the program aims to address. The conference will also give interested parties an opportunity to ask questions, present their capabilities and identify potential partners.


+ How to stay “cyber safe” guide – effectively protect yourself and clients!

Integrating several existing security guides with very useful information; these current best practices help you build a known baseline. It’s important to use only approved cyber products (aka, “NIAP”) and never start anything in cyber from scratch, as someone has already done all the hard work.  These guides, methods and products work well because cyber is essentially 95% the same everywhere! These are your security best practices and also apply to remote office workers, small office / home office (SOHO), small & medium businesses (SMB) – to develop your own personal security plan!

—  This in San Diego – NDIA Small Business (Cyber) Forum – 5/15/2015

½ day on how SMBs can be cyber – safe .. PLUS learn about the FAR / DFAR cyber rules on “CUI”

Registration link is:


+ Study finds lack of investment in mobile app security

A new study from the Ponemon Institute has given some quantitative figures to a trend that many information security professionals were already aware of — companies are not spending enough on mobile app security. Sponsored by IBM Security, the report, The State of Mobile Application Insecurity, shows an average of $34 million is spent on mobile app development, yet a meager 6% of this, or $2 million, is earmarked for security purposes. Perhaps even more distressing, the study found 50% of the 400 companies surveyed said they devote none of their mobile app development budget at all to security, while 40% said they weren’t scanning their mobile apps for vulnerabilities.


+ For hardware makers, sharing their secrets is now part of the business plan

Facebook showed plans last week for drone aircraft that beam lasers conveying high-speed data to remote parts of the world. As powerful as that sounds, Facebook already has something that could be even more potent: a huge sharing of its once-proprietary information, the kind of thing that would bring a traditional Silicon Valley patent lawyer to tears. Facebook is not alone. Technology for big computers, electric cars and high-technology microcontrollers to operate things like power tools and engines is now given away. These ideas used to be valued at hundreds of millions of dollars. To the new generation of technologists, however, moving projects and data fast overrides the value of making everything in secret.


+ One in three of the top million websites are ‘risky,’ researchers find

One out of three of the top one million websites ranked by Alexa are “risky,” meaning the site is compromised, or is running vulnerable software that puts it at risk of being compromised, according to new findings by Menlo Security. For its “State of the Web 2015: Vulnerability Report,” Menlo Security scanned more than 1.75 million URLs representing more than 750,000 unique domains. Researchers checked if URLs appeared on lists of known malicious sites, if IP addresses were linked to spam networks and botnets, and if the sites were running vulnerable and unpatched software.


+ A quarter of businesses have no control over network privileges

While data breaches stemming from insider privilege abuse continue to make headlines, the sad reality is that a full quarter of organizations have zero control over who accesses what in the network. A BeyondTrust survey, Privilege Gone Wild 2 shows that more than one out of four companies indicated they have no controls in place to manage privileged access. That’s even though nearly half of the survey respondents (47%) admit they have employees with access rights not necessary to their current role.


+ Best Practices for Securing Privileged Accounts


2  +++++++

+ How cyberattacks can be overlooked in America’s most critical sectors

The most critical sectors of the American economy were affected by 245 “cyberincidents” last year, according to the Department of Homeland Security. As high as that number seems, however, security experts caution the real number may be much higher. Turns out, there’s a huge gulf between the Internet-related attacks the department’s Industrial Control System Cyber Emergency Response Team recorded for the country’s critical infrastructure – important areas such as energy, manufacturing, agriculture, and healthcare – and the true number of malfunctions, technological failures, or other happenings within those sectors. The discrepancy comes down to widespread uncertainty of when something should be classified as a “cyberincident” in the first place.


+ Pentagon personnel now talking on ‘NSA-proof’ smartphones

The Defense Department has rolled out supersecret smartphones for work and maybe play, made by anti-government surveillance firm Silent Circle, according to company officials. Silent Circle, founded by a former Navy SEAL and the inventor of privacy-minded PGP encryption, is known for decrying federal efforts to bug smartphones. And for its spy-resistant “blackphone.” Apparently, troops don’t like busybodies either. As part of limited trials, U.S. military personnel are using the device, encrypted with smart code down to its hardware, to communicate “for both unclassified and classified” work, Silent Circle chairman Mike Janke told Nextgov.


+ SANS Honors Information Security Products

that are Making a Difference by Protecting Businesses and Consumers from Cyber Attacks

Probably can’t go wrong using one of the top three in each category.. (well, the affordable ones for us SMBs)


+ Quantum computer this – Mathematicians build code to take on toughest of cyber attacks

Washington State University mathematicians have designed an encryption code capable of fending off the phenomenal hacking power of a quantum computer.  Using high-level number theory and cryptography, the researchers reworked an infamous old cipher called the knapsack code to create an online security system better prepared for future demands. The findings were recently published in the journal The Fibonacci Quarterly.


+ The smartest hackers in the room (Hint: They’re not the humans)

Next month, unmanned computers all over the globe will face off in a dress rehearsal for a Las Vegas hacking tournament run by the U.S. military. The $2 million “Cyber Grand Challenge” pits hacker-fighting software against malicious code programmed by Pentagon personnel. During the 2016 finals in Vegas, the humans who built these cyberbots might as well go play blackjack. At stake in the cyber challenge is a chunk of change and perhaps societal gratitude. That’s because the research and development gleaned during the two-year competition could lay the groundwork for a world where machines are in charge of cybersecurity.


+ Cybersecurity remains a weak spot, top intelligence official says

Although the possibility of a catastrophic cyberattack is remote, the unclassified information and communication technology networks that support government, military, commercial and social activities remain vulnerable despite efforts to protect them, the national intelligence director said. To that end, the chance for ongoing low- to moderate-level attacks from myriad sources is more likely, causing “cumulative costs on US economic competitiveness and national security,” James Clapper said in prepared testimony he delivered at a closed hearing of the House Appropriations Committee’s Defense Subcommittee on March 25.


+  Stealing data from computers using heat

Air-gapped systems, which are isolated from the Internet and are not connected to other systems that are connected to the Internet, are used in situations that demand high security because they make siphoning data from them difficult. Air-gapped systems are used in classified military networks, the payment networks that process credit and debit card transactions for retailers, and in industrial control systems that operate critical infrastructure. Even journalists use them to prevent intruders from remotely accessing sensitive data. To siphon data from an air-gapped system generally requires physical access to the machine, using removable media like a USB flash drive or a FireWire cable to connect the air-gapped system directly to another computer. But security researchers at Ben Gurion University in Israel have found a way to retrieve data from an air-gapped computer using only heat emissions and a computer’s built-in thermal sensors.


+ 2016 Chevrolet Malibu to debut new spyware targeting teen drivers

Chevrolet has announced that it will offer parents a creepy level of oversight when it comes to letting the kids borrow the family ride, and the NSA-style spying begins with the 2016 Malibu. A system dubbed Teen Driver will debut on the bow-tie brand’s newest mid-size sedan (which itself bows at the 2015 New York auto show). It allows parents to set speed alerts, limit audio volume, and even receive vehicle reports “so parents could use it as a teaching tool with their kids – they can discuss and reinforce safe driving habits.” Like Ford’s MyKey system (both current and future), Teen Driver lets parents with a Jason Bourne complex program speed warnings that flash when their child exceeds a preset velocity (from 40 to 75 mph) and set sound-system volume limits. Parents can also pull customizable reports full of juicy stuff, such as distance driven, top speed achieved, preset-speed warnings exceeded, stability-control events, anti-lock brake events, and forward-collision alerts and auto-braking events – on vehicles equipped with those systems.


+ Lack of Consensus on What Constitutes a Cyber Incident Can Omit Important Data

The US Department of Homeland Security (DHS) says critical sectors of the US economy suffered 245 cyber incidents last year, but experts say the actual number is likely to be much higher. The issue lies in what criteria must be present for an attack to be deemed a cyber incident.

Non-malicious events can also provide important data. Some serious incidents were due to SCADA failure, but were not results of attacks.

[Note: The European Network and Information Security Agency (ENISA) issued a whitepaper in 2013 titled “Can we learn from SCADA security incidents?”]


+ US House Committee Introduces Threat Information Sharing Bill

The US House Intelligence Committee has introduced a bill that would remove the threat of being sued for sharing information from companies who share cyber threat information with the government. The Protecting Cyber Networks Act also includes language explicitly forbidding intelligence agencies from using the collected information for government surveillance. Its goal is to gather shared information to understand how attacks occurred and figure out the best steps to take to protect systems from such attacks in the future. The committee is expected to vote on March 26; if it passes, it will then go to the full House for a vote late next month. A companion bill has been introduced in the Senate.


+ Firms can’t afford to fail at cybersecurity


+ An Effective Cyber Security is About Economics and Efficiency


+ CIOs – how to manage shadow IT


3  +++++++

+ Social engineering techniques are becoming harder to stop, experts say

As more personal and corporate information is shared on the Web, social engineering techniques and attacks are becoming increasingly sophisticated, forcing enterprises to adopt new awareness training methods to protect employees. While the term social engineering is relatively new, Amy Baker, vice president of marketing for Pittsburgh-based Wombat Security Technologies Inc., noted that the practice has a long history. “What I think is interesting about social engineering is that it goes back very far; we used to call them con men,” said Baker. “It just starts with the act of manipulating someone to get something that they need.”


+ Lebanese cyberespionage campaign hits defense, telecom, media firms worldwide

For the past two years, a cyberespionage group that likely operates from Lebanon has hacked into hundreds of defense contractors, telecommunications operators, media groups and educational organizations from at least 10 countries. The still-active attack campaign was uncovered and analyzed recently by security researchers from Check Point Software Technologies, who dubbed it Volatile Cedar. The company’s researchers found evidence that the attackers started their operation in late 2012, but have managed to fly under the radar until now by carefully adapting their tools to avoid being detected by antivirus programs. Unlike most cyberespionage groups, the Volatile Cedar attackers do not use spear phishing or drive-by downloads to gain a foothold into their victims’ networks. Instead they target Web servers and use them as initial entry points.


+ Big vulnerability in hotel Wi-Fi router puts guests at risk

Guests at hundreds of hotels around the world are susceptible to serious hacks because of routers that many hotel chains depend on for their Wi-Fi networks. Researchers have discovered a vulnerability in the systems, which would allow an attacker to distribute malware to guests, monitor and record data sent over the network, and even possibly gain access to the hotel’s reservation and keycard systems. The security hole involves an authentication vulnerability in the firmware of several models of InnGate routers made by ANTlabs, a Singapore firm whose products are installed in hotels in the US, Europe and elsewhere.


+ Noose around Internet’s TLS system tightens with 2 new decryption attacks

The noose around the neck of the Internet’s most widely used encryption scheme got a little tighter this month with the disclosure of two new attacks that can retrieve passwords, credit card numbers and other sensitive data from some transmissions protected by the Secure Sockets Layer and Transport Layer Security protocols. Both attacks work against the RC4 stream cipher, which is estimated to encrypt about 30 percent of today’s TLS traffic. Cryptographers have long known that some of the pseudo-random bytes RC4 uses to encode messages were predictable, but it wasn’t until 2013 that researchers devised a practical way to exploit the shortcoming. The result was an attack that revealed small parts of the plaintext inside an HTTPS-encrypted data stream. It required attackers to view more than 17 billion (2^34) separate encryptions of the same data. That was a high bar, particularly given that the attack revealed only limited amounts of plaintext. Still, since the researchers demonstrated the attack could decrypt HTTPS-protected authentication cookies used to access user e-mail accounts, Google and other website operators immediately took notice.
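The “predictable bytes” the article mentions can be measured directly, which is the clearest way to see why RC4 has to be disabled in TLS configurations rather than merely de-prioritised. The following is an added example (not code from the article or from the researchers it cites): it implements textbook RC4, measures the best-known keystream bias (the second output byte is 0x00 about twice as often as chance, the Mantin–Shamir bias from 2001), and then shows why a keystream bias matters: if the same plaintext byte is encrypted under many different keys, a simple majority vote over the ciphertext bytes recovers it, which is the principle behind the cookie-recovery attacks the article describes. The 16-byte random keys, the trial count and the sample plaintext are constructed for the demo.

```python
"""RC4 keystream bias demo (added example; not from the article)."""
import random
from collections import Counter
from functools import lru_cache


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling (KSA) followed by the output generator (PRGA)."""
    s = list(range(256))
    j = 0
    klen = len(key)
    for i in range(256):                          # KSA
        j = (j + s[i] + key[i % klen]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                       # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


@lru_cache(maxsize=None)
def second_byte_counts(trials: int = 20000, seed: int = 1) -> Counter:
    """Histogram of the 2nd keystream byte over many constructed random 16-byte keys.
    The seeded RNG keeps the sample deterministic between runs."""
    rng = random.Random(seed)
    seen = Counter()
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(16))   # constructed key
        seen[rc4_keystream(key, 2)[1]] += 1
    return seen


def bias_ratio(trials: int = 20000) -> float:
    """How many times more often than uniform (1/256) the 2nd byte is zero.
    An unbiased stream cipher gives ~1.0; RC4 gives ~2.0 (Mantin-Shamir bias)."""
    return second_byte_counts(trials) [0] / trials * 256


def recover_second_plaintext_byte(plaintext: bytes, trials: int = 20000) -> int:
    """Why the bias matters: encrypt the same plaintext under many keys and take
    the most common value of ciphertext byte 2.  Since C2 = P2 XOR Z2 and Z2 == 0
    is the single most likely keystream value, the winner of the vote is P2 itself.
    Only the plaintext byte at index 1 is attacked here (the bias is position-specific)."""
    votes = Counter()
    for z2, n in second_byte_counts(trials).items():
        votes[plaintext[1] ^ z2] += n             # ciphertext byte observed n times
    return votes.most_common(1)[0][0]


if __name__ == "__main__":
    print("P(Z2 == 0) is %.2fx the uniform rate" % bias_ratio())
    sample = b"OK"                                # constructed sample plaintext
    print("recovered byte:", chr(recover_second_plaintext_byte(sample)))
```

The keystream histogram is computed once and shared by both checks; 20,000 keys is enough for the zero-byte count to sit far outside the noise of the other 255 values, which is exactly why the real attacks only needed statistics, not any break of the cipher’s key. Keystream positions further along have weaker, but still usable, biases, which is what drove the 2^34-ciphertext requirement in the article.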


+ Over 15,000 vulnerabilities detected in 2014

IT security solutions provider Secunia today published its annual vulnerability review. The report provides facts and details on the security flaws uncovered in 2014. According to the security firm, a total of 15,435 vulnerabilities were identified in 2014 in 3,870 applications from 500 vendors. This represents an 18 percent increase compared to the previous year, and a 55 percent increase over five years. Of the total number of flaws detected last year, 11 percent were rated “highly critical” and 0.3 percent were rated “extremely critical.” The percentage of highly critical vulnerabilities decreased compared to 2013 when more than 16 percent of issues were included in this category. A majority of the bugs had patches available on the day they were disclosed, Secunia said.


+++  SD/SoCAL security events / opportunities +++

+ CyberTECH events / networking / startups / etc  —  THE cyber happening place in SD!!! 

Join their Meetup Group for the latest event information!  The definition of “Cyber KEWEL”




8  –  ISC2 –  6PM  –   “Emerging  Risks and Exploitation of a Connected Car Platform” – John Scroggins

Location – BAH (Suite 200, 4055 Hancock Street, San Diego, CA 92110 USA).


16 – OWASP – 6PM – (3rd Thur) – Improving Application Security & Penetration testing through training and presentations


16 – ISACA – 6-7 PM – Navigating the Internet of Things (IoT) Privacy Challenges – Doron M. Rotman

23  – ISSA – 11:30AM – (4th Thur) –   NOT listed yet


– NDIA Small Business (Cyber) Forum – 5/15/2015

½ day on how SMBs can be cyber – safe .. PLUS learn about the FAR / DFAR cyber rules on “CUI”

Registration link is:



A couple of Highlights  (A couple of items of potentially notable interest / high utility &  value… your mileage will vary….)

(Lots happening,  so LOTs to be aware of. Takes 5 min to skim…then pick out a topic or two..)

 ( some great topics / meetings here in SD … scroll to bottom and get engaged)

March 23

+ How to stay “cyber safe” guide – effectively protect yourself and clients!

Integrating several existing security guides with very useful information; these current best practices help you build a known baseline. It’s important to use only approved cyber products (aka, “NIAP”) and never start anything in cyber from scratch, as someone has already done all the hard work.  These guides, methods and products work well because cyber is essentially 95% the same everywhere! These are your security best practices and also apply to remote office workers, small office / home office (SOHO), small & medium businesses (SMB) – as being cyber safe is universal!  This cyber safe guide has two parts: a short, bulleted key-takeaways part for those who want a quick look, and then a mapping of targeted key reference materials with detailed rationale and recommendations to develop your own personal security plan!   Comments and challenges always welcome!



+ Cyber commander wants more offense

The nation’s top cyber official wants more offensive capabilities. “We focused primarily on the defensive piece initially … but I think now we’re at a tipping point,” where more attention needs to be paid to offensive capabilities, U.S. Cyber Command commander Adm. Michael Rogers told a Senate Armed Services Committee hearing March 19. The U.S. needs “to think about how can we increase our capacity on the offensive side,” said Rogers, who is also National Security Agency director.  (I guess they think they can be better at ‘attribution” than the FBI / CIA???)



+ Can HP’s ‘security-as-a-service’ product change how agencies secure apps?

HP bills its latest security software offering to government customers as the first cloud-based “security software-as-a-service” solution to meet requirements under the Federal Risk and Authorization Management Program. In truth, HP’s latest offering, HP Fortify on Demand, is unique among FedRAMP’s growing list of compliant solutions. Government customers can use Fortify to perform security assessments of new or existing application code, websites, and end-to-end mobile app security testing through the cloud, an important feature given that research cited by HP contends that 70 percent of data breaches now occur through software – not network – vulnerabilities.



+ Most companies expect to be hacked in the next 12 months

Enterprises are getting hacked regularly, and over and over again: last year, more than 70% of organizations say they suffered a successful cyberattack, with 22% of them hit six or more times. That first-hand experience apparently provides the backdrop for a drop in confidence, too:  most security professionals don’t believe they can stop attacks on their organizations anymore. Some 52% of security professionals surveyed in a new report from CyberEdge Group say their organizations will likely be successfully hacked in the next 12 months. That’s an increase over 2013, when 39% were resigned to getting hacked, the report says.



+ Make hackers’ jobs harder – JOB ONE?

It is nearly impossible to participate in modern society without entrusting your most sensitive personal information to countless Internet-based systems. At the same time, even the most well-resourced organizations are being hammered by sophisticated digital attacks, making it difficult to trust that any of these systems will keep our information safe. So the question debated at the highest levels of government, and by dozens of industries, thousands of companies, and millions of consumers, is: How can you keep your personal information secure while continuing to participate in a society powered by the extensive sharing of personal information? However, that’s probably not the question we should be asking.



+ House budget silent on cybersecurity

Cybersecurity received no mention in the House Republican budget released Tuesday, a stark contrast with President Obama’s spending proposal, which increased funding for cyber defenses by $14 billion. The House GOP seeks to balance the budget in nine years and cut $5.5 trillion in projected government spending over the next decade. It would also provide an additional $90 billion in war funding while keeping the 2011 spending limits in place. Some of the $90 billion could be used for cybersecurity activities, though it is technically earmarked for the overseas contingency operations (OCO) fund, an account that has been used to finance the Iraq and Afghanistan wars.



+ OPM orchestrates cyber protections through automation

The Office of Personnel Management is pushing the bounds of cybersecurity. It’s moving from the idea of defense in-depth or even the popular continuous monitoring to a concept called orchestration. Jeff Wagner, OPM’s director of IT security, said orchestration isn’t just about protecting network or systems, but understanding in real time what’s happening and who is on your IT infrastructure, and then being able to react to any potential or real problem immediately. “We’ve changed our perspective about how cybersecurity works. It’s not that defense in-depth is dead. I’ll never take away from doing defense in-depth or FISMA audits or controls of that nature, but audit by visibility is what we call it,”



+ ICS-CERT – Incident response / vulnerability coordination in 2014

FYI…  great report. It’s a good source for factual cyber info (as are Ponemon’s surveys and Verizon’s DBIR).

BTW… Verizon put out a great report on PCI compliance too..



+ Committee Approves Request to Expand Judge’s Warrant Authority for Digital Searches

The US Judicial Conference Advisory Committee on Criminal Rules voted 11-1 to modify a provision known as Rule 41 to give judges more flexibility in how they approve search warrants for electronic data. Prior to the change, judges had the authority to approve warrants only within the geographic boundaries of their districts. Now they can approve warrants for electronic searches of devices that are not physically within their judicial districts.



+ U.S. State Department Email Goes Dark, Again

Only 120 days after taking its email system off line to clean up after a cyber attack, the U.S. State Department took its email system off line to clean up after another even more virulent cyber attack.

[Note : If Tony Blinken (State Department Deputy Secretary) wants to do more than give lip service to cybersecurity at his Department, he should have his CIO run iPOST again and see how far the individual divisions and embassy security status degraded since the State Department IT security folks decided they didn’t actually need to monitor and mitigate vulnerabilities every day (when John Streufert left for DHS).  The State Department used to be the model for effective mitigation and cyber hygiene.  It can easily get back on top of its game; it has the tools in place. Does it have the leadership???]



+ FCC Telecom cyber plan – great report (all 415 pages!!!)  (even if communication focused)

Key sections:   V. Findings pg 24…       VI. Conclusions – pg 25        VII – recommendations – pg 30

There are lots of details…   (there is a LOT of specific cable / telecom stuff of course)

9.6 – requirements and barriers –    9.7 – Cyber ecosystem and barriers –   9.9 – Small business –  9.10 – top cyber threats and vectors.



+ $10 million settlement with consumers a ‘good deal’ for Target, insurers

According to court documents, Target Corp and consumers have agreed on a $10 million settlement to end a class-action lawsuit filed after an enormous data breach during the 2013 holiday shopping season.  Individuals who can prove financial damage can receive up to $10,000 under the proposed deal.



+ Ex-NSA director: China has hacked ‘every major corporation’ in U.S.

“The Chinese government — seeking to steal valuable secrets — has hacked into the computers at every major American company, according to the nation’s former spy director. Mike McConnell, who served as director of national intelligence under President George W. Bush,



+ Aon Corp.: This is how much big data breaches cost companies

Globally, 80 percent of business-related privacy and security breaches result in less than $1 million in direct costs and damages, according to Aon’s data. Those costs include legal expenses and legal settlements, business interruption costs, investigating and remediating problems, as well as possibly paying for crisis communications and other specialized services.



+ 10 Young Cyber-Security Companies to Watch in 2015



+ The Military’s Cybersecurity Budget in 4 Charts



+ Malware Analysis and Incident Response for the Lazy | great resources / sites!

Nice list of analysis sites and tools ..   While you probably have some..  a pretty good  site to check out!



+ Cyber Intel for D & O’s….



+ Premera hack: What criminals can do with your healthcare data



+ 700,000 routers ISPs gave to their customers are vulnerable to hacking



+ Ransomware Attacks’ New Focus: Businesses



+ Cybersecurity Efforts Turn Focus to Financial Institutions, Service Providers and “Cyber Resilience”



+ Obama unveils cyber training initiative   .. AND… white house education fact sheet





2  +++++++


+ China reveals its cyberwar secrets

A high-level Chinese military organization has for the first time formally acknowledged that the country’s military and its intelligence community have specialized units for waging war on computer networks. China’s hacking exploits, particularly those aimed at stealing trade secrets from U.S. companies, have been well known for years, and a source of constant tension between Washington and Beijing. But Chinese officials have routinely dismissed allegations that they spy on American corporations or have the ability to damage critical infrastructure, such as electrical power grids and gas pipelines, via cyber attacks. Now it appears that China has dropped the charade.



+ Healthcare breaches like Premera first stage of bigger attacks?

This week brought news of three more healthcare data breaches, one of which left the personal data of 11 million individuals exposed. The incidents raise more questions about why China-based cyberespionage groups have taken a shine to American healthcare data and what plans they have for it. While shining harsh light on the deep cracks in the healthcare industry’s security, the recent events also highlight the potential success of information sharing.



+ Congress looks for interagency coordination on drones

Lawmakers are calling on the Department of Homeland Security to produce a comprehensive strategy to combat the potential threat of domestic drones. Citing the January crash on the White House South Lawn, members of the House Homeland Security Subcommittee on Oversight and Management Efficiency called for a better understanding of the threat environment and remedial technologies. Through its Science and Technology Directorate, DHS has been assessing unmanned aerial systems’ applicability to law enforcement, but “much more needs to be done to safeguard against malicious actors” that use the technology, Subcommittee Chairman Scott Perry (R-Pa.) said at a March 18 hearing. DHS “needs a cohesive strategy to address these issues.”



+ Internet Explorer, we hardly knew you (Spartan version to follow)

After 20 years, Internet Explorer is riding off into the sunset. And all most of us can say is: it’s about time. This wasn’t exactly a surprise. Internet Explorer is the Nickelback of Web browsers, and already fading into oblivion. Microsoft had previously said that it was working on a new “Project Spartan” browser when it first showed off Windows 10. Spartan will include Microsoft’s Cortana voice assistant and the ability to annotate Web pages with a keyboard or digital pen. It will also have a simplified reading mode for Web articles. But, really, the important thing is that Internet Explorer will no longer be the default browser on Windows machines.



+ OMB proposes new approach to guarantee federal website authenticity

The Office of Management and Budget wants to know what it would take to make every federal public website more secure and ensure its validity for citizens and businesses. In a draft proposal released today, the White House seeks input from public and private sector experts on how best to implement HTTPS (HTTP over TLS) across those sites. “HTTPS verifies the identity of a website or Web service for a connecting client, and encrypts nearly all information sent between the website or service and the user. Protected information includes cookies, user agent details, URL paths, form submissions, and query string parameters. HTTPS is designed to prevent this information from being read or changed while in transit,” OMB wrote in its request for comments.



+ Yahoo’s one-time passwords have security experts divided

Yahoo yesterday announced that in lieu of a standard username-password combination, Yahoo users in the US could log into their accounts with one-time passwords sent to their mobile phones via SMS message. Yahoo calls them “on-demand passwords,” texted to your mobile phone when you need them. To be clear, Yahoo is not proposing “on-demand passwords” as a second factor of authentication, but rather as an alternative to the traditional username-password combo. It’s really just replacing a “something you know” with a “something you have,” and because that something is delivered by SMS, the account ends up only as secure as control of the phone number. Yahoo already offers two-factor authentication, but for now, it cannot be combined with on-demand passwords: users will need to choose between the two options.
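What the server side of such a scheme has to get right is easy to state and easy to get wrong. The following is an added illustration (not Yahoo’s code; the phone number, the 6-digit format, the 5-minute lifetime and the 5-attempt budget are assumptions): the code is unguessable, stored only as an HMAC so a leaked table does not leak live codes, expires, is accepted exactly once, is rate-limited per phone, and is compared in constant time. Delivery over SMS is out of scope here, which is the point: nothing below helps if the attacker has taken over the phone number.

```python
"""On-demand (SMS) one-time password issuance and verification, server side.
Added illustration; not Yahoo's implementation. Handing the code to the SMS
gateway is assumed to happen elsewhere."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6          # assumption: 6-digit numeric code, as most SMS schemes use
CODE_TTL_SECONDS = 300   # assumption: code dies after 5 minutes
MAX_ATTEMPTS = 5         # assumption: 5 wrong guesses burn the code


@dataclass
class PendingCode:
    digest: bytes        # HMAC of the code: a leaked store does not leak live codes
    expires_at: float
    attempts: int = 0


class OnDemandPasswordService:
    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # phone -> PendingCode (one live code per phone)

    def _digest(self, phone: str, code: str) -> bytes:
        return hmac.new(self._key, f"{phone}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, phone: str) -> str:
        """Mint a fresh code for this phone, replacing any earlier one."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[phone] = PendingCode(
            digest=self._digest(phone, code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        return code   # hand to the SMS gateway; never log it

    def verify(self, phone: str, code: str) -> bool:
        """True exactly once: right code, before expiry, within the attempt budget."""
        pending = self._pending.get(phone)
        if pending is None:
            return False
        if self._clock() > pending.expires_at or pending.attempts >= MAX_ATTEMPTS:
            del self._pending[phone]      # expired or being brute-forced: force re-issue
            return False
        pending.attempts += 1
        if hmac.compare_digest(pending.digest, self._digest(phone, code)):
            del self._pending[phone]      # single use
            return True
        return False
```

The attempt counter matters more than it looks: a 6-digit code with no limit falls to brute force in at most a million tries, and the 5-minute window is generous for a scripted attacker.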



+ The Senate Select Committee on Intelligence cybersecurity information-sharing bill

The committee advanced the bill by a vote of 14-1. The bill is Congress’ latest attempt to find a way to give private-sector network operators liability protection when they share cyberthreat information with government. The Cybersecurity Information Sharing Act of 2015 was marked up and amendments added during a closed session of the committee, but it’s not clear yet how the bill passed in committee measures up with the discussion drafts. According to the committee, the bill gives the private sector incentives to cooperate with governmental cyber defenders via a portal set up by the Department of Homeland Security.



+ Windows 10 Will be Free Upgrade, and Will Support Biometric Authentication

Windows 10, which is expected to be available later this year, will be offered as a free upgrade to users running Windows 7, 8, and 8.1, even if the versions currently being run are pirated. Windows 10 will also support biometric authentication. Users will be able to authenticate with fingerprints and iris and facial scans. Users may opt in to the feature, known as “Windows Hello.”

[Note: The biggest barrier to moving beyond reusable passwords has not really been user resistance to the idea, it has been the lack of “readers” built into the devices (like PCs, phones, tablets) that they use. Being forced into YATC (Yet Another Thing to Carry) like a SecurID card or an enormous Smart Card *and* a reader has been and always will be a deal killer. But all major mobile platforms support text messaging as a second factor *and* various forms of biometrics; users are starting to find their own value in moving beyond just a password. This does not solve the federated identity problem by any means, but can significantly raise the barrier against phishing…]



+ Cybercom Chief: Cyber Threats Blur Roles, Relationships

Over five years of U.S. Cyber Command operations, global movement of threat activity through cyberspace has blurred roles and relationships among government agencies, as well as between the public and private sectors and the real and virtual worlds, the Cybercom commander told a House panel. Cybercom’s Cyber Mission Force, or CMF, was formed to turn strategy and plans into operational outcomes, the admiral said. He added, “We have a target of about 6,200 personnel in 133 teams, with the majority achieving at least initial operational capability by the end of fiscal year 2016.”



+ Make FedRAMP Work for Your Agency

Decent FedRAMP overview, with some hints we might be able to use…  (plus “ads” to ignore….;-((



+ Rush To Release Resulting In Vulnerable Mobile Apps

IT organizations are overlooking security in their haste to crank out mobile apps, a Ponemon Institute report finds. To me, the one number that sticks out is the 40 percent of companies that are not scanning their mobile applications for vulnerabilities.



+ Hacker steals protected health data on 151,000 patients at Oregon dentist

Advantage Dental said the hacker was able to gain access to the database through a malware-infected computer. The hacker stole patients’ names, dates of birth, phone numbers, Social Security numbers and home addresses, but not treatment, payment or other financial data… ***  an SMB loses SSNs and PII  ***  so can your business!!!



+ Revisiting the Navy’s blueprint for cyber operations

Operation Rolling Tide, which drove Iranian hackers from the Navy Marine Corps Intranet, could have a lasting impact on the Pentagon’s approach to cyber.



+ Center for Internet Security – Benchmarks – well-reviewed consensus configuration hardening baselines (per OS, application and device)




+ Is Mobile Device Spying Revealing Your Company’s Secrets?



+ Do you know where your data is?



+ New model of cybercrime factors in perishability of stolen data



+ Cybersecurity wake-up call… “PCI compliance – NOT!”





3  +++++++



+ TeslaCrypt Targets Numerous File Types, Including Gaming Files

Ransomware is now targeting online gamers. Malware known as TeslaCrypt targets more than 50 game-related file extensions and holds them for ransom. It also targets documents, pictures, and iTunes files.

Virlock ransomware not only locks the screen of devices, but also infects files on the devices. Virlock is polymorphic, meaning that it alters its code each time it runs so it is more difficult for security software to detect.

[Note: Users are reminded that “ransomware” will attack ANY data that is visible to the file system.  This can include backup drives and cloud storage that are visible in the file system.]


+ The bot threat for the rest of us: application-layer attacks

DDoS, as we all know, garners unprecedented media attention, and the volume of coverage correlates directly with the size of the attack — the larger, the better. But DDoS attacks are only one manifestation of sophisticated bot attacks that can scrape information, fraudulently fill out forms, and otherwise erode the overall website experience. What is often overlooked by the media are the application-layer bot attacks affecting almost every website on a daily basis. These bots are capable of competitive data mining, account hijacking, and much more. They degrade site availability and user experience, steal competitive information, and often work under the surface, eroding a company’s brand trust while going completely undetected.
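Because these bots return valid HTTP and never trip a volumetric alarm, the evidence lives in the access logs. Here is an added example of first-pass triage over combined-format log lines (not code from the article; the log lines are constructed and the thresholds are assumptions): it profiles each client and flags those that hit several weak signals at once, such as a sustained rate no human sustains, never fetching the CSS or images a real browser renders, never sending a referer, a tooling user-agent, and walking the product catalogue in order.

```python
"""Application-layer bot triage over web server access logs (combined log format).
Added example; the log lines are constructed and the thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
STATIC_RE = re.compile(r'\.(css|js|png|jpg|gif|ico|woff2?)$')
TOOL_UA_RE = re.compile(r'python-requests|curl|wget|scrapy|java/|go-http-client|^-?$', re.I)
CATALOGUE_RE = re.compile(r'^/product/\d+$')   # assumed URL layout of the shop


def parse_log(lines):
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue          # malformed line: skip rather than crash the pipeline
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield rec


def profile_clients(records):
    """Aggregate, per source IP, the features the scoring looks at."""
    clients = defaultdict(lambda: {"n": 0, "first": None, "last": None, "static": 0,
                                   "no_referer": 0, "catalogue": set(), "ua": set()})
    for r in records:
        c = clients[r["ip"]]
        c["n"] += 1
        c["first"] = r["ts"] if c["first"] is None else min(c["first"], r["ts"])
        c["last"] = r["ts"] if c["last"] is None else max(c["last"], r["ts"])
        if STATIC_RE.search(r["path"]):
            c["static"] += 1
        if r["referer"] in ("", "-"):
            c["no_referer"] += 1
        if CATALOGUE_RE.match(r["path"]):
            c["catalogue"].add(r["path"])
        c["ua"].add(r["ua"])
    return clients


def score_client(c):
    """Reasons a client looks automated; each threshold is an assumption to tune."""
    reasons = []
    span = max((c["last"] - c["first"]).total_seconds(), 1.0)
    if c["n"] / span > 2.0:
        reasons.append("sustained rate above 2 req/s")
    if c["n"] >= 10 and c["static"] == 0:
        reasons.append("never fetched a static asset (nothing is being rendered)")
    if c["n"] >= 10 and c["no_referer"] / c["n"] > 0.9:
        reasons.append("almost no referers: not following links")
    if any(TOOL_UA_RE.search(ua) for ua in c["ua"]):
        reasons.append("automation tool user-agent")
    if len(c["catalogue"]) >= 20:
        reasons.append("enumerating the product catalogue (scraping)")
    return reasons


def detect_bots(lines, min_reasons=3):
    """IP -> reasons, for every client that trips at least min_reasons heuristics."""
    flagged = {}
    for ip, client in profile_clients(parse_log(lines)).items():
        reasons = score_client(client)
        if len(reasons) >= min_reasons:
            flagged[ip] = reasons
    return flagged


def build_sample_log():
    """Constructed traffic (not real logs): one browser visit and one scraper."""
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 1234 "{ref}" "{ua}"'
    browser = "Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0"
    human = [
        ("203.0.113.5", "18/Mar/2015:10:00:00 +0000", "/", "-", browser),
        ("203.0.113.5", "18/Mar/2015:10:00:00 +0000", "/static/site.css", "http://shop.example/", browser),
        ("203.0.113.5", "18/Mar/2015:10:00:25 +0000", "/product/17", "http://shop.example/", browser),
        ("203.0.113.5", "18/Mar/2015:10:01:10 +0000", "/product/42", "http://shop.example/product/17", browser),
    ]
    scraper = [("198.51.100.7", f"18/Mar/2015:10:00:{i // 4:02d} +0000",
                f"/product/{i}", "-", "python-requests/2.5.1") for i in range(40)]
    return [fmt.format(ip=ip, ts=ts, path=p, ref=ref, ua=ua) for ip, ts, p, ref, ua in human + scraper]
```

Requiring several independent signals is deliberate: any one of them has an innocent explanation (a monitoring probe, a privacy extension that strips referers), and a scraper that spoofs a browser user-agent still has to explain the rate, the missing assets and the sequential catalogue walk.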



+ Hackers breaking new ground with ransomware

The enormous success which hackers have had extracting millions of dollars from individuals and businesses using ransomware appears to be driving more sophisticated tools and tactics from them. This week researchers sounded the alert on two recent ransomware families that break ground in different ways. One of them dubbed Virlock is noteworthy because it not only locks the screen of compromised systems like other ransomware, but also infects files on the device. First noticed by security firm ESET in December, Virlock is also polymorphic, meaning the code changes every time it runs making it hard to detect using standard malware detection tools.



+ HTTPS-crippling FREAK attacks become cheaper and easier to carry out

There’s more bad news surrounding the HTTPS-crippling FREAK vulnerability that came to light two weeks ago. A recently completed scan of the Internet revealed 10 percent of servers that support the underlying transport layer security protocol remain susceptible. Even worse, many of these laggards contain an additional weakness that drastically drives down exploitation costs, in the most extreme cases to just pennies per server. As Ars reported almost two weeks ago, so-called FREAK attacks—short for Factoring attack on RSA-EXPORT Keys—are possible when an end user with a vulnerable client connects to an HTTPS-protected website that still accepts export-grade RSA cipher suites with 512-bit keys; an attacker in the path can downgrade the connection to such a key and then factor it.

AND hundreds of Android and iOS apps are still vulnerable to a dangerous attack revealed two weeks ago that can compromise encrypted data, a security vendor said Tuesday. The apps have not yet been patched against the FREAK attack, short for Factoring attack on RSA-EXPORT Keys. The unpatched apps, which were not identified, are in categories including finance, communication, shopping, business and medicine, computer security company
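To make the two FREAK conditions concrete, here is an added example (not code from the articles or the researchers; the handshake bytes are constructed, and the cipher suite values are the standard IANA ones): it parses a TLS ServerHello and, when one is present, the RSA_EXPORT ServerKeyExchange, and reports an export suite being selected, an export suite the client never offered (the downgrade), a 512-bit modulus, and export parameters arriving for a non-export suite. That last case is the client-library bug itself: the vulnerable clients negotiated a normal RSA suite and still accepted the export key.

```python
"""Flag export-grade RSA negotiation in TLS handshake bytes (the FREAK conditions).
Added example with constructed handshake messages; not the researchers' code."""
import struct
from typing import List, Optional

# IANA values for the RSA_EXPORT cipher suites (RFC 2246 / RFC 4346).
RSA_EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
HANDSHAKE = 0x16
SERVER_HELLO = 0x02
SERVER_KEY_EXCHANGE = 0x0C


def _handshake_body(record: bytes, expected_type: int) -> bytes:
    """Strip the 5-byte record header and 4-byte handshake header, checking lengths."""
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE or len(record) != 5 + rlen:
        raise ValueError("not a complete TLS handshake record")
    msg = record[5:]
    htype, hlen = msg[0], int.from_bytes(msg[1:4], "big")
    if htype != expected_type or len(msg) != 4 + hlen:
        raise ValueError("unexpected handshake message type or length")
    return msg[4:]


def server_hello_cipher_suite(record: bytes) -> int:
    """Suite the server selected: version(2) random(32) sid_len(1) sid suite(2)."""
    body = _handshake_body(record, SERVER_HELLO)
    sid_len = body[34]
    offset = 35 + sid_len
    return struct.unpack("!H", body[offset:offset + 2])[0]


def export_rsa_modulus_bits(record: bytes) -> int:
    """Bit length of the RSA modulus in an RSA_EXPORT ServerKeyExchange.
    Only export suites legitimately carry this message; a client that accepts it
    after negotiating a normal RSA suite has exactly the FREAK bug."""
    params = _handshake_body(record, SERVER_KEY_EXCHANGE)
    mod_len = struct.unpack("!H", params[:2])[0]
    return int.from_bytes(params[2:2 + mod_len], "big").bit_length()


def assess(server_hello: bytes, server_key_exchange: Optional[bytes],
           client_offered_export: bool) -> List[str]:
    """Findings for one handshake; an empty list means no FREAK condition was seen."""
    findings = []
    suite = server_hello_cipher_suite(server_hello)
    if suite in RSA_EXPORT_SUITES:
        findings.append(f"server selected export suite {RSA_EXPORT_SUITES[suite]}")
        if not client_offered_export:
            findings.append("export suite selected although the client never offered one (downgrade)")
    if server_key_exchange is not None:
        bits = export_rsa_modulus_bits(server_key_exchange)
        if bits <= 512:
            findings.append(f"{bits}-bit RSA key offered: factorable in hours on rented compute")
        if suite not in RSA_EXPORT_SUITES:
            findings.append("RSA export parameters sent for a non-export suite: reject the handshake")
    return findings


# --- constructed messages so the checker can be exercised offline -------------

def _wrap(htype: int, body: bytes) -> bytes:
    msg = bytes([htype]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(msg)) + msg


def make_server_hello(suite: int) -> bytes:
    body = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return _wrap(SERVER_HELLO, body)


def make_rsa_export_ske(modulus_bits: int) -> bytes:
    """Constructed ServerKeyExchange whose modulus is exactly modulus_bits (not a real key)."""
    modulus = (1 << (modulus_bits - 1)).to_bytes(modulus_bits // 8, "big")
    exponent = b"\x01\x00\x01"
    params = (struct.pack("!H", len(modulus)) + modulus
              + struct.pack("!H", len(exponent)) + exponent
              + b"\x00\x00")   # empty signature field; signatures are not checked here
    return _wrap(SERVER_KEY_EXCHANGE, params)
```

Server-side, the fix is simply to stop offering the three suites in `RSA_EXPORT_SUITES`; client-side, the fix is the last check in `assess`, which the affected libraries lacked.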



+ Premera, Anthem data breaches linked by similar hacking tactics

Premera Blue Cross may have been attacked using the same methods employed against its fellow health insurer Anthem, suggesting that a single group may be behind both breaches. Customer data, including bank account and clinical data going back to 2002, may have been compromised in the attack, affecting 11 million people, Premera said Tuesday. It is the largest breach to affect the healthcare industry since Anthem disclosed last month that upwards of 78.4 million records were at risk after hackers accessed one of its databases. Several computer security companies have published data that points to a China-based group known as Deep Panda as a possible source for Anthem’s breach.



+ Google researchers hack computers using DRAM electrical leaks

Google researchers have written the first-ever attack code that takes advantage of electrical interference between densely packed memory cells, a unique style of attack that could require changes in chip design. The work builds on a paper published last year by Carnegie Mellon University (CMU) and Intel, which found it was possible to change binary values in stored memory by repeatedly accessing nearby memory cells, a process called “bit flipping” (the technique is now known as Rowhammer). DRAM is vulnerable to such electrical interference because the cells are packed so closely together, a result of engineers increasing a chip’s memory capacity.



+ Hacker Finds a Simple Way to Fool IRIS Biometric Security Systems

Biometric security systems that involve a person’s unique identification (ID), such as retinal, iris, fingerprint or DNA, are still evolving to change our lives for the better, even though biometric scanning technology still raises many concerns, such as information privacy and physical privacy.



+ Symantec Research Highlights Security Failures in the Connected Home

Research analyzing today’s smart home devices has revealed disturbing security implications for consumers.



+ Navy’s maritime strategy puts emphasis on ‘all domain access’

The document, updated from 2007, stresses the importance of cyberspace and the electromagnetic spectrum in national security.



+ All major browsers have been hacked



+ IoT security is still a pipe dream





+++ SD/SoCAL security events / opportunities +++


+ CyberTECH events / networking / startups / etc  —  THE cyber happening place in SD!!! 

Join their Meetup Group for the latest event information!   The definition of “Cyber KEWEL”





25  –  ISC2 –  6PM (Now meeting the 4th Wed)   “Hackersponders”  by Rusty Sailors  CEO of LP3

Location – BAH (Suite 200, 4055 Hancock Street, San Diego, CA 92110 USA).


26  – ISSA – 11:30AM –   Who’s “Really” Accessing Your Privileged Accounts? Reducing Advanced Persistent Threat (APT) Exposure by Protecting Privileged Accounts..  Evan Litwak, CyberArk  (at ADM Baker)

30  – ISACA –   11:30 AM    As a New CISO – How to assess your Security Program for Success. Gary Hayslip.  SD City CISO. (at Coleman University)





16 – OWASP –  6PM –   (3rd Thur)  Gabriel Lawrence =  Who’s that knocking on my door?









A couple of Highlights  (A couple of items of potentially notable interest / high utility &  value… your mileage will vary….)

(Lots happening,  so LOTs to be aware of. Takes 5 min to skim…then pick out a topic or two..)

 ( some great topics / meetings here in SD … scroll to bottom and get engaged)


++++  A  few  highlights of the week +++

FEB  8

YES… LOTS of articles on this breach – with SSNs, etc – possibly the WORST EVER???

+ Health insurer Anthem hit by massive cybersecurity breach

(as you know – SSNs / healthcare data are much more valuable than credit cards (100x), and the effects last much longer.. ID theft, etc)

Health insurer Anthem Inc., which has nearly 40 million U.S. customers, said late on Wednesday that hackers had breached one of its IT systems and stolen personal information relating to current and former consumers and employees. The No. 2 health insurer in the United States said the breach did not appear to involve medical information or financial details such as credit card or bank account numbers. The information accessed during the “very sophisticated attack” did include names, birthdays, social security numbers, street addresses, email addresses and employment information, including income data, the company said.

—  Here’s Why Your Social Security Number Is Holy Grail for Hackers

—  Anthem: A Catastrophic Event for US Children for Years to Come.


+ China involved in Anthem attack?

Bloomberg reports that U.S. federal investigators probing the theft of 80 million Social Security records and other sensitive data from insurance giant Anthem Inc. are pointing the finger at state-sponsored hackers from China. Although unconfirmed, that suspicion would explain a confidential alert the FBI circulated last week warning that Chinese hackers were targeting personally identifiable information from U.S. commercial and government networks.


+ Anthem breach: Warnings, lessons for the industry.. but are we / they listening???


+ White House preps expansive online privacy bill

The White House is preparing to send a sweeping online privacy proposal to Congress that would restrict how companies like Google and Facebook handle consumer data while greatly expanding the power of the Federal Trade Commission to police abuses – ideas that are likely to incite strong opposition in Congress. The forthcoming measure – slated for release next month – would require large Internet companies, online advertisers, mobile app makers and others to ask permission from consumers before collecting and sharing their most sensitive personal information, according to three sources briefed by administration officials. Companies that collect data for one purpose would in some cases need to get user sign-off before deploying it in a markedly different way, the sources said.


+ Security Lessons Learned from 2014: The Year of the Mega Breaches

A major lesson businesses continue to emphasize they learned this past year is that any organization, regardless of size, is vulnerable.


+ GREAT security policies – cyber, social media, privacy etc, etc,   Check these out 1st!!!

Then there are also the SANS policy examples:


+ Move Over Internet of Things, Here is Pixie’s Location of Things


+ The Ultimate Guide to As-A-Service


+ Browsers Are the Window to Enterprise Infection

Ponemon report says infections dominated by browser-based exploits. Around 59%

++++  Cyber Security News you can (likely) use  +++

+ Most brokerages and advisers have had cyberattacks: SEC

U.S. brokerage firms and financial advisers are a routine target of cyber criminals and some have lost money as a result of fraudulent emails requesting transfers of client funds, the U.S. Securities and Exchange Commission said in a report. At least 88 percent of broker-dealers and 74 percent of advisers have been the target of cyberattacks, the SEC said on Tuesday, citing findings from a cybersecurity examination program it conducted last year.


+ Obama budget: How far does $14 billion in cyber spending go?

The White House’s overall commitment to fighting hackers in the federal sphere tallies up to $14 billion. That’s how much President Barack Obama has asked for from lawmakers to help protect all U.S. networks from threat actors – a 10 percent increase over his fiscal 2015 total cyber proposal, acting federal Chief Information Officer Lisa Schlosser told Nextgov. The proposed funding figure was derived by pinpointing gaps in the overall federal strategy for securing critical infrastructure, such as the power grid and transportation sector, as well as agency networks, she said. The funding would go toward, for instance, coordination with the private sector on eliminating vulnerabilities and research and development.


+ Congress continues to want to snoop on you— “Privacy NOT!”

With half of House, lawmakers push email privacy bill

A bipartisan pair of lawmakers wants to require police to obtain a warrant to search people’s emails, and they’ve already got more than half the House on their side. Reps. Kevin Yoder (R-Kan.) and Jared Polis (D-Colo.) will introduce their Email Privacy Act on Wednesday with 223 co-sponsors. Sens. Patrick Leahy (D-Vt.) and Mike Lee (R-Utah) are planning to introduce a companion bill in the Senate. But just because the lawmakers have more than enough early backers to get their bill approved doesn’t mean it’s guaranteed a vote. Last year, Yoder and Polis worked their way up to 272 co-sponsors on a previous version of the bill, but it never even got a markup in the House Judiciary Committee. The new show of force should change that, lawmakers told The Hill.


+ AG nominee Lynch expected to be fighter on cyber crime

Attorney General nominee Loretta Lynch is well-suited to help the Justice Department tackle the rising threat of cyber crime, according to lawmakers and former DOJ officials. Lynch, a federal prosecutor in New York, has received considerable attention for her work on the issue, including the successful prosecution of eight New York-based members of an international cyber crime ring that hacked bank accounts and emptied $45 million from ATMs around the world. The next attorney general is expected to play a major role in a host of cyber issues, including reforming the National Security Agency, setting standards about what constitutes a digital crime and figuring out how to thwart cyber terrorists.


+ ‘Google Now’ will suck in outside app data

Google Inc. doesn’t want to lose its perch atop the search market, and it’s looking to the likes of Airbnb, eBay, Lyft and a couple dozen other companies to help it do just that. On Friday, Google is set to announce that, for the first time, it’s allowing third-party apps to deliver information to Google Now, its predictive search app that’s built into Android phones, Android Wear smartwatches and the Chrome web browser. Google Now has been seen as the future of Google’s search technology since it launched in 2012, a tool built to deliver frequently searched-for information before users ask for it: traffic for the commute home, sports scores, details on flights and reservations, package shipments, calendar appointments, breaking or popular news stories, and the weather.


+ Halvorsen to industry: ‘Let’s be real’ with each other on cloud data

Acting Defense Department CIO Terry Halvorsen on Jan. 29 called on commercial cloud providers to own up to the challenges of data liability and information sharing, measures he sees as instrumental to the Pentagon reaping the benefits of the commercial cloud. “When you lose our data that’s in your cloud, you have all the normal liability issues, but let’s be real, you’re also dealing with a bit of a political liability,” Halvorsen said. “Our data gets lost, it’s going to make the news. It’s going to get interest [from] Congress, it’s going to get interest [from] the American people.”


+ The internet of dangerous things

Distributed denial-of-service (DDoS) attacks designed to silence end users and sideline Web sites grew with alarming frequency and size last year, according to new data released this week. Those findings dovetail quite closely with the attack patterns seen against this Web site over the past year. Arbor Networks, a major provider of services to help block DDoS assaults, surveyed nearly 300 companies and found that 38% of respondents saw more than 21 DDoS attacks per month. That’s up from a quarter of all respondents reporting 21 or more DDoS attacks the year prior.


+ FCC Chairman to Propose Strong Net Neutrality Rules

US Federal Communications Commission (FCC) chairman Tom Wheeler says he will propose that cable Internet companies be reclassified as common carriers, which would subject them to additional government regulation.

Wheeler says the move will “preserve the Internet as an open platform for innovation and free expression.”

[Note : I read the wired article earlier today. I suppose the overwhelming majority of us are not in a position to do much about this, but we ought to be informed. The New Yorker piece is also a pretty good read:

Shades of Vietnam. Wheeler proposes to destroy the Internet to save it.  Regulating the Internet under this eighty year old law, designed to regulate a legal monopoly, will stifle competition, innovation, and investment.  To do so on the basis of anticipated abuse, without ever knowing whether competition and public opinion would have been a more effective and efficient way to accomplish the same objective, is the worst kind of government overreach.  This policy is not recommended by the amount of populist support it has. “Net neutrality” is a slogan, not a policy.]


+ New ‘F0xy’ malware uses clever techniques to stay hidden

Researchers at Websense have come across a new piece of malware that leverages legitimate websites and services in an effort to disguise its malicious activities. The threat has been dubbed “f0xy” not only because it’s cunning like a fox, but also because this particular string has been found in its executables and the registries it creates for persistence. The earliest samples identified by researchers are dated January 13, 2015, but the malware has been enhanced by its creators since. Initial variants only worked on Windows Vista and later versions of Microsoft’s operating system, but newer variants also work on Windows XP, Websense said.

+ The Value of a Hacked Email Account


+ New Technology Detects Hacks in Milliseconds


+ Security Trends for 2015: Internet of Things and Border Security


+ Leveraging The Kill Chain For Awesome


+ Advanced Defense Posture Assessment


+ Data Privacy Day 2015 Tips Round Up


+ Cybersecurity is a C-Level Activity

+ Hackers holding websites to ransom by switching their encryption keys

++++  FYI / FYSA  – items of general interest  +++

+ Intel chief warns US tech threatened by China cybertheft

The U.S. defense intelligence chief warned Tuesday that America’s technological edge over China is at risk because of cybertheft. Lt. Gen. Vincent Stewart, director of the U.S. Defense Intelligence Agency, told a congressional hearing the U.S. retains technological superiority. But he said China had stolen “a lot” of intellectual property from U.S. defense contractors and that effort continues. He declined to say publicly whether that has affected U.S. defense capabilities. “I do not believe we are at this point losing our technological edge, but it is at risk based on some of their cyber activities,” Stewart told a House Armed Services Committee hearing on worldwide threats.


+ Pentagon proposes at least $27M to grow ranks of cyber forces

The military services each want to bring on board an additional 20 to 60 security whizzes starting next fall to fill the ranks of a 6,000-person Cyber Command, according to President Barack Obama’s fiscal 2016 funding request. Air Force Maj. Gen. James Martin earlier this week said that increases in the service’s operations and maintenance budget would create a total of 39 cyber teams. Those teams will include “200 military personnel in cyber operations and cyber warfare positions to counter growing worldwide cyber threats,” according to budget documents.

+ White House debuts dot-gov cyber enforcement squad

The Obama administration will spend about $20 million on a new White House cyber unit to oversee dot-gov network security, including, for the first time, making sure agencies notify victims of breaches according to a specific timetable. The “E-gov Cyber” division, housed within the Office of Management and Budget, is aimed at making clear OMB’s role in government-wide cybersecurity: policymaking and enforcement. The newly enacted 2014 Federal Information Security Modernization Act formally tasks the Department of Homeland Security with operational aspects of guarding the dot-gov network, and cements OMB’s strategic role.


+ Why Internet users all around the world should be worried about China’s Great Firewall

China’s Great Firewall is coming to a computer near you. What may be the world’s biggest censorship and Internet monitoring operation does not just affect Netizens in China; it is becoming a potential concern for Internet users elsewhere in the world, experts say. News that China is building that firewall steadily higher only heightens those concerns. For a start, Web browsers all over the world now trust a certificate authority run by the Chinese government to vouch for which Web sites are genuine. That is increasingly dangerous as Chinese hackers target foreign Web services to steal users’ data, allegedly at the behest or with the connivance of the Chinese government. An attack on Microsoft Outlook last month underscores that risk. Then there is the question of China’s growing demands for the keys to global operating systems, which it is making on foreign IT firms as a condition for doing business there.


+ Cybersecurity experts say government hasn’t done enough to protect data

Hackers could tap into air traffic control systems, bust into banks or even cut off the water supply to a city. There’s little or no legislation right now that could help prevent these attacks, but that could change soon as both President Barack Obama and Congress are taking steps to find compromises for cybersecurity legislation after years of deadlock. “The government’s not nearly done what it should,” said Fred Cate, Indiana University professor of law and senior fellow with the IU Center for Applied Cybersecurity Research. “We have no obligation to protect data.” Compare it to a car: There are safety measures that need to be in place, such as seat belts and air bags, tests that need to be done and other requirements met. But for cybersecurity, none of those safety rules and regulations exist, Cate said.


+ ‘Anonymized’ credit card data not so anonymous, study finds

Credit card data isn’t quite as anonymous as promised, a new study says. Scientists showed they can identify you with more than 90 percent accuracy by looking at just four purchases, three if the price is included — and this is after companies “anonymized” the transaction records, saying they wiped away names and other personal details. The study out of MIT, published Thursday in the journal Science, examined three months of credit card records for 1.1 million people.  “We are showing that the privacy we are told that we have isn’t real,” study co-author Alex “Sandy” Pentland of the Massachusetts Institute of Technology, said in an email.
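As an added illustration (not from the MIT study or from this page), the script below computes the “unicity” that the study measures, over a constructed toy set of pseudonymized purchase traces: pick k (shop, day) points from one person’s record and count how often those k points match nobody else. All user ids, shops and days are made up. Adding a price bucket as a third element of each point makes matches rarer and drives unicity up, which is the effect the study reports when price is included.

```python
"""Unicity estimate for pseudonymized transaction traces (added example)."""
import random
from collections import defaultdict

# Constructed sample traces: user id -> list of (shop, day) points.
# Extend each point with a price bucket, e.g. ("cafe", 9, "1-5"), to see
# unicity rise as points become rarer.
SAMPLE_TRACES = {
    "u1": [("bakery", 3), ("gym", 5), ("cafe", 9), ("bookshop", 12)],
    "u2": [("bakery", 3), ("gym", 5), ("cafe", 9), ("cinema", 12)],
    "u3": [("bakery", 3), ("pharmacy", 7), ("cafe", 9), ("bookshop", 14)],
    "u4": [("grocer", 1), ("gym", 5), ("petrol", 8), ("cafe", 9)],
}


def build_index(traces):
    """Invert the traces: point -> set of user ids whose record contains it."""
    index = defaultdict(set)
    for uid, points in traces.items():
        for point in points:
            index[point].add(uid)
    return index


def candidates(index, points):
    """Users whose record contains every one of the given points."""
    sets = [index.get(p, set()) for p in points]
    if not sets:
        return set()
    return set.intersection(*sets)


def unicity(traces, k, trials=1000, seed=0):
    """Fraction of sampled (user, k random points) draws in which those
    k points single out exactly that user in the whole data set."""
    rng = random.Random(seed)
    index = build_index(traces)
    users = [u for u, pts in traces.items() if len(pts) >= k]
    if not users:
        return 0.0
    unique = 0
    for _ in range(trials):
        uid = rng.choice(users)
        chosen = rng.sample(traces[uid], k)
        if candidates(index, chosen) == {uid}:
            unique += 1
    return unique / trials


if __name__ == "__main__":
    for k in (1, 2, 3, 4):
        print(f"k={k}: unicity={unicity(SAMPLE_TRACES, k):.3f}")
```

Unicity climbs with k even in this tiny set; in the study, four points were enough for more than 90 percent of 1.1 million people. Removing names from the records does nothing to change this, because the trace itself is the identifier.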


+  In communications, privacy and security are illusions

President Obama has tried for three years to persuade Congress to pass a cybersecurity bill. The president went so far as to highlight his cybersecurity proposals to a prime-time audience during his recent State of the Union address. And in the wake of the massive Sony hack, the political climate may finally have shifted in his favor. Indeed, the Sony breach was one of the worst in corporate history. It torpedoed a Hollywood blockbuster and nearly brought down a major studio. But, more important, it represented a significant escalation of cyber warfare and demonstrated the quickly accelerating skills of hackers everywhere.


+ DISA Rolls Out Defense Department Online Collaboration Tool


+ Mandatory Security Design Considerations for the IoT / IoE


+ How Ransomware Works, and Why You Should Be Afraid

+ Digital Electronic “Internet of Things”(IoT) and “Smart Grid Technologies” to Fully Eviscerate Privacy


+ DoD cyber types – JRSS paves the road to JIE


+ Cisco’s Chief Security and Trust Officer: ‘all hands on deck’


+ Closing the Cyber Talent Gap

+ MOBILE security / MDM potpourri… (note: the master data management items below use the same “MDM” acronym for a different discipline than mobile device management)

10 Commandments Of BYOD

10 BYOD mobile device management suites you need to know

Five new threats to your mobile device security

2015 Mobile Device Management Solution Directory | MDM,

Six criteria for master data management (MDM) tool evaluation

Gartner Master Data Management Magic Quadrant of Customer Data Solutions 2014

MDM tools: Features and functions compared

++++  THREATs  / bad news stuff / etc  +++

+ BMW Fixes Software Flaw that Affected 2.2 Million Cars

BMW has remotely fixed a vulnerability in software used in some of its cars that could have been exploited to open the vehicles’ doors using a mobile phone. The software, ConnectedDrive, uses an on-board SIM card and manages door locks, air conditioning, and traffic updates, but not brakes or steering. The patch switches the car’s communication with BMW’s servers to HTTPS, so the data is encrypted in transit instead of being sent in the clear.

[Note: While this patch was innocuous, it does raise bigger questions about how we manage patches to critical devices such as cars, alarm systems and health monitoring devices that are connected to the Internet. Blindly patching devices with the latest updates may not prove to be the most sensible approach; having your PC crash during an update is an entirely different beast than having your car crash during an update. This is the kind of gross error of omission that one can expect when programmers, rather than engineers, build infrastructure…. It demonstrates the necessity of failure mode analysis. It is the kind of omission that the FTC Guidance might hope to address. It is also the kind of problem that we can expect if we employ a programming “late discovery and patch” strategy rather than an engineering “do it right the first time” approach. Note that the difficult-to-secure functionality that the programmer includes to facilitate late patching of his errors and omissions will greatly increase the attack surface and vulnerability of the infrastructure. Are we to trust the same programmer to design the patch function as makes this kind of error in the base product?]


+ DDoS attacks spike 80% in Q4 2014

Traffic volume for internet attacks aimed at bringing web servers to their knees continues to accelerate. In the past year, there has been a 52% increase in average peak bandwidth of distributed denial of service (DDoS) attacks, according to new research. Akamai Technologies’ Q4 2014 State of the Internet – Security Report, produced by the Prolexic Security Engineering and Research Team (PLXsert), found that compared to Q4 a year ago, there were 57% more DDoS attacks and a 28% increase in average attack duration. Compared to the previous quarter, attacks spiked by 90%.


+ Browser-borne malware costs top $3.2M

Enterprise IT failure to defend against web-borne malware is a rapidly growing enterprise data security threat, new research has revealed, with more than 75% of enterprises having been infiltrated via inherently insecure browsers. According to the Ponemon Institute report, there’s also a very real cost attached to the issue, apart from fraud-related costs and impact on valuation from data leakage. The findings reveal the average cost to respond to and remediate just one security breach resulting from failed malware detection technology to be approximately $62,000. Ponemon estimates that such attacks and infections have cost survey respondents an average of $3.2 million.


+ Serious bug in fully patched Internet Explorer puts user credentials at risk

A vulnerability in fully patched versions of Internet Explorer allows attackers to steal login credentials and inject malicious content into users’ browsing sessions. Microsoft officials said they’re working on a fix for the bug, which has been demonstrated against IE 11 running on both Windows 7 and 8.1. The vulnerability is known as a universal cross-site scripting (XSS) bug. It allows attackers to bypass the same-origin policy, a crucially important principle in Web application models that prevents one site from accessing or modifying browser cookies or other content set by any other site. A proof-of-concept exploit published in the past few days shows how websites can violate this rule when people use supported versions of Internet Explorer running the latest patches to visit maliciously crafted pages.
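To make the rule the bug bypasses concrete, here is an added example (not from the article or from Microsoft) of the origin comparison the same-origin policy performs: two URLs share an origin only when scheme, host and port all match, with a missing port taking the scheme default. The bank and attacker host names are hypothetical. A universal XSS bug lets a page on the attacker’s origin read and write a victim page’s content as if `same_origin` had returned True, which is why no server-side setting on the victim site can stop it.

```python
"""Origin comparison behind the browser same-origin policy (added example)."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def origin(url):
    """Return the (scheme, host, port) triple the policy compares.
    An absent port takes the scheme default, so http://a.com and
    http://a.com:80 are the same origin while :8080 is not."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(url_a, url_b):
    """True when scripts from url_a may read or modify content of url_b."""
    return origin(url_a) == origin(url_b)


def cross_origin_readers(victim_url, candidate_urls):
    """Pages the policy is supposed to keep away from victim_url's DOM and
    cookies; a universal XSS bug makes these reads succeed anyway."""
    return [u for u in candidate_urls if not same_origin(u, victim_url)]


if __name__ == "__main__":
    # Hypothetical hosts used only for the demonstration.
    victim = "https://bank.example/account"
    others = [
        "https://bank.example:443/help",   # same origin (default port)
        "http://bank.example/account",     # scheme differs
        "https://login.bank.example/",     # host differs
        "https://bank.example:8443/",      # port differs
        "https://attacker.example/",       # different site entirely
    ]
    for u in cross_origin_readers(victim, others):
        print("blocked by SOP:", u)
```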


+ Google paid over $1.5 million in bug bounties in 2014

Google last year doled out more than $1.5 million to security researchers who rooted out vulnerabilities in its open-source software and web services. The search engine giant today released a 2014 postmortem of its Security Reward Programs, which includes its Vulnerability Reward Program. The top-dollar reward of 2014 went to George Hotz, who earned a $150,000 reward from Google for finding flaws in the Chrome operating system. Hotz was later hired as an intern with the Project Zero team at Google. Google last year awarded bug bounties for more than 500 vulnerabilities found by some 200 security researchers. “For Chrome, more than half of all rewarded reports for 2014 were in developer and beta versions,” Google security engineer Eduardo Vela Nava wrote in a blog post today. “We were able to squash bugs before they could reach our main user population.”

—threats/google-paid-over-$15-million-in-bug-bounties-in-2014/d/d-id/1318886?_mc=RSS_DR_EDT


+ Syrian conflict: Attackers steal rebel battle plans

Security researchers have uncovered a major new attack campaign designed to covertly steal military and political intelligence which could be used to gain a battlefield advantage against the Syrian ‘rebel’ armies. FireEye explained in a new report, Behind the Syrian Conflict’s Digital Front Lines, that the attackers would typically hide behind a female online avatar, striking up a conversation with their targets on Skype. Unusually, the ‘women’ would ask the victim what device they were using, most likely in order to determine what type of malware to deliver.


+ TurboTax owner Intuit Inc. has issues… (long-time TurboTax user… I switched to H&R Block this year)

Intuit said Thursday that it is temporarily suspending the transmission of state e-filed tax returns in response to a surge in complaints from consumers who logged into their TurboTax accounts only to find crooks had already claimed a refund in their name.


+ The Russian hackers first hacked into the Sony Entertainment computers in their Asian branches.

The hackers first accessed SPE’s Culver City, California network in late 2014 through a spear-phishing attack on Sony employees in Russia, India and…


+ FINAL word on this  – Anthem Notifying Customers Just Eight Days After Breach

US health insurance company Anthem has acknowledged a breach of one of its systems that compromised customer and employee data. Anthem began notifying affected customers just eight days after the breach. The company has also notified the FBI and has hired Mandiant to investigate. Mandiant said that the attack was conducted through custom backdoors, suggesting that the company was the target of an “advanced attack.”

[Note: Focus on what vulnerabilities were exploited to breach Anthem, not who launched the attack. So far, it looks like the common combination of exploiting well-known vulnerabilities with a targeted phishing attack at the front end. When Critical Security Controls are not in place or are disabled or mismanaged, advanced targeted attacks do *not* need to be very “advanced.”… To focus on the good news: Anthem detected the breach internally, without requiring notification by an external entity. They also noticed the breach quickly and may have prevented the attacker from ever using the data…. Well, there is finally a breach to rival eBay. Anthem will likely draw a bye from the media as eBay did. The media does not seem to worry as much about identity theft as about credit card fraud. Anthem has stressed that no health information has been compromised, hoping to avoid the draconian penalties under HIPAA. Fortunately for all of us there is a limit to the number of identities one can exploit. Consumers should be warned against the kinds of telephone scams that will seek to exploit this information. As with previous major breaches, how the breach happened is the more important lesson for most people, rather than who conducted the attack. Let law enforcement worry about who is behind the attack and hopefully put them behind bars, let those of us responsible…]

+ Multiple Security Weaknesses in Microsoft Outlook for iOS Revealed by Developer – Softpedia

A software developer has analyzed the way the newly released Microsoft Outlook for iOS functions and discovered that it does not align to the best security practices, presenting a serious risk if used for company email communication.


+ Dangerous IE vulnerability opens door to powerful phishing attacks


+ Terrorist Use Of U.S. Social Media Is A National Security Threat


+ Take Immediate Steps to Repair Identity Theft | Consumer Information

++++   SD/SoCAL security events / opportunities +++

+ CyberTECH events / networking / startups / etc  —  THE cyber happening place in SD!!! 

Join their Meetup Group for the latest event information!   The definition of “Cyber KEWEL”



8-11 – NDSS Symposium 2015

10-12 –  AFCEA West –  (and DoN CIO conf too) Focused on Operations in the Asia-Pacific Region

19 – ISACA – 12-2PM – Hybrid Solutions Providers and the Sometimes Fragmented Solutions that Occur When Selecting a Patchwork of Hosts.

19 – OWASP – 6PM  – Improving Application Security & Penetration testing, through training and presentations


19 – OWASP –  Kelly FitzGerald

+++  Future events in planning  FYI:

25-26 Apr – CYBERWEST: The Southwest Cybersecurity Summit (Phoenix AZ)

4-12 May SANS Security West 2015

18-21 Jul  Esri National Security summit


MAR / APR(tbd)   “BigDataDay 4 SD”  all-day event SAT – free –  Jump in and help us – speakers needed!!!

WE went to the one in LA and it was great…   our three tracks will be:

TBD – Privacy by design workshop – a cyber model  – Provided by IEEE Cyber SIG / Various Security groups – all day  & why you must be part of this initiative!  (at Coleman University –  AM Technical approach… PM public discussions)     Help move SD forward in cyber –  DOING security vs admiring the problem…. SO engage and help out on cyber 4 PbD!!!

+++  Join our PbD / data security meetup, stay tuned into what’s happened..



FEB  1

+ Report suggests most DoD networks susceptible to mid-grade cyber threats

A new Pentagon report on the Defense Department’s major systems includes some worrying assessments of DoD’s overall cybersecurity posture: A troubling proportion of its IT systems appears to be vulnerable to low- or intermediate-level hackers, leaving aside the advanced persistent threats everyone’s worried about. The annual report from the Office of Operational Test and Evaluation is most known for its summarized assessments on the performance of dozens of individual weapons programs. But a separate eight-page section dedicated to cybersecurity draws some stark conclusions about DoD’s overall defensive positioning.


— Of course — lack of effective cyber hygiene and weak access control cause over 90% of all security incidents… Everyone tells us that… the Verizon data breach report, NSA, even the Navy’s own NCDOC (for what seems like many years… ;-((   “Nearly all the vulnerabilities were discoverable with novice- and intermediate-level cyber threat techniques,” the authors wrote.


+ U.S. intelligence challenged by technology, cyber

A day after President Barack Obama’s State of the Union address, a top Pentagon intelligence official gave what might be described as a State of Intelligence speech describing U.S. advantages in the field as increasingly challenged by asymmetric threats. Undersecretary of Defense for Intelligence Michael Vickers put insecurity in cyberspace on par with terrorism as the biggest immediate threats to U.S. national security — and touched on how IT can help cope with those challenges — in a Jan. 21 appearance at the Atlantic Council in Washington.


+Tech Companies Balking at China’s Security Requirements

Vendors are unhappy with the Chinese government’s requirements that products sold to financial institutions in that country include “management ports” in hardware and allow the government complete access to all software and firmware source code. The requirement is part of China’s “cyber security vetting process.” The US Chamber of Commerce and others have called the new rules “intrusive.”

[Note : Given the calls from US and UK governments in support of backdoors into security products it will be interesting to see their reaction to these demands from China.]


+ Deep Dark Web Of The Internet Iceberg


+ Lest we forget the Sony hack


+ Business Insurance On The Go… D & O increasing


+ 10 Quotes From Entrepreneurial Icons That Will Inspire You to Crush 2015


+ NIST 8018, Public Safety Mobile Application Security Requirements

+ Top 10 Security Vendors To Watch In 2015


+ Advice For Entrepreneurs From 2014
++++  Cyber Security News you can use  +++

+ New rules in China upset western tech companies

The Chinese government has adopted new regulations requiring companies that sell computer equipment to Chinese banks to turn over secret source code, submit to invasive audits and build so-called back doors into hardware and software, according to a copy of the rules obtained by foreign technology companies that do billions of dollars’ worth of business in China. The new rules, laid out in a 22-page document approved at the end of last year, are the first in a series of policies expected to be unveiled in the coming months that Beijing says are intended to strengthen cybersecurity in critical Chinese industries. As copies have spread in the past month, the regulations have heightened concern among foreign companies that the authorities are trying to force them out of one of the largest and fastest-growing markets.


+ More white hats improve security, researchers demonstrate

White hat hackers have been making significant contributions to cybersecurity by detecting vulnerabilities in companies’ software systems and websites and communicating their findings, according to a recent research project at Penn State. Long used by agencies for penetration and vulnerability testing, white hat or ethical hacking helps organizations find holes and bugs in software, digital devices and networks, thereby better securing the online world. Researchers at Penn State’s College of Information Sciences and Technology (IST) studying white hat behaviors suggest that organizations that reward hackers who uncover vulnerabilities in their systems could improve the bug discovery process by expanding and adding diversity to their white hat communities.


+ This is how feds will protect sensitive data in the cloud

Officials at the Federal Risk and Authorization Management Program have released draft security standards aimed at protecting some of the government’s most sensitive unclassified data in cloud computing environments. FedRAMP officials are now seeking feedback from industry and agencies on the proposed standards. The so-called high-impact baseline under the Federal Information Security Management Act has been discussed since FedRAMP – the government’s program to standardize cloud security requirements – was created nearly three years ago.


+ Email privacy blitz unites Amazon, Grover Norquist

Major technology companies and advocacy groups are rushing to urge “speedy consideration” of legislation to add new legal protections to people’s emails. Companies from Amazon to eBay to Facebook joined the Electronic Frontier Foundation, Grover Norquist’s Americans for Tax Reform and dozens of others in sending letters demanding Congress finalize a bill to require that officials get a warrant before searching people’s old emails or other items stored digitally on the cloud.


+ ‘123456’ again: The most popular passwords aren’t changing

This is not a reprinted mistake: The most commonly used password in 2014 was “123456,” a security company says. Despite the high-profile hacking attacks last year, people are still using passwords that security analysts say should have been in the dustbin years ago. Both “123456″ and “password” have been the top two passwords since security-app provider SplashData began measuring the most frequently used passwords in 2011.
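The practical answer to a list like SplashData’s is to refuse those passwords at registration and password-change time. The check below is an added example (not from the article or from SplashData): it normalizes a candidate password, undoes the usual “leet” substitutions and trailing digits, and looks the results up in a deny-list. The list here is a short constructed one; a real deployment uses a list of millions of leaked passwords.

```python
"""Deny-list check for commonly used passwords (added example)."""
import unicodedata

# Constructed short deny-list; production checks use a breach-derived list.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123",
                    "letmein", "iloveyou", "football", "monkey", "dragon"}

# Undo the substitutions people use to dress up a dictionary word.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

TRAILING = "0123456789!.?"


def variants(password):
    """Forms of the password worth looking up: lowercased, with trailing
    digits/punctuation stripped, and each of those de-leeted."""
    base = unicodedata.normalize("NFKC", password).lower()
    forms = []
    for cand in (base, base.rstrip(TRAILING)):
        for form in (cand, cand.translate(LEET)):
            if form and form not in forms:
                forms.append(form)
    return forms


def check_password(password, banned=COMMON_PASSWORDS, min_len=8):
    """Return None if the password is acceptable, else a short reason.
    The deny-list is consulted first so 'P@ssw0rd1!' is reported as a
    common password rather than accepted for being long enough."""
    if any(form in banned for form in variants(password)):
        return "common"
    if len(password) < min_len:
        return "short"
    return None


if __name__ == "__main__":
    for pw in ("123456", "P@ssw0rd1!", "Football2015", "abcdefg",
               "correct horse battery staple"):
        print(repr(pw), "->", check_password(pw))
```

Length alone would have accepted “P@ssw0rd1!”; normalizing before the lookup is what catches it.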


+ Agencies get roadmap for security data sharing

The Office of the Director of National Intelligence’s Information Sharing Environment this month released what it called the first-ever roadmap for national security information sharing, a set of best practices for agencies and IT firms to synchronize data sharing in pursuing national security threats. The model, called the Data Aggregation Reference Architecture (DARA), was developed over several years as a compendium of ways for agencies to share aggregate information to gain insights into potentially relevant intelligence data, said government executives involved in the effort.


+ Study uncovers 40,000 malicious mobile banking apps

Mobile banking is an increasingly popular way to stay on top of one’s finances, with the ability to check balances, transfer money and even deposit checks virtually. Unfortunately, the sector is also a rich tapestry of criminal activity, with 11% of mobile banking apps categorized as “suspicious.” According to research findings from RiskIQ, there’s a notable prevalence of suspicious mobile apps related to banking. The company found that more than 40,000 (or 11%) of the 350,000 apps which reference banking in the world’s top 90 app stores contain malware or suspicious binaries. Roughly half of those (20,000) actually contained Trojan malware.


+ Report: US Weapons Programs Vulnerable to Cyber Attacks

According to a report released by the US Defense Department’s Director of Operational Test and Evaluation (DOT&E) Michael Gilmore on January 20, most of the country’s weapons programs contain security flaws.

Gilmore wrote, “The continued development of advanced cyber intrusion techniques makes it likely that determined cyber adversaries can acquire a foothold in most (Department of Defense) networks, and could be in a position to degrade important DOD missions when and if they chose to.” Many of the security problems found during testing could have been addressed in the programs’ development stage. Other issues include old, misconfigured, and unpatched software.

[Note : One of the major recommendations was pretty straightforward: “Emphasize network defense fundamentals” – essentially citing many of the Critical Security Controls. : One might think that it would be obvious that weapons systems should be purpose built, closed, and have a very high cost of attack.  It isn’t.  This report suggests that we are not even addressing the “essentials,” the “low hanging fruit.”  The IT culture of shoddy affects the military the same way as the rest of us.  This should be a source of shame rather than mere concern.]


+ Court Dismisses LabMD’s Challenge to FTC Breach Enforcement

The 11th Circuit Court has dismissed a challenge from LabMD to the US Federal Trade Commission’s (FTC’s) authority to take enforcement action against the company for an alleged data breach.

[Note : The FTC has done great work, without needing any new legislation, in going after companies that don’t protect citizen information. This court decision didn’t really dismiss LabMD’s challenge completely – it really said LabMD has to exhaust all administrative remedies before asking the Court to act. I can guarantee that LabMD has already paid lawyers more to fight this action than it would have spent in just protecting customer information sufficiently in the first place.]


+ Enterprise security needs more than just new and improved

“The innovation void is real and it will grow in severity and pose a major threat to all of information security if we wait for others to correct the problem. There is no magic fix or killer app coming this time,” said Peter Kuper. Yet we know that the biggest threat to business continuity is the threats that are already inside – the ones that much of the “IT security” boxes failed to stop (aka, need SCM / SIEM / SDM…). “We don’t have enough of the basics; security is always behind the [threat] curve. We need to leverage resources – make the most of big data and the cloud, for example…”


+ NFL mobile sports app contains Super Bowl-sized vulnerabilities

Russell Wilson and Tom Brady aren’t the only ones who might be due for an interception this Super Bowl Sunday. As the Seahawks and the New England Patriots lock horns on the gridiron, football fans might find that their data is what’s being intercepted off the field. According to a report by mobile data gateway firm Wandera, the popular NFL Mobile app has a vulnerability that leaves users’ sensitive personal data exposed to man-in-the-middle attacks. Wandera performed scanning on the app to find that following a successful login by the user through their account, the NFL Mobile app leaks their credentials in an unencrypted API call. Additionally, it leaks the username and email address in an unencrypted cookie immediately after login and on subsequent calls by the app to the domain.
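The two defects Wandera describes (credentials in a cleartext API call, identity in a cleartext cookie) are the kind of thing a proxy capture of an app’s traffic shows immediately. As an added example, not from Wandera or from the NFL, the script below runs that check over a constructed set of captured requests: any request sent over plain http: whose query string, form body, Cookie or Authorization header carries a sensitive field is flagged. The hosts and values are made up. The same check would have caught the unencrypted car-to-server traffic in the BMW ConnectedDrive item above.

```python
"""Flag sensitive fields sent over plain HTTP in captured requests (added example)."""
from urllib.parse import parse_qs, urlsplit

# Field names whose appearance in a cleartext request is worth flagging.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "pin", "token", "session",
                  "sessionid", "email", "username", "user"}

# Constructed sample capture with hypothetical hosts (not real app traffic).
SAMPLE_REQUESTS = [
    {   # login over TLS: credentials in the body, but encrypted in transit
        "url": "https://api.example.com/login",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": "username=fan1&password=hunter2",
    },
    {   # credentials repeated in a cleartext API call, plus a cleartext cookie
        "url": "http://api.example.com/profile?username=fan1&password=hunter2",
        "headers": {"Cookie": "session=8f1c2a; email=fan1%40example.com"},
        "body": "",
    },
    {   # static asset: nothing sensitive, cleartext is fine
        "url": "http://cdn.example.com/logo.png",
        "headers": {},
        "body": "",
    },
]


def _flag(names, where, found):
    for name in names:
        if name.lower() in SENSITIVE_KEYS:
            found.append((where, name))


def sensitive_fields(req):
    """Return (location, field) pairs for sensitive names found in the
    query string, form body, Cookie header and Authorization header."""
    found = []
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    parts = urlsplit(req["url"])
    _flag(parse_qs(parts.query).keys(), "query", found)
    if "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        _flag(parse_qs(req.get("body", "")).keys(), "body", found)
    cookie_names = [c.strip().split("=", 1)[0]
                    for c in headers.get("cookie", "").split(";") if c.strip()]
    _flag(cookie_names, "cookie", found)
    if "authorization" in headers:
        found.append(("header", "Authorization"))
    return found


def plaintext_leaks(requests):
    """Requests that carry sensitive fields without TLS, with what leaked."""
    leaks = []
    for req in requests:
        if urlsplit(req["url"]).scheme.lower() != "http":
            continue
        fields = sensitive_fields(req)
        if fields:
            leaks.append((req["url"], fields))
    return leaks


if __name__ == "__main__":
    for url, fields in plaintext_leaks(SAMPLE_REQUESTS):
        print(url)
        for where, name in fields:
            print(f"  {where}: {name}")
```

Note that the https: login is not reported even though it carries the same credentials; the finding is the cleartext transport, not the presence of a password field. A cookie marked Secure would never have been sent on the http: request in the first place.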

+ The top five mistakes new security leaders make


+ Obama cybersecurity proposals, CISPA: Who is liable for big data breaches?


+ Building A Cybersecurity Program: 3 Tips


+ 7 ideas for security leaders

I like them, besides being really good at the security basics and CISO fundamentals we suggest ;-))


+ Cloud Computing in Government

“Creating Cloud Builder Organizations Across Government” featured some of the brightest tech minds sharing their knowledge of cloud computing.

+ Very nice IR plan overview!   Social Media Cyber-Vandalism Toolkit



+ NSA Releases Defensive Best Practices for Destructive Malware

+ Privacy and Data Protection by Design
++++  FYI / FYSA   +++

+ Fed data at risk in attacks on university computers

Cyber attackers hijacked a university’s supercomputer in early 2014, leveraging its vast capabilities in a massive electronic assault on U.S. gaming networks, according to a recent warning to U.S. higher education from the Department of Homeland Security. DHS’s “unclassified, for official use only” memo said university networks are attractive targets for cybercriminals, adding that universities’  information-filled computer infrastructure and networks can provide access to other types of electronic facilities, including sensitive federal networks.


+ Feds get a how-to guide for responding to social media hacks

Remember two weeks ago when the Twitter and YouTube accounts of U.S. Central Command were compromised in a very public, embarrassing fashion that had some questioning the need for certain agencies’ social media use? The news sparked a rapid response from the SocialGov Community – hundreds of digital engagement managers across the government – which created a working group to compile best practices and guidance in social media for federal agencies. Launched today, the Social Media Cyber-Vandalism Toolkit is the result of the working group’s collaboration, and “the new resource is now available as a ‘living document’ for continuous technologies.”


+ DHS to launch iris and facial recognition at the border

The Department of Homeland Security this summer plans to roll out iris and facial recognition services to the U.S. Border Patrol, according to DHS officials. The service will be able to share images with the FBI’s massive multibiometric system, officials said. The test is part of a coming overhaul of the Department’s “IDENT” biometric system, which currently contains more than 170 million foreigner fingerprints and facial images, as well as 600,000 iris templates. DHS last November released two sets of system specifications as part of market research for the new product.


+ Google defends policy that leaves most Android devices unpatched

Google on Friday defended its decision to stop patching WebView, a core component of Android, on versions older than 4.4, aka “KitKat,” saying that the huge code base is unsafe to fix. “Until recently, we have also provided backports for the version of WebKit that is used by WebView on Android 4.3 and earlier,” wrote Adrian Ludwig, Android lead security engineer on Google+. “But WebKit alone is over 5 million lines of code and hundreds of developers are adding thousands of new commits every month, so in some instances applying vulnerability patches to a two-plus-year-old branch of WebKit required changes to significant portions of the code and was no longer practical to do safely.”


+ Financial groups want same data security standards for retailers

Financial groups want retailers and banks to be held to the same standards when data breaches occur. The Credit Union National Association sent a letter to Congress on Friday asking for new rules for how retailers must handle customers’ personal data. “The financial industry is required by law to develop and maintain robust internal protections to combat and address criminal attacks, and are required to protect consumer financial information and notify consumers when a breach occurs within their systems that will put their customers at risk,” the letter said. “The same cannot be said for other industries, like retailers, that routinely handle this same information and increasingly store it for their own purposes.”


+ In emergencies, companies are turning to employee-tracking services

The recent terrorist attack in Paris put Norm Sheehan, a safety director for an international development company, on high alert. Employees of his company, Chemonics International, were headed to West Africa through Charles de Gaulle Airport, and he had to find them. So his emergency plan – long in preparation, regularly updated and only sometimes used – went into effect. It took more than just a call on their cellphones to help locate the workers during the emergency. Rather, he relied on an online tracking tool, to identify travelers’ plans and their contact information, developed by International SOS, one of a growing number of companies offering such services.


+ House Subcommittee Hears Testimony on Data Breach Legislation

The US House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade heard testimony from tech company representatives, legal experts and others regarding what data breach legislation ought to look like. A trade association executive spoke of the need for federal legislation to establish a national standard for breach notification so companies do not have to navigate the current patchwork of state laws. A law professor and scholar cautioned that “data breach legislation should be minimally preemptive [of state laws] because multiple approaches are still needed to determine the best approach to data security and breach notification.”


+ FCC Enforcement Advisory Says Blocking Personal Wi-Fi Hotspots Could be Fined

The US Federal Communications Commission (FCC) has issued an enforcement advisory, clarifying its position on Wi-Fi blocking. The advisory is in response to a recent settlement the agency reached with Marriott International. That company was fined US $600,000 for blocking guests’ personal hotspots at a resort and convention facility. The advisory says that “willful or malicious interference with Wi-Fi hotspots is illegal.”

[Note : Where do you draw the line? It clearly makes sense that a hotel blocking your personal Wi-Fi so they can force you to pay for hotel internet is just plain wrong. But what about virtual horse racing tracks in Vegas, or disabling cell phones when the US Presidential motorcade is driving by to prevent bombs? We need rules of the road. Was it appropriate when the San Francisco Police Department jammed phones to try to prevent a protest? I surely do not know, but someone needs to establish just and fair rules of the road.]


+ Google Will Not Fix Flaw in Older Versions of Android OS

Google does not plan to fix a security issue in WebView in older versions of its Android operating system. The decision will affect about 60 percent of people using Android. The flaw is in the default web browser for Android 4.3 and previous versions of Android OS.

[Note : Here is where Google shows its consumer DNA. Android 4.3 shipped in mid-2013, which in consumer/Internet years was over 10 years ago. However, in enterprise years that is only 1.5 years ago. If enterprises want to take advantage of consumer-driven IT, they will have to invest in security mitigation to deal with the differences in enterprise products and support vs. consumer/advertising-supported technology. If mechanics used tools they bought at dollar stores, they would be replacing their tools much more often than when they buy them from Snap-on… Enterprise users of consumer software face special problems. They should have a strategy for doing so. The strategy should include a trusted source, avoiding version dependencies, staying current, and patching as necessary. That said, Android is a special case. Too many sources, too many versions, too many uses and copies. It is not really a product so much as a collection of related products. These products may share vulnerabilities but may also have product-specific problems. Best to treat each product rather than the class. Consider alternatives.]


+ Feds Release New Guidelines To Bolster Social Media Security After CENTCOM Twitter Hack


+ State of Security Operations 2015 Report – HP Enterprise


+ Internet Society Issues Developing Cyber Security Policy Initiatives… Privacy too


—–  Internet of Things (IoT) potpourri   — 

FTC calls for strong data and privacy protection with connected devices

As consumers increasingly adopt devices that can collect information and transmit it to the Internet, the Federal Trade Commission on Tuesday called on technology companies that sell those products to institute comprehensive measures to protect users’ data security and privacy. Advancements like in-car sensors, which can record vehicle location and speed, or glucose monitors that can send information on diabetic patients to their doctors, have huge potential benefits, like reducing traffic accidents or improving public health. But the agency said the devices, which make up the so-called Internet of Things, also raise serious security and privacy risks that could undermine consumers’ confidence.


FTC Publishes Report on Security and Privacy for Internet of Things

The US Federal Trade Commission (FTC) has published a report to address security for the Internet of Things (IoT). The report, “The Internet of Things: Privacy and Security in a Connected World,” provides guidance for companies that manufacture IoT devices on incorporating security and privacy into the development process.

[Note : Weakening of the infrastructure should go on the list of concerns with, and perhaps ahead of, “privacy” and “harm to the consumer.”  In a world in which web servers sell for a dime, our strategy should be minimal function, purpose-built, owner control, firmware rather than software, “discard and replace” in preference to exploitable manage and patch.  One does not need the capability to update the firmware on a three year old light bulb or router that can be replaced with a brighter, better, faster one for a third of its cost….]


HP internet of things research study

Reviewed 10 of the most popular devices in some of the most common IoT categories; expect the five shortcomings listed below to apply to most, if not all, IoT devices…

ISSUES:

1. Privacy concerns

2. Insufficient authentication and authorization

3. Lack of transport encryption

4. Insecure web interface

5. Insecure software and firmware

CONCLUSIONS:

1. Conduct a security review of your device and all associated components.

2. Implement security standards that all devices must meet before production.

3. Ensure security is a consideration throughout the product lifecycle.


Internet of Things (IOT): Seven enterprise risks to consider

However, despite the opportunities of IoT, there are many risks that must be contended with. Any device that can connect to the Internet has an embedded operating system deployed in its firmware. Because embedded operating systems are often not designed with security as a primary consideration, there are vulnerabilities present in virtually all of them — just look at the amount of malware that is targeting Android-based devices today. Similar threats will likely proliferate among IoT devices as they catch on.

1. Disruption and denial-of-service attacks

2. Understanding the complexity of vulnerabilities

3. IoT vulnerability management

4. Identifying, implementing security controls

5. Fulfilling the need for security analytics capabilities

6. Modular hardware and software components

7. Rapid demand in bandwidth requirement


FTC – IoT connected world workshop summary

They focused on three areas of consumer harm: enabling unauthorized access (and thus misuse of PII), facilitating attacks on other systems, and creating personal safety risks. Additionally, this workshop discussed the FIPPs and other privacy ‘requirements’ artifacts and how ‘use-based’ approaches could help protect consumer privacy…


FTC Warns of the Huge Security Risks in the Internet of Things

70 percent of the most commonly used Internet of Things devices had serious security vulnerabilities. And this issue was a recurring theme at the Black Hat and the DEFCON hacker conferences this past year.

—  Security first (baked in first);   defense in depth (yes this is still needed);   best data practices (aka, privacy by design)


A Beginner’s Guide to Understanding the Internet of Things


IoT basics – Cheat sheet for the Internet of Things


On Cybersecurity for the Internet of Things


Distributed denial-of-service (DDoS) attacks and IoT


FTC ‘Internet of Things’ report ignites beltway scuffle


FTC: Build security into IoT devices at the outset, rather than as an afterthought


IoT / IoE: If It Has an IP Address, It Can Be Hacked

++++  THREATs  / bad news stuff / etc  +++

+ Half Of Enterprises Worldwide Hit By DDoS Attacks, Report Says

New data illustrates how distributed denial-of-service (DDoS) attacks remain a popular attack weapon — and continue to evolve. If you still think distributed denial-of-service (DDoS) attacks are merely old-school, outdated, pain-in-the-neck disruption campaigns waged by hacktivists or script kiddies, think again: about half of all enterprises were hit with a DDoS attack last year, and most ISPs and enterprises also suffered more stealthy DDoS attacks aimed at flying under the radar. Some 90% of ISP and enterprise respondents in Arbor Networks’ 10th Annual Worldwide Infrastructure Security Report say they experienced application-layer (versus network connection-sapping) DDoS attacks, and 42% say they were hit by DDoS attacks that used a combination of bandwidth-sapping, application-layer, and state exhaustion methods. HTTP and DNS are the top two targets of application-layer attacks, according to the report, which was released today.


+ President’s plan to crack down on hacking could hurt good hackers

Last night President Obama dedicated more time to cybersecurity than any other president has in a State of the Union address. While on its face a positive sign that political leaders are taking notice of cybersecurity as a real item of pressing national concern, many within the security community believe that the president’s proposed cybersecurity legislation at best would be ineffective at curtailing black hat hacking and at worst could actually criminalize the type of research and penetration testing that vendors and enterprises depend on to harden software and hardware implementations.


+ Will Millennials Be the Death Of Data Security?

Millennials, notoriously promiscuous with data and devices, this year will become the largest generation in the workforce. Is your security team prepared? As the 51 million members of Generation X begin turning 50 this year and start thinking about retirement, the Millennials (also known as Generation C for “Connected”) will be entering the workforce en masse with fresh ideas, optimism… and millions of unprotected connected devices. According to Forrester Research, Generation Xers use technology strictly for convenience; they don’t consider it an integral part of day-to-day life. Millennials, on the other hand, were born in hospitals that attached digital security bracelets to them at birth, which is an apt metaphor for how they now live. Millennials, says Forrester, are digitally integrated into the world around them at all times, both personally and professionally. What’s interesting to me about the Millennial generation is that while they are certainly tech-savvy, they have no interest in protecting their data.


+ White House claims good ‘cyber hygiene’

When it comes to cybersecurity, the White House tries to be as clean as it can be. President Obama and his top officials all practice good “cyber hygiene” so that their accounts and sensitive information are safe from hackers, press secretary Josh Earnest told reporters on Wednesday. Staffers are careful not to get duped by trick links, Earnest said, and officials regularly update their passwords — even on something as simple as a Twitter account. The new focus on the Obama administration’s cyber practices comes in the wake of hackers’ success gaining access to social media accounts run by the Pentagon’s Central Command.


+ Accidental insider top threat to federal cybersecurity

Although federal agencies identify careless or untrained insiders as the top threat to federal cybersecurity, agencies continue to devote the most concern and resources to malicious external threat sources, according to IT software management company SolarWinds. In partnership with research firm Market Connections, SolarWinds conducted an online survey of 200 federal IT professionals to investigate insider threats to federal cybersecurity and gauge federal agencies’ confidence and ability to combat external and internal IT security threats.


+ Supposedly clean Office documents download malware

Bitdefender is warning Microsoft Office users against the emergence of a new spam campaign that is looking to trick antispam filters in order to allow spam to pass freely into mailboxes. The campaign’s success is elevated due to the attachment of what appears to be a ‘clean’ Microsoft document alongside the spam emails. “For a few days, cybercriminals have been sending targeted e-mails to management departments. The e-mails look like a tax return, a remittance or some kind of bill from a bank and carry a Microsoft Word or Excel attachment,” states Catalin Cosoi, Chief Security Strategist at Bitdefender. “If you’ve recently received an odd tax return or a similar request via email, you may not want to open the file.”


+ Bug in ultra secure BlackPhone let attackers decrypt texts, stalk users

A recently fixed vulnerability in the BlackPhone instant messaging application gave attackers the ability to decrypt messages, steal contacts, and control vital functions of the device, which is marketed as a more secure way to protect communications from government and criminal snoops. Mark Dowd, a principal consultant with Australia-based Azimuth Security, said would-be attackers needed only a user’s Silent Circle ID or phone number to remotely exploit the bug. From there, the attacker could surreptitiously decrypt and read messages, read contacts, monitor geographic locations of the phone, write code or text to the phone’s external storage, and enumerate the accounts stored on the device. He said engineers at BlackPhone designer Silent Circle fixed the underlying bug after he privately reported it to them.


+ IG blasts secrecy on JFK IT security lapses

The Department of Homeland Security Inspector General says the Transportation Security Administration is using secrecy protections to paper over run-of-the-mill sloppy IT security practices at John F. Kennedy International Airport. Citing Sensitive Security Information (SSI), the TSA blacked out substantial portions of a report DHS Inspector General John Roth submitted on the security of JFK Airport’s IT operations. In a Jan. 16 letter to Chip Fulghum, acting undersecretary for management, Roth said TSA had overused SSI protections in making redactions in the JFK report. The IT security lapses at the airport, he said, didn’t warrant SSI classification.


+ Internet attack could shut down US gas stations

A device used to monitor the gasoline levels at refueling stations across the United States—known as an automated tank gauge or ATG—could be remotely accessed by online attackers, manipulated to cause alerts, and even set to shut down the flow of fuel, according to research to be published on Thursday. The security weakness—identified by Jack Chadowitz, a former process control engineer and founder of control-system monitoring service BostonBase—could theoretically affect the devices at many of the approximately 115,000 fueling stations in the United States, but only a small fraction of those systems—about 5,300—appear to be vulnerable to an Internet attack, according to security firm Rapid7, which conducted a scan for such devices on January 10.


+ Critical Java updates fix 19 vulnerabilities, disable SSL 3.0

Oracle released new security updates for Java to fix 19 vulnerabilities and disable default support for SSL 3.0, an outdated version of the secure communications protocol that is vulnerable to attacks. The updates were part of Oracle’s quarterly Critical Patch Update, released Tuesday, which fixes 169 security issues across hundreds of products. Fourteen of the 19 vulnerabilities fixed in Java affect client deployments and can be exploited from Web pages through malicious Java applets or Java Web Start applications. Four of them have the maximum severity score 10 in the Common Vulnerability Scoring System (CVSS) and two others come close, at 9.3, meaning they can lead to a full system compromise.


+ New Zeus Variant Targeting Canadian Banks

A new variant of Zeus malware is targeting banks in Canada. It is spreading through exploit kits and through email claiming to be Air Canada invoices. Once it gains purchase in a computer, the malware injects phony web pages to steal account access information, payment card numbers, and driver’s license and Social Insurance numbers.


+ ZeroAccess Click-Fraud Botnet Back In Action Again

After a six-month hiatus, the much-diminished P2P botnet is up to its old tricks. The ZeroAccess botnet — aka Sirefef — is back in action. Fortunately, it’s operating at a smaller scale than it was a couple of years ago.


+ ‘Ghost’ Not So Scary After All

The latest open-source Linux vulnerability is serious but some security experts say it’s not that easy to abuse and use in an attack.


+ 90% of IT Professionals Worried about a Data Breach


+ Eight of the Worst Computer Viruses Ever to Hit the Headlines


+ IT security in 2015: Insider threat will take center stage


+ RTFM: Red Team Field Manual (great reference – $10)


++++   SD/SoCAL security events / opportunities +++

+ CyberTECH events / networking / startups / etc  —  THE cyber happening place in SD!!! 

Join their Meetup Group for the latest event information!   The definition of “Cyber KEWEL”



2 – ISACA – 1PM – Deloitte CIO – A passion for the possible


8-11 – NDSS Symposium 2015


10-12 –  AFCEA West –  Focused on Operations in the Asia-Pacific Region

19 – OWASP – 6PM  RAT Traps & Savvy Adversary Attribution


+++  Future events in planning  FYI:

25-26 Apr – CYBERWEST: The Southwest Cybersecurity Summit (Phoenix AZ)

4-12 May SANS Security West 2015

18-21 Jul  Esri National Security summit


MAR / APR(tbd)   “BigDataDay 4 SD”  all-day event SAT – free –  Jump in and help us – speakers needed!!!

We went to the one in LA and it was great…   our three tracks will be:

(1)  Technical =  Hadoop / HBase / NoSQL;

(2)  Data science = predictive analytics, parallel algorithms, statistical modeling, algorithms for data mining, etc.; and

(3)  Applications =  key use cases…  Privacy by Design / data security, data start-ups / incubators, novel products.

Contact me to join in…  introduction email and agenda at:

TBD – Privacy by Design workshop – a cyber model – provided by IEEE Cyber SIG / various security groups – all day, and why you must be part of this initiative!  (at Coleman University –  AM technical approach… PM public discussions)     Help move SD forward in cyber –  DOING security vs admiring the problem…. SO engage and help out on Cyber 4 PbD!!!

+++  Join our PbD / data security meetup and stay tuned to what’s happening.

See our overview Cyber for PbD brief at

AND Our more detailed technical paper on our Cyber 4 PbD approach, including an executable, proposed open privacy framework within an enterprise architecture is at (this rough draft was  published in a major IEEE magazine this month):



Welcome to Cyber News Tidbits 4​U​ !


A couple of Highlights  (A couple of items of potentially notable interest / high utility &  value… your mileage will vary….)

(Lots happening,  so LOTs to be aware of. Takes 5 min to skim…then pick out a topic or two..)

 ( some great topics / meetings here in SD … scroll to bottom and get engaged)


++++  A  few  highlights of the week +++

 JAN 20

+ Toward Better Privacy, Data Breach Laws

President Obama on Monday outlined a proposal that would require companies to inform their customers of a data breach within 30 days of discovering their information has been hacked. But depending on what is put in and left out of any implementing legislation, the effort could well lead to more voluminous but less useful disclosure. Here are a few thoughts about how a federal breach law could produce fewer yet more meaningful notices that may actually help prevent future breaches.

YES.. not only that, but PRIVACY PAYS!!!  Check out our “Cyber model for privacy by design” approach in the Jan IEEE CE magazine.



+  Hackers are getting in ‘at will’  (YEP – poor hygiene, access control and they just ‘stroll’ in…;-((

At this point, hackers “are bypassing conventional security deployments almost at will,” according to a report out Thursday from security firm FireEye. Of the 1,200 companies FireEye reviewed in the first half of 2014, every retailer was compromised, every healthcare and pharmaceutical company was breached and all but 9 percent of entertainment and media organizations were infiltrated. And in many industries, these attacks are increasingly launched with the direction or support of a government. It’s bad, FireEye concluded, and not getting better.



+ 2015 brings newer, more devastating exploits on the unprepared

If there’s any one thread that can be cultured from the cybersecurity stories of 2014, it has to be the increasing sophistication of attacks that are being made against both public and private organizations. That only looks to continue in 2015, with potentially staggering losses for the victims. A recent study commissioned by EMC Corp., with research carried out in August and September last year, found that companies on average had lost 400 percent more data since 2012, with losses and downtime costing enterprises some $1.7 trillion.



—-  Executing an effective security program –  HOW TO & timeline  —

With all the major data breaches in the news, many wonder why it seems so hard to have an effective, affordable and adequate security program. A security management plan includes a prioritized task list, backed up with adequate resources, to ensure the product or service is built effectively, and that both the product and the organization are safe. This is especially true with cyber where, like all efforts, security leadership needs to get the requirements right first, or they end up resourcing and building the wrong cyber environment, and security incidents and data breaches follow. Following that, they need mature operational processes (and especially configuration management, the critical security control) and a comprehensive security policy to effectively implement and operate the security architecture. So what’s a company to DO?   Read this 3-page paper on the key “what” things matter and the “how” timeline to execute them!



+ SEC might release firms’ cybersecurity exam results (rather like reporting DUIs in the paper…;-))

The Securities and Exchange Commission (SEC) could release this year the results of a cybersecurity examination it conducted in 2014 across roughly 100 financial firms, according to multiple reports. Speaking at a Practicing Law Institute event Wednesday, the agency’s top inspection official said the report gives an indication of how the financial industry is doing on cybersecurity. “My sense on cyber is it’s an unusual regulatory issue,” said Andrew Bowden, who heads the Office of Compliance Inspections and Examinations, Law360 reported. “Everybody understands the stakes and people therefore are highly motivated to get it right.”



San Diego /  SoCal Cyber and Privacy enthusiasts,

Please join IEEE,  ISACA,  ISC2, & CANIETI, as we collaborate for a first ever

— Cross Border Cyber Opportunities event on Friday, 30 Jan!

This is a full day, jam-packed event (lunch included – all for $35) with high-value, relevant benefits, global connections and timely information (along with 4 security CPEs!).

Just some of the topics: Regional Teaming Opportunities (by the CALIBAJA Chairman);    Doing business internationally;   Managed services & forensics;   Cool products;   Security group insights; Privacy PAYS (Senior VIP from the MX Space agency);  CUBIC – making the TJ/MX and SD/USA partnership work; and MORE, of course…   Details and register at:



+ Proposed Changes to US Laws Could Have Chilling Effect on Research

Proposed changes to the US Computer Fraud and Abuse Act (CFAA) and the Racketeering Influenced and Corrupt Organizations (RICO) Act could make the law more open to interpretation and could potentially criminalize certain research activity. For example, the changes could criminalize accessing a public document without the approval of the owner.



+ He knows who really hacked SONY – a hacker group, but McAfee won’t name names



+ The Internet of Things Will Break the Internet



+ Need Some Espionage Done?  Hackers Are for Hire Online – SCARY – ANYONE can pay to attack you… steal your IP…



What a dichotomy in our executive branch on cyber!!!

+ Secret US cybersecurity report: encryption vital to protect private data

Obama makes push for stronger cyber security laws

then Obama Goes On Record Against Encryption,  (WHICH IS IT???)

Says It Should Exist But He Should Be Able To Decrypt?



+ CryptoWall 3.0 is malware on steroids! Sneaky comms with I2P Anonymity Network!



+ 2015: The Year Of The Security Startup – Or Letdown

While stealth startup Ionic and other newcomers promise to change the cyber security game, ISC8 may be the first of many to head for the showers.



+ Cloud, Internet of Things & Big Data: What’s Next in 2015?



+ The state of cybersecurity in the health care industry



+ Top 10 Lessons learned from the Sony Breach (did we really ‘learn’ them (not?) = poor hygiene!)






++++  Cyber Security News you can use  +++



+ Obama unveils cybersecurity proposals: ‘Cyber threats are urgent and growing danger’

Barack Obama unveiled new cybersecurity measures on Tuesday amid warnings from privacy campaigners about unnecessarily “broad legal immunity” that could put personal information at risk in the wake of attacks like the Sony Pictures hack. Just one day after the Pentagon’s own Twitter account was compromised and Obama pushed a 30-day window for consumer security breaches, his administration was hoping the proposed legislation would toughen the response of the private sector by allowing companies to share information with government agencies including the NSA, with which the White House admitted there were “overlapping issues”.



+ Energy Department releases energy sector cybersecurity framework

Energy companies and utilities should develop risk management strategies and incorporate cyber best practices into their security procedures, according to voluntary guidance released by the Energy Department Jan. 8. The Energy Sector Cybersecurity Framework Implementation Guidance was developed in response to the overall Cybersecurity Framework released by the National Institute of Standards and Technology in early 2014 and to an earlier executive order calling for cybersecurity collaboration between industry and government.

Good start – YET no mention of IEC 62443, no mention of Aurora, etc. – in a way it is similar to DOE’s 21 Step document: true but not comprehensive and not specific to control systems.

One standard that is a “must-deploy” best practice is IEC 62443 (formerly known as ISA99).



+ Banking Trojans disguised as ICS/SCADA software infecting plants

A renowned ICS/SCADA security researcher has discovered a surprising twist in cyberattacks hitting plant floor networks: traditional banking Trojan malware posing as legitimate ICS software updates and files rather than the dreaded nation-state custom malware in the wake of Stuxnet. Kyle Wilhoit, senior threat researcher with Trend Micro, recently found 13 different types of crimeware versions disguised as human machine interface (HMI) products Siemens WinCC, GE Cimplicity, and Advantech device drivers and other files. The attacks appear to be coming from traditional cybercriminals rather than nation-state attackers, and are not using cyber espionage-type malware.



+ DISA aims for next-gen system to secure millions of connected devices

The Defense Information Systems Agency is turning to industry for “novel” approaches to secure the millions of devices plugged in to – and virtually connected to – the Pentagon’s computer networks. A Jan. 5 request for information queries contractors on a “next-generation” endpoint security system that would allow the agency to better configure, secure, and keep tabs on network endpoints, all using a central management tool.



+ Is DATA the new weapon against cyber attacks?   YES!

Cybersecurity is in the news and for good reason. Many of us have experienced firsthand what cybercriminals can do with our credit card numbers and our personally identifiable information being sold on the black market. In government, though, the stakes are higher. So it shouldn’t be a surprise that cybersecurity is on GAO’s High Risk List. Government leaders are not just concerned about protecting the operations of federal information systems, but also with protecting critical infrastructure that is vital to our economy, safety, and health, such as power distribution, water supply, telecommunications networks, and emergency services.



+ Cyber Attack Caused PHYSICAL Damage at German Steel Mill

A report released in mid-December disclosed that a cyber attack on a German steel mill caused damage to the facility. The attackers disrupted the plant’s control system to make it impossible to shut down a blast furnace properly. The damage was described as “massive,” but no details were provided. This is the second documented case of a cyber attack causing physical damage – the first, of course, was Stuxnet. The date of the German attack was not provided. But the report said that the attackers gained initial foothold in the system through the corporate network and worked their way from there to the production networks.



+ New Jersey Law Requires Stored Health Data be Encrypted

A newly enacted New Jersey law requires health insurance companies doing business in that state to encrypt personal data they retain on computers. The law, which takes effect later this year, goes beyond data protection requirements specified in the Health Insurance Portability and Accountability Act (HIPAA). The law was prompted by health data breaches in New Jersey.

Text of the Bill:



+ The Future of Privacy | Pew Research Center



+ Hacker Says Attacks On ‘Insecure’ Progressive Insurance Dongle In 2 Million US Cars Could Spawn Road Carnage – talk about needing IoT security for cars…;-((



+ ISO’s Nightmare: Digital Social Engineering (do you have a social media policy in place, monitored?)



+ What to Expect of Big Data in 2015



+ 2015 CES – Four Scary Key Tech Trends

AND the FTC commissioner backs up the need – PRIVACY MATTERS!



+ Breach Detection Systems (BDS) Security Value Map  (PDF file)



+ Why ‘Zero Trust’ Might be the Best Approach for Your Organization



+ Collaborative cybersecurity for the Internet of Things (mentions our SD “SOeC” too!)



+ 2015 cyber security roadmap  (five points to use in your security plans)



+ Traditional defenses not stopping breaches, claims real-world FireEye study



+ Measure your Return on Security Training (can you show the value?)



+ Simplifying The Overwhelming Cyber Security World For Boards of Directors



+  Insider Cyber Threats are an Escalating Danger for Businesses (OF COURSE… assume the bad guys are in!)



+ Asymmetric economic risk – for you investor types – it ain’t fair out there!





++++  FYI / FYSA   +++


+ Why tort liability for data breaches won’t improve cybersecurity (correct, you must build in privacy)

Government policymakers have been hoping for twenty years that companies will be driven to good cybersecurity by the threat of tort liability.  That hope is understandable.  Tort liability would allow government to get the benefit of regulating cybersecurity without taking heat for imposing restrictions directly on the digital economy. Those who see tort law as a cybersecurity savior are now getting their day in court. Literally. Mandatory data breach notices have led, inevitably, to data breach class actions.  And the class actions have led to settlements. And those freely negotiated deals set what might be called a market price for data breach liability, a price that can be used to decide how much money a company ought to spend on security.



+ Obama: Hackers pose a ‘direct threat’ to families

President Obama on Monday unveiled a series of new bills designed to ratchet up cybersecurity protections in the wake of a massive data breach at Sony Pictures, warning the growing problem of online attacks “costs us billions of dollars.” “This is a direct threat to the economic security of American families, and we’ve got to stop it,” Obama said Monday during a speech at the Federal Trade Commission. “If we’re going to be connected, we’ve got to be protected.” Obama unveiled the Personal Data Notification and Protection Act, a bill that would require all corporations to notify consumers within a month if their personal information had been exposed in a data breach. The bill would criminalize the overseas trade of identity information and would attempt to standardize the individual state privacy laws that currently govern data breach notifications.



+ When it comes to cyber attacks, “Who did it?” is a complex and nuanced question (Attribution is really HARD!!!)

In traditional crimes, answering the question is complicated, involving multiple stakeholders and specialties, and progresses incrementally on different levels with follow-up investigations and analysis. “The law enforcement scenario is extensively explored in scholarly literature and popular culture. Attributing cyber attacks is less simple and the ground less familiar,” explain authors in an in-depth and wide-ranging paper on digital attribution that was published Dec. 23, 2014, in the Journal of Strategic Studies.



+  House Dem revives major cyber bill

A senior Democrat on the House Intelligence Committee on Friday will reintroduce a controversial bill that would help the public and private sectors share information about cybersecurity threats. “The reason I’m putting bill in now is I want to keep the momentum going on what’s happening out there in the world,” Rep. Dutch Ruppersberger (D-Md.), told The Hill in an interview, referring to the recent Sony hack, which the FBI blamed on North Korea. The measure – known as the Cyber Intelligence Sharing and Protection Act (CISPA) – has been a top legislative priority for industry groups and intelligence officials, who argue the country cannot properly defend critical infrastructure without it.



+ The Crypto Question – YES is the answer!!!

UK Prime Minister David Cameron pledged to ban encrypted communications that do not have backdoors for government. Cameron is urging President Obama to pressure Apple, Google and Facebook to stop using stronger encryption in their communications products. An article published in The Guardian on Thursday includes details from a 2009 report by the US National Intelligence Council that has since surfaced; that report expresses concern that both government and private computers are not adequately protected because encryption is not being deployed as quickly as it ideally should be.

[Note – I suspect the richer nations are going to have to develop their own encryption systems. The NSA may say that maintaining a known flawed algorithm was regrettable, but that dog won’t hunt. Interesting to note that the day after Mr Cameron made the above promise, the European Union Agency for Network and Information Security (ENISA) issued a report called “Privacy and Data Protection by Design – from policy to engineering” which urges governments within the European Union to use strong encryption.]



+ Anonymous #OpCharlieHebdo campaign takes down 200 suspected jihadist Twitter accounts

A campaign set up by the hacktivist collective Anonymous in the wake of the Charlie Hebdo attacks has resulted in the take down of around 200 suspected jihadist Twitter accounts. The Op Charlie Hebdo (#OpCharlieHebdo) campaign called on social media users to report accounts believed to be affiliated with known terrorists, releasing a link to a list of Twitter accounts. The 36 Twitter accounts included on the list contained posts from users expressing their support of the Paris attack perpetrators, Said and Cherif Kouachi. All 36 accounts have since been suspended.



+ A Beginner’s Guide to Understanding the Internet of Things



+ Microsoft Is Teaching Cybersecurity to Cities Around the World—For Free



+ The Best Privacy and Security-Focused Web Browsers



+ Notable Privacy and Security Books in 2014 | Daniel Solove’s list



+ Obama: Fighting cybercrime is ‘shared mission’



+ Cybersecurity’s Elephant Herd



+ Cybersecurity: How Small and Medium Sized Businesses Can Survive



+ Securing The Modern Enterprise From The Ground Up = PbD



+ A plug for Brian Krebs’ new book – SPAM Nation review



+ Global Information Security Practices: 2015 Survey by Industry:



+ Federal Cloud Deployment Options   (good cloud overview too!)



+ Four cyber security risks not to be taken for granted in 2015



+ Hacking & PII Legislation



+ US Infiltrated North Korea’s Networks in 2010

According to reports in The New York Times and Der Spiegel, US officials’ confidence in blaming North Korea for the attacks against Sony Pictures’ networks is due to the fact that the NSA infiltrated North Korean computers in November 2010.




+ FUN cyber related fact – 100 Years of Computer Science






++++  THREATs  / bad news stuff / etc  +++



+ 2014 in security: THE  biggest hacks, leaks, and data breaches

Worth skimming and trying to actually get some “lessons learned” out of them..



+ Centcom hack: Military tightens password security

The hack attack that seized the U.S. Central Command’s Twitter and YouTube accounts on Monday has prompted the military to tighten its social media password security. Officials have launched an investigation into the alarming hack, which saw the accounts briefly carrying messages promoting the Islamic State. On Tuesday, Pentagon spokesman Col. Steve Warren told reporters that he has ordered all 50 Office of Secretary of Defense social media websites to change their passwords and increase the strength of their passwords — and offered a tip sheet to social media account administrators on “how to keep their accounts more secure.”



+ This USB wall charger secretly logs keystrokes from Microsoft wireless keyboards nearby

Privacy and security researcher Samy Kamkar has released a keylogger for Microsoft wireless keyboards, cleverly hidden in what appears to be a rather large but functioning USB wall charger. Called KeySweeper, the stealthy Arduino-based device can sniff, decrypt, log, and report back all keystrokes – saving them both locally and online. This is no toy. KeySweeper includes a web-based tool for live keystroke monitoring, can send SMS alerts for trigger words, usernames, or URLs (in case you want to steal a PIN or password), and even continues to work after it is unplugged thanks to a rechargeable internal battery.



+ The biggest cyberthreat to companies could come from the inside – OF COURSE – INSIDERS!!!

Companies spend billions of dollars each year to protect from determined hackers attacking from across the Internet, but experts warn they shouldn’t ignore a closer threat they aren’t even ready for: Inside jobs. Morgan Stanley, one of the world’s largest financial services firms, revealed Monday its customer information was breached. But it wasn’t the result of determined hackers or sophisticated email attacks. Instead, Morgan Stanley said it was an employee who stole data from more than 350,000 customer accounts. The move is a wake-up call to companies, which spent an estimated $71.1 billion in 2014 on cybersecurity, up nearly 8 percent from the year before. And while hackers have successfully attacked large companies like JPMorgan, Target and Home Depot, experts warn employees pose just as much a threat, whether they act intentionally or by accident.



+  Microsoft abruptly dumps public Patch Tuesday alerts

For the first time in a decade, Microsoft today did not give all customers advance warning of next week’s upcoming Patch Tuesday slate. Instead, the company suddenly announced it is dropping the public service and limiting the alerts and information to customers who pay for premium support. “Moving forward, we will provide ANS information directly to Premier customers and current organizations involved in our security programs, and will no longer make this information broadly available through a blog post and Web page,” wrote Chris Betz, senior director at the Microsoft Security Response Center (MSRC), the group responsible for the warnings.



+ Bitstamp Bitcoin Exchange Operational Again

Bitcoin exchange Bitstamp is once again open for business, after suspending services on Monday, January 5 in the wake of an attack.  Bitstamp resumed services on Friday, January 9. Bitstamp has implemented a new three-key authentication system, and is running on new hardware, which allowed the company to “preserve the evidence for a full forensic investigation.”

[Note – Recent breaches that have exposed mission critical applications suggest that we should NOT be running those key applications on the same networks and systems where we run high risk applications like e-mail and web browsing.]



+ Logs Can be Helpful Forensic Security Tools  “IF” Used Properly

Many cyber attacks leave footprints in security event logs. However, many organizations collect so much information that it is hard to know where to begin looking for evidence. Many companies are not aware of what sorts of logs they have and what data they should be collecting.

[Note: This Windows logging cheat sheet may be a good start for organizations to look at when considering what they should be logging.]
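As an added illustration of “logs used properly” (this is example code written for this digest, not code from the cheat sheet or from any vendor), the Python script below runs three simple forensic checks over a batch of Windows event records: a burst of failed logons (4625) from one source followed by a success (4624) from the same source; a freshly created account (4720) that is then added to the Administrators group (4732); and a new service install (7045) whose binary lives in a user-writable directory. The event IDs are the real Windows ones; the flattened `time|channel|id|key=value` layout, and every hostname, user, IP address and path in the sample, are constructed for this example.

```python
"""Triage a batch of Windows event records for common attacker footprints.

Added example for the digest; not from the cheat sheet it refers to.
Event IDs are real Windows events (4624/4625 logon success/failure,
4720 account created, 4732 member added to a local group, 7045 new service).
The flattened 'time|channel|id|key=value' layout is a hypothetical
rendering of the event XML; the records themselves are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs).
SAMPLE_EVENTS = """\
2015-01-12T03:14:02|Security|4625|TargetUserName=jsmith|IpAddress=10.0.0.77|LogonType=3
2015-01-12T03:14:03|Security|4625|TargetUserName=jsmith|IpAddress=10.0.0.77|LogonType=3
2015-01-12T03:14:05|Security|4625|TargetUserName=jsmith|IpAddress=10.0.0.77|LogonType=3
2015-01-12T03:14:06|Security|4625|TargetUserName=jsmith|IpAddress=10.0.0.77|LogonType=3
2015-01-12T03:14:08|Security|4625|TargetUserName=jsmith|IpAddress=10.0.0.77|LogonType=3
2015-01-12T03:14:11|Security|4624|TargetUserName=jsmith|IpAddress=10.0.0.77|LogonType=3
2015-01-12T03:20:40|Security|4720|TargetUserName=svc_backup|SubjectUserName=jsmith
2015-01-12T03:21:02|Security|4732|MemberName=svc_backup|TargetUserName=Administrators|SubjectUserName=jsmith
2015-01-12T03:25:17|System|7045|ServiceName=WinUpdateSvc|ImagePath=C:\\Windows\\Temp\\upd.exe|StartType=auto start
2015-01-12T09:02:00|Security|4625|TargetUserName=bob|IpAddress=10.0.0.12|LogonType=2
2015-01-12T09:02:30|Security|4624|TargetUserName=bob|IpAddress=10.0.0.12|LogonType=2
2015-01-12T10:00:00|System|7045|ServiceName=AVAgent|ImagePath=C:\\Program Files\\AV\\agent.exe|StartType=auto start
"""


def parse_event(line):
    """Turn one flattened record into {'time', 'channel', 'id', 'data'}."""
    time_s, channel, event_id, *kvs = line.split("|")
    data = dict(kv.split("=", 1) for kv in kvs)
    return {"time": datetime.fromisoformat(time_s), "channel": channel,
            "id": int(event_id), "data": data}


def parse_events(text):
    return [parse_event(l) for l in text.splitlines() if l.strip()]


def find_bruteforce_success(events, threshold=5, window=timedelta(minutes=5)):
    """4625 burst from one IpAddress followed by a 4624 from the same IpAddress."""
    failures = defaultdict(list)
    findings = []
    for ev in events:
        ip = ev["data"].get("IpAddress")
        if ev["id"] == 4625 and ip:
            failures[ip].append(ev["time"])
        elif ev["id"] == 4624 and ip:
            recent = [t for t in failures[ip] if ev["time"] - t <= window]
            if len(recent) >= threshold:
                findings.append(("bruteforce_success", ip,
                                 ev["data"]["TargetUserName"], len(recent)))
                failures[ip].clear()
    return findings


def find_new_admin_accounts(events, window=timedelta(minutes=10)):
    """4720 (account created) followed shortly by 4732 into Administrators."""
    created = {}
    findings = []
    for ev in events:
        d = ev["data"]
        if ev["id"] == 4720:
            created[d["TargetUserName"]] = ev["time"]
        elif ev["id"] == 4732 and d.get("TargetUserName") == "Administrators":
            member = d.get("MemberName")
            if member in created and ev["time"] - created[member] <= window:
                findings.append(("new_admin_account", member, d.get("SubjectUserName")))
    return findings


# Directories a normal service binary has no business living in.
SUSPICIOUS_PATH_MARKERS = ("\\temp\\", "\\appdata\\", "\\users\\public\\")


def find_suspicious_services(events):
    """7045 service installs whose ImagePath points into a user-writable directory."""
    findings = []
    for ev in events:
        if ev["id"] == 7045:
            path = ev["data"].get("ImagePath", "").lower()
            if any(marker in path for marker in SUSPICIOUS_PATH_MARKERS):
                findings.append(("suspicious_service", ev["data"]["ServiceName"],
                                 ev["data"]["ImagePath"]))
    return findings


def triage(text):
    """Run all three checks and return the findings in log order."""
    events = parse_events(text)
    return (find_bruteforce_success(events)
            + find_new_admin_accounts(events)
            + find_suspicious_services(events))


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Each check only works if the corresponding event is actually being collected: 4625/4624 and 4720/4732 require the Logon and Account Management audit subcategories to be enabled on the host, and 7045 comes from the System log rather than the Security log, which is the point the note above is making about knowing what you have before you go looking for evidence.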



+ Google stops patching aging androids (version 4.3 and older)(930M devices)



+ Bank Fraud Toolkit Circumvents 2FA & Device Identification



+ For cybercriminals, size doesn’t matter



+ Attackers bypass conventional security



+ Mobile Devices Ratchet Up Security Risks



+ Global Botnet Threat Map – Botnet Network Security Activity



+ Why 2015 will be the year of cloud attacks







++++   SD/SoCAL security events / opportunities +++


+ CyberTECH events / networking / startups / etc  —  THE cyber happening place in SD!!! 

Join their Meetup Group for the latest event information!   The definition of “Cyber KEWEL”!





21 – Wed (6PM) –  ISC2 – developing personal branding to include publishing your own e-book, John Horst.

Location: Mitchell International Inc 6220 Greenwich Dr San Diego, CA 92131.


22 – Thur lunch – ISSA – Gary Hayslip, Chief Information Security Officer (CISO), City of San Diego


28 – International Data privacy day

A – “Securing the IoT Privacy masters” by  CyberTECH, SOeC, others – all day event –


B –   Data Privacy Day–   NCSA and Morrison & Foerster LLP  – all day event –



30  – Cross Border cyber opportunities – MX/TJ and CA/SD collaboration event, all day Friday!!! (Hosted at Coleman University) – Contact me to join in –   introduction email and agenda at:






8-11 – NDSS Symposium 2015


10-12 –  AFCEA West –  Focused on Operations in the Asia-Pacific Region




+++  Future events in planning  FYI:


25-26 Apr – CYBERWEST: The Southwest Cybersecurity Summit (Phoenix AZ)


4-12 May SANS Security West 2015


18-21 Jul  Esri National Security summit




MID-MAR (tbd)   “BigDataDay 4 SD”  all-day event SAT – free –  Jump in and help us – speakers needed!!!

WE went to the one in LA and it was great…   our three tracks will be:

(1)  Technical =  Hadoop / Hbase / NoSQL;

(2)  Data science = predictive analytics, parallel algorithms, statistical modeling, algorithms for data mining, etc and

(3)  Applications =  key use cases…  Privacy by Design / data security,  data start-ups / incubators, novel products,

Contact me to join in…  introduction email and agenda at:


TBD – TBD  – Privacy by Design workshop – a cyber model – provided by the IEEE Cyber SIG / various security groups – all day (at Coleman University – AM technical approach… PM public discussions) & why you must be part of this initiative!   Help move SD forward in cyber – DOING security vs admiring the problem…. SO engage and help out on Cyber 4 PbD!!!

+++  Join our PbD / data security meetup, stay tuned to what’s happening..

See our Cyber for PbD overview brief at

AND Our more detailed technical paper on our Cyber 4 PbD approach, including an executable, proposed open privacy framework within an enterprise architecture is at (this rough draft was  published in a major IEEE magazine this month):



JAN 11

+ What to DO with all these hacks, SONY, etc?  Focus on the CISO Fundamentals!!!

While the much more aggressive SONY hack is making more folks aware of the criticality of cyber protections, we cyber SMEs keep admiring the problem / threat (the vast majority of articles just spread “FUD”) – so what exactly should we advise folks to DO?  We developed a 2-page “CISO Fundamentals” paper that tries to start doing just that: an introduction page, with the second page giving our recommendations for an affordable, effective and “due diligence” set of cyber tenets to embed in a risk management plan and DO.

Take a quick peek and see if our recommendations resonate with yours, or did we miss anything?



+ A cyberattack has caused confirmed physical damage for the second time ever

Amid all the noise the Sony hack generated over the holidays, a far more troubling cyber attack was largely lost in the chaos. Unless you follow security news closely, you likely missed it. I’m referring to the revelation, in a German report released just before Christmas, that hackers had struck an unnamed steel mill in Germany. They did so by manipulating and disrupting control systems to such a degree that a blast furnace could not be properly shut down, resulting in “massive”—though unspecified—damage. The attack is only the second confirmed case in which a wholly digital attack caused physical destruction of equipment.



+ FTC officials worried about downside of Internet of Things – Prioritize Privacy in IoT!

Connected home devices or cars, health trackers and other wearables can be useful tools for consumers, but the collection of personal data by the devices has some regulators worried. Federal Trade Commission Chairwoman Edith Ramirez on Tuesday raised concerns about potential abuse of private user information during a session at CES, saying companies need to do more to develop products that protect consumer privacy and data. “In the not too distant future, many, if not most, aspects of our everyday lives will be digitally observed and stored,” Ramirez said during an afternoon panel.

The FTC Chairwoman’s whole speech – some good links too



+ Making Privacy PAY – use Cyber enabled Privacy by Design.

IF the FTC article stirs an interest in protecting privacy better, using data-centric security methods, then…

For one view on how to do that, and a different take on “selling improved cyber protections”, see the “Privacy PAYS” approach that we propose.

Our more detailed technical paper on our “Cyber enabled / facilitated Privacy by Design (PbD)” approach, including an open privacy framework within an enterprise architecture – with proposed specifications too – is here (it was published in the IEEE CE magazine in JAN):



+ The most important tech stories you may have missed in 2014

Looking back, 2014 was the year of Heartbleed. It was the year of big mergers, net neutrality and data breaches. It was the year we lost three airliners. It was the year Congress nearly – but not quite – passed patent reform. We saw Apple unveil the biggest iPhone ever. These and other stories were some of the biggest of 2014. If you missed them then, have at them now: Below, you’ll find some of our most viral and notable posts of the year.



+ With New Policy, DOD Components Won’t Need DISA to Buy Cloud Services

New Defense Department guidance issued Wednesday by Acting Chief Information Officer Terry Halvorsen allows DOD components to acquire commercial cloud services without the Defense Information Systems Agency acting as a broker.

The new policy overrides two previous memorandums that charged DISA with assessing the security of commercial cloud service offerings and cataloging them – a process that caused a bottleneck between potential DOD customers and providers.



+ DISA Posts RFI for Next-Generation Security

The US Defense Information Systems Agency has published a request for information regarding “next-generation” endpoint security systems. DISA is seeking solutions that will help streamline security for the millions of devices that connect to the Pentagon’s networks. Companies have until February 2, 2015 to respond.



+ 20 Startups To Watch In 2015

Check our list of security startups sure to start (or continue) making waves in the coming year.



+ CES 2015: 8 Innovative Security Products

The explosion in smart technologies that connect everyday objects to the internet is transforming both home and personal security.



+ The 11 Best Practices For Winning Government Contracts



+ CES Recap: Attack of the Drones (great overview!  what.. no privacy?)



+ World’s biggest data breaches   Cool infographic on them all…



+ PRIVACY – From “Nobody Cares” to a Top Tech Trend = pivot point???



+ Intel’s button-size Curie will power all kinds of wearables



+  The FTC  And The New Common Law Of Privacy

Daniel J. Solove & Woodrow Hartzog…  Excellent article (mini privacy book) It should be part of every corporate privacy analyst library as a reference for online (Internet / Cloud) compliance.



+ The biggest security debacles of 2014 show that enterprises are still failing at the basics



+ 5 Cybersecurity Bills Signed Into Law By President Obama (links to each bill  too!)





++++  Cyber Security News you can use  +++



+ How a social network could help close the cyber worker shortage

It’s no secret the federal government and scores of private companies have struggled to attract qualified cybersecurity professionals. But the backers of a new project to create a full-scale social networking site to vet current and would-be cyber warriors say the bustling online community they envision may be the answer. When a beta version of the site goes live this spring, organizers aim to have 10,000 registered users participating on the CyberCompEx site, which is a partnership of the U.S. Cyber Challenge, a nonprofit devoted to training the country’s cyber workforce, and jobs-site giant



+ Smart grid powers up privacy worries

The next Big Data threat to our privacy may come from the electricity we consume in our homes. “Smart” online power meters are tracking energy use – and that data may soon be worth more than the electricity they distribute. The Department of Energy is publishing in January the final draft of a voluntary code of conduct governing data privacy for smart meters, 38 million of which have already been installed nationwide. The meters gather information about household electricity consumption and transmit it wirelessly at regular intervals to the supplier. It’s a key element in the push for the so-called smart grid, a more efficient way to distribute the nation’s electricity.



+ Facebook acquires voice recognition firm

Facebook Inc. acquired a company that makes voice recognition technology for wearable devices and Internet-connected appliances, the latest sign of its ambition to extend its reach beyond computers and smartphones. Facebook said it acquired the company on Monday, without providing a price for the deal. The 18-month-old company, based in Palo Alto, California, makes software that can understand spoken words as well as written text phrased in “natural language.”



+ The mobile wave still looks like a trickle in government

Don’t say federal agencies are phoning it in. As Americans take to smartphones, tablets, and other mobile gadgets in droves, agencies are slowly but surely making sure government websites and services are available from those devices. The Obama administration has set a lofty aim of providing government services “anytime, anywhere, and on any device.” But with thousands of federal websites not yet optimized for miniature screens, agencies clearly have their work cut out for them. That’s the takeaway of a new report from the Government Accountability Office, assessing how agencies are meeting the challenges of an increasingly mobile America.



+ The cybersecurity tipping point???

As we bear witness to the aftermath of major attacks this year against the likes of Target, Home Depot, Neiman Marcus and most recently, Sony, it becomes clear that we are entering an entirely new “war” against cyber crime. Those who do not change their approach will lose. The sophistication and proliferation of advanced malware is greater than it has ever been, and widespread awareness of this problem is being fueled by the near daily headlines touting the latest company to fall victim to a cyber attack. Large enterprises are investing more money into cybersecurity technologies than ever before, and the need for a stronger and more comprehensive security model has become a board-level discussion as the severity of these attacks hits home for businesses and consumers alike.



+ If 2014 was the year of the data breach, brace for more!

Data breaches dominated headlines in 2014, and they appear poised to usher in 2015 as well.  While the cybersecurity plights of certain high-profile retailers, financial institutions, and one prominent movie studio became common knowledge and headline fodder, these companies were far from the year’s only victims.  In fact, a recent study found that more than 40% of companies experienced a data breach of some sort in the past year – four out of ten companies that maintain your credit card numbers, social security numbers, health information, and other personal information.  That number is staggering, and shows no signs of retreat. It is against that backdrop and at the end of 2014-dubbed by some as the “year of the breach”-that we revisit several notable cybersecurity developments from the prior year.



+ Do not accept the myth that cyber thieves are always one step ahead (disagree, assume they are and are IN your network now!)

Millions of pieces of data were stolen this year by cyber-criminals who were able to bypass the sophisticated security systems of some of the world’s largest companies. We’ve all seen the headlines and read the findings from research and analyst firms like Protiviti, whose 2014 IT Security and Privacy Survey found that organizations are not confident they can prevent data breaches. Despite the growing number of high profile breaches, too much information security spending still focuses on the prevention of attacks, while not enough has gone to creating or improving information monitoring and response capabilities. The priorities must shift from protecting information from the outside-in to an approach I call ‘information-centric security’.  (YES, take enterprise risk / privacy view, but do the cyber basics well first, effective prevention rules in ROI)


+ DHS-funded cybersecurity app goes commercial

A cybersecurity product funded by the Homeland Security Department is going wide. A mobile security application-archiving system developed with DHS funding is to be commercialized by a small business called KryptoWire. DHS granted George Mason University $250,000 to create the system, according to the Washington Post. The original goal was to allow government agencies to maintain an inventory of apps that they had examined for security compliance. Now the department has approved more funding for the company, which spun out of the research project.



+ US Digital Service hauled in to shore up White House security after hack

After a breach of unclassified White House internal networks last fall, the Obama administration hauled in a team of former Silicon Valley tech mavens to help patch up network security. The U.S. Digital Service – the newly minted federal IT fix-it shop headed by former Google engineer Mikey Dickerson – has been dispatched to look at shoring up security on the White House networks, the Office of Management and Budget confirmed to Nextgov. Efforts to extinguish the suspicious behavior on the unclassified network were still ongoing as of Oct. 30, after the breach weeks before.



+ In 2015, agency IT security and operations converge

Two powerful trends will shape the government cybersecurity agenda in the coming year, say security experts, but they have more to do with how government security is managed than what technologies will better defend agency systems. First, cybersecurity will increasingly be integrated from the start into the platforms and software being acquired and developed by agencies. Also, cybersecurity will no longer be considered the exclusive province of the CISO or the CSO, but will become a professional requirement for everyone responsible for IT services to the agency.



+ Microsoft Advance Security Notification Changes

Microsoft will no longer provide advance notification about its monthly security bulletins to the general public. Instead, the information will be available only to paying Premier support customers and to organizations that participate in the company’s security programs. The service, which began more than a decade ago, provided information about bulletins on the Thursday prior to the patches’ Tuesday release.

Microsoft has said that the main reason for the change is that most customers no longer use the information available in advance.



+ Security trends 2015 predictions round-up – great list of the big ones!



+ Last Minute Cybersecurity Predictions for 2015



+ Top 5 cybersecurity risks for 2015

From identity theft and fraud to corporate hacking attacks, cybersecurity has never been more important for businesses, organizations and governments. Hacking experts warn there are plenty more security risks ahead in 2015 as cyber criminals become more sophisticated. While “traditional” cybercrime such as internet password fraud will still be widespread in 2015, larger scale espionage attacks and hacking the Internet of Things (IoT) will also be risks. CNBC takes a look at the biggest threats to your online world in 2015.



+ The cyber threat in 2015: 10 twists on hackers’ old tricks

Hacking trends are not like fashion fads. They don’t go in and out each year. They withstand defenses by advancing, in terms of stealth and scope. So there will be no 2015 “What’s Hot and What’s Not” list of cyber threats confronting federal agencies. Instead, here is a list of hacker “Old Faves and New Twists” feds should be mindful of.



+ A 2014 Look back: Predictions vs. Reality

It was a tumultuous year for cyber security, but it drove the adoption of incident response plans and two-factor authentication.



+ This cybersecurity medicine might be tough to swallow

Imagine you’re the CEO of a thriving company and you’ve been horrified by the news of the Sony hack, the Target breach and the litany of security issues that have plagued big companies in recent years. You swear you’re going to do whatever’s necessary to make sure it won’t happen to your company. But do you realize what that really means? …..  You have to admit, you’re intrigued because you never want to be in the position of explaining to your board of directors why you were the latest victim.



+ France Passes Online Surveillance Law That Makes It Legal to Spy on Internet Users

The law took effect on New Year’s Eve; it allows the government to collect details about local users, including IP addresses, locations, duration and timing of connections, lists of numbers called and callers, as well as device information, be they laptops, tablets, or phones.



+ No Rules of Cyber War – Politico

U.S. in uncharted waters with ‘proportionate response’ on hack attacks. “Unlike plans for possible conventional military attacks in hotspots, the U.S. doesn’t have off-the-shelf response plans for cyberattacks of this sort,”



+ CryptoWall 2.0 Has Some New Tricks  (be fearful of these!!!)

New ransomware variant uses Tor for command-and-control traffic and can execute 64-bit code from its 32-bit dropper.



+ How NOT To Be The Next Sony: Defending Against Destructive Attacks

When an attacker wants nothing more than to bring ruin upon your business, you can’t treat them like just any other criminal…   The Malicious IT Insider…   incident response…



+ Federal Cybersecurity Spending is Big Bucks But Does it Stop Hackers?

Despite paying $59 billion for data protections since fiscal 2010, the federal government couldn’t stave off hacks against the White House, State Department, Army and dozens of other agencies.



+ RE: Common Thread in Major Security Breaches: Privileged Account Vulnerabilities

In fact, threat investigators estimate that anywhere from 80% to all targeted cyber attacks exploit privileged accounts during the attack process. Great overview – PAPER.



+ Five Steps to Making Privacy and Security Your New Year’s Resolution



+ Vendors: Expect Increased Compliance Pressure in 2015

Get Your Cyber Security Insurance, Says One Privacy Lawyer



+ What CISOs, InfoSec Pros Have on Their 2015 Wish Lists



+ Can Your Company Survive a Cyber Attack? (cool Infographic)



+ ISO Adopts Standard For Privacy In the Cloud



+ $1 Spent on State Government Tech Saves $3.50, Study Finds



+  Internet of Things and Fog Computing



+  Cyber ‘mass shooter’ poses future threat to computer security, ex-intel official says



+ What is next for the future tech of 2014?



+ How The Internet Of Things Market Will Grow



+ Survey Indicates Directors Concerned with Lack of Proper Cyber and IT Risk Information



+ Why the Sony Hack Doesn’t Matter (and DOING the security basics does!!!)



+  World Deployment Map | Internet of Things  pick a country, see what they are doing)





++++  FYI / FYSA   +++


+ FBI director gives new clues tying North Korea to Sony hack

The FBI director revealed new details Wednesday about the stunning cyberattack against Sony Pictures Entertainment, part of the Obama administration’s effort to challenge persistent skepticism about whether North Korea’s government was responsible for the brazen hacking. Speaking at the International Conference on Cyber Security at Fordham University, FBI Director James Comey revealed that the hackers “got sloppy” and mistakenly sent messages directly that could be traced to IP addresses used exclusively by North Korea. Comey said the hackers had sought to use proxy computer servers, a common ploy hackers use to disguise their identities and throw investigators off their trail by hiding their true locations.



+ Morgan Stanley says fired employee stole data on 350,000 clients


Morgan Stanley said it has fired an employee for allegedly stealing and trying to sell financial information about 350,000 clients — or about 10% of customers at the Wall Street giant’s wealth-management arm. The stolen data included names, account numbers, size of accounts and certain transaction information. There was no sign that Social Security numbers, passwords or credit-card information were taken, and “no evidence of any economic loss to any client,” Morgan Stanley said in a statement Monday.



+ Medical file hack affected nearly half a million Postal workers

Network intruders compromised health information on current and former U.S. Postal Service employees who filed for workers’ compensation, USPS officials say. (wow, that seems like a lot of claims?) The files were accessed during a previously reported September cyber intrusion that netted the Social Security numbers of about 800,000 USPS employees. Details of the health data breach are just now being revealed for the first time. The agency does not face health data security fines or Health and Human Services Department breach notification violations, because the data was not part of an insurance plan.



+ Agencies improve, but still fall short of cybersecurity CAP goals

Most agencies are making progress in securing their information and protecting themselves from cyber threats, but they’re still falling short of the Cross-Agency Priority (CAP) Goals set by the Obama administration, according to a recently posted fourth-quarter update. The Obama administration established 15 cross-agency priority goals when it released the 2015 budget last spring. The seven mission-oriented and eight management goals are laid out in a four-year timeframe.



+ 2014: The year in cyberattacks

While Sony may have dominated the news toward the end of 2014, three major cyberattacks against U.S. companies shook the corporate world earlier this year: Target opened the year by announcing in January that hackers had stolen personal information from an estimated 110 million accounts; hackers accessed approximately 83 million J.P. Morgan Chase accounts in August; and Home Depot confirmed that its payment system was breached in September, compromising an estimated 56 million accounts. Here’s a look back at the details of each of those attacks, and how they affected the conversation about cybersecurity in the United States and the corporate sector.



+ 2014: The year we entered a cyberpunk present

Fifty years ago, Isaac Asimov wrote about a wondrous science fiction world that would await in 2014: A world of constant convenience with instant coffee, video phones and robot vacuums, much of which is already a reality. But not all science fiction is so utopian. Even as technology makes our lives easier, cybersecurity concerns are also pushing us closer to the darker cyberpunk genre — which often features a neo-noir world with shadowy hacker groups wreaking havoc on the physical world through digital attacks.



+ Browsing in privacy mode? Super Cookies can track you anyway

For years, Chrome, Firefox, and virtually all other browsers have offered a setting that doesn’t save or refer to website cookies, browsing history, or temporary files. Privacy-conscious people rely on it to help cloak their identities and prevent websites from tracking their previous steps. Now, a software consultant has devised a simple way websites can in many cases bypass these privacy modes unless users take special care. Ironically, the chink that allows websites to uniquely track people’s incognito browsing is a much-needed and relatively new security mechanism known as HTTP Strict Transport Security.



+ It’s Time to Treat Your Cyber Strategy Like a Business

How do we win against cybercrime? Take a cue from renowned former GE chief exec Jack Welch and start with a clearly-defined mission.



+ Using Free Tools To Detect Attacks On ICS/SCADA Networks

ICS/SCADA experts say open-source network security monitoring software is a simple and cheap way to catch hackers targeting plant operations.



+ HealthCare security news and decent facts / stats..

How Mobility is Changing Healthcare



+ Insider threat methods and concerns…

Enhancing Your Insider Threat Strategy – good overall PAPER



+ The Most Important Next Step You Should Take After A Data Breach (several great VIPs key points!!)



+ The Hacker-Proof Wares In CES’s First ‘Personal Privacy’ Section



+ Assets: Fundamental Target of Cyber Attacks; Fundamental Subject of Cyber Defenses |



+ 15 AppSec Tips From the Top Ethical Hackers of 2014

Imagine that.. most of the same activities the cyber SMEs propose, which we all should know by now..



+ Ingredients for Architecting the Security of Things



+ Can the Internet of Things Be Secured? Somewhat. Sort of…

Yet what it connects to needs to be secure too. Good numbers and points..


+ Education and assessing Cyber KSAs



+ Last Minute Cybersecurity Predictions for 2015



+ In Cyberspace, Anonymity and Privacy are Not the Same



+ Cybercrime’s easiest prey: Small businesses



+ Cyber approach to outsmart criminals



+ Top Cyberespionage Campaigns of 2014






++++  THREATs  / bad news stuff / etc  +++



+ The year of the breach: 10 federal agency data breaches in 2014

Call 2014 the year of the breach. Financial institutions, big-box retailers, entertainment giants, and, yes, government agencies fell victim to an assortment of cyber intruders last year. While private-sector cyberincidents stole the spotlight, the feds proved to be a tempting target for hackers as well. Over the past few years, the number of security incidents at federal agencies involving the potential exposure of personal information has skyrocketed, from about 10,400 in 2009 to more than 25,000 in 2013, according to the Government Accountability Office. There’s no data yet on the total number of breaches at agencies in 2014. But with the year almost in the rearview mirror, Nextgov takes a look back at the 10 most impactful, high-profile or otherwise eyebrow-raising federal agency breaches.



+ Cybercrime dipped during holiday shopping season

Black Friday through Cyber Monday traditionally has been the most vulnerable time for many businesses — especially retailers — for cyberattacks, but new data from IBM shows that attacks against all industries during that period in 2014 actually decreased 50% from the previous two years. But that doesn’t mean the bad guys took an extended holiday. From Nov. 24 through Dec. 5, IBM’s Managed Security Services saw 3,043 cyberattack attempts per day against client organizations in various industries, versus an average of 4,200 during that period in 2013. IBM says there were 10 breaches reported during the 2014 holiday season, versus more than 20 last year.



+ Lizard Squad attacks story by Brian Krebs

Now that cybersecurity blogger Brian Krebs has outed members of the group that took out the PlayStation and Xbox Live networks over Christmas, the hackers are coming after him. “Lizard Squad” has been bombarding his site with garbage traffic for some 40 days, Krebs told CNNMoney. On Friday morning, they finally managed to bring it down — although only for a short time. Lizard Squad is a curious modern-day phenomenon. With little technical skill and zero finesse, a mysterious group has affected more than 150 million lives by wreaking havoc on popular gaming networks in the last year.



+ Google discloses unpatched Windows vulnerability

A Google researcher has disclosed an unpatched vulnerability in Windows 8.1 after Microsoft didn’t fix the problem within a 90-day window Google gave its competitor. The disclosure of the bug on Google’s security research website early this week stirred up a debate about whether outing the vulnerability was appropriate. The bug allows low-level Windows users to become administrators in some cases, but some posters on the Google site said the company should have kept its mouth shut. Google said it was unclear if versions of the Windows OS earlier than 8.1 were affected by the bug.



+ Researchers find 64-bit version of Havex RAT

Trend Micro researchers have come across a 64-bit version of Havex, a remote access tool (RAT) that has been used in cyber espionage campaigns aimed at industrial control systems (ICS). According to the security firm, while the 64-bit Havex has only been spotted recently, it has been around for quite some time. In the campaign known as Dragonfly (Energetic Bear/Crouching Yeti), the threat actors appeared to be using only a 32-bit version of Havex since most of the systems they targeted ran the outdated Windows XP operating system. However, researchers at Trend Micro have spotted two Windows 7 infections in which the 64-bit version of the threat had been used.



+ FBI Says Warrants Not Necessary to Use Stingray in Public

US Senators are questioning the FBI’s use of cell-tower spoofing technology known familiarly as Stingray. The agency says it does not need a warrant to harvest data. Senators Patrick Leahy (D-Vermont) and Chuck Grassley (R-Iowa), chairman and ranking member of the Senate Judiciary Committee, have written a letter expressing concern “about whether the FBI and other law enforcement agencies have adequately considered [Americans’] privacy interests,” and seeking additional information on the technology’s use.



+ Did Insiders Help With Sony Attack? (of course they did!!! Knew right where to go to steal IP!)

Some researchers suspect that the attack on Sony Pictures’ computer systems was aided by at least one former employee. The theory is based on leaked documents that show a series of layoffs in spring 2014.



+ Deconstructing The Sony Hack: What I Know From Inside The Military

Don’t get caught up in the guessing game on attribution. The critical task is to understand the threat data and threat actor tactics to ensure you are not vulnerable to the same attack.



+ Majority Of 4G USB Modems Vulnerable And SIM Cards Exploitable Via SMS

Security researchers from Positive Technologies have stated that almost all 4G USB modems and SIM cards contain exploitable vulnerabilities that can give attackers full control of the devices to which they are connected.



+ North Korea boosted ‘cyber forces’ to 6,000 troops, South says

The North Korean military’s “cyber army” has boosted its numbers to 6,000 troops, the South Korean Defence Ministry said on Tuesday, double Seoul’s estimate for the force in 2013, and is working to cause “physical and psychological paralysis” in the South. The new figure, disclosed in a ministry white paper, comes after the United States, South Korea’s key ally, imposed new sanctions on North Korea for a cyber attack on Sony Pictures Entertainment. Pyongyang has denied involvement in the attack.



+ The hidden dangers of third party code in free apps

Research from MWR InfoSecurity has shown the various ways hackers can abuse ad networks by exploiting vulnerabilities in free mobile apps. When people install and use free applications – more so than paid apps – they may be handing over their address books, the contents of their SMS, e-mail or in some cases, giving away full control of their devices. This is because of privileged code injected into the apps that advertisers and third parties use for tracking. So while the users may trust the app developer, the app code inserted by advertisers may introduce vulnerabilities attackers can exploit to access their devices via the app.



+ Long-Running Cyberattacks Become The Norm

Many companies are so focused on the perimeter that they have little idea what’s going on inside the network.



+ Nation-State Cyberthreats: Why They Hack

All nations are not created equal and, like individual hackers, each has a different motivation and capability.



+ When to Get a Penetration Test vs. A Vulnerability..



+ Hacking an ATM with a Samsung Galaxy 4 Smartphone



+ Wifiphisher Wi-Fi Hacking Tool Automates Wi-Fi Phishing



+ FBI Investigating Whether Companies Are Engaged in Revenge Hacking (DON’T!)



+ The Nature of Cybersecurity and Strategies for Unprecedented Cyber Attacks



+ One billion more: Kaspersky Lab counts up this year’s cyber-threats



+ A Hacker’s Hit List of American Infrastructure (USA ICS / SCADA targets called out!!!)



+  The Most Dangerous People on the Internet Right Now (yes, NSA is one, sort of)




++++   SD/SoCAL security events / opportunities +++


+ CyberTECH events / networking / startups / etc — THE cyber happening place in SD!!!

Join their Meetup Group for the latest event information! The definition of “Cyber KEWEL”


+ Webster University’s new SD cyber security program – check it out..





15 – OWASP – Running InfoSec for America’s Finest City.. Gary Hayslip, CISO for the City of San Diego,


15 – IoT Startup Table Breakfast



22 – ISSA – Gary Hayslip, Chief Information Security Officer (CISO), City of San Diego


28 – International Data Privacy Day

A – “Securing the IoT Privacy masters” by CyberTECH, SOeC, others – all day event


B – Data Privacy Day – NCSA and Morrison & Foerster LLP – all day event



30 – Cross Border cyber opportunities – MX/TJ and CA/SD collaboration event, all day Friday!!! (Hosted at Coleman University) – Contact me to join in – introduction email and agenda at:



31 – (tentative) “BigDataDay 4 SD” all-day event SAT – free – Jump in and help us – speakers needed!!!

We went to the one in LA and it was great… our three tracks will be:

(1) Technical = Hadoop / HBase / NoSQL;

(2) Data science = predictive analytics, parallel algorithms, statistical modeling, algorithms for data mining, etc.; and

(3) Applications = key use cases… Privacy by Design / data security, data start-ups / incubators, novel products.

Contact me to join in… introduction email and agenda at:





8-11 – NDSS Symposium 2015


10-12 – AFCEA West – Focused on Operations in the Asia-Pacific Region




+++  Future events in planning  FYI:


25-26 Apr – CYBERWEST: The Southwest Cybersecurity Summit (Phoenix AZ)


4-12 May SANS Security West 2015


18-21 Jul – Esri National Security Summit



TBD – Provided by IEEE Cyber SIG / various security groups – all-day Privacy by Design workshop – a cyber model & why you must be part of this initiative! (at Coleman University – AM technical approach… PM public discussions) Help move SD forward in cyber – DOING security vs admiring the problem…. SO engage and help out on cyber 4 PbD!!!

+++ Join our PbD / data security meetup, stay tuned in to what’s happening..

See our overview Cyber for PbD brief at

AND our more detailed technical paper on our Cyber 4 PbD approach, including an executable, proposed open privacy framework within an enterprise architecture, is at (this rough draft was published in a major IEEE magazine this month):


Welcome to Cyber News Tidbits 4U!


A couple of Highlights (a couple of items of potentially notable interest / high utility & value… your mileage will vary….)

(Lots happening, so LOTs to be aware of. Takes 5 min to skim… then pick out a topic or two..)

(some great topics / meetings here in SD … scroll to bottom and get engaged)

++++  Some  highlights of the week +++

DEC 30

Since it’s New Year’s… got to have predictions…

+ Cybersecurity hindsight and a look ahead at 2015

This year we witnessed a series of high-profile security breaches, from the aftermath of the Target and Home Depot fiascos, to a number of attacks on other national retailers, including Michaels, Goodwill and Neiman Marcus. Then there was the massive breach at JP Morgan Chase, which compromised personal information of more than 83 million households and businesses, and finally over 100 terabytes of internal files and films recently stolen from Sony. Nobody was safe in 2014. In addition to large retailers, media companies and financial institutions, technology companies like eBay and Snapchat were hacked, too, and so were government organizations and healthcare institutions. Also this year, massive Internet infrastructure vulnerabilities were discovered, including Shellshock, Heartbleed and POODLE.

AND another – Proofpoint cybersecurity predictions for 2015 – Let’s just FIX what we know is broken!!



+ Top Data Breaches of 2014 – SONY is but ONE (and a call to cyber arms…)

If the top breaches of 2014 taught the security world anything, it’s that size and sector don’t matter – all organizations are vulnerable. The infographic looks at the top incidents and the lessons security leaders took away from them.

+ Lessons Learned from Data Breaches – BUT did we – really???

Timeline of cyber attacks and data breaches in 2014



+ Sony’s Wake Up Call for Cybersecurity – MAYBE???

How corporate executives may respond to the Sony hack.. if they actually get the gravity now…



+ Cyber and Privacy turmoil abounds… WHAT TO DO – the CISO Fundamentals

All these hacks, leaks, breaches – more ‘admiring the problem / threat’, spreading more “FUD” and not so much DOING cyber – so where are the affordable mitigation recommendations? With breaches continuing to increase, as well as cybercrime overall, and thus financial and business losses increasing too, organizations need to take a more effective enterprise risk management approach to cyber security and protecting privacy. So what are the ‘due diligence’ cyber steps needed, that we can afford? Gary and I developed a two-page “CISO Fundamentals” paper to help quantify what that entails. Take a quick peek and let us know what else you think is needed.



+ The first polymorphic ransomware emerges, spreads on its own – SCARY STUFF!!

A new step in the evolution of ransomware has been documented by security researchers who discovered a sample that encrypts the files on the storage unit and creates unique instances of itself thanks to its polymorphic feature. The threat has been named VirRansom and VirLock by researchers from Sophos and ESET, respectively, to reflect both its virus side and its desktop-locking ransomware side. However, unlike the usual crypto-malware, this one allows decryption of the files, but it won’t stop locking the screen, thus forcing the victim to pay.



+ And the Winner for the Most Hacked Sector for 2014 is … Health and Medical

How much does that cost??? Data Breach Cost Calculator



+ 2014 is ending, but this wave of technology disruptions is just beginning

Changes in technology are happening at a scale which was unimaginable before and will cause disruption in industry after industry. This has really begun to worry me, because we are not ready for this change and most of our leading companies won’t exist 15–20 years from now. Here are five sectors to keep an eye on.



+ DARPA’s Autonomous Microdrones Designed to Enter Houses

And you thought those pesky quad-copters were an invasion of privacy, a perfect terrorist tool…;-((



+ IoT & Marketing in 2015: 3 Ways Marketers Will Rethink Big Data



+ What 2015 Holds for Cybersecurity Stocks — HD, JPM, EBAY, SNE, CSCO





++++  Cyber Security News you can use  +++



+ Apple Issues First Automatic Update (what does this tell you… on several fronts!!!)

Apple has pushed out its first automated update. The fix addresses flaws in the Mac OS X network time protocol (NTP) component. Apple has had the capability to push out fixes automatically for several years, but this is the first time it has actually used the service. The vulnerability fixed in this patch lies in the NTP code that OS X uses to keep its system clock synchronized.



+ Will CDM finally be ‘the realization of IT security’?

For more than a decade, the federal government has been moving from a periodic, compliance-based approach to IT security to real-time awareness based on the continuous monitoring of IT systems and networks. While progress has been spotty so far, some security watchers say Phase 2 of the Homeland Security Department’s Continuous Diagnostics and Mitigation program, expected to be implemented in 2015, could be a major step forward. Jeff Wagner, director of security operations for the Office of Personnel Management, said Phase 2 could be “the realization of IT security.”



+ NSA Releases 12 Years Worth of Internal Reports

The US National Security Agency (NSA) has made public 12 years’ worth of internal reports for the President’s Intelligence Oversight Board. Even heavily redacted, the reports indicate that the NSA conducted illegal surveillance with mild or no consequences. The reports were released in response to a Freedom of Information Act (FOIA) lawsuit brought by the American Civil Liberties Union (ACLU).



+ Cybersecurity Firm Identifies Six In Sony Hack

One is a former employee – do you have a tight process to delete ALL of a terminated employee’s access???



+ Security in 2015: Will you care about the next big breach?



+ Breaches should reignite push for better cyber hygiene — YES!!!

While it is debatable as to whether or not companies like USIS or Keypoint had sufficient internal cybersecurity controls in place to mitigate the breaches, what’s clear is that most contracting vehicles are outdated and ill-suited for the cyber challenges of today.



+ Congress is urged to make key decisions on commercial drones

The Obama administration is on the verge of proposing long-awaited rules for commercial drone operations in U.S. skies, but key decisions on how much access to grant drones are likely to come from Congress next year.



+ Insider Threats a Major Concern for Businesses (this should be obvious to all by now)



+ NIST Cybersecurity Framework infographic… how it all integrates..



+ Snowden Documents Show How Well NSA Codebreakers Can Pry



+ Security and the Rise of Machine-to-Machine (M2M) Communications  (IoE & IoT)



+ 10 Top Challenges Industrial IoT Must Overcome in 2015



+ 2015 CISO Wish List and New Year Resolutions


SO.. quit wishing for stuff and DO the CISO fundamentals!!!



+ Smartwatch Hacked, how to access data exchanged with Smartphone



+ ‘Farcing’ overtaking ‘phishing’ as online identity theft threat



+ Pew Research Center: The future of privacy – VERY IN-DEPTH review!!






++++  FYI / FYSA   +++



+ Sony hack: Is Congress next?

Government agencies and congressional offices are vulnerable to the same kind of cyberattack that hit Sony Pictures, experts say. Lawmakers on Capitol Hill are well aware of the growing threat online, and many tell staff to act as if everything they write in email could one day become public. “I try to inspire my staff often that when they write an email, they write it as if it should be right on the front page of your newspaper,” said Rep. Brad Sherman (D-Calif.), whose district includes Hollywood, in an interview with The Hill.



+ Obama signs 5 cybersecurity bills

Without ceremony, President Obama on Dec. 18 signed five cybersecurity-related bills, including legislation to update the Federal Information Security Management Act, the law that governs federal government IT security. It’s the first time in 12 years that significant cybersecurity legislation has become law. The last major piece of cybersecurity law to be passed by Congress and signed by a president was the E-Government Act of 2002, which included FISMA.



+ German researchers discover a flaw that could let anyone listen to your cell calls

German researchers have discovered security flaws that could let hackers, spies and criminals listen to private phone calls and intercept text messages on a potentially massive scale – even when cellular networks are using the most advanced encryption now available. The flaws, to be reported at a hacker conference in Hamburg this month, are the latest evidence of widespread insecurity on SS7, the global network that allows the world’s cellular carriers to route calls, texts and other services to each other. Experts say it’s increasingly clear that SS7, first designed in the 1980s, is riddled with serious vulnerabilities that undermine the privacy of the world’s billions of cellular customers.



+ Attack on German Steel Factory System Caused “Massive Damage”

Attackers breached the security of a German steel mill’s network and caused considerable damage by manipulating the controls of a blast furnace. The attackers gained an initial foothold in the network through a phishing email, and from there were able to make their way into the plant’s production network. The attack was disclosed in the annual report of the German Federal Office for Information Security.

[Note: Another bad example of weak reusable passwords used for very sensitive access. Many other security failures here, but the root cause of so many breaches traces back to the use of reusable passwords and the ease of compromise, whether via phishing or eavesdropping or keystroke capture malware…. This is a classic example of the air-gap mythology that endures in industrial control system environments. Most companies in these historically non-technology-based critical infrastructure industries continue to operate as if they don’t need to be concerned about cybersecurity, when in fact they should be more concerned than the companies whose greatest fear is simply losing data. And they need to re-evaluate their architecture to ensure physical separation of IT and OT.]



+ FIRST LOOK at Australian Signals Directorate Cloud Computing Security for Tenants guidelines:

In general, the Australian Cyber Security Centre has put together a “Critical Security Controls”-like look at the most important security processes to examine when considering a cloud service provider. There are several recommendations that are meaningful, doable and rightly prioritized (such as choosing a CSP that has been assessed, testing incident response yearly, protecting authentication credentials, tokenizing data, etc.). There is a sensible differentiation between which security issues are most relevant to Software as a Service vs. Infrastructure as a Service, etc. The CSP version is pretty much just the Tenant document with the syntax changed so that an auditor looks to see that the Tenant recommendations were followed.



+ Watchdog says Secret Service misses the bar on cybersecurity

The Secret Service, no stranger to security lapses, is being dinged by an internal auditor for not requiring two-step verification to access agency networks and for ignoring government-wide rules for continuously monitoring network security. For the past year, the Department of Homeland Security subdivision has refused to digitally report data about cyber defenses, according to a new inspector general report. DHS, which Congress last week designated the point agency on cybersecurity, is in charge of the federal continuous monitoring initiative. The department’s inability to get its own agency to fall in line could raise questions about the enlargement of Homeland Security’s cyber authorities.



+ Chinese Android phone maker hides secret backdoor in its devices

Chinese smartphone maker Coolpad has built an extensive “backdoor” into its Android devices that can track users, serve them unwanted advertisements and install unauthorized apps, a U.S. security firm alleged today. In a research paper released today, Palo Alto Networks detailed its investigation of the backdoor, which it dubbed “CoolReaper.” “Coolpad has built a backdoor that goes beyond the usual data collection,” said Ryan Olson, director of intelligence at Palo Alto’s Unit 42. “This is way beyond what one malicious insider could have done.”



+ China is reportedly blocking access to Gmail inside the country.

China began blocking various Google services in 2009 and started blocking Gmail access earlier this year. Users have been seeking third party email clients to access their accounts, and now those have been blocked as well. The only way to access Gmail in China now is through virtual private networks (VPNs).



+ 2014: The year cyber danger doubled

As we look back at cyber topics in 2014, don’t be surprised if you are seeing double.

This has been a year when cybersecurity stories doubled in breadth, depth and width of societal influence. As the Internet has expanded into every area of life, the opportunities have grown dramatically – but so have the challenges with the ‘dark side’ of the Internet.



+ Heartbleed, Shellshock, Tor and more: The 13 biggest security stories of 2014

The security of the web itself was tested in unprecedented ways in 2014, but the news isn’t all bad.



+ US Justice Dept. Establishes New Cyber Security

A new unit operating under the US Department of Justice’s (DoJ’s) Computer Crime and Intellectual Property division will provide legal advice for cyber crime investigations worldwide. The unit will concentrate on proactive considerations to help reduce the likelihood of attacks.



+ ‘Data Integration for Dummies’ (eBook)



+ Making Security Measurable – Application Security

Making Security Measurable – Software Assurance



+ 8 ways mobile will get your attention in 2015



+ Hackers hit a poorly configured server to breach JPMorgan

Weak hygiene and access control… THE cause of 95% of all security incidents…;-((

So when will folks make this job one???



+ An ‘Hour of Code’? How About 5 Minutes for Security?



+ The Future of Cybersecurity Jobs



+ Tracking Moving Targets: Exploit Kits and CVEs



+ FBI: The Top 3 Ways Congress Could Help Fight Tenacious Cyber Threats

Demarest suggested three ways Congress could help the FBI keep pace with evolving cyber threats.





++++  THREATs  / bad news stuff / etc  +++



+ The Coolest Hacks Of 2014

TSA baggage scanners, evil USB sticks, and smart homes were among the targets in some of the most creative — and yes, scary — hacks this year by security researchers. A weaponized PLC… cheating TSA’s carry-on baggage scanners… hacking satellite ground terminals by air, sea, land… smart home devices not so savvy… crashing the vehicle traffic control system… one bad-ass USB… a worm in your NAS…



+ U.S. puts new focus on fortifying cyber defenses

The Obama administration is increasingly concerned about a wave of digital extortion copycats in the aftermath of the cyberattack on Sony Pictures Entertainment, as the government and companies try to navigate unfamiliar territory to fortify defenses against further breaches. About 300 theaters on Thursday screened the movie that apparently triggered the hacking attack, a comedy about the assassination of North Korean leader Kim Jong Un, after Sony reversed its initial decision to acquiesce to hacker demands that the film be shelved.



+ For North Korea’s cyber army, long-term target may be telecoms, utility grids

The hacking attack on Sony Pictures may have been a practice run for North Korea’s elite cyber-army in a long-term goal of being able to cripple telecoms and energy grids in rival nations, defectors from the isolated state said. Non-conventional capabilities like cyber-warfare and nuclear technology are the weapons of choice for the impoverished North to match its main enemies, they said. Obsessed by fears that it will be over-run by South Korea and the United States, North Korea has been working for years on the ability to disrupt or destroy computer systems that control vital public services such as telecoms and energy utilities, according to one defector.



+ Misfortune Cookie flaw puts 12 million routers at risk

Researchers at the security software company Check Point say they’ve discovered a serious vulnerability lurking inside the routers and modems used to deliver Internet connectivity to 12 million homes and small businesses around the world, and it’s going to be a complicated matter to fix it. Dubbed the Misfortune Cookie, the weakness is present in cable and DSL modems from well-known manufacturers like D-Link, Huawei and ZTE, and could allow a malicious hacker to hijack them and attack connected computers, phones and tablets. An attacker exploiting Misfortune Cookie could also monitor a vulnerable Internet connection, stealing passwords, business data or other information.



+ ICANN e-mail accounts, zone database breached in spearphishing attack

Unknown attackers used a spearphishing campaign to compromise sensitive systems operated by the Internet Corporation for Assigned Names and Numbers (ICANN), a coup that allowed them to take control of employee e-mail accounts and access personal information of people doing business with the group. ICANN, which oversees the Internet’s address system, said in a release published Tuesday that the breach also gave attackers administrative access to all files stored in its centralized zone data system, as well as the names, postal addresses, e-mail addresses, fax and phone numbers, user names, and cryptographically hashed passwords of account holders who used the system.



+ Russian Group Stole Millions from Banks

A cyber crime group has been targeting banks, payment systems, and retail companies in Russia and countries that were once part of the Soviet Union. Known as Anunak, the group stole funds, credit card data, and intellectual property. They stole from cash machine networks, which means the funds are being stolen from the banks and not customers’ accounts. In all, the group has stolen more than US $25 million.



+ Xbox Live, PlayStation Network Target of DDoS Attacks

Last week, users found they were unable to log into the PlayStation Network and Xbox Live; Sony says the problems were caused by distributed denial-of-service (DDoS) attacks. The trouble began on the evening of December 24. As of Sunday, December 28, the PlayStation network is back online. The FBI is reportedly investigating the attacks.



+ Security boot kits: past, present, future (eBOOK)

A history of these malware tools, and what the future might bring…



+ 10 deadliest differences of state-sponsored attacks




++++   SD/SoCAL security events / opportunities +++


+ CyberTECH events / networking / startups / etc — THE cyber happening place in SD!!!

Join their Meetup Group for the latest event information! The definition of “Cyber KEWEL”


+ Webster University’s new SD cyber security program – check it out..





15 – OWASP – Running InfoSec for America’s Finest City.. Gary Hayslip, CISO for the City of San Diego,