• Home
  • Resources
    • Find Resources by Topic Tags
    • Cybersecurity Policy Chart
    • CSIAC Reports
    • Webinars
    • Podcasts
    • Cybersecurity Digest
    • Standards & Reference Docs
    • Journals
    • Certifications
    • Acronym DB
    • Cybersecurity Related Websites
  • Services
    • Free Technical Inquiry
    • Core Analysis Task (CAT) Program
    • Subject Matter Expert (SME) Network
    • Training
    • Contact Us
  • Community
    • Upcoming Events
    • Cybersecurity
    • Modeling & Simulation
    • Knowledge Management
    • Software Engineering
  • About
    • About the CSIAC
    • The CSIAC Team
    • Subject Matter Expert (SME) Support
    • DTIC’s IAC Program
    • DTIC’s R&E Gateway
    • DTIC STI Program
    • FAQs
  • Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer
Login / Register

CSIAC

Cyber Security and Information Systems Information Analysis Center

  • Resources
    • Find Resources by Topic Tags
    • Cybersecurity Policy Chart
    • CSIAC Reports
    • Webinars
    • Podcasts
    • Cybersecurity Digest
    • Standards & Reference Docs
    • Journals
    • Certifications
    • Acronym DB
    • Cybersecurity Websites
  • Services
    • Free Technical Inquiry
    • Core Analysis Task (CAT) Program
    • Subject Matter Expert (SME) Network
    • Training
    • Contact
  • Community
    • Upcoming Events
    • Cybersecurity
    • Modeling & Simulation
    • Knowledge Management
    • Software Engineering
  • About
    • About the CSIAC
    • The CSIAC Team
    • Subject Matter Expert (SME) Support
    • DTIC’s IAC Program
    • DTIC’s R&E Gateway
    • DTIC STI Program
    • FAQs
  • Cybersecurity
  • Modeling & Simulation
  • Knowledge Management
  • Software Engineering
/ CS Digests / 14 Nov 2017

CS Digest: 14 Nov 2017

Posted: 11/14/2017 | Leave a Comment

The Cybersecurity (CS) Digest is a curated bi-weekly news summary for cybersecurity professionals. It is transmitted in an HTML-formatted email and provides links to articles and news summaries across a spectrum of cybersecurity topics.

CSIAC ANNOUNCEMENTS:

6 New Cyber Awareness Videos: “Simple Steps to Online Safety” - CSIAC

These six short cyber awareness videos feature simple steps you and your organization can take to be more secure online.

Read the Latest CSIAC Journal – Tools & Testing Techniques for Assured Software – DoD Software Assurance Community of Practice: Volume 2 - CSIAC

This is volume 2 of 2 special edition issues on Software Assurance. This edition explores different aspects of software assurance competencies that can be used to improve software assurance functions and how to develop/deploy assured software throughout the lifecycle acquisition process. Articles are contributed by software assurance practitioners from the DoD and civil government that are devoted to the advancement of secure development principles in U.S government critical systems.

Free CSIAC Webinar Tomorrow Nov 15 @ 12:00PM EST – Software Defined WAN (SD-WAN): Security Implications and Design Solutions - CSIAC

Software Defined WAN (SD-WAN) is transforming Wide Area Networks (WANs) by providing a highly available Secure WAN Transport combined with Direct Internet Access in the branches. With SD-WAN, Enterprises can mix WAN service offerings from multiple providers (MPLS, Internet, Carrier Ethernet, 3G/4G, ...) to optimize their bandwidth costs and dynamically balance applications across the various links. This session will discuss the security implications of this new architecture.

The DoD Cybersecurity Policy Chart – Updated January 2018 - CSIAC

The goal of the DoD Cybersecurity Policy Chart is to capture the tremendous breadth of applicable policies, some of which many cybersecurity professionals may not even be aware, in a helpful organizational scheme. The use of color, fonts and hyperlinks are all designed to provide additional assistance to cybersecurity professionals navigating their way through policy issues in order to defend their networks, systems and data.

RECENT HEADLINES:

Cyber Crime:

The Devil Targets Japan with Bad Rabbit-like Wiper-Ransomware - Infosecurity

The name ONI, can mean "devil" in Japanese, and it also appears in the email address found in its ransom note. Attacks observed by Cybereason suggest that the malware lives up to its name. Aside from encrypting files on the infected machines, ONI can encrypt files on removable media and network drives - and there's evidence that the true purpose of the attack is to exfiltrate and destroy data.

Silence Gang Borrows From CARBANAK to Steal From Banks - Threatpost

A cybercrime outfit stealing from as many as 10 banks in Russia, Armenia and Malaysia has borrowed heavily from one of the kingpins in this realm, Carbanak, which is alleged to have stolen possibly as much as $1 billion worldwide from financial organizations. The new group has been called Silence by researchers at Kaspersky Lab who today published a report about the criminals' activities, which bare a sharp resemblance to Carbanak. But the relationship apparently ends at imitation.

FEEDBACK FROM PREVIOUS DIGEST:

Cyberwarfare:

Russia’s Election Hackers Use D.C. Cyber Warfare Conference as Bait - The Daily Beast

The Russian military hackers behind last year's election meddling are using an upcoming cyber warfare conference in Washington D.C. as a lure to infect a new crop of victims with malware, security researchers said Sunday, effectively turning a high-level gathering packed with NATO and U.S. military cyber defenders into an opportunity for more attacks.

Cybercom Establishes Strategic Concepts to Mitigate Cyber Threats to Natl Security - Executive Gov

The U.S. Cyber Command has developed an operational approach to defensive cyber operations and strategic concepts which aim to help address a number of cyber threats to national security.

RECENT HEADLINES:

Data Security:

Analysis of 3,200 Phishing Kits Sheds Light on Attacker Tools and Techniques - SecurityWeek

Phishing kits are used extensively by cybercriminals to increase the efficiency of stealing user credentials. The basic kit comprises an accurate clone of the target medium's login-in page (Gmail, Facebook, Office 365, targeted banks, etc), and a pre-written php script to steal the credentials -- both bundled and distributed as a zip file. Successfully phished credentials are mailed by the script to the phisher, or gathered in a text file for later collection. This is commodity phishing; not spear-phishing. A legitimate website, often a Wordpress site with old and vulnerable add-ons, is compromised. An orphaned page with no internal links is created, and the kit uploaded and unzipped. It is largely unknown to the site's administrator and invisible to external search engines; and is ready to use. The criminal merely has to send out his phishing emails pointing to the spoofed login on the compromised website.
Tags: Phishing

Russia Hackers Pursued Putin Foes, Not Just US Democrats - The Associated Press

The hackers who disrupted the U.S. presidential election last year had ambitions that stretched across the globe, targeting the emails of Ukrainian officers, Russian opposition figures, U.S. defense contractors and thousands of others of interest to the Kremlin, according to a previously unpublished digital hit list obtained by The Associated Press.
Tags: Information Warfare

Estonia Government Locks Down ID Smartcards: Refresh or Else - The Register

The Estonian government is suspending the use of the Baltic country's identity smartcards in response to a recently discovered and wide-ranging security flaw.

Kaspersky: NSA Staffer’s Laptop Was Infected with Malware - CNET

The Russian cybersecurity company releases details from its internal investigation into an NSA hack, which it's accused of being behind.

Blockchain and Digital Currency:

D-Link Middle East “DLink-MEA” Website is Secretly Mining Cryptocurrencies - Seekurity Blog

Bitcoin mining websites became the new fashion of 2017 and there is no dust on that but when it comes to compromise websites to host such fashion it becomes a headache (well to the consumers at least). Have you heard about KRACK the WPA2 vulnerability? If you did you probably was searching for your device/router vendor's patch, no? if you are using D-Link products and living in the middle east and while looking for KRACK's cure and the search results led you to D-LINKMEA.com website unfortunately you were mining Monero cryptocurrency!
Tags: Cryptocurrency

Hundreds of Millions in Digital Currency Remains Frozen - Threatpost

Between $150 million and $300 million in digital currency called ether remains inaccessible today after a user said he "accidentally" triggered a vulnerability that froze the funds in the popular Parity wallet.
Tags: Cryptocurrency

Insider Threat:

The Human Element: Insider Behavior Facilitates Cyber Attacks, Erodes Business Trust - Security Magazine

The mysterious foreign villains striking the largest companies and political organizations from the dark corners of the Internet tend to get the splashy headlines. However, the network openings that allow outside cyber-attackers to burrow in, infect databases, and potentially take down an organization's file servers overwhelmingly originate with trusted insiders.

Internet-of-Things:

IOT is Insecure, Get Over it! Say Researchers - Threat Post

Noted security experts Charlie Miller and Chris Valasek said the Internet of Things can't be secure, but it can be tamed. Drawing from their car hacking experience, the two spent the morning contemplating the larger universe of IoT security and conceded that there will always be thousands of connected devices that will never be secure, and that industry should prioritize personal safety and the security of automobiles and medical devices, for example, over toothbrushes and door locks.

Machine Learning and Artificial Intelligence:

An AI Detected Colorectal Cancer With 86 Percent Accuracy - Engadget

We've heard of many different uses for AI within the medical field, including for prediction of heart attacks and detection of Alzheimer's. Now, it looks as though machine intelligence could be applied to early detection of cancer as well. A group of Japanese researchers has figured out a way to use AI to spot colorectal cancer tumors before they become malignant, according to Inverse. The team compiled a database of over 30,000 images of pre-cancerous and cancerous cells in order to help the AI detect the difference between the two. After the machine learning process had taken place, they fed it an image of a colorectal polyp that had its magnification increased by a factor of 500. The program was able to determine within a second whether that specific polyp was cancerous.
Tags: Artificial Intelligence (AI)

Mobile Security:

ToastAmigo Malware Uses New Twist to Attack Toast Overlay Vulnerability - SCMagazine

A new malware has been uncovered that uses an updated methodology to abuse the previously patched Android Toast overlay vulnerability, which once installed, can download additional malware as well as use various permissions to access the phone. The malware is called ToastAmigo, detected by Trend Micro as ANDROIDOS_TOASTAMIGO, and is believed to represent the first observed weaponized use of vulnerability CVE-2017-0752 in Toast, Trend Micro mobile threat analyst Lorin Wu reported. This type of attack was shown as possible in a proof of concept earlier this year and Google issued a patch for the flaw in September. Trend Micro found two apps, disguised as app lockers and both named Smart AppLocker, that are being used to spread ToastAmigo. One of the apps has been downloaded more than 500,000 times (Wu did not say which) as of November 6. The full extent of the malware's capabilities are not known, but it is thought to have ad-clicking, app-installing, and self-protecting/persistence capabilities.
Tags: Mobile Security

Private Sector:

Cybersecurity Skills Crisis Causing Rapidly Widening Business Problem - Security Magazine

The Information Systems Security Association (ISSA) and independent industry analyst firm Enterprise Strategy Group (ESG) revealed trending data finding that the cybersecurity skills shortage is worsening and becoming a rapidly widening business problem. The majority of survey respondents (70 percent) continue to believe that the cybersecurity skills shortage has had an impact on their organization - yet these same organizations (62 percent, up almost 10 percent from last year) are falling behind in providing an adequate level of training for their cybersecurity professionals. Further, the report confirms that the cybersecurity skills shortage is exacerbating the number of data breaches: Forty-five percent of organizations experienced at least one security event over the past two years, and 91 percent of survey respondents believe most organizations are vulnerable to a significant cyber-attack or data breach. The cybersecurity skills shortage represents the top two contributing factors to these security events, with the first being a lack of adequate training of non-technical employees (31 percent) and the second being a lack of adequate cybersecurity staff (22 percent). These are followed by business executive management making cybersecurity a low priority (20 percent).

Quantum Computing:

Corkscrew Light Beams Could Lead to Practical Quantum Computers - Engadget

Who said light only had to travel in boring waves or particles? Not Harvard. Its researchers have found a way to spin light into complex states that promise breakthroughs in multiple fields. They've built metasurfaces whose elaborate optics combine two kinds of light momentum (orbital angular and spin angular) to send light into corkscrews, spirals or even fork-like shapes. If you want to change the light state, you just need to change the polarization of that light. They're not just for show, of course. The research team envisions these complex light states being very helpful for quantum optics and data, which could help quantum computers become a practical reality. They could also lead to high-powered imaging where a hole in the center of a light vortex could be changed to refocus on a subject. And it could also lead to better free-space optical communication that can transmit through turbulent air and other conditions that scatter light. While it's very early days for this exotic light manipulation, it could prove instrumental to computing in the long run.
Tags: Quantum Computing

CSIAC Supported Communities

CSIAC supports several communities of practice, such as the Cyber Community of Interest (COI) Group and research & development working groups.

Technical Resources, Policy and Guidance

This list of related sites provides additional sources to pursue the topic of Cybersecurity. The sites include Government organizations, including federal agencies, Department of Defense and military service agencies, commercial organizations, and academic institutions.


The CS Digest provides links to third party Websites. The CSIAC is not responsible for the availability of, and content provided on, third party Websites. You should refer to the policies posted by other Websites regarding their privacy and other topics before you use them. The CSIAC is not responsible for third party content accessible through the CSIAC CS Digest, including opinions, advice, statements, advertisements and endorsements, and you bear all risks associated with the use of such content.

« 31 Oct 2017
28 Nov 2017 »

Reader Interactions

Leave a Comment Cancel

You must be logged in to post a comment.

sidebar

Blog Sidebar

Featured Content

Data Privacy Day - Jan 28

Data Privacy Day is January 28th

You can help create a global community that respects privacy, safeguards data, and enables trust. You can help teach others about privacy at home, at work, and in your community.

Learn How

Featured Subject Matter Expert (SME): Daksha Bhasker

A dynamic CSIAC SME, Senior Principal Cybersecurity Architect, Daksha Bhasker has 20 years of experience in the telecommunications services provider industry. She has worked in systems security design and architecture in production environments of carriers, often leading multidisciplinary teams for cybersecurity integration, from conception to delivery of complex technical solutions. As a CSIAC SME, Daksha's contributions include several published CSIAC Journal articles and a webinar presentation on the sophiscated architectures that phone carriers use to stop robocalls.

View SME's Contributed Content

The DoD Cybersecurity Policy Chart

The DoD Cybersecurity Policy Chart

This chart captures the tremendous breadth of applicable policies, some of which many cybersecurity professionals may not even be aware, in a helpful organizational scheme.

View the Policy Chart

CSIAC Report - Smart Cities, Smart Bases and Secure Cloud Architecture for Resiliency by Design

Integration of Smart City Technologies to create Smart Bases for DoD will require due diligence with respect to the security of the data produced by Internet of Things (IOT) and Industrial Internet of Things (IIOT). This will increase more so with the rollout of 5G and increased automation "at the edge". Commercially, data will be moving to the cloud first, and then stored for process improvement analysis by end-users. As such, implementation of Secure Cloud Architectures is a must. This report provides some use cases and a description of a risk based approach to cloud data security. Clear understanding, adaptation, and implementation of a secure cloud framework will provide the military the means to make progress in becoming a smart military.

Read the Report

CSIAC Journal - Data-Centric Environment: Rise of Internet-Based Modern Warfare “iWar”

CSIAC Journal Cover Volume 7 Number 4

This journal addresses a collection of modern security concerns that range from social media attacks and internet-connected devices to a hypothetical defense strategy for private sector entities.

Read the Journal

CSIAC Journal M&S Special Edition - M&S Applied Across Broad Spectrum Defense and Federal Endeavors

CSIAC Journal Cover Volume 7 Number 3

This Special Edition of the CSIAC Journal highlights a broad array of modeling and simulation contributions – whether in training, testing, experimentation, research, engineering, or other endeavors.

Read the Journal

CSIAC Journal - Resilient Industrial Control Systems (ICS) & Cyber Physical Systems (CPS)

CSIAC Journal Cover Volume 7 Number 2

This edition of the CSIAC Journal focuses on the topic of cybersecurity of Cyber-Physical Systems (CPS), particularly those that make up Critical Infrastructure (CI).

Read the Journal

Recent Video Podcasts

  • Privacy Impact Assessment: The Foundation for Managing Privacy Risk Series: The CSIAC Podcast
  • Agile Condor: Supercomputing at the Edge for Intelligent Analytics Series: CSIAC Webinars
  • Securing the Supply Chain: A Hybrid Approach to Effective SCRM Policies and Procedures Series: The CSIAC Podcast
  • DoD Vulnerability Disclosure Program (VDP) Series: CSIAC Webinars
  • 5 Best Practices for a Secure Infrastructure Series: The CSIAC Podcast
View all Podcasts

Upcoming Events

Wed 27

Enterprise Data Governance Online 2021

January 27 @ 08:00 - 13:30 EST
Organizer: DATAVERSITY
Thu 28

Data Privacy Day

January 28
Jan 28

Data Privacy Day

January 28, 2022
View all Events

Footer

CSIAC Products & Services

  • Free Technical Inquiry
  • Core Analysis Tasks (CATs)
  • Resources
  • Events Calendar
  • Frequently Asked Questions
  • Product Feedback Form

About CSIAC

The CSIAC is a DoD-sponsored Center of Excellence in the fields of Cybersecurity, Software Engineering, Modeling & Simulation, and Knowledge Management & Information Sharing.Learn More

Contact Us

Phone:800-214-7921
Email:info@csiac.org
Address:   266 Genesee St.
Utica, NY 13502
Send us a Message
US Department of Defense Logo USD(R&E) Logo DTIC Logo DoD IACs Logo

Copyright 2012-2021, Quanterion Solutions Incorporated

Sitemap | Privacy Policy | Terms of Use | Accessibility Information
Accessibility / Section 508 | FOIA | Link Disclaimer | No Fear Act | Policy Memoranda | Privacy, Security & Copyright | Recovery Act | USA.Gov

This website uses cookies to provide our services and to improve your experience. By using this site, you consent to the use of our cookies. To read more about the use of our site, please click "Read More". Otherwise, click "Dismiss" to hide this notice. Dismiss Read More
Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled

Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.

Non-necessary

Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.