The Cybersecurity (CS) Digest is a curated bi-weekly news summary for cybersecurity professionals. It is transmitted in an HTML-formatted email and provides links to articles and news summaries across a spectrum of cybersecurity topics.
Free CSIAC Webinar Jan 30 @ 12:00 pm EST – Meeting DFARS Controlled Unclassified Information (CUI) Compliance Standards for Federal Contractors - CSIAC
Defense Federal Acquisition Regulation Supplement (DFARS) established guidelines that required all government contractors to establish a program to protect Controlled Unclassified Information (CUI). All federal contractors were required to meet DFARS minimum security standards by December 31, 2017 or risk losing their DoD contracts. This webinar will detail the steps to become compliant, including following the National Institute of Standards (NIST) procedures for Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, Special Publication 800-171. Although the deadline is past, many companies still have much work to do to be fully compliant. This webinar will walk through the background of CUI, what organizations have done to become compliant, and outline where the CUI program is headed.
Data Privacy Day – January 28 - CSIAC
CSIAC proudly joins the NCSA and numerous other organizations in celebrating Data Privacy Day. CSIAC acknowledges that the Internet touches all aspects of everyone's daily life, and we understand there are many unknown variables in how to stay safe and secure online. This is why we're so excited to announce we are launching a series of resources during January to help raise privacy awareness. During the entire month of January, you will have the chance to participate in and receive a variety of resources to help you better understand data privacy and the simple steps you can take to protect yourself, your family and your organization. Our goal is to enable you to make the most of today's technology in a safer and more secure environment.
The goal of the DoD Cybersecurity Policy Chart is to capture the tremendous breadth of applicable policies, some of which many cybersecurity professionals may not even be aware of, in a helpful organizational scheme. The use of color, fonts and hyperlinks is designed to provide additional assistance to cybersecurity professionals navigating their way through policy issues in order to defend their networks, systems and data.
An elite, government authored cyberweapon has been sitting online in public view for nearly anyone to copy since Dec. 22 because multinational energy technology company Schneider Electric mistakenly posted a sensitive computer file to VirusTotal, three sources familiar with the matter told CyberScoop.
British 15-year-old Gained Access to Intelligence Operations in Afghanistan and Iran by Pretending to be Head of CIA, Court Hears - Telegraph
A 15-year-old gained access to plans for intelligence operations in Afghanistan and Iran by pretending to be the head of the CIA to gain access to his computers, a court has heard.
‘Terabyte of Death’ Cyberattack Against DoD Looms, DISA Director Warns - Department of Defense
The vast, global networks of the Defense Department are under constant attack, with the sophistication of the cyber assaults increasing, the director of Defense Information Systems Agency said here today.
Cybercriminals are exploiting Microsoft Office vulnerabilities to distribute Zyklon malware in a recent spam campaign targeting the telecommunication, insurance, and financial services sectors.
Tech Giants and Elected Officials Back Microsoft in Supreme Court Case on International Data Privacy - GeekWire
Microsoft is set for a Supreme Court face-off with the U.S. Department of Justice next month over the privacy of emails stored abroad, and some of the world's biggest tech giants as well as elected representatives in the U.S. and Europe are lending support to Microsoft's arguments.
When we appeared before the United States Congress last fall, Twitter publicly committed to regularly updating both congressional committees and the public on findings from our ongoing review into events surrounding the 2016 U.S. election.
On a clear day this summer, security researcher Ang Cui boarded a boat headed to a government biosafety facility off the northeastern tip of Long Island. Cui's security company, Red Balloon, will spend the next year studying how its Internet of Things threat-scanning tool performs on the building control systems of Plum Island Animal Disease Center. If successful, the project could provide a critical tool in the fight against vulnerabilities in embedded industrial systems and critical infrastructure.
After a contentious debate, the House of Representatives has voted to extend a controversial government surveillance program that powers American spying operations, as it voted down a proposal to include new privacy measures.
In December, new export control rules for computer network intrusion software were published by the Wassenaar Arrangement, an international body that governs trade in goods with military and civilian applications for 42 member states. These new rules represent a significant victory for computer security practitioners in a policy dialog that has been going on for many years. However, there is important work that remains to be done.
Image recognition technology may be sophisticated, but it is also easily duped. Researchers have fooled algorithms into confusing two skiers for a dog, a baseball for espresso, and a turtle for a rifle. But a new method of deceiving the machines is simple and far-reaching, involving just a humble sticker.
Last year, researchers found what at the time was quite possibly the world's most sophisticated espionage app ever written for the Android mobile operating system. Now, in a discovery that underscores the growing arms race among competing malware developers, researchers have uncovered a new Android spying platform that includes location-based audio recording and other features that have never been seen in the wild before.
OnePlus has announced that up to 40,000 customers were affected by the security breach that caused the company shut down credit card payments for its online store earlier this week. The information is the result of an ongoing investigation with a third-party security agency into the breach that caused customers' credit card information to be stolen while they were purchasing OnePlus products.
Prolific bug hunter Guang Gong has earned the highest-ever payout for a vulnerability in the history of Google's Android Security Rewards program, which began in 2015. He earned a combined $112,500 for the disclosure of an Android exploit chain impacting Google's Pixel handset that could allow an attacker to inject arbitrary code via a malicious URL accessed via the phone's Chrome browser.
Yale Privacy Lab is now collaborating with Exodus Privacy to detect and expose trackers with the help of the F-Droid app store. F-Droid only offers FOSS apps without tracking, has a strict auditing process, and may be installed on most Android devices without any hassles or restrictions.
Cisco Rolls Out Solution to Detect Malware in Encrypted Traffic - Bleeping Computer
Cisco rolled out Encrypted Traffic Analytics (ETA), a breakthrough technology that identifies malware in encrypted traffic without the need to intercept and decrypt data streams.
Maine Program Aims to Get Girls Interested in Cybersecurity - Seattle Times
Republican Gov. Paul LePage, the Maine Office of Information Technology and the Maine Department of Education are backing a new program to get high school girls interested in cybersecurity.
After Years of Avoidance, Department of Energy Joins Quest to Develop Quantum Computers - Science Mag
The U.S. Department of Energy (DOE) is joining the quest to develop quantum computers, devices that would exploit quantum mechanics to crack problems that overwhelm conventional computers. The initiative comes as Google and other companies race to build a quantum computer that can demonstrate "quantum supremacy" by beating classical computers on a test problem. But reaching that milestone will not mean practical uses are at hand, and the new $40 million DOE effort is intended to spur the development of useful quantum computing algorithms for its work in chemistry, materials science, nuclear physics, and particle physics.
Now NIST has incorporated these viewpoints into a second draft for Version 1.1 of its Framework. It has done so in the interest of meeting the demands of those who use the document to stay on top of the latest digital threats. The updates NIST made in Version 1.1 of its Framework (PDF) boil down to five major revisions.
Meltdown and Spectre: Vulnerabilities in Modern Computers Leak Passwords and Sensitive Data - Meltdown Attack
Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to steal data that is currently being processed on the computer. A malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs.
Naval Dome Exposes Vessel Vulnerabilities to Cyber Attack - Sea Trade-Maritime
More onboard cyber vulnerability has been revealed, with maritime cyber defence firm Naval Dome demonstrating yet more ways hackers can compromise ship safety.
CSIAC supports several communities of practice, such as the Cyber Community of Interest (COI) Group and research & development working groups.
This list of related sites provides additional sources to pursue the topic of Cybersecurity. The sites include Government organizations, including federal agencies, Department of Defense and military service agencies, commercial organizations, and academic institutions.
The CS Digest provides links to third party Websites. The CSIAC is not responsible for the availability of, and content provided on, third party Websites. You should refer to the policies posted by other Websites regarding their privacy and other topics before you use them. The CSIAC is not responsible for third party content accessible through the CSIAC CS Digest, including opinions, advice, statements, advertisements and endorsements, and you bear all risks associated with the use of such content.