The Cybersecurity (CS) Digest is a curated bi-weekly news summary for cybersecurity professionals. It is transmitted in an HTML-formatted email and provides links to articles and news summaries across a spectrum of cybersecurity topics.

CSIAC ANNOUNCEMENTS:

Free CSIAC Webinar June 29 @ 12 PM EDT – eMASS, the True Story - CSIAC

This webinar will cover the realities of the Enterprise Mission Assurance Support Service (eMASS): what works well, what does not work, and how to best make it work for you.

RECENT HEADLINES:

Critical Infrastructure:

Watch Hackers Take Over the Mouse of a Power-Grid Computer - WIRED

The best work of hackers tends to remain invisible. But when sophisticated intruders broke into the computer networks of regional energy firms in Ukraine in 2015 and cut power to roughly a quarter million people, their tampering didn't go unnoticed. In this rare instance, the staff of one of those electric utilities managed to capture the hackers' handiwork on video.

Cyber Crime:

South Korean Web Host Pays Largest Ransomware Demand Ever - CNET

The ransomware attacked more than 153 Linux servers that South Korean web provider Nayana hosted, locking up more than 3,400 websites on June 10. In Nayana's first announcement a few days later, it said the hackers demanded 550 bitcoins to free up all the servers -- about $1.62 million.

Data Security:

AES-256 Keys Sniffed in Seconds Using €200 of Kit a Few Inches Away - The Register

Researchers at Fox‑IT have managed to wirelessly extract secret AES-256 encryption keys from a distance of one metre (3.3 feet) – using €200 (~US$224) worth of parts obtained from a standard electronics store – just by measuring electromagnetic radiation. At that distance sniffing the keys over the air took five minutes, but if an attacker got within 30 centimetres (11.8 inches) of a device, the extraction time is cut down to just 50 seconds.

Threats: Social Engineering and Malicious Spam Dominate - DataBreach Today

Good news: Exploits kits remain in decline, thanks in large part to concerted efforts to disrupt their efficacy.  Unfortunately, criminals are focusing instead on social engineering attacks - including tech-support scams - and malicious spam campaigns as malware distribution mechanisms, as noted by Brad Duncan, a threat intelligence analyst for the Unit 42 security research group at Palo Alto Networks, in a Wednesday blog post.

A Decade Old Unix/Linux/BSD Root Privilege-Escalation Bug Discovered - The Hacker News

Security researchers have discovered more than a decade-old vulnerability in several Unix-based operating systems - including Linux, OpenBSD, NetBSD, FreeBSD and Solaris - which can be exploited by attackers to escalate their privileges to root, potentially leading to a full system takeover.

Republican Data Broker Exposes 198M Voter Records - Threat Post

Detailed voter profiles of 198 million voters were left exposed on an Amazon S3 account by Republican Party-affiliated data broker Deep Root Analytics. The discovery was made by Chris Vickery, cyber risk analyst at security firm UpGuard.

Internet-of-Things:

Internet of Things: Let the Avatars Talk to Each Other - MIT News

On the 25th anniversary of the universal barcode in 1999, the barcode community gathered around Sanjay Sarma and his colleagues and said, "Let's do this."

Network Security:

Has ‘Fireball’ Malware Infected 250 Million Computers? Microsoft Disputes Shocking Claim - ARS Technica

Microsoft sparked a curious squabble over malware discovery and infection rates. At the start of the month security firm Check Point reported on a browser hijacker and malware downloader called Fireball. The firm claimed that it had recently discovered the Chinese malware and that it had infected some 250 million systems.

Blockchain: Overhyped Buzzword or Real-deal Enterprise Solution? - ComputerWorld

While blockchain is among the hottest technologies in the enterprise security, data storage and file-sharing arenas, many experts question its use or even whether it's really as secure as billed.

Public Sector:

The NSA (yes, that NSA) has a Github account now - The Next Web

And now, it's opened a Github account, and has shared several interesting code repositories under the NSA Technology Transfer Program (TTP).  So far, it lists 32 different projects, although some of these are 'coming soon.'

Quantum Computing:

Quantum Computing’s Threat to Public-Key Cryptosystems - Security Week

Fittingly, while we do know a little about 'what', we actually know little about 'where' (in time) we will get commercially viable quantum computers. The 'what' includes massively increased computational power. The 'when' is thought to be some time within the next 15 to 30 years.

Software Security:

Under Pressure, Western Tech Firms Bow to Russian Demands to Share Cyber Secrets - Reuters

Western technology companies, including Cisco, IBM and SAP, are acceding to demands by Moscow for access to closely guarded product security secrets, at a time when Russia has been accused of a growing number of cyber attacks on the West, a Reuters investigation has found.

FEEDBACK FROM PREVIOUS DIGEST:

Most Popular:

NIST Announces Plan to Sponsor First Cybersecurity FFRDC - NIST

To help the National Cybersecurity Center of Excellence (NCCoE) address industry's needs most efficiently, the National Institute of Standards and Technology (NIST) today announced its intention to sponsor its first Federally Funded Research and Development Center (FFRDC).

The Army Can Now Stop Enemy Tanks In Their Tracks Without Firing A Shot - Task and Purpose

U.S. Army personnel have successfully used advanced electronic warfare technology to completely disable enemy armor during a simulated tank assault at the Army National Training Center, Defense Systems reports.

Defense Contractor Stored Intelligence Data in Amazon Cloud Unprotected [Updated] - ARS Technica

On May 24, Chris Vickery, a cyber risk analyst with the security firm UpGuard, discovered a publicly accessible data cache on Amazon Web Services' S3 storage service that contained highly classified intelligence data. The cache was posted to an account linked to defense and intelligence contractor Booz Allen Hamilton.

DoD Cybersecurity Policy Chart was updated on June 5th - CSIAC

The goal of the DoD Cybersecurity Policy Chart is to capture the tremendous breadth of applicable policies, some of which many cybersecurity professionals may not even be aware, in a helpful organizational scheme.

CSIAC SUPPORTED COMMUNITIES:

Cyber Security of Critical Infrastructure - Department of Homeland Security

CSIAC serves on the EO 13636/PPD-21 Research & Development (R&D) Working Group (WG) run by DHS S&T. If you would like further information, contact Dr. Paul Losiewicz at plosiewicz@csiac.org

Cyber Community of Interest (COI) Group - CSIAC

The Cyber COI engages in multiple activities and forums for coordinating cyber S&T strategies, sharing innovative ideas and technical approaches, promoting technology transfer and upcoming business opportunities, and in jointly planning programs across the Department of Defense and other government agencies. Membership is based upon approval by the Cyber COI group administrator.

TECHNICAL RESOURCES, POLICY & GUIDANCE:

Presidential Policy Directive – United States Cyber Incident Coordination - The White House

The DoD Cybersecurity Policy Chart (Formerly the IA Policy Chart) - CSIAC

DoD Cyber Domain Resources - Department of Defense

DHS Cyber Security Strategy (“Blueprint for a Secure Cyber Future”, 2011) - Department of Homeland Defense

DIB CS/IA Voluntary Information Sharing Program - DoD DIBNet

DoD's DIB CS/IA program is a voluntary program to enhance and supplement DIB participants' capabilities to safeguard DoD information that resides on, or transits, DIB unclassified information systems.

US-CERT Bulletins - Department of Homeland Security

Bulletins provide weekly summaries of new vulnerabilities. Patch information is provided when available.

US-CERT Alerts - Department of Homeland Security

Alerts provide timely information about current security issues, vulnerabilities, and exploits.

National Vulnerability Database - NIST

NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics.

Trustworthy CyberSpace: Strategic Plan For The Federal Cybersecurity Research and Development Program - NITRD

Committee on National Security Systems (CNSS) - Committee on National Security Systems

Opportunities Exist for DOD to Share Cybersecurity Resources with Small Businesses - GAO

DOD OSBP officials acknowledged that cybersecurity is an important and timely issue for small businesses -and therefore the office is considering incorporating cybersecurity into its existing outreach and education efforts. During the review, GAO identified 15 existing federal cybersecurity resources that DOD OSBP could disseminate to defense small businesses.

DHS S&T Collaboration Community - Ideascale

The National Conversation is intended to bring together everyone to play a role in shaping the future of homeland security technology. This means responders, operational users, citizens, academia, and industry.

The Department of Defense Cyber Strategy - Department of Defense

The purpose of this strategy is to guide the development of DoD's cyber forces and strengthen our cyber defense and cyber deterrence posture. It focuses on building cyber capabilities and organizations for DoD's three primary cyber missions.

Information Sharing Environment - ISE

The Information Sharing Environment (ISE) broadly refers to the people, projects, systems, and agencies that enable responsible information sharing for national security.

Standards & Reference Documents - CSIAC

View all Best Practices and Reference Documents on the CSIAC website.

The CS Digest provides links to third party Websites. The CSIAC is not responsible for the availability of, and content provided on, third party Websites. You should refer to the policies posted by other Websites regarding their privacy and other topics before you use them. The CSIAC is not responsible for third party content accessible through the CSIAC CS Digest, including opinions, advice, statements, advertisements and endorsements, and you bear all risks associated with the use of such content.