The Cybersecurity (CS) Digest is a curated bi-weekly news summary for cybersecurity professionals. It is transmitted in an HTML-formatted email and provides links to articles and news summaries across a spectrum of cybersecurity topics.
FEEDBACK FROM PREVIOUS DIGEST:
CSIAC ANNOUNCEMENTS:
DoD Cybersecurity Policy Chart was updated on June 5th - CSIAC
The goal of the DoD Cybersecurity Policy Chart is to capture the tremendous breadth of applicable policies, some of which many cybersecurity professionals may not even be aware, in a helpful organizational scheme.
Free CSIAC Webinar June 29 @ 12 PM EDT – eMASS, the True Story - CSIAC
This webinar will cover the realities of the Enterprise Mission Assurance Support Service (eMASS): what works well, what does not work, and how to best make it work for you.
RECENT HEADLINES:
Critical Infrastructure:
Watch Hackers Take Over the Mouse of a Power-Grid Computer - WIRED
The best work of hackers tends to remain invisible. But when sophisticated intruders broke into the computer networks of regional energy firms in Ukraine in 2015 and cut power to roughly a quarter million people, their tampering didn't go unnoticed. In this rare instance, the staff of one of those electric utilities managed to capture the hackers' handiwork on video.
Cyber Crime:
South Korean Web Host Pays Largest Ransomware Demand Ever - CNET
The ransomware attacked more than 153 Linux servers that South Korean web provider Nayana hosted, locking up more than 3,400 websites on June 10. In Nayana's first announcement a few days later, it said the hackers demanded 550 bitcoins to free up all the servers -- about $1.62 million.
Tags: Ransomware
FEEDBACK FROM PREVIOUS DIGEST:
Cyberwarfare:
The Army Can Now Stop Enemy Tanks In Their Tracks Without Firing A Shot - Task and Purpose
U.S. Army personnel have successfully used advanced electronic warfare technology to completely disable enemy armor during a simulated tank assault at the Army National Training Center, Defense Systems reports.
RECENT HEADLINES:
Data Security:
AES-256 Keys Sniffed in Seconds Using €200 of Kit a Few Inches Away - The Register
Researchers at Fox‑IT have managed to wirelessly extract secret AES-256 encryption keys from a distance of one metre (3.3 feet) – using €200 (~US$224) worth of parts obtained from a standard electronics store – just by measuring electromagnetic radiation. At that distance sniffing the keys over the air took five minutes, but if an attacker got within 30 centimetres (11.8 inches) of a device, the extraction time is cut down to just 50 seconds.
Threats: Social Engineering and Malicious Spam Dominate - DataBreach Today
Good news: Exploits kits remain in decline, thanks in large part to concerted efforts to disrupt their efficacy. Unfortunately, criminals are focusing instead on social engineering attacks - including tech-support scams - and malicious spam campaigns as malware distribution mechanisms, as noted by Brad Duncan, a threat intelligence analyst for the Unit 42 security research group at Palo Alto Networks, in a Wednesday blog post.
Defense Contractor Stored Intelligence Data in Amazon Cloud Unprotected [Updated] - ARS Technica
On May 24, Chris Vickery, a cyber risk analyst with the security firm UpGuard, discovered a publicly accessible data cache on Amazon Web Services' S3 storage service that contained highly classified intelligence data. The cache was posted to an account linked to defense and intelligence contractor Booz Allen Hamilton.
A Decade Old Unix/Linux/BSD Root Privilege-Escalation Bug Discovered - The Hacker News
Security researchers have discovered more than a decade-old vulnerability in several Unix-based operating systems - including Linux, OpenBSD, NetBSD, FreeBSD and Solaris - which can be exploited by attackers to escalate their privileges to root, potentially leading to a full system takeover.
Tags: Linux
Republican Data Broker Exposes 198M Voter Records - Threat Post
Detailed voter profiles of 198 million voters were left exposed on an Amazon S3 account by Republican Party-affiliated data broker Deep Root Analytics. The discovery was made by Chris Vickery, cyber risk analyst at security firm UpGuard.
Internet-of-Things:
Internet of Things: Let the Avatars Talk to Each Other - MIT News
On the 25th anniversary of the universal barcode in 1999, the barcode community gathered around Sanjay Sarma and his colleagues and said, "Let's do this."
Tags: Internet of Things (IoT)
Network Security:
Has ‘Fireball’ Malware Infected 250 Million Computers? Microsoft Disputes Shocking Claim - ARS Technica
Microsoft sparked a curious squabble over malware discovery and infection rates. At the start of the month security firm Check Point reported on a browser hijacker and malware downloader called Fireball. The firm claimed that it had recently discovered the Chinese malware and that it had infected some 250 million systems.
Tags: Microsoft
Blockchain: Overhyped Buzzword or Real-deal Enterprise Solution? - ComputerWorld
While blockchain is among the hottest technologies in the enterprise security, data storage and file-sharing arenas, many experts question its use or even whether it's really as secure as billed.
Tags: Network Security
Public Sector:
The NSA (yes, that NSA) has a Github account now - The Next Web
And now, it's opened a Github account, and has shared several interesting code repositories under the NSA Technology Transfer Program (TTP). So far, it lists 32 different projects, although some of these are 'coming soon.'
Tags: National Security Agency (NSA)
Quantum Computing:
Quantum Computing’s Threat to Public-Key Cryptosystems - Security Week
Fittingly, while we do know a little about 'what', we actually know little about 'where' (in time) we will get commercially viable quantum computers. The 'what' includes massively increased computational power. The 'when' is thought to be some time within the next 15 to 30 years.
Tags: Encryption, Quantum Computing
Software Security:
Under Pressure, Western Tech Firms Bow to Russian Demands to Share Cyber Secrets - Reuters
Western technology companies, including Cisco, IBM and SAP, are acceding to demands by Moscow for access to closely guarded product security secrets, at a time when Russia has been accused of a growing number of cyber attacks on the West, a Reuters investigation has found.
FEEDBACK FROM PREVIOUS DIGEST:
Most Popular:
NIST Announces Plan to Sponsor First Cybersecurity FFRDC - NIST
To help the National Cybersecurity Center of Excellence (NCCoE) address industry's needs most efficiently, the National Institute of Standards and Technology (NIST) today announced its intention to sponsor its first Federally Funded Research and Development Center (FFRDC).
CSIAC SUPPORTED COMMUNITIES:
Cyber Security of Critical Infrastructure - Department of Homeland Security
CSIAC serves on the EO 13636/PPD-21 Research & Development (R&D) Working Group (WG) run by DHS S&T. If you would like further information, contact Dr. Paul Losiewicz at plosiewicz@csiac.org
Cyber Community of Interest (COI) Group - CSIAC
The Cyber COI engages in multiple activities and forums for coordinating cyber S&T strategies, sharing innovative ideas and technical approaches, promoting technology transfer and upcoming business opportunities, and in jointly planning programs across the Department of Defense and other government agencies. Membership is based upon approval by the Cyber COI group administrator.
TECHNICAL RESOURCES, POLICY & GUIDANCE:
Presidential Policy Directive – United States Cyber Incident Coordination - The White House
The DoD Cybersecurity Policy Chart (Formerly the IA Policy Chart) - CSIAC
DoD Cyber Domain Resources - Department of Defense
DHS Cyber Security Strategy (“Blueprint for a Secure Cyber Future”, 2011) - Department of Homeland Defense
DIB CS/IA Voluntary Information Sharing Program - DoD DIBNet
DoD's DIB CS/IA program is a voluntary program to enhance and supplement DIB participants' capabilities to safeguard DoD information that resides on, or transits, DIB unclassified information systems.
US-CERT Bulletins - Department of Homeland Security
Bulletins provide weekly summaries of new vulnerabilities. Patch information is provided when available.
US-CERT Alerts - Department of Homeland Security
Alerts provide timely information about current security issues, vulnerabilities, and exploits.
National Vulnerability Database - NIST
NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics.
Trustworthy CyberSpace: Strategic Plan For The Federal Cybersecurity Research and Development Program - NITRD
Committee on National Security Systems (CNSS) - Committee on National Security Systems
Opportunities Exist for DOD to Share Cybersecurity Resources with Small Businesses - GAO
DOD OSBP officials acknowledged that cybersecurity is an important and timely issue for small businesses -and therefore the office is considering incorporating cybersecurity into its existing outreach and education efforts. During the review, GAO identified 15 existing federal cybersecurity resources that DOD OSBP could disseminate to defense small businesses.
DHS S&T Collaboration Community - Ideascale
The National Conversation is intended to bring together everyone to play a role in shaping the future of homeland security technology. This means responders, operational users, citizens, academia, and industry.
The Department of Defense Cyber Strategy - Department of Defense
The purpose of this strategy is to guide the development of DoD's cyber forces and strengthen our cyber defense and cyber deterrence posture. It focuses on building cyber capabilities and organizations for DoD's three primary cyber missions.
Tags: Cybersecurity Strategy
Information Sharing Environment - ISE
The Information Sharing Environment (ISE) broadly refers to the people, projects, systems, and agencies that enable responsible information sharing for national security.
Standards & Reference Documents - CSIAC
View all Best Practices and Reference Documents on the CSIAC website.
The CS Digest provides links to third party Websites. The CSIAC is not responsible for the availability of, and content provided on, third party Websites. You should refer to the policies posted by other Websites regarding their privacy and other topics before you use them. The CSIAC is not responsible for third party content accessible through the CSIAC CS Digest, including opinions, advice, statements, advertisements and endorsements, and you bear all risks associated with the use of such content.
Leave a Comment
You must be logged in to post a comment.