The Cybersecurity (CS) Digest is a curated bi-weekly news summary for cybersecurity professionals. It is transmitted in an HTML-formatted email and provides links to articles and news summaries across a spectrum of cybersecurity topics.
FEEDBACK FROM PREVIOUS DIGEST:
Critical Infrastructure:
DARPA on the Hunt for ‘Early Warning’ Cyberattack Detection Technology - Fierce Government IT
The Defense Advanced Research Projects Agency will bring together potential proposers on Dec. 14 to give industry more information on its cyber threat monitoring needs in advance of forthcoming solicitations under a broad agency announcement known as the Rapid Attack Detection, Isolation and Characterization, or RADICS, program.
RECENT HEADLINES:
Cyberwarfare:
Army Cyber Command Looks to Build new HQ - Defense Systems
The Army Corps of Engineers recently announced plans to issue an Invitation for Bid on the construction of a new headquarters command and control facility at Fort Gordon, Ga. The facility will also house a cyber protection team operations facility.
Pentagon Memo: U.S. Weapons Open to Cyberattacks - The Daily Beast
The military can't afford to pay top hackers to seal up its systems. That's nothing but good news for those looking to penetrate America's defenses.
Anonymous Takes Credit for DDoS Attacks on Turkey’s DNS Servers, Accuses Turkey of Aiding ISIS - Softpedia
A massive 40 Gbps DDoS attack hit Turkey's root DNS servers managed by NIC.tr, Turkey's administrative body that handles the country's main DNS servers and its .tr domain names inventory.
Data Security:
List of Data Breaches and Cyberattacks in 2015 – Over 290 Million Leaked Records - IT Governance
The volume of data breaches and cyber attacks that marked 2015 could be appropriately described as a 'cascade' or 'torrent', or perhaps 'maelstrom'.
Gomasom Ransomware Decrypted, Get Your Files Back for Free - Softpedia
Users who had the misfortune of getting infected with the Gomasom ransomware can now start sending Christmas gifts to Fabian Wosar, security researcher at Emsisoft, who has managed to create a tool for decrypting files locked by this ransomware.
XRTN Ransomware uses Batch Files to Encrypt your Data - Bleeping Computer
A new ransomware called the XRTN Ransomware is in the wild that encrypts your data with RSA-1024 encryption using the open source Gnu Privacy Guard (GnuPG) encryption software.
TeslaCrypt Ransomware Attacks are Increasing - Computer World
Over the past two weeks security researchers have seen a surge in attacks using a file-encrypting ransomware program called TeslaCrypt, known for targeting gamers in the past.
Healthcare Security:
Nearly 1 in 5 Health Data Breaches Take Years to Spot, says Verizon - The Register
Stolen medical information is a prevalent problem across multiple industries, according to a new study by Verizon.
High Performance Computing:
Supercomputer Benchmark Gains Adherents - PHYS
A software program that ranks supercomputers on their ability to solve complex problems rather than on raw speed alone continues to gain traction in the high-performance computing community.
Legislation and Regulation:
A Practical Path To Cybersecurity - Forbes
With the two bills now reconciled by House and Senate negotiators and included in the omnibus budget spending bill, the combined bills join the Federal Information Security Management Act (FISMA), which modernized roles, responsibilities, and requirements for management of information security and the National Cybersecurity Protection Act, which codified the National Cybersecurity and Communications Integration Center (NCCIC), as significant pieces of legislation to address the growing cybersecurity threat facing the United States.
Obama Signs Cyberthreat Information Sharing Bill - Gov Info Security
On Dec. 18, both houses of Congress enacted the Cybersecurity Information Sharing Act, which is part of a 2,009-page $1.1 trillion omnibus spending bill (see page 1,729). CISA will establish a process for the government to share cyberthreat information with businesses that voluntarily agree to participate in the program.
Long-delayed Cyber Bill Included in Omnibus - The Hill
A long-delayed cybersecurity bill was included in the sweeping omnibus spending deal released early.
Feinstein Vows to Offer Bill to Pierce Encryption - The Hill
Sen. Dianne Feinstein (D-Calif.) is vowing to lead the charge on legislation that would require companies to decrypt data under court order.
Deadline for Better Encryption on Payment Systems Pushed Back Two Years - Softpedia
The Payment Card Industry Security Standards Council (PCI SSC) has announced that it has pushed back the mandatory migration date for TLS 1.1 encryption or higher for organizations that process online or offline payments.
Mobile Security:
Officials: Paris Attackers Used Encrypted Apps - The Hill
Investigators of the Paris attacks have evidence they believe indicates that some of the terrorists used encrypted apps to plan the strikes, officials briefed on the inquiry told CNN.
Network Security:
Four Network Management Systems Vulnerable to SQLi and XSS Attacks - Softpedia
Security researchers have found six vulnerabilities in the products of four vendors of NMSs (Network Management Systems): four cross-site scripting (XSS) and two SQL injection (SQLi) flaws.
Public Sector:
Engaging the International Community on Cybersecurity Standards - White House
The administration releases a new strategy to improve the U.S. government's participation in the development and use of international standards for cybersecurity.
Quantum Computing:
Entangling Different Kinds of Atoms Could be the Way Forward for Quantum Computers - IEEE Spectrum
Last week two research groups, one at the National Institute of Standards and Technology (NIST) in Boulder, Col., and one at the University of Oxford, reported experiments in which particles of different species were entangled for the first time.
Researchers Break “Unbreakable” Quantum Cryptography - Softpedia
Before it even had a chance to be deployed within real-world applications, a group of Swedish scientists has already found a way to break quantum cryptography, a novel, advanced concept for encrypting data using the laws of physics themselves.
Software Security:
Vulnerability in Popular Bootloader puts Locked-down Linux Computers at Risk - PC World
Pressing the backspace key 28 times can bypass the Grub2 bootloader's password protection and allow a hacker to install malware on a locked-down Linux system.
FireEye Security Devices Provide Attackers with Backdoor into Corporate Networks - Softpedia
Two security researchers working for Google have discovered a simple method of compromising FireEye security products, which, ironically, are installed to prevent a network's computers from being compromised.
CSIAC SUPPORTED COMMUNITIES:
Cyber Security of Critical Infrastructure - Department of Homeland Security
CSIAC serves on the EO 13636/PPD-21 Research & Development (R&D) Working Group (WG) run by DHS S&T. If you would like further information, contact Dr. Paul Losiewicz at plosiewicz@csiac.org
Cyber Community of Interest (COI) Group - CSIAC
The Cyber COI engages in multiple activities and forums for coordinating cyber S&T strategies, sharing innovative ideas and technical approaches, promoting technology transfer and upcoming business opportunities, and in jointly planning programs across the Department of Defense and other government agencies. Membership is based upon approval by the Cyber COI group administrator.
TECHNICAL RESOURCES, POLICY & GUIDANCE:
DHS Cyber Security Strategy (“Blueprint for a Secure Cyber Future”, 2011) - Department of Homeland Defense
Trustworthy CyberSpace: Strategic Plan For The Federal Cybersecurity Research and Development Program - NITRD
The CS Digest provides links to third party Websites. The CSIAC is not responsible for the availability of, and content provided on, third party Websites. You should refer to the policies posted by other Websites regarding their privacy and other topics before you use them. The CSIAC is not responsible for third party content accessible through the CSIAC CS Digest, including opinions, advice, statements, advertisements and endorsements, and you bear all risks associated with the use of such content.