Washingtion, DC: the latest from the Georgetown Cybersecurity Law Institute
Report from the Georgetown Cybersecurity Law Institute (The CyberWire) A summary of remarks made and presentations delivered during the annual continuing legal education event
Cybersecurity Law Institute (Georgetown Law Continuing Legal Education) Please find PDF copies of documents from specific sessions linked below
FBI Director Comey, Assistant AG Caldwell Speak on Cyber Security (Georgetown Law) Attendees at the third annual Cybersecurity Law Institute, sponsored by Georgetown Law CLE on May 20 and 21, received insights and observations on cyber risk straight from the top. Day One featured FBI Director James B. Comey, who discussed the biggest threats facing the FBI in 2015, Bureau strategies for cyber security and the role of the private sector in addressing the problem
Cybersecurity Challenges (CSPAN) FBI Director James Comey spoke about Justice Department efforts to address cybersecurity challenges
FBI Chief Fears ISIS Gearing Up For Cyberattacks On US, Claims "It's Coming" (HackRead) The FBI chief James Comey is worried about possible cyber attacks by the ISIS group on critical infrastructure in the United States
Tallinn Manual (NATO Cooperative Cyber Defence Centre of Excellence) Launched in 2009, the Tallinn Manual Process is a leading effort in international cyber law research and education
Critical Infrastructure Cyber Community Voluntary Program: Getting Started for Business (US-CERT) The resources below are available to businesses and aligned to the five Cybersecurity Framework Function Areas
FTC gives thumbs up to companies that cooperate during breach probes (SC Magazine) The Federal Trade Commission (FTC) views a company "more favorably" if it cooperates during the course of a data breach investigation than one that doesn't, the commission said in a Wednesday blog post
The FCC warns Internet providers they're on the hook now for user privacy (Washington Post) Don't misuse your customers' personal information
US Regulators Warn of Cyber Threat to Financial System (Voice of America) U.S. regulators highlighted concerns about the potential for a cyber attack that could "significantly disrupt the workings of the financial system" as they presented an annual look at the challenges facing the economic sector
Cyber Attacks, Threats, and Vulnerabilities
Attack Gains Foothold Against East Asian Government Through "Auto Start" (TrendLabs Security Intelligence Blog) East Asian government agencies came under siege when attackers targeted several servers within their networks. The said attackers, who showed familiarity and in-depth knowledge of their agencies' network topology, tools, and software, were able to gain access to their targeted servers and install malware. After which, they used the compromised servers not only as gateways to the rest of the network but also as C&C servers. This particular attack has been active since 2014
A message from CareFirst President and CEO, Chet Burrell (CareFirst) Cyberattacks on businesses have, regrettably, become all too common. We understand that news of a cyberattack on CareFirst BlueCross BlueShield (CareFirst) is a cause of concern for our members and others with whom we do business. Maintaining the privacy and security of our members' personal information is one of our highest priorities
4 things you need to know following the CareFirst hack (Washington Business Journal) CareFirst BlueCross BlueShield officials said they've brought on stronger safeguards — namely Herndon-based cybersecurity firm Mandiant — to protect client data after disclosing Wednesday that it had joined other major health insurers in falling victim to a cyberattack
The CareFirst Hack: What Went Right, What Went Wrong (Health Data Management) CareFirst BlueCross BlueShield first learned in May 2014 of malware on an information system that was hacked a month later
CareFirst becomes 3rd BlueCross BlueShield health insurer to be hit by major data breach this year (FierceITSecurity) Hackers were able to penetrate health insurance provider CareFirst's systems and steal personal information on 1.1 million subscribers, the health insurance provider announced on Wednesday
Healthcare hackers may have accessed lawmaker info (Politico) House lawmakers were warned Thursday night that their personal data may have been compromised in a cyberattack involving health care plans from CareFirst Blue Cross Blue Shield
HITRUST Statement on Healthcare Industry Cyber Breach Events (HITRUST) HITRUST commonly receives inquiries about recent healthcare related cyber breaches, as HITRUST is the leading authority on healthcare information protection and operates the most active and sophisticated cyber threat intelligence sharing service for the healthcare industry, HITRUST Cyber Threat XChange (CTX). As a federally recognized Information Sharing and Analysis Organization (ISAO), we are in constant engagement with industry, law enforcement and government cyber threat intelligence sources to ensure HITRUST CTX participants have the latest indicators of compromise (IOCs)
LogJam Computer Bug Creates Another Ruckus (TechZone360) When it comes to malware and other types of computer bugs it seems like we are falling into a problematic pattern. In fact, it has made the words "wreak havoc" almost cliché
Joke or Blunder: Carbanak C&C Leads to Russia Federal Security Service (TrendLabs Security Intelligence Blog) In an interesting turn of events, a C&C used in the Carbanak targeted attack campaign now resolves to an IP linked to the Russian Federal Security Service (FSB)
Cyber-Attack Takes ULCC Offline for Hours (Infosecurity Magazine) The University of London Computer Centre (ULCC) has been hit by a major cyber-attack, knocking out open source learning platform Moodle and numerous university websites for several hours
Hacker leaks sensitive info of millions of Adult FriendFinder users (Help Net Security) Information of over 3.5 million users of dating site Adult FriendFinder has been stolen and leaked online, and is being used by spammers, scammers and phishers, a Channel 4 investigation into the Deep Web has revealed
Exploit kits delivering Necurs (Internet Storm Center) In the past few days, we've seen Nuclear and Angler exploit kits (EKs) delivering malware identified as Necurs
An unapologetic history of plane hacking: Beyond the hype and hysteria (ZDNet) Controversy over a security researcher's alleged hacking into a plane's engine mid-flight raises serious questions as to why years of public research on airline hacking has gone ignored
Hacker's Claims Spotlight Vulnerabilities of Jetliners' Systems (Claims Journal) Even as the U.S. questioned a computer researcher's claims of tampering with a jetliner in flight, his account spotlighted possible cybersecurity risks in commercial aviation
Flawed Android factory reset leaves crypto and login keys ripe for picking (Ars Technica) An estimated 630 million phones fail to purge contacts, e-mails, images, and more
mSpy Denies Breach, Even as Customers Confirm It (KrebsOnSecurity) Last week, KrebsOnSecurity broke the news that sensitive data apparently stolen from hundreds of thousands of customers mobile spyware maker mSpy had been posted online. mSpy has since been quoted twice by other publications denying a breach of its systems. Meanwhile, this blog has since contacted multiple people whose data was published to the deep Web, all of whom confirmed they were active or former mSpy customers
Researchers raise privacy concerns about Bluetooth Low Energy devices (ComputerWeekly) Researchers at Context Information Security have raised privacy concerns about a growing number of devices using Bluetooth Low Energy (BLE) technology
This Android App Tracks All Your Fitbit, Jawbone And Nike Wearables (Forbes) Anyone wearing a body tracker, smart watch or other wearable beware: your devices are constantly leaking information about you, even if it isn't exactly personal data at first glance
New gTLDs: .SUCKS Illustrates Potential Problems for Security, Brand Professionals (Cyveillance Blog) The launch of the .SUCKS top-level domain name (gTLD) has reignited and heightened concerns about protecting brands and trademarks from cybersquatters and malicious actors
Experts bust Android security myths (CIO) A set of mobile security experts provides insight on the current state of Android security
Curaçao Identified As Hackers Satellite Grid During Investigation Of 2012 Cyber Attack On Grenada And Several Other OECS Countries (Curaçao Chronicle) In 2012, the Caribbean island state of Grenada and most of the other OECS countries suffered a massive attack that actually shut down a larger part of the OECS financial system
Charter Communications Fixes Website Data Leak Vulnerability (Threatpost) Internet-cable-television provider Charter Communications recently fixed an issue with its website that was inadvertently leaking the information of tens of thousands of customers
Alibaba's UC Browser found leaking users' data (IDG via CSO) A mobile browser owned by China's Alibaba Group contained privacy risks that could have exposed users' personal data, according to a security group
Google Study: Most Security Questions Easy To Hack (Newsfactor) There's a big problem with the security questions often used to help people log into Web sites, or remember or access lost passwords — questions with answers that are easy to remember are also easy for hackers to guess. That's the key finding of a study that Google recently presented at the International World Wide Web Conference in Florence, Italy
Malvertising: Silent but Deadly (Trend Micro: Simply Security) The malvertising phenomenon is not a new thing; it has been a criminal tactic for over a decade
Cyber Trends
Many agree sharing threat intelligence is good, few companies doing it (FierceITSecurity) Despite the agreed value of sharing threat intelligence, only 37 percent of firms surveyed by the Enterprise Strategy Group regularly share internal threat intelligence with other companies or industry information sharing and analysis centers
'Perfect storm' is brewing in cybersecurity, warns Schneider Electric CSO (FierceITSecurity) A "perfect storm" is brewing in cybersecurity that threatens to disrupt the corporate world
DDoS attacks have doubled in a year, says Akamai (We Live Security) Distributed Denial of Service (DDoS) attacks are on the rise, according to cloud service provider Akamai, with more than double the number reported from this time a year ago
Human expertise filling endpoint security holes that defunct antivirus tools no longer can (CSO) Monitoring of endpoint traffic is key to modern security defences but a human element is also essential to make up for the deficiencies of outdated signature-based antivirus security solutions that haven't been effective for many years, a senior security consultant has warned
Resurgence of old threats suggest complacency among security professionals (SecurityAsia) There has been a rise of reemerging vulnerabilities, such as malvertising, zero-day vulnerability exploitation, "old-school" macro malware and the decade-old FREAK vulnerability, according to Trend Micro Incorporated's quarterly threat roundup report for the first quarter of 2015
More Attacks, Cannier Criminals Leave No Room For Complacency Over Cyber Security (MISCO) When it comes to cyber security, there's no room for complacency says security firm Trend Micro
Bad Ads and Zero-Days: Reemerging Threats Challenge Trust in Supply Chains and Best Practices (Trend Micro Security Roundup) In the beginning of 2015, we were faced with a paradox: none of the prominent threats were new — the schemes and attacks we saw used very common cybercriminal tactics — and yet they were all still so effective. Regardless of how well individuals and organizations implemented basic security measures, the simplest of blind spots had left them exposed. Who knew online and mobile ads, over-the-counter transactions, and even basic Word documents could still cause so much trouble?
Digital disruption threatens to change IT to its core (FierceCIO) A great deal of lip service has been paid this year to digital transformation and its impact on the CIO role, but no less critical is the topic of digital disruption
Time to move beyond 'medieval' cyber security approach, expert says (Missouri S&T News) The nation's approach to cyber security has much in common with medieval defense tactics, and that needs to change, says a cyber security expert at Missouri University of Science and Technology
Nordics well prepared for Industrial Internet of Things (ComputerWeekly) In the race to reap the productivity and growth rewards of the industrial internet of things (IIoT), Nordic countries are already among the leading nations
IC3 urges social media users to beware: scams and fraud are surging (Naked Security) Research from the Pew Research Center shows that 69% of US adults are leery about how their personal data will fare once it's on social media
Marketplace
Cyber-security threat growing, company directors warned (The Australian) Cyber-security is a growing concern to company boards, a high-powered conference was told yesterday
FireEye CEO expects a lot of mergers in cybersecurity industry (Economic News Daily) Today every firm wants to keep it safe and sound from cyber security vulnerabilities. This is a big issue in industry. As hacking activity is increasing day by day and it derailed many well-known firms including the likes of Target, JP Morgan Chase, Sony Pictures and others
Gary Steele Pushes Proofpoint Past Email Protection (Investor's Business Daily) Proofpoint has been on a buying spree, making relatively small but strategic acquisitions. The Sunnyvale, Calif.-based provider of security software via the cloud spent $24 million for NetCitadel and $35 million for Nexgate last year. In March, Proofpoint agreed to pay $40 million for security firm Emerging Threats
Cutting through the RSA conference jargon: cybersecurity lessons for the C-Suite (Vanilla+) Another RSA conference is behind us, and as always, we overheard security professionals speaking their own language using terms like "APTs" and "zero-day threats"
Akamai opens security operations centres in Bangalore, Tokyo (Telecompaper) Akamai Technologies announced the opening of new security operations centres (SOCs) in Bangalore, India, and Tokyo, Japan
BTS Software Solutions Announces New Ownership Team (Baltimore City BizList) BTS Software Solutions, a leading software development company that uses technology to create impactful solutions for the community, is publically announcing its new majority ownership team
Products, Services, and Solutions
Freelance hacking site vows to clean up dodgy listings (IDG via CSO) Charles Tendell is trying to repair a reputation problem for his website, Hacker's List
OpenStack users can add software-defined security (CloudPro) The new software from Catbird provides security wrapper for OpenStack workloads
ThetaRay Named as a Gartner Cool Vendor in Security for Technology and Service Providers (PRNewswire) Recognized for its math-based multi-domain anomaly detection, which protects organizations against unknown cyber and operational risks
ObserveIT Offers Deeper Visibility into Cloud User Activity with CloudThreat for AWS (The Whir) Boston's ObserveIT has launched a free security solution for Amazon's public cloud this week that monitors user activity and provides behavior analytics
DB Networks' Behavioral Analysis and Intelligent Continuous Monitoring Immediately Identifies Zero-day Attacks Originating from Vulnerable Database Connected Web Applications (PRNewswire) The exploitation of previously unknown weak points in networked computer systems costs organizations $3 billion annually. This highlights the fact that traditional security approaches have proven woefully unprepared to address the zero-day threat. Cybersecurity firm DB Networks has spearheaded an approach to database security that is radically different — using machine learning and behavioral analysis in combination with continuous monitoring of database traffic to immediately and effectively identify both known and unknown database attacks
Technologies, Techniques, and Standards
A first aid kit for ransomware infections (Help Net Security) You've been hit by ransomware and you don't know what to do?
Static Analysis Can 'Score' Software Security (eSecurity Planet) Static analysis can be even more effective in improving software security if it is used to create quality metrics
Practical IT: What is encryption and how can I use it to protect my corporate data? (Naked Security) There's been a lot of talk about encryption in the media lately
How to Pass-the-Hash with Mimikatz (Cobalt Strike Blog) I'm spending a lot of time with mimikatz lately. I'm fascinated by how much capability it has and I'm constantly asking myself, what's the best way to use this during a red team engagement?
Security Survival Guide: 10 Steps for Protecting Patient Data (Health Data Management) With increasing numbers of access points to protected health information under attack, the healthcare industry continues to be plagued with damaging breaches
Company compiles massive marketing database by scraping data dumps (Help Net Security) SalesMaple, a recently founded data analytics startup headed by PwnedList founder Steve Thomas, has made available a free database of some 30 million business contacts, which has been compiled by sifting through data dumps
Changing the Security Culture within an Organisation — How to be Forearmed Against an Internal Data Breach (Information Security Buzz) Hindsight can be a wonderful thing, but when it comes to data security and potential breaches, it's best to ensure that your security policies and tools are able to protect your organisation
Design and Innovation
Global payments startup leverages blockchain engine to reduce cross-border friction (FierceFinanceIT) A former Western Union executive has launched a Web-based global payments platform powered by a blockchain engine to reduce friction for businesses in international payments
Research and Development
Keeping passwords safe from cracking (Help Net Security) A group of researchers from Purdue University in Indiana have come up with an effective and easy-to-implement solution for protecting passwords from attackers
Academia
UK Kids Set For Cybersecurity Flavored Computing Exams (Infosecurity Magazine) The UK's Oxford, Cambridge and RSA (OCR) exam board has drafted a new GCSE Computer Science course with a major focus on cybersecurity
Illinois State recognized for cyber defense education (Illinois State University) The Center for Information Assurance and Security Education (CIASE) in Illinois State University's School of Information Technology has once again been designated as a National Center of Academic Excellence in Cyber Defense Education
Legislation, Policy, and Regulation
Wassenaar Arrangement 2013 Plenary Agreements Implementation: Intrusion and Surveillance Items (Federal Register) The Bureau of Industry and Security (BIS) proposes to implement the agreements by the Wassenaar Arrangement (WA) at the Plenary meeting in December 2013
Security Researchers Wary of Proposed Wassenaar Rules (Threatpost) Professional security researchers concerned about proposed changes to the Computer Fraud and Abuse Act (CFAA) that include stiff penalties for what today is considered legitimate offensive research, are worried about another impending punch to the gut
Head-Scratching Begins on Proposed Wassenaar Export Control Rules (Threatpost) Two things worth noting from yesterday's unveiling of the Bureau of Industry and Security's proposed Wassenaar rules for the U.S. that weren't so overt: a) The U.S. generally leads the way in implementing Wassenaar changes, and this time it's been beaten by the EU by almost 18 months; and b) requests for comments, such as the 60-day period that opened yesterday, are uncommon
China's military has declared war on Western thought on the internet (Quartz) China's military says the internet has become its main ideological battlefield and that it should build a "Great Wall" online to protect the country's citizens from "hostile Western forces"
Chinese Army newspaper calls for military role in Internet culture war (Ars Technica) Claims West and "ideological traitors" use Internet to weaken Party's authority
What's Happening Right Now in the NSA Fight in Congress (National Journal) The latest on all possible options lawmakers have to handle the fast-approaching Patriot Act deadline
Future of domestic surveillance powers uncertain as Congress fights (Reuters) The future of the U.S. government's power to spy on Americans' phone calls was up in the air on Thursday as Congress fought over proposed reforms, with no clear outcome in sight
Rand Paul's NSA Filibuster: His Notable Quotes (Real Clear Politics) In an impassioned rebuke of the National Security Agency's surveillance capabilities, Sen. Rand Paul spoke for more than 10 hours on the Senate floor Wednesday to filibuster a Patriot Act provision used to legally justify the bulk collection of telephone data
Reviewing the surveillance state (Economist) America argues anew over how much snooping the NSA can do
Massive Clinton-era Internet bug shows pitfalls of Obama's 'backdoor' proposal (CNN) A Clinton-era Internet law is coming back to haunt us by exposing our private online messages to hackers. Now, the Obama administration is lobbying Congress to repeat the same policy all over again
Australia a leader in hacking mobile phones, Snowden document reveals (Sydney Morning Herald) Australia's electronic espionage agency has exploited weaknesses in a mobile browser used by hundreds of millions worldwide and planned to hack into smartphones through data links to the Google and Samsung app stores, a leaked top secret intelligence document has revealed
National Security Agency planned hack of Google app store (AFP via Economic Times) The US National Security Agency developed plans to hack into data links to app stores operated by Google and Samsung to plant spyware on smartphones, a media report said Thursday
Brennan: CIA Must Rely on Social Media in the Middle East (PJMedia) Director advocates new legal framework to let agency "tap into" digital information
As Twitter Removes Some ISIS Accounts, Al-Qaeda's Branch In Syria Jabhat Al-Nusra (JN) Thrives, Tweeting Jihad And Martyrdom To Over 200,000 Followers (MEMRI) Over the past four years, beginning in 2011, MEMRI has published more than a dozen research reports on how jihadi organizations, from Al-Qaeda to the Islamic State (ISIS) and more, are using Twitter on a daily basis to promote their agendas, spread their messages, call for attacks against American and Western interests, recruit new members and build their audience of sympathizers, raise funds, and other purposes
Usama bin Ladin Document Release (IC on the Record) Today the ODNI released a sizeable tranche of documents recovered during the raid on the compound used to hide Usama bin Ladin
Confessions of a Jihadi Nerd: A Guide to Reading the New Bin Laden Documents (War on the Rocks) Today, the Office of the Director of National Intelligence released a new batch of declassified documents recovered during the raid to kill Osama Bin Laden in Pakistan. Like most terrorism researchers (nerds), I am excited to see these documents finally come to light as I think they provide a much needed window for the public to see inside al Qaeda?s operations and thinking. These documents will provide excellent primary source material for researchers and ideally yield insights into how terrorist groups operate — illuminating their vulnerabilities and offering solutions to mitigate their violence
Cyber stands to make gains in national defense bill, but Obama threatens veto (FierceGovernmentIT) Cyber got a boost as a fiscal 2016 defense bill moved through Congress last week
Cracking down on poor cyber hygiene (FCW) Defense Department Chief Information Officer Terry Halvorsen is taking a no-holds-barred approach to DOD network users with sloppy cyber habits
Litigation, Investigation, and Law Enforcement
A Review of the FBI's Use of Section 215 Orders (US Department of Justice, Office of the Inspector General) This Executive Summary provides a brief overview of the results of the Department of Justice (Department or DOJ) Office of the Inspector General's (OIG) third review of the Federal Bureau of Investigation's (FBI) use of the investigative authority granted by Section 215 of the Patriot Act
Audit finds Coast Guard still lacks strong organizational approach to safeguard data (FierceHomelandSecurity) The Coast Guard has made progress in protecting personal and health data, but organizational challenges such as a lack of coordination among its privacy offices, incomplete contingency planning and infrequent security reviews of physical facilities could still put data at risk, a Homeland Security Department audit found
Lizard Squad member pleads guilty to harassing women gamers (Engadget) The co-called Lizard Squad have established that they're pretty terrible people, but one of the members has hit a sad new low
