Emerging threats from 2011 are on track to become the major players for cyberactivity in 2012, including mobile banking, “legal” spam and virtual currency. McAfee Labs also predicts that attacks involving political motivation or notoriety will also make headlines, including high-profile industrial attacks, cyberwarfare demonstrations and hacktivist attacks targeting public figures.

The researchers, who can make thousands of dollars for reporting just one security hole on the social-networking site, can use the card to make purchases, just like a credit card, or create a PIN and take money out of an ATM. As the researchers find more bugs, Facebook can add more money to the account.

This recommendation provides technical guidelines for Federal agencies implementing electronic authentication and is not intended to constrict the development or use of standards outside of this purpose. The recommendation covers remote authentication of users (such as employees, contractors, or private individuals) interacting with government IT systems over open networks. It defines technical requirements for each of four levels of assurance in the areas of identity proofing, registration, tokens, management processes, authentication protocols and related assertions. This publication supersedes NIST SP 800-63.

As recommended in the Cyberspace Policy Review’s near-term action plan, Trustworthy Cyberspace replaces the piecemeal  approaches of the past with a set of coordinated research priorities whose promise is to “change  the game,” resulting in a trustworthy cyberspace. As called for in the policy review’s mid-term action plan, this plan identifies opportunities to engage the private sector in activities for transitioning promising R&D into practice. In addition, and consistent with the PCAST recommendations, it prioritizes the development of a “science of security” to derive first  principles and the fundamental building blocks of security and trustworthiness.

Federal CIO Steven VanRoekel Thursday unveiled the Federal Risk and Authorization Management Program (FedRAMP), which establishes a set of baseline security and privacy standards that all cloud service providers will need to meet in order to sell their products to government agencies.

The program requires that all federal agencies use only FedRAMP-certified cloud services and technologies for public clouds, private clouds, hybrid clouds and community clouds. The program also covers all cloud service models, including Software as a Service (SaaS) and Platform as a Service (PaaS).

To people who want to encrypt data, this is a potential source of randomly-chosen numbers that are used as a “key” to lock and unlock sensitive data — military transmissions, banking transactions, or your email.

The idea is that if no one knows how the key was created in the first place, hackers and code-breakers won’t be able to figure out the secret and decode the messages.

Separating persistent threats from more opportunistic cybercrime-focused attacks is not easy, but can help inform defense, according to security experts. Block an opportunistic attack and the crisis is averted; block a persistent attacker and they will come back tomorrow…

…..

In many cases, the patterns are not clear. Even “advanced” attackers will only use, for example, the minimum force necessary to compromise a network. In some cases, attackers have rented botnets; in others, they’ve used standard cybercrime tools.

To provide segmentation, you need the physical hardware team, and maybe the systems team, to configure the SAN disk arrays to balance performance, storage, and access requirements. Sure, you could physically carve up the disks and give different slices to each customer to provide a physical boundary, but this concept is anathema to performance-minded shops and the private cloud model.

The system, which is being tested in a lab environment, uses a host-based agent to “learn” a user’s behavior and to look for anomalous behavior or other signatures, said computer scientist and project leader Justin Beaver.

……….

Among the characteristic information leveraged by the system are system call sequences. Each function on a computer initiates a series of calls for services. This occurs at a low level in the operating system, out of the user’s view, and creates a characteristic pattern for each user over time. Researchers found that normal patterns remain surprisingly consistent for individuals as they switch between computers and jobs.

It’s easy to feel overwhelmed by the increasingly bad news in cyberspace, but there are a few bright spots. Government and commercial techies are finding some success in trying to protect computer users — often from their own careless behavior.

With an influx of bring your own devices (BYOD) and mobility, social media exploding, cloud computing  knocking, and other operational challenges thrown in for good measure, if 2011 was the shocker, then 2012 is  likely to be the kitchen sink of security concern

The goal is to demonstrate better accuracy in predicting near-term and middle-term events than an opinion poll by the end of the four-year experiment. In the first year, Warnaar is seeking to achieve a 20 percent improvement over traditional polling methods. If its predictions turn out more accurate, the program will be made available to government decision makers.

Questions from informed policy makers could then be fed into ACES and predictions would be based on weighted answers from program participants.

The top risk for individuals utilising life-logging devices and scenarios is the threat to privacy that accompany using them. Loss of control over this data might result in individuals being subjected to financial fraud or unauthorised access might result in reputational harm or discrimination and exclusion. This risk is compounded by the nature of life-logging in that apart from privacy threat to individuals coming from commercial entities and governmental agencies, there is also a threat of deliberate or accidental data collection about one person by other individuals.

Dependency on the availability of certain devices or services is also increasing the risks for individuals, as the mobile devices, sensors or services become more attractive targets for attackers. In this direction, it is particularly important the link between tangible and intangible assets, as we can also see in Future Internet scenarios; a related risk is the loss of autonomy.

Finally, we should consider risks such as psychological damage, related to discrimination, exclusion, harassing, cyberstalking, child grooming, feeling of being continuously under surveillance (paranoid behaviour), pressures related to work performance, peering into other peoples life etc.

The top risk for individuals utilising life-logging devices and scenarios is the threat to privacy that accompany using them. Loss of control over this data might result in individuals being subjected to financial fraud or unauthorised access might result in reputational harm or discrimination and exclusion. This risk is compounded by the nature of life-logging in that apart from privacy threat to individuals coming from commercial entities and governmental agencies, there is also a threat of deliberate or accidental data collection about one person by other individuals.

Dependency on the availability of certain devices or services is also increasing the risks for individuals, as the mobile devices, sensors or services become more attractive targets for attackers. In this direction, it is particularly important the link between tangible and intangible assets, as we can also see in Future Internet scenarios; a related risk is the loss of autonomy.

Finally, we should consider risks such as psychological damage, related to discrimination, exclusion, harassing, cyberstalking, child grooming, feeling of being continuously under surveillance (paranoid behaviour), pressures related to work performance, peering into other peoples life etc.

“We are losing ground because we are inherently divergent from the threat,” she said, noting that while the size of viruses has remained small over the years, the defensive security apparatus continues to grow. “Such divergences are the seeds of surprise, and this [size disparity] is a striking example of why it’s currently easier to play offense rather than defense in cyber. This is not to suggest that we stop doing what we are doing in cybersecurity. But if we continue only down the current path, we will not converge with the threat.”

Berners-Lee also outlined the notion of a security friendly Web interface in which users would be able to divide their lives into their different activities – for instance, family, work, public – each of which could be colour coded and assigned a different level of privacy, set by the user. This way, even when filling out a form, the different fields could be given different colours according to their privacy rating. This kind of approach, he said, could create “an explosion of interesting new applications.”

The National Institute of Standards and Technology said the draft publication defines high-priority requirements for standards, official guidance and technology developments that need to be met in order for agencies to accelerate their migration of existing IT systems to the cloud computing model. “A key contribution of the roadmap effort is to focus the discussion to achieve a clear understanding between the government and private sector, particularly on the specific technical steps – standards, guidance and technology solutions – needed to move federal IT from its current early-cloud state to a cloud-based foundation, as envisioned in the Federal Cloud Computing Strategy.

The Small Biz Cyber Planner will ask a series of questions such as “Does your business use credit cards?” and “Does your business have a public website?” Based on the responses, it will generate a planning guide to help companies put in place basic policies to protect against cyberthreats.

The alternate Internet would be built with the intention of securing critical systems where there would be strict access rules and those who are allowed entry must report any suspicious behavior.

Researchers Juraj Somorovsky and Tibor Jager from the Ruhr University of Bochum (RUB) in Germany, devised an attack that decrypts data secured with the DES (Data Encryption Standard) or the AES (Advanced Encryption Standard) in CBC (cipher block chaining) mode. They plan to present their findings in more detail at the ACM Conference on Computer and Communications Security later this year.

According to Jrg Schwenk who teaches of Electrical Engineering and Information Technology at RUB, all data encryption algorithms recommended in the XML Encryption standard are affected by this attack, which relies on sending modified ciphertexts to the server and analyzing the errors for clues.

A research team from Google, George Mason University and the National Security Agency have developed a hardened kernel for the Android 3.0 operating system that could solve the problem of using smart phones in military operations and emergency response.

The kernel, which is in the final stages of certification testing, opens the way for the Army to begin issuing smart phones or tablet-type wireless devices to troops in combat operations.

Researchers at North Carolina State University and IBM said they may have found a way to effectively protect certain information in cloud and services environments. A new technique called Strongly Isolated Computing Environment” (SICE) aims to isolate sensitive information and workload from the rest of the functions performed by a hypervisor, which serves as gateway to a virtual, cross-platform workspace shared by users in a cloud system.

The Department of Homeland Security (DHS) outlined new requirements for FISMA, the National Institute of Standards and Technology (NIST) security standard for federal IT solutions. One of them calls for agencies to establish monthly data feeds to CyberScope, a compliance tool developed to help the feds to better and more actively monitor cybersecurity.

……

Indeed, CyberScope represents a major shift in the way federal agencies report FISMA compliance in that it replaces once-a-year compliance reporting with a more operational, consistent approach.

The first step to dealing with Cloud Security Anti-Patterns is deploying a Policy Enforcement Point to give the Information Security team a place to implement controls that avoid the Anti-Patterns and enable more robust security architecture.

A checklist for Mitigating the Anti-Patterns

• Low/no access control – strong access control protocols for authentication and authorization
• Replicating user accounts – retain enterprise provisioning on Cloud Consumer side
• Copying credentials – implement federated identity
• “Trusted” proxy – improved audit logging and monitoring on the Gateway

While database security activities in and of themselves might not necessarily be enormous tasks to tackle individually, it is scale that trips up organization. It can take a long time to implement a carefully planned security program blanketed across hundreds or even thousands of databases. In the meantime, organizations can’t afford to leave critical data flapping in the wind. By segmenting the network and compartmentalizing data by criticality, you can effectively perform a database security triage to put other compensating controls around the most important data.

In addition to providing a comprehensive process for assessing information security risk, the publication also describes how to apply the process at the three tiers in the risk management hierarchy—the organization level, mission/business process level, and information system level.

To facilitate ease of use for individuals or groups conducting risk assessments within organizations, a set of exemplary templates, tables, and assessment scales for common risk factors is also provided. The templates, tables, and assessment scales give maximum flexibility in designing risk assessments based on the express purpose, scope, assumptions, and constraints established by organizations.

In a Wi-Fi network, the Denial of Service attacks are usually generated by so called ‘backoff misbehavior,’” she says. Based on the Wi-Fi protocols, client radios “listen” to see if the radio channel is being used. If it is, it “backs off” and waits for a set period, and then listens again. If the channel is clear, it can claim it, and send or receive data.

But an attacker can manipulate this process, changing the rules, Wang says. “[W]hen attacks change the rules of backoff time, it is similar to crashing a queue and occupying it forever,” she says. “Of course, [the] other users do not know what happened and would assume the entire network is down.”

By shortening its own backoff time, the attacker “can increase the chances of connecting to the access point dramatically, resulting in a much higher probability of access success.”

NIST (the US National Institute of Standards and Technology) recently published a draft version on its strategy for promoting cyber security awareness and education. From page 2 of the document, the three stated goals are.

1. Raise awareness among the American public about the risks of online activities.
2. Broaden the pool of skilled workers capable of supporting a cyber-secure nation.
3. Develop and maintain an unrivaled, globally competitive cybersecurity workforce.

The problem with that black magnetic stripe on the back of your credit card is that it’s about as secure as writing your account information on a postcard: everything is in the clear and can be copied. Card fraud, and the measures taken to prevent it, costs U.S. merchants, banks and consumers billions each year.

The smart cards can’t be copied, which greatly reduces the potential for fraud. Smart cards with built-in chips are the equivalent of a safe: they can hide information so it can only be unlocked with the right key. Because the important information is hidden, the cards can’t be replicated.

Lightweight Portable Security (LPS) creates a secure end node from trusted media on almost any Intel-based computer (PC or Mac). LPS boots a thin Linux operating system from a CD or USB flash stick without mounting a local hard drive. Administrator privileges are not required; nothing is installed.

The idea behind it is that workers can use a CDROM or USB stick to boot into a tamper proof, pristine desktop when using insecure computers such as those available in hotels or a worker’s own home. The environment that it offers should be largely resistant to Internet-borne security threats such as viruses and spyware, particularly when launched from read-only media such as a CDROM. The LPS system does not mount the hard drive of the host machine, so no trace of work activity can be written to the local computer.

How do you answer the inevitable question “Are we good at security?” If you are like most organizations, you stutter quite a bit and then fall back to either irrelevant numbers (like AV or patch coverage) or a qualitative assessment – “We had 2 incidents last month, down from 5 the prior month prior”. Either way, the answer isn’t what management needs, or deserves.

…..Governance of Enterprise IT (GEIT) is an integral part of corporate governance and addresses the definition and implementation of processes, structures and relational mechanisms in the organizations that enable both business and IT personnel to execute their responsibilities in support of business-IT alignment and the creation of business value from IT-enabled investments. GEIT clearly goes beyond the IT-related responsibilities and expands toward (IT-related) business processes needed for business value creation. ISACA frameworks such as Val IT and the upcoming COBIT 5 fully embrace these concepts.

we’ve isolated such cases from the larger DBIR dataset and include stats around IP and classified data theft in these presentations (don’t get too upset – we’re sharing some of this with you too). The differences between these datasets are often substantial and provide plenty of food for thought…which brings us back to breach discovery, fraud, and the number 44.

The current theory is that a nation-state wanted to break in to Lockheed-Martin and Northrop-Grumman to steal military secrets. They couldn’t do it, since these companies were using RSA SecurID tokens for network authentication. So, the hackers broke into RSA with a targeted email attack. They planted a backdoor and eventually were able to gain access to SecurID information that enabled them to go back to their original targets and succesfully break into there. In the aftermath of the attack, RSA was forced to replace SecurID tokens for their customers around the world.

Dubbed Tamper-evident pairing, or TEP, the technique is based on understanding how man-in-the-middle attacks tamper with wireless messages, and then detects and in some cases blocks the tampering. The researchers suggest that TEP could have detected the reported but still unconfirmed cellular man-in-the-middle attack that unfolded at the Defcon conference earlier this month in Las Vegas.

This report presents a taxonomy of operational cyber security risks that attempts to identify and organize the sources of operational cyber security risk into four classes: (1) actions of people, (2) systems and technology failures, (3) failed internal processes, and (4) external events. Each class is broken down into subclasses, which are described by their elements. This report discusses the harmonization of the taxonomy with other risk and security activities, particularly those described by the Federal Information Security Management Act (FISMA), the National Institute of Standards and Technology (NIST) Special Publications, and the CERT Operationally Critical Threat, Asset, and Vulnerability EvaluationSM (OCTAVE®) method.

Visa announced that it’s putting its muscle behind the adoption of “chip and PIN” capabilities in U.S. credit cards, which require in-person purchasers to input a PIN code into a point-of-sale machine before the card can be used. Also known as EMV–for Europay, MasterCard, and Visa, referring to their global standard for integrated circuit chips built into cards–the U.S. chip will include contactless chip technology, laying the groundwork for greater adoption of mobile payments using near-field communications (NFC).

Naturally, 1234 is the most common passcode: mimicking the most common internet passwords. To put this into perspective, these 10 codes represent 15% of all passcodes in use. Most of the top passcodes follow typical formulas, such as four identical digits, moving in a line up/down the pad, repetition. 5683 is the passcode with the least obvious pattern, but it turns out that it is the number representation of LOVE (5683), once again mimicking a very common internet password: “iloveyou.”

The 19-page document, called the “Department of Defense Strategy for Operating in Cyberspace,” establishes that cyber space be a domain protected by the U.S. military in the same way it defends land, sea and air.

In general, the strategy calls for new ways to bolster defenses of critical cyber infrastructure, such as the computer networks of the U.S. military and defense contractors, while developing new weapons and methods to retaliate against U.S. adversaries launching cyber attacks.

This foundational COBIT volume introduces the following, which combine to provide a comprehensive, effective framework to support the governance and management of enterprise information and related technology:

• Principles
• Drivers
• Benefits
• Enablers
• Other aspects

The COBIT 5 Process Reference Guide incorporates and is the successor to COBIT 4.1, Val IT and Risk IT processes. It describes the:

• Goals cascade
• Process model
• Process reference model
• Detailed processes

We security pundits, researchers, and vendors tend to forget how hard real-world operational IT is. If you’re small, you can control more, but you have fewer resources at your disposal. If you’re large, you still struggle for resources, but now at an enormous scale. It’s a no-win situation because no one can be perfect all the time. Or even some of the time.

……

Security is hard. It’s even harder at scale. And we need to stop pretending that even the most basic of practices are always simple, and start focusing on how to make them more effective and easier to manage in a messy, ugly, real world.

Google queries show the information currently in Google’s index and cache while Google alerts send email notifications when Google is returning new information. The combination of queries and alerts can be leverage by organizations to identify security issues such as data leakage, website vulnerabilities, and stolen information.

The majority of the data breaches referenced had two things in common. The first commonality was sensitive company information was exposed to the Internet. The second commonality was the companies were notified about the data leakage after a third party located the information through Google searches.

• provides a common framework for prioritizing security errors (“weaknesses”) that are discovered in software applications
• provides a quantitative measurement of the unfixed weaknesses that are present within a software application
• can be used by developers to prioritize unfixed weaknesses within their own software
• in conjunction with the Common Weakness Risk Analysis Framework (CWRAF), can be used by consumers to identify the most important weaknesses for their business domains, in order to inform their acquisition and protection activities as one part of the larger process of achieving software assurance.

This new security challenge was on the agenda at the June 8th-9th meeting of NATO defence ministers in Brussels. Ministers agreed on an action plan and on a revised cyber defence policy which will not only ensure a quicker and more effective protection of NATO’s own network, but also provide the Allies and Partners with more assistance in preventing the cyber attacks, coping with them and limiting their impact.

The new strategy requires that all NATO structures be brought under a centralised protection system, and that all of its networks be monitored round the clock as of 2012.

But in this shadowy world of claims, boasts and posturing, nothing is quite what it seems. It may have been other members of the hacker “community” – disgruntled with the antics of LulzSec – who forced the group into retreat. A document posted online in the last 24 hours purports to be a history of LulzSec, complete with full details on its leaders.

……

But even if LulzSec has gone offline, its members and other hackers trying to make a name for themselves may soon pop up elsewhere. And the other question is whether we should take any publicity-hungry group like this too seriously. The real damage is more likely being done by criminal groups who wouldn’t dream of boasting of their exploits on Twitter or anywhere else.

Researchers at North Carolina State University claim they’ve achieved a breakthrough in how encryption can be used in technology called non-volatile main memory, which is seen as an eventual replacement for conventional dynamic random-access memory.

—-

In work conducted with graduate students, Solihin says N.C. State researchers completed building a hardware-based method to self- encrypt NVMM data. The idea is it might eventually become integrated into chipsets.

But it is the job of the courts to balance privacy against security, and they can’t do this job if they refuse to evaluate whether the security measure is really worth the tradeoff. Deference is an abdication of the court’s role in ensuring that the government respects constitutional rights. The deference argument is one that impedes any effective balancing of interests.