Posted by Kevin on August 27, 2014.
The ITsecurity daily security briefing: Wednesday, August 27, 2014.
If you find this security briefing useful, please spread the word via social media. If you have any comments or recommendations, please email kevtownsend at gmail dot com.
Secret data retention discussion paper leaked
Via The Sydney Morning Herald. Titled Confidential industry consultation paper: Telecommunications data retention—Statement of requirements, it is a nine-page document providing a statement of the communications data that the Australian government wants the telecoms companies to retain. It states “that data retention obligations should apply to all entities that provide communications services available in Australia,” and it was meant to be secret from the public. Since Australia is a member of the Five Eyes, we can expect the data to be mirrored by the other four members: UK, US, New Zealand and Canada.
Telecommunications data retention—Statement of requirements
Report from UK’s ICO shows much room for improvement in local authorities
Not one of 16 audited authorities achieved a ‘high assurance’ rating for conformance with the data protection requirements, although 56% provide ‘reasonable assurance’. The message is ‘could do better’.
EFF has filed amicus brief in support of Anthony Elonis
“When Anthony Elonis posted some ugly speech on his Facebook account, fantasizing about killing his ex-wife and law enforcement agents, he was arrested, indicted for making Internet threats and sentenced to more than three and a half years in prison.” Courts have so far ruled that the government only has to show that a reasonable person feels threatened; the EFF says the First Amendment demonstrates that an actual threat must be intended.
Repeated security failings lead to £180,000 fine for Ministry of Justice
“The penalty follows the loss of a back-up hard drive at HMP Erlestoke prison in Wiltshire in May 2013. The hard drive contained sensitive and confidential information about 2,935 prisoners, including details of links to organised crime, health information, history of drug misuse and material about victims and visitors. The device was not encrypted.” Once again, the taxpayer will pick up the bill.
California Senate approves measure banning warrantless drone surveillance
“The California State Senate passed legislation on Tuesday imposing strict regulations on how law enforcement and other government agencies can use drones, a move supporters said will protect privacy and prevent warrantless surveillance.”
Malvertising: Not all Java from java.com is legitimate
Fox-IT reports on malvertising being used to spread malware. “Isn’t it ironic getting a Java exploit via java.com, the primary source for one of the most common used browser plugins? Current malvertising campaigns are able to do this. This blog post details a relatively new trend: real-time advertisement bidding platforms being infiltrated by cyber criminals spreading malware.”
ISACA’s European Cybersecurity Implementation Series
The series includes: Overview; Assurance; Resilience; and Risk. A further paper, European Cybersecurity Audit/Assurance Program, will follow shortly. “The series provides practical implementation guidance that is aligned with European Network and Information Security Agency (ENISA), European requirements and good practices.” The papers are free to ISACA members, and can be purchased by non-members.
Intelligence Gap: How a Chinese National Gained Access to Arizona’s Terror Center
“The un-vetted computer engineer plugged into law enforcement networks and a database of 5 million Arizona drivers in a possible breach that was kept secret for years… For five months in 2007, the Chinese national and computer programmer opened his laptop and enjoyed access to a wide range of sensitive information, including the Arizona driver’s license database, other law enforcement databases, and potentially a roster of intelligence analysts and investigators.”
The Center for Investigative Reporting and ProPublica:
How to Detect System Compromise & Data Exfiltration
Have you ever wondered how the bad guys actually get control of a system? And how they convert that system into a data-syphoning droid? Join AlienVault security engineer Tom D’Aquino as he walks you through the steps of a system compromise and how to detect these nefarious activities at every stage.
Wednesday, September 03 at 1:00 PM EDT (17:00:00 UTC)
From Zero-Day Attacks to exploit kits: How to Contain Advanced Threats
* Understand the nature of advanced threats and why they are difficult to contain with today’s signature-based tools
* Understand how to maximize the value of the security systems and solutions already in place at the web gateway
* Step through the various methods of attack ranging from basic data theft, Zero-Day attacks, advanced malware, exploit kits and more
Wed, Sep 3, 2014; 06:00 PM GMTDT
PCI SSC 2014 North American Community Meeting
One purpose of the meeting is to vote on the special interest groups for 2015. The candidates were announced this week, viz:
* Effective Daily Log Monitoring
* PCI DSS Assessments of Mainframe Environments
* Network Virtualization
* Cryptographic Keys and Digital Certificate Security Guidelines
* Working Forum for Securing Retail Locations
* Unattended Security Guidance for ATMs, Vending, and Pay at the Pump
* Guidance on Determining Shared Responsibilities for Interrelated Third Party Services
9-11 September: Walt Disney World Swan and Dolphin Resort, Orlando
The International Conference on Cyber-Crime Investigation and Cyber Security (ICCICS2014)
“The event will be held over three days, with presentations delivered by researchers from the international community, including presentations from keynote speakers and state-of-the-art lectures.”
APU Technology and Innovation (), Kuala Lumpur, Malaysia on November 17-19, 2014