ITsecurity Daily News: 08/26/2014

Posted by on August 27, 2014.

The ITsecurity daily security briefing: Wednesday, August 27, 2014.
If you find this security briefing useful, please spread the word via social media. If you have any comments or recommendations, please email kevtownsend at gmail dot com.


News

Secret data retention discussion paper leaked
Via The Sydney Morning Herald. Titled Confidential industry consultation paper: Telecommunications data retention—Statement of requirements, it is a nine-page document setting out the communications data that the Australian government wants the telecoms companies to retain. It states “that data retention obligations should apply to all entities that provide communications services available in Australia,” and it was meant to be kept from the public. Since Australia is a member of the Five Eyes, we can expect the same data to be mirrored by the other four members: UK, US, New Zealand and Canada.
Telecommunications data retention—Statement of requirements
http://images.smh.com.au/file/2014/08/27/5711351/Data_retention_consultation_1.pdf

Report from UK’s ICO shows much room for improvement in local authorities
Not one of 16 audited authorities achieved a ‘high assurance’ rating for conformance with the data protection requirements, although 56% provide ‘reasonable assurance’. The message is ‘could do better’.
ICO:
http://ico.org.uk/for_organisations/sector_guides/~/media/documents/library/Data_Protection/Research_and_reports/outcomes-report-local-%20authorities.pdf

EFF has filed amicus brief in support of Anthony Elonis
“When Anthony Elonis posted some ugly speech on his Facebook account, fantasizing about killing his ex-wife and law enforcement agents, he was arrested, indicted for making Internet threats and sentenced to more than three and a half years in prison.” Courts have so far ruled that the government only has to show that a reasonable person would feel threatened; EFF argues that the First Amendment requires that the threat actually be intended.
EFF:
https://www.eff.org/deeplinks/2014/08/supreme-court-tackles-online-threats

Repeated security failings lead to £180,000 fine for Ministry of Justice
“The penalty follows the loss of a back-up hard drive at HMP Erlestoke prison in Wiltshire in May 2013. The hard drive contained sensitive and confidential information about 2,935 prisoners, including details of links to organised crime, health information, history of drug misuse and material about victims and visitors. The device was not encrypted.” Once again, the taxpayer will pick up the bill.
ICO:
http://ico.org.uk/news/latest_news/2014/repeated-security-failings-lead-to-180000-fine-for-moj-26082014

California Senate approves measure banning warrantless drone surveillance
“The California State Senate passed legislation on Tuesday imposing strict regulations on how law enforcement and other government agencies can use drones, a move supporters said will protect privacy and prevent warrantless surveillance.”
Reuters:
http://www.reuters.com/article/2014/08/27/us-usa-california-drones-idUSKBN0GR0E020140827

Malvertising: Not all Java from java.com is legitimate
Fox-IT reports on malvertising being used to spread malware. “Isn’t it ironic getting a Java exploit via java.com, the primary source for one of the most commonly used browser plugins? Current malvertising campaigns are able to do this. This blog post details a relatively new trend: real-time advertisement bidding platforms being infiltrated by cyber criminals spreading malware.”
Fox-IT:
http://blog.fox-it.com/2014/08/27/malvertising-not-all-java-from-java-com-is-legitimate/


Whitepapers and Reports

ISACA’s European Cybersecurity Implementation Series
The series includes: Overview; Assurance; Resilience; and Risk. A further paper, European Cybersecurity Audit/Assurance Program, will follow shortly. “The series provides practical implementation guidance that is aligned with European Network and Information Security Agency (ENISA), European requirements and good practices.” The papers are free to ISACA members, and can be purchased by non-members.
ISACA:
http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/European-Cybersecurity-Implementation-Series.aspx

Intelligence Gap: How a Chinese National Gained Access to Arizona’s Terror Center
“The un-vetted computer engineer plugged into law enforcement networks and a database of 5 million Arizona drivers in a possible breach that was kept secret for years… For five months in 2007, the Chinese national and computer programmer opened his laptop and enjoyed access to a wide range of sensitive information, including the Arizona driver’s license database, other law enforcement databases, and potentially a roster of intelligence analysts and investigators.”
The Center for Investigative Reporting and ProPublica:
http://www.propublica.org/article/lizhong-fan


Webcasts and Webinars

How to Detect System Compromise & Data Exfiltration
Have you ever wondered how the bad guys actually get control of a system, and how they turn that system into a data-siphoning droid? Join AlienVault security engineer Tom D’Aquino as he walks you through the steps of a system compromise and how to detect these nefarious activities at every stage.
Wednesday, September 03 at 1:00 PM EDT (17:00:00 UTC)
SANS:
https://www.sans.org/webcasts/detect-system-compromise-data-exfiltration-98592

From Zero-Day Attacks to exploit kits: How to Contain Advanced Threats
* Understand the nature of advanced threats and why they are difficult to contain with today’s signature-based tools
* Understand how to maximize the value of the security systems and solutions you already have in place at the web gateway
* Step through the various methods of attack, ranging from basic data theft and Zero-Day attacks to advanced malware, exploit kits and more
Wed, Sep 3, 2014; 06:00 PM GMTDT
Blue Coat:
https://webinar.darkreading.com/18210


Events

PCISSC 2014 North American Community Meeting
One purpose of the meeting is to vote on the special interest groups for 2015. The candidates were announced this week, viz:
* Effective Daily Log Monitoring
* PCI DSS Assessments of Mainframe Environments
* Network Virtualization
* Cryptographic Keys and Digital Certificate Security Guidelines
* Working Forum for Securing Retail Locations
* Unattended Security Guidance for ATMs, Vending, and Pay at the Pump
* Guidance on Determining Shared Responsibilities for Interrelated Third Party Services
9-11 September: Walt Disney World Swan and Dolphin Resort, Orlando
PCIDSS:
http://community.pcisecuritystandards.org/2014/

The International Conference on Cyber-Crime Investigation and Cyber Security (ICCICS2014)
“The event will be held over three days, with presentations delivered by researchers from the international community, including presentations from keynote speakers and state-of-the-art lectures.”
APU Technology and Innovation, Kuala Lumpur, Malaysia, November 17-19, 2014
ICCICS 2014:
http://sdiwc.net/conferences/2014/iccics2014/


Mergers and Acquisitions


Alerts
