DDoS defense and mitigation challenges:

In their quest to maximize downtime and damage, cyber criminals and hacktivists are using increasingly sophisticated Distributed Denial-of-Service (DDoS) attack methods to detect and circumvent enterprise defenses. Widely accessible DIY malware kits, such as Dirt Jumper, sell for as little as $150 in the black market and can be used to customize botnets capable of carrying out such sophisticated DDoS attacks. As the total number of DDoS attacks continues to increase, the evolution of DDoS botnet capabilities to bypass DDoS mitigation methods will likely fuel the already growing fire of DDoS attacks upon enterprises.

via Sophisticated DDoS Botnets Bypass Defenses – Cyveillance Blog – The Cyber Intelligence Blog.

I recommend taking a look at the references in the article.

In the old fable, the Boy Who Cried Wolf was capricious and stupid. He cried “wolf” the first two times because he wanted to see who would come. The third time, when the wolf actually appeared, he cried out and no one came. He became wolf chow.

But what if the Boy Who Cried Wolf had actually seen a wolf the first two times? Would help still have come the third time? What would have happened, in that wolf-infested forest, if he had cried five, six, seven times?

This is a question that IT security professionals face every day. And there isn’t always a clear answer.

via For Security Pros, Maintaining Credibility Means Walking A Fine Line | Dark Reading.

This is always a concern for InfoSec professionals. Another piece that goes with it is a measured response. Running around claiming the sky is falling at the first blush of a security issue only to later learn it’s not as bad as the headlines made things out to be can also poison the audience to real threats.

I like this quote from the same article:

A security warning is only as good as the credibility of the professional who delivers it.

For five years now, a Ponemon Institute annual report has tried to put a number on the cost of data breaches. It creates benchmarks for direct costs such as regulatory fines and the cost of notifying customers, alongside estimates of indirect costs such as customer churn and lost business. In 2013, Ponemon pegged the cost of a data breach at $136 per lost record on average across the globe. Ponemon estimated the cost in the U.S. at $188 per record, and $277 per record when the breach came at the hands of malicious and criminal attacks such as outside hacking or insider theft.

via How To Cushion The Impact Of A Data Breach — Dark Reading.

Interesting numbers in the article with a strong emphasis on planning.


Given how much data the scientists at CERN have to crunch through, it’s not surprising that it takes its computing power seriously. This video takes a look inside the massive computer center that allows the magic to happen.

In what is essentially the brain of the Large Hadron Collider it is noisy, hot—and incredibly powerful. Sit back and lust over the tech on show.

via Inside CERN’s Massive Computer Center.

It has been an eventful time in the mobile world with two recent breaking stories revealing vulnerabilities in the security infrastructure for Android and iOS respectively. While vastly different in their nature, both point to a fundamental lesson that CISOs in an increasingly mobile world cannot ignore – when it comes to encryption, read the fine print. Otherwise you may find yourself up the proverbial creek without a paddle (i.e., remediation strategy).

A sensible approach to mobile security is rooted in a clear identification of what needs protection. In general, CISOs want to protect access (i.e. who can log in and get to company systems) and company data, both in transit and at rest. At the root of all protection strategies is strong encryption to protect data that is either input or consumed by the mobile user. Without strong encryption all mobile security strategies are nothing more than a game that hackers can play and win.

via What CISOs must learn from Bitcoin and a research team at Georgia Tech.

What can RDP intruders do? If you have administrative privileges assigned to the user they log in as, they can take your computer for an unfettered spin around the block, ranging from turning it off, rebooting it, installing software (including malware), or just having a look around to find documents or files with your critical personal information in them like banking, accounting, or other information and then spirit them off across the network to their own computers for nefarious purposes.

via Remote Desktop (RDP) Hacking 101: I can see your desktop from here! – We Live Security.

As of Friday afternoon, a notice on NASA’s kepler.arc.nasa.gov website was reading “Down for Maintenance: The requested webpage is down for maintenance. Please try again later.”

The site is only one of what appear to be 14 hacked subdomains, hosted in the heart of Silicon Valley, that were defaced on Tuesday and stayed offline for some time.

via “Stop spy on us!” 14 NASA sites hacked | Naked Security.

Apparently, there may be yet another reason to be underwhelmed by the iPhone 5s: a lawyer named Marcia Hofmann, writing for Wired, offers the opinion that its fingerprint authentication might end up eroding a long-cherished legal right.

In this case it wouldn’t be the government chipping away at your statutory protections, but technology itself.

The protection that Hofmann thinks might be at risk relates to self-incrimination.

Many jurisdictions give you some sort of “right to silence” – in the USA, it’s usually known as the Fifth, because the Founding Fathers neglected to enshrine it in the original constitution, leaving it to be retrofitted in the so-called Fifth Amendment some three years later.

via Apple’s “Touch ID” fingerprint login – not everyone is cock-a-hoop about it | Naked Security.

At approximately 7:29 AM PDT today, we were notified by several security researchers that a fireeye[.]com/careers HR link was inadvertently serving up a drive-by download exploit. Our internal security, IT operations team, and third-party partners quickly researched and discovered that the malicious code was not hosted directly on any FireEye web infrastructure, but rather, it was hosted on a third-party advertiser (aka “malvertisement”) that was linked via one of our third-party web services. The team then responded and immediately removed links to the malicious code in conjunction with our partners in order to protect our website users. More information on this third-party compromise (of video.js) can be found here.

via Darkleech Says Hello | FireEye Blog.

A long read about the cyber-security industrial complex:

In the eastern New Jersey suburbs, a train carrying radiological material is barreling toward a small town, and it is up to Pentagon cyber-operators to derail it. The town is the kind of idyllic whistle-stop hamlet where residents socialize at a cafe with complimentary Wi-Fi while surfing FaceSpace, a social networking site.

But danger lurks all around. Terrorists are using the open Wi-Fi connection to hack into the laptop of a patron who works at the hospital down the street. They plan to find the hospital codes stored in his computer to access the mayor’s medical records, in which they will change the dosage of a prescription the mayor refills regularly in an effort to poison him.

They have other nefarious future schemes, too: They will cut the power grid with a nasty cybervirus and destroy the local water supply by engineering a program to make it appear as though the reservoir is polluted. When employees dump chemicals into the water to fix the problem, they will inadvertently be doing just what the terrorists want: contaminating the water supply.

This model town – CyberCity – is one of the US military’s premier cyberwar simulators. Situated in a surprisingly unassuming suburban enclave, it is built with hobby shop-supplied model trains, miniature cellphone towers, and streetlights – all attached to a miniature power grid.

CyberCity is just a small town compressed onto an 8-by-10-foot plywood table. But its intricate electronic detail highlights the Pentagon’s growing effort to expand its offensive cyberwarfare skills in a bid to bolster the nation’s cybersecurity, through increasingly sophisticated and aggressive forays that have the potential to revolutionize the way America’s military fights wars.

via Cyber security: The new arms race for a new front line – CSMonitor.com.

Note: I still hate the term cyber-security.