Sunday Security Maxim
Arg Maxim: But users, manufacturers, managers, & bureaucrats will be reluctant to implement them for reasons of inertia, pride, bureaucracy, fear, wishful thinking, and/or cognitive dissonance. Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
XKCD, Typical Morning Routine →
Saturday Security Maxim
Yippee Maxim: There are effective, simple, & low-cost counter-measures (at least partial countermeasures) to most vulnerabilities. Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
Sparks' End of Show Report →
Estonia, Creates Volunteer Cyberwarrior Brigade
Considering the country's highly systems-literate populace, this is one of the more interesting cases of a so-called Cybernational Guard, this time stationed at the K5 Barracks (NATO Cyber Defense Center, Tallinn, Estonia), in quite likely one of the most astoundingly beautiful countries on our planet - Estonia!
Researched Research on Anti-Drone Research
News, via Aliya Sternstein, writing at NextGov, details research regarding anti-drone activities fueled by published research. A drone research conundrum, of sorts...
SANS ICS Defense Use Case: The Norse / AEI Rebuttal →
Superb rebuttal co-authored by Robert M. Lee, CAPT USAF (see Captain Lee's personal rebuttal of the NORSE and AEI document here), Michael J. Assante, Co-Founder and Chief Security Strategist, NexDefense, Inc., and Tim Conway, ICS and SCADA Technical Training Director at SANS, targeting the report entitled "The Growing Cyberthreat from Iran: The Initial Report of Project Pistachio Harvest" produced by Norse and the American Enterprise Institute. Read it and Weep.
Cryptologists, Gaggle of →
Certainly an eponymous panel of cryptographic scientists, inclusive of Paul Kocher (Moderator), Adi Shamir, Whitfield Diffie, Ed Giorgio, Ronald Rivest holding forth, as it were...
Alexander's Warning: Catastrophic Attacks on Energy Sector in the Offing
via David Bisson, writing at Tripwire's State of Security blog, comes a particularly dire warning from Keith Alexander, GEN (RET) USA (RET), holder of a Bronze Star and the 16th Director of the United States National Security Agency, focusing on the security bulwarks of the embattled Energy Sector.
Ira Winkler's 'Making Penetration Tests Actually Useful' →
A presentation of Ira Winkler's, from RSA Conference 2014. Over a year old, and interestingly, highly relevant.
DARPA's CyberOps Visualized Revolution →
via Sara Sorcher, writing at the Christian Science Monitor, for the Monitor's new Passcode department, comes the story of Plan X, the Defense Advanced Research Projects Agency's (DARPA) push into proper management of the cyberwar battlespace.
XKCD, Basketball Earth
Sunday Security Maxim
Voltaire’s Maxim: The problem with common sense is that it is not all that common. Comment: Real world security blunders are often stunningly dumb. Compiled by Roger G. Johnston, Ph.D., CPP, Argonne National Laboratory
XKCD, Win by Induction
Saturday Security Maxim
IC3 Issues LEO Warning, Targeted 'Cyber' Attacks Against Public Officials
The Internet Crime Complaint Center (IC3) has published a warning focusing on Law Enforcement Officers (and other LEO personnel, including family members). The warning explicitly states that Law Enforcement Officers, personnel and public officials are at an increased risk of cyber-related attacks committed by so-called hacktivists, primarily focused at this time on the act of doxing (see the etymology of doxing here). The full text of IC3 Alert Number I-042115-PSA appears below:
Hacktivists Threaten to Target Law Enforcement Personnel and Public Officials
Summary
Law enforcement personnel and public officials may be at an increased risk of cyber attacks. These attacks can be precipitated by someone scanning networks or opening infected emails containing malicious attachments or links. Hacking collectives are effective at leveraging open source, publicly available information identifying officers, their employers, and their families. With this in mind, officers and public officials should be aware of their online presence and exposure. For example, posting images wearing uniforms displaying name tags or listing their police department on social media sites can increase an officer's risk of being targeted or attacked.
Many legitimate online posts are linked directly to personal social media accounts. Law enforcement personnel and public officials need to maintain an enhanced awareness of the content they post and how it may reflect on themselves, their family, their employer or how it could be used against them in court or during online attacks.
Threat
The act of compiling and posting an individual's personal information without permission is known as doxing. The personal information gathered from social media and other Web sites could include home addresses, phone numbers, email addresses, passwords and any other information used to target an individual during a cyber attack. The information is then posted on information sharing Web sites with details suggesting why the individual should be targeted.
Recent activity suggests family members of law enforcement personnel and public officials are also at risk for cyber attacks and doxing activity. Targeted information may include personally identifiable information and public information and pictures from social media Web sites.
Another dangerous attack often used by criminals is known as “swatting.” This involves calling law enforcement authorities to report a hostage situation or other critical incident at the victim's residence, when there is no emergency situation.
Defense
Defending Against Hacktivism
While eliminating your exposure in the current digital age is nearly impossible, law enforcement and public officials can take steps to minimize their risk in the event they are targeted.
Turn on all privacy settings on social media sites and refrain from posting pictures showing your affiliation to law enforcement.
Be aware of your security settings on your home computers and wireless networks.
Limit your personal postings on media sites and carefully consider comments.
Restrict your driver license and vehicle registration information with the Department of Motor Vehicles.
Request real estate and personal property records be restricted from online searches with your specific county.
Routinely update hardware and software applications, including antivirus.
Pay close attention to all work and personal emails, especially those containing attachments or links to other Web sites. These suspicious or phishing emails may contain infected attachments or links.
Routinely conduct online searches of your name to identify what public information is already available.
Enable additional email security measures to include two factor authentication on your personal email accounts. This is a security feature offered by many email providers. The feature will cause a text message to be sent to your mobile device prior to accessing your email account.
Closely monitor your credit and banking activity for fraudulent activity.
Passwords should be changed regularly. It is recommended to use a password phrase of 15 characters or more. Example of a password phrase: Thisisthemonthofseptember,2014.
Be aware of pretext or suspicious phone calls or emails from people phishing for information or pretending to know you. Social engineering is a skill often used to trick you into divulging confidential information and continues to be an extremely effective method for criminals.
Advise family members to turn on security settings on ALL social media accounts. Family member associations are public information and family members can become online targets of opportunity.