Security in the News – Week of December 23

Information Security

Computerworld

Target Hackers Try New Ways to Use Stolen Card Data

December 23

For the first time, hackers market stolen data with info on location of store where card was used; experts say new strategy will slow detection.


Help Net Security

Breaking Backlog of Digital Forensic Evidence

December 23

Time for change in the way law enforcement works with digital forensic evidence.


How Consumer Attitudes Changed Towards Data Security

December 24

With each move in the digital world, a traceable footprint is created, which organizations can use to analyze, predict and act upon.


State of Security

Target: The Desolation of Fraud

December 24

Security teams are feeling more overwhelmed by challenges of modern, organized cyber-crime.


Security and Crisis Management

BBC News Africa

Kenya and Ethiopia Leaders in Juba for Talks

December 26

Leaders of two of South Sudan’s neighbors, Kenya and Ethiopia, have held constructive talks in a bid to halt fighting.


BBC News Asia

Bangladesh Deploys Army Ahead of January Elections

December 25

Tens of thousands of troops are being deployed across Bangladesh to try to prevent potential political violence ahead of next month’s elections.


Thailand Protests: Yingluck Government Rejects Election Delay

December 26

Thailand’s government rejected calls to delay February’s election, amid increasingly violent protests in which a policeman was shot dead.


BBC News Europe

Defiant Turkish PM in Major Reshuffle

December 25

Turkish PM announced major cabinet reshuffle after three ministerial resignations over a corruption inquiry.

Channel News Asia

Thai Army Chief Refuses to Rule Out Coup

December 27

With tensions running high in Bangkok after violent clashes between police and opposition protesters, the army chief refused to rule out a coup, saying anything can happen.


The Cambodian Daily

Factories Advised to Close as Wage Strikes Swell

December 27

Cambodia’s garment manufacturers were advised to temporarily shut operations as tens of thousands of workers at hundreds of factories joined nationwide strikes over wages.

Security in the News – Week of December 16

Information Security

All Things D

People More Freaked Out by Hacking Than Tracking

December 20

Respondents to recent survey said hacking is a bigger concern than tracking.


CNN Money

Target: 40 Million Credit Cards Compromised

December 19

Breach of credit and debit card data may have affected 40 million shoppers who went to the store in the three weeks after Thanksgiving.


Computerworld

Most iPhone Users Enable Activation Lock

December 18

Survey by San Francisco DA finds that there’s room for improvement in Apple implementation.


FBI Launches New Biometric Systems to Nail Criminals

December 19

Palm prints, iris images and mug shots join fingerprints in the FBI’s database, helping to identify the bad guys.


Help Net Security

Resurgence of Malware Signed with Stolen Certificates

December 16

Since 2009, variants of the Winwebsec rogue AV family have tricked users into believing their computer is infected, and into paying to register software that removes a non-existent threat.


Gamers Attacked 11.7 Million Times in 2013

December 16

Kaspersky Lab discovered PC gamers across Europe were hit by a massive number of attacks in 2013.


How Human Behavior Affects Malware and Defense Measures

December 17

Even the most security-conscious users are open to attack through unknown vulnerabilities, and the best security mechanisms can be circumvented as a result of poor user choices.


Top Eight Security Insights for 2014

December 18

BeyondTrust’s Advanced Research identified the top 8 pain points and big deals in security in 2014.


India Set to Escalate Internet Surveillance

December 18

Indian government to launch surveillance system capable of analyzing online communication in real-time, detecting words that indicate terrorist, criminal activity.


Teaching Children Information Security Skills

December 18

(ISC)2 Foundation discusses biggest online threats to kids and provides tips on how to teach children to stay safe online.


What’s the Greatest Security Risk?

December 18

Study by the Ponemon Institute.


Krebs on Security

The Case for a Compulsory Bug Bounty

December 17

Study presents an economic case for compelling companies to pay for information about security vulnerabilities in their products.


Network World

Phishing Messages Fall in 2013 Despite Better Targeting

December 18

Criminals are sending fewer phishing emails than a year ago, but more skilfully targeted ones, says security firm Websense.


Proof Point

Attackers Making Malware Delivery More Secure

December 19

Attackers directly send SSL-protected URLs in targeted phishing emails that link to their malware which is almost always packed inside a zip file.


State of Security

Cloud Computing Adoption by Federal Agencies Increases 400%

December 19

Report on cloud security technology trends in the federal government finds that, despite security concerns cited as roadblocks to cloud adoption, agencies are rapidly expanding their adoption of cloud infrastructure.


We Live Security

NSA Saves World from Plot to Remotely Destroy PCs

December 16

International plot which would turn PCs into bricks by remotely triggering deeply buried malware foiled by NSA.


Biometric Smart ID Card Could Offer Ultimate in Portable Security

December 17

New smart ID card to eliminate hacking, identity theft using voiceprints, fingerprints, iris readings and connecting to mobile devices via Bluetooth.


Holiday Shoppers Turning to Mobile to Bag Bargains, Ignoring Security Risk

December 19

40 believe the convenience of shopping via mobile outweighs the risk.


Security and Crisis Management

No SCM news this week.

Security in the News – Week of December 9

Information Security

Computerworld

300 Victims Report Fake Support Calls to Security Org

December 10

Internet Storm Center collects info on scam for research.


Banks Shouldn’t Rely on Mobile SMS Passcodes

December 11

As mobile banking grows, malicious Android applications are increasingly intercepting one-time passcodes.


NASDAQ, Other Global Exchanges to Collaborate on Cybersecurity

December 12

World Federation of Exchanges creates working group to address cyberthreats against capital markets.


FireEye

Letting The Wrong Ones In: Email Security’s Big Blind Spot

December 13

Security professionals seem confident that email security gateways and SaaS providers can safeguard them from spear-phishing attacks.


Help Net Security

Popular Holiday-Themed Phishing Attacks

December 10

Holidays are busy, especially for hackers. Phishing is most effective when it exploits human emotions—fear, greed, anxiousness, curiosity, compassion, getting a good deal.


Inadequate Electronic Disposal Protocols Can Lead to Security Leaks

December 10

IT departments’ decisions could inadvertently put orgs at risk of IS breach if they don’t have sufficient protocols for disposal of old electronic devices.


Visualizing Year’s Top Cyber Attacks

December 10

Red October, Kelihos, Syrian Electronic Army DNS Hijack, Syria Internet shutdown and Cryptolocker topped list of malicious events.


SC Magazine

Top Breaches in 2013

December 10

Slideshow.


CISOs of Global Firms Offer Insight on Effective Security Programs

December 10

CISOs, security execs at well-known companies provided recommendations to help enhance organizations’ security programs.


Security Affairs

ENISA Threat Landscape 2013 Report, Rise of Cyber Threats

December 12

ENISA Threat Landscape 2013 is a collection of information on the top cyber-threats assessed in the reporting period.


State of Security

Chinese Hackers Targeted Europeans Before G20 Summit

December 10

Chinese hackers gained access to European ministries, with attackers sending malware-laden emails designed to infect target’s computers and eavesdrop on communications.


ThreatPost

Tech Giants Unite in Call for Surveillance Reform

December 9

Coalition of technology companies calls for reform of surveillance practices that undermine trust in their respective services and in the Internet as a medium for communication and commerce.


Facebook Phishing Campaign Employing Malicious Tumblr Pages

December 11

New round of Facebook-related spam using fake messages about recent crimes involving recipients’ friends as a lure to direct them to Tumblr pages serving exploits.


64-Bit Version of Zeus Banking Trojan In The Wild

November 11

Researchers spotted new version of malware that uses Web injects to steal banking credentials to drain online accounts, steal digital certificates and log keystrokes.


We Live Security

Microsoft Uses Telepathy To Warn Users Off Weak Passwords

December 9

Telepathy, a computing project, illustrates which passwords are weak by showing how easily a computer can guess the next letter as you type in a password.


Guide to APTs – and Why Most of US Have Little to Fear from These Cyberweapons

December 9

If you work for a government or large institution I’m pretty sure you are being targeted by an APT right now.


New Hesperbot Targets: Germany and Australia

December 10

November was eventful; an update on the situation and on malware developments.


2014 Security and Privacy Predictions

December 10

Trends in security and privacy ESET researchers are predicting for 2014.


Security and Crisis Management

Reuters

Suicide Bomber Attacks German Troops Near Airport in Afghan Capital

December 11

Suicide bomber attacked a convoy of German troops near international airport in Kabul, but there were no immediate reports of casualties.


News 24

Kenya Police Shot Near Somali Border

December 10

Gunmen killed five Kenyan policemen and wounded two in an ambush in troubled northeast border region close to war-torn Somalia.


Washington Post

Argentine Looting: 10 Dead, $90 million Lost

December 11

Argentina’s Cabinet chief is declaring end to police strikes and scattered looting, but violence continues in streets abandoned by officers demanding higher pay.

The Meaning of Life

The meaning of life… is to make life meaningful… of course.

This section of the blog will concentrate on the journey of my life, what I’ve learned and continue to learn along the way, while sharing insight that I hope you’ll find valuable.

Much more to come…

4 New Ways to Think About Our Jobs

Below is a summary of the way we should be thinking about our jobs today versus the way it might have been 20 or 30 years ago:
1) “Average” is officially over…everyone has to find their (personal) way to create value
2) We grew up in a high wage/medium skill world…now it is only a high wage/high skill world
3) We must keep reinventing our jobs to keep them:
• Think like an immigrant (be a paranoid optimist)
• Think like an artisan (your job is a personal work, “your initials in it”)
• If you think you are “finished”…you may be
• PQ+CQ>IQ (‘passion quotient’ plus ‘curiosity quotient’ is more important than ‘intellectual quotient’)
4) The world of “defined benefits” is over…only defined contributions count

Security in the News – Week of December 2

Information Security

Computerworld

Bitcointalk.org Warns Passwords in Danger after DNS Attack

December 2

Some users are advised to change their passwords.


Enjoy Trip, Protect Data You Take

December 2

International travel can require some pretty strong security measures if your devices contain sensitive information.


Worm May Create Internet of Harmful Things

December 3

Symantec says it has found a Linux worm aimed at Internet of Things devices.


Dark Reading

Experts Predict Mass Attacks On Online Banking Users

December 3

Neverquest banking Trojan supports almost every trick used to bypass online banking security systems.


340K New Malicious Websites Detected In Past 30 Days

December 3

Creation of new malware, spam, and phishing sites growing at unprecedented rates, report says.


Hacker News

Two Million Stolen Facebook, Twitter Login Credentials

December 2

Researchers found a Pony botnet controller server holding 2 million usernames and passwords stolen by cybercriminals.

Krebs on Security

Important Security Update for D-Link Routers

December 2

D-Link released security update for older Internet routers; patch closes backdoor in devices that could let attackers seize remote control over vulnerable routers.


Simple But Effective Point-of-Sale Skimmer

December 3

POS skimmers, fraud devices made to siphon bank card and PIN data at the cash register, have grown in sophistication over the years.


Net Security

Financial Services Cyber Security Trends for 2014

December 4

Years ago, questions directed at executives at financial services firms on risk management wouldn’t have mentioned cyber security; the same question today generates a much different answer.


Spoofed MasterCard Warning Delivers Malware

December 4

Email notifying users their MasterCard debit card has been blocked during holiday shopping has been landing in inboxes around the world.


Fake Amazon Order Status Emails Deliver Malware

December 4

Fake invoice scams run year round, but are more effective during the holidays as more packages get delivered from online purchases.


Security Watch

Over 80% Of Employees Use Non-Approved SaaS Applications at Work

December 4

McAfee survey finds the worst offenders amongst those surveyed were those working in IT, who used more unauthorized apps than their coworkers.


Security Week

ENISA Releases Guide for Defending Against Attacks on Industrial Control Systems

December 4

ENISA, Europe’s cyber security agency, released guide to help organizations better mitigate attacks against Industrial Control Systems.


State of Security

Israel and Saudi Arabia Plot Cyber Attack on Iran’s Nuclear Program

December 2

Iran accuses Israel and Saudi Arabia of plotting to unleash a cyber-attack targeting elements of the rogue nation’s ambitious nuclear program with malware similar to the Stuxnet virus.


Vodafone Iceland Hacked: 77,000 Accounts Exposed

December 2

Vodafone Iceland breached by Turkish hacker group Maxn3y; 77k customer records compromised in addition to defacement of the company webpage.


Consumers Concerned about Mobile Shopping Security

December 3

In Q3, mobile malware threats also increased 26 percent, making consumers more vulnerable to mobile attacks than ever before.


We Live Security

Google Nexus Phones can be Remote-Crashed by SMS

December 2

Two recent models of Nexus Android handsets can be crashed remotely, simply by sending them a flurry of SMS text messages.


ZDNet

Biggest Malware, Security Threats in 2013

December 4

Assumed guilt ransomware tactics, mobile device cyberattacks and Mac-based threats were largest in 2013.


JPMorgan Chase Admits Network Hack; 465,000 Card Users’ Data Stolen

December 5

Banking giant suffered a network breach that resulted in a large data breach, though funds and critical personal information are not thought to have been stolen.


Security and Crisis Management

BBC

Central African Republic Bozize Loyalists Attack Bangui

December 5

16 killed during fighting in capital of the Central African Republic (CAR), Bangui.


News 24

10 Killed in Mozambique Unrest

December 5

Mozambique’s government says Renamo rebels killed 10 during six weeks of unrest, warned military may soon go on the offensive.


Reuters

Seven Dead in Car Bomb Attack on Armed Convoy in Northern Somalia

December 5

Seven killed in car bomb on armed convoy escorting two foreigners working for a company training local security forces.


International New York Times

Assault on Yemeni Defense Ministry Compound Kills 52

December 5

Suspected members of Al Qaeda carried out a two-pronged attack on Yemen’s Defense Ministry headquarters, blowing open the compound entrance with car explosives and killing civilians in the hospital.

Where and Why Agile Project Management Works

Plan, make decisions, and demonstrate your learning so you can succeed.

Move quickly from decision-making to action and innovation. Using Agile Project Management principles to run projects allows organizations with an Agile mindset to respond quickly and effectively to the complexity and uncertainty that characterize today’s business needs.

Illustration of Agile Project Management
What is Agile Project Management?

Broadly defined, Agile Project Management is an iterative process that focuses on customer value first, team interaction over tasks, and adapting to current business reality rather than following a prescriptive plan. Agile Project Management is based on the same organizational practices and key principles found in the Agile Manifesto.

The diagram below displays the differences between agile and waterfall development processes. By delivering working, tested, deployable software on an incremental basis, agile development delivers increased value, visibility, and adaptability much earlier in the life cycle, significantly reducing project risk.

[Diagram: agile vs. waterfall development, value delivered over the project life cycle]

Agile Project Management is how you deliver high value and technical quality within your time and budget constraints. However, the principles go beyond software development. It’s a mindset for people who need a management approach that builds consensus quickly in a fast-paced environment.

Risk Mitigation
Time to Market
Budget Risk
Cancellation Cost
Scope Creep
Requirements Error
Technology Risk
Testing Risk

What the Analysts Say
1. Reduced time-to-market
2. Increased quality
3. Reduced waste
4. Better predictability
5. Better morale
Agile projects are 37% faster to market than industry average.

The Agile Paradigm Shift


What Agile is NOT
A specific methodology
– It’s an umbrella term for a set of approaches which share common values
“Glorified hacking”
– Rather, a synergistic set of highly disciplined practices
Working without planning
– Adaptive planning instead of following a plan
Suitable for all types of projects
– Unavailability of customers and pre-defined requirements may sway projects to other approaches
A silver bullet
– The project could still fail… but it will fail faster

Agile Manifesto for Software Development

Individuals and interactions over processes and tools
Working software over comprehensive documentation
Customer collaboration over contract negotiation
Responding to change over following a plan
“While there is value in the items on the right,
we value the items on the left more”

12 Principles behind Agile Manifesto

1. Our highest priority is to satisfy the customer through early and continuous delivery of valuable software.
2. Welcome changing requirements, even late in development. Agile processes harness change for the customer’s competitive advantage.
3. Deliver working software frequently, from a couple of weeks to a couple of months, with a preference to the shorter timescale.
4. Business people and developers must work together daily throughout the project.
5. Build projects around motivated individuals. Give them the environment and support they need, and trust them to get the job done.
6. The most efficient and effective method of conveying information to and within a development team is face-to-face conversation.


7. Working software is the primary measure of progress.
8. Agile processes promote sustainable development. The sponsors, developers, and users should be able to maintain a constant pace indefinitely.
9. Continuous attention to technical excellence and good design enhances agility.
10. Simplicity – the art of maximizing the amount of work not done – is essential.
11. The best architectures, requirements, and designs emerge from self-organizing teams.
12. At regular intervals, the team reflects on how to become more effective, then tunes and adjusts its behavior accordingly.

Bottom Line Agile
Focus on customer value
Deliver early and often
Working software is the primary measure of progress
Inspect and adapt
Collaborative culture

The Scrum Framework


Scrum Project Lifecycle


Scrum is Light-Weight
• No mention of issues or risk management, quality assurance, configuration management, story boards, etc.
• Anything additional that you do needs to support the Agile manifesto.
• Any additions are inspected and adapted by the team as part of the sprint retrospective.

Scrum Framework

Roles
Agile Manager
Product Owner
ScrumMaster
Team

Practices
Release planning
Sprint planning
Daily stand-up
Sprint showcase
Sprint retrospective

Metrics
Sprint burndown chart
Release burnup chart

Agile Manager
• Coach, inspire, and lead teams more than they measure and manage them.
• Focus on the organizational environment’s ability to deliver value

“If you fail to honor your people, they will fail to honor you;
It is said of a good leader that when the work is done, the aim fulfilled, the people will say ‘We did it ourselves.’”

The Scrum Team = 7 (+/- 2 people)
• Scrum Master
• Product Owner
• Team

SCRUM MASTER
• Removes impediments
• Enforces values and practices
• Protects the team
• Develops team members’ skills
• Facilitates ceremonies
• Escalates issues on behalf of the team

PRODUCT OWNER
• Develops and communicates the vision
• Represents (or is) the customer
• One voice, even if not one person
• Develops the product roadmap and release plan
• Accepts or rejects work results
• Addresses team’s questions
• Grooms the backlog and sets priorities

The Team
Primary responsibilities
• Breaks down user stories into tasks
• Estimates tasks during Sprint planning
• Works on design/code/test/integration for each task
• Supports other team members
• Continues to work through tasks until no tasks remain in Sprint backlog
• Participates in sprint demos and retrospectives
Skillsets required
• Technical expertise
• Cross functional – analysis /design /development / testing
• Collaborative team player – voluntarily offers assistance as needed
• Good communicator – knows to ask for help so the team stays on track

Product Roadmap


Release Schedule
Release Schedule looks easy – but the confidence to commit requires the rigor of Release Planning


Sprint Planning
0) Estimate team capacity
1) Discuss highest priority story from the product backlog
2) Size the user story
3) Break story into tasks
4) Task owner estimates task in hours
5) Repeat steps 1-4 until capacity is reached

Plan to the Team’s Capacity
1. Collect available hours before the sprint planning session
2. Build in a buffer
3. Stop when the team reaches capacity
• Prevent over-commitment
• Ensure a sustainable pace
• Ensure that the team has enough work
• Level-load the work

Deduct Time from Capacity for the Following Scrum Practices
Release Planning Session
– ~4 hours
– at least once per release
Sprint Planning
– ~2 hours for each 2-week sprint
Daily Scrum
– 15 minutes per day
Sprint Showcase
– 1.5 hours per sprint
Retrospective
– 30 minutes per sprint

Commit to the Work
“On a scale of 1 to 5, how confident are you that we can complete the user stories in the sprint plan by the end of the sprint?”

Daily Scrum or Standup
• Brief (10-15 min) daily meeting
• Assures continual team communication
• Drives accountability (peer-pressure, transparency)
• Demonstrates day-to-day progress to all team members and stakeholders

Everyone answers 3 questions
1. What did you do yesterday?
2. What will you do today?
3. Is anything in your way?
These are not status reports for the Scrum Master; they are commitments made in front of peers.

Sprint Showcase
Two Parts
• Review of sprint metrics
• Live demonstration by the people who did the work
Informal
• 2-hour prep time rule
• No slides
Invite all interested parties
Open forum – collect feedback

The Definition of Done
Each delivery team needs to define their definition of when a user story is considered to be “DONE.”
For example:
• Has the code been promoted to the QA/TEST environment?
• Has the code passed functional testing?
• Has documentation been updated?
• Has the code undergone peer code review?
Only when a user story meets all the criteria of done (i.e., DONE/DONE) can the team claim credit for completing the story/functionality.
Note: Incomplete work cannot be demonstrated!!

Commit-Accept (Say-Do) Ratio
This diagnostic metric reflects team progress by completion of its work commitment.
Say-Do Ratio = (total story points accepted by the Product Owner) / (total story points committed for completion by the team) × 100
The higher the Say-Do Ratio, the better. For instance, if a team commits to finishing 40 story points in a sprint and the PO only accepts 36 story points, the Say-Do Ratio is:
(36/40)*100 = 90%
Benefits:
A team can identify/inspect delivery problems, then take corrective action(s) as required.
By meeting its work commitments, a team builds trust with the PO/client it supports.

Sprint Retrospective


• Team reviews sprint successes and shortfalls
• What could be done differently in the subsequent sprint?
• Builds continuous improvement into the agile process
• Vital to success of agile development

Net Promoter Score: How do customers feel about our product?


Promoters (score 9-10): Loyal enthusiasts who will keep buying and refer others, fueling growth.
Passives (score 7-8): Satisfied but unenthusiastic customers who are vulnerable to competitive offerings.
Detractors (score 0-6): Unhappy customers who can damage your brand through negative word-of-mouth.

Sprint Burndown Chart


Scrum Team Velocity
Velocity is the average number of user story points a delivery team completes during a sprint. It’s used to gauge how much work a team is capable of delivering. Benefits:
• Team velocity enables the Product Owner to forecast how much work a team can be expected to complete, based on the team’s own estimate of effort.
• With an established team velocity, the Product Owner can plan future releases with improved predictability.
The team’s goal is to gain and sustain a consistent velocity across releases.

User Stories
Purpose of User Story
A user story is an agreement to have a conversation

Product Backlog – “The Work”
• Owned and maintained by the Product Owner – stack ranked by business value offered – most important at top
• Master list of desired product functionality expressed as user stories
• One Product Backlog per delivery team
• Initiates the development process
• High priority items are used to create the Sprint Backlog
• Each user story provides value
• Grows & changes as more information is acquired

Sample Backlog Grooming Checklist
• Prioritize stories
• Clarify stories (e.g., title, description, notes, etc.)
• Assign initial point estimates (i.e., 1, 2, 3, 5, 8, 13, 20, 40, 100)
• Break down “epics” into smaller stories
• Identify any risks and dependencies
• Tag stories (e.g., administrative, technical spike, CRM, etc.)
• Add acceptance criteria
• Add any known tasks
• Change status in Rally from “B” (backlog) to “D” (defined)

Breaking Down User Stories
Right-Sizing Stories


Splitting User Stories
Remember: Don’t split or detail Product Backlog Items until they are declared sufficiently valuable for the product

Estimating User Stories
Estimating Effort
We’re not very good at estimating…
Relative Sizing
Begin by estimating the effort for what the team agrees is a medium story
Estimating Effort
Story 1/2/3 – Complexity, Effort, Doubt

Planning Poker
1. Read the user story, discuss briefly to ensure clarity
2. Each team member selects an estimate card from the Fibonacci sequence (1, 2, 3, 5, 8, 13); any higher card (20, 40, 100) means the story needs more clarification
3. Cards are all turned over at once
4. Discuss the high and low cards
5. Re-estimate once more
6. SM makes the final call

Planning Poker acts to:
• Identify consensus quickly
• Democratize the discussion, so we hear from all voices!
• Uncover assumptions
• Team learns to collaborate on decisions

Summary:
Agile Manifesto for Software Development
Individuals and interactions over processes and tools
Working software over comprehensive documentation
Customer collaboration over contract negotiation
Responding to change over following a plan
“While there is value in the items on the right, we value the items on the left more”
http://agilemanifesto.org/

The Scrum “Fractal”
