Cyber Security News of the Week, February 17, 2013 by Fred F. Farkel, Tuesday, February 19th, 2013
Guest column by Citadel Information Group
Facebook Says Hackers Breached Its Computers: Facebook admitted that it was breached by sophisticated hackers in recent weeks, two weeks after Twitter made a similar admission. Both Facebook and Twitter were breached through a well-publicized vulnerability in Oracle’s Java software. The New York Times, February 15, 2013
Exploit Sat on LA Times Website for 6 Weeks: The Los Angeles Times has scrubbed its Web site of malicious code that served browser exploits and malware to potentially hundreds of thousands of readers over the past six weeks. KrebsOnSecurity, February 13, 2013
Staying Private on the New Facebook: Facebook is a personal vault that can contain photos of your firstborn, plans to bring down your government and, occasionally, a record of your indiscretions. New York Times, February 6, 2013
Following WikiLeaks’ Playbook, BalkanLeaks Releases Insurance File With Its Spilled Secrets: WikiLeaks may have faded from the headlines, but in a corner of Eastern Europe, a copycat is playing out the secret-spilling site’s saga again. And it’s learned all of its predecessor’s tricks. Forbes, February 13, 2013
Zero-Day Flaws in Adobe Reader, Acrobat: Adobe is warning that attackers are exploiting critical flaws in its PDF Reader and Acrobat software to break into vulnerable systems, and that the exploit being used in attacks evades the sandbox protection built into these products. KrebsOnSecurity, February 15, 2013
iPhone lockscreen can be bypassed with new iOS 6.1 trick: A security flaw in Apple’s iOS 6.1 lets anyone bypass your iPhone password lock and access your phone app, view or modify contacts, check your voicemail, and look through your photos (by attempting to add a photo to a contact). The method, as detailed by YouTube user videosdebarraquito, involves making (and immediately canceling) an emergency call and holding down the power button twice. We followed the steps and managed to access the phone app on two UK iPhone 5s running iOS 6.1. This isn’t the first time this has happened – a very similar bug affected iOS 4.1, and was fixed in iOS 4.2. We’ve reached out to Apple for comment and will update you once we hear back. The Verge, February 14, 2013
Yahoo! Pushing Java Version Released in 2008: At a time when Apple, Mozilla and other tech giants are taking steps to prevent users from browsing the Web with outdated versions of Java, Yahoo! is pushing many of its users in the other direction: The free tool that it offers users to help build Web sites installs a dangerously insecure version of Java that is more than four years old. KrebsOnSecurity, February 11, 2013
Cyber Security Management – Cyber Update
Fat Patch Tuesday: Adobe and Microsoft each have issued security updates to fix multiple critical vulnerabilities in their products. Adobe released updates for Flash Player, AIR and Shockwave; Microsoft pushed out a dozen patches addressing at least 57 security holes in Windows, Office, Internet Explorer, Exchange and .NET Framework. KrebsOnSecurity, February 12, 2013
Cyber Security Management
Hackers Aim Arrows at Retail Bulls Eye: Cyber security breaches may come in all shapes and sizes, but thieves are honing in on the retail industry, hoping to slip through the sector’s security loopholes on the hunt for credit card numbers. Fox News, February 15, 2013
Leaving the door unlocked in information security: Inside the enterprise: Most data security threats are well known and can be prevented. But research shows firms fail to act. ITPro, February 14, 2013
Survey of GCs Sees Cybersecurity Risk, Anxiety: Dr. Stahl Quoted. Despite the growing threat of computer security breaches, some 30 percent of general counsel in a recent survey said their companies were not prepared to deal with such a crisis. And experts say more GCs need to overcome their technophobia and help their firms face the increasing risk. Law.com, February 13, 2013
Securing the Village – Critical Infrastructure
Zombie Hackers Exploited Emergency Alert System Security Flaws: FCC has known about security gaps in networked alert systems equipment for more than 10 years. What if next hoax is serious? InformationWeek, February 15, 2013
U.S. Agency Issues Call for National Cybersecurity Standards: In the post-Stuxnet world, the prospect of undeclared cyberwar has been dragged out of the shadows to the front pages. With that in mind, yesterday the U.S. National Institute of Standards and Technology (NIST) kicked off an effort to establish a set of best practices for protecting the networks and computers that run the country’s critical infrastructure. The Cybersecurity Framework was initiated at the behest of President Barack Obama, who issued an executive order calling for a common core of standards and procedures aimed at keeping power plants and financial, transportation, and communication systems from falling prey to any of a wide range of cybersecurity threats. IEEE Spectrum, February 15, 2013
Securing the Village
Certificate Authorities Form Group to Educate on SSL Best Practices: Responding to the increasing number of threats aimed at certificate authorities and the ecosystem of trusted online transactions they represent, seven certificate authorities have come together to form an advocacy group to advance security standards and promote best practices. CIO, February 15, 2013
European Union: EU Proposed Directive On Network And Information Security: On 7 February, the European Commission (EC) published an EU Cyber Security Strategy encompassing a proposed Directive on Network and Information Security (NIS Directive). The aim of the Strategy and NIS Directive is to establish a secure and trustworthy digital environment while promoting and protecting fundamental rights, including data protection, democracy and the rule of law. Mondaq, February 15, 2013
National Cyber Security
Napolitano Names Top Three Countries Where Cyber Attacks Against U.S. Are Launched: Homeland Security Secretary Janet Napolitano told NewsHour senior correspondent Ray Suarez on Friday that cyber attacks on the United States are on the rise, and internationally, three countries are the biggest sources: Iran, Russia and China. PBS Newshour, February 15, 2013
ACLU Responds to Executive Order on Cybersecurity; Opposes CISPA: WASHINGTON – President Obama tonight signed an executive order to protect U.S. critical infrastructure from cyberattacks by improving cybersecurity information sharing between the government and owners and operators of the nation’s critical infrastructure. Unlike legislation that will be introduced into the House tomorrow, the president’s executive order seeks to protect Americans’ digital privacy when information-sharing occurs, according to the ACLU. ACLU, February 13, 2013
Obama’s cybersecurity executive order: What you need to know: There was grave concern that the president could sign an executive order effectively signing into law some, if not most, parts of the proposed Cyber Intelligence Sharing and Protection Act (CISPA) Bill. Though it was passed by the US House, it failed to gain traction in the Senate, and also faced threats by the White House to veto the Bill altogether. (The whole Bill can be found at the bottom of this article.) ZDNet, February 13, 2013
Obama signs cybersecurity executive order ahead of State Of The Union: President Obama signed an executive order aimed at bolstering U.S. cybersecurity prior to tonight’s State of the Union address. The Order precedes a House Homeland Security Committee hearing on “new threats.” ZDNet, February 13, 2013
President Obama’s Cybersecurity Executive Order Scores Much Better Than CISPA On Privacy: With the reintroduction of the much-maligned Cyber Intelligence Sharing and Protection Act scheduled for the day after the State of the Union, the House of Representatives may have hoped the President’s own cybersecurity initiative would divert some of the attention away from the controversial legislation known as CISPA. Instead, the White House’s long-awaited executive order on cybersecurity is actually scoring points with the privacy advocates – and putting CISPA in a worse light than ever. Forbes, February 12, 2013
Executive Order – Improving Critical Infrastructure Cybersecurity: EXECUTIVE ORDER: IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY The White House, February 12, 2013
Contest aims to boost state of password encryption: A group of cryptographers from academia and the tech industry are hoping to improve online password protection by holding an international competition to develop a new password hash algorithm that is more difficult for hackers to break. CSO, February 15, 2013
Cybercrime Network Based in Spain Is Broken Up: MADRID – Europol, the European police agency, said Wednesday that it had dismantled one of the most efficient cybercrime organizations to date, led by Russians who had managed to extort millions of euros from online users across more than 30 countries – mostly European – by persuading them to pay spurious police fines for abusive use of the Internet. The New York Times, February 13, 2013
Securing the Village – Events Calendar
ISSA-LA February Lunch Meeting; February 20, 2013. Bring your CFO to Work Day: 5 Tips for Optimizing the InfoSec/Finance Relationship. For more information and to register, visit ISSA-LA.
ISSA-Ventura County February Dinner Meeting; February 21, 2013: Dr. Stan Stahl, Citadel and ISSA-LA President, will speak at the monthly meeting of the Ventura County ISSA Chapter. The meeting is held at Cal Lutheran University. For more information please contact firstname.lastname@example.org or call 805-876-4229.
ISSA-LA March Dinner Meeting; March 20, 2013. For more information and to register, visit ISSA-LA.
NAWBO Ventura County March Dinner Meeting, March 28, 2013: Citadel Vice President Ms. Kimberly Pease, CISSP, will speak on cybersecurity at the monthly meeting of the Ventura County Chapter of the National Association of Women Business Owners. In her talk The Growing Cyber Threat: Why the Bad Guys are Winning!, Kimberly will identify threats to information and computers, review common weaknesses being exploited by the bad guys and offer proactive steps you can take at business and at home to increase your security posture and decrease your exposure.
ISSA-LA April Lunch Meeting; April 17, 2013. For more information and to register, visit ISSA-LA.
Santa Monica Rotary Club; Lunch Meeting, May 3, 2013: Dr. Stan Stahl, Citadel and ISSA-LA President, will speak on cybersecurity at the weekly meeting of the Santa Monica Rotary Club. In this non-technical talk – It Takes the Village to Secure the Village SM – Dr. Stahl discusses the financial implications of cyber crime, illustrates how cyber criminals take control of a user’s computer, describes the limitations of technology, summarizes emerging cyber security laws, regulations and practices, and provides practical tips to lower the risk of becoming a victim.
ISSA-LA Fifth Annual Information Security Summit; May 21, 2013: Join over 500 of your colleagues and peers at the Universal City Hilton. Special Keynote Speaker: Howard Schmidt, former White House CyberSecurity Coordinator. For more information and to register, visit ISSA-LA. Special Early-Bird pricing until March 1.
Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community
The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you.