The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Cyber Crime

NBC.com hacked, briefly compromised with RedKit malware: The website NBC.com and other NBC websites were hacked and compromised by malware for a few hours around Thursday 12pm PST with RedKit malware. ZDNet, February 21, 2013

Developer Site That Was Used To Hack Facebook And Apple Issues Mea Culpa: The recent hacker breaches of high-profile tech firms including Facebook and Apple began with the compromise of another site you’ve likely never heard of: iPhoneDevSDK.com. And now that initial victim in the hacking spree is coming clean. Forbes, February 20, 2013

Educause Server Hit With Security Breach: A non-profit association for IT professionals in higher education announced Tuesday its server had been breached. ThreatPost, February 19, 2013

DDoS Attack on Bank Hid $900,000 Cyberheist: A Christmas Eve cyberattack against the Web site of a regional California financial institution helped to distract bank officials from an online account takeover against one of its clients, netting thieves more than $900,000. KrebsOnSecurity, February 19, 2013

Apple confirms attack by same hackers who hit Facebook: Apple acknowledged Tuesday that hackers had infiltrated a small number of the company’s computers. The Washington Post, February 19, 2013

Cyber Espionage

The Shanghai Army Unit That Hacked 115 U.S. Targets Likely Wasn’t Even China’s ‘A-Team’: In just the last week, the abbreviation APT1 has come to represent the bogeyman of digital espionage nightmares. On Monday, security response firm Mandiant released a report profiling a hacker group of that name-referring to it as Advanced Persistent Threat One-and providing detailed evidence that it represented the most active hacking unit within China’s People’s Liberation Army, one that’s compromised more than 141 private sector and government targets in seven years, 115 of which were American. Forbes, February 21, 2013

China Biggest, But Not the Only Country Engaged in Cyberespionage: Computerworld – China is by far the most aggressive, but not the only, country attempting the sort of extensive cyberespionage described in security firm Mandiant’s dramatic report, released this week. CIO, February 20, 2013

Bit9 Breach Began in July 2012: Malware Found Matches Code Used Vs. Defense Contractors in 2012: Cyber espionage hackers who broke into security firm Bit9 initially breached the company’s defenses in July 2012, according to evidence being gathered by security experts investigating the incident. Bit9 remains reluctant to name customers that were impacted by the intrusion, but the custom-made malicious software used in the attack was deployed last year in highly targeted attacks against U.S. Defense contractors. KrebsOnSecurity, February 20, 2013

Chinese Army Unit Is Seen as Tied to Hacking Against U.S.: On the outskirts of Shanghai, in a run-down neighborhood dominated by a 12-story white office tower, sits a People’s Liberation Army base for China’s growing corps of cyberwarriors. The New York Times, February 18, 2013

Cyber Privacy

If You’re Collecting Our Data, You Ought to Protect It: LAST summer, employees at the National Aeronautics and Space Administration received an in-house newsletter illustrated with mock front pages of USA Today and The Washington Post and seemingly hyperbolic headlines like: “NASA Laptop Stolen, Potential Compromise of 10,000 Employees’ Private Information!” The New York Times, February 16, 2013

The President Revives an Old Debate About Privacy: Few expect Internet privacy legislation in Congress this year. But many were heartened that the “p” word came up at all in the State of Union address Tuesday night. The New York Times, February 14, 2013

Cyber Warning

Hackers circulate tainted version of China cyber security report: (Reuters) – Unknown hackers are trying to infect computers by capitalizing on strong interest in a recent report by a security firm that accuses the Chinese military of supporting widespread cyber attacks on U.S. companies. Reuters, February 22, 2013

Cyber Update

Critical Security Updates for Adobe Reader, Java: Adobe and Oracle each released updates to fix critical security holes in their software. Adobe’s patch plugs two zero-day holes that hackers have been using to break into computers via Adobe Reader and Acrobat. Separately, Oracle issued updates to correct at least five security issues with Java. KrebsOnSecurity, February 20, 2013

Oracle Releases New Java Fixes, Speeds Up Patching Cycle: IDG News Service – Oracle released new Java security updates on Tuesday and announced plans to accelerate the release of future Java patches following recent attacks that have infected computers with malware by exploiting zero-day vulnerabilities in Java browser plug-ins. CIO, February 20, 2013 

Chrome 25 Fixes Nine High-Risk Vulnerabilities: Google has fixed nine high-severity vulnerabilities in its Chrome browser, as well as a dozen other flaws with the release of Chrome 25. This release is one of the few for which the company did not pay out much in the way of bug bounties, only giving out $3,500. ThreatPost, February 22, 2013

Cyber Security Management – Employee Awareness

5 myths about awareness: I’m often amazed by all the myths and misconceptions that pervade the security community when it comes to security awareness training. Here are the most common falsehoods I have heard, and why they are wrong. CSO, February 11, 2013

Cyber Security Management – HIPAA

HITRUST Establishing Work Group To Address Cybersecurity Issues: On Wednesday, the Health Information Trust Alliance announced that it will establish a new work group to address cybersecurity issues, Modern Healthcare reports. iHealthBeat, February 22, 2013

National Cyber Security

Smoking gun: Evidence is mounting that China’s government is sponsoring the cybertheft of Western corporate secrets. What should America do to stop it? The Economist, February 23, 2013

Kaspersky Lab CEO: Obama Cybersecurity Order ‘Step In Right Direction’: The founder of Russian cyber security firm Kaspersky Lab said President Barack Obama’s Feb. 12 executive order on cybersecurity was a “step in the right direction.” Forbes, February 19, 2013

Cyber Survey

Malware getting smarter, says McAfee: Savvier cyberattacks are being directed toward more critical segments of the U.S. economy, says the security provider. CNet, February 21, 2013

Cyber Career

15 tips for landing – and acing – a job interview: 1. Write a great resume to open the door: Interviews are granted to those whose resumes demonstrate accomplishments, contributions and value. If you’re not a great writer and you have trouble tooting your own horn, seek help from industry friends or consider a security-resume writer. CSO, February 4, 2013

Cyber Sunshine

The long arm of the Google: Is Google becoming a key arm of the law-enforcement complex? It certainly seems to be so with respect to art thefts. I first came across this idea back in November, when Bloomberg Markets profiled Jeff Gundlach, who was hit by art thieves in September…Reuters, February 20, 2013

Securing the Village-Events Calendar

ISSA-LA March Dinner Meeting; March 20, 2013. For more information and to register, visit ISSA-LA.

NAWBO Ventura County March Dinner Meeting, March 28, 2013: Citadel Vice President Ms. Kimberly Pease, CISSP, will speak on cybersecurity at the monthly meeting of the Ventura County Chapter of the National Association of Women Business Owners. In her talk The Growing Cyber Threat: Why the Bad Guys are Winning!, Kimberly will identify threats to  information and computers, review common weaknesses being exploited by the bad guys and offer proactive steps you can take at business and at home to increase your security posture and decrease your exposure.

ISSA-LA April Lunch Meeting; April 17, 2013. For more information and to register, visit ISSA-LA.

Santa Monica Rotary Club; Lunch Meeting, May 3, 2013: Dr. Stan Stahl, Citadel and ISSA-LA President, will speak on cybersecurity at the weekly meeting of the Santa Monica Rotary Club. In this non-technical talk – It Takes the Village to Secure the Village ^SM – Dr. Stahl discusses the financial implications of cyber crime, illustrates how cyber criminals take control of a user’s computer, describes the limitations of technology, summarizes emerging cyber security laws, regulations and practices, and provides practical tips to lower the risk of becoming a victim.

ISSA-LA Fifth Annual Information Security Summit; May 21, 2013: Join over 500 of your colleagues and peers at the Universal City Hilton. Special Keynote Speaker: Howard Schmidt, former White House CyberSecurity Coordinator. For more information and to register, visit ISSA-LA. Special Early-Bird pricing until March 1.

Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community

The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you.

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Cyber Crime

Facebook Says Hackers Breached Its Computers: Facebook admitted that it was breached by sophisticated hackers in recent weeks, two weeks after Twitter made a similar admission. Both Facebook and Twitter were breached through a well-publicized vulnerability in Oracle’s Java software. The New York Times, February 15, 2013

Exploit Sat on LA Times Website for 6 Weeks: The Los Angeles Times has scrubbed its Web site of malicious code that served browser exploits and malware to potentially hundreds of thousands of readers over the past six weeks. KrebsOnSecurity, February 13, 2013

Cyber Privacy

Staying Private on the New Facebook: Facebook is a personal vault that can contain photos of your firstborn, plans to bring down your government and, occasionally, a record of your indiscretions. New York Times, February 6, 2013

Following WikiLeaks’ Playbook, BalkanLeaks Releases Insurance File With Its Spilled Secrets: WikiLeaks may have faded from the headlines, but in a corner of Eastern Europe, a copycat is playing out the secret-spilling site’s saga again. And it’s learned all of its predecessor’s tricks. Forbes, February 13, 2013

Cyber Warning

Zero-Day Flaws in Adobe Reader, Acrobat: Adobe is warning that attackers are exploiting critical flaws in its PDF Reader and Acrobat software to break into vulnerable systems, and that the exploit being used in attacks evades the sandbox protection built into these products. KrebsOnSecurity, February 15, 2013

iPhone lockscreen can be bypassed with new iOS 6.1 trick: A security flaw in Apple’s iOS 6.1 lets anyone bypass your iPhone password lock and access your phone app, view or modify contacts, check your voicemail, and look through your photos (by attempting to add a photo to a contact). The method, as detailed by YouTube user videosdebarraquito, involves making (and immediately canceling) an emergency call and holding down the power button twice. We followed the steps and managed to access the phone app on two UK iPhone 5s running iOS 6.1. This isn’t the first time this has happened – a very similar bug affected iOS 4.1, and was fixed in iOS 4.2. We’ve reached out to Apple for comment and will update you once we hear back. The Verge, February 14, 2013

Yahoo! Pushing Java Version Released in 2008: At a time when Apple, Mozilla and other tech giants are taking steps to prevent users from browsing the Web with outdated versions of Java, Yahoo! is pushing many of its users in the other direction: The free tool that it offers users to help build Web sites installs a dangerously insecure version of Java that is more than four years old. KrebsOnSecurity, February 11, 2013

Cyber Security Management – Cyber Update

Fat Patch Tuesday: Adobe and Microsoft each have issued security updates to fix multiple critical vulnerabilities in their products. Adobe released updates for Flash Player, AIR and Shockwave; Microsoft pushed out a dozen patches addressing at least 57 security holes in Windows, Office, Internet Explorer, Exchange and .NET Framework. KrebsOnSecurity, February 12, 2013

Cyber Security Management

Hackers Aim Arrows at Retail Bulls Eye: Cyber security breaches may come in all shapes and sizes, but thieves are honing in on the retail industry, hoping to slip through the sector’s security loopholes on the hunt for credit card numbers. Fox News, February 15, 2013

Leaving the door unlocked in information security: Inside the enterprise: Most data security threats are well known and can be prevented. But research shows firms fail to act. ITPro, February 14, 2013

Survey of GCs Sees Cybersecurity Risk, Anxiety: Dr. Stahl Quoted Despite the growing threat of computer security breaches, some 30 percent of general counsel in a recent survey said their companies were not prepared to deal with such a crisis. And experts say more GCs need to overcome their technophobia and help their firms face the increasing risk. Law.com, February 13, 2013

Securing the Village – Critical Infrastructure

Zombie Hackers Exploited Emergency Alert System Security Flaws: FCC has known about security gaps in networked alert systems equipment for more than 10 years. What if next hoax is serious? InformationWeek, February 15, 2013

U.S. Agency Issues Call for National Cybersecurity Standards: In the post-Stuxnet world, the prospect of undeclared cyberwar has been dragged out of the shadows to the front pages. With that in mind, yesterday the U.S. National Institute of Standards and Technology (NIST) kicked off an effort to establish a set of best practices for protecting the networks and computers that run the country’s critical infrastructure. The Cybersecurity Framework was initiated at the behest of President Barack Obama, who issued an executive order calling for a common core of standards and procedures aimed at keeping power plants and financial, transportation, and communication systems from falling prey to any of a wide range of cybersecurity threats. ieee Spectrum, February 15, 2013

Securing the Village

Certificate Authorities Form Group to Educate on SSL Best Practices: Responding to the increasing number of threats aimed at certificate authorities and the ecosystem of trusted online transactions they represent, seven certificate authorities have come together to form an advocacy group to advance security standards and promote best practices. CIO, February 15, 2013

European Union: EU Proposed Directive On Network And Information Security: On 7 February, the European Commission (EC) published an EU Cyber Security Strategy encompassing a proposed Directive on Network and Information Security (NIS Directive). The aim of the Strategy and NIS Directive is to establish a secure and trustworthy digital environment while promoting and protecting fundamental rights, including data protection, democracy and the rule of law. Mondaq, February 15, 2013

National Cyber Security

Napolitano Names Top Three Countries Where Cyber Attacks Against U.S. Are Launched: Homeland Security Secretary Janet Napolitano told NewsHour senior correspondent Ray Suarez on Friday that cyber attacks on the United States are on the rise, and internationally, three countries are the biggest sources: Iran, Russia and China. PBS Newshour, February 15, 2013

ACLU Responds to Executive Order on Cybersecurity; Opposes CISPA: WASHINGTON – President Obama tonight signed an executive order to protect U.S. critical infrastructure from cyberattacks by improving cybersecurity information sharing between the government and owners and operators of the nation’s critical infrastructure. Unlike legislation that will be introduced into the House tomorrow, the president’s executive order seeks to protect Americans’ digital privacy when information-sharing occurs, according to the ACLU. ACLU, February 13, 2013

Obama’s cybersecurity executive order: What you need to know: There was grave concern that the president could sign an executive order effectively signing into law some, if not most, parts of the proposed Cyber Intelligence Sharing and Protection Act (CISPA) Bill. Though it was passed by the US House, it failed to gain traction in the Senate, and also faced threats by the White House to veto the Bill altogether. (The whole Bill can be found at the bottom of this article.) ZDNet, February 13, 2013

Obama signs cybersecurity executive order ahead of State Of The Union: President Obama signed an executive order aimed at bolstering U.S. cybersecurity prior to tonight’s State of the Union address. The Order precedes a House Homeland Security Committee hearing on “new threats.” ZDNet, February 13, 2013

President Obama’s Cybersecurity Executive Order Scores Much Better Than CISPA On Privacy: With the reintroduction of the much-maligned Cyber Intelligence Sharing and Protection Act scheduled for the day after the State of the Union, the House of Representatives may have hoped the President’s own cybersecurity initiative would divert some of the attention away from the controversial legislation known as CISPA. Instead, the White House’s long-awaited executive order on cybersecurity is actually scoring points with the privacy advocates-and putting CISPA in a worse light than ever.Forbes, February 12, 2013

Executive Order – Improving Critical Infrastructure Cybersecurity: EXECUTIVE ORDER: IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY The White House, February 12, 2013

Cyber Research

Contest aims to boost state of password encryption: A group of cryptographers from academia and the tech industry are hoping to improve online password protection by holding an international competition to develop a new password hash algorithm that is more difficult for hackers to break. CSO, February 15, 2013

Cyber Sunshine

Cybercrime Network Based in Spain Is Broken Up: MADRID – Europol, the European police agency, said Wednesday that it had dismantled one of the most efficient cybercrime organizations to date, led by Russians who had managed to extort millions of euros from online users across more than 30 countries – mostly European – by persuading them to pay spurious police fines for abusive use of the Internet. The New York Times, February 13, 2013

Securing the Village-Events Calendar

ISSA-LA February Lunch Meeting; February 20, 2013. Bring your CFO to Work Day: 5 Tips for Optimizing the InfoSec/ Finance Relationship. For more information and to register, visit ISSA-LA. 

ISSA-Ventura County February Dinner Meeting; February 21, 2013: Dr. Stan Stahl, Citadel and ISSA-LA President, will speak at the monthly meeting of the Ventura County ISSA Chapter. The meeting is held at Cal Lutheran University. For more information please contact [email protected] or call 805-876-4229.

ISSA-LA March Dinner Meeting; March 20, 2013. For more information and to register, visit ISSA-LA. 

NAWBO Ventura County March Dinner Meeting, March 28, 2013: Citadel Vice President Ms. Kimberly Pease, CISSP, will speak on cybersecurity at the monthly meeting of the Ventura County Chapter of the National Association of Women Business Owners. In her talk The Growing Cyber Threat: Why the Bad Guys are Winning!, Kimberly will identify threats to  information and computers, review common weaknesses being exploited by the bad guys and offer proactive steps you can take at business and at home to increase your security posture and decrease your exposure.

ISSA-LA April Lunch Meeting; April 17, 2013. For more information and to register, visit ISSA-LA.

Santa Monica Rotary Club; Lunch Meeting, May 3, 2013: Dr. Stan Stahl, Citadel and ISSA-LA President, will speak on cybersecurity at the weekly meeting of the Santa Monica Rotary Club. In this non-technical talk – It Takes the Village to Secure the Village ^SM – Dr. Stahl discusses the financial implications of cyber crime, illustrates how cyber criminals take control of a user’s computer, describes the limitations of technology, summarizes emerging cyber security laws, regulations and practices, and provides practical tips to lower the risk of becoming a victim.

ISSA-LA Fifth Annual Information Security Summit; May 21, 2013: Join over 500 of your colleagues and peers at the Universal City Hilton. Special Keynote Speaker: Howard Schmidt, former White House CyberSecurity Coordinator. For more information and to register, visit ISSA-LA. Special Early-Bird pricing until March 1.

Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community

The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you.

Weekend Vulnerability and Patch Report

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Cyber Crime

Secret Service investigating hack of Bush family e-mails: The Secret Service said Friday that it is investigating the theft of numerous personal e-mails from members of the Bush family, after an apparent hacker leaked the ­e-mails and Bush family photos to the Smoking Gun’s Web site. The Washington Post, February 8, 2013

Security Firm Bit9 Hacked, Used to Spread Malware: Bit9, a company that provides software and network security services to the U.S. government and at least 30 Fortune 100 firms, has suffered an electronic compromise that cuts to the core of its business: helping clients distinguish known “safe” files from computer viruses and other malicious software. KrebsOnSecurity, February 8, 2013

Crooks Net Millions in Coordinated ATM Heists: Organized cyber criminals stole almost $11 million in two highly coordinated ATM heists in the final days of 2012, KrebsOnSecurity has learned. The events prompted Visa to warn U.S. payment card issuers to be on high-alert for additional ATM cash-out fraud schemes in the New Year.KrebsOnSecurity, February 6, 2013

Hacktivists

Federal Reserve Admits It was Briefly Hacked During Super Bowl: Two days after the group Anonymous boasted it had broken into a government Web site and had the data dump to prove it, the U.S. Federal Reserve admitted it was hacked. ThreatPost, February 5, 2013

Cyber Espionage

China cyberspies highlighted by Schmidt book, Post report: Hot on the heels of reports from The New York Times and The Wall Street Journal, another storied U.S. newspaper – The Washington Post – has confirmed that it too was attacked by what it suspects were Chinese hackers. And a new book from Google’s Eric Schmidt reportedly calls the Asian country “the most sophisticated and prolific” hacker of foreign companies. CNet, February 2, 2013

Source: Washington Post Also Broadly Infiltrated By Chinese Hackers in 2012: The Washington Post was among several major U.S. newspapers that spent much of 2012 trying to untangle its newsroom computer networks from a Web of malicious software thought to have been planted by Chinese cyberspies, according to a former information technology employee at the paper. KrebsOnSecurity, February 1, 2013

Cyber Privacy

The Threat of Silence: Meet the groundbreaking new encryption app set to revolutionize privacy and freak out the feds. Slate, February 4, 2013

FTC Endorses New Privacy Guidelines, Do Not Track for Mobile Apps, Devices: Hoping to ramp up privacy on mobile devices such as smartphones and tablets, the Federal Trade Commission (FTC) has released a series of suggestions to help app developers, advertising networks and device companies better protect their users online.ThreatPost, February 4, 2013

Cyber Warning

New Whitehole Exploit Toolkit Emerges on the Underground Market: IDG News Service – A new exploit kit called Whitehole has emerged on the underground market, providing cybercriminals with one more tool to infect computers with malware over the Web, security researchers from antivirus vendor Trend Micro reported Wednesday. CIO, February 7, 2013

‘Fragmentation’ leaves Android phones vulnerable to hackers, scammers: In late October, researchers at North Carolina State University alerted Google to a security flaw that could let scam artists send phony text messages to Android phones – a practice called “smishing” that can ensnare consumers in fraud. The Washington Post, February 6, 2013

Android malware emerges on Google Play which installs a trojan on your PC, uses your microphone to record you: We’ve seen malware for PCs that infects mobile devices, but it turns out there’s also malware for mobile devices designed to infect PCs. Kaspersky researchers have discovered a new piece of Android malware that masquerades as a “cleaner” app meant to free memory for Google’s operating system but wreaks havoc on your smartphone in the background and on Microsoft’s operating system when it’s connected to a PC. TNW, February 3, 2013

Pro-Grade Point-of-Sale Skimmer: Every so often, the sophistication of the technology being built into credit card skimmers amazes even the experts who are accustomed to studying such crimeware. This post focuses on one such example – images from one of several compromised point-of-sale devices that used Bluetooth technology to send the stolen data to the fraudsters wirelessly. KrebsOnSecurity, February 1, 2013

Cyber Security Management

Ex-Employees Say It’s OK To Take Corporate Data With Them: New Symantec survey finds nearly 70 percent of employees who recently left or were fired from their job say their organizations don’t prevent them from using confidential info. DarkReading, February 7, 2013

More Executives Worry About Cyberattacks, Study Says: More corporate executives are concerned about cyberattacks and data breaches than property damage and investment risk, according to a survey commissioned by insurer American International Group Inc. The Wall Street Journal, February 6, 2013

Calling general counsel to the front lines of cybersecurity: As President Barack Obama studies how the U.S. military should respond to an increasing number of cyber attacks against public and private institutions, general counsel would be wise to examine their own companies’ situations. Daily Report, February 6, 2013

Backup Databases: The Data Security Achilles’ Heel: The same sensitive information on production databases resides on backups – protect them accordingly. Dr. Stahl is quoted in this story. DarkReading, February 5, 2013

Cyber Security Management – Cyber Update

Barracuda Issues Security Update, Apologizes To Customers: Barracuda Networks Monday issued a product update designed to address some of the security vulnerabilities that have been identified in some of its appliances, as well as a mea culpa for building hardcoded, undocumented backdoors into its products.InformationWeek, February 7, 2013

Critical Flash Player Update Fixes 2 Zero-Days: Adobe today pushed out an emergency update that fixes at least two zero-day vulnerabilities in its ubiquitous Flash Player software – flaws that attackers are already exploiting to break into systems. Interestingly, Adobe warns that one of the exploits in use is designed to drop malware on both Windows and Mac OS X systems. KrebsOnSecurity, February 7, 2013

Critical Java Update Fixes 50 Security Holes: Oracle Corp. has issued an update for its Java SE software that plugs at least 50 security holes in the software, including one the company said was actively being exploited in the wild. KrebsOnSecurity, February 3, 2013

Cyber Security Management – Cyber Defense

The Dreaded Captcha: Beginning Of The End?: If those all-but-impossible-to-read Captchas disappeared tomorrow, would anyone lament their demise?InformationWeek, February 1, 2013

Cyber Security Management – Payment Card Industry

PCI Council Releases Guidelines for Cloud Compliance: CIO – Cloud providers and cloud customers now have a roadmap that defines their security responsibilities in the cloud.CIO, February 7, 2013

Cyber Security Management – HIPAA

Blood Bank with Big Breach Settles with the FTC: CBR Systems Inc., a cord blood bank vendor, has settled with the Federal Trade Commission and agreed to a proposed consent order to improve its information security practices following a major breach of protected health information in December 2010. HealthDataManagement, January 30, 2013

Cyber Security Management – Critical Infrastructure

We need a cybersecurity policy: Reports are that the latest round of cyber-attacks have been aimed at large media outlets like the New York Times, Wall Street Journal and Washington Post. Before media, large banks and other financial institutions were being targeted. Before the financial industry, it was something else. All the while, the U.S. government is under constant bombardment from potential cyber threats probing for weaknesses. NetworkWorld, February 4, 2013

Cyber Sunshine

Microsoft, Symantec Hijack ‘Bamital’ Botnet: Microsoft and Symantec said Wednesday that have teamed up to seize control over the “Bamital” botnet, a multi-million dollar crime machine that used malicious software to hijack search results. The two companies are now using that control to alert hundreds of thousands of users whose PCs remain infected with the malware. KrebsOnSecurity, February 7, 2013

Securing the Village

NIST Seeks Comments to Final Public Draft of Major Federal Cybersecurity Document:The National Institute of Standards and Technology (NIST) is requesting comments on the final public draft of Security and Privacy Controls for Federal Information Systems and Organizations, Special Publication (SP)800-53, Revision 4. The document, two years in the making, is the latest revision to a document that is considered the principal catalog of security safeguards and countermeasures that federal agencies use to protect their information and information systems. NIST, February 6, 2013

Flaw Flood Busts Bug Bank: The Common Vulnerability & Exposures (CVE) index, the industry standard for cataloging software security flaws, is growing so rapidly that it will soon be adding a few more notches to its belt: The CVE said it plans to allow for up to 100 times more individual vulnerabilities to be indexed each year to accommodate an increasing number of software flaw reports. KrebsOnSecurity, February 4, 2013

National Cyber Security

Department of Energy Compromised in Sophisticated Attack: Hackers targeted and compromised computer networks at United States Department of Energy headquarters in Washington DC two weeks ago, according to a report published by the Washington Free Beacon earlier this morning. ThreatPost, February 4, 2013

Broad Powers Seen for Obama in Cyberstrikes: WASHINGTON – A secret legal review on the use of America’s growing arsenal of cyberweapons has concluded that President Obama has the broad power to order a pre-emptive strike if the United States detects credible evidence of a major digital attack looming from abroad, according to officials involved in the review. The New York Times, February 3, 2013

Cyber Attacks on Press Reveal Gap in US Diplomacy: On January 30, The New York Times reported that it had been under sustained cyber attacks from Chinese hackers who had infiltrated their system to steal login credentials and information from its reporters and employees. The Times noted that the attacks coincided with its coverage concerning the massive financial holdings of relatives of China’s prime minister, Wen Jiabao, and continued for months. Using tactics similar to those previously attributed by security experts to the Chinese military, the attackers weaved their communications through U.S. university systems in an attempt to mask their origin. One day later, The Wall Street Journal reported that its computer systems also have been subjected to “”wide-ranging electronic surveillance” by Chinese attackers in an attempt to gain intelligence on the publication’s coverage of Chinese issues. The articles revealed that Bloomberg LP and Thomson Reuters PLC have acknowledged that they, too, have suffered attacks, but they have not indicated who may have been behind them. Forbes, February 1, 2013

Securing the Village-Events Calendar

Cloud Security Alliance – Los Angeles Chapter; February 13, 2013: “Can encryption help alleviate concerns about moving to the cloud?” For more information and to register, go to meetup.com/LASC-CSA/.

ISSA-LA February Lunch Meeting; February 20, 2013. Bring your CFO to Work Day: 5 Tips for Optimizing the InfoSec/ Finance Relationship. For more information and to register, visit ISSA-LA.

ISSA-Ventura County February Dinner Meeting; February 21, 2013: Dr. Stan Stahl, Citadel and ISSA-LA President, will speak at the monthly meeting of the Ventura County ISSA Chapter. The meeting is held at Cal Lutheran University. For more information please contact [email protected] or call 805-876-4229.

ISSA-LA March Dinner Meeting; March 20, 2013. For more information and to register, visit ISSA-LA.

NAWBO Ventura County March Dinner Meeting, March 22, 2013: Citadel Vice President Ms. Kimberly Pease, CISSP, will speak on cybersecurity at the monthly meeting of the Ventura County Chapter of the National Association of Women Business Owners. In her talk The Growing Cyber Threat: Why the Bad Guys are Winning!, Kimberly will identify threats to  information and computers, review common weaknesses being exploited by the bad guys and offer proactive steps you can take at business and at home to increase your security posture and decrease your exposure.

ISSA-LA April Lunch Meeting; April 17, 2013. For more information and to register, visit ISSA-LA.

Santa Monica Rotary Club; Lunch Meeting, May 3, 2013: Dr. Stan Stahl, Citadel and ISSA-LA President, will speak on cybersecurity at the weekly meeting of the Santa Monica Rotary Club. In this non-technical talk – It Takes the Village to Secure the Village ^SM – Dr. Stahl discusses the financial implications of cyber crime, illustrates how cyber criminals take control of a user’s computer, describes the limitations of technology, summarizes emerging cyber security laws, regulations and practices, and provides practical tips to lower the risk of becoming a victim.

ISSA-LA Fifth Annual Information Security Summit; May 21, 2013: Join over 500 of your colleagues and peers at the Universal City Hilton. Special Keynote Speaker: Howard Schmidt, former White House CyberSecurity Coordinator. For more information and to register, visit ISSA-LA. Special Early-Bird pricing until March 1.

Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community

The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you.

Weekend Vulnerability and Patch Report

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Cyber Crime

Twitter, Washington Post targeted by hackers: SAN FRANCISCO – Social media giant Twitter is among the latest U.S. companies to report that it is among a growing list of victims of Internet security attacks, saying that hackers may have gained access to information on 250,000 of its more than 200 million active users. And now, The Washington Post is joining the chorus, revealing the discovery of a sophisticated cyberattack in 2011. NewsDay, February 1, 2013

New York Times hacking revelations shed new light on China cybercrime: Revelations that China apparently targeted the New York Times in a campaign of cyber-espionage have cast a rare spotlight on attempts by Beijing to crack down on any criticism of its ruling elite. The Guardian, January 31, 2013

Cyber Espionage

Wall Street Journal Infiltrated by Chinese Hackers: The Wall Street Journal says its computer systems have been infiltrated by Chinese hackers who were trying to monitor the newspaper’s coverage of China. ABC News, February 1, 2013

Hackers in China Attacked The Times for Last 4 Months: SAN FRANCISCO – For the last four months, Chinese hackers have persistently attacked The New York Times, infiltrating its computer systems and getting passwords for its reporters and other employees. The New York Times, January 31, 2013

Cyber Threat

Facts and figures behind the current threat landscape: Mobile malware up, spam down, the age of privacy is over and porn is less dangerous than advertisements – just some of the findings in a new annual security report. InfoSecurity, January 31, 2013

Cyber Warning

The New Child Pornography Malware. Blackmailing malware has been around for some time of course. A trojan or virus gets into the computer then locks it until a ransom has been paid: as I say, this has been around for some time now. However, there’s a variation of it that is much, much, more dangerous: it actually displays a piece of child pornography while claiming that this is what you’ve been watching and thus you must pay the fine. Forbes, February 1, 2013

Hacking The Laptop Docking Station: Black Hat Europe researcher builds prototype device that could be used to steal corporate data, listen in on voice calls, videoconferences. DarkReading, January 31, 2013

Yahoo Mail Breach Linked to Old WordPress Vulnerability: Researchers at Australia-based BitDefender say they’ve found how some Yahoo Mail accounts are being hijacked, and it leads back to “buggy” blog software Yahoo’s developers used.ThreatPost, January 31, 2013

Symantec Gets A Black Eye In Chinese Hack Of The New York Times: Having your email hacked and malicious software spread on your servers for months may be embarrassing. But being outed as the antivirus vendor that failed to catch the vast majority of that malware is likely more humiliating still. Forbes, January 31, 2013

5 Years After Major DNS Flaw is Discovered, Few U.S. Companies have Deployed Long-Term Fix: Network World – Five years after the disclosure of a serious vulnerability in the Domain Name System dubbed the Kaminsky bug, only a handful of U.S. ISPs, financial institutions or e-commerce companies have deployed DNS Security Extensions (DNSSEC ) to alleviate this threat. CIO, January 29, 2013

Disable This Buggy Feature On Your Router Now To Avoid A Serious Set Of Security Vulnerabilities: You’ve probably never checked whether your Internet router is set by default to use a harmless-sounding protocol called Universal Plug and Play. If it does, now’s a good time to turn it off. Forbes, January 29, 2013

Java Security Feature FAIL: Researcher Bypasses Java Sandbox, Security Settings: Zero-day bugs in Java have been coming fast and furious lately. In the latest twist, a researcher says he was able to cheat built-in security features in Java applications.DarkReading, January 28, 2013

Hackers squeeze through DVR hole, break into CCTV cameras: The digital video recorders of several CCTV video cameras are vulnerable to attacks that create a means for hackers to watch, copy or delete video streams, according to security researchers. The Register, January 28, 2013

Cyber Security Management

Lesson Learned in Cyberattack on The New York Times: CSO – The New York Times’ description of a cyberespionage campaign waged against the news media company by Chinese hackers demonstrates the importance of assuming criminals will eventually break into a computer system, and the best defense is to detect the intrusion as soon as possible. CIO, February 1, 2013

Cyber Security Management – Online Bank Fraud

Big Bank Mules Target Small Bank Businesses: A $170,000 cyberheist last month against an Illinois nursing home provider starkly illustrates how large financial institutions are being leveraged to target security weaknesses at small to regional banks and credit unions. KrebsOnSecurity, January 28, 2013

Cyber Security Management – Cyber Update

Apple Releases iOS 6.1 With Fixes for More Than 20 Vulnerabilities: Apple has fixed dozens of security vulnerabilities in iOS with the release of version 6.1, including a serious flaw in the kernel and a number of bugs in the WebKit framework. The company also revoked trust in the bad TurkTrust certificates that were discovered late last year. ThreatPost, January 29, 2013

Cyber Defense

Apple’s anti-malware blacklists Java 7 plug-in again: Apple has once again effectively blacklisted Java 7 web plug-ins on Macs by enforcing a minimum version for the software – a version that has yet to be released by Oracle. ZDNet, February 1, 2013

RSA, IBM Bet On Big Data Analytics To Boost Security: RSA and IBM’s turning to big data analytics to improve security monitoring mark what some analysts say could be the wave of the future. DarkReading, January 31, 2013

Mozilla takes drastic step to automatically block virtually all plug-ins in Firefox:Computerworld – Mozilla yesterday announced it would automatically disable all plug-ins in Firefox except the latest version of Adobe’s Flash Player, citing security and stability reasons for the move. ComputerWorld, January 30 2013

Google Offers $3.14159 Million In Total Rewards For Chrome OS Hacking Contest:Google has never been stingy when it comes to paying for information about security vulnerabilities in its products. Now it’s offering an especially large-and especially nerdy-sum of money. Forbes, January 28, 2013

National Cyber Security

Former Obama Cybersecurity Czar Warns Against Use of Cyberweapons: Talks of cyberwar and a cyber Pearl Harbor seem to be a regular fixture of news reports in the last few months, with prominent U.S. administration officials like Janet Napolitano or Leon Panetta regularly touting the threat of a cyber attack on the United States. But not everybody is buying it. For one, Howard Schmidt, the former chief cybersecurity advisor to President Barack Obama, is skeptical. Mashable, January 31, 2013

Rockefeller: Fortune 500 companies back voluntary cybersecurity standards: Leading U.S. companies will support a voluntary program enabling the government and industry to develop a set of cybersecurity best practices, according to a memo from Senate Commerce Committee Chairman Jay Rockefeller (D-W. Va.). The Hill, January 30, 2013

Pentagon Cyber Force Turns To Hackers To Meet Growing Demand: Faced with growing fears of potentially crippling cyber attacks and not enough skilled technicians to combat the threat, the Defense Department has launched a massive recruitment drive that’s tapping an unlikely group: computer hackers. HuffingtonPost, January 28, 2013

Unseen, all-out cyber war on the U.S. has begun: Security pros and government officials warn of a possible cyber 9/11 involving banks, utilities, other companies, or the Internet InfoWorld, January 28, 2013

Securing the Village – ISSA-LA

Obama Admin Cybersecurity Expert Howard Schmidt Speaks at ISSA-LA Annual Info Security Summit: Former cybersecurity coordinator of the Obama Administration, Howard A. Schmidt, will be a keynote speaker at the Los Angeles Chapter of the Information Systems Security Association Fifth Annual Information Security Summit on May 21, 2013. PRLog, January 29, 2013

Cyber Survey

Living in today’s “Any-to-any” world: Cybercriminals are taking advantage of the rapidly expanding attack surface found in today’s “any-to-any” world, where individuals are using any device to access business applications in a network environment that utilizes decentralized cloud services. The 2013 Cisco® Annual Security Report highlights global threat trends based on real-world data, and provides insight and analysis that helps businesses and governments improve their security posturing for the future.Cisco 2013 Annual Security Report

Cyber Misc

Ticketmaster abandons Captcha verification system: Ticketmaster will use a new verification system after deciding that Captcha has become too complex for human users to understand easily. The Telegraph, January 30, 2013

Securing the Village-Events Calendar

ISC2-LA February Dinner Meeting; February 5, 2013: Email Bill Zajac at [email protected] for more information.

Cloud Security Alliance – Los Angeles Chapter; February 13, 2013: “Can encryption help alleviate concerns about moving to the cloud?” For more information and to register, go to meetup.com/LASC-CSA/.

ISSA-LA February Lunch Meeting; February 20, 2013. For more information and to register, visit ISSA-LA.

ISSA-LA March Dinner Meeting; March 20, 2013.

NAWBO Ventura County March Dinner Meeting, March 22, 2013: Citadel Vice President Ms. Kimberly Pease, CISSP, will speak on cybersecurity at the monthly meeting of the Ventura County Chapter of the National Association of Women Business Owners. In her talk The Growing Cyber Threat: Why the Bad Guys are Winning!, Kimberly will identify threats to  information and computers, review common weaknesses being exploited by the bad guys and offer proactive steps you can take at business and at home to increase your security posture and decrease your exposure.

Santa Monica Rotary Club; Lunch Meeting, May 3, 2013: Dr. Stan Stahl, Citadel and ISSA-LA President, will speak on cybersecurity at the weekly meeting of the Santa Monica Rotary Club. In this non-technical talk – It Takes the Village to Secure the Village ^SM – Dr. Stahl discusses the financial implications of cyber crime, illustrates how cyber criminals take control of a user’s computer, describes the limitations of technology, summarizes emerging cyber security laws, regulations and practices, and provides practical tips to lower the risk of becoming a victim.

ISSA-LA Fifth Annual Information Security Summit; May 21, 2013: Join over 500 of your colleagues and peers at the Universal City Hilton. Special Keynote Speaker: Howard Schmidt, former White House CyberSecurity Coordinator. For more information and to register, visit ISSA-LA. Special Early-Bird pricing until March 1.

Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community

The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you.