The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Cyber Attack

Computer Networks in South Korea Are Paralyzed in Cyberattacks: SEOUL, South Korea – Computer networks running three major South Korean banks and the country’s two largest broadcasters were paralyzed Wednesday in attacks that some experts suspected originated in North Korea, which has consistently threatened to cripple its far richer neighbor. The New York Times, March 20, 2013

Cyber Warning

Apple security flaw discovered; two-step verification recommended: A major security flaw was discovered Friday that makes it possible to easily change another user’s Apple ID password and hijack the account. LA Times, March 22, 2013

A DHL delivery which is nothing but malware – Windows users warned of email attack:Just earlier this week, I warned about a malware attack that had been widely spammed out posing as a message from DHL Express International. NakedSecurity, March 20, 2013

Cyber Underworld

Botnet Business Booming: Some dismantled botnets rank in the top ten most prevalent as old bot malware gets repurposed, according to new Fortinet report. Dark Reading, March 19, 2013

The Obscurest Epoch is Today: To say that there is a law enforcement manhunt on for the individuals responsible for posting credit report information on public figures and celebrities at the rogue site exposed.su would be a major understatement. I like to think that when that investigation is completed, some of the information I’ve helped to uncover about those affiliated with the site will come to light. For now, however, I’m content to retrace some of my footwork this past weekend that went into tracking individuals who may have been responsible for attacking my site and SWATing my home last Thursday. KrebsOnSecurity, March 18, 2013

Cyber Privacy

Privacy 101: Skype Leaks Your Location: The events of the past week reminded me of a privacy topic I’ve been meaning to revisit: That voice-over-IP telephony service Skype constantly exposes your Internet address to the entire world, and that there are now numerous free and commercial tools that can be used to link Skype user account names to numeric Internet addresses. KrebsOnSecurity, March 21, 2013

Here’s The Judge’s Order Banning The FBI’s Secret Requests For Companies’ User Data:For the FBI, secret, warrantless snooping on companies’ user data may be about to get much more difficult. Forbes, March 15, 2013

Cyber Defense

Apple Strengthens iCloud Security With 2-Step Authentication: Apple on Thursday rolled out a tool that strengthens password security for Apple accounts: two-step verification, a feature widely available for many Web services. The New York Times, March 21, 2013

Google Fully Implements Security Feature on DNS Lookups: IDG News Service – Google has fully implemented a security feature that ensures a person looking up a website isn’t inadvertently directed to a fake one. CIO, March 19, 2013

Security-Bug Rating System Gets A Makeover: The Common Vulnerability Scoring System will be moving to its third iteration next year, aiming to make the rankings more objective and add more ratings to increase accuracy. DarkReading, March 19, 2013

Security of Open-Source Software Again Being Scrutinized: A recent round of flaws discovered in open-source software has reignited concerns that security is getting bypassed in the rush to continue expanding the large and extremely popular code base used by millions. CIO, March 13, 2013

Cyber Security Management

Most Small Businesses Don’t Recover From Cybercrime: In light of the growing number of high-profile cyber-attacks hitting tech and financial institutions across the country, the U.S. House Small Business Subcommittee on Health and Technology held a hearing Thursday on the topic of “Protecting Small Businesses Against Emerging and Complex Cyber-Attacks.” Fox News, March 21, 2013

The Seven Deadly Sins of Data Security: There is no shortage of advice on how to secure electronic information. Companies can look to pronouncements by state and federal agencies (for example, the recent statements by the California Attorney General and the Federal Trade Commission on mobile application security), private industry (like the Payment Card Industry’s Data Security Standards) and foreign standards (like the European Union Data Protection Directive). There is guidance regarding technical standards, corporate protocols, contracting requirements and others. Michael Gold, Esq., Robert Braun, Esq., Jeffer Mangels Butler Mitchell, March 18, 2013

National Cyber Security

Privacy Protection for Documents Stored in the Cloud Gets DoJ Nod: As House subcommittee weighs overhaul of 1986 statute to strengthen privacy in the cloud, senators introduce their own legislation to update Electronic Communications Privacy Act. Department of Justice affirms the Obama administration’s support for an overhaul.CIO, March 19, 2013

America’s 3 Biggest Cybersecurity Vunerabilities: When James Clapper, the country’s top intelligence official, visited Capitol Hill this week to discuss the major threats facing America, he put cyberattacks at the top of the list. National Journal, March 13, 2013

Cyber Law

Wholesalers Hid Data Breach From Customers, Suit Says: Restaurant and grocery suppliers Jetro Holdings LLC, Jetro Cash & Carry Enterprises LLC and Restaurant Depot LLC were hit Friday with a proposed class action over their alleged failure to notify consumers of a data breach that exposed confidential credit and debit card information. LAW 360, February 27, 2013

Genesco takes VISA to court over data breach: Nashville-based retailer Genesco Inc. is suing VISA, accusing the credit-card company of wrongfully taking more than $13 million as punishment for a data breach. The Tennessean, March 8, 2013

Cyber Survey

Third-Party Applications to Blame for 87 Percent of Vulnerabilities Last Year: Third-party applications accounted for a whopping percentage of vulnerabilities last year, many more than security flaws found in Microsoft programs according to a report released this week by Danish vulnerability research firm Secunia. ThreatPost, March 15, 2013

Survey: Investors Crave More Cyber Security Transparency: As corporate America continues to grapple with the mounting cyber threat, a new survey reveals investors want more information about security practices and may even shun stocks of companies with a poor cyber track record. Fox News, March 4, 2013

Securing the Village-Events Calendar

NAWBO Ventura County March Dinner Meeting, March 28, 2013: Citadel Vice President Ms. Kimberly Pease, CISSP, will speak on cybersecurity at the monthly meeting of the Ventura County Chapter of the National Association of Women Business Owners. In her talk The Growing Cyber Threat: Why the Bad Guys are Winning!, Kimberly will identify threats to  information and computers, review common weaknesses being exploited by the bad guys and offer proactive steps you can take at business and at home to increase your security posture and decrease your exposure.

SecureIT-2013, March 28, 2013: David Lam, our newest Citadel partner and ISSA Los Angeles VP, will be speaking at SecureIT on 28 March regarding the appropriate use of ISO 27001/2 as an information security framework. David will be showing how the framework is extensible to all different sizes of organizations, and how it helps you achieve both security and compliance. For more information and to register, visitwww.secureitconf.com.

ISSA-LA April Lunch Meeting; April 17, 2013. For more information and to register, visitISSA-LA.

Santa Monica Rotary Club; Lunch Meeting, May 3, 2013: Dr. Stan Stahl, Citadel and ISSA-LA President, will speak on cybersecurity at the weekly meeting of the Santa Monica Rotary Club. In this non-technical talk – It Takes the Village to Secure the Village ^SM – Dr. Stahl discusses the financial implications of cyber crime, illustrates how cyber criminals take control of a user’s computer, describes the limitations of technology, summarizes emerging cyber security laws, regulations and practices, and provides practical tips to lower the risk of becoming a victim.

ISSA-LA Fifth Annual Information Security Summit; May 21, 2013: Join over 500 of your colleagues and peers at the Universal City Hilton. Special Keynote Speaker: Howard Schmidt, former White House CyberSecurity Coordinator. For more information and to register, visit ISSA-LA.

Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community

The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you.

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Cyber Crime

US government cyber-security database taken offline due to hacker attack: A federal government database that stores malicious viruses and cyber-attacks has been taken offline following the detection of a hacker attack on its servers. The database is meant to provide an early warning of Internet infiltration by new viruses. RT, March 15, 2013

Israeli Government Websites Targeted in Watering Hole Attack: A new watering hole attack has been reported, this one targeting two government-related websites based in Israel that have been injected with malware exploiting a six-month-old vulnerability in Internet Explorer. ThreatPost, March 13, 2013

Top Credit Agencies Say Hackers Stole Celebrity Reports: Experian Plc (EXPN), Equifax Inc. (EFX) and TransUnion Corp. (TRUN), the three biggest U.S. credit-reporting companies, said they uncovered cases where hackers gained illegal, unauthorized access to users’ information. Bloomberg, March 12, 2013

Cyber Underworld

The World Has No Room For Cowards: It’s not often that one has the opportunity to be the target of a cyber and kinetic attack at the same time. But that is exactly what’s happened to me and my Web site over the past 24 hours. On Thursday afternoon, my site was the target of a fairly massive denial of service attack. That attack was punctuated by a visit from a heavily armed local police unit that was tricked into responding to a 911 call spoofed to look like it came from my home. KrebsOnSecurity, March 15, 2013

Credit Reports Sold for Cheap in the Underweb: Following the online publication of Social Security numbers and other sensitive data on high-profile Americans, the three major credit reporting bureaus say they’ve uncovered cases where hackers gained access to users’ information, Bloomberg reports. The disclosure, while probably discomforting for many, offers but a glimpse of the sensitive data available to denizens of the cybercrime underworld, which hosts several storefronts that sell cheap, illegal access to consumer credit reports. KrebsOnSecurity, March 13, 2013

Cyber Privacy

Privacy backlash against CISPA cybersecurity bill gains traction: A petition to the White House asking the president to “stop” a controversial cybersecurity bill passes the 100,000 mark. The only problem: President Obama has already threatened to veto it.CNet, March 13, 2013

Cyber Defense

New Google Site Aimed At Helping Webmasters of Hacked Sites: IDG News Service (Miami Bureau) – Google has launched a site for webmasters whose sites have been hacked, something that the company says happens thousands of times every day. CIO, March 13, 2013

Help Keep Threats at Bay With ‘Click-to-Play’: Muzzling buggy and insecure Web browser plugins like Java and Flash goes a long way toward blocking attacks from drive-by downloads and hacked or malicious Web sites. But leaving them entirely unplugged from the browser is not always practical, particularly with Flash, which is used on a majority of sites. Fortunately for many users, there is a relatively simple and effective alternative: Click-to-Play. KrebsOnSecurity, March 13, 2013

Microsoft to Roll Out Windows Store App Patches Quickly: IDG News Service – Microsoft will release security updates for applications in its Windows Store as those patches are available in order to speed up the updating process. CIO, March 13, 2013

Cyber Update

Apple Fixes OS X Flaw That Allowed Java Apps to Run With Plugin Disabled: Apple on Thursday released a large batch of security fixes for its OS X operating system, one of which patches a flaw that allowed Java Web Start applications to run even when users had Java disabled in the browser. OS X 10.8.3 fixes 21 total vulnerabilities, and also includes a new version of the malware removal tool for Apple machines. ThreatPost, March 15, 2013

Critical Updates for Windows, Adobe Flash, Air: Microsoft and Adobe each released patches today to plug critical security holes in their products. Microsoft issued seven update bundles to address at least 19 20 vulnerabilities in Windows and related software. Adobe released the fourth security update in nearly as many weeks for its Flash Player software, as well as a fix for Adobe AIR. KrebsOnSecurity, March 12, 2013

National Cyber Security

Obama: Cybersecurity ‘key’ in talks with China: In talks with Chinese President Xi Jinping, President Obama stated that cybersecurity is a “key” topic in discussions between both nations. ZDNet, March 15, 2013

Intelligence Officials See Cyberattacks As a Top US Threat: IDG News Service (Washington, D.C., Bureau) – Cyberattacks are near the top of the list of most serious threats facing the U.S., with the rivaling concerns about terrorism and North Korea, intelligence officials with President Barack Obama’s administration said. CIO, March 12, 2013

Cyber Law

Apparel Company Files Landmark Lawsuit Against Visa in PCI Dispute: A Tennessee-based footwear and apparel company has filed a $13 million lawsuit against Visa for what it considers random, subjective penalties for being out of compliance with the Payment Card Industry (PCI) standard the credit card company regulates. ThreatPost, March 12, 2013

Cyber Survey

DDoS, Malware Attacks Cost Victims Thousands Of Dollars A Day: New eye-popping data shows the cost of cyberattacks to victim organizations: They spend as much as $6,500 per hour to recover from DDoS attacks, and $3,000 a day for up to 30 days recovering from malware infections. DarkReading, March 12, 2013

Cyber Research

Cryptographers Demonstrate New Crack For Common Web Encryption: It’s long been known that one of the oldest and most widely used standards for encrypting web sites has some serious weaknesses. But one group of researchers has found a method that downgrades that security scheme from vaguely flawed to demonstrably breakable.Forbes, March 13, 2013

Securing the Village-Events Calendar

ISSA-LA March Dinner Meeting; March 20, 2013. Garret Grajek, CTO / COO, SecureAuth Corporation will speak on Securing Mobile Apps for the Enterprise. Luminaria’s 3500 West Ramona Boulevard. Monterey Park. 6:30 – 8:45. For more information and to register, visit ISSA-LA.

NAWBO Ventura County March Dinner Meeting, March 28, 2013: Citadel Vice President Ms. Kimberly Pease, CISSP, will speak on cybersecurity at the monthly meeting of the Ventura County Chapter of the National Association of Women Business Owners. In her talk The Growing Cyber Threat: Why the Bad Guys are Winning!, Kimberly will identify threats to  information and computers, review common weaknesses being exploited by the bad guys and offer proactive steps you can take at business and at home to increase your security posture and decrease your exposure.

SecureIT-2013, March 28, 2013: David Lam, our newest Citadel partner and ISSA Los Angeles VP, will be speaking at SecureIT on 28 March regarding the appropriate use of ISO 27001/2 as an information security framework. David will be showing how the framework is extensible to all different sizes of organizations, and how it helps you achieve both security and compliance. For more information and to register, visitwww.secureitconf.com.

ISSA-LA April Lunch Meeting; April 17, 2013. For more information and to register, visitISSA-LA.

Santa Monica Rotary Club; Lunch Meeting, May 3, 2013: Dr. Stan Stahl, Citadel and ISSA-LA President, will speak on cybersecurity at the weekly meeting of the Santa Monica Rotary Club. In this non-technical talk – It Takes the Village to Secure the Village ^SM – Dr. Stahl discusses the financial implications of cyber crime, illustrates how cyber criminals take control of a user’s computer, describes the limitations of technology, summarizes emerging cyber security laws, regulations and practices, and provides practical tips to lower the risk of becoming a victim.

ISSA-LA Fifth Annual Information Security Summit; May 21, 2013: Join over 500 of your colleagues and peers at the Universal City Hilton. Special Keynote Speaker: Howard Schmidt, former White House CyberSecurity Coordinator. For more information and to register, visit ISSA-LA.

Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community

The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you.

The following software vulnerabilities and updates were announced last week. Citadel Information Group strongly recommends that readers update their computers and take other action as indicated.

Cyber Crime

Microsoft joins Apple, Facebook as target of hackers: Feb. 23 (Bloomberg) – Microsoft Corp., the largest software maker, said a small number of its computers were infected by malicious software in a cyberattack similar to those experienced by Facebook Inc. and Apple Inc. The Washington Post, February 23, 2013

Hack On Zendesk Affects Twitter, Pinterest, Tumblr Users: The hack of a common provider of customer service software may put the personal information of Twitter, Pinterest, and Tumblr customers at risk, the companies said today. DarkReading, February 22, 2013

Cyber Espionage

From Shanghai With Love: Espionage, like so many things these days, ain’t what it used to be now that the computer has supplanted the cloak and dagger. While James Bond used to ply his trade in exotic locales, surrounded by beautiful women and driving fancy sports cars equipped with all sorts of great gadgets, spies now are hackers holed up in nondescript office buildings in Shanghai. Barron’s, February 23, 2013

Cyber Privacy

Audit finds problems with census information security: Weaknesses in Census Bureau information security could compromise the confidentiality and integrity of the agency’s survey data, according to a report released Wednesday by Congress’s auditing department. The Washington Post, February 22, 2013

Identity Theft

Identity Theft Remains Top Consumer Complaint Fielded by FTC: The FTC’s annual look at its Consumer Sentinel Network database of complaints found that 2012 was the first year the agency got more than 2 million complaints overall, and 369,132, or 18%, were related to identity theft. Of those, more than 43% related to tax- or wage-related fraud, the agency stated. CIO, February 26, 2013

Incidence of Identity Theft Hits 3-Year High: Identity theft in the United States rose to a three-year high in 2012, with more than 5 percent of the adult population, or 12.6 million people, falling victim to such crimes, says a new survey. Yahoo, February 25, 2013

Cyber Misc

Here’s What Law Enforcement Can Recover From A Seized iPhone: You may think of your iPhone as a friendly personal assistant. But once it’s alone in a room full of law enforcement officials, you might be surprised at the revealing things it will say about you. Forbes, February 26, 2013 

BBC blocked in China just days after reporting on Chinese hackers: The British Broadcasting Corporation may have discovered a new “red line” for the Chinese government: don’t bring reporters near the Shanghai complex where China’s suspected military hacking team is thought to be located. The Washington Post, February 25, 2013

Cyber Warning

Evernote Resets Everyone’s Passwords After Intrusion: Evernote’s security team has detected a coordinated attempt to gain access to secured areas of their systems. So as to be safe, rather than sorry, they have forced all users to reset their passwords before proceeding to use the service. InformationWeek March 2, 2013

Dropbox Users Reporting More Spam Following Last Summer’s Breach: It appears the breach of cloud-based storage service Dropbox last year has spurned another wave of spam over the last week or so. Users began posting complaints on the service’s Bugs and Troubleshooting forum yesterday claiming that their Dropbox-specific accounts started receiving spam again last weekend. ThreatPost, March 1, 2013

New Java 0-Day Attack Echoes Bit9 Breach: Once again, attackers are leveraging a previously unknown critical security hole in Java to break into targeted computers. Interestingly, the malware and networks used in this latest attack match those found in the recently disclosed breach at security firm Bit9. KrebsOnSecurity, March 1, 2013

Japanese agency warns of information-stealing Android porn app: IDG News Service (Tokyo Bureau) – A Japanese Internet security agency has issued a public warning about Android apps that offer free images of scantily clad models to trick users into giving up their personal details. CIO, March 1, 2013

NBC hack infects visitors in ‘drive by’ cyberattack: Chances are, you know not to open that e-mail attachment from the “Nigerian prince” who wants to give you a hundred grand. But a hack of some NBC.com sites on Thursday proves you can accidentally download malware even when visiting a reputable website. CNN, February 23, 2013

Move Over, APTs – The RAM-Based Advanced Volatile Threat Is Spinning Up Fast: For security pros, the advanced persistent threat (APT) has become a term as everyday as virus or Trojan horse. But as defenders become increasingly wise to the APT, experts say, attackers are now trying a new approach: the advanced volatile threat (AVT). Dark Reading, February 22, 2013

Cyber Defense

Amid Hacking Headaches, Twitter Begins Using Email Authentication: Amid a string of hackings this week, Twitter said it has begun using a new security protocol that will help reduce email-based abuse and ensure that emails coming from a Twitter.com address are authentic. Fox News, February 22, 2013

Cyber Security Management

More Companies Reporting Cyber Security Incidents: At least 19 financial institutions have disclosed to investors in recent weeks that their computers were targets of malicious cyber­assaults last year, a sign of growing openness among corporations about the breadth of cybersecurity incidents plaguing the private sector. The Washington Pose, March 1, 2013

A Vulnerability Disclosure Game Changer: Two new ISO standards will push third-party developers, online service providers and even hardware vendors to stop ignoring vulnerability disclosures. DarkReading, March 1, 2013

Tale Of Two Compromises Provides Lessons For SMBs: The stories behind the hacking of a startup’s CEO and a journalist, as told at the RSA Conference, provides small and medium businesses with good tactics to secure their businesses. DarkReading, March 1, 2013

IT Security Managers Too Focused on Compliance, Experts Say: Companies with IT security strategies that focus mostly on complying with key standards are dangerously unprepared for emerging cyber threats, said security experts at the RSA Conference 2013 here this week. CIO, March 1, 2013

Cloud Security Falls Short … But Could Be Great: SAN FRANCISCO – RSA CONFERENCE 2013 – Public cloud services could have better security than the vast majority of corporate on-premise networks, but today’s tools fail to provide needed protections, and providers and security firms fall short of the cooperation necessary to build security into the cloud. DarkReading, February 26, 2013

Securing the Village

Cyber Attacks and Cyber Crime Abroad: Veteran CLBR guest Stan Stahl returns to explain what is going on and what is or should be done about it. They discuss the major Cyber Attacks against the U.S. and U.S. businesses from Iran and China and of an emerging marketplace for Cyber Crime in Russia. WebmasterRadio, February 28, 2013

NIST seeks cybersecurity guidance: The National Institute of Standards and Technology issued a request for information in the Feb. 26 Federal Register asking for comments to help develop a cybersecurity framework and guidance. FCW, February 26, 2013

An Eerie Silence on Cybersecurity: Apart from a few companies like Google, which revealed that Chinese hackers had tried to read its users’ e-mail messages, American companies have been disturbingly silent about cyberattacks on their computer systems – apparently in fear that this disclosure will unnerve customers and shareholders and invite lawsuits and unwanted scrutiny from the government. The New York Times, February 27, 2013

ISSA-LA

Executive Forum: 5th Annual Information Security Summit The Growing Cyber Threat: Protect Your Business: Tuesday, May 21, 2013 8:30 – 11:00 Information risk is business risk. Managing information risk is now the responsibility of executive and senior management. From Main Street to Wall Street, cybercriminals are stealing our money, our trade secrets, our credit cards, our personal health information, our identities and our ability to conduct commerce. Laws, regulations and contractual agreements are raising the cost of insecurity. Business, not-for-profits and government agencies have become the first line-of-defense. ISSA-LA

National Cyber Security

New Evidence Shows Stuxnet Used Since At Least 2007: IDG News Service – Researchers from security firm Symantec have found and analyzed a version of the Stuxnet cybersabotage malware that predates previously discovered versions by at least two years and used a different method of disrupting uranium enrichment processes at Iran’s nuclear facility at Natanz. CIO, February 26, 2013

U.K., India Sign Cybersecurity Pact: U.K. Prime Minister David Cameron last week signed a cybersecurity deal with India’s Prime Minister Manmohan Singh to reassure Brits about protection of data held by outsourcers or cloud companies in India.Information Week, February 25, 2013

Obama’s Five-Point Plan To Fight Cyber-Crime: Continued cyber-attacks on the United States may soon be met with trade or diplomatic punishment against the nations of origin. The Obama administration last week listed more than a dozen instances of international assaults against U.S. businesses, resulting in stolen trade secrets, blunted competitive edge and lost American jobs. Forbes, February 23, 2013

White House will soon revive cybersecurity legislation push: (Reuters) – A senior adviser to President Barack Obama said the White House will soon renew efforts to push cybersecurity legislation through Congress, though he foresaw an uphill battle given the failure of the last attempt. Reuters, February 25, 2013

Chinese army hackers are the tip of the cyberwarfare iceberg: China is awash with nondescript new office buildings so the 12-storey tower on the outskirts of Shanghai’s Pudong area hardly looked likely to cause global headlines. Not even propaganda posters on walls surrounding it or People’s Liberation Army guards standing at the gates made the building stand out. The Guardian, February 23, 2013

Cyber Sunshine

Latest Kelihos Botnet Shut Down Live at RSA Conference 2013: The third version of the prolific peer-to-peer botnet responsible for volumes of pharmaceutical spam, Bitcoin wallet theft and credential harvesting was shut down before a live audience today at RSA Conference 2013. February 26, 2013

Citadel Information Group … Delivering Information Peace of Mind ® to Business and the Not-for-Profit Community

The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you.