Guest column by Citadel Information Group

 

Guest column by Citadel Information Group

Cyber Security News of the Week

Cyber Privacy

Facebook admits year-long data breach exposed six million users: (Reuters) – Facebook Inc has inadvertently exposed 6 million users’ phone numbers and email addresses to unauthorized viewers over the past year, the world’s largest social networking company disclosed late Friday. Reuters, June 22, 201 

Newly disclosed papers give rules for NSA surveillance without a warrant: Classified documents newly made available to The Washington Post and the Guardian describe the National Security Agency’s procedures for protecting the privacy of U.S. citizens. Since Edward Snowden, a former NSA contractor, first leaked documents describing the agency’s surveillance program this month, it has become the subject of intense controversy here and abroad. The new disclosures did not mollify the agency’s critics:The Washington Post, June 21, 2013

Edward Snowden: the truth about US surveillance will emerge: The NSA whistleblower Edward Snowden has warned that the truth about the extent of surveillance carried out by US authorities would emerge, even if he was eventually silenced. The Guardian, June 17, 2013

Intel Leaker Edward Snowden Attacks NSA’s Distinction Between Americans And Foreigners: Debate over the National Security Agency’s spying powers has long focused on its potentially unconstitutional spying on Americans. But as NSA leaker Edward Snowden reveals more of his motives to the public, it now seems he’s equally critical of the NSA’s legal core mission: practically unlimited spying on foreigners. Forbes, June 17, 2013

Cyber Warning

COMMON WEB VULNERABILITIES PLAGUE TOP WORDPRESS PLUG-INS: Since late March, no fewer than a half-dozen high profile attacks have involved a compromised website built on the WordPress platform. Attackers abuse vulnerabilities in the content management system’s customizable plug-ins and themes to pull off anything from drive-by downloads to watering hole attacks. ThreatPost, June 20, 2013

Online Bank Fraud

Double Cashing With Mobile Banking: The case of a Kentucky man arrested this month for using mobile banking to steal thousands of dollars from a local supermarket chain highlights the security loopholes that thieves can exploit in mobile check deposit schemes being deployed by financial institutions across the country. KrebsOnSecurity, June 17, 2013

ACH Fraud Cases: Lessons for Banks: Former federal banking examiner Amy McHugh says banks can learn a lot from recent legal decisions and settlements in account takeover cases, including which authentication and online-banking security investments they should make. BankInfoSecurity, June 17, 2013

Cyber Security Management

Cyber crime: Is it on your radar?: The costs associated with cyber crime are rising. Annie Plaskett looks at the solutions available to business. Financial Director, June 17, 2013

How ME Bank moved information security from IT to the boardroom: A concerted effort to push information-security risk from the IT group across the business organisation has had “a dramatic effect” on the profile of IT security at ME Bank, according to information security manager Lachlan McGill. CSO, June 17, 2013

Cyber Security Management – Cyber Update

Critical Update Plugs 40 Security Holes in Java: Oracle today released a critical patch update for its Java software that fixes at least 40 security vulnerabilities in this widely deployed program and browser plugin. Updates are available for Java 7 on both Mac and Windows. KrebsOnSecurity, June 18, 2013

Cyber Security Management – Cyber Defense

Microsoft to Offer Standing Bug Bounty: Microsoft said today it will pay up to $100,000 to security researchers who find and report novel methods for bypassing the security built into the latest version of the company’s flagship operating system. Researchers who go the extra mile and can also demonstrate a way to block the new attack method they’ve reported can earn an extra $50,000. KrebsOnSecurity, June 19, 2013

Windows Security 101: EMET 4.0: Several years ago, Microsoft released the Enhanced Mitigation Experience Toolkit (EMET), a free tool that can help Windows users beef up the security of third-party applications. This week, Microsoft debuted EMET 4.0, which includes some important new security protections and compatibility fixes for this unobtrusive but effective security tool. KrebsOnSecurity, June 18, 2013

Cyber Security Management – HIPAA

Six legal tips for HIPAA omnibus compliance: The HIPAA omnibus rule will go into effect on Sept. 23, but law firms are already doling out HIPAA advice to covered entities. Eileen Elliott, a partner in the Burlington, VT-based law firm Dunkiel, Saunders, Elliott, Raubvogel & Hand, concentrates on healthcare law and provided six tips for healthcare providers as they prepare for potential HIPAA audits in 2014. Health IT Security, June 18, 2013

Sara Boyns: New definition of ‘breach’ under HIPAA: Q: I am a covered health care provider subject to the Health Insurance Portability and Accountability Act (HIPAA). I recently heard there is a new rule about when we have to report if an employee accesses a patient’s medical record in violation of HIPAA. I know that I am supposed to report breaches of my patient’s protected health information, but how am I supposed to determine whether a breach has occurred? Monterey Herald, May 30, 2013

National Cyber Security

U.S. charges Snowden with espionage: Federal prosecutors have filed a criminal complaint against Edward Snowden, the former National Security Agency contractor who leaked a trove of documents about top-secret surveillance programs, and the United States has asked Hong Kong to detain him on a provisional arrest warrant, according to U.S. officials. The Washington Post, June 21, 2013

MICROSOFT’S BUG BOUNTY PROGRAM AND THE LAW OF UNINTENDED CONSEQUENCES: The Microsoft bug bounty program has been nearly a decade in the making and it is clear from the shape and size of it that the company did not simply slap the program together in order to join the cool kids. Rather, Microsoft’s security team spent years watching the way other programs work, seeing what incentives attract good researchers and looking for a system that made sense for Microsoft’s specific goals. The result is a well thought-out reward system that likely will reward good research while making customers safer at the same time. But the program may also create some unintended consequences and ripples in the security world.ThreatPost, June 21, 2013

NSA Implementing ‘Two-Person’ Rule To Stop The Next Edward Snowden: The next Edward Snowden may need a partner on the inside. On Tuesday, National Security Agency Director Keith Alexander told a congressional hearing of the Intelligence Committee that the agency is implementing a “two-person” system to prevent future leaks of classified information like the one pulled off by 29-year-old Booz Allen contractor Edward Snowden, who exfiltrated “thousands” of files according to the Guardian, to whom he has given several of the secret documents. Forbes, June 18, 2013

Obama Defends Authorization of Surveillance Programs: WASHINGTON – President Obama defended his authorization of recently revealed domestic and international surveillance programs in comments broadcast Monday night but rejected the suggestion that his policies were basically a warmed-over version of those of the last White House. The New York Times, June 17, 2013

GCHQ intercepted foreign politicians’ communications at G20 summits: Foreign politicians and officials who took part in two G20 summit meetings in London in 2009 had their computers monitored and their phone calls intercepted on the instructions of their British government hosts, according to documents seen by the Guardian. Some delegates were tricked into using internet cafes which had been set up by British intelligence agencies to read their email traffic. The Guardian, June 17, 2013

Forget PRISM: Global Cyberchiefs Say They Need to Pry Even Further: The exposure of the PRISM data-collection program might not fall squarely under the heading of the third annual International Cyber Security Conference, which concluded on Wednesday at Tel Aviv University. The secret data-collection program, by which U.S. intelligence agencies routinely vacuum up huge amounts of private communications from Internet users, stands outside the realm of safeguarding the cyberworld from attacks. PRISM is defended as an antiterrorism measure, necessary to detect plots as they are hatched between evildoers communicating with one another online. Time, June 13, 2013

Critical Infrastructure

Energy secretary creates cybersecurity council: Energy Secretary Ernest Moniz said he has created a cybersecurity council to bring together various Energy Department branches, a move that underscores increasing political and policy focus on cyber threats. The Hill, June 12, 2013

 

Guest column by Citadel Information Group

 

Guest column by Citadel Information Group

Cyber Security News of the Week

Cyber Privacy

PRISM: Here’s how the NSA wiretapped the Internet: The U.S. National Security Agency’s PRISM program is able to collect, in realtime, intelligence not limited to social networks and email accounts. But the seven tech companies accused of opening ‘back doors’ to the spy agency could well be proven innocent. ZDNet, June 8, 2013

Obama Calls Surveillance Programs Legal and Limited: WASHINGTON – President Obama offered a robust defense of newly revealed surveillance programs on Friday as more classified secrets spilled into public, complicating a summit meeting with China’s new president focused partly on human rights and cybersecurity. The New York Times, June 7, 2013

U.S., British intelligence mining data from nine U.S. Internet companies in broad secret program: The National Security Agency and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio and video chats, photographs, e-mails, documents, and connection logs that enable analysts to track foreign targets, according to a top-secret document obtained by The Washington Post.The Washington Post, June 6, 2013 

Watch Top U.S. Intelligence Officials Repeatedly Deny NSA Spying On Americans Over The Last Year (Videos): To paraphrase Joseph Heller: Just because you’re paranoid doesn’t mean they aren’t surveilling you. Forbes, June 6, 2013

Europe Continues Wrestling With Online Privacy Rules: BRUSSELS – More than a year ago, the European Union’s top justice official proposed a tough set of measures for protecting the privacy of personal data online. The New York Times, June 6, 2013

NSA’s Verizon Spying Order Specifically Targeted Americans, Not Foreigners: The National Security Agency has long justified its spying powers by arguing that its charter allows surveillance on those outside of the United States, while avoiding intrusions into the private communications of American citizens. But the latest revelation of the extent of the NSA’s surveillance shows that it has focused specifically on Americans, to the degree that its data collection has in at least one major spying incident explicitly excluded those outside the United States. Forbes, June 5, 2013 

NSA collecting phone records of millions of Verizon customers daily: NSA collecting phone records of millions of Verizon customers daily: The National Security Agency is currently collecting the telephone records of millions of US customers of Verizon, one of America’s largest telecoms providers, under a top secret court order issued in April.The Guardian, June 5, 2013

Online Bank Fraud

FDIC: 2011 FIS Breach Worse Than Reported: A 2011 hacker break-in at banking industry behemoth Fidelity National Information Services (FIS) was far more extensive and serious than the company disclosed in public reports, banking regulators warned FIS customers last month. The disclosure highlights a shocking lack of basic security protections throughout one of the nation’s largest financial services providers.KrebsOnSecurity, June 4, 2013

Cyber Warning

Android super-malware discovered – Is Google’s platform in peril?: Android malware has long been a very real, but limited threat to devices. These malicious software packages have so far been poorly coded, easy to detect, and even easier to remove. But a newly detected Trojan targeting Google’s platform looks more like an advanced Windows virus than Android malware. It exploits multiple previously unknown vulnerabilities in the mobile OS, uses complex code obfuscation techniques, and blocks uninstall attempts. ExtremeTech, June 7, 2013 

Android Antivirus Products a Big Flop, Researchers Say: Android smartphones and tablets are under attack, and the most popular tools developed to protect them are easily circumvented, according to new research from Northwestern University and the University of North Carolina. CIO, June 6, 2013

Cyber Security Management – Cyber Defense

Should companies be allowed to ‘hack back’?: Radio featuring Dr. Stahl American businesses are at a loss as to what they could do to end cyber-espionage and intellectual property theft. One Internet security firm estimates that an organization is hit by malware every few minutes, and there’s very little companies can do to protect themselves or seek recourse. Air Talk with Larry Mantle. KPCC. Southern California Public Radio, June 4, 2013

How To Avoid The Virus On Facebook That Can Drain Your Bank Account: If you click on the wrong link on Facebook, a virus may find its way into your bank account and drain it of all your money. The New York Times’ Bits Blogs details how a 6-year-old virus called Zeus is all over Facebook right now. Here’s how to avoid it. Huffington Post, June 4, 2013

Some companies looking at retaliating against cyber attackers: Frustrated by their inability to stem an onslaught of computer hackers, some companies are considering adopting the standards of the Wild West to fight back against online bandits. LA Times, May 31, 2013

Cyber Security Management

Mobile Boom Turns BYOD Into Unmanaged Risk, Check Point Finds: The challenge of securing mobile technology is starting to overwhelm some IT departments, with many BYOD smartphones and tablets left in an unmanaged state despite the risk of data loss, a global survey by Check Point has found. CIO, June 7, 2013

CISOs Must Engage the Board About Information Security: With technology now at the center of nearly all business processes, information security is no longer simply an operational concern. It deserves a place on the board’s strategic agenda. And that means the CISO needs to step up in the boardroom. CIO, May 31, 2013

Securing the Village

Google Ups Bug Bounty Awards: Google has made its vulnerability reward program even more lucrative for security researchers who discover bugs in its software and services. DarkReading, June 7, 2013

Microsoft Authorities Disrupt Hundreds of Citadel Botnets with ‘Operation  B54’:Calling it the company’s “most aggressive” botnet operation operation to date, Microsoft has joined with the FBI for a massive disruption of the Citadel botnet.ThreatPost, June 6, 2013

The Report of the Commission on the Theft of American Intellectual Property: The scale of international theft of American intellectual property (IP) is unprecedented-hundreds of billions of dollars per year, on the order of the size of U.S. exports to Asia.IP Commission, May 2013

National Cyber Security

President Obama to Press Chinese President on Cybersecurity, As NSA Surveillance Looms Large: SAN JOSE, Calif. – News that the U.S. government has been secretly monitoring Americans’ phone calls and internet activity is threatening to derail President Obama’s efforts to press Chinese President Xi Jinping on cybersecurity when the two leaders sit down for two days of talks in California later today. ABC News, June 7, 2013

Cyber Underworld

Vrublevsky Arrested for Witness Intimidation: Pavel Vrublevsky, the owner of Russian payments firm ChronoPay and the subject of an upcoming book by this author, was arrested today in Moscow for witness intimidation in his ongoing trial for allegedly hiring hackers to attack against Assist, a top ChronoPay competitor. KrebsOnSecurity, June 5, 2013

Cashout Service for Ransomware Scammers: There are 1,001 ways to swindle people online, but the hardest part for crooks is converting those ill-gotten gains into cash. A new service catering to purveyors of ransomware – malware that hijacks PCs until victims pay a ransom – levees a hefty fee for laundering funds from these scams, and it does so by abusing a legitimate Web site that allows betting on dog and horse races in the United States. KrebsOnSecurity, June 3, 2013

You’re Being Hacked: Cyberspies are everywhere. But who are they helping? Winding through corridors lined with poison-tipped umbrellas, pistols fashioned from lipstick tubes, and bulky button-hole cameras, visitors to Washington’s International Spy Museum will soon be confronted by a modern, quotidian tool of the trade: a small black laptop. According to the computer’s owner, it was employed over a three-year period to briefly knock WikiLeaks offline, disable almost 200 jihadist websites, and develop a handful of sophisticated hacking tools. The laptop, says International Spy Museum executive director Peter Earnest, will “provide historical context to the … world of espionage and the intelligence community, in this instance through the scope of cyberterrorism.” Newsweek, May 29, 2013

Cyber Research

Laws of Physics Say Quantum Cryptography Is Unhackable. It’s Not: In the never-ending arms race between secret-keepers and code-breakers, the laws of quantum mechanics seemed to have the potential to give secret-keepers the upper hand. A technique called quantum cryptography can, in principle, allow you to encrypt a message in such a way that it would never be read by anyone whose eyes it isn’t for. Wired, June 7, 2013

Cyber Misc

Robbing a Gas Station: The Hacker Way: Thieves of the future will look back on today’s stick-up artists and have a good old belly laugh. Why would anyone ever rob a cashier with a gun, when all that is needed is a smartphone? The New York Times, June 6, 2013