Cyber Crime

Hackers steal identity info of 72,000 at U of Delaware: NEWARK, Del. – A cyberattack on a University of Delaware computer system exposed more than 72,000 people to identity theft and could cost the school millions of dollars – and the full extent of the security breach hasn’t been determined. USA Today, July 31, 2013

New Retail Breach Reported: Harbor Freight Tools, a U.S.-based chain of 400 retail tool stores, has reported a breach against its payment processing system. BankInfoSecurity, July 23, 2013

Identity Theft

Criminal Investigations of Identity Theft Increasing at U.S. IRS: The U.S. Internal Revenue Service opened 1,100 criminal investigations of tax fraud by June 30 this year, exceeding the 2012 total with three months remaining in the fiscal year. Bloomberg, August 2, 2013

Cyber Privacy

XKeyscore: NSA tool collects ‘nearly everything a user does on the internet’: A top secret National Security Agency program allows analysts to search with no prior authorization through vast databases containing emails, online chats and the browsing histories of millions of individuals, according to documents provided by whistleblower Edward Snowden. The Guardian, July 31, 2013

Public gets first look at once-secret court order on NSA surveillance: WASHINGTON – The public got its first look at the secret court order that authorized the government’s vast collection of records of domestic telephone calls as the Obama administration moved Wednesday to try to boost public confidence in the National Security Agency’s program. LA Times, July 31, 2013

Edward Snowden’s not the story. The fate of the internet is: The press has lost the plot over the Snowden revelations. The fact is that the net is finished as a global network and that US firms’ cloud services cannot be trusted. The Guardian, July 27, 2013

Cyber Threat

5 scariest cybersecurity threats at Black Hat, Defcon: An annual show-and-tell of some of the most alarming security breaches currently known is underway at two hacker conferences being held in Las Vegas this week. Cybersecurity researchers, hackers, government agencies and privacy advocates converge at Black Hat and Defcon to share the results of some shocking research. CBS, July 31, 2013

Cyber Warning

5 Top Targets for Today’s Hackers: Black Hat USA bills itself as “the show that sets the benchmark for all other security conferences.” While most conferences tend to over-promote themselves, given the activity at this year’s show, that actually might be something of an understatement. Forbes, August 2, 2013

Black Hat: How to Create a Massive DDoS Botnet Using Cheap Online Ads: The bad news is if you click on the wrong online ad, your browser can be immediately enlisted in a botnet carrying out a denial of service attack to take down Web sites. CIO, August 1, 2013

JAVASCRIPT AND TIMING ATTACKS USED TO STEAL BROWSER DATA: LAS VEGAS-Security researchers have been warning about the weaknesses and issues with JavaScript and iframes for years now, but the problem goes far deeper than even many of them thought. A researcher in the U.K. has developed a new technique that uses a combination of JavaScript-based timing attacks and other tactics to read any information he wants from a targeted user’s browser and sites the victim is logged into. The attack works on all of the major browsers and researchers say there’s no simple fix to prevent it. ThreatPost, August 1, 2013

This Fake Charger Will Hide A Trojan In Your iPhone’s Facebook App: Apple AAPL +1.29% takes great pains to protect its air-tight iOS app store from the malware that plagues PCs. But get physical access to the device’s data port-with, for instance, a carefully spoofed charger-and those app store protections can be bypassed in seconds.Forbes, July 31, 2013

Bogus Chrome, Firefox extensions pilfer social media accounts: IDG News Service – Trend Micro has found two malicious browser extensions that hijack Twitter, Facebook and Google+ accounts. CIO, July 30, 2013

Don’t Get Sucker Pumped: Gas pump skimmers are getting craftier. A new scam out of Oklahoma that netted thieves $400,000 before they were caught is a reminder of why it’s usually best to pay with credit versus debit cards when filling up the tank.KrebsOnSecurity, July 29, 2013

Cyber Security Management

Universities Putting Sensitive Data at Risk via Unsecure Email: Colleges and universities are putting the financial and personal information of students and parents at risk by allowing them to submit such data to the school in unencrypted email. CIO, July 30, 2013

Cyber Security Management – Cyber Defense

Carriers rush to fix SIM card vulnerability – by hacking into them: A bug that could have allowed hackers to exploit a vulnerability in millions of SIM cards, commonly used in mobile phones and other cellular equipment, has been fixed, according to the security researcher who first discovered the flaw. ZDNet, August 2, 2013

Securing the Village

VERIS: A New Database for Sharing Security Incident Information: A new community database has been launched by Verizon to help bridge the uncertainty gap in data breach information: what we know and what we need to know. Based on VERIS, it is designed to facilitate the secure sharing of incident information for the good of all.InfoSecurity, August 2, 2013

Government Gets Closer To Launching CyberSecurity Framework: The federal government and private industry are getting close to releasing a cybersecurity framework that will provide both private and public-sector entities with a way to assess how resilient their computer networks are to cyber attack and the steps needed to make improvements. Information Week, July 30, 2013

CROWDSOURCE TOOL AIMS TO IMPROVE AUTOMATED MALWARE ANALYSIS: When a new piece of malware surfaces, it’s typically analyzed eight ways from Sunday by a long list of antimalware and other security companies, government agencies, CERTs and other organizations who try to break it down and classify its capabilities. There’s a lot of duplicated effort there, and a group of researchers is building a new tool called CrowdSource that is designed to take advantage of the existing analysis capabilities in the community and perform automated malware analysis to provide rich reports on each new sample. ThreatPost, July 30, 2013

National Cyber Security

NSA Director Heckled At Conference As He Asks For Security Community’s Understanding: When NSA Director Keith Alexander appeared at the Las Vegas security conference Black Hat Wednesday morning, he hoped to mend the NSA’s reputation in the eyes of thousands of the conference’s hackers and security professionals. It didn’t go exactly as planned. Forbes, July 31, 2013

Critical Infrastructure

Industrial Control Systems Targeted By Malicious Attackers, Research Shows: IDG News Service – Attackers are actively targeting Internet-connected industrial control systems (ICS) in an effort to compromise their operation, according to data collected from a global network of honeypot systems that simulate water pumps. CIO, August 1, 2013

Scada Experts Simulate ‘Catastrophic’ Attack: LAS VEGAS – BLACK HAT USA – SCADA experts here today demonstrated just how easy it is to commandeer the antiquated networking protocols used in an oil-well pumping station and other SCADA environments, causing a simulated oil tank to nearly overflow using spoofed commands to the programmable logic controller (PLC). DarkReading, August 1, 2013

Cyber Law

Parties Inch Closer to Agreement on Federal Cyberlaw: Whether the voluntary approach to developing cybersecurity protection standards for business use carries through to compliance with those standards remains an open question. The private sector may be comfortable with the emphasis on a voluntary approach so far, and thus be hopeful that any eventual legislation will retain that approach. Still, a bit of caution remains. ECommerceTimes, July 31, 2013

Cyber Underworld

Russia’s Massive Android Malware Industry Revealed: Mobile security company Lookout released a report today at DefCon that reveals the amazing size, scope, and complexity of Android malware operations in Russia. The report found the bulk of this Russian malware wasn’t coming from lone individuals in basements, but well-oiled malware producing machines. PC Magazine, August 2, 2013

Mail from the (Velvet) Cybercrime Underground: Over the past six months, “fans” of this Web site and its author have shown their affection in some curious ways. One called in a phony hostage situation that resulted in a dozen heavily armed police surrounding my home. Another opened a $20,000 new line of credit in my name. Others sent more than $1,000 in bogus PayPal donations from hacked accounts. Still more admirers paid my cable bill for the next three years using stolen credit cards. Malware authors have even used my name and likeness to peddle their wares.KrebsOnSecurity, July 30, 2013

Cyber Research

RESEARCHERS HACK GPS, $80M YACHT VEERS OFF COURSE: A 213-foot luxury yacht veered off course while cruising in the Mediterranean Sea this summer after a radio navigation research team led by global positioning systems expert Todd Humphreys of the University of Texas Austin built a custom-made device capable of overriding the ship’s GPS receivers with spoofed signals. ThreatPost, July 30, 2013

NEW SOFTWARE OBFUSCATION THROWS WRENCH INTO REVERSE ENGINEERING:Researchers at UCLA said they’ve developed a game-changing obfuscation mechanism that will put a dent in hackers’ efforts to reverse engineer patches and understand how an underlying piece of software works. ThreatPost, July 30, 2013

The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you.