Guest column by Citadel Information Group

 

Guest column by Citadel Information Group

Cyber Security News of the Week

Cyber Attack

Twitter Account of U.K.’s Largest TV Network Falls to Syrian Hackers: A Twitter account belonging to ITV, Britain’s largest TV broadcaster, is the latest victim of a hacking campaign by the Syrian Electronic Army. The network confirmed to Reuters that the account was compromised. It’s the latest attack on a Twitter account controlled by a Western media organization by the pro-Assad group. Previous targets include the Associated Press, the Financial Times, the Onion and CBS News. Twitter has recently instituted new security measures to help prevent incidents like these. AllThingsD, May 24, 2013

Identity Theft

THOUSANDS OF DHS PERSONNEL NOTIFIED OF DATA BREACH: The Department of Homeland Security this week began notifying up to tens of thousands of employees, contractors and others with a DHS security clearance that their personal data may be at risk. ThreatPost, May 23, 2013

Online Bank Fraud

NC Fuel Distributor Hit by $800,000 Cyberheist: A fuel distribution firm in North Carolina lost more than $800,000 in a cyberheist earlier this month. Had the victim company or its bank detected the unauthorized activity sooner, the loss would have been far less. But both parties failed to notice the attackers coming and going for five days before being notified by a reporter. KrebsOnSecurity, May 23, 2013

Cyber Warning

How to Hack Twitter’s Two-Factor Authentication: We’ve pointed out some problems with Twitter’s new two-factor authentication. For example, since just one phone number can be associated with an account, Twitter’s two-factor authentication won’t work for organizations like the Associated Press, The Onion, or The Guardian. They were hacked; they could still be hacked again in the same way. However, security experts indicate that the problem is worse than that, a lot worse. PCMag, May 24, 2013

Hackers use social media to bedevil advertisers: The hallowed halls of social media are no longer safe. Not when the operators of botnets like Chameleon are able to systematically steal $6 million per month from advertisers in the form of payments received for clicks from infected PCs, not real consumers. USA Today, May 15, 2013

Cyber Security Management

DESPITE £800M IN LOSSES, SMALL BUSINESSES SCOFF AT SECURITY: Small- and medium-sized businesses are losing a staggering £785 million per year to cybercrime, according to a joint report published by the Federation of Small Businesses (FSB) and the Home Office and Business Departments in the United Kingdom. ThreatPost, May 24, 2013

Telling the FBI Your Company Has Been Hacked: As cyber attacks against U.S. companies move markets, drain tens of millions dollars from bank accounts, siphon off trade secrets, and threaten critical infrastructure, the mantra among government officials is: sharing (information) is caring. The government’s desire to increase information sharing on cyber intrusions with the private sector is at the heart of an executive order issued in February-and it was a point underscored at a New York City Bar Association event on Monday, when Mary Galligan, who is an FBI “cyber cop,” urged corporations to come forward with information about attacks on their networks. Law.com, May 22, 2013

Cyber Security Management – Cyber Defense

Google plans to beef up its SSL encryption keys: Google plans to upgrade the security of its SSL (Secure Sockets Layer) certificates, an important component of secure communications. PC World, May 24, 2013

Skype Beta Plugs IP Resolver Privacy Leak: A few months ago, I warned readers that a glaring privacy weakness in voice-over-IP telephony service Skype allows anyone using the network to quickly learn the Internet address of any other Skype user. A new beta version of the popular Microsoft program appears to have nixed that privacy leak with a setting that restricts this capability to connections in your Skype contacts only. KrebsOnSecurity, May 24, 2013

U.S. Defense Department Approves Apple’s iOS Devices for its Networks: IDG News Service (Bangalore Bureau) – Devices built around Apple’s iOS operating system have been approved by the U.S. Department of Defense for use on its networks, as the department moves to support multivendor mobile devices and operating systems. CIO, May 20, 2013

Securing the Village

REPORT SAYS ACTIVE RECOVERY EFFORTS COULD DETER IP THEFT BY FOREIGN ATTACKERS: An independent commission focused on the threat of intellectual property from U.S. companies says that between 50 percent and 80 percent of all IP theft originates in China and, in a new report, urges the government to take stronger action against government-sanctioned IP theft. The Commission on the Theft of American Intellectual Property said in the report that the dollar value of all IP stolen from the U.S. in a year could approach the value of all American trade with Asia, a figure in the hundreds of billions of dollars. ThreatPost, May 24, 2013

California Launches Cybersecurity Task Force: On May 13, California government officials and private-sector leaders met behind closed doors to discuss a comprehensive cybersecurity plan for the state – it was the beginning of the California Cybersecurity Task Force, the first state-led collaboration of its kind. EmergencyManagement, May 20, 2013

National Cyber Security

Hackers From China Resume Attacks on U.S. Targets: WASHINGTON – Three months after hackers working for a cyberunit of China’s People’s Liberation Army went silent amid evidence that they had stolen data from scores of American companies and government agencies, they appear to have resumed their attacks using different techniques, according to computer industry security experts and American officials. The New York Times, May 19, 2013

Critical Infrastructure

Hackers appear to probe U.S. energy infrastructure, suspicions about Iran: The United States is investigating “a string of malicious” cyber incidents that appear to be focused on probing energy infrastructure, a U.S. official familiar with the latest intelligence tells CNN. CNN, May 24, 2013

Cyber Underworld

Conversations with a Bulletproof Hoster: Criminal commerce on the Internet would mostly grind to a halt were it not for the protection offered by so-called “bulletproof hosting” providers – the online equivalent of offshore havens where shady dealings go ignored. Last month I had an opportunity to interview a provider of bulletproof services for one of the Web’s most notorious cybercrime forums, and who appears to have been at least partly responsible for launching what’s been called the largest cyber attack the Internet has ever seen. KrebsOnSecurity, May 20, 2013

Cyber Law

FTC Fires Back In Cybersecurity Case: The Federal Trade Commission is offering a strong defense of its powers to police cybersecurity practices against a challenge by Wyndham Worldwide Corp. The Wall Street Journal, May 24, 2013

Cyber Misc

ANALYSIS: Bets overlap in cybersecurity gold rush: SEATTLE – Champagne corks popped at Allegis Capital this week as the Silicon Valley venture firm announced what it describes as the “highly profitable” sale of Solera Networks to network security firm Blue Coat Systems in an all-cash transaction. USA Today, May 24, 2013

Krebs, KrebsOnSecurity, As Malware Memes: Hardly a week goes by when I don’t hear from some malware researcher or reader who’s discovered what appears to be a new sample of malicious software or nasty link that invokes this author’s name or the name of this blog. I’ve compiled this post to document a few of these examples, some of which are quite funny. KrebsOnSecurity, May 22, 2013

 

Guest column by Citadel Information Group

 

Guest column by Citadel Information Group

Cyber Security News of the Week

ISSA-LA

Healthcare HITECH Privacy and Security Summit Provides Critical Compliance Content:Healthcare providers must comply with a new HIPAA/HITECH rule by September 23. This critical set of rules provides for additional safety and security for healthcare data, and experts will be on hand in Los Angeles on May 21 to provide important guidance.PRWeb, May 3, 2013

Cyber Crime

Systems Manager Arrested for Hacking Former Employer’s Network: IDG News Service – A 41-year-old man was arrested for allegedly disrupting his former employer’s network after he was passed over for promotions, leading him to quit his job and take revenge, the U.S. Federal Bureau of Investigation said. CIO, May 3, 2013

Reputation.com notifies customers of network attack: A company known for burying bad information to improve its customers’ online images let everyone know this week its network was hacked. Reputation.com sent e-mails to thousands of customers in more than 100 countries to let them know of the attack. ThreatPost, May 2, 2013

Wash. Hospital Hit By $1.03 Million Cyberheist: Organized hackers in Ukraine and Russia stole more than $1 million from a public hospital in Washington state earlier this month. The costly cyberheist was carried out with the help of nearly 100 different accomplices in the United States who were hired through work-at-home job scams run by a crime gang that has been fleecing businesses for the past five years.KrebsOnSecurity, April 30, 2013

Cyber Espionage

Chinese Cyberespionage: Brazen, Prolific, And Persistent: China, China, China: New data and intelligence is shedding more light on just how bold and pervasive Chinese cyberespionage activity is today. DarkReading, April 30, 2013

Cyber Warning

DHS: ‘OpUSA’ May Be More Bark Than Bite: The U.S. Department of Homeland Security is warning that a group of mostly Middle East- and North Africa-based criminal hackers are preparing to launch a cyber attack campaign next week known as “OpUSA” against websites of high-profile US government agencies, financial institutions, and commercial entities. But security experts remain undecided on whether this latest round of promised attacks will amount to anything more than a public nuisance. KrebsOnSecurity, May 2, 2013

MORE MALWARE SHOWING UP ON FAKE SOURCEFORGE WEB SITES: Malware developers continue to clone SourceForge Web sites that appear to offer the source code for popular gaming software but are actually peddling malicious code tied to the ZeroAccess Trojan. ThreatPost, April 30, 2013

Online Bank Fraud

Banks targeted by ‘mind-boggling’ online scam: Britain’s major banks have been targeted in a “mind-boggling” online scam potentially affecting record numbers of customers. E&T, May 1, 2013

Cyber Privacy

Spy Court OK’d all U.S. Wiretap Requests it Received in 2012: A special court established to review government requests for warrants to conduct electronic surveillance of suspected foreign spies received close to 1,900 warrant requests last year – all of which it approved. CIO, May 3, 2013

Cyber Defense

Samsung Smartphones, Tablets Running Knox Get U.S. Defense Department Approval:Samsung said Friday that its smartphones and tablets running its Knox security and management software have been cleared for use on the U.S. Department of Defense network. CIO, May 3, 2013

Got Malware? Three Signs Revealed In DNS Traffic: Companies focus much of their energy on hardening computer systems against threats and stopping attempts to breach their systems’ security, and rightfully so. However, companies should always assume that the attackers have already successfully compromised systems and look for the telltale signs of such a breach. DarkReading, May 3, 2013

Cyber Security Management

La Vie En ROSI: With very few exceptions, there is really nothing in security that gives you a return on investment. Unless you’re selling them, security technologies almost never make you any money – what they’re there for is loss avoidance. Now, you may be able to achieve that loss avoidance by spending a lot of money, or by spending a little money; and if you manage the latter, then yes, you have parlayed a cost savings into another cost savings. But that’s not the same as investing some money and watching it grow in value. DarkReading, May 3, 2013

The Art of Cyber War: Boardroom threat level rising: A closer look at how vulnerability in cyber space is redefining national security, enterprise risk, intellectual property, and oversight. NACD, May 3, 2013

The 7 elements of a successful security awareness program: CSO – When we were asked to keynote a recent CSO event, it was a pleasant surprise that the top concern of the CSOs was “security culture.” From performing many security assessments and penetration tests, it is sadly obvious that even the best technical security efforts will fail if their company has a weak security culture. It is heartwarming that CSOs are now moving past straight technological solutions and moving towards instilling a strong security culture as well. [NB: Author Ira Winkler Delivers Luncheon Keynote at ISSA-LA 5th Annual Summit. May 21. Universal City.] NetworkWorld, May 1, 2013

LivingSocial Breach Scope Widens on Finding of 60% Sharing Logins: If having to reset 50 million passwords was not enough to worry about, Dashlane has found that about 60 percent of LivingSocial members reuse their passwords at other sites. CIO, May 1, 2013

National Cyber Security

US and UK to increase cybersecurity cooperation: As the militaries of the United States and Britain purchase more and more of the same networked hardware, most notably the F-35 Joint Strike Fighter (above), the two nations are increasing collaboration in cyber warfare, according to a Pentagon official. Foreign Policy, May 3, 2013

US military secrets leaked to Chinese hackers for three years: A US military contractor was allegedly hacked by those associated with the Chinese military. The company reportedly ignored signs of security breaches, allowing hackers to access military technology and classified documents for three years. RT.com, May 3, 2013

China’s Cyberspies Outwit Model for Bond’s Q: Among defense contractors, QinetiQ North America (QQ/) is known for spy-world connections and an eye- popping product line. Its contributions to national security include secret satellites, drones, and software used by U.S. special forces in Afghanistan and the Middle East. Bloomberg, May 1, 2013

Critical Infrastructure

ICS-CERT REVISES RECOMMENDATIONS TO AVOID SHAMOON INFECTIONS: Most publicly known malware attacks are disruptive in nature, for example causing the interruption of online banking services or taking websites temporarily offline. Few attacks cause actual physical damage to computers where hard drives are damaged and data lost or destroyed. ThreatPost, May 3, 2013

Dam! Sensitive Army database of U.S. dams compromised; Chinese hackers suspected:U.S. intelligence agencies traced a recent cyber intrusion into a sensitive infrastructure database to the Chinese government or military cyber warriors, according to U.S. officials. The Washington Times, May 1, 2013

Cyber Survey

PandaLabs Q1 Report: Trojans Account For 80% Of Malware Infections, Set New Record: In addition, China is the world’s most infected country with more than 50 percent of all computers riddled with malware DarkReading, May 3, 2013

Cyber Misc

We rooted Wii U encryption and file system, says hacker group: The hacking group responsible for one of the first major modchips for the original Wii claims to have successfully reverse-engineered the pieces necessary to run copies of Wii U games from external USB hard drives. are technica, May 1, 2013

Developer Warns Of Google Glass Security Risks Following His Jailbreak Exploit: If the notion of an intruder hacking into your smartphone or PC seems disturbing, just imagine an even more personal sort of privacy breach-a hacker who gains full access to your sight. Forbes, April 30, 2013

Cyber Sunshine

Alleged SpyEye Seller Bx1 Extradited to U.S.: A 24-year-old Algerian man arrested in Thailand earlier this year on suspicion of co-developing and selling the infamous SpyEye banking trojan was extradited this week to the United States, where he faces criminal charges for allegedly hijacking bank accounts at more than 200 financial institutions. KrebsOnSecurity, May 3, 2013

Securing the Village – Events Calendar

ISSA-LA Fifth Annual Information Security Summit; May 21, 2013: Join 800 of your colleagues and peers at the Universal City Hilton. Special Keynote Speaker: Howard Schmidt, former White House CyberSecurity Coordinator. For more information and to register, visit ISSA-LA.

 

Guest column by Citadel Information Group

 

Guest column by Citadel Information Group

Cyber Security News of the Week

Cyber Crime

Cyberattackers hack into LivingSocial, 50 million customers impacted: LivingSocial, the daily deals site owned in part by Amazon, has suffered a massive cyberattack on its computer systems, according to officials at the company. USA Today, April 26, 2013

Sources: Tea Leaves Say Breach at Teavana: Multiple sources in law enforcement and the financial community are warning about a possible credit and debit card breach at Teavana, a nationwide tea products retailer. Seattle-based coffee giant Starbucks, which acquired Teavana late last year, declined to confirm a breach at Teavana, saying only that the company is currently responding to inquiries from card-issuing banks and credit card brands. KrebsOnSecurity, April 22, 2013

Cyber Attack

Hackers compromise AP Twitter account: Hackers compromised Twitter accounts of The Associated Press on Tuesday, sending out a false tweet about an attack at the White House. CBS News, April 23, 2013

Syria’s pro-Assad hackers are hijacking high-profile Twitter feeds: The Syrian Electronic Army, an informal network of hackers who wage cyberwar in support of the Syrian government and President Bashar al-Assad, have found yet another way to harass Western Web users. Hackers identifying as part of the Syrian Electronic Army have hijacked a series of Twitter feeds over the last few weeks. The targeted feeds tend to be associated with Western organizations, particularly ones that somehow cover Syria.The Washington Post, April 22, 2013

Cyber Underworld

BRAZEN CRIMEWARE MARKETING BRANCHES OUT TO SOCIAL NETWORKS: The secrecy of underground forums where financial malware and crimeware kits are traded is well guarded, to the point that few are able to penetrate them without some kind of internal sponsor. Here, criminals value their privacy as much as those from whom they steal. ThreatPost, April 26, 2013

MALWARE C&C SERVERS FOUND IN 184 COUNTRIES: In an attempt to better evade detection, cybercriminals are increasingly configuring their command and control infrastructure in such a way that initial malware callbacks communicate with a server located in the same country as the newly infected machines. ThreatPost, April 23, 2013

Cyber Warning

Hackers increasingly target shared Web hosting servers for use in mass phishing attacks: Cybercriminals increasingly hack into shared Web hosting servers in order to use the domains hosted on them in large phishing campaigns, according to a report from the Anti-Phishing Working Group (APWG). ThreatPost, April 26, 2013

VULNERABILITY IN VIBER FOR ANDROID ENABLES LOCK SCREEN BYPASS: Another day, another smartphone lock screen bypass vulnerability. ThreatPost, April 25, 2013

Fireeye Finds Gh0stRAT Cyberespionage Campaigns Continue: Many advanced persistent threat attacks use the malware, believed to have been developed in ChinaCIO, April 24, 2013

Researcher’s Serial Port Scans Find More Than 100,000 Hackable Devices, Including Traffic Lights And Fuel Pumps: You probably remember serial ports as the ancient nine-pin plugs you once used to hook up your mouse or joystick to your computer in the pre-USB dark ages. But tracking down devices that still use serial port connections isn’t so hard, it seems. In fact, according to H.D. Moore, any hacker can find-and tamper with-more than 100,000 of them over the Internet, including critical systems ranging from traffic lights to fuel pumps to building heating and cooling systems to retail point-of-sale devices. Forbes, April 23, 2013

JAVA SANDBOX BYPASS DISCOVERED THAT BREAKS LATEST UPDATE: Optimism and praise followed last week’s Java critical patch update. Oracle not only patched 42 vulnerabilities in the Java browser plug-in, but also added new code-signing restrictions and new prompts warning users when applets are potentially malicious. It took less than a week, however, to deflate any good will toward Java that resulted. ThreatPost, April 23, 2013

New Malware Hijacks Twitter Accounts for Financial Fraud: Cyber criminals are always looking for new ways to avoid detection, escape cyber sleuths, and carry out their cyber crimes. So it shouldn’t be surprising that malicious hackers are now taking advantage of social media. A newly discovered malware, designed to gain access to users’ banking credentials, uses Twitter to spread itself and reach more victims.Mashable, April 22, 2013

Cyber Threat

Businesses Face Growing Threat From Hackers: With government scrambling to fight cyber threats, the private sector sees a growing need to protect itself. US News and World Report, April 26, 2013

New Research Shows Remote Users Expose Companies To Cybercrime: BROOMFIELD, Colo., April 23, 2013 /PRNewswire/ – Results of new remote access security research show half of companies with a remote workforce had their websites compromised in 2012, over a third had passwords hacked, and twice as many companies with remote users were victims of SQL injection attacks. DarkReading, April 23, 2013

Hacktivists Change Tactics From Data Breaches to Disruption: Verizon: The amount of data hacktivists stole plunged in 2012 as politically motivated hackers focused more on DDoS, but state-sponsored attackers and cyber-crooks picked up the slack. eWeek, April 23, 2013

Cybercrime’s easiest prey: Small businesses: A data breach investigations report from Verizon (VZ, Fortune 500), released Tuesday, showed that small businesses continue to be the most victimized of all companies. CNN, April 23, 2013

Report: DDoS Attacks Getting Bigger, Faster Than Ever: Distributed denial-of-service (DDoS) attacks are steadily increasing in size and speed, creating new problems for enterprise defenses, according to a study published today. DarkReading, April 22, 2013

Online Bank Fraud

Lawsuits Bring Clarity To SMBs In Corporate Account Takeovers: Small businesses have had millions of dollars stolen from their accounts by online thieves; court cases have started creating a clear picture of responsibilities. DarkReading, April 22 2013

Cyber Security Management – Cyber Defense

Tech Insight: Time To Set Up That Honeypot:Many companies are simply doing security wrong. While they might have perimeter security nailed down, they are probably failing at securing their workstations from insider abuse or have no true visibility as to what’s going on within their internal networks. DarkReading, Apri 26, 2013

Social engineering in penetration tests: 6 tips for ethical (and legal) use: Social engineering techniques are often crucial to executing penetration tests. But which methods cross the ethical line – or even venture into the dangerous territory of illegal?CSO, April 23, 2013

Cyber Security Management

Many Hacked Businesses Remain Unprepared For The Next Breach: New Ponemon report finds three-fourths of hacked organizations either have had or expect to have a breach that loses them customers and business partners DarkReading, April 24, 2013

Cyber Privacy

It’s privacy versus cybersecurity as CISPA bill arrives in Senate: Cybersecurity and online privacy are two critical interests that seem destined never to get along. Sure, you want malicious hackers, spammers, and other Internet lowlifes brought to justice-but you also want to protect your online data. PC World, April 25, 2013

IN FOCUS: The Directive: In this Q&A, Timothy Toohey, CIPP/US, CIPP/E, of Snell & Wilmer, discusses the tensions and controversies within the proposed EU data protection regulation. IAAP, April 22, 2013

Securing The Village

GOOGLE JOINS FIDO ALLIANCE EFFORT TO MOVE BEYOND PASSWORDS: Google, which gradually has been moving its users away from using passwords as their main form of authentication for Web services, has joined a young organization whose goal is to phase out passwords and replace them with various forms of strong authentication. The FIDO Alliance, formed last year, is working to make two-factor authentication the default mechanism for authentication through the establishment of an open standard for strong authentication. ThreatPost, Aprul 26, 2013

National Cyber Security

EXECUTIVE ORDER EXPANDS WARRANTLESS NETWORK MONITORING TO INCLUDE CRITICAL INFRASTRUCTURE: A little-known policy through which the Departments of Justice, Defense, and Homeland Security offered prosecutorial immunity to companies that helped the U.S. military monitor Internet traffic on the private networks of defense contractors has reportedly been expanded by Executive Order to include a score of other “critical infrastructure” industries, according to information obtained as part of a Freedom of Information Act lawsuit filed by the Electronic Privacy Information Center (EPIC). ThreatPost, April 25, 2013

U.S. and China Put Focus on Cybersecurity: BEIJING – The United States and China held their highest-level military talks in nearly two years on Monday, with a senior Chinese general pledging to work with the United States on cybersecurity because the consequences of a major cyberattack “may be as serious as a nuclear bomb.” The New York Times, April 22, 2013

Stuxnet and the Dawn of Algorithmic Warfare: Though autonomous, destructive robots are a long-time, hackneyed science fiction plot, for some time, this new kind of warfare has been shifting from yesterday’s movie to today’s reality. But unforeseen by the imaginations of both headline and science fiction writers, it was not a missile-laden drone or humanoid Terminator that introduced this new kind of combat, but a piece of software. Stuxnet, part of the “Olympic Games” covert assault by the United States and Israel on Iranian nuclear capability, appears to be the first autonomous weapon with an algorithm, not a human hand, pulling the trigger. While the technology behind Stuxnet or other autonomous weapons is impressive, there has been little or no ethical debate on how (or indeed whether) such weapons should be used. ACUS, April 17, 2013

Cyber Law

Finding Common Threads in Privacy and Information Security Laws: The sheer number and variety of laws and regulations that can apply to even small businesses handling sensitive information can be daunting, if not overwhelming. In some instances, it may be almost impossible for even a large, sophisticated organization to identify all applicable laws, reconcile inconsistencies, and then implement a compliance program. In this discussion, the goal is not to discuss any specific laws or regulations, but to identify three common threads that run through many of them. By understanding those common threads, businesses can more easily understand their baseline compliance obligations. CSO, April 26, 2013

Cyber Survey

VERIZON DBIR TAKES FIRST DEEP DIVE INTO CYBERESPIONAGE: Targeted cyberespionage attacks have dominated discussions within the security community and outside of it from the mainstream media to the halls of the executive and legislative branches of government. But until now, discussions about attacks stemming from China that target intellectual property from engineering, manufacturing and military interests in the United States, have been anecdotal and one-off analyses of specific breaches. ThreatPost, April 22, 2013

No ‘One Size Fits All’ In Data Breaches, New Verizon Report Finds: Verizon Data Breach Investigations Report 2013 says financial cybercrime accounting for three-fourths of real-world breaches, followed by cyberespionage in one-fifth of breaches.DarkReading, April 22, 2013

One in five data breaches are the result of cyberespionage, Verizon says: IDG News Service – Even though the majority of data breaches continue to be the result of financially motivated cybercriminal attacks, cyberespionage activities are also responsible for a significant number of data theft incidents, according to a report that will be released Tuesday by Verizon. CIO, April 22, 2013

Cyber Sunshine

Dutchman Arrested in Spamhaus DDoS: A 35-year-old Dutchman thought to be responsible for launching what’s been called “the largest publicly announced online attack in the history of the Internet” was arrested in Barcelona on Thursday by Spanish authorities. The man, identified by Dutch prosecutors only as “SK,” was being held after a European warrant was issued for his arrest in connection with a series of massive online attacks last month against Spamhaus, an anti-spam organization.KrebsOnSecurity, April 26, 2013

Leadership

Is It Okay to Show Vulnerability?: Leaders should show a sense of vulnerability. Forbes, April 23, 2013

Securing the Village – Events Calendar

Santa Monica Rotary Club; Lunch Meeting, May 3, 2013: Dr. Stan Stahl, Citadel and ISSA-LA President, will speak on cybersecurity at the weekly meeting of the Santa Monica Rotary Club. In this non-technical talk – It Takes the Village to Secure the Village ^SM – Dr. Stahl discusses the financial implications of cyber crime, illustrates how cyber criminals take control of a user’s computer, describes the limitations of technology, summarizes emerging cyber security laws, regulations and practices, and provides practical tips to lower the risk of becoming a victim.

ISSA-LA Fifth Annual Information Security Summit; May 21, 2013: Join 800 of your colleagues and peers at the Universal City Hilton. Special Keynote Speaker: Howard Schmidt, former White House CyberSecurity Coordinator. For more information and to register, visit ISSA-LA.

 

Guest column by Citadel Information Group

 

Guest column by Citadel Information Group

ISSA-LA – Securing the Village

Healthcare HITECH Privacy and Security Highlights ISSA-LA Fifth Annual Information Security Summit: The Los Angeles Chapter of the Information Systems Security Association and the Healthcare Information and Management Systems Society Southern California hold the Healthcare HITECH Privacy and Security Summit on Tuesday, May 21, 2013 in LA. PRLog, April 17, 2013

Cyber Crime

Reddit hit with a denial-of-service attack: The social news site Reddit is being hit with what the company called a “malicious” denial of service attack, first disclosed via its official Twitter account Friday. The Washington Post, April 19, 2013

Schnucks breach will likely cost millions: Book stores. Banks. Even data security companies. They’ve all become recent targets of increasingly sophisticated, determined – some say talented – hacker gangs. St. Louis Post-Dispatch, April 7, 2013

Cyber Underworld

Where Kim Dotcom Got His Start: The House Of Coolness: Kim Dotcom, who I profile in the latest issue of the magazine, is a born entrepreneur. In fact, he’s launched so many money making ventures in his 39 years that not all of them fit into our print edition. But one, at least, was controversial enough among Dotcom’s one-time hacker peers that it deserves its own historical footnote. Forbes, April 17, 2013

Cyber Warning

Data security firm warns of malware exploiting Boston bombings: Chicago-based data security firm Trustwave said it has detected “a large-scale malicious spam campaign” circulating online that is exploiting this week’s Boston bombings. ChicagoTribune, April 19, 2013

Malware and domain-squatters target Boston Marathon bombing: The scummier end of the online community has been quick to use Monday’s bombing of the Boston Marathon as bait for multiple malware dispersals, plus a spot of old-fashioned online fraud along the way. The Register, April 17, 2013

Cyber Threat

Browsers Pose the Greatest Threat to Enterprise, Microsoft Reports: Microsoft’s latest security report has found that Web-based attacks pose the greatest threat to companies, giving credence to efforts to develop browser alternatives to accessing the Internet. CIO, April 19, 2013

Study: 32.8 Million Android Phones Infected with Malware: Do you have an anti-virus app on your Android phone yet? If not, a new study conducted by security firm NQ Mobile suggests you’re playing with fire: The number of malware threats to your Android phone has increased 163% over the past year alone. Time, April 17, 2013

Microsoft: Worms And Rogue AV Dying, Web Threats Thriving: For the first time in nearly four years, the top malware threat plaguing enterprises is not the Conficker worm: Web-based attacks have taken over, according to new data gathered from more than 1 billion Windows machines worldwide. DarkReading, April 17, 2013

Symantec report finds small businesses battered by cyber crime: Cyber criminals are increasingly targeting small businesses due to their less sophisticated defenses, according to a new report from Symantec. InfoWorld, April 16, 2013

Cyber Security Management – Cyber Update

Java Update Plugs 42 Security Holes: Oracle Corp. today released an update for its Java SE software that fixes at least 42 security flaws in the widely-installed program and associated browser plugin. The Java update also introduces new features designed to alert users about the security risks of running certain Java content. KrebsOnSecurity, April 16, 2013

Cyber Security Management – Cyber Defense

Microsoft adds two-factor authentication to keep accounts secure: If you’re an active user of Outlook, SkyDrive, Office Web Apps, or other Microsoft services, you may want to add two-step verification for an extra layer of security. PCWorld, April 17, 2013

Google further secures Chrome against malicious extensions, will start malware download prompts next week: Google on Wednesday announced it has added new measures to protect Chrome users being targeted by malicious extensions. This time, the company is focusing on extensions that are abusing enterprise options or manipulating Chrome preferences; the company says you can expect to see “Safe Browsing” malicious download warnings “within a week.” The Next Web, April 17, 2013

Cyber Security Management – Online Bank Fraud

Bank Sues Cyberheist Victim to Recover Funds: A bank that gave a business customer a short term loan to cover $336,000 stolen in a 2012 cyberheist is now suing that customer to recover the fronted funds, after the victim company refused to repay or even acknowledge the loan. KrebsOnSecurity, April 19, 2013

Cyber Security Management – HIPAA

HIPAA Compliance: What Providers Should Know About HITECH Act Mandatory Audits:Investigations by the Office for Civil Rights related to compliance with the Health Insurance Portability and Accountability Act will no longer be initiated by only complaints and self-reported breaches. Section 13411 of the HITECH Act requires HHS to provide for periodic audits of covered entities’ and business associates’ compliance with the HIPAA Privacy Rule, Security Rule and Breach Notification standards. While the audits are not intended to be investigations, an audit could reveal a serious compliance issue that could lead to a separate enforcement investigation by OCR. These mandatory audits are further evidence of the increased enforcement efforts of HHS. Becker’s Hospital Review, April 17, 2013

National Cyber Security

CISPA Passes In The House, (Again) But Faces Resistance In Senate And White House (Again): The controversial Cyber Intelligence Sharing and Protection Act passed in the House of Representatives Thursday despite growing opposition to the bill, legislation designed to allow data about digital threats to be shared between the government and the private sector, but which opponents say could circumvent protections against users’ private data being siphoned from companies to the Department of Homeland Security or intelligence agencies. The bill now faces an uphill battle in the Senate and a possible veto from the White House. Forbes, April 18, 2013

Cyber Defenders

U.S. Air Force cadets win cyber war game with NSA hackers: HANOVER, Maryland (Reuters) – A U.S. Air Force Academy team on Friday beat out rivals from other elite military colleges after a three-day simulated cyber “war” against hackers from the National Security Agency that is meant to teach future officers the importance of cybersecurity. Yahoo News, April 19, 2013

Cyber Research

Machine Learning Susses Out Social-Network Fraud: Machine learning techniques can be used to detect fraud and spies on social networks based on certain features, such as the number of followers and the number of devices used to access the network.DarkReading, April 19, 2013

Securing the Village – Events Calendar

Santa Monica Rotary Club; Lunch Meeting, May 3, 2013: Dr. Stan Stahl, Citadel and ISSA-LA President, will speak on cybersecurity at the weekly meeting of the Santa Monica Rotary Club. In this non-technical talk – It Takes the Village to Secure the Village ^SM – Dr. Stahl discusses the financial implications of cyber crime, illustrates how cyber criminals take control of a user’s computer, describes the limitations of technology, summarizes emerging cyber security laws, regulations and practices, and provides practical tips to lower the risk of becoming a victim.

ISSA-LA Fifth Annual Information Security Summit; May 21, 2013: Join 800 of your colleagues and peers at the Universal City Hilton. Special Keynote Speaker: Howard Schmidt, former White House CyberSecurity Coordinator. For more information and to register, visit ISSA-LA.

 

Guest column by Citadel Information Group

 

Guest column by Citadel Information Group