Cyber Security News of the Week, November 20, 2011

Cyber Security Story of the Week — Securing Androids and Other Smart Devices

Two stories this week illustrate the challenge of securing mobile apps. In Android malware infections skyrocket, Juniper Networks reports skyrocketing rates of Android malware infection while App Freedom Vs. Corporate Security illustrates the challenges organizations have in helping users keep their Androids [and their iPhones and other smart devices] free of malware.

The situation with Androids has become so serious that Citadel now recommends to our clients that they “white list” acceptable Android applications while prohibiting staff from accessing sensitive corporate information from Android devices running unapproved apps.

The Android malware risk impacts the phone owner as well as the organization. We are seeing reports of users getting stiffed for thousand dollar cell phone bills after installing applications containing hidden malware designed to secretly use the phone’s text messaging system to send SMS messages to premium rate numbers owned by cyber criminals. Once messages are sent, the money is generally not recoverable.

Information at Risk – Personal Information

Breach exposes data at VCU: Virginia Commonwealth University will hire an outside cybersecurity consultant to examine its information technology system after a computer server containing personal data on 176,567 people was hacked last month. Richmond Times-Dispatch, November 12, 2011

Information at Risk – Anonymous Leaks

Anonymous Leaks Another Computer Expert’s Personal Emails: In a typically nasty personal-political combo, Anonymous has leaked thousands of private emails belonging to a retired California cybercrime investigator named Fred Bacalagan, in what they say is payback for the recent Occupy Wall Street crackdown. Gawker, November 18, 2011

Information at Risk – Intellectual Property

Security watchdog: Norwegian energy, defense industries hit by extensive data-theft attack: OSLO, Norway — Data from Norway’s oil and defense industries may have been stolen in what is feared to be one of the most extensive data espionage cases in the country’s history, security officials said Thursday. The Washington Post, November 17, 2011

Information at Risk – Online Bank Fraud

Title Firm Sues Bank Over $207k Cyberheist: A title insurance firm in Virginia is suing its bank after an eight-day cyber heist involving more than $2 million in thefts and more than $200,000 in losses last year. In an unusual twist, at least some of the Eastern European thieves involved in the attack have already been convicted and imprisoned for their roles in the crime. November 14, 2011

Cyber Security Management – Help for Small Business

FCC Small Biz Cyber Planner: Information technology and high-speed Internet are great enablers of small business success, but with the benefits comes the need to guard against growing cyber threats. As larger companies take steps to secure their systems, less secure small businesses are easier targets for cyber criminals. Use this tool to create and save a custom cyber security plan for your company, choosing from a menu of expert advice to address your specific business needs and concerns. FCC.gov

Cyber Security Management – Mobile Devices

App Freedom Vs. Corporate Security: You can’t prevent employees from snapping up iPads and Droid phones, even if you wanted to. Sixty-five percent of respondents to our InformationWeek 2011 Mobile Device Management and Security Survey predict that the number of employee-owned devices accessing company data will increase. What you can do is use your leverage when they want to connect to business systems by asking them to run mobile device management (MDM) software, which can enforce corporate policies and provide features such as device tracking and remote wiping. Information Week, November 18, 2011

Cyber Security Management – IRS Fails to Protect Taxpayer’s Data

GAO Rips IRS Taxpayer Data Security: A new report from the Government Accountability Office (GAO) ripped into the IRS once again for insufficient access controls, database maintenance, and monitoring necessary to keep taxpayer information safe. The report’s findings echo many of the issues seen in database and application security across many large enterprises today, experts say. Released last week, the GAO’s financial audit reported that during the past fiscal year, the IRS still had glaring holes in internal controls over information security, in spite of initiating efforts to address concerns levied by the GAO in past years. Information Week, November 17, 2011

Cyber Security Management – Lessons Learned

Exclusive: Lax security at Nasdaq helped hackers: A federal investigation into last year’s cyber attack on Nasdaq OMX Group found surprisingly lax security practices that made the exchange operator an easy target for hackers, people with knowledge of the probe said. The sources did not want to be identified because the matter is classified. Reuters, November 17, 2011

Internet Badlands – Trust

F-Secure Finds Malware Signed With Stolen Digital Certificate: Researchers from security vendor F-Secure have spotted a rare malicious software sample that carried a valid code-signing certificate from a Malaysian governmental institution. PC World, November 14, 2011

Internet Badlands – Android

Android malware infections skyrocket, says Juniper: Juniper Networks has reported skyrocketing rates of Android malware infections on the networks of its mobile customers, with detected malware more than quadrupling in just the last six weeks. That’s on top of dramatic increases in the previous two years. The report will put more pressure on Google to tighten up security practices in the Android Market. Ars Technica, November 16, 2011

How to Detect Malicious Android Apps Before They Infect Your Smartphone or Tablet: For millions of people, the first thing to do when they get their new smartphone or tablet is to visit the device’s app store and begin downloading games, magazines, utilities and sports apps. Apps are fun, useful and a bit addictive. They can also be dangerous. Malicious apps, especially those for Android devices, are a growing problem for smartphone and tablet users. (Apple devices are protected as long as they’re not “jailbroken” to run unauthorized apps.) Security News Daily, October 25, 2011

Internet Badlands – Facebook

Facebook users reel from porn spam attack: After being bombarded with hard-core pornographic and violent images on their news feeds, some Facebook users may change how and if they use the social network, according to industry analysts.Computerworld, November 16, 2011

National Cyber Security – Critical Infrastructure

Foreign hackers targeted U.S. water plant in apparent malicious cyber attack, expert says: Foreign hackers caused a pump at an Illinois water plant to fail last week, according to a preliminary state report. Experts said the cyber-attack, if confirmed, would be the first known to have damaged one of the systems that supply Americans with water, electricity and other essentials of modern life. The Washington Post, November 18, 2011

Water utility hackers destroy pump, expert says: Hackers destroyed a pump used by a US water utility after gaining unauthorized access to the industrial control system it used to operate its machinery, a computer security expert said. The Register, November 17, 2011

National Cyber Security – Combating Cyber Crime

DOJ wants to prosecute cyber criminal activity under racketeering law: The set of laws that has allowed federal prosecutors to bring down traditional organized crime gangs should be applied to international cyber crime rings, a top Department of Justice official told a congressional committee on Nov. 15. GSN, November 16, 2011

Cyber War – Stuxnet & Duqu

New Computer Malware May Presage Another Cyberattack, Potentially on Iran: Roughly a year ago, the era of cyberwar officially began with the revelation that a complex computer worm called Stuxnet, allegedly designed in the U.S and tested in Israel, had sabotaged the Iranian nuclear facility in Natanz. The Daily Beast, November 16, 2011

Iran Admits Nuclear Sites Hit by ‘Duqu’ Cyberweapon: Iranian officials admitted Sunday that they had uncovered evidence of the Duqu computer virus — labeled “Son of Stuxnet” by cyber experts — at the Islamic Republic’s nuclear sites, state-controlled IRNA news agency reported. Fox News, November 14, 2011

Cyber Security Legislation – Pending

Sandia Labs: SOPA will ‘negatively impact’ U.S. cybersecurity: Add the Sandia National Laboratories, part of the U.S. Department of Energy, to the list of opponents of a controversial Hollywood-backed copyright bill. Cnet, November 17, 2011

SOPA, controversial online piracy bill, gains support as lobbying intensifies: Several lawmakers expressed support Wednesday for a controversial bill aimed at curbing online piracy as lobbying over the issue reached a fever pitch. The Washington Post, November 16, 2011

Cybercrime Watch: Fabricated Dating Profiles: House lawmakers on Tuesday are slated to mull updating a 1986 anti-hacking law that even ideological opponents agree criminalizes innocent Web surfing. However, when a Senate panel discussed the Computer Fraud and Abuse Act in September, Justice Department officials argued that changing the penalties could let legitimate bad guys off the hook. Nextgov, November 14, 2011

Ray of Sunshine

Celeb hacker Christopher Chaney faces fresh charges of identity theft: A US man has been indicted on two additional felony counts for allegedly hacking into an email account belonging to an unnamed actress, according to court documents. AP, November 19, 2011