We posted a special blog this week in response to FBI Director Robert Mueller’s testimony to the U.S. House Permanent Select Committee on Intelligence. Mueller stated that he believes “the cyber threat will equal or surpass the threat from counter terrorism in the foreseeable future.”
Human nature being what it is, cyber crime and hacktivism will get worse before things get better. While we can hope to avoid cybergeddon, we also have to remember that hope is not a strategy. Lest there be any doubt, take a look at the face of Anonymous described in the Huffington Post or any of the other articles we’ve posted recently describing the cyber criminal and hacktivist communities.
As we wrote in our blog, organizations of all types and sizes need to take a hard look at their cyber security management, asking themselves how they can better gather, share, analyze and use cyber information to strengthen their security posture and improve their ability to withstand cyber attacks.
Update: Windows Media Player vulnerability: New research from M86 Labs adds further insight on the MIDI exploit first highlighted by Trend Micro last week. InfoSecurity, February 1, 2012
Facebook Malware Scam Takes Hold: A “worrying number” of Facebook users are sharing a link to a malware-laden fake CNN news page reporting the U.S. has attacked Iran and Saudi Arabia, security firm Sophos said Friday. PC World, February 3, 2012
China-Based Hackers Target Law Firms to Get Secret Deal Data: Jan. 31 (Bloomberg) — China-based hackers looking to derail the $40 billion acquisition of the world’s largest potash producer by an Australian mining giant zeroed in on offices on Toronto’s Bay Street, home of the Canadian law firms handling the deal. Bloomberg, February 3, 2012
Hackers infiltrate domain name auction house: Computer hackers have penetrated the database of Australia’s biggest internet domain name auction house, possibly accessing client home addresses and encrypted credit card numbers. TheAge.com, February 2, 2012
Have 5 Million Android Users Fallen Victim to Malware Attack?: For as long as there has been advertising on the Internet there has been a fuzzy line dividing subterfuge and acceptable tricks to attract clicks. The problem of distinguishing between the legitimate and illegitimate now appears to have extended to smartphone apps as well. The Wall Street Journal, January 30, 2012
Cyber Liability: Do You Need To Safeguard Your Firm Against Cyber Crimes?: It’s no secret that cyber crime is on the rise. From identity theft, to credit card fraud, cyber criminals become more sophisticated by the day. That means that data breaches are skyrocketing and victims of online theft are multiplying exponentially. Furthermore, there is an emerging trend in cyber crime that is slowly starting to make headlines. That being that victims of cyber crimes are no longer just major credit card companies or large businesses. In fact, according to an article published in the Wall Street Journal in July of 2011, a whopping 63% of data breaches occurring in 2010 were at companies with less than 100 employees. Attorney Journal, January 17, 2012
Google now scanning Android apps for malware: Google has added an automated scanning process that is designed to keep malicious apps out of the Android Market, the company announced today. Cnet, February 2, 2012
Why corporate mobile banking is scary: In its December report on the emergence of corporate mobile banking, Celent wrote that “a slew of new devices, cheaper data plans, and faster networks are upon us. Business mobile users have the opportunity to take advantage of rich and powerful mobile banking services, provided their bank has an offering,” Sound pretty good. But the report, “Corporate Mobile Banking: Revolutionizing Cash Management,” authored by Jacob Jegher, also raises red flags about security. ABA Banking Journal
Our Mobile-Banking Warnings about Security Prove Prophetic: There’s another warning about mobile banking — even the American Bankers Association in this published report: “Why corporate mobile banking is scary.” The banking-industry article explains the difference between corporate and retail mobile banking. Corporate mobile banking is used by high net worth executives. Retail mobile banking refers to use by the masses. The Biz Coach, February 1, 2012 [This article, by our colleague, Terry Corbell, continues to document the challenges of mobile banking security. Dr. Stahl is quoted extensively.]
Utah attorney general unveils program to combat ID theft targeting children: SALT LAKE CITY — Utah’s attorney general and credit reporting company TransUnion unveiled a program Tuesday that seeks to protect children from identity theft, a growing problem in the U.S. that authorities say is difficult to detect and prosecute. The Republic, January 31, 2012
Questions on Hacking for Times of London: LONDON — Questions about illegal computer hacking by The Times of London were raised on Thursday when officials at the judicial inquiry into press ethics said they would recall the paper’s editor for further testimony and the police confirmed that they were investigating an incident in 2009 in which one of the paper’s reporters apparently hacked an e-mail account. The New York Times, February 2, 2012
‘Anonymous’ hackers intercept conversation between FBI and Scotland Yard on how to deal with hackers: The conversation covered updates to on-going court cases, the recent arrest of a 15-year-old for hacking his school website, and even touched on cheese and the merits of Sheffield. The Telegraph, February 3, 2012
VeriSign Hit by Hackers in 2010: Internet giant VeriSign was hacked repeatedly in 2010 resulting in the theft of undisclosed information and raising questions about the integrity of security certificates issued by the company as well as its domain name service. Wired, February 2, 2012
Anonymous And The War Over The Internet: Late in the afternoon of Jan. 19, the U.S. Department of Justice website vanished from the Internet. Anyone attempting to visit it to report a crime or submit a complaint received a message saying the site was unable to load. More websites disappeared in rapid succession. The Recording Industry Association of America. The Motion Picture Association of America. Universal Music. Warner Brothers. The FBI. Huffington Post, January 30, 2012
Anonymous And The War Over The Internet (Part II): If Anonymous spans the moral range between the idealistic revolutionary and the nihilistic imp, Phoenix stands all the way at the idealistic end. His base of operations is a network of chat rooms called AnonOps, which birthed many of the overtly political attacks that have made Anonymous a front-page story during the last two years. Huffington Post, January 31, 2012
Hackers deface website of lawyers for US Marine: Members of the hacker group Anonymous defaced the website on Friday of the law firm that defended a US Marine who faced charges in connection with the 2005 killing of 24 Iraqi civilians. AFP, February 4, 2012
Law enforcement websites under attack by hackers: SALT LAKE CITY – (AP) — Saboteurs stole passwords and sensitive information on tipsters while hacking into the websites of several law enforcement agencies worldwide in attacks attributed to the collective known as Anonymous. Newsday, February 3, 2012
Pro-Palestinian hackers claim to publish details of 26,000 more Israeli credit cards: An international group of hackers claimed Thursday to have published the details of 26,000 credit cards overnight, in the latest addition to a series of cyber attacks between pro-Palestinian and pro-Israeli hackers. Haaretz.com, February 2, 2012
FBI Director Says Cyberthreat Will Surpass Threat From Terrorists: Threats from cyber-espionage, computer crime, and attacks on critical infrastructure will surpass terrorism as the number one threat facing the United States, FBI Director Robert Mueller testified today. ABC News, January 31, 2012
FBI: Cyber threat might surpass terror threat: Today, FBI Director Robert Mueller told the U.S. House Permanent Select Committee on Intelligence that he believes “the cyber threat will equal or surpass the threat from counter terrorism in the foreseeable future. CBS News, February 2, 2012
Cybersecurity is a ‘team sport’: The federal government possesses cybersecurity threat information and technical capabilities that private enterprises simply do not have. But what is the proper role of the government in the cyber realm? Should it provide cybersecurity for the private sector, or should the government require that the private sector secure its own networks to a particular standard? These topics are currently under great debate in both the House and Senate. The Hill, February 3, 2012
Symantec recants Android malware claims: Symantec has backtracked from assertions last week that 13 Android apps distributed by Google’s Android Market were malicious, and now says that the code in question comes from an aggressive ad network that provides revenue to the smartphone programs. Computer World, February 1, 2012
Expect more cyber-espionage, sophisticated malware in ’12, experts say: The security industry expects the number of cyber-espionage attacks to increase in 2012 and the malware used for this purpose to become increasingly sophisticated. ComputerWorld, December 26, 2011
6 Credit Card Mistakes that can ruin your holidays: Credit cards can help make a breeze out of holiday shopping. A few missteps, though, and that breeze can turn into a storm of financial headaches. Dr. Stahl is quoted in this story. creditcards.com, December 2011
Using Starbucks’ WIFI? Security Pro Issues Warning and Security Checklist, an article featuring Dr. Stahl, has been the number one article on Terry Corbell’s site ‘The Biz Coach’ since the portal was launched in 2009.
Double wham bam: AntiSec hacks, dumps CA & NY law enforcement emails: Almost like an echo from retired hackers, those from the 90s who long ago faded into the ether, the motto for 2011 may have been along the lines of “hack the planet.” Yet there are some who obviously learned nothing about the consequences of maintaining sloppy security in 2011. In the cyber world, 2012 was not greeted by the boom of fireworks but by a double wham bam to law enforcement in California and New York. ComputerWorld, January 3, 2012
Saudi hackers leak personal information of thousands of Israelis: Saudi hackers who identified themselves as members of the online Anonymous network claimed on Monday to have leaked files containing personal information, including credit card numbers and expiration dates, belonging to more than 400,000 Israelis. Ynet News, January 3, 2012
Huge Security Breach at Security Firm Symantec No Threat to Consumers, Analyst Says: One of the biggest security firms in the world may need to boost its own security: A hacker stole the source code behind Symantec’s industry-leading antivirus program. Fox News, January 6, 2012
Hackers reveal personal data of 860,000 Stratfor subscribers: A computer hacking group has revealed email addresses and other personal data from former Vice President Dan Quayle, former Secretary of State Henry A. Kissinger, and hundreds of U.S. intelligence, law enforcement and military officials in a high-profile case of cyber-theft. LA Times, January 4, 2012
Army warns of ID theft from Stratfor hack: The Army is warning users of its Army Knowledge Online portal to beware of identity theft following the recent Anonymous hack of intelligence analysis company Strategic Forecasting. GNC, January 3, 2012
Questions About Motives Behind Stratfor Hack: When hackers used the Christmas holiday to attack Stratfor, a security group based in Austin, Tex., they initially said they were aiming to steal the credit card numbers of its clients and use them to make $1 million in donations to charity. New York Times, December 27, 2011
Major security hole in most modern wireless routers: According to a vulnerability notice issued by the US Computer Emergency Readiness Team (US-CERT) on December 27th, just about every Wi-Fi router that supports Wi-Fi Protected Setup (WPS) is vulnerable to a brute force attack. IT Wire, December 27, 2011
New Tools Bypass Wireless Router Security: Security researchers have released new tools that can bypass the encryption used to protect many types of wireless routers. Ironically, the tools take advantage of design flaws in a technology pushed by the wireless industry that was intended to make the security features of modern routers easier to use. KrebsOnSecurity, December 28, 2011
Ramnit Computer Worm Compromises 45K Facebook Logins: A computer worm that has traditionally targeted the financial industry has set its sights on social networking, recently stealing over 45,000 Facebook login credentials, according to security firm Seculert. PC Magazine, January 5, 2012
Report: Phishing attack targets Apple customers: A “vast phishing attack” that attempts to capture the credit card information of Apple customers was launched on Christmas day, according to a report from Mac security-software company Intego. ComputerWorld, December 26, 2011
Turkish hackers avenge France’s ‘genocide bill’: The websites of the French Senate and a National Assembly lawmaker who introduced a bill that would outlaw the denial of the 1915 Turkish ‘genocide’ of Armenians, have been attacked by Turkish hackers. France24, December 29, 2011
Spam Campaign following Kim Jong-il’s Demise Serves Malware: The telecommunications regulator of South Korea alerted that a malicious spam campaign, by capitalizing on Kim Jong-il’s death who was the Workers Party of Korea’s general secretary in North Korea, is striking users’ mailboxes. Help Net Security published this, December 20, 2011. Spamfighter.com, December 27, 2011
Websites targeting Olympics visitors closed down by police: Detectives from the UK’s leading cyber crime unit have identified hundreds of websites that could be used to dupe visitors to next year’s London Olympics. The Guardian, December 26, 2011
GSM phones vulnerable to hijack scams -researcher: Flaws in a widely used wireless technology could allow hackers to gain remote control of phones and instruct them to send text messages or make calls, according to an expert on mobile phone security. Reuters, December 27, 2011
Chamber of Commerce Cyber Attack a Wake-Up Call for In-House Counsel: The extent of the cyber-damage caused by China-based hackers who tapped into the U.S. Chamber of Commerce in 2010 is not yet known. But following the recently publicized information about the attack, the message to in-house counsel is clear: protect yourselves. And that may mean having your company work more closely with the government. Law.Com, December 23, 2011
Cyber strike rampage: White-hot Israel vows to treat hackers like terrorists: In the wake of a massive online dump of Israeli credit card details by “Saudi” hackers, Tel Aviv says it will treat cyber attacks as acts of terror. It has also commended the US, who has hinted at retaliating for such assaults with military action. RT News, January 7, 2012
Dept. of Energy developing project to reinforce grid cybersecurity: The government is trying once again to whip the key players behind the country’s electrical grid into a security force that can defend against mounting cyber threats. Network World, January 5, 2012
Happy 2nd Birthday, KrebsOnSecurity.com!: This past year, KrebsOnSecurity.com has featured more than 200 blog posts, and attracted 5,000+ reader comments. It has been humbling to watch the audience here steadily grow and mature into a community. The expertise and conversations offered by readers in the blog comments have added immeasurably to the value and usefulness of this site. KrebsOnSecurity, December 25, 2011
This week’s lead story is the bust of major cyber crime gangs on both sides of the pond. One Russian and six Estonians were charged with wire fraud and conspiracy in a 27-count indictment unsealed Thursday by Manhattan U.S. Attorney Preet Bharara. The cyber-hijacking victims included at least a half million individuals, businesses in the U.S. and government agencies, including the National Aeronautics and Space Administration. Meanwhile British police have jailed 13 people for their participation in a sophisticated banking fraud gang that used malware to help steal at least 2.9 million British pounds ($4.6 million) from hundreds of people. Police said the gang was led by two Ukrainian nationals, Yevhen Kulibaba, 33, and Yuriy Konovalenko (aka Pavel Klikov), 29. Both plead guilty to “conspiracy to defraud,” were sentenced to serve four years and eight months in prison, and began serving those terms on Monday.
The story serve as a reminder of the dangers of cyber crime and the importance of strong defensive measures:
For more about the arrest of these cyber crime gangs, see our “Ray of Sunshine” section.
What’s it like to share your SSN with 50 people? Follow a victim’s struggle: Jonathan Barnett is also Jose Cruz. And Jesus Ramirez. And Pilar Terrones, Pilar Sanchez, Esmeralda Gonzalez and dozens of other people, at least according to the nation’s identity system. MSNBC, November 7, 2011
How Much Is Your Identity Worth?: How much does it cost for thieves to discover the data that unlocks identity for creditors, such as your Social Security number, birthday, or mother’s maiden name? Would it surprise you to learn that crooks are selling this data to any and all comers for pennies on the dollar? KrebsOnSecurity, November 8, 2011
Lesson about Passwords after Theft of 16,000+ UCLA Patient Records: The personal information of 16,288 patients at UCLA’s network of hospitals and clinics are in the wrong hands following a burglary of a doctor. The information was on the computer hard drive stolen from a doctor’s home, according to an article in the The New York Times (U.C.L.A. Health System Warns About Stolen Records).
Dr. Stahl is quoted in this story. The Biz Coach, November 6, 2011
Encryption And Other Database Security Lags At Healthcare Organizations: Healthcare and IT experts convened on Capitol Hill this week to warn Congress that as healthcare organizations are increasing the use of electronic medical records in light of federal mandates, they are not protecting these records within the database and elsewhere. Security professionals agree that in order for the public to trust these records, healthcare organizations need to start working on database security best practices — the same first-order practices that any organization with minimal security should start with to shore up sensitive data stores. Dark Reading, November 11 2011
Internet Risk: Online Ads That Carry Computer Viruses and Other Malware: The online advertising industry is scrambling to quell a long-standing problem that has taken a turn for the worse: the spread of malicious ads on the Internet’s top commercial websites. ABC News, November 6, 2011
Hackers may have spent years crafting Duqu: The hacker group behind Duqu may have been working on its attack code for more than four years, new analysis of the Trojan revealed Friday. Computerworld, November 11, 2011
Apple banishes expert who exposed software flaw: Boston: Apple Inc expelled a highly regarded cybersecurity expert from one of its developers’ programs, stripping him of rights to build software for iPads and iPhones after he publicly demonstrated a flaw in its iOS operating system. FirstPost, November 9, 2011
DroidDream Light a malware nightmare, booted from Android Market: A number of malware-encumbered applications were found in the Android Market back in March, but the infestation was brought to a swift end when Google deployed its kill switch. A new variant of the same malware recently resurfaced and was identified by security researchers over the weekend. Google has responded by booting the new round of infected applications out of the Android Market. ars technica, July 2011
Vulnerabilities give hackers ability to open prison cells from afar: Researchers have demonstrated a vulnerability in the computer systems used to control facilities at federal prisons that could allow an outsider to remotely take them over, doing everything from opening and overloading cell door mechanisms to shutting down internal communications systems. Tiffany Rad, Teague Newman, and John Strauchs, who presented their research on October 26 at the Hacker Halted information security conference in Miami, worked in Newman’s basement to develop the attacks that could take control of prisons’ industrial control systems and programmable logic controllers. They spent less than $2,500 and had no previous experience in dealing with those technologies. ars technica, November 8, 2011
Cyber weaknesses should deter US from waging war: WASHINGTON (AP) — America’s critical computer networks are so vulnerable to attack that it should deter U.S. leaders from going to war with other nations, a former top U.S. cybersecurity official said Monday. Associated Press, November 8, 2011
Ex-Marine Corps General: We’ve Got to Step Up Our Cyber Security Game: James Cartwright, a recently retired four-star Marine Corps general, is urging the U.S. government to be more open about its use of offensive cyber weapons so that they may act as a deterrent. Daily Tech, November 7, 2011
Darpa Begs Hackers: Secure Our Networks, End ‘Season of Darkness’: The Pentagon’s far-out research agency and its brand new military command for cyberspace have a confession to make. They don’t really know how to keep U.S. military networks secure. And they want to know: Could you help them out? Wired, November 7, 2011
London Conference reveals ‘fault lines’ in global cyberspace and cybersecurity governance: BLOOMINGTON, Ind. — The recently completed London Conference on Cyberspace — a major event attended by participants from more than 60 countries and hosted by the U.K. government — sought to advance an agenda to guide creation of a global, secure, resilient, and open cyberspace. But according to an Indiana University Maurer School of Law cybersecurity expert, the meeting revealed deep differences that make effective international cooperation on cyberspace and cybersecurity increasingly difficult. Indiana University News Room, November 7, 2011
Senators Push for Changes in Cybercrime Law: The main U.S. law targeting cybercrime may need to be changed because it has allowed law enforcement agencies to target people who simply violate websites’ terms of service or their employers’ computer use policies, two senators said Wednesday. PC World, September 7, 2011
FBI Helps Bust $4.6 Million Cybercrime Gang: British police announced Monday they have jailed 13 people for their participation in a sophisticated banking fraud gang that used malware to help steal at least 2.9 million British pounds ($4.6 million) from hundreds of people. InformationWeek, November 2, 2011
Hackers Hijack Millions of Computers in ‘Massive’ Fraud Case: Nov. 9 (Bloomberg) — The U.S. charged seven people with a “massive” computer intrusion scheme that used malicious software to manipulate online advertising, diverted users to rogue servers and infected more than 4 million computers in more than 100 countries. Bloomberg, November 10, 2011
Biggest Cybercriminal Takedown in History: The proprietors of shadowy online businesses that have become synonymous with cybercrime in recent years were arrested in their native Estonia on Tuesday and charged with running a sophisticated click fraud scheme that infected with malware more than four million computers in over 100 countries — including an estimated 500,000 PCs in the United States. The law enforcement action, dubbed “Operation Ghost Click,” was the result of a multi-year investigation, and is being called the “biggest cybercriminal takedown in history.” KrebsOnSecurity, November 9, 2011
DHS warns that Irene could prompt phishing scams: As Hurricane Irene barrels toward the eastern seaboard, the U.S. Department of Homeland Security is warning government agencies and private companies to be on the lookout for storm-related phishing attacks and other malicious cyberactivity. Computer World, August 26, 2011
Child Identity Theft Takes Advantage Of Kids’ Unused Social Security Numbers: Every few weeks, Stephanie McManis receives a phone call from a collection agency asking for someone she never met. She recently opened a letter from a bank threatening to sue her for defaulting on a loan she never took out. She checks her credit report monthly, disputing late payments on emergency room visits she never made. The Huffington Post, August 22, 2011
Google hacking exposes large caches of personal data: Google hacking, which has been on the rise this summer, is a bit of a misnomer. Also known as Google dorking, Google hacking refers to cybercriminals’ enterprising use of Google’s advanced search functions to find caches of valuable data ripe for the taking. USA Today, August 23, 2011
Maine voter registration system breached: The Maine Secretary of State’s Office said Wednesday it is investigating a potential security breach in the computer system that contains records on Maine’s registered voters. Bangor Daily News, August 26. 2011
Researcher battles insulin pump maker over security flaw: A security researcher who has proven he can remotely disable the insulin pump he relies on to keep his diabetes in check says the device maker is refusing to acknowledge the problem and misleading the public. Cnet, August 26, 2011
Fake goods, stolen secrets cost U.S. firms billions: An industrial spy tries to steal $20 million in trade secrets from Minnesota-based Valspar paints. The kingpin of a Houston-based drug counterfeiting ring makes millions plugging his fake pharmaceuticals into the pipeline of Britain’s socialized medical system. In Washington, the Defense Department unwittingly buys and installs knockoff Cisco computer software to track troop movements. The Republic, August 24, 2011
New Data Spill Highlights Risk of Online Health Records: Until recently, medical files belonging to nearly 300,000 Californians sat unsecured on the Internet for the entire world to see. Fox News, August 22, 2011
Consumers Fear Online Fraud and Seek Retailers’ Resolutions: Is consumers’ growing concern for online shopping safety a good thing for brick and mortar retailers? Could some of those customers be willing to pack in their PayPal accounts and abandon their online shopping carts, and find their way back to Main Street USA? A recent Harris Interactive survey commissioned by McAfee makes it seem likely, reporting, “84 percent of consumers say they are at least somewhat concerned about providing their personal information when shopping online. And less than 33 percent of shoppers believe most websites are safe for shopping, an 11 percent dip from 2009.” That leaves only six percent of consumers that aren’t worrying about Internet security. And while you hope that means more customers will hit the storefronts, there are no guarantees. Plus, as multi-channel browsing has become a growing trend, more and more brick and mortars are investing in a B2C site, and it would be a waste of money if consumers online security concerns were not addressed and the B2C sites abandoned. Independent Retailer, August 25, 2011
Source Code For SpyEye Trojan Published; More Exploits On The Horizon, Researcher Says: The source code for SpyEye, an infamous data-stealing Trojan, has been published on the Web and could easily be adapted and used by any savvy cybercriminal with virtually no cost or chance of getting caught, a researcher said Monday. Dark Reading, August 15, 2011
Hybrid Hydras and Green Stealing Machines: Hybrids seem to be all the rage in the automobile industry, so it’s unsurprising that hybrid threats are the new thing in another industry that reliably ships updated product lines: The computer crime world. The public release of the source code for the infamous ZeuS Trojan earlier this year is spawning novel attack tools. And just as hybrid cars hold the promise of greater fuel efficiency, these nascent threats show the potential of the ZeuS source code leak for morphing ordinary, run-of-the-mill malware into far more efficient data-stealing machines. KrebsOnSecurity, August 24, 2011
Researchers See Improvements in Breakaway Zeus Malware: A dangerous piece of malicious code responsible for stealing money from online bank accounts is being updated with new functions after its source code was leaked earlier this year, according to security researchers. PC World, August 25, 2011
Researchers find first Android malware targeting Gingerbread: Researchers have spotted the first malware that exploits a critical vulnerability in Android 2.3, aka Gingerbread, finding samples tucked into legitimate apps on Chinese download sites. Computer World, August 23, 2011
Exclusive: Privacy lawsuit targets comScore: Online data tracking service comScore Inc siphons confidential information including passwords, credit card numbers and Social Security numbers from unsuspecting users, according to a lawsuit filed on Tuesday. Reuters, August 23, 2011
Facebook reworks its maligned privacy settings: Facebook on Tuesday said it was overhauling its privacy settings to give members easier, more precise control over who sees posts, photos and other content over the vast social network. SF Gate, August 24, 2011
New Control Over Privacy on Facebook: Privacy worries have bedeviled Facebook since its early days, from the introduction of the endless scroll of data known as the news feed to, most recently, the use of facial recognition technology to identify people in photographs. The New York Times, August 23, 2011
Moving Toward Trusted Identities: In an effort to alleviate one of the biggest issues in online security—the problem of secure online authentication—the Obama administration recently issued its final National Strategy for Trusted Identities in Cyberspace (NSTIC). The goal is to partner with private sector entities to implement the strategy; that initiative is being led by the Commerce Department and the National Institute of Standards and Technology (NIST). If it works, it could help reduce online fraud and identity theft and spur commerce, according to government officials. It would be particularly useful for online banking and in protecting sensitive electronic medical records. Security Management, August 2011
AntiSec stole thousands of personal records, analysis shows: A massive data cache posted on the Internet by hacker group AntiSec over the weekend contained thousands of Social Security numbers, dates of birth, passwords and telephone numbers, among other personal information, according to an analysis by a developer of identity theft prevention software. LA Times, August 8, 2011
Anonymous, LulzSec Dump Data from 70 Sheriffs’ Offices: Anonymous continued its attacks against law enforcement agencies to protest recent arrests of Anonymous members and Topiary by breaching a third-party marketing firm hosting 70 law enforcement Websites. eWeek, August 8, 2011
Hackers Expose 75,000 Social Security Numbers from University of Wisconsin: While Anonymous plots the destruction of Facebook and Lulzsec remains on the lam, another hacker (or group of hackers) decided to kick it old school by planting malware on a computer system at the University of Wisconsin-Milwaukee. The security breach exposed the social security numbers of thousands of students, faculty, and staff, and if that’s what the party responsible was after, the numbers could end up on the underground market. Maximum PC, August 11, 2011
How USB Sticks Cause Data Breach, Malware Woes: In the past two years, 70% of businesses have traced the loss of sensitive or confidential information to USB flash memory sticks. While such losses can obviously occur when the devices get lost or stolen, 55% of those incidents are likely related to malware-infected devices that introduced malicious code onto corporate networks. Information Week, August 8, 2011
Cyber Security Is Ready to Explode: If the rash of recent high-profile cyber attacks at Sony (NYS: SNE) , Lockheed Martin (NYS: LMT) , and Citigroup (NYS: C) didn’t give corporations that naked-to-the-world feeling, then this should: McAfee, the Internet security unit of Intel (NAS: INTC) , discovered network penetrations at 72 international organizations, including governments, the United Nations, and a litany of defense contractors. Daily Finance, August 11, 2011
Lose your laptop? Change all passwords, pronto: If your Windows laptop is stolen, be warned: new research shows how a thief can gain access to the passwords used by your Amazon.com, Google, Yahoo, Facebook, and other Web accounts. The passwords for accounts in the cloud are supposed to be protected by Windows’ built-in encryption. But a team of security researchers demonstrated at the Black Hat security conference here how last week to bypass the operating system’s security. Cnet, August 8, 2011
App Makers May Be Exposing Your Sensitive Data to Hackers: Some popular apps store sensitive data such as user names and passwords and credit card information in plain text on your phone’s memory, making the data an easy target for hackers. A Chicago-based mobile forensics company called viaForensics recently found as much after completing an audit of dozens of the most popular apps on both iOS and Android platforms. PC World, August 8, 2011
Hackers crack crypto for GPRS mobile networks: A cryptographer has devised a way to monitor cellphone conversations by exploiting security weaknesses in the technology that forms the backbone used by most mobile operators. The Register, August 10, 2011
Judge Nixes Patco’s eBanking Fraud Case: A district court judge in Maine last week approved a pending decision that commercial banks which protect accounts with little more than passwords and secret questions are in compliance with federal online banking security guidelines. KrebsOnSecurity, August 8, 2011
Cybertheft and the U.S. Economy: In August 2011, the cybersecurity firm McAfee released an eye-opening report (PDF) detailing its investigation into a multi-year, most likely state-sponsored cyberattack that includes intrusions into the U.S. federal government and defense contractors, resulting in the theft of massive stores of intellectual property. The report’s author and McAfee’s vice president of threat research, Dmitri Alperovitch, describes these attacks, known as Operation Shady RAT, as a profound threat, indicative of a larger trend that may result in “the complete destruction” of the U.S. economy. Rather than focus on the potential for a theoretical “cyber Pearl Harbor,” he says that U.S. policymakers should use all of the nation’s power to stem the steady theft of national secrets. Council on Foreign Relations, August 11, 2011
Can the nation get smart about cybersecurity?: Declaring that “our nation is at risk” from vulnerabilities in the critical online infrastructure, the National Institute of Standards and Technology has released a draft plan for improving cybersecurity awareness, developing educational resources and creating career paths for IT professionals. Government Computer News, August 12, 2011