ISSA-LA and Citadel President Dr. Stahl and Jim Harper, Director of Information Policy Studies, at the Libertarian CATO Institute will discuss the government’s role in cyber security on AirTalk with Larry Mantle on Monday, June 10. The interview is scheduled to begin shortly after 11:00 AM, PDT.
Stahl and Harper will talk about last week’s cybersecurity poll by the Washington Post which showed that more than 60% of Americans believe that business and government are at least pretty-well prepared for a major cyber-attack. According to the poll. Americans are divided over whether government should impose security requirements on companies.
KPCC is at 89.3 FM in Southern California and also available online.
Citadel Special Alert: Citadel issued a special blog post on June 6 advising Linkedn users to change their passwords and to be on the alert for phishng scams purporting to come from LinkedIn.
If LinkedIn Hasn’t Fixed Its Massive Security Breach, A New Password May Not Be Enough: For a Web firm like LinkedIn, there’s a fate worse than confessing to a massive security breach: Failing to detect an ongoing one. Forbes, June 6, 2012
Hackers crack more than 60% of breached LinkedIn passwords: More than 60% of the unique hashed passwords that were accessed by hackers from a LinkedIn password database and posted online this week have already been cracked, according to security firm Sophos. ComputerWorld, June 7, 2012
Like LinkedIn, Last.fm And eHarmony Suffer Password Breach: Last.fm and eHarmony became the latest websites to suffer security breaches that put the passwords of some of their users at risk.. NPR, June 7, 2012
Last.fm warns users of password leak: Last.fm today urged its users to change their passwords because of a compromise that may be related to a huge password leak involving LinkedIn and eHarmony. Cnet, June 7, 2012
Attackers Hit Weak Spots in 2-Factor Authentication: An attack late last week that compromised the personal and business Gmail accounts of Matthew Prince, chief executive of Web content delivery system CloudFlare, revealed a subtle but dangerous security flaw in the 2-factor authentication process used in Google Apps for business customers. Google has since fixed the glitch, but the incident offers a timely reminder that two-factor authentication schemes are only as secure as their weakest component. KrebsOnSecurity, June 5, 2012
‘Flame’ Malware Prompts Microsoft Patch: Microsoft has issued an emergency security update to block an avenue of attack first seen in “Flame,” a newly-discovered, sophisticated malware strain that experts believe was designed to steal data specifically from computers in Iran and the Middle East. KrebsOnSecurity, June 5, 2012
Cybersecurity poll: Americans divided over government requirements on companies: In general, the poll found, people worry more about getting a computer virus and having their financial information stolen than they do about someone reading their e-mail or knowing what Web sites they have visited. But about a third of Americans are concerned about those issues as well. The Washington Post, June 7, 2012
Disclosing Cyber Security Incidents: The SEC Weighs In: Recent high profile data breaches, corporate economic espionage cases and government reports detailing the threat posed by foreign economic espionage in cyberspace have generated more focus on the risks posed by cyber incidents and whether corporations are doing enough to protect their computer systems and intellectual property. Despite this, and prior to recently released guidelines from the Division of Corporation Finance of the Securities and Exchange Commission, there were no guidelines as to when a corporation should publicly disclose the loss of confidential information or disruption to a system caused by a cyber incident even where the incident caused financial losses. Indeed, it was widely assumed that many companies did not report loss of confidential information or a disruption to their computer system caused by a cyber incident for fear of damaging their reputation with investors, customers, and their employees, and highlighting their vulnerabilities. Now, however, corporations and their managers should aware of the guidelines from the SEC on the disclosure of cyber incidents. Forbes, June 4, 2012
Google Adds State-Sponsored Attack Alerts In Fight Against Cyber Crime: Internet search giant Google on Tuesday introduced a new alert system that will warn users who are logged into their Google account when it thinks they may be the target of a state-sponsored cyber attack. redOrbit, June 6, 2012
Stopping Cybercrime Paying: Microsoft has come a long way in Brussels since its antitrust battles with the European Commission over the last decade. They’ve since become a big presence in Brussels, keen to showcase their credentials for good works such as battling cybercrime, including helping users identify victimized computers which, unbeknownst to their owners, are being used for nefarious purposes. The Wall Street Journal, June 6, 2012
Secretary of Homeland Security: cybercrime as big a threat as Al Qaeda: The Obama administration dramatically upped the ante in the botnet wars this week, at least rhetorically speaking, as it unveiled a public-private partnership to detect and clean PCs and other devices that have been infected with malicious code. Forbes, June 3, 2012
Why the United States Can’t Win a Cyberwar: Sen. John McCain rarely ceases to boggle the mind. He did it again today, highlighting a provision that he inserted in the defense authorization bill requiring U.S. Cyber Command “to provide a strategy for the development and deployment of offensive cyber capabilities.” Slate, June 8, 2012
Cyber search engine Shodan exposes industrial control systems to new risks: It began as a hobby for a teenage computer programmer named John Matherly, who wondered how much he could learn about devices linked to the Internet. After tinkering with code for nearly a decade, Matherly eventually developed a way to map and capture the specifications of everything from desktop computers to network printers to Web servers. The Washington Post, June 3, 2012
THE REWARDS (AND RISKS) OF CYBER WAR: The militarization of cyberspace has been under way for more than a decade, but only in the last few years have the telltale signs appeared suggesting that the United States is erecting a new digital wing of its permanent national-security state. The New Yorker, June 7, 2012
Report: Hackers could access US weapons systems through vulnerable chip: A secret nanoscale “backdoor” etched into the silicon of a supposedly secure programmable chip could give cyberattackers access to classified US weapons systems, including guidance, flight control, networking, and communications systems, according to a new report by cybersecurity researchers in Britain. Christian Science Monitor, June 7, 2012
Sophisticated cyber-battles raise fears of cyber-blowback: WASHINGTON — The Obama administration is warning American businesses about an unusually potent computer virus that infected Iran’s oil industry even as suspicions persist that the United States is responsible for secretly creating and unleashing cyberweapons against foreign countries. MSNBC, June 2, 2012
U.S. Administration’s Reckless Cyber Policy Puts Nation at Risk: The Russian security company, Kaspersky Lab, recently contacted IMPACT, the global cybersecurity coordinating center run by the UN’s International Telecommunication Union (ITU), and reported that new variations of a malicious software known as Flame were capable of stealing large amounts of data from government and critical infrastructure systems. IMPACT (an acronym for the International Multilateral Partnership Against Cyber Threats), began working closely with Kaspersky and issued an alert to its 142 member countries. The United States, however, did not receive the alert because it is not a member of the global cyber center. In fact, the U.S. State Department has rebuffed the organization’s overtures to join and has blocked other U.S. government agencies that have tried to develop working relationships with IMPACT. Forbes, June 4, 2012
Expert Issues a Cyberwar Warning: MOSCOW — When Eugene Kaspersky, the founder of Europe’s largest antivirus company, discovered the Flame virus that is afflicting computers in Iran and the Middle East, he recognized it as a technologically sophisticated virus that only a government could create. The New York Time, June 4, 2012
Compromise Cybersecurity Bill Talks Started, Lieberman Says: A bipartisan group of senators is working on a compromise around U.S. cybersecurity legislation that’s been stalled over differences on whether government should set protection standards, Senator Joseph Lieberman said. Bloomberg, June 7, 2012
Alleged Romanian Subway Hackers Were Lured to U.S.: The alleged ringleader of a Romanian hacker gang accused of breaking into and stealing payment card data from hundreds of Subway restaurants made news late last month when he was extradited to face charges in the United States. But perhaps the more interesting story is how his two alleged accomplices were lured here by undercover U.S. Secret Service agents, who promised to shower the men with love and riches.KrebsOnSecurity, June 6, 2012
Zappo’s reported that it had been hacked, exposing the personal information of 24 million customers. Anonymous brought down the Justice Department’s website and several websites associated with the entertainment industry in response to the Feds bringing down MegaUpload, a large pirate site. America’s critical infrastructure, including water and power, as well as our manufacturing base was put at greater risk with the public release of exploits that target vulnerabilities in industrial control systems. Cyber criminals are targeting our children by installing malicious software (malware) on popular child-focused sites. Israel, Palestine and hacktivists in Saudi Arabia seem locked in cyber war. Adding insult to injury, security vendor McAfee was caught with it’s pants down as a vulnerability in one of its products allowed cyber criminals to send spam from supposedly protected PCs.
The New York Times reports again on how difficult it is even for large companies to protect their sensitive information while PC World once again documents several challenges every organization faces in securing information outside the corporate perimeter, whether in the Cloud, in employee’s homes, on laptops, on iPads and other tablets, etc. Meanwhile bank regulators are pushing financial institutions to do more to protect their customers from online bank fraud.
Want to know how cyber crime might impact your organization? Want to better understand your exposure to cyber crime? We encourage you to contact us.
Email, Personal Information on PlayBook Left Vulnerable to Hackers: Research in Motion may have improved its overall experience on the PlayBook with its recent update, but security researchers recently revealed that the device leaves corporate email and user information open to potential hackers. Researchers Zach Lenier and Ben Nell of Intrepidus Group uncovered a vulnerability in the PlayBook’s Bridge application that leaves the authentication token for the Bridge application somewhere anyone could dig it up. PCWorld, January 17, 2012
Hackers Steal $6.7 Million in Cyber Bank Robbery: The first major cybercrime of 2012 has taken place in South Africa, with hackers made off with about $6.7 million from Postbank, which is state-owned and part of the South African post office. PCWorld, January 18, 2012
Zappos hacked, 24 million accounts accessed: NEW YORK (CNNMoney) — Online shoe store Zappos has been hacked, exposing the names, e-mail addresses, addresses, phone numbers and partial credit card numbers of its 24 million customers, the company said late Sunday night. CNN, January 16, 2012
Megaupload Founder Kim Dotcom, By the Numbers: When news of the international raid on Megaupload broke Thursday in the U.S., Internet aficionados got a glimpse at the man behind of the largest file-sharing websites in the world. And it turns out the site’s founder, Kim Dotcom, was rich, large, and most certainly in charge. He currently sits in a New Zealand prison awaiting trial, while we attempt to dissect the man who (formerly) controlled the online media empire. Time, January 21, 2012
Megaupload Execs Had Thing For Bling, Indictment Shows: The Justice Department Thursday unsealed an indictment in Virginia charging seven executives at file-sharing site Megaupload.com with copyright violations, racketeering, and money laundering. Four of the people charged, including 37-year-old Megaupload CEO and founder Kim Dotcom (aka Kim Tim Jim Vestor, aka Kim Schmitz), were arrested by New Zealand authorities, while the others remain at large. InformationWeek, January 20, 2012
Anonymous tricked people into joining Web site attacks: If you clicked a link distributed by Anonymous yesterday, you may have unwittingly helped the online activists in their attacks against U.S. government and entertainment industry sites that were organized to protest proposed antipiracy legislation. Cnet, January 20, 2012
New Report Shows Malware ‘Sleeps’ on Computer for Average of 8 Months, Collecting Data: In a new investigative report from Daily Safety Check ™, the average time before ‘activation’ of malware before committing cyber crimes – such as bank transfers, fraud and information theft – is 8 months. SFGate, January 18, 2012
Facebook exposes hackers behind Koobface worm: As expected, Facebook today started to release information about the Koobface worm (its name is an anagram of “Facebook”) and those behind it. The update comes almost a year since Facebook’s last post about the infamous piece of malware. After more than three years and numerous hours of working closely with industry leaders, the security community, and law enforcement, Facebook has announced its social network has been free of the virus for over nine months. ZDNet, January 17, 2012
Web Gang Operating in the Open: Five men believed to be responsible for spreading a notorious computer worm on Facebook and other social networks — and pocketing several million dollars from online schemes — are hiding in plain sight in St. Petersburg, Russia, according to investigators at Facebook and several independent computer security researchers. The New York Times, January 16, 2012
Clamor for Cloud Apps Increases Corporate Data Breach Risk: Employees bringing in their own devices and choosing their own application services is significantly increasing the risk to enterprise data. PC World, January 17, 2012
Regulators push banks to improve online security: According to a report in the New York Times , the Federal Deposit Insurance Corporation wants financial institutions to add a new security layer that detects unusual patterns of online activity — such as a volley of transfers to an account in Russia — in real time, starting this month. However, the Financial Times reported that a poll by a bank technology firm in November suggested that 40 percent of banks weren’t even aware that regulators want them to adopt new measures. Atm Marketplace, January 17, 2012
Even Big Companies Cannot Protect Their Data: Barbara Scott just hit the trifecta of computer security breaches. Since the New Year, Ms. Scott has been a victim of three separate cyberattacks. Two weeks ago, the online auction site eBay said in an e-mail to her that there had been suspicious activity on her account. On Monday, she received an e-mail from Zappos and another from 6PM, two online shoe retailers owned by Amazon. Both messages alerted her that — once again — her information had been compromised. The New York Times, January 17, 2012
Hackers Target Children as Adults Wise Up to Spam: Hackers are targeting websites aimed at children, by embedding malicious software in free gaming sites, praying on the young as adults grow wise to their strategies. Forbes, January 19, 2012
Hackers spread malware via children’s gaming websites: Hackers are increasingly targeting child-focused gaming websites, according to a leading anti-virus firm. BBC, January 16, 2012
‘Anonymous’ hackers attack Brazilian websites: RIO DE JANEIRO — The computer hacker group Anonymous attacked websites of Brazil’s federal district Saturday as well as one belonging to a Brazilian singer to protest the forced closure of Megaupload.com. AFP, January 21, 2012
Hackers disrupt websites of Israel’s stock exchange, national air carrier: JERUSALEM — A hacker network that claims to be based in Saudi Arabia paralyzed the websites of Israel’s stock exchange and national airline on Monday, escalating an international cyber war that has jolted this security-obsessed country. The Washington Post, January 16, 2012
Hoping to Teach a Lesson, Researchers Release Exploits for Critical Infrastructure Software: MIAMI, Florida — A group of researchers has discovered serious security holes in six top industrial control systems used in critical infrastructure and manufacturing facilities and, thanks to exploit modules they released on Thursday, have also made it easy for hackers to attack the systems before they’re patched or taken offline. Wired, January 19, 2012
Israel in the frame after rapid rise in cybercrime: There has been a huge and sudden rise in online attacks in the region that seem to originate in Israel, a major anti-virus company warns. The National, January 22, 2012
Israeli and Palestinian hackers trade DDoS attacks in rising cyber-gang war: Pro-Palestinian and pro-Israeli hackers are waging a cyber street-fight in a tit-for-tat exchange of posturing, threats of mass credit card exposures, and denial-of-service attacks. As Hamas has egged on hackers in recent weeks, promoting more “hacktivist” attacks against Israeli targets, pro-Israel hackers have responded in kind, today taking down the websites of stock exchanges in Saudi Arabia and the United Arab Emirates. Both sites appear to be back online. ars technica, January 17, 2012
PSA: McAfee computer security patches flaw: are you fixed?: Earlier this week, the McAfee group began sending out a fix to stopper up a flaw which turned their protection service into a hijacked spam festival. The flaw, they say, was allowing hackers to attach themselves to your computer specifically and shoot spam throughout your machine – hijacking that which was supposed to be protected using a flaw in the system that was supposed to be doing the protecting. The exploit was reported earlier this week by two customers who were taken aback by the flaw earlier this week, McAfee responding with a fix now here at the end of it. SlashGear, January 20, 2012
Alleged Muscovite cybercrime daddy hauled in to face US court: A suspected Russian cyber-crook has arrived in the US to face charges of security fraud, computer hacking and ID theft following his deportation from Switzerland. The Register, January 18, 2012
Defenses Against Hackers Are Like the ‘Maginot Line,’ NSA Chief Says: U.S. companies still aren’t taking the threat of computer attacks seriously enough, despite a recent string of high-profile security failures, top government cybersecurity officials said this week. The Wall Street Journal, January 13, 2012
Viruses stole City College of S.F. data for years: Personal banking information and other data from perhaps tens of thousands of students, faculty and administrators at City College of San Francisco have been stolen in what is being called “an infestation” of computer viruses with origins in criminal networks in Russia, China and other countries, The Chronicle has learned. SFGate, San Francisco Chronicle, January 13, 2012
Tax Department computer glitch inadvertently displayed Social Security numbers: The Vermont Department of Taxes (VDT) inadvertently displayed personal data from a weekly batch of Property Transfer Tax Returns for less than two hours on a vendor portion of its website on January 9th. A computer error began a process that resulted in an extra field added to a routine public report. The social security numbers of 1,332 individuals and the Federal Employee Identification Number of 245 businesses were involved. VTDigger, January 10, 2012
DuPont, Makhteshim, Kodak, News Corp: Intellectual Property: China-based hackers rifled the computers of DuPont Co. at least twice in 2009 and 2010, hunting for technological secrets that made the company one of the world’s most successful chemical makers. Bloomberg, January 11, 2012
FBI Warns of Malware Phishing Scam: So long as people click on unsolicited attachments in e-mail, scammers will invent new ways to take their money, identities and more. The FBI last week issued a warning on one such new Internet blight called “Gameover,” which, once ensconced on your PC, can steal usernames and passwords and defeat common methods of user authentication employed by financial institutions. PC World, January 8, 2012
Malicious Software Attacks Security Cards Used by Pentagon: Chinese hackers have deployed a new cyber weapon that is aimed at the Defense Department, the Department of Homeland Security, the State Department and potentially a number of other United States government agencies and businesses, security researchers say. The New York Times, January 12, 2012
Phishing Campaign Using Spoofed US-CERT Email Addresses: On January 10, 2012, US-CERT received reports of a phishing campaign that is spoofing US-CERT email to deliver a variant of the Zeus/Zbot Trojan known as Ice-IX. This campaign appears to be targeting a large number of private sector organizations as well as federal, state and local governments. US-CERT, January 12, 2012
Lawsuit Claims Symantec “Scareware” Warns Of Fake Threats To Sell Upgrades: Security firms often warn users about “scareware”: malicious software that performs fake antivirus scans and then demands the user pay for a cleanup. Now a lawsuit claims that the world’s top antivirus firm, Symantec, is itself a scareware scammer. Forbes, January 11, 2012
Hack Attacks Now Leading Cause Of Data Breaches: The majority of data breaches stem from hack attacks, followed by data that’s lost while physically in transit. That’s according to a forthcoming study from the Identity Theft Resource Center (ITRC), which assessed all known information relating to the 419 breaches that were publicly disclosed in the United States in 2011. A copy of the report was provided to InformationWeek in advance of its release. InformationWeek, January 12, 2012
Hacking of DuPont computers won’t go unreported anymore: China-based hackers rifled the computers of DuPont Co. at least twice in 2009 and 2010, hunting the technological secrets that made the company one of the world’s most successful chemical makers. DelawareOnline, January 14, 2012
Banks Unite to Battle Online Theft: Rising cybersecurity threats are pushing big banks to do something that doesn’t come naturally for these secrecy-steeped institutions: share information with one another. The Wall Street Journal, January 10, 2012
Rare Legal Fight Takes On Credit Card Company Security Standards and Fines: A small celebrity-friendly restaurant in Utah is finally doing what many merchants have only dreamed of doing for a long time — taking on a part of the payment card industry’s powerful but flawed system for securing card data by fining merchants for failing to secure their data. Wired, January 11, 2012
Park City Eatery Balks at Credit Card Fines in Rare Court Fight: Stephen and Cissy McComb say they managed their Italian eatery in Park City, Utah, for more than two decades without running afoul of security rules of Visa Inc. and MasterCard Inc. — until they were accused of mishandling data and opening the door to $1.26 million in fraud. SFGate, San Francisco Chronicle, January 9, 2012
Israel warns against computer-hacker vigilantism: Israel Thursday called on computer hackers not to take the law into their own hands to avenge attacks on Israeli credit card companies, and said the authorities were capable of countering all cyber threats. Reuters, January 12, 2012
DISA OKs secure Android mobile system for DOD: The Defense Information Systems Agency has certified a secure Android-based mobile system for use by Defense Department agencies. The system allows DOD personnel to sign, encrypt and decrypt e-mail, and securely access data from a smart phone or tablet computer. GCN, January 5, 2012
Israeli, Saudi Hacker Battle Escalates: A war of words and website hacks is escalating in Israel over the purported hack of credit card data by a hacker from Saudi Arabia. InformationWeek, January 11, 2012
Cyber crime a major risk to stability, warns WEF: The survey, which points to a bleak outlook just two weeks before the start of the WEF’s annual meeting in Davos, warns that although the “impacts of crime, terrorism and war in the virtual world have yet to equal that of the physical world but there is a fear that this could change.” The Telegraph, January 11, 2012
Shifting Priorities: Investing in Cybersecurity: Cyber-based threats against information infrastructures in the United States have generated an increasing concern for national security. Understanding these real threats against our nation enforces the need for a shift in prioritization and funding to address any future cyber security threats in all capacities. Partnership in a Secure America, January 13, 2012
NJ ringleader of ID theft, fraud ploy admits guilt: The leader of an identity theft and fraud ring has pleaded guilty in a scheme that federal authorities said operated as a veritable “crime superstore” that reached from northern New Jersey to U.S. territories in the Pacific. Newsday, January 10, 2012
Expect more cyber-espionage, sophisticated malware in ’12, experts say: The security industry expects the number of cyber-espionage attacks to increase in 2012 and the malware used for this purpose to become increasingly sophisticated. ComputerWorld, December 26, 2011
6 Credit Card Mistakes that can ruin your holidays: Credit cards can help make a breeze out of holiday shopping. A few missteps, though, and that breeze can turn into a storm of financial headaches. Dr. Stahl is quoted in this story. creditcards.com, December 2011
Using Starbucks’ WIFI? Security Pro Issues Warning and Security Checklist, an article featuring Dr. Stahl, has been the number one article on Terry Corbell’s site ‘The Biz Coach’ since the portal was launched in 2009.
Double wham bam: AntiSec hacks, dumps CA & NY law enforcement emails: Almost like an echo from retired hackers, those from the 90s who long ago faded into the ether, the motto for 2011 may have been along the lines of “hack the planet.” Yet there are some who obviously learned nothing about the consequences of maintaining sloppy security in 2011. In the cyber world, 2012 was not greeted by the boom of fireworks but by a double wham bam to law enforcement in California and New York. ComputerWorld, January 3, 2012
Saudi hackers leak personal information of thousands of Israelis: Saudi hackers who identified themselves as members of the online Anonymous network claimed on Monday to have leaked files containing personal information, including credit card numbers and expiration dates, belonging to more than 400,000 Israelis. Ynet News, January 3, 2012
Huge Security Breach at Security Firm Symantec No Threat to Consumers, Analyst Says: One of the biggest security firms in the world may need to boost its own security: A hacker stole the source code behind Symantec’s industry-leading antivirus program. Fox News, January 6, 2012
Hackers reveal personal data of 860,000 Stratfor subscribers: A computer hacking group has revealed email addresses and other personal data from former Vice President Dan Quayle, former Secretary of State Henry A. Kissinger, and hundreds of U.S. intelligence, law enforcement and military officials in a high-profile case of cyber-theft. LA Times, January 4, 2012
Army warns of ID theft from Stratfor hack: The Army is warning users of its Army Knowledge Online portal to beware of identity theft following the recent Anonymous hack of intelligence analysis company Strategic Forecasting. GNC, January 3, 2012
Questions About Motives Behind Stratfor Hack: When hackers used the Christmas holiday to attack Stratfor, a security group based in Austin, Tex., they initially said they were aiming to steal the credit card numbers of its clients and use them to make $1 million in donations to charity. New York Times, December 27, 2011
Major security hole in most modern wireless routers: According to a vulnerability notice issued by the US Computer Emergency Readiness Team (US-CERT) on December 27th, just about every Wi-Fi router that supports Wi-Fi Protected Setup (WPS) is vulnerable to a brute force attack. IT Wire, December 27, 2011
New Tools Bypass Wireless Router Security: Security researchers have released new tools that can bypass the encryption used to protect many types of wireless routers. Ironically, the tools take advantage of design flaws in a technology pushed by the wireless industry that was intended to make the security features of modern routers easier to use. KrebsOnSecurity, December 28, 2011
Ramnit Computer Worm Compromises 45K Facebook Logins: A computer worm that has traditionally targeted the financial industry has set its sights on social networking, recently stealing over 45,000 Facebook login credentials, according to security firm Seculert. PC Magazine, January 5, 2012
Report: Phishing attack targets Apple customers: A “vast phishing attack” that attempts to capture the credit card information of Apple customers was launched on Christmas day, according to a report from Mac security-software company Intego. ComputerWorld, December 26, 2011
Turkish hackers avenge France’s ‘genocide bill’: The websites of the French Senate and a National Assembly lawmaker who introduced a bill that would outlaw the denial of the 1915 Turkish ‘genocide’ of Armenians, have been attacked by Turkish hackers. France24, December 29, 2011
Spam Campaign following Kim Jong-il’s Demise Serves Malware: The telecommunications regulator of South Korea alerted that a malicious spam campaign, by capitalizing on Kim Jong-il’s death who was the Workers Party of Korea’s general secretary in North Korea, is striking users’ mailboxes. Help Net Security published this, December 20, 2011. Spamfighter.com, December 27, 2011
Websites targeting Olympics visitors closed down by police: Detectives from the UK’s leading cyber crime unit have identified hundreds of websites that could be used to dupe visitors to next year’s London Olympics. The Guardian, December 26, 2011
GSM phones vulnerable to hijack scams -researcher: Flaws in a widely used wireless technology could allow hackers to gain remote control of phones and instruct them to send text messages or make calls, according to an expert on mobile phone security. Reuters, December 27, 2011
Chamber of Commerce Cyber Attack a Wake-Up Call for In-House Counsel: The extent of the cyber-damage caused by China-based hackers who tapped into the U.S. Chamber of Commerce in 2010 is not yet known. But following the recently publicized information about the attack, the message to in-house counsel is clear: protect yourselves. And that may mean having your company work more closely with the government. Law.Com, December 23, 2011
Cyber strike rampage: White-hot Israel vows to treat hackers like terrorists: In the wake of a massive online dump of Israeli credit card details by “Saudi” hackers, Tel Aviv says it will treat cyber attacks as acts of terror. It has also commended the US, who has hinted at retaliating for such assaults with military action. RT News, January 7, 2012
Dept. of Energy developing project to reinforce grid cybersecurity: The government is trying once again to whip the key players behind the country’s electrical grid into a security force that can defend against mounting cyber threats. Network World, January 5, 2012
Happy 2nd Birthday, KrebsOnSecurity.com!: This past year, KrebsOnSecurity.com has featured more than 200 blog posts, and attracted 5,000+ reader comments. It has been humbling to watch the audience here steadily grow and mature into a community. The expertise and conversations offered by readers in the blog comments have added immeasurably to the value and usefulness of this site. KrebsOnSecurity, December 25, 2011
Two stories this week illustrate the challenge of securing mobile apps. In Android malware infections skyrocket, Juniper Networks reports skyrocketing rates of Android malware infection while App Freedom Vs. Corporate Security illustrates the challenges organizations have in helping users keep their Androids [and their iPhones and other smart devices] free of malware.
The situation with Androids has become so serious that Citadel now recommends to our clients that they “white list” acceptable Android applications while prohibiting staff from accessing sensitive corporate information from Android devices running unapproved apps.
The Android malware risk impacts the phone owner as well as the organization. We are seeing reports of users getting stiffed for thousand dollar cell phone bills after installing applications containing hidden malware designed to secretly use the phone’s text messaging system to send SMS messages to premium rate numbers owned by cyber criminals. Once messages are sent, the money is generally not recoverable.
Breach exposes data at VCU: Virginia Commonwealth University will hire an outside cybersecurity consultant to examine its information technology system after a computer server containing personal data on 176,567 people was hacked last month. Richmond Times-Dispatch, November 12, 2011
Anonymous Leaks Another Computer Expert’s Personal Emails: In a typically nasty personal-political combo, Anonymous has leaked thousands of private emails belonging to a retired California cybercrime investigator named Fred Bacalagan, in what they say is payback for the recent Occupy Wall Street crackdown. Gawker, November 18, 2011
Security watchdog: Norwegian energy, defense industries hit by extensive data-theft attack: OSLO, Norway — Data from Norway’s oil and defense industries may have been stolen in what is feared to be one of the most extensive data espionage cases in the country’s history, security officials said Thursday. The Washington Post, November 17, 2011
Title Firm Sues Bank Over $207k Cyberheist: A title insurance firm in Virginia is suing its bank after an eight-day cyber heist involving more than $2 million in thefts and more than $200,000 in losses last year. In an unusual twist, at least some of the Eastern European thieves involved in the attack have already been convicted and imprisoned for their roles in the crime. November 14, 2011
FCC Small Biz Cyber Planner: Information technology and high-speed Internet are great enablers of small business success, but with the benefits comes the need to guard against growing cyber threats. As larger companies take steps to secure their systems, less secure small businesses are easier targets for cyber criminals. Use this tool to create and save a custom cyber security plan for your company, choosing from a menu of expert advice to address your specific business needs and concerns. FCC.gov
App Freedom Vs. Corporate Security: You can’t prevent employees from snapping up iPads and Droid phones, even if you wanted to. Sixty-five percent of respondents to our InformationWeek 2011 Mobile Device Management and Security Survey predict that the number of employee-owned devices accessing company data will increase. What you can do is use your leverage when they want to connect to business systems by asking them to run mobile device management (MDM) software, which can enforce corporate policies and provide features such as device tracking and remote wiping. Information Week, November 18, 2011
GAO Rips IRS Taxpayer Data Security: A new report from the Government Accountability Office (GAO) ripped into the IRS once again for insufficient access controls, database maintenance, and monitoring necessary to keep taxpayer information safe. The report’s findings echo many of the issues seen in database and application security across many large enterprises today, experts say. Released last week, the GAO’s financial audit reported that during the past fiscal year, the IRS still had glaring holes in internal controls over information security, in spite of initiating efforts to address concerns levied by the GAO in past years. Information Week, November 17, 2011
Exclusive: Lax security at Nasdaq helped hackers: A federal investigation into last year’s cyber attack on Nasdaq OMX Group found surprisingly lax security practices that made the exchange operator an easy target for hackers, people with knowledge of the probe said. The sources did not want to be identified because the matter is classified. Reuters, November 17, 2011
F-Secure Finds Malware Signed With Stolen Digital Certificate: Researchers from security vendor F-Secure have spotted a rare malicious software sample that carried a valid code-signing certificate from a Malaysian governmental institution. PC World, November 14, 2011
Android malware infections skyrocket, says Juniper: Juniper Networks has reported skyrocketing rates of Android malware infections on the networks of its mobile customers, with detected malware more than quadrupling in just the last six weeks. That’s on top of dramatic increases in the previous two years. The report will put more pressure on Google to tighten up security practices in the Android Market. Ars Technica, November 16, 2011
How to Detect Malicious Android Apps Before They Infect Your Smartphone or Tablet: For millions of people, the first thing to do when they get their new smartphone or tablet is to visit the device’s app store and begin downloading games, magazines, utilities and sports apps. Apps are fun, useful and a bit addictive. They can also be dangerous. Malicious apps, especially those for Android devices, are a growing problem for smartphone and tablet users. (Apple devices are protected as long as they’re not “jailbroken” to run unauthorized apps.) Security News Daily, October 25, 2011
Facebook users reel from porn spam attack: After being bombarded with hard-core pornographic and violent images on their news feeds, some Facebook users may change how and if they use the social network, according to industry analysts.Computerworld, November 16, 2011
Foreign hackers targeted U.S. water plant in apparent malicious cyber attack, expert says: Foreign hackers caused a pump at an Illinois water plant to fail last week, according to a preliminary state report. Experts said the cyber-attack, if confirmed, would be the first known to have damaged one of the systems that supply Americans with water, electricity and other essentials of modern life. The Washington Post, November 18, 2011
Water utility hackers destroy pump, expert says: Hackers destroyed a pump used by a US water utility after gaining unauthorized access to the industrial control system it used to operate its machinery, a computer security expert said. The Register, November 17, 2011
DOJ wants to prosecute cyber criminal activity under racketeering law: The set of laws that has allowed federal prosecutors to bring down traditional organized crime gangs should be applied to international cyber crime rings, a top Department of Justice official told a congressional committee on Nov. 15. GSN, November 16, 2011
New Computer Malware May Presage Another Cyberattack, Potentially on Iran: Roughly a year ago, the era of cyberwar officially began with the revelation that a complex computer worm called Stuxnet, allegedly designed in the U.S and tested in Israel, had sabotaged the Iranian nuclear facility in Natanz. The Daily Beast, November 16, 2011
Iran Admits Nuclear Sites Hit by ‘Duqu’ Cyberweapon: Iranian officials admitted Sunday that they had uncovered evidence of the Duqu computer virus — labeled “Son of Stuxnet” by cyber experts — at the Islamic Republic’s nuclear sites, state-controlled IRNA news agency reported. Fox News, November 14, 2011
Sandia Labs: SOPA will ‘negatively impact’ U.S. cybersecurity: Add the Sandia National Laboratories, part of the U.S. Department of Energy, to the list of opponents of a controversial Hollywood-backed copyright bill. Cnet, November 17, 2011
SOPA, controversial online piracy bill, gains support as lobbying intensifies: Several lawmakers expressed support Wednesday for a controversial bill aimed at curbing online piracy as lobbying over the issue reached a fever pitch. The Washington Post, November 16, 2011
Cybercrime Watch: Fabricated Dating Profiles: House lawmakers on Tuesday are slated to mull updating a 1986 anti-hacking law that even ideological opponents agree criminalizes innocent Web surfing. However, when a Senate panel discussed the Computer Fraud and Abuse Act in September, Justice Department officials argued that changing the penalties could let legitimate bad guys off the hook. Nextgov, November 14, 2011
Celeb hacker Christopher Chaney faces fresh charges of identity theft: A US man has been indicted on two additional felony counts for allegedly hacking into an email account belonging to an unnamed actress, according to court documents. AP, November 19, 2011