Cyber Security News of the Week, April 22, 2011

Internet Badlands

Scammers take advantage of Epsilon data breach: Scammers are exploiting the recent breach at email marketing provider Epsilon by setting up a copy of Epsilon’s website that offers a ‘security tool’ which supposedly tells visitors whether their data was affected. Virus Bulletin, April 18, 2011 [Read Citadel's analysis of Epsilon here.]

Cybercriminals Target Consumers Looking to Give Disaster Relief: The emails read: “I’m Mrs. Mariam Ellis, a devoted humanitarian, with your assistance I want to set up a foundation (worth millions of dollars) to help the victims of Tsunami in Japan and other environments around the world. The funds are available. Please contact me for more details…”. Fox News

Scam may target Texans after personal data leak. Telephone scammers may be targeting the nearly 3.5 million Texans who had their Social Security numbers and other vital personal information inadvertently exposed to the public, the state attorney general’s office warned Tuesday. Bloomberg BusinessWeek, April 19, 2011

‘Naked pic’ scam spreads across Internet: A new email scam is hoping to catch eager Web surfers with their pants down. MSNBC, Security News Daily

Android Skype Users Had Personal Info Exposed to Malicious Apps: Skype’s Android application stored its user data (account details, contacts and chat logs) in files with world-readable permissions and no encryption, so any other application on the phone could read them. Skype users on Android may therefore have had sensitive personal information stolen by malicious apps. TopTechReviews.net, April 18, 2011
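The mistake behind the Skype item is a permissions bug, not an exploit: files in an app’s private data directory carried world-access bits, and on Android every installed app runs as its own Linux UID, so “other” means “every other app”. The following is an added example, not code from Skype or from the article: a small audit-and-fix script that walks a directory tree, reports anything with world read/write/execute bits, and restricts it to its owner (0600 for files, 0700 for directories, the same mode Android’s MODE_PRIVATE produces). The directory layout and file names are a constructed stand-in for an app’s data directory; on a rooted device the equivalent check is `ls -lR /data/data/<package>`.

```python
import os
import stat
import tempfile
from pathlib import Path

# Any of these bits lets every other UID on the device access the file.
# On Android that means every other installed app, which is exactly how
# the 2011 Skype databases leaked.
WORLD_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH


def find_world_accessible(root):
    """Walk root and return sorted (relative_path, mode) pairs for every file
    or directory that carries a world-access bit. Symlinks are skipped: the
    kernel checks the target's bits, not the link's."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = Path(dirpath) / name
            mode = path.lstat().st_mode
            if stat.S_ISLNK(mode):
                continue
            if mode & WORLD_BITS:
                findings.append((path.relative_to(root).as_posix(),
                                 oct(stat.S_IMODE(mode))))
    return sorted(findings)


def harden(root):
    """Restrict everything under root to its owner: 0o700 for directories,
    0o600 for regular files. Returns how many entries actually changed."""
    changed = 0
    for dirpath, dirnames, filenames in os.walk(Path(root)):
        targets = [(d, 0o700) for d in dirnames] + [(f, 0o600) for f in filenames]
        for name, want in targets:
            path = Path(dirpath) / name
            mode = path.lstat().st_mode
            if stat.S_ISLNK(mode):
                continue
            if stat.S_IMODE(mode) != want:
                os.chmod(path, want)
                changed += 1
    return changed


def build_sample_app_dir():
    """Constructed fixture, not a dump from a real phone: mimics an app's
    private data directory created with the weak modes the Skype bug set
    (0777 directories, 0666 files), plus one correctly protected file."""
    base = Path(tempfile.mkdtemp(prefix="app_data_"))   # mkdtemp itself uses 0o700
    user_dir = base / "files" / "alice"
    user_dir.mkdir(parents=True)
    weak_files = [user_dir / "main.db", user_dir / "config.xml"]
    for f in weak_files:
        f.write_text("constructed sample content\n")
    # mkdir()/open() honour the umask, so set the intended weak modes explicitly
    os.chmod(base / "files", 0o777)
    os.chmod(user_dir, 0o777)
    for f in weak_files:
        os.chmod(f, 0o666)
    safe = user_dir / "private.db"
    safe.write_text("constructed sample content\n")
    os.chmod(safe, 0o600)
    return base


if __name__ == "__main__":
    root = build_sample_app_dir()
    for rel, mode in find_world_accessible(root):
        print(f"world-accessible: {rel} ({mode})")
    print(f"fixed {harden(root)} entries; remaining: {find_world_accessible(root)}")
```

The audit flags the two 0777 directories and the two 0666 files and leaves `private.db` alone; after `harden()` a second pass finds nothing. Fixing the bits is only half the remedy the Skype case called for: data that other apps must never see should also be encrypted at rest, since a rooted device or a backup ignores file modes entirely.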

The Cloud

Amazon Cloud Failure Takes Down Web Sites. A widespread failure in Amazon.com’s Web services business was still affecting many Internet sites on Friday morning, highlighting the risks involved when companies rely on so-called cloud computing. New York Times, April 21, 2011

Rays of Sunshine

ISSA of Los Angeles Announces Carl Terzian Distinguished Keynote Speaker at 3rd Annual Information Security Summit. The Los Angeles Chapter of the Information Systems Security Association (ISSA-LA) announces Carl Terzian, chairman of Carl Terzian Associates, as Distinguished Keynote Speaker at its third annual Information Security Summit on Protecting Businesses from Cyber Attacks. The theme of this year’s Summit is The Growing Cyber Threat: Protect Your Business. The Summit will be held Wednesday, June 15, 2011 at 7:30 AM on the UCLA Campus and will be hosted by UCLA Extension. PRLog.org, April 22, 2011 [Visit ISSA-LA for more information or to register]

U.S. Government Targets Ring Infecting 2.3 Million Computers: The FBI and the Justice Department on Wednesday began dismantling a ring of international computer thieves who stole hundreds of millions of dollars worldwide by infecting over 2.3 million computers with malicious software. It was the biggest such enforcement action U.S. authorities have ever taken against cyber criminals. Fox News, April 13, 2011

U.S. Government Takes Down Coreflood Botnet: The U.S. Justice Department and the FBI were granted unprecedented authority this week to seize control over a criminal botnet that enslaved millions of computers and to use that power to disable the malicious software on infected PCs. KrebsOnSecurity, April 14, 2011

Surveys and Reports

Verizon Security Report: Data Breaches At New Highs In 2010: According to a new report by Verizon and the U.S. Secret Service, a record number of data breaches were reported in 2010, though the number of compromised records dropped dramatically to 4 million in 2010 from 144 million in 2009. Huffington Post, April 19, 2011

Are Megabreaches Out? E-Thefts Downsized in 2010: The number of financial and confidential records compromised as a result of data breaches in 2010 fell dramatically compared to previous years, a decrease that cybercrime investigators attribute to a sea-change in the motives and tactics used by criminals to steal information. At the same time, organizations of all sizes are dealing with more frequent and smaller breaches than ever before, and most data thefts continue to result from security weaknesses that are relatively unsophisticated and easy to prevent. Krebs On Security, April 19, 2011

Security lags cyberattack threats in critical industries, report finds: The world’s water treatment plants, power grids, and other vital industries are seeing escalating cyberattacks, but are not ramping up security fast enough, says a new global report. Christian Science Monitor, April 20, 2011

Sharp Rise in Cyber Attacks on Grids Is Reported: McAfee, a network security firm in Santa Clara, Calif., and the Center for Strategic and International Studies (CSIS) in Washington have issued a report documenting a high rate of cyber attacks against electric power grids in the 14 countries surveyed. Of 200 IT executives questioned, 40 percent thought vulnerabilities had increased, 30 percent thought their companies were not adequately prepared, and 40 percent expected a major attack in the next year. Energy Wise, April 20, 2011

National lab lax in securing nuclear stockpile information, says audit. Lawrence Livermore National Laboratory has fallen short in securing information about the US nuclear stockpile, according to a Department of Energy (DOE) audit. infosecurity, April 20, 2011

Securing the Future

Obama Calls for Secure Online-Identity System. President Barack Obama unveiled an ambitious proposal Friday, the National Strategy for Trusted Identities in Cyberspace, urging the private sector to create a trusted-identity system to boost consumer security in cyberspace. Digital rights groups cautiously welcomed the first-of-its-kind government proposal, calling it a blueprint for increased internet security and privacy, as the nation drifts to the virtual world to take care of basic needs from grocery shopping to paying taxes and dating. Wired, April 15, 2011

The Web’s Trust Issues: THE most dubious phrase in English after “act natural” is “trust me”. A party asking for trust without offering a reason why is probably untrustworthy. And yet the internet’s entire security ecosystem relies on precisely that reasoning. Browsers believe in the integrity of secured websites based on other unknown parties’ word. In these complicated times such implicit trust may be misplaced. Thankfully, work is afoot to change how trust is assigned, and it cannot come too quickly. The Economist, April 18, 2011

Privacy Matters

Tracking File Found in iPhones: Apple faced questions on Wednesday about the security of its iPhone and iPad after a report that the devices regularly record their locations in a hidden file. New York Times, April 20, 2011

Dumb and Dumberer

French Hacker Cuffed After Bragging on Telly: A French hacker who boasted of breaking into the systems of a government security contractor on national television has suffered some unsurprising consequences. The Register, April 14, 2011

Stan Stahl Ph.D. April 24, 2011 Filed in Internet badlands, Ray of Sunshine, Security Surveys

Another Survey Tells Same Sad Story of Growing Internet Dangers

McAfee released a report today showing that malware (malicious software) reached its highest levels ever in the first half of 2010. The company identified 6 million malicious files in the second quarter, making a total of 10 million malicious files over the first six months of the year. Attacks targeting social media users were among the most common attack vectors, and password-stealing Trojan horses, commonly used in online bank thefts, were among the most common payloads.

The report reconfirms everything we’ve been saying since we began this blog 18 months ago. There has been a sea change in cybercrime: threats are more sophisticated than ever, weaknesses and vulnerabilities abound, and defenses have not kept pace.

The report is a reminder to every organization to take a critical look at its defenses — everything from policies and employee awareness training to modern intrusion prevention systems. It needs to make sure it’s employing a cost-effective defense-in-depth strategy covering all three critical information security management domains:

  1. Corporate security management
  2. Security management of the IT infrastructure
  3. Point-in-Time security of the IT infrastructure

It’s also a time to talk to your attorney and your insurance broker. Your attorney can make sure you’re aware of your legal responsibilities and can provide counsel on sharing sensitive information with third parties. Your insurance broker can help you transfer some of your residual security risk through cyber-insurance policies.

Thanks to Terry Corbell for alerting us to this story.

Report Shows Weaknesses in Anti-Virus Engines

Brian Krebs reports on a research report just released by Google on the increasing difficulty defenders have in countering cybercriminals who spread fake anti-virus programs, commonly known as scareware. Google’s data shows that purveyors of scareware have aggressively stepped up their efforts to evade detection, both by legitimate anti-virus software and by Google’s own detection systems.

According to Google’s Niels Provos, “We found that if you have anti-virus protection installed on your computer but the [malware detection] signatures for it are out-of-date by just a couple of days, this can drastically reduce the detection rates. It turns out that the closer you get to now, the commercial anti-virus programs were doing a much worse job at detecting pages that were hosting fake anti-virus payloads.”

As to the danger, Krebs writes: “Fake anti-virus attacks use misleading pop-ups and videos to scare users into thinking their computers are infected and offer a free download to scan for malware. The bogus scanning programs then claim to find oodles of infected files, and victims who fall for the ruse often are compelled to register the fake anti-virus software for a fee in order to make the incessant malware warnings disappear. Worse still, fake anti-virus programs frequently are bundled with other malware. What’s more, victims end up handing their credit or debit card information over to the people most likely to defraud them.”

Read the story, with a link to the Google report, at KrebsOnSecurity.com …

For what to do if you become a scareware victim, read Brian Krebs’ tutorial here …

Symantec 2009 Global Internet Security Threat Report

Symantec has published its 2009 Global Internet Security Threat Report. According to the report, the top web-based attacks in 2009 targeted Internet Explorer and Adobe Acrobat/Reader. The report notes the growth of PDF-based attacks, from 11% of web-based attacks in 2008 to 49% in 2009, and covers threat activity, vulnerability trends, phishing and the underground economy.
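The PDF statistic points at the 2009 attack pattern: a document whose auto-run action hands control to JavaScript that triggers a Reader bug, with the real payload hidden inside a compressed object stream and key names hex-escaped so a plain text search misses them. The following is an added example, not code from Symantec’s report or from this blog: a small triage scanner in Python that inflates FlateDecode streams, un-escapes name objects, and counts the dictionary keys an exploit document usually needs. The suspicious-key list is my own choice, and the sample document is constructed inline so the script runs offline. A hit is a triage signal, not proof of malice: legitimate forms use /JavaScript and /OpenAction too.

```python
import re
import zlib

# Dictionary keys an exploit document usually needs: script execution,
# auto-run hooks, launch/embedded payloads, and the JBIG2 decoder that was
# a frequent Reader target in 2009. Chosen here for illustration.
SUSPICIOUS_KEYS = {
    b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
    b"/EmbeddedFile", b"/RichMedia", b"/JBIG2Decode",
}

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_NAME = re.compile(rb"/[^\s/\[\]<>(){}%]+")            # a PDF name object
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
_OBJ = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)


def decode_name(raw):
    """Undo name hex-escaping: /J#61vaScript -> /JavaScript. Grep-style
    signatures miss the escaped form; the viewer does not."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def split_streams(data):
    """Return (data with FlateDecode stream bodies removed, [inflated bodies]).
    The payload of 2009-era exploit PDFs usually sits inside a compressed
    object stream, so the outer file can look harmless."""
    inflated = []

    def strip_obj(m):
        body = m.group(3)
        if b"/FlateDecode" not in body:
            return m.group(0)
        s = _STREAM.search(body)
        if not s:
            return m.group(0)
        try:
            inflated.append(zlib.decompress(s.group(1)))
        except zlib.error:
            return m.group(0)   # corrupt or truncated stream: leave raw bytes in place
        return m.group(0).replace(s.group(1), b"")

    return _OBJ.sub(strip_obj, data), inflated


def scan_pdf(data):
    """Triage one PDF (bytes). Counts suspicious keys across the outer file and
    every inflatable stream, and reports how many names used hex escapes."""
    outer, inflated = split_streams(data)
    hits, hex_escaped = {}, 0
    for layer in [outer] + inflated:
        for raw in _NAME.findall(layer):
            if b"#" in raw:
                hex_escaped += 1
            name = decode_name(raw)
            if name in SUSPICIOUS_KEYS:
                key = name.decode("latin-1")
                hits[key] = hits.get(key, 0) + 1
    return {
        "objects": len(_OBJ.findall(data)),
        "streams_inflated": len(inflated),
        "hex_escaped_names": hex_escaped,
        "hits": hits,
        "suspicious": bool(hits),
    }


def build_sample_pdf():
    """Constructed test document, not a real exploit: the catalog's /OpenAction
    points at object 5, which exists only inside a FlateDecode object stream
    and spells its action type as /J#61vaScript."""
    js = b"app.alert('constructed sample standing in for exploit code');"
    # ObjStm body: "objnum offset" header, then the object itself at /First
    hidden = b"5 0 " + b"<< /S /J#61vaScript /JS (" + js + b") >>"
    packed = zlib.compress(hidden)
    objs = [
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>\nendobj\n",
        b"4 0 obj\n<< /Type /ObjStm /N 1 /First 4 /Length %d /Filter /FlateDecode >>\n"
        % len(packed) + b"stream\n" + packed + b"\nendstream\nendobj\n",
    ]
    return b"%PDF-1.4\n" + b"".join(objs) + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    print(scan_pdf(build_sample_pdf()))
```

On the constructed sample a text search for “/JavaScript” finds nothing, while `scan_pdf()` reports one inflated stream, one hex-escaped name and hits on /OpenAction, /JavaScript and /JS. Real samples add further layers (nested filters, strings split across concatenations, ASCIIHex or LZW encodings), which is why signature-only detection fell behind in the period the report covers.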

Download the Executive Summary from Symantec … 

Download the entire Report …

Stan Stahl Ph.D. April 22, 2010 Filed in Cyber Security Management, Internet badlands, Security Surveys

Cyber Security Survey Finds Businesses’ Most Valuable Data at Risk

The survey, conducted by Forrester Consulting, identified two primary types of information needing to be secured: (1) sales lists, strategies and other secrets that confer competitive advantage, and (2) custodial information, such as credit card numbers and other regulated personal data, that organizations are obliged to protect. One of the survey’s conclusions: security investment is overweighted toward compliance with custodial-data requirements and underweighted toward protecting the secrets that carry most of a company’s value.

Read more at eSecurity Planet …

Stan Stahl Ph.D. April 5, 2010 Filed in Cyber Security Management, Security Surveys