Adobe Flash Player: Adobe has released version 11.2.202.235 to fix an extremely critical vulnerability. Updates are available from Adobe’s website.

Adobe Illustrator: Adobe has released version CS6 to fix 5 highly critical vulnerabilities. Updates are available from Adobe’s website.

Adobe Flash Professional: Adobe has released version CS6 to fix a highly critical vulnerability. Updates are available from Adobe’s website.

Adobe Shockwave Player: Adobe has released version 11.6.5.635 to fix 5 highly critical vulnerabilities. Updates are available from Adobe’s website.

Apple iOS: Apple has released iOS 5.1.1 for iPhone, iPod, iPad, and iPad 2 to fix several vulnerabilities, several of which are highly critical. The update is available through Apple’s website. We first alerted readers to one of these vulnerabilities in Weekend Vulnerability and Patch Report, March 25, 2012.

Apple Mac OS X: Apple has released updates for OS X Lion v10.7.4 to fix 36 vulnerabilities, many of which are highly critical. The updates are available through the programs or from Apple’s download site.

Microsoft Patch-Tuesday: Microsoft has released 7 updates to fix at least 23 vulnerabilities, many of which are highly critical. Updates include Windows Vista, XP Pro and Microsoft Office Suite. Updates are available through the Window’s Control Panel.

Current Software Versions

Join us on May 16 for ISSA-LA’s 4th Annual Information Security Summit.  Keynote addresses by Alan Paller of the SANS Institute, DHS’ Bruce McConnell and business coach Chris Coffey. Perfect for business, technology and information security leaders. Nonprofits can attend for free by taking advantage of ISSA-LA’s special scholarship fund. Email vp@issa-la.org for more information.

The ISSA Summit provides business leaders with a concentrated, thought-provoking, and valuable education in the nature of these threats, and how organizations can and should mitigate their risks from today’s cyber threats.  I highly recommend that executives take advantage of this annual event.

Eric Schwab
General Manager
GFI Software

Visit the ISSA-LA Summit Website for more information or to register.

Cyber Crime

Hackers target Twitter spammers in massive account data breach: Summary: A massive breach has led to more than 55,000 Twitter accounts being published on the Web. But it appears the hackers may have targeted spammers over ordinary users. Twitter is investigating after 55,000 account details — including username and password combinations — were published online. ZDNet, May 8, 2012

Hackers breach UMaine servers. Affected students made purchases at computer store: A University of Maine computer server breach by hackers may have exposed personal information, including credit card and Social Security numbers of students, college officials said Thursday. Morning Sentinel, May 12, 2012

Cyber Hacktivists

Activist hackers temporarily block Putin’s website: Hackers temporarily blocked President Vladimir Putin’s web site on Wednesday, carrying out a promise to disrupt government information portals two days after his swearing-in for another six-year term that has drawn street protests. Reuters, May 9, 2012

Cyber Risk

Is Your Cloud Provider Exposing Remnants of Your Data?: CIO – If your organization uses a multi-tenant managed hosting service or Infrastructure as a Service (IaaS) cloud for some or all of your data and you aren’t following best practices by encrypting that data you may be inadvertently exposing it. ComputerWorld, May 10, 2012

FBI: Updates Over Public ‘Net Access = Bad Idea: The Federal Bureau of Investigation is advising travelers to avoid updating software while using hotel or other public Internet connections, warning that malicious actors are targeting travelers abroad through pop-up windows while they are establishing an Internet connection in their hotel rooms. KrebsOnSecurity, May 11, 2012

DHS: Hackers Mounting Organized Cyber Attack on U.S. Gas Pipelines: For the past six months, an unidentified group of hackers has been mounting an ongoing, coordinated cyber attack on the control systems of U.S. gas pipelines, prompting the Department of Homeland Security to issue alerts. ABC News, May 8, 2012

At the Crossroads of eThieves and Cyberspies: Lost in the annals of campy commercials from the 1980s is a series of ads that featured improbable scenes between two young people (usually of the opposite sex) who always somehow caused the inadvertent collision of peanut butter and chocolate. After the mishap, one would complain, “Hey you got your chocolate in my peanut butter!,” and the other would shout, “You got your peanut butter in my chocolate!” The youngsters would then sample the product of their happy accident and be amazed to find someone had already combined the two flavors into a sweet and salty treat that is commercially available. KrebsOnSecurity, May 8, 2012

Financial Malware Tricks Users With Claims of Free Credit Card Fraud Insurance: A piece of financial malware called Tatanga attempts to trick online banking users into authorizing rogue money transfers from their accounts as part of the activation procedure for a free credit-card fraud insurance service purportedly provided by their banks, security researchers from Trusteer said Tuesday. IDG News, May 8, 2012

Hackers Gain Access to Homes Through Webcams: Internet users are becoming vulnerable to hackers who can infiltrate software and gain access to webcams. “The main thing to worry about is when software is able to turn on your camera without notifying you, without the user explicitly turning it on, that’s the main issue,” said Feross Aboukhadijeh, a student at Stanford University in California. Information Week, May 9, 2012

Cyber Security Management

HIPAA/HiTECH – Changes on the Way for Covered Providers: The privacy and security landscape for covered providers will soon be changing. A number of rules are finally making their way through the system in relationship to HIPAA, HiTECH and Stage II Meaningful Use. JDSupra, May 9, 2012

Securing the Village

Pentagon to expand cybersecurity program for defense contractors: The Pentagon is expanding and making permanent a trial program that teams the government with Internet service providers to protect defense firms’ computer networks against data theft by foreign adversaries. Washington Post, May 11, 2012

Identity-Theft Victims Given Short Shrift by IRS, Says Watchdog: J. Russell George, the Treasury Inspector General for Tax Administration, or Tigta—an official IRS watchdog—today told a Congressional oversight committee that the Internal Revenue Service gives “confusing and often conflicting instructions” to taxpayers who are victims of identity theft. IRS Deputy Commissioner Steven Miller gave testimony before the committee as well. Wall Street Journal, May 8, 2012

FBI Fears Bitcoin’s Popularity with Criminals: The FBI sees the anonymous Bitcoin payment network as an alarming haven for money laundering and other criminal activity — including as a tool for hackers to rip off fellow Bitcoin users. … That’s according to a new FBI internal report that leaked to the internet this week, which expresses concern about the difficulty of tracking the identify of anonymous Bitcoin users, while also unintentionally providing tips for Bitcoin users to remain more anonymous. Wired, May 9, 2012

Cyber Defenders

Cybersecurity Firms Ditch Defense, Learn To ‘Hunt’: The most challenging cyberattacks these days come from China and target Western firms’ trade secrets and intellectual property. But a problem for some is a business opportunity for others: It’s boom time for cybersecurity firms that specialize in going after Chinese hackers. NPR May 10, 2012

Cyber Research

Cybersecurity Experts Begin Investigation on Self-Adapting Computer Network That Defends Itself Against Hackers: In the online struggle for network security, Kansas State University cybersecurity experts are adding an ally to the security force: the computer network itself. Newswise, May 10, 2012

Adobe Flash Player: Adobe has released version 11.2.202.235 to fix several highly critical vulnerabilities, including an active zero day vulnerability. Updates are available from Adobe’s website.

Adobe Flash Player for Android: Adobe has released updates for the Android mobile device to fix several highly critical vulnerabilities. Updates are available through the Android device.

Google Chrome: Google has released  version 18.0.1025.168 to fix at least 5 vulnerabilities, several of which are highly critical. The update is available through the program.

WinZip: WinZip has released version 16.5 (10095) of the WinZip software to fix a vulnerability. Update from within the program. Note: This month marks the end of support to WinZip’s version 12.0. The support for all versions prior to 12.0 have also expired.

Current Software Versions

Join us on May 16 for ISSA-LA’s 4th Annual Information Security Summit.  Keynote addresses by Alan Paller of the SANS Institute, DHS’ Bruce McConnell and business coach Chris Coffey. Perfect for business, technology and information security leaders. Nonprofits can attend for free by taking advantage of ISSA-LA’s special scholarship fund. Email vp@issa-la.org for more information

I recommend the Summit to both the CIO and their staff because it’s the one day you can count on to get informed, learn how to stay informed, and build a network of strong security professionals who are passionate about supporting the “neighborhood watch” of information security. 

Jennifer Terrill, CISSP
Vice President Information Technology /  CISO
True Religion Brand Jeans

Visit the ISSA-LA Summit Website for more information or to register.

Cyber Crime

Hackers Blackmail Belgian Bank With Threats to Publish Customer Data: Hackers claimed to have breached the systems of the Belgian credit provider Elantis and threatened to publish confidential customer information if the bank does not pay €150,000 (US$197,000) before Friday, May 4, they said in a statement posted to Pastebin. Elantis confirmed the data breach on Thursday, but the bank said it will not give in to extortion threats. PC World, May 3, 2012

Global Payments Breach Window Expands: A hacker break-in at credit and debit card processor Global Payments Inc. dates back to at least early June 2011, Visa and MasterCard warned in updated alerts sent to card-issuing banks in the past week. The disclosures offer the first additional details about the length of the breach since Global Payments acknowledged the incident on March 30, 2012. KrebsOnSecurity, May 4, 2012

Cyber Crime – HIPAA

SC inspector general analyzing security processes following theft of Medicaid information: COLUMBIA, S.C. — South Carolina’s inspector general is reviewing the security systems of state agencies following the theft of more than 228,000 Medicaid patients’ personal information, Gov. Nikki Haley said Monday. The Republic, April 30, 2012

Cyber Hacktivists

Hackers plan attack on Russian government sites: The activist hacker group Anonymous said on Friday it planned to attack Russian government websites in order to support opposition protests ahead of Vladimir Putin’s inauguration as president. Reuters, May 4, 2012

Cyber Privacy

How to Muddy Your Tracks on the Internet: Legal and technology researchers estimate that it would take about a month for Internet users to read the privacy policies of all the Web sites they visit in a year. So in the interest of time, here is the deal: You know that dream where you suddenly realize you’re stark naked? You’re living it whenever you open your browser. The New York Times, May 3, 2012

Cyber Risk

Processor Warns of Hacking Trend: Over the past year, First Data, the largest payments processor in the U.S., has seen an uptick in “trolling” – hackers sniffing networks for remote access into point-of-sale systems that are open or loosely protected. BankInfoSecurity, April 30, 2012

Fears of spying hinder U.S. license for China Mobile: WASHINGTON — Concerned about possible cyber spying, U.S. national security officials are debating whether to take the unprecedented step of recommending that a Chinese government-owned mobile phone giant be denied a license to offer international service to American customers. LA Times, May 5, 2012

Malware for Macs Lucrative, Security Researchers Say: Last month, cybercriminals embarked on what quickly became one of the largest-scale malware attacks on Apple computers to date. Their motive was financial: security researchers now estimate that the infected computers made the malware’s creators $10,000 a day. The New York Times, May 1, 2012

Cyber Threat

Android Apps Slurp Excessive Data: More than one-third of Android apps request “excessive permissions,” giving them access to more data than they require. InformationWeek, May 1, 2012

Snow Leopard hit hardest by Flashback malware: Russian security company Dr. Web recently analyzed one of the latest known variants of the Flashback malware for OS X, and in doing so revealed some interesting statistics regarding the infection rates of the malware — which, by some perspectives, counters criticism of Apple’s lapse in attention to security on OS X. Cnet, April 30, 2012

6 Discoveries That Prove Mobile Malware’s Mettle: Mobile malware hasn’t yet grown to the problematic levels that once plagued Windows PCs back in the days before Trustworthy Computing. That doesn’t mean mobile vulnerabilities aren’t exploitable, though: Today’s security researchers are not only creating and discovering proof-of-concept examples with real-world applicability, but they’re finding in-the-wild samples, too. Dark Reading, May 3, 2012

Cyber Vulnerability

The 10 worst Web application-logic flaws that hackers love to abuse: Hackers are always hunting to find business-logic flaws, especially on the Web, in order to exploit weaknesses in online ordering and other processes. NT OBJECTives, which validates Web application security, says these are the top 10 business-logic flaws they see all the time. NetworkWorld, May 3, 2012

Mac Malware Targeting Unpatched Office Running on OS X: Microsoft is reporting that malware is exploiting unpatched versions of its Microsoft Office Word 2000 suite to compromise Apple Macintoshes running Snow Leopard or earlier versions of Mac OS X. eWeek, May 2, 2012

Adobe warns: Flash Player malware hitting IE on Windows users: Adobe has shipped an extremely urgent Flash Player patch to block in-the-wild malware attacks against Windows users. ZDNet, May 4, 2012

Cyber Security Management

8 Reasons Conficker Malware Won’t Die: Obstinate. That’s how Microsoft has labeled Conficker, which, despite being three years old and targeted for eradication, continues to survive–and even thrive–in corporate networks. InformationWeek, April 30, 2012

Vulnerability Management

Hackers’ Favorite Target Last Year Was a Blast From the Past: If you need more proof that users are a weak link in computer security, look no further than today’s report from Symantec, which showed that hackers’ favorite target in 2011 was a security hole fixed about four years ago. Bloomberg, April 30, 2012

Securing the Village

For Stronger IT Security, Build Relationships, Not Walls: Security leaders put up walls. Firewalls, barriers to entry, ways to control the flow of information. It’s what we do. But ironically, to do a better job of protecting our enterprises, we’ve got to become more open and collaborative. Forbes, May 4, 2012

Cyber Career

Hottest IT Skill? Cybersecurity: Embattled by hactivists, cybercriminals and foreign rivals seeking to steal proprietary information, U.S. corporations are ramping up their hiring of cybersecurity experts, with open jobs reaching an all-time high in April. PC World, May 3, 2012

Cyber Crime Busters

Microsoft says raid damaged cybercrime operation: BALTIMORE – Microsoft and the banking industry Monday provided a detailed, behind-the-scenes account of an operation they said disrupted a major cybercrime operation that used malicious software to allegedly steal $100 million from consumers over the last five years. Fox News, April 30, 2012

Cyber Expose

Flashback malware exposes big gaps in Apple security response: A pair of high-profile malware attacks have given Apple a crash course in security response. Based on recent actions, 70 million current Mac owners have a right to expect much more from Apple than they’re getting today. ZDNet, April 29, 2012

Mozilla Firefox / Thunderbird: Mozilla has released Firefox version 12.0 and Thunderbird version12.0 to correct many highly critical vulnerabilities. Updates are available through the program.

Mozilla Firefox Mobile for Android: Mozilla has released Firefox Mobile version 10.0.4 to correct many highly critical vulnerabilities. Updates are available through the Android device.

Current Software Versions

Join us on May 16 for ISSA-LA’s 4th Annual Information Security Summit.  Keynote addresses by Alan Paller of the SANS Institute, DHS’ Bruce McConnell and business coach Chris Coffey. Perfect for business, technology and information security leaders. Nonprofits can attend for free by taking advantage of our special scholarship fund. Email vp@issa-la.org for more information.

After almost two decades of building and managing technology companies, I can attest to two unmistakable and converging facts.  First, the intellectual property, financial data, and other assets of almost every organization are now in electronic format.  And second, we are seeing a skyrocketing volume of espionage, theft, and other malicious activity conducted against those electronic assets.

The ISSA-LA Summit provides business leaders with a concentrated, thought-provoking, and valuable education in the nature of these threats, and how organizations can and should mitigate their risks from today’s cyber threats.  I highly recommend that executives take advantage of this annual event.

Eric Schwab
General Manager
GFI Software

Visit the ISSA-LA Summit Website for more information or to register.

ISSA-LA

ISSA-LA Offers Free Registration Program For NonProfits: The Los Angeles Chapter of the Information Systems Security Association (ISSA-LA) has created a donation fund of up to $20,000 to IT employees and executives of nonprofits to attend, at no charge to the attendees, the fourth annual Information Security Summit on Wednesday, May 16, 2012 at Hilton Universal City Hotel in Los Angeles. The theme of the one-day Summit is The Growing Cyber Threat: Protect Your Business, which includes the business of operating nonprofits. DarkReading, April 27, 2012

Cyber Security Management

Mac Flashback Malware Still Going Strong, Security Experts Say: Security experts looking at the Flashback malware that had infected hundreds of thousands of Apple Macs worldwide are trying to come to an agreement over how many of these systems are still compromised by the exploit. eWeek, April 23, 2012

Infected Computers to Lose Web Access When FBI Band-Aid Falls Off: The safety net that federal authorities set up several months ago as a countermeasure to a massive malware scam will be shut down in July. When that happens, computers that are still infected with the malware, known as “DNSChanger,” may be completely unable to access the Internet. The FBI and other groups have set up tools to diagnose and mend affected computers. TechNewsWorld, April 23, 2012

One in Five Macs Infected With Malware: Sophos: One in every five Apple Macs is infected with malware, according to a survey by security software firm Sophos. eWeek, April 24, 2012

Cyber Risk – HIPAA

OCR settles HIPAA case for $100k: April 26, 2012 — On April 17, 2012, the United States Department of Health and Human Services Office for Civil Rights (“OCR”) reached a settlement with Phoenix Cardiac Surgery (“PSC”) for alleged violations of the HIPAA Privacy and Security Rules. chiroeco.com, April 26, 2012

Cyber Crime – HIPAA

Hospitals seeing more patient data breaches: A bi-annual survey of 250 healthcare organizations shows that the percentage experiencing a patient data breach is up. And with the growth in electronic records-keeping, more of those problems are originating from laptops and mobile devices rather than a human slip-up in handling paper documents. NetworkWorld, April 13, 2012

Cyber Criminals

Russia’s Million Dollar Hackers: Few nationalities are as good at making money from hacking than the Russians. Their share of the global cyber crime market, an estimated $12.5 billion black market, doubled last year to $4.5 billion, according to Moscow-based Group-IB, a cyber security services firm working mainly with the Russian government and banks to help reduce online fraud. Forbes, April 24, 2012

Refund Tax Fraud, iPhone, Feed Identity Theft By Employees: Last Thursday night, an undercover deputy from the Hillsborough County, Fla. Sheriff’s office, acting on a tip, made a street buy. What makes this noteworthy is he didn’t buy drugs. Instead, he purchased 33 stolen names, birth dates and Social Security numbers. The Sheriff’s office says the seller, Joseph Burden, 29, was found to have 221 names in his book bag and admitted he’d taken them from his employer, Tampa-based ProVest. In an e-mailed statement, ProVest President James Ward says the arrested employee has been placed on leave and that “ProVest takes data security and privacy seriously; numerous precautions are and have been in place to safely guard consumer data.” ProVest ironically, specializes in fraud detection, skip tracing and loss mitigation. Forbes, April 24, 2012

Cyber Legislation

House cybersecurity sponsors respond to privacy concerns: Leaders of the House Permanent Select Committee on Intelligence pledged Tuesday to amend their cybersecurity bill, the Cyber Intelligence Sharing and Protection Act, to address the main concerns raised by civil libertarians and privacy advocates. The revisions are clear improvements, and they show that the committee is trying hard to limit the measure’s scope. Nevertheless, the bill still has a fundamental problem: By encouraging network operators to share information with the government about what their customers do online, it threatens to turn ISPs and online service providers into snoops. LA Times, April 25, 2012

House GOP dares Senate on cybersecurity: The House is sending a message to the White House and Senate Democrats this week by passing a batch of cybersecurity bills aimed at preventing the digital version of a Pearl Harbor: Not on our watch. Politico, April 25, 2012

Cybersecurity bills aim to prevent ‘digital Pearl Harbor’: NEW YORK (CNNMoney) — Cybercrime isn’t just a threat to your bank account or personal computer — it’s an issue of national security.Foreign spies and organized criminals are inside of virtually every U.S. company’s network. The government’s top cybersecurity advisors widely agree that cyber criminals or terrorists have the capability to take down the country’s critical financial, energy or communications infrastructure. CNN, April 23, 2012

Apple Update for Java: Apple has released updates for Java for OS X Lion and Mac OS X to remove variants of the Flashback malware. The updates are available through the programs or from Apple’s download site.

Android TwitRocker2: Android released an update for TwitRocker2 for the Android to fix a vulnerability. Update to version 1.0.23.

IBM Java 6: IBM has released updates for Java 6 to fix at least 12 vulnerabilities, some highly critical. Update to version 6 SR10-FP1.

IBM Java 5: IBM has released updates for Java 5 to fix at least 12 vulnerabilities, some highly critical. Update to version 5.0 SR13-FP1.

Current Software Versions

Join us on May 16 for ISSA-LA’s 4th Annual Information Security Summit.  Keynote address by Alan Paller. Special keynote address by Chris Coffey. Perfect for business, technology and information security leaders.

I recommend the Summit to both the CIO and their staff because it’s the one day you can count on to get informed, learn how to stay informed, and build a network of strong security professionals who are passionate about supporting the “neighborhood watch” of information security. 

Jennifer Terrill, CISSP
Vice President Information Technology /  CISO
True Religion Brand Jeans

Visit the ISSA-LA Summit Website for more information or to register.

Cyber Crime

Thieves Replacing Money Mules With Prepaid Cards?: Recent ebanking heists — such as a $121,000 online robbery at a New York fuel supplier last month — suggest that cyber thieves increasingly are cashing out by sending victim funds to prepaid debit card accounts. The shift appears to be an effort to route around a major bottleneck for these crimes: Their dependency on unreliable money mules. KrebsOnSecurity, April 13, 2012

Cybercriminals Check In At Hotel Point-Of-Sale Systems: Cybercrime gangs are increasingly finding hotel point-of-sale systems hospitable to attack: Researchers have spotted a new remote access Trojan (RAT) tool for sale in underground forums that targets hotel computers at a global hotel chain. Dark Reading, April 19, 2012

Cyber Vulnerabilities

Flashback Malware Still Affects 140,000 Macs: Apparently not all Mac users got the memo about Flashback, the malware that recently infected more than 600,000 computers running OS X. According to security firm Symantec, roughly 140,000 Mac computers were still infected as of April 16. CIO, April 18, 2012

Google Warns 20,000 Websites They Could Be Infected with Malware: Google has warned 20,000 websites that they might be hacked and injected with JavaScript redirect malware, Google said. CIO, April 19, 2012

The malware numbers game: how many viruses are out there?: How many distinct strains of malware are in circulation today? If you said hundreds of thousands or millions, you’re way off. A close look at numbers from one leading security company helps explain why some big numbers don’t tell the whole story. ZDNet, April 15, 2012

Cyber Security Management

Three Security Snags That Expose The Database: Insecure Web apps, no linkage to IAM, and poorly configured segmentation all contribute to database vulnerability. Dark Reading, April 19, 2012

The Benefits Of Top-Down Security: While enterprise-level breaches often get the attention of C-level suite executives and the members of their IT staff, industry research shows it actually falls to rank-and-file employees to apply best practices and exercise sound judgment in order to properly contain them. Dark Reading, April 18, 2012

Board: Protect medical devices from cybercrime: Medical devices such as insulin pumps are at increased risk of cybersecurity breaches, which puts millions of patients at risk of significant harm, warns the Information Security and Privacy Advisory Board (ISPAB). FierceHealthIT, April 16, 2012

Enterprise Networking: Data Security in the BYOD Era: 10 Big Risks Facing Enterprises: Rogue and shadow IT have been problems for data and network security and compliance officers for a long time, but the rising number of bring-your-own-device (BYOD) proponents is threatening to become a much larger overall issue. Most organizations do not have the tools to ensure security of their data on just any device, especially when those devices will be by definition either partially or totally unmanaged. In addition, organizations are grappling with the challenges these pose for the enterprise network. Traditional security technologies that rely on endpoint security, configuration management, or establishing and controlling a network perimeter are ill-suited for a BYOD-friendly company, prompting CIOs to turn to more innovative, data-centric approaches as they come to terms with losing control of access to sensitive data. And make no mistake: 2012 is all about control of data. Our expert resource for this slideshow is Ryan Kalember, vice president of strategy at WatchDox, which enables organizations to access, share and control their documents on any tablet, smartphone or PC—even those beyond the IT department’s control. eWeek, April 17, 2012

Securing the Village

America’s cyber czar speaks: Howard Schmidt, special assistant to U.S. president Barack Obama and White House cybersecurity coordinator, appeared this morning before a group of executives gathered at Bloomberg’s New York headquarters to discuss his goals, challenges and hopes for American cybersecurity. ZDNet, April 20, 2012

Microsoft Responds to Critics Over Botnet Bruhaha: Microsoft’s most recent anti-botnet campaign — a legal sneak attack against dozens of ZeuS botnets — seems to have ruffled the feathers of many in security community. The chief criticism is that the Microsoft operation exposed sensitive information that a handful of researchers had shared in confidence, and that countless law enforcement investigations may have been delayed or derailed as a result. In this post, I interview a key Microsoft attorney about these allegations. KrebsOnSecurity, April 18, 2012

Cyber Crime Economics

The Cybercrime Wave That Wasn’t: In less than 15 years, cybercrime has moved from obscurity to the spotlight of consumer, corporate and national security concerns. Popular accounts suggest that cybercrime is large, rapidly growing, profitable and highly evolved; annual loss estimates range from billions to nearly $1 trillion. While other industries stagger under the weight of recession, in cybercrime, business is apparently booming. The New York Times, April 14, 2012

Hacktivists

Anonymous Must Evolve Or Break Down, Say Researchers: The movement started as an Internet meme and grew into a complex and chaotic community. Security experts argue that the Anonymous brand is now in danger of imploding. Dark Reading, April 19, 2012

Cyber Legislation

House committees approve 2 cybersecurity bills”>House committees approve 2 cybersecurity bills: Two cybersecurity bills were approved by House committees on Wednesday. Those bills — as well as a third cybersecurity bill — are expected to be considered on the House floor as soon as next week. Federal Times, April 18, 2012

Cyber crime official optimistic on new legislation: The Obama administration’s top cyber security official says companies would not be unduly burdened by a Senate bill that would phase in security standards for key parts of the country’s privately held infrastructure. Chicago Tribune, April 16, 2012

New CISPA Draft Narrows Cybersecurity Language as Protests Loom: The U.S. House Intelligence Committee has released a new draft of the Cybersecurity Intelligence Sharing and Protection Act (CISPA), narrowing the definition of “cybersecurity threat” in response to alarms being sounded throughout the technology community. Mashable, April 14, 2012

Adobe Reader / Acrobat: Adobe has released several updates for Acrobat and Reader to fix at least 17 vulnerabilities, several of which are highly critical. The updates are available through the programs.

Apple Update for Java: Apple has released updates for Java for OS X Lion and Mac OS X to remove variants of the Flashback malware. The updates are available through the programs or from Apple’s download site.

Microsoft Internet Explorer: Microsoft has released an update for Internet Explorer to fix at least 5 vulnerabilities, several of which are highly critical. The update is available through the Windows Control Panel.

Microsoft Office / Works: Microsoft has released updates for Office and Works to fix a highly critical vulnerability. The updates are available through the Windows Control Panel.

Microsoft Patch Tuesday: Microsoft has released numerous updates to fix at least 20 vulnerabilities, many of which are extremely critical. According to Secunia, some of the vulnerabilities are being actively exploited by cyber criminals in targeted attacks. This makes it extremely important to quickly apply  the updates. The updates are available through the Windows Control Panel. [See below for additional updates For Your IT Department]

Current Software Versions

Join us on May 16 for ISSA-LA’s 4th Annual Information Security Summit.  Keynote address by Alan Paller. Special keynote address by Chris Coffey. Perfect for business, technology and information security leaders.

Information security is here. It’s now. And while we see stories in the paper about problems, there is little information about what we as business leaders need to do. I have been impressed with what i have learned from attending the ISSA-LA Summit.   I have gained important knowledge about protecting my business. And about the competitive advantage I achieve when I protect my customers’ sensitive information.

Leading edge Information security requires everyone in your organization to get involved, to work together as a team. This takes leadership. This is what the Summit is all about. By attending yourself and bringing one or two members of your team you will leave with actionable insights.  No group understands information security like ISSA-LA. That’s why I’m going to Summit IV and that’s why I recommend ISSA-LA’s Information Security Summit to my clients. We are fortunate to have this organization gathering so many experts together. It is a not to be missed opportunity.

Tom Drucker
President
Consultants in Corporate Innovation

Visit the ISSA-LA Summit Website for more information or to register.

Cyber Crime

Utah breach 10X worse than originally thought: The scope of a data breach involving a Medicaid server at the Utah Department of Health is much worse than originally thought. State officials now say that close to 280,000 Social Security Numbers may have been exposed in the incident instead of 25,000, as originally believed. ComputerWorld, April 9, 2012

Cyber Threats

Checking for Mac Flashback infestation? There’s an app for that: Our post from Friday about how to check your Mac for a Flashback malware infection has been wildly popular so far. And with good reason, too, since a second security firm has now backed up the numbers indicating that more than half a million Macs have been infected. That’s slightly more than 1 percent of all 45 million Macs in the world—still a relatively small number, but a worrisome one for Mac users, as the tally of infected machines continues to grow. ars technica, April 9, 2012

Criminals Hide Malware in Version of ‘Angry Birds: Space’: A version of the hit game Angry Birds: Space that’s been seeded with malware has been discovered in the wild, although only the adventurous may risk being infected. PC Magazine, April 12, 2012

HP’s Malware-Laden Switches Illustrate Supply Chain Risks: Hewlett-Packard is trying to figure out what happened as the technology giant warned customers that some of the HP ProCurve switches shipped last year contained malware-laden flash cards. PC Magazine, April 12, 2012

Cyber Security Management

Has Security Bloom Fallen off the Rose for Macs?: Dr. Stahl is quoted extensively in this story. For years in terms of security, Windows has been considered inferior to Macs. But no longer thanks to malware security epidemics. Apple is under increasing pressure to take preventative security measures by cyber experts in the wake of 600,000 malware-infected Macs. The Biz Coach, April 11, 2012

Conversations On Cybersecurity, Part 4: Effective Protection: Alan Paller, Research Director, SANS Institute:  When we last left the attorneys, they had asked what they could do to stop the targeted attacks that the Chinese and other competitors used in industrial espionage. Forbes, March 5, 2012

Data Security: Who’s Winning the Cyber War?: Data security has long been a priority for financial services firms. But a wave of very public cyber attacks by international hacker groups such as Anonymous, combined with an already distrustful public following the financial crisis, has forced financial services firms to step up their network security to prevent data breaches and regain clients’ trust. While victims of some of the more notable attacks and data breaches of 2011 were large consumer companies and government agencies — including Sony, PBS, the U.S. Senate, and even the CIA and FBI — security experts say financial services firms, traditionally a popular target of fraudsters, are increasingly a target of criminal hackers. Wall Street & Technology, April 9, 2012

ISSA-LA – Securing the Village

World renowned executive and leadership coach Chris Coffey will be a featured speaker at the Los Angeles Chapter of the Information Systems Security Association’s (ISSA-LA) fourth annual Information Security Summit on Wednesday, May 16, 2012 at Hilton Universal City Hotel in Los Angeles. The theme of the one-day Summit is The Growing Cyber Threat: Protect Your Business. PRLog, April 12, 2012

Cyber Updates

Adobe, Microsoft Issue Critical Updates: Adobe and Microsoft today each issued critical updates to plug security holes in their products. The patch batch from Microsoft fixes at least 11 flaws in Windows and Windows software. Adobe’s update tackles four vulnerabilities that are present in current versions of Adobe Acrobat and Reader. KrebsOnSecurity, April 10, 2012

Apple’s Flashback malware remover now live: Apple this afternoon released an integrated tool to remove Flashback, malware designed to steal user information that was estimated to be present in more than half a million machines just last week. Cnet, April 12, 2012

Cyber Risks

FBI: Smart Meter Hacks Likely to Spread: A series of hacks perpetrated against so-called “smart meter” installations over the past several years may have cost a single U.S. electric utility hundreds of millions of dollars annually, the FBI said in a cyber intelligence bulletin obtained by KrebsOnSecurity. The law enforcement agency said this is the first known report of criminals compromising the hi-tech meters, and that it expects this type of fraud to spread across the country as more utilities deploy smart grid technology. KrebsOnSecurity, April 11, 2012

Cyber Sabatoge — Stuxnet

Stuxnet Loaded by Iran Double Agents: The Stuxnet virus that damaged Iran’s nuclear program was implanted by an Israeli proxy — an Iranian, who used a corrupt “memory stick.32,” former and serving U.S. intelligence officials said. ISSSource, April 11, 2012

Cyber Law

House to take up cybersecurity bill with revisions: (Reuters) – The U.S. House of Representatives will take up a cybersecurity bill at the end of April that lets the government and corporations share information about hacking attacks on U.S. networks, with amendments intended to ease civil liberties concerns, lawmakers said on Tuesday. Reuters, April 11, 2012