Chinese hacker who breached Google gained access to sensitive data, US officials say
According to current and former government officials, the hackers gained access to a sensitive database with years’ worth of information about U.S. surveillance targets
Why don’t risk management programs work?
“Risk management programs don’t work because our profession doesn't, in large part, understand risk” – agree? Disagree?
Journalists Find Massive Data Security Lapse, Get Threats Instead of Thanks
Telecom firms may sue the reporters who uncovered mishandled customer data; sounds like security research to me
Few utilities complying with voluntary anti-Stuxnet measures
“A voluntary approach to cybersecurity might make sense for some sectors, but experience shows that it cannot be relied upon to protect the electric grid.”
Federal government hunkers down for massive cyber attack Tuesday
#OPUSA could affect agencies across the Federal government
Research reveals reality of password sniffing over HTTP connections
When you load a login form over HTTP, ‘anything you do after that is a little bit pointless’
'Aggressive' espionage-for-hire operation behind new Mac spyware
An Indian malware service is building attack software for projects involving secret surveillance
Opinion: Cyber security, what’s in a word?
Hate the ‘cyber’ prefix that’s taking over security news? Here’s why you should get over it
California’s Right to Know law was recently put on hold because of push-back from various technology companies and business lobbies. The law aimed to provide consumers with greater transparency on how online vendors use their data.
Listen to Tim Erlin, Lamar Bailey, Andrew Storms and Dwayne Melançon discuss the Right to Know law and more on Tripwire's State of Security blog.
Chinese hackers resume attacks on US targets
Unit 61398, the People’s Liberation Army cyber unit featured in the Mandiant report earlier this year, is now operating at 60 percent to 70 percent of previous levels
Millions hit by Yahoo Japan hack attack
22 million IDs, but no passwords or other identifying info, may have been stolen
Large Attacks Hide More Subtle Threats In DDoS Data
According to DDoS mitigation experts, the worst denial of service attacks are not the biggest ones, nor the ones that knock applications down
Want To Destroy Any Hope Of Serious Cybersecurity? Give The DOJ Its Desired Backdoor Wiretaps On All Communications
The Obama administration has been "considering" the latest version of the DOJ's plan to require backdoor wiretapping abilities in any form of digital communication
Jailed hacker designs device to thwart ATM skimming
The device is meant to be installed over the ATM's card slot or incorporated into new ATM models, and requires cards to be inserted into the device longer side first; the card is then rotated and pushed into the slot – too simple?
Think your Skype messages get end-to-end encryption? Think again…
“Right now is that there's a mismatch between the privacy people expect and what Microsoft is actually delivering…”
DDoS for hire works with the blessing of FBI, operator says
"Since it is a public service on a public connection to other public servers this is not illegal"
Financial Times Twitter and tech blog accounts hacked
Twitter and two-factor authentication are getting to be a regular item in the media
Saudi websites under attack following surveillance accusations
#OpSaudi is mostly DDoS with a little SQL injection and Twitter hacking mixed in
Smartphones become wide avenue for hackers
Smartphones are increasingly popular with thieves who see the devices as another way to tap into bank accounts
US government wants security research on car-to-car networks
NHTSA has asked for US$2m to research V2V networks with the aim of developing a preliminary baseline set of threats
House could withhold DHS funds while waiting for chemical security report
House appropriators are thinking about withholding $20M in 2013 funds from the Homeland Security Department until it delivers a spending plan and progress report for its chemical security program.
Mac malware signed with Apple ID infects activist's laptop
Stealthy Mac spyware is programmed to take screenshots and send them to remote servers under the control of the attackers
Opinion: Let’s not sacrifice privacy on the altar of cyber security
CISPA cyber security bill backers hope second time’s a charm
We might see this bill again by fall
Utilities rising target of hackers with warning of dire results
“Cyber attacks on computers that run the nation’s energy grid, nuclear reactors and water-treatment plants are increasing with potentially lethal effects, the Department of Homeland Security’s top investigator said.”
Researchers develop industrial systems that watch for breaches
"Each device listens to its neighboring device to see if they're misbehaving"
CISO: Chief infosec scapegoat officer
CISOs are the first victims of every data breach and it's just going to get worse
Hotel Lock Hack Still Being Used In Burglaries, Months After Lock Firm's Fix
The latest Onity hack crime wave has been occurring in hotels across Arizona.
It was recently revealed that QinetiQ North America, a major defense contractor, was the victim of a massive, multi-year cyber espionage operation allegedly originating from China. According to a representative from Verizon’s security division, “There was virtually no place we looked where we didn’t find [intrusion].” How could an important national security contractor suffer such a devastating breach?
Listen to Tim Erlin, Lamar Bailey, Andrew Storms and Dwayne Melançon discuss QinetiQ’s security issues and more on Tripwire's State of Security blog.
Internet crime costs consumers more than half a billion dollars last year
Consumers lost an average of $1,800 last year
A hacker broke into 420,000 computers to bring you this GIF of the entire internet at work
An anonymous researcher took control of some 420,000 Internet-connected devices in order to "map the whole Internet in a way nobody had done before."
Spreading the word about cyber security
“Network building is the most important part of the job; you have to win advocates for moving forward with security controls in our systems”
Holder backs warrant requirement for most email searches
The balance between privacy and government access is “one of the most important conversations…we can have in the 21st century."
Air gaps won’t protect your operations
“Because people will always find a way to get the data where they need it”
Critical Linux vulnerability imperils users even after silent fix
This high-severity vulnerability gives untrusted users with restricted accounts nearly unfettered "root" access over machines
Adobe shares cyber security lessons
Alan Paller: “It’s hard to build a good reputation when you’ve been the cause of so much damage”
On cyber security the nation needs meta leadership
Will information sharing only come as a response to a major attack resulting in “a plan will be assembled quickly and haphazardly after the fact”?
Android threats growing in number and complexity, report says
F-Secure: "While the raw amount of Android malware continues to rise significantly, it is the increased commoditization of those malware that is the more worrying trend"
It’s better to call ahead when sending malware, Symantec finds
Symantec describes a sophisticated social engineering campaign aimed at French-speaking accounting and finance department employees. The victim is called and asked in French whether they can process an invoice sent by email
New York student aims to sell his own personal data on Kickstarter
Turning the online privacy equation on its head, this student aims to take control of his personal data by selling it himself
3 Big Mistakes In Incident Response
Remember: Overreaction can cause you to miss the key details.
Windows Malware Techniques Spread to Android
Over 75% of current Android threats exist to make money for their creators.
Email: Even The CIA Uses It. Time To Get Serious About Its Legal Protections
Everyone is impacted by weak email security…
Cyberattacks Against U.S. Corporations Are on the Rise
Energy companies are targeted, attacks may be coming from the Middle East
Should companies be required to meet certain cyber security standards?
The debate on national cyber security regulation rages on
SEC Chairman reviewing company cyber security disclosures
U.S. Securities and Exchange Commission Chairman Mary Jo White has asked her staff to review whether publicly traded companies should be prodded to disclose more information about cyberattacks on their computer networks
Saudi Telco asks researcher Moxie Marlinspike to help spy on residents
The telco was seeking Marlinspike's assistance in a government-sponsored surveillance project that aimed to intercept "mobile application data" belonging to Twitter, WhatsApp, Viber and Line users
Court Data Breach Could Affect Up To 1 Million In Washington State
The Washington State Administrative Office of the Courts (AOC) announced a data breach on its public website. Potentially up to 160,000 social security numbers and 1 million driver license numbers may have been accessed
Tough times at Homeland Security
You think you have hiring problems? DHS has been grappling with the departures of its top cybersecurity officials
Five Useless Tips From the NSA’s Quaint, Hopelessly Outdated Guide to Internet Research
Remember, your password should be “at least 8 characters long.”
Evaluating risk and formulating effective responses are two major components of information security. But what is the best way to communicate risk and response to the rest of your organization?
Listen to Tim Erlin and Dwayne Melançon as they discuss security risk communication and more on Tripwire's State of Security blog.
ATM hackers stole $45M in 21st century bank heist
Bank robbers cyber security style
The U.S. military's supply chain risk called 'frightening'
The Alliance for American Manufacturing believes the U.S. military is too reliant on foreign-made products.
US cyber war strategy stokes fears of blow back
“The US is the biggest buyer in the gray market where hackers and security firms sell tools for breaking into computers”
APIs are doors to web services and they need locks
APIs can be misused by hackers to spoof services, or even pretend to be entire websites
How the Syrian Army hacked the Onion’s Twitter account
Great step by step case study
Google has aggressive plans for strong authentication
In addition to logging in at the OS level, “…one of our goals will be to have a consistent concept of identity between the OS, applications, and websites accessed from the browser on the device.”
Why Intel’s “How Strong is Your Password?” site can’t be trusted
Oh Intel, why no HTTPS?
Easing into FISMA and FedRAMP? It’s possible
"It's a huge change from doing a FISMA scorecard last December to implementing real-time scanning and continuous diagnostic monitoring this year"
'OpUSA' Hacktivist Attacks Fall Short
A small bank in Arkansas had its website defaced, but that’s pretty much it.
Senators propose law to go after foreign cybercriminals
The “Deter Cyber Theft Act” would require an annual report listing the countries involved in cyber espionage, and could lead to product or country level embargos
Government Policy on Email Surveillance in "State of Chaos"
The FBI may or may not be able to search your email without a warrant.
Syrian internet back after 19-hour blackout
“The Syrian government blamed that incident on ‘terrorists’, but internet experts said it was more likely that the regime had shut down the web.”
Organizations Underestimate The Dangers of Privileged Accounts: Survey
53% of enterprises said they take 90 days or longer to change the password on privileged accounts.
It's Time to Check Your Facebook Privacy Settings
Do your privacy settings need some spring cleaning?
Lack of Chip and PIN technology leaves US shoppers and diners at risk from hackers
According to Trustwave’s annual security report, 45% of companies breached were in the retail sector.
Sweet Password Security Strategy: Honeywords
Will Honeywords be a sweet solution or will they create a sticky situation?
Government Takes Precautions Over Expected ‘OpUSA’ Cyber Attack
OpUSA was expected to launch DDoS attacks against financial and governmental organizations today.
Convenience Store Chain Hacked, Customer Payment Data At Risk
MAPCO says the attack affects debit and credit-card payments made at its stores between March 19 and 25, April 14 and 15, and April 20 and 21.
Database Security: It's More Than Meets the Eye
"Letting the cat guard the milk is known to be a bad security practice."
New Motto for Silicon Valley: First Security, Then Innovation
Should security change come from within?
Google's Schmidt: The Internet needs a delete button
Mistakes young people make can haunt them forever online.
A primer on Bitcoin risks and threats
Malware has certainly hit the Bitcoin market.
The Onion Apparently Hacked by the Syrian Electronic Army
Either the Onion was hit by hackers or “this is an instant contender for cleverest Onion stunt of all time.”
China's Cyber Espionage Targets US Government: Pentagon
“China is using its computer network exploitation (CNE) capability to support intelligence collection against the US diplomatic, economic, and defense industrial base sectors that support US national defense programs.”
7 Habits For Highly Effective BYOD
As BYOD becomes more popular, what security steps are you taking?
Cyberspies outwit model for Bond’s Q
QinetiQ (a government cyber security contractor) hack may have compromised information vital to national security, such as the deployment and capabilities of the combat helicopter fleet.
And the same contractor has been hacked repeatedly
Cybersecurity needs work, experts say
Advocating ‘gradual change’
The consumer cost of a data breach
A new analysis of the huge data breach last year in Utah estimates that more than 120,000 cases of fraud will occur as a result of information stolen
Facebook puts a friendly spin on password security with launch of Trusted Contacts
Facebook has re-vamped its password security measures
50% of enterprises will mandate BYOD by 2017
According to Gartner using personal devices for work functionality is inevitable
Cloud security certification in the works
ISC(2) and the Cloud Security Alliance are teaming up on a professional cloud security certification
Dam! Sensitive Army database of U.S. dams compromised; Chinese hackers suspected
Is China preparing a future cyber-attack against the national electrical power grid?
Why you should take hacked sites’ password assurances with a grain of salt
Reputation.com suffered a security breach that exposed passwords and then told users, “It was highly unlikely that these passwords could ever be decrypted.”
Five Habits Of Highly Successful Malware
In 2012, more than 40 million Windows systems were infected with malware. How do you protect yourself?
How to Stay Anonymous Online
Anonymous may be an overstatement but there’s a lot you can do to protect your privacy online.
Websites gradually shedding vulnerabilities, though most still contain a serious one
53% of websites still have cross-site scripting (XSS) errors.
The 7 elements of a successful security awareness program
One view of how to do security awareness - how do you do this?
Speed traders eyed after Twitter hack attack: regulator
Another unintended consequence of the AP twitter hack
White House: 'Fundamental concerns' remain over cyber security bill
“The United States must update our cybersecurity laws, but we will not sacrifice our values in the process."
Spyware used by governments poses as Firefox, and Mozilla is angry
Mozilla sent the FinFisher software maker a cease and desist letter.
Password Reuse Rampant, But Users Value Security, Survey Says
61% of the respondents said they use the same password for multiple accounts, but 47% use multi-factor authentication for their email accounts.
Apple, Verizon earn poor marks in EFF privacy report
Who did the best? Twitter and Sonic.net
Use a Software Bug to Win Video Poker? That’s a Federal Hacking Case
“Who would not win as much money as they could on a machine that says, ‘Jackpot’? That’s the whole idea!”
71 Percent of Applications Use Components With Severe or Critical Security Flaws: Report
About 76% of users say they have no control over what components get used in software development projects.
Twitter warns of additional hacks, threats
High-profile news organizations are told to take extra precaution when opening email.
U.S. Urges Finance Industry to Form Cyber Threat Clearinghouses
“Government alone cannot keep our financial system safe. The responsibility of protecting our financial sector rests also with the sector itself.”
Online monitoring scheme bad news for security, opponents say
Surveillance backdoors could potentially be used for state sponsored attacks.
Recent Breaches More Likely To Result In Fraud
A person whose data was stolen in 2012 has a 25% chance of becoming a fraud victim.
Hacktivists change tactics from data breaches to disruption
In 2011, hacktivists stole almost 50% of the total records analyzed in Verizon’s DBIR; last year it was only 2%
Living Social hacked, as many as 50 million affected
Not much information available on this yet, no credit card data was affected
Attackers target shared Web hosting servers for mass phishing attacks
A cautionary tale: Nearly half of all phishing attacks in the second half of 2012 involved the use of hacked hosting servers
FSOC Report: US Banking still too vulnerable to hackers
In reference to the DDoS attacks against banks last year, FSOC said "the knowledge and skill of the attackers appeared to increase over time."
Google Glass hacked within days of release
“…gaining root access to Google Glass ‘looks easy’ after discovering a ‘debug mode’ option on Glass that enables further access to the device's operating system”
ACLU: CISPA is dead (for now)
The Senate is working on another cyber security bill with more privacy provisions
Many hacked businesses remain unprepared for the next breach
Kind of flies in the face of “experience is the best teacher”
Maker of smart-grid software discloses hack
Telvent Canada says someone sneaked past its internal firewall, installing malicious software and stealing files related to control software used to manage the electric grid in various countries
FBI denied permission to spy on hacker through his webcam
The description of the spyware the Feds wanted to install sounds eerily similar to the RAT banking Trojan
Israeli airport security allowed to read tourists' email
Security officials at Ben Gurion airport are legally allowed to demand access to tourists' email accounts and deny them entry if they refuse
Twitter prepping two factor authentication
Bet they’re working even harder after yesterday’s AP hack
There is no such thing as information security risk
Connecting security risk to the business is the heart of the issue
More malware discovered from drone cyber attacks
A cyber espionage campaign targeted at stealing drone related technology
Homeland Security Chairman to develop cybersecurity bill
House Homeland Security Chairman Michael McCaul insists his CISPA amendment was "actually praised by the privacy groups."
Should Insiders Really Be Your Biggest Concern?
What are more damaging: internal or external threats?
AP says its Twitter account was hacked
The market was temporarily stunned, but Twitter moved very quickly to suspend the account
Google’s Schmidt: Cyber war is the new normal
Schmidt says we can expect “perpetual, permanent, low-grade cyber war”
The Verizon Data Breach Report came out today and got tons of coverage. Here are two of my favorite articles:
The year in hacking by the numbers
“There are only two kinds of companies. Those that have been hacked and those that don’t know they’ve been hacked”
No one size fits all in Verizon data breach report
A nice round-up of the report including this gem: “…organizations typically don't discover that they've been breached for months and even years after the fact and nearly 70 percent of them learn from a third party.”
Why security is in denial about awareness
“Why do we allow users and administrators to perform unsafe acts such as selecting passwords like 'Password1'?”
CISPA blackout fails to match 2012’s SOPA and PIPA protest levels
“The Internet yawned”
55% of net users use the same password for most, if not all, websites. When will they learn?
26% of users said that they pick easy-to-remember passwords such as birthdays or people's names.
Scan My Eyeball, Already
Are consumers demanding biometrics over passwords?
US eyes push back on Chinese hacking
“Options include trade sanctions, diplomatic pressure, indictments of Chinese nationals in U.S. courts and cyber countermeasures—both attack and defense, officials said”
Oracle bug hunter spots Java 7 Server flaw
Another security black eye for Java
Three simple steps to determine your risk tolerance
Who has the authority to assume risk in your organization?
CBS News says some of its Twitter accounts were hacked
The Twitter accounts of the CBS News programs "60 Minutes" and "48 Hours" were compromised on Saturday
Attacks on SCADA, ICS honeypots modified critical operations
“…during a 28-day trial attackers were determined to access SCADA networks and ICS devices and come armed not only with working knowledge of devices and their default configurations, but with purpose-built malware, and the desire to modify industrial processes if they’re able to successfully access a system”
Ten tips to security funding for an IT security program
Number 4 is pretty important…
Brookings Institute’s Alan Friedman on the rhetoric surrounding CISPA
These comments seem to apply to the entire national conversation we’re having around cyber security
Deconstructing defensible: Too many assets, not enough resources
Good blog post from Rafal Los
What you should know about enabling Microsoft two-factor authentication
“Users who know their passwords, but lose access to their secondary security proof, will have to go through a mandatory 30 day wait before regaining access to their account”
Can we cease check box compliance?
"They have to be advocates with persuasive skills in communicating the current state [of security], a future state and what steps are necessary…”
Assange to Google’s Schmidt: Don’t use email
Wikileaks published a transcript of conversations between Assange and Eric Schmidt
IT security in a nutshell
A little Friday humor
Cybersecurity: A view from the front
Remember the cyber attacks on Estonia in 2008? They made cyber security a national priority
Popular Wi-Fi routers easy to hack
And, according to ISE, there’s not much you can do to protect yourself
Siri remembers your secrets, but for how long?
Evidently, Siri has a very long memory
Opinion: Cyber intelligence sharing and protection act
“Tech companies like CISPA because it grants them the equivalent of a Christmas pony”
Users prefer new forms of authentication
Interesting data from UK, Germany and US what users think about authentication
DDoS ‘fire drill’ services urge companies to be prepared
Is your business doing regular data breach drills? Do they include DDoS attacks?
Cyberattacks can't break the Internet
Today’s humor: “Cyberattackers depend on the Internet too.”
ACLU files FTC complaint over Android security
Patch management for Android devices comes under FTC scrutiny
Google boosts IT admin control for Chrome browser
Includes configurable permissions and a “curated web app store”
Marathon bombing suspect reportedly identified
Speculation on the technology involved in finding suspects in the Boston Marathon bombing
Apple keeps patching Java on OS X and Snow Leopard long after proposed drop-dead date
Safari 6 now lets users closely manage Java permissions by selecting which sites can execute the software
Identity theft goes hyperlocal
The interesting thing here is the example of loss threshold for local police cyber crime investigation
Fueled by super botnets, DDoS attacks grow meaner and ever-more powerful
In the first quarter, DDoS attacks jumped to 48.25 gigabits per second.
With security vote looming, White House threatens veto (again)
Privacy and immunity from prosecution revisions needed
Microsoft discovers Trojan that erases evidence of its existence
Part of a trend toward malware with anti-forensics capabilities
Targeted attacks hitting small business have increased threefold
Symantec: Small businesses under 250 employees now the target of 31% of attacks
High level execs not always the juiciest target for attackers
Sales and R&D are the most targeted groups
Schnuck’s supermarket struggled to find breach that exposed 2.4M credit cards
The chain’s credit card processor alerted the supermarket chain to a breach but it took them 14 days to find it and shut it down
The CISOs guide to advanced attackers: Sizing up the adversary
A new series on APTs from Securosis, worth reading
Android gets 97% of malware, Apple gets 58% of the enterprise
“…is it really a good idea to be issuing malware-friendly Android devices to field workers in utilities, healthcare and communication services?”
An opportunity for CIOs
“CIOs have little direct say on strategy…”
Evaluating risk in the dark
Where should existing audit issues that haven’t been remediated fit in the risk equation?
Hacktivists as gadflies
A great opinion piece about the “obscenely excessive prosecution” of relatively innocuous hacks recently
How hackers fool your employees
Some (more) advice on security awareness and why it matters
The unique challenges of controlling Java exploits
“For many enterprises the rewards of Java have considerably diminished over the years, while the risks are growing exponentially”
FAA debunks Android hijack claim
Evidently, hacking a simulator and hacking an airplane during flight are two different things
Security Awareness Training Debate: Does it Make a Difference?
"You need to set the right expectation that you are trying to help the company, not frame individuals.”
Porn sites reject 'growing risk' of malware claim
Spokesmen say the threat (along with several other things) has been "grossly exaggerate[d]."
Ten years after: Where security monitoring still falls short
Blog post: “Yesterday’s security tools aren’t effective for today’s threats”
The IRS going against email privacy tide
IRS is taking the position that they don’t need subpoenas for email communications in criminal investigations
Hackers Could Start Abusing Electric Car Chargers to Cripple the Grid, Researcher Says
Hack in the Box: Vulnerable charging stations could prevent the charging of electric vehicles in a certain area, or possibly even use the vulnerabilities to cripple parts of the electricity grid
Kevin Mitnick: Hacking the hamburglar
Pretty funny: Mitnick hacked the frequency of a local McDonald's ordering system and took control of the drive-through ordering system
New cybersecurity bill, privacy threat or crucial band-aid
CISPA's new privacy amendments may not go far enough
Rockefeller asks SEC to step up cybersecurity disclosures
Rockefeller argues that investors have a right to know about cyber-attacks and security protocols.
Hackers steal Ubisoft's unreleased Far Cry video game
All PC video game sales have been halted until Ubisoft fixes the issue.
Adobe updates are no laughing matter, but at least XKCD makes them funny
This made me laugh out loud
How To Successfully Phish Your Own Firm
“The smarter everyone is the more secure the company will be."
Taking steps to stop software sabotage
Tips for a secure software development process
Hijacking an airplane with an Android phone
A German security researcher at Hack in the Box demonstrates the “sorry state of aviation security”
According to a recent MIT study, it's possible to identify anonymous mobile users based on the data their phones send to cell towers. Are privacy and anonymity simply an illusion? Listen to Episode 73 of our Security Slice podcast and hear Tim Erlin and Tim “TK” Keanini discuss why our mindsets clash with our browser settings, whether there is a bright side to being traced and when privacy is absolutely necessary.