According to current and former government officials, they gained access to a sensitive database with years’ worth of information about U.S. surveillance targets
http://www.networkworld.com/news/2013/052013-risk-
“Risk management programs don’t work because our profession doesn't, in large part, understand risk” – agree? Disagree?
Telecom firms may sue the reporters who uncovered mishandled customer data; sounds like security research to me
“A voluntary approach to cybersecurity might make sense for some sectors, but experience shows that it cannot be relied upon to protect the electric grid.”
#OPUSA could affect agencies across the Federal government
When you load a login form over HTTP, ‘anything you do after that is a little bit pointless'
http://www.zdnet.com/aggressive-espionage-for-hire
An Indian malware service is building attack software for projects involving secret surveillance
http://www.infosecurity-magazine.com/view/32534/co
Hate the ‘cyber’ pre-fix that’s taking over security news? Here’s why you should get over it
http://www.nytimes.com/2013/05/20/world/asia/chine
Unit 61398, the People’s Liberation army cyber unit featured in the Mandiant report earlier this year, is now operating at 60 percent to 70 percent of previous levels
http://www.bbc.co.uk/news/technology-22594136
22 million IDs, but no passwords or other identifying info, may have been stolen
http://www.darkreading.com/monitoring/large-attack
According to DDoS mitigation experts the worst denial of service attacks are not the biggest ones, not the ones that knock applications down
The Obama administration has been "considering" the latest version of the DOJ's plan to require backdoor wiretapping abilities in any form of digital communication
http://www.net-security.org/secworld.php?id=14931
The device is meant to be installed over the ATM's card slot or incorporated into new ATM models, and requires cards to be inserted into the device longer side first, then the card is rotated and and pushed into the slot – too simple?
“Right now is that there's a mismatch between the privacy people expect and what Microsoft is actually delivering…”
"Since it is a public service on a public connection to other public servers this is not illegal"
http://online.wsj.com/article/SB100014241278873247
Twitter and two-factor authentication are getting to be a regular item in the media
#OpSaudi is mostly DDoS with a little SQL injection and Twitter hacking mixed in
http://seattletimes.com/html/businesstechnology/20
Smartphones are increasingly popular with thieves who see the devices as another way to tap into bank accounts
http://www.theregister.co.uk/2013/05/17/usa_car_ne
NHTSA has asked for $US2m to research V2V networks with the aim of developing a preliminary baseline set of threats
House appropriators are thinking about withholding $20M in 2013 funds from Homeland Security Department until it delivers a spending plan and progresss report for its chemical security program.
http://arstechnica.com/security/2013/05/mac-malwar
Stealthy Mac spyware is programmed to take screenshots and send them to remote servers under the control of the attackers
http://njtoday.net/2013/05/16/opinion-lets-not-sac
Here, here!
http://www.nbcnews.com/technology/cispa-cybersecur
We might see this bill again by fall
“Cyber attacks on computers that run the nation’s energy grid, nuclear reactors and water-treatment plants are increasing with potentially lethal effects, the Department of Homeland Security’s top investigator said.”
"Each device listens to its neighboring device to see if they're misbehaving,"
http://www.infosecurity-magazine.com/view/32453/ci
CISOs are the first victims of every data breach and it's just going to get worse
The latest Onity hack crime wave has been occurring in hotels across Arizona.
http://www.darkreading.com/attacks-breaches/intern
Consumers lost an average of $1,800 last year
An anonymous researcher took control over some 420,000 Internet connected-devices in order to "map the whole Internet in a way nobody had done before."
http://fcw.com/articles/2013/05/15/cybersecurity-e
"Network building is the most important part of the job; you have to win advocates for moving forward with security controls in our systems”
The balance between privacy and government access is “one of the most important conversations…we can have in the 21st century."
http://www.automationworld.com/air-gaps-wont-prote
“Because people will always find a way to get the data where they need it”
This high-severity vulnerability that gives untrusted users with restricted accounts nearly unfettered "root" access over machines
http://blogs.wsj.com/riskandcompliance/2013/05/14/
Allan Paller: “It’s hard to build a good reputation when you’ve been the cause of so much damage”
http://www.politico.com/story/2013/05/on-cybersecu
Will information sharing only come as a response to a major attack resulting in “a plan will be assembled quickly and haphazardly after the fact”?
FSecure: "While the raw amount of Android malware continues to rise significantly, it is the increased commoditization of those malware that is the more worrying trend,"
Symantec describes as a sophisticated social engineering campaign aimed at French-speaking accounting and finance department employees. The victim is called and asked in French if they can process an invoice sent by email
Turning the online privacy equation on its head, this student aims to take control of his personal data by selling it himself
http://www.darkreading.com/management/3-big-mistak
Remember: Overreaction can cause you to miss the key details.
http://securitywatch.pcmag.com/mobile-security/311
Over 75% of current Android threats exist to make money for their creators.
Everyone is impacted by weak email security…
http://www.nytimes.com/2013/05/13/us/cyberattacks-
Energy companies are targeted, attacks may be coming from the Middle East
http://stream.wsj.com/story/latest-headlines/SS-2-
The debate on national cyber security regulation rages on
U.S. Securities and Exchange Commission Chairman Mary Jo White has asked her staff to review whether publicly traded companies should be prodded to disclose more information about cyberattacks on their computer networks
it was seeking Marlinspike's assistance in a government-sponsored surveillance project that was seeking to intercept "mobile application data" belonging to Twitter, WhatsApp, Viber and Line users
http://www.seattlemedium.com/News/article/article.
The Washington State Administrative Office of the Courts (AOC) announced a data breach on its public website. Potentially up to 160,000 social security numbers and 1 million driver license numbers may have been accessed
http://bits.blogs.nytimes.com/2013/05/13/tough-tim
You think you have hiring problems, DHS has been grappling with the departures of its top cybersecurity officials
Remember, your password should be “at least 8 characters long.”
http://www.foxnews.com/tech/2013/05/09/atm-hackers
Bank robbers cyber security style
The Alliance for American Manufacturing believes the U.S. military is too reliant on foreign-made products.
http://www.reuters.com/article/2013/05/10/us-usa-c
“The US is the biggest buyer in the gray market where hackers and security firms sell tools for breaking into computers
http://readwrite.com/2013/05/10/apis-are-the-doors
APIs can be misused by hackers to spoof services, or even pretend to be entire websites
http://theonion.github.io/blog/2013/05/08/how-the-
Great step by step case study
In addition to logging in at the OS level,”….one of our goals will be to have a consistent concept of identity between the OS, applications, and websites accessed from the browser on the device.”
http://arstechnica.com/security/2013/05/why-intels
Oh Intel, why no HTTPS?
http://fcw.com/articles/2013/05/08/fedramp-fisma-r
"It's a huge change from doing a FISMA scorecard last December to implementing real-time scanning and continuous diagnostic monitoring this year"
http://www.darkreading.com/attacks-breaches/opusa-
A small bank in Arkansas had its website defaced, but that’s pretty much it.
The “Deter Cyber Theft Act” would require an annual report listing the countries involved in cyber espionage, and could lead to product or country level embargos
The FBI may or may not be able to search your email without a warrant.
http://www.bbc.co.uk/news/world-middle-east-224472
“The Syrian government blamed that incident on "terrorists", but internet experts said it was more likely that the regime had shut down the web.”
http://www.securityweek.com/organizations-underest
53% of enterprises said they take 90 days or longer to change the password on privileged accounts.
http://securitywatch.pcmag.com/security/311233-it-
Do your privacy settings need some spring cleaning?
According to Trustwave’s annual security report, 45% companies breached were in the retail sector.
Will Honeywords be a sweet solution or will they create a sticky situation?
OpUSA were expected to launch DDoS attacks against financial and governmental organizations today.
http://www.darkreading.com/attacks-breaches/conven
MAPCO says the attack affects debit and credit-card payments made at its stores between March 19 and 25, April 14 and 15, and April 20 and 21.
http://www.securityweek.com/database-security-its-
"Letting the cat guard the milk is known to be a bad security practice."
Should security change come from within?
http://news.cnet.com/8301-1009_3-57583022-83/googl
Mistakes young people make can haunt them forever online.
https://www.net-security.org/secworld.php?id=14857
Malware has certainly hit the Bitcoin market.
Either the Onion was hit by hackers or “this is an instant contender for cleverest Onion stunt of all time.”
http://www.securityweek.com/chinas-cyber-espionage
“China is using its computer network exploitation (CNE) capability to support intelligence collection against the US diplomatic, economic, and defense industrial base sectors that support US national defense programs.”
http://www.forbes.com/sites/adriankingsleyhughes/2
As BYOD becomes more popular, what security steps are you taking?
http://www.bloomberg.com/news/2013-05-01/china-cyb
QinetiQ ( a government cyber security contractor) hack may have compromised information vital to national security, such as the deployment and capabilities of the combat helicopter fleet.
And the same contractor has been hacked repeatedly
Advocating ‘gradual change’
http://www.cnbc.com/id/100695689
A new analysis of the huge data breach last year in Utah estimates that more than 120,000 cases of fraud will occur as a result of information stolen
Facebook has re-vamped its password security measures
http://www.infosecurity-magazine.com/view/32215/50
According to Gartner using personal devices for work functionality is inevitable
http://www.cso.com.au/article/460943/cloud_securit
ISC(2) and the Cloud Security Alliance are teaming up on a professional cloud security certification
http://www.washingtontimes.com/news/2013/may/1/sen
Is China preparing a future cyber-attack against the national electrical power grid?
Reputation.com suffered a security breach that exposed password and then told users, “It was highly unlikely that these passwords could ever be decrypted.”
http://www.darkreading.com/advanced-threats/five-h
In 2012, more than 40 million Windows systems were infected with malware. How do you protect yourself?
http://securitywatch.pcmag.com/security/311007-how
Anonymous may be an over statement but there’s a lot you can do to protect your privacy online.
53% of websites still have cross-site scripting (XSS) errors.
http://www.csoonline.com/article/732602/the-7-elem
One view of how to do security awareness - how do you do this?
http://www.reuters.com/article/2013/04/30/us-hft-r
Another unintended consequence of the AP twitter hack
http://thehill.com/blogs/hillicon-valley/technolog
“The United States must update our cybersecurity laws, but we will not sacrifice our values in the process."
Mozilla sent the FinFisher software maker a cease and desist letter.
http://www.darkreading.com/end-user/password-reuse
61% of the respondents said they use the same password for multiple accounts, but 47% use multi-factor authentication for their email accounts.
http://news.cnet.com/8301-1009_3-57582292-83/apple
Who did the best? Twitter and Sonic.net
http://www.wired.com/threatlevel/2013/05/game-king
“Who would not win as much money as they could on a machine that says, ‘Jackpot’? That’s the whole idea!”
About 76% of users say they have no control over what components get used in software development projects.
http://news.cnet.com/8301-1009_3-57582102-83/twitt
High-profile news organizations are told to take extra precaution when opening email.
“Government alone cannot keep our financial system safe. The responsibility of protecting our financial sector rests also with the sector itself.”
http://www.csoonline.com/article/732538/online-mon
Surveillance backdoors could potentially be used for state sponsored attacks.
http://www.darkreading.com/attacks-breaches/recent
A person whose data was stolen in 2012 has a 25% chance of becoming a fraud victim.
http://www.eweek.com/security/hactivistists-change
In 2011, hactivists stole almost 50% of the total records analyzed in Verizon’s DBIR, last year is was only 2%
http://news.cnet.com/8301-1009_3-57581718-83/livin
Not much information available on this yet, no credit card data was affected
A cautionary tale: Nearly half of all phishing attacks in the second half of 2012 involved the use of hacked hosting servers
http://www.securityweek.com/us-banking-sector-too-
In reference to the DDoS attacks against banks last year, FSOC said "the knowledge and skill of the attackers appeared to increase over time."
http://www.ibtimes.co.uk/articles/461827/20130426/
“….gaining root access to Google Glass ‘looks easy’ after discovering a 'debug mode' option on Glass that enables further access to the device's operating system”
http://www.usnews.com/news/articles/2013/04/25/acl
The Senate is working on another cyber security bill with more privacy provisions
Kind of flies in the face of “experience is the best teacher”
http://news.cnet.com/8301-1009_3-57521049-83/maker
Telvent Canada says someone sneaked past its internal firewall, installing malicious software and stealing files related to control software used to manage the electric grid in various countries
http://arstechnica.com/tech-policy/2013/04/fbi-den
The description of what the spyware the Feds wanted to installs sounds eerily similar to the RAT banking Trojan
http://www.securityweek.com/israel-airport-securit
Security officials at Ben Gurion airport are legally allowed to demand access to tourists' email accounts and deny them entry if they refuse
http://www.wired.com/threatlevel/2013/04/twitter-a
Bet they’re working even harder after yesterday’s AP hack
http://www.cio.com/article/732299/There_is_No_Such
Connecting security risk to the business is the heart of the issue
http://www.csoonline.com/article/732277/more-malwa
A cyber espionage campaign targeted at stealing drone related technology
House Homeland Security Chairman Michael McCaul insists his CISPA amendment was "actually praised by the privacy groups."
http://www.darkreading.com/insider-threat/should-i
What are more damaging: internal or external threats?
http://www.marketwatch.com/story/ap-says-its-twitt
The market was temporarily stunned, but Twitter moved very quickly to suspend the account
http://www.afr.com/p/technology/cyber_war_the_new_
Schmidt says we can expect “perpetual, permanent, low-grade cyber war”
The year in hacking by the numbers
http://bits.blogs.nytimes.com/2013/04/22/the-year-
“There are only two kinds of companies. Those that have been hacked and those that don’t know they’ve been hacked”
No one size fits all in Verizon data breach report
http://www.darkreading.com/attacks-breaches/no-one
A nice round up of the report including this gem: “…..organizations typically don't discover that they've been breached for months and even years after the fact and nearly 70 percent of them learn from a third party.”
http://www.csoonline.com/article/732153/why-securi
“Why do we allow users and administrators to perform unsafe acts such as selecting passwords like 'Password1'?”
“The Internet yawned”
http://nakedsecurity.sophos.com/2013/04/23/users-s
26% of users said that they pick easy-to-remember passwords such as birthdays or people's names.
http://www.darkreading.com/end-user/scan-my-eyebal
Are consumers demanding biometrics over passwords?
“Options include trade sanctions, diplomatic pressure, indictments of Chinese nationals in U.S. courts and cyber countermeasures—both attack and defense, officials said”
Another security black eye for Java
http://www.csoonline.com/article/731833/three-simp
Who has the authority to assume risk in your organization?
http://uk.reuters.com/article/2013/04/20/usa-cbsne
CBS News programs, "60 Minutes" and "48 Hours" Twitter accounts were compromised on Saturday
http://threatpost.com/attacks-scada-ics-honeypots-
“…during a 28-day trial attackers were determined to access SCADA networks and ICS devices and come armed not only with working knowledge of devices and their default configurations, but with purpose-built malware, and the desire to modify industrial processes if they’re able to successfully access a system”
http://www.csoonline.com/article/732053/10-tips-to
Number 4 is pretty important….
http://www.lawfareblog.com/2013/04/brookings-alan-
These comments seem to apply to the entire national conversation we’re having around cyber security
Good blog post from Rafal Los
“Users who know their passwords, but lose access to their secondary security proof, will have to go through a mandatory 30 day wait before regaining access to their account”
http://www.darkreading.com/compliance/can-we-cease
"They have to be advocates with persuasive skills in communicating the current state [of security], a future state and what steps are necessary…”
http://www.csoonline.com/article/732042/assange-to
Wikileaks published a transcript of conversations between Assange and Eric Schmidt
http://fishbowl.pastiche.org/2013/04/14/it_securit
A little Friday humor
http://www.nytimes.com/2013/04/12/opinion/global/c
Remember the cyber attacks on Estonia in 2008? They made cyber security a national priority
http://www.digitaltrends.com/computing/wi-fi-route
And, according to ISE, there’s not much you can do to protect yourself
http://www.wired.com/wiredenterprise/2013/04/siri-
Evidently, Siri has a very long memory
http://bdaily.co.uk/opinion/16-04-2013/opinion-cyb
“Tech companies like CISPA because it grants them the equivalent of a Christmas pony”
http://www.inforisktoday.com/consumers-favor-new-f
Interesting data from UK, Germany and US what users think about authentication
Is your business doing regular data breach drills? Do they include DDoS attacks?
http://money.cnn.com/2013/04/16/technology/securit
Today’s humor: “Cyberattackers depend on the Internet too.”
Read more...
Patch management for Android devices comes under FTC scrutiny
Includes configurable permissions and a “curated web app store”
http://www.computerworld.com/s/article/9238460/Upd
Speculation on the technology involved in finding suspects in the Boston Marathon bombing
Safari6 now lets users closely manage Java permissions by selecting which sites can execute the software
http://www.securityweek.com/identity-theft-goes-hy
The interesting thing here is the example of loss threshold for local police cyber crime investigation
In the first quarter, DDoS attacks jumped to 48.25 gigabits per second.
Privacy and immunity from prosecution revisions needed
Part of a trend toward malware with anti-forensics capabilities
http://www.net-security.org/secworld.php?id=14762&
Symantec: Small businesses under 250 employees now the target of 31% of attacks
http://www.securityweek.com/high-level-execs-not-a
Sales and R&D are the most targeted groups
The chain’s credit card processor alerted the supermarket chain to a breach but it took them 14 days to find it and shut it down
https://securosis.com/blog/the-cisos-guide-to-adva
A new series on APTs from Securosis, worth reading
http://tech.fortune.cnn.com/2013/04/14/apple-enter
“….is it really a good idea to be issuing malware-friendly Android devices to field workers in utilities, healthcare and communication services?”
http://www.forbes.com/sites/forbesinsights/2013/04
“CIOs have little direct say on strategy…”
Where should existing audit issues that haven’t been remediated fit in the risk equation?
http://opinionator.blogs.nytimes.com/2013/04/13/ha
A great opinion piece about the “obscenely excessive prosecution” of relatively innocuous hacks recently
http://www.darkreading.com/security/client-securit
Some (more) advice on security awareness and why it matters
http://www.securityweek.com/unique-challenges-cont
“For many enterprises the rewards of Java have considerably diminished over the years, while the risks are growing exponentially”
http://www.theregister.co.uk/2013/04/13/faa_debunk
Evidently, hacking a simulator and hacking an airplane during flight are two different things
http://www.securityweek.com/security-awareness-tra
"You need to set the right expectation that you are trying to help the company, not frame individuals.”
http://www.bbc.co.uk/news/technology-22153527
Spokesmen say the threat (along with several other things) has been "grossly exaggerate[d]."
http://itsecurityjournal.com/ten-years-after-where
Blog post: “Yesterday’s security tools aren’t effective for today’s threats”
http://www.networkworld.com/news/2013/041213-irs-g
IRS is taking the position that they don’t need subpoenas for email communications in criminal investigations
Hack-in-theBox: Vulnerable charging stations could prevent the charging of electric vehicles in a certain area, or possibly even use the vulnerabilities to cripple parts of the electricity grid
http://www.forbes.com/sites/singularity/2013/04/11
Pretty funny: Mitnick hacked the frequency of a local McDonalds ordering system and took control of the drive-through ordering system
CISPAs new privacy amendments may not go far enough
Rockefeller argues that investors have a right to know about cyber-attacks and security protocols.
http://www.bbc.co.uk/news/technology-22095115
All PC video game sales have been halted until Ubisoft fixes the issue.
http://nakedsecurity.sophos.com/2013/04/10/adobe-u
This made me laugh out loud
“The smarter everyone is the more secure the company will be."
Tips for a secure software development process
http://www.net-security.org/secworld.php?id=14733
A German security researcher at Hack in the Box demonstrates the “sorry state of aviation security”
