2013-11-04

Guest column by Citadel Information Group

Cyber Crime

Adobe Breach Impacted At Least 38 Million Users: The recent data breach at Adobe that exposed user account information and prompted a flurry of password reset emails impacted at least 38 million users, the company now says. It also appears that the already massive source code leak at Adobe is broadening to include the company’s Photoshop family of graphical design products. KrebsOnSecurity, October 29, 2013

Cyber Attack

Syrian hackers claim to hack Obama’s Twitter account: For a short time on Monday, the website and Twitter account of BarackObama.com were breached by a group of hackers going by the name Syrian Electronic Army. CBS, October 28, 2013

AP Exclusive: Israeli tunnel hit by cyber attack: HADERA, Israel (AP) – When Israel’s military chief delivered a high-profile speech this month outlining the greatest threats his country might face in the future, he listed computer sabotage as a top concern, warning a sophisticated cyberattack could one day bring the nation to a standstill. USA Today, October 27, 2013

Cyber Threat

Social Engineers Pwn The ‘Human Network’ In Major Firms: To provide some perspective on just how poorly corporate America is able to combat social engineering attacks today, consider this: Famously secretive Apple fared the worst in a recent social engineering contest. DarkReading, October 30, 2013

Cyber Warning

New Vulnerability Found in Apps Using Wi-Fi: Public Wi-Fi networks are notoriously insecure, and now there’s this: Mobile security researchers have discovered a new way for attackers to access mobile phone apps from Wi-Fi networks. The New York Times, October 29, 2013

Researchers Flag Security Flaws In New LinkedIn Offering: A new LinkedIn feature designed to familiarize users with their email partners could introduce a slew of security problems to enterprises and individuals who use it, researchers said this week. DarkReading, October 25, 2013

Security Expert Warns about Using App that Emails Money: Dr. Stahl featured - A service by a company called Square Inc. will allow you to e-mail money to your friends free-of-charge. But a nationally recognized IT security expert, Stan Stahl, Ph.D., says the concept is fraught with danger. The Biz Coach, October

Cyber Privacy

N.S.A. Said to Tap Google and Yahoo Abroad: WASHINGTON – The National Security Agency and its British counterpart have apparently tapped the fiber-optic cables connecting Google’s and Yahoo’s overseas servers and are copying vast amounts of email and other information, according to accounts of documents leaked by the former agency contractor Edward J. Snowden. The New York Times, October 30, 2013

What You Need to Know About Privacy, Email, and Particularly Gmail: Unless you take special precautions, nothing you send by email is secure. That’s doubly true with Gmail, since Google uses the content of your messages to target advertising. CIO, October 21, 2013

Financial Fraud

Victorian Trolling: How Con Artists Spammed in a Time Before Email: In May of 1978, a computer tech named Carl Gartley typed the following message into the flickering, black-and-green screen of an early computer terminal. The company he worked for, Digital Equipment Corporation, was eager to publicize its new computers to the users of Arpanet, the network that would grow into the Internet. The recipients of the email were a catalog of the digital elite (at places like UCLA, PARC, and the Rand Corporation) who possessed the mainframe computers and access privileges necessary to be on the web in the late 1970s. The Atlantic, October 29, 2013

ATM malware may spread from Mexico to English-speaking world: A malicious software program found in ATMs in Mexico has been improved and translated into English, which suggests it may be used elsewhere, according to security vendor Symantec. PCWorld, October 28, 2013

Cyber Security Management

Cyber-crime is ‘greatest threat’ to companies’ survival: EY: Companies see cyber-crime as an increasing threat, with a third of organizations reporting a rise in attacks in the past year, a study reveals. CNBC, October 30, 2013

IBM Assessment: How Information Security Leaders Can Do Better: A quarter of all company security leaders have deployed mobile security in the past month, but they’re still playing “catch-up” as they try to wrap policies and technology around the Bring Your Own Device (BYOD) trend. That’s one of the findings in the second annual IBM assessment of Chief Information Security Officers (CISOs). CMS Wire, October 23, 2013

Generation Y Users Say They Will Break Corporate BYOD Rules: Most young employees are so dependent on their mobile devices that they are prepared to break any policy that restricts their use, according to a new study. DarkReading, October 22, 2013

Cyber Security Management – Cyber Update

Mozilla Fixes 10 Vulnerabilities with Firefox 25: Mozilla released the 25th version of its mobile and desktop Firefox browser yesterday, fixing 10 vulnerabilities, five of them critical. ThreatPost, October 30, 2013

NETGEAR ReadyNAS Storage Vulnerable to Serious Command-Injection Flaw: A popular NETGEAR network-attached storage product used primarily in medium-sized organizations has a gaping vulnerability that puts any data moving through a network in jeopardy. ThreatPost, October 22, 2013

Cyber Security Management – Cyber Defense

Web app security best practices and the people who love them: When a website is attacked, the results can be devastating to an organization – both financially and from a brand perspective. Given modern society’s ever-increasing reliance on the Web, the impact of a breach and the associated costs are going up, and fast. Adding more “robust” firewalls or allocating more budget to anti-virus protection is not the answer. It’s still an important step, sure, but these controls provide nearly zero protection against today’s web-based attacks. CSO, October 30, 2013

Google Project Shield To Protect Sensitive Sites From DDOS Attacks: DDoS attacks have been a problem for nearly as long as the Internet has been a thing, but they’re difficult to visualize and understand on a practical level. A whole bunch of traffic is going to a Web site. So what? Now, Google and Arbor Networks are collaborating on a project that shows exactly how large and damaging some of these attacks are, and who’s attacking who at any given moment. ThreatPost, October 22, 2013

How To Avoid Breaches Where You Least Expect Them: In the real world of constrained budgets and limited personnel, prioritization of security resources is a must. Many departments prioritize practices based on the severity of vulnerabilities, the value of a target, and the likelihood of a threat hitting said target. However, the flip side of that is to remember the real world is also a connected one. And as many security experts can attest, enterprises often forget to account for how attacks against the vulnerabilities in less critical systems can jeopardize the crown jewels. DarkReading, October 21, 2013

Securing the Village

Seeking Comments on the Preliminary Cybersecurity Framework: America must also face the rapidly growing threat from cyber-attacks. We know hackers steal people’s identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy. The White House Blog, October 29, 2013

NIST’s latest cybersecurity framework reveals a lot of goodwill amidst continued criticism: After delays due to the government shutdown, the National Institute of Standards and Technology (NIST) released on October 22 its latest version of a comprehensive cybersecurity framework for critical infrastructure as mandated by President Obama’s February cybersecurity executive order (EO). This preliminary framework is subject to a 45-day public comment period, after which NIST will make revisions and then produce a final framework for publication in February. CSO, October 24, 2013

Critical Infrastructure

‘White Hat’ Hackers Expose Flaws of U.S. Stock Market: Ethical “white hat” hackers, intentionally looking to expose the cyber vulnerabilities of U.S. equity markets, were able to directly impact market performance in a test last month, forcing a mock market close. Fox News, October 23, 2013

Months Later, EAS Equipment Still Vulnerable: More than three months ago, a researcher from IOActive published details of some serious problems he’d found with equipment used to run the Emergency Alert System, which is used to send out notifications in the case of a natural disaster or other serious situation. The researcher notified the equipment manufacturers affected by the bugs, one of which could enable an attacker to send out a fake alert, and the vendors updated their software. However, it appears that those fixes didn’t actually solve the problems. ThreatPost, October 22, 2013

Cyber Research

DARPA Announces $2 Million Prize In Self-Patching Software Competition: The mad scientist wing of the Pentagon known as the Defense Advanced Research Projects Agency announced Tuesday that it’s planning to hold a new “Grand Challenge” competition with a $2 million prize. The goal of that seven-figure bakeoff: To build a “fully automated cyber defense system” that protects itself from hackers, responding to attacks and even updating its own code in real-time, without the assistance of humans. Forbes, October 23, 2013

Cyber Misc

Twitter Illiterate? Mastering the @BC’s: Using Twitter sounds so simple. Type out no more than 140 characters – the maximum allowed in a single tweet – and hit send. That’s all, right? The New York Times, October 23, 2013

Cyber Calendar

ISSA-LA November Lunch Meeting: In today’s world of advanced cyber threats, security professionals need to implement new methods and strategies to gain the upper hand in protecting their business. Thinking like an attacker isn’t really good enough. However, incorporating hacker methodologies & tools will give security teams the situational awareness and intelligence needed to respond quickly to new & previously unknown threats. The security industry is changing. For some, it’s a good thing, and for others, they’re watching their antiquated ways of failing to prevent exploits become irrelevant for smart security teams. ISSA-LA, Event Date: November 20, 2013

The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you.