2013-09-02

Guest column by Citadel Information Group

Cyber Security News of the Week

Cyber Attack

How Syrian Hackers Found the New York Times’s Australian Weak Spot: A hacking attack launched by the Syrian Electronic Army may have targeted the New York Times and other U.S. media companies, but the weak link was Melbourne IT (MLB:AU), a domain registrar that directs Internet traffic to the companies’ servers. How can an assault on an obscure Australian Web-services provider lead to a more than 20-hour disruption at the Times’ website? BusinessWeek, August 28, 2013

Syrian Hack Of NYTimes.com Could Have Inflicted Much More Than Mere Embarrassment: When hackers take down a website, their weapon of choice is often a less-than-subtle technique known as a denial of service attack, which merely overwhelms a site’s servers with junk traffic. But the trick that the hacker group known as the Syrian Electronic Army pulled against the New York Times, Twitter, and the Huffington Post UK Tuesday seems to have been very different, and potentially far more invasive. Forbes, August 28, 2013

Syrian Hackers Might Have Used More Sophisticated Method to Bring Down the New York Times: The New York Times’ website went down midafternoon Tuesday, marking the second time in August the Grey Lady has gone dark. While the company blamed the first outage on an “internal issue,” a company VP tweeted Tuesday that an “initial assessment” concluded the new outage, which was still plaguing the site as of Tuesday evening, was due to a “malicious external attack.” It didn’t take long for Twitter users to come to a consensus that the most likely culprit was the Syrian Electronic Army, or SEA, and soon enough the SEA claimed credit. But as more details emerge about the attack, it appears the SEA may be using more-sophisticated methods to wreak havoc online than was previously believed. Time, August 27, 2013

Service Restored to .cn Domain After Large DDoS Attack: Long fingered as the source of denial-of-service attacks and other hacks against foreign interests, China’s .cn domain was targeted on Sunday and approximately one-third of the sites registered to that domain were kept offline for a period of time. A statement from the China Internet Network Information Center blamed the outage on the largest ever denial of service attack the country has faced. ThreatPost, August 26, 2013

Hackers deface Google Palestine, object to Google Maps labeling of Israel: Google’s presence in the Palestinian territories, Google.ps, has been defaced by hackers, apparently objecting to the Google Maps labeling of the Israel and Palestinian borders. The Washington Post, August 26, 2013

Cyber Privacy

Facebook reveals governments asked for data on 38,000 users in 2013: Government agencies around the world demanded access to the information of over 38,000 Facebook users in the first half of this year, and more than half the orders came from the United States, the company said on Tuesday. The Guardian, August 28, 2013

Report: NSA Broke Into UN Video Teleconferencing System: IDG News Service – The U.S. National Security Agency reportedly cracked the encryption used by the video teleconferencing system at the United Nations headquarters in New York City. CIO, August 26, 2013

U.S. Surveillance Fallout Costing Third-Party Providers: E-mail encryption provider Lavabit shuts down, Silent Circle shutters its own service, and analysts are forecasting tens of billions of lost revenue for cloud and service providers. DarkReading, August 23, 2013

FISA Judge: NSA misrepresented themselves, violated the Constitution: A federal judge said in a recently declassified opinion, issued during his time serving on the Foreign Intelligence Surveillance Court, that the National Security Agency misrepresented themselves and violated the Constitution for several years. CSO, August 22, 2013

Online Bank Fraud

Mobile Trojan Defeats Dual Authentication: A new cross-device mobile Trojan that already has targeted online-banking customers has been linked to the same group that waged the successful High Roller attacks last summer. So far, customers of several top-tier institutions in Northern Europe and a handful in the U.S. have been victimized. BankInfoSecurity, August 29, 2013

Account Takeovers Get More Sophisticated: Account takeover techniques are getting more sophisticated. Now, attackers no longer need to use phishing, vishing and smishing attacks to get users to cough up their account logins and passwords. BankInfoSecurity, August 22, 2013

Identity Theft

Call DirecTV, risk identity theft?: Despite the risk of identity theft and fraud, DirecTV asks for the Social Security numbers of people who aren’t even signing up for service but are merely checking out costs. LA Times, August 26, 2013

Cyber Warning

Apple Mac flaw gives hackers ‘super status,’ root access: An unaddressed five-month-old flaw in Apple’s Mac OS X gives hackers near unlimited access to files by altering clock and user timestamp settings. ZDNet, August 30, 2013

Gone Phishing: How Major Websites Get Hacked: Two digital publishing giants, the New York Times and Twitter, succumbed to hackers on Tuesday, with the Times going dark for six long hours and with Twitter forced to reassure its millions of users that their personal information had not been compromised. National Geographic, August 28, 2013

Crooks are using new “vishing” scam to plunder bank accounts: In the latest swindle, householders are called on their landlines and are duped into parting with personal and financial details. Mirror News, August 28, 2013

Malicious Software Poses as Video From a Facebook Friend: A piece of malicious software masquerading as a Facebook video is hijacking users’ Facebook accounts and Web browsers, according to independent Italian security researchers who have been investigating the situation. The New York Times, August 26, 2013

Internal US government memo warns authorities about Android malware threats: Public Intelligence has published a joint release from the US Department of Homeland Security and Department of Justice cautioning government workers about the severity of malware threats on the Android platform. According to the government’s findings, 79% of mobile operating malware threats in 2012 took place on Android, compared to 0.7% on iOS. The Next Web, August 26, 2013

Spear-Phishing E-mail with Missing Children Theme: The FBI is aware of a spear-phishing e-mail appearing as if it were sent from the National Center for Missing and Exploited Children. The subject of the e-mail is “Search for Missing Children,” and a zip file containing three malicious files is attached. E-mail recipients should always treat links and attachments in unsolicited or unexpected e-mail with caution. US-CERT, August 22, 2013

Cyber Security Management

How To Prevent Cyber Crime: Prevention will always be your best line of defense against cyber criminals. Like any other criminal activity, those most vulnerable tend to be the first targeted. Forbes, August 28, 2013

How Worried Should Small Businesses Be Regarding Cyber Security?: By some estimates, network-based attacks, such as DDoS (short for Distributed Denial of Service), which have the ability to take down large computing networks, have increased by 700 percent this year. Forbes, August 27, 2013

CDSA Releases Updated Version of its Content Protection Security Standard, Making Ongoing Improvements to its International Certification Program: NEW YORK – The Content Delivery & Security Association (CDSA), the international association advocating the secure and responsible delivery and storage of entertainment, software, and information media, announced today the release of an updated version of its Content Protection and Security (CPS) Certification Standard. CDSA, August 27, 2013

Another Amazon Outage Exposes the Cloud’s Dark Lining: It was likely another eventful weekend for the engineers in Amazon’s Web services division. On Sunday afternoon, a hardware failure at Amazon’s U.S.-East data center in North Virginia led to spiraling problems at a host of well-trafficked online services, including Instagram, Vine, AirBnB, and the popular mobile magazine app Flipboard. Bloomberg, August 26, 2013

Nearly One-Fifth Of Enterprise Operating Systems Not Fully Patched: One in five IT professionals say they either have not fully patched their organizations’ endpoint operating systems – or they aren’t sure whether the machines are up-to-date. DarkReading, August 23, 2013

ISO Updates Information Security Management Standard: ISO/IEC 27001, the information security management system standard, is being revised to strengthen risk management practices and encourage them to be integrated into the operational whole for organizations. InfoSecurity Magazine, August 21, 2013

Cyber Security Management – Cyber Update

Hackers Target Java 6 With Security Exploits: Warning to anyone still using Java 6: Upgrade now to Java 7 to avoid being compromised by active attacks. InformationWeek, August 26, 2013

Securing the Village

Secretive Companies Allow Hackers To Thrive: U.S. Attorney: Some American companies are still unwilling to report to law enforcement they have been hacked, a reluctance that is making it more difficult to combat cybercrime, a top federal prosecutor told The Huffington Post. Huffington Post, August 28, 2013

Dynamic cooperation: the best weapon for cybersecurity: In the furious public debate on how best to protect the nation’s electric system from cyber attacks, it’s easy to forget that all of us (public officials, utility leaders and consumers) are in this together. That’s why we took note when Dr. Patrick Gallagher, Director of the National Institute of Standards and Technology, testified that the “partnership with industry to develop, maintain and implement voluntary consensus standards related to cybersecurity best ensures the interoperability, security and resiliency of this global infrastructure and makes us all more secure.” Intelligent Utility, August 26, 2013

Cyber Underworld

Cybercrime service automates creation of fake ID verification documents: A new Web-based service for cybercriminals automates the creation of fake scanned documents that can help fraudsters bypass the identity-verification processes used by some banks, e-commerce businesses, and other online services providers, according to researchers from Russian cybercrime investigations firm Group-IB. PC World, August 27, 2013

Cyber Career

Cybersecurity And Privacy Specialists In Short Supply: A cover story in the Los Angeles Daily Journal (subscription required) reported that the need for privacy and cybersecurity legal specialists has exploded in California, yet general counsel say there is a shortage of qualified practitioners who can do the job. LinkedIn Corp.’s General Counsel Erika Rottenberg was featured in the story; she speculated that technology companies in Silicon Valley were hiring most of the qualified attorneys, leaving less talent for law firms. Amidst a legal job market in which law graduates are clamoring to find jobs, the demand for privacy and cybersecurity specialists may present an opportunity for the law schools that are nimble enough to respond to the demand. Forbes, August 26, 2013

The IT Summit would like to thank Citadel Information Group for allowing us to provide this information to you.
