Monday, November 21, 2011
Cyber Security News of the Week, November 21, 2011
From our friends at Citadel Information Group
Securing Androids and Other Smart Devices
Two stories this week illustrate the challenge of securing mobile apps. In "Android malware infections skyrocket," Juniper Networks reports skyrocketing rates of Android malware infection, while "App Freedom Vs. Corporate Security" illustrates the challenges organizations face in helping users keep their Androids [and their iPhones and other smart devices] free of malware.
The situation with Androids has become so serious that Citadel now recommends to our clients that they "white list" acceptable Android applications while prohibiting staff from accessing sensitive corporate information from Android devices running unapproved apps.
The Android malware risk impacts the phone owner as well as the organization. We are seeing reports of users getting stiffed for thousand-dollar cell phone bills after installing applications containing hidden malware designed to secretly use the phone's text messaging system to send SMS messages to premium-rate numbers owned by cyber criminals. Once the messages are sent, the money is generally not recoverable.
Information at Risk - Personal Information
Breach exposes data at VCU: Virginia Commonwealth University will hire an outside cybersecurity consultant to examine its information technology system after a computer server containing personal data on 176,567 people was hacked last month. Richmond Times-Dispatch, November 12, 2011
Information at Risk - Anonymous Leaks
Anonymous Leaks Another Computer Expert's Personal Emails: In a typically nasty personal-political combo, Anonymous has leaked thousands of private emails belonging to a retired California cybercrime investigator named Fred Bacalagan, in what they say is payback for the recent Occupy Wall Street crackdown. Gawker, November 18, 2011
Information at Risk - Intellectual Property
Security watchdog: Norwegian energy, defense industries hit by extensive data-theft attack: OSLO, Norway - Data from Norway's oil and defense industries may have been stolen in what is feared to be one of the most extensive data espionage cases in the country's history, security officials said Thursday. The Washington Post, November 17, 2011
Information at Risk - Online Bank Fraud
Title Firm Sues Bank Over $207k Cyberheist: A title insurance firm in Virginia is suing its bank after an eight-day cyber heist involving more than $2 million in thefts and more than $200,000 in losses last year. In an unusual twist, at least some of the Eastern European thieves involved in the attack have already been convicted and imprisoned for their roles in the crime. November 14, 2011
Cyber Security Management - Help for Small Business
FCC Small Biz Cyber Planner: Information technology and high-speed Internet are great enablers of small business success, but with the benefits comes the need to guard against growing cyber threats. As larger companies take steps to secure their systems, less secure small businesses are easier targets for cyber criminals. Use this tool to create and save a custom cyber security plan for your company, choosing from a menu of expert advice to address your specific business needs and concerns. FCC.gov
Cyber Security Management - Mobile Devices
App Freedom Vs. Corporate Security: You can't prevent employees from snapping up iPads and Droid phones, even if you wanted to. Sixty-five percent of respondents to our InformationWeek 2011 Mobile Device Management and Security Survey predict that the number of employee-owned devices accessing company data will increase. What you can do is use your leverage when they want to connect to business systems by asking them to run mobile device management (MDM) software, which can enforce corporate policies and provide features such as device tracking and remote wiping. Information Week, November 18, 2011
Cyber Security Management - IRS Fails to Protect Taxpayer's Data
GAO Rips IRS Taxpayer Data Security: A new report from the Government Accountability Office (GAO) ripped into the IRS once again for insufficient access controls, database maintenance, and monitoring necessary to keep taxpayer information safe. The report's findings echo many of the issues seen in database and application security across many large enterprises today, experts say. Released last week, the GAO's financial audit reported that during the past fiscal year, the IRS still had glaring holes in internal controls over information security, in spite of initiating efforts to address concerns levied by the GAO in past years. Information Week, November 17, 2011
Cyber Security Management - Lessons Learned
Exclusive: Lax security at Nasdaq helped hackers: A federal investigation into last year's cyber attack on Nasdaq OMX Group found surprisingly lax security practices that made the exchange operator an easy target for hackers, people with knowledge of the probe said. The sources did not want to be identified because the matter is classified. Reuters, November 17, 2011
Internet Badlands - Trust
F-Secure Finds Malware Signed With Stolen Digital Certificate: Researchers from security vendor F-Secure have spotted a rare malicious software sample that carried a valid code-signing certificate from a Malaysian governmental institution. PC World, November 14, 2011
Internet Badlands - Android
Android malware infections skyrocket, says Juniper: Juniper Networks has reported skyrocketing rates of Android malware infections on the networks of its mobile customers, with detected malware more than quadrupling in just the last six weeks. That's on top of dramatic increases in the previous two years. The report will put more pressure on Google to tighten up security practices in the Android Market. Ars Technica, November 16, 2011
How to Detect Malicious Android Apps Before They Infect Your Smartphone or Tablet: For millions of people, the first thing to do when they get their new smartphone or tablet is to visit the device's app store and begin downloading games, magazines, utilities and sports apps. Apps are fun, useful and a bit addictive. They can also be dangerous. Malicious apps, especially those for Android devices, are a growing problem for smartphone and tablet users. (Apple devices are protected as long as they're not "jailbroken" to run unauthorized apps.) Security News Daily, October 25, 2011
Internet Badlands - Facebook
Facebook users reel from porn spam attack: After being bombarded with hard-core pornographic and violent images on their news feeds, some Facebook users may change how and if they use the social network, according to industry analysts. Computerworld, November 16, 2011
National Cyber Security - Critical Infrastructure
Foreign hackers targeted U.S. water plant in apparent malicious cyber attack, expert says: Foreign hackers caused a pump at an Illinois water plant to fail last week, according to a preliminary state report. Experts said the cyber-attack, if confirmed, would be the first known to have damaged one of the systems that supply Americans with water, electricity and other essentials of modern life. The Washington Post, November 18, 2011
Water utility hackers destroy pump, expert says: Hackers destroyed a pump used by a US water utility after gaining unauthorized access to the industrial control system it used to operate its machinery, a computer security expert said. The Register, November 17, 2011
National Cyber Security - Combating Cyber Crime
DOJ wants to prosecute cyber criminal activity under racketeering law: The set of laws that has allowed federal prosecutors to bring down traditional organized crime gangs should be applied to international cyber crime rings, a top Department of Justice official told a congressional committee on Nov. 15. GSN, November 16, 2011
Cyber War - Stuxnet & Duqu
New Computer Malware May Presage Another Cyberattack, Potentially on Iran: Roughly a year ago, the era of cyberwar officially began with the revelation that a complex computer worm called Stuxnet, allegedly designed in the U.S. and tested in Israel, had sabotaged the Iranian nuclear facility in Natanz. The Daily Beast, November 16, 2011
Iran Admits Nuclear Sites Hit by 'Duqu' Cyberweapon: Iranian officials admitted Sunday that they had uncovered evidence of the Duqu computer virus - labeled "Son of Stuxnet" by cyber experts - at the Islamic Republic's nuclear sites, state-controlled IRNA news agency reported. Fox News, November 14, 2011
Cyber Security Legislation - Pending
Sandia Labs: SOPA will 'negatively impact' U.S. cybersecurity: Add the Sandia National Laboratories, part of the U.S. Department of Energy, to the list of opponents of a controversial Hollywood-backed copyright bill. CNET, November 17, 2011
SOPA, controversial online piracy bill, gains support as lobbying intensifies: Several lawmakers expressed support Wednesday for a controversial bill aimed at curbing online piracy as lobbying over the issue reached a fever pitch. The Washington Post, November 16, 2011
Cybercrime Watch: Fabricated Dating Profiles: House lawmakers on Tuesday are slated to mull updating a 1986 anti-hacking law that even ideological opponents agree criminalizes innocent Web surfing. However, when a Senate panel discussed the Computer Fraud and Abuse Act in September, Justice Department officials argued that changing the penalties could let legitimate bad guys off the hook. Nextgov, November 14, 2011
Ray of Sunshine
Celeb hacker Christopher Chaney faces fresh charges of identity theft: A US man has been indicted on two additional felony counts for allegedly hacking into an email account belonging to an unnamed actress, according to court documents. AP, November 19, 2011
SecurityRecruiter.com's Security Recruiter Blog