Monday, November 07, 2011

Cyber Security News of the Week, November 7, 2011

Cyber Security Story of the Week 
From our friends at Citadel Information Group 

Our lead story of the week is the breach disclosure from UCLA Health System: U.C.L.A. Health System Warns About Stolen Records. 16,288 medical records were on a computer stolen from a doctor's home as part of a robbery. The good news was that the hard drive was encrypted. The bad news was that the password was on a piece of paper near the computer, and it too went missing.

Rule 1 is never write down passwords. Rule 2 is: if you're going to break rule 1, do it securely. If you must write a password down, write it on a piece of paper the size of a credit card and keep it in your wallet with your credit cards and your driver's license. And write only the password: write "15Blah-blah-blah", not "my laptop password is 15Blah-blah-blah."

Alerts and Warnings
Microsoft Issues Stopgap Fix for 'Duqu' Flaw: Microsoft has released an advisory and a stopgap fix for the zero-day vulnerability exploited by the "Duqu" Trojan, a highly targeted malware strain that some security experts say could be the most important cyber espionage threat since Stuxnet. KrebsOnSecurity, November 4, 2011

Information at Risk
Massive hack hit 760 companies: NEW YORK (CNNMoney) - A massive cyberattack that led to a vulnerability in RSA's SecurID tags earlier this year also victimized Google, Facebook, Microsoft and many other big-name companies, according to a new analysis released this week. CNN Money, October 28, 2011

U.C.L.A. Health System Warns About Stolen Records: LOS ANGELES (AP) - UCLA's system of hospitals and clinics warned more than 16,000 patients that their personal information was on a computer hard drive stolen in the burglary of a doctor's home, officials said Friday. The New York Times, November 4, 2011

Hackers Hit 29 Chemical Makers in 'Nitro' Attack, Symantec Says: Computer hackers struck 29 chemical companies in attacks this summer aimed at gathering data on formulas and manufacturing processes, according to security provider Symantec Corp. SF Gate, November 2, 2011

Are You on the Pwnedlist?: 2011 has been called the year of the data breach, with hacker groups publishing huge troves of stolen data online almost daily. Now a new site called lets users check to see if their email address or username and associated information may have been compromised. KrebsOnSecurity, November 2, 2011

Cyber Security Management
Should you share breach information?: When companies suffer a security breach today they face that core dilemma: Tell the world and hope the honesty helps others, or keep it under wraps to avoid tarnishing the brand and duck possible lawsuits? One thing is clear from the arguments below: It is time for the government to take the guesswork out of the equation. Network World, November 2, 2011

Cyber Security Management - Cloud Security
Ponemon Institute Survey on Cloud Data Security Exposes Gulf between IT Security and Compliance Officers: SAN JOSE, Calif., Nov 01, 2011 (BUSINESS WIRE) - Vormetric, Inc., the leader in enterprise systems encryption and key management, today announced the results from an independent research report conducted by the Ponemon Institute on how organizations manage data security risks in cloud computing environments. The survey of 1,000 IT security practitioners and enterprise compliance officers revealed that less than half of all respondents believe their organizations have adequate technologies to secure their cloud infrastructures. Meanwhile, the two groups sharply disagreed on whether the cloud is as secure as on-premise datacenters, who is responsible for cloud data security, and what security measures should be used. Market Watch, November 1, 2011

Most Execs Don't Feel They Can Secure Cloud Infrastructures: Enterprises are using cloud infrastructures, but they aren't very confident in their ability to secure them, according to a study to be published Wednesday. Dark Reading, November 2, 2011

Poll: 67% Security Fear Factor With Cloud Computing: Computing via the Internet cloud - like renting servers in a far-off data center from Amazon or Rackspace - can save companies money and keep them flexible. But it can be a security challenge. November 4, 2011

Internet Badlands
Lazy Hackers Port Ancient Linux Trojan to Mac OSX: Hackers are testing new Mac malware that they've ported from a nine-year-old Trojan horse originally written for Linux, according to security experts. Computer World, October 31, 2011

Bank Security
Community Bank Focus on Consumer Security Contradicts Regs: Community bankers are strengthening security on consumer accounts, but they are not always extending those protections to business accounts, which regulators say are at a higher risk. American Banker, August 16, 2011

Cyber War
Security Expert Warns of Cyber World War: LONDON - A leading Internet security expert warned Tuesday that a cyber terrorist attack with "catastrophic consequences" looked increasingly likely in a world already in a state of near cyber war. Fox News, November 1, 2011

Cyber War - Stuxnet
Stuxnet Raises 'Blowback' Risk In Cyberwar: The Stuxnet computer worm, arguably the first and only cybersuperweapon ever deployed, continues to rattle security experts around the world, one year after its existence was made public. NPR, November 2, 2011

National Cyber Defense
U.S. report blasts China, Russia for cyberattacks: WASHINGTON (AP) - U.S. intelligence officials accused China and Russia on Thursday of systematically stealing American high-tech data for their own national economic gain. USA Today, November 3, 2011

EU and US cybersecurity experts stress-test defences: EU and US cybersecurity officials have tested how they would co-ordinate their response to a hacking attack. BBC, November 3, 2011

International Cyber Security
Hague lists cyber 'rules of the road': Governments should follow seven cyber 'rules of the road' in deciding how to act and regulate behaviour online, UK foreign secretary William Hague has told a UK government cybersecurity conference. ZDNet, November 1, 2011