Monday, October 01, 2012

Cyber Security News for the Week of October 1, 2012

From our Friends at Citadel Information Group
Cyber Crime
Chinese Hackers Blamed for Intrusion at Energy Industry Giant Telvent: A company whose software and services are used to remotely administer and monitor large sections of the energy industry began warning customers last week that it is investigating a sophisticated hacker attack spanning its operations in the United States, Canada and Spain. Experts say digital fingerprints left behind by attackers point to a Chinese hacking group tied to repeated cyber-espionage campaigns against key Western interests.
KrebsOnSecurity, September 26, 2012

Cyber Threat
Clues, experts say Microsoft knew of IE zero-day for weeks before patching: Microsoft may have known about last week's Internet Explorer (IE) zero-day bug for some time, according to its security advisory. ComputerWorld, September 23, 2012

Cyber Warning
Hidden web code means hackers can wipe Samsung Galaxy S3: Malicious hackers can hide code in a web page that will trigger a full factory reset of Samsung's best-selling Galaxy S3 smartphone, deleting contacts, photographs, music, apps and other valuable data, security researchers have discovered. The Telegraph, September 25, 2012

[SE-2012-01] Critical security issue affecting Java SE 5/6/7: We've recently discovered yet another security vulnerability affecting all of the latest versions of Oracle Java SE software. The impact of this issue is critical - we were able to successfully exploit it and achieve a complete Java security sandbox bypass in the environment of Java SE 5, 6 and 7. So far, we could only claim such an impact with reference to the Java 7 environment (the Apple QuickTime attack relying on Issues 15 and 22 is the only exception here). Thus, this post... SecLists.org, September 25, 2012

Hackers compromise Adobe server, use it to digitally sign malicious files: Adobe plans to revoke a code-signing certificate after hackers compromised one of the company's internal servers and used it to digitally sign two malicious utilities. PC World, September 28, 2012

Cyber Security Management
Cyber Attacks on U.S. Banks Expose Computer Vulnerability: Cyber attacks on the biggest U.S. banks, including JPMorgan Chase & Co. (JPM) and Wells Fargo & Co. (WFC), have breached some of the nation's most advanced computer defenses and exposed the vulnerability of its infrastructure, said cybersecurity specialists tracking the assaults. BusinessWeek, September 27, 2012

Cyber Security Management - HIPAA
HHS Alleges Massachusetts Health Care Provider Violated HIPAA: Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. (known collectively as MEEI) has agreed to pay the U.S. Department of Health and Human Services (HHS) $1.5 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. MEEI also agreed to take corrective action to improve policies and procedures to safeguard the privacy and security of its patients' protected health information, according to HHS. SDB, September 27, 2012

Cyber Update
Samsung offers up patch for Galaxy S3 remote wipe vulnerability: Samsung Galaxy S3 owners are exposed to a remote-wipe vulnerability that can now be fixed with an over-the-air update. Cnet, September 26, 2012

Cyber Underworld
Espionage Hackers Target 'Watering Hole' Sites: Security experts are accustomed to direct attacks, but some of today's more insidious incursions succeed in a roundabout way - by planting malware at sites deemed most likely to be visited by the targets of interest. New research suggests these so-called "watering hole" tactics recently have been used as stepping stones to conduct espionage attacks against a host of targets across a variety of industries, including the defense, government, academia, financial services, healthcare and utilities sectors. KrebsOnSecurity, September 25, 2012

Hacktivists
Arab hackers attack Western websites over film: A group of Arab hackers has threatened to attack Western websites in retaliation for an anti-Islamic American film that has sparked outrage and violence across the Middle East. CSO, September 25, 2012

Hackers May Have Had Help With Attacks on U.S. Banks, Researchers Say: The hackers claiming responsibility for cyberattacks on American banks over the past week must have had substantial help to disrupt and take down major banking sites, security researchers say. The New York Times, September 27, 2012

Online Bank Fraud
Online bank fraud rises as phishing criminals redouble efforts: A resurgence in phishing attacks has caused a sharp rise in the sums being lost to online credit and debit card fraud, half-year figures from the UK Cards Association have shown. TechWorld, September 28, 2012

National Cyber Security
Rockefeller asks Fortune 500 CEOs to weigh in on cybersecurity debate: Sen. Jay Rockefeller (D-W.Va.) on Wednesday sent letters to every CEO of Fortune's top 500 companies - including Apple, Cisco, Amazon, Oracle and Google - asking them to outline what measures their companies have in place to protect their computer systems from cyberattacks. The Hill, September 19, 2012

RPT-White House said to plan executive order on cybersecurity: The White House is preparing to direct federal agencies to develop voluntary cybersecurity guidelines for owners of power, water and other critical infrastructure facilities, according to people who said they had seen recent drafts of an executive order. Reuters, September 25, 2012

Limits Seen in White House Cybersecurity Executive Order: The White House may have difficulty bolstering U.S. cyber defenses through an executive order unless there's enough public support, according to former National Security Agency director Michael Hayden. Bloomberg, September 28, 2012

Cyber Research
Grant to help computer scientists understand the world of cybercrime: Computer scientists at the University of California, San Diego, the International Computer Science Institute at Berkeley and George Mason University have received a $10 million, five-year grant from the National Science Foundation to map out the illicit activities taking place in the cybersecurity underworld and to understand how the mind of a cybercriminal works. Phys.org, September 25, 2012

Cyber Error
Social Security numbers of military honor winners posted online: The Social Security numbers of Army recipients of the Medal of Honor and Distinguished Service Cross were inadvertently posted online by a Pentagon contractor and were available to the public until they were discovered by a Vietnam veteran who researches military medal awards. LA Times, September 28, 2012

Securing the Village - Events Calendar
Cyber Security Awareness Briefing; Oct 2: Dr. Stan Stahl, Citadel and ISSA-LA President, will speak on cybersecurity at the South Bay Entrepreneurial Center's new facility in Torrance, CA on Tuesday evening, October 2. In this non-technical talk - It Takes the Village to Secure the Village SM - Dr. Stahl discusses the financial implications of cyber crime, illustrates how cyber criminals take control of a user's computer, describes the limitations of technology, summarizes emerging cyber security laws, regulations and practices, and provides practical tips to lower the risk of becoming a victim. More information is available at meetup.com.

Cyber Security Awareness Briefing; Oct 11: Dr. Stan Stahl, Citadel and ISSA-LA President, will speak on cybersecurity at the monthly lunch meeting of the Science and Engineering Council of Santa Barbara. In this non-technical talk - It Takes the Village to Secure the Village SM - Dr. Stahl discusses the financial implications of cyber crime, illustrates how cyber criminals take control of a user's computer, describes the limitations of technology, summarizes emerging cyber security laws, regulations and practices, and provides practical tips to lower the risk of becoming a victim.

NetDiligence Cyber Risk and Privacy Liability Forum, October 11-12, 2012: Ritz-Carlton, Marina del Rey. Dr. Stan Stahl, Citadel and ISSA-LA President, will discuss cyber challenges and solutions during a panel discussion at 11:15AM on Friday, October 12: "Why Can't We All Just Stop Breaches?"

2012 ISSA International Conference; Oct 25-26: New opportunities abound in the midst of amazing transformations in technology, business, and culture. Inspired by Disney's innovative vision, the cybersecurity community will gather at the Magic Kingdom on October 25-26 to look at change as a chance to achieve excellence. Dr. Stan Stahl, Citadel and ISSA-LA President, and David Lam, ISSA-LA Vice President, will speak at 11:30AM on Friday. The title of their talk is It Takes the Village to Secure the Village SM.

Cyber Security Awareness-Continuing CPA Education; Dec 3: Dr. Stan Stahl, Citadel and ISSA-LA President, will speak on cybersecurity at the lunch meeting of the West San Gabriel Valley (Pasadena) Discussion Group. In this non-technical presentation, Dr. Stahl will discuss cyber security risks and what CPAs need to do to protect themselves and their clients.

Santa Monica Rotary Club; May 3, 2013: Dr. Stan Stahl, Citadel and ISSA-LA President, will speak on cybersecurity at the weekly meeting of the Santa Monica Rotary Club. In this non-technical talk - It Takes the Village to Secure the Village SM - Dr. Stahl discusses the financial implications of cyber crime, illustrates how cyber criminals take control of a user's computer, describes the limitations of technology, summarizes emerging cyber security laws, regulations and practices, and provides practical tips to lower the risk of becoming a victim.

SecurityRecruiter.com's Security Recruiter Blog