Monday, January 14, 2013

Cyber Security News for the Week of January 14, 2013

Cyber Warning

Zero-Day Java Exploit Debuts in Crimeware: The hackers who maintain Blackhole and Nuclear Pack - competing crimeware products that are made to be stitched into hacked sites and use browser flaws to foist malware - say they've added a brand new exploit that attacks a previously unknown and currently unpatched security hole in Java. KrebsOnSecurity, January 10, 2013

Vulnerability Note VU#625617: Java 7 Update 10 and earlier Java 7 versions contain an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. CERT, January 10, 2013

Cyber Underworld
'Value of a Hacked PC' Graphic Goes Global: The Value of a Hacked PC graphic, which I published on this blog a few months ago to explain bad guy uses for your PC, is getting a makeover. I'm honored to say that the SANS Institute, a security training group, has taken the idea and run with it as an educational tool, and is in the process of translating it into 17 different languages. KrebsOnSecurity, January 8, 2013

Crimeware Author Funds Exploit Buying Spree: The author of Blackhole, an exploit kit that booby-traps hacked Web sites to serve malware, has done so well for himself renting his creation to miscreants that the software has emerged as perhaps the most notorious and ubiquitous crimeware product in the Underweb. Recently, however, the author has begun buying up custom exploits to bundle into a far more closely-held and expensive exploit pack, one that appears to be fueling a wave of increasingly destructive online extortion schemes. KrebsOnSecurity, January 7, 2013

Identity Theft
Cybersecurity still at issue for S.C. after hacker exposed personal records: COLUMBIA, S.C. - Months after a foreign hacker broke into the South Carolina Department of Revenue's computer system exposing millions of taxpayers' personal records and causing the state to spend $20 million for added protection, state cabinet agencies are still working on security improvements, an examination by show. ClarionLedger, January 6, 2013

Cyber Update
Adobe, Microsoft Ship Critical Security Updates: Adobe and Microsoft today separately issued updates to fix critical security vulnerabilities in their products. Adobe pushed out fixes for security issues in Acrobat, Adobe Reader and its Flash Player plugin. Microsoft released seven patches addressing at least a dozen security holes in Windows and other software, although it failed to issue an official patch for a dangerous flaw in its Internet Explorer Web browser that attackers are now actively exploiting. KrebsOnSecurity, January 8, 2013

Cyber Security Management
Amazon's Dec. 24th Outage: A Closer Look: On Christmas Eve, Amazon Web Services experienced an outage at its Northern Virginia data center. In a prompt follow-up, it issued an explanation on Dec. 29, apologized to customers and said it wouldn't happen again. It was the fourth outage of the year in its most heavily trafficked data center complex. InformationWeek, January 4, 2013

Cyber Security Management - HIPAA
HIPAA Healthcare Data Breach Fines Climb With Enforcement Boost: Millions of dollars in fines associated with alleged violations of the Health Insurance Portability and Accountability Act have been doled out over the last six months, a sign, according to experts, that HIPAA enforcement is shedding light on the fact that the industry lags behind others when it comes to information security. CRN, January 8, 2013

First OCR Resolution for Data Breach Involving Less than 500 Patients: No Breach is "Too Small": The Department of Health and Human Services, Office for Civil Rights (OCR) reached its first settlement for a breach involving data regarding less than 500 individuals. Under the December 2013 settlement, the Hospice of North Idaho (HONI) will pay OCR a $50,000 penalty to resolve allegations that it violated the HIPAA Security Rule. The breach occurred in June 2010 with the theft of an unencrypted laptop computer containing the electronic protected health information (ePHI) of 441 HONI patients. OCR investigated the breach after HONI disclosed it in its annual report of breaches that involved less than 500 individuals required under the HITECH Act. JDSupra Law News, January 4, 2013

Cyber Security Management - Critical Infrastructure
Banks seek NSA help amid attacks on their computer systems: Major U.S. banks have turned to the National Security Agency for help protecting their computer systems after a barrage of assaults that have disrupted their Web sites, according to industry officials. Washington Post, January 11, 2013

Bank Hacking Was the Work of Iranians, Officials Say: SAN FRANCISCO - The attackers hit one American bank after the next. As in so many previous attacks, dozens of online banking sites slowed, hiccupped or ground to a halt before recovering several minutes later. The New York Times, January 8, 2013

Cyber Sunshine
Police Arrest Alleged ZeuS Botmaster: A man arrested in Thailand this week on charges of stealing millions from online bank accounts fits the profile of a miscreant nicknamed "bx1," a hacker fingered by Microsoft as a major operator of botnets powered by the ZeuS banking trojan. KrebsOnSecurity, January 10, 2013

Securing the Village-Events Calendar
ISSA-LA January Lunch Meeting; January 16, 2013. Topic: Physical Access for IT Professionals: What you don't know could already be hurting you. Speaker: Terry Gold. Visit ISSA-LA for more information and to register.

OWASP-LA January Dinner Meeting; January 23, 2013. For more information and to register, go to

Cyber Hacking; Special Evening Event, January 24, 2013: Citadel Vice President Ms. Kimberly Pease, CISSP, will speak on cybersecurity at this special evening event hosted by the Dingman Property Group. Kimberly will identify threats to information and computers, review common weaknesses being exploited by the bad guys and offer proactive steps you can take at business and at home to increase your security posture and decrease your exposure. For more information and to register, please email:

ISC2-LA February Dinner Meeting; February 5, 2013: Email Bill Zajac at for more information.

ISSA-LA February Lunch Meeting; February 20, 2013.

ISSA-LA March Dinner Meeting; March 20, 2013.

NAWBO Ventura County March Dinner Meeting, March 22, 2013: Citadel Vice President Ms. Kimberly Pease, CISSP, will speak on cybersecurity at the monthly meeting of the Ventura County Chapter of the National Association of Women Business Owners. In her talk The Growing Cyber Threat: Why the Bad Guys are Winning!, Kimberly will identify threats to information and computers, review common weaknesses being exploited by the bad guys and offer proactive steps you can take at business and at home to increase your security posture and decrease your exposure.

Santa Monica Rotary Club; Lunch Meeting, May 3, 2013: Dr. Stan Stahl, Citadel and ISSA-LA President, will speak on cybersecurity at the weekly meeting of the Santa Monica Rotary Club. In this non-technical talk - It Takes the Village to Secure the Village SM - Dr. Stahl discusses the financial implications of cyber crime, illustrates how cyber criminals take control of a user's computer, describes the limitations of technology, summarizes emerging cyber security laws, regulations and practices, and provides practical tips to lower the risk of becoming a victim.

ISSA-LA Fifth Annual Information Security Summit; May 21, 2013: SAVE THE DATE. Join over 500 of your colleagues and peers at the Universal City Hilton. Special Keynote Speaker: Howard Schmidt, former White House CyberSecurity Coordinator.