Monday, January 28, 2013

Cyber Security News for the Week of January 28, 2013

From our friends at Citadel Information Group

Cyber Underworld

Inside the Gozi Bulletproof Hosting Facility: Nate Anderson at Ars Technica has a good story about how investigators tracked down "Virus," the nickname allegedly used by a Romanian man accused by the U.S. Justice Department of running the Web hosting operations for a group that created and marketed the Gozi banking Trojan. Turns out, I've been sitting on some fascinating details about this hosting provider for many months without fully realizing what I had. KrebsOnSecurity, January 25, 2013

Cyber Privacy

Letter From Forty-Four Digital Rights Groups Demands Skype Detail Its Surveillance Practices: Skype has long been a quintessential bad actor for the privacy community, one that not only refuses to make promises about protecting user data from government surveillance, but won't even reveal basic facts about how and when it hands user conversations over to the government. Now, eight months after the voice-over-IP company was officially integrated into Microsoft, a critical mass of privacy activists are demanding answers. Forbes, January 24, 2013

Two Out Of Three Cases Where Google Gives User Data To Government Don't Involve A Warrant: It may be easier than you think for government entities to demand the private data you've stored on Google's servers. Most of the time, it doesn't even require a judge's signature. Forbes, January 23, 2013

Rossen Reports: Webcam hackers can spy on you in secret: Could predators be spying on you and your kids through your computer's webcam? Authorities say criminals are now able to hack in and watch your every move - without you ever knowing it. Today News, January 22, 2013

Anonymous threatens Justice Department over hacktivist death: In anger over the recent death of an Internet activist who faced federal charges, hackers claiming to be from the group Anonymous threatened early Saturday to release sensitive information about the U.S. Department of Justice. CNN Tech, January 27, 2013

Cyber Warning

Backdoors Found in Barracuda Networks Gear: A variety of the latest firewall, spam filter and VPN appliances sold by Campbell, Calif.-based Barracuda Networks Inc. contain undocumented backdoor accounts, the company disclosed today. Worse still, while the backdoor accounts are apparently set up so that they would only be accessible from Internet addresses assigned to Barracuda, they are in fact accessible to potentially hundreds of other companies and network owners. KrebsOnSecurity, January 24, 2013
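The practical lesson from the Barracuda story is that a source-address allow-list is only as tight as the prefixes in it: an account restricted to "the vendor's addresses" is reachable by everyone else who happens to share those blocks. The following script, added here as an illustration and not taken from Barracuda or from the Krebs article, audits an allow-list against the prefixes an organization actually holds and reports the excess. The prefixes are constructed documentation ranges (RFC 5737), not Barracuda's real allocations.

```python
import ipaddress

# Constructed example (NOT Barracuda's real ranges): the source-address
# allow-list an appliance enforces for a support/backdoor account, and the
# prefixes the vendor can actually prove it owns.
ALLOWED = ["203.0.113.0/24", "198.51.100.0/25"]
VENDOR_OWNED = ["203.0.113.0/26", "198.51.100.0/25"]


def excess_ranges(allowed, owned):
    """Return the networks the allow-list admits that the vendor does not own.

    Each allowed prefix is carved up with address_exclude() for every owned
    prefix that falls inside it; whatever is left over is reachable by
    third parties who merely share address space with the vendor.
    """
    owned_nets = [ipaddress.ip_network(n, strict=True) for n in owned]
    excess = []
    for a in allowed:
        remaining = [ipaddress.ip_network(a, strict=True)]
        for o in owned_nets:
            next_remaining = []
            for r in remaining:
                if o.version != r.version:
                    next_remaining.append(r)        # v4/v6 never overlap
                elif o.subnet_of(r):
                    next_remaining.extend(r.address_exclude(o))  # carve out
                elif r.subnet_of(o):
                    pass                            # fully covered, drop it
                else:
                    next_remaining.append(r)        # disjoint, keep as-is
            remaining = next_remaining
        excess.extend(remaining)
    return sorted(excess)


def excess_address_count(allowed, owned):
    """Number of individual source addresses admitted beyond the vendor's own."""
    return sum(n.num_addresses for n in excess_ranges(allowed, owned))


def is_permitted(addr, allowed):
    """Would the appliance's allow-list let a connection from addr through?"""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(a) for a in allowed
               if ipaddress.ip_network(a).version == ip.version)


if __name__ == "__main__":
    for net in excess_ranges(ALLOWED, VENDOR_OWNED):
        print(f"allow-listed but not vendor-owned: {net} ({net.num_addresses} addresses)")
    print("total excess addresses:", excess_address_count(ALLOWED, VENDOR_OWNED))
    # A host in the excess space is accepted just like a real vendor host.
    print("203.0.113.200 permitted:", is_permitted("203.0.113.200", ALLOWED))
```

Run against a real appliance's rule set and the vendor's published or WHOIS-verified prefixes, a non-empty result is the finding: the control is not "vendor only" and the account should be disabled or moved behind authenticated, logged access rather than a broader IP filter.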

Researchers Warn: Mega's New Encrypted Cloud Doesn't Keep Its Megasecurity Promises: Kim Dotcom, like every smart founder of a startup in a crisis, is pivoting. Since his Mega empire of filesharing websites and financial assets were seized in an indictment over massive alleged copyright violations last year, he's been working on a relaunch designed to transform the company's reputation from a business focused on piracy to one focused on privacy, specifically airtight encryption like no other storage site has ever offered. Forbes, January 21, 2013

WordPress Fixes 37 Bugs with Latest Update: WordPress pushed out version 3.5.1 of its open source blogging platform yesterday, fixing 37 bugs including several cross-site scripting (XSS) errors and a vulnerability that could have allowed an attacker to expose information and compromise an unpatched site. ThreatPost, January 25, 2013

Cyber Security Management

What Antivirus Shortcomings Mean For SMBs: Accepting the risks that come with relying solely on AV not only puts data at risk, but also could kill future earning potential. DarkReading, January 23, 2013

Google's Move from Passwords Gets Applause from Leading Security Expert: Dr. Stahl is quoted in this story. Google's efforts to make the Internet more secure by eliminating the use of passwords are drawing praise from one of the nation's leading authorities on digital security. The Biz Coach, January 22, 2013

Cyber Security Management - HIPAA

Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules, Federal Register, January 25, 2013

HIPAA omnibus and HITECH civil penalty changes: As healthcare organizations read up on the HIPAA omnibus rule, a significant consideration should be the potential civil penalties tied to the HITECH act that are now associated with the rule. Calculating penalties is no longer just a maximum of $100 per violation and $25,000 per year and can put a far bigger dent in a healthcare organization's budget. HealthIT Security, January 23, 2013

HIPAA Changes Could Create New Bureaucratic Burdens: Changes coming to the HIPAA Privacy and Security Rule mean added administrative work, and they could mean additional reporting, said Lisa Sotto, head of Hunton & Williams' global privacy and data security practice in an interview with InformationWeek Healthcare. Information Week HealthCare, January 23, 2013

Cyber Security Management - Critical Infrastructure

SCADA Security 2.0: Siemens will consider whether to offer a bug bounty program as security experts look at new approaches to tackling SCADA security woes. Dark Reading, January 24, 2013

Supply Chain Uncertainties Complicate Security: Los Alamos National Laboratory's move to oust Chinese hardware without any evidence of backdoors highlights how supply-chain insecurities are difficult to manage. DarkReading, January 23, 2013

Cyber Security Management - Fines & Penalties

Sony Fined £250,000 in UK for 2011 Playstation Hack: A government body in the U.K. has fined Sony £250,000 (US$396,000) for using lax network security when its PlayStation network was hacked in 2011. CIO, January 24, 2013

National CyberSecurity

Rising cyberthreats set backdrop for latest cybersecurity bill: DHS Secretary Janet Napolitano urges Congress to pass the new legislation, saying it should not wait for a '9/11 in the cyber world.' CSO, January 25, 2013

Securing the Village

White House Announces 'National Day of Civic Hacking': Whether or not you have coding skills, the U.S. government asks you to roll up your sleeves in June and help solve the nation's problems. CIO, January 24, 2013

National Day of Civic Hacking: National Day of Civic Hacking is a national event that will take place June 1-2, 2013, in cities across the nation. The event will bring together citizens, software developers, and entrepreneurs from all over the nation to collaboratively create, build, and invent new solutions using publicly-released data, code and technology to solve challenges relevant to our neighborhoods, our cities, our states and our country. National Day of Civic Hacking will provide citizens an opportunity to do what is most quintessentially American: roll up our sleeves, get involved and work together to improve our society.

O'Malley floats $3 million tax credit pool to bolster cybersecurity in Maryland: Maryland is looking to build on the success of a biotechnology tax credit to bolster another industry here - cyber security. Gov. Martin O'Malley proposed in his fiscal 2014 budget a new cyber security tax credit that would set aside $3 million to encourage cyber security companies to expand or set up shop in Maryland. Washington Business Journal, January 24, 2013

Cyber Sunshine

Three Charged in Connection with 'Gozi' Trojan: Federal prosecutors today announced criminal charges against three men alleged to be responsible for creating and distributing the Gozi Trojan, an extremely sophisticated strain of malicious software that was sold to cyber crooks and was tailor-made to attack specific financial institutions targeted by each buyer. KrebsOnSecurity, January 23, 2013

Securing the Village-Events Calendar

ISC2-LA February Dinner Meeting; February 5, 2013: Email Bill Zajac at for more information.

Cloud Security Alliance - Los Angeles Chapter; February 13, 2013: "Can encryption help alleviate concerns about moving to the cloud?" For more information and to register, go to

ISSA-LA February Lunch Meeting; February 20, 2013. For more information and to register, visit ISSA-LA.

ISSA-LA March Dinner Meeting; March 20, 2013.

NAWBO Ventura County March Dinner Meeting, March 22, 2013: Citadel Vice President Ms. Kimberly Pease, CISSP, will speak on cybersecurity at the monthly meeting of the Ventura County Chapter of the National Association of Women Business Owners. In her talk, The Growing Cyber Threat: Why the Bad Guys are Winning!, Kimberly will identify threats to information and computers, review common weaknesses being exploited by the bad guys and offer proactive steps you can take at business and at home to increase your security posture and decrease your exposure.

Santa Monica Rotary Club; Lunch Meeting, May 3, 2013: Dr. Stan Stahl, Citadel and ISSA-LA President, will speak on cybersecurity at the weekly meeting of the Santa Monica Rotary Club. In this non-technical talk - It Takes the Village to Secure the Village (SM) - Dr. Stahl discusses the financial implications of cyber crime, illustrates how cyber criminals take control of a user's computer, describes the limitations of technology, summarizes emerging cyber security laws, regulations and practices, and provides practical tips to lower the risk of becoming a victim.

ISSA-LA Fifth Annual Information Security Summit; May 21, 2013: SAVE THE DATE. Join over 500 of your colleagues and peers at the Universal City Hilton. Special Keynote Speaker: Howard Schmidt, former White House CyberSecurity Coordinator.