Monday, March 11, 2013

Cyber Security News for the Week of March 11, 2013

From our friends at Citadel Information Group

Cyber Crime

Hackers Pull Off $12,000 Bitcoin Heist: A Bitcoin transaction services company says that hackers broke into one of its brokerage accounts last week, nabbing more than $12,000 worth of the digital currency. Wired, March 7, 2013

Cyber Espionage

Warning to Hollywood: Chinese Hackers Want Your Secrets (Guest Column): A top cybersecurity lawyer says the Chinese are after any edge they can get, from financial details that help with negotiations to reading scripts. HollywoodReporter, March 7, 2013

Cyber Privacy

Two Texas Bills Could Shape Mobile Privacy: Two bills introduced in Texas this week could refine mobile privacy in the state and tweak how law enforcement can request sensitive information from cell phones going forward. ThreatPost, March 8, 2013

Managing Your Privacy with Facebook's New News Feed: Facebook started rolling out the new look to its News Feed yesterday - and as a result, a few functions have changed on the site. Wall Street Journal, March 8, 2013

Google Breaks Silence On FBI's National Security Letters That Demand Its Users' Data: National security letters are the Fight Club of government data surveillance. Thanks to the gag orders that accompany those FBI requests for users' private information, the first rule for any company that receives an NSL is that it doesn't talk about receiving an NSL. Now Google is doing its best to blur, if not quite break, that rule. Forbes, March 5, 2013

Identity Theft

Yet Again Consumers Rank Identity Theft As Top Concern: Last week the FTC released their top 10 complaint categories for 2012. You'd be excused if you thought for a moment that someone screwed up and posted the list for 2012, or 2011, or really any year for the past 13. Identity theft has led the consumer concerns in FTC complaints for that entire period, and it's not hard to see why. People are most concerned about situations where they have received concrete harm, and ID theft is an area where there is significant harm monetarily as well as stress and time spent fixing the problem after it occurs. Forbes, March 7, 2013

Cyber Threat

The Android Malware Problem is Not Hyped, Researchers Say: IDG News Service - Recent reports from antivirus companies seem to suggest that the number of Android malware threats is growing. However, there are still many skeptics who think that the extent of the problem is exaggerated. CIO, March 8, 2013

Mobile Malcoders Pay to (Google) Play: An explosion in malware targeting Android users is being fueled in part by a budding market for mobile malcode creation kits, as well as a brisk market for hijacked or fraudulent developer accounts at Google Play that can be used to disguise malware as legitimate apps for sale. KrebsOnSecurity, March 6, 2013

Cyber Warning

Size, Funding of Bank DDoS Attacks Grow in Third Phase: The resumption this week of distributed denial of service attacks against major U.S. banks brought not only more cost and disruption to financial institutions trying to keep online services available, but it also raised new questions about the funding and true motives behind the attacks. ThreatPost, March 8, 2013

Twitter OAuth API Keys Leaked: The OAuth keys and secrets that official Twitter applications use to access users' Twitter accounts have been leaked in a post to Github this morning. ThreatPost, March 7, 2013

Malware Writers Prefer Android: Owners of Android smartphones have more to worry about than their peers, according to a new security report published Thursday from F-Secure. During the fourth quarter of 2012, 96% of all malware was written for Android, which has become the biggest target for ne'er-do-wells. InformationWeek, March 7, 2013

Malware attack poses as security warning from Microsoft Digital Crimes Unit: Windows users - do you take your computer's security seriously? NakedSecurity, March 7, 2013

Bank Attackers Restart Operation Ababil DDoS Disruptions: Some customers report difficulty accessing banking sites, but officials said DDoS defenses and service provider blocks may be partly to blame. InformationWeek, March 6, 2013

Cyber Defense

Apple Finally Fixes App Store Vulnerabilities: Apple has fixed several App Store security issues that first arose last summer, but it hasn't explained why it took so long to start encrypting communications using public Wi-Fi networks. ThreatPost, March 8, 2013

Deutsche Telekom Unveils Real-time Map of Global Cyberattacks: IDG News Service - Deutsche Telekom launched a Web portal Wednesday that provides a real-time visualization of cyberattacks detected by its network of sensors placed around the world. CIO, March 6, 2013

Cyber Security Management

An Auditor's Thoughts On Access Control: Regardless of whether it's for PCI, HIPAA, SOX, or GLBA, chances are high that if an auditor's bound for your organization, your access control is about to go under the microscope. With so many compliance-driven mandates around separation of duties and user monitoring dependent on strong access control regimes, it's no wonder that this is one of the key areas that auditors will focus their efforts. DarkReading, March 7, 2013

The Great Lie Of Compliance: It happened again: I'm chatting with a gentleman at one of those business social events. He is senior management for a large organization. As we talk about the economy and business, he politely asks a few questions about what my team does to help companies. DarkReading, March 6, 2013

In a Lawsuit, Can Your Cloud Provider Get Key Evidence You Need?: Any business that anticipates using cloud-based services should be asking the question: What can my cloud provider do for me in terms of providing digital forensics data in the event of any legal dispute, civil or criminal case, cyberattack or data breach? CIO, March 6, 2013

Hackers use corporate attacks as staging grounds for other cyber assaults: Network World - Attackers have invaded corporate networks to steal sensitive data and use them as staging grounds to attack other corporate networks - and IT managers detecting these invaders may find yet another surprise: law enforcement lurking in their networks monitoring it all as part of a cyber-sting. NetworkWorld, March 1, 2013

Cyber Update

Mozilla and Google Patch Browser Flaws Used in Pwn2Own: VANCOUVER - Within less than 24 hours of the vulnerabilities being used and disclosed to them, both Mozilla and Google have issued patches for flaws employed by participants in this week's Pwn2Own contest at CanSecWest here. ThreatPost, March 8, 2013

Oracle Issues Emergency Java Update: Oracle today pushed out the third update in less than a month to fix critical vulnerabilities in its Java software. This patch plugs a dangerous security hole in Java that attackers have been exploiting to break into systems. KrebsOnSecurity, March 4, 2013

Securing the Village

COLUMN: Online cyber security video resources for all skill levels: As I speak to audiences across the country and even in my own social circle, it is clear that many people feel overwhelmed and under educated about online safety. The saddest comment I hear after a talk is, "Should I just stay off the Internet?", March 7, 2013

Bit9's Delicate Disclosure Dance A Sign Of The Times: Firsthand breach disclosure is gradually becoming a best practice for security firms, which are increasingly being targeted by the attackers that their products are trying to repel. DarkReading, March 6, 2013

KrebsOnSecurity Wins Awards: I recently returned from San Francisco, which last week hosted the annual RSA Security conference. I had the pleasure of moderating a panel discussion on Raising the Costs of Compromise with some very smart guys, and also shared a stage with several security authors who were recognized for their contributions to infosec media. KrebsOnSecurity, March 4, 2013

National Cyber Security

What's Next for Cybersecurity After White House Order?: Senators renew work on cybersecurity legislation in wake of Obama's executive order. Department of Homeland Security Secretary reiterates administration's position that a comprehensive bill is needed to expand White House directive. CIO, March 8, 2013

U.S. Cybersecurity Status Weak, Reports Charge: The Department of Defense is "not prepared" to defend against sophisticated international cyber attacks, and government-wide, agencies have failed to meet some White House cybersecurity targets, according to two new reports. InformationWeek, March 7, 2013

Obama's Five-Point Plan To Fight Cyber-Crime: Continued cyber-attacks on the United States may soon be met with trade or diplomatic punishment against the nations of origin. The Obama administration last week listed more than a dozen instances of international assaults against U.S. businesses, resulting in stolen trade secrets, blunted competitive edge and lost American jobs. Forbes, February 25, 2013

Cyber Law

LinkedIn Data Breach Lawsuit Dismissed: The professional networking site LinkedIn won a class-action lawsuit before it even went to trial after a judge this week dismissed claims from two premium users who maintained the company failed to provide the level of data security outlined in its privacy policy. ThreatPost, March 6, 2013

Cyber Career

Demand for IT Security Experts Outstrips Supply: Demand for information security experts in the United States is outstripping the available supply by a widening margin, according to a pair of recently released reports. CIO, March 7, 2013

Hot security skills of 2013: Most successful CSOs will tell you it was a unique mix of skills that propelled them to their current position. Technical background is important, certainly, but practice in the business and excellence in communication are paramount for any CSO truly worthy of a place in the C-suite. We don't expect that to change any time soon. CSO, March 6, 2013

Securing the Village-Events Calendar

ISSA-LA March Dinner Meeting; March 20, 2013. Garret Grajek, CTO / COO, SecureAuth Corporation will speak on Securing Mobile Apps for the Enterprise. Luminaria's 3500 West Ramona Boulevard. Monterey Park. 6:30 - 8:45. For more information and to register, visit ISSA-LA.

NAWBO Ventura County March Dinner Meeting, March 28, 2013: Citadel Vice President Ms. Kimberly Pease, CISSP, will speak on cybersecurity at the monthly meeting of the Ventura County Chapter of the National Association of Women Business Owners. In her talk The Growing Cyber Threat: Why the Bad Guys are Winning!, Kimberly will identify threats to information and computers, review common weaknesses being exploited by the bad guys and offer proactive steps you can take at business and at home to increase your security posture and decrease your exposure.

SecureIT-2013, March 28, 2013: David Lam, our newest Citadel partner and ISSA Los Angeles VP, will be speaking at SecureIT on 28 March regarding the appropriate use of ISO 27001/2 as an information security framework. David will be showing how the framework is extensible to all different sizes of organizations, and how it helps you achieve both security and compliance. For more information and to register, visit 

ISSA-LA April Lunch Meeting; April 17, 2013. For more information and to register, visit ISSA-LA.

Santa Monica Rotary Club; Lunch Meeting, May 3, 2013: Dr. Stan Stahl, Citadel and ISSA-LA President, will speak on cybersecurity at the weekly meeting of the Santa Monica Rotary Club. In this non-technical talk - It Takes the Village to Secure the Village SM - Dr. Stahl discusses the financial implications of cyber crime, illustrates how cyber criminals take control of a user's computer, describes the limitations of technology, summarizes emerging cyber security laws, regulations and practices, and provides practical tips to lower the risk of becoming a victim.

ISSA-LA Fifth Annual Information Security Summit; May 21, 2013: Join over 500 of your colleagues and peers at the Universal City Hilton. Special Keynote Speaker: Howard Schmidt, former White House CyberSecurity Coordinator. For more information and to register, visit ISSA-LA.