Monday, July 08, 2013

Cyber Security News and Education for the Week of July 8, 2013



Cyber Security News of the Week
 From our friends at Citadel Information Group

ISSA-LA
Summit 5 Videos now on-line at ISSA-LA's YouTube Channel: ISSA4LA. Howard Schmidt Keynote with Sandra Lambert. Ira Winkler Lunch Keynote. Aaron Turner Closing Keynote. Executive Forum with Bill Lewis, James Aquilina, Michael Gold and Stan Stahl. Law Enforcement Panel. Healthcare Panel. BYOD Panel. CISO Panel.  Web Application Defense.

Cyber Crime
Ubisoft Database Hack Exposes Email Addresses, Passwords: Ubisoft today revealed that a hack of its systems exposed user names, email addresses, and encrypted passwords, but not financial data. PC Magazine, July 2, 2013

Cyber Threat
What's It Take To Trust A Digitally Signed Program?: The Opera Software breach that came to light last week after attackers compromised Opera's network in order to steal an expired certificate and use it to sign malware for distribution dredges up some serious concerns from security professionals about the amount of trust that organizations put into legitimately signed programs. Dark Reading, July 3, 2013

Cyber Warning
IPMI Protocol, BMC Vulnerabilities Expose Thousands of Servers to Attack: Baseboard management controllers, embedded computers present in most servers, are vulnerable to a half dozen critical vulnerabilities that could enable an attacker to gain remote control over the host machine. ThreatPost, July 3, 2013

Android Vulnerability Enables Malicious Updates to Bypass Digital Signatures: A vulnerability exists in the Android code base that would allow a hacker to modify a legitimate, digitally signed Android application package file (APK) and not break the app's cryptographic signature-an action that would normally set off a red flag that something is amiss. ThreatPost, July 3, 2013

FBI Warns of Spear-Phishing Attacks: Spear-phishing attacks are up, and they are targeting individuals across all industries, according to a new warning issued by the U.S. Federal Bureau of Investigation. BankInfoSecurity, July 2, 2013

Cyber Privacy
National Intelligence Director Clapper Apologizes For 'Clearly Erroneous' Congressional Testimony On NSA Surveillance: Whistleblower Edward Snowden isn't the only one looking for a safe haven since he began leaking a series of top secret documents on the National Security Agency's surveillance practices. So has Director of National Intelligence James Clapper, whose statements to Congress earlier this year on NSA methods were exposed by Snowden's leaks as being highly misleading. And as many call for Clapper's resignation, he's finally issued a public apology. Forbes, July 2, 2013

What the N.S.A. Knows About You: It's difficult to have an informed opinion about the National Security Agency's collection of "metadata" without understanding what "metadata" is, not that that's stopped anyone. The name suggests that it's data about data, and the Obama administration has gone to some lengths to reassure Americans that "metadata" is definitely not "content," which unlike your "metadata" presumably enjoys Fourth Amendment protections. But Glenn Greenwald, among others, has said that's a distinction without a difference: "In reality, it is hard to distinguish email metadata from email content." The New York Times, July 2, 2013

Cyber Underworld
The Cost of Online Banking Fraud ... for the Perpetrator: A report from McAfee called "Cybercrime Exposed" provides insight into what it costs to operate cyber fraud.American Banker, July 3, 2013

Current cybercrime market is all about Cybercrime-as-a-Service: The cybercrime market is constantly evolving, and it is currently full of knowledgeable individuals who have focused on their core competencies to offer services to those who have not the skills, patience or time to make what they want or need for their criminal exploits.HelpNetSecurity, July 2, 2013

Exploiting the Twitter Underground for Fun and Profit: The underground economy on Twitter is still flourishing, and it appears to be a buyer's market for followers right now, with new research showing that the price for 1,000 followers has dropped nearly 50 percent in the last few months. ThreatPost, July 1, 2013

Criminals sell access to rooted servers via online shop: Researchers have discovered an online store where criminals sell access to hacked servers, another cautionary example of miscreants' commercialization of stolen data. SC Magazine, June 27, 2013

Cyber Security Management
Doing More Than Paying Risk Management Lip Service:While the majority of CISOs may profess a commitment to managing security based on risk management principles, the truth about how they execute on those principles may be a lot more imperfect. The unfortunate reality, say experts, is that many organizations simply pay risk management lip service, but aren't really making security decisions based on risk management metrics. DarkReading, July 5, 2013

California to Focus on Unencrypted Data in Breach Investigations: Data breaches affected more than 2.5 million California residents last year, and the state's attorney general said that the information belonging to more than half of those victims would have been unaffected had the data been encrypted by the companies storing it. In an effort to remedy this situation, Attorney General Kamala Harris is planning to take a close look at data breaches that involve unencrypted data, making them an enforcement priority. ThreatPost, July 3, 2013

Things CEOs Hate To Pay For and How They Can Help You Make Your Case for Security: As a CEO, I hate spending money on things that don't help grow my business or improve the products and services we bring to market. While I know there are necessary evils in business that require funding, the thought of spending money on things that are only used in a worst-case scenario are not attractive options to me when it comes to the allocation of limited and important resources. Having spent the majority of my career in the cyber security business, I am well aware that many of my CEO brethren lump security spending into the same bucket as other less desirable expenditures and believe me, I get it. Security Week, July 2, 2013

Cyber Security Management - Cyber Defense
Surrendering The Endpoint: What if you had to design all of your security and monitoring around the fact that it's not your endpoint any more, and it will never be your endpoint again? Dark Reading, June 28, 2013

Risks of Default Passwords on the Internet: Any system using password authentication accessible from the internet may be affected. Critical infrastructure and other important embedded systems, appliances, and devices are of particular concern. US CERT, June 24, 2013

Cyber Security Management - HIPAA
The Brave New World of HIPAA Breaches: Omnibus Rule Changes the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and Health Information Technology for Economic and Clinical Health Act ("HITECH") Landscape: Now, more than ever, the health care industry must work diligently to protect privacy and security of health information. The scope of regulation has expanded, the enforcement authority and resources of the U.S. Department of Health and Human Services Office for Civil Rights ("OCR") has grown, and the financial penalties have increased. According to a recent Advisory Board survey, general counsel and compliance professionals indicated that compliance with HIPAA was an area where they had the greatest need for legal guidance or support. National Law Review, July 1, 2013

National Cyber Security
China Plans First Talks With U.S. Under Cybersecurity Dialogue: China and the U.S. will hold the first meeting of a cybersecurity working group set up following accusations that the Chinese government is responsible for hacking attacks against American companies. Bloomberg, July 5, 2013

Résumé Shows Snowden Honed Hacking Skills: In 2010, while working for a National Security Agency contractor, Edward J. Snowden learned to be a hacker. The New York Times, July 4, 2013

Europeans Voice Anger Over Reports of Spying by U.S. on Its Allies: LONDON - European officials and politicians reacted angrily on Sunday to reports that the United States has been spying on its European Union allies, saying the claims could threaten impending talks with Washington on an important trade agreement. The New York Times, June 30, 2013

Critical Infrastructure
Critical infrastructure protection: Are we prepared for a massive cyberattack on U.S. systems?: One expert says the financial system deserves more attention, but others say if the power grid goes down, so does everything else. Is there a cyber 9/11 in our future? If so, what is the plan for defense? CSO, July 1, 2013

Cyber Law
EU increases penalties for cybercriminals and hackers: Looking to deter cyberattacks on national infrastructure and halt the illegal interception of communications, the European Union toughens its laws. Cnet, July 4, 2013

Cyber Career
Back from ISSA-LA's 5th Annual (totally outstanding) Cyber Security Summit: You haven't seen a Security Recruiter Blog in a few days because I've been really busy from early in the morning to late at night for several days. I was invited back to ISSA-LA where I first spoke in September of 2011 to deliver a career development workshop along with a presentation in which I facilitated a very interesting discussion between the members of the Los Angeles CISO forum. Security Recruiter Blog, May 23, 2013

Cyber Research
Machine-Learning Project Sifts Through Big Security Data: As an information-security consultant, Alexandre Pinto spent 12 years helping companies set up difficult-to-configure systems to cull security intelligence from logs and security events.DarkReading, June 28, 2013

Cyber Misc
Here's What It Looks Like When Two Hacker FBI Informants Try To Inform On Each Other: The FBI has so many moles in the hacktivist community, it seems, that at times they've even ended up unwittingly doing their best to get each other arrested. Forbes, June 28, 2013

SecurityRecruiter.com's Security Recruiter Blog