Cyber Security News of the Week, June 26, 2011

Cyber Security Management

Dropbox Left User Accounts Unlocked for 4 Hours Sunday: At a time when hackers are on a tear looting information willy-nilly from insecure sites on the Web, Dropbox did the unthinkable Sunday — it allowed anyone in the world to access any one of its 25 million customers’ online storage lockers — simply by typing in any password. Dropbox, one of the most popular ways to share and sync files online, says the accounts became unlocked at 1:54pm Pacific time Sunday when a programming change introduced a bug. The company closed the hole a little less than 4 hours later. Wired, June 20, 2011
One more reason we strongly recommend users encrypt all sensitive information transferred via Dropbox and similar services.
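The Dropbox item above describes the failure mode every login path must be guarded against: a code change that leaves the password check in place but no longer lets its result decide the outcome. The example below is added here and is not Dropbox's code; the bug in `broken_verify` is a constructed illustration, not a description of what Dropbox actually shipped. It shows a fail-closed verifier built on PBKDF2 and a constant-time compare, next to a regression check (`login_check_passes`) that a test suite can run against any verifier to confirm the correct password is accepted and arbitrary wrong ones are refused. Iteration counts and sizes are example values.

```python
import hashlib
import hmac
import os
import secrets
from typing import Callable, Tuple

# Example parameters (constructed for this illustration; tune for production).
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16
DERIVED_KEY_BYTES = 32


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=DERIVED_KEY_BYTES)


def hash_password(password: str) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key) to store; the plaintext is never kept."""
    salt = os.urandom(SALT_BYTES)
    return salt, _derive(password, salt)


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Fail closed: the only path to True is a constant-time match of the
    recomputed key against the stored one. No default acceptance, no
    early 'return True', and malformed inputs are refused outright."""
    if not isinstance(password, str) or not password:
        return False
    if len(salt) != SALT_BYTES or len(stored_key) != DERIVED_KEY_BYTES:
        return False
    return hmac.compare_digest(_derive(password, salt), stored_key)


def broken_verify(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Constructed 'before' example of the bug class: the comparison is
    still computed, but its result no longer drives the return value."""
    _matched = hmac.compare_digest(_derive(password, salt), stored_key)
    return True  # the refactor dropped the dependency on _matched


def login_check_passes(verifier: Callable[[str, bytes, bytes], bool],
                       correct_password: str, trials: int = 10) -> bool:
    """Regression check to run in CI against the production verifier:
    the right password must succeed, and the empty string plus a batch
    of random wrong passwords must all be rejected."""
    salt, key = hash_password(correct_password)
    if not verifier(correct_password, salt, key):
        return False
    if verifier("", salt, key):
        return False
    for _ in range(trials):
        wrong = secrets.token_urlsafe(12)
        if wrong == correct_password:
            continue
        if verifier(wrong, salt, key):
            return False
    return True


if __name__ == "__main__":
    print("hardened verifier passes:", login_check_passes(verify_password, "correct horse"))
    print("broken verifier passes:  ", login_check_passes(broken_verify, "correct horse"))
```

Wiring `login_check_passes` into the test suite that gates deployment is the point: a verifier that accepts random strings fails the build before it reaches users, which is the control that turns a four-hour exposure into a failed pipeline run.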

Online Privacy

Facebook Facial Recognition: Why It’s a Threat to Your Privacy: Facebook facial recognition is more than just creepy. It has enormous potential for dangerous misuse of facial recognition data, and Facebook has a long record of misusing all sorts of data. CIO, June 20, 2011

Securing the Future

Senator: New Cybersecurity Regulations Needed for Banks: Current regulations aren’t enough to warn customers and protect them against data breaches at financial institutions, one U.S. senator said during a hearing Tuesday. PC World, June 21, 2011

Rays of Sunshine

UK police make arrest in hacking attacks: A 19-year-old man has been arrested on suspicion of involvement with cyber attacks on Sony and the CIA website, British police said Tuesday. LA Times, June 21, 2011

FBI Scrubbed 19,000 PCs Snared By Coreflood Botnet: The FBI has scrubbed some 19,000 PCs that were infected with the Coreflood bot malware, the agency told a federal court last week. The effort is part of an ongoing and unprecedented legal campaign to destroy one of the longest-running and most menacing online crime machines ever built. KrebsOnSecurity, June 21, 2011

Suspected LulzSec player arrested, in custody in London: The day the authorities have been waiting for is finally here: A possible LulzSec leader has been arrested. He is 19 years old and was arrested in Essex, England thanks to a cooperative effort between FBI and Scotland Yard. ZDNet, June 21, 2011

Feds bust ‘scareware’ ring accused of making $72 million by selling phony anti-virus software: There’s big money in scaring people into thinking they have a nasty computer virus. But you might also scare up a visit from international police. On Wednesday the U.S. Department of Justice, the FBI and cooperating overseas agencies said they had indicted two Latvians accused of running a “scareware” ring, infecting the computers of 960,000 users with phony anti-virus software. LA Times, June 22, 2011

Business at Risk

Ponemon Institute Survey Finds 90 Percent of Businesses Fell Victim to Cyber Security Breach at Least Once in the Past 12 Months: A survey of US IT and IT Security professionals, conducted independently by Ponemon Institute and sponsored by Juniper Networks found the threat from cyber attacks today is nearing statistical certainty and businesses of every type and size are vulnerable to attacks. The Wall Street Journal, June 22, 2011

Cyber Defense

Shortage of adequately trained cyber pros puts US at risk: In testimony this year before the Senate Judiciary Committee’s Crime and Terrorism Subcommittee, Gordon Snow, assistant director of the FBI’s Cyber Division, said the number and sophistication of cyberattacks have increased dramatically during the past five years and are expected to continue to grow. Although that paints a pretty bleak picture, what he said next caught the attention of cybersecurity professionals around the world. “The threat has reached the point that given enough time, motivation and funding, a determined adversary will likely be able to penetrate any system that is accessible directly from the Internet,” he said. Defense Systems, June 22, 2011

Information at Risk

LulzSec computer hackers release Arizona state files: WASHINGTON — Computer hackers who have hit the websites of the CIA, US Senate, Sony and others have released hundreds of documents from the Arizona Department of Public Safety (AZDPS) in their latest cyberattack. AFP, June 24, 2011

Cyberattacks Hit Brazil Government Websites; Data Secure: SAO PAULO (Dow Jones) — Key Brazilian government websites have suffered a series of cyberattacks, with the worst occurring in the early morning hours Friday, but there is no evidence of any data loss, a government spokesman said. NASDAQ, June 24, 2011

Report: IRS databases with taxpayer data vulnerable to hackers: Thousands of Internal Revenue Service databases that hold sensitive taxpayer information use outdated security software, leaving them vulnerable to hackers, according to a government office that monitors the IRS. LA Times, June 23, 2011

EA confirms customer data stolen: Electronic Arts has confirmed that one of its server systems was breached and customer information was stolen and said this week that it’s continuing to investigate the intrusion. Cnet, June 24, 2011

Internet Badlands

$72M Scareware Ring Used Conficker Worm: Authorities seized computers and servers in the United States and seven other countries this week as part of an ongoing investigation of a hacking gang that stole $72 million by tricking people into buying fake anti-virus products. Police in Ukraine said the thieves fleeced unsuspecting consumers with the help of the infamous Conficker worm, although it remains unclear how big a role the fast-spreading worm played in this crime. KrebsOnSecurity, June 23, 2011

Inside LulzSec: Chatroom logs shine a light on the secretive hackers: It was a tight-knit and enigmatic group finding its feet in the febrile world of hacker collectives, where exposing and embarrassing your targets is just as important as protecting your own identity. But leaked logs from LulzSec’s private chatroom – seen, and published today, by the Guardian – provide for the first time a unique, fly-on-the-wall insight into a team of audacious young hackers whose inner workings have until now remained opaque. The Guardian, June 24, 2011

Sega hacked: LulzSec promise to destroy hackers responsible: After games industry titan Sega last week revealed that a recent cyber attack on its network left 1.29 million of its customers’ personal data compromised, the hacker collective LulzSec has promised to “destroy” those responsible for the hack. International Business Times, June 20, 2011

Hacking Group Lulz Security Says It Is Ending Spree: Lulz Security, a group of hackers who have tormented corporations and government agencies, said Saturday that it would stop its spree, 50 days after it first started attacks. The New York Times, June 25, 2011

LulzSec Strikes Brazil Again; Petrobras Denies Being Hacked: The Brazilian arm of the global computer hacker collective, LulzSec, struck again this weekend, this time invading and accessing data of government controlled oil major Petrobras, according to LulzSec. Forbes, June 25, 2011

Virtual Currency

Inside the Mega-Hack of Bitcoin: the Full Story: The storm had been building for over a week now. Last Monday at around 5 p.m. 25,000 Bitcoins were transferred from 478 accounts on the currency’s largest exchange — Mt. Gox. But that was just the beginning. Now Mt. Gox is admitting to a major breach and has shut down, in an unprecedented action. In all, approximately $8.75M USD worth of Bitcoins appear to have — at least temporarily — been stolen in the intrusion. Daily Tech, June 19, 2011

Bank Security

Banks, Finance Firms Targeted by European Union in Crackdown on Data Privacy: Banks will be among companies forced to notify authorities of “serious” leaks of customer data in a crackdown after hackers targeted Sony Corp. (6758) and Sega Sammy Holdings Inc. (6460), the European Union’s top privacy official said. Bloomberg, June 20, 2011