Cyber Security News of the Week, April 8, 2012

Cyber Security Commentary

Myths die hard. This week the death knell sounded for the myth of Macintosh security. Users can no longer naively claim that they don’t need to be concerned with security because they use a Macintosh.

All complex software has vulnerabilities which cybercriminals are only too happy to exploit. This is true of Mac OS X just as it’s true of Windows. It’s cold comfort that this particular vulnerability surfaced in Java—so well known as a source of attack exploits that we recommend users disable it. The lesson we need to take away from the Mac OS X story is humility in the face of software complexity.

In the 1980s I was a staff security engineer at TRW when my manager gave me a piece of wisdom that applies to the myth of Mac security. “There are three kinds of knowledge,” he said. “There’s what you know that you know you know. There’s what you don’t know that you know you don’t know. And there’s what you don’t know that you don’t know that you don’t know.”

It’s this third category that is most dangerous—what we don’t know that we don’t know we don’t know. This—our hidden ignorance—is what gets us into trouble. Believing the myth of Mac security—jumping to the conclusion that Macs are secure because we don’t know about their insecurities—is dangerous because the myth keeps us from taking the actions necessary to protect sensitive information on our Macs.

We run across a lot of myths about cyber security management in our work with clients, in our workshops and in our cyber security briefings. There is the myth that IT can effectively manage cyber security; that senior management doesn’t need to get involved. There is the myth that antivirus and anti-malware solutions provide sufficient security. There is the myth that “we have nothing of interest to a cyber criminal.” And the most dangerous myth of all—that we can be secure if we simply do A, B and C, whatever A, B and C happen to be. It is these and other myths that keep us from being open to what we don’t know that we don’t know we don’t know.

Myths are not always dangerous. As a child I was enthralled with the myths of the Greek and Roman gods; their stories formed the backdrop for a significant part of my moral education.

Myths become dangerous when we inappropriately apply them to real-world circumstances where they don’t apply. They become dangerous when they keep us from exploring that which we don’t know we don’t know.

When it comes to cyber security management, myths are particularly dangerous. Our greatest security weakness—our greatest vulnerability—lies in the security myths we believe.

That’s why this week’s story of more than 600,000 Macs infected by the Flashback malware is so important, for it serves as a warning about the dangers of all cyber security myths.

Cyber Crime

European hackers suspected in Utah Medicaid files breach: SALT LAKE CITY (Reuters) – A data security breach at the Utah Health Department, believed to be the work of Eastern European hackers, has exposed 24,000 U.S. Medicaid files bearing names, Social Security numbers and other private information, state officials said on Wednesday. The Chicago Tribune, April 4, 2012

Worker error exposes Utah Medicaid clients to hackers: A mistake by a state employee allowed hackers — suspected by state officials to be located in eastern Europe — to gain access to more than 24,000 files submitted to the Utah Department of Health for Medicaid recipients. The Salt Lake Tribune, April 4, 2012

Global Payments: Rumor and Innuendo: Global Payments Inc., the Atlanta-based credit and debit card processor that recently announced a breach that exposed fewer than 1.5 million card accounts, held a conference call this morning to discuss the incident. Unfortunately, that call created more questions than it did answers, at least for me. The purpose of this post is to provide some information that I have gathered, and a few observations about the reporting on this breach so far. KrebsOnSecurity, April 2, 2012

Global Payments Data Breach Exposes Card Payments Vulnerability: Cardholders around the world received a shock late last week when Global Payments Inc. announced a breach in its card data processing system. After all, the company is one of the biggest processors of Visa and MasterCard card transactions, and also processes a sizable number of transactions for Discover Financial and American Express. Forbes, April 3, 2012

Cyber Threats — Mac OS X Java

How to remove the Flashback malware from OS X: While OS X was relatively void of malware for the first 10 years of use, recently malware scares have cropped up that have affected a significant number of Mac systems. Cnet, April 5, 2012

Widespread Virus Proves Macs Are No Longer Safe From Hackers: For years, Mac users have been told that not only are they cooler than their PC counterparts, they are safer too. Apple has always held that computer viruses and malware only dogged its competitors. That is no longer the case. The New York Times, April 6, 2012

Urgent Fix for Zero-Day Mac Java Flaw: Apple on Monday released a critical update to its version of Java for Mac OS X that plugs at least a dozen security holes in the program. More importantly, the patch mends a flaw that attackers have recently pounced on to broadly deploy malicious software, both on Windows and Mac systems. KrebsOnSecurity, April 4, 2012

Over 600,000 Macs infected with Flashback Trojan: The Flashback Trojan botnet reportedly controls over 600,000 Macs. Thankfully, Apple yesterday released a patch for Java, which the Trojan exploits, so make sure you install it. ZDNet, April 4, 2012

Apple patches 3-month-old Mac OS X security flaw: Days after a serious malware threat to Mac OS X was discovered, Apple finally patched the three-month-old security flaw that made it possible. MSNBC, April 4, 2012

Cyber Threats

Security hole exposes Android, iOS to Facebook identity theft: A new security vulnerability discovered in Facebook for Android and Facebook for iOS means your Facebook identity can be stolen if you use an Android phone, Android tablet, iPhone, and/or iPad. ZDNet, April 5, 2012

Cyber Criminals Targeting High-Profile Brands and Keywords to Undermine Users: GFI Software recently released its VIPRE® Report for March 2012, a collection of the 10 most prevalent threat detections encountered during the last month. GFI Labs documented several spam attacks and malware-laden email campaigns infiltrating users’ systems under the guise of communications purporting to be from well-known companies and promotions for popular products and services. Google™, LinkedIn®, Skype™ and the video game Mass Effect™ 3 were among the brands exploited by cyber criminals in order to attract more victims. IT BusinessEdge, April 2012

Ice IX Malware Tricks Facebook Users Into Exposing Credit Card Details, Says Trusteer: A new configuration of the Ice IX malware attempts to trick its victims into exposing their credit card details when they try to access their Facebook accounts, according to security firm Trusteer. PC World, April 3, 2012

Cyber-Criminals Change Tactics as Network Security Improves: IBM in its X-Force security report for 2011 said security efforts have cut spam and improved vulnerability patching, but attackers are now targeting mobile devices and the cloud. CIO Insight, March 23, 2012

Social Media Companies Contribute to Cybercrime: Cybercrime is an everyday problem that threatens business operations and causes large out-of-pocket expenses for individual and corporate victims alike. Although statistics regarding the actual cost of cybercrime vary, the incidence of cybercrime has climbed steadily over the past decade. The 2011 Norton Cybercrime Report claims that more than one million people become victims of cybercrime every day, and it estimates the financial cost of cybercrime is larger than the combined global black market for cocaine, heroin, and marijuana. Forbes, March 14, 2012

Cyber Security Management

Encryption in 2012: Now a strategic business issue: In an increasingly digital world, information security and data privacy have become critically important to the enterprise. According to the 2011 Global Encryption Trends Study from Ponemon, encryption use to protect sensitive data is becoming widespread and strongly correlates to the overall strength of an organization’s security posture. So much so that encryption is now viewed as a strategic business issue, a far cry from when it was a niche technology and solely the concern of the IT department. ZDNet, April 4, 2012

Grant Thornton survey reveals Chief Audit Executives most worried about cybersecurity risks: CHICAGO, Mar. 19, 2012 – Chief Audit Executives (CAEs) ranked cybersecurity as their #1 concern in emerging risks, according to a new survey by Grant Thornton LLP. Mobile technology was their second biggest concern, followed by business interruption and social media. While more than half (56%) of CAEs report that their organization had 10 or fewer cybersecurity incidents in the last 12 months, nearly a third (31%) said that they did not know how many incidents their company had. Grant Thornton, March 19, 2012

ISSA-LA — Securing the Village

Alan Paller of SANS Institute Speaks at ISSA-LA Information Security Summit on Cybercrime: Mr. Alan Paller, director of research at the world-renowned SANS Institute, will be the keynote speaker at the Los Angeles Chapter of the Information Systems Security Association’s (ISSA-LA) fourth annual Information Security Summit on Wednesday, May 16, 2012 at Hilton Universal City Hotel in Los Angeles. The theme of the one-day Summit is The Growing Cyber Threat: Protect Your Business. SecurityOrb, March 29, 2012

Cyber Security Management — Securing the Village

Richard Clarke on Who Was Behind the Stuxnet Attack: The story Richard Clarke spins has all the suspense of a postmodern geopolitical thriller. The tale involves a ghostly cyberworm created to attack the nuclear centrifuges of a rogue nation—which then escapes from the target country, replicating itself in thousands of computers throughout the world. It may be lurking in yours right now. Harmlessly inactive…or awaiting further orders. Smithsonian Magazine, April 2012

How China Steals Our Secrets: For the last two months, senior government officials and private-sector experts have paraded before Congress and described in alarming terms a silent threat: cyberattacks carried out by foreign governments. Robert S. Mueller III, the director of the F.B.I., said cyberattacks would soon replace terrorism as the agency’s No. 1 concern as foreign hackers, particularly from China, penetrate American firms’ computers and steal huge amounts of valuable data and intellectual property. New York Times — Richard Clarke Op-Ed, April 2, 2012

Cyber Mercenaries

The Zero-Day Salesmen: At a Google-run competition in Vancouver last month the search giant’s famously secure Chrome Web browser fell to hackers twice. Both of the new methods used a rigged website to bypass Chrome’s security protections and completely hijack a target computer. But while those two hacks defeated the company’s defenses, it was only a third one that actually managed to get under Google’s skin. Forbes, March 28, 2012

Hacktivists

Anonymous Hackers Deface 500 Chinese Government Websites: The Anonymous movement has pulled off one of its biggest hacktivist coups yet, successfully defacing hundreds of Chinese Government websites in a spectacular protest against Internet censorship. April 6, 2012