Cyber Security News of the Week, May 27, 2012

Cyber Security Commentary

We include three postings this week about a new report from Carnegie Mellon University: The Governance of Enterprise Security: CyLab 2012 Report. According to the report, Boards of Directors are not yet adequately involved in cyber security governance. Despite holding extensive troves of digital assets—and bearing an explicit fiduciary duty to protect those assets—boards and senior management are not exercising appropriate governance over the privacy and security of their digital assets.

Jody Westby, the Report’s author, writes in Forbes: The truth of the matter is that security programs will not get better until management begins to treat cybersecurity as an enterprise risk that must be governed.

Cyber Crime

WHMCS Breach May Be Only Tip of the Trouble: A recent breach at billing and support software provider WHMCS that exposed a half million customer usernames, passwords — and in some cases credit cards — may turn out to be the least of the company’s worries. According to information obtained by, for the past four months hackers have been selling an exclusive zero-day flaw that they claim lets intruders break into Web hosting firms that rely on the software. KrebsOnSecurity, May 24, 2012

Hackers gained access to US Justice Department website: One or more unauthorized users gained access to the inner workings of a website run by the U.S. Justice Department, a department spokeswoman said on Monday after the hacker group Anonymous said they were behind the incident. MSNBC, May 22, 2012

Hackers Impersonate Web Billing Firm’s Staff To Spill 500,000 Users’ Passwords And Credit Cards: British Web billing firm WHMCS is reeling from an attack that spilled its user accounts, deleted reams of data, temporarily took its site offline, and hijacked its Twitter feed, all seemingly the result of a smooth-talking hacker con. Forbes, May 22, 2012

Identity Theft

Identity Theft: ‘Kids Don’t Know They’re Victims’: Carter Andrushko is 5 years old, and he knows a few things already: He knows how to spell his name. He knows that Crusty, his hermit crab, has 10 legs. And he knows what he wants to do when he grows up: look for dinosaur bones. According to the Utah Department of Workforce Services, however, Carter already has a job. In fact, according to that office, he’s been working since before he was even born. NPR, May 23, 2012

Consumers Need To Be Aware Of The Risks Of Identity Theft While Traveling: While millions of Americans are making preparations to hit the road as the summer travel season kicks off this weekend, identity thieves are making their own preparations to take advantage of unsuspecting travelers. Whether summer plans include family vacations, business trips, or travelling internationally for the 2012 Olympics, this summer is guaranteed to be a busy travel season, not just for consumers, but for identity thieves. Market Watch, May 23, 2012

Cyber Risk

RSA SecurID software token cloning: a new how-to: A researcher has devised a method that attackers with control over a victim’s computer can use to clone the secret software token that RSA’s SecurID uses to generate one-time passwords. ars technica, May 21, 2012

Veracode Infographic Details Cybersecurity Risks in Public Companies: BURLINGTON, Mass., May 21, 2012 /PRNewswire via COMTEX/ — Over the last few years, some of the most disruptive security breaches occurred at some of the world’s most recognized public corporations, taking advantage of vulnerabilities in software applications that allowed access to customer data and intellectual property. This development led the United States Securities and Exchange Commission to release guidance in October 2011 that suggests public companies should disclose any potential cybersecurity risks in their public filings, as these risks are material to current and potential investors. Market Watch, May 24, 2012

Cyber Threat

Banking Malware Monitors Victims by Hijacking Webcams and Microphones, Researchers Say: A new variant of SpyEye malware allows cybercriminals to monitor potential bank fraud victims by hijacking their webcams and microphones, according to security researchers from antivirus vendor Kaspersky Lab. PC World, May 22, 2012

Malware charges users for free Android apps on Google Play: Android users are being tricked into paying for free apps. The malware is a new variant of the Android.Opfake family that pushes fake versions of popular Android apps to unsuspecting consumers. ZDNet, May 21, 2012

FBI warns about hackers who target hotel guests: The Federal Bureau of Investigation warned travelers to be careful of computer hackers when logging onto the Internet through a hotel connection. LA Times, May 20, 2012

Cyber Vulnerability

Smartphone hijacking vulnerability affects AT&T, 47 other carriers: Computer scientists have identified a vulnerability in the network of AT&T and at least 47 other cellular carriers that allows attackers to surreptitiously hijack the Internet connections of smartphone users and inject malicious content into the traffic passing between them and trusted websites. ars technica, May 21, 2012

Cyber Security Management

Boards Are Still Clueless About Cybersecurity: The Governance of Enterprise Security: CyLab 2012 Report, released today by Carnegie Mellon CyLab and its sponsor, RSA, The Security Division of EMC, examines how boards of directors and senior management are managing privacy and cyber risks. Although two previous reports were conducted in 2008 and 2010, this is the first global survey on these issues and the first to compare responses by industry sector. The cross-sector comparisons in the 2012 report provide a compelling picture that critical infrastructure companies need to put cybersecurity and privacy on their boards’ agendas and place greater emphasis at the executive level on protecting their organizations’ digital assets (data, software programs, and networks). Forbes Magazine, May 16, 2012

Corporate Boards Still In the Dark About Cybersecurity: As the U.S. natural gas pipeline sector and the Department of Homeland Security square off against malicious cyber intrusions aimed at companies, along comes yet another study that highlights serious governance shortcomings of critical infrastructure companies when it comes to cybersecurity. Corporate Counsel, May 22, 2012

‘Clueless’ boards risk lawsuits, threaten national security: For far too many boards of directors and senior management of critical infrastructure industry sectors, cybersecurity and privacy are less than afterthoughts. They are barely even thoughts. Network World, May 23, 2012

Securing the Village

New White House cybersecurity chief largely an unknown: Named late last week to replace Howard Schmidt as the top White House cybersecurity adviser, Michael Daniel is a 17-year veteran of the Office of Management and Budget (OMB) and has been its intelligence branch chief for the past 11 years. But he has stayed largely under the radar, even in the cybersecurity community. Network World, May 22, 2012

Google to Warn 500,000+ of DNS Changer Infections: Google plans today to begin warning Internet users if their computers show telltale signs of being infected with the DNSChanger Trojan. The company estimates that more than 500,000 systems remain infected with the malware, despite a looming deadline that threatens to quarantine the sick computers from the rest of the Internet. KrebsOnSecurity, May 22, 2012

Securing the Village – ISSA-LA

ISSA-LA Annual Information Security Summit Highlights Solutions to Cybercrime Risks: Keynote speakers Alan Paller, Director of Research at the SANS Institute, and Bruce W. McConnell, Senior Counselor for Cybersecurity at the U.S. Department of Homeland Security, described steps businesses are taking to lower the economic risks from cybercrime at the Los Angeles Chapter of the Information Systems Security Association (ISSA-LA) Fourth Annual Information Security Summit held on May 16, 2012 at Hilton Universal City Hotel in Los Angeles. More than 500 business leaders, technology professionals and information security professionals attended the one-day Summit entitled The Growing Cyber Threat: Protect Your Business. PRLog, May 22, 2012

Cyber Defenders

US hackers take cyber war to al-Qaeda sites: WASHINGTON: US cyber experts have hacked into websites being used by al-Qaeda’s affiliate in Yemen and substituted material that bragged about killing Americans with information about civilians killed in terrorist strikes, Hillary Clinton has confirmed. The Sydney Morning Herald, May 25, 2012

Cyber Research

CompSci eggheads to map Android malware genome: Mobile security researchers are teaming up to share samples and data on malware targeting the Android platform. The Register, May 23, 2012

Cyber Error

Yahoo leaks private key, allows anyone to build Yahoo-signed Chrome extensions: IDG News Service – Yahoo was forced to release a new version of its Axis extension for Google Chrome after the original one contained a private key that allowed anyone to digitally sign extensions in Yahoo’s name. ComputerWorld, May 24, 2012

Cyber Sunshine

Georgy Avanesov, Bredolab Botnet Creator, Found Guilty And Sentenced To Four Years In Prison: Russian cybercrime mastermind Georgy Avanesov was found guilty of computer sabotage by an Armenian court on Tuesday and sentenced to four years in prison. The trial is monumental, not only for the sentencing of a criminal who hijacked millions of computers, but also because it is reportedly the country’s first conviction of a computer criminal. Huffington Post, May 24, 2012

Cyber Survey

McAfee Q1 Threats Report Finds Significant Malware Increase Across All Platforms: SANTA CLARA, Calif., May 23, 2012 (BUSINESS WIRE) — McAfee today released the McAfee Threats Report: First Quarter 2012, which exposes an increase in malware across all platforms. The report shows that in Q1, PC malware reached its highest levels in four years, as well as a steep increase in malware targeting the Android platform. Mac malware was also on the rise, indicating that total malware could reach the 100 million mark within the year. Market Watch, May 23, 2012

Cyber Crooks: In It for the Money: Hacktivists steal headlines with their often-audacious attacks against high-profile targets. While it’s easy for IT and security professionals to get caught up and imagine hacktivists will be breaking into their networks next, cyber-criminals intent on making money remain the bigger threat, according to a new Ponemon Institute report. Security Watch, May 22, 2012

2012 DATA BREACH INVESTIGATIONS REPORT: 2011 will almost certainly go down as a year of civil and cultural uprising. Citizens revolted, challenged, and even overthrew their governments in a domino effect that has since been coined the “Arab Spring,” though it stretched beyond a single season. Those disgruntled by what they perceived as the wealth-mongering “1%”, occupied Wall Street along with other cities and venues across the globe. There is no shortage of other examples. Verizon Business, 2012