Cyber Security News of the Week, October 20, 2013

Cyber Attack

Phony Order Faxed To Registrar Leads to Metasploit Defacement: A pro-Palestine hacker collective went old-school in its takedown of the Metasploit and Rapid7 websites today. ThreatPost, October 18, 2013

Cyber Crime

Breach at PR Newswire Tied to Adobe Hack: Earlier this year, hackers broke into the networks of marketing and press release distribution service PR Newswire, making off with usernames and encrypted passwords that customers use to access the company’s service and upload news releases, KrebsOnSecurity has learned. KrebsOnSecurity, October 16, 2013

Cyber Privacy

Verify, then trust: One of the many outcomes of Edward Snowden’s leaks was to confirm what security researchers had long nervously joked about—that Western intelligence agencies spend a great deal of time and money trying to undermine the cryptographic software that secures computers all over the world (similar suspicions swirl around the Chinese and Russian spy agencies, too). The documents suggest that the spies lean on firms to build “back doors” into their products, infiltrate those companies with their own employees, and work to nobble cryptographic standards. The Economist, October 18, 2013

Privacy Fears Grow as Cities Increase Surveillance: OAKLAND, Calif. — Federal grants of $7 million awarded to this city were meant largely to help thwart terror attacks at its bustling port. But instead, the money is going to a police initiative that will collect and analyze reams of surveillance data from around town — from gunshot-detection sensors in the barrios of East Oakland to license plate readers mounted on police cars patrolling the city’s upscale hills. The New York Times, October 13, 2013

Cyber Warning

Apple iMessage Open To Man In The Middle, Spoofing Attacks: The Apple iMessage protocol has been shrouded in secrecy for years now, but a pair of security researchers have reverse-engineered the protocol and found that Apple controls the encryption key infrastructure for the system and therefore has the ability to read users’ text messages, or decrypt them and hand them over at the order of a government agency. ThreatPost, October 18, 2013

Facebook ‘stalker’ Tool Uses Graph Search for Powerful Data Mining: IDG News Service — When a high-profile public figure living in Hong Kong hired the security company Trustwave to test if its experts could get his passwords, they turned to Facebook. CIO, October 17, 2013

ISSA-LA Alerts Public to Potential Cybercrime When Microsoft Stops Support of Windows XP in 2014: Los Angeles (I-Newswire) September 23, 2013 – The Los Angeles Chapter of the Information Systems Security Association (ISSA-LA) is launching an awareness campaign to alert the public to an increased exposure to cybercrime when Microsoft stops supporting Windows XP on April 8, 2014. According to Net Applications, 38% of computers still use Windows XP. i-Newswire, September 23, 2013

Backdoor found in D-Link home routers: An easy-to-exploit backdoor has been found in seven different models of domestic routers made by D-Link and Planex. BBC, October 14, 2013

Thousands of Sites Hacked Via vBulletin Hole: Attackers appear to have compromised tens of thousands of Web sites using a security weakness in sites powered by the forum software vBulletin, security experts warn. KrebsOnSecurity, October 14, 2013

Cyber Security Management

Essential considerations when making changes to security: When it comes to security policies and practices, there are rules (both written and unwritten) that need to be adhered to. An organization simply cannot implement changes to security on the fly as it could lead to disaster. Yet, there are times when changes are necessary, or mandated due to an incident response plan. In that instance, what should business leaders be focusing on? CSO, October 17, 2013

Cyber Risk And The Board of Directors – Closing The Gap: The responsibility of corporate directors to address cyber security is commanding more attention and is obviously a significant issue. Yet here is how one writer entitled her Forbes article about the 2012 Carnegie Mellon Cylab Report: “Boards Are Still Clueless About Cybersecurity.” Bloomberg Law

Cyber Security Management – Cyber Defense

10 Pitfalls Of IT Risk Assessment: As IT organizations seek to make better risk-based decisions about security practices, perhaps the No. 1 component for success is the IT risk assessment. However, even when organizations actually conduct a risk assessment, they frequently fall prey to mistakes that can greatly devalue the exercise. Here are some of the most common blunders to avoid. DarkReading, October 17, 2013

Yahoo Mail is switching to default SSL encryption: On the heels of its recent redesign, Yahoo Mail is adding a new feature many users have been requesting for years: encryption. The Washington Post revealed today that Yahoo Mail will begin using default SSL encryption for its webmail interface as of January 8th, 2014. The encryption, which protects messages sent between a user’s computer and Yahoo servers, was only made available earlier this year as an option from Yahoo, although most security professionals view it as crucial for any level of privacy on the web. The move comes nearly four years after Gmail switched over to default SSL in January of 2010. The Verge, October 14, 2013

WordPress Attacks: Time To Wake Up: If I wrote a Security 101 story in light of this news — outdated WordPress sites are used to launch malicious attacks on other websites — it would go something like this: Use strong passwords. Stay current on software updates and patches. Educate employees on security risks and fundamentals. Use anti-malware tools and other technologies. Wash, rinse, repeat. InformationWeek, October 2, 2013

Cyber Security Management – HIPAA

SANS Announces Results of its Inaugural Health Care Information Security Survey: BETHESDA, Md., Oct. 17, 2013 /PRNewswire-USNewswire/ — SANS announces results of its inaugural health care information security survey, in which 373 health care IT professionals answered questions about their digital health initiatives, awareness and concerns over risk, and how they are (or are not) managing this risk. The survey was sponsored by Oracle, Redspin, Tenable Network Security and Trend Micro. DarkReading, October 17, 2013

More HIPAA enforcement coming: When Office for Civil Rights Director Leon Rodriguez took the stage Monday to talk HIPAA at the HIMSS Media and Healthcare IT News Privacy and Security Forum, the timing was perfect. Healthcare IT News, September 24, 2013

Cyber Security Management – Cyber Update

Critical Java Update Plugs 51 Security Holes: Oracle has released a critical security update that fixes at least 51 security vulnerabilities in its Java software. Patches are available for Linux, Mac OS X, Solaris and Windows versions of the software. KrebsOnSecurity, October 16, 2013

Cyber Mercenaries

Hackers Target Town After Dropped Sexual-Assault Case: The international band of Internet activists known as Anonymous has chosen the rural Missouri town of Maryville as the target of its latest campaign, after the Kansas City Star published a powerful examination of a possible rape case that went unprosecuted by local authorities. Time, October 14, 2013

Securing the Village

The 28th Annual 2013 ISSA SoCal Security Symposium: The SoCal Security Symposium features over 30 vendor exhibits and several industry experts discussing current security issues such as eDiscovery, cloud security, threat vectors, mobile security, and much more. There will be lots of giveaways and prizes! This conference will provide tremendous networking opportunities. You’ll come away with advice and knowledge you can start applying to your environment immediately. Your registration will include your breakfast, lunch, ice cream social, CPE credits (8) and entrance into the conference sessions and exhibit area. ISSA of Orange County, Event Date: October 30, 2013

Critical Infrastructure

Many energy companies lagging in cybersecurity efforts, expert says: Energy companies are continuing to be hit by cyberattacks, in large part because of complacency by executives who don’t understand the threat, a Verizon executive said Thursday. FuelFix, October 17, 2013

Cyber Law

When Companies Are Hacked, Customers Bear the Brunt. But Not for Long: For the past two weeks, Security States has been exploring the possibility of liability for software design flaws. It’s a critical issue—and likely the right answer from an economic perspective. But at this point that answer is theoretical. There are many steps between where we are today (no liability for any cyber breach) and there (product liability for software defects). The New Republic, October 15, 2013

Cyber Career

Cybercrime fighters in short supply: Governments and corporations are struggling to find enough recruits to help fight cyber attacks with demand outstripping supply when it comes to the sector. ITProPortal, October 14, 2013

Cyber Sunshine

UPDATE: Man charged in TSYS identity theft violated computer policy at Paragon Benefits: A week after he was placed at Paragon Benefits Inc. by a temporary staffing agency, Drew Johnson appeared to be spending more time on his computer than his duties required before personal information from more than 5,200 TSYS employees was sent to his personal Gmail account, records in U.S. District Court stated Tuesday. Ledger-Enquirer, October 15, 2013

Cyber Misc

Cybersecurity companies attracting huge investment: SEATTLE – It’s clear Wall Street has a love affair going with cybersecurity companies. CyberTruth asked Bob Ackerman, founder and managing director of Allegis Capital, to quantify the scale of investment going into cutting-edge technologies to stop cybercriminals. The metrics he pulled together are staggering. USA Today, October 16, 2013

Landmark Leadership Conferences for IT Executives: The IT Summit is the executive technology conference series returning to Los Angeles for our seventh annual event on October 23, 2013. The purpose of the summit is to provide educational and networking resources for the IT leaders in Southern California. The conference is driven by an Executive Board of regional IT professionals that directs the content of the conference. The IT Summit is designed to address the real-world opportunities and challenges faced by today’s executives. The IT Summit, Event Date: October 23, 2013