Archive: 2012

Lawsuit Asks What Rights You Have to Your Own Social Media Profile

A lawsuit filed recently in federal court begs the question, “Who is permitted to create a social media profile on someone other than himself?” It’s a sticky question but one that hangs out there in legal limbo, for now. As this article in the Pittsburgh Post Gazette indicates, Rick Senft, president and CEO of the Passavant...

Trending Threats Shape Cybersecurity Landscape for 2013

Predictions, predictions, predictions. Were they worth their weight, we would all have been consumed in the aftermath of the "Mayan apocalypse." So much for predictions... but what about trend analysis? That's a subject worthy of consideration for cybersecurity professionals and the organizations they seek to protect as we move into...

Trojan.Stabuniq Targeting U.S. Financial Institutions

Malware operations come and go, and typically attackers are playing a numbers game by pursuing techniques for system infections on a large scale through spam campaigns and drive-by attacks via malicious websites. More insidious still are those that employ smaller scale, more targeted attacks. That seems to be the case with the Trojan.Stabuniq,...

A Look Inside the Business of Organized Cybercrime

Ever consider adding "malware developer" or "botnet master" to your curriculum vitae? With the increasingly sophisticated nature of Crime-as-a-Service (CaaS), there just might be a recruiter out there looking to help you land a new job and put those nefarious skills to use. A new report which delves into the makeup of organized...

As General David Petraeus Can Attest, There are No Secrets on the Internet

In his famous book 1984, George Orwell wrote, “If you want to keep a secret, you must also keep it from yourself.” With apologies to Orwell, I’m going to rewrite the quote: “If you want to keep a secret, you must also keep it from the Internet.” There’s an interesting story about online privacy – or really...

DDoS Attack Against Banks to Continue into the New Year

Banking customers can expect that the latest wave of Distributed Denial of Service (DDoS) attacks against select institutions will continue into the new year, according to an announcement by the extremist group Izz ad-Din al-Qassam Cyber Fighters, who renewed operations against the financial sector two weeks ago after having ceased the attacks for...

Preparing for the Top IT Security Threats of 2013

Many times in their daily jobs, IT operations and information security (infosec) professionals get so immersed in “the trees” (i.e., the hot issues of the day) that they sometimes lose sight of “the forest” (the broader challenges that impact our businesses as a whole). While every organization has its trees, however...

ISACA's Top Three Security Challenges for 2013 are Refreshingly Realistic

The end of the year always brings a slew of dire predictions and FUD-ridden warnings of the impending menaces IT professionals will likely be faced with over the course of the next calendar cycle. By contrast, ISACA, the not-for-profit global association of IT professionals, has managed to identify three less than dramatic areas of concern for the...

Santa Got Hacked: The Aftermath of a Breach Event

Last year the world witnessed one of the biggest data breaches in history when networks at the North Pole were compromised by a group of still unidentified hackers, which led to the disclosure of highly sensitive data: Santa's naughty list. This year we caught up with the company to see how that breach has affected them and subsequently...

Defense Report Reveals Spike in State Sponsored Cyber Espionage

It's no secret that foreign countries seek to take developmental shortcuts by stealing technologies that would otherwise take decades to develop, a circumstance which significantly undermines the nation's security posture and overall economic stability. But how prevalent is the problem? According to a new report published by the Defense...

White House Issues National Information Sharing Strategy

As cybersecurity legislation continues to languish in Congress, the White House is pushing the issue forward with the release of the National Strategy for Information Sharing and Safeguarding strategy this week. The plan seeks to achieve a balance between the need for better processes for the sharing of critical security-related intelligence...

FCC Unveils Smartphone Security Checker Resource

With more than 120 million Americans using smartphones for everything from online banking to accessing corporate networks in the course of their daily jobs, mobile security has quickly become one of the key elements in protecting against a host of digital threats and the risk presented by the loss or theft of a device. The Federal...

NIST Issues Guidelines for Cryptographic Key Generation

Cryptographic algorithms are crucial for protecting sensitive data from exposure whether at rest or in transit, and the heart of any good encryption mechanism resides in the generation of keys that provide the confidentiality and integrity for data protection. To that end, the National Institute of Standards and Technology (NIST) has...

DoE Incident Response Challenges Hold Lessons for the Enterprise

The U.S. Department of Energy's (DoE) Office of the Inspector General issued a report last week detailing the continued shortcomings present in the agency’s cybersecurity incident management capabilities. The report reveals that while some progress has been made since the first such audit was conducted in 2008, the department still has a...

Banks Bracing for Another Round of DDoS Attacks

Major U.S. banks are in for another round of Distributed Denial of Service (DDoS) attacks at the hands of Muslim extremist group Izz ad-Din al-Qassam Cyber Fighters, who vowed last week to renew their operations against the financial sector after having ceased attacks for nearly a month. "The past week’s attacks, showed our ability...

Sandbox Evading Malware Just a Mouse Click Away

With millions of new pieces of potentially malicious code to be examined every day, it is impossible for malware researchers to manually analyze every sample that comes their way. Thus, it is necessary to employ automated threat analysis systems to allow more suspicious code to be examined and aid in determining which samples merit inclusion in...

Don’t Let Employees Think Outside the Box. The Dropbox, That Is...

“Good things come in small packages.” This time of year we think about what those good things might be. Perhaps a nice piece of jewelry in a fancy little box. Or a gift card to a favorite store or restaurant. Maybe it’s a year-end bonus check in a company envelope. Or not. What if that tiny little Dropbox icon at the bottom of...

HIPAA Privacy, Security, Enforcement, and Breach Notification Rules

The “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules” Notice of Proposed Rulemaking (NPRM) was initially published in July, 2010. The Office of Management and Budget (OMB) received the much-delayed Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Final Rules that had...

Governance, Risk, and Compliance in an Age of Uncertainty

Having complete visibility, transparency, and control over the entire IT landscape is next to impossible these days, and CISOs everywhere are finding themselves increasingly under pressure to operate effectively in this age of uncertainty. We are doing business in a complex world where big data, hyper-connectivity, and mobility reign supreme....

Specially Crafted Email Exposes Apple Users to Attack Upon Opening

Most everyone is aware that one should be wary of the potential for a security breach by way of malicious links or malware-tainted documents sent by an attacker via email. Typically, you open the email, realize it is suspect, and proceed to delete it without falling for the ploy. But what about an email that can expose you to a hack by simply...

The History of Encryption

We always talk about the latest and greatest (or worst for that matter) of what is happening in our industry. But we don’t ever talk about how it all began. Since encryption is such an important part of infosecurity, let’s take a walk back through history. According to Wikipedia, encryption “has long been used by the military...

Healthcare Information Security is in Critical Condition

While it's no surprise that the healthcare industry experiences breaches of sensitive information like any other sector, the revelation that on average more than one in ten have experienced serious data loss events recently may come as a shock. A new study found that 94% of the 80 health care organizations surveyed indicated they experienced...

Butterfly Botnet Crime Ring Members Busted for $850 Million Heist

One botnet down, hundreds or more to go... An international coalition of law enforcement agencies under the direction of the Federal Bureau of Investigation has announced the arrest of 10 members of an international criminal ring that operated the Butterfly Botnet, which was designed to harvest personally identifiable information with total...

Hacktivists Announce New Wave of DDoS Attacks on Banks

Ugh, they're back... After a more than month-long reprieve, Izz ad-Din al-Qassam Cyber Fighters - the Islamic extremist group who had claimed responsibility for the series of Distributed Denial of Service (DDoS) attacks this fall that resulted in intermittent website downtime for ten of the biggest financial institutions - has announced they...

Two-Factor Authentication is Not What it Used to Be

Banking customers in Europe were recently ripped off for millions of Euros by a very sophisticated series of malicious compromises targeting users' computers and cell phones. In effect, two-factor authentication was defeated for about 30,000 customers at more than 30 different banks. This proves that with persistence,...

RED DART Initiative Teaches Industry to Protect Trade Secrets

Cybercriminals are making the shift from focusing on the stealing of personal information to the targeting of corporate intellectual property, recognizing that there is tremendous value in the sale of proprietary information and trade secrets. While some high-profile cases where cyber espionage leads to the compromise of classified materials make...

Advanced Evasion Techniques and Other Dangerous Malware Trends

Like any other business, the continued success of malware depends on innovation in the development of malicious code that can stay one step ahead of detection efforts, and 2013 is sure to see some advances on the part of criminal coders. Analysis by researchers at security provider Trusteer indicates we can expect to see an increase in the...

AT&T Seeks Industry Cooperation to Combat Dramatic Increase in DDoS Attacks

Distributed Denial of Service (DDoS) attacks, such as those that plagued major American financial organizations in recent months, are growing at an alarming rate - so much so that AT&T's chief security officer has called on its competitors and the government to better coordinate efforts to combat the dramatic increase before the...

Enterprise Accounting Systems Vulnerable to Hacker Mayhem

Hackers have long targeted systems that hold sensitive and proprietary enterprise data with the intent to make a buck on the black market, but a new exploit proof-of-concept unveiled at the Black Hat security conference in Abu Dhabi on December 6 reveals how hackers may be able to penetrate the heart and soul of an enterprise by manipulating...

DDoS-as-a-Service? You Betcha! It’s Cheap, It’s Easy, and It’s Available to Anyone

Pssst! Hey, you there! Come over here and keep your voice down! You say you have a business rival you want to put offline? Yeah, no problem. It’ll only cost you 20 bucks an hour for a short term or long term DDoS attack. You want a little taste of how easy this is? Watch this live demo for a few minutes and see your competitor’s...

Countdown to Data Privacy Day – Top 10 Recommendations for Protecting Your Privacy

Data Privacy Day takes place annually on January 28 and is sponsored by the National Cyber Security Alliance, an organization focused on cyber security education. The purpose of Data Privacy Day is to serve as a reminder of the importance of protecting people’s privacy and maintaining control of their digital footprints. As stored data...

The Dutch, the Yanks, the Cloud and YOU

Recently a research project by the Amsterdam University [PDF Alert] revealed that US law allows the US government to access information stored in the Cloud by (ab)using the PATRIOT Act. Multiple Dutch politicians have started asking questions of state secretary Teeven of the Justice Department as to whether he knew about this before the...

Programmer Sentenced for Stealing Source Code from Federal Reserve

Insider threats are a uniquely troublesome security challenge for organizations, as the perpetrators often have been granted access to the most sensitive of information, and breach detection usually only occurs long after the damage is already done. This week, Chinese national Bo Zhang was convicted of stealing proprietary software code from...

SMS Spoofing Attack Leaves Twitter Users Vulnerable

We've all seen them. The unsolicited Tweet, direct message, or Facebook posting from a reputable colleague or personal contact that is undoubtedly the result of a compromised account, sometimes utilized by cybercriminals for general spamming purposes and other times part of an insidious attack employing a malicious link designed to infect...

Malware Infections Dominated by Data Stealing Trojans

Malware developers are in the business of making money from their illicit creations, and the targeting of the confidential and proprietary information that is the core asset of the enterprise continues to be their prime target, analysis of infection agents for the third quarter of 2012 reveals. According to a new report from Panda Security's...

BYOD, APTs and Applications Top Endpoint Security Concerns

As the information technology landscape changes with the advent of new products and services being adopted by organizations, so do the threat vectors that demand the most attention. According to a new study commissioned by Lumension and conducted by the Ponemon Institute, the mass deployment of mobility solutions for employees along with the...

December Anointed as Critical Infrastructure Protection and Resilience Month

In an increasingly digital world, information systems pervade nearly every aspect of our daily lives, controlling the function of everything from transportation and communications to the power grid and the financial industry. An event that inhibits the proper function of these networks has the potential to have a devastating impact on the...

US-CERT Warns Samsung Printers are Vulnerable to Remote Attacks

Yet another printer vulnerability alert has been issued - but at least this time attackers can't set your office on fire with it. US-CERT issued an advisory that Samsung printers distributed prior to October 31, 2012, including some Dell-branded printers which were manufactured by Samsung, have a vulnerability that could allow attackers to...

A Comparative Analysis of Browser Security via Phishing Protections

Browsers are no longer just a user's window to the Web; they are quickly becoming a surfer's first line of defense against an array of maladies, most specifically malicious phishing expeditions employing tainted URLs. A new study released by information security research and advisory company NSS Labs examines the four leading browsers -...

Hacker Highschool Revamps Lesson One on Being a Hacker

Hey kids, wanna get your hack on? The developers of Hacker Highschool, a free cybersecurity awareness and education project, have just issued a newly revamped version of the organization's first lesson plan titled Being a Hacker, and will soon be reissuing updated curricula for all 23 of the course's tutorials. The Hacker Highschool...

Google Webmaster Bug Provides Lessons for Identity Management in the Cloud

The Internet is ablaze with reports of a major security lapse in the access controls for Google Webmaster Tools. According to multiple reports, users who had previously had access to accounts and websites but subsequently had that access revoked found themselves again able to access tools like Google Analytics for websites they were no longer...

DDoS Attacks are Increasing While the Majority of Americans are Still in the Dark

Distributed Denial of Service (DDoS) attacks, such as those that have had the financial sector on high alert since September, make the headlines on an almost daily basis. With some of the biggest organizations in the world falling prey to the tactic, one might think that many - if not most of the general public - has at some point been...

NetWars Tournament of Champions Tests the Skills of the Nation’s Top Cyber Security Practitioners

Sometimes, life imitates art, and vice versa. Consider Tom Clancy’s Net Force series of novels created by Clancy and Steve Pieczenik, and written by Steve Perry. The storyline of these books centers around a special division within the FBI tasked with combating crime on the Internet and protecting the country from untold cyber threats....

The Pace of US Cyber-Preparedness is Accelerating

Three recent moves by the Pentagon, State Department and White House indicate that the pace of preparation for engaging in offensive cyber attacks is increasing. The first was the speech given by Leon Panetta, Secretary of Defense on October 12 where he used the term cyber Pearl Harbor. Of course to anyone who follows these developments the term...

Cyber Monday Spurs Online Cybercrime Smackdown

Whoever coined the phrase "crime doesn't pay" obviously had not foreseen the advent of the Internet, as the sale of counterfeit merchandise online has evolved into a very lucrative venture for cybercriminals. In the third year of a concerted effort to crack down on the illicit sales, a coalition of law enforcement agencies from the...

SANS Unveils the NetWars CyberCity for Cyberwar Training

Itching to get your cyberwar on, but you just need a targeted city and the associated systems to defend? You're in luck. The SANS Institute today announced the launch of the NetWars CyberCity which will be used to instruct cyber warriors in the techniques required to defend critical networks against Internet-based attacks and secure a...

Post-Incident Review is Weakest Link in Risk Management

As organizations seek to analyze the return on security investments in an effort to maximize impact in the face of limited budgets, many may be spending valuable resources to address symptoms while altogether missing the opportunity to mitigate the root problems that put systems and sensitive data at risk, according to a recently released report...

Hacker Convicted for 2010 Breach of AT&T iPad 3G Customer Data

While it can take a hacker mere hours to breach networks and make off with a bounty of sensitive data, the slow-turning wheels of the legal system typically take years to bring the offender to justice. Such is the case of Andrew Auernheimer, the infamous AT&T hacker sentenced last week for his 2010 exploit that exposed the personal information...

Cybersecurity at DoE Facilities Weak but Improving

With all the hoopla and rhetoric being tossed about regarding the potential for a devastating attack against systems governing critical infrastructure that could result in a "cybergeddon," news that the Department of Energy (DoE) and the National Nuclear Security Administration have successfully addressed more than half of the network...

Beyond V*I*A*G*R*A - Evil Phishing Scams of 2012

You’ve heard the old saying: A chain is as strong as its weakest link. When it comes to IT security within your organization, the weakest link may well be your own workers. It’s human nature to be trusting of others. Scammers and attackers know this and use social engineering in the form of phishing to get people to reveal information...

Operation High Roller Adaptation Targeting German Banks

Operation High Roller, which was first detailed by researchers in mid-2012, was assumed to be waning, but new reports indicate that cyber criminals are once again using automated client and server-side attacks to conduct fund transfers to mule accounts, and in at least one instance attempted a fraudulent transaction for a whopping...

PCI Risk Assessment Guidelines are No Silver Bullet

Need a leg up on establishing a good risk assessment methodology to comply with the PCI DSS section 12.1.2 regulations? You're in luck, sort of. The Payment Card Industry Security Standards Council (PCI SSC) has released guidelines for all organizations that store, process, or transmit cardholder data to help in the design and...

Security Intelligence Enters the Mainstream

If you spend any time with the top banks and defense contractors you will have noticed a dramatic change in their approach to defending their networks from intrusions. Traditional security operations of vulnerability management, configuration management, and policy exceptions are being beefed up dramatically. New teams are being formed to counter...

DDoS Attacks are Increasing in Frequency and Severity - Study

What’s this? Another bout of website downtime? It could be just a glitch, a hardware component failure, or a pesky case of file corruption, but more than ever it is likely to be the result of a Distributed Denial of Service (DDoS) attack like those that have had the financial sector on high alert since September. A newly released study...

Follow the Leader: Learn What Makes the Most Effective Security Organizations the Leaders in What They Do

In the early months of 2012, consulting firm PwC joined CIO magazine and CSO magazine to conduct a worldwide survey on the global state of information security. More than 9,300 CEOs, CFOs, CISOs, CIOs, CSOs, vice presidents and directors of IT and information security from 128 countries took part in the survey. The full results are documented in...

Network Complexity Creates Additional Risks to Security

Managing elaborate enterprise network deployments is difficult enough, and then ensuring those systems are properly configured and secure against a myriad of threats makes the task that much more arduous. The problem for many organizations is that the growing complexity of integrating multiple vendor products and an array of policies is creating...

When it Comes to Controls and Compliance, Fix Once and Comply with Many

Fix once and comply with many! This is the holy grail of both controls and compliance for organizations that need to comply with multiple regulations and standards. For example, a large enterprise might have to assure that it’s fully in compliance with SOX, HIPAA, COBIT, PCI and ISO 27001. Determining and implementing the proper controls and...

Leading Antivirus Products Vulnerable to Remote Exploits

While the deployment of antivirus software on systems is of course intended to add a protective layer for systems, sometimes there are bugs present that themselves present a vulnerability that can be exploited by attackers. Such is the case for several of Symantec's products which have been discovered to be improperly handling CAB files, which...

Researchers Examine Widespread ICS Vulnerabilities and Mitigation Strategies

Vulnerabilities related to Industrial Control Systems (ICS), which include supervisory control and data acquisition (SCADA) networks that administer operations for critical infrastructure and production, are a very hot topic in security. Joel Langill (SCADAhacker.com) and Eric Byres (Byres Security) have teamed up again to take a look at the...

Advice for E-Retailers: Don’t Let a DDoS Attack Knock Out your Profits During the Holiday Shopping Season

The holiday shopping season is underway—let the frenzy begin! This is the time of year when retailers make as much as one-third to one-half of their annual profits. If your company conducts sales over the Internet, it’s critically important to keep the website up and operating at maximum efficiency. If consumers coming to your site...

SEC Encryption Fail: Simple is So Hard

Even in the face of a never ending barrage of headlines about security lapses, it seems that some people must feel they are somehow immune to the threat of data loss and fail to follow basic security best practices. Reuters is reporting that staff members from the Securities and Exchange Commission's Trading and Markets Division brought...

Black Hat Wannabes Get Training on Underground Hacker Forums

Interested in advanced training opportunities so you can stop just wanting to be a Black Hat and finally turn your skills into a full-time criminal operation? Underground forums are providing education on how to become a better, and more malicious, attacker. Researchers combed one of the largest known hacker forums plus a few smaller ones and...

Adobe Reader Vulnerable to New Zero-day PDF Exploit

Once again, hackers are proving that the best we can expect to do is stay just one step behind them as they continue to capitalize on previously undisclosed vulnerabilities. The latest is a PDF-based zero-day exploit that defeats the sandbox security features available in Adobe Reader. The exploit is already known to be present in a modified...

Ransomware is Becoming a Million Dollar Business Venture

Would you be fooled by a popup on your computer that demands immediate payment to restore your device to normal working order? Like most scams, it's all in the numbers - hit enough potential victims and over time realize a profit. That's the name of the game when it comes to the dramatic increase in ransomware, which is estimated to be...

Lawsuit Alleges Backdoor Present in Ohio Voting Machine Software

The elections may be over, but the politics of security in the process will persist unabated. The latest volley in the controversy over the potential for fraud by way of insecure electronic voting machines comes in the form of a lawsuit filed in Ohio by Green Party candidate Bob Fitrakis which alleges that the software provided by contractor...

If You Can't Rock the Vote, Just Hack It...

Any information security professional will tell you, there is no way to guarantee absolute security in any system if an attacker is determined enough to breach it. So why would anyone think voting machines would be any different? Researchers at Argonne National Laboratory have shown that not only are the electronic voting machines that will be...

Study Finds Small Businesses Increasingly Prone to Threats from Malware

Think your company is just too small to be the target of criminal hackers? It's time to change your mindset. According to a recently released study, small to medium-sized businesses (SMBs) are more prone to breaches resulting from viruses, worms, spyware and other forms of malware. Researchers found that a staggering 63% of small businesses...

NIST Seeks Feedback on Draft Guidelines for Securing Mobile Devices

Sure, you love your razor-thin mobile phone with the extended battery life, but the sacrifice made for size and convenience is the hardware-based security features that we are accustomed to in other devices like desktops and laptops. In order to accelerate the implementation of new technologies for better security in mobile devices, the National...

How the Presidential Election will Impact Cybersecurity

Cybersecurity is a relatively young discipline, yet it has quickly emerged as one of the single most important issues of the day, as information systems touch nearly every aspect of our daily lives in a digital society. Threats to the nation's critical infrastructure, corporate intellectual property, and the identities of the average citizen have...

Citibank's 'Gone in Sixty Seconds' Heist Should Serve as a Wake Up Call

The Federal Bureau of Investigation announced that fourteen suspects have been charged with stealing more than one million dollars in funds by exploiting a flaw in Citibank's transaction security protocols which allowed for large, simultaneous withdrawals on the same accounts from multiple locations. The heist should serve as a wake up call to...

Analyzing Network Traffic to Detect Advanced Persistent Threats

One of the most basic tenets in infosec is the fact that there is no such thing as absolute security, and the nature of Advanced Persistent Threats (APT) and their successful application by attackers is a constant reminder. While the rate of network penetration from true APTs is nearly 100% and many infiltrations are not discovered for months or...

Over Two Million Home Networks Infected with ZeroAccess Botnet

If ghosts and goblins running amok for the Halloween season aren't enough to scare you, how about the continued propagation of malware? Some 13% of home networks in North America are thought to be infected with malicious agents. Of those contaminated systems, half (6.5%) are infected with high-level threats including botnets, rootkits, and a...

U.S. Army Working to Integrate Cyber Operations Capabilities

The U.S. Army is seeking to transform itself in order to strategically address new challenges presented by the addition of cyberspace as a field of operations, making the shift to a joint-information environment with a focus on both defensive and offensive cyber capabilities, according to Lt. Gen. Rhett A. Hernandez, commanding general for the...

After a Breach, Be Prepared to Communicate, Communicate, Communicate

I recently wrote about how companies communicate with their customers during and after cyber attacks. Many organizations that suffer a data breach do a poor job of communicating about the incident, leaving people unaware of the level of vulnerability of their personal information. In just the past week, we received reports of two...

Presidential Debate Moderators Drop the Ball on Cybersecurity

If you give any credence to the headline-making comments being served up by some of our nation's top security officials, like Secretary of Defense Leon Panetta and the NSA's General Keith Alexander, then the country is faced with an imminent threat from a cyber-borne catastrophe of epic proportions, and businesses are losing billions of...

Is the Internet Broken Today? Major Outages Spur Chatter

Widespread packet loss and downtime for some big players has been the cause of quite a bit of chatter today regarding the possible causes for the widespread disruptions on the Internet. Google App, Tumblr, and Dropbox have all been the subject of reported service interruptions. So far, no one seems to know the cause or if the events are...

State CISOs Battle Resource Constraints in Face of Escalating Threats

As the budget belts get tightened, CISOs across the country who are charged with protecting vital state-operated networks are expressing a lack of confidence regarding their ability to safeguard data repositories in the face of ever more sophisticated external threats, a new study reveals. According to the 2012 Deloitte-National Association of...

Read more

Would You Tell a Customer “It’s Your Fault”… Even If It Isn’t?

We’ve all been reading about the DDoS attacks that have hit most of the major American banks in the past month or two. Just for a moment, let’s put aside the technical aspects of how these attacks happened and think more about how they have affected the banks’ customers. More specifically, I want to explore how these financial...

Read more

Researchers Find More Widespread SSL Vulnerabilities

What is a critical security feature in an application worth if it doesn't provide any security? Not much, according to researchers who uncovered widespread and very exploitable vulnerabilities in Secure Sockets Layer (SSL) implementations during their examination of a selection of non-browser software offerings available in the...

Read more

Misinformation on Weak Passwords, Poor Authentication Measures and Data Breaches

There is typically a lot of confusion on security issues in the way they are relayed to the general public, especially when the PR folks get involved in trying to take news of major breach events and spin them in an effort to push a vendor's product. Sometimes the level of misinformation just makes you scratch your head and wonder what people...

Read more

FTC Guidelines Take Aim at the Widespread Use of Facial Recognition Technology

Imagine a world where your every move can be tracked via closed circuit video systems, or through seemingly innocuous photos of the crowd at an event you attend that are posted by someone else on social media outlets. Even more disturbing, envision a world where hidden cameras are strategically placed to capture your facial expressions in order to...

Read more

Understanding the Anatomy of Data Breaches Industry-by-Industry

Every industry vertical is faced with the prospect that sensitive data can and will be stolen, and each sector faces unique challenges when it comes to protecting information critical to its long-term viability, according to a series of newly released reports that examine the anatomy of data breaches on a granular basis for several major industry...

Read more

Financial Services Thinktank Offers Strategies to Combat Cyber Attacks

It appears that the barbarians are at the proverbial gates, and the financial sector is scrambling to shore up their network defenses in an effort to combat the specter of website downtime caused by hacktivists engaged in a spate of attacks targeting American banks. In response to the attacks, BITS - the technology policy division of The...

Read more

Banks May Get Reprieve from Denial of Service Attacks This Week

Even hacktivists need to take a holiday it seems, so American banks may get a much appreciated break this week from the recent onslaught of Distributed Denial of Service (DDoS) attacks that have had the financial sector on high alert since last month. Izz ad-Din al-Qassam Cyber Fighters, the Islamic extremist group who have claimed...

Read more

VA Computers Still Unencrypted More than Half a Decade After Breach

While lawmakers entertain notions of broadening government powers regarding private sector security through an expansion of regulatory mandates, some government agencies continue to demonstrate that they can't even effectively administer their own cybersecurity prescriptions. A report released by the U.S. Department of Veterans Affairs (VA)...

Read more

Fear, Uncertainty, and Doubt Won't Protect Us from the Real Security Threats

Dire warnings of an imminent and catastrophic attack that could take down the power grid or cause domestic water supplies to be interrupted may serve to alarm policy makers and the public, but they do little in the end to draw attention to the real security issues the nation is facing, according to the Internet Security Alliance's Larry...

Read more

Widespread SSL Vulnerabilities Identified in Android Applications

That application you just downloaded uses an encrypted connection, so your sensitive data is protected, right? Not necessarily, according to researchers from two German universities who discovered that thousands of applications are leaving users at risk. The problem resides in how the application developers improperly implement the Secure...

Read more

Can You Be Shamed Into Casting Your Vote for U.S. President? Let’s Hope this Never Happens

Election campaign season is in full swing, and both major political parties are in a frenzy to get voters to cast their ballot. Technology plays a larger role in this election than any previous year. The campaigns have used blogs, emails and social networking effectively in the past, but this year’s hot technology appears to be business...

Read more

On the Prospect of a U.S. - China Cyber Detente

The United States and the People's Republic of China have been engaged in a mini cold war of sorts for decades, quibbling over issues of military expansion, fair trade policies, and the future of the independent state of Taiwan. In recent years, nowhere has the contention between the two powers been greater than where cybersecurity is...

Read more

Bank DDoS Attacks: Is it the Russian Mob, Iran, or a False Flag?

Open speculation on the source of a series of Distributed Denial of Service (DDoS) attacks targeting U.S. financial institutions continues to make the rounds on the web, with fingers pointing at the Iranian government, Russian crime syndicates, and rumors that the operation may be a false flag event to garner support for another American military...

Read more

IT Supply Chain Integrity to Emerge as Top Security Concern

Sure, vital components that constitute the infrastructure of networks will be exposed to an untold number of threats after deployment - that's the nature of the beast. But how do we defend against threats that are built into those components before they ever reach our doorstep? That's an issue organizations will be increasingly faced with...

Read more

Researcher Demonstrates Lethal Medical Device Exploit

Noted security researcher Barnaby Jack has dealt another blow to medical device insecurity with an exploit that shows how attackers could hack communications terminals for pacemakers and implanted cardioverter-defibrillators (ICDs) to administer potentially lethal jolts. In a shocking presentation at the BreakPoint Security Conference in...

Read more

Senator Warns that Cybersecurity Threats are "Anything But Hype"

As Congress ponders the prospect of taking up cybersecurity legislation again during the post-election lame duck session, Senator Joseph Lieberman has unleashed some trenchant rhetoric in a New York Times Op/Ed piece which chides his colleagues for legislative inaction on what he considers to be a national security priority. Lieberman, who...

Read more

US-CERT Issues Updated Advisory on Destructive Shamoon Malware

What could be worse than a pesky malware infection on your organization's networks? How about malware that can annihilate systems and the precious data that resides on them. That's the case with the uber-destructive strain of malicious code dubbed Shamoon. The Department of Homeland Security's United States Computer Emergency...

Read more

DHS Engages Private Industry to Secure Critical Infrastructure

In the wake of a series of troublesome Distributed Denial of Service (DDoS) attacks targeting U.S. financial institutions, the Department of Homeland Security is seeking to improve the coordination of cybersecurity efforts with private industry to protect the nation's critical infrastructure, including vital networks in the financial...

Read more

Insider Threats Trump Hackers in Enterprise Data Loss Events

As organizations continue to invest heavily in perimeter security solutions in an effort to protect sensitive data from external compromise, an insidious threat lurks from deep within the confines of the enterprise: Threats from the malicious insider. While the general rate of fraud is down slightly from last year's levels according to a...

Read more

Extremist Group Vows to Continue DDoS Attacks Targeting Banks

After a week of silence, the Islamic extremist group Izz ad-Din al-Qassam Cyber Fighters has vowed to continue a series of Distributed Denial of Service (DDoS) attacks targeting U.S. financial institutions, which are being conducted in protest of a widely denounced YouTube video which scorns the prophet Mohammed. In a new posting on...

Read more

Organizations Moving Email to the Cloud Despite Security Concerns

The rapid pace of migration to managed services by organizations continues to gain momentum despite well-founded concerns over data security and complicated legal issues related to maintaining regulatory compliance. Leading the trend is the adoption of cloud-based communications with a staggering 83% of respondents indicating they intend to...

Read more

Court Rules Email Accounts are Fair Game for Hackers

Did you think your private correspondence stored by email providers like Google and Yahoo is safe from unauthorized access? Think again... In a devastating blow to privacy and the sanctity of proprietary data, the South Carolina Supreme Court has ruled that such data is not protected by the Stored Communications Act (SCA). In a landmark...

Read more

Government Provides $9 Million in Grants for Trusted Identities in Cyberspace

Internet-based transactions such as online banking and retail sales account for an increasing percentage of business activities considered vital to the health of the national economy, yet many consumers indicate they are still reluctant to engage in these activities due to concerns over security. In response to those concerns, the U.S....

Read more

FBI and IC3 Warn of FinFisher and Loozfon Malware Targeting Android Devices

Android's open architecture has made the operating system an increasingly attractive target for malware designers seeking to exploit mobile devices and pilfer sensitive information. Accordingly, the Federal Bureau of Investigation and the Internet Crime Complaint Center (IC3) issued new warnings for Android users regarding the recent uptick in...

Read more

Majority of SMBs Have No Security Policies or Contingency Plans

Small businesses (SMBs) are increasingly becoming the target of cyber criminal operations, as most do not have the resources or expertise at their disposal to protect proprietary information and client data, yet the majority of small businesses in the U.S. are under the assumption they are protected from cybersecurity threats, according to new...

Read more

Panetta Warns Attacks on Critical Infrastructure "Could Paralyze the Nation"

Secretary of Defense Leon Panetta reiterated his concerns over vulnerabilities in systems governing the nation's critical infrastructure that could result in catastrophic events should those networks be targeted by malicious actors. “A cyber attack perpetrated by nation states or violent extremist groups could be as destructive as the...

Read more

Suntrust and Regions Latest Victims in Denial of Service Attacks

Suntrust Bank and Regions Bank are the latest targets in a series of Distributed Denial of Service (DDoS) attacks being claimed by an Islamic extremist group called Izz ad-Din al-Qassam Cyber Fighters, which made good on their October 8th threat to assail the institutions. Earlier this week Capital One had confirmed the bank's website...

Read more

Get a Handle on Implementing Critical Cloud Security Controls with New Guidelines

Cloud computing offers companies the opportunity to cut costs by reducing outlays in hardware and by reducing the number of support staff required for maintenance of in-house data centers. But the move to the Cloud can be daunting for many organizations, who in study after study cite security concerns as the primary obstacle to migrating to...

Read more

Florida College Breach Exposes Education Sector Security Perils

In a recently discovered network intrusion that may have lasted for several months, the personal information of several thousand Florida college employees, and potentially hundreds of thousands of students, is thought to have been exposed in what officials described as "a professional, coordinated attack by one or more...

Read more

Mozilla Warns of Security Vulnerability - Pulls Firefox 16 from Market

Just one day after Mozilla debuted the latest version of the Firefox browser, complete with a nifty new developer's toolbar feature, the release has been pulled due to concerns over a vulnerability that could jeopardize user privacy. "Mozilla is aware of a security vulnerability in the current release version of Firefox (version 16)....

Read more

Capital One Latest Target in Rash of DDoS Attacks

Capital One has confirmed they are the latest victim in a series of Distributed Denial of Service (DDoS) attacks which have been plaguing the financial sector for several weeks, all of which are being claimed by an Islamic extremist group called Izz ad-Din al-Qassam Cyber Fighters. The attacks have caused varying periods of disruption...

Read more

Microsoft Patches Critical Word Vulnerability for Windows and More

Microsoft issued patches Tuesday to mitigate twenty vulnerabilities in a variety of their software products, including a critical patch to remedy a bug in the popular Word application that could be exploited by attackers remotely in targeted attacks. The Word vulnerability is present in all versions of the software for Windows systems (2003,...

Read more

NIST Patch Management Guidelines Overhauled to Reflect Automation Trend

Effective software patch management has long been the bane of security managers, network engineers, and system administrators. The process is often costly, requires significant resources, and can potentially result in unforeseen disruptions to network functionality by interfering with other applications or by causing a system reboot during the...

Read more

Data Breaches Happen Daily - Get Your Detailed Planning Guide for Breach Readiness

It’s Monday morning and you’ve just settled into your office to start your day. Before you can even finish your first cup of coffee, there’s a light knock at your door. You look up and see one of the regional sales managers standing there, looking rather hesitant. You invite him in and ask what’s on his mind. He hems and...

Read more

FTC Takes Action to Quell Tech Support Scam Epidemic

Consumers are being inundated with bogus warnings that their systems are infected with spyware and viruses by "scareware" scammers intent on fraudulently collecting fees and seeking to gain remote access to victims' computers. At the behest of the Federal Trade Commission, a U.S. District Court Judge has issued orders to halt the...

Read more

Risk of Data Loss Tops Mobile Threats for Enterprises

Mobility of the enterprise workforce has quickly become a key element to competing in an increasingly fast paced marketplace, but the advantages are tempered by a new set of risks. The threat of a catastrophic data loss event from mismanagement of mobile devices tops the list of concerns revealed in a new study by the Cloud Security Alliance...

Read more

Clean Up That Network Traffic

Here at IT-Harvest Global Headquarters we have installed a new technology: reverse osmosis water filtering. Our water may have lost some of its tang but it is clean. Even our ice-cubes are clearer now. Reverse-osmosis is an apt metaphor for Corero’s new positioning. Long known for their Denial of Service Defense and Intrusion Prevention...

Read more

Cyber Attacks and Their Financial Costs Hitting Companies Harder

Cyber attacks are on the rise, more than doubling over the last three years, while the associated costs to affected organizations have risen a whopping 44 percent during the same period, according to a new study conducted by the Ponemon Institute. The report reveals that while the pace of attacks is steadily increasing, with an average of 102...

Read more

House Intelligence Committee Warns of National Security Threat from Chinese Telecom Giants

A Congressional panel has concluded that Chinese telecom firms Huawei Technologies Ltd. and ZTE Corp. pose a significant risk to U.S. national security, and recommends that American companies avoid any and all business relations with the technology giants. House Intelligence Committee Chairman Mike Rogers and Ranking Member Dutch Ruppersberger...

Read more

Google FUD or State-Sponsored Attack Threat?

Select users of Google’s services are once again receiving warnings regarding the possibility that they may be at risk of falling victim to state-sponsored attacks. Is this just more fear, uncertainty and doubt, or is there a legitimate threat backing up the move by the search engine giant? The cautionary message, which states...

Read more

Adobe's Digital Certificate Hack Highlights Trend

That software you are downloading has a valid digital certificate so it can be trusted to be legitimate, right? Not necessarily. Compromised digital certificates have been key to the successful dissemination of some of the most dangerous malware strains discovered to date, including Stuxnet, Flame, Zeus, Mediyes, and the Lethic botnet. Now...

Read more

Stolen Data Black Market Trade Soaring

Nearly twenty-million "pieces of personal data" changed hands worldwide in the first six months of this year, more than was traded in all of 2011 according to a new study released by the credit monitoring company Experian. The trend will result in a nearly four-hundred percent increase in stolen data sales over the last two year...

Read more

White House Confirms Spear Phishing Attack

White House officials have confirmed reports that U.S. government systems were targeted last month in a spear phishing attack allegedly originating from servers located in China. While details of the attack have not been released, it appears that unclassified systems operated by the White House Military Office were exposed by way of a spoofed...

Read more

Cyber Attacks Targeting Financial Institutions Continue to Escalate

The number of financial institutions whose websites are being targeted by cyber attacks continues to grow in the weeks following a security advisory issued by the Financial Services - Information Sharing and Analysis Center (FS-ISAC) which warned of increased threats. Institutions which experienced significant website downtime in recent...

Read more

Government Issues Recommendations to Improve Implanted Medical Device Security

The Government Accountability Office (GAO) recently issued a report for Congress with a series of recommendations for improving the monitoring of security protocols for implanted medical devices which may be vulnerable to interference that could adversely affect their performance. Specifically, the GAO report suggests that the Department of...

Read more

Who let the data out? Careless workers, that’s who

Frequently we see headlines about high profile data breaches where cyber criminals break into corporate computer systems and steal customer lists, credit card numbers or other sensitive information. These high profile breaches are certainly clear and present dangers to both the companies charged with protecting this data and the consumers whose...

Read more

Keep some links out of LinkedIn to hold onto your intellectual capital

A column by L.M. Sixel in the Houston Chronicle points out that LinkedIn has become a recruiter’s best friend. When a company is looking to hire a qualified professional, what better way to find him or her than by looking through the networking site that provides everyone’s unofficial resumes? Even people who may not be looking for...

Read more

There is no need for a cybersecurity executive order

Since the collapse of the Congressional attempt to pass the Cybersecurity Act of 2012 there has been mounting pressure for the Obama Administration to “do something”, that something being the imposition of a regulatory regime to protect critical infrastructure. But the Cybersecurity Act of 2012 failed because it was fatally...

Read more

Encryption innovations simplify the choice to deploy cloud applications

Security vendors are heeding the siren call to create more useful solutions to protect data going into the cloud. In particular, there is some real innovation in products designed to encrypt or tokenize data before it is sent to cloud based applications. Three of the more significant developments include: Format preservation Operation...

Read more

The PCI Security Standards Council is working on clarifying, enhancing PCI DSS 2.0

The Payment Card Industry Data Security Standard (PCI DSS) was released at the tail end of 2004. The intention of the standard is to create an additional level of protection for card issuers like MasterCard and Visa by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data. The Payment Card...

Read more

Can you get a restraining order against Web ads that stalk you?

Have you ever had that feeling that you’re being followed? How about when you’re sitting at your own desk, surfing the Web? A few months ago, I was shopping for a necklace for my daughter. I was looking at some nice choices on Overstock.com and ran out of time for shopping. I closed my session without buying anything. The next day I...

Read more

If you are an enterprise, you must perform malware analysis

Malware analysis is essential for contemporary crimeware analysis in the enterprise. There are too many variants out there, using too many tricks to obfuscate their real intent. There were eight million new variants in the first quarter alone, according to McAfee. Antimalware and IPS can do only so much. It’s up to the organizations to do...

Read more

Getting incident response right: Part 2

Now that we know what to do in advance, what happens when the balloon goes up and the response is not theoretical but right now? The difference between a well thought out, comprehensive plan and a plan that leaves the participants fluttering around for hours trying to assemble the troops can mean a difference of perhaps millions of...

Read more

Getting incident response right: Part 1

Often misunderstood, incident response can be the difference between an uncoordinated reaction to trouble, perhaps misinterpretation, perhaps even hours of misdirection or paralysis, on the one hand, and prompt, effective and timely action on the other. In other words, the difference in some cases between catastrophe and containment. The most important...

Read more

Verizon: 58% of attack vectors are Web apps. Can you defend them?

Application security represents a major paradigm shift for the security community. In the past, security was about turning on or off a specific port. Done! Application security is much more complex today, and for good reason: hackers have expended tremendous effort to attack applications. According to a recent Verizon Data Breach...

Read more

The online underground in China: Part 2

Last time we looked at how members of the Chinese online underground manipulate and steal real assets and virtual assets, the virtual cash and gear that sell for real dollars on the open market. Today we’ll take a look at the abuse of Internet resources and services, and the Blackhat services, the engine that in effect makes it go, with the...

Read more

The online underground in China: Part 1

China is a source of advanced persistent threats, a source of espionage and intrigue. Cloak and dagger stuff. But it is also where there is a burgeoning online underground, which is hard to quantify, harder to control and enjoys a great deal of freedom despite efforts to crack down on it. For the first time, a report analyzes this underground, find...

Read more

If you can’t afford to do training right, don’t do it

So the debate goes on: should we train our staff not to do stupid things with email, Facebook and Twitter? Should we spend hours teaching and reinforcing the evils of the web? Should we bother training everyone, or train just those with access to sensitive information or vital systems? Or is it all a gigantic waste of time, because the bad guys...

Read more

Stupidity and carelessness have metastasized at Texas cancer center

One of the most revered institutions in the state of Texas is the University of Texas M.D. Anderson Cancer Center. It’s one of the most famous hospitals in the world. Depending on which list you check, M.D. Anderson is ranked either #1 or #2 in the country for cancer treatment. People have been known to travel from every corner of the world...

Read more

Small-medium business: You're basically on your own

Online banking continues to rise steadily in popularity, but small and medium businesses aren’t learning the lessons. The good news is that fully a quarter of the banks are reimbursing the full amount of the fraud, according to a joint poll taken by the Ponemon Institute at the behest of anti-fraud vendor Guardian Analytics. So the scale is...

Read more

APT stalks the top firms, but most are in denial

The reality of advanced persistent threats (APTs) is a menace to more firms than are aware of it. Chances are good your firm may be a victim and not even know it; maybe for a long time. The fact that most companies surveyed by ResearchNow on behalf of CounterTack only admit to a “slight” vulnerability is a sure sign that many companies...

Read more

Silon reborn: Tilon is tougher, harder to detect banking Trojan

Trusteer has discovered a new malware that is targeting banks. It bears some resemblance to Silon, a piece of malware that defrauded customers protected by two-factor authentication. It underwent two revisions and continued to do well into last year, then went into decline. Dubbed Tilon, it is a classic Man in the Browser (MitB) software,...

Read more

Ultimate in remote tech support: Updating software on the Mars rover

Don’t you hate it when you buy a new piece of computing gear and the first thing you have to do when you power it up is install an update to the operating system? Well, now you know how the NASA scientists at Jet Propulsion Laboratory feel. Since landing the amazing scientific rover Curiosity on Mars on August 5, the scientists haven’t...

Read more

Microsoft, Adobe to issue critical updates

Microsoft will issue 14 updates on Tuesday, including four in Internet Explorer. That’s the third month in a row Microsoft has patched holes in the browser. Of the nine updates, five are labeled critical, the highest Microsoft rating, and four will be labeled important. In addition to the update for Explorer, two of the remote code...

Read more

Banking “spyware” opens questions about who is spying on who

The discovery of a variant from the same family that brought us Flame (and Stuxnet and Duqu), this one focused on Lebanese banks, is the latest in a still developing series of disclosures. The revelation of the first-ever banking Trojan of this high-powered pedigree may just be the tip of the iceberg. Here’s what we know and what we...

Read more

Electronic law for the 21st century

Updating the electronic law for the 21st century is long overdue. Two Democratic Congressmen have submitted the Electronic Communications and Privacy Act Modernization Act of 2012 to try to rectify the issue. (I don’t quite understand the need for the word “act” twice when one would do nicely. Perhaps it’s because...

Read more

Bring it on: Companies push sensitive data to the cloud despite doubts

Companies are moving relentlessly towards placing sensitive data in the cloud, although many are skeptical about the cloud providers' ability to protect it and many do not even know what the providers are doing. Yet the beat goes on to more and more migration to the cloud. About half of the 4,140 companies queried by the Ponemon Institute in a...

Read more

New tool measures your preparation for a DDoS attack: Are You ready?

How does one begin to assess the company’s readiness for distributed denial-of-service attacks? Will it be a bolt from the blue or a well understood attack? Is the company primed and ready for any eventuality that might hit it, or will it run yelling that the sky is falling? A new tool assesses how well prepared you are for attack – or...

Read more

Security awareness: To train or not to train, that is the question

There’s a spirited debate going on about the value of training employees for security awareness. It started in May 2012 with Joe Ferrara’s article for CSO magazine, Ten commandments for effective security training. Ferrara is president and CEO of Wombat Security Technologies, a vendor of security training materials....

Read more

Arms dealing in cyberspace: Questions we need to answer

Alex Sanchez, Research Fellow at the Council on Hemispheric Affairs, and participant in the International Cybersecurity Dialogue, introduces the issues surrounding cyber arms dealing, especially as they relate to Latin America, in today's Cyber Domain blog on Forbes.com. At the last meeting of the ICD Alex introduced the question of cyber...

Read more

Phone fraud picks up dramatically in first half of 2012

Phone fraud is on the rise, but the numbers, while significant in a raw sort of way, are still very small. While phone fraud increased a whopping 29% in the first six months of 2012, compared to the last six months of 2011, the numbers were relatively small, around 1,300,000 compared with about a million. However, the number bears watching over the...

Read more

Cyber Security Act of 2012: Sound and Fury?

So, as Congress grinds its way to a Cyber Security Act that was designed to please everyone and satisfies no one, the amendments are flying thick and fast. As one witnesses the flurry of last-minute amendments, one has to wonder why all the fuss? The Cyber Security Act of 2012 is still undergoing a...

Read more

Advanced persistent threats are nothing if not, well, persistent

Advanced persistent threats (APTs) are a different kind of animal. They just don’t let go, even after you kick them off and eradicate them from your networks. You’ve got something they want, and they just keep going after it. As SANS APT instructor Rob Lee put it in a recent posting: “We tell this to executives: Once you are...

Read more

Three signs that privacy in the U.S. is dead (or soon will be)

In the United States, we consider personal privacy to be sacrosanct. It is part of what makes us “free.” We don’t like the idea of companies or agencies of any sort knowing too much about our personal lives. We expect that what happens not only in Vegas but practically anywhere will remain private. Alas, the privacy genie is out...

Read more

Phishing industry is alive and well, APWG reports

The phishing industry keeps reeling them in, according to the Anti-Phishing Working Group's (APWG) first quarter report. More brands, 392, were subverted in Q1 2012 than ever before, eclipsing the previous mark of 362 just last December. That’s an 8% increase in both February and March. The numbers of unique URL phishing sites also...

Read more

Cyber security bill reintroduced: Much ado about nothing?

The latest iteration of a federal cyber security bill removes just about every objection anyone could raise, and puts almost no requirements on the private sector to strengthen security. The bill is designed to win Republican support, but at a price that removes federal control over security in the private sector. The bill is easy to support,...

Read more

Hard lessons learned about online banking security

Network World recently published an article about a small business owner that was a victim of online banking fraud who fought mightily to get her money back—first from the money mules working for the fraudster, and then from the bank whose lax security allowed the fraud to happen. First the highlights, and then we’ll discuss some of...

Read more

Oh, Canada! USB drives with information on 2 million voters are missing

The news is out, nearly three months after the fact, that two unencrypted USB drives containing personal information on some two million voters in Ontario – the largest data breach in Ontario history – are missing. Disappeared. Gone. These kinds of cases keep popping up, seemingly without relent. Someone hasn’t...

Read more

Corero adds reputation-based detection to fight the awful numbers on the Internet

The numbers on the Internet are awful: There are so many hijacked zombie computers, so many malicious and compromised websites serving malware and so many malware variations. Security companies have had to go beyond their existing models of detecting attacks and leverage their global intelligence about what sources are currently serving up...

Read more

Court: Banks have some fraud liability — but security is still the SMB's responsibility

A federal appeals court ruling in favor of a small business whose bank failed to stop a series of transfers detected by its anti-fraud service opens the door a crack on just how badly a financial institution’s security program can perform before they have to at least share culpability. The First Court of Appeals in Boston overturned a...

Read more

Encryption solutions for the cloud Part 5: Vaultive

This is the fifth and last in a series of posts on cloud encryption solutions. One of the issues with encrypting data is that the resulting ciphertext is difficult to work with inside of applications. The encrypted data usually can’t be sorted, searched or indexed in any meaningful way. Thus, once you put ciphertext into a SaaS...

Read more

Microsoft to issue nine security bulletins, three critical

Microsoft will issue nine security bulletins, including three critical updates and six characterized as important, on Tuesday. Vulnerabilities in two of the critical bulletins could be exploited to allow an attacker to take control of a system running most Windows operating systems without user interaction, and thus are the most urgent priority for...

Read more

First-ever smart phone botnet indicates mobile crimeware is coming of age

The discovery of an apparent botnet comprising Android devices opens up yet another chapter in the developing march of mayhem in the smart phone world. More and more, we are seeing cyber criminals taking advantage of profit opportunities on mobile devices. The first-ever mobile device botnet, reported more or less simultaneously by...

Read more

Zemra botnet used for DDoS version of the protection racket

If you are looking for a bot capable of launching a distributed-denial-of-service (DDoS) attack to shake down a website owner who would rather pay ransom than lose hours of lucrative business, Zemra crimeware can be had for €100 ($126.20 on last check of the exchange rate), according to Symantec. Zemra, like most crimeware, hijacks a...

Read more

Encryption solutions for the cloud Part 4: Vormetric

This is the fourth in a series of posts on cloud encryption solutions. Vormetric offers centrally managed encryption, key management and access control for data at rest across distributed heterogeneous environments. Vormetric Encryption supports all of the major platforms – Linux, UNIX and Windows – and can be used in physical,...

Read more

Is it time for treaties governing the use of cyber weapons?

In a New York Times op-ed piece, Misha Glenny raises some interesting arguments about the lack of any international treaties controlling the use of cyber weapons, particularly over their use in peacetime. “It is one thing to write viruses and lock them away safely for future use should circumstances dictate it,” Glenny writes....

Read more

Once more into the breach: Another federal data breach notification bill

The news that Congress has teed up national data breach notification legislation yet again hardly gets the blood stirring. Yet another attempt to replace the mishmash of 40-plus state breach notification laws is, as always, a good idea, but we have been down this route several times over the last decade. The newest version, introduced by...

Read more

Incident response planning: Are you ready for the Big One?

Do you remember the Sony PlayStation Network hacking last spring? An attacker gained access to personal information stored on both the PlayStation Network and the Qriocity online music and video service. The breach affected the accounts of 77 million people worldwide. When the breach was discovered, Sony took both services offline for more than a...

Read more

European Parliament committee rejection may spell the end for ACTA

The controversial Anti-Counterfeiting Trade Agreement (ACTA) may be DOA when the full European Parliament votes on it on July 3, after the Parliament’s International trade committee, INTA, rejected the agreement 19-12 Thursday. ACTA is designed to combat international trade in pirated intellectual property, but much like the currently...

Read more

Building in mobile application security isn't easy: Follow best practices to secure apps up front

Mobile apps have been around for a few years now. We’ve passed the stage when they are just for fun and games – anyone up for some Angry Birds? – and are now for serious business use. There are mobile apps for practically every business function you can think of. Lately I’ve been talking to the people at...

Read more

Understanding and defeating APT, Part 2: Fighting the 'forever war' against implacable foes

The SANS Institute has introduced a course to train security personnel to detect and remediate Advanced Persistent Threats (APT), sophisticated and surreptitious attacks, generally conducted for industrial/commercial/government espionage. Security Bistro spoke with security, incident response and forensics expert Rob Lee, instructor for the course,...

Read more

Understanding and defeating APT, Part 1: Waking up to the who and why behind APT

The SANS Institute is introducing a course to train security personnel to detect and remediate Advanced Persistent Threats (APT), sophisticated and surreptitious attacks, generally conducted for industrial/commercial/government espionage. Security Bistro spoke with security, incident response and forensics expert Rob Lee, instructor for the course,...

Read more

Encryption solutions for the cloud, Part 3: PerspecSys offers encryption, tokenization for SaaS applications

This is the third in a series of posts on cloud encryption solutions. Security vendor PerspecSys is tackling the cloud computing space from the SaaS angle. PerspecSys believes that many organizations want to enjoy the speed and ease of deployment as well as the cost advantages that SaaS solutions such as Salesforce.com provide, but issues like...

Read more

Should patient consent be considered in sharing health info across national network?

The steady migration to electronic health records, mandated by the HITECH Act, may lead to inevitable trade-offs between privacy and security on the one hand, and more efficient and, ultimately, perhaps, better health care on the other. At the heart of the matter are the Regional Health Information Organizations (RHIOs) that are critical to...

Read more

Encryption solutions for the cloud, Part 2: Gazzang is built for “big data” environments

This is the second in a series of posts on cloud encryption solutions. Gazzang is a relatively new company that is building a series of data center tools built for new cloud architectures, and specifically to take advantage of open-source infrastructure. The first product the company has brought to market is zNcrypt. It is a...

Read more

Indian DDoS attacks come against backdrop of serious Internet freedom issues

The wave of DDoS attacks hitting various Indian government websites, as well as those of ISPs, the country’s Supreme Court and a couple of political parties hasn’t gotten all that much play outside that nation, but the themes strike some familiar chords, with Anonymous claiming credit for the attacks in response to court-ordered...

Read more

Microsoft to issue seven security updates, three critical

Microsoft will release seven security updates on Tuesday, June 12, three of them rated critical. The normal monthly “Patch Tuesday” Microsoft Security Bulletins follow the emergency update of a fix to close a vulnerability that the Flame espionage malware toolkit uses to leverage unauthorized digital certificates from a Microsoft...

Read more

Encryption solutions for the cloud, Part 1: Encryption and the cloud data security conundrum

In my recent conversation with Dr. Eric Cole of the SANS Institute (“Old remedies don’t work on new threats; SANS panel will discuss alternative medicine”), Cole stressed the importance of data encryption, especially in the cloud. His advice: Encrypt the data and manage the keys in such a way that no one but you has access...

Read more

Are there cyber warfare rules of engagement? New techniques, but the old rules may still apply

My former colleague Bill Brenner stirred up some interesting reaction to his recent posting about engaging in cyber warfare,  “Iran deserves the malware, but expect a backlash.” It's the right time for this discussion. Folks in the security industry — and I include myself — tend to get so immersed in the what and...

Read more

Massachusetts hospital data breach settlement shows health care providers are not immune to consequences

Somewhat lost in the conflagration over Flame and other sexy security news this week, South Shore Hospital agreed to a $750,000 settlement with the Massachusetts Attorney General’s office over the loss of 473 unencrypted backup tapes containing the names, social security numbers, financial account numbers and medical diagnoses of 800,000...

Read more

As RIM loses money and market share, we lose ground in the effort to secure mobile devices

Kaspersky Lab’s Ryan Naraine had the most eloquent commentary on the news that Research in Motion (RIM) was posting first quarter losses (RIM stock was down more than 7% in trading by late afternoon Wednesday and has been down about 80% in the last 12 months). He simply Tweeted “Damn” with a link to a news article. I think that...

Read more

Flame is the Mother of All Spyware, but while it may raise the stakes, it doesn't change the game

Flame brings us spyware that is truly worthy of the name.  You don’t hear the word “spyware” used much these days, but according to Kaspersky Lab's initial analyses, we’ve never seen malware so adept and stealthy at watching, capturing and stealing in so many ways. Kaspersky’s Alexander Gostev says it...

Read more

App security is the ultimate uphill battle, but CERT's SCALe secure development initiative is a promising weapon

Cyber criminals live off vulnerable software. That’s not exactly a revelation, but we need to bear in mind that if there were no software vulnerabilities, criminals earning a good living off the internet might have to find work elsewhere. Securing software is somewhat like Sisyphus, the Greek king punished by the gods by being compelled to...

Read more

Utah governor's knee-jerk response to health records data breach: 'Off with his head!' And now what?

I’ve been critical of the poor security that allowed the breach of Utah public health records of 780,000 people in Utah in April, so I feel compelled to comment on the firing of the director of technology services. Now that someone has been fired, of course, everything will be OK. Not. I’m not defending Stephen Fletcher, either for...

Read more

Mobile malware spikes in Q1, signed malware climbs, McAfee reports

Mobile malware continues to increase, focused heavily on adware and sending premium-rate SMS services, according to McAfee’s first quarter Threats Report. In addition to simple SMS malware, McAfee reports increasingly sophisticated backdoor Trojans on Android, which use a root exploit to take control of the phone and receive commands,...

Read more

Symantec's Vision: on the move and heading for the clouds

My company has sent a representative to the Symantec Vision conference for the past several years, and this year I drew the lucky straw to attend. The conference themes over the years have been some variation of “manage and protect,” but this year’s emphasis was clearly on data security, especially when it comes to data in the...

Read more

Access governance: Identity management gets down to business; NetIQ integrates former Novell IDM tools

From the nuts and bolts IT perspective, identity management has been heavily focused on getting the job of assigning privileges, authentication and access controls efficiently, and simplifying user access across multiple and disparate systems and applications. In large organizations, managing provisioning and de-provisioning, single sign-on, etc....

Read more

Remember Anonymous' call to speak with our feet against CISPA? How's that working out for ya?

I haven’t really had a chance to check in on Anonymous’ planned physical protests against the Cyber Intelligence Sharing and Protection Act (CISPA), announced in a five-minute-plus video (but feeling as interminable as an M. Night Shyamalan film) shortly after the U.S. House of Representatives passed it late last month. The cyber crusaders...

Read more

Energy sector threats keep us up at night; McAfee/Intel unveils multilayer protection plan

Potential threats to the nation’s energy supply, generation and distribution systems attract intense scrutiny not so much because of what has happened but because of what we believe could happen. The specter of an attack that could severely impair, for example, the distribution of electricity in much the same way Stuxnet damaged the Iranian...

Read more

Most states aren't well prepared for cyber attacks: Don't be surprised, don't be alarmed, but be concerned

Cyber security is not a top priority for state governments, and they are not well prepared to deal with cyber threats. In fact, cyber security ranks at the bottom of 31 critical areas in terms of readiness, according to a report issued by the Federal Emergency Management Agency (FEMA). Though we tend (I tend) to see the world in terms of...

Read more

You want some good numbers? Check out the InformationWeek security survey

I've grown to anticipate the annual InformationWeek Strategic Security Survey with some enthusiasm. It's one of the better conceived surveys around, covers a wide range of sectors and organization sizes, and has a sufficiently large sample (946 IT and security professionals) to be statistically significant, and it's chock full of...

Read more

BeyondTrust expands security coverage with eEye Digital acquisition

BeyondTrust continues to expand its security portfolio, announcing the acquisition of risk management vendor eEye Digital Security, whose menu of enterprise and cloud products has been built out starting with its venerable Retina network vulnerability scanning tool. BeyondTrust's primary play has been privileged identity management, centered...

Read more

Skillz are more important than your degree in security

Two words: “Learn tools.” It’s graduation season and time to address careers in IT security. I can’t help thinking back to May 1982, the month 30 years ago when I graduated from the University of Michigan as an aerospace engineer. I had done the rounds of campus interviews but was not excited about going to work for...

Read more

Old remedies don't work on new threats; SANS panel will discuss alternative medicine

Organizations spend lots of money on a variety of security products but they are frustrated because they are still getting compromised. Why? The threats organizations face have changed in the past year or two, but the way we approach security hasn’t. “When you’re dealing with the common cold, you wait for the first symptom to...

Read more

Panel: Survey suggests healthcare may be talking the talk, but breaches show it isn't walking the walk

Healthcare is data security's poor relation. Despite some evidence of positive effort, data breaches are on the rise, and most healthcare organizations just don't quite get the importance of security, focusing too much on the form of regulatory compliance and too little on substance, according to a panel discussing the recently released...

Read more

Fido exposed through identity verification: “Please provide name, date of birth and species”

There’s a classic cartoon depicting a dog using a computer, with a caption that says, “On the Internet, no one knows you’re a dog.” It’s funny, but true. When you have any sort of web-based business, you really don’t know who is on the other end of the transaction. Most online businesses address the identity...

Read more

It's time to stop coddling DNS Changer Trojan victims; let them learn the hard way

The last thing we need is the FBI acting as our cyber nanny. Last November, a massive botnet for the DNS Changer Trojan was taken down thanks to the FBI and law enforcement in Estonia. Six men were arrested for using the botnet of more than 500,000 infected machines, many of them within the U.S. government, to redirect web browsers to...

Read more

The numbers are still awful: Symantec issues annual Internet Security Threat Report

The Symantec Internet Security Report on 2011 Trends is one of those good news/bad news sort of things. Spam was way down. Far fewer vulnerabilities discovered. There were far fewer bot zombies around to spew spam, launch automated attacks against targets of opportunity or overwhelm targets with DDoS attacks. But as my Dad told me, "Work...

Read more

BYOD trend changes face of network access control; Enterasys introduces Mobile IAM, professional services

Mobile security is a hot topic, but although the buzz is about more and increasingly sophisticated mobile malware and malicious applications, the overriding challenge for enterprises today is about management and access control. With all the personally owned smart phones and tablets coming onto the corporate network, how do I manage them and...

Read more

Latest wave of healthcare data breaches symptomatic of sloppy security practices

The rash of recent data breach disclosures in the healthcare industry lays bare some very poor security programs and lax behavior. Whether it is sensitive data lost through carelessness or weak controls that made it almost impossible for hackers not to steal it, the impression is that the healthcare industry is still in the Stone Age (say around...

Read more

Spirent acquisition of Mu Dynamics marries heavyweight load-bearing, barrage-level security testing

With its acquisition of Mu Dynamics, Spirent combines industrial-strength load-testing and security torture-testing tools. The complementary combination gives customers one-stop shopping for heavy duty testing of network and security appliances, applications and network infrastructure. The two are among a few high-end testing tool vendors that...

Read more

If you feel you need big data for security, you are doing something wrong

I have been fighting the same battle for 12 years. It all started with IDS, a passive system for comparing network traffic to a set of signatures and generating alerts every time a match occurred. Because IDS was never put in-line, there was no cost to performance or risk from false positives, so signatures blossomed. Open-source communities...

Read more

Busting someone out of prison? Forget about the hacksaws. Hack the SCADA system

Rocky: “Pass the word, we’re busting out at 2 a.m. Everyone.” Snake: “Everyone? How we gonna open all the cells? How about the gates? Hah?” Rocky: “We have a brain who is gonna get into the SCADA system and exploit its vulnerabilities.” Snake: “Oh.” We all know about the concern about the vulnerability...

Read more

PCI DSS audits can be a nightmare or an opportunity

Move past the debate over whether PCI DSS compliance really makes an organization more secure and focus on how to put it to work for you. It comes down to this: If you are a CISO, how can you turn the QSA audit experience to your advantage, rather than a waste of money (six or seven figures if you are a Level One organization)? The formula is largely...

Read more

Haste makes waste; out-of-process firewall changes cause system outages, AlgoSec survey reports

Enterprises have change management processes for a reason. When you “just get it done” without appropriate approvals, notification and testing, bad things tend to happen. Firewall configuration and/or rule changes that don’t follow procedure are liable to open up security holes and/or inadvertently shut off access to critical...

Read more

What's wrong with XP? Nothing, but plan to migrate soon or leave your PCs open to attack

The news that Windows XP is on a two-year end of life countdown is worrisome. Microsoft will cease support for the world’s leading OS in two years (April 2014). From a security perspective, that means that organizations and consumers will have to upgrade to Windows 7, or perhaps Windows 8, or live without security updates for newly...

Read more

Utah's "multilayer" security around health records would be a bad joke, if there weren't 800,000 victims

More on the big Utah health records breach: "Medical data on the state's computers aren't encrypted, noting federal rules don't require it," the Salt Lake City Tribune reports, citing technology services director Stephen Fletcher. And the server was breached because a technician used a weak password. Take a couple of moments...

Read more

Flashback Trojan is a wake-up call for Mac Nation: You are now fertile territory for cyber criminals

A few days ago, a friend was hunched over his four-year-old Mac laptop, peering intently with furrowed brow. “Problem?” I asked. “Wondering if I should worry about this Flashback Trojan that’s in the news,” he replied. “I didn’t think Macs got viruses.” Of course, Macs can and do get malware...

Read more

Bad news from Utah: Health records breach is much, much larger than initial reports

A serious breach of health records in Utah — the largest health information breach since breach notification became required under HIPAA in 2009 — may have slipped under your radar amid the news of Anonymous’ latest DDoS attacks, the Flashback Trojan infecting 600,000 Macs and the Global Payments breach involving as many as...

Read more

Going somewhere? Please confirm your online check-in. Oops. Not so fast. New U.S. Air scam has hit your Inbox

I was bombarded with a series of sneaky phishing messages appearing to come from U.S. Airways over the last few days. What made these messages all the more dangerous was I was actually traveling on the days the messages referenced. Fortunately, I wasn’t traveling on U.S. Air, so I wasn’t overly tempted to bite on any nasty links. If I...

Read more

Today's Facebook post may be tomorrow's evidence; Cernam captures ephemeral web info for its day in court

Content posted to social media and found in other online sources is becoming more important in litigation. People are writing things in a casual, unguarded way on the Web, and, increasingly, litigators want that information to help win their cases. The problem with Web content as evidence, however, is that it can be very fluid. Something posted to...

Read more

McAfee introduces agentless virtualization AV management through VMware vShield Endpoint integration

Virtualization brings significant practical advantages to the enterprise, particularly in terms of hardware, network infrastructure and energy savings. It makes data center consolidation feasible, from a business perspective almost mandatory. Virtual desktop interface (VDI) is seeing increasing adoption, as it simplifies management, enables...

Read more

When it comes to data breaches, the words 'payment processor' set off an extra-special alarm

The Global Payments credit card breach is high profile not so much for how many card numbers were stolen — a mere 1.5 million at most according to GPN — but because the company is a payment processor, sitting in the middle of the transaction chain and on top of millions of records. Three years after the gigantic (130 million...

Read more

Global Payments breach: Understanding the role of processors in the credit card transaction chain

The Global Payments credit card data breach investigation is still in its early stages, and right now the full extent of the situation is yet to be determined. In a press conference this morning, senior executives from GPN did say that the breach is fully contained and the company has a team of security experts and law enforcement professionals on...

Read more

Online shopping is top DDoS attack target, application-layer techniques dominate, Kaspersky reports

Online shopping sites are the leading target of distributed denial of service (DDoS) attacks, according to Kaspersky Labs. An analysis posted on Securelist reports that a quarter of the attacks detected in the second half of 2011 were aimed at online shops, auctions, etc., followed by online trading (20%), online gaming (15%) and banks...

Read more

European Cybercrime Centre holds promise of coordinated effort in a war we are losing

Perhaps the best news to come out of the EU this week was not the proposed legislation to define cyber crime and set minimum sentences across the members’ national boundaries, but the European Commission announcement establishing a European Cybercrime Centre. Let’s face it, the problem really isn’t defining cyber crime. The proposed...

Read more

Adobe issues two critical Flash Player updates

There's an update for two more critical security vulnerabilities in the ubiquitous, popular and so very vulnerable Adobe Flash Player. While Adobe security updates lack the predictability of Microsoft's Patch Tuesday, they crop up with disturbing frequency. Windows users have the option of using the new background updater to automatically...

Read more

It makes sense: U.S. continues to be leading host for malware and phishing, Websense reports

The U.S. continues to lead the world in malware connections and malware hosting — a smart tactical approach for cyber criminals, according to the 2012 Websense Threat Report. The rationale, the web security company explains, is that no one is likely to block a U.S. domain because of the impact on Internet users. And it’s something of a...

Read more

Consolidated view of risk, consolidating and mining data challenge compliance programs, survey finds

Most enterprises feel they are doing a good job keeping up with new regulatory compliance requirements, but they in fact admit they face difficult challenges managing compliance, according to a survey conducted by GRC firm Lockpath. More than three-quarters of the companies said they had taken on new regulatory obligations in the past year and...

Read more

Facebook cautions employers not to ask for passwords; Better idea? Don't give them anything worth reading

Facebook is cautioning employers not to ask job applicants and even current employees for their passwords to their pages. The ubiquitous social media company raises some good points, but I’d turn it around: Don’t put anything on your Facebook page you wouldn’t want a prospective employer to see. Ever. Demand online privacy,...

Read more

FCC launches anti-bot Code of Conduct

Over the past few years, botnets have become an exceptionally egregious security issue for businesses and home computer users alike. It’s terribly difficult to know when a user’s PC has been usurped for a botnet, and it can be even harder to remove the computer from the unwanted network. By some accounts, more than 10% of U.S....

Read more

Ponemon, Verizon data breach cost, investigations reports show the way to actionable security intelligence

The Verizon Data Breach Investigations Report and Ponemon Institute Cost of Data Breach survey, which I wrote about this week, are rich with guidance and actionable information for enterprises. Let’s be clear: the value of both these annual reports is not as statistically valid samplings from which we can extrapolate broad, general...

Read more

Hacktivists have become big-time data thieves, widely use DDoS diversionary tactics, Verizon breach report shows

The sudden emergence of hacktivists as data thieves on a massive scale, revealed in this year’s Verizon Data Breach Investigations Report, is game-changing news. In 2011, hacktivists were responsible for 100 million of the 174 million records stolen in cases investigated by Verizon and participating international law enforcement agencies. By...

Read more

AlienVault bids for SIEM, MSSP U.S. market share with open source-based multi-tool platform

AlienVault is trying to make a dent in the U.S. security information and event market, leveraging the popular OSSIM open-source SIEM, upon which the company’s founders built the Unified Security Management Platform, SIEM plus several other security capabilities. AlienVault is making its pitch as a relatively low-cost alternative to high-end,...

Read more

Fighting back: Is it OK to 'Unfriend' a C & C server?

It seems that illegal computer hacking has become so commonplace these days that events only make the news when they are significant. Last week’s headline was the hacking of Syrian President Bashar Assad’s email account. The group Anonymous claims credit for the attack. On the Daily Show,  Jon Stewart remarked, “Finally! A...

Read more

Average data breach cost declines sharply, as customers remain loyal, 2012 Ponemon study shows

The annual Ponemon Institute Cost of Data Breach Study shows a drop in the average cost — direct and indirect — of a breach for the first time in the seven-year history of the study. The likely explanation? More customers are sticking by victim companies. My first instinct is not to draw any sweeping conclusions from the findings,...

Read more

A year after SecureWorks acquisition, SonicWall deal strengthens Dell position as security provider

Dell appears to be doing a nice job playing catch-up in the security market with the acquisition of firewall/UTM vendor SonicWall, following its purchase of SecureWorks, a leading MSSP, just over a year ago. Competitors IBM and HP have been actively acquiring and integrating security products and services into their portfolios, but Dell was...

Read more

Cyber crime, drug trafficking: Analogies to be drawn and lessons learned

Over more than a decade covering the information security beat, I’m repeatedly struck by the parallels between international cyber crime and the international drug trade. You can stretch the analogy thin by carrying it too far, but there are common conclusions to be drawn and lessons to be learned. Both are often cast in terms of law...

Read more

Don't depend on trust to protect data in cloud: Startup Porticor addresses key management

In one survey after another, we see that security concerns are a top inhibitor to cloud adoption. Companies want to get the flexibility and cost advantages of cloud computing, but there’s often trepidation about putting data on servers that are outside a company’s own data center. Cloud security is an issue of trust and...

Read more

Wither Anonymous after the latest arrests?

It’s impossible to predict where loosely organized, pseudo-movement hacktivism goes from here, following the arrests of five people associated with LulzSec and Anonymous and a sixth person charged in the hack of intelligence services company Stratfor. These actions follow the arrests of 25 people associated with Anonymous in an Interpol...

Read more

Is security growing up? Business intelligence is a key; Sensage extends connectors to BI tools

Enterprises “get” the value of information. They understand that they receive, generate and store staggering volumes of data, which has the potential to be leveraged as actionable intelligence. The company that does the best job of correlating and analyzing their data and putting it to work has a leg up over the competition. It can be...

Read more

Heart-stopping research: Hacking from pacemakers to autos

Technology has become so pervasive in our lives today that we are almost completely dependent on it. It makes you wonder, how easily can these technologies that control everything from pacemakers to cars be hacked? The answer to that question is surprising and even scary. Avi Rubin, professor of computer science at Johns Hopkins University and...

Read more

More than half of U.S. DDoS victims blame unscrupulous competitors, Corero survey reveals

Anonymous is not the biggest threat to launch a distributed denial-of-service (DDoS) attack against your organization. Ideologically and politically inspired (aka hacktivist) DDoS attacks have gained wide notoriety, with some justification. The victim sites are highly prominent, very public companies, government agencies and industry groups...

Read more

Embracing (or being bear-hugged by) BYOD? Learn from those who are making it work

Mobile device security sessions are drawing crowds at the RSA Conference. Unlike THE hot topic in some other years (remember when everyone was so keen on NAC?), the explosive increase in the use of smart phones and tablets, and the move to cloud services are changing the way companies do business, changing the role of IT to more of a service...

Read more

Symantec unveils first stage of cloud security initiative, broad VMware integration

The fundamental requirements of information security may not change dramatically as organizations migrate to cloud-based services, but implementing the policies and controls governing security is another matter. Symantec has unveiled the first of a three-stage cloud security initiative, the O3 Information Protection gateway, which it...

Read more

Mobile security market reflects growing urgency; McAfee release blacklists apps, segregates email accounts

Although it can be argued there’s still some FUD (fear, uncertainty and doubt) around the rise of mobile device malware, there is no doubt as McAfee releases its latest mobile device management and security software that several factors are responsible for the perceived risk around mobile devices: They have become powerful computing...

Read more

Mobile device adoption is highest-risk computing initiative; Symantec upgrades mobile security on heels of survey

Mobile device security is hot. Symantec’s new survey of 6725 organizations in 43 countries identified it as the top computing initiative risk (41%) — a greater area of concern than public cloud computing (35%). Symantec has followed up the survey with the announcement of several enhancements to its mobile device management and security...

Read more

Mobile Device Security Expert Q&A Part II: Start treating phones as computers

This is the second of a two-part Q&A on mobile device security with Kevin Johnson, a security consultant and founder of Secure Ideas. The first part dealt with mobile device security policy. As a SANS instructor, he teaches courses in Mobile Device Security, as well as penetration testing. Kevin is on the Advisory Council of the first...

Read more

Mobile Device Security Expert Q&A Part I: Where BYOD (bring your own device) policy goes wrong

This is the first of a two-part Q&A on mobile device security with Kevin Johnson, a security consultant and founder of Secure Ideas. As a SANS instructor, he teaches courses in Mobile Device Security, as well as penetration testing. Kevin is on the Advisory Council of the first Mobile Device Security Summit, to be held March 12-13 in...

Read more

Up against the wall? Automated firewall change management work flow introduced by Tufin

Firewall audit tools are maturing in their ability to meet the requirements of large, complex, enterprise environments. Tufin Technologies’ latest release of its Tufin Security Suite (TSS) addresses automation to scale and streamline the firewall provisioning process and network visualization and risk assessment to get a handle on both local...

Read more

Exploiting the exploitable: New software vulnerabilities down, but risk remains high, Secunia reports

“If the Rebels have obtained a complete technical reading of this station, it is possible, however unlikely, they might find a weakness and exploit it.” The geek in me couldn’t resist the Star Wars quote to kick off a post on software vulnerabilities and exploits. If the Empire had designed the Death Star the way most software...

Read more

A peek into the underground economy and the market for stolen credit cards

There’s a great article from Bloomberg (Stolen credit cards for $3.50 online) in which author Michael Riley explores the depths of the underground market for stolen credit card data. Reading this is enough to make you want to stuff all your money in a mattress for safe keeping. By some estimates, the underground digital economy has now...

Read more

Firewall audit tools automate the impossible; AlgoSec adds next generation firewall support

The growing firewall audit market is rapidly adjusting to the phenomenon of next generation firewalls (NGFW), which introduce the context of highly granular application and user ID controls and additional complexity to an already complex and difficult network firewall environment. AlgoSec, one of a handful of firewall audit vendors, has added...

Read more

Translating IT risk to business risk: Symantec adds Risk Manager to IT GRC suite

IT governance, risk and compliance (GRC) is a challenge to every large organization struggling with the complexity of IT policies and controls and communicating IT risk to management in terms of actual risk to the business. The IT GRC market has appeared and grown in recent years as enterprises try to manage this almost unmanageable task across...

Read more

DDoS in defense of (insert cause) is still criminal

Are hacktivists protesters or criminals? The question is not a matter of semantics; it has real bearing on how we respond, not as members of the security community, who are responsible for protecting IT information and services against attack, but as a society, particularly in the realm of criminal prosecution. My take is that...

Read more

Trusteer identifies “factory outlet sales” of stolen login credentials in the underground economy

I love factory outlet sales. Just last week I bought a brand name mattress for pennies on the dollar. Of course, I had to travel to a dingy part of town and wander through a cavernous old warehouse with mattresses stacked to the ceiling to find my great bargain. Last night I enjoyed a great night of sleep on my plush new pillow-top mattress, and...

Read more

Second half of 2011 reflects shifting trends in cyber crime business, M86 reports

The percentage of email messages containing malicious links or attachments is high, even as the volume of spam has dropped sharply in the last year, according to a report by web security company M86. The report provides some good insight into the techniques and, if you will, the shifting business trends in the cyber criminal community. Those...

Read more

Implement user security awareness training — or don't

“Users. Can’t live with them, can’t live without them.” I heard that line more than once in my stint as the non-IT guy in the IT department at a newspaper company (I liked to think of myself as the poet laureate of the IT department). None of us, neither hardcore techniks nor geekish dilettante, were thinking much about...

Read more

Does polymorphic Android malware signal escalating mobile security war?

We don’t want to overplay the rise of mobile device malware — Security Bistro bloggers have been posting on mobile security issues quite a bit. That being said, new Symantec research that reveals the use of server-side polymorphism in malicious Android applications is yet another indication cyber criminals are getting more serious...

Read more

Sharing BYOD (bring your own device) experience from the trenches

I recently wrote about the business social networking site Wisegate, which brings together high-level security and IT professionals to discuss and collaborate on their top-of-mind issues. Wisegate just released a report that summarizes what members are doing about creating and implementing mobile device management (MDM) policies for personally...

Read more

The first thing we do, is hack all the lawyers

It was 1994 and I was presenting at a conference on security and privacy on that newfangled Internet thing. As founder of an ISP (Rust.net) in the Midwest, I did a lot of such events. One of the other speakers was an attorney from the US Justice Department. He fielded a question from the audience regarding email security. His response...

Read more

VeriSign breach revelation raises questions of SSL cert, DNS compromise

Joseph Menn of Reuters reported Thursday on an attack on VeriSign in 2010. He had picked up on a brief notice in VeriSign’s 10-Q SEC quarterly report. On page 33 of this 43 page document we find: “In 2010, the Company faced several successful attacks against its corporate network in which access was gained to information on a small...

Read more

The hacktivist threat: Brazilian bank sites continue to fall victim to DDoS attacks

Distributed denial-of-service (DDoS) attacks against Brazilian financial institutions continued today, as HSBC Brazil was knocked offline, the latest victim of the hacktivist group Anonymous’ OpWeeksPayment# campaign, demonstrating again the serious concern posed by the hacktivist factor. The group took credit for taking down the Banco do...

Read more

Banking fraud malware trick helps criminals evade detection

Perpetrators of online banking fraud are using new techniques to misdirect bank verification and make discovery of fraudulent activity more difficult. Criminals are attempting to divert calls from banks to attacker numbers, using stolen information, to allow them to cover and possibly even continue to pillage accounts. The techniques have been...

Read more

PwC survey: Preparation, not prediction, is key to weathering security storm

At the beginning of every year, experts feel compelled to make predictions about the kinds of security threats we’ll see in IT in the year ahead. While predictions can be interesting, they typically are little more than an extension of recent security threat trends. As long as the trends continue, the prognosticators look pretty...

Read more

Smart phones getting out of control? SANS hosts first Mobile Device Security Summit

Mobile security and application development is new territory for a lot of companies. If your organization is struggling with how to develop and implement a set of policies for managing and securing mobile devices, especially the thorny BYOD (bring your own device) issues around employee-owned smart phones and tablets, you aren’t alone. A...

Read more

McAfee Mobile Security vets users' Droid applications

A lot of the buzz about mobile security whirls around the wild and woolly Android application market. Android smart phone app development, unlike Apple’s and Microsoft’s, is wide open. Google had to pull scores of malicious applications last year. McAfee has taken a first swipe at protecting mobile users from dangerous applications with Mobile...

Read more

Drive-by email malware alert: Plain text is just plain common sense

Just when I thought I was too smart to be fooled by malicious email, a report from German researchers made me start thinking about it again. The researchers, from the email security firm eleven, have identified drive-by download spam, which means that your computer will be infected if you simply open the message. No link or attachment to be wary...

Read more

Teaching a dead dog new tricks about stronger passwords

Some time ago I enjoyed a cartoon where a family was eulogizing their recently deceased pet. The caption was something like, “Rex, you were a good dog, and though you may be gone from this life, you will live on forever as our computer password.” The cartoon amused me, but it also made me uneasy because I realized I was guilty of...

Read more

Securing communications to reduce online fraud

The last decade has seen huge growth in the number of U.S. households that use online banking and online bill paying services. Some 72.5 million households participate in online banking, with 36.4 million using the Internet to pay bills, according to the Fiserv 2010 Consumer Billing and Payment Trends Survey. Those numbers represent an 84%...

Read more

Better secure your code: Web application attacks are on the rise

Web attacks are on the rise, up 30% in six months, according to security vendor Imperva. The second edition of Imperva's Web Application Attack Report (the first report was issued in July) identifies cross-site scripting (XSS) as the attack vector of choice (29% of the attacks reported), followed by directory traversal (DT), accounting for...

Read more

Deploy Red Team to root out excess privilege — or end up red-faced

I have been working on fleshing out the duties of an internal Red Team. Many organizations use outside firms to perform periodic attack and penetration tests. Some, like Stratfor, do not — much to their chagrin when they become the target of an attack. While outside pen testing is important, it does not address the bigger problems facing the...

Read more

Twitter acquisition of web security firm Dasient protects its growing ad business

Twitter’s acquisition of Web security company Dasient is good news for the social network giant and its millions of users, though, on the down side, it takes the security vendor off the general market. The acquisition is apparently focused on protecting Twitter’s growing advertising business, leveraging Dasient’s...

Read more

Spotting and, perhaps, stopping the malicious insider

Do you know this person? He is currently employed, between the ages of 35 and 40, holds a technical position, and has a new job offer at a competing company. He very well could be working next to you right now. And he’s someone every company should be concerned about. Who is this person? It’s the “malicious insider,”...

Read more

DDoS attacks bring down Polish government websites over support for international anti-piracy agreement

There was a new wave of distributed denial-of-service attacks in protest of anti-piracy activity over the weekend, this time targeting Polish government websites. The attacks came in advance of the Polish government’s expected signing of ACTA (Anti-Counterfeiting Trade Agreement) on Thursday. The loosely knit hacktivist group Anonymous,...

Read more

Segmenting the IT security market: What you need to know

There are only four segments to the protective IT security space. My detailed list of categories that I use to track the IT security industry has about 85 entries. But I have found it useful to think of IT security in four primary buckets. In my analysis, I focus a great deal on countering attacks so these categories leave out the products that...

Read more

From SOPA to Megaupload (What a week!): Let the legal system decide

The Megaupload takedown and arrests, and the subsequent wave of retaliatory Distributed Denial of Service (DDoS) attacks that have followed, raise some interesting points in the wake of the apparently temporary shelving of the copyright infringement piracy legislation SOPA (Stop Online Piracy Act) and PIPA (Protect IP Act) earlier in the week....

Read more

EMV – a security standard coming soon (?) to a credit card near you

In my last post, “U.S. clings to insecure magnetic stripe cards — what’s the attraction?” I talked about a security standard for credit and debit cards that is used virtually everywhere in the world except the United States. This standard, called EMV, uses a smart chip embedded in the plastic card or token to securely...

Read more

Money for nothin': Play dumb, join the online fraud network

I've been offered extra work — as a money mule. A chance to get the household budget in line and our retirement plans back on track after paying the balance on our new roof. Maybe the difference between my daughter going to her first college choice and a state school. There it was, sitting in my Inbox, an opportunity...

Read more

Top-down cyber defense is an upside-down approach

Wired’s Danger Room has reported (http://www.wired.com/dangerroom/2012/01/nsa-cant-defend/) that General Keith Alexander is throwing in the towel. In an address to the FBI-sponsored International Conference on Cyber Security he is quoted: “15,000 enclaves: You can’t see ‘em all. You cannot defend them all,”...

Read more

Compromise next for SOPA? Why not just let it die?

The Obama Administration’s statement opposing SOPA (Stop Online Piracy Act) is a little like Denver Bronco exec John Elway’s pronouncement that Tim Tebow would be the team’s starting quarterback going into training camp. In other words, “We’ll put this thing aside until we can do better.” Well, no. I...

Read more

U.S. clings to insecure magnetic stripe cards — what’s the attraction?

The next time you dine out and hand your credit card to the waiter to cover the check, think of this story. In November 2011, the Manhattan District Attorney’s Office announced that law enforcement agencies had broken up a ring of 28 people, most of them waiters, who were using handheld card skimmers to steal credit card data from customers...

Read more

Tomcat DoS vulnerability addressed

Bugtraq has released information about a vulnerability in Apache Tomcat (CVE-2012-0022 Apache Tomcat Denial of Service) that could enable an attacker to launch a denial-of-service attack by using specially crafted requests to exhaust CPU capacity. This type of attack involves a specially crafted packet or packets, possibly sent from a single attacker...

Read more

Zappos shows that big breaches are still part of the cyber crime outlook

We tend first to get blown away by data breach numbers: RECORDS OF 24 MILLION ZAPPOS.COM CUSTOMERS BREACHED. Then we sort of glaze over and shrug: <Just another big data breach.> Let’s face it, the “big” makes news, but the “big” isn’t what it’s all about. The last Verizon Data Breach...

Read more

From SSAE 16 to SAS 70 (Part II): SOC reporting and certification

In my previous post (From SAS 70 to SSAE 16, what does it mean?), I outlined the similarities and differences between SAS 70 and SSAE 16 audits. Now, I will go into more detail about the reporting options available with SSAE 16 and the additional auditing/reporting facilities the American Institute of CPAs (AICPA) has developed for the world of IT...

Read more

Mideast cyber spat ups the hacktivist ante

We have to assume that the kinds of cyber attacks taking place in the Mideast, most recently attacks against the Tel Aviv Stock Exchange, Israeli national airline El Al, and several Israeli bank websites, augur more and more ideological cyber warfare. I don’t believe that this means we’ll see a wave of government-on-government attacks...

Read more

What should we draw from AV detection rate test findings?

Testing desktop antivirus products has always been tricky, attempting to simulate in a test lab the real-world possibilities of all the types of malware and all the interesting and exciting ways it can be introduced onto a client system. Today, I think, even well-crafted tests can at best offer some basic guidance for enterprises, rather than clear...

Read more

Slow app layer DoS attacks can bring your servers down quickly

To paraphrase Alice (with apologies to Lewis Carroll and all my high school and college English teachers), denial-of-service attacks are getting “insidiouser and insidiouser.” The latest proof-of-concept “slow” application layer DoS attack is yet another demonstration that attackers don’t need huge botnet armies...

Read more

Feeling isolated? Wisegate social network connects senior-level security professionals

Sara Gates, founder of the social networking service Wisegate, is creating an invitation-only private community of security and IT professionals. Gates believes that senior executives, such as CIOs and CISOs, need other people at their peer level to share war stories and get firsthand feedback on what works and...

Read more

Bad business: LinkedIn criminals get connected

We have been down this road before. A popular interactive service passes over a peak on its way to universality and the spammers pile on. Sometimes the service fails — remember network news? Sometimes it recovers — think email. Sometimes, there is a constant battle to keep spam down, as in SMS spam in Japan. LinkedIn is a target...

Read more

RIM's 'long, slow death spiral' is bad news for security

It’s ironic that Research in Motion (RIM), makers of the BlackBerry smartphone and its impressive supporting enterprise architecture, is apparently circling the drain at a time that mobile phone security is moving to the forefront. Until really quite recently, even in IT years (which are like dog years) “Blackberry” and...

Read more

Microsoft patches tame the SSL Beast

Microsoft's January security updates, released today (Patch Tuesday), are mainly a collection of fixes designed to stop the "SSL Beast" attack, which could exploit a weakness in the web encryption protocol to launch man-in-the-middle attacks to decrypt authentication tokens. The attack was demonstrated by two researchers in...

Read more

DigiNotar breach – 2011’s most important attack

DigiNotar was the most important security event of 2011, with profound implications for 2012 and beyond. I know that may be an overly dramatic statement in a year that saw the RSA hack, the Sony PlayStation Network DDoS and breach, and the rise and fall of LulzSec. But those other events were mere escalations of existing threat levels. The RSA...

Read more

Firewall managers lack confidence in their security posture

The majority of firewall managers are concerned their change management practices put their companies at risk, according to a recent survey. How does this happen? Firewalls are generally considered the first line of defense for most networks. A firewall is the first decision point that uses a set of rules to determine whether or not outside...

Read more

From SAS 70 to SSAE 16 (Part I): What does it mean?

(This is the first of two reports on SSAE 16, which replaces SAS 70 as the audit standard for service providers.) I’m an old IT audit guy. I spent over a dozen years digging into enterprise data centers and business processes to find the weaknesses in controls and pointing out vulnerabilities so my clients could mitigate the risks before...

Read more

Is 2012 finally THE YEAR of mobile security threats?

I’m conditioned to ignore the torrent of annual New Year’s information security predictions, most of which are blatantly self-serving vendor pitches (an encryption vendor predicting a rise in big data breaches, an AV company wringing hands over the explosive growth and increased sophistication of malware, yadda, yadda). Year-of themes...

Read more