SCADA, a network-enabled setup for controlling infrastructure, is hitting the headlines in force for falling victim to cyber scammers. There have been several incidents of unauthorized access to Supervisory Control and Data Acquisition (SCADA) systems recently, from guessing simple passwords, to full-on spear phishing attacks against a hardware vendor, which were then used to access
Well, okay, if you happen to be an extremely fast reader. The Association of Anti Virus Asia Researcher’s (AVAR) 14th AVAR Conference just wrapped up in Hong Kong on Friday. This year, the focus was on security issues in and around the emerging Asian security market, and how to rise to the challenge. As one
David Harley is taking part in the keynote session (11.00-12.00 EST) on "APT: Real Threat or Just Hype" at US Infosecurity's Virtual Conference on November 8th.
Citing weaknesses in security controls at 24 major agencies, a new report by the U.S. Government Accountability Office (GAO) charts the stellar rise in incidents, and tries to highlight what went wrong. Just today my colleague Stephen Cobb also posted a government-related incident in the health care sector. The timeframe of the study, starting in
Since 2010 that is, following a law enacted in 2007 that requires all companies doing business in Massachusetts to inform consumers and state regulators about security breaches that might result in identity theft. Attorney General Martha Coakley’s office released the information, including a breakdown of the data. It seems her office received 1,166 data breach
Is that possible? Well, a researcher with Identity Finder, Aaron Titus, believes so, since he says he managed to use internet searches to unearth a trove of unsecured private health records on a website, around 300,000 of them. He notified the company, Southern California Medical-Legal Consultants, which represents doctors and hospitals seeking payment from patients
This is an impressive looking certificate isn’t it? You might think it means something significant, but then you might be wrong. How hard is it to pass the Internet and Child Safety Advocate certification test? Ask Hanna, a 9 year old (10 this weekend) girl who I met with her father at a local coffee
Facebook recently launched a facial recognition feature that allows you and others to “tag” photos with your name. As has been the norm for Facebook, this “feature” is turned on by default and users must take their own initiative to limit, or turn it off. The implications are wide-ranging, so if you or anyone in
Or so the current legislation being proposed in a U.S. House of Representative subcommittee would like it. A hearing scheduled for today at the House Energy and Commerce Committee’s Commerce, Manufacturing, and Trade Subcommittee centered around draft legislation proposed by Rep. Mary Bono Mack (R-Calif.) hoping to accomplish a security baseline companies must adhere to,
Security companies in general and, unfortunately, anti-malware companies in particular, are often accused of ‘hyping’ threats because of a perceived self-interest. However, in the main, legitimate vendors and researchers like those at ESET typically try to resist overhyping or playing up threats where possible, in favor of more balanced discussion that can help customers take
You don't need more advice from me on avoiding phishing following the Epsilon fiasco: Randy, among others has posted plenty of sound advice, and I put some links to relevant articles here, though I don't know of anyone who's published a list of the whole 2,500 or so companies that are apparently Epsilon's customers, though comment threads
My latest blog for SC Magazine's Cybercrime Corner looked at the recent APT (Advanced Persistent Threat) attack on RSA, in the light of Uri Rivner's blog on the implementation of the attack. Unfortunately, the exact nature of the target and damage remains somewhat obscure, so while I certainly consider Rivner's blog worth reading, I also found myself
Surprised to find annual cybercrime damage spread somewhere between 300 million and 54 BILLION? So is the Director of National Intelligence. Today Brian Krebs of the Washington Post and Krebsonsecurity.com detailed a strong push for mandatory disclosure of cyber intrusion to include account hijacking and online identity theft.
For the Best Local/Community Plan, Securing Our eCity San Diego and MyMainePrivacy were both selected as winners. Both proposals offered innovated strategies for grassroots collaborative approaches with state and local government, public and private sector, and the academic community through their online classroom style trainings. The National Cybersecurity Awareness Challenge, which Secretary Napolitano announced in
I’m not always in alignment with Jeffrey Carr’s point of view but in this he is spot on. Succinct and to the point, Jeffrey Carr addresses cybercrime, cyberwarfare rules of engagement and forecasts the United States’ rapid decline: Should these trends continue unabated, we will have no one to blame but ourselves as the economical
Forbes contributor Richard Stennion doesn’t like the Cybersecurity Act of 2010 very much. We know it around here as S. 773 and have been tracking it for some time. Mr. Stennion and I disagree on some key points. He says that S. 773: “…contains some pretty drastic measures that are going to be very disruptive,
While the jury’s still out about whether the intent of the past month’s mass webserver breaches are fully criminal, Dancho reports new developments which also link Koobface activity into this command and control structure: Yet another mass sites compromise is currently taking place, this time targeting DreamHost customers, courtesy of the same gang behind the U.S Treasury/GoDaddy/NetworkSolutions mass compromise campaigns.
This week there have been several major malware injection campaigns against WordPress blogs and other php-based content management systems. This malware injection battle began last week with Network Solutions and GoDaddy. Recently researcher Dancho Danchev has found evidence linking two US Treasury sites into the malware injection campaign: What's particularly interesting about this campaign is
Got a kick out of this Verizon Business Risk Intelligence post: “Problem-makers and Solution-makers should no more have the same label as terrorists and engineers. Sure, they both interact with explosives in their daily business but they put their skills to vastly different uses. Is there a reason we must continue to label people by
it’s anyone’s guess whether 24’s Jack Bauer would win in a faceoff against the new FBI Cyber Crimes Top Cop, Gordon Snow. Give this guy the data from the malware and he’s sharp enough to take the information and form a counterintelligence strategy and also reach into the black bag for which snake-eating team he
