Cyber Weaknesses Should Deter US from Waging War
America’s critical computer networks are so vulnerable to attack that it should deter U.S. leaders from going to war with other nations, a former top U.S. cybersecurity official said Monday. Richard Clarke, a top adviser to three presidents, joined a number of U.S. military and civilian experts in offering a dire assessment of America’s cybersecurity at a conference, saying the country simply can’t protect its critical networks. Clarke said if he was advising the president he would warn against attacking other countries because so many of them — including China, North Korea, Iran and Russia — could retaliate by launching devastating cyberattacks that could destroy power grids, banking networks or transportation systems. Read the full AP story here.

Hackers Hijack Millions of Computers in ‘Massive’ Fraud Case
The U.S. charged seven people with a “massive” computer intrusion scheme that used malicious software to manipulate online advertising, diverted users to rogue servers and infected more than 4 million computers in more than 100 countries. One Russian and six Estonians were charged with wire fraud and conspiracy in a 27-count indictment unsealed today by Manhattan U.S. Attorney Preet Bharara. The cyber-hijacking victims included at least a half million individuals, businesses in the U.S. and government agencies, including the National Aeronautics and Space Administration, Bharara said. Read the full Bloomberg News story here.

Hackers May Have Spent Years Crafting Duqu
The hacker group behind Duqu may have been working on its attack code for more than four years, new analysis of the Trojan revealed Friday. Moscow-based Kaspersky Lab published some findings today from a recent rooting through Duqu samples provided by researchers in the Sudan, saying that one driver included with the attack payload was compiled in August 2007, extending the timeline of the gang’s work. “We can’t be 100% sure [of that date], but all the compiled dates of other files seem to match to attacks,” said Roel Schouwenberg, a senior researcher with Kaspersky, in an interview today. “So we’re leaning towards that date as correct.” Read the full Computerworld story here.

Steam Web Sites Hacked, Gamer Data Exposed
Hackers broke into a database with customer information at the Steam online gaming site, accessed user forum accounts and defaced a forum site, the company said. “Our Steam forums were defaced on the evening of Sunday, November 6. We began investigating and found that the intrusion goes beyond the Steam forums,” Gabe Newell, co-founder of Steam developer Valve Corp., said in a statement posted to the Steam site. “We learned that intruders obtained access to a Steam database in addition to the forums,” he added. “This database contained information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information.” Read the full CNET article here.

Breach Exposes Data at Virginia Commonwealth University
Virginia Commonwealth University will hire an outside cybersecurity consultant to examine its information technology system after a computer server containing personal data on 176,567 people was hacked last month. The university has “very good forensic evidence” that the information was not accessed or targeted for identity theft, said Mark D. Willis, VCU’s chief information officer. “But you can never be 100 percent certain.” Read the full Richmond Times Dispatch article here.

Senators Hold Hearing on Protections Against Health Data Breaches
Electronic medical records, which the Obama administration would like to see widely used, are rarely encrypted so a data breach could be triggered by the simple theft of a laptop or misplaced thumb drive, a privacy expert told lawmakers last week. Regulations require healthcare providers to report data breaches unless the data lost had been encrypted. Read the full Reuters story here.

Data Security: Breaches Can Result in Huge Costs
This year, Marks and Spencer had to contact its customers, warning them their email addresses had been stolen, after Epsilon, a US-based email marketing supplier, was attacked by computer hackers. The incident laid bare risks to businesses ranging from retailers to banks when they hold customer data. According to Paul Bantick, a senior underwriter in insurer Beazley’s technology, media and business services team, retailers are among the most exposed to this type of risk. Read the full Financial Times article here.

Bill to Plug Data Breaches Still Stalled
Months of staff work and multiple headline-making data breaches later, the Senate Commerce Committee is still at the drawing board on data security legislation. Committee Chairman Jay Rockefeller (D-W.Va.) and Sen. Mark Pryor (D-Ark.) have been unable to forge consensus on a bill much discussed in tech circles that would force companies to bolster their data security practices and notify consumers whose information has been stolen. Read the full Politico story here.

For those of us who cover cyber security issues on a regular basis, October is a pretty special month.  The National Cyber Security Alliance (NCSA) is hosting the 8th annual National Cyber Security Awareness Month to be held throughout the month of  October.   In case you weren’t ware of it, National Cyber Security Awareness Month is a coordinated national effort focusing on the need for improved online safety and security for all Americans. This year’s theme, “Our Shared Responsibility,” emphasizes that everyone has a role in securing their part of cyberspace, including the myriad of devices, such as smart phones and tablets, and the networks they use.

NCSA, along with the U.S. Department of Homeland Security and the Multi-State Information Sharing and Analysis Center, are the key sponsors National Cyber Security Awareness Month every October since its founding in 2003. Together, these three organizations strive to empower consumers, schools, businesses and government agencies to stay safe online, devoting the full month of October to public awareness and education.

The month-long calendar features a diverse array of NCSA sponsored flagship events as well as other events throughout the nation, beginning October 7th in Ypsilanti, Michigan with Governor Rick Snyder, leaders from the U.S. Department of Homeland Security and other officials. This official launch event for the month will take place during the Michigan Cyber Summit and will draw highly regarded cyber security experts from around the world. NCSA will also share findings from its annual national survey on the state of security and online safety.

Click here to learn more about National Cyber Security Awareness Month, and stay tuned for more podcasts and updates.

Sega Reveals Data breach Affecting 1.3 Million Users
Sega says personal data from 1.3 million members of its online network were swiped in a breach, Reuters reports. Although the video game publisher says credit card data is safe, information such as names, birthdates, e-mail addresses and encrypted passwords were compromised. The online network Sega Pass has been shut down to bolster security. “We are deeply sorry for causing trouble to our customers. We want to work on strengthening security,” said Yoko Nagasawa, a Sega spokeswoman, in the Reuters report. Check out the full USA Today story here.

Lulzsec and Anonymous Declare Open War Against All Governments and Fat Cats
Lulzsec and Anonymous have just declared full open war against all governments, banks and big corporations in the world. They are calling all hackers in the world to unite. Their objective is to fully expose all corruption and dark secrets: Salutations Lulz Lizards…As we’re aware, the government and whitehat security terrorists across the world continue to dominate and control our Internet ocean. Sitting pretty on cargo bays full of corrupt booty, they think it’s acceptable to condition and enslave all vessels in sight. Our Lulz Lizard battle fleet is now declaring immediate and unremitting war on the freedom-snatching moderators of 2011. Wow. Check out the full Gizmodo post here.

In Sony’s 20th Breach In Two Months, Hackers Claim 177,000 Sony Emails Compromised
Sony’s unprecedented spree of security breaches in the last two months may be finally cooling off, as profit- and attention-seeking hackers move on to other vulnerable targets. But it’s not quite over yet. Over the weekend the Lebanese hacker Idahc announced that he had gained access to 177,000 emails through a SQL injection vulnerability on Sony Pictures’ French website. Read the full Forbes.com story here.

Password Security Remains the Weakest Link Even After Big Data Breaches
Organizations should be implementing several measures to prevent cyber-attackers from stealing sensitive, confidential data. Despite repeated reminders to select strong passwords and not to reuse them across Websites and services, online users continue to be frighteningly lax in their password security, according to a recent analysis of leaked passwords. Security experts recommend taking a multilayered approach to security. Instead of relying on a single point of failure, organizations should be implementing several mechanisms to make it harder for cyber-attackers to steal sensitive, confidential data, said Mike Yaffe, government security strategist at Core Security. Read the full eWeek story here.

Netflix Outage Not Caused by Hackers
Netflix, the Web’s top video rental service but one with a history of suffering outages, saw another multihour blackout last night. The site seems to have gone down for about three or four hours last night, according to reports from those posting to Twitter. Netflix is traditionally tight-lipped about the causes of its malfunctions and this time is no exception. “Good morning,” wrote Steve Swasey, Netflix’s spokesman. “It was a technical issue that we fixed.”The good news is that Netflix wasn’t taken out by marauding hackers. Sony, Sega, and a number of other business and government sites have been hit by hackers in a high-profile spate of cyberattacks this spring, and some in the blogosphere speculated that Netflix may have succumbed to a similar attack. Read the full CNET story here.

Free App Protects Facebook Accounts from Hackers
Two University of California, Riverside graduate students and a company run by an alumnus of the school have partnered to develop a free Facebook application that detects spam and malware posted on users’ walls and news feeds. Md Sazzadur Rahman and Ting-Kai Huang, both Ph.D. students in computer science at the Bourns College of Engineering, created MyPageKeeper.org to provide real-time protection from viruses and phishing and spam campaigns for the 700 million users of Facebook. Read the full UCR Newsroom story here.

String of Cyber Attacks Threat to U.S. Security?
Japanese video game developer Sega announced Sunday that hackers broke into its database and stole the personal information of more than one million customers. The breach, CBS News Correspondent Elaine Quijano reports, is just the latest in a string of cyber-attacks on corporations, government contractors, and even the CIA. Last week, computer hackers forced a shutdown of the CIA’s public website for more than two hours. It claims no sensitive information was at risk, but Internet security experts say it was still a huge embarrassment for the for the government’s top spy agency. Read the full CBS News story here.

Ari Schwartz, an Internet policy adviser at the Commerce Department, had this to say to Bloomberg News:  “The goal is to focus more cybersecurity attention for the non-critical infrastructure.  This is a space where we’re saying regulation isn’t needed, but that doesn’t mean these companies are absolved from taking action on cybersecurity.”

As the Bloomberg article noted, the plan is part of a broader effort by President Obama to fight cybercrime.  Last month, the administration sent an outline for cybersecurity legislation to House and Senate lawmakers recommending tighter oversight of critical infrastructure, including financial networks and power grids. The Commerce plan aims to take this to the next level by focusing on businesses that do not qualify as critical infrastructure.  These include  online retailers and social- networking sites.

Here’s what Commerce Secretary Gary Locke had to say in a prepared statement:  “Our economy depends on the ability of companies to provide trusted, secure services online.  By increasing the adoption of standards and best practices, we are working with the private sector to promote innovation and business growth, while at the same time better protecting companies and consumers from hackers and cyber theft.”

Mr. Locke is correct.  Consumers need to trust that the services they pay for online are secure.  Though this trust is eroding at a lightening fast pace.  And, the season of the data breach, unlike the hurricane season, will most likely not end anytime soon.

Defendant in Fraud, Identity-Theft Ring in N.Y., N.J. is Sentenced to Probation
A woman who was a minor player in a major identity theft and fraud ring has been sentenced to probation. Song-Ja Park is among 53 defendants in a case federal authorities say stretched from Korean communities in New York and New Jersey to U.S. territories in the Pacific. Park pleaded guilty to conspiracy and fraud charges and volunteered to return to her native Korea. She was sentenced last week in federal court in Newark. Read the full NJ.com story here.

Companies Pick and Choose Which Data Breaches to Report
One in 7 information technology companies have not reported data breaches or losses to outside government agencies, authorities or stockholders. In addition, only 3 out of 10 said they report all data breaches and losses suffered related to intellectual property, while 1 in 10 organizations will only report data breaches and losses that they are legally obliged to report, and no more. Six in 10 said they currently “pick and choose” the breaches and losses of sensitive data they decide to report, “depending on how they feel about them. Those were some of the key findings from a McAfee and Science Applications International Corp. (SAIC) survey that queried 1,000 technology managers in the U.S., United Kingdom, Japan, China, India, Brazil and the Middle East on questions about intellectual property and security. Read the full Network World story here.

DOD Revises Cyber Budget Upward By $1 Billion
Protecting the nation’s security networks from cyber bandits and hackers will cost $1 billion more than the Defense Department previously thought, bringing the total to $3.2 billion, writes Aliya Sternstein in Nextgov. The first request, announced in mid-February, included funding for department information assurance programs such as public-key infrastructure, digital certificates and projects such as the Comprehensive National Cybersecurity Initiative. Read the full Washington Technology story here.

DHS Seeks Cybersecurity Interns
For cybersecurity students who are attending or have just completed college and graduate school, the Department of Homeland Security has launched its first cybersecurity internship programs, aimed at hiring qualified IT security professionals. “We are looking to build a cybersecurity workforce from the ground up, rather than hire those already trained,” says Nicole Dean, Deputy Director of the National Cyber Security Division at DHS. “We are looking to hire the best and the brightest and provide them the opportunity to grow professionally.” Read the full GovInfoSecurity.com story here.

Cyber Attacks on Fed Networks up 40 Percent
Cyber attacks against the federal government increased almost 40 percent last year, according to government data. Federal agencies suffered 41,776 cyber attacks in 2010, up from 30,000 the previous year, according to the Department of Homeland Security’s U.S. Computer Emergency Readiness Team (US-CERT), which is tasked with defending the dot-gov domain and sharing information with industry and local governments. The data is included in an annual report on federal cybersecurity efforts by the Office of Management Budget. Of the attacks reported last year, 12,864 — or 31 percent — were classified as malicious code. Another 11,336 (27 percent) are under investigation or labeled as “other.” Unauthorized access, denial of service, improper usage and scans probes and attempted access made up the remaining incidents. Read the full Federal Times article here.

Law Protects Hackers’ Ability To Screen DUI Checkpoints
Want to avoid DUI checkpoints? There are apps for that. And while lawmakers called on smart phone companies last week to ban the programs that could enable drunk drivers to steer clear of police traps, legal experts say the law protects hackers who install unapproved software onto their phones. So far Research in Motion, the company that makes Blackberry, is the only company that has complied with the request from four Democratic Senators. But even if companies were to ban all DUI dodging apps from their online store, customers would still have a legal right to bypass security software independently. Read the full ABC News story here.

The notorious hacker group that goes by name ‘Anonymous’ is certainly winning the PR war. Everywhere you turn, there is a story about the group battling Visa, HBGary, the jailers of Private Bradley Manning and even good old corporate America. Well, now the group is going for the big time by declaring a ‘cyber war’ against the U.S. government.

Here’s what the group’s founder had to say according to this Fox News story:

“It’s a guerrila cyberwar — that’s what I call it,” Barret Brown, 29, said in an interview with MSNBC Tuesday. Brown, a college dropout, claims to be a senior strategist and “propagandist” for the hacker group, which calls itself “Anonymous.” He considers this new “war” a reactionary response: “It’s sort of an unconventional asymmetrical act of warfare that we’re involved in, and we didn’t necessarily start it. I mean, this fire has been burning.”

Check out this MSNBC inteview with Barrett Brown:

Visit msnbc.com for breaking news, world news, and news about the economy

What do you think? is Anonymous a group of hacker vigilantes?

Welcome to the Monday Morning News Kick Off post from the ITAC blog. As our dedicated readers know, today officially kicks off RSA 2011. And after about four weeks of running our “Countdown to RSA” podcast series, we are very excited that the most significant event in cybersecurity is finally happening. So, we have dedicated this week’s Monday post to all RSA 2011 news happening. Think of the ITAC blog as your “one-stop destination” for all things RSA.

RSA Conference 2011 Opens Today in San Francisco
Information security professionals and business leaders from around the world convened today for the opening of the annual RSA Conference being held at San Francisco’s Moscone Center. Taking place February 14-18, RSA Conference 2011 proudly brings together the information security industry’s best and brightest, providing unparalleled educational opportunities and insight into the most important issues. Through interactions with peers, industry luminaries and emerging and established companies, RSA Conference is the place for security experts to gather for a discussion on current and emerging threats. Read the full RSA press release here.

Deputy Secretary of Defense William Lynn to Speak at Pentagon RSA Conference 2011
RSA Conference, an information security conferences and expositions, has announced that Deputy Secretary of Defense William J. Lynn III will present the keynote “Defending a New Domain: The Pentagon’s Cyber Strategy” on Feb. 15 at RSA Conference 2011 in San Francisco, CA. The RSA Conference noted that Deputy Secretary Lynn’s address will close the keynote sessions, following an exciting series of presentations that include Art Coviello, President, RSA, The Security Division of EMC, and Executive VP, EMC Corp.; Enrique Salem, President & CEO Symantec Corp.; and, the annual Cryptographers’ panel featuring leaders in cryptography including Ronald Rivest, Viterbi Professor of Electrical Engineering and Computer Science, MIT, and Adi Shamir, Professor, Computer Science Department, Weizmann Institute of Science, Israel. Read the full press release here.

Unresolved Security Issues On RSA 2011 Agenda
This year’s RSA security conference suggests that IT vendors are still struggling to find solutions to problems that were highlighted in RSA 2010. The RSA 2011 conference, which is taking place this week in San Francisco, brings together enterprise IT experts and software vendors on a single platform to discuss the latest problems plaguing the industry and their possible solutions. However, according to V3, the schedule for RSA 2011 has striking similarities to last year’s conference, indicating that most of the problems voiced during RSA 2010 remain unsolved. Cloud computing was one of the main focus points for RSA 2010. Enterprises are still hesitant about hosting their sensitive company data along with private customer information on servers that are usually located outside the country they are operating in. Read the full IT Portal post here.

A Personal Preview of RSA
For those interested in government IT security, there’s no shortage of fare on the menu at RSA 2011, the information security conference being held in San Francisco this week. Personally, the highlight of the conference will be on Thursday, when GovInfoSecurity.com unveils the findings from the premiere Government Information Security Today survey, our poll of those in local, state and federal governments charged with safeguarding IT. I’ll be joined by David Matthews, deputy chief information security officer for the city of Seattle, who will add his interpretation to the results. I’m pleased that David’s joining me in this presentation because part of our survey addresses secure cloud computing, and he’s a recognized expert in the use of cloud computing in government. Read Eric Chabrow’s full GovInfoSecurity post here.

RSA 2011 Shows Familiar Problems Elude Solutions
This week the security world descends on San Francisco for the annual RSA conference. Arguably the biggest show of the year for enterprise IT, the conference brings vendors from all over the world to discuss the latest developments in the security space and the best methods for dealing with emerging threats and new challenges. In theory, the topics at RSA are always evolving. New challenges are met and every year new breakthroughs are made to deal with the problems of the previous year. Issues are addressed and new challenges arise in their place. This year, however, the rhetoric at RSA may sound awfully familiar. Read the full V3 post here.

RSA Conference Adds Focus on Cloud Computing Security
The buzzword for this year’s RSA Conference—cloud. The conference, which will run from Feb. 14 to Feb. 18 at the Moscone Center in San Francisco, has an entire track focused on cloud security. It is one of 17 class tracks available at this year’s conference, which typically draws a large crowd of vendors, researchers and security pros to the city. “Security is a rapidly evolving industry, and we’ve made some substantive changes to the tracks this year to help attendees get to the information they need,” said Hugh Thompson, RSA Conference program committee chair and advisory board member. “Cloud Security is a new track, and here you’ll find some of the best practitioners in the industry sharing information about operational cloud security, and how to manage identity, privacy and data security in the cloud.” Read the full eWeek article here.

Welcome to the ongoing “Countdown to RSA” podcast series hosted by the ITAC blog. Today, we are speaking with Robert Shiflet, the Fraud Executive of the Consumer Card and Small Business Operations Group at Bank of America. Robert is also the Chairman of the Board of ITAC. Robert is participating in an RSA panel called Security, Fraud Mitigation and Customer Retention: Three Bankers Compare Notes.

If you are a high-profile person, you may want to change your Facebook password on a regular basis?  Why?  Well, a hacker recently took over French President Nicolas Sarkozy’s Facebook account and posted a fake announcement that he was abandoning plans to run for re-election.   And, now the wunderkind of the Internet, Mr. Mark Zuckerberg, just had has personal Facebook account hacked.

An unknown person who posted a status update suggesting that the site should let people invest in it rather than going to the banks.  Here’s the actual messge from the hacker:

“Let the hacking begin: If facebook needs money, instead of going to the banks, why doesn’t Facebook let its users invest in Facebook in a social way? Why not transform Facebook into a ’social business’ the way Nobel Prize winner Muhammad Yunus described it? What do you think? #hackercup2011.”

Invest in Facebook in a social way?  Hmmm…not a bad idea actually. And, this person is suggesting that we cut out the middle-man: banks.  What this is really all about is irony.  Mr. Zuckerberg has made a vast amount of wealth off of pilfering our private data for profit.  It is the core of Facebook’s business model.  What we say and post on Facebook provides deep insights into what motivates us — and is perfect information for advertisers (note the irony)!

So, Mr. Zuckerberg just experienced a breach of his privacy on Facebook.   Although it was not advertisers watching his every move who violated his privacy, it was a hacker offering an interesting investment idea.