  • Pennsylvania cybersecurity group takes down international criminal network

    Over the past month, a coalition of cybersecurity forces in Pittsburgh, Pennsylvania, made up of regional FBI officers and members of Carnegie Mellon University’s CERT cyberteam, took down the Gameover Zeus cyber theft network, which had employed data ransom and theft schemes. The criminal group was able to snatch funds of up to seven figures from owners’ bank accounts.

  • Six more bugs found in popular OpenSSL security tool

    OpenSSL is a security tool that provides facilities to other computer programs to communicate securely over the public Internet. OpenSSL is also used in some common consumer applications, such as software in Google’s Android smartphones. So when the Heartbleed vulnerability in OpenSSL was discovered and widely publicized in April this year, system administrators had to rush to update their systems to protect against it. Computer system administrators around the world are groaning again as six new security problems have been found in the OpenSSL security library.

  • Squiggly lines may be the future of password security

    As more people use smart phones or tablets to pay bills, make purchases, store personal information, and even control access to their houses, the need for robust password security has become more critical than ever. A new study shows that free-form gestures — sweeping fingers in shapes across the screen of a smart phone or tablet — can be used to unlock phones and grant access to apps. These gestures are less likely than traditional typed passwords or newer “connect-the-dots” grid exercises to be observed and reproduced by “shoulder surfers” who spy on users to gain unauthorized access.

  • Adm. Michael Rogers: Businesses must “own” cybersecurity threats

    Cybersecurity threats are a vital issue for the nation, and like the Defense Department, businesses must own the problem to successfully carry out their missions, DOD’s top cybersecurity expert told a forum of businesspeople.

  • Researchers crack supposedly impregnable encryption algorithm in two hours

    Without cryptography, no one would dare to type their credit card number on the Internet. Security systems developed to protect the privacy of communication between seller and buyer are prime targets for hackers of all kinds, which makes it necessary for encryption algorithms to be strengthened regularly. A protocol based on “discrete logarithms,” deemed one of the candidates for the Internet’s future security systems, was decrypted by École polytechnique fédérale de Lausanne (EPFL) researchers. Allegedly tamper-proof, it could only stand up to the school machines’ decryption attempts for two hours.

  • States lack expertise, staff to deal with cyberthreats to utilities

    The vulnerability of national electric grids to cyberattacks has caught the attention of federal utility regulators and industry safety groups, but state commissions tasked with regulating local distribution utilities are slow to respond to emerging cybersecurity risks. The annual membership directory of state utility regulators lists hundreds of key staff members of state commissions throughout the country, but not a single staff position had “cybersecurity” in the title.

  • Attackers exploited Microsoft security hole before company’s announcement

    Before Microsoft alerted its customers of a security flaw in Windows XP over a week ago, a group of advanced hackers had already discovered and used the vulnerability against targeted financial, energy, and defense companies.

  • FBI warns healthcare providers about cybersecurity

    The FBI has issued a private industry notification (PIN), warning healthcare providers that their cybersecurity networks are not sufficiently secure compared to the networks of the financial and retail sectors, making healthcare systems even more vulnerable to attacks by hackers seeking Americans’ personal medical records and health insurance data. Healthcare data are as valuable on the black market as credit card numbers because the data contain information that can be used to access bank accounts or obtain prescriptions for controlled substances.

  • Sandia offers free classes to high school students at the Lab’s Cyber Technologies Academy

    In the rapidly changing world of cybersecurity, who better to learn from than the professionals who live in that world every day? High school students are getting just that opportunity through Sandia National Laboratories’ Cyber Technologies Academy, free classes for high school students interested in computer science and cybersecurity.

  • Russia may launch crippling cyberattacks on U.S. in retaliation for Ukraine sanctions

    U.S. officials and security experts are warning that Russian hackers may attack the computer networks of U.S. banks and critical infrastructure firms in retaliation for new sanctions by the Obama administration, imposed in response to Russia’s actions in Ukraine. Cybersecurity specialists consider Russian hackers among the best at infiltrating networks and some say that they have already inserted malicious software on computer systems in the United States.

  • Innovative U.S. cybersecurity initiative to address cyberthreats

    Cyberattacks on computer networks around the world reached 1.7 billion in 2013, up from 1.6 billion in 2012. The administration’s 2012 Enhanced Cybersecurity Services (ECS) program, launched to protect the private sector from hackers by letting approved companies access classified information on cyber threats and sell cybersecurity services to critical infrastructure targets, is still in its early stages fourteen months after its launch.

  • Heartbleed bug: insider trading may have taken place as shares slid ahead of breaking story

    Here is a puzzle for you. Why did shares in Yahoo! slide by nearly 10 percent in the days before Heartbleed was announced and then recover after the main news items broke? It has long been the case that security vulnerabilities can have a negative effect on the public’s perception of tech companies and the value of their stock. All chief executives need to understand this and take action to reduce the exposure and associated risks. The evidence suggests that in the Heartbleed case, there could have been some insider trading taking place in the days before the story became big news. In theory the companies should have announced the problem to the stock market as soon as they became aware, but this series of events probably illustrates the limits of the duty on companies to disclose: when matters of national security are at stake, the rules may not be so rigorously applied.

  • SEC to examine robustness of Wall Street’s cyber defenses

    The Securities and Exchange Commission (SEC) announced plans last week to inspect the cyber defenses of fifty Wall Street investment advisers, brokers, and dealers to determine whether the financial sector is prepared for pinpointed cyberattacks. This is the first time cybersecurity has made the list of the SEC’s annual investigations.

  • Businesses looking to bolster cybersecurity

    Since the recent data breaches at retailers Target and Neiman Marcus, in which hackers stole millions of customers’ credit and debit card information, consumers have been urging card providers to offer more secure payment processing. Legislators have introduced the Data Security Act of 2014 to establish uniform requirements for businesses to protect and secure consumers’ electronic data. The bill would replace the many different, and often conflicting, state laws that govern data security and notification standards in the event of a data breach.

  • How the Heartbleed bug reveals a flaw in online security

    The Heartbleed bug – which affects an extremely widespread piece of software called OpenSSL — has potentially exposed the personal and financial data of millions of people stored online, and it has also exposed a hole in the way some security software is developed and used. The Heartbleed bug represents a massive failure of risk analysis. OpenSSL’s design prioritizes performance over security, which probably no longer makes sense. But the bigger failure in risk analysis lies with the organizations which use OpenSSL and other software like it. A huge array of businesses, including very large IT businesses with the resources to act, did not take any steps in advance to mitigate the losses. They could have chosen to fund a replacement using more secure technologies, and they could have chosen to fund better auditing and testing of OpenSSL so that bugs such as this are caught before deployment. They did neither, so they — and now we — wear the consequences, which likely far exceed the costs of mitigation.