Cybersecurity Update, 20.12.2013.


High security risk found after launch

A top security officer told Congress there have been two, serious high-risk findings since the website’s launch, including one on Monday of this week, CBS News has learned.

Teresa Fryer, the chief information security officer for the Centers for Medicare and Medicaid Services (CMS), revealed the findings when she was interviewed Tuesday behind closed doors by House Oversight Committee officials. The security risks were not previously disclosed to members of Congress or the public. Obama administration officials have firmly insisted there’s no reason for any concern regarding the website’s security.

Privacy appendix of draft NIST cybersecurity framework under fire

Some major Internet companies say the proposed privacy approach of the cybersecurity framework under development by the National Institute of Standards and Technology would be potentially burdensome, something that could discourage organizations from adopting it.

NIST is due to release a final draft of the framework in February, 12 months after President Obama called for its creation in executive order 13636.

Federal Prison System, Cybersecurity Pose Top Challenges for Justice Department

This increase of funding for federal prisons could result in less money being available for other department priorities that were identified as top challenges by the Inspector General’s report, including cybersecurity as Internet access across the globe continues to increase.

The Director of National Intelligence’s March 2013 “Worldwide Threat Assessment of the U.S. Intelligence Community” emphasized the cybersecurity threat and the increased pace of attacks, with the Government Accountability Office reporting that federal agencies reported an average of more than 130 incidents per day during 2012. DOJ recognized this top challenge prior to the Inspector General’s report and made it a priority by requesting $668 million specifically for cybersecurity in 2014, an increase of 16 percent from 2013.

(ISC)² Issues Federal Cybersecurity Recommendations

(ISC)² has issued a series of recommendations for the US government to consider in order to more effectively solve the cybersecurity workforce skills gap challenge.

The recommendations were delivered early this month directly to government officials at the White House, US Department of Homeland Security, US Department of Defense and National Institute of Standards and Technology, as well as members of academia and other influencers within the federal workforce community.

U.S. military needs capabilities developed by NSA

Even if a recommendation by the White House panel on electronic surveillance to have separate directors for the National Security Agency and the military’s Cyber Command is approved, the two agencies must still work closely together, intelligence analysts said Wednesday.

Currently both organizations are under an Army general, Keith Alexander, and are located together at Fort Meade, Md. In military parlance, Alexander is “dual-hatted.”

The two have separate missions, but the capabilities they need to do their jobs are similar. “Neither one can be successful without the other,” said Dickie George, a former NSA official.

FTC pushes to become regulating body of cybersecurity

With no overarching regulations or laws governing the cybersecurity practices of organizations, it can often be unclear what consumers should expect from those in possession of their data. Likewise, making sure technologies and policies adhere to the best practices of the industry can be difficult for businesses without experience in cybersecurity.

However in recent years, the Federal Trade Commission (FTC) has stepped up as an enforcement entity, holding corporations accountable when they are negligent with customer information. Now the FTC is hoping to become the official regulatory body for data security.

House Homeland Security Leaders Introduce Cybersecurity Legislation

Dec. 11 –Leaders of the House Homeland Security Committee Dec. 11 introduced a bipartisan bill (H.R. 3696) to address cyberattacks on the nation’s banking system, energy pipelines, telecommunications networks and other “critical infrastructure.”

Information Sharing Programs

The National Cybersecurity and Critical Infrastructure Protection Act of 2013 would codify the Department of Homeland Security’s role as a central point for cyberthreat information sharing between the federal government and private sector, while prohibiting any new regulations from the agency.

NSA Says It Foiled Plot To Destroy Our Economy By Bricking Computers Across The US

The National Security Agency described for the first time a cataclysmic cyber threat it claims to have stopped On Sunday’s “60 Minutes.”

Called a BIOS attack, the exploit would have ruined, or “bricked,” computers across the country, causing untold damage to the national and even global economy.

Even more shocking, CBS goes as far as to point a finger directly at China for the plot — “While the NSA would not name the country behind it, cyber security experts briefed on the operation told us it was China.”

americas-private sector

Target data theft fuels new worries on cybersecurity

As millions of bargain-crazed customers swarmed through Target stores on Black Friday, one of the most audacious heists in retail history was quietly underway.

A band of cyberthieves pilfered credit and debit card information from the giant retailer’s customers with pinpoint efficiency as shoppers bought discounted sweaters and electronic gear on the unofficial launch of the holiday shopping season.

By the time the scheme was discovered, the unidentified hackers had made off with financial data of 40 million Target customers over a 21/2-week period. It ranks as one of the nation’s biggest retail cybercrimes on record.

A Third Hack In Three Years For The Washington Post News Group

The Washington Post announced that hackers had once again breached its network. This is at least the third intrusion into the newspaper’s network in the past three years, company officials said on Wednesday. In this latest cyber-attack the hackers were able to hack into the company’s servers and gain access to employee user names and passwords.

“This is an ongoing investigation, but we believe it was a few days at most,” said Post spokeswoman Kris Coratti.

The actual extent of the damage is unknown but the company has planned to ask all employees to change their usernames and passwords on the assumption that many or even all of them may have been compromised in this most recent attack, said the Post.

AIG Says Companies Massively Under-Insured for Cyber Risk

Peter Hancock, the chief executive officer of American International Group Inc. (AIG)’s property-casualty unit, says businesses have too little coverage to guard against costs tied to cyber attacks and data breaches.

“It’s a very real risk, and one that’s massively under-insured,” Hancock, 55, said today at a conference in New York held by National Underwriter. “Without greater awareness, there’s not much customer demand. Without much customer demand, the industry’s capacity is rather small. And without the large capacity, the customers say, ‘Why buy it?’”

Zurich Insurance Group AG (ZURN) and New York-based AIG are among carriers offering protection that helps pay for damage caused by hacking as well as fines and repair costs. Attacks against U.S. banks have knocked their websites offline and prevented customer access, and the Associated Press’s Twitter account was hacked this year to falsely report an explosion near the White House, temporarily triggering a plunge in U.S. stocks.

AHA Urges NIST To Make Cybersecurity Rules Flexible, Voluntary

Last week, the American Hospital Association sent a letter to the National Institute of Standards and Technology urging the agency to ensure that its cybersecurity framework remains flexible and voluntary within the health care industry’s private sector, FierceHealthIT reports.

On Oct. 29, NIST opened a comment period on a proposed cybersecurity framework


2013 computer crime blotter

Prisons around the world this year made way for techie criminals alongside the more garden variety murderers, thieves and schemers.

Here’s a rundown of those who got sent to the slammer this year for tech-related crimes (based on a compilation of reports from the IDG News Service and Network World’s other sister sites):

Iran-linked hackers claim to have infiltrated IDF, Saudi databases

Group calling itself the Islamic Cyber Resistance says it stole the personal details of more than 2,000 top Israeli officers and Defense Ministry personnel; details of 1,000 Saudi officers also said to be taken.

An Iran-linked hacker group calling itself the Islamic Cyber Resistance claims it infiltrated the servers of the Israel Defense Forces earlier this week and extracted the personal details of top army officers.

Hackers Jailed For Casino Blackmail Attack

Two Polish computer hackers who unleashed a cyber attack to blackmail an online casino business out of millions of pounds have been jailed.

Piotr Smirnow, 31 and Patryk Surmacki, 35, were described by their own defence has having embarked on a “bizarre, misconceived, naive and brazen attempt of blackmail”.

The pair pleaded guilty at a previous hearing to two charges each of blackmail and unauthorised acts on computers.

DoS attacks get more complex – are networks prepared?

The threat of cyber attacks from both external and internal sources is growing daily. A denial of service, or DoS, attack is one of the most common. DoS have plagued defense, civilian and commercial networks over the years, but the way they are carried out is growing in complexity. If you thought your systems were engineered to defend against a DoS attack, you may want to take another look.

Denial of service attack evolution

A denial of service attack is a battle for computing resources between legitimate requests that a network and application infrastructure were designed for and illegitimate requests coming in solely to hinder the service provided or shut down the service altogether.

Chinese Hackers Attacked FEC During Government Shutdown

The Federal Election Commission was hit by a massive cyberattack hours after the government shutdown began, according to a report from the Center for Public Integrity. The CPI report claimed the Chinese were behind “the worst act of sabotage” in the agency’s 38-year history.

Three government officials involved in the investigation confirmed the attack to CPI, and the FEC acknowledged the incident in a statement. However, the CPI report did not explain why the officials believed China was involved, or provide any details of the network intrusion beyond the fact that attackers crashed several FEC computer systems. When asked for a statement, FEC referred Security Watch to the Department of Homeland Security and did not provide any information.

UK to give spy agency greater role at Huawei cyber centre

British Prime Minister David Cameron said on Tuesday an internal review had shown the government needed to enhance its oversight of a cyber security centre in southern England run by Chinese telecoms firm Huawei.

Huawei supplies software and equipment which channels phone calls and data around Britain, but has found itself at the centre of a debate, particularly in the United States, over whether it is a risk for governments to allow foreign suppliers access to their networks.

The British government ordered a review of Huawei’s cyber security centre in July after parliament’s intelligence committee said UK security checks were “insufficiently robust” when Huawei began working on the country’s network through contracts with companies such as BT in 2005.

This entry was posted in Weekly Brief. Bookmark the permalink.

Comments are closed.