In Today’s News (09/29/2011)

By | September 29, 2011

Source: Internet Security Alliance Daily Brief

For Hackers, the Next Lock to Pick. September 27, The New York Times – Hackers have broken into the cellphones of celebrities like Scarlett Johansson and Prince William. But what about the rest of us, who might not have particularly salacious photos or voice messages stored in our phones, but nonetheless have e-mails, credit card numbers and records of our locations? A growing number of companies, including start-ups and big names in computer security like McAfee, Symantec, Sophos and AVG, see a business opportunity in mobile security — protecting cellphones from hacks and malware that could read text messages, store location information or add charges directly to mobile phone bills. On Tuesday, McAfee introduced a service for consumers to protect their smartphones, tablets and computers at once, and last week the company introduced a mobile security system for businesses. Last month, AT&T partnered with Juniper Networks to build mobile security apps for consumers and businesses. The Defense Department has called for companies and universities to come up with ways to protect Android devices from malware. Source:

Businesses are failing to maintain data security. September 28, Infoworld – The Payment Card Industry’s Data Security Standard (PCI DSS) has matured in the 6 years since it was enacted, but businesses are failing to maintain their compliance with the security standard, according to a report released by Verizon Business September 28. In the report, Verizon Business analyzed more than 100 PCI compliance cases conducted in the last year. Its basic finding: The vast majority of firms are unable to remain compliant with the 12 requirements of the standard over the course of a year. Only 21 percent of firms stayed compliant with the Data Security Standard between their last successful assessment and their checkup a year later, the report found. The director of global PCI services for Verizon Business said, “We see many organizations do successful implementations, but we see a backslide as the year progresses, and then they end out of compliance for the rest of the year.” Firms had problems with protecting cardholder data, tracking and monitoring access to sensitive data, and regularly testing system security and processes, the report states. Source:

Java, Adobe vulns blamed for Windows malware mayhem. September 28, The Register – Failure to patch third-party applications has become the main reason Windows machines get infected with malware, according to a report released by CSIS September 27. Systems running vulnerable versions of Java JRE, Adobe Reader and Acrobat, and Adobe Flash were particularly at risk of attack. Up to 85 percent of all virus infections happen as the result of drive-by attacks served up via commercial exploit kits, with 31.3 percent of users that were exposed to the exploit kits being secretly fed malware. CSIS concluded that “99.8 percent of all virus/malware infections caused by commercial exploit kits are a direct result of the lack of updating five specific software packages.” Source:

Microsoft takes down Kelihos botnet. September 28, Help Net Security – After having disrupted the operation of the Waledac and Rustock botnets, Microsoft set its sights on a smaller one that is thought to be an attempt to rebuild the Waledac botnet, Help Net Security reported September 28. Microsoft used the same tactics it employed in the previous cases — it asked a U.S. court for permission to shut down the Internet domains/command-and-control servers for the botnet. But what makes this case unique is the fact that for the first time a defendant was named in the suit and was notified of the action. In the complaint, Microsoft alleged that 23 individuals own a domain used to register other subdomains that were used to operate and control the Kelihos botnet. The Kelihos botnet is rather small. Nevertheless, it is capable of sending out nearly 4 billion spam e-mails per day from approximately 41,000 computers located worldwide. Source:

Cyber security evaluation tool released by DHS. September 28, Softpedia – The DHS launched a product called Cyber Security Evaluation Tool (CSET) to aid organizations in properly securing digital property, Softpedia reported September 28. The tool lets users identify the weak links in their systems and what needs to be improved so cybercriminal activity can be prevented and combated. The CSET application compares the user’s network infrastructure against industry standards. It then lists recommendations that should help enhance the safeguarding of the enterprise’s cyber structure. According to the product’s fact sheet, it incorporates many standards from different organizations such as the National Institute of Standards and Technology, North American Electric Reliability Corporation, International Organization for Standardization, and U.S. Department of Defense. When the operator selects one or more of the standards, CSET will require her to answer a series of questions. Based on these answers, a full report will be generated to show what can be improved. Source:
