<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Information Warfare Monitor &#187; Cyber Security</title>
	<atom:link href="http://www.infowar-monitor.net/tag/cybersecurity/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.infowar-monitor.net</link>
	<description>Tracking Cyberpower</description>
	<lastBuildDate>Thu, 01 Dec 2011 16:11:49 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Fake antivirus industry down, but not out</title>
		<link>http://www.infowar-monitor.net/2011/08/fake-antivirus-industry-down-but-not-out/</link>
		<comments>http://www.infowar-monitor.net/2011/08/fake-antivirus-industry-down-but-not-out/#comments</comments>
		<pubDate>Mon, 29 Aug 2011 17:29:41 +0000</pubDate>
		<dc:creator>Irene Poetranto</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Cyber Security]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=8798</guid>
		<description><![CDATA[<blockquote>
Source: <a title="Fake antivirus industry down, but not out" href="http://krebsonsecurity.com/2011/08/fake-antivirus-industry-down-but-not-out/">Krebs on Security</a>
<br /><br />
Many fake antivirus businesses that paid hackers to foist junk security software on PC users have closed up shop in recent weeks. The wave of closures comes amid heightened scrutiny by the industry from security experts and a host of international law enforcement officials. But it’s probably too soon to break out the bubbly: The inordinate profits that drive fake AV peddlers guarantee the market will soon rebound.
</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a title="Fake antivirus industry down, but not out" href="http://krebsonsecurity.com/2011/08/fake-antivirus-industry-down-but-not-out/">Krebs on Security</a></p>
<p>Many fake antivirus businesses that paid hackers to foist junk security software on PC users have closed up shop in recent weeks. The wave of closures comes amid heightened scrutiny by the industry from security experts and a host of international law enforcement officials. But it’s probably too soon to break out the bubbly: The inordinate profits that drive fake AV peddlers guarantee the market will soon rebound.</p>
<p>During the past few weeks, some top fake AV promotion programs either disappeared or complained of difficulty in processing credit card transactions for would-be scareware victims: Fake AV brands such as Gagarincash, Gizmo, Nailcash, Best AV, Blacksoftware and Sevantivir.com either ceased operating or alerted affiliates that they may not be paid for current and future installations.</p>
<p>On July 2, BestAV, one of the larger fake AV distribution networks, told affiliates that unforeseen circumstances had conspired to ruin the moneymaking program for everyone.</p>
<p>For the full article, see <a title="Fake antivirus industry down, but not out" href="http://krebsonsecurity.com/2011/08/fake-antivirus-industry-down-but-not-out/">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/08/fake-antivirus-industry-down-but-not-out/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ANA &#8220;vigorously&#8221; opposes implementation of ICANN&#8217;s new gTLD program, citing major flaws</title>
		<link>http://www.infowar-monitor.net/2011/08/ana-vigorously-opposes-implementation-of-icanns-new-gtld-program-citing-major-flaws/</link>
		<comments>http://www.infowar-monitor.net/2011/08/ana-vigorously-opposes-implementation-of-icanns-new-gtld-program-citing-major-flaws/#comments</comments>
		<pubDate>Tue, 09 Aug 2011 15:22:52 +0000</pubDate>
		<dc:creator>Irene Poetranto</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[ICANN]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=8765</guid>
		<description><![CDATA[<blockquote>
Source: <a href="http://www.circleid.com/posts/ana_vigorously_opposes_implementation_of_icanns_new_gtld_program/">CircleID</a>
<br /><br />
In a letter to Mr. Rod Beckstrom, President, Internet Corporation for Assigned Names and Numbers (ICANN), the Association of National Advertisers (ANA) has expressed major flaws in ICANN's program for introducing new generic Top-Level Domains. A program which ANA warns would allow as many as 1,000 new Top-Level Domains in the first year and the same cap every year thereafter.
</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.circleid.com/posts/ana_vigorously_opposes_implementation_of_icanns_new_gtld_program/">CircleID</a></p>
<p>In a letter to Mr. Rod Beckstrom, President, Internet Corporation for Assigned Names and Numbers (ICANN), the Association of National Advertisers (ANA) has expressed major flaws in ICANN&#8217;s program for introducing new generic Top-Level Domains. A program which ANA warns would allow as many as 1,000 new Top-Level Domains in the first year and the same cap every year thereafter.</p>
<p>&#8220;By introducing confusion into the marketplace and increasing the likelihood of cybersquatting and other malicious conduct, the ICANN top-level domain program diminishes the power of trademarks to serve as strong, accurate and reliable symbols of source and quality in the marketplace,&#8221; says Bob Liodice, President and CEO, ANA.</p>
<p>For the full original article, see <a href="http://www.circleid.com/posts/ana_vigorously_opposes_implementation_of_icanns_new_gtld_program/">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/08/ana-vigorously-opposes-implementation-of-icanns-new-gtld-program-citing-major-flaws/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Anatomy of a Mac APT attack</title>
		<link>http://www.infowar-monitor.net/2011/08/anatomy-of-a-mac-apt-attack/</link>
		<comments>http://www.infowar-monitor.net/2011/08/anatomy-of-a-mac-apt-attack/#comments</comments>
		<pubDate>Tue, 09 Aug 2011 14:40:55 +0000</pubDate>
		<dc:creator>Irene Poetranto</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Mac]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=8744</guid>
		<description><![CDATA[<blockquote>
Source: <a href="http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/231300533/anatomy-of-a-mac-apt-attack.html" title="Anatomy Of A Mac APT Attack">Dark Reading</a>
<br /><br />
You've heard it all before: If you're a Mac, then you're immune from most of the latest security threats. That has led some organizations worried about cyberespionage-type attacks to consider ditching their target-prone Windows machines for their Mac iOS counterparts, according to a team of researchers who spoke at Black Hat USA last week in Las Vegas.  Mac OS X might have little or no exploits aimed at it right now, but security worry-free Mac users are still susceptible to targeted attacks -- especially ones like advanced persistent threat (APT) that use social engineering, according to the researchers.
</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/231300533/anatomy-of-a-mac-apt-attack.html" title="Anatomy Of A Mac APT Attack">Dark Reading</a></p>
<p>You&#8217;ve heard it all before: If you&#8217;re a Mac, then you&#8217;re immune from most of the latest security threats. That has led some organizations worried about cyberespionage-type attacks to consider ditching their target-prone Windows machines for their Mac iOS counterparts, according to a team of researchers who spoke at Black Hat USA last week in Las Vegas. </p>
<p>Mac OS X might have little or no exploits aimed at it right now, but security worry-free Mac users are still susceptible to targeted attacks &#8212; especially ones like advanced persistent threat (APT) that use social engineering, according to the researchers. A recent report by ESET found that while 52 percent of Windows users feel &#8220;extremely&#8221; or &#8220;very&#8221; vulnerable to cybercrime, only 20 percent of Mac users feel that way.</p>
<p>&#8220;Mac users are trained to feel safe, and they have a long history of not being exploited by attackers. They get used to clicking through unsigned apps,&#8221; said Paul Youn, a researcher with iSec Partners.</p>
<p>And that&#8217;s where the Mac&#8217;s downfall could be when it comes to a targeted attack like an APT. </p>
<p>For the full article, see <a href="http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/231300533/anatomy-of-a-mac-apt-attack.html" title="Anatomy Of A Mac APT Attack">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/08/anatomy-of-a-mac-apt-attack/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Fight cybercrime, but keep the net free</title>
		<link>http://www.infowar-monitor.net/2011/08/fight-cybercrime-but-keep-the-net-free/</link>
		<comments>http://www.infowar-monitor.net/2011/08/fight-cybercrime-but-keep-the-net-free/#comments</comments>
		<pubDate>Sun, 07 Aug 2011 15:36:10 +0000</pubDate>
		<dc:creator>Irene Poetranto</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Hackers]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=8770</guid>
		<description><![CDATA[<blockquote>
Source: <a href="http://www.cnn.com/2011/OPINION/08/06/hypponen.cybrcrime.ted/" title="Fight cybercrime, but keep the net free">CNN</a>
<br /><br />
In the real world, you only have to worry about the criminals who live in your city. But in the online world, you have to worry about criminals who could be on the other side of the planet. Online crime is always international because the Internet has no borders. Today computer viruses and other malicious software are no longer written by hobbyist hackers seeking fame and glory among their peers, but by professional criminals who are making millions with their attacks. These criminals want access to your computer, your Paypal passwords and your credit card numbers.
</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a title="Fight cybercrime, but keep the net free" href="http://www.cnn.com/2011/OPINION/08/06/hypponen.cybrcrime.ted/">CNN</a></p>
<p>In the real world, you only have to worry about the criminals who live in your city. But in the online world, you have to worry about criminals who could be on the other side of the planet. Online crime is always international because the Internet has no borders.</p>
<p>Today computer viruses and other malicious software are no longer written by hobbyist hackers seeking fame and glory among their peers, but by professional criminals who are making millions with their attacks. These criminals want access to your computer, your Paypal passwords and your credit card numbers.</p>
<p>Criminal online gangs recruit people with high level computing skills but no job opportunities in the real-world economy. There is now a global market for sinister crimeware &#8212; viruses, worms, trojans, spyware &#8212; that is produced and sold on underground market sites on the Web.</p>
<p>For the full article, see <a title="Fight cybercrime, but keep the net free" href="http://www.cnn.com/2011/OPINION/08/06/hypponen.cybrcrime.ted/">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/08/fight-cybercrime-but-keep-the-net-free/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Pentagon to recruit Twitter and Facebook specialists</title>
		<link>http://www.infowar-monitor.net/2011/08/pentagon-to-recruit-twitter-and-facebook-specialists/</link>
		<comments>http://www.infowar-monitor.net/2011/08/pentagon-to-recruit-twitter-and-facebook-specialists/#comments</comments>
		<pubDate>Wed, 03 Aug 2011 14:11:47 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[Twitter]]></category>
		<category><![CDATA[US]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7819</guid>
		<description><![CDATA[<blockquote>
Source: <a href="http://www.itproportal.com/2011/08/03/pentagon-recruit-twitter-facebook-specialists/" target="_blank">ITPro Portal</a>

The Pentagon has plans to tap social networking websites to secure information, to detect and track the spread of ideas, enabling them to counter any upcoming threats.

According to the Washington Post, The Defense Advanced Research Projects Agency (DARPA), part of the Pentagon, has announced that the authorities are looking for people proficient in social networking that could help them research and build strategic programs accordingly.

The DARPA has revealed that the organisation is willing to spend $42 million on the research and development program, as the US defense agency is looking to reach a new level with its intelligence division by keeping a track on the millions using social media.

...

For full original article, see <a href="http://www.itproportal.com/2011/08/03/pentagon-recruit-twitter-facebook-specialists/#ixzz1TyVLTJEM" target="_blank">here</a></blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.itproportal.com/2011/08/03/pentagon-recruit-twitter-facebook-specialists/" target="_blank">ITPro Portal</a></p>
<p>The Pentagon has plans to tap social networking websites to secure information, to detect and track the spread of ideas, enabling them to counter any upcoming threats.</p>
<p>According to the Washington Post, The Defense Advanced Research Projects Agency (DARPA), part of the Pentagon, has announced that the authorities are looking for people proficient in social networking that could help them research and build strategic programs accordingly.</p>
<p>The DARPA has revealed that the organisation is willing to spend $42 million on the research and development program, as the US defense agency is looking to reach a new level with its intelligence division by keeping a track on the millions using social media.</p>
<p>A hypothetical situation was put forward in its solicitation by the DARPA to illustrate the sort of situation which might arise: &#8220;Rumors about the location of a certain individual began to spread in social media space and calls for storming the rumored location reached a fever pitch. By chance, responsible authorities were monitoring the social media, detected the crisis building, sent out effective messaging to dispel the rumors and averted a physical attack on the rumored location.&#8221;</p>
<p>&#8230;</p>
<p>For full original article, see <a href="http://www.itproportal.com/2011/08/03/pentagon-recruit-twitter-facebook-specialists/#ixzz1TyVLTJEM" target="_blank">here</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/08/pentagon-to-recruit-twitter-and-facebook-specialists/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Mobile money under security threat</title>
		<link>http://www.infowar-monitor.net/2011/07/mobile-money-under-security-threat/</link>
		<comments>http://www.infowar-monitor.net/2011/07/mobile-money-under-security-threat/#comments</comments>
		<pubDate>Sun, 31 Jul 2011 14:59:01 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Kenya]]></category>
		<category><![CDATA[Telecom]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7801</guid>
		<description><![CDATA[<blockquote>
Source: <a href="http://allafrica.com/stories/201108012382.html" target="_blank">AllAfrica</a>

International security experts have raised the red flag over the rising vulnerability of Kenya's mobile money transfer platform to international cyber criminals.

Consequently, the Kenyan Government has announced plans to put up security infrastructure to stem the emerging risks of cyber crime on the platform.
 
Speaking at an international Cyberspace security workshop in the Kenyan capital Nairobi, cyber security experts warned last week that hackers had started encroaching on the mobile money platform and it is therefore imperative for Kenya to build adequate capacity to shield itself against the emerging cyber security risks.

...

For full original article, see <a href="http://allafrica.com/stories/201108012382.html" target="_blank">here</a>

</blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://allafrica.com/stories/201108012382.html" target="_blank">AllAfrica</a></p>
<p>International security experts have raised the red flag over the rising vulnerability of Kenya&#8217;s mobile money transfer platform to international cyber criminals.</p>
<p>Consequently, the Kenyan Government has announced plans to put up security infrastructure to stem the emerging risks of cyber crime on the platform.</p>
<p>Speaking at an international Cyberspace security workshop in the Kenyan capital Nairobi, cyber security experts warned last week that hackers had started encroaching on the mobile money platform and it is therefore imperative for Kenya to build adequate capacity to shield itself against the emerging cyber security risks.</p>
<p>&#8220;Kenya has been the leader in terms of the online banking issues. Criminals are smart and they know where the money is and they look to where the technology is moving. As we try to move very quickly to be on top of this and make sure that we are taking precautions and legal measures, criminals are very sophisticated and are moving to these platforms,&#8221; said Christopher Painter, coordinator for Cyber issues in the US State Department.</p>
<p>Close to 25 million Kenyans have access to banking services through their mobile phones.</p>
<p>&#8230;</p>
<p>For full original article, see <a href="http://allafrica.com/stories/201108012382.html" target="_blank">here</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/07/mobile-money-under-security-threat/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Time to Get Transparent about Cyber Security</title>
		<link>http://www.infowar-monitor.net/2011/07/time-to-get-transparent-about-cyber-security/</link>
		<comments>http://www.infowar-monitor.net/2011/07/time-to-get-transparent-about-cyber-security/#comments</comments>
		<pubDate>Fri, 29 Jul 2011 19:46:57 +0000</pubDate>
		<dc:creator>Jon Penney</dc:creator>
				<category><![CDATA[Blog]]></category>
		<category><![CDATA[Breachfest 2011]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Law and Policy]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7747</guid>
		<description><![CDATA[Another day, another hack. Apple, Sony, Citigroup, and Lockheed Martin are just some of the big-name companies afflicted by recent cyber-security breaches. Canada has not been spared. Beyond the attacks on the federal Treasury and Finance Departments and the Conservative Party of Canada, Sony, Husky Energy, and Honda have all had Canadian branches or units [...]]]></description>
			<content:encoded><![CDATA[<p>Another day, another hack. Apple, Sony, Citigroup, and Lockheed Martin are just some of the <a href="http://www.informationweek.com/news/security/attacks/230600055">big-name companies afflicted</a> by recent cyber-security breaches. Canada has not been spared. Beyond the attacks on the <a href="https://www.infosecisland.com/blogview/11946-Canadian-Treasury-and-Finance-Systems-Hacked.html">federal Treasury and Finance Departments</a> and the Conservative Party of Canada, Sony, Husky Energy, and Honda have all had Canadian branches or units compromised in recent hacks. Even major Canadian law firms <a href="http://www.theglobeandmail.com/report-on-business/industry-news/the-law-page/major-law-firms-fall-victim-to-cyber-attacks/article1972226/">have been victimized</a>.</p>
<p>Expectedly, <a href="http://news.cnet.com/8301-27080_3-20071100-245/who-is-behind-the-hacks-faq/">questions are being raised</a> about the nature of the cyber-attacks, their scope, and the means and motives of those behind them.  And, perhaps most importantly, people are raising <a href="http://www.telegraph.co.uk/technology/news/8553979/Sony-hack-private-details-of-million-people-posted-online.html">privacy concerns</a> about the massive amounts of personal and financial information that these, and other, companies hold, and about the data safeguards – or lack thereof – rendering that data vulnerable to theft and exploitation.</p>
<p>Despite these real public concerns, a troubling trend is emerging – a tendency for companies to sit on information about hacks and data breaches, sometimes for weeks, before going public, and to, even then, downplay the severity and scope of the breach.</p>
<p>Sony was the victim of a massive data breach in early April, and, later that month, its PlayStation network was hacked a second time. However, the second time around, Sony <a href="http://www.theepochtimes.com/n2/world/sony-knew-hack-was-huge-but-delayed-informing-users-57720.html">delayed disclosing the fact</a> that it had been hacked, and even misrepresented the timeline for when the company had found out about the second hack. Similarly, Citigroup sat on a data security breach <a href="http://money.cnn.com/2011/06/13/news/companies/citigroup_credit_card/?section=money_latest">for almost a month</a> before disclosing information about it, and still <a href="http://www.nytimes.com/2011/06/16/technology/16citi.html">understated</a> the seriousness of the attack: At first, Citigroup said data was stolen from 200,000 bank accounts. Then it said data was stolen from 360,000 accounts. Tomorrow, who knows?</p>
<p>Lack of timely and frank public disclosure is a serious problem. To begin with, it puts consumers and the general public at continuing risk. Without warning or notice of such cyber-attacks or data hacks, customers continue to use potentially compromised sites and networks, making misappropriation of their personal and financial data even more likely. In the process, people are unable to make informed decisions about consumer goods and financial services, including the amount of data they wish to confer and the companies or banks with which they choose to do business.</p>
<p>And, without the public scrutiny that disclosure attracts, there is little incentive for companies to take network security seriously, or to take the necessary, often costly, steps to prevent later attacks. According to a recent study from the Ponemon Institute, <a href="http://www.cio.com/article/684220/_Impending_Security_Standoff_Between_Customers_and_Cloud_Providers">79 per cent</a> of internet cloud-computing companies dedicate less than 10 per cent of their resources to cyber-security.</p>
<p>What should we do about this in Canada? A few ideas have been floated. Some have pushed for more American-style class-action lawsuits based on such privacy breaches. In fact, Honda Canada was recently <a href="http://www.thestar.com/business/article/998641--honda-rim-in-law-firms-sites">served</a> a $200 million class-action lawsuit arising from its own data breach. Some, like Canada&#8217;s Privacy Commissioner Jennifer Stoddart, have <a href="http://www.theglobeandmail.com/news/technology/tech-news/canadas-privacy-commissioner-wants-hefty-fines-for-data-breaches/article2009801/">suggested</a> imposing large fines on companies for cyber-security and data breaches.</p>
<p>These are not bad ideas, but without transparency they achieve little. Litigation is costly and time consuming, and often leads to secretive settlement without public benefit. Furthermore, after-the-fact punitive measures, either through litigation or government fines, can encourage companies to bury information about data breaches, or to downplay their scope.</p>
<p>Besides, no fine can be imposed, or investigation or lawsuit launched, if no one knows about a data security breach in the first place.</p>
<p>So, a strong data security breach disclosure law is an essential first step. In fact, the Canadian government&#8217;s own <a href="http://www.parl.gc.ca/HousePublications/Publication.aspx?Docid=4547739&amp;File=33#3">Bill C-29</a>, which died in the last Parliament, proposed making disclosure of &#8220;material&#8221; data breaches mandatory. That legislation, however, was seriously flawed.</p>
<p>To begin with, it gave companies too much discretion in deciding what they had to report, as they were only required to report “material” data breaches that caused “systemic” issues. Under this law, then, Citigroup could arguably have concluded that its breach – the theft of data from 300,000 accounts – was not a “material” breach, as it was a single breach and the vulnerability was subsequently patched. In other words, it was not a &#8220;systemic&#8221; issue, and so, under Bill C-29, Citigroup would not be required to report it.</p>
<p>Bill C-29 also gave companies too much discretion with regard to the timing of security-breach reports, as it only required them to file a report once they had decided that a material breach had, in fact, occurred. This meant reporting could be delayed until a lengthy internal investigation had been carried out in order to make that determination.</p>
<p>Finally, other than court orders, Bill C-29 offered no additional penalties or new mechanisms to enforce disclosure rules.</p>
<p>A tougher approach is being debated in the United States. <a href="http://bono.house.gov/UploadedFiles/Data_Breach_Draft.pdf">One bill</a> called the &#8220;Safe Data Act&#8221;, which the Republicans recently tabled, would require companies to notify law enforcement within 48 hours of a data breach. If the breach was serious enough, the FTC, and any people affected, would also be notified. An even stronger <a href="http://leahy.senate.gov/press/press_releases/release/?id=31e641c0-013e-4abc-8148-2c4f04ac3a86">Democratic bill</a>, the &#8220;Personal Data Privacy and Security Act&#8221;, would require that all of the people whose information may have been stolen in a data breach be notified.</p>
<p>Unlike Canada&#8217;s Bill C-29, each of these proposals in the U.S. has separate sections creating new enforcement powers, including assigning large statutory fines for violations (even up to $5,000,000) and, in the Democratic legislation, even jail terms for those convicted of <a href="http://leahy.senate.gov/press/press_releases/release/?id=31e641c0-013e-4abc-8148-2c4f04ac3a86">intentionally concealing a data breach</a>.</p>
<p>The last Canadian proposals, which died with Bill C-29, lacked teeth, and gave companies too much discretion in deciding what situations required security-breach reports, as well as the timing of those reports. Now, the Canadian government has a clean slate, and knowledge of these tougher alternatives, with which to forge a more robust disclosure regime.</p>
<p>Cyber-security challenges, and the privacy, transparency, and data-retention issues they raise, are not going away, and the ideas offered here are far from comprehensive. But full disclosure, public scrutiny, and transparency are, without question, the foundation upon which more intelligent and comprehensive solutions will be built.</p>
<div class="about-author clearfix">
<h4>About the Author</h4>
<p><img class="alignnone size-full wp-image-7753" src="http://www.infowar-monitor.net/wp-content/uploads/2011/07/penney.jpg" alt="" width="103" height="123" /><br />
Jon Penney is a lawyer and (currently) a Google Policy Fellow at the Citizen Lab. Before coming to the Lab, he spent time studying and researching at Oxford University, Columbia Law School, and Victoria University (Wellington), where he was a Senior Research Fellow and Lecturer in the law faculty.</p>
</div>
<p><em>A version of this article previously appeared in <a href="http://www.themarknews.com/articles/6214-it-s-all-about-transparency">The Mark News</a></em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/07/time-to-get-transparent-about-cyber-security/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>House committee approves cybersecurity standards bill</title>
		<link>http://www.infowar-monitor.net/2011/07/house-committee-approves-cybersecurity-standards-bill/</link>
		<comments>http://www.infowar-monitor.net/2011/07/house-committee-approves-cybersecurity-standards-bill/#comments</comments>
		<pubDate>Tue, 26 Jul 2011 14:09:57 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Law and Policy]]></category>
		<category><![CDATA[US]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7785</guid>
		<description><![CDATA[Source: <a href="http://www.infosecurity-us.com/view/19671/house-committee-approves-cybersecurity-standards-bill/" target="_blank">Infosecurity</a>

The House Science, Space and Technology Committee last week approved the Cybersecurity Enhancement Act of 2011, which mirrors legislation passed last year by the House, but that never made it to the Senate, according to a report by the National Journal.

The bill is sponsored by Texas Republican representative Michael McCaul, who believes that the cyber threat is an issue that will unite people across the political spectrum.

...

For full original article, see <a href="http://www.infosecurity-us.com/view/19671/house-committee-approves-cybersecurity-standards-bill/" target="_blank">here</a>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.infosecurity-us.com/view/19671/house-committee-approves-cybersecurity-standards-bill/" target="_blank">Infosecurity</a></p>
<p>The House Science, Space and Technology Committee last week approved the Cybersecurity Enhancement Act of 2011, which mirrors legislation passed last year by the House, but that never made it to the Senate, according to a report by the National Journal.</p>
<p>The bill is sponsored by Texas Republican representative Michael McCaul, who believes that the cyber threat is an issue that will unite people across the political spectrum.</p>
<p>McCaul, who also sits on the House Homeland Security Committee, expects the bill to be debated by the full House after the August recess.</p>
<p>If enacted, the bill will authorize research, education and the development of standards at the National Science Foundation and the National Institute of Standards and Technology (NIST). It also gives NIST the authority to set standards for federal agencies.<br />
&#8230;</p>
<p>For full original article, see <a href="http://www.infosecurity-us.com/view/19671/house-committee-approves-cybersecurity-standards-bill/" target="_blank">here</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/07/house-committee-approves-cybersecurity-standards-bill/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>You hack, we shoot: Pentagon discusses armed counterstrikes to cyberattacks</title>
		<link>http://www.infowar-monitor.net/2011/07/you-hack-we-shoot-pentagon-discusses-armed-counterstrikes-to-cyberattacks/</link>
		<comments>http://www.infowar-monitor.net/2011/07/you-hack-we-shoot-pentagon-discusses-armed-counterstrikes-to-cyberattacks/#comments</comments>
		<pubDate>Thu, 21 Jul 2011 13:44:09 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Cyber Attacks]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[US]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7767</guid>
		<description><![CDATA[<blockquote>
Source: <a href="http://www.csmonitor.com/USA/Military/2011/0721/You-hack-we-shoot-Pentagon-discusses-armed-counterstrikes-to-cyberattacks" target="_blank">Anna Mulrine</a>, Christian Science Monitor

Lawmakers on Capitol Hill have delivered a stark warning to the Pentagon: its failure to address key questions surrounding how the United States military would respond to a cyberattack – and what precisely constitutes an act of war in cyberspace, for that matter – remains a “significant gap” in US national security policy.

Senior Pentagon officials for their part are griping, too, that the current Defense Department approach to cyberwarfare is “way too predictable.” Gen. James Cartwright, vice chairman of the Joint Chiefs of Staff, recently lamented that, in cyberspace, “there is no penalty for attacking [the US] right now. We've got to figure out a way to change that.”

To that end, some senior defense officials are increasingly pushing for the US to retaliate against cyber-sieges with counterstrikes – that could ultimately include launching a “land-based attack” on the perpetrator.

...

For full original article, see <a href="http://www.csmonitor.com/USA/Military/2011/0721/You-hack-we-shoot-Pentagon-discusses-armed-counterstrikes-to-cyberattacks" target="_blank">here</a></blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://www.csmonitor.com/USA/Military/2011/0721/You-hack-we-shoot-Pentagon-discusses-armed-counterstrikes-to-cyberattacks" target="_blank">Anna Mulrine</a>, Christian Science Monitor</p>
<p>Lawmakers on Capitol Hill have delivered a stark warning to the Pentagon: its failure to address key questions surrounding how the United States military would respond to a cyberattack – and what precisely constitutes an act of war in cyberspace, for that matter – remains a “significant gap” in US national security policy.</p>
<p>Senior Pentagon officials for their part are griping, too, that the current Defense Department approach to cyberwarfare is “way too predictable.” Gen. James Cartwright, vice chairman of the Joint Chiefs of Staff, recently lamented that, in cyberspace, “there is no penalty for attacking [the US] right now. We&#8217;ve got to figure out a way to change that.”</p>
<p>To that end, some senior defense officials are increasingly pushing for the US to retaliate against cyber-sieges with counterstrikes – that could ultimately include launching a “land-based attack” on the perpetrator.</p>
<p>&#8230;</p>
<p>For full original article, see <a href="http://www.csmonitor.com/USA/Military/2011/0721/You-hack-we-shoot-Pentagon-discusses-armed-counterstrikes-to-cyberattacks" target="_blank">here</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/07/you-hack-we-shoot-pentagon-discusses-armed-counterstrikes-to-cyberattacks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>India, US ink an agreement on cyber security</title>
		<link>http://www.infowar-monitor.net/2011/07/india-us-ink-an-agreement-on-cyber-security/</link>
		<comments>http://www.infowar-monitor.net/2011/07/india-us-ink-an-agreement-on-cyber-security/#comments</comments>
		<pubDate>Tue, 19 Jul 2011 14:09:47 +0000</pubDate>
		<dc:creator>Editor</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[India]]></category>
		<category><![CDATA[Terrorism]]></category>
		<category><![CDATA[US]]></category>

		<guid isPermaLink="false">http://www.infowar-monitor.net/?p=7782</guid>
		<description><![CDATA[<blockquote>
Source: <a href="http://articles.economictimes.indiatimes.com/2011-07-19/news/29791021_1_cyber-security-counter-terror-cooperation-homeland-security" target="_blank">India Times</a>

With terrorists increasingly resorting to hacking and using internet for communications, India and the US Tuesday inked an agreement to promote increased collaboration in cyber security.

The memorandum of understanding on cyber security was signed by R. Chandrashekhar, secretary, India Department of Information Technology, and Jane Holl Lute, deputy secretary for the US Department of Homeland Security (DHS).

The agreement entails closer cooperation and the timely exchange of information on cyber security.


...

For full original article, see <a href="http://articles.economictimes.indiatimes.com/2011-07-19/news/29791021_1_cyber-security-counter-terror-cooperation-homeland-security" target="_blank">here</a></blockquote>]]></description>
			<content:encoded><![CDATA[<p>Source: <a href="http://articles.economictimes.indiatimes.com/2011-07-19/news/29791021_1_cyber-security-counter-terror-cooperation-homeland-security" target="_blank">India Times</a></p>
<p>With terrorists increasingly resorting to hacking and using internet for communications, India and the US Tuesday inked an agreement to promote increased collaboration in cyber security.</p>
<p>The memorandum of understanding on cyber security was signed by R. Chandrashekhar, secretary, India Department of Information Technology, and Jane Holl Lute, deputy secretary for the US Department of Homeland Security (DHS).</p>
<p>The agreement entails closer cooperation and the timely exchange of information on cyber security.</p>
<p>The pact was signed on a day US Secretary of State Hillary Clinton and External Affairs Minister held the second India-US strategic dialogue that focused on expanding counter-terror cooperation.<br />
&#8230;</p>
<p>For full original article, see <a href="http://articles.economictimes.indiatimes.com/2011-07-19/news/29791021_1_cyber-security-counter-terror-cooperation-homeland-security" target="_blank">here</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.infowar-monitor.net/2011/07/india-us-ink-an-agreement-on-cyber-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

