• Adm. Michael Rogers: Businesses must “own” cybersecurity threats

    Cybersecurity threats are a vital issue for the nation, and like the Defense Department, businesses must own the problem to successfully carry out their missions, DOD’s top cybersecurity expert told a forum of businesspeople.

  • Researchers crack supposedly impregnable encryption algorithm in two hours

    Without cryptography, no one would dare to type their credit card number on the Internet. Security systems developed to protect the communication privacy between the seller and the buyer are the prime targets for hackers of all kinds, hence making it necessary for encryption algorithms to be regularly strengthened. A protocol based on “discrete logarithms,” deemed as one of the candidates for the Internet’s future security systems, was decrypted by École polytechnique fédérale de Lausann (EPFL) researchers. Allegedly tamper-proof, it could only stand up to the school machines’ decryption attempts for two hours.

  • States lack expertise, staff to deal with cyberthreats to utilities

    The vulnerability of national electric grids to cyberattacks has caught the attention of federal utility regulators and industry safety groups, but state commissions tasked with regulating local distribution utilities are slow to respond to emerging cybersecurity risks. The annual membership directory of state utility regulators lists hundreds of key staff members of state commissions throughout the country, but not a single staff position had “cybersecurity” in the title.

  • Attackers exploited Microsoft security hole before company’s announcement

    Before Microsoft alerted its customers of a security flaw in Windows XP over a week ago, a group of advanced hackers had already discovered and used the vulnerability against targeted financial, energy, and defense companies.

  • FBI warns healthcare providers about cybersecurity

    The FBI has issued a private industry notification (PIN), warning healthcare providers that their cybersecurity networks are not sufficiently secure compared to the networks of the financial and retail sectors, making healthcare systems even more vulnerable to attacks by hackers seeking Americans’ personal medical records and health insurance data. Healthcare data are as valuable on the black market than credit card numbers because the data contain information that can be used to access bank accounts or obtain prescription for controlled substances.

  • Sandia offers free classes to high school students at the Lab’s Cyber Technologies Academy

    In the rapidly changing world of cybersecurity, who better to learn from than the professionals who live in that world every day? High school students are getting just that opportunity through Sandia National Laboratories’ Cyber Technologies Academy, free classes for high school students interested in computer science and cybersecurity.

  • Russia may launch crippling cyberattacks on U.S. in retaliation for Ukraine sanctions

    U.S. officials and security experts are warning that Russian hackers may attack the computer networks of U.S. banks and critical infrastructure firms in retaliation for new sanctions by the Obama administration, imposed in response to Russia’s actions in Ukraine. Cybersecurity specialists consider Russian hackers among the best at infiltrating networks and some say that they have already inserted malicious software on computer systems in the United States.

  • Innovative U.S. cybersecurity initiative to address cyberthreats

    Cyberattacks on computer networks around the world reached 1.7 billion in 2013, up from 1.6 billion in 2012. The administration’s 2012 Enhanced Cybersecurity Services(ECS) program, launched to protect the private sector from hackers by letting approved companies access classified information on cyber threats and sell cybersecurity services to critical infrastructure targets, is still in its early stages fourteen months after its launch.

  • Heartbleed bug: insider trading may have taken place as shares slid ahead of breaking story

    By Bill Buchanan

    Here is a puzzle for you. Why did shares in Yahoo! slide by nearly 10 percent in the days before Heartbleed was announced and then recover after the main news items broke? It has long been the case that security vulnerabilities can have a negative effect on the public’s perception of tech companies and the value of their stock. All chief executives need to understand this and take action to reduce the exposure and associated risks. The evidence suggests that in the Heartbleed case, there could have been some insider trading taking place in the days before the story became big news. In theory the companies should have announced the problem to the stock market as soon as they became aware, but this series of events probably illustrates the limits of the duty on companies to disclose: when matters of national security are at stake, the rules may not be so rigorously applied.

  • SEC to examine robustness of Wall Street’s cyber defenses

    The Security and Exchange Commission (SEC) announced plans last week to inspect the cyber defenses of fifty Wall Street investment advisers, brokers, and dealers to determine whether the financial sector is prepared for pinpointed cyberattacks. This is the first time the cybersecurity has made the list of the SEC’s annual investigations.

  • Businesses looking to bolster cybersecurity

    Since the recent data breaches at retailers Target and Neiman Marcus, in which hackers stole millions of customers’ credit and debit card information, consumers have been urging card providers to offer better secure payment processors. Legislators have introduced the Data Security Act of 2014 to establish uniform requirements for businesses to protect and secure consumers’ electronic data. The bill will replace the many different, and often conflicting, state laws that govern data security and notification standards in the event of a data breach.

  • How the Heartbleed bug reveals a flaw in online security

    By Robert Merkel

    The Heartbleed bug – which infects an extremely widespread piece of software called OpenSSL  — has potentially exposed the personal and financial data of millions of people stored online has also exposed a hole in the way some security software is developed and used. The Heartbleed bug represents a massive failure of risk analysis. OpenSSL’s design prioritizes performance over security, which probably no longer makes sense. But the bigger failure in risk analysis lies with the organizations which use OpenSSL and other software like it. A huge array of businesses, including very large IT businesses with the resources to act, did not take any steps in advance to mitigate the losses. They could have chosen to fund a replacement using more secure technologies, and they could have chosen to fund better auditing and testing of OpenSSL so that bugs such as this are caught before deployment. They didn’t do either, so they — and now we — wear the consequences, which likely far exceed the costs of mitigation.

  • Measuring smartphone malware infection rates

    Researchers show that infection rates in Android devices at around 0.25 percent are significantly higher than the previous independent estimate. They also developed a technique to identify devices infected with previously unknown malware.

  • Capabilities-based – rather than actuarial -- risk analysis would make businesses safer

    Many businesses and organizations, when applying cost-benefit analysis and a risk-management analysis to measure cyber risk, are relying on the assumption that the likelihood of a future attack depends heavily on how many attacks have occurred in the past. Since there has yet to be a full-scale attack on critical infrastructure in the United States, it is simple to conclude that the risk of a cyberattack on critical infrastructure is low, therefore justifying low investment in additional security initiatives. An actuarial risk analysis may conclude that there is little likelihood of such as attack occurring, but a capabilities-based risk analysis recognizes that since adversaries are capable of such an attack, it is in an organization’s best interest to secure against it.

  • “Hacker schools” grow to meet growing demand for programmers

    The increasing demand for computer programmers in the job market has led to the growth of “hacker schools,” an alternative to traditional education that offers students a quicker, cheaper, and effective way to learn computer programing. Hacker schools do not offer certificates or diplomas, instead they target students who currently have degrees in other fields but who want a career change.