The latest vulnerabilities and updates (the hack and patch) from the FBI’s Computer Emergency Readiness Team:

Oracle Releases Security Alert for WebLogic Server Vulnerability

Microsoft Releases Advance Notification for February Security Bulletin

Apple Releases iPhone OS 3.1.3 and iPhone OS 3.1.3 for iPod touch

The latest cybersecurity alert bulletins from the FBI:

SB10-018: Vulnerability Summary for the Week of January 11, 2010

SB10-011: Vulnerability Summary for the Week of January 4, 2010

SB10-004: Vulnerability Summary for the Week of December 28, 2009

US-CERT Cyber Security Alerts:

TECHNICAL

TA10-021A: Microsoft Internet Explorer Vulnerabilities

TA10-013A: Adobe Reader and Acrobat Vulnerabilities

TA10-012B: Microsoft Windows EOT Font and Adobe Flash Player 6 Vulnerabilities

US-CERT Recently Published Vulnerability Notes:

VU#144233: Rockwell Automation Allen-Bradley MicroLogix PLC authentication and authorization vulnerabilities

VU#360341: BIND 9 DNSSEC validation code could cause fake NXDOMAIN responses

VU#492515: Microsoft Internet Explorer HTML object memory corruption vulnerability

Debunking the Growing Use of Misleading Claims and False Truisms in Cybersecurity: Wind River and Google Android Examples (Release)

Cyber Secure Institute Calls Wired Magazine’s “2009 Smart List” Idea “Forget Medical Privacy” Profoundly Stupid (Release)

Cyber Secure Institute Releases Preliminary Analysis of the National Institute of Standards and Technology’s Newly Announced Recommended Security Controls for Federal Information Systems and Organizations

2/1/10
Cyberwar and Cyberterrorism
by Gen. Eugene Habiger

Today, the Cyber Secure Institute published a whitepaper, entitled “Cyberwar and Cyberterrorism: The Need for a New U.S. Strategic Approach,” written by Gen. Eugene Habiger USAF (ret.), who formerly served as Commander in Chief of United States Strategic Command. He also served as the Department of Energy's “Security Czar.”

General Habiger’s whitepaper draws a number of important conclusions, including these five points:

1. America is routinely the victim of nation-state driven cyber intrusions that can be seen as low-grade cyber-border conflicts.

2. Some of these attacks have crossed a critical line: they have compromised critical systems supporting our troops engaged in combat.

3. Our failure to proactively address these threats risks a digital Pearl Harbor or 9-11.

4. Deterrence by retribution and preemption, our nation’s core national security strategies, are of limited value against cyberwar and cyberterror threats—“these rotary-phone-era strategies are not well suited for today’s digital world.”

5. A new approach based upon deterrence by denial is needed, which will require nothing short of a total paradigm shift from both government and the private sector.

The White House, the Pentagon, power grids, all have been compromised. If these systems can be hacked no system is secure. You, your family, your company could be next.

Why? Because, the technologies we depend on to secure our nation, drive our economy, run our companies and live our lives are all fundamentally insecure.

In fact, these technologies, despite claims of security, are actually certified by the federal government as insecure; the National Security Agency and the National Institute for Standards and Technology have certified that these technologies are only secure against inadvertent and non-hostile threats. But the cyber attackers we face today are serious, sophisticated, technologically-advanced bad actors with hostile intent—the Chinese Military, the Russian mafia, corporate espionage spies, and disgruntled IT insiders.

We are in constant race between the hackers and the patchers (the IT staffers who run behind the hackers trying to fill the gaps as they learn of them). And, we are losing:

Every year cyber attacks cost the U.S. economy $226 billion.¹
Every month identity theft affects more than 33,333 American children.²
Every day up to 5 million fraudulent phishing emails are sent.³
Every three seconds someone’s identify is stolen.⁴

This needs to change.

The goal of the Cyber Secure Institute is to help bring about that change. We will do so by raising awareness of the cyber threats we face; raising the bar for cybersecurity technologies, and driving the development and deployment of truly effective—cyber secure—technologies.

¹CRS, The Economic Impact of Cyber-Attacks, April 1, 2004.

²http://www.cbsnews.com/stories/2007/05/26/scitech/pcanswer/main2855324.shtml

³http://www.antiphishing.org

⁴Cybersecurity and Consumer Data, Hearing Before the Subcommittee on Commerce, Trade and Consumer Protection, Committee on Energy and Commerce, Nov. 19, 2003.

One of the primary purposes of the Cyber Secure Institute is to drive the development of inherently secure technologies and to push the deployment of these technologies. The Institute is looking to identify technologies that qualify for certification as Cyber Secure. Technology providers are encouraged to submit technologies to us for consideration.

Membership Page

2/1/10

CSI Whitepaper by Gen. Eugene Habiger Released

Cyberwarfare and Cyberterrorism: The Need for a New U.S. Strategic Approach

Click HERE to download.

LATEST NEWS

02.05.10

PC World: Kaspersky: Google Hack Takes Spotlight From Russia

Kaspersky Lab may not be a household name in the United States, but in some parts of the world, it's the most popular consumer antivirus software. In China the company boasts 100 million users, and the software is also popular in Germany, and, of course, Russia, where Kaspersky got its start in 1997.

02.04.10

Washington Post: Google to enlist NSA to help it ward off cyberattacks

Under an agreement that is still being finalized, the National Security Agency would help Google analyze a major corporate espionage attack that the firm said originated in China and targeted its computer networks, according to cybersecurity experts familiar with the matter. The objective is to better defend Google -- and its users -- from future attack.

02.03.10

Forbes: Cybercrime Checks Into The Hotel Industry

Over the past year America's hotels have had some uninvited guests: a wave of increasingly sophisticated invasions by organized cybercriminals.

Fox: Intel Chief: U.S. at Risk of Crippling Cyber Attack

The United States is at risk of a crippling cyber attack that could "wreak havoc" on the country because the "technological balance" makes it much easier to launch a cyber strike than defend against it, Director of National Intelligence Dennis Blair said Tuesday.

SF Chronicle: Cybersecurity needs duck-and-cover campaign to boost national awareness

Shoring up U.S. cyberdefense should include educational programs that motivate private citizens to fight cyber threats through safer Web practices, much as school children were taught in the 1950s to hide under their desks and cover their heads in case of nuclear attacks, researchers say.

02.02.10

IT Business: Hackers peddling stolen Twitter accounts for $1,000

According to researchers at Kaspersky Lab, cybercriminals are trying to sell hacked Twitter user names and passwords on-line for hundreds of dollars.

SC Magazine: Report says U.S. needs new approach for security

The United States needs a new approach to secure cyberspace and prevent a “digital Pearl Harbor or 9/11,” concludes a new report issued Monday by the Cyber Secure Institute, a nonprofit cybersecurity analysis and advocacy organization.

VIDEO

Staged cyber attack reveals vulnerability in power grid

Watch video of the DHS Aurora Project showing the vulnerability of power generators and grids through SCADA systems.

View