The latest vulnerabilities and updates (the hack and patch) from the FBI’s Computer Emergency Readiness Team:

Microsoft Windows .LNK Vulnerability

Apple Releases Safari 5.0.1 and Safari 4.1.1

Google Releases Chrome 5.0.375.125

The latest cybersecurity alert bulletins from the FBI:

SB10-207: Vulnerability Summary for the Week of July 19, 2010

SB10-200: Vulnerability Summary for the Week of July 12, 2010

SB10-193: Vulnerability Summary for the Week of July 5, 2010

US-CERT Cyber Security Alerts:

TECHNICAL

TA10-194B: Oracle Updates for Multiple Vulnerabilities

TA10-194A: Microsoft Updates for Multiple Vulnerabilities

TA10-162A: Adobe Flash and AIR Vulnerabilities

US-CERT Recently Published Vulnerability Notes:

VU#940193: Microsoft Windows automatically executes code specified in shortcut files

VU#541921: ISC DHCP server fails to handle zero-length client identifier

VU#732671: Cisco Industrial Ethernet 3000 Series switches have hardcoded SNMP community strings

Big Changes Afoot at the Institute - 5/13/2010

Debunking the Growing Use of Misleading Claims and False Truisms in Cybersecurity: Wind River and Google Android Examples (Release)

Cyber Secure Institute Calls Wired Magazine’s “2009 Smart List” Idea “Forget Medical Privacy” Profoundly Stupid (Release)

2/17/10
Cybersecurity: The Challenge of Political and Corporate Will

by Hon. C. Thomas McMillen

2nd in the series, Provoking Cybersecurity Change.

2/1/10
Cyberwar and Cyberterrorism

by Gen. Eugene Habiger

Today, the Cyber Secure Institute published a whitepaper, entitled “Cyberwar and Cyberterrorism: The Need for a New U.S. Strategic Approach,” written by Gen. Eugene Habiger USAF (ret.), who formerly served as Commander in Chief of United States Strategic Command. He also served as the Department of Energy's “Security Czar.”

General Habiger’s whitepaper draws a number of important conclusions, including these five points:

1. America is routinely the victim of nation-state driven cyber intrusions that can be seen as low-grade cyber-border conflicts.

2. Some of these attacks have crossed a critical line: they have compromised critical systems supporting our troops engaged in combat.

3. Our failure to proactively address these threats risks a digital Pearl Harbor or 9-11.

4. Deterrence by retribution and preemption, our nation’s core national security strategies, are of limited value against cyberwar and cyberterror threats—“these rotary-phone-era strategies are not well suited for today’s digital world.”

5. A new approach based upon deterrence by denial is needed, which will require nothing short of a total paradigm shift from both government and the private sector.

The White House, the Pentagon, power grids, all have been compromised. If these systems can be hacked no system is secure. You, your family, your company could be next.

Why? Because, the technologies we depend on to secure our nation, drive our economy, run our companies and live our lives are all fundamentally insecure.

In fact, these technologies, despite claims of security, are actually certified by the federal government as insecure; the National Security Agency and the National Institute for Standards and Technology have certified that these technologies are only secure against inadvertent and non-hostile threats. But the cyber attackers we face today are serious, sophisticated, technologically-advanced bad actors with hostile intent—the Chinese Military, the Russian mafia, corporate espionage spies, and disgruntled IT insiders.

We are in constant race between the hackers and the patchers (the IT staffers who run behind the hackers trying to fill the gaps as they learn of them). And, we are losing:

Every year cyber attacks cost the U.S. economy $226 billion.¹
Every month identity theft affects more than 33,333 American children.²
Every day up to 5 million fraudulent phishing emails are sent.³
Every three seconds someone’s identify is stolen.⁴

This needs to change.

The goal of the Cyber Secure Institute is to help bring about that change. We will do so by raising awareness of the cyber threats we face; raising the bar for cybersecurity technologies, and driving the development and deployment of truly effective—cyber secure—technologies.

¹CRS, The Economic Impact of Cyber-Attacks, April 1, 2004.

²http://www.cbsnews.com/stories/2007/05/26/scitech/pcanswer/main2855324.shtml

³http://www.antiphishing.org

⁴Cybersecurity and Consumer Data, Hearing Before the Subcommittee on Commerce, Trade and Consumer Protection, Committee on Energy and Commerce, Nov. 19, 2003.

One of the primary purposes of the Cyber Secure Institute is to drive the development of inherently secure technologies and to push the deployment of these technologies. The Institute is looking to identify technologies that qualify for certification as Cyber Secure. Technology providers are encouraged to submit technologies to us for consideration.

Membership Page

2/17/10

CSI Whitepaper by Hon. C. Thomas McMillen

Cybersecurity: The Challenge of Political and Corporate Will

Click HERE to download.

2/1/10

CSI Whitepaper by Gen. Eugene Habiger Released

Cyberwarfare and Cyberterrorism: The Need for a New U.S. Strategic Approach

Click HERE to download.

LATEST NEWS

06.16.10

PC World: Hacker: Apple iPad Simply Not a Safe Platform

Apple's reputation for security continues to take hits as hacker group Goatse Security this week accused the company of failing to patch a flaw in Safari -- known since March -- and rendering iPads susceptible to active exploits in the hundreds, if not thousands.

PC World: Hacker: Apple iPad Simply Not a Safe Platform

Sac Bee: Famous hacker suddenly finds himself infamous, in some quarters

On Thursday afternoon, Adrian Lamo sat quietly in the corner of a Starbucks inside the Carmichael Safeway, tapping on a laptop that requires his thumbprint to turn on and answering his cell phone.

06.11.10

FCW: DHS would be cyber power center under Lieberman/Collins proposal

Three senior senators on the Senate Homeland Security and Governmental Affairs Committee today introduced comprehensive cybersecurity legislation that would establish a center in the Homeland Security Department to protect the country’s computer networks, power grid and critical infrastructure from cyberattacks.

06.09.10

ValleyWag: Apple's Worst Security Breach: 114,000 iPad Owners Exposed

Apple has suffered another embarrassment. A security breach has exposed iPad owners including dozens of CEOs, military officials, and top politicians. They—and every other buyer of the wireless-enabled tablet—could be vulnerable to spam marketing and malicious hacking.

06.08.10

Korea Times: Military Leaders Warn of North Korea Cyber Attack

Military leaders called North Korea's cyber threat "real," Tuesday, and said there was a high possibility it will conduct an attack on South Korean communication networks during the G-20 Summit to be held in Seoul in November.

Krebs On Security: ATM Skimmers: Separating Cruft from Craft

ATM skimmers –or fraud devices that criminals attach to cash machines in a bid to steal and ultimately clone customer bank card data — are marketed on a surprisingly large number of open forums and Web sites. For example, ATMbrakers operates a forum that claims to sell or even rent ATM skimmers. Tradekey.com, a place where you can find truly anything for sale, also markets these devices on the cheap

Times Online: Nato warns of strike against cyber attackers

NATO is considering the use of military force against enemies who launch cyber attacks on its member states. The move follows a series of Russian-linked hacking against Nato members and warnings from intelligence services of the growing threat from China.

VIDEO

Staged cyber attack reveals vulnerability in power grid

Watch video of the DHS Aurora Project showing the vulnerability of power generators and grids through SCADA systems.

View