Cyber Security
 
 
Heartbleed "OpenSSL" Vulnerability
 
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
 
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
 
 
 
 
 
 
The Top 5 Security Threats to Watch for in 2014
The year's barely started, and we've already had enough data breaches at major retailers to make a barter economy seem like a good idea. Unfortunately, there are yet more security threats to look forward to in 2014. Below are some of the primary predictions from industry experts:
 
Mobile malware: 
The absence of any notoriously successful mobile exploit has lulled users into a false sense of confidence about the level of danger they face.
 
The Internet of things:  
Connected devices can make life more convenient, but they also create additional opportunities for the bad guys.
 
Virtual currencies under siege:  
Though they remain a fringe phenomenon, virtual currencies like “Bitcoin” have achieved a level of success and growth that can't be ignored.
 
Windows XP:  
The ancient operating system retains significant market share in the desktop OS category, and it powers a wide spectrum of kiosks and embedded devices. As of April 2014, Microsoft will no longer support Windows XP, which means no more patches and no more security updates.
 
More data breaches:  
The data breaches keep coming, and there's no reason to believe they will subside anytime soon. The Target debacle that closed out 2013 continues to grow in scope as the investigation continues. The original estimate of 40 million has been revised to 110 million, and now additional retailers such as Neiman Marcus are discovering that their customer data storage systems have been breached.
 
 
 
 
 
 
Hottest Security Stories of 2013
 
Data loss, privacy violations, stolen source code, malware development, and more. In hindsight, 2013 was a busy year for security professionals, as well as a costly one for the organizations and individuals targeted by criminals.

As mentioned, 2013 was a busy year for security incidents, with more than one hundred forty million (140,000,000) records compromised during the past twelve months. These losses have been blamed on everything from nation-state attacks and activists to hackers with an agenda.
 
1.  Eric Snowden – NSA classified security leaks
2.  Target Corporation – 40 Million credit cards compromised
3.  Adobe – 38 Million Users accounts compromised
4.  Bit9 – Digital certificates, digital signatures compromised
5.  Digital Activism – DDoS attacks, business slowdowns
6.  The Syrian Electronic Army – Media Attacks
7.  Watering Hole Attacks – Facebook, Twitter, Apple compromises
8.  China’s APT1 – State sponsored cyber attacks
9.  South Korea – Banking and television attacks (shut down)
 
 
  
 
 
 
Are you still running Windows XP at home?
 
On 08 Apr 2014, Microsoft will stop providing any type of security updates for Windows XP, possibly leaving your home system vulnerable and potentially putting any of your on-line personal information (such as medical records, on-line banking, on-line shopping, on-line taxes, pictures and music collections) at risk.
 
Mr. Frank Hunt, of the PWC Planning Department, has put together some very valuable information for the PWC Home users to consider as the Windows XP operating system reaches end of life. 
 
 
 
 
 
 

 

 

 

 
 
 
  
 
 
 
Contacts: Chief Information Security Officer
Phone:  703-792-7956;   703-792-7179
 


 
 

 Current Threats

 
 
Heartbleed "OpenSSL" is a bug that allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
 
 
 
CryptoLocker Ransomware is Trojan horse malware that surfaced in late 2013, a form of ransomware targeting computers running Microsoft Windows. CryptoLocker disguises itself as a legitimate attachment; when activated, the malware encrypts certain types of files stored on local and mounted network drives. The malware then displays a message offering to decrypt the data if a payment (through either Bitcoin or a pre-paid voucher) is made by a stated deadline.

CryptoLocker Ransomware Infections _ US-CERT

Internet Crime Complaint Center (IC3) _ CryptoLocker Ransomware Encrypts Use 

 

 Breaches & Incidents

 
30 Dec 2013
Affected Users: 3,500
How: Stolen Laptop
 
South Carolina Health Insurance Pool: Nearly 3,500 members may have had personal information compromised after a laptop was stolen from an independent auditor's car.
 
 
18 Dec 2013
Affected Users: 40 Million (updated to 70 million - 110+ million)
How: Malware on POS system
 
Target Corp. says that about 40 million credit and debit card accounts may have been affected by a data breach that occurred just as the holiday shopping season shifted into high gear.
 
 
16 Dec 2013
Affected Users: 18,800
How: Lost USB drive
 
State of Colorado: Nearly 19,000 Colorado state workers, both current and former, could have identity protection concerns after a state worker lost a USB or thumb drive containing their personal data, including Social Security Numbers.
 
 
13 Dec 2013
Affected Users: 1,500
How: Unsecured access
 
The Fairfax County Health Department in Virginia is sending notification letters to roughly 1,500 individuals after Bailey's Health Center – one of the county's health care clinics – inadvertently left private pharmaceutical records on an unsecured computer server.