There is growing talk of cyberwar, as opposed to run-of-the-mill cybercrime. There are also terms that lie somewhere in the middle, like cyber espionage and cyber hacktivism--which is sort of like cyber terrorism for good guys. At the heart of the debate is an attempt to define the scope of an appropriate response to each type of threat.
In his book Cyber War: The Next Threat to National Security and What to Do About It, former U.S. cyber-security tsar Richard Clarke describes scenarios of nationwide power blackouts, poison gas clouds and burning oil refineries, aircraft dropping from the sky and crashing subways. Those are the types of attacks that would seem to clearly indicate an act of cyberwar, but there are also many nuanced attacks in between that muddy the waters.
While you struggle to figure out whether your significant other would rather have jewelry, chocolate, flowers, or all of the above, Microsoft has an entirely different view on what to give for Valentine’s Day. Although we’re nearly halfway through the month, it just so happens that today is the second Tuesday of February--and that means it’s Patch Tuesday.
As predicted in its Patch Tuesday preview last week, Microsoft released a total of nine new security bulletins today. Four of them are rated as Critical, and the remaining five are Important. I got some input from security experts to help you understand which updates are most urgent, and enable you to prioritize your patch management resources accordingly.
Andrew Storms, director of security operations for nCircle, doesn’t appreciate the show of love from Microsoft. He laments the lack of candy hearts, and stresses that users should pay particular attention to the Internet Explorer update—which applies to all versions of IE this month. “Typically, we expect newer versions of IE to be a little safer but that’s not the case this month.”
Next Tuesday is a big deal. Yes, it is Valentine’s Day, but that’s not what I’m talking about. It is also the second Tuesday in the month of February, which makes it Patch Tuesday. Microsoft revealed today that there are nine new security bulletins slated for next Tuesday. Happy Valentine’s Day?
Of the nine security bulletins, four are rated as Critical and the remaining five are all Important. Based on the limited information Microsoft shares in the Patch Tuesday preview, the security updates impact Windows, Internet Explorer, Microsoft Office, the .NET framework, Silverlight, and Microsoft Server software.
Qualys CTO Wolfgang Kandek declares in a blog post that the Internet Explorer update should get urgent attention. “There is the expected critical update to Internet Explorer which should be highest priority. After all, we saw last month how quickly attackers are incorporating browser based attacks into their toolkits; an exploit for MS12-004 was detected a mere 15 days after Patch Tuesday.”
There are only five days to Valentine’s Day. Those of you who are shocked by that revelation are prime targets for Valentine’s Day-related spam and phishing attacks as hackers hope to catch you with your guard down for this day of romance.
Messages targeting Valentine’s Day are expected to quadruple globally in the coming days – in part because cyber criminals are adept at targeting holidays and current events as bait for attacks. An offer for a dozen roses for $5 might get some traction any time of the year, but with the clock quickly counting down to Valentine’s Day it has much higher odds of duping frantic lovers in search of a last-minute gift.
A blog post from McAfee warns, “Many consumers look for a little romance on Valentine’s Day, whether it is a thoughtful gift, a romantic getaway, or a heartfelt e-card, but if you’re looking for these things online, beware.”
“Do Not Track” technologies have become an increasingly standard part of the Internet today, offering users a variety of ways to protect their privacy as they surf the Web.
Yet while there are numerous anti-tracking tools out there to help users avoid being tracked--both within the leading browsers and as extra add-ons--many of them are browser-specific, confusing, or just plain difficult to use, according to a Carnegie Mellon University report from last fall.
A free new tool released on Thursday was built specifically to address many of the concerns raised in that study and to go well beyond what standard private browsing modes can do. It's called Do Not Track Plus, and it works seamlessly with Internet Explorer, Firefox, Chrome, and Safari; not only that, but it can increase page load speeds by up to four times, its maker says.
Hard on the heels of the controversy that arose recently around Symantec and its claims that numerous apps on the Android Market were actually malware in disguise, Google on Thursday unveiled a new tool to help it identify malicious apps.
Symantec subsequently recanted its assertions, of course, but in the meantime there's now a service called “Bouncer” that aims to keep the Android Market free of malware by quietly and automatically scanning it for questionable apps.
“Today we’re revealing a service we’ve developed, codenamed Bouncer, which provides automated scanning of Android Market for potentially malicious software without disrupting the user experience of Android Market or requiring developers to go through an application approval process,” wrote Hiroshi Lockheimer, vice president of engineering for Android, in a Thursday post on the Google Mobile Blog.
VeriSign – the company behind the root DNS servers that provide the foundation for the Web, and formerly the largest encryption certificate authority – has revealed that it was repeatedly hacked in 2010. Details are sparse thus far, but the revelation calls into question the security of the Internet itself.
Let’s start with what (little) we know. The disclosure did not happen as a result of VeriSign discovering the breach and taking responsible, proactive action to alert customers and address the situation. No, VeriSign buried the information in a quarterly Securities and Exchange Commission (SEC) filing as if it were just another mundane tidbit.
IT staff at VeriSign allegedly discovered the compromise in 2010, but hid the incident from upper management until sometime in 2011. VeriSign itself may not be at fault for the initial delay in disclosure, but it appears that a significant amount of time has passed since VeriSign executives learned of the breach, and yet the company still tried to sneak the information covertly into an SEC filing.