Travel, education sectors most vulnerable to phishing

Researchers at KnowBe4 sent simulated phishing messages to more than 3,500 small and midsized enterprises and found that recipients at nearly 500 companies clicked on a link contained in the message.

Best practices for security awareness training

Security awareness training programs should be an essential part of information security endeavors, a security professional said Thursday at SC World Congress in New York.

Strained budgets cause severe security cutbacks

Due to strained budgets, some IT departments are cutting funding for technologies that would help mitigate threats they are most concerned about, according to a survey from RSA Conference, released Wednesday.

Black Hat topics include hacking parking meters, social networks

Researchers are set to discuss a wide range of topics at the annual Black Hat conference.

Security expert wants feds to recruit volunteer pen testers

One respected security researcher wants to legalize the hacking of federal government and military websites -- and he wants everyone to hear him out.

List of U.S. nuclear facilities inadvertently posted on website

In an inadvertent security breach, a document that detailed information on nuclear sites was posted on the Government Printing Office's website.

GAO report finds security lagging at federal agencies

Federal agencies continue to be lax in their implementation of information security programs, according to a new report from the Government Accountability Office.

RSA: Ramifications of converging physical and IT security

Companies should consider merging physical and information security into a converged program -- it might be challenging but it will be worth it.

RSA: Cybercriminals keeping up with banking safeguards

Customer education and a holistic security strategy are the best approaches to fight fraud within the financial services community, a panel of experts said Wednesday at the RSA Conference in San Francisco.

Children's online safety initiative announced

A new program is encouraging information security experts to educate school children about how to protect themselves online.

Despite downturn, IT security spending to increase

Management increasingly is recognizing security as a top business priority, which is resulting in higher budgets for some organizations despite the economic slowdown, according to a new survey.

Survey finds that SMBs often lack basic security

Despite being aware of the importance of security, small-to-medium-size businesses (SMBs) generally are not protecting their networks, according to a survey released Thursday by Symantec.

OWASP Security Spending Benchmarks Report published

Web application security spending is expected to either stay flat or increase, according to the first quarterly Security Spending Benchmarks Report published Thursday by the Open Web Application Security Project.

Web apps account for 80 percent of internet vulnerabilities

Vulnerabilities in web applications made up 80 percent of all web-related flaws in the second half of 2008 and rose in prevalence by about eight percent from the first half of the year.

InfoSec: Cybersecurity expert says preparation key to business survival

The world is more interconnected than ever before, so security pros have opportunities to make a difference in their enterprises, a former White House cybersecurity adviser told a group of CSOs.

Senate report calls for new U.S. cybersecurity effort

A new report released this week by the U.S. Senate's Homeland Security and Governmental Affairs Committee calls for a concerted national effort to overcome cybersecurity threats to the United States.

Data Privacy Day celebrates the safeguarding of information

Companies around the globe are recognizing the second annual Data Privacy Day on Wednesday with seminars and other events aimed at educating users and generating discussion around the topic.

NIST releases draft guidelines for data protection

NIST this month released draft recommendations that federal agencies -- and their contractors -- should follow to protect the confidentiality of personally identifiable information.

Public and private sectors join in cyberattack simulation

A simulation this week demonstrated the need for better collaboration among public and private security groups.

Amero will not face new trial in teacher porn case

The former Connecticut substitute teacher who was accused of exposing middle-school students to internet pornography has avoided prison time and a new trial.

French President Sarkozy's bank account hacked

Security professionals weigh in on what may have caused the most recent high-profile personal account breach -- this one involving French President Nicolas Sarkozy.

Study: Hotel network security lacking

Hotel guests across the country could be connecting their laptops to an insecure connection, a new study concludes.

New certification to stress software lifecycle safety

The movement to create secure software received a boost with the launch of a new certification from (ISC)2, called the Certified Secure Software Lifecycle Professional, designed to validate secure software development practices.

Floods, tornadoes may encourage internet trickery

The deadly twisters that ripped through Kansas this week and the historic floods sweeping across the Upper Midwest will soon give rise to donation scams and malicious attacks, the SANS Storm Center warned on Friday.

Bank of New York Mellon loses data on 4.5 million

Three months after an unencrypted backup tape goes missing, 4.5 million Bank of New York Mellon customers are notified their identities may be at risk.

NSA's website outage due to lack of topological "diversity"

An easy-to-fix -- but often overlooked -- problem most likely took the National Security Agency's website and its mail services down for six or seven hours on Thursday.

Ten universities join information assurance program

The National Security Agency (NSA) on Thursday announced that 10 new colleges have been designated National Centers of Academic Excellence in information assurance.

From Interop: Be mindful of vendors' motives

IT security vendors' sole purpose is to generate revenue -- not offer complete security -- and they will only create solutions to stop dangerous threats when they are incentivized to do so, the principal security strategist for IBM Internet Security Systems said Wednesday at Interop in Las Vegas.

From RSA: Criminal underground is flourishing

An underground economy has emerged in which cybercrooks are leveraging freely available tools, sophisticated methods and a chain of specialization that resembles a real corporation to pull off massive digital heists, according to an RSA Conference panel on Wednesday that examined the modern online criminal ecosystem.

From RSA: Forensics tools, techniques aid e-discovery investigations

E-discovery investigations can look into the alleged wrong-doings of a terminated employee and/or provide electronic records for use in corporate litigation, a lead forensics investigator told RSA Conference attendees on Wednesday.

Americans feel safe online, says poll

An overwhelming majority of Americans claim to feel safe online, according to a recent poll.

Facebook privacy flap should spark concern for business

A security and privacy breach that made personal Facebook photos available to unwelcome visitors could have had real consequences for businesses, experts said.

Breach of Britney Spears patient data reported

Reports this week that the UCLA Medical Center has moved to fire 13 employees and suspended six others for unauthorized access to confidential medical records of pop star Britney Spears are a sign that training and regulations may not be working in some hospitals, experts told SCMagazineUS.com.

Cyber Storm II exercise shows improvement in preparedness

The Department of Homeland Security's second massive cybersecurity exercise has revealed improved preparedness across IT infrastructures and government agencies, compared to the first "Cyber Storm" in 2006, according to the acting director of DHS's National Cybersecurity Division.

Student loan company settles with FTC over data mishandling

A student loan company has settled with the Federal Trade Commission over charges it did not offer reliable security for its customers' personal information.

Survey: IT security employees in demand, but skills lack

There is a wide gap between IT security skills that organizations need and the skills IT professionals bring to the job, according to a new survey by the Computing Technology Industry Association (CompTIA).

FrSIRT finds flaws in MySQL

Researchers at a French security organization have uncovered a number of security vulnerabilities in the MySQL database application, the open source software used to support many Web 2.0 applications.

Mac OS X attacks to become more common, say 93 percent of survey respondents

An overwhelming majority of end-users surveyed believe Apple's Mac platform will be more widely targeted by cybercriminals in the future.

Attacks on health care organizations up 85 percent

Attempted cyberattacks on health care organizations have increased 85 percent in the past year, according to SecureWorks, a software-as-a-service vendor.

Microsoft releases 11 patches, six critical

Microsoft on Tuesday released 11 patches fixing 17 vulnerabilities - six of them "critical" - but failed to patch an exploited flaw in Microsoft Excel revealed last month.

Cyberattackers may have personal information of MLSgear.com shoppers

The personal information of an unknown number of customers of Major League Soccer's (MLS) online clothing store may have been accessed by cyberattackers last year.

Technology, media firms overconfident, unprepared for breaches: Deloitte survey

Media, technology and telecommunications industries are overconfident in their security postures and ill-prepared to handle breaches, according to a survey conducted by consulting firm Deloitte Touche Tohmatsu.

News Briefs: Bhutto death exploited

Malware authors exploited the assassination of former Pakistani Prime Minister Benazir Bhutto to spread malware. Attackers set up fake blogs and webpages, which claimed to have rare video of Bhutto's death.

Company news: Cohen named Steelbox president and CEO

Brian Cohen has been named president and chief executive officer of Steelbox Networks

Rogue trader conceals fraud costing French bank $7 billion

A rogue trader at Societe Generale used his knowledge of the French bank's computer security system to conceal fraudulent transactions that resulted in losses of more than $7 billion, the bank has confirmed.

Microsoft: Vista safer in first year than other operating systems

Microsoft defended the security posture of its Vista operating system (OS) this week, claiming the platform has had a safer first year in terms of vulnerability management than any of its competitors.

FERC approves cybersecurity standards for power grid

The Federal Energy Regulatory Commission (FERC) today approved eight mandatory cybersecurity standards that extend to all entities connected to the nation's power grid.

Malware up 800 percent in 2007, says Panda

The amount of malware captured last year increased by 800 percent over 2006, researchers said this week.

House Oversight panel slams TSA for lax website security

A Congressional committee has slammed the Transportation Security Administration (TSA) for giving a no-bid contract to a website developer that failed to implement cybersecurity procedures to protect the personal information of travelers.

Former Cox employee who shut down 911 gets jail time

A former Cox Communications employee has been sentenced to five months in federal prison for remotely shutting down portions of the company's system -- including 911 emergency services -- after being asked to resign his position.

GAO: Lax IRS cybersecurity puts taxpayer data in danger

Government auditors this week slammed the Internal Revenue Service's (IRS) cybersecurity infrastructure, saying the agency's lax response to previous recommendations has left taxpayer data at "increased risk of unauthorized disclosure, modification or destruction."

Former New Jersey systems administrator gets 30 months in prison for 'logic bomb'

A New Jersey man this week was sentenced to more than two years in prison for planting a "logic bomb" on the network of his former employer in a failed attempt to destroy sensitive health care data.

News Briefs: MySpace celebs' pages hacked

The latest IT security news events.

NIST: Fed agencies should mount penetration attacks

In the final draft of its upcoming security guidelines for protecting federal information systems, the National Institute of Standards and Technology (NIST) is recommending that federal agencies conduct regular penetration tests to determine whether their networks can be breached.

Cisco says criminals may buy Storm botnet use in 2008

In its inaugural report on the overall state of internet security, Cisco is predicting bigger attacks in 2008 from the Storm botnet as its creators let criminals buy the use of Storm's millions of zombie computers to launch massive spam or DoS attacks.

Finalists for 2008 SC Magazine Awards announced

SC Magazine has announced the finalists for the 2008 SC Awards. The awards presentation dinner will be held April 8, 2008, in San Francisco, Calif.

Attackers hack into Oak Ridge National Laboratory

A targeted assault of phishing emails opened the door for hackers to glean the sensitive information of up to 12,000 visitors to the Oak Ridge National Laboratory, officials said Thursday.

SC Magazine launches IT Security and Finance microsite

Several other industry-specific microsites are scheduled to follow the financial vertical page.

Steelbox Networks names former SPI Dynamics leader new CEO; LogLogic taps former SurfControl chief to lead

Vendors LogLogic and Steelbox Networks today announced the appointment of new chief executives -- both former leaders of recently acquired security providers.

Microsoft releases advisory for Web Proxy Auto-Discovery flaw

Microsoft today warned PC users of a flaw in Windows that occurs when the operating system or Internet Explorer (IE) tries to find a Web Proxy Auto-Discovery (WPAD) server.

Company news

The latest from the boardrooms of the IT security industry.

News briefs: Rockies rocked

The Colorado Rockies baseball club blamed a cyberattack for downing its online ticket sales operation before the World Series in October. The Rockies lost to the Boston Red Sox in four games, but their website was back up and running before the event. Both home games in Denver sold out. Experts said the incident resembled a distributed denial-of-service attack.

McAfee report: Cyberespionage to be a top 2008 national security threat

A rise in international cyberspying will pose the most significant threat to the national security of the United States in 2008, according to a report from anti-virus vendor McAfee.

TJX agrees to $41 million settlement with Visa

Embattled retailer TJX Companies - the parent of TJ Maxx, Marshalls and other well-known outlets - has agreed to a nearly $41 million settlement with Visa.

Gartner analyst: identity theft a bigger problem than FTC study indicates

A Federal Trade Commission (FTC) report, which indicates that identity theft among Americans is down, is flawed, according to a Gartner analyst who reported significantly different findings earlier this year.

Webroot acquires U.K.-based SaaS vendor Email Systems

Webroot Software, best known for its Spy Sweeper anti-spyware product, is moving into the software as a service (SaaS) market via the acquisition of U.K.-based Email Systems.

Attackers use search-engine optimization to hijack prominent terms

Cyberattackers have hijacked thousands of search terms on Google, leading end-users to unexpected malware installations.

Cyber Monday: the heaviest online shopping day on record

This year's Cyber Monday -- called the largest online shopping day on record by experts -- passed without a major incident.

SANS Institute Top 20 highlights client-side risks

This week's news that Apple's QuickTime media player contains a new and "extremely dangerous" flaw served as a perfect lead-in to the release of the latest SANS Top 20, which lists client-side vulnerabilities among the most dangerous threats facing end-users.

Mozilla fixes three Firefox bugs

Mozilla on Tuesday patched three security holes in its Firefox web browser and SeaMonkey cross-platform suite.

Online shopping season promises convenience...and cybercrooks

Monday marks the unofficial start to the online holiday shopping season, and while experts are predicting record-breaking internet sales this year, security researchers are warning that criminals will be prowling cyberspace more than ever before.

Reports show October spam increase

October was a scary month for IT administrators in charge of filtering spam, according to a pair of reports from messaging security firms.

Apple distributes Leopard update

Apple this week released three patches for OS X version 10.5 -- widely known as Leopard -- fixing issues in Application Firewall.

Windows Live OneCare 2.0 available for download today

Microsoft has made the second generation of its desktop anti-virus suite available for download today; CD-issued copies of the program will be available next week.

Apple releases monster patch bulletin for OS X

Apple on Wednesday released security updates for Mac OS X and Safari Beta 3, patching nearly 50 vulnerabilities.

Computer Economics survey: 2008 IT spending to be 'anemic'

An uncertain economy is likely to negatively impact IT spending next year, especially within large enterprises, according to a new report from Computer Economics.

Cisco survey: Spyware, bots top security issues for government IT professionals

Day-to-day worries about spyware and bots are the No. 1 security concern of IT professionals working for the agencies of the federal government, according to a study released today by Cisco Systems.

Former DuPont scientist gets 18 months in jail to close out $400 million corporate espionage case

Gary Min, the former DuPont scientist who admitted stealing more than $400 million in trade secrets, has been sentenced to 18 months in prison.

Al Qaeda cyber-jihad threat dismissed by researchers

McAfee told organizations not to lose any sleep over reports that al Qaeda would target Western websites in a mass-cyberattack this Sunday.

Trojan targets Mac users

Apple users, your days of worry-free web surfing could be numbered. A Mac internet security and privacy software maker has discovered what is believed to be the first professionally crafted in-the-wild malware targeting the Mac operating system.

2 minutes on...ethical hacker kits on sale

The "ethical hacker toolkits" recently posted for sale on eBay appear to point to a dangerous trend: selling these types of tools — used primarily for penetration testing of applications and servers — on mainstream auction sites increases everyone's security risks.

Company news

The latest happenings in the boardrooms of the IT security world.

News briefs

Clothing retailer Gap Inc. revealed that a laptop containing the Social Security numbers of 800,000 job applicants was stolen from a third-party vendor. The laptop contained info of job applicants who applied to the company's Old Navy, Banana Republic, Gap and Outlet stores. The vendor, not identified by Gap, contacted law enforcement authorities about the breach. The data was not encrypted.

Microsoft warns of attacks on Windows URI, URL handling flaw

Microsoft warned Thursday of limited attacks using third-party applications to exploit a Windows flaw.

Trend Micro acquires Provilla

Anti-virus provider Trend Micro today announced the acquisition of Provilla, a data-loss prevention vendor.

SC Magazine survey - Preventing a data breach

A legion of data exposures have occurred over the past year, with many affected companies not only being forced to address customer and investor concerns, but also pay fines and adhere to prolonged sets of requirements administered by the Federal Trade Commission. So just how is news of such breaches, exposures and possible thefts affecting the way organizations -- large and small -- focus on information security plans?

WhiteHat: 90 percent of websites vulnerable to attack

Nine out of 10 websites have vulnerabilities open to attack, according to a new report by WhiteHat Security.

Information Security Forum releases free best practices standard

A nonprofit IT security group today announced the availability of its updated Standard of Good Practice, a free benchmark that organizations can use to assess and reduce risks related to information systems.

CompTIA: Security spending to consume more of the IT budget pie

Spending on security technology, training, assessments and certification, which accounted for a fifth of IT budgets last year, will eat up an increasingly large part of IT spending, according to a report from the Computing Technology Industry Association (CompTIA).

SecureWorks: 90 percent increase in attackers targeting utilities since May

Researchers at SecureWorks have reported a 90 percent increase in attackers caught targeting utilities during the past five months.

Homeland Security newsletter error leads to flood of unwanted emails

An error in the distribution process of one of the U.S. Department of Homeland Security’s (DHS) newsletters led to a flood of unwanted email messages this week.

California man arrested for botnet attacks on CastleCops, KillaNet

A California man was arrested this week on charges that he attacked organizations, including the anti-phishing community CastleCops, with botnets.

Former Homeland Security Secretary Ridge launches security consultancy

Former U.S. Secretary of Homeland Security Tom Ridge has formed his own private security consulting firm.

Much work to be done as National Cyber Security Awareness Month begins

A joint McAfee and National Cyber Security Alliance study, released today to kick off National Cyber Security Awareness Month, reports that while 98 percent of 378 respondents believe keeping security software up to date is important, less than half - 48 percent - of their computers had not been updated in the past month.

Company news

The latest happenings in IT security's boardrooms.

Former Cox Communications employee pleads guilty to hacking company network

A Georgia man, asked to resign from his job at Cox Communications, pleaded guilty on Wednesday to hacking into his former employer's network and shutting down telecommunications services, including 911 numbers in major U.S. cities.

nCircle: Few punish security policy violators

Despite growing concern about data breaches, 51 percent of IT professionals surveyed by network security vendor nCircle said their organizations do not have clear consequences for policy violations.

ABN Amro suffers p2p data breach

A former employee of Citi's ABN Amro Mortgage group leaked the personal information, including Social Security numbers, of more than 5,000 customers via a peer-to-peer (p2p) file-sharing network.

Ethical hacking courses for sale on eBay

Ethical hacking kits, which provide a variety of tools for penetration testing, password theft and guides to virus development, are being sold on eBay.