Think Information. Think Security.
While hacking is often seen as an outlet for criminality, terrorism and protest in equal measures, perhaps 2012 saw teenage angst join the list of reasons to scan for network exploits and vulnerabilities. Just ask the 15-year-old Austrian boy who broke down in front of police this April when asked why he’d hacked into 259 company websites in the space of 90 days earlier this year.

His efforts – which saw him stealing masses of company data from businesses around the globe – were an attempt to impress friends in an online hacking forum. To be fair, the fact that Europol was investigating his activities before he’s even legally allowed to have a drink should reward him with a reasonable amount of respect among his peers.

Security experts have long subscribed to the idea that good security comes from “Defense in Depth”. This principle describes ways in which layers of protection or security controls are placed on top of each other to provide different levels of protection for sensitive information. Unfortunately, most experts would agree that the weakest link in the information security chain is ‘people’. One of the vectors of attacking this ‘human layer’ of security is through Social Engineering.

Social Engineering is defined as “any act that influences a person to take an action that may or may not be against their best interest” (source “The Definitive Guide to Complying with the HIPAA/HITECH Privacy and Security Rules”, CRC Press, 2012).  We see Social Engineering in multiple areas of our daily lives such as through advertisements, marketing, parenting, teaching, mentoring, etc.  In most cases, attempting to influence behavior in a positive way is a good thing; however, when this influence is done in a negative manner or with malicious intent, it can lead to a compromise or other devastating consequences.

IT and information security is a business enabler, said Peter Wenham, a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management. However, this seems not to be a generally held view, but why would this be so?

For Peter, the information security professional in a company is not getting this message across to those that matter, partly because those individuals are not seen as professionals in the way accountants or lawyers are; and partly because those in the infosec role are not able to effectively communicate with the board and senior management. This line of thinking leads to infosec being treated as a secondary issue and not staffed as a full-time function or even defined as a unique role. It would help a great deal if infosec were covered in management training in the first place.

Information security has never been so important, with cybercrime, industrial espionage and denial of service attacks, not to mention employees losing laptops containing customer details and intellectual property. However, there is an in-built tension between the corporation and its employees.

IT managers should always be careful to ensure that the technology they provide to their users is efficient, effective, robust and secure. These are all important attributes that take time to evaluate, implement and test. As a result, the evolution of corporate computing and mobility has necessarily been slow.

The problem is that computers and mobile devices have evolved more rapidly, increasing in functionality and ease-of-use, and coming down in cost. Workers bought them for their own use, realised how much more productive they were than the office devices and demanded to use them for work.

It’s been fashionable in military circles to talk about cyberspace as a “fifth domain” for warfare, along with land, space, air and sea. But there’s a sixth and arguably more important warfighting domain emerging: the human brain.

This new battlespace is not just about influencing hearts and minds with people seeking information. It’s about involuntarily penetrating, shaping, and coercing the mind in the ultimate realization of Clausewitz’s definition of war: compelling an adversary to submit to one’s will. And the most powerful tools in this war are brain-computer interface (BCI) technologies, which connect the human brain to devices.

Outside the body, recent experiments have proven that the brain can control and maneuver quadcopter drones and metal exoskeletons. How long before we harness the power of mind-controlled weaponized drones – or use BCIs to enhance the power, efficiency, and sheer lethality of our soldiers?

With increasing reliance on collaboration tools to improve information management in regulated industries -- such as financial services, healthcare and construction -- organizations must demand the highest levels of security from their external service providers in order to avoid data breaches and other incidents. Focusing on the physical data center that hosts the online collaboration service provider’s application isn’t enough.

When you become a service provider’s client, your proprietary information can be found not only in the hosted infrastructure, but also across multiple areas within the provider’s business. CRM applications, development environments, helpdesk applications, and other domains may move your information to users in multiple office locations. All of this sensitive information may be at risk without robust security management processes and procedures -- not only in the data center, but also within the service provider’s business.

Hackers who used the Shamoon worm to attack oil giant Saudi Aramco were bent on halting its fuel production, according to the company and Saudi government officials.

The attack on Saudi Aramco — which supplies a tenth of the world’s oil — failed to disrupt oil or gas output even though it infected 30,000 computers and crippled the national oil company's electronic networks. In a press conference on Sunday, Saudi officials blamed unnamed foreign groups for orchestrating the digital assault. Interior ministry spokesman General Mansour al-Turki said a joint investigation between the government and the oil giant concluded that an "organised group launched the attack from outside the kingdom and from different countries", Saudi news agency Al Arabiya reported.

Hacking group Team Ghostshell Monday announced its latest string of exploits, as well as the release of 1.6 million accounts and records gathered as part of what it has dubbed Project WhiteFox. The hacked organizations allegedly include everyone from the European Space Agency (ESA) and the Japan Aerospace Exploration Agency (JAXA), to the Department of Defense and defense contractor L-3 Communications.

The resulting data that was copied and released by Team Ghostshell, and which largely appears to be in the form of server database tables, spans over 140 separate uploads -- all mirrored to multiple sites. Seventeen of those uploads relate to data grabs allegedly obtained from the Credit Union National Association (CUNA), which bills itself as "the premier national trade association serving credit unions." Team Ghostshell said the related data dump puts "over 85 mil. people at risk," while noting that "we've keep (sic) the leak to as little as possible." As of press time, CUNA's website was offline.

A new wave of spam campaigns is dispensing "Gameover," the only banking trojan in the Zeus family to use peer-to-peer (P2P) communications to hide its activities.

The threat of the malware has become even more pervasive now that criminals are using Cutwail, the world's largest spam botnet, to deliver malicious emails containing Gameover. The spam is made to look like messages from top U.S. banks, researchers at Dell SecureWorks Counter Threat Unit (CTU) found, with the hopes of luring users into clicking attached PDF files.

Brett Stone-Gross, a senior security researcher, said Wednesday that the botnet consists of about 200,000 compromised PCs distributing Gameover, which has resulted in more than half a million infections.

Twitter users who post tweets to their feeds via SMS could be vulnerable to a security flaw, according to a security consultant. Jonathan Rudenberg yesterday posted to his blog an SMS vulnerability he discovered in Twitter that allows anyone who has knowledge of someone's mobile number to post tweets to that person's feed.

In order for the vulnerability to be exploited, victims must have SMS tweeting authorized on their accounts. From there, the would-be poster needs only to spoof their actual mobile number through an SMS gateway -- something Rudenberg says can be done very easily -- and then post a message. Twitter also lets folks change profile settings through SMS, leaving that information open to hacking as well.
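As an added illustration (not code from Rudenberg's post or from Twitter), here is a simulated inbound-SMS command handler. The first function authenticates a message only by its sender number, which is exactly the trust the flaw above abuses, since that field is forgeable through an SMS gateway; the second assumes a hypothetical per-account PIN that must accompany each command, so a forged sender number alone is no longer enough. Accounts, numbers and PINs are constructed sample data.

```python
"""Simulated SMS-to-post handler: sender-number trust vs. sender number plus a PIN."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import hmac


@dataclass
class Account:
    handle: str
    phone: str                     # number registered for SMS posting
    sms_enabled: bool              # victim must have SMS posting turned on
    sms_pin: Optional[str] = None  # hypothetical per-account secret (assumption)
    timeline: List[str] = field(default_factory=list)


def make_accounts() -> Dict[str, Account]:
    """Constructed sample accounts keyed by registered phone number."""
    return {
        "+15550000001": Account("alice", "+15550000001", True, "4821"),
        "+15550000002": Account("bob", "+15550000002", False, "7730"),
    }


def post_trusting_sender(accounts: Dict[str, Account], sender: str, body: str) -> bool:
    """Vulnerable design: the spoofable sender number is the only credential."""
    acct = accounts.get(sender)
    if acct is None or not acct.sms_enabled:
        return False
    acct.timeline.append(body)   # anyone who forges 'sender' can post here
    return True


def post_with_pin(accounts: Dict[str, Account], sender: str, body: str) -> bool:
    """Hardened design: message must be '<pin> <text>' and the PIN must match."""
    acct = accounts.get(sender)
    if acct is None or not acct.sms_enabled or not acct.sms_pin:
        return False
    pin, _, text = body.partition(" ")
    # Constant-time comparison so the PIN check does not leak via timing.
    if not text or not hmac.compare_digest(pin.encode(), acct.sms_pin.encode()):
        return False
    acct.timeline.append(text)
    return True
```

The PIN is only a demonstration of adding a second factor the gateway cannot forge; a real deployment would also rate-limit and log failed attempts per account.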