Five-Year Cyber-Spying Campaign, Black Hat, Lead Week's Security News

The past week's top IT security news stories include the Black Hat security conference in Las Vegas, Microsoft's BlueHat contest, Patch Tuesday preview, and a five-year international cyber-attack that security experts suspect was directed by China.

McAfee researchers announced it had uncovered a massive phishing and information-stealing operation that affected more than 72 international organizations over the past five years. Dubbed Operation Shady RAT, the attackers launched phishing attacks and, once an employee was compromised, piggy-backed through the corporate network to steal information, McAfee said.

Even though McAfee identified 72 victims, it expects the number of victims to be in the "thousands." The announcement echoed a different report from Cisco which found that attackers were increasingly using malware as advanced persistent threats against enterprises.

The research presented at the Black Hat security conference over the years has gone a long way towards making organizations and government agencies more aware of cyber-threats, Jeff Moss, founder and director of Black Hat, said as he kicked off the conference. Calling Black Hat a "a crystal ball," Moss said organizations could get a good idea of what kinds of threats would be coming in the future.

A former U.S. Central Intelligence Agency counter-terrorism official warned Black Hat attendees that a major cyber-attack on the scale of 9/11 was imminent. He said security experts have to warn "top government decision makers" of the threat, but they may not be believed or taken seriously at first. He compared the current threat climate to the mid-1990s when al-Qaida was gaining strength and all of the top government officials dismissed the warnings.

Black Hat attendees in Las Vegas saw hackers demonstrating various exploits and vulnerabilities, including how off-the-shelf facial recognition technology could be used to identify people against a database of photos pulled from Facebook profiles. Carnegie Mellon University researcher Alessandro Acquisti downloaded compared photos from anonymous dating sites against Facebook profiles, as well.

An official from the Defense Advanced Research Projects Agency announced the new Cyber-Fast Track project which will fund 20 to 100 new cyber-security projects. The projects should be small, quick to execute and ideally something that would benefit the military, Peiter Zatko, currently a program manager for the agency's information innovation office, said in his keynote speech. The goal was to fund independent security researchers to channel their energies towards ways that would make the Internet safer, Zatko said.

Microsoft was thinking along the same lines when it unveiled the BlueHat prize, a contest with $250,000 in cash prizes, for researchers with new runtime mitigation technologies. Microsoft hoped to encourage security researchers to work on defensive projects that would help protect users from exploits targeting memory vulnerabilities. The grand prize winner would receive $200,000 and the second prize was for $50,000.

Microsoft also announced that next week it would send out a medium-size Patch Tuesday, with 22 vulnerabilities fixed across 13 bulletins. Flaws in Internet Explorer, Windows, Visio and Visual Studio will be fixed.

"Spam king" Sanford Wallace, indicted in July for phishing half a million accounts on Facebook and sending 27 million spam messages in 2008 and 2009,voluntarily surrendered to the Federal Bureau of Investigation Aug. 4. Charged with multiple counts of fraud, three counts of intentional damages to a protected computer and two counts of criminal contempt, Wallace was released on $100,000 bail. If convicted on all counts Wallace could serve anywhere from 16 to 40 years in prison and pay $2 million in fines.

Citigroup's Japanese credit card unit reported that personal information belonging to about 92,400 customers was stolen and sold to a third-party. Unlike the previous data breach where hackers attacked Citigroup through a Website vulnerability, this incident involved an employee of a company Citigroup outsourced business to. Stolen information included account numbers, names, addresses, phone numbers, dates of birth, gender and the date the account was opened.