Anonymous, DOD Strategy, Microsoft Patch Tuesday Lead Week's Security News
In case anyone was getting a little complacent thinking that perhaps the worst of the attacks by the "hacktivist" collective Anonymous were behind us, the group had a small surprise for members of the United States military.
Anonymous breached consulting firm Booz Allen Hamilton and dumped log-in information for 90,000 military and government personnel, including US CENTCOM, SOCOM, the Marine Corps, Air Force facilities, Department of Homeland Security, Department of State and private-sector contractors. The attack, dubbed Military Meltdown Monday by Anonymous, also compromised some source code and other files.
That wasn't the only Anonymous activity, as the group released personal information belonging to biotechnology seed company Monsanto to protest its "evil business practices." Anonymous promised a wiki-like format to make it easier to sift through all the documents they stole.
In response to Anonymous' attacks and to add greater urgency to work on federal cyber-security legislation, Sen. John McCain (R-Ariz.) requested a new temporary subcommittee be established to specifically focus on data breaches against federal agencies and contractors, data leaks of sensitive government data and to reconcile various drafts of cyber-security legislation. Congressional lawmakers also heard testimony that revealed some foreign suppliers were embedding backdoors or malware in the various hardware used in consumer electronics sold in the U.S.
The Department of Defense officially unveiled its strategy for operating in cyber-space this week. The unclassified version of the strategy document listed various defensive measures the DOD would take to keep its systems and key infrastructure safe from cyber-attackers.
Some elements had already appeared in speeches by various government officials over the past few months. However, at least one high-ranking military officer, Marine General James Cartwright, vice president of the Joint Chiefs of Staff, criticized the plan for being too defensive and not having enough offensive elements.
Microsoft fixed a critical Bluetooth vulnerability and various Windows kernel bugs as part of its July Patch Tuesday update. The company released four patches-one critical and three important-fixing 22 issues in the update release. Microsoft also officially ended support for Vista Service Pack 1 and Office XP.
A PDF flaw in iOS, which allowed users of iPhones, iPads and iPod Touches to visit the JailbreakMe Website and jailbreak the device, has been closed. Apple issued a patch to close the issue, which security experts warned could have been exploited by malicious developers to compromise mobile devices by tricking users with specially-crafted PDF files.
The next major update on the radar is from Oracle as part of its quarterly CPU (critical patch update) release, which will fix 78 vulnerabilities. Oracle's CPU will be on July 19.
Cisco updated its IronPort Security products to specifically combat spear-phishing and targeted email attacks, as more cyber-criminals are increasingly relying on these tactics to compromise users. Criminals are also using the attacks to compromise user Webmail accounts such as Gmail, Hotmail and Yahoo Mail to send out spam, a report found. Instead of trying to fight back by building up botnets, attackers are finding alternative methods to send out spam, according to the report.
Verizon enhanced its cloud-based identity-management service with multiple two-factor authentication systems and digital-signing capabilities for customers to secure internal Web applications and external facing portals.