"Software can be written that will allow only authorized users to open files containing valuable information," the report said. "If an unauthorized person accesses the information, a range of actions might then occur. For example, the file could be rendered inaccessible and the unauthorized user's computer could be locked down, with instructions on how to contact law enforcement to get the password needed to unlock the account."

The reason this is controversial is because it is essentially an inversion of scareware and ransomware attacks that scammers have been using against unassuming consumers and businesses for some time. The commission propose these messages appear to be from law enforcement, which scareware does as well, according to Keizer. 

That recommendation drew some ire from critics such as Lauren Weinstein, the co-founder of People For Internet Responsibility, who said that she didn't know what the panel was thinking. She added that such rogue tactics could do a lot of collateral damage to innocents, as many would no longer be able to tell the difference between this and the scareware already in the wild. 

"I could get into a lot of technical details about this, but we can just cut to the chase for now: the whole concept is utterly insane, and frankly calls into question the competency of the commission in general," she wrote. "With our own commissions coming up with idiotic, dangerous nonsense like this, we may have more to worry about from their kind of thinking than from the 'cyber-crooks' themselves."

Christian Mairoll, CEO of Austrian anti-malware firm Emsisoft, told InformationWeek that there is no such thing as good malware, and this is no exception. While government and corporate IP theft is a serious problem, Mairoll said state-sponsored malware would lead to even greater international issues. In fact, he said his firm would never whitelist any malware, whether it is sanctioned by the government, the entertainment industry or any other legitimate sources.

Security News from SimplySecurity.com by Trend Micro.

According to the governor's website, 308 letters were sent to the state's largest insurance providers. The letters let these organizations know how important it was to keep the information safeguarded.

"The extraordinarily sensitive health, personal, and financial information that New Yorkers entrust to their insurance companies is a virtual treasure trove for hackers," Cuomo said. "We're intensely focused on making sure that banks have the protections in place they need, but we always have to keep at least one eye on the lookout for the next big threat. It's vital that we stay ahead of the curve on cyber security because we know hackers aren't going to give us any breathing room."

Letters sent out to these companies ask for information on any attacks the company has experienced in the past three years, the security safeguards the organization has in place, data governance policies in effect, amount budgeted for security tools and internal reporting procedures. Benjamin M. Lawsky, superintendent of financial services and co-chair of the Governor's Cyber Security Advisory Board, said the security at these companies gets overlooked far too often and there needs to be work done to ensure residents are protected from any hacking or attack that might take place.

Companies that received inquiries included AIG, Allstate, Guardian Life, Humana, Nationwide and many more.

The potential for a giant security breach was showcased by the 1.1 million individuals that fell victim to an October hacking of Nationwide Mutual Insurance Company. Even some who had simply looked for an insurance quote had their information stolen, according to NBC News, as names, Social Security numbers, drivers license numbers and birth dates were stolen from the company's network.

"At this time, we have no evidence that any medical information or credit card account information was stolen in the attack," the company explained to customers after the breach. "We promptly reported this criminal attack to law enforcement authorities, who are actively investigating the incident."

To avoid future instances of cyber security breaches, New York's initiative can be a positive step. 

Security News from SimplySecurity.com by Trend Micro.

"We know our customers want and expect strong privacy protections to be built into our products, devices and services, and for companies to be responsible stewards of their data," a representative for the company told Kotaku. "Microsoft has more than ten years of experience making privacy a top priority. Kinect for Xbox 360 was designed and built with strong privacy protections in place and the new Kinect will continue this commitment. We'll share more details later."

Thus far, the privacy and security details have not been shared, so users and security experts alike will be left to guess how safe this machine will be for those who want a larger level of privacy with their video gaming.

Microsoft must answer privacy concerns
Venturebeat community writer Ethan Gach said the Xbox One prompts several questions that users will need to ask prior to purchase. This is the first time a company will essentially have a camera and microphone into user's homes, something that may put many off if their concerns are not addressed. This is something that will likely be an issue with other technology of this ilk, Gach said, as Nintendo and Valve have also discussed implementing technology like this in the future.

The first question Gach said users must ask is what the machine can record while it is on.

"Yes, Microsoft has confirmed that the new console can be turned off. Unfortunately, that tells us nothing about what the console will be capable of recording through the Kinect during the rest of the time," he said, echoing the concerns of many who know the tribulations big data can bring if not properly protected. "Will there be a settings menu where users can go to decide precisely which parts of the Kinect's functionality will be left on at any given moment? Will it be possible to use the device's sound and movement capabilities without that information being 'live' and accessible by Microsoft?"

Microsoft cannot claim there will simply be adjustable privacy settings, as Gach said it is too fresh in the minds of users that devices like iPhone was storing a lot of user data unbeknownst to those who own the device. Users must know what kind of information will be collected about them and what it will be use for, as depending on the data, the company has a lot to gain and its customers have a lot to lose.

Other questions Gach had included:
- Is information linked to specific Xbox One accounts or will it be incorporated into broader Microsoft profiles? Microsoft accounts?
- What will the privacy setting defaults be? How can they be altered?
- Will privacy and lawsuits be affected due to to Xbox One's terms of service?

"If data gathered by the Kinect, both visual and aural, must be on some level shared as part of the Xbox One's terms of use, Microsoft should let potential customers know that ahead of time rather than waiting as long as possible to do so," he wrote on Venturebeat. "Furthermore, if terms of use dictate that customer complaints regarding privacy must be solved through binding arbitration via Microsoft …, then the company should likewise also disclose that in the weeks and months before launch."

Users obviously want to own a device like this for the purpose of fun and games, but data security worries could bring that for a halt to many in an increasingly safety-conscious cyber world.

Consumerization News from SimplySecurity.com by Trend Micro

Emile Monette, senior adviser for GSA's Office of Acquisition Management, told the Post that companies are spending millions on cybersecurity but the government has to be able to share these costs in a way that makes sense.

"There's already a significant cost to doing business with the federal government, and we don't want to unduly increase that," Monette said. "Any time you increase the requirements on a company just to do business with the government, you create barriers to entry."

GSA is also looking at commercial requirements and whether they may apply to federal purchase. The body would also like to figure out a better way to resolve conflicts in various regulations, contracts and policies. Officials want to figure out if there are conflicting or redundant standards that businesses will face when doing business.

Alan Chvotkin, executive vice president of the Professional Services Council, told the Post that their organization will submit comments and ask for requirements that will focus on outcomes and attributes instead of specific designs. This will allow organizations to approach issues based on the size of the company and the amount of business they are doing with the government, as well as what kind of work they are doing. Every organization will need something, he said, but not all will need the same thing.

Many see an update in this line of thinking as a positive, including Raymond Aghaian, a partner at McKenna Long & Aldridge who specializes in cybersecurity, who told the Washington Post that this will allow contractors to have their voices heard on this matter.

"The train is essentially leaving the station, and so [companies] should get on board," he said. "It would be difficult if … the government was to dictate what the standards [will] be without considering the practical effects … It's important to try to strike the right balance, and it would be difficult to do so if it's just a one-sided conversation."

An 'insidious' threat
In a speech at the Shangri-La Security Dialogue in Singapore recently, Defense Secretary Chuck Hagel said that threats to the cybersecurity pose a "quiet, stealthy, insidious" danger to the U.S., as well as other nations, and said there needs to be a better guide to defusing cyberwarfare in its earliest stages, according to Insurance Journal.

"Cyber threats are real, they're terribly dangerous," Hagel said. "They're probably as insidious and real a threat (as there is) to the United States, as well as China, by the way, and every nation. … That's not a unique threat to the United States, (it affects) everybody, so we've got to find ways here … working with the Chinese, working with everybody, (to develop) rules of the road, some international understandings, some responsibility that governments have to take."

Although Hagel hopes there will be some private conversation about the issue between countries, he believes much of it will be solved by the public, as it is a "very real" threat to everyone, no matter what nation of affiliation. In fact, NATO Secretary-General Anders Fogh Rasmussen, said their organization faces regular attacks, particularly to a system used to coordinate the military activity and actions among the 28 allied countries.

Security News from SimplySecurity.com by Trend Micro

"There are no universal solutions to prevent being infiltrated," said James Holley, leader for Ernst & Young LLP's Information Security Incident Response services and co-author of the book. "If sophisticated and well-funded attackers target a specific environment, they will get in. In this rapidly evolving threat landscape, information security professionals need to adopt the mindset that their network is already compromised or soon will be."

A few things that organizations must know about these APTs include: 

• Specific individuals are now heavily targeted, so educating employees can be key to stopping some threats from infiltrating a network
• Cyberattacks are now a business problem instead of simply a technology issue
• Prevention strategies, such as antivirus and firewalls, are no longer strong enough to stop the more serious threats that will go after a business

Some new capabilities that are available to fortify data security efforts include the ability to inspect network memory to detect malicious code, sweeping the organization for indicators they have been compromised, log aggregation and the ability to conduct forensic analysis of the entire company, according to Ernst & Young and ISACA.

The ISACA surveyed more than 1,500 security professionals and found that 94 percent believe that APT is a treat to economic stability, as well as national security. Sixty-three percent told the company that it is only a matter of time before they are attacked by an APT, while one out of five has already experienced one.

Defining what these attacks are
In order to stop an APT, organizations should first identify what this attack may be and get beyond the buzzword. IT professional Brian Laing wrote on SC Magazine that these attacks use higher technological capabilities over a long period of time with a motivation to either bring an organization's operations to a halt or steal privileged information.

There are usually many stages these attacks will sequentially navigate, including first identifying and researching targets, intruding their network with a spear phishing email or spoofed message, establishing its way into the network with a backdoor. After this, the APT does the dirty deed of obtaining user assets and may even install utilities of its own and try to latch onto the network for as long as it possibly can.

"Targeted attacks represent a very special type of threat – one that is silent, very difficult to trace and potentially devastating in the damage it can do, which ranges from stealing an organization's intellectual property or stealing passwords from systems so they have unlimited network access," he wrote. "It's essential that enterprise organizations protect themselves against these threats, and do so cost effectively, without placing an inappropriate burden on end-users or interrupting daily operations."

Spear phishing triggers most APTs
The main threat companies will have to watch out for when it comes to guarding against these threats is spear phishing, according to an article by CSO Online's John Mello. He said one company said these APTs have more than doubled from 2010 to 2011, with 91 percent of the attacks involving spear phishing. These messages pretend to be from a  trusted source, such as a company the user works with, but instead are looking for credit card numbers, usernames, passwords and more.

"Spear phishing is by far the most prevalent way that target systems are compromised by APTs," said Paul Ferguson, vice president for threat intelligence at Internet Identity, according to the website. "It's because it's not that hard to social engineer their victims into clicking on the wrong link or opening the wrong attachment by masquerading as someone they know or something they're expecting,"

JD Sherry, director of public technology and solutions for Trend Micro, said these attacks are used to get something of a foothold within an organization's network. Once the sequence is started, they can gain access into a network and bypass data security tools to start stealing information, installing threats on the network or other measures that could eventually harm an organization. Sherry said spear phishing likely will not be the first way hackers attack for long,as they could likely have more success via social media. With phishing attacks usually coming via email, criminals will notice the number of users on websites like Twitter and Facebook when they start to attack users in this way. Data security should be employed across all areas and organizations must educate employees as to how to protect themselves on social media websites, emails and other areas of business.

These cyberattacks were carried out by Hammond in affiliation with Anonymous, a notorious global hacking group that looks to steal information, harass businesses and deface websites standing in opposition to its expressed ideals. The news source said Hector Xavier Monsegur, a famous hacker known as Sabu, helped law enforcement catch Hammond and infiltrate Anonymous.

As part of these crimes, Hammond allegedly stole data from more than 850,000 people in his attack on Stratfor. He also was accused of using credit card numbers from this company for upwards of $700,000 in illicit purchases and apparently even stole personal data from a former CIA director and vice president of the United States.

There are supporters of the hacktivist as well, according to the AP, as several sympathetic blogs and websites describe him as an "electronic Robin Hood." Hammond will be sentenced later this year and faces up to a decade in jail.

The Chicago Reader previously wrote a profile of Hammond, who had discussed a point where he felt he was discouraged from becoming a white hat hacker for the good of data security rather than for his own cause. During his freshman year at the University of Illinois, he found a flaw in the school's security system.

"I had found this vulnerability, and I had notified them," Hammond told the Chicago alternative weekly. "'Here's how it's vulnerable, here's how you go about fixing it, here's where I put the back door. You guys can talk with me, and maybe I can work with the webmaster.' They didn't take too kindly to that at all. In fact I was called before the department chair. He said they almost went to the FBI. I'm pretty sure the guy who developed the website, one of the professors there, took it personally. This was a slap in the face. Some punk kid was able to get into the site. So they disciplined me instead of hiring me."

Security News from SimplySecurity.com by Trend Micro

With the help of independent security researcher Ashkan Soltani, Ars Technica used the Skype service to send four links created for the purpose of the investigation of the security within the program. While two of the links were never clicked on, the other two beginning in HTTP and HTTPS individually, were viewed by a machine at an IP address belonging to Microsoft. This proves that the company has the ability to read plain text within encryption and regularly uses that ability, according to the website.

On one hand, Skype's security policy clearly notes that it may use automated scanning to identify spam and other forms of fraudulent messaging, Ars Technica points out. However, there is still a belief among many that Skype offers across-the-board encryption, meaning they would protect communications against unauthorized viewing. If the company is able to reach URLs transmitted between users, this is not the case and could lead down some dangerous paths as far as data security is concerned.

"The problem right now is that there's a mismatch between the privacy people expect and what Microsoft is actually delivering," Matt Green, a professor specializing in encryption at Johns Hopkins University, told Ars. "Even if Microsoft is only scanning links for 'good' purposes, say detecting malicious URLs, this indicates that they can intercept some of your text messages. And that means they could potentially intercept a lot more of them."

The scanning may happen as these messages are sent through supernodes, Ars said, but either way, Solanti noted that this confirms that the company and program can read content. Even if it is not known where this information is read, the privacy policy of the program is quite clear that it is allowed to do this.

"Skype will retain your information for as long as is necessary to: (1) fulfill any of the Purposes (as defined in article 2 of this Privacy Policy) or (2) comply with applicable legislation, regulatory requests and relevant orders from competent courts," the company's website said.

It will be up to each individual user and company as to whether they want to risk sending sensitive information over Skype's services.

Consumerization News from SimplySecurity.com by Trend Micro.

Making sure security is a priority in the starting point of development can lead to fewer holes for hackers to take advantage of, according to what experts have said. This means fewer patches and higher quality software, something Jeremiah Grossman, chief technology officer for consulting firm WhiteHat Security, said is necessary.

Over the years, developers have seemed to avoid the additional costs and resources of making sure security is implemented from the start, as Gonsalves said there has a prioritization of performance over security. Now, more threats exist in the cyber world than ever before and there must be more protection for companies, as they have a greater amount of sensitive information online. Matthew Neely, director of research and development for consulting firm SecureState, said especially for larger businesses, there is more demand than ever for the applications and software used to be secured from the start. However, it may still take a bit of time to have the same level of security for smaller organizations.

"Getting it past the medium to the small companies is going to be hard, because of the resources required to put people in to do the security testing and to train the people," he told CSO Online.

Ensuring apps are built stronger
A recent report from HP found that 69 percent of web applications scanned have at least one SQL injection error and 42 percent had a cross-site scripting vulnerability. Matthew Schwartz, editor of InformationWeek, wrote that it is time for companies to start taking the security in development of applications far more seriously and said it should begin from the birth of the app itself.

Schwartz spoke with Jerry Hoff, VP of the static code analysis division at WhiteHat Security, who gave some tips for having more secure apps and started by saying that user input is not going to be a friend of business when developing apps. He added that organizations need to know which vulnerabilities are out there that have the potential to harm a company and have controls in place in the language the business and its IT department uses.

"If you're working in a particular language – even if you're a manager – you should know the security controls for that platform," said Hoff. "That should be like a seatbelt or airbag that's already built into cars. They should just have that as part of their toolkit."

Other tips from Hoff printed by Schwartz for developing a secure app include:
- Do not write in the security controls within the company unless there is a stated security expert in place
- Be sure to have a security resources that can be used to ensure the app is being secured in the best way possible
- Continuously apply new security controls, as the best way to prevent attacks is to always be on top of the new technology and information that is available

Hoff said every company will have different ways of controlling data security but each needs to figure out its methods and keep up with them as often as possible.

Data Security News from SimplySecurity.com by Trend Micro.

"Today we're introducing a new security feature to better protect your Twitter account: login verification," said Jim O'Leary, a member of the social site's product security team, in a blog post. "This is a form of two-factor authentication. When you sign in to twitter.com, there's a second check to make sure it's really you. You'll be asked to register a verified phone number and a confirmed email address."

The feature will be gradually rolled out, according to Twitter, and will look to stop the email phishing schemes which have affected multiple brand-name businesses across the social media giant's website. They will also prevent breaches of password data from across the web, which InformationWeek said happens when attackers can access an account if passwords have been reused elsewhere.

Data security professionals believe that this development has been a long time coming for the microblogging site. Mark Risher, CEO of Impermium, told the news source that this "significantly raises the bar" of security for many of the attacks the website has been experiencing. However, since this is an optional feature, he said Twitter must inform users that it will only be useful if it is configured in advance. To do this, users of the website can go to the account settings page, check "Require a verification code when I sign in," and receive a six digit number via SMS message on every attempted log-in.

Why now?
The attacks are being claimed by the Syrian Electronic Army (SEA), which has also included The Onion and Reuters, among others, have forced Twitter's hand in evolving security for its users. With this large string of attacks, something had to be done to make sure people are safer online than they have been in past days, but some security professionals are already critiquing the way it is being done, according to InformationWeek. Sean Sullivan, an adviser at F-Secure Labs, said on Twitter that he believes that the company should be using authenticator apps instead of SMS messaging. Risher also questions if Twitter will be monitoring for unusual login patterns.

"We hope that Twitter has incorporated proactive monitoring in addition to this authentication feature," said Risher. "Locking the front door is important, but without intelligent systems determining when, how and whether to allow access – even for people with the 'key' – account hijacking vulnerabilities will persist."

Back on Twitter's blog, O'Leary said this is only the first step toward improving security, as they will need users to enroll in the SMS program to have login verification. The engineering work will allow them to deliver better security enhancements in the future, he wrote. However, there may still be impending threats, as one member of the SEA told Vice Magazine that there are still security holes they know of in Twitter's model that could make the company and its users uncomfortable, adding "we are not going to give up."

Even with vague threats, everyone is happy to see Twitter taking steps to protect the security of its users. Barmak Meftah, chief executive officer of security company AlienVault, told Bloomberg that it is necessary to have in place as social media websites are big targets for hackers. Any effort to make sure these websites are safe is a big one, he said, and believes it is great that Twitter is trying what they can to ensure the data security of users.

Security News from SimplySecurity.com by Trend Micro.

Reuters reported that DHS Secretary Janet Napolitano will direct the agency to share classified data on vulnerabilities that may be unknown to application developers. These indicators would then be shared with security partners who can detect and block the exploit from taking advantage of companies and their infrastructure. Jeff Jacoby, director of information systems, operations and services at Raytheon, told CSO​ Online that this privileged information will never leave the service provider at any point.

This move toward a greater level of information sharing is something many security experts have been waiting for years to see, but limiting the data flow is something that many experts would not like to see, the website said.

"While it is understandable that the government is starting slowly, I would like to see much broader sharing of information," said Wolfgang Kandek, chief technology officer for vulnerability management company Qualys. "From an offensive point of view, it is certainly valuable to maintain a certain number of exploits in private, but for defense the best option is to share the vulnerability information with the software vendor as quickly as possible."

House of Representatives Intelligence Committee Chairman Mike Rogers told Reuters that he was glad to share this information with companies but said it needed to be kept in check to help avoid tipping off cybercriminals or rival organizations. Michael Daniel, the White House cybersecurity policy coordinator, recently told a summit that the program was still evolving with what kind of information would be shared and said this would continue to evolve in step with the threats themselves.

One problem with how this information sharing program will work, according to Andrew Braunberg, research director for NSS Labs, is that the government wants to have its own access to zero-day threat vulnerabilities. It has been recently revealed that the U.S. government is one of the top buyers of these types of threats for their own purposes, leading Braunberg to say that the government wants the situation to go both ways.

"They don't really want these vulnerabilities to disappear because they want to use them offensively, but they don't want the same vulnerabilities to allow hacking of U.S. assets," he told CSO.

Security News from SimplySecurity.com by Trend Micro.