Wednesday, September 30, 2009

New Trojan Gives Criminals Full-service Bank Theft



Security experts agree that cyber-criminals are getting better, but a new Trojan takes things to a whole new level.

The URLzone Trojan, identified by researchers at Web filtering vendor Finjan Software earlier this month, represents "the next generation of bank Trojans," said Yuval Ben-Itzhak, Finjan's chief technology officer.

After it infected about 6,400 computer users last month, the Trojan was clearing about €12,000 (US$17,500) per day. That puts it on track to rake in as much as €7.3 million annually.

Criminals installed the Trojan by luring visitors to infected Web sites and leveraging a variety of PC software flaws. They managed to infect about 7.5 percent of the 90,000 computers they attacked before Finjan got access to their command-and-control server, the company said.

More widespread Trojans such as Zeus and Clampi have been siphoning millions of dollars per day out of banks by stealing victims' online credentials and then moving money to unsuspecting "money mules," who then transfer the cash offshore. These mules are often recruited from job sites such as Monster.com, and they typically believe they're doing legitimate payroll work for overseas companies, not organized criminal enterprises. Once they send the stolen money offshore, they can be the ones who are held accountable for the loss.

But URLzone is even more sophisticated than its predecessors, Ben-Itzhak said.

Its user interface lets the criminals set controls that help keep fraud detection systems at bay. From a central server they can, for example, configure the Trojan so that the victim's account balance never drops below zero; schedule a series of small withdrawals that will appear unsuspicious; and have the malware alter the way the victim's banking page is displayed so the real transactions and balance are not shown.

"Basically they say, 'I will steal from you €5,000, but I want to make sure at least 5 percent will remain in your balance,'" Ben-Itzhak said.
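The controls Ben-Itzhak describes are tuned to stay under a bank's per-transaction review threshold and to keep the account from overdrawing, so neither a single-amount rule nor a balance rule fires. The Python below is an added illustration, not code from Finjan or the article: a bank-side aggregation rule that catches the resulting pattern of several sub-threshold transfers to beneficiaries the customer has never paid before, inside a short window, adding up to a large sum. The thresholds, the seven-day window and the sample ledger are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed review thresholds for the example; a real bank tunes these per product.
SINGLE_TXN_THRESHOLD = 1000.0   # a lone transfer at or above this is reviewed
AGGREGATE_THRESHOLD = 2500.0    # sum of small transfers to new payees that triggers review
WINDOW = timedelta(days=7)
MIN_NEW_PAYEE_TRANSFERS = 3


@dataclass(frozen=True)
class Transfer:
    day: date
    amount: float   # money leaving the account
    payee: str      # beneficiary account identifier


# Constructed sample ledger: three months of ordinary payments, then a drip of
# sub-threshold transfers to four never-before-seen accounts (the mule pattern).
BASELINE_END = date(2009, 9, 1)
SAMPLE = [
    Transfer(date(2009, 6, 1), 950.0, "landlord"),
    Transfer(date(2009, 6, 15), 90.0, "power-co"),
    Transfer(date(2009, 7, 1), 950.0, "landlord"),
    Transfer(date(2009, 7, 20), 300.0, "friend"),
    Transfer(date(2009, 8, 1), 950.0, "landlord"),
    Transfer(date(2009, 8, 15), 90.0, "power-co"),
    Transfer(date(2009, 9, 1), 950.0, "landlord"),
    Transfer(date(2009, 9, 2), 900.0, "mule-1"),
    Transfer(date(2009, 9, 3), 850.0, "mule-2"),
    Transfer(date(2009, 9, 4), 90.0, "power-co"),
    Transfer(date(2009, 9, 5), 950.0, "mule-3"),
    Transfer(date(2009, 9, 6), 700.0, "mule-4"),
]


def single_txn_alerts(history):
    """The naive rule the Trojan is configured to evade: flag only transfers at or
    above SINGLE_TXN_THRESHOLD."""
    return [t for t in history if t.amount >= SINGLE_TXN_THRESHOLD]


def known_payees(history, before):
    """Beneficiaries the customer paid during the baseline period (before `before`)."""
    return {t.payee for t in history if t.day < before}


def drip_alerts(history, baseline_end):
    """Flag a window of at least MIN_NEW_PAYEE_TRANSFERS sub-threshold transfers to
    payees absent from the baseline whose combined amount reaches AGGREGATE_THRESHOLD.
    Returns a list of (first_day, last_day, total, sorted payees); one alert per
    account is enough to feed a review queue."""
    baseline = known_payees(history, baseline_end)
    candidates = sorted(
        (t for t in history
         if t.day >= baseline_end
         and t.payee not in baseline
         and 0 < t.amount < SINGLE_TXN_THRESHOLD),
        key=lambda t: t.day,
    )
    for i, first in enumerate(candidates):
        window = [t for t in candidates[i:] if t.day - first.day <= WINDOW]
        total = sum(t.amount for t in window)
        if len(window) >= MIN_NEW_PAYEE_TRANSFERS and total >= AGGREGATE_THRESHOLD:
            return [(first.day, window[-1].day, round(total, 2),
                     sorted({t.payee for t in window}))]
    return []


if __name__ == "__main__":
    print("per-transaction rule:", single_txn_alerts(SAMPLE))      # nothing caught
    print("aggregation rule:", drip_alerts(SAMPLE, BASELINE_END))   # the drip is flagged
```

On the constructed ledger the per-transaction rule returns nothing, because every transfer is under €1,000, while the aggregation rule flags the four payments to new beneficiaries totalling 3,400 within five days. Keying on payee novelty rather than on balance matters here: the attacker's "never below zero" floor is designed precisely so that balance-based rules stay quiet.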

PC World



Tuesday, September 29, 2009


University data breach exposes 163,000 women to identity theft




University of North Carolina at Chapel Hill has disclosed a data breach of one of its servers that exposed the identities of 163,000 women.

The women were participating in a mammography study conducted by the UNC School of Medicine. The breach could date back as far as 2007 and exposed Social Security numbers, dates of birth and other sensitive information on the study participants, according to a report in the Raleigh, N.C.-based The News & Observer.

Matthew Mauro, chairman of the UNC-CH Department of Radiology, said computer forensics experts detected the breach in July. The exposed information was on one of two servers that housed data on more than 662,000 women. The data was being collected as part of the Carolina Mammography Registry, a project that compiles and analyzes mammography results submitted by radiologists in North Carolina.

UNC officials are sending out breach notification letters to all 236,000 study participants. The university began phasing out Social Security numbers as patient identification codes several years ago, according to the report. The university said it has also "tightened" its reporting system for the project.

Search Security

Monday, September 28, 2009

Pressure on Microsoft, as Windows Attack Now Public

Hackers have publicly released new attack code that exploits a critical bug in the Windows operating system, putting pressure on Microsoft to fix the flaw before it leads to a worm outbreak.

The vulnerability has been known since Sept. 7, but until today the publicly available programs that leverage it to attack PCs haven't been able to do more than crash the operating system. A new attack, developed by Harmony Security Senior Researcher Stephen Fewer, lets the attacker run unauthorized software on the computer, in theory making it a much more serious problem. Fewer's code was added to the open-source Metasploit penetration testing kit on Monday.

Two weeks ago, a small software company called Immunity developed its own attack code for the bug, but that code is available only to the company's paying subscribers. Metasploit, by contrast, can be downloaded by anyone, meaning the attack code is now much more widely available.

Metasploit developer HD Moore said Monday that the exploit works on Windows Vista Service Pack 1 and 2 as well as Windows Server 2008 SP1. It should also work on Windows Server 2008 Service Pack 2, he added in a Twitter message.

But the code may not be completely reliable. Immunity Senior Researcher Kostya Kortchinsky said that he could get the Metasploit attack to work only on the Windows Vista operating system running within a VMware virtual machine session.

When he ran it on native Windows systems, it simply caused the machines to crash.

The attack "definitely works on at least some physical machines, but looks like it could use more testing," Moore said.

Either way, the public release of this code should put Windows users on alert. Security experts worry that it could be adapted to create a self-copying worm, much like last year's Conficker outbreak.

Unlike Conficker, however, this attack would not affect Windows XP, Windows Server 2003, or Windows 2000 systems.

That's because the underlying flaw that all of these programs exploit lies in the SMB (server message block) version 2 system, introduced in Vista. Microsoft has confirmed that Immunity's attack works on 32-bit versions of Vista and Windows Server 2008, but did not have any immediate comment on the Metasploit code.

The flaw has been patched in Windows 7, Kortchinsky said.

On Sept. 18, Microsoft released a Fix It tool that disables SMB 2 as a workaround, and the company said that it is working on a fix for the software. With SMB 2 disabled, file sharing falls back to SMB 1, so the workaround removes the vulnerable code path at the cost of the newer protocol's features rather than patching it.

Whether that patch will be ready in time for Microsoft's next set of security patches, due Oct. 13, remains to be seen.

PC World

Outlook dim for international cooperation to fight cyber attacks


Protecting sensitive computer systems and networks from cyberattack requires international standards, but limited experience with Internet crime in developing countries and a reluctance from some nations to participate have stalled cooperation, said a panel of security experts on Monday.

"It's one grid, one global network, and we're all stuck in the same boat," said James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies. "We need to establish some rules."

President Obama's cybersecurity plan, released in May, stated that "the United States needs to develop a strategy . . . to shape the international environment and bring like-minded nations together on a host of issues, including acceptable norms regarding territorial jurisdiction, sovereign responsibility and use of force." The plan also included among its 10 near-term priorities the development of a framework for international cybersecurity policy.

The obstacle, however, is convincing countries to cooperate with the international effort, including the prosecution of cybercriminals.
NextGov

Sunday, September 27, 2009

PCI Compliance Could Have Stopped Gonzalez


Speaking of PCI Compliance, I've been tracking this Gonzalez guy and I came across this very interesting article by David Taylor over at StoreFrontBacktalk.com --enjoy.

Call me a contrarian (or a Visa suck up), but I actually believe that the PCI DSS controls, implemented in an “above average” way, could have stopped the Gonzalez-led criminal masterminds from breaking into a company. Not all companies, but a company with above average security. Allow me to explain before you get too ticked off at me.

Recently, Evan Schuman wrote a piece on the Gonzalez breaches, where he quoted a security specialist who argued that these breaches constituted evidence of the failure of the PCI data security standards. (She even kept score: Hackers, 12; PCI, 0. I guess 12 is a winning score in some game with which I’m not familiar.) Anyway, I’m no apologist for PCI, as anyone who has read my columns or our research in the PCI Knowledge Base knows. But I think that position is wrong because it lays all the blame on the standards and ignores the responsibilities of the merchants. Here are the arguments for my position:

•Who Didn’t Get Breached?

Since Albert Gonzalez has now agreed to plead guilty to what is clearly the largest data theft conspiracy to date (that we know about), we now know the names of virtually all the companies that Gonzalez and his cohorts stole from. What we don’t know are the names of the companies the criminals did not gain access to, and why. The conspirators (according to the indictment) started with a list of Fortune 500 companies.

David.Taylor@KnowPCI.com
  StoreFrontBackTalk

What does PCI mean to you?


This week my attention has been dominated by one word, well six officially, but often narrowed down to six or even three letters – PCI.

To give it its full title it is the ‘Payment Card Industry Data Security Standard', and in my meetings this week at Gartner and other panel debates, the subject arose on several occasions. Now I will be the first to acknowledge that I do not know the ins and outs of PCI (as we will now call it), but thanks to the PCI DSS user group (see link) I do know that it is a set of complex regulations that all businesses taking credit card payments must adhere to.

The first debate over PCI is generally in regard to how much of a point the standard has, and how much it is enforced. An article published back in June gave the opinion that the PCI Council had ‘failed to adequately address consumer risk by not mandating end-to-end encryption as part of its requirement, allowing the use of compensating controls in lieu of encryption in order to spare those under PCI requirements from the expense of properly securing the data they were entrusted to protect'.

Paul Henry, security and forensic analyst at Lumension, who gave the opinion, claimed that the amount of data breaches witnessed had become all too commonplace, and that the bar should be raised to increase the minimum acceptable standards to become compliant in light of these many failures.

SC Magazine UK

Cyber-crime: Something’s Got to be Done, But By Whom?


When one considers some of the hotly debated issues of this Obama era, they often boil down to a single, overriding question: How far should the government go in regulating things such as health care, privacy, free speech, etc.? In other words, where does personal responsibility end and government responsibility begin?

This question was particularly brought to my mind by a recent Associated Press article, which noted that cyber criminals are increasingly targeting small and medium-sized businesses. These companies don't have the same resources as larger ones, which continually update their computer security and have more sophisticated systems, according to an official of the U.S. Secret Service's office of investigations.

According to AP, organized cyber groups based abroad are waging many of the attacks. They are stealing not only credit card numbers, but also personal information—including Social Security numbers—of the cardholders.

The article adds that lawmakers working on cyber security legislation are pressing for the Obama administration to do more to prevent such attacks. But just what do these people want the government to do? If a smaller company—say a Tier III insurer or an independent agency—doesn’t spend money on basic protections, does that mean the taxpayer has to step in and buy a security software suite or firewall device for the company or agency?

The very idea is ridiculous. In this Internet age, virtually no one is unaware of the basic need to protect systems and data. In the insurance industry in particular, where customer data is our very lifeblood, it is sheer lunacy to leave such information and systems vulnerable to attack. But more importantly, whose responsibility is it to protect customer data that resides on company systems? The answer—unless you are GM or Chrysler—is that the buck stops with the company. Believe it or not, Big Brother is not always watching us, and the safety of business systems would likely not be his No. 1 priority if he were doing so.

Are we seriously suggesting that the federal government should take responsibility for the security of business data and systems? Remember, this is the same federal government whose own systems have been repeatedly hacked by foreign governments and by technologically gifted slackers who seem to have nothing more constructive to contribute to society. This is also the same administration that, despite much bombast, has not appointed a cyber-security czar.
Insurance Networking


Ara C. Trembly (www.aratremblytechnology.com) is the founder of Ara Trembly, The Tech Consultant and a longtime observer of technology in insurance and financial services. He can be reached at ara@aratremblytechnology.com.

Recession prompts shift in cybercrime tactics




Rates of all but one type of online crime have increased over the past year, with a crime being committed on the internet every 10 seconds, according to the latest report from security vendor Garlik.

And losses due to banking fraud have more than doubled since last year.

The report details how cyber criminals have adapted their methods to the effects of the recession. Instead of opening new accounts with stolen identities, which is now more difficult because of tighter credit checks, criminals are taking over existing accounts.

Tom Ilube, chief executive of Garlik, said that fraud cases involving hijacking legitimate accounts have increased 207 per cent in the past year.

“We fear that account-takeover fraud will continue to increase in 2009 due to the decline of available credit and tighter credit-checking by the banks,” he said.

“Consumers must be extra vigilant of all their online and financial accounts as well as avoiding increasingly convincing phishing scams.”

The report predicts the activity is likely to continue into 2009 in line with the continued restrictions on credit.

The report also highlights that online banking fraud has increased by 132 per cent, with losses totalling £52.5m, compared with £22.6m in the previous year.

Garlik detected nearly 44,000 phishing web sites specifically targeting banks and building societies in the UK.

Zikkir

Saturday, September 26, 2009

Identity Theft Protection Tips For the Digital Age


As a small business owner, can you honestly say that your workplace is as safe from exposure to identity theft as possible? It’s a fact that the issue of identity theft is an increasing problem that is already quite widespread. It’s a good idea to periodically do a checkup on your business security policies and procedures to ensure that you have taken every possible step to keep your company’s data safe from identity thieves, as well as personally identifiable information that belongs to your employees and your customers.

1. Be Careful What You Throw Away

Identity thieves are skilled dumpster divers. If you or your employees throw away papers that include bank account numbers, Social Security numbers, and other information that can be used to perpetrate fraud, there’s a good chance that the data could end up in the hands of unscrupulous characters. Make it a firm policy to shred all waste paper that carries any information that could be used by someone looking to steal another person’s identity.

If you only have a small quantity of this type of documentation, it will probably be feasible to handle shredding in-house, with shredders placed in strategic locations around your place of business. If your business generates a large quantity of documentation that contains protected information, it may be better for you to hire a document shredding company to take care of destroying throw away documents that may contain sensitive information.

2. Take Steps to Protect Data Stored on Company Computers

Verify that the virus protection and firewall software installed on your computer system remains current at all times. Make sure that you are using a quality virus protection program and set it up to run daily scans so that you can be as safe from computer viruses as possible. It’s also important to check for updates to your virus software and install them as soon as they become available.

It’s also a good idea to set up every desktop computer and laptop so that a password is required for login. This helps protect stored data if the equipment is lost or stolen and ends up in the wrong hands. It is not foolproof, however: a login password does not encrypt the disk, and anyone who removes the drive or boots the machine from other media can read the files, so pair it with full-disk encryption wherever possible. Even on its own, it’s certainly better than leaving computer equipment unprotected.

When your company upgrades computer equipment, it’s essential to dispose of your old equipment responsibly. Simply deleting files from your old hard drive, or even reformatting it, is not sufficient to keep identity thieves from recovering your confidential data. The most reliable way to get rid of data from an old computer is to shred the hard drives; a full overwrite of the entire drive, not just its files, is the alternative when a drive must be reused. The same companies that provide document shredding services typically also offer hard drive destruction and recycling.

American Banking News

Ohio Police uncover credit fraud: Three arrested in Brimfield



BRIMFIELD — Township police arrested three men Wednesday, charging them with stealing the identities and credit card numbers of more than 70 people nationwide. The trio also were in possession of equipment police believe can rewrite the magnetic stripe of a credit card with another card’s account information.

“The magnetic strip allowed them to turn anyone’s credit or debit card to another number,” said Brimfield Police Chief David Blough. “This is a very interesting case. It’s complex, and there are so many victims.”

Blough said officers did not know what they were getting themselves into when they responded to the Circle K on Tallmadge Road on Tuesday afternoon for a report of a “suspicious” credit card transaction.

They met with suspects 28-year-old Lorinzo Sampson and 26-year-old Richard Barringer III, both of Cleveland; and 27-year-old Alfred Woodall, of Canton, who were purchasing debit cards.

A clerk at the store called because the numbers on the front of the credit cards did not match the numbers being debited.

Sampson, Barringer and Woodall were taken to the Portage County jail. Each faces four charges of identity fraud, a fourth-degree felony; four counts of criminal simulation, two counts of possessing criminal tools and one count of telecommunications fraud, all fifth-degree felonies.

All of the about 70 stolen accounts were from out of state, Blough said.

He said the department is tracking down other fraudulent purchases possibly made by the men in other area businesses.
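The clerk's observation, that the number printed on the card face did not match the number being charged, is exactly the check a point-of-sale terminal can automate: read the account number from the magnetic stripe and compare it with the last four embossed digits keyed in by the cashier. The Python below is an added example, not code from the article or the Brimfield police. It parses ISO 7813 track 2 data, validates the encoded PAN with the Luhn check, and compares it with the embossed digits; a card whose stripe has been rewritten with another victim's account fails. The track strings use the standard industry test PANs (4111... and 5500...) and are constructed for the example.

```python
import re

# ISO 7813 track 2: start sentinel ';', PAN (up to 19 digits), field separator '=',
# expiry YYMM, 3-digit service code, optional discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<expiry>\d{4})(?P<service>\d{3})(?P<extra>\d*)\?$"
)


def luhn_valid(pan):
    """Luhn mod-10 check that every real PAN satisfies."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_track2(raw):
    """Split a track 2 string into its fields, rejecting malformed data or a PAN
    that fails the Luhn check (a common sign of a sloppy re-encoding)."""
    m = TRACK2_RE.match(raw)
    if not m:
        raise ValueError("not ISO 7813 track 2 data")
    pan = m.group("pan")
    if not luhn_valid(pan):
        raise ValueError("PAN on stripe fails Luhn check")
    return {"pan": pan, "expiry": m.group("expiry"), "service_code": m.group("service")}


def stripe_matches_card(raw_track2, embossed_last4):
    """The check the clerk made by eye: the account number encoded on the stripe
    must end in the same four digits printed on the card face."""
    pan = parse_track2(raw_track2)["pan"]
    return pan[-4:] == embossed_last4


# Constructed examples using industry test PANs, not real accounts.
GENUINE_TRACK2 = ";4111111111111111=1012101123400000?"    # face shows ...1111
REENCODED_TRACK2 = ";5500000000000004=1012101123400000?"  # face still shows ...1111

if __name__ == "__main__":
    print("genuine card:", stripe_matches_card(GENUINE_TRACK2, "1111"))      # True
    print("re-encoded card:", stripe_matches_card(REENCODED_TRACK2, "1111"))  # False
```

The last-four comparison is what defeats a re-encoded card at the counter; the Luhn check only catches stripes written with garbage, since a stolen account number is itself a valid PAN.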

Record Pub

Update on Federal Trade Commission Red Flag Rules relating to identity theft


The Red Flag Rules, issued by the Federal Trade Commission (“FTC”) and other regulatory bodies, become effective November 1, 2009, and require certain entities to establish programs that facilitate the detection, prevention and mitigation of identity theft.

What entities are subject to the Red Flag Rules?

The Red Flag Rules apply to financial institutions and creditors that create and maintain covered accounts (defined below). At first blush, an entity may think that it is not subject to the Red Flag Rules because it is not a credit card company or financial institution. However, although the Red Flag Rules certainly apply to financial institutions, they also apply to any “creditor.” The definition of “creditor” is broad. It includes any entity that regularly (1) extends or renews credit (or arranges for others to do so); and (2) provides goods and services to others and allows the consumer to defer payment. The ultimate consumer need not be an individual.

The FTC has provided a list of entities to which it believes the Red Flag Rules apply; however, the FTC cautions that its list is not exhaustive. Briefly, the FTC considers the following groups as prime candidates for Red Flag Rule compliance:

• Doctors, dentists, and other health care providers;

• Accountants and lawyers;

• Utilities;

• Telecommunications companies;

• Debt collectors;

• Retailers; and

• Employee benefit plans sponsoring flexible spending account arrangements when the arrangement utilizes a debit card.

Entities falling into these categories will need to evaluate their obligation to comply with the Red Flag Rules. As described below, the determination will be based in part upon the risk of identity theft among the accounts the entity holds.

The formal obligation to comply with the Red Flag Rules applies to entities with covered accounts. Therefore, all entities should, as an initial matter, examine their internal operations to determine whether they create or maintain covered accounts. The definition of a covered account, like the definition of creditor, is broad. A covered account is (1) a consumer account designed to permit multiple payments or transactions; or (2) any other account that presents a reasonably foreseeable risk from identity theft. However, even businesses that have determined they do not have covered accounts must still conduct periodic risk assessments to ascertain whether that determination has changed.

Summary of Guidelines for Compliance

The regulations provide guidelines for the development of an identity theft plan. These guidelines are summarized below:

1. Identify relevant red flags. The relevant red flags will likely vary from business to business. It is important to identify red flags based on past experience, especially any past experience with identity theft. It will be important to evaluate the types of consumer credit accounts that the organization holds. If the organization already has an identity theft policy, that policy should be analyzed and incorporated, as appropriate, into the new program. After an internal review, the organization should evaluate the list of red flags identified in the regulations. The regulations list 26 potential red flags, which are organized into the following categories:

• Alerts, notifications or warnings from a consumer reporting agency;

• Suspicious documents;

• Suspicious personal identifying information;

• Unusual use of, or suspicious activity related to, the covered account; and

• Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft.

2. Detect red flags. The organization should implement appropriate policies and procedures to ensure that the potential red flags previously identified are indeed detected. Generally, this will consist of requiring appropriate identification when opening new accounts and verifying identification on existing accounts. Change-of-address requests should be appropriately verified. Further, accounts should be monitored to ensure that suspicious usage patterns are detected. Detection techniques will largely depend upon the types of red flags the organization has identified as potential problems.

3. Prevent and mitigate identity theft. If a red flag is identified, then the organization must take appropriate steps to prevent any loss or breach or, at the least, mitigate any damage. Appropriate responses may include:

• Monitor an account for evidence of identity theft;

• Contact the customer;

• Change passwords, codes or other security devices that permit access to the account;

• Reopen an account with a new number;

• Refuse to open a new account;

• Close an existing account;

• Refrain from collecting on an account;

• Notify law enforcement; or

• After evaluating the situation, determine that no response is warranted.

4. Update your identity theft policy. Methods of identity theft, the technology used to detect it, the types of business relationships (for example, the types of accounts maintained) and the experiences of the organization will invariably change over time. Thus, the policy should be updated annually. It is recommended that the board, a committee of the board or a senior, high-level manager be assigned direct oversight of the entity’s identity theft program. This person or group should receive regular reports including an evaluation of the effectiveness of the policy, a description of any significant incidents of identity theft and any recommended changes to the policy.

WTN News

Google Urges Cooperation Against Bad Ads, Malware


A malicious ad surfaced in Google search results just as Google called for a more concerted industry effort against such scams...

As if to underscore its call for greater industry cooperation to fight malicious online ads and content, Google allowed a scam ad to appear briefly atop search results on Tuesday for the term "Firefox."

The sponsored link purported to take Google (NSDQ: GOOG) searchers to the official Firefox Web site, but in fact took them to a different domain, firefox.mozilla-now.com, according to Sophos, a computer security company.

Google appears to have removed the ad as a violation of the company's advertising policies.

A company spokesperson declined to comment on the Firefox ad in question, but acknowledged that the company does look for and remove ads that violate its policies.

"Google's advertising policy requires that the Web site address displayed in the ad must match the domain of the landing page for that ad in order to ensure that users clearly understand the destination Web site being advertised," the spokesperson said in an e-mailed statement. "We use a combination of manual and automated processes to detect and enforce these policies."
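The policy the spokesperson quotes is a mechanical check: the domain shown in the ad and the domain of the page the click actually lands on must agree. The Python below is an added example, not Google's code, that implements it over the incident's own case (display "www.mozilla.com", landing "firefox.mozilla-now.com") plus a few constructed variants. The two-label approximation of a registrable domain is an assumption for the illustration; a production enforcer would use the Public Suffix List.

```python
from urllib.parse import urlsplit


def hostname(url):
    """Lower-cased host part of a URL. A bare display string such as
    'www.mozilla.com' is accepted by prepending a scheme so urlsplit parses it."""
    if "//" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.
    Assumption for this example: a production check would consult the Public
    Suffix List so that 'shop.example.co.uk' yields 'example.co.uk'; the
    two-label rule here would wrongly reduce it to 'co.uk'."""
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def display_url_matches_landing(display_url, landing_url):
    """The stated rule: the address shown in the ad must match the domain of the
    landing page. Subdomains of the same registrable domain pass; a look-alike
    such as mozilla-now.com does not. Pass the *final* landing URL after any
    redirects, otherwise a redirector on an innocent-looking host defeats the check."""
    return (registrable_domain(hostname(display_url))
            == registrable_domain(hostname(landing_url)))


# Constructed cases modelled on the incident: (display URL, landing URL, expected verdict).
CASES = [
    ("www.mozilla.com", "http://firefox.mozilla-now.com/download", False),  # look-alike domain
    ("mozilla.com", "https://www.mozilla.com/en-US/firefox/", True),        # same site, www host
    ("mozilla.com", "https://support.mozilla.com/kb/", True),               # legitimate subdomain
    ("www.mozilla.com", "http://www.mozilla.com@evil.example/", False),     # userinfo trick
    ("mozilla.com", "http://xn--mzilla-6xa.com/", False),                   # IDN look-alike
]


def failing_cases():
    """Cases whose verdict differs from the expectation; empty means all pass."""
    return [(d, l) for d, l, expected in CASES
            if display_url_matches_landing(d, l) is not expected]


if __name__ == "__main__":
    for display, landing, _ in CASES:
        verdict = display_url_matches_landing(display, landing)
        print(f"{display:18} -> {landing:45} {verdict}")
```

The userinfo case matters in practice: `http://www.mozilla.com@evil.example/` shows the trusted name first, but `urlsplit` reports the real host, `evil.example`, so the comparison fails as it should.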

But the incident underscores the problem that Google and other online companies face in trying to thwart malicious advertising, or malvertising.

Malicious ads have also been spotted this year at nytimes.com, eweek.com, mlb.com, and foxnews.com, among other Web sites, and such incidents are becoming more common.

ScanSafe, a security company, on Wednesday said that a large scale malvertising attack had hit popular Web sites, including drudgereport.com, horoscope.com and lyrics.com, over the weekend.

The company said that the ads were delivered by several advertising networks, including DoubleClick, YieldManager and FastClick.

On Wednesday at the Virus Bulletin conference in Geneva, Switzerland, Eric Davis, head of Google's anti-malvertising team, part of the company's broader anti-malware team, urged ISPs and security companies to work together to fight malicious ads and content. He pointed to the Australian government's Australian Internet Security Initiative, a program to help ISPs identify hijacked PCs (bots) and regain control over them, as an example of cooperative security.

Along those lines, Google earlier this year introduced a custom search engine for conducting background research on online advertisers. In June, the company launched anti-malvertising.com as a home for that search engine and as a resource for those fighting malvertising.

Information Week

Hackers Paid to Hijack Macs


A network of Russian malware writers and spammers paid hackers 43 cents for each Mac machine they infected with bogus video software, a sign that Macs have become attack targets, a security researcher said yesterday.

In a presentation last week at the Virus Bulletin 2009 security conference in Geneva, Switzerland, Sophos researcher Dmitry Samosseiko discussed his investigation of the Russian "Partnerka," a tangled collection of Web affiliates who rake in hundreds of thousands of dollars from spam and malware, most of the former related to phony drug sites, and much of the latter targeting Windows users with fake security software, or "scareware."

But Samosseiko also said he had uncovered affiliates, which he dubbed "codec-partnerka," that aim for Macs. "Mac users are not immune to the scareware threat," said Samosseiko in the research paper he released at the conference to accompany his presentation. "In fact, there are 'codec-partnerka' dedicated to the sale and promotion of fake Mac software."

One example, which has since gone offline, was Mac-codec.com, said Samosseiko. "Just a few months ago it was offering [43 cents] for each install and offered various promo materials in the form of Mac OS 'video players,'" he said.

Another Sophos researcher argued that Samosseiko's evidence shows Mac users, who often dismiss security as a problem only for people running Microsoft's Windows, are increasingly at risk on the Web.

"The growing evidence of financially-motivated criminals looking at Apple Macs as well as Windows as a market for their activities, is not good news -- especially as so many Mac users currently have no anti-malware protection in place at all," said Graham Cluley, a senior technology consultant at U.K.-based Sophos, in a blog entry Thursday.

Mac threats may be rare, but they do pop up from time to time. In June 2008, for example, Mac security vendor Intego warned of an active Trojan horse that exploited a vulnerability in Apple's Mac OS X. Last January, a different Trojan was found piggybacking on pirated copies of Apple's iWork '09 application suite circulating on file-sharing sites.

Mac OS X's security has been roundly criticized by vulnerability researchers, but even the most critical have acknowledged that the Mac's low market share -- it accounted for just 5% of all operating systems running machines that connected to the Internet last month -- is probably enough protection from cyber criminals for the moment.
PC World

Phishing Scam Steals Twitter Passwords


Twitter users beware: This scam will not leave you ROFL...

A phishing scam is circulating on Twitter that aims to steal users' log-in credentials and then forward scam messages to all their friends in the hope of tricking them too.

The scam begins with a direct message -- one sent directly between two Twitter users -- that reads "ROFL this you on here?" and appears to link to a video site. When the victim clicks on the link, however, they are sent to a fake Twitter page and asked to log in. The scammers use that log-in information to automatically message the victim's contacts with the same direct message.

The phishing activity was reported earlier Wednesday on the Mashable blog, which says it received "multiple reports" of the scam.

It's a classic phishing scam, and one more reason for users to be cautious about messages that take them to a site where they're asked to log in or download something, security experts say.

Twitter warned of the scam Wednesday, saying in a Twitter message, "A bit o' phishing going on -- if you get a weird direct message, don't click on it and certainly don't give your login creds!"

This is just the latest of several scams making the rounds on the popular microblogging site as criminals look for new ways to cash in on its popularity.
PC World

Ethical hackers gathered this week in Miami to talk about the latest cyber terrorism threats.


The world of hackers is kind of like the Star Wars universe: There's a light side and a dark side of cracking computers.

Hundreds of hackers on the side of good -- or ethical hackers -- gathered at the 14th Hacker Halted global conference this week, held for the first time in Miami, to talk about strategies to thwart cyber terrorists.

Ethical hackers understand how to hack a system in order to better protect against attacks, or to know where the vulnerabilities are in a program.

``A good defense is a good offense,'' said Sean Arries, a security engineer at Terremark Worldwide. ``If you understand your opponent and you understand how the attacker is going to attack you, then it makes it a lot easier for you to defend yourself.''

Arries gave a cautionary presentation detailing how hackers can take advantage of a vulnerability in Windows Vista and Windows Server 2008 -- a gateway for hackers that Microsoft hasn't yet patched.

Arries did a scan of 43,000 domains and found 110 of those sites were vulnerable to that exploit.

``Now 110 is quite a lot, because that becomes a staging process for an attacker to launch against other sites and internal networks,'' he added.

Bloggers have been writing about this flaw for two weeks, so it wasn't exactly news to the audience. But while going through slides filled with programming code, he warned attendees that hackers will likely launch a worm to take advantage of this flaw any day now.

``We are in a scramble state to secure our clients and customers and secure ourselves internally before this worm shows up -- and it will be coming,'' Arries said in an interview afterward.

Not everyone who comes to events like this is a good guy, so to speak. Talk to anyone at that conference and they believe at least some ``black hat'' hackers were among them in anonymity -- or more likely, programmers who work in a morally gray area.

``The same techniques that you learn to protect a system are the same things people look at to break into systems,'' said Howard A. Schmidt, president of the Information Security Forum. ``You have the good guys trying to out-thwart the bad guys, and the bad guys going to learn from the good guys. ''

BLACK HATS

In the world of hacker conferences, Hacker Halted, which ended Friday, is pretty tame compared to the DefCon and Black Hat conferences in Las Vegas.

``That's where you get more of the black hat subculture to learn what's going on and extract information that maybe you should or shouldn't be privy to,'' said Solutient technical trainer Ernie Campbell, who flew in from Cleveland to attend.

Malicious hackers are usually grouped into subsets.

There are the ``script kiddies,'' a derogatory term given to hackers who use programs to cause trouble because they don't have the skills to write their own code. There's also the typical movie stereotype of pale guys pounding down energy drinks in a basement full of computer screens as they wreak havoc.

``That certainly exists, but it is a small, small subculture,'' said Erik Laykin, managing director of Duff & Phelps in Los Angeles and honorary chairman of the Electronic Commerce Council, which organized the conference.

The hackers that Laykin and other investigators focus on are the criminal hackers -- many working out of the country -- who keep coming up with ways to steal financial information.

CONSTANT JOB

And while these criminals work 24/7, it's a constant job of playing catch up for the ethical hacker who is trying to stay on top of the latest exploits. And as people become more attached to mobile devices, cellphones will be the target down the road.

But it could be worse than that.

``Defibrillators that are implanted in people's chests today have electronic remote sensors so they can be reprogrammed using wireless technology. That's an early technology that's potentially susceptible to hacking,'' Laykin said.

``Now if I can hack a computer, why can't I hack somebody's defibrillator or pacemaker? Scary stuff.''
Miami Herald

How much government control of Web in cybercrisis?


WASHINGTON — There's no kill switch for the Internet, no secret on-off button in an Oval Office drawer.

Yet when a Senate committee was exploring ways to secure computer networks, a provision to give the president the power to shut down Internet traffic to compromised Web sites in an emergency set off alarms.

Corporate leaders and privacy advocates quickly objected, saying the government must not seize control of the Internet.

Lawmakers dropped it, but the debate rages on. How much control should federal authorities have over the Web in a crisis? How much should be left to the private sector? It does own and operate at least 80 percent of the Internet and argues it can do a better job.

"We need to prepare for that digital disaster," said Melissa Hathaway, the former White House cybersecurity adviser. "We need a system to identify, isolate and respond to cyberattacks at the speed of light."

So far at least 18 bills have been introduced as Congress works carefully to give federal authorities the power to protect the country in the event of a massive cyberattack. Lawmakers do not want to violate personal and corporate privacy or squelch innovation. All involved acknowledge it isn't going to be easy.

For most people, the Internet is a public haven for free thought and enterprise. Over time it has become the electronic control panel for much of the world's critical infrastructure. Computer networks today hold government secrets, military weapons specifications, sensitive corporate data, and vast amounts of personal information.

Millions of times a day, hackers, cybercriminals and mercenaries working for governments and private entities are scanning those networks, looking to defraud, disrupt or even destroy.

Just eight years ago, the government ordered planes from the sky in the hours after the Sept. 11 terrorist attacks.

Could or should the president have the same power over the Internet in a digital disaster?

If hackers take over a nuclear plant's control system, should the president order the computer networks shut down? If there's a terrorist attack, should the government knock users off other computer networks to ensure that critical systems stay online? And should the government be able to dictate who companies can hire and what they must do to secure the networks that affect Americans' daily life?

Government officials say the U.S. must improve efforts to share information about cyberthreats with private industry. They also want companies to ensure they are using secure software and hiring qualified workers to run critical systems.

Much like the creation of the Department of Homeland Security, cybersecurity has attracted the interest of a number of House and Senate committees, all hoping to get a piece of the oversight power:

_Bills in the House Homeland Security Committee would protect the electric grid and require the department to secure its networks.

_The Senate Homeland Security and Government Reform Committee is writing legislation aimed largely at federal agencies.

_The Senate Commerce, Science and Transportation Committee is working on a bill that promotes public awareness and technical education, raises the planned White House cyberadviser to a Cabinet-level position and calls for professional cyberstandards. An early draft would have given the president the power to shut down compromised federal or critical networks in an emergency.

Bloggers howled that the government was taking over the Internet. Business leaders protested, and Senate aides reworked the bill. Early versions of the second draft are more vague, giving the president only the authority to "direct the national response" to a cyberthreat.

Committee spokeswoman Jena Longo said the bill "will not empower a government shutdown or takeover of the Internet and any suggestion otherwise is misleading and false."

She said the president has the constitutional authority to protect the American people and direct the response to a crisis — including "securing our national cyberinfrastructure from attack."

Privacy advocates say the government has not proven it can do a better job securing networks than the private sector.

"The government needs to get its own cybersecurity house in order first before it tries to tell the private sector what to do," said Gregory T. Nojeim, senior counsel for the Center for Democracy and Technology.

Nojeim said the Senate Commerce Committee bill appears to leave "tough questions to the president, and that isn't comforting because some presidents will answer those questions in troubling ways."

U.S. officials acknowledge that their networks are scanned or attacked millions of times a day. Spies have breached the electrical grid. In July, hackers simultaneously brought down several U.S. government Web sites and sites in South Korea.

Home computers are targets, too. A study by security software provider McAfee Inc. says as many as 4 million computers are newly infected each month and turned into "botnets" — armies of computers used by someone without their owners' knowledge. As many as 10 percent of the world's computers might be unknowingly infected.

Shutting down a compromised system may sound like a good idea, but "it's not like the Internet has an on-off switch somewhere you can press," said Franck Journoud, manager of information security policy for the Business Software Alliance.

Most industries are federally regulated, so the government should work within those systems to plan for disasters, said Journoud, whose group has met with lawmakers and the White House on cyberpolicies.

Rather than setting minimum standards, business groups say the U.S. should endorse existing voluntary industry ones.

Cyberexperts also argue that when hackers infiltrate a critical network, the solution is not to shut down the system, but to isolate and filter out the offending computer codes.

Private companies are willing and able to protect their systems without government mandates, said Tom Reilly, president of ArcSight, a cybersecurity software company. He said the government should concentrate on protecting critical infrastructure and data privacy, and promote education on cybersecurity.

"People want to know if they are one of the 10 percent of the computers that are infected," he said. "They just don't know what to do. Most people just hope they're one of the other nine."
AP

Woman sentenced in ID theft


BALTIMORE — Federal prosecutors say a woman who worked as a claims clerk for a medical insurance adjuster has been sentenced to five years in prison on an identity theft charge.

Thirty-year-old Shanell Bowser of Baltimore was also ordered at sentencing on Friday to pay more than $200,000 in restitution to the victims of the scheme.

Prosecutors say Bowser, in her job, got access to names, Social Security numbers and other personal information from clients of her employer and a local health care provider. According to court documents, Bowser and her conspirators fraudulently obtained credit, withdrew cash from ATMs, and bought clothes, electronics and phone service.

Prosecutors say at least 125 fraudulent accounts were opened and used to make purchases in the names of 89 people during the three-year scheme.
SF Examiner

Shred-a-Thon in Orange Park to Prevent Identity Theft


FL -- The Orange Park Kennel Club was the setting for a Shred-a-Thon to protect from identity theft.

Around 9 this morning, Sheriff Rick Beseler, Public Defender Matt Shirk and Crime Stoppers Representative Wylie Hodges hosted the Shred-a-Thon, which ended with five truckloads of shredded documents that weighed 14 tons.

Also on hand: McGruff the Crime Dog.

Residents also got the chance to speak with community leaders and local law enforcement about how their community could help in the fight against identity theft.

First Coast News

Friday, September 25, 2009

IRS Scam Now World's Biggest E-mail Virus Problem



Criminals are waging a nasty online campaign right now, hoping that their victims' fears of the tax collector will lead them to inadvertently install malicious software.

The spam campaign, entering its third week now, is showing no signs of slowing down, according to Gary Warner, director of research in computer forensics with the University of Alabama at Birmingham. This one campaign accounts for about 10 percent of the spam e-mail that his group is presently tracking, he said. "This is the most prominent spam-delivered virus in the world right now," he said.

Since first spotting the spam on Sept. 9, antispam vendor Cloudmark has counted 11 million messages sent to the company's nearly 2 million desktop customers, said Jamie Tomasello, abuse operations manager with Cloudmark. That number is "very high," she noted.

The messages typically have a subject line that reads, "Notice of Underreported Income," and they encourage victims to either install the Trojan attachment or click on a Web link in order to view their "tax statement." In fact, that link takes the victim to a malicious Web site.

The IRS says not to open attachments or click on links included in e-mail that claims to come from the tax-collection agency.

What makes this campaign particularly ugly is that the malware that accompanies the fake IRS messages is a variant of the hard-to-detect Zeus Trojan. This software hacks into bank accounts and drains them of money as part of a widespread financial fraud scheme. Researchers estimate that the Zeus criminals are emptying more than a million dollars per day out of victims' bank accounts with the software. Small businesses have been particularly hard-hit by this fraud, because banks have sometimes held them accountable for the losses.

Testing a recent variant of Zeus on the VirusTotal Web site, Warner found that only five of the 41 antivirus detection systems used by VirusTotal managed to spot it.

Although antivirus vendors have other techniques for blocking the malware -- they can stop people from visiting the malicious Web sites, for example -- the spam is giving the companies a run for their money.

"It's difficult to stay ahead of it via antivirus because the Zeus binaries are changing a few times a day to evade detection," said Paul Ferguson, a researcher with Trend Micro, via instant message. "It's definitely a problem."

Computer World

Attack E-mails Use Fake Shipping Confirmation Ruse

A triple-payload e-mail attack that uses a fake shipping confirmation notice with a supposed attached label is making the rounds, according to Webroot.

A write-up from the company describes a social engineering ruse designed to nail someone who wasn't paying close attention, with a .zip file attachment that contains an executable disguised with an Excel file icon. The text of the e-mail tells the recipient to open the attachment to print a shipping label (one big clue that this is a scam).

Andrew Brandt makes the good point that changing the default Windows behavior to show file extensions can help thwart the common trick of using a fake document icon to disguise an executable file, assuming that the attached file made it through your anti-spam and antivirus programs. You'd have the chance to see that the supposed Excel file ended in .exe.

In XP, as Brandt describes, change that by opening Explorer, clicking Tools up top, and then unchecking "Hide extensions for known file types." In Vista, start with Organize, then choose Folder and Search options. For either Vista or XP, be sure to click the "Apply to Folders" button to apply the change to all folders, not just the one you're looking at.

Another good idea not mentioned in the Webroot post is to upload any even remotely suspicious attachment or download to Virustotal.com for a malware scan (a free uploader utility makes it especially simple). The attachment in this attack jams three different pieces of malware into the .zip file, which makes for good odds that at least some of the antivirus scanning engines used at Virustotal would catch them.
PC World
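The ruse in the Webroot write-up above, an executable wearing a document icon and, with extensions hidden, a document-looking name, can be checked mechanically before anyone double-clicks. The following is an added example and is not Webroot's, Brandt's or the article's code. It builds a constructed sample .zip in memory (the entry names and contents are made up for the illustration) and flags entries on three signals: an executable last extension, a document-then-executable double extension such as `label.xls.exe` (which Explorer shows as `label.xls` when extensions are hidden), and a Windows PE "MZ" header sitting under a non-executable extension. The extension lists are this example's own choices, not a complete catalogue.

```python
"""Inspect a zip attachment for executables disguised as documents.

Added example (not Webroot's or PC World's code). Rather than trusting the
icon or the visible part of the name, it checks each entry's real extension
and the first bytes of its content.
"""
import io
import zipfile

# Extensions Windows runs as programs when double-clicked (illustrative list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Extensions a victim reads as "a document" when the final one is hidden.
DOCUMENT_EXTS = {".xls", ".xlsx", ".doc", ".docx", ".pdf", ".txt", ".jpg"}


def classify_entry(name, head):
    """Return a list of findings for one zip entry.

    name: the entry's filename as stored in the archive
    head: the first few bytes of the entry's content
    """
    findings = []
    basename = name.lower().rsplit("/", 1)[-1]
    parts = basename.split(".")
    exts = ["." + p for p in parts[1:]]
    last = exts[-1] if exts else ""

    if last in EXECUTABLE_EXTS:
        findings.append("executable extension")

    # "label.xls.exe": a document extension directly before the real one, so
    # with "Hide extensions for known file types" on, Explorer shows "label.xls".
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and last in EXECUTABLE_EXTS:
        findings.append("double extension")

    # A Windows PE file starts with "MZ" no matter what it is named; the icon
    # lives inside the PE, so this check catches the icon trick without
    # parsing resources.
    if head[:2] == b"MZ" and last not in EXECUTABLE_EXTS:
        findings.append("PE header under non-executable extension")

    return findings


def scan_zip_bytes(data):
    """Scan an in-memory zip; return {entry_name: [findings]} for suspicious entries."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            findings = classify_entry(info.filename, head)
            if findings:
                results[info.filename] = findings
    return results


def build_sample_attachment():
    """Constructed sample mimicking a fake shipping-label zip (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Displays as "shipping_label.xls" when extensions are hidden.
        zf.writestr("shipping_label.xls.exe", b"MZ" + b"\x90" * 62)
        # Innocent-looking name, but the content carries a PE header.
        zf.writestr("invoice.pdf", b"MZ\x00\x00fake")
        # Genuine text file: should produce no findings.
        zf.writestr("readme.txt", b"Thank you for your order.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, findings in scan_zip_bytes(build_sample_attachment()).items():
        print(f"{entry}: {', '.join(findings)}")
```

Running the block scans the constructed archive and reports the two disguised entries while leaving `readme.txt` alone. The magic-byte check is the one worth keeping even if the others are tuned away: a renamed executable keeps its "MZ" header regardless of the extension or icon it is given.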

To Fight Worms, Use Ants


To combat worms, Trojans and other malware, a team of security researchers wants to use ants.

Not the actual live insects, of course, but computer programs modeled to act like ants in the way they roam a network and search for anomalies. "Ants aren't intelligent," says Glenn Fink, a senior research scientist at the Pacific Northwest National Laboratory who came up with the idea for the project, "but as a colony ants exert some very intelligent behavior."

According to Fink and one of his project partners, associate professor Errin Fulp of Wake Forest University, their in-the-works project uses distributed data-collecting sensors that are modeled after the six-legged natural creatures. But where ants may leave scent trails to guide other ants to a discovered threat or food source, Fink's sensors pass along collected data to other sensors in an attempt to identify anomalous behavior that may signal a malware infection in a large-scale network.

As information is collected, different varieties of ants may be activated to collect different types of data, Fink says. One might look for a higher-than-normal cpu usage, while another may check out network traffic.

And as with actual ant colonies, the system uses a hierarchy of programs. The sensor ants report to host-based sentinels that sit still and collect data from the ants, and the sentinels in turn are below sergeants, which are tasked with presenting data to humans and passing down their orders to the digital colony.

While early-stage tests of the system have successfully identified computer worms, "a lot of the higher-level reasoning has yet to be done," Fulp says. It's one thing to collect data from the insect-simulating sensors, and another to accurately interpret and process it.

The challenge, as Fink puts it, is, "How do you talk to an ant?"

PC World

What does PCI mean to you?


This week my attention has been dominated by one word, well six officially, but often narrowed down to six or even three letters – PCI.

To give it its full title it is the ‘Payment Card Industry Data Security Standard’, and in my meetings this week at Gartner and other panel debates, the subject arose on several occasions. Now I will be the first to acknowledge that I do not know the ins and outs of PCI (as we will now call it), but thanks to the PCI DSS user group (see link) I do know that it is a set of complex regulations that all businesses taking credit card payments must adhere to.

The first debate over PCI is generally in regard to how much of a point the standard has, and how much it is enforced. An article published back in June gave the opinion that the PCI Council had ‘failed to adequately address consumer risk by not mandating end-to-end encryption as part of its requirement, allowing the use of compensating controls in lieu of encryption in order to spare those under PCI requirements from the expense of properly securing the data they were entrusted to protect’.

Paul Henry, security and forensic analyst at Lumension, who gave the opinion, claimed that the amount of data breaches witnessed had become all too commonplace, and that the bar should be raised to increase the minimum acceptable standards to become compliant in light of these many failures.

Coincidentally, Lumension announced the launch of its Compliance and IT Risk Management tool earlier this week, perhaps to encourage others into their stricter way of thinking.

Another company to make a significant PCI-related launch was Qualys. I met chief marketing officer Amer Deeba earlier this week to discuss the launch of the new QualysGuard platform.

Deeba claimed that Qualys was seeing more focus on PCI in the UK as more customers became interested, yet he claimed that ‘a couple of years ago this was not the case’.

He also commented that with the PCI Council meeting soon, current challenges, such as virtualisation and pre-authorisation, will need to be clarified and addressed.

Deeba said: “We think PCI is great but needs regulations, but as a regulation it is the best possible for security. It is the common sense of security and companies should do it if they are not already.”

Another company to discuss PCI was Imperva. Its CTO is Amichai Shulman, and he was passionate about both the compliance to it and its enforcement.

Shulman said: “PCI enforcement is very interesting. You are compliant or pay more commission, or the regulators will sue if it doesn't come out. It is not perfect but it does work, as an organisation it makes risk management sensible.”

Imperva's own research found that 71 per cent of companies are not taking security seriously. Shulman claimed that he saw three times the number of organisations who had a bad attitude towards security to begin with, and did not bother to go through the process, while some went through the compliance process to do the bare minimum to be compliant.

He further claimed that the regulatory enforcement should be balanced against the size of a company, and not be a ‘one size fits all’ situation. Shulman said: “Smaller companies should have smaller regulations, not be half compliant but have different layers to affect different deadlines. The remaining fact is that potential change is smaller, so there should be fewer requirements.

“The Heartland CEO said the assessors did not know what they were doing and there are variants and it is understandable as long as you have direct and simple criteria, then the bare minimum is done. Use a firewall, anti-virus, small businesses do this, the council need to sit up and make more clear guidelines.”

He also claimed that there should be a certificate or logo, which regulated companies can display to show that they are controlled and have passed the evaluation. This, Shulman claimed, would raise awareness in the public too.

Shulman said: “This is an issue for the council to take care of, having a certificate saying that you are compliant would help the public make a decision and will show that you care about the safety of your data. Also as a business you will have the incentive to be compliant.”

However Jan Fry, head of PCI at Pro Check Up Labs, had some differing views. He claimed that a company displaying a PCI logo would allow an attacker to ‘determine that a company is probably processing enough credit cards to make an attack worthwhile’.

Fry said: “The attacker will also be able to make assumptions about what is likely not to be in place (network encryption) and has been used successfully before in PCI attacks (still not fixed), and fine tune his attack to take advantage of this - possibly SQL command injection to install listening malware to capture card details.”

He also questioned what benefits it would bring, as it could be replicated by a fraudulent website, and asked: “Is PCI compliance really something to be proud of? What exactly were organisations doing with credit card data before PCI came along?

"The standard in many areas provides a very basic level of security and is not without its flaws. So achieving compliance is not some holy grail of security. Not even close.”

The opinion from Shulman, which was backed up by Shavlik Technologies, seems not to be universally agreed upon, and it is fair to understand Fry's point about it being used indiscriminately, something that was raised by comments left on the story.

SC Magazine UK

Russian Cybergangs Make the Web a Dangerous Place



Russian cybergangs have established a robust system for promoting Web sites that sell fake antivirus software, pharmaceuticals and counterfeit luxury products, according to a new report from security vendor Sophos.

To sell bogus goods, many of those sites rely on hundreds of "affiliate networks," which are essentially contractors that find ways to direct Web users to the bad sites, wrote Dmitry Samosseiko, a Sophos analyst. He made a presentation this week at the Virus Bulletin security conference in Geneva.

Affiliate networks have been around for a long time and there are many legitimate ones. But "the majority of the most powerful and controversial affiliate networks are based in Russia," Samosseiko wrote.

In Russian, the networks are known as "partnerka" and focus exclusively on promoting the dark corners of the Web. Essentially, someone who wants to become part of an affiliate signs up on a password-protected forum, most of which now are low profile and require an invitation. Once vetted, the new contractor is given a set of Web sites to promote.

One way to do so is to infect computers with malware either through spam or other means. The malware can tamper with a computer's DNS (Domain Name Server) settings in order to direct the user to a fake Google search engine site, which meshes real search results with ones that lead to, for example, a site selling fake antivirus software.

Another trick is called black hat SEO (search engine optimization). It involves creating a Web site, then using a variety of tricks mostly forbidden by search engines to get those Web sites high in search rankings. Methods include incorporating the most recently used search terms, often listed by search engines such as Google's Trends, into a Web site.

These affiliated "doorway" Web sites will redirect users to a dodgy Web page. A referring site can earn a commission if, for example, a person buys something.

The trick for someone selling a product is to "choose a partnerka with a high conversion rate to ensure that the generated revenue will be greater than the cost of traffic itself," Samosseiko wrote.

It's an insidious, yet profitable, scheme. Sophos was able to get a peek at one of the more popular partnerka called RefreshStats. That Web site enlists partners to create Web sites that implore people to download a codec, or a piece of software required to play video. Inevitably, the codec is a fake, and the PC is usually infected with fake antivirus software.

Samosseiko wrote that Sophos was able to see an administrator interface for RefreshStats that showed how much different contractors were making from the scheme. One particular contractor earned US$6,456 in August 2008. Another affiliate, called Topsale, offers up to a $25 commission for every sale of a fake antivirus product.

Samosseiko writes in his conclusion that there are hopeful signs that law enforcement and researchers can take down the rogue affiliates. But by all measures it doesn't seem that the industry is slowing down.

A recent report from security vendor Panda Security said that as many as 35 million computers worldwide may be infected with fake antivirus programs each month.

The company has collected an astounding 200,000 samples of different rogue antivirus products, about 80 percent of which are copies or are slight alterations of 10 basic families of fake products, said Luis Corrons, director of PandaLabs.

"We were seeing more and more users were being infected," Corrons said.

PC World

Debit Or Credit? Neither


I stopped using my debit card altogether a couple of years ago out of an intense fear that I would never recoup the losses if my card was skimmed in the grocery-store line or compromised at TJ Maxx.

Now I casually slide my checkbook onto the card reader stand and perform that rare act of putting pen to paper while trying to avoid the annoyed stares of shoppers behind me in line who may lose a few seconds off their shopping time because I didn't use plastic.

But my check apparently isn't any safer. The Ponemon-Imperva report on PCI compliance released this week found that 55 percent of retailers and organizations who take credit cards don't bother securing their customers' Social Security numbers, driver's license numbers, and bank account details. And 79 percent of retailers surveyed had suffered at least one data breach.

Those aren't great odds.

Sure, even if you swipe your credit card at a retailer that's PCI-compliant, there's no guarantee your credit card won't get breached anyway. But more worrisome is the attitude of many of the retailers in the survey: most look at PCI as more of a "check-box" item than part of a strategic security initiative. If they're playing to the auditors, who's really minding the store and its customer data?

Then there are the opportunistic retailers. These companies are using PCI to parlay some other IT security purchases that they may not previously have had the funds for: "There's almost a dark side to this: they're putting things in the PCI basket that are really not PCI-critical and leveraging PCI for other security projects," says Brian Contos, chief security strategist at Imperva.

Dark Reading

Scareware And Bots Require Layered Defenses


Defense in depth is not a new idea in security, but taking a layered approach is more important than ever. The current rise in infections by bots and scareware, along with recent reports on anti-malware endpoint protection, demonstrate how we need to be doing more at every layer.

Maybe you're one of the lucky ones, but nearly every IT person I know has seen a considerable increase in malware infections. The majority of the infections are bots and scareware that have come through a Web-based infection vector -- sometimes exploits against the browser, and sometimes taking advantage of users through social engineering. So what's going on?

I think the first problem is an increase in the number of bad guys out there looking to make money using malware. Unfortunately, there's not much we can do about that, so we have to focus on both proactive measures to prevent the infections and reactive measures to deal with the infections as they occur.

Why both? If we put in preventive measures, then why do we need reactive ones? It's simple. Security controls fail. Something will get through. As I've said before, when it comes to security, failure is inevitable so you must plan for it.

The recent testing by NSS Labs of anti-malware products for consumers and enterprises is pretty disheartening -- especially if you're one of those folks still clutching your antivirus under the covers and whispering to yourself that it's all going to be OK. It's not. Take off the blinders because the report clearly shows the products we are paying to protect our users are not completely effective.

Dark Reading

Thursday, September 24, 2009

Spammers Like Idaho Best of All

No one is quite sure why, but Idaho now gets spammed a little more heavily than any other state in the U.S.

"Looking at the e-mail traffic that's being sent to business users in that particular state, 93.8 percent of all their e-mail traffic will be spam," said Paul Wood, a senior analyst with Symantec's MessageLabs group, which released research on the topic Thursday. "That's actually higher than the global spam average."

So far this month, the average spam rate, globally, is 86.4 percent, meaning that of every 100 messages that arrive at a company's e-mail server, 86 of them will be spam. The average business gets about 60 spam messages per employee per day, Wood said.

Other states that seem to be spam magnets are Kentucky, New Jersey, Alabama and Illinois. On the other end of the scale, Puerto Rico, Montana, Alaska, Kansas and South Dakota are now the least-spammed regions of the country. In Puerto Rico, 83.1 percent of messages are spam.

Spammers aren't targeting certain states, Wood said, but he noted that a couple of factors can make getting higher volumes of spam more likely. States with a lot of small businesses tend to get more spam per capita, he said. And workers in some industries, including marketing, recreation, engineering and real estate, are a lot more likely to be spammed than farm workers or public-sector employees.

Science and technology happen to be big businesses in Idaho, but the state may also just be a victim of bad luck when it comes to spam.

A year ago it was the 44th-most-spammed state. Asked to explain the jump to number one, Wood said, "The honest answer to that is, I don't know what would have changed specifically within Idaho."

The MessageLabs data is culled from Symantec's business customers and doesn't necessarily reflect the experience of home users.

If the amount of spam people receive really is just a matter of luck, it's starting to be spread around a little more evenly. Last year there was a 15.1 percent margin between the least-spammed and most-spammed states. This year, the margin is just 10.7 percent.

PC World