Saturday, October 31, 2009

Where Did I Go? What Did I Do? (A personal tale of Identity theft)

A great friend of mine has written down an account of her brush with identity theft. This being Halloween, I could think of nothing more frightening!

I never want to go to jail. In fact, I behaved myself as a youngster so my parents wouldn’t hold to their promise of sending me to the dreaded REFORM school. So why was I being put into the back seat of a police cruiser, suspected of armed robbery? Hey, I was just going to pick up my pizza!

Hold on…hold on, I’ll tell you the rest, but every tale has a beginning. And so…

It was the 70s; people were cool, laid back, yes? I stuck my purse into the bottom of the filing cabinet/desk just like every other woman in the world. Due to the nature of the office, it was often left unlocked and empty for a short time, no big deal. That’s when someone walked in, got into my purse, stole my wallet and I didn’t even know it until I was involved in a minor car accident (on the way to pick up that pizza) and was held on suspicion of armed robbery. Luckily, the identity of the robber wasn’t even close to my real description. In addition to all the hassle and time of closing credit cards, opening a new bank account, notifying social security, notifying my payroll department etc., I had to relate this story every time I applied for a job, or credit, or renewed my driver’s license for years! And this was before computers were an everyday item. Ding 1.

An unbeknownst-to-me pick-pocket bumped into me at the newsstand. I said “excuse me” and smiled. He put his head down and kept walking. The next day I couldn’t find my wallet. I then realized that bump-into at the newsstand was a distraction and he was a thief. Same hassle. Ding 2.

The enormously large metropolitan hospital I worked for twice “froze” our credit because a disgruntled and fired employee breached our personnel files, including personal and “confidential” data. This time, every time I tried to use my debit or credit card, I had to be stuck in line while they verified that the freeze on my credit was not really a report of a stolen credit or debit card. My best moment standing in line, in public while I felt humiliated and embarrassed while some kid said, “Gee, Mom, what’s the bad lady done?” Ding 3, times 2.

The real kicker came when I got a letter from the IRS asking me when I thought I’d like to pay that 30K in back taxes I owed…if it wasn’t too much trouble…or would I rather face a vacation at the federal penitentiary! This one almost gave me a heart attack, really. This one took a very astute lawyer, lots of time, lots of money and plenty of downright fear. I truly was facing some serious consequences because the problem also involved tax evasion. In every other jurisdiction you are innocent until proven guilty. With the IRS, the fact is, you are guilty until proven innocent in a court of law. In the final outcome I was able to prove my investment account was used for money laundering by someone who had stolen my identity. That person was known by me and is the one now sitting in the federal penitentiary. Ding 10, no less!

If you think you’re safe, please reconsider. These events happened to me during a time when Internet access was limited and small, comparatively speaking. You cannot imagine the number of people out there, who you may even know, that would love to use you as bait. It’s up to you and will cost you a lot less than that wonderful lawyer cost (and saved) me.

Frances Gollahon

To contact Fran:

US cyber center opens to battle computer attacks

WASHINGTON — The United States is well behind the curve in the fight against computer criminals, Sen. Joe Lieberman said Friday, as Homeland Security officials opened a $9 million operations center to better coordinate the government's response to cyberattacks.

Lieberman, chairman of the Senate Homeland Security and Government Affairs Committee, said legislation being drafted by his committee will require federal agencies and private companies to set up a system to share information on cyber threats.

And Lieberman, a Connecticut independent, said the Homeland Security Department must identify weaknesses in the systems that run power plants and other critical infrastructure.

As Lieberman laid out his proposal to Chamber of Commerce executives, Homeland Security Secretary Janet Napolitano unveiled the new National Cybersecurity and Communications Integration Center in northern Virginia.

Standing in front of a wall of broad video screens that displayed vivid charts and maps of possible cyber threats and suspicious internet traffic, Napolitano said the watch center will allow the high-tech teams that monitor government networks to work better together.

With 61 computer stations spread across the room, the center will merge the U.S. Computer Emergency Readiness Team and the National Coordinating Center for Telecommunications. AP

After One Year, Conficker Infects 7 Million Computers

The Conficker worm has passed a dubious milestone. It has now infected more than 7 million computers, security experts estimate.

On Thursday, researchers at the volunteer-run Shadowserver Foundation logged computers from more than 7 million unique IP addresses, all infected by the known variants of Conficker.

They have been able to keep track of Conficker infections by cracking the algorithm the worm uses to look for instructions on the Internet and placing their own "sinkhole" servers on the Internet domains it is programmed to visit. Conficker has several ways of receiving instructions, so the bad guys have still been able to control PCs, but the sinkhole servers give researchers a good idea of how many machines are infected.
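To make the sinkholing idea concrete, here is an added example (not code from the article or from Shadowserver) of the defender's side of that workflow: compute the day's expected domain names from a reverse-engineered generator, then count the distinct source addresses that ask a sinkhole for them. The domain generator here is a constructed, simplified stand-in, not Conficker's real algorithm, and the log lines are constructed samples.

```python
import hashlib
import ipaddress
from datetime import date

# Constructed stand-in for a worm's domain-generation algorithm (NOT
# Conficker's real algorithm). Because the worm and the researchers who
# reverse-engineered it compute the same daily list, defenders can register
# some of those names ahead of time and point them at a sinkhole server.
TLDS = ("com", "net", "org")


def generate_domains(day: date, count: int = 5) -> list:
    """Derive `count` deterministic domain names for a given calendar day."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).hexdigest()
        # Map the first 10 hex digits onto lowercase letters for a plausible label.
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:10])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def parse_sinkhole_line(line: str):
    """Parse one constructed sinkhole web-log line: '<ts> <src_ip> <host> <path>'.

    Returns None for malformed lines or for an unparseable source address."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, src, host, path = parts
    try:
        ipaddress.ip_address(src)
    except ValueError:
        return None
    # Normalise the Host value: case-insensitive, trailing root dot ignored.
    return ts, src, host.lower().rstrip("."), path


def count_infected(lines, day: date):
    """Count distinct source IPs that asked the sinkhole for that day's DGA names.

    Distinct IPs are only a proxy for infected machines: many hosts behind one
    NAT gateway collapse into a single address (undercount), while a host whose
    DHCP lease changes during the day shows up twice (overcount)."""
    expected = set(generate_domains(day))
    seen = set()
    for line in lines:
        rec = parse_sinkhole_line(line)
        if rec is None:
            continue
        _, src, host, _ = rec
        if host in expected:
            seen.add(src)
    return len(seen), sorted(seen)


# Constructed sample log for one day: three infected hosts (one of them
# polling two of the day's domains), one unrelated request and one junk line.
DAY = date(2009, 10, 29)
DOMS = generate_domains(DAY)
SAMPLE_LOG = [
    f"2009-10-29T00:01:12Z 203.0.113.5 {DOMS[0]} /search?q=0",
    f"2009-10-29T00:01:13Z 203.0.113.5 {DOMS[1]} /search?q=0",
    f"2009-10-29T00:02:40Z 198.51.100.77 {DOMS[2].upper()} /search?q=0",
    f"2009-10-29T00:03:01Z 192.0.2.9 {DOMS[4]}. /search?q=0",
    "2009-10-29T00:04:00Z 192.0.2.200 www.example.com /index.html",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    n, ips = count_infected(SAMPLE_LOG, DAY)
    print(f"{n} distinct sinkholed sources on {DAY}: {ips}")
```

The same address polling several of the day's domains is counted once, which is why the sample yields three sources rather than four requests.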

Although Conficker is probably the computer worm most known about, PCs continue to get infected by it, said Andre DiMino, co-founder of The Shadowserver Foundation. "The trend is definitely increasing and breaking 7 million is pretty much of a landmark event," he said.

Conficker first caught the attention of security experts in November 2008 and received widespread media attention in early 2009. It has proved remarkably resilient and adept at re-infecting systems even after being removed.
PC World

Friday, October 30, 2009

Blackberry phones get eavesdropping spyware

BLACKBERRY USERS are being warned that a freely available spyware program will turn their crackberry into a listening device.

The application is called Phonesnoop and allows remote users to listen in on a Blackberry user's surroundings. The spyware app uses standard Blackberry APIs to intercept incoming calls. Once the software is installed, a call from a trigger phone number silently answers and activates the phone's built-in speakerphone, so the caller can hear everything that's going on around the phone.

The program's developer, Sheran Gunasekera, says on his blog that he only wanted to point out the dangers of using Blackberry phones carelessly.

The Phonesnoop app doesn't try to be stealthy, though. After it's installed it is clearly visible in the downloads section of the device's user interface. When the listening feature is activated the screen looks as though it is on a call. This is not hard to detect. The Inquirer

FTC Red Flags identity theft protection rules to hit Nov. 1

Barring a last-minute delay, the Federal Trade Commission is set to enforce its identity theft rules, known as Red Flags, on Nov. 1.

The rules have been delayed three times already and were originally set to become practice Nov. 1, 2008.

Under the Red Flags rules, all companies or services that regularly permit deferred payments for goods or services, including entities such as health care providers, attorneys, and other professionals, as well as retailers and a wide range of businesses that invoice their customers, must develop a written program that identifies and detects the relevant warning signs - or "red flags" - of identity theft. These may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program.
Computer World

Keyloggers Could Be Responsible for Leaked Webmail Credentials

More likely than phishing argues security researcher

A security researcher rebuts Microsoft and Google's claims that a massive industry-wide phishing operation was responsible for stealing the recently leaked webmail credentials. New arguments point to the discovered lists being the work of keyloggers.

A few days ago, Microsoft confirmed the authenticity of a list containing over 10,000 Hotmail usernames and passwords, which was discovered in plain sight on Pastebin. A Windows Live Hotmail team member noted that the document is likely the result of a phishing attack, a theory reinforced by the findings of Acunetix's Chief Technology Officer, who analyzed the leaked data.

A second list was discovered by BBC News reporters and contained similar data pertaining to Gmail, Yahoo! Mail and AOL accounts, as well as mailboxes provided by several ISPs. A Google spokesperson noted that the company independently found a third list and also invoked the same attack scenario.

However, the phishing theory doesn't fit well with Mary Landesman, a senior security researcher at Web security company ScanSafe, who argues that some form of malware with keylogging capabilities is more likely to be the culprit. "I believe a data theft trojan might have been involved," she says.

Ms. Landesman notes that ScanSafe researchers came across a cache of stolen credentials gathered by such a trojan a few months ago. "The stolen data was organized by the victim's Windows Live ID (where applicable), followed by usernames and passwords (and the URL) for secure websites the victims visited. This was listed by browser type (either Firefox or Internet Explorer) and included any FTP usernames and passwords," she explains and goes on to speculate that the Hotmail list might have been extracted from such a master document.

The leaked document contains only usernames beginning with A and B, suggesting that it’s only a sample probably used by the attacker to advertise the whole list for sale to spammers. The security researchers have found several signs that are not consistent with a phishing scheme. SoftPedia

Tough identity theft law passed

The federal government has passed tough new legislation to give police and courts added powers to fight identity theft.

"This legislation … will better address identity theft and provide police with the tools they need to help stop these crimes before they are committed," Justice Minister Rob Nicholson said in a statement released Tuesday in Ottawa.

Bill S-4 creates three new Criminal Code offences related to identity theft, including:

Obtaining and possessing identity information with the intent to use the information deceptively, dishonestly or fraudulently in the commission of a crime.

Trafficking in identity information, an offence that targets those who transfer or sell information to another person with knowledge of, or recklessness as to, the possible criminal use of the information.

Unlawfully possessing or trafficking in government-issued identity documents that contain the information of another person. CBC

Thursday, October 29, 2009

Scareware on the rise

How do you get a jaded computer user to fork over money when he's already wise to spam come-ons and other digital scams?

Scare him into it.

That's the lesson learned from the latest round of malware attacks: so-called "scareware," which tricks an infected user into thinking he has a virus or some other infestation on his computer, then extorts money from the user in exchange for "fixing" the issue.

Scareware is nothing new -- readers regularly send me questions about it, all convinced they have some kind of infection that can't be remedied unless they send $30 to a Bulgarian company -- but its virulence is now becoming severe. Symantec says that 43 million people have been hit by scareware scams in the last year, and it's now a million-dollar-a-year business for some 250 practitioners of the art of selling phony security software.

Why is scareware so popular? The linked BBC article mentions two ways victims can be impacted, but there are actually three. First, the attacker gets cash from you in exchange for the "fix," so that's money straight off the top. Next comes the identity theft problem: By giving up your personal information you open yourself up to an ID theft risk, and your data can be resold to another crook, netting the original attacker a little bonus cash and victimizing the user further.
Yahoo Tech

Wednesday, October 28, 2009

FBI: National Data-breach Law Would Help Fight Cybercrime

A U.S. law that would require businesses to report data breaches to potential victims could help law enforcement agencies fight the growth of cybercrime, a U.S. Federal Bureau of Investigation official said Wednesday.

If U.S. businesses were required to share information about their data breaches, law enforcement agencies could link those attacks to others and potentially stop similar attacks at other organizations, said Jeffrey Troy, chief of the FBI's Cyber Criminal Section.

A data-breach notification bill "would help us tremendously, particularly in terms of efficiency in conducting investigations," Troy said during a cybersecurity discussion in Washington, D.C.

Companies need to think beyond their walls when dealing with cybersecurity issues, Troy said. "They have to recognize that the Internet has become a global platform for commerce," he said. "The people that are stealing information from you ... are going after the money."

PC World

Internet Phone Systems Become the Fraudster's Tool

Cybercriminals have found a new launching pad for their scams: the phone systems of small and medium-sized businesses across the U.S.

In recent weeks, they have hacked into dozens of telephone systems across the country, using them as a way to contact unsuspecting bank customers and trick them into divulging their bank account numbers and passwords.

The victims typically bank with smaller regional institutions, which tend to have fewer resources to detect scams. Scammers hack into phone systems and then call victims, playing prerecorded messages that say there has been a billing error or warn them that the bank account has been suspended because of suspicious activity. If the worried customer enters his account number and ATM password, the bad guys use that information to make fake debit cards and empty their victims' bank accounts.

Hackers made headlines for breaking into phone company systems more than 20 years ago -- a practice that was known as phreaking -- but as the traditional telephone system has become integrated with the Internet, it's creating new opportunities for fraud that are only just beginning to be understood.

VoIP (voice over Internet Protocol) hacking is "a new frontier in the crossover world of telecom and cyber [crime]," said Erez Liebermann, assistant U.S. attorney for the district of New Jersey. "It is an ongoing threat and a serious threat that companies need to be worried about."

PC World

Congress likely to modify Red Flags Rule

Some jewelry companies might be excluded

New York--In response to the concerns of small-business owners, the U.S. House of Representatives passed a bill on Oct. 22 allowing some companies to apply for an exclusion from the Red Flags Rule, according to the Jewelers Vigilance Committee (JVC).

The rule, to be enforced beginning Nov. 1, 2009, requires a business to establish an Identity Theft Prevention Program to detect "red flags" that might indicate a criminal's attempt to steal identity information, and to put in place a program to prevent such thefts.

According to the pending legislation, a company applying for an exclusion will qualify if it knows all of its customers or clients individually, or has not experienced incidents of identity theft and identity theft is rare for businesses of that type.


Tuesday, October 27, 2009

Scareware launched from tech blog

40 million people have fallen victim to scareware in the last year. Visitors to technology blog Gizmodo are being warned that they could have picked up more than tips about the latest must-have gadget.

According to security firm Sophos, the website was delivering advertisements "laced with malware" last week.

A statement on the Gizmodo website admits that it was tricked into running Suzuki adverts which were in fact from hackers.

It follows a similar problem on the New York Times website.

Last month the New York Times' website was targeted by a gang of hackers who purchased ad space on the site by posing as internet telephone company, Vonage.

In both cases the adverts served up fake anti-virus software - known as scareware.

Scareware attempts to convince users that their computer is infected with viruses and trojans, and tricks them into downloading "remedies" which are harmful and can be used by criminals to get at information such as credit card details.

Really sorry

Gizmodo gets a huge amount of traffic with more than 3.1 million page views per day.

It has issued an apology to readers.

"I'm really sorry but we had some malware running on our site in ad boxes for a little while last week on Suzuki ads. They somehow fooled our ad sales team through an elaborate scam.

BBC News

Monday, October 26, 2009

SecurityMetrics Services Over 100,000 PCI Compliance Calls Each Month

SecurityMetrics, a world leader in PCI security, today revealed that they service over One Hundred Thousand (100,000) retail merchant calls each month, counseling merchants worldwide on achieving PCI compliance. SecurityMetrics' PCI Site Certification Services for Merchants provides bank acquirers and ISOs (Independent Sales Organization) with a scalable program to accelerate PCI compliance among their strategic accounts and merchant portfolios.

SecurityMetrics' PCI programs give merchants simplified systems and free personalized technical assistance so that retail merchants, with little to no IT security experience, can quickly and easily validate and report their PCI compliance status according to the Payment Card Industry (PCI) Data Security Standard (DSS).

"Consumers rely on retailers to secure their credit card information," said Brad Caldwell, CEO of SecurityMetrics. "As one of the first companies in the industry to deploy a successful mass merchant PCI program, we now have acquiring bank and ISO customers realize more than 90% enrollment levels across their merchant portfolio.

Our programs personally assist small business owners with little to no security backgrounds and scale to accommodate multi-national corporations that generate millions of transactions annually. All SecurityMetrics' security programs have one goal in mind: to simplify and accelerate PCI DSS compliance and ensure sensitive credit card information is secure." Reuters

Swiss foreign ministry hit by computer attack

GENEVA — Unidentified hackers have penetrated the Swiss foreign ministry's computer system to seize data, forcing parts of it to be shut down for several days, the ministry revealed Monday.

The "professional virus attack" allowed outsiders to gain access to the computer system to obtain unspecified information, the ministry said in a statement.

It said the extent of the data mining was unknown.

"Unknown perpetrators used special software in this attack to reach the ministry's IT infrastructure and to acquire specific information," the statement said.

Government computer technicians and specialists from software giant Microsoft discovered the "well hidden" software on October 22. AFP

Be cautious about giving info to census workers

Be on the lookout for e-mail scams impersonating the Census; the Census will NEVER contact you through e-mail!

With the U.S. Census process beginning, the Better Business Bureau, or BBB, advises people to be cooperative, but cautious, so as not to become a victim of fraud or identity theft.

The first phase of the 2010 U.S. Census is under way, as workers have begun verifying the addresses of households across the country. Eventually, more than 140,000 U.S. Census workers will count every person in the United States and gather information about every person living at each address including name, age, gender, race and other relevant data. The big question is - how do you tell the difference between a U.S. Census worker and a con artist? The BBB offers the following advice:

If a U.S. Census worker knocks on your door, they will have a badge, handheld device, Census Bureau canvas bag and confidentiality notice. Ask to see their identification and their badge before answering their questions. However, you should never invite anyone you do not know into your home.

Saturday, October 24, 2009

Trend Micro CEO: Hackers Hitting AV Infrastructure

It's become an all-too-common scam: A legitimate Web site pops up a window that looks just like a real security warning. It says there's something wrong with the computer, and click here to fix it. A few clicks later, the victim is paying out US$40 for some bogus software, called rogue antivirus.

Rogue AV scams have become a big problem in recent months, but according to Trend Micro CEO Eva Chen, it's part of a more sinister, strategic attack on the antivirus industry in general. Criminals "can fake any other application. Why do they fake AV?" she asks.

According to her, a lot of today's security problems are designed not only to steal information from victims, but to undermine the credibility of companies like Trend Micro itself.

One way hackers have done this is by changing the way their software is put together each time they attack, forcing the AV vendors to bloat up their products with hundreds of thousands of new detection signatures.

In response, Trend was one of the first companies to push reputation-based technology into its antivirus products, developing its Smart Protection Network to identify and block not just viruses themselves, but also the malicious Web sites that are used to distribute malware.

PC World

Friday, October 23, 2009

Phishers Dangle Some Brand-New Bait

Just when you thought it was safe to shop or bank online, criminals have invented new ways to steal your personal information.

In September 2009, some unlucky visitors at the New York Times Web site clicked on an ad that attempted to install malware. The advertisement displayed a popup window informing readers that their computer might be infected with a virus; only by purchasing a new antivirus product could they be sure of having a clean system.

The Times later acknowledged the scam in a posting on its Web site: "Some readers have seen a pop-up box warning them about a virus and directing them to a site that claims to offer antivirus software....If you see such a warning, we suggest that you not click on it. Instead, quit and restart your Web browser." Phishers and scammers use this and other new tactics to deceive unsuspecting victims.

Phishing 2.0

Phishing refers to an attempt to collect usernames, passwords, and credit card data by posing as a legitimate, trusted party. Often the deception involves using e-mail sent from a trusted address. Originally, phishing applied to the banking and payment industry only, but now it also covers theft of log-in credentials to games, and personal passwords to social networks such as Facebook and Twitter.

Most people wouldn't reveal their social security number or mother's maiden name at a strange site. Modern browsers and security software flag such content and ask you whether you're sure you want to send it; some block it with a red-and-black warning label. So phishers have adopted new tactics.

Fake Antivirus Software an Emerging Problem

Rogue antivirus products are among the latest phishing instruments to appear, and many are quite convincing. Bearing names like Antivirus 2009, AntiVirmin 2009, and AntiSpyware 2009, they have interfaces similar to those of real antivirus apps. Some rogue antivirus products have their own keywords on search engines and cite fake reviews recommending them (including one that I supposedly wrote).

The rogue antivirus product that showed up on the New York Times site installed malware that, if executed, would have lowered the security settings in Internet Explorer, run executable files, and altered the system Registry. Such actions by phishing malware are fairly common. The real security apps knew it, too: legitimate antivirus vendors AVG, Comodo, Kaspersky, McAfee, Microsoft, Nod32 and Sophos (among others) detected this particular piece of malware within the first few hours.

PC World

Companies must inform customers of data breach

Although losses of personal data on paper aren’t covered under the law, Zachary Hammerman suggests firms should handle it the same way.

Businesses are now required by state law to tell Missouri customers when personal information is compromised and their identity is at risk of being stolen by hackers.

Fines up to $150,000 can be levied against businesses for willful noncompliance. Zachary Hammerman, an attorney in the intellectual property and technology transactions practice groups of Greensfelder, Hemker & Gale PC in St. Louis, has been advising business clients on how to comply with the new law, which went into effect at the end of August.

Why Most PCI Self-Assessments Are Wrong

Another fantastic article I found in the archives of Evan Schuman's StorefrontBacktalk on PCI compliance, written by David Taylor... it gives me the willies!

Written by David Taylor

The reason that so many PCI self-assessments are wrong is that they focus on the mainstream business processes of the company. They often ignore a lot of “back-channel” or “just-in-case” practices that result in card data coming into the company not protected by the various PCI and other data security measures to protect more mainstream applications, data repositories and processes.

Here are 3 examples, all of which come from personal experience: StoreFrontBackTalk

Thursday, October 22, 2009

Report: China building cyberwarfare capabilities

WASHINGTON – China is building its cyberwarfare capabilities and appears to be using the growing technical abilities to collect U.S. intelligence through a sophisticated and long-term computer attack campaign, according to an independent report.

Released Thursday by a congressional advisory panel, the study found cases suggesting that China's elite hacker community has ties to the Beijing government, although there is little hard evidence.

The commission report details a cyberattack against a U.S. company several years ago that appeared to either originate in or come through China and was similar to other incidents also believed to be connected to the country.

Nigeria's anti-graft police shut 800 scam websites

LAGOS — Nigeria's anti-corruption police said Friday they had shut down some 800 scam websites and busted 18 syndicates of email fraudsters in a drive to curb the cyber-crime for which the country is notorious.

"Over 800 fraudulent e-mail addresses have been identified and shut down," Economic and Financial Crimes Commission (EFCC) boss Farida Waziri said.

"There have been 18 arrests of high profile syndicates operating cyber-crime organisations," she added.


Wednesday, October 21, 2009

Coffins in the Mail Are a Trick of the Cybercrime Trade

There's never been a better time to get involved in cybercrime.

That's the tongue-in-cheek assessment of Uri Rivner, RSA's head of new technologies for identity protection and verification, who gave a presentation at the RSA security conference in London on Wednesday.

But there is truth in his quip -- the poor economy is driving people to find other work and it has become much easier for cybercriminals to recruit people, known as "mules," to carry out crucial duties for scams.

Seduced by promises of extremely high weekly pay while working only a few hours, people agree to do tasks such as reship goods or allow their bank accounts to receive funds for transfers elsewhere.

The problem is, the goods are stolen, and the mules' addresses are being used as drops, so the cybercriminals never have to receive directly the goods bought with stolen credit card data. Mules are also duped into allowing money to be transferred into their own bank accounts and then ordered to transfer the money elsewhere, a type of money laundering.

PC World

Experts See Forecast Worsen for Cybercrime

Law enforcement agencies can count a few recent victories against cybercriminals, but agents say the battle against them isn't getting any easier.

Highly organized cybercriminals are using increasingly sophisticated tools and methods that make them hard to trace, said Keith Mularski, supervisory special agent with the U.S. Federal Bureau of Investigation's Cyber Division.

"They have evolved over the years," Mularski said. "It really is organized crime."

Mularski, who spoke at the RSA conference in London on Wednesday, has had great success in infiltrating organized cybercrime rings. He successfully infiltrated a ring known as DarkMarket, an online forum where criminals bought and sold personal data, such as credit card numbers. DarkMarket was shut down about a year ago and 59 people were arrested, with the help of authorities in the U.K., Germany, Turkey and other countries.

While the DarkMarket bust was a big win, there are still such forums operating today and they're hard to infiltrate. New members must be vetted for reliability and to ensure they're not agents like Mularski.

The malicious software programs used to collect the data have become insidiously complicated and hard to detect. Financial organizations now are in a "raging battle" against "high-grade" weaponry, said Uri Rivner, RSA's head of new technologies for identity protection and verification, who gave a presentation earlier in the day at RSA.

Those programs go by names such as Sinowal -- also known as Mebroot and Torpig -- which is a nasty rootkit that burrows in a computer's master boot record below the OS. It may not even be removed by reinstalling the operating system. It can steal data and even modify the HTML of Web pages requested by a user.
PC World

Monday, October 19, 2009

Defending virtual borders

The risk to government networks and major financial institutions from cyber warfare is increasing every day but what is being done to defend national borders?

Estonia is an online-savvy state and champion of so-called 'e-government,' a paperless system with many government services online. The population can even vote via the web.

In 2007 a large number of Estonian government and financial websites were brought to a standstill as they came under sustained online attack.

On 4 July 2009, US and South Korean government websites and those of certain banks and businesses ground to a halt as they came under denial of service assaults. In the United States, the Pentagon and the White House were also targeted.

These cyber attacks were all initially thought to be orchestrated by countries unfriendly to Estonia, South Korea and the US and to date have been the highest profile examples of so-called cyber warfare.

Digital battlefield

Conventional warfare relies on tanks, troops, artillery, aircraft and a whole gamut of weapons systems. Cyber warfare requires a computer and an internet connection.

Professor Sommer claims that most of the attacks are over the internet

Rather than sending in the marines, the act of typing a command on a keyboard can have a devastating effect on computer systems and networks.

According to Clive Room of Portcullis Computer Security: "It is possible to bring an entire state to a standstill theoretically and we've seen it done on a small scale practically, so the threat ahead of us is very big indeed."

From criminal gangs trying to steal cash, to foreign intelligence services trying to steal secrets, the threat of cyber warfare is now very real.

Nato suspects that along with the tanks and troops involved in the conflict in Georgia in 2008, Russian forces also engaged in cyber attacks against Georgian government computer systems.

Professor Peter Sommer of the London School of Economics explained that cyber warfare should just be seen as a part of modern warfare in general:

"[Carl Von] Clausewitz said war is diplomacy conducted by other means. What cyber warfare gives you is a whole range of new types of technologies which you can apply."

Zombie machines

These international attacks are not isolated instances. Every day, government and corporate websites fend off thousands of attempts to infiltrate, hack and cause disruption.
BBC News

Millions tricked by 'scareware'

Online criminals are making millions of pounds by convincing computer users to download fake anti-virus software, internet security experts claim.

Symantec says more than 40 million people have fallen victim to the "scareware" scam in the past 12 months.

The download is usually harmful and criminals can sometimes use it to get the victim's credit card details.

The firm has identified 250 versions of scareware, and criminals are thought to earn more than £750,000 each a year.

Franchised out

Scareware sellers use pop-up adverts deliberately designed to look legitimate, for example, using the same typefaces as Microsoft and other well-known software providers.

They appear, often when the user is switching between websites, and falsely warn that a computer's security has been compromised.

If the user then clicks on the message they are directed towards another site where they can download the fake anti-virus software they supposedly need to clean up their computer - for a fee of up to £60.

Con Mallon, from Symantec, told the BBC the apparent fix could have a double impact on victims.

"Obviously, you're losing your own hard-earned cash up front, but at the back end of that, if you're transacting with these guys online you're offering them credit card details, debit card details and other personal information," he said.

"That's obviously very valuable because these cyber criminals can try to raid those accounts themselves or they can then pass them on or sell them to others who ultimately will try to use that information to their benefit not yours."

The findings were revealed in a report written following Symantec analysis of data collected from July 2008 to June 2009. Symantec said 43 million people fell for such scams during that period.

It has become so popular that the rogue software has been franchised out.

Fake reviews help build the credibility of bogus anti-virus software.

Mr Mallon said some scareware took the scam a step further.

"[They] could hold your computer to ransom where they will stop your computer working or lock up some of your personal information, your photographs or some of your Word documents.

"They will extort money from you at that point. They will ask you to pay some additional money and they will then release your machine back to you."

The scam is hard for police or other agencies to investigate because the individual sums of money involved are very small.

Therefore, experts say users must protect themselves with common sense and legitimate security software.

BBC News

Data losses in Snow Leopard bug

Users of the new Apple operating system Snow Leopard are experiencing massive data losses when logging into their machines under a guest account.

The problem appears to affect those who had a guest account enabled before upgrading to Snow Leopard.

Users have in some cases lost their entire main profile, including sites, pictures, videos and documents.

The problem, reported by more than 100 users on discussion forums, surfaced shortly after the OS's August release.

The issue follows closely on the heels of vast data losses by the Sidekick handset in the US, whose software was designed by Microsoft subsidiary Danger.

Unwelcome guest

Indications are that the Snow Leopard bug simply treats the principal account like a guest account - meaning that the account profile is wiped clean when logging out.

Users who first log into a guest account and then into their normal account have found it to be completely reset to factory default settings, with none of their personal data or files visible.

"I've been using Macs for decades...what the heck have I done here?" wrote user Wingrove on the Apple discussion forums on Monday.

BBC News

Fake security software in millions of computers: Symantec

WASHINGTON (Reuters) - Tens of millions of U.S. computers are loaded with scam security software that their owners may have paid for but which only makes the machines more vulnerable, according to a new Symantec report on cybercrime.

Cyberthieves are increasingly planting fake security alerts that pop up when computer users access a legitimate website. The "alert" warns them of a virus and offers security software, sometimes for free and sometimes for a fee.

"Lots of times, in fact they're a conduit for attackers to take over your machine," said Vincent Weafer, Symantec's vice president for security response.

"They'll take your credit card information, any personal information you've entered there and they've got your machine," he said, referring to some rogue software's ability to rope a users' machine into a botnet, a network of machines taken over to send spam or worse.
Saturday, October 17, 2009

WAKE UP! Red Flags Rule Is Here…

Can I Have Your Attention Please?

Ahem, down here guys...OK, here we go. Identity theft is a monolithic problem in the world today. Anyone from the savviest of business CEOs to the youngest babes in our society is at risk; this includes any entity such as a government or nonprofit agency. Not even the deceased are safe (so to speak) from this crime.

In fact, ID theft is the fastest growing white-collar crime in America, and why not? Most of the bad guys never get caught, and nearly all consumers continue to go about their daily lives as unwary as sheep to a shearing, only to find out too late that they have been led to a financial slaughterhouse in the aftermath of having their identity stolen.

More than ten million victims fall prey to identity theft in the United States each year, and the number of victims who report this crime continues to explode every year. The number of personal data records reported lost or stolen since 2005 is now more than 339,674,601, and this is estimated to be only 20% of the true figure!

What this really breaks down to is that more than half of all U.S. citizens (including small children) have had their personal information stolen. And the FTC says that every credit card ever issued (including bank cards) has been compromised...Yikes, each and every one!

Is it any wonder, then, that the Payment Card Industry (PCI) has decided it has had enough of covering the financial losses from credit fraud (in the billions), or that the Federal Trade Commission has finally decided to step in and take action to help stop the devastating effects of this crime by putting the liability for these breaches onto businesses through the Red Flags Rule?

Now keep in mind that credit fraud is only 33% of the problem. The other 67% is due to other nefarious practices, not the least of which are data breaches from within a company (i.e. a disgruntled employee, negligent security practices or, heaven forbid, no security at all) or outside breaches by cybercriminals known as black hat hackers, who take advantage of the low-hanging fruit that poor security leaves behind. This brings us back to the new federal laws and regulations known as the Red Flags Rule.

To whom do these laws and regulations apply?
The general rule of thumb is that if your business or entity collects, uses, transmits or stores any identifiable information about your customers and/or employees, you must comply with the laws and regulations. This includes: name, address, phone number, SS#, driver's license, birth dates, medical information, Tax ID# etc.

Not every law or regulation is applicable to every business but every business must meet minimum standards of information security or face heavy fines or even civil action should a breach occur.

What is a Red Flag?
A Red Flag is a potential sign that identity theft may be occurring, and businesses are required by the FTC to spot and act upon any red flags that may be a telltale sign of identity theft. Some of the requirements for compliance include:

• Developing a written red flags program to include: identifying potential red flags, detecting red flags, and a protocol to respond to red flags.

• Educating your employees on these protocols.

• Maintaining and updating your company red flags plan (this is a living law and is subject to change; it is up to you to know what the changes are).

Enforcement of the Red Flags Rule begins November 1st 2009, and ignorance of this law is no excuse. Be aware that states can enforce these laws as well, and many states have put their own special spin on what is required for a business to be compliant.

Who are candidates for the Red Flags Rule?

• Doctors, dentists, acupuncturists, chiropractors, massage therapists, nutritionists, mental health providers etc.

• Utilities

• Retailers

• Online merchants

• Telecommunications companies

• Debt collectors

• Employee benefit plans that sponsor a flexible spending account when it is arranged using a debit card.

What if I don’t comply?
Businesses subject to the Red Flags Rule must comply by Nov. 1, 2009 or face the possibility of enforcement action by the FTC in the form of fines or other legal action. The penalty alone, per name stolen or leaked, is a staggering $3,500! Your business will come to a halt while forensic investigators look into the cause of the data breach. And here's a fun stat for you: 50% of businesses that lose their critical data for 10 days or more have to file for bankruptcy immediately...fun stuff!

Moving right along, your business name by this time is more than likely "Mud", and in most states you are required to inform each and every customer that your company's data breach has put their good names in jeopardy (ouch); and if that isn't enough, the law also allows the consumer/victim the right to recoup their losses from you... I'm talking civil and, in some cases, even criminal suits here. Do I have your attention now?

So what can a business owner do to protect their business data from being harvested by a cyber crook on the take?

1. Education. Go to the FTC's website at FTC Red Flags Rule and learn the facts straight from the horse's mouth, and how they apply to your business.

2. Get the best internet protection you can for all of your company's computers, along with a crackerjack team of IT professionals: Safe PC Solution

3. Develop and start implementing your Company’s Red Flags Rules protocol.

4. A simpler way to do this is to have a team of experts work hand in hand with you to certify that your business is following all of the best practices, so that your company's important personal information doesn't fall prey to bad guys looking to sell it for a nickel a name! InfoSafe

In conclusion:
The US Dept. of Homeland Security released a statement in September of 2009 that says that "87% of breaches could be thwarted by simple to intermediate preventative measures."...WOW! Is that all?

Tracy Lund
Computer Security & Identity theft

(831) 661-0598

Why Don't Companies Make Security a Priority -- Six Tips for Garnering Executive Buy-In

Survey Shows Nearly Half of IT Professionals Polled Feel Their Web Sites Are Not Secure, but Only 40 Percent of Them Test Sites on a Regular Basis...

Great article from Tami Casey & Kulesa Faul from Cenzic on Marketwire-

NEW YORK, NY--(Marketwire - October 13, 2009) - SC World Congress -- Web application security and hackers are a key business issue, and in some cases the biggest threat for organizations. With intellectual property, critical client data and trade secrets being housed on internal and external Web applications, a security breach has the potential to destroy company reputation, brand and the business itself.

So in spite of the fact that the majority of IT professionals polled think their Web sites might not be secure, why are 63 percent of companies only testing their Web applications on a quarterly basis or less often? How are only 28 percent of respondents unaware of a security breach ever occurring at their company?

This data, culled from nearly 400 IT professionals, almost 50 percent of whom had annual corporate revenue of $100 million or more, comes from a survey on Web application security conducted by eMedia and sponsored by Cenzic. These results are surprising given recent high profile cybercrime headlines and an industry statistic those in the security trenches live by -- that according to Gartner 75 percent of all deployed Web applications are vulnerable to attack.

If management doesn't understand the seriousness of Web application security, how can the company's security professionals possibly get the support and financial backing they need to protect corporate assets? Buy-in from various levels of an organization is key; garner support by following these best practices:

Read more: Marketwire

Friday, October 16, 2009

Hacked Facebook Apps Lead to Fake Antivirus Software

New applications are turning up on Facebook. Unfortunately, some of them are fake antivirus programs.

While researching Web sites that host malicious software, Roger Thompson, chief research officer of software security company AVG, noticed something funny. A Russian Web site known for hosting malware was getting lots of referrals from Facebook.

On further investigation, Thompson found the referrals were coming from a Facebook application called "City Fire Department," a game where multiple players respond to emergency calls. The application had been modified to deliver an iframe, which is a way to bring content from one Web site into another.

PC World

A Rogue Demands A Ransom

Rogue antivirus pushers have made big bucks by tricking people into paying for worthless software, but the ever-greedy scammers have added a new evil trick.

One strain of the rogue AV, currently called Total Security 2009, will now block access to anything on your PC until you pay for a serial number for the rogue program. Attempts to open anything will instead pop-up a message claiming that the file is infected, and that you should "activate your antivirus software." Paying $79.95 for a serial number and "activating" the program allows you to use your PC once more, according to a post from antivirus maker Panda Security, but doesn't get rid of the scamming software.

Ransomware that holds files hostage has been around for years, but it has been a relatively small niche in the online black market. But where previous extortion attempts were obvious, even clumsy, this new twist uses yet another layer of social engineering to disguise the ransom demand as a supposed safety measure.

If you or someone you know is unlucky enough to fall victim to this rogue, Panda has posted a batch of serial numbers that will activate the fake app and unlock your files (next step would be to run all the real AV scans you can). However, scammers constantly change their rogue apps in an attempt to stay ahead of the real security software, so these numbers may not remain useful for long. Panda also has a demonstration video in its post.

PC World

Thursday, October 15, 2009

New iPhone 3GS May Be Jailbreak-Proof

The cat-and-mouse game between Apple and a cadre of hackers continues, as Apple is reportedly now shipping iPhone 3GS units that are jailbreak-proof. Several hackers specializing in iPhone 3GS jailbreaks are saying that the well-known 24kpwn exploit is no longer viable, because Apple is now shipping iPhone 3GS models with a new bootrom that can resist the hacking technique, according to iClarified.

If you think that last sentence sounded like a bunch of technical nonsense, you're not alone. So let's break this jailbreaking jargon down:

Death of the Hackable Bootrom

A bootrom is a computer chip used in mobile phones to check the device's software when you turn it on, and makes sure the device hasn't been tampered with. I'm not clear on what the iPhone bootrom can do if it detects a problem, but a Blackberry bootrom can shut down the device if a problem arises. To use the jailbreaking metaphor, think of the bootrom as the prison guard who checks that all the inmates are where they should be, before letting the prisoners go about their day.

Hackers used to get by the bootrom using the 24kpwn exploit that would make the guard think nothing was wrong, and everything was running normally within the iPrison. Before the iPhone 3GS came out, some hackers were worried the 24kpwn exploit wouldn't work. Fortunately for these computer rogues, Apple was not able to change the bootrom within its supply chain before the 3GS was launched.

But all that may have changed, since iPhone 3GS devices reportedly began shipping last week with an updated bootrom. Nicknamed iBoot-359.3.2, it is believed the new chip is not susceptible to the 24kpwn hack. Basically, the iPhone 3GS now has a smarter prison guard.

So what does this mean?

PC World

With Botnets Everywhere, DDoS Attacks Get Cheaper

Cyber-crime just doesn't pay like it used to...

Security researchers say the cost of criminal services such as distributed denial of service, or DDoS, attacks has dropped in recent months. The reason? Market economics. "The barriers to entry in that marketplace are so low you have people basically flooding the market," said Jose Nazario, a security researcher with Arbor Networks. "The way you differentiate yourself is on price."

Criminals have gotten better at hacking into unsuspecting computers and linking them together into so-called botnet networks, which can then be centrally controlled. Botnets are used to send spam, steal passwords, and sometimes to launch DDoS attacks, which flood victims' servers with unwanted information. Often these networks are rented out as a kind of criminal software-as-a-service to third parties, who are typically recruited in online discussion boards.

DDoS attacks have been used to censor critics, take down rivals, wipe out online competitors and even extort money from legitimate businesses. Earlier this year a highly publicized DDoS attack targeted U.S. and South Korean servers, knocking a number of Web sites offline.

Are botnet operators having to cut costs like other businesses in these troubled economic times? Security researchers don't know if that's been a factor, but they do say that the supply of infected machines has been growing. In 2008, Symantec's Internet sensors counted an average of 75,158 active bot-infected computers per day, a 31 percent jump from the previous year.

DDoS attacks may have cost hundreds or even thousands of dollars per day a few years ago, but in recent months researchers have seen them going for bargain-basement prices.

Nazario has seen DDoS attacks offered in the US$100-per-day range, but according to SecureWorks Security Researcher Kevin Stevens, prices have dropped to $30 to $50 on some Russian forums.

And DDoS attacks aren't the only thing getting cheaper. Stevens says the cost of stolen credit card numbers and other kinds of identity information has dropped too. "Prices are dropping on almost everything," he said.

While $100 per day might cover a garden-variety 100MB/second to 400MB/second attack, it might also procure something much weaker, depending on the seller. "There's a lot of crap out there where you don't really know what you're getting," said Zulfikar Ramzan, a technical director with Symantec Security Response. "Even though we are seeing some lower prices, it doesn't mean that you're going to get the same quality of goods."

In general, prices for access to botnet computers have dropped dramatically since 2007, he said. But with the influx of generic and often untrustworthy services, players at the high end can now charge more, Ramzan said.

PC World

Tuesday, October 13, 2009

Some PCI Compliance Facts

What is PCI DSS? The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Essentially, this means any merchant that has a Merchant ID (MID). It is important to note that the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.

To whom does PCI apply? PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accept, transmit or store any cardholder data (including nonprofits).

PCI compliance deadline? All merchants that store, process or transmit cardholder data must be compliant now.

What are the PCI compliance ‘levels’? All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period.

Merchant Level / Description

Level 1: Any merchant -- regardless of acceptance channel -- processing over 6M Visa transactions per year, and any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.

Level 2: Any merchant -- regardless of acceptance channel -- processing 1M to 6M Visa transactions per year.

Level 3: Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.

Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants -- regardless of acceptance channel -- processing up to 1M Visa transactions per year.

Level 4 merchants: You will have to refer to your merchant bank for its specific validation requirements and deadlines. All deadline enforcement will come from your merchant bank.

Does PCI apply if I only accept credit cards over the phone? Yes. All businesses that store, process or transmit payment cardholder data must be PCI compliant.

I'm in Canada; do I have to worry about it? Canada's deadline has come and gone. Both Canadian and UK merchants are required to be PCI compliant.

Is PCI compliance expensive? No, but non-compliance can be catastrophic. Non-compliance doesn't just result in lofty fines, credit card replacement costs and audit fees. Consider also the loss of business reputation and revenue.

70% of the cost of non-compliance was due to the loss of revenue!

What are the PCI Compliance Fines?

  • $3 to $10 per card for replacement costs
  • $5,000 to $50,000 (or more) in compliance fines
  • The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks then pass the fines down to the merchant. The bank is likely to either terminate your business relationship or increase your transaction fees.

The average cost of a data breach for a Level 4 merchant is $36,000 and can be as high as $50,000 (or more) for failure to meet PCI compliance.

Red Flags Rule Facts

What is the Red Flags Rule? Identity theft is the fastest growing crime in the 21st century. The Federal Trade Commission now requires all businesses (large or tiny) that collect and/or store personal information from customers to protect their customers' identities.

Candidates for Red Flag Rule compliance:

• Doctors, dentists, acupuncturists, chiropractors, massage therapists, nutritionists, mental health providers etc.

• Accountants

• Utilities

• Retailers

• Telecommunications companies

• Debt collectors

• Employee benefit plans that sponsor a flexible spending account when it is arranged using a debit card.

What if I don’t comply? Firms that are subject to the Rule must comply by Nov. 1, 2009 or face the possibility of enforcement action by the Federal Trade Commission (FTC).

What is the penalty? A $3,500 fine per customer whose data is stolen or leaked.

Cybercrime is the fastest growing white collar crime in the world. Cybercriminals generate more profit now than the illegal drug trade.

50% of businesses that lose their critical data for 10 days or more have to file for bankruptcy immediately!

Cyber Criminals Find New Ways to Attack

Cyber criminals are finding new ways to steal information, including infecting legitimate Web sites with Trojans and creating rogue software packages that look legitimate but contain malware, cybersecurity experts warned.

Recent months have seen a rise in sophisticated attacks, also including so-called spear phishing, an e-mail scam targeted at a small group of people, a group of cybersecurity professionals said Tuesday at a TechAmerica cybersecurity forum in Washington, D.C. Spear phishing is a form of the common phishing scam, but instead of a fake e-mail that looks like it comes from a bank or e-commerce site, it instead looks like it comes from someone you know, such as an executive at your company.

Cyber criminals are now focusing on compromising trusted sources of information, by installing Trojans on legitimate Web sites or faking e-mail messages from people known to would-be victims, asking them for personal information, said Eric Cole, cybersecurity senior fellow at Lockheed Martin. In early 2007, two Web sites affiliated with the Miami Dolphins football team were compromised with malicious code, and earlier this year a site affiliated with rock star Paul McCartney contained malicious code.

There are tens of thousands of other legitimate Web sites infected with malware, said Uri Rivner, head of new technologies for consumer identity protection at RSA Security, a cybersecurity vendor. RSA is seeing a recent spike in compromises from the password-stealing Torpig or Sinowal Trojan, around since mid-2007, largely due to infected legitimate sites, he said.

The rule "used to be, 'don't go to the bad part of the Internet,'" Cole said. "'Don't go to those evil parts where bad things are happening.' I don't think most of us ... consider Paul McCartney a bad site."

Microsoft has seen a "tremendous rise" in rogue software being downloaded in the past year, said Vinny Gullotto, general manager of the Microsoft Malware Protection Center. In many cases, the rogue software is disguised as antivirus software and tricks people into downloading it by telling them they have viruses on their computers, he said.

Web users should only download cybersecurity software from a trusted source, he said.

PC World

Saturday, October 10, 2009

Another great article sent in by my good bud Eric Cissorsky on the Red Tape Blog by Bob Sullivan...

Would you sign up for a discount with your power company in exchange for surrendering control of your thermostat? What if it means that, one day, your auto insurance company will know that you regularly arrive home on weekends at 2:15 a.m., just after the bars close?

Welcome to the complex world of the Smart Grid, which may very well pit environmental concerns against thorny privacy issues. If you think such debates are purely philosophical, you’re behind the times.

Maryland residents this month received fliers offering annual discounts of up to $100 in exchange for allowing their power company, Pepco, to occasionally shut off their air conditioning units during hot days, when demand is high. Pepco says consumers will hardly notice the change, and the two-way communication between utility and appliances will go a long way toward preventing brownouts.

Pepco’s discount plan is among the first signs that the futuristic “Smart Grid” has already arrived. Up to three-fourths of the homes in the United States are expected to be placed on the “Smart Grid” in the next decade, collecting and storing data on the habits of their residents by the petabyte. And while there’s no reason to believe Pepco or other utilities will share the data with outside firms, some experts are already asking the question: Will saving the planet mean inviting Big Brother into the home? Or at least, as Commerce Secretary Gary Locke recently warned, will privacy concerns be the “Achilles’ heel” of the Smart Grid?

To advocates, the Smart Grid means appliances will work in electric harmony: Icemakers will operate only when the washing machine isn't, TVs will shut off when viewers leave the room, and so on. All of these gadgets will be wirelessly connected to the Internet. Households with solar panels will actually be able to sell their excess energy back to the power company. The result: lower power consumption, lower power bills, people and planet happier. That's the grand vision of the Smart Grid, a plan to upgrade power meters and electronic devices so they all constantly communicate.

Continue article: Red Tape Blog

Friday, October 9, 2009

Comcast tries pop-up alerts to warn of infections

PHILADELPHIA — Comcast Corp. wants to enlist its customers in a fight against a huge problem for Internet providers — the armies of infected personal computers, known as "botnets," that suck up bandwidth by sending spam and facilitating cybercrime.

The country's largest provider of high-speed Internet to homes started testing a service this week in Denver in which Comcast sends customers a pop-up message in their Web browsers if their computers seem to have been co-opted by a botnet. One botnet can have tens of thousands or even millions of PCs.

The message points to a Comcast site with tips for cleaning infected computers. It reads: "Comcast has detected that there may be a virus on your computer(s). For information on how to clean your computer(s), please visit the Comcast Anti-Virus Center."

Comcast said users can close the warning banners if they wish, but they cannot opt out of receiving them. A reminder will return every seven days while a computer appears to be infected.

The program, which Comcast hopes to roll out nationally, is one of the most aggressive moves yet by a major Internet provider to curb what's become a scourge on the Internet.

Botnets are a part of most serious cybercrime. They're used to steal credit card numbers, carry out so-called "denial-of-service" attacks that bring down Web sites and send spam by hijacking e-mail accounts and Internet connections.

A computer can fall into the sway of a botnet when it is infected with malicious software that puts the machine under the control of criminals, who use the anonymity provided by having so many zombie machines at their disposal to cover their tracks.

Thursday, October 8, 2009

Air Force activates new cyberspace defense unit

The Air Force has activated a new communications organization that will support the Air Force's Space Command, a new command that combines space and cyber-space operations under one organization. The new 689th Combat Communications Wing, headquartered at Robins Air Force Base in Georgia, specializes in deployed communications.

The wing will play a support role in combat theaters where resources are sparse, such as Afghanistan, and in humanitarian aid operations, according to the Air Force. The dedicated cyber command, the 24th Air Force, reports to the Air Force Space Command. The Air Force created the cyber command this year, and it became operational Aug. 18.

"As we activate the Combat Communications Wing, that fills in a critical niche," Maj. Gen. Richard Webber, commanding general of the 24th Air Force, said at a commemorative ceremony Oct. 5, according to a report from a local news service. Webber added that the "cyber warriors" would have a "high rate of deployment," the report said.

The 24th Air Force's integration under Space Command represents a landmark in Air Force operations, combining space and cyberspace under a single organization. Like traditional Air Force units, the 24th is set to provide forces for combat -- but unlike traditional units, these forces can also conduct cyber warfare.

Thanks again to my bud Eric Cissorsky for this chestnut!

Wednesday, October 7, 2009

Scammers Exploit Public Lists of Hijacked Hotmail Passwords

Scammers have grabbed the Hotmail passwords that leaked to the Web and are using them in a plot involving a fake Chinese electronics seller to bilk users out of cash and their credit card information, a security researcher said today.

"We've seen a 30% to 40% increase in these types of spam messages in the last several days," said Patrik Runald, senior manager of Websense's security research team. "By 'these types of spam,' I mean messages that are advertising great consumer electronics bargains, such as cameras and computers."

The messages shill for a fake electronics retailer in China, and provide a link to its site, said Runald, who added that the ensuing domain looks legitimate enough but is simply a front. "They're offering great deals -- MacBook Pros going for $700, when they really cost $1,200 or $1,500," he said of the bogus retailer.

Consumers duped by the scam have reported on Web forums that they never received the goods they ordered. "There are tons of people posting this," claimed Runald. "But it's just a scam. Not only are they out the money they paid [for the non-existing items], but the scammers have their credit card number, their mailing address and everything else they need to make other purchases with the card."

The link to the Hotmail passwords is circumstantial, admitted Runald, but still credible.

"The increase in spam started as these lists became public knowledge," said Runald, who speculated that the scammers had simply taken advantage of the work of other criminals, grabbing the account information from the Web and then using those compromised accounts to send spam. "Since the lists made it into the public domain, they've been piggybacking," he said, of the scammers.

Another clue that hints at a connection between the spam spike and the hijacked Hotmail passwords is the claim consumers have made that they bit on the bogus China retailer scam because they'd received the messages from friends.

"They're saying that they received these messages from friends," said Runald, "but when they get in touch with that friend, he says 'I lost my account details' in the recent phishing attack. So it makes perfect sense that there's a connection."

New York Times

Citing cybercrime, FBI director doesn't bank online

IDG News Service - The head of the U.S. Federal Bureau of Investigation has stopped banking online after nearly falling for a phishing attempt.

FBI Director Robert Mueller said he recently came "just a few clicks away from falling into a classic Internet phishing scam" after receiving an e-mail that appeared to be from his bank.

"It looked pretty legitimate," Mueller said Wednesday in a speech at San Francisco's Commonwealth Club. "They had mimicked the e-mails that the bank would ordinarily send out to its customers; they'd mimicked them very well."

In phishing scams, criminals send spam e-mails to their victims, hoping to trick them into entering sensitive information such as usernames and passwords at fake Web sites.
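The paragraph above describes the mechanism but not what a defender can actually check. The following added example (not from the article or any product it mentions) shows the two simplest mechanical tells of a phishing mail: a link whose visible text is a URL on one domain while its href points to another, and a link host that borrows a trusted brand's name on an untrusted domain. The e-mail body and the domains (examplebank.example, example.net) are constructed for the example; the registered-domain logic is deliberately naive and assumes a two-label domain.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a bank-style HTML e-mail. The first link shows the
# bank's real-looking URL as text but sends the reader somewhere else;
# the second is a legitimate link. All domains are hypothetical.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please verify your account:</p>
<a href="http://examplebank-secure-login.example.net/verify">https://www.examplebank.example/login</a>
<p>Or contact us at <a href="https://www.examplebank.example/help">examplebank help</a></p>
"""

# Domains the organisation actually owns (assumed for the example).
TRUSTED_DOMAINS = {"examplebank.example"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in the mail."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def registered_domain(host):
    # Naive: keep the last two labels. Real checks need the public suffix list
    # (e.g. co.uk), but this is enough to show the comparison.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_links(html, trusted):
    """Return a list of findings for links that show classic phishing tells."""
    findings = []
    brand_labels = {d.split(".")[0] for d in trusted}
    for href, text in extract_links(html):
        host = urlparse(href).hostname or ""
        href_dom = registered_domain(host)
        reasons = []
        # Tell 1: the visible text is itself a URL, but on a different domain
        # from the one the href actually goes to.
        m = re.search(r"https?://([^/\s]+)", text)
        if m and registered_domain(m.group(1)) != href_dom:
            reasons.append("display URL domain differs from href")
        # Tell 2: the host is not one we own but embeds our brand name
        # (examplebank-secure-login.example.net style lookalikes).
        if href_dom not in trusted and any(b in host for b in brand_labels):
            reasons.append("lookalike host uses trusted brand name")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_links(SAMPLE_EMAIL_HTML, TRUSTED_DOMAINS):
        print(f["href"], "->", "; ".join(f["reasons"]))
```

Run on the constructed mail, only the first link is flagged, and it trips both tells. A mail gateway or user-side add-in would apply the same two comparisons to every link before the reader ever sees it.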

Though he stopped before handing over any sensitive information, the incident put an end to Mueller's online banking.

"After changing our passwords, I tried to pass the incident off to my wife ... as a teachable moment," he said. "To which she deftly replied, 'Well, it is not my teachable moment. However, it is our money. No more Internet banking for you.'"

Mueller said he considers online banking "very safe" but that "just in my household, we don't use it."

Phishing has evolved into a big problem, not just for banks, but for online retailers and even providers of consumer Web applications such as Facebook and Yahoo.

In June -- the latest month for which figures are available -- the Anti-Phishing Working Group counted nearly 50,000 active phishing Web sites, the second-highest number it has ever recorded.

Late last week, criminals posted tens of thousands of passwords belonging to Microsoft Live Hotmail, Gmail, and Yahoo accounts online. They are all thought to have been stolen via phishing.

Computer World

FBI smashes US-Egypt cyber 'phishing' ring

LOS ANGELES — Investigators in the United States and Egypt have smashed a computer "phishing" identity theft scam described as the biggest cyber-crime investigation in US history, officials said Wednesday.

The Federal Bureau of Investigation said 33 people were arrested across the United States early Wednesday while authorities in Egypt charged 47 more people linked to the scam.

A total of 53 suspects were named in connection with the scam in a federal grand jury indictment, the FBI said.

Authorities said the sophisticated identity theft network had gathered information from thousands of victims which was used to defraud American banks.

Wednesday's arrests were the culmination of a two-year probe involving US and Egyptian officials dubbed "Operation Phish Phry."

The investigation was described in a statement as the largest cybercrime investigation to date in the United States.

A series of raids early Wednesday resulted in arrests in California, Nevada and North Carolina.

A 51-count US indictment charges all defendants with conspiracy to commit wire fraud and bank fraud, while various defendants are also charged with aggravated identity theft and conspiracy to commit computer fraud.

"The sophistication with which Phish Phry defendants operated represents an evolving and troubling paradigm in the way identity theft is now committed," FBI Los Angeles acting assistant director Keith Bolcar said.

"Criminally savvy groups recruit here and abroad to pool tactics and skills necessary to commit organized theft facilitated by the computer, including hacking, fraud and identity theft, with a common greed and shared willingness to victimize Americans."

According to an unsealed indictment, Egyptian-based hackers obtained bank account numbers and personal information from bank customers through phishing, and then hacked into accounts at two unidentified banks.

Once compromised accounts had been accessed, hackers in Egypt contacted conspirators based in the United States via text messages, phone calls and Internet chatrooms to arrange transfer of cash to fraudulent accounts.

"This international phishing ring had a significant impact on two banks and caused huge headaches for hundreds, perhaps thousands, of bank customers," acting US Attorney George Cardona said in a statement.

The investigation comes hard on the heels of a security breach targeting thousands of Microsoft Hotmail accounts.

Cyber-crooks evidently used "phishing" tactics to dupe users of Microsoft's free Web-based email service into revealing account and access information, according to the US technology giant.

Tuesday, October 6, 2009

Windows Attack Code Out, but Not Being Used

It has been a week since hackers released software that could be used to attack a flaw in Windows Vista and Server 2008, but Microsoft and security companies say that criminals haven't done much with the attack.

Late Monday, Microsoft said it hadn't seen any attacks that used the vulnerability, an analysis that was echoed by security companies such as SecureWorks, Symantec and Verisign's iDefense unit.

While criminals jumped on a similar flaw a year ago, using it in widespread attacks that ultimately forced Microsoft to rush out a security patch ahead of its monthly set of security updates, that hasn't happened with this latest bug, which lies in the SMB v2 software used by Vista and Server 2008 to do file-and-printer sharing.

SecureWorks researcher Bow Sineath said today that there are several reasons why this latest attack has not been picked up. The main reason is probably that the Metasploit code doesn't work as reliably as last year's MS08-067 attack, and often causes the computer to simply crash instead of running the hacker's software.

SMB v2 is typically blocked at the firewall, and it does not ship with Windows XP, meaning that the Metasploit attack will not work on the majority of PCs. Vista, the only Windows client that is vulnerable to the attack, is used on about 19% of computers that surf the Web, according to Web analytics firm Net Applications. Windows XP runs on 72% of PCs.

Because of these factors, the SMB v2 flaw is simply not "all that popular of a target," Sineath said.

Last week, Dave Aitel, CEO of security tool vendor Immunity, predicted that Microsoft would not need to patch the bug ahead of its scheduled Oct. 13 security patch date.

The Metasploit attack makes certain assumptions about the computer's memory that allow it to work in certain hardware configurations, but in many situations, it simply doesn't work, Aitel said.

"I asked the Immunity team to take a look into the new exploit to assess whether Microsoft would patch the SMB v2 bug early, and our initial assessment is 'No, they will not,'" he wrote in a discussion list post last Tuesday. "Working around this issue in the current public exploit is probably two weeks of work. At that point, we're nearing Microsoft Tuesday and the need for an out-of-band patch is moot."

The Metasploit team is still working on its attack, however. On Sunday, Metasploit posted details of a new way of exploiting the bug and said it was working on a module that takes advantage of this so-called trampoline technique.

If the trampoline method works and makes the Metasploit attack more reliable, criminals are likely to start using it, SecureWorks said.

Computer World