Monday, November 30, 2009
Experts say EHR systems might actually facilitate identity theft because the tools make patient medical information more easily accessible.
Hackers who steal patient data might file false medical bills to obtain money from insurance companies, Medicare and other payers. As a result, individuals who experience identity theft might face mounting medical bills and could exhaust their lifetime coverage benefits. In addition, insurance companies might label such individuals as uninsurable because of their perceived high medical costs.
Medical identity theft also could alter crucial information contained in a patient's EHR, such as allergies, blood type and medical history. Such data manipulation could have serious consequences if physicians use the faulty information when treating the patient. ihealthbeat
Along with an embossing machine, police seized scanners, printers and four computers at the Buena Vista Avenue apartment, where officers also said they found 11 ounces of cocaine.
Personal information belonging to about 25 people was discovered at the apartment, police said.
Suspect Vandale Sims, 36, began renting the unit in September, but investigators think he was actually living in Oakland and that he used the apartment as a workshop. Contra Costa Times
Sunday, November 29, 2009
Blumenthal said Health Net lost the information in May, but never informed consumers, the police or his office about the loss of information until today.
He said the six-month delay in giving notice to consumers and the state could be a violation of the law.
"I am outraged and appalled by Health Net's huge loss of personal, financial and medical information and its failure to swiftly inform authorities and consumers," Blumenthal said. "This information vanished six months ago, but Health Net is only now informing authorities and consumers, an inexcusable and inexplicable delay."
Blumenthal said the information was on a hard drive that disappeared from Health Net's Shelton office. The hard drive included all data on 446,000 Connecticut patients, including health information, as well as financial and personal data such as social security and bank account numbers. The data was compressed, but not encrypted, although a specialized computer program is required to read it.
Alice Ferreira, a spokeswoman for Health Net, said they were initially unable to determine what information was on the lost drive, forcing the company to conduct a lengthy investigation, which included a detailed forensic review by computer experts. Hartford Business
Health Net Inc. announced Wednesday that it is investigating a healthcare data security breach that resulted in the loss of patient data, affecting 1.5 million customers.
The Woodland Hills, Calif.-based managed healthcare provider said the lost files, a mixture of medical data, Social Security numbers and other personally identifiable information, were collected over the past seven years and contained on a portable external hard drive, which was lost six months ago. The company said the healthcare data was not encrypted, but was formatted as images and required a specific software application to be viewed. The hard drive contained data on 446,000 Connecticut patients.
The company reported the breach Wednesday to the state attorneys general's offices in Arizona, Connecticut, New Jersey and New York. Health Net said it was beginning the data security breach notification process of sending out letters to its customers. The company said it expects to send notification letters the week of Nov. 30. Search Security
Cybrhost has alerted its subscriber base to the July 1, 2010 deadline for shopping carts to become PA-DSS compliant and Whitted has fielded numerous inquiries from merchants regarding the mandate.
Whitted says he recognizes that many of the more than 350 shopping carts, by Practical eCommerce's count, available to merchants have not been PA-DSS certified. “I do think this [the mandate] is going to push some of those smaller carts out. It’s a major investment to get your application certified. And then it’s a recurring process,” he says.
Three Options for Users of Non-compliant Shopping Carts
If an ecommerce merchant’s shopping cart provider is not PA-DSS compliant or in the process of becoming certified, Whitted says there are three options.
1. Outsource to an alternative payment solution.
Alternative payment solutions such as Google Checkout and PayPal Express Checkout allow merchants to outsource the checkout process. Payment information is not handled by the merchant. As a result, the merchant’s shopping cart is not considered a payment application and doesn’t fall under the PA-DSS mandate.
Whitted notes, however, that there are several downsides to this option: Outsourcing is generally a more expensive proposition, there are occasional technical glitches involved with the handoff between the shopping cart and the alternative payment system, and you’re giving some control of your business’ information to “Paypal or Checkout by Amazon or whoever you choose.”
2. Switch to a different shopping cart provider.
There are a variety of shopping carts that have applied for and received certification.
“Some of the ecommerce applications that are ahead of the curve and are going through the certification process proactively are going to benefit from people who make this decision (to switch),” Whitted says.
3. Do nothing and see if PA-DSS compliance is enforced.
Acquiring banks or processors are responsible for enforcement of PCI compliance. “Who knows how Visa or MasterCard will handle it?” questions Whitted. “They may be understanding or more extreme.” He notes, however, “Most businesses are not going to want to live by the seat of their pants.” Practical Ecommerce
The organization says the old rule of thumb plays a big role here; if the price is too good to be true, there is probably a catch.
You should avoid web sites with spelling or grammar errors.
Also, you might want to avoid businesses that accept wire transfer payments only.
The group says even if you see a seal from certifying organizations, be wary.
When you click on the seal, you should be directed to the certifier's web site.
If not, the Better Business Bureau says it's most likely a scam. ABC
Jemesa Lave of the police cyber crime unit said in these two years, it was anticipated that more complicated technological crimes would be perpetrated in Fiji.
Coupled with this, he said was the anticipated shift from conventional criminal operations to cybercrime.
"We need legislation, we need to ensure that standards are put in place to address computer crime issues," Mr Lave said.
He said people needed to be aware that computer crimes knew no borders. Fiji Times
Friday, November 27, 2009
The original Panda worm, also known as Fujacks, caused widespread damage at a time when public knowledge about online security was low, and led to the country's first arrests for virus-writing in 2007. The new worm variant, one of many that have appeared since late 2006, adds a malicious component meant to make infection harder to detect, said Vu Nguyen, a McAfee Labs researcher.
"It has gotten more complex with the addition of a rootkit," said Nguyen. "It definitely makes it more challenging for users to clean up and even to know that their systems have been compromised."
A rootkit burrows into a system to try to hide the existence of malware.
The first Panda worm gained fame in China for switching the icons of infected files with an image of a panda holding three incense sticks. The same image would also flash across a victim's screen, but the worm's final goal was to install password-stealing Trojan horses. The worm infected millions of PCs, according to Chinese state media. Its author was ordered to write a removal tool for the worm and later sentenced to four years in prison. Tech Shout
Wednesday, November 25, 2009
The code exploits an Internet Explorer bug that was disclosed last Friday in a proof-of-concept attack posted to the Bugtraq mailing list. That first code was unreliable, but security experts worried that someone would soon develop a better version that would be adopted by cyber-criminals.
The original attack used a "heap-spray" technique to exploit the vulnerability in IE. But for a while Wednesday, it looked as though the Metasploit team had released a more reliable exploit. Computer World
"The Metasploit exploit that was released last night will be more reliable against certain attacks than the initial exploit," said Ben Greenbaum, senior research manager with Symantec, in an interview Wednesday.
As of Wednesday morning, Symantec had not seen the exploit used in Internet-based attacks, but security experts say this type of code is for a very popular hacking technique called a drive-by attack. Victims are tricked into visiting Web sites that contain malicious code where they are then infected via the browser vulnerability. Criminals also place this type of code on hacked Web sites in order to spread their attacks. PC World
This Friday is Black Friday--officially kicking off the 2009 holiday shopping season. Online attackers and malware developers know how to capitalize on current events, and the rush to find great holiday bargains offers a prime opportunity to exploit eager shoppers. Here are five tips to help you shop online securely. Continue tips PC World
Secret Service Investigation, Class Action Lawsuit, Cast Shadow Over Radiant Systems and Distributor
The restaurants are seeking millions of dollars in damages from Radiant and Computer World.
“Our clients are restaurants. They are food experts, not technologists. When major players in the hospitality industry such as Radiant Systems and its distributors say their software and business practices are PCI-DSS compliant, our clients trust them,” said Charles Hoff of the Law Offices of Charles Y. Hoff, PC, general counsel for the Georgia Restaurant Association and one of the attorneys acting as a legal advisor to the restaurants in the lawsuit.
Hoff continued: “When those claims of compliance and proper security practices turn out to be false, the restaurants are left to suffer huge financial losses due to financial penalties imposed by the credit card companies. Their reputations are tarnished. We’re determined not to let Radiant and Computer World simply walk away from their responsibilities.”
PCI-DSS is a comprehensive set of technological requirements and consumer protections created by the major credit card companies to safeguard point of sale (POS) systems from hackers and protect consumers from identity theft. POS system vendors must follow these standards, and any business accepting credit cards for payments (such as restaurants) is contractually obligated to use equipment and software from PCI-DSS compliant vendors. The penalties for retailers that have their systems breached can be massive, even if the problems are the fault of the hardware and software vendors. PRLog
Internet security and climate change had a surprising run-in last week, as thousands of emails from the University of East Anglia's Climate Research Unit wound up on climate-skeptic web sites. The University says it is cooperating with police and launching its own investigation into how the emails wound up online.
While many universities have suffered data breaches by cybercriminals, the fact that this data was released to anti-climate change sites strongly suggests the breach was politically motivated, said Andrew Storms, director of security operations at nCircle Security. "There is no doubt in my mind that the break-in was a targeted attack," Storms said.
"Cybercriminals seek assets worth value on the black market -- private and personal information primarily. Large amounts of emails about climate research aren't worth much when it comes to identity theft," Storms said. "Further, if the attackers felt there was monetary value in this information, they would not have leaked it so readily." Top Tech News
Tuesday, November 24, 2009
Anyone who used a Visa or Mastercard credit card when in Spain may have had their card data compromised.
In Germany, as many as 100,000 cards are reportedly being recalled. UK customers will be contacted directly if they are thought to be at risk.
Card holders are being assured that they will be protected against this type of fraud, but are being advised to check their statements. BBC News
The sentences, ranging from 32 to 51 months in prison, were handed down by US District Judge Marianne Battani in federal court in Detroit, the department said in a statement.
How Wai John Hui, 51, a resident of Hong Kong and Canada, was sentenced to 51 months in prison for wire fraud, money laundering and conspiring to commit wire fraud, mail fraud and to violate the Spam Act, it said.
Hui, the former chief executive of a company called China World Trade, was sentenced to three years of supervised release following his prison term and agreed to forfeit 500,000 dollars to the United States, it said.
Alan Ralsky, 64, of West Bloomfield, Michigan, and his son-in-law, Scott Bradley, 48, also of West Bloomfield, were sentenced to 51 months and 40 months in prison respectively on the same charges. AFP
The danger of corporate computers becoming infected by worms has risen dramatically recently, according to a new study by Microsoft.
The study showed that, globally, the chances of infection by a computer worm had increased by almost 100 percent when comparing the first half of 2009 with the same six-month period in 2008.
The threat is focused mainly on business computers. Private users get off lightly, by comparison, partially because they are more likely than corporate customers to make sure their computers have the newest security software installed.
Germany and Austria both have PC infection rates significantly below the global average of 0.87 percent: 0.3 and 0.21 percent, respectively.
Germany usually performs well in such tests, said Microsoft spokesman and security expert Thomas Baumgaertner. That lies partially in the fact that Germany has a wide degree of penetration for fast DSL lines. That solid infrastructure ensures that computer users regularly update their security software.
Despite the higher risk of worm attacks, the study says worms only make up about 6.7 percent of all attacks, meaning they are only the fourth most predominant threat. Trojan horse attacks claim first place in Germany, with 39.5 percent of all attacks. Enterprise Security Today
Kevin Trenberth, head of the climate analysis section of the U.S. National Center for Atmospheric Research in Boulder, said the hackers' intentions may have been to influence discussions in an upcoming global climate change summit in Denmark.
"It comes down to politics at sort of all levels, and some of it's nasty and some of it is trying to destroy the message or even kill the messenger so to speak," Trenberth said Monday in an interview with The Associated Press.
The University of East Anglia, in eastern England, said hackers last week stole about a decade's worth of data from a computer server at the university's Climatic Research Unit, a leading global research center on climate change.
About 1,000 e-mails and 3,000 documents have been posted on Web sites and seized on by climate change skeptics, who claim correspondence shows collusion between scientists to overstate the case for global warming, and evidence that some have manipulated evidence. Washington Post
Monday, November 23, 2009
It is specifically targeting people in the Netherlands who are using their iPhones for internet banking with Dutch online bank ING.
It redirects the bank's customers to a lookalike site with a log-in screen.
The worm attacks "jail-broken" phones - a modification which enables the user to run non-Apple approved software on their handset.
The handsets at risk also have SSH (secure shell) installed.
Many people use SSH so other programs can remotely connect to an iPhone and, among other things, transfer files. It comes with a default password, "alpine", which should be changed.
Users who have installed SSH and not changed the password are especially at risk.
The new worm is more serious than the first because it can behave like a botnet, warns F-Secure.
This enables the phone to be accessed or controlled remotely without the permission of its owner. BBC News
A source who’s seen the worm in the wild tells Macworld that, after compromising the phone, the worm goes on to replace the phone’s copy of the SSH remote login software, changes the root password (so you can’t stop the worm without wiping the phone), skims your SMS database, checks in with its Lithuania-based overlords via the network, and then starts running a piece of software that searches for other vulnerable phones on both the local network and known IP address ranges of specific Internet Service Providers (mostly European). Somebody should have told the worm that nobody likes overachievers.
The Payment Card Industry Data Security Standard (PCI DSS) has been a world-changing experience for many midmarket businesses, retailers and credit card processors that previously had little or no regulatory oversight for security.
"PCI has been their baptism," said Steve Alameda, principal consultant of Data SafeGuard of San Francisco. "It's one heck of a way to get baptized."
Consultants who devote part or most of their activities helping smaller organizations -- mostly those with Level 3, 4 and some Level 2 requirements for self-assessment -- share some of the difficult lessons learned in the trenches.
Lesson 1: Don't Underestimate PCI
Astonishingly, there's anecdotal evidence that some smaller companies are still unaware they must comply with PCI. Level 4 merchants, those processing fewer than 20,000 transactions annually, are slower to get the word.
Assuming your business is not in that situation, you're facing requirements that are growing increasingly demanding. Self-Assessment Questionnaire D, which most covered organizations are required to complete, is far more detailed than what the questionnaire originally required in 2007. Most companies often turn to consulting help for a variety of reasons:
Lack of knowledge about their own environment. Small companies are wrapped up in doing business, not doing security. Once they realize what they have to protect and all the ways they might be exposed, light bulbs go off.
Inability to comprehend the requirements. Few small companies have security people and most have, at most, a small IT staff that lacks the time and/or expertise to understand and complete the assessment.
The requirements sink in. Organizations start out doing a self-assessment, then realize as they proceed they may have bitten off more than they can chew.
Nobody wants to get it wrong. No one wants to go to the president and tell him/her that after all the time and money spent, the company is still not compliant.
Companies think they have adequate security to meet the requirements. To most small businesses, that's desktop AV and a firewall.
This may also mean underestimating cost. Companies that do their homework, either internally or in combination with outside help, will have a realistic expectation of what they'll need to spend in terms of manpower, technology and services. For example, while they have AV and a firewall, chances are they have never given a thought to purchasing log management, IDS or file integrity-monitoring tools, let alone a Web application firewall.
Also, small companies, unlike enterprises or smaller organizations in heavily regulated industries, are not accustomed to refreshing equipment, such as point-of-sale systems, every few years. In many cases, they need to either upgrade or replace older equipment to become or remain compliant.
Companies do not, typically, anticipate they will have to make some fundamental changes in the way they do business. It's not a matter of tacking on security, even for the little guys. You may, for example, store credit card information in Excel spreadsheets. Now you need to convert all that information into databases and protect them.
"It's one of the hidden costs of PCI. I can't tell you how many businesses we walk into where they have paper records -- a warehouse of credit card receipts that's intermixed with invoices, etc." said Seth Peter, CTO of Minneapolis-based consultancy NetSPI. "One big area where companies underestimate costs is how do you stop doing that and how do you go back and clean it up?"
"They feel their environment is in pretty good shape, and don't think they'll need to make many changes," said Data SafeGuard's Alameda. "Then the reality hits that there will be a lot of changes." TechTarget
New York – October 6, 2009 – Kaplan Fox & Kilsheimer LLP has been investigating Ada, Oklahoma-based Pre-Paid Legal Services Inc. (“Pre-Paid Legal” or the “Company”) (NYSE: PPD) for potential violations of the federal securities laws. Investors who purchased Company securities may be affected.
On October 6, 2009, Pre-Paid Legal reported the receipt of a subpoena from the Division of Enforcement of the Securities and Exchange Commission (“SEC”) in connection with a “fact-finding inquiry”. The Company’s October 6, 2009 press release stated as follows regarding the investigation: Kaplan Fox
Sunday, November 22, 2009
Whether you think PCI is a useful standard that makes our credit card data safer or a credit card industry whitewash that merely creates the illusion of security, PCI compliance is a fact of life.
As part of PCI compliance, companies that process a high volume of credit card transactions must submit to an annual assessment by a qualified security assessor, or QSA. For example, Visa requires it of merchants that process 6 million or more transactions. Assessors work for third-party organizations and generally visit companies to examine their processes and determine whether they comply with PCI rules.
To help companies get ready for an evaluation, we asked QSAs to describe common problems they encounter when working with IT groups on PCI compliance. What follows are five best practices to help companies better prepare for an assessment and maintain compliance. Information Week
The code was posted Friday to the Bugtraq mailing list by an unidentified hacker. According to security vendor Symantec, the code does not always work properly, but it could be used to install unauthorized software on a victim's computer.
"Symantec has conducted further tests and confirmed that it affects Internet Explorer versions 6 and 7," the company wrote on its Web site Saturday. "We expect that a fully-functional reliable exploit will be available in the near future."
Security consultancy Vupen Security has also confirmed that the attack works, saying it worked on a Windows XP Service Pack 3 system running IE 6 or IE7. Neither company was able to confirm that the attack worked on Microsoft's latest browser, IE 8.
Symantec did not report that the attack is being used by cyber-criminals, but because Internet Explorer is so popular, this type of code is highly coveted by hackers. If the software does pop up in online attacks, it will put pressure on Microsoft to rush out an emergency patch, ahead of its regularly scheduled Dec. 8 security update. Microsoft could not be reached Saturday for a comment on the issue.
Together, IE 6 and IE 7 command close to 40 percent of the browser market. PC World
Saturday, November 21, 2009
Nov 20 (Reuters) - Pre-Paid Legal Services Inc (PPD.N) said a proposed draft complaint it received on Thursday from the U.S. Federal Trade Commission seeking permanent injunctive relief and disgorgement of proceeds pertained only to one of its marketing programs. "The proposed draft complaint narrowly focuses on our Affirmative Defense Response System (ADRS) marketing program and specific representations regarding identity theft and data privacy issues," the company said in a statement.
The ADRS program, which represents a relatively small percentage of the company's revenue, was introduced in 2006 as a complimentary program for businesses to learn more about its identity theft and data security services, the company said.
On Thursday, the company said it had received a proposed draft complaint from the FTC alleging that its ADRS program and related materials violated the FTC Act regarding asserted misleading representations.
Friday, November 20, 2009
Frank Heidt, CEO of Leviathan Security Group, says his "generic" proof-of-concept code could be used to attack a variety of Web sites. While the attack is extremely difficult to pull off -- the hacker would first have to pull off a man-in-the-middle attack, running code that compromises the victim's network -- it could have devastating consequences.
The attack exploits the SSL (Secure Sockets Layer) Authentication Gap bug, first disclosed on Nov. 5. One of the SSL bug's discoverers, Marsh Ray at PhoneFactor, says he's seen a demonstration of Heidt's attack, and he's convinced it could work. "He did show it to me and it's the real deal," Ray said.
The SSL Authentication flaw gives the attacker a way to change data being sent to the SSL server, but there's still no way to read the information coming back. Heidt sends data that causes the SSL server to return a redirect message that then sends the Web browser to another page. He then uses that redirect message to move the victim to an insecure connection where the Web pages can be rewritten by Heidt's computer before they are sent to the victim. PC World
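The mechanics behind this are worth seeing in bytes. The following is an added illustration, not Heidt's proof-of-concept and not code from any of the parties quoted above. It models the renegotiation gap in the simplest possible way: a server that glues the bytes it received before a renegotiation onto the bytes it receives afterwards and parses the result as one HTTP request. The attacker's prefix ends with an unterminated header, so the victim's own request line is swallowed as a header value while the victim's cookie still arrives intact, and the attacker-chosen path is answered with a redirect to a plain-http URL that the victim's browser, not the attacker, receives and follows. The hostnames, paths, header name and cookie value are all assumptions constructed for the example.

```python
from typing import Dict, Tuple

def parse_http_request(raw: bytes) -> Tuple[str, str, Dict[str, str]]:
    """Minimal HTTP/1.x request parser (constructed for this example).
    Returns (method, target, headers) with header names lower-cased.
    A header line without a colon is rejected, which is exactly why the
    attacker's prefix ends in 'X-Ignore: ' with no trailing CRLF."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

# Bytes the attacker sends in the first TLS session (attacker <-> server).
# No final CRLF: the victim's request line will be appended to this header.
# Path and header name are assumed for the example.
ATTACKER_PREFIX = (
    b"GET /go-insecure HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"X-Ignore: "
)

# The victim's genuine request, delivered after the attacker triggers
# renegotiation. Constructed sample; the cookie value is made up.
VICTIM_REQUEST = (
    b"GET /account/summary HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"Cookie: session=victim-session-token\r\n"
    b"\r\n"
)

def splice(prefix: bytes, victim: bytes) -> bytes:
    """The authentication gap, reduced to its essence: a server that treats
    pre- and post-renegotiation application data as one continuous stream."""
    return prefix + victim

def vulnerable_server(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Toy origin server (constructed). The attacker-chosen path answers with
    a redirect to a plain-http URL; anything else gets an ordinary 200."""
    _method, target, _headers = parse_http_request(raw)
    if target == "/go-insecure":
        # The attacker cannot read this response, and does not need to:
        # it goes to the victim's browser, which follows the redirect and
        # leaves TLS for a connection the man-in-the-middle can rewrite.
        return 302, {"Location": "http://bank.example/account/summary"}
    return 200, {"Content-Type": "text/html"}

def demo() -> Tuple[str, str, int, str]:
    """Run the spliced request through the parser and server; return
    (target seen by server, swallowed victim request line, status, Location)."""
    merged = splice(ATTACKER_PREFIX, VICTIM_REQUEST)
    _method, target, headers = parse_http_request(merged)
    status, resp_headers = vulnerable_server(merged)
    return target, headers["x-ignore"], status, resp_headers["Location"]

if __name__ == "__main__":
    target, swallowed, status, location = demo()
    print(f"server acted on {target}; victim's line became X-Ignore={swallowed!r}")
    print(f"victim receives {status} -> {location}")
```

The point the example makes is that the attacker never decrypts anything: the only capability the flaw grants is to prepend bytes to an authenticated stream, and a redirect to an insecure URL is enough to turn that one-way injection into full control of what the victim subsequently sees. The fix is at the TLS layer, not in the HTTP parser: either refuse renegotiation or bind the two handshakes together as RFC 5746 (secure renegotiation) does, so the server no longer treats the two sessions' data as one stream.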
Thursday, November 19, 2009
The news sent the stock plummeting 19 percent to close at $33.27.
The identity theft program offers regular monitoring of credit reports, sending alerts if new accounts are opened in a customer's name or if negative items are added to credit reports. It also offers to help a customer restore their credit rating if they are a victim of identity theft. AP
Protect your Social Security number. Don't carry your card if you don't need it. Ask why someone needs it if it is requested.
Handle mail with care. Shred documents that contain credit card numbers, banking information and credit card offers. Limit credit card offers: Call 888-5-OPT-OUT (888-567-8688).
Don't give out personal information on the phone, via mail or the Internet, unless you initiated contact and are sure of whom you're dealing with. Miami Herald
Despite increased cooperation among agencies charged with protecting the government’s information infrastructure, federal cybersecurity is failing to keep pace with the growing threat of attack from hackers, criminals and other nations, a Senate panel has been told.
The Government Accountability Office has identified weaknesses in security controls in almost all agencies for years, Gregory Wilshusen, GAO's director of information security issues, and David Powner, the agency's director of information technology management issues, told the Senate Judiciary Committee's Terrorism and Homeland Security Subcommittee Nov. 17. Agencies are falling short in their use of strong authentication, encryption, and network monitoring, they said.
“An underlying cause of these weaknesses is agencies’ failure to fully or effectively implement information security programs, which entails assessing and managing risk, developing and implementing security policies and procedures, promoting security awareness and training, monitoring the adequacy of security controls, and implementing appropriate remedial actions,” they testified. GCN
Wednesday, November 18, 2009
The GAO audited key parts of the nuclear weapons lab's classified computers from November 2008 to July 2009. The classified computer network consists of more than 3,900 computers and devices for about 3,800 users, the report said.
Preventing leaks of sensitive information on the northern New Mexico lab's classified computer network is "critical to national security," the report stated.
"While the laboratory has taken steps to protect information on its classified computer network, a number of security weaknesses remain," the report said.
Lab spokesman Kevin Roark said Tuesday the vast majority of the issues raised by the report already have been resolved.
"All classified data at Los Alamos is extremely well protected and isolated from the Internet and all indications -- including other external audits -- confirm that this most important of information continues to be safe," Roark said. SF Gate
A man and woman, both 20 years old, were arrested in Manchester, England, on Nov. 3, said the Metropolitan Police's Central e-Crime Unit (PCeU). The pair, who have been released on bail, will face charges under the 1990 Computer Misuse Act and the 2006 Fraud Act.
Zeus is an advanced piece of malicious software. If installed on a PC, it can send spam, steal financial or other data or conduct a distributed denial-of-service attack against other computers. Machines infected with Zeus are essentially a botnet. PC World
Tuesday, November 17, 2009
The research examines "controversial e-commerce business practices that have generated high volumes of consumer complaints" and focused on sales tactics that "charge millions of American consumers for services the consumers do not want and do not understand they have purchased," according to the Staff Report.
A controversial practice known as "post-transaction marketing" was at the center of the research into the e-commerce business practices.
TechCrunch offers context on how "post-transaction marketing" works:
Background: hundreds of well known ecommerce companies add post transaction marketing offers to consumers immediately after something is purchased on the site. Consumers are usually offered cash back if they just hit a confirmation button. But when they do, their credit card information is automatically passed through to a marketing company that signs them up for a credit card subscription to a package of useless services. The "rebate" is rarely paid. Huffington Post
The infected computers are part of a botnet called Ozdok or Mega-D, which at one time was sending out around 4 percent of the world's spam messages.
Last week, security vendor FireEye launched a drive to dismantle the botnet. The infected computers receive instructions and information for new spam campaigns through command-and-control servers. FireEye contacted network providers which hosted those servers, and most were shut down.
That meant that the people controlling the hacked PCs, known as botnet herders, couldn't contact most of their bots anymore. Spam from Mega-D almost stopped entirely. FireEye also cut off a second redundancy mechanism the herders programmed into Mega-D.
If the infected machines can't contact a command-and-control server, they're programmed with an algorithm that will generate a random domain name and try to contact that domain daily. The herders know what this domain will be and can upload new instructions there. PC World
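That fallback only works for the herders because the "random" domain is not random at all: every bot derives it from the current date plus a constant baked into the binary, so whoever knows the constant can compute the same name. The same property is what lets a defender who has reverse-engineered the sample register or sinkhole the domains ahead of time. The example below is added here to show that mechanism from both sides; it is a constructed, hypothetical domain generation algorithm and is not Mega-D's actual algorithm, which the article does not describe. The secret constant, label length and TLD list are assumptions.

```python
import hashlib
from datetime import date, timedelta
from typing import List

# Assumed values, standing in for constants recovered from a bot sample.
SECRET = b"example-bot-constant"
TLDS = ("com", "net", "org")
LABEL_LEN = 12
ALPHABET = "abcdefghijklmnopqrstuvwxyz"

def dga_domain(day: date, secret: bytes = SECRET) -> str:
    """Bot side: the single fallback domain every infected machine will
    try on `day`. Deterministic in (secret, date), so the herder can
    register it in advance without ever contacting the bots."""
    digest = hashlib.sha256(secret + day.isoformat().encode()).digest()
    label = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:LABEL_LEN])
    tld = TLDS[digest[LABEL_LEN] % len(TLDS)]
    return f"{label}.{tld}"

def predict_domains(start: date, days: int, secret: bytes = SECRET) -> List[str]:
    """Defender side: precompute the domains for the next `days` days so
    they can be registered, sinkholed or blocklisted before they are used."""
    return [dga_domain(start + timedelta(n), secret) for n in range(days)]

def is_dga_fallback(domain: str, today: date, window: int = 1,
                    secret: bytes = SECRET) -> bool:
    """Detection helper for DNS logs: does a queried name match the predicted
    domain for today or a day either side (tolerating bot clock skew)?"""
    candidates = {dga_domain(today + timedelta(n), secret)
                  for n in range(-window, window + 1)}
    return domain.lower().rstrip(".") in candidates

if __name__ == "__main__":
    today = date(2009, 11, 17)
    for name in predict_domains(today, 7):
        print(name)
    # A query for today's domain seen in resolver logs would be flagged:
    print(is_dga_fallback(dga_domain(today), today))
```

Two practical caveats follow from the code. First, the defender's predictions are only as good as the recovered constant: a herder who pushes a new binary with a new `SECRET` (or, as some families do, seeds the algorithm from data the defender cannot know in advance) invalidates the whole precomputed list. Second, the detection helper matches exact names, so it belongs alongside, not instead of, statistical checks for high-entropy labels and NXDOMAIN bursts that catch unknown variants.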
Gisele Da Silva Craveiro from the University of Sao Paolo in Brazil said the broad nature of cyberlegislation leaves it open to abuse by authorities.
"Definitions for cybercrimes can be so broad as to fit everything... leaving the laws open to inappropriate use by authorities such as monitoring citizens," Craveiro told AFP on the sidelines of the Fourth Meeting of the Internet Governance Forum in Egypt.
"Technicians need to communicate with lawyers to come up with more efficient legislation so that society doesn't end up paying the price for too broad a legislation," she said.
Craveiro was speaking at a session entitled Developing Comprehensive Cybercrime Legislation organised by the Council of Europe at the Red Sea meeting.
"Legal frameworks should take into account the rights of users and the role of the private sector on the one hand, and security concerns on the other," the Council of Europe said in a statement. Kioskea
The FBI has issued an advisory that warns companies of "noticeable increases" in efforts to hack into the law firms' computer systems — a trend that cyber experts say began as far back as two years ago but has grown dramatically.
In many cases, the intrusions are what cyber security experts describe as "spear phishing," attacks that come through personalized spam e-mails that can slip through common defenses and appear harmless because they have subject lines appropriate to a person's business and appear to come from a trusted source.
"Law firms have a tremendous concentration of really critical, private information," said Bradford Bleier, unit chief with the FBI's cyber division. Infiltrating those computer systems, he said, "is a really optimal way to obtain economic, personal and personal security related information." AP
Monday, November 16, 2009
U.K. police are hailing the sentencing of four people who used a sophisticated Trojan horse program to siphon money out of online bank accounts and send it to Eastern European countries and Russia.
The case marks the first collaboration between the financial industry and the Police Central e-Crime Unit (PCeU), which was established earlier this year after accusations the U.K. government wasn't doing enough about cybercrime.
The men used a Trojan horse program called PSP2-BBB that executed a so-called man-in-the-browser attack when potential victims logged into online bank accounts. According to police, the Trojan would insert a special page into the customer's browsing session asking for more personal information, and would then set up a transfer to another account. PC World
On Nov. 1, several computers and small digital devices were stolen from offices in Centennial Hall. One of the missing devices is a laptop used by Kontos, interim dean of the College of Liberal Arts. University police are investigating the theft.
On Nov. 4, it was determined the laptop's hard drive contained student rosters for psychology classes Kontos taught from spring 2004 through summer 2006. The rosters included student grades and Social Security numbers which, at that time, were used as student identification numbers. The university replaced Social Security numbers with alternate student ID numbers in fall 2006.
"We have identified and are in the process of contacting all of the 574 students who were enrolled in Professor Kontos' classes during that time period and alerting them to what has taken place," said Wayne Mohr, assistant vice president for technology. "We are encouraging them to sign up for free credit monitoring with one of the three major credit bureaus to watch for any suspicious activity." Citizens Voice
Fifty years ago, The Coasters had a top-10 hit with the song "Charlie Brown." The song is best known for the phrase "Why's everybody always pickin' on me?" Charlie Brown was a loveable character who was often beat up and picked on for no reason.
Far too many in the industry similarly see PCI as such a loser and criticize it relentlessly. In our article PCI Shrugged: Debunking Criticisms of PCI DSS from April 2009, we wrote that the PCI DSS is a valuable standard. We did not then, and do not now, feel that the PCI DSS is perfect, but it is in the best interest of the industry and consumers that it be maintained, developed and expanded as well as adapted to today's threats.
However, let's briefly step away from this debate and consider this: imagine a large distributed retailer that has somehow survived without investing in information security. Yes, they've updated antivirus subscriptions on their desktops and have added a firewall, but they haven't gone beyond that (it goes without saying that this organization was consistently compromised by malicious hackers).
The advent of PCI worried this retailer, and now they have to take security actions such as encrypting, logging, monitoring, educating employees, and more. However, this retailer is now fighting PCI with all their strength, since they believe that "PCI is too much security." Their worldview of security is that "no security" is "just enough security." CIO IT News
Sunday, November 15, 2009
But have you – as business owners – seriously considered the implications of non-compliance? The massive fines and potential sentences? Or do you just take your chances?
Then consider this alternative. Have you ever viewed compliance as an opportunity, a USP, a differentiator, a competitive advantage? Or used it as a marketing tool, or to leverage loyalty and build trust?
I suspect not. The current information about compliance and data security legislation is all negative. It's about promoting fear of the consequences of not doing what you are told, but I suggest the opportunities could outweigh the disadvantages. Scotland On Sunday
Saturday, November 14, 2009
The e-mail messages, which look like they come from Verizon Wireless, are fakes; the balance checker is actually a malicious Trojan horse program.
"If you run the tool, obviously, your computer is toast," said Nick Bilogorskiy, manager of antivirus research at SonicWall. "You get infected with a Trojan that SonicWall catches under the name Regrun." PC World
Friday, November 13, 2009
Internet security experts say that misconfigured DSL and cable modems are worsening a well-known problem with the Internet's DNS (domain name system), making it easier for hackers to launch distributed denial-of-service (DDoS) attacks against their victims.
According to research set to be released in the next few days, part of the problem is blamed on the growing number of consumer devices on the Internet that are configured to accept DNS queries from anywhere, what networking experts call an "open recursive" or "open resolver" system. As more consumers demand broadband Internet, service providers are rolling out modems configured this way to their customers, said Cricket Liu, vice president of architecture with Infoblox, the DNS appliance company that sponsored the research. "The two leading culprits we found were Telefonica and France Telecom," he said.
In fact, the percentage of DNS systems on the Internet that are configured this way has jumped from around 50 percent in 2007, to nearly 80 percent this year, according to Liu. PC World
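The open-resolver problem described above can be spotted from a resolver's own query log. This is an added example, not from the PC World article or from Infoblox: the BIND-style log lines and the served networks are constructed, and the check flags recursion-desired queries arriving from clients outside the networks the server is meant to serve.

```python
"""Flag an 'open recursive' resolver from a BIND-style query log.

Added example; the log lines below are constructed. A resolver that
honours recursion-desired queries ("+" flag) from clients outside the
networks it serves is an open resolver and can be abused as a DDoS
reflector. Caveat: the query log records what was asked, not whether it
was answered; a server with allow-recursion restricted logs the same
line and returns REFUSED, so confirm a verdict against the config.
"""
import ipaddress
import re

# Networks this resolver is meant to serve (assumed for the example).
SERVED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),
                   ipaddress.ip_network("10.0.0.0/8")]

# BIND 9 query-log shape:
#   client <ip>#<port>: query: <name> IN <type> <flags> (<server-ip>)
# The first flag character is "+" when the client set recursion-desired.
LOG_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN (\S+) ([+-]\S*) ")

SAMPLE_LOG = """\
client 192.0.2.17#51002: query: www.example.com IN A +E (192.0.2.1)
client 203.0.113.9#40100: query: example.org IN ANY +E (192.0.2.1)
client 198.51.100.77#33012: query: example.org IN ANY +E (192.0.2.1)
client 198.51.100.77#33013: query: example.org IN ANY +E (192.0.2.1)
client 10.4.4.4#5353: query: intranet.example.com IN A +E (192.0.2.1)
client 203.0.113.200#1024: query: example.net IN MX - (192.0.2.1)
"""

def parse(line):
    """Split one query-log line into client, name, type and recursion flag."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, name, qtype, flags = m.groups()
    return {"client": ipaddress.ip_address(client), "name": name,
            "qtype": qtype, "recursive": flags.startswith("+")}

def is_served(ip):
    return any(ip in net for net in SERVED_NETWORKS)

def audit(log_text):
    """Group recursive queries from foreign clients; any such client is a red flag.
    Repeated ANY queries from the same outside client are the classic
    reflection pattern worth alerting on."""
    foreign = {}
    for line in log_text.splitlines():
        q = parse(line)
        if q and q["recursive"] and not is_served(q["client"]):
            foreign.setdefault(str(q["client"]), []).append((q["name"], q["qtype"]))
    return {"open_resolver": bool(foreign), "foreign_clients": foreign}
```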
The tug-of-war over a little-known federal privacy rule--which has drawn in Congress, regulators and an array of interest groups--highlights the behind-the-scenes activity touched off by the government's effort to spend some $45 billion in economic stimulus funds to push medical data online. Federal regulators are working against tight deadlines to write all kinds of rules governing the digital system, one that the Obama administration hopes most health care providers will adopt in the next five years.
As with many Washington initiatives, the way the rules are written may have more of an effect on consumers than the original law passed by Congress.
One of the most contentious questions so far is when--and how--health care providers will have to notify patients if their privacy is breached.
Some lawmakers, consumer groups and industry analysts argue that hospitals and insurance companies should be required to let patients know about any unauthorized disclosure of their health data. However, under a provisional rule released by regulators from the Department of Health and Human Services, a health care provider would only have to notify patients if the provider determines the breach "poses a significant risk of financial, reputational, or other harm to the individual." Huffington Post
Thursday, November 12, 2009
The report contains data collected between January 1, 2006 and October 1, 2009, and finds that the percentage of high, critical or urgent issues continues to slowly increase. 83 percent of websites have had a high, critical or urgent issue over their lifetime and 64 percent of websites currently have a high, critical or urgent issue. Of the 22,000 vulnerabilities identified, almost 9,000 remain open, which means, encouragingly, that the majority – over 13,000 – have been closed. Help Net Security
Wednesday, November 11, 2009
The Health Information Technology for Economic and Clinical Health Act (HITECH) provisions of the U.S. American Recovery and Reinvestment Act (ARRA) of 2009 include new regulations for maintaining privacy and security of patient health data, but healthcare providers aren't ready, according to the results of the 2009 Security Survey from the Healthcare Information and Management Systems Society, sponsored by Symantec (NSDQ: SYMC). Information Week.
Mac security vendor Intego calls the code "iPhone/Privacy.A." It is a malicious tool hackers install on Windows, Mac, Unix or Linux systems, and even on iPhones, using those devices to scan for "jailbroken" iPhones, some of which are vulnerable to the malware.
If it finds a vulnerable iPhone within its range, the malware copies e-mail, contacts, SMS (Short Message Service) messages, calendar entries, photos, music, videos and any data recorded by an iPhone application, according to an advisory from Intego.
"This hacker tool could easily be installed, for example, on a computer on display in a retail store, which could then scan all iPhones that pass within the reach of its network," Intego said. "Or, a hacker could sit in an Internet café and let his computer scan all iPhones that come within the range of the Wi-Fi network in search of data."
However, the tool can only attack jailbroken iPhones (ones that have been modified to run unapproved software) that are running SSH (Secure Shell), a Unix remote-login utility, with the default password unchanged. PC World
Tuesday, November 10, 2009
Ashley Towns, 21, who lives with his family near Sydney, said he was trying to raise security awareness with his cheeky but harmless "Ikee" worm, which spreads from phone to phone along wireless networks.
"This virus pretty much exploits people's laziness to change their password," he said, according to public broadcaster ABC.
"Somebody with more malicious intent could have done anything -- read your SMSs, go through your emails, view your contacts, photos -- anything," he added.
The virus swaps the smartphone's wallpaper with an image of Astley and the words "Ikee is never gonna give you up" -- a reference to the British star Astley's 1987 chart-topper: "Never Gonna Give You Up".
It affects only phones that have been modified, or jail-broken, to install applications not approved by manufacturer Apple, and can easily be deleted.
But experts warned that Towns, among the first in the world to hack into the popular iPhone, may have caught the attention of cyber-criminals wanting to steal personal information such as bank details. AFP
"This investigation has broken the back of one of the most sophisticated computer hacking rings in the world," said acting US attorney Sally Quillian Yates of the Northern District of Georgia.
Sergei Tsurikov, 25, of Tallinn, Estonia, Viktor Pleshchuk, 28, of St. Petersburg, Russia, and Oleg Covelin, 28, of Chisinau, Moldova, have been indicted by a federal grand jury in Atlanta, Georgia, the department said.
It said a fourth person known only as "Hacker 3" was also indicted on charges of hacking into a computer network operated by Atlanta-based credit card processing company RBS WorldPay, part of the Royal Bank of Scotland.
Tsurikov, Pleshchuk, Covelin and "Hacker 3" were charged with conspiracy to commit wire fraud, wire fraud, conspiracy to commit computer fraud, computer fraud, access device fraud and aggravated identity theft.
They were accused of compromising the data encryption on payroll debit cards, which are used by some companies to allow employees to withdraw their salaries directly from a cash dispenser, or ATM. AFP
FireEye, a California company that makes security appliances, had been tracking a botnet called Mega-D or Ozdok. Mega-D, which is a network of hacked computers, has been responsible for sending more than 4 percent of the world's spam, according to M86 Security. Many of the computers that make up Mega-D are infected home PCs.
Mega-D is one of several botnets that have implemented advanced technical measures to ensure its owners don't lose control of the hacked PCs. The hackers use command-and-control servers to issue instructions to the zombie PCs, such as when to run a spam campaign.
In the case of Mega-D, the hacked PCs will look for certain domain names in order to download instructions, wrote Atiq Mushtaq of FireEye on the company's blog. If those domains aren't active -- they are often shut down by ISPs if they're associated with abuse -- Mega-D machines will look for custom DNS (Domain Name System) servers to find live domains.
If that also fails, Mega-D is programmed to generate a random domain name based on the current date and time, Mushtaq wrote. When the hackers register the domain name, the infected machines can visit there to get new instructions. PC World
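The date-seeded fallback described here (and in the earlier Ozdok/Mega-D item above) is what let defenders get ahead of the herders: a name that depends only on the date can be computed in advance and registered or sinkholed first. This is an added example, not Mega-D's actual algorithm (which the article does not give) and not FireEye's code: a toy generator with an assumed salt and TLD set that yields one domain per day, plus the two defender uses of it, pre-computing the upcoming list and matching names seen in DNS logs.

```python
"""Toy date-seeded fallback-domain generator and its defensive uses.

Added example. The salt and TLD set are constructed; a real family
hard-codes its own values, which analysts recover from the malware.
The point is the property, not the scheme: both bots and defenders can
compute the same name from the calendar, so defenders can pre-register
(sinkhole) the next N names and match log entries against them.
"""
import datetime
import hashlib

TLDS = ("com", "net", "info")          # assumed TLD set
SECRET_SALT = b"toy-dga-salt"          # constructed, not a real family's

def fallback_domain(day_iso):
    """Deterministic domain for a date given as 'YYYY-MM-DD'."""
    day = datetime.date.fromisoformat(day_iso)
    seed = day.strftime("%Y%m%d").encode() + SECRET_SALT
    digest = hashlib.sha256(seed).digest()
    # 12 lowercase letters from the first 12 digest bytes, TLD from the 13th.
    label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
    return f"{label}.{TLDS[digest[12] % len(TLDS)]}"

def upcoming_domains(start_iso, days):
    """Names the bots will try on each of the next `days` days, starting at
    start_iso: the list a defender registers or sinkholes ahead of time."""
    start = datetime.date.fromisoformat(start_iso)
    return [fallback_domain((start + datetime.timedelta(days=i)).isoformat())
            for i in range(days)]

def matches_dga(name, today_iso, window=3):
    """Detection helper: does a name seen in DNS logs equal a generated
    domain within +/- `window` days of today? The window absorbs clock
    skew on infected hosts."""
    today = datetime.date.fromisoformat(today_iso)
    candidates = {fallback_domain((today + datetime.timedelta(days=d)).isoformat())
                  for d in range(-window, window + 1)}
    return name.lower().rstrip(".") in candidates

if __name__ == "__main__":
    for d in upcoming_domains("2009-11-10", 5):
        print(d)
```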
The FBI official in charge of major cybercrime investigations told an international gathering of computer security experts last week that financial services companies have suffered massive thefts due to hackers.