Thursday, December 31, 2009

.Van Morrison: Birth report 'utter fiction'


Reclusive Irish singer Van Morrison said Thursday that a computer hacker planted a false report on his Web site claiming he had fathered a fourth child at the age of 64 with a new partner.

The false report was disseminated Monday by a Los Angeles-based publicist for Morrison, Phil Lobel. The publicist was quoted by an unidentified associate on Thursday as getting the report from the Morrison site.

The false report was picked up by several news agencies, including The Associated Press, as well as celebrity sites and British newspapers. The false report on the Morrison Web site claimed that a woman identified as Gigi had just borne a son with Morrison.

The singer issued a statement Thursday through an international public-relations agency stressing that the report was completely false and the malicious product of a hacker's attack on his official Web site, /http://www.vanmorrison.com.

It appeared to be the latest in a rapidly growing string of hoaxes in the Internet age. Digital tricksters increasingly place phony footage, facts and press releases on Web sites and video-sharing sites to see how quickly the falsehoods will spread through traditional and new media alike.

John Saunders, president of the European arm of the U.S. public-relations firm Fleishman-Hillard Inc., said he contacted Morrison and his wife, Michelle, after seeing the reports and finding them hard to believe. He said the couple wasn't aware of them and initially didn't want to respond. yahoo news

Attorney Warns CPAs of Lawsuits in 2010


A prominent securities attorney told a group of CPAs that they will face a rising tide of enforcement actions and litigation next year.

Richard A. Roth of the New York-based Roth Law Firm delivered the warning during a speech at the New York State Society of CPAs’ recent Investment Companies Conference. He believes the large business losses and frauds of 2009 will leave audit firms vulnerable to investors eager to pin the blame on accountants. Roth advised CPAs to review their client relationship practices and make sure they reflect recent court decisions.

“Investors will go after whoever still has money that could satisfy a legal judgment,” he said. “This creates tremendous risk for accountants.”

Roth noted that audit firms could be susceptible to additional SEC enforcement: “Because of situations like the Madoff debacle, regulators — and particularly the SEC — are under pressure to widen the net of businesses and entities under regulation.”

Court decisions also shifted the rules for audit firms’ best practices, clarifying the laws in some cases against CPAs, and in other cases in their favor. He advised accountants to follow the motto of “Be F.I.T.” in 2010:

F - Fee Agreement: Audit firms’ engagement letters should clearly limit the representation to specific services or a limited time frame, at most annually, he said. While it may be convenient for a firm to have ongoing engagements, clients have a statutorily limited time to sue directly, if you have not engaged in “continuous representation,” which courts have recently construed against the CPA firm when engagement letters are ambiguous.
I - Independence: Auditors can’t have a financial interest in the subject company, Roth reminded the CPAs. “While this has always been a basic tenet, courts, regulators and particularly plaintiffs’ lawyers are digging deeper to find any accountant/client interrelationship to pin that tail,” he said.

T - Thoroughness: “Meticulously analyze each and every transaction,” Roth said. “In this financial and political climate, you do not want to leave a jury or a regulator with any doubt as to whether you were dotting every ‘I’ and crossing every ‘T’.”

In addition, Roth recommended that CPAs continue putting in place programs to comply with the FTC’s “Red Flags” rule and generally ensure protection of client files and data. Although enforcement of the “Red Flags” rule was delayed by Congress to June 1, 2010, the American Institute of CPAs is still recommending on its Web site that CPAs be prepared for its eventual implementation. “If you lose your client’s data or it is misappropriated due to your negligence, you are going to have a problem regardless of the ‘Red Flag’ rule,” Roth said. webcpa

Hackers To Hit Apple iPhone, Google Android Handsets Next Year


Print Email Subscribe Free Newsletter Follow us on Twitter 24/7 Wall St Real Time 500 Roel Schouwenberg of Kaspersky Lab Americas made a number of either intemperate or prescient comments to USA Today. It may take a year to find out if he is a fool or a profit.

Schouwenberg predicts that hackers will make major assaults on the Apple (NASDAQ:AAPL) iPhone and handsets running the Google (NASDAQ:GOOG) Android operating system beginning in 2010. “The first malicious programs for these mobile platforms appeared in 2009, a sure sign that they have aroused the interest of cybercriminals,” he commented to the national newspaper. Google is scheduled to launch its own handset, the Nexus One, early next year.

The most often hacked and often attacked software products in history are certainly Microsoft (NASDAQ:MSFT) Windows and Office, although some versions of the software have proven more vulnerable than others. Microsoft regularly issues “patches” and in July went so far as to release a statement saying that its Office desktop applications suite, which has already been hit by cybercriminals, could still be vulnerable to attacks unless users take proper precautions.

Software security has become a multi-billion industry, particularly protecting Microsoft products. McAfee (NYSE:MFE) and Symantec (NASDAQ:SYMC), the two largest software security companies, had $8 billion in revenue between them last year. But, the PC and server worlds are still awash in spam, phishing attacks, and malware problems. The best that can be said about the two software security firms and their competitors is that the problems are not worse than they are already.

The mobile operating system and software businesses are not as mature as they are in the PC industry. The iPhone and its OSX operating system were only introduced two and a half years ago. Android-powered handsets have been widely available in the market for less than a year. Each platform has tens of millions of users and that figure is rising rapidly. Some experts expect another 40 million iPhones to be sold in 2010. 247wallst

Hacker rattles 21,000 iPhone unlockers


Hackers have mailed 21,000 customers of iPhoneUnlockUK to remind them the company uses unlicensed software, and that their details have been compromised.

E-mails were sent out to customers of the iPhone unlocking service, with claims that iPhoneUnlockUK is guilty of stealing software and selling it illegally. The mail goes on to recommend that customers demand their money back from the company.

iPhoneUnlockUK did have its servers hacked back in February, at which time customer details including e-mail and physical addresses were copied and the website was defaced. Since then the company has changed hosts (from Fasthosts to Rackspace) and tells us that it hasn't suffered any further breaches. theregister

Hackers Break GSM Cell Phone Code


Financial Times: German Encryption Expert Publishes Code to Force 80% of Cell Phone Operators to Upgrade Security

(CBS) A group of hackers trying to force the cell phone industry into upgrading their security claims to have broken and published the code that keeps calls made on billions of phones secret.

According to a report in the Financial Times, German computer engineer and encryption expert Karsten Nohl told a hackers' convention in Berlin this week he had made public the encryption code protecting GSM phones in more than 212 countries - estimated at 80 percent of all the world's cell phones.

Nohl, 28, told the Chaos Communication Congress that a team of 24 hackers had managed to reproduce the code keeping GSM calls safe, proving that "existing GSM security is inadequate".

"We have given up hope that network operators will move to improve security on their own, but we are hoping that with this added attention, there will be increased demand from customers for them to do this," he the FT.

Wednesday, December 30, 2009

Adobe to be Prime Target for Malware in 2010


2009 is drawing to a close, and 2010 is almost upon us. The Chinese calendar says 2010 is the Year of the Tiger, but a report released from McAfee claims it could be the year of Adobe malware.

Traditionally, the most common target for malware is Microsoft. Microsoft holds a dominant stake of the operating system, office productivity, and Web browser markets, so it's only logical that malware developers would want to fish in the pool with the most targets.

However, Mac OS X is creeping up in operating system market share and Firefox and Chrome are nibbling away at the Web browser market share, making them more attractive targets for attack as well. Adobe, with Flash and Acrobat Reader, is virtually ubiquitous across all operating system platforms and Web browsers, which makes it a one-stop-shopping target.

The McAfee report says "Cybercriminals have long picked on Microsoft products due to their popularity. In 2010, we anticipate Adobe software, especially Acrobat Reader and Flash, will take the top spot."

I spoke with McAfee chief technology officer George Kurtz, who explained that "Adobe has added so much functionality to their software they are suffering the same fate as Microsoft with Internet Explorer." pcworld

Monday, December 28, 2009

Hackers Hit OpenX Ad Server in Adobe Attack


Hackers have exploited flaws in a popular open-source advertising software to place malicious code on advertisements on several popular Web sites over the past week.

The attackers are taking advantage of a pair of bugs in the OpenX advertising software to login to advertising servers and then place malicious code on ads being served on the sites. On Monday, cartoon syndicator King Features said that it had been hacked last week, because of the OpenX bugs. The company's Comics Kingdom product, which delivers comics and ads to about 50 Web sites, was affected.

After being notified of the problem Thursday morning, King Features determined that "through a security exploit in the ad server application, hackers had injected a malicious code into our ad database," the company said in a note posted to its Web site. King Features said that the malicious code used a new, unpatched Adobe attack to install malicious software on victims' computers, but that could not immediately be verified.

Another OpenX user, the Ain't It Cool News Web site was reportedly hit with a similar attack last week.

Web based attacks are a favorite way for cyber-criminals to install their malicious software and this latest round of hacks shows how ad server networks can become useful conduits for attack. In September, scammers placed malicious software on The New York Times' Web site by posing as legitimate ad buyers. pcworld

Good Guys Bring Down the Mega-D Botnet



Chalk up one for the defenders. Here’s how a trio of security researchers used a three-step attack to defeat a 250,000-pronged botnet.

For two years as a researcher with security company FireEye, Atif Mushtaq worked to keep Mega-D bot malware from infecting clients' networks. In the process, he learned how its controllers operated it. Last June, he began publishing his findings online. In November, he suddenly switched from de­­fense to offense. And Mega-D--a powerful, resilient botnet that had forced 250,000 PCs to do its bidding--went down.

Targeting Controllers

Mushtaq and two FireEye colleagues went after Mega-D's command infrastructure. A botnet's first wave of attack uses e-mail attachments, Web-based offensives, and other distribution methods to infect huge numbers of PCs with malicious bot programs.

The bots receive marching orders from online command and control (C&C) servers, but those servers are the botnet's Achilles' heel: Isolate them, and the undirected bots will sit idle. Mega-D's controllers used a far-flung array of C&C servers, however, and every bot in its army had been assigned a list of additional destinations to try if it couldn't reach its primary command server. So taking down Mega-D would require a carefully coordinated attack. pcworld

Sunday, December 27, 2009

Hijacked Facebook accounts pose threat of ID theft


Most maddening, says Selena Schmidt: Facebook officials helped the hacker, and not her.

A cyber criminal took over her Facebook account during the summer and, posing as Schmidt, began instant-messaging a lie to her friends.

"He was telling them that I'd gotten mugged in London and had lost everything," said Schmidt, 40, of the North Side, a project director at a nonprofit agency. "He was asking my friends to wire the cost of the ticket, $600, and I'd pay them back when I got home."

As people increasingly rely on online social media sites to connect with friends and family -- or even to do their jobs -- the need to protect the security of sites is crucial. Some say the companies that run the sites need to step up. Others say each individual ultimately bears the responsibility to safeguard sensitive information.

Schmidt said Facebook officials did not respond for hours to her attempts to alert them about what was happening. Instead, Facebook shut down some of her friends "for spamming" as they tried to warn others about the hacker.

When it was over, Schmidt e-mailed Facebook a list of ways company officials could have handled the situation better.

"All I got was standard form feedback that said, 'Thank you for your input,' " Schmidt said.

Facebook officials do not comment on individual user accounts, said Simon Axten, a Facebook spokesman, in an e-mail.

"Only a very small fraction of our total user base has ever experienced a security issue on Facebook," Axten said. "Because of the systems we've built to help protect our users, this percentage hasn't increased even as the number of people using Facebook has more than doubled over the last year." pittsburghlive

Saturday, December 26, 2009


Woman faces ID theft charges on Christmas EveIn Court: Police say they found 25 stolen licenses, in her purse; she was trying to open bank account


A 25-year-old Olympia woman appeared in court on Christmas Eve after she was arrested Wednesday on suspicion of 25 counts of identity theft and one count each of forgery, marijuana possession and possession of methamphetamine.

Amy Denae Moore was arrested at the Tumwater branch of the TwinStar Credit Union after she tried to open an account using fraudulent identification, court papers state.

Tumwater police arrived and arrested Moore. A police officer called a woman whose driver’s license and Social Security card were being used by Moore to open the account, and the woman told the officer that “she had been the victim of a theft in which her personal identification was stolen, and she had recently been the victim of a fraud in Lacey,” court papers state. The Olympian

Last-minute Amazon, Wal-Mart shoppers delayed by DDoS attack


The DNS provider for Amazon, Wal-Mart, and others went down on Wednesday evening thanks to a DDoS attack, giving a big "bah humbug!" to shoppers trying to make last-minute Christmas purchases.

Last updated December 24, 2009 10:26 AMText Size Print this articleLeave a commentIf you were one of the many Internet users trying to beat the clock with holiday shopping on Wednesday, a DNS attack may have tried to spoil your plans. Users found themselves unable to access several major websites, including Amazon.com and Wal-Mart.com, during part of the day yesterday, which Amazon's DNS provider reported was a result of a DDoS attack.

The DNS attack started late in the day on Wednesday and took place against UltraDNS, the company that provides DNS services to the aforementioned sites. UltraDNS' parent company, Neustar, said that the attack affected the company's facilities in San Jose and Palo Alto, and the effects were largely limited to California users trying to access those sites. The company confirmed that an "abnormal spike in queries" took place and that it was identified as a DDoS attack.

The outage affected other parts of Amazon's Web Services in the US, but apparently not overseas. This, according to a retweet from Amazon Web "Strategist" Jeff Bar, included S3 and EC2. Luckily for Amazon and other e-commerce sites, they were only down for about an hour, but some shoppers still found themselves out of luck as a result of the outage. arstechnica

Wednesday, December 23, 2009

Heartland Pays Amex $3.6 Million Over 2008 Data Breach


Heartland Payment Systems will pay American Express US$3.6 million to settle charges relating to the 2008 hacking of its payment system network.

This is the first settlement Heartland has reached with a card brand since disclosing the incident in January of this year.

The U.S. Department of Justice has charged Albert Gonzalez and several other accomplices with the hack, saying that Heartland was one of several companies that the hackers managed to break into using SQL injection attacks.

Other alleged victims include 7-Eleven and Hannaford Brothers. In total, the gang managed to steal more than 130 million credit card numbers from Heartland and about 4.2 million from Hannaford, prosecutors allege.

Card-issuing banks such as American Express have had to pay the costs of re-issuing credit cards, following the breach, and many banks have sued Heartland to recover these costs. American Express operates its own credit card brand as well, and the settlement may also cover fines incurred there. pcworld

Tuesday, December 22, 2009

National cybersecurity coordinator choice widely applauded


Former industry and government cybersecurity official Howard Schmidt will be a good national cybersecurity coordinator, according to many in the information technology industry. President Obama appointed Schmidt to the post today, seven months after first announcing the creation of the position.

“I couldn’t be happier,” said Roger Thornton, chief technology officer of Fortify Software, where Schmidt sits on the board of directors.

In the months since Obama first announced the position, rumors have circulated about a number of public- and private-sector officials as potential candidates for the job, including several powerful corporate chief executives and lawmakers, incuding former Rep. Tom Davis, a Virginia Republican who chaired the House Government Reform Committee during much of the George W. Bush administration.

“But the thing that Howard brings is that he has been in government on the [Defense Department] side and in the executive branch for years, and he has had some high-profile security jobs in industry and headed up industry associations,” Thornton said. “You need someone with enough government experience to be trusted, but enough industry experience to understand the problems.”

Schmidt was cybersecurity adviser during the Bush administration, and before that was chief information security officer (CISO) at Microsoft and at eBay. He also served in the Air Force and has worked with the FBI, and currently is president of the Information Security Forum. GNC

Report: Russian Gang Linked to Big Citibank Hack


U.S. authorities are investigating the theft of an estimated tens of millions of dollars from Citibank by hackers partly using Russian software tailored for the attack, according to a news report.

The security breach at the major U.S. bank was detected mid-year based on traffic from Internet addresses formerly used by the Russian Business Network gang, The Wall Street Journal said Tuesday, citing unnamed government sources. The Russian Business Network is a well-known group linked to malicious software, hacking, child pornography and spam. The Federal Bureau of Investigation is probing the case, the report said.

It was not known whether the money had been recovered and a Citibank representative said the company had not had any system breach or losses, according to the report. pcworld

Sunday, December 20, 2009

Drone incident serves up data encryption lesson


The disclosure that Iraqi insurgents were able to intercept live video feeds from U.S. drones has focused the spotlight on a familiar IT security issue: data encryption.

In a story that's receiving widespread attention, the Wall Street Journal yesterday reported that Iranian-backed groups in Iraq and Afghanistan were tapping into live feeds from Predator drones using a $26 software tool called SkyGrabber from Russian company SkySoftware.

The hitherto largely unknown software product doesn't require Internet connectivity and is designed to intercept music, photos, video and TV satellite programming for free. Insurgents in Iraq, however, were able to use SkyGrabber to grab live video feeds from unmanned Predator drones because the transmissions were being sent unencrypted to ground control stations.

The fact that a sophisticated, multi-million-dollar aerial surveillance system could be compromised so easily because of a fundamental security oversight is stunning, several security analysts said.

"Frankly, this is shocking to me," said Ira Winkler, president of the Internet Security Advisors Group. (Winkler is also the author of Spies Among Us and a Computerworld columnist.) "You have one of the most critical weapon systems in the most critical regions transmitting intelligence data unencrypted," Winkler said. Computerworld

The 2009 data breach hall of shame


If there was anything even vaguely comforting about the data breaches that were announced this year, it was that many of them stemmed from familiar and downright mundane security failures.

Companies continued to be felled more by usual issues such as lost laptops, un-patched or poorly coded software, inadvertent disclosures and rogue insiders, rather than by sneaky new attack techniques or devastating new hacker tools.

Here's a look back at five of the more notable breaches of the year:

TSA: Lessons in redaction
In what must arguably rank as one of the biggest security gaffes of this year, the Transportation Security Administration (TSA) accidentally posted on a public Web site a manual that contained complete details on its airport screening procedures.

The TSA manual included details for screening passengers, checking for explosives devices, special rules for handling the CIA, diplomats and law enforcement officials, and the technical settings and tolerances used by metal and explosive detectors used at airports.

The leak occurred when an improperly redacted TSA Standard Operations Procedures manual was posted on a federal Web site as part of a a contract bid solicitation process. Lawmakers called the gaffe "shocking" and "reckless," as wells as a threat to national security.

Heartland Payment Systems: 2009's breach poster child
Heartland makes the list simply by virtue of the spectacular size and scope of the data breach it disclosed in January.

The compromise stemmed from SQL injection errors that allowed hackers to break into the payment processor's networks and steal data on approximately 130 million credit and debit cards over several months.

That number easily eclipsed the 94 million or so cards that were believed to have been compromised in the hack at TJX Companies Inc in 2007. It gave Heartland the dubious distinction of having announced the largest ever data breach in history.

Health Net: Delayed disclosure
It was bad enough that Health Net of the Northeast Inc. lost a hard drive containing seven years worth of unencrypted personal, financial and medical information on about 1.5 million customers. What made the loss worse was that the company did not disclose it for nearly six months after the drive went missing.

Along with medical records, the hard drive contained names, addresses and Social Security numbers of Health Net customers from Arizona, Connecticut, New Jersey and New York.

A new healthcare breach notification law that went into effect in November is designed to force companies to disclose such breaches sooner. But few are likely to do so because of a controversial "harm threshold" clause entered into the bill at the last moment. Continue article -> Computerworld

Saturday, December 19, 2009

Twitter hacked, attacker claims Iran link


A computer hacker briefly hijacked Twitter.com on Thursday, redirecting users to a website and claiming to represent a group calling itself the Iranian Cyber Army.

Twitter, which in June became a key communication channel for Iranian protesters disputing the country's election results, said it was disrupted for a little more than an hour.

Twitter's home page was replaced with one whose headline read "This site has been hacked by Iranian Cyber Army" and an anti-American message.

"The motive for this attack appears to have been focused on defacing our site, not aimed at users," Twitter said on its blog. "We don't believe any accounts were compromised."moneycontrol

Security experts said it was the first time attackers have succeeded in hijacking a major social-networking website.

It was unlikely that the Iranian government was involved, despite its dislike of social networking sites and years of discord with the United States over its nuclear program, experts said.

A screen shot posted in a number of websites, including TechCrunch, shows the message written in red, set above a green flag. An e-mail sent to the address on the redirected Web page was returned.

The hacker or hackers got credentials to redirect Twitter's traffic to a bogus site, according to Dyn Inc, a company based in New Hampshire that directs that traffic for Twitter.

The attackers did not hijack accounts of the company's other customers, Dyn Vice President Kyle York said. "This was an isolated incident," he said.

Researcher Cures Poisoned BlackBerry With Kisses


A security researcher in Asia has braved Internet worms and poisoned applets to rid BlackBerry smartphones of spyware with Kisses, a free software application.

 Kisses detects spyware and hidden programs on BlackBerry devices to show users exactly what's going on inside their mobile phone. Why use it? Because spyware can be purchased by anyone from vendors such as FlexiSPY and Retina-X Studios
For US$50, just about anyone can travel with you and your mobile phone and listen to your conversations, read your texts and even track your location via GPS (global positioning system). The tricky part is installation. Someone, your boss, spouse, business rival or thief, needs physical contact with your handset to plant spyware from these vendors, one reason password protection is so important. It hurts that spyware vendors offer tricks-of-the-trade advice, including the simple act of giving you a new smartphone, with their spyware inside, as a gift. Makes you wonder if Santa was generous with the new iPhone this year or just really wants to know if you've been naughty or nice.

This is where Sheran Gunasekera comes to the rescue with Kisses. The software detects and removes FlexiSPY and Mobile Spy software on BlackBerry devices. It may not necessarily be able to remove all available spyware (there's a lot) but it will at least show you any hidden applications so you can seek help.
pcworld

Friday, December 18, 2009

Scoring Big in a Dumpster Dive!


So you think data security is all about your IT department? Think again...



Video:

Steve Hunt reveals how easy it is to find sensitive information while Dumpster Diving!

Twitter Hacked, Defaced By “Iranian Cyber Army”




Twitter is down again but this time it may be the result of an explicit attack similar to the one that took down Facebook and Twitter a few months ago. Has a group of Iranian hackers dubbed the ‘Iranian Cyber Army’ waged war on Twitter? Techcrunch reports…

We’ve received multiple tips right around 10 pm that Twitter was hacked and defaced with the message below. The site is currently offline. We’re looking into this and waiting on a response from Twitter.

The message reads:

Iranian Cyber Army

THIS SITE HAS BEEN HACKED BY IRANIAN CYBER ARMY


U.S.A. Think They Controlling And Managing Internet By Their Access, But THey Don’t, We Control And Manage Internet By Our Power, So Do Not Try To Stimulation Iranian Peoples To….

NOW WHICH COUNTRY IN EMBARGO LIST? IRAN? USA?

WE PUSH THEM IN EMBARGO LIST

Take Care.

TechCrunch

Thursday, December 17, 2009

SkyGrabber: the $26 software used by insurgents to hack into US drones


"SkyGrabber is offline satellite internet downloader," the page begins confidently, at once informing the native English speaker that the page wasn't written by one. In fact SkyGrabber is a Russian programme – the site is apparently run by Cherkashyn Vyacheslav in Nab Podeba, Ukraine.

SkyGrabber is a simple enough concept: grab the signals that spill from a satellite broadcast (or even narrowcast), aimed from a satellite towards a specific location, and turn them into TV feeds you can look at. Or as the website puts it: "You don't have to keep an online internet connection. Just customise your satellite dish to selected satellite provider and start grabbing."

The US drones would send their video up to a US military satellite (the "uplink") that cannot be intercepted. The signal would then be beamed by that satellite or a linked one down to the controllers – who might be in Afghanistan or Iraq. Because that signal was unencrypted, anyone who tuned their satellite dish to the correct frequency and location in the sky could pick up the signal, and decode it. And because any satellite downlink signal spreads a little, the area where it can be picked up is potentially huge.

The weakness has been known for a very long time. In February this year Adam Laurie, an "ethical hacker" who has spent a lot of time looking at satellite feed hacking, told the BlackHat conference that "anyone with a [satellite] dish can see data being broadcast" and that "things you would expect to be secure turn out not to be secure. The most worrying thing is you can just see all this data going by." He has been at it since the 1990s – and in 1997 could see French TV reporters beaming back closed circuit coverage of Princess Diana's death to the UK over unsecured feeds. guardian

Hacker seeks reduced sentence, citing Asperger's


A computer hacker who was a force behind one of the largest cases of credit card theft in U.S. history says he has a developmental disorder and is asking for a reduced sentence.

Albert Gonzalez, of Miami, admitted invading the computer systems of such retailers as TJX Cos., BJ's Wholesale Club and Sports Authority. Federal authorities say tens of millions of credit and debit card numbers were stolen.

His lawyers have submitted a report from a psychiatrist who concluded his behavior was consistent with Asperger's syndrome. That's a form of autism. AP

China Jails Trojan Virus Authors in Cybercrime Crackdown


A Chinese court Wednesday sentenced 11 members of a malware ring for writing and distributing Trojan horse viruses meant to steal online game account passwords, according to state media.

The people, who stole login information for more than 5 million game accounts, were given prison sentences of up to three years and were fined a total of 830,000 Chinese yuan (US$120,000), China's Xinhua news agency said. Dozens of other members of the ring, which is suspected of 30 million yuan ($4.4 million) in crime, are expected to be sentenced soon, Xinhua said.

Reports of arrests and court sentences for cybercriminals have become increasingly common in China after the country has strengthened its laws governing the activity. The government action has come in response to increasing signs of organization among cybercriminals, including division of the labor needed to design, distribute and profit from information-stealing malware. pcworld

Wednesday, December 16, 2009

Firms failing on PCI DSS


A huge 81% of organizations that are subject to the Payment Card Industry’s Data Security Standard (PCI DSS) were found to be non-compliant prior to a data breach, according to a new study.

But according to telco Verizon Business’ Risk team, which published the findings, a “fairly new” threat in the shape of RAM scrapers is increasingly being used by online thieves to bypass PCI DSS rules requiring credit card data to be encrypted anyway.

The company’s 2009 Data Breach Investigations Report found that 74% of security incidents were the result of external attacks. Such events resulted in a huge 285 million records being compromised over the last year - mainly via online systems.

Only 20% of data breaches were caused by insiders, 32% by business partners and 39% by multiple parties. Some 67% of the incidents occurred because the attacker exploited errors made by the victim, while a further 64% were the result of hacking and 38% of malware.

But in its 2009 Supplemental Report called Anatomy of a Data Breach, Verizon Business also pointed to the rising threat of RAM scrapers. infosecurity



Rogue Antivirus Lurks Behind Google Doodle Searches


In Esperanto the word is "malica." It means malicious and it's the best way of describing many of the search results Google visitors got Tuesday when the clicked on Google's front-page Doodle sketch, dedicated to Esperanto's creator.

It's the latest example of just how good scammers have become at manipulating Google search results. For months now, they've followed Google's Trending Topics section and then used search engine optimization techniques to push hacked Web pages up to the top of Google's search results, security experts say.

They do this by flooding hacked pages with keywords that are then recorded by Google's search engine.

Hackers have several ways of getting their code on legitimate Web sites -- lately they've focused on stealing FTP login credentials, according to Dave Michmerhuizen, a research scientist with Barracuda Labs.

The hacked sites that pop up when one clicks on Tuesday's Google Doodle include a hair salon in New Jersey, an Texas tree company, and a science fiction group.

On Tuesday, clicking on the illustration on Google's front page commemorating the 150th anniversary of the birth of Esperanto's creator L. L. Zamenhof, generated an awful lot of malicious search results -- taking visitors to dodgy advertisements or pages that tried to trick visitors into thinking their computers were infected and paying for fake antivirus software. pcworld

Tuesday, December 15, 2009

ID Theft Threats to Watch in 2010


Interview with Jay Foley of the Identity Theft Resource
Financial scams and incidents of medical identity theft are on the rise - and they're among the main threats to business and consumers in 2010.

This is the warning from Jay Foley, executive director of the Identity Theft Resource Center. In an exclusive interview, Foley discusses:

•The major ID theft threats and trends for 2010;
•The industries most at risk;
•What information security professionals can do to help prevent ID theft. Listen To Podcast

govinfosecurity

And Now For A Bit Of Levity: Octopus steals the identity of a coconut!!!!




Monday, December 14, 2009

11 Reasons Why Privacy Helps the Bottom Line


In dire economic times such as these, companies are scouring their internal functionalities seeking ways to run "leaner and meaner." Operations and personnel that do not ostensibly contribute to profit are at risk. And nowhere are employees more vulnerable than in New York City, the nation's center for financial services, an industry particularly devastated.

Because the influence of privacy on profit is not immediately apparent, managers searching for excisable fat will doubtless be attracted to the privacy function, concluding that it makes no contribution to the bottom line. But although many view privacy solely as a legal concept, it often provides important commercial benefits. Where privacy does indeed contribute to profit, chopping away at privacy will be counterproductive, slicing off meat and bone, rather than fat. If management is not educated to this fact, the privacy function will be at unnecessary risk.

There are 11 reasons why privacy may benefit the bottom line, which should be raised with management.

1.) Reduced risk of sanctions. The most obvious result of good privacy is that it helps keep the company "out of trouble." Regulatory authorities, domestic and foreign, are increasingly enforcing privacy laws. The Federal Trade Commission, the state attorneys general, the data protection authorities of the European Union and other regulators are seeking out privacy violations at an increasingly energetic pace.

The adverse ramifications of alleged violations include counsel fees and a major diversion of management and other employee effort, even if the organization is ultimately exonerated.

In the event a violation is found, monetary sanctions may run as high as $1 million or more. And some sanctions require a costly modification of practices (even though it might not have been costly if adopted initially).

In the United States and some other nations, disclosure of a major data security breach will likely result in private litigation, including class actions, greatly increasing the level of counsel fees and potential damages. And even if the company is successful in its defense, the mere governmental, or even private, allegation of impropriety will have an adverse effect on some existing and prospective customers, as discused below in connection with customer churn and damage to brands.

 Read the 10 other reasons -> LTN

U.S. Reported Ready To Join U.N. Cyberattack Talks


The U.S. will reportedly participate in U.N. talks on cybercrime and cyberwar that it avoided for several years. President Barack Obama's administration wants to tackle rising attacks on U.S. institutions, many of them from China and Russia. Russia wants to keep cyberattack investigations internal, but the U.S. needs international cooperation.

The Obama administration has decided to join United Nations talks on cyberwar and Internet crime. After several years of staying out of talks between the U.N. and other countries, the U.S. will participate in discussions with Russia and the U.N.'s Arms Control Committee, sources told The New York Times.

The committee has been leading the talks between nations that wish to tackle cybercrimes. The U.S. is interested in reducing cybercrimes and limiting military use of cyberspace, while other countries such as Russia are interested in talks on cyberterrorism. newsfactor

Sunday, December 13, 2009

PCI-Compliant Stores a Minority


Companies cite encryption, security-event logging, and data in transit issues as the most challenging compliance elements.

A new survey revealed that less than 50 percent of businesses that process 20,000 or more credit or debit card purchase transactions a year are compliant with the Payment Card Industry Data Security Standards, American Banker reports.

Computerworld Inc., a Massachusetts provider of technology information, surveyed 123 businesses on behalf of nuBridges Inc., a company that provides data security products, and 57% of respondents reporting that they had a PCI initiative in place, yet only 37 percent of those were PCI compliant. Twenty-eight percent of respondents said that they were planning a PCI strategy while a remarkable 15 percent indicated that they had no plans to address PCI compliance.

Respondents said that the most difficult compliance component is encryption (cited by 41 percent of respondents), followed by security-event logging (40%) and data in transit (38%).  NACS

US, Russia talks on cyberspace security: report


WASHINGTON (AFP) – The United States has begun talks with Russia and a UN arms control committee about strengthening Internet security and limiting military use of cyberspace, The New York Times reported.

Citing officials familiar with the talks, the newspaper said US and Russian officials have different interpretations of the talks, but the mere fact that the Washington is participating represents a significant policy shift after years of rejecting Russia?s overtures.

Officials argue the administration of President Barack Obama realized that more nations were developing cyberweapons and that a new approach was needed to blunt an international arms race, the report said.

Viktor Sokolov, deputy director of the Institute of Information Security in Moscow, said the Russian view was that the US position on Internet security had shifted perceptibly in recent months, according to the paper.

Sokolov characterized this new round of discussions as the opening of negotiations between Russia and the United States on a possible disarmament treaty for cyberspace, something Russia has long sought but the United States has resisted, the report said. AFP

Saturday, December 12, 2009

Facebook and Google: Contrasts in Privacy


The headlines recently have been dominated with news of online privacy. Facebook has implemented changes that affect the privacy of status updates, and Google made headlines for its apparent disregard for privacy.

The difference between how Facebook and Google have addressed privacy issues offers a stark contrast. While Facebook has quickly responded to criticism and backlash, and has implemented additional changes to try and accommodate concerns, Google CEO Eric Schmidt dismissed privacy concerns entirely.

Facebook has faced challenges with privacy and what sorts of controls it has in place to ensure that users can exert some control over who is able to view their status updates, photos, events, and other Facebook entries. The Canadian government pressed the issue and succeeded in pressuring Facebook into changing a handful of practices to address privacy concerns.

As Facebook implemented changes this week, which were previously announced and anticipated--a change of pace for Facebook changes, there was immediate backlash. Facebook is struggling to figure out how to capitalize on member status updates for real-time search to be more like Twitter, and it is going through some growing pains to establish the right mix of sharing and security.

Google is also faced with constant criticism and concern from privacy advocates. Google is the monolithic Big Brother of the Internet, crawling and indexing every last byte of data that exists and presenting it to the general public in a matter of milliseconds through its various search offerings.

The difference between Facebook and Google as it relates to privacy is that Facebook appears to listen to concerns and respond by implementing changes to try and address issues, while Google seems to be dismissive. The Google response is to just stress why you should trust it, or why you shouldn't care about privacy.

In a CNBC interview, Google CEO Eric Schmidt explained his stance on online privacy "If you have something that you don't want anyone to know, maybe you shouldn't be doing it in the first place. If you really need that kind of privacy, the reality is that search engines --including Google --do retain this information for some time and it's important, for example, that we are all subject in the United States to the Patriot Act and it is possible that all that information could be made available to the authorities." PCWorld

Get back to me immediately!!!!!


Never respond to an email that looks like this...

Dear Friend,

I am Ms Victoria Ugbaja. A computer scientist with central bank of Nigeria. I am 26 years old, just started work with C.B.N. I came across your file which was marked X and your released disk painted RED, I took time to study it and found out that you have paid VIRTUALLY all fees and certificate but the fund has not been release to you. The most annoying thing is that they cannot tell you the truth that on no account wills they ever release the fund to you; instead they let you spend money unnecessarily. I do not intend to work here all the days of my life, I can release this fund to you if you can certify me of my security, and how I can run away from this Nigeria if I do this, because if I don't run away from this country after I made the transfer, I will be Seriously in trouble and my life will be in danger.

Please this is like a Mafia setting in Nigeria; you may not understand it because you are not a Nigerian. The only thing I will need to release this fund is a special HARD DISK we call it HD120 GIG. I will buy two of it, recopy your information, destroy the previous one, and punch the computer to reflect in your bank within 24 banking hours. I will clean up the tracer and destroy your file, after which I will run away from Nigeria to meet with you. If you are interested. Do get in touch with me immediately, You should send to me your convenient tell/fax numbers for easy communications and also re confirm your banking details, so that there won't be any mistake.

for phone converstion,please call me on +234-807-676-6856

Regards,

Ms Victoria Ugbaja
 
The old Nigerian E-mail Scam at work...STILL!

Bank firewalls cracked by cyberhackers


For more than a decade the common currency among cybercriminals has been pilfered credit card numbers, but some underground hackers have learned how to drain money directly from corporate bank accounts.

There has been a big rise in such frauds, raising the stakes in the war between financial institutions and criminals and costing some bank clients half a million dollars – or more.

Facebook backtracks on privacy - Dec-11Facebook must be weary of changing the rules - Dec-11Tech blog - Dec-01The cyberhackers “are clearly ahead of the defence in terms of antivirus solutions, firewall solutions, etc,” Jeffrey Troy, chief of the FBI’s cybercrime section, told the Financial Times. Online bank thefts in 2009 had seen “a very dramatic increase from past years”.

Law enforcement warnings, recent reports from private security experts and lawsuits are focusing attention on the issue. Some professionals, citing the ongoing boom in virus infections through such social networks as Facebook and Twitter, fear the trends could combine in 2010.

Mr Troy estimated that criminals took about $40m from bank accounts this year, primarily targeting the small and mid-sized businesses that are themselves customers of small and mid-sized banks.

Such banks and their clients were less likely than their biggest competitors to have the highest-grade security procedures.

Targets have fallen victim to “spear phishing” and other tricks. In spear phishing, a misleading e-mail, instant message or social networking communication is aimed at one company or even a single person within that company, frequently a top executive. The message can be tailored convincingly with details of interest to that individual. FT.COM

Friday, December 11, 2009

Web Scams Employed against Health Reform


(AP) Internet users looking for gift cards and other free merchandise are being steered to Web pages inviting them to send e-mails to Congress expressing their views on President Barack Obama's push to reshape the country's health system.

In one instance, people looking for rewards are taken to a Web page run by Get Health Reform Right, a coalition of 10 insurance industry groups that opposes Obama's health overhaul effort. That page lets opponents of the Democratic drive quickly generate a letter to their member of Congress expressing their view.

In another, those applying for gifts can end up on the Web page of the American Medical Association's Patients' Action Network, where they can express support to lawmakers for expanding health care coverage.

The ads could give the impression that someone has to send an e-mail to Congress to get free goods. But based on fine print appearing in the ads, it appears sending the e-mails is optional and would not affect whether people receive the gifts they are seeking.

Nonetheless, officials of the Blue Cross-Blue Shield Association, which runs the insurance coalition, expressed surprise over the ads and said they had nothing to do with them and that the coalition had temporarily suspended its operations "until the source of these ads can be determined." They said the coalition has a contract with an Internet advertising firm to run online ads promoting their views that specifically prohibits ads that would give letter writers financial rewards.

"They're not from the coalition," Alissa Fox, senior vice president and lobbyist for the association, said of the ads. "We don't know who did it."

Spokesman John Ardis of Webclients Affiliate Network, the Harrisburg, Pa.-based online marketing company that has been doing Internet advertising for the insurance coalition, said his firm has placed no ads for the insurers that provide rewards in exchange for writing letters.

Spokespeople for the American Medical Association did not immediately respond to e-mails Thursday evening seeking comment.

Jeff Smokler, executive director of external affairs for the Blue Cross-Blue Shield group, said the coalition has generated nearly 2 million e-mails and letters to Congress since early summer. He said he did not know how many letters, if any, came from the ads that lured letter writers with incentives.

Insurers have been a chief critic of the Democratic effort to overhaul the health care system. They have said the bills emerging in Congress don't do enough to hold down rising health care costs, and have attacked a Senate plan to impose new taxes on the industry and the most expensive policies. They have also complained that a government-run insurance program, which the House bill would create, would drive private insurers out of business.

The ads attracting letter writers with incentives, first reported by Gawker.com, were provided to a reporter by Dan Porter, CEO of OMGPOP, a company that runs a Web site that combines multiplayer Internet games with social networking.

The ads are aimed at people seeking a reward, such as a gift certificate to a retail chain, that they would receive after providing their e-mail addresses and other information. Such ads could also be aimed at people who play online games and would like to earn virtual currency they can use to purchase items they can use in games, Porter said. CBS

FBI: Rogue antivirus scammers have made $150M


They're the scourge of the Internet right now and the U.S. Federal Bureau of Investigation says they've also raked in more than US$150 million for scammers. Security experts call them rogue antivirus programs.

The FBI's Internet Crime Complaint Center issued a warning over this fake antivirus software Friday, saying that Web surfers should be wary of sudden pop-up windows that report security problems on their computers.

This software can appear almost anywhere on the Web. Typically, the scam starts with an aggressive pop-up advertisement that looks like some sort of virus scan. Often it's nearly impossible to get rid of the pop-up windows. Of course, the scan turns up problems, and the pop-up windows say the only way to get rid of them is to pull out a credit card and pay.

This is always a bad idea. At best, the software is subpar. At worst, it "could result in viruses, Trojans and/or keyloggers being installed on the user's computer," the IC3 said in its warning. The IC3 is run in partnership with the National White Collar Crime Center. computerworld

Thursday, December 10, 2009

Facebook rolls out new privacy tool



SAN FRANCISCO — Facebook on Wednesday began calling on users to get a better grip on their online privacy by dictating who sees what in profiles at the world's leading social networking service.

All of Facebook's more than 350 million members will be required to refine settings with a new software tool that lets them specify who gets to be privy to each photo, video, update or other piece of content uploaded to the website.

"We care so much about this that we will require people to go through it to get access to the service," Facebook vice president of global communications, marketing and public policy Elliot Schrage told AFP.

"The idea is to evolve, to give users better control of with whom they share when they share."

The change promises to help Facebook users prevent embarrassing images or overly revealing updates from being seen by business acquaintances, bosses or others not part of inner circles of online friends.

"You will have the opportunity to customize even individual pieces of content when you upload a picture or a video," Schrage said.

"If you want to share a photo with just your family, you could do that as well. It is much more straightforward."

The new privacy tools let Facebook members pre-determine accessibility to profile content in categories designated "Friends," "Friends of Friends," "Everyone" and "Customized."AFP

Unu hits Kaspersky a second time with SQL Injection disclosure


Unu who has gained a good deal of attention lately, is known for his vulnerability disclosures that center on SQL Injection. In his latest adventures, he returns to a vendor he has targeted in the past, security software specialist Kaspersky.

In February, Unu went public on HackersBlog and disclosed the SQL Injection flaws he had discovered on Kaspersky’s USA portal. The flaws, which led to complete access to users, activation codes, lists of bugs, admins, shopping, etc., were quickly patched, and Kaspersky was quick to point out that, “despite their attempts, the hackers were unable to gain access to restricted information stored on the website. Claims by the hackers responsible for the attack that they had managed to gain access to user data are untrue.”

In response to those claims, we interviewed Unu shortly after Kaspersky issued them.

“First of all, it starts from a negative premise. It was not about any kind of attack. [This was not] my intention. I am not a thief. I'm just a guy who likes to do security testing, penetration. It’s like any other hobby,” Unu wrote in the e-mail.

“I do not break, I do not delete, I do not change, and I NEVER save anything. In the data that I can access in this way, I just show that it is possible, that the site is vulnerable. That is all. The same thing happened [in the] Kaspersky case. It was about a banal parameter that was not good or not [sanitized enough].”

Now, Unu has disclosed SQL Injection problems in two other Kaspersky portals, which were being hosted by channel partners in Malaysia and in Singapore. According to what was discovered, Unu commented that the vulnerability affected all databases in Southeast Asia. However, Unu told The Tech Herald that the flaws have been patched.

Yet, while the vulnerabilities were fixed, the point is the same. The SQL Injection only worked because user input was not checked. In detailing what he discovered on the two Kaspersky portals, Unu noted that several of the administrator passwords, while encrypted, were weak, and in several cases identical. (In one example he listed an administrator with a password of abc123.) the tech herald

Attempted break-ins are, almost, an everyday thing

Fixing One Wall Street Scandal, Forgetting the Last


In 2001, the sudden collapse of corporate giants like Enron and WorldCom wiped out the retirement funds of millions of Americans and badly damaged investor confidence in our capital markets. As it became clear that these companies had "cooked the books" - willfully misleading shareholders about their true value - leaders in Congress began crafting what eventually became known as the Sarbanes-Oxley Act.

After months of hearings and bipartisan compromise, Sarbanes-Oxley passed the House of Representatives by a margin of 423 to 3 and the Senate by a unanimous vote of 99 to 0. Signing the bill into law on July 30th 2002, President Bush said "Corporate corruption has struck at investor confidence, offending the conscience of our nation. Yet, in the aftermath of September the 11th, we refused to allow fear to undermine our economy, and we will not allow fraud to undermine it, either." He called the new law "the most far-reaching reforms of American business practices since the time of Franklin Delano Roosevelt."

Today, some in Congress want to roll back Sarbanes-Oxley. They are seeking to exempt certain firms from the transparency standards created by that law. Apparently, less than ten years later, some have already forgotten what we learned from the Enron and WorldCom debacle. huffingtonpost.

Wednesday, December 9, 2009

Computer of alleged Sarah Palin hacker had spyware


The 21-year-old college student charged with hacking former Alaska Gov. Sarah Palin's Yahoo e-mail account was using a compromised computer that was secretly logging and reporting information without his knowledge, his lawyers say.

In court filings, attorneys for David Kernell say that the Acer notebooks that FBI agents seized from Kernell's Knoxville, Tenn., apartment last year apparently contained spyware.

"The program, which was installed by an unknown method before the computer ever came into Mr. Kernell's possession, uses sophisticated technology to record and report personal information without the user's knowledge," his attorneys state, in a Nov. 30 motion.

Although the court documents do not identify the program, they indicate that the software was reverse-engineered and analyzed within the five forensic reports the U.S. government produced for this case. Those reports have been filed under seal because they contain personal information.

Kernell is facing a possible five-year prison sentence on a one-count felony computer hacking charge. Prosecutors say that he accessed Palin's personal e-mail account in September 2008, while she was running as a vice presidential candidate, and used Yahoo's password reset feature to gain access to her mail. The e-mails were posted online and an anonymous member of the 4chan discussion board named Rubico claimed responsibility for the act. computerworld

Feds go global to fight cybercriminals overseas


The tip came from another country's law enforcement officials: Eight major banks in the U.S. were being targeted by cybercriminals operating there.

FBI agents fanned out that night to warn the branches that hackers were aiming to break into their computer systems. The banks were able to spot the attempted breaches, and block them, FBI officials said.

Concerned about the rise in this type of sophisticated computer attack from abroad, the FBI and the U.S. Secret Service are beefing up their international cybercrime enforcement, sending agents who specialize in the threats overseas to specifically deal with digital perils.

Their growing coordination with other nations, however, faces legal and political challenges posed by conflicting laws and the lack of broadly accepted international guidelines for Internet oversight.

"With the increased connectivity in countries that heretofore didn't have that amount of access, and the technological advances made in corporate America that have put vulnerable financial information online, it's been the perfect storm," said Shawn Henry, assistant director of the FBI's cyber division.

So far, Henry said, the FBI has set up new cybercrime offices in four countries, including Romania, Estonia and the Netherlands, and is hoping to add two or three more over the next year. Henry would not name the fourth country.

The cybercrime specialists operate in addition to the 61 legal attache offices the FBI has overseas.

Tuesday, December 8, 2009

Microsoft Patch Tuesday: Critical Update for IE


Today was Microsoft's final Patch Tuesday of 2009. Microsoft released a total of six new security bulletins, the most urgent one affecting a zero-day flaw in Internet Explorer for which exploit code already exists.

Barring any urgent security issues or exploits circulating in the wild to force an out-of-band update, the total number of security bulletins for 2009 is 74--a 5 percent drop from the 78 security bulletins released in 2008.

Deal with MS09-072 First

Experts are unanimous that the MS09-072 security bulletin, which includes the cumulative security update for Internet Explorer, is by far the most urgent patch released by Microsoft today.

Andrew Storms, director of security operations for nCircle, said in an email "Topping today's news from Microsoft is the fix for a critical zero-day bug in Internet Explorer. The vulnerability became a top security concern for users when exploit code became publicly available. In recognition of the critical nature of the problem, Microsoft made the fix a top priority and delivered it in about two weeks."

Another nCircle security expert, senior security engineer Tyler Reguly, agreed "Number one on everyone's hit list today should be MS09-072, the IE patch, as this includes a patch for the current IE 0-day vulnerability. Patching IE is always crucial but given the public exploit, this should be patched as quickly as possible.

I spoke with Amol Sarwate, manager of Qualys Vulnerabilities Research Lab, who summed it up "MS09-072 is definitely the most urgent. The vulnerability was made public three weeks ago. Attackers have had three weeks to work with the proof-of-concept and develop a workable exploit. If you can only do one patch, do that one."

Reguly said that beyond MS09-072 the rest of today's security bulletins are sort of a random mash-up of fixes. They involve a most of the alphabet and a number of acronyms, affecting LSASS, ADFS, and IAS for starters.

In the grand scheme of things, though, there is nothing very urgent once you patch Internet Explorer. Reguly recommends that organizations take the time to properly test the remaining patches before deploying. PCWorld

How fake sites trick search engines to hit the top


With a little sleight of hand, con artists can dupe them into giving top billing to fraudulent Web sites that prey on consumers, making unwitting accomplices of companies such as Google, Yahoo and Microsoft.

Online charlatans typically try to lure people into giving away their personal or financial information by posing as legitimate companies in "phishing" e-mails or through messages in forums such as Twitter and Facebook. But a new study by security researcher Jim Stickley shows how search engines also can turn into funnels for shady schemes.

Stickley created a Web site purporting to belong to the Credit Union of Southern California, a real business that agreed to be part of the experiment. He then used his knowledge of how search engines rank Web sites to achieve something that shocked him: His phony site got a No. 2 ranking on Yahoo Inc.'s search engine and landed in the top slot on Microsoft Corp.'s Bing, ahead of even the credit union's real site.

Google Inc., which handles two-thirds of U.S. search requests, didn't fall into Stickley's trap. His fake site never got higher than Google's sixth page of results, too far back to be seen by most people. The company also places a warning alongside sites that its system suspects might be malicious.

But even Google acknowledges it isn't foolproof. AP