Growth of EHRs Could Lead to Rise in Medical Identity Theft

Although some people have touted electronic health records as a strategy to improve health care efficiency, others are expressing concern that EHRs could make patients more vulnerable to medical identity theft, the Wall Street Journal reports.

Experts say EHR systems might actually facilitate identity theft because the tools make patient medical information more easily accessible.

Hackers who steal patient data might file false medical bills to obtain money from insurance companies, Medicare and other payers. As a result, individuals who experience identity theft might face mounting medical bills and could exhaust their lifetime coverage benefits. In addition, insurance companies might label such individuals as uninsurable because of their perceived high medical costs.

Medical identity theft also could alter crucial information contained in a patient's EHR, such as allergies, blood type and medical history. Such data manipulation could have serious consequences if physicians use the faulty information when treating the patient. ihealthbeat

Identity theft equipment, cocaine found at apartment, Alameda police say

ALAMEDA — Equipment linked to identity theft, including a machine for embossing names and numbers on blank credit cards, was seized when investigators searched an apartment in the city's West End.

Along with an embossing machine, police seized scanners, printers and four computers at the Buena Vista Avenue apartment, where officers also said they found 11 ounces of cocaine.

Personal information belonging to about 25 people was discovered at the apartment, police said.

Suspect Vandale Sims, 36, began renting the unit in September, but investigators think he was actually living in Oakland and that he used the apartment as a workshop. Contra Costa Times

Blumenthal to investigate Health Net data breach

Attorney General Richard Blumenthal said today his office is investigating a data breach by health insurer Health Net, which led to the loss of almost 450,000 Connecticut residents' health, personal and financial information.

Blumenthal said Health Net lost the information in May, but never informed consumers, the police or his office about the loss of information until today.

He said the six-month delay in giving notice to consumers and the state could be a violation of the law.

"I am outraged and appalled by Health Net's huge loss of personal, financial and medical information and its failure to swiftly inform authorities and consumers," Blumenthal said. "This information vanished six months ago, but Health Net is only now informing authorities and consumers, an inexcusable and inexplicable delay."

Blumenthal said the information was on a hard drive that disappeared from Health Net's Shelton office. The hard drive included all data on 446,000 Connecticut patients, including health information, as well as financial and personal data such as social security and bank account numbers. The data was compressed, but not encrypted, although a specialized computer program is required to read it.

Alice Ferreira, a spokeswoman for Health Net, said they were initially unable to determine what information was on the lost drive, forcing the company conduct a lengthy investigation, which included a detailed forensic review by computer experts. Hartford Business

Health Net healthcare data breach affects1.5 million

To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

Health Net Inc. announced Wednesday that it is investigating a healthcare data security breach that resulted in the loss of patient data, affecting 1.5 million customers.

The Woodland Hills, Calif.-based managed healthcare provider said the lost files, a mixture of medical data, Social Security numbers and other personally identifiable information, were collected over the past seven years and contained on a portable external hard drive, which was lost six months ago. The company said the healthcare data was not encrypted, but was formatted as images and required a specific software application to be viewed. The hard drive contained data on 446,000 Connecticut patients.

The company reported the breach Wednesday to State Attorneys Generals offices in Arizona, Connecticut, New Jersey and New York. Health Net said it was beginning the data security breach notification process of sending out letters to its customers. The company said it expects to send notification letters the week of Nov. 30. Search Security

When a Shopping Cart is Not PCI Compliant: Three Options for Merchants

Earlier this week, Practical eCommerce shared three important questions to ask about your shopping cart. Today, as part of our ongoing PCI compliance series, I’ll take a look at options for ecommerce merchants currently using a shopping cart that is not PA-DSS (payment application data security standard) validated. More specifically, I’ll share the insights of hosting director Matt Whitted of Cybrhost, a web hosting provider specializing in ecommerce.

Cybrhost has alerted its subscriber base to the July 1, 2010 deadline for shopping carts to become PA-DSS compliant and Whitted has fielded numerous inquiries from merchants regarding the mandate.

Whitted says he recognizes that many of the more than 350 shopping carts, by Practical eCommerce's count, available to merchants have not been PA-DSS certified. “I do think this [the mandate] is going to push some of those smaller carts out. It’s a major investment to get your application certified. And then it’s a recurring process,” he says.

Three Options for Users of Non-compliant Shopping Carts

If an ecommerce merchant’s shopping cart provider is not PA-DSS compliant or in the process of becoming certified, Whitted says there are three options.

1.Outsource to an alternative payment solution.

Alternative payment solutions such as Google Checkout and PayPal Express Checkout allow merchants to outsource the checkout process. Payment information is not handled by the merchant. As a result, the merchant’s shopping cart is not considered a payment application and doesn’t fall under the PA-DSS mandate.

Whitted notes, however, that there are several downsides to this option: Outsourcing is generally a more expensive proposition, there are occasional technical glitches involved with the handoff between the shopping cart and the alternative payment system, and you’re giving some control of your business’ information to “Paypal or Checkout by Amazon or whoever you choose.”

2.Switch to a different shopping cart provider.

There are a variety of shopping carts that have applied for and received certification.

“Some of the ecommerce applications that are ahead of the curve and are going through the certification process proactively are going to benefit from people who make this decision (to switch),” Whitted says.

3.Do nothing and see if PA-DSS compliance is enforced.

Acquiring banks or processors are responsible for enforcement of PCI compliance. “Who knows how Visa or MasterCard will handle it?” questions Whitted. “They may be understanding or more extreme.” He notes however, “ Most businesses are not going to want to live by the seat of their pants.” Summing It Up - Practical Ecommerce

Consumers warned about shopping online

The Better Business Bureau is reminding consumers who are shopping for electronics deals online to watch out for certain red flags.

The organization says the old rule of thumb plays a big role here; if the price is too good to be true, there is probably a catch.

You should avoid web sites with spelling or grammar errors.

Also, you might want to avoid businesses that accept wire transfer payments only.

The group says even if you see a seal from certifying organizations, be wary.

When you click on the seal, you should be directed to the certifier's web site.

If not, the Better Business Bureau says it's most likely a scam. ABC

Cyber crime danger

THE Police Force has forecast cyber crimes to increase by 40 to 50 per cent from 2010 to 2012.

Jemesa Lave of the police cyber crime unit said in these two years, it was anticipated that more complicated technological crimes would be perpetrated in Fiji.

Coupled with this, he said was the anticipated shift from conventional criminal operations to cybercrime.

"We need legislation, we need to ensure that standards are put in place to address computer crime issues," Mr Lave said.

He said people needed to be aware that computer crimes knew no borders. Fiji Times

China Warns About Return of Destructive Panda Virus

A computer worm that China warned Internet users against is an updated version of the Panda Burning Incense virus, which infected millions of PCs in the country three years ago, according to McAfee.

The original Panda worm, also known as Fujacks, caused widespread damage at a time when public knowledge about online security was low, and led to the country's first arrests for virus-writing in 2007. The new worm variant, one of many that have appeared since late 2006, adds a malicious component meant to make infection harder to detect, said Vu Nguyen, a McAfee Labs researcher.

"It has gotten more complex with the addition of a rootkit," said Nguyen. "It definitely makes it more challenging for users to clean up and even to know that their systems have been compromised."

A rootkit burrows into a system to try to hide the existence of malware.

The first Panda worm gained fame in China for switching the icons of infected files with an image of a panda holding three incense sticks. The same image would also flash across a victim's screen, but the worm's final goal was to install password-stealing Trojan horses. The worm infected millions of PCs, according to Chinese state media. Its author was ordered to write a removal tool for the worm and later sentenced to four years in prison. Tech Shout

Metasploit releases IE attack, but it's unreliable

Developers of the open-source Metasploit penetration testing toolkit have released code that can compromise Microsoft's Internet Explorer browser, but the software is not as reliable as first thought.

The code exploits an Internet Explorer bug that was disclosed last Friday in a proof-of-concept attack posted to the Bugtraq mailing list. That first code was unreliable, but security experts worried that someone would soon develop a better version that would be adopted by cyber-criminals.

The original attack used a "heap-spray" technique to exploit the vulnerability in IE. But for a while Wednesday, it looked as though the Metasploit team had released a more reliable exploit. Computer World

Attacks Appear Imminent as IE Exploit Is Improved

Hackers working on the open-source Metasploit project have spiffed up a zero-day attack on Microsoft's Internet Explorer, making it more reliable -- and more likely to be used by criminals.

Security experts have been worried about the flaw since it was first disclosed on the Bugtraq mailing list Friday. But the original demonstration code was unreliable and has not been used in real-world attacks.

"The Metasploit exploit that was released last night will be more reliable against certain attacks than the initial exploit," said Ben Greenbaum, senior research manager with Symantec, in an interview Wednesday.

As of Wednesday morning, Symantec had not seen the exploit used in Internet-based attacks, but security experts say this type of code is for a very popular hacking technique called a drive-by attack. Victims are tricked into visiting Web sites that contain malicious code where they are then infected via the browser vulnerability. Criminals also place this type of code on hacked Web sites in order to spread their attacks. PC World

Five Tips to Shop Black Friday and Cyber Monday Securely

Bargain shoppers eager to find the best holiday shopping deals are often easy prey for online scams. Here are five tips to protect yourself while shopping online this holiday season.

This Friday is Black Friday--officially kicking off the 2009 holiday shopping season. Online attackers and malware developers know how to capitalize on current events, and the rush to find great holiday bargains offers a prime opportunity to exploit eager shoppers. Here are five tips to help you shop online securely. Continue tips PC World

Secret Service Investigation, Class Action Lawsuit, Cast Shadow Over Radiant Systems and Distributor

Atlanta Company and Distributor Accused of Negligence in Widespread Identity Theft at Restaurants

Forensic audit investigations conducted by credit company-approved experts concluded that the Louisiana-based distributor for Radiant Systems, Inc. (http://www.radiantsystems.com/) products violated data protocols that directly contributed to security breaches at restaurants in Louisiana and Mississippi. This finding of alleged negligence is at the heart of a collective action lawsuit filed by seven restaurants claiming that hundreds of customers had their identities stolen as a result of poor business practices and faulty software from Radiant and Computer World (the distributor).

The restaurants are seeking millions of dollars in damages from Radiant and Computer World.

“Our clients are restaurants. They are food experts, not technologists. When major players in the hospitality industry such as Radiant Systems and its distributors say their software and business practices are PCI-DSS compliant, our clients trust them,” said Charles Hoff of the Law Offices of Charles Y. Hoff, PC, general counsel for the Georgia Restaurant Association and one of the attorneys acting as a legal advisor to the restaurants in the lawsuit.

Hoff continued: “When those claims of compliance and proper security practices turn out to be false, the restaurants are left to suffer huge financial losses due to financial penalties imposed by the credit card companies. Their reputations are tarnished. We’re determined not to let Radiant and Computer World simply walk away from their responsibilities.”

PCI-DSS is a comprehensive set of technological requirements and consumer protections created by the major credit card companies to safeguard point of sale (POS) systems from hackers and protect consumers from identify theft. POS system vendors must follow these standards, and any business accepting credit cards for payments (such as restaurants) are contractually obligated to use equipment and software from PCI-DSS compliant vendors. The penalties for retailers that have their systems breached can be massive, even if the problems are the fault of the hardware and software vendors. PRLog

Hacked Climate Change Emails Set Off Political Storm

Regardless of the merits of the climate change debate, one expert warns that any data breach should put organizations on alert to shore up their defenses -- and employees to watch what they say in email. Climate change debate aside, "If you think you might be doing something shady, don't blab about it in email."

Internet security and climate change had a surprising run-in last week, as thousands of emails from the University of East Anglia's Climate Research Unit wound up on climate-skeptic web sites. The University says it is cooperating with police and launching its own investigation into how the emails wound up online.

While many universities have suffered data breaches by cybercriminals, the fact that this data was released to anti-climate change sites strongly suggests the breach was politically motivated, said Andrew Storms, director of security operations at nCircle Security. "There is no doubt in my mind that the break-in was a targeted attack," Storms said.

"Cybercriminals seek assets worth value on the black market -- private and personal information primarily. Large amounts of emails about climate research aren't worth much when it comes to identity theft," Storms said. "Further, if the attackers felt there was monetary value in this information, they would not have leaked it so readily."  Top Ttech News

Credit card security breach fear

Reports are being investigated of a major credit card scam in Spain.

Anyone who used a Visa or Mastercard credit card when in Spain may have had their card data compromised.

In Germany, as many as 100,000 cards are reportedly being recalled. UK customers will be contacted directly if they are thought to be at risk.

Card holders are being assured that they will be protected against this type of fraud, but are being advised to check their statements. BBC News

Hong Kong man, three others jailed for spam scheme

A Hong Kong resident and three other men, including the self-proclaimed "Godfather of Spam," were sentenced to prison on Monday for their roles in an email stock fraud scheme, the Justice Department said.

The sentences, ranging from 32 to 51 months in prison, were handed down by US District Judge Marianne Battani in federal court in Detroit, the department said in a statement.

How Wai John Hui, 51, a resident of Hong Kong and Canada, was sentenced to 51 months in prison for wire fraud, money laundering and conspiring to commit wire fraud, mail fraud and to violate the Spam Act, it said.

Hui, the former chief executive of a company called China World Trade, was sentenced to three years of supervised release following his prison term and agreed to forfeit 500,000 dollars to the United States, it said.

Alan Ralsky, 64, of West Bloomfield, Michigan, and his son-in-law, Scott Bradley, 48, also of West Bloomfield, were sentenced to 51 months and 40 months in prison respectively on the same charges. AFP

Microsoft Study Sees Growing Threat of Computer Worms

Worldwide, the greatest threat remained attacks via fake security software. More than 13 million such attacks were blocked by computers with the help of Microsoft software in the first half of 2009. Nonetheless, a year ago, that figure was 16.8 million. Despite the higher risk of worm attacks, worms only make up about 6.7 percent of all attacks.

The danger of corporate computers becoming infected by worms has risen dramatically recently, according to a new study by Microsoft .

The study showed that, globally, the chances of infection by a computer worm had increased by almost 100 percent when comparing the first half of 2009 with the same six-month period in 2008.

The threat is focused mainly on business computers. Private users get off lightly, by comparison, partially because they are more likely than corporate customers to make sure their computers have the newest security software installed.

Germany and Austria both have PC infection rates significantly below the global average of 0.87 percent: 0.3 and 0.21 percent, respectively.

Germany usually performs well in such tests, said Microsoft spokesman and security expert Thomas Baumgaertner. That lies partially in the fact that Germany has a wide degree of penetration for fast DSL lines. That solid infrastructure insures that computer users regularly update their security software.

Despite the higher risk of worm attacks, the study say worms only make up about 6.7 percent of all attacks, meaning they are only the fourth most predominant threat. Trojan horse attacks claim first place in Germany, with 39.5 percent of all attacks. Enterprise Security Today

Key scientist says politics behind stolen e-mails

BOULDER, Colo. – A leading climate change scientist said hackers breaking into a university's computer server and then posting documents online show the nasty politics of global warming.

Kevin Trenberth, head of the climate analysis section of the U.S. National Center for Atmospheric Research in Boulder, said the hackers' intentions may have been to influence discussions in an upcoming global climate change summit in Denmark.

"It comes down to politics at sort of all levels, and some of it's nasty and some of it is trying to destroy the message or even kill the messenger so to speak," Trenberth said Monday in an interview with The Associated Press.

The University of East Anglia, in eastern England, said hackers last week stole about a decade's worth of data from a computer server at the university's Climatic Research Unit, a leading global research center on climate change.

About 1,000 e-mails and 3,000 documents have been posted on Web sites and seized on by climate change skeptics, who claim correspondence shows collusion between scientists to overstate the case for global warming, and evidence that some have manipulated evidence. Washington Post

New iPhone worm can act like botnet say experts

A second worm to hit the iPhone has been unearthed by security company F-Secure.

It is specifically targeting people in the Netherlands who are using their iPhones for internet banking with Dutch online bank ING.
It redirects the bank's customers to a lookalike site with a log-in screen.

The worm attacks "jail-broken" phones - a modification which enables the user to run non-Apple approved software on their handset.

The handsets at risk also have SSH (secure shell) installed.

Many people use SSH so other programs can remotely connect to an iPhone and, among other things, transfer files. It comes with a default password, "alpine" which should be changed.

Users who have installed SSH and not changed the password are especially at risk.

The new worm is more serious than the first because it can behave like a botnet, warns F-Secure.

This enables the phone to be accessed or controlled remotely without the permission of its owner. BBC News

Third iPhone worm targets jailbroken iPhones in Europe, Australia

Another week, another worm hitting jailbroken iPhones. As with the previous exploits, which Rickrolled your phone’s wallpaper and stole your data, this nasty piece of work burrows its way into your jailbroken device if you haven’t changed the password for the iPhone’s root account—you have changed your root password, right? Right?

A source who’s seen the worm in the wild tells Macworld that, after compromising the phone, the worm goes on to replace the phone’s copy of the SSH remote login software, changes the root password (so you can’t stop the worm without wiping the phone), skims your SMS database, checks in with its Lithuania-based overlords via the network, and then starts running a piece of software that searches for other vulnerable phones on both the local network and known IP address ranges of specific Internet Service Providers (mostly European). Somebody should have told the worm that nobody likes overachievers.
MacWorld

PCI DSS checklist: Mistakes and problem areas to avoid

"I can't tell you how many businesses we walk into where they have paper records -- a warehouse of credit card receipts that's intermixed with invoices, etc." Seth Peter CTO, NetSPI

The Payment Card Industry Data Security Standard (PCI DSS) has been a world-changing experience for many midmarket businesses, retailers and credit card processors that previously had little or no regulatory oversight for security.

Breaking Down PCI for the Midmarket

PCI DSS: Building and maintaining a secure network: The first PCI focus area requires a set of documented configuration standards, perimeter and endpoint protection.

PCI DSS: Protect Cardholder Data: The second PCI DSS focus area spells out how organizations must secure cardholder data they store and transmit.

"PCI has been their baptism," said Steve Alameda, principal consultant of Data SafeGuard of San Francisco. "It's one heck of a way to get baptized."

Consultants who devote part or most of their activities helping smaller organizations -- mostly those with Level 3, 4 and some Level 2 requirements for self-assessment -- share some of the difficult lessons learned in the trenches.

Lesson 1: Don't Underestimate PCI

Astonishingly, there's anecdotal evidence that some smaller companies are still unaware they must comply with PCI. Level 4 merchants, those processing fewer than 20,000 transactions annually, are slower to get the word.

Assuming your business is not in that situation, you're facing requirements that are growing increasingly demanding. Self-Assessment Questionnaire D, which most covered organizations are required to complete, is far more detailed than what the questionnaire originally required in 2007. Most companies often turn to consulting help for a variety of reasons:

Lack of knowledge about their own environment. Small companies are wrapped up in doing business, not doing security. Once they realize what they have to protect and all the ways they might be exposed, light bulbs go off.

Inability to comprehend the requirements. Few small companies have security people and most have, at most, a small IT staff that lacks the time and/or expertise to understand and complete the assessment.

The requirements sink in. Organizations start out doing a self-assessment, then realize as they proceed they may have bitten off more than they can chew.

Nobody wants to get it wrong. No one wants to go to the president and tell him/her that after all the time and money spent, the company is still not compliant.

Companies think they have adequate security to meet the requirements. To most small businesses, that's desktop AV and a firewall.

his may also mean underestimating cost. Companies that do their homework, either internally or in combination with outside help, will have a realistic expectation of what they'll need to spend in terms of manpower, technology and services. For example, while they have AV and a firewall, chances are they have never given a thought to purchasing log management, IDS or file integrity-monitoring tools, let alone a Web application firewall.

Also, small companies, unlike enterprises or smaller organizations in heavily regulated industries, are not accustomed to refreshing equipment, such as point-of-sale systems, every few years. In many cases, they need to either upgrade or replace older equipment to become or remain compliant.

Companies do not, typically, anticipate they will have to make some fundamental changes in the way they do business. It's not a matter of tacking on security, even for the little guys. You may, for example, store credit card information in Excel spreadsheets. Now you need to convert all that information into databases and protect them.

"It's one of the hidden costs of PCI. I can't tell you how many businesses we walk into where they have paper records -- a warehouse of credit card receipts that's intermixed with invoices, etc." said Seth Peter, CTO of Minneapolis-based consultancy NetSPI. "One big area where companies underestimate costs is how do you stop doing that and how do you go back and clean it up?"

"They feel their environment is in pretty good shape, and don't think they'll need to make many changes," said Data SafeGuard's Alameda. "Then the reality hits that there will be a lot of changes." TechTarget

Kaplan Fox Investigates Possible Securities Laws Violations by Pre-Paid Legal Services Inc.

Kaplan Fox Investigates Possible Securities Laws Violations by Pre-Paid Legal Services Inc.

New York – October 6, 2009 – Kaplan Fox & Kilsheimer LLP has been investigating Ada, Oklahoma-based Pre-Paid Legal Services Inc. (“Pre-Paid Legal” or the “Company”) (NYSE: PPD) for potential violations of the federal securities laws. Investors who purchased Company securities may be affected.

On October 6, 2009, Pre-Paid Legal reported the receipt of a subpoena from the Division of Enforcement of the Securities and Exchange Commission (“SEC”) in connection with a “fact-finding inquiry”. The Company’s October 6, 2009 press release stated as follows regarding the investigation: Kaplan Fox

Lessons Learned From PCI Compliance

Assessors reveal mistakes companies make with data security standard.
Whether you think PCI is a useful standard that makes our credit card data safer or a credit card industry whitewash that merely creates the illusion of security, PCI compliance is a fact of life.

As part of PCI compliance, companies that process a high volume of credit card transactions must submit to an annual assessment by a qualified security assessor, or QSA. For example, Visa requires it of merchants that process 6 million or more transactions. Assessors work for third-party organizations and generally visit companies to examine their processes and determine whether they comply with PCI rules.

More Security InsightsWhitepapersThe How and Why of PCIIDC Report: Complex Event Processing Opportunity Analysis and Assessment of Key ProductsWebcastsTapping into the Information Pipeline in Real-Time: Creating new levels of visibility and control for the Oil and Gas IndustryLessons From the "2009 Data Breach Investigations Report"ReportsHTML 5 Starts Looking Real (Dr. Dobbs)Hybrid CloudsVideos

Forbes CIO Mykolas Rambus talks about managing cost cutting, the changing role of the CIO, building leadership within, and his company's high priority on mining intelligence from vast amounts of data.

To help companies get ready for a an evaluation, we asked QSAs to describe common problems they encounter when working with IT groups on PCI compliance. What follows are five best practices to help companies better prepare for an assessment and maintain compliance. Information Week

New Attack Fells Internet Explorer

A hacker has posted attack code that could be used to break into a PC running older versions of Microsoft's Internet Explorer browser.

The code was posted Friday to the Bugtraq mailing list by an unidentified hacker. According to security vendor Symantec, the code does not always work properly, but it could be used to install unauthorized software on a victim's computer.

"Symantec has conducted further tests and confirmed that it affects Internet Explorer versions 6 and 7," the company wrote on its Web site Saturday. "We expect that a fully-functional reliable exploit will be available in the near future."

Security consultancy Vupen Security has also confirmed that the attack works, saying it worked on a Windows XP Service Pack 3 system running IE 6 or IE7. Neither company was able to confirm that the attack worked on Microsoft's latest browser, IE 8.

Symantec did not report that the attack is being used by cyber-criminals, but because Internet Explorer is so popular, this type of code is highly coveted by hackers. If the software does pop up in online attacks, it will put pressure on Microsoft to rush out an emergency patch, ahead of its regularly scheduled Dec. 8 security update. Microsoft could not be reached Saturday for a comment on the issue.

Together, IE 6 and IE 7 command close to 40 percent of the browser market. PC World

UPDATE 1-Pre-Paid Legal clarifies on US FTC's draft complaint

Says FTC draft complaint pertains only to ADRS program * Says will continue to cooperate with FTC * Believes no fees at issue subject to disgorgement.

Nov 20 (Reuters) - Pre-Paid Legal Services Inc (PPD.N) said a proposed draft complaint it received on Thursday from the U.S. Federal Trade Commission seeking permanent injunctive relief and disgorgement of proceeds pertained only to one of its marketing programs. "The proposed draft complaint narrowly focuses on our Affirmative Defense Response System (ADRS) marketing program and specific representations regarding identity theft and data privacy issues," the company said in a statement.

The ADRS program, which represents a relatively small percentage of the company's revenue, was introduced in 2006 as a complimentary program for businesses to learn more about its identity theft and data security services, the company said.

On Thursday, the company said it had received a proposed draft complaint from the FTC alleging that its ADRS program and related materials violated the FTC Act regarding asserted misleading representations.
Reuters

Security Pro Says New SSL Attack Can Hit Many Sites

A Seattle computer security consultant says he's developed a new way to exploit a recently disclosed bug in the SSL protocol, used to secure communications on the Internet. The attack, while difficult to execute, could give attackers a very powerful phishing attack.

Frank Heidt, CEO of Leviathan Security Group, says his "generic" proof-of-concept code could be used to attack a variety of Web sites. While the attack is extremely difficult to pull off -- the hacker would first have to first pull off a man-in-the-middle attack, running code that compromises the victim's network -- it could have devastating consequences.

The attack exploits the SSL (Secure Sockets Layer) Authentication Gap bug, first disclosed on Nov. 5. One of the SSL bug's discoverers, Marsh Ray at PhoneFactor, says he's seen a demonstration of Heidt's attack, and he's convinced it could work. "He did show it to me and it's the real deal," Ray said.

The SSL Authentication flaw gives the attacker a way to change data being sent to the SSL server, but there's still no way to read the information coming back. Heidt sends data that causes the SSL server to return a redirect message that then sends the Web browser to another page. He then uses that redirect message to move the victim to an insecure connection where the Web pages can be rewritten by Heidt's computer before they are sent to the victim. PC World

Pre-Paid Legal Services says FTC may sue

ADA, Okla. — Pre-Paid Legal Services Inc., a network of independent law firms, said Thursday that the Federal Trade Commission may sue the company over allegedly misleading representations made by its identity theft prevention program.

The news sent the stock plummeting 19 percent to close at $33.27.

The identity theft program offers regular monitoring of credit reports, sending alerts if new accounts are opened in a customer's name or if negative items are added to credit reports. It also offers to help a customer restore their credit rating if they are a victim of identity theft.AP

Red flags rule to curb ID theft

The red flags rule is supposed to help curb identity theft, by shifting some of the burden from consumers to businesses. Learn more at www.ftc.gov/redflagsrule. But you should still keep a close watch on your personal information. Here are some suggestions from the Federal Trade Commission:

Protect your Social Security number. Don't carry your card if you don't need it. Ask why someone needs it if it is requested.

Handle mail with care. Shred documents that contain credit card numbers, banking information and credit card offers. Limit credit card offers: Call 888-5-OPT-OUT (888-567-8688).

Don't give out personal information on the phone, via mail or the Internet, unless you initiated contact and are sure of whom you're dealing with. Miami Herald

Feds falling behind in the race against cyber threats, GAO says

Despite increased cooperation among agencies charged with protecting the government’s information infrastructure, federal cybersecurity is failing to keep pace with the growing threat of attack from hackers, criminals and other nations, a Senate panel has been told.

The Government Accountability Office has identified weaknesses in security controls in almost all agencies for years, Gregory Wilshusen, GAO's director of information security issues, and David Powner, the agency's director of information technology management issues, told the Senate Judiciary Committee's Terrorism and Homeland Security Subcommittee Nov. 17. Agencies are falling short in their use of strong authentication, encryption, and network monitoring, they said.

“An underlying cause of these weaknesses is agencies’ failure to fully or effectively implement information security programs, which entails assessing and managing risk, developing and implementing security policies and procedures, promoting security awareness and training, monitoring the adequacy of security controls, and implementing appropriate remedial actions,” they testified. GNC

GAO: Los Alamos computer security has weaknesses

ALBUQUERQUE, N.M.—Security weaknesses uncovered in Los Alamos National Laboratory's classified computer network could increase the risk of a breach of classified information, the U.S. Government Accountability Office said in a new report.


The GAO audited key parts of the nuclear weapons lab's classified computers from November 2008 to July 2009. The classified computer network consists of more than 3,900 computers and devices for about 3,800 users, the report said.

Preventing leaks of sensitive information on the northern New Mexico lab's classified computer network is "critical to national security," the report stated.

"While the laboratory has taken steps to protect information on its classified computer network, a number of security weaknesses remain," the report said.

Lab spokesman Kevin Roark said Tuesday the vast majority of the issues raised by the report already have been resolved.

"All classified data at Los Alamos is extremely well protected and isolated from the Internet and all indications -- including other external audits -- confirm that this most important of information continues to be safe," Roark said. SF Gate

UK Police Reveal Arrests Over Zeus Banking Malware

British police said Wednesday they've made the first arrests in Europe of two people for using Zeus, a sophisticated malicious software program that can scoop up any sensitive information on a PC.

A man and woman, both 20 years old, were arrested in Manchester, England, on Nov. 3, said the Metropolitan Police's Central e-Crime Unit (PCeU). The pair, who have been released on bail, will face charges under the 1990 Computer Misuse Act and the 2006 Fraud Act.

Zeus is an advanced piece of malicious software. If installed on a PC, it can send spam, steal financial or other data or conduct a distributed denial-of-service attack against other computers. Machines infected with Zeus are essentially a botnet. PC World

Ecommerce Scams: Hundreds Of Well-Known Sites Scam Customers, Report Shows

Senator Rockefeller released the results of an investigative report into "Aggressive Sales Tactics on the Internet and Their Impact on American Consumers" in advance of a hearing on the subject by the US Senate Committee on Commerce, Science, and Transportation.

The research examines "controversial e-commerce business practices that have generated high volumes of consumer complaints" and focused on sales tactics that "charge millions of American consumers for services the consumers do not want and do not understand they have purchased," according to the Staff Report.

A controversial practice known as "post-transaction marketing" was at the center of the research into the e-commerce business practices.

TechCrunch offers context on how "post-transaction marketing" works:

Background: hundreds of well known ecommerce companies add post transaction marketing offers to consumers immediately after something is purchased on the site. Consumers are usually offered cash back if they just hit a confirmation button. But when they do, their credit card information is automatically passed through to a marketing company that signs them up for a credit card subscription to a package of useless services. The "rebate" is rarely paid. Huffington Post

Shadowserver to Take Over as Mega-D Botnet Herder

An effort is underway to clean up tens of thousands of computers infected with malicious software known for churning out thousands of spam messages per hour.

The infected computers are part of a botnet called Ozdok or Mega-D, which at one time was sending out around 4 percent of the world's spam messages.

Last week, security vendor FireEyelaunched a drive to dismantle the botnet. The infected computers receive instructions and information for new spam campaigns through command-and-control servers. FireEye contacted network providers which hosted those servers, and most were shut down.

That meant that the people controlling the hacked PCs, known as botnet herders, couldn't contact most of their bots anymore. Spam from Mega-D almost stopped entirely. FireEye also cut off a second redundancy mechanism the herders programmed into Mega-D.

If the infected machines can't contact a command-and-control server, they're programmed with an algorithm that will generate a random domain name and try to contact that domain daily. The herders know what this domain will be and can upload new instructions there. PC World

Cyber laws must punish individuals not society: specialist

SHARM EL-SHEIKH, Egypt (AFP) - Laws regulating cybercrimes must target individuals and not society as a whole, an IT specialist told an Internet governance forum at the Egyptian resort of Sharm el-Sheikh on Tuesday.

Gisele Da Silva Craveiro from the University of Sao Paolo in Brazil said the broad nature of cyberlegislation leaves it open to abuse by authorities.

"Definitions for cybercrimes can be so broad as to fit everything... leaving the laws open to inappropriate use by authorities such as monitoring citizens," Craveiro told AFP on the sidelines of the Fourth Meeting of the Internet Governance Forum in Egypt.

"Technicians need to communicate with lawyers to come up with more efficient legislation so that society doesn't end up paying the price for too broad a legislation," she said.

Craveiro was speaking at a session entitled Developing Comprehensive Cybercrime Legislation organised by the Council of Europe at the Red Sea meeting.

"Legal frameworks should take into acount the rights of users and the role of the private sector on the one hand, and security concerns on the other," the Council of Europe said in a statement. Kioskea

FBI says hackers targeting law firms, PR companies

WASHINGTON - Hackers are increasingly targeting law firms and public relations companies with a sophisticated e-mail scheme that breaks into their computer networks to steal sensitive data, often linked to large corporate clients doing business overseas.

The FBI has issued an advisory that warns companies of "noticeable increases" in efforts to hack into the law firms' computer systems — a trend that cyber experts say began as far back as two years ago but has grown dramatically.

In many cases, the intrusions are what cyber security experts describe as "spear phishing," attacks that come through personalized spam e-mails that can slip through common defenses and appear harmless because they have subject lines appropriate to a person's business and appear to come from a trusted source.

"Law firms have a tremendous concentration of really critical, private information," said Bradford Bleier, unit chief with the FBI's cyber division. Infiltrating those computer systems, he said, "is a really optimal way to obtain economic, personal and personal security related information." AP

UK Hails First Cybercrime Cooperation With Banks

UK police are hailing the sentencing of four people who used a Trojan horse program to siphon money out of online bank accounts. Jeremy Kirk, IDG News Service
U.K. police are hailing the sentencing of four people who used a sophisticated Trojan horse program to siphon money out of online bank accounts and send it to Eastern European countries and Russia.

The case marks the first collaboration between the financial industry and the Police Central e-Crime Unit (PCeU), which was established earlier this year after accusations the U.K. government wasn't doing enough about cybercrime.

The men used a Trojan horse program called PSP2-BBB that executed a so-called man-in-the-browser attack when potential victims logged into online bank accounts. The Trojan would insert a special page within the customer's browsing session asking for more personal information, according to police. The Trojan would then set up a transfer to another account, according to police. PC World

Computer containing students' Social Security numbers taken from Bloomsburg University office

Bloomsburg University is notifying students and alumni who were enrolled in Julie Kontos' psychology classes from 2004 to 2006 about the possible theft of their Social Security numbers after a laptop was stolen from a campus office.

On Nov. 1, several computers and small digital devices were stolen from offices in Centennial Hall. One of the missing devices is a laptop used by Kontos, interim dean of the College of Liberal Arts. University police are investigating the theft.

On Nov. 4, it was determined the laptop's hard drive contained student rosters for psychology classes Kontos taught from spring 2004 through summer 2006. The rosters included student grades and Social Security numbers which, at that time, were used as student identification numbers. The university replaced Social Security numbers with alternate student ID numbers in fall 2006.

"We have identified and are in the process of contacting all of the 574 students who were enrolled in Professor Kontos' classes during that time period and alerting them to what has taken place," said Wayne Mohr, assistant vice president for technology. "We are encouraging them to sign up for free credit monitoring with one of the three major credit bureaus to watch for any suspicious activity." Citizens Voice

PCI DSS: No Angel, but Certainly Not the Devil

Security luminaries Anton Chuvakin and Ben Rothke explain why 451 Group analyst Josh Corman is off his rocker when he compares PCI security to a devil and "No Child Left Behind."

 Fifty years ago, The Coasters had a top-10 hit with the song "Charlie Brown." The song is best known for the phrase "Why's everybody always pickin' on me?" Charlie Brown was a loveable character who was often beat up and picked on for no reason.

A Guide to Practical PCI Compliance

Far too many in the industry similarly see PCI as such a loser and criticize it relentlessly. In our article PCI Shrugged: Debunking Criticisms of PCI DSS from April 2009, we wrote that the PCI DSS is a valuable standard. We did not then, and do not now, feel that the PCI DSS is perfect, but it is in the best interest of the industry and consumers that it be maintained, developed and expanded as well as adapted to today's threats.

However, let's briefly step away from this debate and consider this: imagine a large distributed retailer that has somehow survived without investing in information security. Yes, they've updated antivirus subscriptions on their desktops and have added a firewall, but they haven't gone beyond that (it goes without saying that this said organization was consistently compromised by malicious hackers).

The advent of PCI worried this retailer and now they have to take security actions like encrypt, log, monitor, educate employees, and more. However, this retailer is now fighting PCI with all their strength since they believe that "PCI is too much security." Their worldview of security is that "no security" is "just enough security." CIO IT News

Michelle Rodger: Informed choices on compliance can pay big rewards

COMPLIANCE is a bureaucratic nightmare. Business hates it because it costs money and not only is it time consuming, it's Big Brother sticking his neb into our business.

But have you – as business owners – seriously considered the implications of non-compliance? The massive fines and potential sentences? Or do you just take your chances?

Then consider this alternative. Have you ever viewed compliance as an opportunity, a USP, a differentiator, a competitive advantage? Or used it as a marketing tool, or to leverage loyalty and build trust?

I suspect not. The current information about compliance and data security legislation is all negative. It's about promoting fear of the consequences of not doing what you are told, but I suggest the opportunities could outweigh the disadvantages. Scotland On Sunday

Fake Verizon 'balance-checker' Is a Trojan

Cyber-criminals have started preying on Verizon Wireless customers, sending out spam e-mail messages that say their accounts are over the limit and offering them a "balance checker" program to review their payments.

The e-mail messages, which look like they come from Verizon Wireless, are fakes; the balance checker is actually a malicious Trojan horse program.

"If you run the tool, obviously, your computer is toast," said Nick Bilogorskiy, manager of antivirus research at SonicWall. "You get infected with a Trojan that SonicWall catches under the name Regrun." PC World

DNS Problem Linked to DDoS Attacks Gets Worse

ISPs are distributing consumer modems that could be used in DDoS attacks, researchers say. Robert McMillan, IDG News Service

Internet security experts say that misconfigured DSL and cable modems are worsening a well-known problem with the Internet's DNS (domain name system), making it easier for hackers to launch distributed denial-of-service (DDoS) attacks against their victims.

According to research set to be released in the next few days, part of the problem is blamed on the growing number of consumer devices on the Internet that are configured to accept DNS queries from anywhere, what networking experts call an "open recursive" or "open resolver" system. As more consumers demand broadband Internet, service providers are rolling out modems configured this way to their customers said Cricket Liu, vice president of architecture with Infoblox, the DNS appliance company that sponsored the research. "The two leading culprits we found were Telefonica and France Telecom," he said.

In fact, the percentage of DNS systems on the Internet that are configured this way has jumped from around 50 percent in 2007, to nearly 80 percent this year, according to Liu. PC World

Health Industry Winning Round On Privacy Of Digital Health Records

Lobbyists for the health industry are close to a victory over consumer groups in a dispute about when patients should be told their digital medical records have been lost, stolen or mishandled.

The tug-of-war over a little-known federal privacy rule--which has drawn in Congress, regulators and an array of interest groups--highlights the behind-the-scenes activity touched off by the government's effort to spend some $45 billion in economic stimulus funds to push medical data online. Federal regulators are working against tight deadlines to write all kinds of rules governing the digital system, one that the Obama administration hopes most health care providers will adopt in the next five years.

As with many Washington initiatives, the way the rules are written may have more of an effect on consumers than the original law passed by Congress.

One of the most contentious questions so far is when--and how--health care providers will have to notify patients if their privacy is breached.

Some lawmakers, consumer groups and industry analysts argue that hospitals and insurance companies should be required to let patients know about any unauthorized disclosure of their health data. However, under a provisional rule released by regulators from the Department of Health and Human Services, a health care provider only would have to notify patients if the provider determines the breach "poses a significant risk of financial, reputational, or other harm to the individual.'' Huffington Post

Biggest website security weaknesses

Posted on 12 November 2009. WhiteHat Security released a report assembled from real-world website security data, is a high-level perspective on major website security issues that continue to compromise corporate data across all industries.

The report contains data collected between January 1, 2006 and October 1, 2009, and finds that the percentage of high, critical or urgent issues continue to slowly increase. 83 percent of websites have had a high, critical or urgent issue over their lifetime and 64 percent of websites currently have a high, critical or urgent issue. Of the 22,000 vulnerabilities identified, almost 9,000 remain open, which means encouragingly that the majority – over 13,000 – have been closed.  Help Net Security

Early Impact Co-founder on PCI Compliance

Found a great Pod Cost interview on the Practical Ecomerce site done by Kevin Patrick Allen of Massimo Arrigoni who is the co-owner of Early Impact, a developer of the licensed shopping cart ProductCart. Here is his perspective on PCI compliance.  Listen to interview

FTC delays Red Flag Rules implementation

November 9, 2009 — The Federal Trade Commission (FTC) has delayed implementation of the Red Flag Rules until June 1, 2010. Last month, the House passed legislation (H.R. 3763) that would exempt healthcare practices with 20 or fewer employees from the Red Flags Rule. chiropractic News

Healthcare Providers Face Security Challenges

Many healthcare organizations are unprepared for new federal regulations and other security challenges, according to a study. Security budgets are low, organizations don't have response plans for threats or a security breach, and a designated chief security officer isn't in place.

The Health Information Technology for Economic and Clinical Health Act (HITECH) provisions of the U.S. American Recovery and Reinvestment Act (ARRA) of 2009 includes new regulations for maintaining privacy and security of patient health data, but healthcare providers aren't ready, according to the results of the 2009 Security Survey from the Healthcare Information and Management Systems Society, sponsored by Symantec (NSDQ: SYMC). Information Week.

New IPhone Malware Steals Data From Jailbroken Phones

Another piece of dangerous code that attacks iPhones has been found, although it puts at risk only a very small subset of the smartphone's users.

Mac security vendor Intego calls the code "iPhone/Privacy.A." It is a malicious tool hackers install on Windows, Mac, Unix or Linux systems, and even on iPhones, using those devices to scan for "jailbroken" iPhones, some of which are vulnerable to the malware.

If it finds a vulnerable iPhone within its range, the malware copies e-mail, contacts, SMS (Short Message Service) messages, calendar entries, photos, music, videos and any data recorded by an iPhone application, according to an advisory from Intego.

"This hacker tool could easily be installed, for example, on a computer on display in a retail store, which could then scan all iPhones that pass within the reach of its network," Intego said. "Or, a hacker could sit in an Internet café and let his computer scan all iPhones that come within the range of the Wi-Fi network in search of data. "

However, the tool can only attack jailbroken iPhones, or ones that have been modified to run unapproved software, that are running SSH (Secure Shell), a Unix utility with the default password enabled. PC World

iPhone fear as 'Rick Astley' worm spreads

SYDNEY — An Australian student sparked fears of a new era of computer viruses on Tuesday after creating a worm which infects Apple's iconic iPhone with pictures of 1980s pop star Rick Astley.

Ashley Towns, 21, who lives with his family near Sydney, said he was trying to raise security awareness with his cheeky but harmless "Ikee" worm, which spreads from phone to phone along wireless networks.

"This virus pretty much exploits people's laziness to change their password," he said, according to public broadcaster ABC.

"Somebody with more malicious intent could have done anything -- read your SMSs, go through your emails, view your contacts, photos -- anything," he added.

The virus swaps the smartphone's wallpaper with an image of Astley and the words "Ikee is never gonna give you up" -- a reference to the British star Astley's 1987 chart-topper: "Never Gonna Give You Up".

It affects only phones that have been modified, or jail-broken, to install applications not approved by manufacturer Apple, and can easily be deleted.

But experts warned Towns, among the first in the world to hack into the popular iPhone, may have caught the attention of cyber-criminals wanting to steal personal information such as bank details. AFP

Estonians, Russian, Moldovan charged in credit card hack

WASHINGTON — Alleged computer hackers from Estonia, Russia and Moldova have been indicted in a scheme that netted nine million dollars from cash dispensers, the US Justice Department said on Tuesday.

"This investigation has broken the back of one of the most sophisticated computer hacking rings in the world," said acting US attorney Sally Quillian Yates of the Northern District of Georgia.

Sergei Tsurikov, 25, of Tallinn, Estonia, Viktor Pleshchuk, 28, of St. Petersburg, Russia, and Oleg Covelin, 28, of Chisinau, Moldova, have been indicted by a federal grand jury in Atlanta, Georgia, the department said.

It said a fourth person known only as "Hacker 3" was also indicted on charges of hacking into a computer network operated by Atlanta-based credit card processing company RBS WorldPay, part of the Royal Bank of Scotland.

Tsurikov, Pleshchuk, Covelin and "Hacker 3" were charged with conspiracy to commit wire fraud, wire fraud, conspiracy to commit computer fraud, computer fraud, access device fraud and aggravated identity theft.

They were accused of compromising the data encryption on payroll debit cards, which are used by some companies to allow employees to withdraw their salaries directly from a cash dispenser, or ATM.  AFP

FireEye Moves Quickly to Quash Mega-D Botnet

A computer security company known for battling botnets moved last week to try to shut down a persistent spam player.

FireEye, a California company that makes security appliances, had been tracking a botnet called Mega-D or Ozdok. Mega-D, which is a network of hacked computers, has been responsible for sending more than 4 percent of the world's spam, according to M86 Security. Many of the computers that make up Mega-D are infected home PCs.

Mega-D is one of several botnets that have implemented advanced technical measures to ensure its owners don't lose control of the hacked PCs. The hackers use command-and-control servers to issue instructions to the zombie PCs, such as when to run a spam campaign.

In the case of Mega-D, the hacked PCs will look for certain domain names in order to download instructions, wrote Atiq Mushtaq of FireEye on the company's blog. If those domains aren't active -- they are often shut down by ISPs if they're associated with abuse -- Mega-D machines will look for custom DNS (Domain Name System) servers to find live domains.

If that also fails, Mega-D is programmed to generate a random domain name based on the current date and time, Mushtaq wrote. When the hackers register the domain name, the infected machines can visit there to get new instructions. PC World

An FBI Cybercrime Agent's Tales From the Trenches

The stories that FBI Assistant Director of Cybersecurity Shawn Henry can tell are enough to keep any network security administrator up at night. The methods of criminal hackers are becoming disturbingly effective, he says, and changing attitudes on the nature of online privacy are giving rise to additional risks. On the bright side, he also sees a growing degree of cooperation among law enforcement groups.

Increase Customer Sales with VerticalResponse Email Marketing! Quickly and easily send email newsletters, coupons & sales announcements to your customers – no technical expertise needed. Sign up for your Free Trial today and send 100 emails on us!

The FBI official in charge of major cybercrime investigations told a international gathering of computer security experts last week that financial services companies have suffered massive thefts due to hackers.
Ecommerce Times