Sunday, February 28, 2010

British politicians fall victim to Twitter scam

British politicians were among those caught up Friday in the latest Twitter-based scam which hijacks users' accounts to send out sexually explicit messages to friends and followers.

The micro-blogging Web site has been hit by a wave of so-called "phishing scams," which lure users to a bogus Web site where they're enticed to part with their passwords. The compromised accounts are then used to distribute rogue messages to other users.

Those tracking the Twitter account of Ed Miliband, the British energy minister, were surprised by a message carrying an unusually direct reference to the politician's sex life.

"Oh dear it seems like I've fallen victim to twitter's latest 'phishing' scam," Miliband said in a message posted shortly afterward.

He wasn't alone.

On Thursday, House of Commons leader Harriet Harman told lawmakers her account had sent a bogus message to opposition lawmaker Alan Duncan.

She didn't say exactly what the content of the message was, but she left British lawmakers wondering when she told them: "I wouldn't ever send a tweet like that."

Other prominent politicians and journalists were among those who received the rogue messages.

Even tech-savvy Twitter users have been hit. AP

Saturday, February 27, 2010

Cybersecurity bill to give president new emergency powers

The president would have the power to safeguard essential federal and private Web resources under draft Senate cybersecurity legislation.

According to an aide familiar with the proposal, the bill includes a mandate for federal agencies to prepare emergency response plans in the event of a massive, nationwide cyberattack.

The president would then have the ability to initiate those network contingency plans to ensure key federal or private services did not go offline during a cyberattack of unprecedented scope, the aide said.

Ultimately, the legislation is chiefly the brainchild of Sens. Jay Rockefeller (D-W.Va.) and Olympia Snowe (R-Maine), the chairman and ranking member of the Senate Commerce Committee, respectively. Both lawmakers have long clamored for a federal cybersecurity bill, charging that current measures — including the legislation passed by the House last year — are too piecemeal to protect the country’s Web infrastructure.

Their renewed focus arrives on the heels of two high-profile cyberattacks last month: A strike on Google, believed to have originated in China, and a separate, more disjointed attack that affected thousands of businesses worldwide.

Rockefeller and Snowe’s forthcoming bill would establish a host of heretofore absent cybersecurity prevention and response measures, an aide close to the process said. The bill will “significantly [raise] the profile of cybersecurity within the federal government,” while incentivizing private companies to do the same, according to the aide.

Additionally, it will “promote public awareness” of Internet security issues, while outlining key protections of Americans’ civil liberties on the Web, the aide continued.

Privacy groups are nonetheless likely to take some umbrage at Rockefeller and Snowe’s latest effort, an early draft of which leaked late last year.

When early reports predicted the cybersecurity measure would allow the president to “declare a cybersecurity emergency,” online privacy groups said they felt that would endow the White House with overly ambiguous and far-reaching powers to regulate the Internet.

The bill will still contain most of those powers, and a “vast majority” of its other components “remain unchanged,” an aide with knowledge of the legislation told The Hill. But both the aide and a handful of tech insiders who support the bill have nonetheless tried to dampen skeptics’ concerns, reminding them the president already has vast — albeit lesser-known — powers to regulate the Internet during emergencies. dprogram.net

Wyndham Hotels Hacked Again

Hackers broke into computer systems at Wyndham Hotels & Resorts recently, stealing sensitive customer data.

The break-in occurred between late October 2009 and January 2010, when it was finally discovered. It affected an undisclosed number of company franchisees and hotel properties that Wyndham manages. Wyndham has acknowledged the incident in a note posted to its Web site.

"A hacker intruded on our systems and accessed customers information from a limited number of franchised and managed properties," the company said. "The hacker was able to move some information to an off-site URL before we discovered the intrusion."

Hackers were able to steal data required for credit card fraud, the company said, including "guest names and card numbers, expiration dates and other data from the card's magnetic stripe."

Wyndham did not say how many hotels were hacked or how many customers were affected. The company did not return messages seeking comment Friday.

This is the third data breach reported by Wyndham in the past year. Last February, Wyndham said that hackers stole tens of thousands of credit card numbers between July and August 2008. pcworld

Thursday, February 25, 2010

Microsoft uses law to cripple hacker spam network

Microsoft on Thursday said it combined technology with an "extraordinary" legal maneuver to cripple a massive network of hacked computers that had been flooding the Internet with spam.

The software titan's Digital Crime Unit got clearance from a US judge to virtually sever the cyber criminals' command computers from hundreds of thousands of machines worldwide infected with a Waledac virus.

"We decided the best tactic would be to literally build a wall between the bot-herder, the command computer, and all of the other computers -- effectively cutting the umbilical cord," said Microsoft attorney Richard Boscovich.

Microsoft got a US judge to grant an ex parte temporary restraining order that let the firm erect the cyber blockade without warning bot-herders, masters of the "botnet."

"It was of crucial importance that when we went out to sever the connection between the bot herder and the bots, that severing had to be done without him knowing," said Boscovich, who works in the digital crime unit.

Microsoft drafted a complaint that made a case to the court that the damage to computer owners worldwide, and to the software firm, was major enough to warrant "this rather extraordinary order," Boscovich said.

The mission to take down one of the ten largest botnets in the United States was referred to internally at Microsoft as "Operation b49."

Waledac is estimated to have infected hundreds of thousands of computers worldwide, letting its masters mine machines for information or secretly use them to fire off spam email.

Hackers typically infect computers with malicious codes by tricking owners into clicking on booby-trapped email messages or Internet links that plant viruses.

Bot-herders are then free to hire out botnets for nefarious tasks such as spewing spam or overwhelming legitimate websites with myriad simultaneous requests in what are known as distributed-denial-of-service attacks.

The Waledac botnet was believed to be capable of sending more than 1.5 billion spam email messages daily.

During a three week period in December, Waledac-infected machines sent approximately 651 million spam email messages to users of Microsoft's free Hotmail service, according to the software firm.

The spam included messages pitching online pharmacies, knock-off goods, and penny stocks. smh.com

Mean Girls: Cyberbullying Blamed for Teen Suicides

Massachusetts Girl, 15, Was Reportedly Bullied Online Before Taking Her life


Parents in a western Massachusetts town are trying to understand the horrific bullying that apparently led a pretty 15-year-old to kill herself -- and they are furious.

"That could have easily been my daughter and I am angry," South Hadley, Mass., parent Dave Leonard told school officials at a crowded meeting this week.

"You have failed," parent Luke Gelinas added, as the audience applauded. "Until someone admits there's been failure here, complete failure, you have nowhere to go."

But who exactly failed Phoebe Prince? Friends say the Irish immigrant, who moved to South Hadley just last year, had been the recipient of nasty online messages and e-mails. She was found dead in her home two weeks ago. 

"Someone told her to go hang herself, and I don't really know who that was," student Jessica Chapdelaine said. "But she was getting bullied by some people, because there were people talking about her and I guess she just didn't like being hated."

Prince's friend Sergio Loubriel said he'll miss "just being around her."

"I didn't want to believe it," he said referring to her death.

Experts say Prince's story is not unique.

Internet safety expert and privacy lawyer Parry Aftab told "Good Morning America" today that this type of bullying amounts to torture for some kids.

"The schoolyard bullies beat you up and then go home," she said. "The cyberbullies beat you up at home, at grandma's house, wherever you're connected to technology."

Aftab said most of the cyberbullies are "mean girls" that target young teenagers through e-mail and social media sites. Signs that cyberbullying is happening can include a child's sudden hesitation to use the technology they had always been enthusiastic about like online gaming, Facebook or e-mail.

She said those being bullied in cyber space need to "stop, block and tell" -- stop reading the insulting messages, block them from your computer and tell someone. abcnews.go.com

Microsoft wins court approval to topple "botnet": report

Software giant Microsoft Corp has won U.S. court approval to deactivate a global network of computers that the company accused of spreading spam and harmful computer codes, the Wall Street Journal said.

A federal judge in Alexandria, Virginia, granted a request by Microsoft to deactivate 277 Internet domains, which the software maker said are linked to a "botnet," the paper said.

A botnet is an army of infected computers that hackers can control from a central machine.

The company aims to secretly sever communications channels to the botnet before its operators can re-establish links to the network, the paper said.

Microsoft on Monday filed a suit that targets a botnet identified as Waledac, the paper said.

Judge Brinkema's order required VeriSign Inc, an Internet security and naming services provider, to temporarily turn off the suspect Internet addresses, the paper said. reuters.com

Wednesday, February 24, 2010

Ecommerce Businesses Under Gun To Become PCI DSS Compliant

Banks are pushing hard for ecommerce businesses to get their websites PCI DSS compliant.

So if you are an ecommerce business owner, don't be surprised by a letter from your bank stating that you are now required to sign up for its compliance management program.

If you think this doesn't apply to you because you are just a small business, think again. Hackers are targeting small businesses precisely because they are ripe for the picking, and quite frankly they can get in and out of your unprotected data quicker than you can say "Bob's your Uncle!"

So don't get caught with your pants down around your ankles; tighten the belt and get your business PCI DSS Compliance certified.

Not doing so will not only put you and your business at serious risk of some very nasty fines, but you can also expect to lose 65% of your business due to a data breach when the word gets out that you were negligent.

Oh, and the word will get out...

Seeing red: FTC to begin enforcement of identity theft 'Red Flag' Rules June 1, 2010

After multiple delays, the Federal Trade Commission (FTC) will begin enforcement of the Red Flag Rules starting on June 1, 2010. The purpose of the Red Flag Rules is to prevent, identify, and report identity theft. In general, most healthcare organizations will be considered “creditors” that manage “covered accounts” under these rules and will be required to enact formal, written policies and procedures to comply with the new law. The Red Flag Rules define “creditor” broadly to include entities that regularly defer payment on goods or services or provide goods or services and bill for them later. Many healthcare providers will fall into the category of “creditor.”

If the Red Flag Rules apply to an organization as described above, the organization is required to implement written policies and procedures to identify and address the “red flags” that indicate identity theft. For healthcare organizations, the key is developing a list of red flags that may indicate that a person presenting for services is not who they say they are. In practice, organizations may already have procedures that cover much of what is required, but the new rules require formalized processes in written policies and procedures.
lexology.com

Twitter Phishing Plus: Social Media Attacks on Rise

Twitter has been hit with large-scale phishing attacks in recent days, and today prominent online security firms say such social media hacking is becoming more sophisticated and widespread.

And it can take a serious toll on identity theft victims who may use the same password for multiple websites.

The cyber criminals are getting more precise – instead of relying on “blanket” tactics – with the help of Twitter, Facebook and other sites that can serve as goldmines of personal information, according to Cyveillance, the Arlington, VA.-based firm which provides online security services to Fortune 500 companies.

And new social media sites of this kind are springing up regularly. Case in point: Blippy, a Twitter-like site that tracks credit card purchases at certain retailers once a user links up a card of choice to the service.

“Cyber criminals are focusing their efforts on developing more sophisticated and targeted attacks rather than using a far reaching blanket approach, in order to reap greater financial rewards,” said Panos Anastassiadis, chief operating officer at Cyveillance.

Phishing attacks are when online fraudsters send emails that appear personal but are actually fishing expeditions for your log-in information that might get them credit card or bank account numbers, or other vital pieces of identification.

The recent Twitter attacks are good examples of the troubling trend.

Direct messages to Twitter users are asking “This you????” — followed by a link. Once you click on the link, you are taken to a fake Twitter login page.

If you make it that far, “hackers are just waiting for you to hand over your credentials,” writes Graham Cluley, senior technology consultant at Sophos.com, a leader in network security solutions for organizations. “In fact, they can automatically post the phishing message from your account as soon as you hand over your details.”

But hacking into your Twitter account is not the worst part, Cluley said. A third of social media users have the same password on other websites, which could include sites with financial information, such as PayPal, the leading payments processor for online purchases.

“It’s bad enough if hackers gain control of your Twitter account, but if you also use that same password on other websites (and our research shows that 33 percent of people do that all of the time) then they could access your Gmail, Hotmail, Facebook, eBay, Paypal, and so forth,” Cluley said. ecreditdaily

Tuesday, February 23, 2010

Identity Theft Study Shows Increase In Problem

An annual study shows identity theft is getting worse with more victims losing more money. But at the same time, ID theft is being discovered faster.

The study by Javelin Strategy & Research shows that ID theft cases jumped by 12 percent last year to 11 million adults.

The total amount of fraud also increased by 12 percent, or $6 billion.

Technology is helping to detect fraud faster, but scammers are taking advantage of it to commit crimes. When consumers discover fraud through electronic monitoring -- checking their statements online every few days -- they catch the fraud much quicker.

When consumers wait to find fraud on paper statements, they lose more money and it takes longer to detect. If consumers wait for their monthly paper statement, the average monthly loss is almost $275. If they catch it electronically, it's just over $115.

The study found that people between the ages of 18 and 24 suffered the highest account misuse through social networking. They also took the longest time to detect fraud, 132 days, and were victims for the longest period of time, 149 days. wgal

Monday, February 22, 2010

U.S. pinpoints code writer behind Google attack: report

U.S. government analysts believe a Chinese man with government links wrote the key part of a spyware program used in hacker attacks on Google last year, the Financial Times reported on Monday.

The man, a security consultant in his 30s, posted sections of the program to a hacking forum where he described it as something he was "working on," the paper said, quoting an unidentified researcher working for the U.S. government.

The spyware creator works as a freelancer and did not launch the attack, but Chinese officials had "special access" to his programming, the report said.

"If he wants to do the research he's good at, he has to toe the line now and again," the paper quoted the unnamed U.S. government researcher saying.

"He would rather not have uniformed guys looking over his shoulder, but there is no way anyone of his skill level can get away from that kind of thing. The state has privileged access to these researchers' work."

The report did not say how analysts knew about the man's government ties. ctv.ca

Even More Phishing...

Here is yet another phishing email that you must ignore!!!


Subject: Please update your Firewall as soon as possible

Sunday, February 21, 2010 5:46 PM
From: "Firewall Update Notification" (This sender is DomainKeys verified)
To: somepoorsucker@yahoo.com

Firewall Gold Message Center: You may need to update your Firewall security settings as soon as possible:


Press here to update your Firewall security settings or read below for more information:
http://desaket.com/tr.php?86299+somepoorsucker@yahoo.com


There is a high possibility that your PC's Firewall security settings may become exploited by malicious websites without your knowledge. This could easily lead to the following attacks on your PC's hard drive:

- Unwanted Virus Downloads

- Uncontrollable Trojan horse attacks

- The running of unwanted script programs

- The installation of malicious spyware

If your PC is not protected correctly then these attacks could allow hackers to track your movements across the Internet. It also means that your information, ranging from passwords to credit card numbers, can be stored by sites that you visit. A successful hacker could examine this information and extract it, setting the stage for identity theft, credit card fraud, or worse.


Press here for more information on how to make certain you are protected:

http://desaket.com/tr.php?86299+somepoorsucker@yahoo.com


Some unknown or untrusted websites use script programs to change your home page, modify your web history, display advertisements, disable your back button, or redirect you to different websites without your consent. Such scripts have also been recently used by Russian hackers to silently install viruses on end-user's computers.


One way to protect your PC is to download this new FIREWALL software program.


Press here to run the Firewall system scan now:

http://desaket.com/tr.php?xxxxxx+somepoorsucker@yahoo.


If you feel that you are receiving this email in error or are not interested in receiving future "FIREWALLGOLD" offers please go to this page:

http://desaket.com/tr.php?xxxxx+somepoorsucker@yahoo.com



or contact us via regular mail at:

Firewall Gold Promotions
6965 El Camino Real
Site 105 - 698
La Costa, CA 92009



You will not get anymore of our emails if you go here

http://desaket.com/unsub.php?client=PureModern&msgid=18021000013 and enter your email address (somepoorsucker@yahoo.com)



or write to:

6420 Congress Avenue

Suite 1800

Boca Raton, FL 33487

New Report Examines Malware's Origins, Motivations

Another great article from Tim Wilson over at DarkReading ...

Nearly every day, industry analysts and security researchers warn IT professionals about the skyrocketing proliferation of malware. A simple Web search turns up many reports that dissect the technical nature of malicious software, how it works, and how it affects its victims.

But who develops malware, and who distributes it? Who buys it, and what do they hope to achieve? Ask these questions in a Web search, and you'll find far fewer results.

In a report issued last week, ScanSafe security researcher Mary Landesman offers some thoughts on the genesis and spread of malware -- this time from a business perspective, rather than a technical point of view. While Landesman's report -- part of ScanSafe's "Annual Global Threat Report" -- is far from the first to offer insight on the business of malware, it does offer a snapshot of the current state of the malware business and a clear categorization of the players.

While many outside of the security industry still perceive "hackers" as teenagers or isolated geeks who work alone, Landesman's report encourages security professionals -- and the general public -- to see malware as a cooperative industry that supports specialists, economies, and supply chains. "Malware is every bit as layered as any other industry," she says. "There are mom-and-pop shops. There are big giants. There are suppliers and developers and a global market."

Many business executives -- and even some IT pros -- are too focused on the group of cybercriminals that can be categorized as "sole proprietors," Landesman says. "These are the ones we hear the most about -- the phishers, the carders, the people repackaging scareware to drive users to malicious sites," she observes. "These are the equivalent of the street seller in the drug trade -- they're looking to make a quick score, either for their own benefit or feeding up to a kingpin of some sort."

But as with street sellers of drugs, most "sole proprietors" don't make the product that they're dealing with, Landesman explains. "It's pretty unusual these days to see a [cybercriminal] who does everything -- someone who writes the software, distributes it, harvests the data, and then uses it to make money. More and more now, those jobs are being done by different people, operating in a true market."

Today's malware is usually created by the "developer" category of individuals -- those who are creative and skilled in writing code, Landesman says. "For many of them, in their minds, they're not doing anything wrong," she says. "They're finding ways around security, developing new tools, and they feel they aren't responsible for what is done with the tools they develop. It's sort of like making guns -- the notion that malware doesn't do crime, it's the people who use it that do the crime."

Developers sometimes make extra cash by selling their exploits, but they seldom get rich doing so, Landesman says. Often, the tools are purchased, refined, and repackaged by a group of individuals who Landesman calls "middlemen" -- those who attempt to bridge the gap between the attacker and the victim.

"Again, the middleman is not usually somebody who developed the malware, but they are sort of the 'public face' of it," Landesman explains. "They're like a manufacturer's representative: They advertise the exploit kits, they sell them, many of them offer tech support, even on a 24/7 basis. They even publish bug reports and offer patches and updates."

The success of the "middleman" sales and distribution model is a key reason why malware is proliferating so quickly across the globe, Landesman postulates. As more and more middlemen get into the business -- selling exploit packages as cheaply as $100 -- they help to speed the availability of the latest malware across the globe, bringing new exploits to bear at a pace that often cannot be matched by traditional security tools, which require constant updates. "The success of the [middleman] business model is being proven by the growth of malware," she says.

Working in a fast-growing, highly competitive market, however, most middlemen are not getting rich, either, Landesman says. "They may make a decent living for the country they live in, but it's not a lot," she states.

There are other players in the malware chain, such as "mules," who help distribute malware or launder stolen money, and botnet operators, who provide the infrastructure for mass malware distribution. But the most mysterious category is the malware buyer -- those who pay to put it out there.

"The sole proprietor, middleman, and developer all have something to gain by publicly advertising their offerings," Landesman writes in the report. "Conversely, there will be no such public displays from the buyer, particularly those criminals engaged in hardcore cyber-espionage, such as the attacks leveraged against Google, Adobe, oil companies, and multiple other firms over the past year." darkreading.com

Sunday, February 21, 2010

New phishing scams attack with precision

When TippingPoint's president and chief technology officer, Marc Willebeek-Lemair, received an e-mail from the Federal Trade Commission informing him that a client was filing a complaint against his network security company for overcharges, he was directed to download the complaint - a Microsoft Word file - from an FTC Web page and return the attached form with any questions about the process.

The message, sent in 2008, was an elaborate scam targeting top-level executives.

TippingPoint researchers discovered the sender's address had been "spoofed" (faked) and the link didn't lead to the FTC's Web site. In fact, the document - which looked like an FTC complaint - was infected with a data-stealing Trojan horse. Because the message referred to Willebeek-Lemair by name and no one else in TippingPoint received the message, the company concluded that criminals studied its chain of command and selected their target.

"It specifically said something that a C-level executive would get immediately alarmed about," said Rohit Dhamankar, director of security research at TippingPoint's DVLabs.

The message is an example of an increasingly common hacker technique known as spear-phishing, a much more effective and carefully crafted variation of the phishing lures that seek to trick victims into surrendering their private data.

Researchers believe that as spam-filtering technology has improved and people have become savvier at recognizing phishing ploys (such as the classic Nigerian e-mail scam), criminals are now dedicating more time and resources to going after specific groups of individuals. They often trick users into downloading malicious software from infected Web pages or e-mail attachments like Adobe Reader PDFs and Microsoft Office documents.

Carefully planned

In these attacks, the hackers identify specific individuals or groups of people with something in common. To make their attacks more effective, criminals take pains to impersonate credible sources, adorning messages with professional graphics and composing well-written stories to hook their targets.

To personalize the messages and make them more convincing, security researchers believe criminals run simple search queries to find biographical information, including a person's position within an organization and their responsibilities. Hackers can also learn names of friends.

"This is very easy to do. Google, Facebook, LinkedIn and other sites can provide valuable information about anybody," Dhamankar said. sfgate

Reports: Internet Attacks Traced to Chinese Schools

Computer security experts investigating Internet attacks on Google and other U.S. companies say computers at Chinese educational institutions may have been involved, according to U.S. media reports.

The attacks may have started as early as April, unnamed sources involved in the investigation told The New York Times, according to a report on its Web site late Thursday. When Google revealed in January that its systems had been attacked, it put the start of the events no earlier than December.

Shanghai Jiaotong University and Lanxiang Vocational School are the two institutions said to be involved in the attacks, the New York Times said, citing several unnamed persons with knowledge of the

Investigators had previously tracked the attacks back to servers in Taiwan.

However, hackers often disguise their identity by sending commands through a number of computers on their way to a target. Even if further investigation backs up the findings cited in the latest news reports, that may not point to Chinese involvement in the attacks, as the real trail could go back further still. Investigators are still pursuing a number of theories, according to a report on the Web site of The Wall Street Journal on Friday. pcworld

Saturday, February 20, 2010

And Even More Phishing...

Do Not Reply To An Email That Looks Like This!!!
A legitimate email will never, ever, ever ask for this kind of info for any reason at all...EVER! (I'm not kidding)

From: YAHOO ACCOUNT SERVICE maescott053025@sbcglobal.net

Date: February 20, 2010 8:46:07 AM PST
To: undisclosed recipients: ;
Subject: Dear Yahoo account users please respond urgent this account is about to close
Reply-To: yahaccountservice92@rocketmail.com

Yahoo account users,


All yahoo free account owners,We are having congestions due to the anonymous registration of yahoo accounts so we are shutting down some yahoo accounts and your account was among those to be deleted.We are sending you this email so that you can verify and let us know if you still want to use this account.If you are still interested please confirm your account by filling the space below.

User name;...................................

password;.....................................

date of bith;..................................

country;.........................................

all this information would be needed to verify your account.

Due to the congestion in all Yahoo users and removal of all unused Yahoo Accounts, Yahoo would be shutting down all unused Accounts, You will have to confirm your E-mail by filling out your Login Information below after clicking the reply button, or your account will be suspended within 48 hours for security reasons.


* Username: .......................... ....

* Password: ....................................

* Date of Birth: .............................

* Country Or Territory:...............


After following the instructions in the sheet, your account will not be interrupted and will continue as normal. Thanks for your attention to this request. We apologize for any inconveniences. Warning!!! Account owner that refuses to update his/her account after two days of receiving this warning stands the risk of lossing his or her account permanently.


The Yahoo Management
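
The tells in the message above (a Yahoo-branded display name on a non-Yahoo address, a Reply-To at a different domain, undisclosed recipients, a request for password and birth date, a 48-hour deadline) can be checked mechanically. The following is an added example, not part of the original post; the `BRAND_DOMAINS` allow-list, the finding names and the benign message are assumptions made for illustration.

```python
"""Header and body heuristics for credential-request phishing mail (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: illustrative brand -> sending-domain allow-list, not an authoritative one.
BRAND_DOMAINS = {"yahoo": ("yahoo.com",), "amazon": ("amazon.com",)}

CREDENTIAL_RE = re.compile(r"\b(pass\s?word|user\s?name|date of bi\w*)\b", re.I)
URGENCY_RE = re.compile(r"\b(urgent|suspended|within \d+ hours|about to close)\b", re.I)

# Constructed input: headers and abridged body of the "Yahoo account" sample quoted above.
# Angle brackets around the From address are added so the header parses as RFC 5322.
PHISH = """\
From: YAHOO ACCOUNT SERVICE <maescott053025@sbcglobal.net>
To: undisclosed recipients: ;
Subject: Dear Yahoo account users please respond urgent this account is about to close
Reply-To: yahaccountservice92@rocketmail.com

All yahoo free account owners, ... please confirm your account by filling the space below.
User name;........
password;........
date of bith;........
or your account will be suspended within 48 hours for security reasons.
"""

# Constructed benign message for contrast.
BENIGN = """\
From: Alice Example <alice@example.org>
To: bob@example.org
Subject: Lunch on Thursday?

Are you free at noon?
"""


def domain_of(header_value):
    """Return the lower-cased domain of the address in a header value, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def in_domain(domain, allowed):
    """True if domain equals, or is a subdomain of, one of the allowed domains."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def analyze(raw):
    """Return a list of finding names for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    # Only single-part text bodies are inspected here; multipart bodies are skipped.
    body = "" if msg.is_multipart() else msg.get_payload()
    text = msg.get("Subject", "") + "\n" + body

    findings = []
    # Display name claims a brand, but the address is outside that brand's domains.
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in display.lower() and not in_domain(from_dom, allowed):
            findings.append("brand-display-name-mismatch")
    # Replies are steered to a different domain than the one the mail came from.
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-domain-mismatch")
    # Bulk send with the recipient list hidden.
    if "undisclosed" in msg.get("To", "").lower():
        findings.append("undisclosed-recipients")
    # A password plus at least one other identity field is requested in the text.
    fields = {re.sub(r"\s", "", f.lower()) for f in CREDENTIAL_RE.findall(text)}
    if len(fields) >= 2 and any(f.startswith("pass") for f in fields):
        findings.append("asks-for-credentials")
    # Deadline or threat language.
    if URGENCY_RE.search(text):
        findings.append("urgency-pressure")
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(name, analyze(raw))
```

These checks look only at what the message claims about itself. A message whose From address already uses the impersonated brand's domain would pass the display-name check and needs the receiving server's sender-authentication results instead.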

Yet Another Phishing Trip...

If you get one of these and you know for a fact you did not order anything of the sort from Amazon or anyone else DO NOT open the attachment that comes with it!


Subject: Your order has been paid! Parcel NR.9510.

Friday, February 19, 2010 7:20 PM
From: "Your Manager Bernardo Pitts" shop.order@amazon.com
To: somepoorsucker@xyz.com


Hi!

Thank you for shopping at Amazon.com
We have successfully received your payment.

Your order has been shipped to your billing address.

You have ordered " Nokia E51 "

You can find your tracking number in attached to the e-mail document.

Print the postal label to get your package.

We hope you enjoy your order!

Amazon.com

Friday, February 19, 2010

Experts highlight growing cyber-jihad threat

An Al-Qaeda cyber-offensive is a real and growing threat, even though Osama bin Laden's shadowy group has yet to show a true capability, experts said.

"A co-ordinated cyber-attack made in Al-Qaeda? This has not happened yet, but it is not just fantasy," Dominique Thomas, a specialist in Islamic networks at Paris's School for Advanced Studies in the Social Sciences, told AFP.

"We can envisage it: they have the brains, and the advantage is they don't have to be many to be effective", Thomas added.

Al-Qaeda has so far stuck to classic, if spectacular, attack methods -- the hijackings in the September 11, 2001 attacks and machine gun and bombs.

But on Tuesday top US officials participated in the "Cyber ShockWave" exercise testing responses to a coordinated attack on the Internet, transport, telephone and electricity networks.

And this month US Director of National Intelligence Dennis Blair told the US Senate "terrorist groups and their sympathisers have expressed interest in using cyber means to target the United States and its citizens".

The US defence establishment is also discussing when a cyber-attack on facilities such as the American electricity grid could be considered an act of war.

Online offensives against official websites have already been recorded, including in Saudi Arabia, and the necessary expertise is available on some forums.

"On jihadist websites there are all sorts of manuals explaining how to make an e-bomb, how to create a virus, how to use encryption techniques", Thomas said. "They are very up to date. The Saudis especially are very strong."

Among militants indicted for terrorist acts, there are more students from pure sciences such as mathematics or information technology than there are from the social sciences, according to numerous studies.

Nigerian Umar Farouk Abdulmutallab, who is accused of trying to blow up a US-bound jet on December 25, studied mechanical engineering at a top London university.

James Lewis from the Center for Strategic and International Studies, who co-authored the "Security in cyberspace in the 44th presidency", said a cyber-attack was only a matter of time.

"Al-Qaeda doesn't yet have the kind of capabilities to pull off the kind of big disruptive attack that they really want," he said.

"But over the next few years, they will develop these capabilities."

"We have to expect something big to happen within a decade", he said.
afp

Thursday, February 18, 2010

More than 75,000 computer systems hacked in one of largest cyber attacks

More than 75,000 computer systems at nearly 2,500 companies in the United States and around the world have been hacked in what appears to be one of the largest and most sophisticated attacks by cyber criminals discovered to date, according to a northern Virginia security firm.

The attack, which began in late 2008 and was discovered last month, targeted proprietary corporate data, e-mails, credit-card transaction data and login credentials at companies in the health and technology industries in 196 countries, according to Herndon-based NetWitness.

News of the attack follows reports last month that the computer networks at Google and more than 30 other large financial, energy, defense, technology and media firms had been compromised. Google said the attack on its system originated in China.

This latest attack does not appear to be linked to the Google intrusion, said Amit Yoran, NetWitness's chief executive. But it is significant, he said, in its scale and in its apparent demonstration that the criminal groups' sophistication in cyberattacks is approaching that of nation states such as China and Russia.

The attack also highlights the inability of the private sector -- including industries that would be expected to employ the most sophisticated cyber defenses -- to protect itself.

"The traditional security approaches of intrusion-detection systems and anti-virus software are by definition inadequate for these types of sophisticated threats," Yoran said. "The things that we -- industry -- have been doing for the past 20 years are ineffective with attacks like this. That's the story."

The intrusion, first reported on the Wall Street Journal's Web site, was detected Jan. 26 by NetWitness engineer Alex Cox. He discovered the intrusion, dubbed the Kneber bot, being run by a ring based in Eastern Europe operating through at least 20 command and control servers worldwide.

The hackers lured unsuspecting employees at targeted firms to download infected software from sites controlled by the hackers, or baited them into opening e-mails containing the infected attachments, Yoran said. The malicious software, or "bots," enabled the attackers to commandeer users' computers, scrape them for log-in credentials and passwords -- including to online banking and social networking sites -- and then exploit that data to hack into the systems of other users, Yoran said. The number of penetrated systems grew exponentially, he said.

"Because they're using multiple bots and very sophisticated command and control methods, once they're in the system, even if you whack the command and control servers, it's difficult to rid them of the ability to control the users' computers," Yoran said.

The malware had the ability to target any information the attackers wanted, including file-sharing sites for sensitive corporate documents, according to NetWitness.

Login credentials have monetary value in the criminal underground, experts said. A damage assessment for the firms is underway, Yoran said. NetWitness has been working with firms to help them mitigate the damage. washingtonpost



Wednesday, February 17, 2010

PCI compliance: What it is and why it matters (Q&A)

"And if you're a merchant you really have to be careful because consumers are getting smarter and smarter and if they find out you are not protecting their data, credit card data or personal data, they're going to walk away. And that's going to be the downfall of your business." ~ Bob Russo, general manager of the PCI Security Standards Council.

Found this Gem of an article on CNET, if you are a merchant I urge you to read it in its entirety...C.S.G.

If you own a bank account or use credit cards, chances are you've heard the term "PCI compliant." But you probably don't know what it means.

The term is heard more and more frequently these days as data breaches at merchants like TJX, parent of TJMaxx, and payment processors Heartland Payment Systems and RBS WorldPay land millions of card records in the hands of hackers. Criminals are using the data to make purchases and withdraw money from accounts of unsuspecting victims who did nothing wrong; they just owned a card.

It's a huge and growing problem. More than 80 percent of data stolen in breaches is payment card data, according to the 2009 Verizon Business Data Breach Report.

CNET asked Bob Russo, general manager of the PCI Security Standards Council, to explain what is being done to keep criminals from accessing consumer payment card data.

Q: So, what does the PCI Security Standards Council do?

Russo: The council was formed in September 2006 by the five major credit card brands, Visa, MasterCard, American Express, Discover, and JCB [Japanese Credit Bureau]. It was formed because each one of the brands has their own compliance programs and they still do, but they all use this standard as the foundation for their programs. There was a time when you could pick up the phone and call one brand and ask a security question and get one answer and call another brand and ask the same question and get a different answer. They all now use these standards that we manage as the foundation for those compliance questions.

Q: What is the standard exactly?

Russo: It's the PCI, which stands for Payment Card Industry, data security standard. It's a set of 12 specific requirements that cover six different goals. It's very prescriptive. It says not only that you need to be secure but it tells you how to become secure. It's more about security than compliance. The goals are things like build and maintain a secure network, protect card holder data and regularly monitor and test the networks. That's the main standard. We manage three different standards. The first one covers everything from the physical security to logical security.

The second standard is PADSS, Payment Application Data Security Standard. These are for payment applications a merchant would buy off the shelf. For example, if you went to a restaurant and you ordered your meal and the waiter used a touch-screen terminal, that puts the order in the kitchen and it's tied to an ordering database. The application also takes the credit card at the end of the meal. We make sure these applications aren't storing prohibitive data, such as data on the magnetic strip on the card. If they stored that data and someone got a hold of it then they would be able to clone credit cards. There are literally thousands of applications out there and when it's compliant with the standard it gets listed on our Web site.

The last piece we manage is called PTS, PIN Transaction System. Anytime you enter a PIN number, for example, this standard would take effect. It looks at those PIN entry devices so when you go to a large department store and you buy something and you use a debit card they'll hand you a PIN pad and you key in your number. We certify those devices as well as unattended payment terminals, such as those used at gas station [islands], ticket kiosks, and transit systems, like the Boston underground. Complete article at cnet

More ID Theft Cases Tied To Beauty Queen

Shaw Accused Of Scamming People Out Of Thousands Of Dollars

A former beauty queen, who prosecutors said led a double life through identity theft, Tuesday was indicted on more charges of ID theft.

Susan Shaw is accused of a dozen new counts of theft on top of 122 counts of identity theft, forgery and money laundering she was arrested and charged with in May.

"In general, the police found that the defendant had the credit reports of all of these individuals and at least for some of them had already ordered credit cards received credit cards used credit cards to obtain merchandise," Deputy Prosecutor Chris Van Marter said.

The Kailua woman is accused of scamming about $160,000 from at least 11 people in an identity theft scheme that lasted 16 months.

During that time, she fooled friends and loved ones by living two lives with boyfriends in Los Angeles and a husband and two children in Honolulu, prosecutors said. kitv

Cybersecurity battle needs ‘sense of urgency,' expert says

The federal government is losing "the sense of urgency" in the cybersecurity battle, says the author of the Obama administration's 2009 cybersecurity report.

Melissa Hathaway, former acting cybersecurity chief, said private and public organizations must work together and take "bold steps forward" to protect vital computer systems and restore that sense of urgency. The discussions over how best to secure the government's networks can't take place just in Washington but should be a national dialogue, she said.

"We need to have a lot more people outside the Beltway talking about what's happening and what they're going to do about it. We need to tell simple stories [about cybersecurity] so everyone can talk about them at the water cooler and dinner table, and relate to them," she said.

Hathaway, now a cybersecurity consultant, received the Internet Security Alliance's Dave McCurdy Internet Security Award on Tuesday, honoring her work in conducting the administration's cyberspace policy review. The review, released last spring, called cyberspace a "strategic national asset" and said more investments in education and technology are needed to protect critical systems.

The review also called for the creation of a White House cybersecurity coordinator, or "czar." Obama named Howard Schmidt, the Bush administration's cybersecurity chief, as the cybersecurity czar in December.

Schmidt is well-qualified for the job, Hathaway said at the award presentation in Washington. She called the cybersecurity czar the "quarterback" harnessing the government's abilities to respond to cyber attacks. Schmidt will need to make himself known around the White House in order to build his influence and secure needed funding, she said.

"The strongest ally that person needs is within the Office of Management and Budget. That's an important partnership to have because that is where all things begin and end with the budget," she said.

Hathaway said interagency communication is crucial to sharing best cybersecurity practices and recognizing possible cyber attack patterns, but some officials may be hesitant to share information for fear of bad publicity.

"How can we be sure sharing vulnerable data from one agency to another will be kept confidential and not appear in news outlets the next day?" she asked. federaltimes

Smartphones under growing threat from hackers

BARCELONA, Spain — Smartphones are under a growing menace from cyber-criminals seeking to hack into web-connected handsets, but the mobile industry has contained the threat so far, security experts said.

Software security firms warned at the Mobile World Congress in Barcelona, Spain, that the increasingly popular smartphones could face an explosion of virus attacks in the coming years.

"Tomorrow we could see a worm on phones which would go around the world in five minutes," said Mikko Hyppoenen, chief research officer at F-Secure, which makes anti-virus software for mobile phones.

"It could have happened already. It hasn't, but it could happen. And I do think that sooner or later it will happen, but when? Well that I cannot tell you," he told AFP.

But security companies, mobile operators and makers of operating systems have found solutions to limit the attacks so far and delay an onslaught of spam and viruses, he said.

"It won't work forever, eventually we will see the first global outbreak. But we have been able to delay it by more than five years, at least," he said.

The first mobile virus appeared six years ago, and so far F-Secure has detected only 430 mobile worms. This compares to millions of computer viruses.

Much like the first computer hackers of two decades ago, the people attacking mobile phones have been doing it as a hobby, Hyppoenen said.

"It seems that on any new platform, the first years, the first viruses are done by hobbyists just to show off and then later more professional money-making criminals move in," he said.

One of the first viruses was called Skulls. Spreading through wireless bluetooth systems, a skull would appear on a phone's screen and delete all its data, Hyppoenen said.

The few money-making "trojan" viruses that have been seen infiltrate a person's phone and send text messages to premium numbers controlled by the hacker, he said.


Security companies have developed anti-spam and anti-virus software for mobile phones as well as anti-theft features that allow a phone's owner to remotely block the device and even map its location.

But smartphones, with their email and Internet capabilities, will invite more break-ins, especially with the growth of mobile banking -- financial transactions that can be done through applications, experts said. afp

Apple's App Store Blocks Known iPhone Hackers

Apple, Inc. has banned known hackers from its App Store, including jailbreaker Sherif Hashim. Hashim was even blocked from opening a new account. Apple has usually foiled jailbreakers by updating the iPhone OS, but the App Store ban appears to be a new method. Some app developers are applauding Apple's blocking of hackers.

Apple has been accused of approving poor-quality applications, taking too long to approve an app, and rejecting apps similar to its own offerings, but never has Apple been accused of blocking hackers from its App Store -- until now. A small number of self-proclaimed iPhone hackers have reported being denied access into the App Store, including Sherif Hashim.

Hashim may have been targeted because of his jailbreaking of Apple's iPhone, a process that allows iPhone and iPod touch users to run any code on their devices versus only code authorized by Apple. Once a device is jailbroken, users are able to download applications that were previously unavailable through the App Store.

Banned for Security Reasons

Hashim reported receiving a message after attempting to log in to his App Store account. "'Your Apple ID was banned for security reasons,' that's what I get when I try to go to the App Store; they must be really angry and, guess what, my apple ID was sherif_hashim@yahoo.com, what a fool was me not to notice, can't help laughing, they are babies."

After attempting to log in again, Hashim received the same message and tweeted "I wonder if this was an Apple act or someone messing with my account."

After failing to successfully log into the App Store, Hashim used his wife's credit-card information to create a new account and received the same message yet again.

"This Visa rejection is very weird and doesn't seem like an Apple act, but the timing is also weird," he added.

Hashim isn't alone. The iPhone hacker and developer behind the jailbreaking tool SnowBreeze, ih8sn0w, also tweeted about his App Store trouble on Twitter.
sci-tech-today

Monday, February 15, 2010

A New Kind of Security Threat

A new kind of warfare, cyber warfare, is a true threat to security, not just for governments, but also businesses and individuals.

Just about everyone has received one of those bogus E-Mails that appear to come from a friend in trouble in, say, London—please send me $2,000! The clumsy handiwork of petty cyber-swindlers is easy to spot, but more creative cyber-crimes against individuals, businesses and governments are perpetrated every day. And cyber-war is already a threat against which national security experts must plan.

In August 2008, Russia’s invading Soviet vintage tanks were backed by a 21st Century cyber attack on Georgia. Maintaining our security and stability suddenly became more complex than fending off the tanks and fighter jets of our gigantic neighbor. Cyber attacks can be the equivalent of special operations or air strikes against critical infrastructure.

In contrast to the time and money required to train and equip spetsnaz or air forces, high technology and online skills are now available for rent to malevolent governments, organized crime and terrorist organizations. Such skills can be used to destabilize a country’s economy and degrade its critical infrastructure. Operating along the seam between crime and war, cyber-criminals have sparked a debate among experts about whether cyber attacks should be treated as criminal acts or acts of war.

However, these are not the clowns who hijack your friend’s electronic address list to look for someone dumb enough to send them $2,000 or even more intelligent hackers seeking to vandalize your PC or steal money from your bank account. They are sophisticated criminals operating networks that can threaten global security and stability. Moreover, some states not only tolerate them but hire them.

A stark reality emerged from Russia’s August 2008 war on Georgia. After a year of study, the U.S. Cyber Consequences Unit (USCCU), an independent research institute, concluded that cyber attacks were an integral part of Russia’s armed attack on Georgia.

Most of the attacks were of a type called Distributed Denial of Service attacks—DDOS. Cyber criminals take over bits of perhaps thousands of privately owned computers and lash them together into so-called botnets that then blast information at a target, rendering it unable to perform its intended service.

Twitter 'is a weapon in cyber warfare'

Head of the RAF says armed forces must embrace internet technology

Britain needs to learn from the actions of the Israeli military in Gaza in using YouTube and tweets to engage in 21st-century cyber-warfare, the head of the Royal Air Force said yesterday.

Air Chief Marshal Sir Stephen Dalton highlighted how the Israeli Air Force used the internet in the battle over international public opinion during last year's conflict as an example of harnessing new technology.

"Accurate and timely information has always been critical to the military but its importance is increasing as societies become more networked," he stated. "This is intimately linked to developments in space and cyber-space; as we saw in the conflict in Gaza in early 2009, operations on the ground were paralleled by operations in cyber-space and an 'info ops' campaign that was fought across the internet: the Israeli Air Force downloaded sensor imagery onto YouTube, tweets warned of rocket attacks and the 'help-us-win.com' blog was used to mobilise public support."

The Israeli attack on Gaza, with its large number of civilian casualties, led to widespread international criticism. However, the use of the internet by the Israeli forces attempting to show Hamas fighters employing local people as cover and the supposedly "surgical" nature of some of the bombing is thought to have countered some of the adverse publicity.

The emotive impact of civilian casualties has been graphically shown during the current offensive in Afghanistan to capture the Marjah region from Taliban forces. Twelve civilians, 10 of them from one family, were killed when two Nato missiles overshot their targets and hit a family home.

General Stanley McChrystal, the US commander of Nato forces in Afghanistan, immediately issued a public apology and the use of the missile system involved in the deaths has been suspended. The Afghan president, Hamid Karzai, who had warned Western forces about civilian casualties before the mission was launched, has demanded an inquiry.

As well as the propaganda campaign, cyber-warfare can be used to target vital strategic communications and defence systems. Both Russia and China have been accused of using the new technology as offensive weapons to hack into targeted computer systems.

In a keynote speech at the International Institute for Strategic Defences, Sir Stephen urged military planners to focus on the "operational environment that is increasingly becoming the 'vital ground' in 21st-century conflict". independent

Friday, February 12, 2010

Hackers Break Into Ceridian's Payroll System

Payroll processing firm Ceridian this week is advising more than 1,900 customer companies that a hacker managed to access the company's Internet payroll system in late December, potentially compromising the sensitive data of more than 27,000 workers.

Minneapolis-based Ceridian, which dealt with a similar breach of its Internet system in 2007, said this attack impacted less than one-tenth of one percent of the employees for whom it provides payroll services.

The data exposed included the employees' names, Social Security numbers, and in some cases, bank account information and birth dates.

Ceridian officials said they immediately notified the FBI and local law enforcement once the breach was discovered. The company is now notifying affected individuals.

"We took immediate preventive steps to ensure no further incident of this type would occur," Keith Peterson, spokesman for Ceridian, said in a statement. "While the total number of employees affected is small, in our minds one is too many, and we are handling this incident according to our established protocol."

Ceridian joins a long list of businesses who have reported a variety of hacking attacks and security lapses in the past year that have put millions of people's personal information at risk.

According to the nonprofit Open Security Foundation, there were more than 400 major data breach incidents last year at hospitals, universities, military bases, and private-sector companies. esecurityplanet

Rogue Antivirus Program Comes With Tech Support

In an effort to boost sales, sellers of a fake antivirus product known as Live PC Care are offering their victims live technical support.

According to researchers at Symantec, once users have installed the program, they see a screen, falsely informing them that their PC is infected with several types of malware. That's typical of this type of program. What's unusual, however, is the fact that the free trial version of Live PC Care includes a big yellow "online support" button.

Clicking on the button connects the victim with an agent, who will answer questions about the product via instant message.

Symantec says the agent is no automated script, but in fact a live person. This lends an "air of legitimacy" to the program, said Marc Fossi, a manager of development with Symantec Security Response. "Obviously if they've got live tech support, it must be real," he joked.

The tech support doesn't help much, though. According to Symantec, the support staff simply try to convince victims to shell out between US$30 and $100 for the product.

This isn't the first time a fake security product has been spotted offering tech support. Another company called Innovative Marketing operated a call center to support its security products, including a program called WinFixer. According to security experts, Innovative Marketing's tech support technicians acted in the same way as Live PC Care's, trying to reassure victims that they were buying a legitimate product.

These so-called rogue antivirus products can sometimes lower security settings on a victim's computer. At best, they offer a false sense of security because the products never protect computers from the latest security threats. pcworld

Microsoft Warns of Record Patch Tuesday

Microsoft issued its Microsoft Security Bulletin Advance Notification for February 2010 yesterday. The notice warns that Patch Tuesday next week will see 13 security bulletins, tying October 2009 for the most security bulletins released in a single month.

January was an exceptionally light month for Microsoft security bulletins, with only one released on schedule on Patch Tuesday. However, revelations about an Internet Explorer zero-day exploit being used to launch attacks against Google and other companies in China led Microsoft to also issue an out-of-band update addressing the vulnerability in the Web browser.

Tyler Reguly, senior security engineer for nCircle, expressed some "sticker shock". "As an information security professional, the first word that comes to mind when I see this advanced notice is 'yikes!'. nCircle VERT works all night to deliver local and remote detection to customers and this many bulletins means a long night requiring plenty of caffeine."

Reguly added "I'm most intrigued by bulletin number nine in the advanced notification. I'm curious to know what issue it is that plagues only Server 2008 and Server 2008 R2 in x64 configurations."

Jerry Bryant, senior security communications manager for Microsoft, described the upcoming Patch Tuesday in a blog post. "This month, we will be releasing 13 bulletins--five rated Critical, seven rated Important, and one rated Moderate--addressing 26 vulnerabilities. Eleven of the bulletins affect Windows and the remaining two affect Office."

Bryant's blog post also contains a table which lays out a grid describing Microsoft's guidance for urgency of deployment based on platform. Windows 2000 and Windows XP, the oldest operating systems tracked on the grid, are impacted the most by security issues rated as Critical.

Microsoft is scheduled to end all support for Windows 2000 and for Windows XP SP2 effective July 13, 2010. Bryant says "We encourage customers to upgrade to the latest versions of both Windows and Office. As this bulletin release shows, the latest versions are less impacted overall due to the improved security protections built in to these products."

Businesses still on Windows 2000 will be forced to upgrade to some other version of Windows, or an alternate operating system, or simply continue to rely on the archaic platform with the knowledge that Microsoft will no longer support or update it. pcworld

Microsoft Says Malware Causing Blue Screen Crashes

A hard-to-detect rootkit may be causing Windows XP systems to crash following Microsoft's latest security updates.

Windows users began flooding Windows support forums this week, saying that their computers had been rendered unusable with a blue-screen-of-death (BSOD) error after installing Microsoft's February security updates, released Tuesday. On Thursday, Microsoft stopped shipping the MS10-015 update, which had been linked to the issue, and said it was investigating.

On Friday, Microsoft offered a preliminary conclusion, saying that malicious software may be to blame. "Malware on the system can cause the behavior," wrote Microsoft spokesman Jerry Bryant on a company blog. "We are not yet ruling out other potential causes at this time and are still investigating."

"We have confirmed cases where removing malware allows the system to boot," Bryant said in a Twitter message.

Windows XP user Patrick Barnes said he'd traced the issue to a malicious rootkit program known as TDSS that he found on one of his systems.

In a post to the Internet Storm Center, Barnes said that he'd identified a nonworking file on his system called atapi.sys. When he submitted the file for analysis it turned out to be the TDSS rootkit.

It may not be the only cause of the problem, however.

"From the reports I have been receiving, the infected atapi.sys is the most common cause of this blue screen," Barnes wrote in his post. "However, any driver that references the updated kernel bits incorrectly can also cause this blue screen."

Barnes posted repair instructions to his blog Friday, but the site was unavailable Friday morning Pacific Time. Security vendor Kaspersky Lab has released a standalone utility that removes the TDSS infection, however. pcworld

"Unhackable" Infineon Chip Physically Cracked

Former U.S. military security specialist Christopher Tarnovsky found a weakness in Infineon's SLE66 CL PE and presented the results of his hack at the Black Hat 2010 computer security conference. The Infineon chip is used in PCs, satellite TV hardware, and gaming consoles to protect secure data.

Tarnovsky, who works for security firm Flylogic, said that cracking the Infineon chip, which has a Trusted Platform Module (TPM) designation, was a long process involving an electronic microscope (which retails for around $70,000). The attack on the chip took six months to plan and execute, and it involved dissolving the outer part of the chip with acid and using tiny needles to intercept the chip's programming instructions.

After gaining physical access to the chip, Tarnovsky still had to navigate the chip's software defenses. According to the Associated Press, Tarnovsky remarked that "This chip is mean, man--it's like a ticking time bomb if you don't do something right." pcworld

Consumers Fighting Back Against Identity Fraud, Study Says

Better detection, reporting results in more arrests and prosecution, Javelin reports Feb 11, 2010

Consumers are more aware of identity theft than ever, and they aren't taking it lying down, according to a new study.

According to Javelin Strategy & Research's "2010 Identity Fraud Survey Report," the number of identity fraud victims in the United States increased 12 percent to 11.1 million adults in 2009, while the total annual fraud amount increased by 12.5 percent to $54 billion.

Yet while fraud is up, consumers are fighting back, the study says. Nearly half of all victims now file police reports, resulting in double the reported arrests, triple the prosecutions, and double the percentage of convictions in 2009, according to the data.

"People are becoming frustrated with [the identity fraud] situation, and they want to do something about it," says James Van Dyke, Javelin's president and founder. "They're taking action. They're getting more educated."

The numbers are encouraging, but they aren't necessarily a sign that identity fraud is getting under control, according to Michael Stanfield, chairman and CEO of identity theft service provider Intersections, which co-sponsored the study.

"The numbers show that more fires are being put out quicker, but I'm not sure that's a good thing," Stanfield says. "What we really need is fewer fires."

The increase in arrests and prosecutions is a reflection of the increased incidence of identity theft, Stanfield observes. "The criminals are at an advantage," he says. "Malware is increasing by an order of magnitude. I don't see that police resources are increasing at a rate that justifies the massive leap in prosecutions that's indicated in this report. We're not winning this battle yet."

The study shows there is more work to be done, Van Dyke says. "Roughly half of all identity fraud victims don't know how their data was accessed in the first place," he states. "The majority of victims don't know the perpetrator. It's really an education problem."

Criminals are evolving in their online attacks, the study says. While previous attacks focused on grabbing existing credit cards, for example, one of the most popular attacks today is using keyloggers to grab data that enables the bad guys to fraudulently create new accounts.

The number of fraudulent new credit card accounts increased to 39 percent of all identity fraud victims, up from 33 percent in 2008, the study says. New online accounts opened fraudulently more than doubled compared to the previous year, and the number of new email payment accounts increased 12 percent. Twenty-nine percent of victims reported new mobile phone accounts were fraudulently opened.

Small-business owners experience identity fraud at a rate one-and-a-half times greater than average adults, Stanfield notes. "One of the big mistakes that small businesses make is to use their personal accounts for the business," he warns. "That can create problems for both the individual and the business." darkreading

Number of identity fraud victims jumps

The number of identity fraud victims in the U.S. rose 12% to 11.1 million last year, according to a report released Wednesday by Javelin Strategy & Research.

"Overall identity fraud continues to rise and has never been higher in terms of victims," James Van Dyke, president and founder of the Pleasanton, Calif.-based research firm, said in an interview.

Total losses from identity fraud in 2009 were $54 billion, up from $48 billion in 2008, according to Javelin's identity fraud report, which surveyed about 5,000 adults. The mean fraud amount per victim dipped slightly to $4,841, but out-of-pocket consumer losses were $373, down from $498 in 2008.

"The average consumer cost is actually dropping because businesses are shouldering more of that actual fraud amount in order to protect individuals," Van Dyke said.

Javelin defines identity fraud as unauthorized use of a person's personal information for financial gain, such as fraudulent bank account or credit card transactions and opening of fraudulent mobile phone or credit card accounts. This year's identity fraud report is the seventh such study.

Rapidly evolving technology, the fact that people are spending more time online and the increase in information available on the Web are all contributing to the increase in identity fraud, Van Dyke said.

"Identity fraud is a multi-channel crime, but there's no question in our minds that the most rapidly evolving crimes are occurring online," he said.

Survey respondents reported more credit card fraud (75%, up from 63% in 2008) than debit card fraud (33%, down from 35%). The survey also showed an increase in stolen checking account numbers and health insurance documents.

Another survey finding: Criminals are adding registered users on an existing account to take it over more than changing the address on the account to hijack it. That's a switch from last year. Also, small business owners suffer ID fraud at a rate one-and-a-half times higher than other adults, according to the study.

The Red Flags Rule is starting to show some positive impact for consumers, "but the bottom line is that there's just more criminal activity," Van Dyke said. The Red Flags Rule requires financial institutions and certain other organizations to implement a program to protect consumers from identity theft.

"When consumers go into a marketplace, they look for location, convenience and value. Unfortunately, criminals are the same way: They look for easy access, convenience and value," said Michael Stanfield, chairman and CEO of Intersections Inc., a Chantilly, Va.-based identity risk management services firm and a sponsor of the survey.
techtarget

Tuesday, February 9, 2010

Consumers also responsible for credit card security

Credit card users need not do anything wrong to fall victim to security breaches like those at Heartland Payment Systems and TJMaxx parent company TJX; they simply need to have a card.

Their credit card information is protected by the Payment Card Industry (PCI) Security Standards Council, which was formed in 2006. The council sets 12 specific goals to build and maintain secure networks, but those may not always be enough, according to general manager Bob Russo.

"Consumers need to take a little bit of responsibility now. You can watch your credit card activity online," Russo said in an interview with CNET News. "You really should be monitoring your credit card statements. If you have to, do it when the statement comes in the mail."

Payment card data was stolen in 84 percent of the 285 million security breaches recorded last year, according to the 2009 Verizon Business Data Breach Report. Medical information was targeted least often, accounting for 3 percent of breaches.

Compliance with PCI standards is mandatory for all companies storing or processing payment card identification. Heartland executives originally said they were compliant, but later disclosed that assessors incorrectly informed the company. Breaches like this may drive myriad consumers away from merchants involved, Russo said.

"If you're a merchant you really have to be careful because consumers are getting smarter and smarter and if they find out you are not protecting their data, credit card data or personal data, they're going to walk away," he said. "And that's going to be the downfall of your business." creditnews

The Technical Side of PCI DSS

What merchants don't know about the technical side of protecting customer data can be costly.

The Payment Card Industry Data Security Standard (PCI DSS) describes 12 system and procedural requirements for securing customer credit card data that is transmitted, processed, or stored by an online merchant.

In order to accept credit cards as a form of online payment, merchants are expected to comply with the PCI DSS standard. In an effort to meet this requirement, online stores dutifully encrypt data transmissions with a secure socket layer (SSL) or even extended validation SSL, which is great, and implement a policy of not storing credit card data, which is also important. What is often overlooked, however, is that an online store is responsible for every credit card number that passes through (touches, if you will) its web servers.

So, some stores are failing to comply simply by not recognizing that some credit card data may be in log files or could have been hacked during the transaction, even if the merchant did not realize that his or her website was handling that number.

While you don't need to be a web developer to understand PCI DSS, it can help to be familiar with the technical side of PCI DSS to ensure that your business is doing all that it can and should do to protect customer credit card data. practicalecommerce
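The log-file exposure described above can be checked for directly. The following is an added example, not part of the original article: a Python scan that finds card numbers (PANs) in web server log lines, confirms them with the Luhn checksum to cut false positives, and emits a redacted copy of each line. The log format, field names and sample lines are constructed for illustration; the card numbers are standard test numbers.

```python
import re

# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits):
    """Keep only the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_line(line):
    """Return (masked PANs found, line with those PANs redacted)."""
    found = []
    def redact(match):
        digits = re.sub(r"[ -]", "", match.group())
        if not luhn_ok(digits):
            return match.group()      # order ids, phone numbers, etc.
        found.append(mask(digits))
        return mask(digits)
    return found, PAN_CANDIDATE.sub(redact, line)

def scan_log(lines):
    """Return (line number, masked PANs, redacted line) for each hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        found, redacted = scan_line(line)
        if found:
            hits.append((number, found, redacted))
    return hits

# Constructed sample log lines (hypothetical format and field names).
SAMPLE_LOG = [
    "2010-02-09 10:15:02 POST /checkout card=4111111111111111 status=200",
    "2010-02-09 10:15:07 debug: pan '5500 0000 0000 0004' declined",
    "2010-02-09 10:15:09 GET /order?id=1234567890123456 status=200",
]

if __name__ == "__main__":
    for number, found, redacted in scan_log(SAMPLE_LOG):
        print(f"line {number}: {found} -> {redacted}")
```

The findings themselves are masked so that the scan report does not become another copy of the card data.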

Medical Groups Ask for Exemption From FTC's 'Red Flags' Regulations

The American Medical Association, American Dental Association and American Veterinary Medical Association in a joint letter to members of the Federal Trade Commission requested that health professionals be excluded from the "Red Flags" rules, which require many businesses to take specific steps to minimize identity theft, Health Data Management reports (Health Data Management, 1/29).

The Fair and Accurate Credit Transactions Act of 2003 mandated the Red Flags rule, which requires creditors and financial institutions to enact procedures to identify, detect and respond to indicators of identity theft. FTC classifies hospitals and physicians as creditors because they accept deferred payment for services (iHealthBeat, 7/30/09).

In the letter to FTC Chair Jon Leibowitz, the medical groups state that the Red Flags rule "imposes an unjustified, unfunded mandate on health professionals for detecting and responding to identity theft." ihealthbeat

Security chip that does encryption in PCs hacked

Deep inside millions of computers is a digital Fort Knox, a special chip with the locks to highly guarded secrets, including classified government reports and confidential business plans. Now a former U.S. Army computer-security specialist has devised a way to break those locks.

The attack can force heavily secured computers to spill documents that likely were presumed to be safe. This discovery shows one way that spies and other richly financed attackers can acquire military and trade secrets, and comes as worries about state-sponsored computer espionage intensify, underscored by recent hacking attacks on Google Inc.

The new attack discovered by Christopher Tarnovsky is difficult to pull off, partly because it requires physical access to a computer. But laptops and smart phones get lost and stolen all the time. And the data that the most dangerous computer criminals would seek likely would be worth the expense of an elaborate espionage operation.

Jeff Moss, founder of the Black Hat security conference and a member of the U.S. Department of Homeland Security's advisory council, called Tarnovsky's finding "amazing."

"It's sort of doing the impossible," Moss said. "This is a lock on Pandora's box. And now that he's pried open the lock, it's like, ooh, where does it lead you?" newsmeat

Monday, February 8, 2010

Cyberwar With China: Former Intelligence Chief Says It Is Aiming at America's "Soft Underbelly"

Google and the National Security Agency are engaging in a cooperative investigation to determine who exactly from China was trolling through Google's proprietary networks, including e-mail exchanges of Chinese dissidents. They are also joining together to develop new defenses against malicious intrusion and attacks on America's cyber-infrastructure.

Though America's cyber-vulnerability has long been a concern of the intelligence agencies, the Google episode has catapulted it to a national security priority.

No one knows more about China's cyberwar capacities than Mike McConnell, who was director of National Intelligence, the supreme authority over all U.S. intelligence agencies, from Feb. 2007 to Jan. 2009, and director of the National Security Agency from 1992 to 1996.

After attacks last Spring on the Pentagon and the New York Stock Exchange, I sat down with him to discuss the chief suspect, then also China, and to get the lay of the cyberwar battlefield.

Some defense analysts say that 90 percent of the probes and scans of American defense systems as well as commercial computer networks come from China. So I asked McConnell what he thought about that estimate.

"I don't know if it is 90 percent," McConnell hedged, "but they are determined to be the best. Probably the best in the world in the cyber realm are the United States, then the Russians, the British, the Israelis and the French. The next tier is the Chinese.

"The Chinese," he continued, "are exploiting our systems for information advantage -- looking for the characteristics of a weapons system by a defense contractor or academic research on plasma physics, for example -- not in order to destroy data and do damage. But, for now, I believe they are deterred from destroying data both by the need to export to the U.S. and by the need to maintain a stable currency and stable global markets.

"But what happens if we have a war? A capability for information exploitation could quickly be used for information attack to destroy systems on which the U.S. depends."

Surely, though, I suggested, China is not the only one trolling around for information and probing security vulnerabilities in cyberspace?

"Every nation with advanced technology is exploring options to establish policy and rules for how to use this new capability to wage war. Everyone. All the time," McConnell acknowledged.

China is on the screen now because of Google. But, I asked, what about the terror threat?

"Terrorist groups today are ranked near the bottom of cyberwar capability. Criminal organizations are more sophisticated. There is a hierarchy. You go from nation-states, who can destroy things, to criminals, who can steal things, to aggravating but sophisticated hackers.

"At some point, however, the terrorists will get a couple of graduates from one of the best universities with skills in cyber capabilities.

"Sooner or later, terror groups will achieve cyber-sophistication. It's like nuclear proliferation, only far easier. Once you have the knowledge, you don't have to spend years enriching uranium and testing long-range missiles. It wouldn't take long to obtain a sophisticated attack capability. Unlike nation-states that have an interest in a stable globe with stable markets, the terrorists will not be deterred from damaging our data to achieve their goals." huffingtonpost