Computers belonging to the UK's National Health Service have been hit with data-stealing malware, although it doesn't appear patient information was stolen, according to security vendor Symantec.
The computers were infected with Qakbot, a type of malicious software that can steal credit card information, passwords, Internet search histories and other data from machines, wrote Patrick Fitzgerald, senior security response manager at Symantec, in a blog.
The Register reported early Friday that the infection affected "the National Health Service (NHS) network," taking a direct quote from the blog. It appears the blog was revised at some point on Friday morning to take out the reference to the NHS.
When contacted, Symantec said it usually gives organizations eight hours' advance notice of a problem before it blogs on the subject, according to a spokeswoman for the company. The blog post was changed and will stay changed, the spokeswoman said, but she confirmed it was the NHS that had been hit.
"Logs show that there is a significant Qakbot infection on a major national health organization network in the UK," Fitzgerald's post now reads. "This threat has managed to infect over 1,100 separate computers that are spread across multiple subnets within their network. We have attempted to contact the affected parties and have no evidence to show that any customer or patient data has been stolen."
The NHS did not have an immediate comment.
pcworld
Friday, April 23, 2010
Thursday, April 22, 2010
McAfee Error: Little Relief in Sight?
McAfee is scrambling to undo the damage done by a faulty antivirus update that brought down Windows XP computers around the world, but the situation looks grim according to other vendors.
Amrit Williams, CTO of security management system company Big Fix, told USA Today that there's no way to automate the process of fixing affected computers. Every machine will need to be repaired individually, he said, noting the process could take days or weeks.
McAfee's antivirus upgrade causes computers running Windows XP Service Pack 3 to shut down within a minute of starting up. The problem was caused by virus definition file 5958, which quarantined svchost.exe, a vital system file. McAfee says the update only hit 0.5 percent of its customers' computers, but the damage is widespread, hitting hospitals and municipal services along with countless companies large and small. There's a significant backlash on Twitter.
Few of McAfee's competitors are willing to rub salt in the wounds, though. Mel Morris, chief executive at Prevx, told SC Magazine that false positives like the one plaguing McAfee will continue to escalate over time, as malware makers aim to mimic core operating system components.
Ashar Aziz, founder and CEO of network security firm FireEye, told USA Today that the signature-based approach to virus scanning, which identifies malicious files based on hash marks or algorithms, is "broken." He said that anti-virus software can't keep up with the tens of thousands of threats generated every day.
As for the current problems for McAfee customers, there are a couple things to watch out for: Graham Cluley, senior technology consultant for Sophos, noted to SC Magazine that hackers are taking advantage of the situation by putting malicious content on search engine-optimized Web pages, so when people hunt for a fix with Google or Bing, they could wind up on a page that does more damage (see this McAfee blog post for the proper solutions).
pcworld
Wednesday, April 21, 2010
Drug-dealing Spammers Hit Gmail Accounts
Google is investigating a growing number of reports that hackers are breaking into legitimate Gmail accounts and then using them to send spam messages.
The problem started about a week ago but seems to have escalated over the past few days.
"The Gmail team takes security very seriously and is investigating the reports we've seen in our user forums over the past few days," Google said Tuesday in an e-mailed statement. "We encourage users who suspect their accounts have been compromised to immediately change their passwords and to follow the advice at the following page: http://www.google.com/help/security/."
Gmail accounts are often compromised after phishing attempts or via malicious programs, which can seek out and log online credentials from a hacked computer.
It isn't clear what's behind this wave of Gmail compromises. But in forum posts, Gmail users note that the hackers appear to be sending spam via Gmail's mobile interface -- which gives mobile-phone users a way to check their Gmail accounts -- and wonder if there may be a bug in the mobile interface that is allowing criminals to send the spam.
Most of the victims are reporting that their accounts were accessed via the mobile interface when the spam was sent. They are reporting any security problems on their machines. Gmail users can check to see how their accounts were accessed at a given time by clicking on a "Details" button at the bottom of the Gmail page.
Google says there's no Gmail bug. "Our investigation has not given any indication of a bug in Gmail, either in the mobile interface or otherwise," the company said. "Spammers may sometimes use a mobile interface to access accounts they have already compromised because it's simpler for bots to use this method at large scale."
The New York Times reported Monday that Google's centralized login system, code-named Gaia, was compromised by hackers in late December. But this seems unrelated to the Gmail problem because of the different nature of the two incidents -- the December attack was a sophisticated attempt to steal data and intellectual property from Google; the Gmail spam is hardly sophisticated. It's being used to flog Canadian pharmaceutical Web sites that promise to send cheap drugs to U.S. customers.
Antispam vendor CloudMark noticed an uptick in Gmail-based pharmaceutical spam just a few days ago, according to Jamie Tomasello, the company's abuse operations manager. "We really saw this activity pick up on Friday and Saturday," she said via instant message.
Cassandra Robertson walked into a Gmail spam mess on Monday morning. "I noticed I had all these returned messages from people who were vaguely irate that I had sent them something that appeared to be spam," she said. pcworld
McAfee antivirus program goes berserk, freezes PCs
Computers in companies, hospitals and schools around the world got stuck repeatedly rebooting themselves Wednesday after an antivirus program identified a normal Windows file as a virus.
McAfee Inc. confirmed that a software update it posted at 9 a.m. Eastern time caused its antivirus program for corporate customers to misidentify a harmless file. It has posted a replacement update for download.
McAfee could not say how many computers were affected, but judging by online postings, the number was at least in the thousands and possibly in the hundreds of thousands.
McAfee said it did not appear that consumer versions of its software caused similar problems. It is investigating how the error happened "and will take measures" to prevent it from recurring, the company said in a statement.
The computer problem forced about a third of the hospitals in Rhode Island to postpone elective surgeries and stop treating patients without traumas in emergency rooms, said Nancy Jean, a spokeswoman for the Lifespan system of hospitals. The system includes Rhode Island Hospital, the state's largest, and Newport Hospital. Jean said patients who required treatment for gunshot wounds, car accidents, blunt trauma and other potentially fatal injuries were still being admitted to the emergency rooms.
In Kentucky, state police were told to shut down the computers in their patrol cars as technicians tried to fix the problem. The National Science Foundation headquarters in Arlington, Va., also lost computer access.
Intel Corp. appeared to be among the victims, according to employee posts on Twitter. Intel did not immediately return calls for comment.
Peter Juvinall, systems administrator at Illinois State University in Normal, said that when the first computer started rebooting it quickly became evident that it was a major problem, affecting dozens of computers at the College of Business alone.
"I originally thought it was a virus," he said. When the tech support people concluded McAfee's update was to blame, they stopped further downloads of the faulty software update and started shuttling from computer to computer to get the machines working again. AP
Blood donor ID data stolen
Missing laptop computer contained information on nearly 40,000 people
The Blood Bank of Hawaii has sent letters to nearly 40,000 blood donors and deferred donors, telling them that a laptop computer containing confidential personal information was stolen in a burglary last month at the agency's Dillingham Boulevard headquarters.
In an April 16 letter to potential donors, chief operating officer Wendy Abe said the data includes names, birth dates, partial Social Security numbers and "minimal donation information."
The letter advises those who receive it to check their financial and credit card records "for any unauthorized charges or actions" and to consider registering with the Federal Trade Commission to participate in a free annual credit monitoring service.
Randall Kusaka, communications assistant for the Blood Bank, said that so far no one whose personal information was stored in the stolen laptop has reported any irregularities with their bank accounts or credit cards.
"We urge anyone who notices a discrepancy to report it immediately to the police," Kusaka said.
He said the laptop contained information on 39,780 donors and "deferred donors," including people who can never donate blood because of medical conditions; those who are temporarily prohibited from donating because of new tattoos or travel to certain locales with malaria activity; or those who recently gave blood and haven't waited long enough to give again.
The laptop, stolen March 29, requires two separate passwords to access the personal information.
"We're required by federal law to make sure every donor is eligible to give blood," Kusaka said, explaining why certain information was stored on a computer.
Using the last four digits of a Social Security number was one of the most effective ways of keeping track of donors, but because of the break-in, that information will no longer be kept on laptops, Kusaka said. honoluluadvertiser
Tuesday, April 20, 2010
Cybercrime Toolkits for Neophytes Pose a Global Threat
Cybercrime toolkits are making it easy for even amateurs to attack computer systems and steal information, according to Symantec's latest security report. Symantec said social-networking sites, online banking, and global havens are boosting the cybercrime threat. Unpatched vulnerabilities remain a favorite target for hackers, with tools available.
The ready availability of attack toolkits is making it easier than ever for even neophyte attackers to compromise computers and steal information, Symantec says in a new Internet security report released Monday. Social-networking sites are also providing cybercriminals with the means to launch attacks on enterprises by leveraging the abundance of personal information available about key corporate executives.
According to Symantec, 75 percent of the enterprises it recently surveyed had experienced some form of cyberattack in 2009. One reason is the increasing popularity of online banking, which Symantec credited with boosting threats to confidential files from 83 percent in 2008 to 98 percent last year.
"Attackers have evolved from simple scams to highly sophisticated espionage campaigns targeting some of the world's largest corporations and government entities," said Symantec Senior Vice President Stephen Trilling. "The scale of these attacks -- and the fact that they originate from across the world -- makes this a truly international problem requiring the cooperation of both the private sector and world governments."
Attack Toolkits
The advent of inexpensive cybercrime attack toolkits has lowered the bar to entry, Trilling noted. For example, a Zeus (Zbot) toolkit priced around $700 -- or in some cases available for free download -- automates the process of creating customized malware capable of stealing personal information.
Variants of the Zeus kit use spam to lure surfers to a web site that uses social engineering or that exploits a browser vulnerability to install the bot on a victim's computer, Symantec said.
"The bot then allows remote access to the computer and can be used to steal information such as the user's online banking credentials," the report noted. "Each bot can then be used to send additional spam runs to compromise new users."
Moreover, attackers have learned to employ social-engineering techniques to lure unsuspecting users to malicious web sites that attack the victim's browser as well as vulnerable plug-ins for viewing videos and documents. During 2009, PDF files accounted for 49 percent of all observed web-based attacks -- up from 11 percent in 2008.
Symantec believes it likely that attackers are targeting browsers and PDF reader plug-ins because the two technologies are among the most widely deployed on the Internet. sci-tech-today
Friday, April 16, 2010
Porn virus publishes web history of victims on the net
A new type of malware infects PCs using file-share sites and publishes the user's net history on a public website before demanding a fee for its removal.
The Japanese trojan virus installs itself on computers using a popular file-share service called Winni, used by up to 200m people. It targets those downloading illegal copies of games in the Hentai genre, an explicit form of anime. Website Yomiuri claims that 5500 people have so far admitted to being infected.
The virus, known as Kenzero, is being monitored by web security firm Trend Micro in Japan.
Masquerading as a game installation screen, it requests the PC owner's personal details.
It then takes screengrabs of the user's web history and publishes it online in their name, before sending an e-mail or pop-up screen demanding a credit card payment of 1500 yen (£10) to "settle your violation of copyright law" and remove the webpage.
Held to ransom
The website that the history is published on is owned by a shell company called Romancing Inc. It is registered to a fictitious individual called Shoen Overns.
"We've seen the name before in association with the Zeus and Koobface trojans. It is an established criminal gang that is continuously involved in this sort of activity," said Rik Ferguson, senior security advisor at Trend Micro.
Kenzero is a twist on ransomware, he added, which infects a computer and encrypts the documents, pictures and music stored on it, before demanding a fee for a decryption key.
"Interestingly we've seen a separate incident that focuses on European victims," he said.
A fictitious organization calling itself the ICPP copyright foundation issues threatening pop-ups and letters after a virus searches the computer hard drive for illegal content - regardless of whether it actually finds anything.
It offers a "pretrial settlement" fine of $400 (£258) payable by credit card, and warns of costly court cases and even jail sentences if the victim ignores the notice.
However rather than take the money, the outfit sells on the credit card details, said Mr Ferguson.
"If you find you are getting pop-ups demanding payments to settle copyright infringement lawsuits, ignore them. news.bbc.co.uk
New Malware Can Take Control of Macs, Intego Warns
Batten down the hatches! Better yet, unplug your Mac and run for the hills! Intego, purveyor of internet security and privacy software for the Mac, reports that a new variant of malware--the intimidatingly-named HellRTS--has been spotted in the vast untamed reaches of the Internet.
But here's the good news: I just saved a bunch of money on car insurance. The HellRTS.D variant isn't out in the wild; you can only be infected if you install the rogue software. Obviously, Trojan horse-style trickery could do the trick, but there are no reports that any such Trojans exist just yet. To date, the malware is merely being exchanged on forums frequented by technological evildoers (and the virus-protection software researchers who battle them). pcworld
Thursday, April 15, 2010
Scotts Valley couple suspected in three-county ID theft case
A simple theft report spun out into a spiderweb of illegal activity and led to the arrest of two career criminals suspected of stealing mail to forge checks and steal people's identities, the Sheriff's Office reported.
"They're ID thieves. They rip off the mail to get hopefully checks so they can produce" phoney checks, sheriff's deputy Nick Baldrige said.
He estimated there are at least 30 victims to the couple's three-county crime spree.
The investigation started in February when Baldrige went to a Scotts Valley home because a man thought his roommate, 25-year-old Scott Alan Jackson, had stolen from him.
Baldrige said he searched the bedroom Jackson shared with his girlfriend, who is on parole, and found a flash drive that had been reported stolen from the Boulder Creek Country Club earlier in the month. The deputy also reported finding a trash bag of mail stolen from Carmel Valley in the backyard and a red pickup parked in front that allegedly had been involved in a hit-and-run in front of the country club the night the business was burglarized.
From that evidence, Judge Jeff Almquist issued a warrant for Jackson.
But before local deputies could arrest Jackson, he was picked up in Sunnyvale for allegedly passing a bad check at a business there, according to the Sheriff's Office.
His girlfriend, Brandy Fellows, was waiting for him but fled in her vehicle. She led Santa Clara County Sheriff's deputies on a chase all the way to San Francisco, where she eventually was stopped and arrested. Fellows, 27, is facing charges in San Francisco County Superior Court, Baldrige said.
Jackson was arraigned in Santa Clara County Superior Court on the bad check charge March 1. Baldrige was there to arrest him for the Santa Cruz County burglary warrant. When Jackson was taken into custody, Baldrige said he had two counterfeit $20 bills, a counterfeit $100 bill, a California driver's license that had been reported stolen in Santa Cruz and a check from a Santa Cruz business made out to the person listed on the driver's license. santacruzsentinel
Wednesday, April 14, 2010
Researcher Shows New Clickjacking Methods
A computer security researcher has released a new browser-based tool that can be used to experiment with next-generation "clickjacking" attacks along with details of the four new techniques.
Clickjacking is a style of attack where a user is tricked into clicking on certain parts of a Web page with hidden buttons that perform malicious actions. The hidden buttons are delivered by an invisible iframe, which is a window that brings other content into the target Web site.
Clickjacking became well-known in 2008 after researchers Robert Hansen and Jeremiah Grossman discovered a kind of attack involving Adobe Systems' Flash application that could give remote access to a victim's Web camera and microphone.
Since that time, many Web sites and browser makers have taken steps to shore up their defenses, but the vast majority of sites are not protected, said Paul Stone, a security consultant with Context Information Security in the U.K. He revealed four new kinds of clickjacking attacks on Wednesday at the Black Hat conference that are effective against most Web sites and browsers.
Stone showed one demonstration that used the drag-and-drop API (application programming interface) implemented in all browsers. With some social engineering, users can be tricked into dragging an item on a Web page, which would cause text to be inserted into fields.
"There are many things that this could be used for," Stone said. "You could send fake e-mails from a user's account. You could also edit documents in some kind of document-editing system."
pcworld
Tuesday, April 13, 2010
FTC's Security Check: Reducing Risks to your Computer Systems
When consumers open an account, register to receive information or purchase a product from your business, it’s very likely that they entrust their personal information to you as part of the process. If their information is compromised, the consequences can be far-reaching: consumers can be at risk of identity theft, or they can become less willing – or even unwilling – to continue to do business with you.
These days, it’s just common sense that any business that collects personal information from consumers also would have a security plan to protect the confidentiality and integrity of the information. For financial institutions, it’s an imperative: The Gramm-Leach-Bliley Act and the Safeguards Rule, enforced by the Federal Trade Commission, require financial institutions to have a security plan for just that purpose.
The threats to the security of your information are varied – from computer hackers to disgruntled employees to simple carelessness. While protecting computer systems is an important aspect of information security, it is only part of the process. Here are some points to consider – and resources to help – as you design and implement your information security plan.
Starting Out
Sound security for businesses means regular risk assessment, effective coordination and oversight, and prompt response to new developments.
Basic steps in information security planning include:
- identifying internal and external risks to the security, confidentiality and integrity of your customers’ personal information;
- designing and implementing safeguards to control the risks;
- periodically monitoring and testing the safeguards to be sure they are working effectively;
- adjusting your security plan according to the results of testing, changes in operations or other circumstances that might impact information security;
- and overseeing the information handling practices of service providers and business partners who have access to the personal information. If you give another organization access to your records or computer network, you should make sure they have good security programs too.
Determining Priorities Among Risks: Computer Systems
Although computer systems aren’t your only responsibility related to information security, they are an important one. With new vulnerabilities announced almost weekly, many businesses may feel overwhelmed trying to keep current. Guidance is available from leading security professionals who put together consensus lists of vulnerabilities and defenses so that every organization, regardless of its resources or expertise in information security, can take basic steps to reduce its risks. The lists identify the commonly exploited vulnerabilities that pose the greatest risk of harm to your information systems. Use these lists to help prioritize your efforts so you can tackle the most serious threats first.
The 20 Most Critical Internet Security Vulnerabilities (www.sans.org/top20) was produced by the SANS Institute and the FBI. It describes the 20 most commonly exploited vulnerabilities in Windows and UNIX. Although thousands of security incidents affect these operating systems each year, the majority of successful attacks target one or more of the vulnerabilities on this list. This site also has links to scanning tools and services to help you monitor your own network vulnerabilities at www.sans.org/top20/tools.pdf.
The 10 Most Critical Web Application Security Vulnerabilities (www.owasp.org) was produced by the Open Web Application Security Project (OWASP). It describes common vulnerabilities for web applications and databases and the most effective ways to address them. Attacks on web applications often pass undetected through firewalls and other network defense systems, putting at risk the sensitive information that these applications access. Application vulnerabilities are often neglected, but they are as important to deal with as network issues.
While you are designing and implementing your own safeguards program, don’t forget that you should oversee service providers and business partners that have access to your computer network or consumers’ personal information. Check periodically whether they monitor and defend against common vulnerabilities as part of their regular safeguards program. ftc.gov
Senate stalls cyber commander to probe digital war
When hackers a continent away attack a military computer system, using computers belonging to unsuspecting private citizens or businesses as cover, what are the rules when the U.S. fights back?
As U.S. officials struggle to put together plans to defend government networks, they are faced with questions about the rippling effects of retaliation. Taking action against a hacker could affect foreign countries, private citizens or businesses -- ranging from hospitals to power plants -- whose computers might get caught up in the electronic battle.
Difficult questions about how and when the U.S. military conducts electronic warfare have stalled the creation of the Pentagon's Cyber Command for months as senators dig into such scenarios involving the rules of the digital battlefield, according to congressional officials.
Government leaders have grown increasingly alarmed as U.S. computer networks face constant attacks, including complex criminal schemes and suspected cyber espionage by other nations, such as China. But the nation's ability to protect its networks and respond to attacks is largely kept secret because of national security concerns and the government's slowly evolving cyber security plans.
Electronic warfare by U.S. forces is not new. For example, in the Iraq war, U.S. forces jammed cellular phone networks in Fallujah in 2004 to disrupt communications between enemy insurgents, and interrupted radio signals designed to trigger roadside bombs.
But U.S. officials refuse to discuss any current offensive cyber operations or monitoring, particularly anything that involves other countries or terror organizations. businessweek
Monday, April 12, 2010
Online Thieves Take $205,000 Bite Out of Missouri Dental Practice
Organized computer criminals yanked more than $200,000 out of the online bank accounts of a Missouri dental practice this month, in yet another attack that exposes the financial risks that small- to mid-sized organizations face when banking online.
Dentists working at the Smile Zone, a Springfield, Mo.-based dental practice that caters specifically to the needs of children, weren’t exactly all smiles on March 22. That was the day unidentified crooks sent at least $205,000 of the practice’s money to nearly a dozen individuals around the country.
Eric Hudkins, the office manager and husband of one of the dentists at Smile Zone, said the money was taken in 11 different transfers, including three large wires. Once again, it seems the attack was carried out with the help of money mules, willing or unwitting individuals hired through work-at-home job schemes over the Internet and lured into helping the attackers launder the stolen money.
“I’ve got the names, account numbers, and phone numbers for most of them, and have even looked some of them up on Facebook,” Hudkins said of the co-conspirators. “The bank talked to two of the [mule] account holders and asked them why they opened the account, who it was for, that kind of thing. Both of them said they’d had their resumes out on careerbuilder.com or monster.com and that someone they’d never met contacted them and offered to help them make some money.” krebsonsecurity
Top execs need to be involved in cybersecurity, study says
Organizations with top executives who aren't involved in cybersecurity decisions face a serious problem -- a major hit to their bottom lines, according to a report released Wednesday.
"Many organizations see cybersecurity as solely an IT problem," said Karen Hughes, director of homeland security standards programs at the American National Standards Institute (ANSI), one of the major sponsors of the new report. "We are directing a wake-up call to executives nationwide. The message is, this is a very serious issue, and it's costing you a lot of money."
The report, called "The Financial Management of Cyber Risk," recommends how C-level executives can implement cybersecurity risk management programs at their companies. Part of the goal is to get executives such as chief financial officers directly involved in cybersecurity efforts, said Larry Clinton, president of the Internet Security Alliance (ISA), the other major sponsor of the report.
The report cites a cyberpolicy review released by President Barack Obama's administration last May saying that U.S. businesses lost $1 trillion worth of intellectual property to cyberattacks between 2008 and 2009. That number doesn't include losses due to theft of personal information and loss of customers, the report said.
The total cost of a typical breach of 10,000 personal records held by an organization would be about $2 million, the report said.
"We believe if we can educate American organizations about how much they're actually losing, we can move to the next step, which is solving the problem," Clinton said. Eighty to 90% of cybersecurity problems can be avoided by a combination of best practices, standards and security technology, but some organizations need to understand the financial problems associated with poor security practices before they will make changes, Clinton said.
A small percentage of company CFOs are directly involved in cybersecurity plans at their companies, and at many companies, most employees don't see cybersecurity as part of their jobs, Clinton said. "In American organizations, everybody has data," he said. "Generally, people don't think it's their responsibility to secure their own data. They think that's the job of the IT guys down at the end of the hall."
IT departments at many U.S. companies and organizations are viewed as cost centers, not profit centers, and are "starved for resources," Clinton added. Many employees don't understand, or are intimidated by, the cybersecurity tools their companies have, the report said.
U.S. organizations need to understand that in today's connected world, their lack of security can hurt their customers, their partners and national security, Clinton and other cybersecurity experts said at a press conference. computerworld
ID theft No. 1 FTC complaint in 2009
A recent Federal Trade Commission report does not surprise Florence police Sgt. Cliff Billingsley.
The report reveals identity theft is again the nation's top consumer complaint.
The recent commission report states the agency received 278,078 complaints of identity theft in 2009.
That represents 21 percent of all complaints to the commission. The next-highest complaint, third-party and creditor-debt collection, was a distant 9 percent.
Billingsley, who used to handle white-collar crime for the police department, still gives talks about identity theft to businesses and other groups.
"I still see the problem from working the streets," he said. "It's definitely still a major problem here."
Christie Yeiser, executive director of the Better Business Bureau of the Shoals, said it's important for consumers to maintain awareness about the problem.
"You need to take a proactive approach to it," Yeiser said. "Minimize the identification information you carry with you. Carry your Social Security card only if you need it that day."
According to 2008 FTC figures, the agency received 4,342 complaints from Alabama residents. The largest percentage of complaints - 32 percent - was fraud involving government documents or benefits.
Most of that 32 percent dealt with a fraudulent tax return that was filed, according to the FTC.
Roughly one-fourth of all complaints in Alabama and nationwide come from the 20- to 29-year-old age group, according to the FTC.
Officials say people are more aware of identity theft these days.
timesdaily
Private papers found in trash
Law director not sure how documents got into the recycling Dumpster without being shredded.
For several weeks, a mound of city documents containing Social Security numbers, phone numbers and carbon copies of checks filled a Dumpster at Smith Park, where they were accessible to anyone.
The Journal received a tip that led to the discovery of countless junked records containing personal information for Middletown residents, along with blueprints, contracts and tax papers.
Most appear to have originated in the city’s public works and utilities department, with a few from the police and finance departments.
City Manager Judy Gilleland said normal records policy calls for documents of that nature to be shredded and not simply thrown away.
“We typically ... have the Shred-it company come on site and take care of everything,” Gilleland said. “I don’t know why we would be dumping in Smith Park, other than those are our Dumpsters.”
Law Director Les Landen said he is not sure how confidential documents got into the recycling Dumpster, but he suspects they started in a recycling bin within the city building. Every piece of recycled paper from the city building eventually ends up in the container at Smith Park, according to Landen.
“Somebody made a mistake and threw something away that should have been shredded,” Landen said. “We do have a policy and process for getting rid of confidential and sensitive documents, but that clearly was not followed here.”
While Landen is not sure an incident like this would expose the city to potential legal action, he said it is still “a practice we do not condone.”
“We need to make sure our employees know where the material is going after it leaves their offices,” Landen said. “Sometimes situations like this help us self-check ourselves.” middletownjournal
Malicious Facebook Ad Redirects to Fake Antivirus Software
A malicious advertisement has been found within an application for Facebook that redirects users to fake antivirus software, according to a security researcher.
The banner advertisement for greeting cards is intermittently displayed with an application called Farm Town, which has more than 9 million monthly users according to information published on Facebook.
If the bad Shockwave Flash advertisement is displayed, the user is redirected from Facebook through several domains and ends up on a Web site selling fake antivirus software, said Sandi Hardmeier, who studies malicious advertisements and blogged about the issue. (See also "How to Remove Fake AV Software.")
Farm Town's developer, SlashKey, has a notice on its Web site saying it has notified its developers of the problem.
"We believe at this time that it is harmless to your computer and a result of one or more of the ads on the site, but you should not follow any links to any software claiming to 'clean your system,'" the notice reads. "Most good antivirus/malware program will catch and quarantine this malware."
Hardmeier disagrees that it is harmless. "I'm disappointed that they are trying to minimize the perception of risk," she said.
Fake antivirus sites usually tell users their computers are infected and implore them to download the software, which is often completely ineffective. Consumers are charged as much as US$70 for the software, which is also difficult to remove, and have trouble recovering their money.
There are hundreds of fake antivirus programs, and security experts estimate it is a multimillion dollar industry. Panda Security wrote in a report last year that as many as 35 million computers worldwide may be infected with fake antivirus programs each month.
Google's Chrome browser did detect the malicious domains used to redirect the user and blocked the attack. The company has "safe browsing" technology built into its browser that will block users from going to potentially harmful Web sites. Internet Explorer 8, however, did not, Hardmeier said. She was in the process of testing Firefox on Monday morning.
Hackers have been known to figure out ways to slip their malicious advertisements onto ad networks that supply advertisements to innumerable Web sites. Many ad networks have taken steps to ensure malicious ads don't circulate. But there are ways around using the ad networks.
"The bad guys are going straight to site owners and offering them advertising," Hardmeier said via instant message. "The responsible networks are monitoring for the bad stuff and catching it and will suspend the bad campaigns immediately." pcworld.com
Six charged in South Bay identity theft scheme
Six people are facing identity theft charges on suspicion of stealing more than $170,000 worth of cash, clothing and jewelry from 20 people.
The state attorney general's office charged five South Bay residents and one Vallejo resident with multiple felony counts of identity theft, conspiracy, possession of stolen property and grand theft.
Charged were Matthew Medlin, 31, of Campbell; Jessica Campos, 30, of Santa Clara; Chev Chan, 31, of San Jose; Quang Le, 32, of Santa Clara; Daniel Lee Lesly, 31, of Los Altos; and Nick Phuong Luu, 29, of Vallejo. They were arraigned Thursday.
In late 2009, the U.S. Postal Inspection Service informed Attorney General Jerry Brown's office that several people reported their Social Security numbers had been used to illegally apply for credit cards. The cards were traced to Chan's home, the attorney general's office said.
Luu and Chan are accused of being the leaders of the ring, which stole most of the identities from clients of a San Jose law office and a Santa Clara dental office, according to Brown's office.
Between June and December of 2009, the suspects are accused of using the Social Security numbers to apply for credit cards and open fraudulent bank accounts. mercurynews.com
Update:
The state Attorney General's Office says the defendants stole the identities of 20 people, most of them clients of a San Jose law office and a Santa Clara dental office where two of the defendants worked. jerrybrown.org
Report: Cybersecurity bigger than an IT problem
Companies that confine cybersecurity concerns to the information technology department put their bottom line at risk, according to a report released Wednesday by the Internet Security Alliance and the American National Standards Institute. The groups conducted the report in response to a request in the Obama administration's Cyberspace Policy Review that better financial metrics be placed on cybersecurity hazards.
Highlighting that cyber attacks cost U.S. businesses more than $1 trillion in intellectual property in 2008, the report offers a framework for how companies can better organize themselves to address these threats, which can result in public relations crises and major data breaches.
One of the report's central points is that effective cybersecurity requires effort beyond the IT department, which is not seen as a growth area for companies and is often underfunded. "If anyone still thinks IT is going to solve the problem: ain't gonna happen," said Joe Buonomo, president and CEO of Direct Computer Resources, among the industry and government stakeholders that helped develop the report. The report suggests that cybersecurity concerns should be handled at the top levels of corporate structure, drawing in the board of directors.
The report also urged companies to think of cybersecurity as a financial problem that should be addressed by companies' chief financial officers. nextgov.com
6 Key Cybersecurity Bills Before Congress
As Congress returns from its spring break this week, it will have six notable cybersecurity bills - perhaps one more - to consider before summer rolls around and senators and representatives focus more on getting reelected than lawmaking.
Of these cybersecurity measures, only one bill has passed either chamber; in February, the House of Representatives overwhelmingly approved the Cybersecurity Enhancement Act. And just one significant IT security bill has made it to the full Senate, the Cybersecurity Act, which cleared a Senate panel on a voice vote last month. The other bills remain in committee.
Most of the bills have some overlapping provisions, but except for the International Cybercrime Reporting and Cooperation Act, which has twin Senate and House versions, none of the bills are identical.
What follows are brief descriptions of each of these cybersecurity bills and their respective status.
H.R. 1051: Cybersecurity Enhancement Act of 2010, sponsored by Rep. Daniel Lipinski, D.-Ill., passed the House on Feb. 4. The measure - assigned to the Senate Commerce, Science and Transportation Committee - would promote the development of a skilled cybersecurity federal workforce, coordinate and prioritize federal cybersecurity research and development, improve the transfer of cybersecurity technologies to the marketplace and promote cybersecurity education and awareness for the public. It also would strengthen the role of the National Institute of Standards and Technology in shaping the way the federal government and the nation address cybersecurity. H.R. 1051 would order NIST to develop and implement a public cybersecurity awareness and education program to encourage the more widespread adoption of best practices.
S. 773: Cybersecurity Act of 2010, sponsored by Sens. Jay Rockefeller, D.-W.Va., and Olympia Snowe, R.-Maine, requires the president to work with the private sector to develop a comprehensive national cybersecurity strategy for the nation and establish a cybersecurity advisory panel of outside experts from industry, academia and non-profit advocacy organizations to advise him on cybersecurity-related matters. The bill - which cleared the Senate Committee on Commerce, Science and Transportation on March 24 - delegates NIST as the United States' representative in the development of international cybersecurity standards. Other provisions would require periodic appraisals of the nation's cybersecurity posture and promote cybersecurity education, awareness and research and development. It also would establish a board to standardize secure computer products for federal acquisition.
Rockefeller and Snowe have a companion bill - S. 788, assigned to the Committee on Homeland Security and Governmental Affairs - that would establish within the Executive Office of the White House the Office of National Cybersecurity Adviser.
S. 921: United States Information and Communications Enhancement Act, or U.S. ICE, primarily would update the 8-year-old Federal Information Security Management Act, which provides the blueprint for federal departments and agencies to secure their IT assets. Sen. Tom Carper, the Delaware Democrat who chairs the Senate subcommittee with cybersecurity oversight, is the bill's chief sponsor. The measure was assigned to the Committee on Homeland Security and Governmental Affairs.
The original version of U.S. ICE, introduced nearly a year ago, like S. 788, would have established a White House office to oversee cybersecurity, but that provision was excised in a revision approved last summer. The revision gives the Department of Homeland Security more sway in managing cybersecurity among federal executive departments and agencies. Though the Office of Management and Budget would retain final say over agencies' cybersecurity budgets, the revised bill provides for DHS to review all departmental and agency cybersecurity spending plans and forward its recommendation to OMB.
ReadMore: govinfosecurity.com
Tuesday, April 6, 2010
Bank expert discusses ATM skimming -- and how to detect it
The ATM skimming scam has resurfaced.
A customer spotted a skimming device on Saturday night at a Wachovia bank in the 1600 block of Rockville Pike at Congressional Lane and alerted a manager.
Rockville police said the device is “identical” to one discovered Feb. 28 at an Alexandria Wachovia branch in the 3600 block of King Street. At least $60,000 was removed from accounts at that bank, Alexandria police have said.
As of the close of business Monday, no losses had been traced to the Rockville incident, according to Wachovia spokeswoman Aimee Worsley. But customers who have used that ATM are being asked to check their accounts for unauthorized withdrawals in the wake of the discovery. Wachovia has policies to make customers whole -- the particulars are discussed below.
The check and fraud section of Montgomery County Police at 240-773-6330 will handle the criminal investigation into the Rockville case.
The resurfacing of the thievery revives the question: What was a customer supposed to have noticed? In the examples of the identical devices, the tipoff was the green flashing light around the card slot where, normally, there were no lights for that particular ATM model. The “face” of the ATMs also protruded slightly. The side-by-side shots released by Alexandria police illustrate the points.
But not all ATMs are alike, so sometimes the tipoff will be the exact opposite and the scammers will have attached a skimming device to the front of the ATM that blocks lights on machines where they are normally visible.
Wachovia’s expert, Jonathan Velline, senior vice president for ATM banking at Wells Fargo (which includes Wachovia), said customers should look closely at the ATMs they use most often. Many customers, he said, have a routine of using the same two or three machines and get a feel for how they appear even if they could not describe them fully.
Does your usual machine have flashing lights? Sit flush in the wall or extend out? Is the slot loose in the wall? Is a wire visible? Does the PIN keypad normally have buttons with colors for “enter” and other prompts or keys that all are the same color? Is there or isn’t there usually a box -- with envelopes for deposits, for example -- mounted on a wall close to the screen and keypad?
Velline said most customers do have an instinct for when something is awry even if they cannot put their finger on exactly what looks suspicious to them. Trust that instinct and notify a branch manager when something at the ATM appears odd, he said.
After the Alexandria case and again Monday, readers immediately began posing questions about skimming.
We posed some of your questions to Velline. Information he shared follows. When there is a direct quote, it is his.
What is skimming?
It is a crime in which thieves attach a device to an authentic ATM in order to capture the information stored on the magnetic strip on customers’ bank cards. The basic components in skimming are a small magnetic head, like those on old tape recorders, to capture the account information on the bank card as it is inserted and a small camera positioned to view the keypad as the security PIN is entered.
The recorder may have a memory stick to store account information or may be able to transmit digital data over radio waves. Some thieves keep an eye on machines they’ve tampered with and so are nearby to receive transmissions. The digital data is stored and read at the end of the day.
The camera is tiny and may be attached in an overhang above the ATM keyboard or on the wall beside the ATM keyboard, say in the bracket holding deposit envelopes, and either records or transmits the PIN numbers entered.
Thieves who manage to collect the coding from a card’s magnetic strip and score the PIN have what they need to create a duplicate of the card and access an account.
How can I tell by looking that someone is doctoring my ATM?
Thieves often fit their own card readers (think false fronts with a slot) atop the genuine card reader, so look for ATMs where the slots seem to protrude or be out of alignment with the rest of the opening.
In other tactics, a small piece of metal may extend from the slot. In still other schemes, the fake device obscures the flashing lights that are around the slot openings of ATMs, so you won’t see a flashing light where you normally would.
But here is the problem: there are variations in the models and make of ATMs.
Does this crime happen only at banks?
No. It has occurred at gas pumps and other retail (point of sale) machines where you swipe a card and use a PIN.
Why isn’t there a foolproof system to stump these chumps?
“There is a little bit of cat and mouse to it.” Banks improve on their security and thieves connive to outmaneuver the upgrades. And as with so much, Internet access to components and underground how-to guides make it easier for crooks to get information and the parts they need. But Velline said “we’re making progress and our loss rate in 2009 was half as much as 2008.” And no, he would not say what that means in terms of actual dollars for his bank network.
Are customers out of luck on the losses?
Best bet is to check your bank’s policies on reporting fraud and ask specifically what you have to do and how quickly in order to be made whole. For example, Wachovia has zero liability for cardholders if their credit card, ATM card or check card is lost, stolen or used without authorization and the cardholder provides prompt notification, which Wachovia’s press office defined as within 60 days, although the sooner the better.
What can customers do to protect their account information?
Look at the ATM before you put in your card -- really look at it.
Shield your PIN as you enter it -- not just from the person over your shoulder in line or from people passing on the street. Shield it right on the keypad as you punch it in with an arm or with a shoulder -- think of the positioning you might have used to keep that slacker in fifth grade from copying your math test answers.
Watch your bank statements for banking activity that you didn't do.
ATMs have surveillance cameras so why can’t that equipment catch the would-be thieves as they stand there and put on the skimming equipment?
“Because the camera data usually shows someone with a black cap and hoodie and some sunglasses, so it is not particularly useful.” washingtonpost.com
Skimming Device Found On ATM At Publix
OCOEE, Fla. -- At a busy Publix store, an identity thief put a skimming device on an ATM. Police aren't even sure how many victims may have had their bank information stolen.
WFTV has been reporting an increasing number of skimming devices set up on ATMs all over Central Florida. The latest was on the machine at the Publix store on South Maguire Road in Ocoee (see map).
A store manager found the device Thursday. Publix told WFTV that checking the outside of stores is part of Publix's daily protocol and that would, of course, include checking an ATM on the outside of the store like the one on Maguire Road.
Customers at the Ocoee Publix had the green light to use the store ATM Friday, but frequent ATM users might still want to check their statements after a skimming device was removed from the ATM on Thursday.
“I was very concerned,” Publix customer Margaret Cox said. “But I was also very proud of Publix employees for noticing that.”
The skimmer, which collects personal account information, was discovered during a daily check of the ATM. Employees don't believe the device was there the day before and a local security expert told WFTV the devices are usually attached for only a few hours.
Thieves usually install two pieces of equipment, one to steal your ATM number and the other to steal your PIN number.
“Identity theft, I'm aware of that and I'm afraid of it,” Publix customer Steve Chin said, adding that he never uses an ATM.
If you're not ready to swear off ATM use, experts recommend you get familiar with the appearance of your ATM and pay close attention to the card reader. Note if the flashing indicator for the card entry isn’t visible.
Watch video: wftv.com
Monday, April 5, 2010
Government Stops Shielding Corporate Breach ‘Victims’
For the past few months, national retailer J.C. Penney has been fighting an under-seal court battle to keep you from knowing that its payment card network was breached by U.S. and Eastern European hackers.
The intrusions, by TJX hacker Albert Gonzalez and his overseas accomplices, occurred beginning in October 2007. J.C. Penney admits it was “wholly unaware” of the breach until the Secret Service told the company about it in May 2008, but now says with certitude that no identity or bank-card data was stolen in the breach it failed to detect. That’s why the company didn’t want to be identified to the public, says spokeswoman Darcie Brossart.
“Because there was no reason to think that the hackers were successful, there was no need to alarm J.C. Penney customers,” says Brossart, “We believed we had a legitimate interest in not being linked to criminal activity that resulted in major thefts from other companies.”
So in court filings, J.C. Penney argued that it was entitled to anonymity under the 2004 Crime Victims’ Rights Act, a law intended to protect the “dignity and privacy” of victims. A federal judge on Friday ordered the company’s identity unsealed anyway, as well as that of a second breached company, clothing retailer Wet Seal.
It’s a familiar story. Companies have never been eager to have their security slip-ups revealed to consumers. What was different, and remarkable, this time around is that an assistant U.S. attorney argued that J.C. Penney and Wet Seal should be identified. The lead prosecutor in the largest identity-theft hacks in U.S. history argued for disclosure.
Read more: wired.com
Thursday, April 1, 2010