Saturday, May 29, 2010

Lifelock worries after employee data leaked to Web

Identity theft protection company posts CEO's SS number, but not OK with employees data being in public

It may be OK for identity theft protection vendor Lifelock to publish its CEO's Social Security number, but when it comes to other company employees, that's another story.

The company has asked the Phoenix New Times to remove a police report from its Web site after discovering that it contained a redacted Social Security number of Lifelock employee Tamika Jones. The number could be read by simply cutting and pasting the PDF document into another word processing program, a common problem with poorly-redacted documents.

Also in the police report: Jones's date of birth, address, phone number, and address.

Internet Identity Workshop reveals OpenID clashesBLOGSophos slams scientist 'infected' with computer virusSymantec readies Norton security, storage apps for Android, iPhone smartphonesFacebook Answers Critics With New Privacy Controls

View more related contentGet Daily News by Email"Yesterday, Christy O'Connor of LifeLock called New Times and asked us to remove the link to the PDF document," the New Times reporter Ray Stein wrote in a Tuesday story. "The smart-ass in us couldn't resist giving O'Connor, LifeLock's associate general counsel, some grief."

After Stein pointed out that Jones works for a company that promises to protect customers from identity theft, before it happens, the newspaper agreed to post a properly redacted version of the document on its Web site.

In an interview, Stein said that the fact that Lifelock had to call and ask for the document to be removed reflected badly on Lifelock's service. "I think this shows clearly that they know that it's got potential problems." networkworld

Thursday, May 27, 2010

Man Infects Himself with (Computer) Virus

We are one step closer to the future: a British scientist has become the first human being to contract a computer virus.

Yep, you heard that right. Dr. Mark Gasson, a cybernetics expert at the University of Reading, deliberately infected himself (by way of an RFID chip implanted in his wrist) with a benign computer virus. This was part of an experiment designed to show how implantable bionic devices are susceptible to computer viruses.

Tuesday, May 25, 2010

Red Flags Rule: Are we there yet? Auto Dealerships need to comply...

June 1, 2010, is just the latest in a series of enforcement deadlines for the Federal Trade Commission's Red Flags Rule.

The rule, which actually took effect Nov. 1, 2008, requires businesses handling credit, like dealerships, to adopt written plans to identify, detect, monitor and respond to potential instances of identity theft.

But the FTC has delayed enforcing the rule four times -- first to May 1, 2009; then to Aug. 1, 2009; then to Nov. 1, 2009; and finally, to June 1, 2010.

I've talked to dealers, vendors, trade association executives and lawyers who aren't really sure the latest enforcement deadline will stick.

But one thing is certain: Dealers better comply with the law.  autonews

Monday, May 24, 2010

Melissa Hathaway's Nine Cybersecurity Bills to Watch

Melissa Hathaway probably knows more about what's going on with cybersecurity legislation before Congress than even the lawmakers who sponsor these bills; heck, she likely understands more about these measure than the key staffers who are the brains behind them.

Since leaving the White House last summer, Hathaway - who led President Obama's 60-day cyberspace review last year - has become involved in a variety of IT security ventures, including becoming a senior adviser at the Belfer Center for Science and International Affair at Harvard University's Kennedy School of Government. There she conducts research and writes about IT security. One of her projects is to track cybersecurity legislation before Congress.

Hathaway this past week completed a 31-page report documenting some 40 IT security bills before Congress. The report provides an analysis on the wide range of topics they address including organizational responsibilities; compliance and accountability; data accountability, personal data privacy, data breach handling and identity theft; cybersecurity education, research and development and grants; critical electric infrastructure protection and vulnerability analysis; international cooperation on cybercrime; and procurement, acquisition and supply-chain integrity.

Here are nine bills Hathaway characterized as "legislation to watch," along with her analysis of them...

Do You Comply With the FTC's Red Flag Rule?

Regulations to help prevent identity theft go into effect June 1, and chances are you've got some work to do to comply with them. Here's what you need to know.

You may not even have heard of the federal government's Red Flag Rule, but there's a good chance by June 1 you'll need to comply with it.

The rule requires businesses that are potential targets for identity thieves to develop plans to spot fraud "red flags" and prevent them.

Think the rule only applies to financial institutions? Think again. It requires all "creditors" to comply with the rules, but the definition of creditor is very broad, and includes "businesses or organizations that regularly provide goods and services first and allow customers to pay later," according to a Frequently Asked Questions guide prepared by the Federal Trade Commission, which will enforce the rule. Translation: If you invoice for goods or services, you're a creditor.

You could be forgiven for hoping the government will change the enforcement deadline, considering it's already been extended several times since the original date of November 2008. But of course that won't excuse you from complying. And just having some rules – written or unwritten – about not leaving customer information lying around won't get you off the hook – you have to have a written policy and procedures specifically to handle identity theft.

"I suspect a lot of small businesses were hoping this ultimately wouldn’t happen," said Tanya Forsheit, co-founder of InformationaLawGroup, a Los Angeles firm that advises businesses on privacy and data security compliance.

The rules – among them, recommendations for data encryption plus regular reviews, annual updates of your policy, and training of staff – can seem onerous, but the FTC has some online do-it-yourself tools and templates to help.

Identity theft has been the number one fraud complaint filed with the FTC for the better part of a decade. So what kind of financial activity constitutes a "red flag" under the new rules? For starters, suspicious documents (like a photo ID that doesn't match the person presenting it), unverifiable addresses and Social Security numbers, and questionable account activity from customers, such as sudden spending on goods that can be resold for cash, frequent requests for cash advances, or failures to make payments on balances after making initial payments.

Friday, May 21, 2010

More Business Banking Victims Speak Out

Since our story about Eastern European cyber crooks targeting small to mid-sized U.S. businesses ran last week, I've heard from a few more victims. Eerie similarities in their descriptions of how they were robbed suggest the bulk of this crime may be the work of one or two gangs.

David Johnston, owner of Sign Designs, Inc., a Modesto, Calif.-based company that makes and installs electric signs, said his company lost nearly $100,000 on July 23, when crooks used the company's credentials to log in to its online banking account and initiate a series of transfers to 17 accomplices at seven banks around the country.

"Our daily limit on these transactions was $100,000, and [the thieves] took just $47 short of that amount," Johnston said. "What we're looking at really is the bank robber of 2009. They don't use a gun, they have lots of helpers, their [profits] are huge, and the likelihood anyone will catch them seems to be extremely slim." washingtonpost

Duo Stole VA. Senator's Identity, Bought Marijuana

 Authorities are currently searching for two people who police say stole the identity of a Virginia State senator, and used his money to buy drugs, a bong and dinner.

After investigating, the Virginia State Police contacted the CHP after they found out the senator's personal information was being used in the Sacramento area.

After further investigation, authorities discovered that Sky Manriquez, 21, and Bernell Bryan Washington, 24, opened several credit cards in the senator's name.

The duo also changed the senator's address to a place located on Fulton Avenue. After serving a search warrant to the address, investigators recovered several items of evidence including receipts which indicated the suspects purchased medical marijuana using the senator's fake accounts.

Thursday, May 20, 2010

FBI Promises Action Against Money Mules

The FBI’s top anti-cyber crime official today said the agency is planning a law enforcement action against so-called “money mules,” individuals willingly or unwittingly roped into helping organized computer crooks launder money stolen through online banking fraud.

Patrick Carney, acting chief of the FBI’s cyber criminal section, said mules are an integral component of an international crime wave that is costing U.S. banks and companies hundreds of millions of dollars. He said the agency hopes the enforcement action will help spread awareness that money mules are helping to perpetrate crimes.

Ten Ways to Protect Your Network From Insider Threats

Insiders -- people who work within your organization -- pose a huge potential security risk. That's because while hackers and other outsiders have to break in to your network and gain access to systems and data, many insiders have valid credentials to log on quite legitimately and access the systems and data they need to carry out their jobs.

Unless appropriate steps are taken, it can be quite trivial for employees to copy your confidential data on to a memory stick and walk out the door, install a logic bomb to destroy data in the future, or set themselves up with login credentials to ensure that they have access to your systems even after they have left your employment.

Here are ten things you can do to protect your network:

Wednesday, May 19, 2010

Valley restaurant dumps years worth of sensitive information in dumpster

“Last name Taylor, first name Gary, social security number 569…“

Tom Rezler is a business owner in this Tempe shopping center and can't believe what he recently found in nearby garbage dumpsters.

Thousands of pages of sensitive information apparently disposed of by a neighboring business called The Vine Tavern and Eatery.

“As a patron of the Vine and having used my credit card hundreds of times in there, I'm a little upset that my information is now privy to anyone that can find this stuff,” Rezler said.

The documents included people's names, social security numbers and dates of birth from restaurant applications.

There were checks with banking information and also credit card receipts from Vine customers, receipts that revealed a person's entire credit card number. azfamily

Privacy expert: It's good PR to say no to the government

A leading privacy researcher is urging companies to say no to government requests for data, arguing that it's good for business.

"Or rather, saying yes can be really bad for business," said Chris Soghoian, an Indiana University PhD candidate and security and privacy researcher.

Speaking on Monday at a Law Seminars International event in Seattle, Soghoian offered companies tips for handling law enforcement requests for data.

Consumers do care about their privacy and their reaction to news about companies that too willingly help the government access their data -- or resist such requests -- proves it, he said.

For instance, in 2005 it was revealed that a few years earlier the National Security Agency had illegally asked telecom providers to install wiretap equipment in their facilities. Qwest said no. "When the news came out, there was widespread praise for that company and the strong position they took, whereas AT&T and the others were criticized," he said.

In 2004 airline JetBlue voluntarily provided customer data to the Department of Defense. The action led to a lawsuit that was ultimately thrown out, "but in the meantime their name was dragged through the mud," he said.

In addition to bad publicity, such incidents aren't cheap. "Not only do government requests lead to loss of reputation but when you get sued by civil liberties groups and your customers, the government won't pick up the tab," he noted.

In another instance, the Department of Justice asked search engines to reveal information about search terms. Most of the big search engines complied but Google declined, not on privacy grounds but citing proprietary information, he said. "If you ever have the fortune to discuss privacy with a Google privacy person barely two minutes will go by before they tell you about the time they said no to the DOJ. They receive thousands of requests a year that they say yes to, but this one instance they've been able to trumpet," he said.

A lawyer who spoke at the conference on Monday agrees that resisting data requests can be good for business. There is increasing scrutiny from consumer groups about privacy issues and companies may be able to maintain competitive differentiation if they are careful about law enforcement requests and if they are open about their policies, said Daniel H. Royalty, a lawyer at K&L Gates in Seattle. "It may be that increasing transparency in this space can lead to differentiation." .computerworld

Research: 1.3 Million Malicious Ads Viewed Daily

The true extent of the malvertizing scourge became much clearer this week with the release of new research by Dasient which shows that about 1.3 million malicious ads are being viewed online everyday, most pushing drive-by downloads and fake security software.

Dancho Danchev sums up the findings from the research:

•The probability of a user getting infected from a malvertisement is twice as likely on a weekend and the average lifetime of a malvertisement is 7.3 days.

•97% of Fortune 500 web sites are at a high risk of getting infected with malware due to external partners (such as javascript widget providers, ad networks, and/or packaged software providers).

•Fortune 500 web sites have such a high risk because 69% of them use external Javascript to render portions of their sites and 64% of them are running outdated web applications.

Malicious ad attacks targeting high-profile websites have been on the rise recently with the New York Times and Gawker media among the victims.


LifeLock CEO said to be victim of identity theft 13 times

Publicly posting SSN resulted in Todd Davis' identity being misused.

A CEO who publicly posted his Social Security number on billboards and in TV commercials as part of a campaign to promote his company's credit monitoring services was the victim of identity theft at least 13 times, a news report says.

LifeLock CEO Todd Davis appears in a TV ad for his company.The Phoenix New Times reported that Todd Davis, CEO of LifeLock Inc. in Tempe, Ariz., was victimized numerous times by identity thieves who apparently used his Social Security number to commit various types of fraud.

Davis previously admitted that he was the victim of identity theft once in 2007, when a man in Texas used his Social Security number to take out a $500 loan that ended up being handled by a collection agency.

The New Times reported that Davis has been a victim of identity theft at least a dozen more times.

Among the examples cited in the report was one involving a thief in Albany, Ga., who opened an AT&T wireless account in Davis' name and used it to rack up more than $2,300 in charges.

In another instance, an individual used Davis' identity to open an account with Centerpoint Energy, a Texas utility, and left behind $122 in unpaid bills, the report said.

It also cited examples in which individuals who had stolen Davis' identity owed more than $573 to a bank and $312 to a gift basket company.

The numerous incidents belie LifeLock's claims that the services it offers protects consumers against identity theft and fraud, the report noted. computerworld

Don't be surprised if more businesses start asking you for identification

It's part of an effort to protect against identity theft.

Be prepared to pull out your driver's license on your next visit to the dentist. And don't be surprised if a retailer asks for a birth date or mother's maiden name if it's giving you credit for your big-ticket purchase.

They're just following federal rules to protect consumers from identity theft. Beginning next month, a wide range of businesses — auto dealers, cell phone companies, real estate agents, mortgage brokers, utilities and health care providers — must start complying with "Red Flag Rules." The rules are meant to stop fraud before it happens by requiring certain businesses to look for signs that customers might be imposters and, if there are signs that they are, to take action. baltimoresun

Tuesday, May 18, 2010

Kaiser worker fired after patient data drive stolen

A Kaiser Permanente employee was fired last month after a computer storage drive, containing information on 4,000 Sacramento-area patients, was stolen from a car parked at her home, hospital officials reported Tuesday.

The external drive contained data on as many as 15,500 Northern California patients, according to a statement from the hospital's vice president for compliance and privacy, Kristin Chambers. She said the patients were notified. She considered the breach "low risk."

Data Breach - CA Department of Health Care Services

In a news release, the department said that letters it mailed a week ago to 49,352 beneficiaries wrongly included those patients' Social Security Number on address labels. The Department said the incident took place February 1, 2010.

Mary's Pizza hit by hackers

Patrons of Mary's Pizza in downtown Sonoma will be alerted this week that their credit card numbers may have been stolen by an international computer hacker.

Vince Albano, chief executive officer for the 18-store chain, expects to receive a report by Friday detailing the breadth and timing of the breach.

Once that is known, Albano plans to take out newspaper ads to warn diners who ate at the Spain Street outlet during that period that they might want to cancel their credit cards and get new ones.

Albano said his company doesn't have the ability to notify potential victims directly because the credit card companies won't release their names.

The breach was first discovered by the restaurant's in-house technology expert on Feb. 10 after friends and customers called to complain about errant charges on their credit cards, Albano said. He hired a Chicago-based high-tech forensics firm, Trustwave, to pinpoint the problem.

“Trustwave said they traced it to Russia but I also heard it may be Luxembourg,” Albano said of the suspected location of the hacker.

Albano said his company immediately notified banks and credit card companies of the breach to stop further illegal charges to his customers. pressdemocrat

Computer theft raises fraud concern at Cal State L.A.

Cal State Los Angeles has notified 232 former students that a computer stolen from the mathematics department office last month may have contained personal information such as their Social Security numbers and grades.

While officials said they did not know whether the information has been used for any attempted fraud or identity theft, they said they told the former students to notify credit bureaus and law enforcement about any suspicious activity. A toll free number, (800) 883-4029, has been established to provide additional information. latimesblogs

California - St. Jude patients' data stolen on computers

Police are investigating the theft at St. Jude Heritage Medical Group.

St. Jude Heritage Healthcare in Fullerton has notified about 22,000 patients that their personal health data might have been accessed after five computers were stolen.

Heritage, which is affiliated with St. Jude Medical Center, sent letters about the theft last week, according to hospital spokeswoman Dru Ann Copping.

The stolen data was password protected but not encrypted. Patient information might have included Social Security numbers, date of birth and diagnosis. Heritage is offering fraud monitoring services to those patients, who are also urged to put fraud alerts on their credit files.

Fullerton police are investigating. In all, 22 computers were stolen, but only five contained patient records. Earlier this year, Heritage started encrypting medical data, but the process hasn't been completed.


Navy took more than a year to announce personal data breach

In case of danger or a natural disaster, the U.S. Navy can rapidly dispatch troops, fighter jets or relief supplies to troubled areas around the world.

So why did it take the Navy 17 months to inform employees at the Naval Facilities Engineering Service Center in Port Hueneme, Calif., that their Social Security numbers had been inadvertently released?

The information was sent in May 2008 to three other employees whose security access had been suspended for reasons unrelated to the information breach.

E-mails obtained by The Washington Post indicate that Navy officials quickly realized employees should be informed. But that was not done until October 2009. The names of those sending and receiving the messages were blocked out, but their offices, and in some cases their positions, were not.

An e-mail dated June 6, 2008, to the chief of naval operations and the Navy's chief information officer, among others, cites a report from a month earlier on personally identifiable information and reads, "A list of employees was generated (128) that reflected the names, social security numbers and perceived security clearance issues relating to each of named employees."

The June 6 e-mail says there was no criminal activity involved, though the Navy's general counsel was notified. It also says that the personal data are confidential and that their use is restricted. A June 9 e-mail from a Navy "privacy team leader" says the employees "must be issued letters stating that they are at increased risk for identity theft due to the high risk nature of PII [personally identifiable information] that was compromised." This note even indicates where a sample letter can be found on the Navy's Web site.

But the 244 employees -- subsequently increased from 128 -- were not notified until much later. washingtonpost

Improper disposal of hundreds of loan applications raises security concerns

A cleaning crew mistakenly tossed the unshredded documents in a garbage bin

PLEASANT HILL — The financial and personal details of about 300 property-loan applicants were compromised when confidential documents were mistakenly tossed into an outdoor waste bin.

The paperwork, belonging to FHG Finance, a home loan business at 548 Contra Costa Blvd., was discarded last week by a cleaning crew hired to clear out a portion of the building where FHG is based, an official at the business said.

The documents, which contained bank account and Social Security numbers, were found by employees at a neighboring store, who alerted FHG. The company secured the trash bin with a padlock until the documents could be shredded.

Broker Walter Rook, vice president of FHG, described it as a close call.

"It definitely could have caused problems "... from any of these people who go bin diving, looking for account information," Rook said.

Rook said his business used to share space with another loan company, which closed more than a year ago.

He had accumulated at least 32 boxes of old documents that he stored in the vacated space, in preparation to shred them.The documents represented about 300 clients from 2003 to 2007. "You have to hold them for three years before you can destroy them," he said.

But Rook was unprepared April 28, when the building's owner hired a crew to clean out the vacated space.
The two cleaners came into Lamps Plus and asked store manager Rachel Rainey if they could throw several boxes of paper into the store's outdoor recycling bin. She gave permission.

After the men left, another employee noticed the recycled documents were loan applications. They included copies of driver's licenses and credit reports, Rainey said.

"The loan applications were very, very detailed," she said. "Every single thing you can think of to start a loan."

Concerned about the apparent mishandling of the documents, Rainey alerted Rook.

"If the Lamps Plus people wouldn't have told me, I would have never known," he said. "Thank God they came over."

Too late in the business day to do anything more, Rook put a padlock on the recycling bin and fretted through the night about the sensitive contents inside.

In the morning, the bin was emptied and a Walnut Creek shredding company destroyed all of the contents.

But later that day, Lamps Plus employees found several more boxes of loan documents in a nearby garbage bin.

"We did the right thing and decided to shred the rest of the papers ourselves," Rainey said.

The activity took eight hours.

The Times could not contact the owner of the property, who Rook said was out of the country. The property management company, Central Real Estate, did not return phone calls seeking comment.

Typically, businesses that share office space are notified by the owner or property management company when entry will be made and cleaning will be done, said Amy Callaghan, a property manager at Colliers International in Walnut Creek.

"To just call someone and say, 'dump whatever you see in there,' it's not a standard procedure," she said. "But every owner handles things differently."

Facebook users warned about 'sexiest video' attack

Lured by the promise of the "sexiest video ever," hundreds of thousands of Facebook users found their PCs infected by adware over the weekend.

More Hardware InsightsWhitepapersEconomizer Fundamentals: Smart Approaches to Energy-Efficient Free-Cooling for Data Centers Stretching the Software Budget: A Practical Guide to Enterprise License Optimization AnalyticsVirtual Servers, Real Risks Private Clouds On The Horizon Videos

Watch demos of Intel's webpad-based Health Guide for seniors, at the New York City launch of Intel's $250-million alliance with GE.Unsuspecting users clicked on a thumbnail showing a miniskirt-clad woman on an exercise bike, apparently posted on their Facebook page by a friend. Instead of seeing the video, users were told they did not have the correct software installed and were directed to download the necessary application. Then, instead of accessing video software, users downloaded popup-spewing adware, according to security software developer Sophos.

The malware uses Hotbar, a toolbar that connects to Internet Explorer and Windows Explorer, and connects users with paid ads and search engines, according to Switched. The toolbar also may gather personal data and download other updates from its server.

"You may want to watch a sexy video, but you're more likely to end up being plagued by pop-up advertising," said Graham Cluley, a senior technology consultant at Sophos, told The Economic Times. "It's no surprise that your friends might click to watch the movie when it looks to all intents and purposes that you are the person who has sent it to them."

In fact, more than 300,000 users reported the problem to AVG Technologies, said Roger Thompson, chief research officer at the developer of free anti-virus software.

"This latest issue really underscores how powerful, while at the same time vulnerable, social networking applications are. This attack was actually stunning in terms of scale,” he said. “Facebook is very responsive to threats when we identify them, and removing these applications as soon as they find them, but they’re still able to generate huge traffic, just because of the viral nature of social networks. It is staggering how many threats were propagated before they were stopped.”

Within 15 hours of the attack, Facebook removed the application, Thompson said. In a "Tip of the Week" on Monday, Facebook cautioned account-holders not to click on suspicious-looking links, even if they'd apparently been sent or posted by a friend.  informationweek

Sunday, May 16, 2010

Many businesses not yet ready for June 1 deadline

Many small businesses have delayed implementing the identity theft “red flags” rules despite the approaching June 1 deadline — not because they don’t know about them, but because there have been so many extensions to the deadline that companies have put them on the back burner.

The enforcement deadline has been extended several times since the original date of November 2008 to give businesses more time to comply.

“The topic has fallen off the radar. When it got extended last year, people thought ‘OK, there’s no rush.’ I would say there are still a lot of businesses not ready for the deadline,” said Craig Strong, a regional director of human resources for the California Employers Association, a non-profit that advises employers on compliance issues.

Law firms, which the Federal Trade Commission said were covered by the rules, have successfully delayed compliance under a court ruling from a U.S. District Court in Washington, D.C., which is currently on appeal.

All other covered businesses, including accountants and doctors who are hoping to win exemptions, should assume they are covered and delay compliance at their peril, lawyers say.

“I suspect a lot of small businesses were hoping this ultimately wouldn’t happen,” said Tanya Forsheit, an attorney who co-founded InformationLawGroup in Los Angeles, Calif., a firm that advises businesses on privacy and data security compliance.

The rules require a written program for spotting and handling red flags that signal identity theft, training of employees and annual review of the policy.

Initially many businesses were confused by the broad definition of “creditor” and it came as a shock that this included not just banks and traditional lenders, but any business that allows customers or clients to defer payment for goods and services.

Although it’s still possible that the deadline will be extended yet again, lawyers are advising businesses to assume the rules will be enforced as of June 1.

“Everything that’s required is a good practice anyway,” said John Seiver, of counsel to Davis Wright Tremaine in Washington, D.C.

Small businesses

All businesses that bill for goods and services, except for those that deal with cash transactions, are covered.

Although most companies already have common sense rules about not leaving customer information lying around, “hardly any of them had a written procedure or policy specifically dealing with identity theft,” said Strong.

Small businesses without extensive in-house resources have found it challenging to comply with the specifics of the rules, such as the recommendations for data encryption, regular review and annual updates of the policy, procedures for responding to red flags, training of staff, and approval of the policy by the company’s board of directors. wislawjournal

Who's The Bigger Threat? Staff Or Cyber Criminals?

Internal staff have traditionally been viewed as a bigger threat to business security than external hackers. AVG (AU/NZ) looks at whether this still holds true given the increasing sophistication of cyber criminals.

Did You Know? A decade ago, viruses and other forms of malware were authored primarily by young, attention-seeking amateur coders Research by Verizon suggests 74 percent of data breaches are generated by external sources Figures cited by the World Economic Forum indicate that online theft alone in 2009 totalled around US$1 trillion

Conventional wisdom indicates that the biggest threat to most companies' IT networks comes from disgruntled employees rather than shadowy cyber criminals. Staff have access to passwords, and, in the case of the IT department, administrator privileges. What's more, they usually know what they are looking for and what it might be worth to a competitor.

The concept of the so-called 'insider threat' has been an enduring one in IT security circles and appears to be based in part on an early-nineties FBI study that concluded that 80 percent of IT security attacks were perpetrated by insiders. However, a lot has changed in 20 years - a millennium in Internet time. While once hackers and virus writers were often kids after kicks, today cyber crime has matured to become a huge business. Figures cited by the World Economic Forum indicate that online theft alone in 2009 totalled around US$1 trillion.

This effective 'industrialisation' of cyber crime may well have had an effect on perceptions of whether the 'insider threat' should still be the main priority when it comes to IT security. Organised criminal gangs intent on cracking into corporate networks in the same way they might target a bank vault may seem to be a more pressing threat than the odd wayward or disgruntled employee.

Lloyd Borrett, Marketing Manager at AVG (AU/NZ), explains why companies might want to reconsider where the bulk of their security resources are allocated. "A decade ago, viruses and other forms of malware were authored primarily by young, attention-seeking amateur coders (script kiddies or script bunnies) seeking to earn notoriety in underground hacker communities.

"The security landscape has, however, changed markedly during recent years. Organised criminal gangs realised that there was money to be made from malware and recruited skilled programmers to create malicious programs. These programs were not designed to cause disruption, but to enable the theft of money or data or both. This has led to the creation of an underground economy in which criminals can buy and sell data and the programs that are used to steal that data."

Why American’s Identities are Easily Stolen

Analysis: Technology exists to bolster security, but Americans and politicians are reluctant to use it.

We can fix this thing, but we won't because we don't want to be inconvenienced. I'm introduced to amazing technologies every week that will stop this. All they need is government support and system-wide adoption. Meanwhile, Chuck Schumer and Ed Markey and the rest of the grand standing poArtwork: Chip Taylorliticians scream about privacy and security issues when they see an opportunity for publicity, but their follow-through is less than satisfactory.

We use easily counterfeited identification, Social Security numbers that are written on the sides of buses and we rely on the anonymity of the phone, fax, internet and snail mail as a means of application. (See also our cybersecurity quiz.)

In other countries they solve problems. They have priorities and don't deal with the rhetoric. They put security first, convenience secnd.

International Solutions

Cedric Pariente from B32Trust tells us that in Paris, France you need to open an account first before a loan is granted by a bank. In order to do so, you need to provide them with a printed copy of your ID card and proof that you still live where you claim to live (last electricity bill usually.) Then they can check your credit history and decide to grant you with a loan or not. Most of the time, they just check that your debt is not over 30% of your income. You have to be a bank client. Doesn't seem they allow phone, fax, internet or snail mail transaction when granting credit.

In the UK, Keith Appleyard echoed something similar to France's system: you have to present yourself in person with a Government-issued Photo ID such as Passport or Drivers License, plus a proof of address less than 3 months old, such as a bank statement or utility bill. Keith further explained the whole UK population had vetting their Identity Credentials and one of the last people to be vetted was the Queen of England, but she is not exempt. So she meets with her Bankers, but she doesn't have a Passport or Birth Certificate or Drivers License. So she asks them to take a Sterling Currency note out of their wallet, points to her picture engraved on the note, and says "yes, that's me". So they officially recorded the Serial Number on the Currency note as being her Identity Document. I think that process may need looking into. pcworld

Cyber Security Must Take Priority Over Facebook

With cyber war being termed a “lead pipe cinch,” it is right on center stage. Representatives of 27 countries have issued a document calling for a European Commission to do a feasibility study on the situation. One of their goals is to gain more ratifications of the Council of Europe’s Cybercrime Convention, the only international treaty covering computer crime.

This treaty requires countries to adopt cybercrime laws, have 24-hour contacts available for fast breaking investigations, and other important messages. Another goal is the revocation of Internet Protocol (IP) addresses. This document doesn’t exactly spell out the ministers’ objectives since it is already the practice for many Internet service providers (ISPs) to shut down Web sites showing bad behavior.

There is also a need for the binding of all of the European law enforcement agencies to deal with cybercrime and to evaluate and monitor preventive investigation measures. The aim, scope, and financial structure must also be considered. This puts them in the drivers seat with the U.S. waiting for the bus.

Facebook made changes to its privacy policies and the privacy advocates are swarming all over them. Sens. Charles Schumer, D-N.Y., Michael Bennet, D-Colo., Al Franken, D-Minn., and Mark Begich, D-Alaska, have taken issue with Facebook and want it to change its newly-asserted privacy policy. “Hundreds of millions of people use social networking sites like Facebook, MySpace, and Twitter 24/7,” Mr. Schumer said in a recent statement. “As these sites become more and more popular, however, it’s vitally important that safeguards are in place which provide users with control over their personal information to ensure they don’t receive unwanted solicitations. At the same time, social networking sites need to provide easy-to-understand disclosures to users on how information they submit is being shared.”

“Easy to understand disclosures?” Really, Senator?

Senators, this is a noble gesture, however, while your concerns regarding Facebook’s privacy policy is laudable, the entire Internet is faced with a Cyberwar. We, the people of the United States of America, are facing total shutdowns of our communication systems while you are considering censoring social site privacy. Without our success in this confrontation, we can end up with depleted American cyberspace and the social networks, per se, may disappear into oblivion. Before long, it won’t be Facebook, as you state, “looking like the Wild West,” it will be the Internet. thebulletin.

Saturday, May 15, 2010

U.S. airport security officers targeted in ID theft

BOSTON (Reuters) – A Massachusetts couple has been charged with stealing the identities of dozens of Transportation Security Administration officers, who screen passengers and baggage at U.S. airports.

A federal grand jury accused Michael Derring, 48, and Tina White, 47, on Wednesday of conspiracy and aggravated identity theft, alleging they stole personal information including the Social Security numbers of dozens of TSA workers at Boston's Logan International Airport.

While there was no indication the information was passed to any militant group that might be planning an attack, the case suggests federal officers are vulnerable to identity theft. The TSA is part of the U.S. Department of Homeland Security.

Caller ID spoofing used for harassment, fraud, critics say

It may seem like a harmless practical joke, but authorities say caller ID spoofing is increasingly being used for more sinister purposes than pretending to call your mother from the White House while disguising your voice.

It's been alleged that socialite Paris Hilton used ID spoofing to hack into actress Lindsay Lohan's voice-mail account.

New York City police say an identity-theft ring used it to obtain bank-account information and steal more than $15 million from 6,000 victims.

And a U.S. congressman has cited the case of a woman who posed as a pharmacist using the technology to trick a romantic rival into taking a drug used to cause abortions.

Launched online five years ago, the original caller ID spoofing service Spoofcard works much like a calling card.

It let users phone a number, and plug in the digits they want to show up on that person's caller ID.

Users also have the option to disguise their voice and record the phone conversation.

The president of TelTech Systems, which patented the technology and has since sold it to other service providers, estimates about 200,000 Canadians have used Spoofcard.

"It's a way that if somebody is avoiding your calls, you can really get them to pick up," said Meir Cohen.

Read more: vancouversun

Friday, May 14, 2010

UPDATE 1-U.S. struggles to ward off evolving cyber threat

WASHINGTON, May 12 (Reuters) - The United States is losing enough data in cyber attacks to fill the Library of Congress many times over, and authorities have failed to stay ahead of the threat, a U.S. defense official said on Wednesday.

More than 100 foreign spy agencies were working to gain access to U.S. computer systems, as were criminal organizations, said James Miller, principal deputy under secretary of defense for policy.

Terrorist groups also had cyber attack capabilities.

"Our systems are probed thousands of times a day and scanned millions of times a day," Miller told a forum sponsored by Ogilvy Washington, a public relations company.

He said the evolving cyber threat had "outpaced our ability to defend against it."

"We are experiencing damaging penetrations -- damaging in the sense of loss of information. And we don't fully understand our vulnerabilities," Miller said.

His comments came as the Obama administration develops a national strategy to secure U.S. digital networks and the Pentagon stands up a new military command for cyber warfare capable of both offensive and defensive operations.

The Senate last week confirmed National Security Agency Director Keith Alexander to lead the new U.S. Cyber Command, which will be located at Ft. Meade, Maryland, the NSA's headquarters.

Miller suggested the new organization, which is expected to be fully operational in October, had its work cut out for it.

Among its challenges are determining what within the spectrum of cyber attacks could constitute an act of war.

Miller said the U.S. government also needed to bolster ties with private industry, given potential vulnerabilities to critical U.S. infrastructure, like power grids and financial markets.


Hackers have already penetrated the U.S. electrical grid and have stolen intellectual property, corporate secrets and money, according to the FBI's cybercrime unit. In one incident, a bank lost $10 million in cash in a day.

"The scale of compromise, including the loss of sensitive and unclassified data, is staggering," Miller said. "We're talking about terabytes of data, equivalent to multiple libraries of Congress." reuters

Car hackers can kill brakes, engine, and more...

University researchers have taken a close look at the computer systems used to run today's cars and discovered new ways to hack into them, sometimes with frightening results.

In a paper set to be presented at a security conference in Oakland, California, next week, the security researchers say that by connecting to a standard diagnostic computer port included in late-model cars, they were able to do some nasty things, such as turning off the brakes, changing the speedometer reading, blasting hot air or music on the radio, and locking passengers in the car.

In a late 2009 demonstration at a decommissioned airfield in Blaine Washington, they hacked into a test car's electronic braking system and prevented a test driver from braking a moving car -- no matter how hard he pressed on the brakes. In other tests, they were able to kill the engine, falsify the speedometer reading, and automatically lock the car's brakes unevenly, a maneuver that could destabilize the car traveling high speeds. They ran their test by plugging a laptop into the car's diagnostic system and then controlling that computer wirelessly, from a laptop in a vehicle riding next to the car.

The point of the research isn't to scare a nation of drivers, already made nervous by stories of software glitches, faulty brakes and massive automotive recalls. It's to warn the car industry that it needs to keep security in mind as it develops more sophisticated automotive computer systems.

"We think this is an industry issue," said Stefan Savage, an associate professor with the University of California, San Diego. businessweek

Thursday, May 13, 2010

Well, These New Zuckerberg IMs Won't Help Facebook's Privacy Problems

Facebook CEO Mark Zuckerberg and his company are suddenly facing a big new round of scrutiny and criticism about their cavalier attitude toward user privacy.

An early instant messenger exchange Mark had with a college friend won't help put these concerns to rest.

According to SAI sources, the following exchange is between a 19-year-old Mark Zuckerberg and a friend shortly after Mark launched The Facebook in his dorm room:

Zuck: Yeah so if you ever need info about anyone at Harvard

Zuck: Just ask.

Zuck: I have over 4,000 emails, pictures, addresses, SNS

[Redacted Friend's Name]: What? How'd you manage that one?

Zuck: People just submitted it.

Zuck: I don't know why.

Zuck: They "trust me"

Zuck: Dumb f***s.


Could Mark have been completely joking? Sure. But the exchange does reveal that Facebook's aggressive attitude toward privacy may have begun early on.

Since Facebook launched, the company has faced one privacy flap after another, usually following changes to the privacy policy or new product releases. To its credit, the company has often modified its products based on such feedback. As the pioneer in a huge new market, Facebook will take heat for everything it does. It has also now grown into a $22 billion company run by adults who know that their future depends on Facebook users trusting the site's privacy policy.

But the company's attitude toward privacy, as reflected in Mark's early emails and IMs, features like Beacon and Instant Personalization, and the frequent changes to the privacy policy, has been consistently aggressive: Do something first, then see how people react.

Read more:


Wednesday, May 12, 2010

Thirty-Five Antivirus Programs Share Common Hole

A new attack technique has been described by (a project of Different Internet Experience Ltd.) which could allow a program to bypass the host intrusion detection and certain other protections provided by common Windows security software. Their report lists 35 security products on which they tested the technique; it worked on all of them.

diggThe technique is unrelated to the actual scanning functions of anti-malware programs. Such programs also attempt to block live attacks by software running on the system. In order to perform this monitoring on Windows security software "hooks" entries in the SSDT (System Service Descriptor Table), a table of handles for operating system calls. Calls to those operating system calls are dispatched to the security software which hooks it; that software examines the caller and parameters, looking for whatever problems it's looking for and dealing with them as need be; then it directly calls the operating system service that the application attempted to call.

By using multiple threads, the matousec technique can modify the parameters to the system call while the hooked process is executing, thus causing it to allow execution of a call with parameters different from those it tested. The nature of the attack is such that it can be executed purely from user-mode code, lowering the bar for getting running the attack on the system.

This sort of bug, not uncommon in multithreaded programming, is called a race condition, in which two threads contend for access to a shared resource and program logic breaks down as a result. Because the attack is sensitive to the execution state of the SSDT hooks, it doesn't work all the time. But the authors say that it often does work the first time and will work after a few tries in any event. They also say it is more reliable on multi-core processors.

The list of products found vulnerable is as follows:

3D EQSecure Professional Edition 4.2

avast! Internet Security 5.0.462

AVG Internet Security 9.0.791

Avira Premium Security Suite

BitDefender Total Security 2010

Blink Professional 4.6.1

CA Internet Security Suite Plus 2010

Comodo Internet Security Free 4.0.138377.779

DefenseWall Personal Firewall 3.00

Dr.Web Security Space Pro

ESET Smart Security

F-Secure Internet Security 2010 10.00 build 246

G DATA TotalCare 2010

Kaspersky Internet Security 2010

KingSoft Personal Firewall 9 Plus 2009.05.07.70

Malware Defender 2.6.0

McAfee Total Protection 2010 10.0.580

Norman Security Suite PRO 8.0

Norton Internet Security 2010

Online Armor Premium

Online Solutions Security Suite 1.5.14905.0

Outpost Security Suite Pro

Outpost Security Suite Pro 7.0.3330.505.1221 BETA VERSION

Panda Internet Security 2010 15.01.00

PC Tools Firewall Plus


Security Shield 2010

Sophos Endpoint Security and Control 9.0.5


Trend Micro Internet Security Pro 2010 17.50.1647.0000

Vba32 Personal

VIPRE Antivirus Premium 4.0.3272

VirusBuster Internet Security Suite 3.2

Webroot Internet Security Essentials

ZoneAlarm Extreme Security 9.1.507.000

Perhaps Microsoft had problems like this in mind when they attempted to ban all kernel patching in 64-bit versions of Windows several years ago. The feature which enforces this rule, called Kernel Patch Protection or PatchGuard, was objected to strongly by security software vendors, so Microsoft developed undocumented APIs to allow ISVs to get past PatchGuard and a policy for releasing the documentation.

Windows 7 'compatibility Checker' Is a Trojan

Scammers are infecting computers with a Trojan horse program disguised as software that determines whether PCs are compatible with Windows 7.

The attack was first spotted by BitDefender on Sunday and is not yet widespread; the antivirus vendor is receiving reports of about three installs per hour from its users in the U.S. But because the scam is novel, it could end up infecting a lot of people, according to Catalin Cosoi, the head of BitDefender's Online Threats Lab. "This actually works because of the interest in Windows 7," he said.

The scammers steal their marketing text directly from Microsoft, which offers a legitimate Windows 7 Upgrade Advisor in its Web site.

"Find out if your PC can run Windows 7," the e-mails read, echoing Microsoft's Web page. "This software scans your PC for potential issues with your hardware, devices, and installed programs, and recommends what to do before you upgrade."

Users who try to install the attached, zipped file end up with a back-door Trojan horse program on their computer. BitDefender identifies the program as Trojan.Generic.3783603, the same one that's being used in a fake Facebook password reset campaign.

Once a victim has installed the software, criminals can pretty much do whatever they want on the PC, Cosoi said. That could mean installing a keylogger to steal banking credentials or even gaining full access to the hacked system. pcworld

Tuesday, May 11, 2010

New malware attack laughs at your antivirus software

How do you get a malware exploit to bypass antivirus protection? By making it work the same way the antivirus software does.

A new exploit outlined this week is so effective, say researchers, that it can slip by “virtually all” antivirus protection undetected.

It works the same way an antivirus app does, by hooking directly into Windows and masquerading as harmless software. It tricks Windows by sending sample code to the OS, like any antivirus app that looks (and in reality is) completely benign, then at the last microsecond it swaps in malicious code, which is then executed.

If an antivirus application uses the traditional method of interacting with Windows — a system called SSDT — then it will be vulnerable to attack via this method. And they all use SSDT. As the researchers at noted during their investigation, “100 percent of the tested products were found vulnerable.” It didn’t matter if the user had administrator rights or not, the exploit was able to sneak through.

The good news is that the attack isn’t completely realistic, since the size of the code required would have to be large to work. A quickie download wouldn’t be possible, so the attack would likely have to find its way onto a target computer by other means. But that also worries researchers, since commonly downloaded software could be intentionally infected with the malware (the story above uses Adobe Reader as an example) and during installation your antivirus software wouldn’t bat an eyelash. The malware could actually uninstall your antivirus application in its initial volley, leaving you wide open to attack.

Sunday, May 2, 2010

Computer-Security Event Seeks to Spur Int'l Talks

As governments around the world amass armies of hackers to protect their countries' computer networks and possibly attack others, the idea of getting officials together to discuss shared threats such as cybercrime is challenging.

"You just don't pick up the phone and call your counterparts in these countries," said retired Lt. Gen. Harry Raduege Jr., former head of the federal agency responsible for securing the military's and the president's communications technologies. "They're always guarded in those areas, and they're always wondering if there's some other motive" behind the outreach.

So the idea behind an international security conference in Dallas this week is to get government officials, industry executives and others talking, informally, about where they might find common ground.

The Worldwide Cybersecurity Summit, organized by the EastWest Institute think tank, is different from some other big security conferences in that the focus isn't on hackers showing off their latest research or security-technology vendors connecting with customers. abcnews