Saturday, July 31, 2010

Smooth-talking hackers test hi-tech titans' skills

By Glenn Chapman (AFP) – 12 hours ago

LAS VEGAS, Nevada — Hackers at an infamous DefCon gathering are proving that old-fashioned smooth talk rivals slick software skills when it comes to pulling off attacks on computer networks.

A first-ever "social engineering" contest here challenges hackers to call workers at 10 companies including technology titans Google, Apple, Cisco, and Microsoft and get them to reveal too much information to strangers.

"Out of all the companies called today, not one company shut us down," said Offensive Security operations manager Christopher Hadnagy, part of the social-engineer.org team behind the competition that kicked off on Friday.

The team kept hackers within the boundaries of the law, but had them coax out enough information to show that workers would have unintentionally made it easier to attack networks.

Workers that unknowingly ended up on calls with hackers ranged from a chief technical officer to IT support personnel and sales people.

One employee was conned into opening programs on a company computer to read off specifications regarding types of software being used, details that would let a hacker tailor viruses to launch at the system.

"You often have to crack through firewalls and burn the perimeter in order to get into the internal organization," said Mati Aharoni of Offensive Security, a company that tests company computer defenses.

"It is much easier to use social engineering techniques to get to the same place."

Other companies targeted were Pepsi, Coca Cola, Shell, BP, Ford, and Proctor & Gamble.

The contest, which continues Saturday at DefCon and promises the winner an Apple iPad tablet computer, is intended to show that hardened computer networks remain vulnerable if people using them are soft touches.

"We didn't want anyone fired or feeling bad at the end of the day," Aharoni said. "We wanted to show that social engineering is a legitimate attack vector."

A saying that long ago made it onto T-shirts at the annual DefCon event is "There is no patch for human stupidity."

"Companies don't think their people will fall for something as simple as someone calling and just asking a few questions," Hadnagy said.

"It doesn't require a very technical level of attacker," Aharoni added. "It requires someone with an ability to schmooze well."

One worker nearly foiled a hacker by insisting he send his questions in an email that would be reviewed and answered if appropriate.

The hacker convinced the worker to change his mind by claiming to be under pressure to finish a report for a boss by that evening.

"As humans, we naturally want to help other people," Hadgagy said. "I'm not advocating not helping people. Just think about what you say before you say it."

Companies that got word of the social engineering contest before DefCon called in the FBI, which was assured by the event organizers that nothing illegal was afoot.

Information about "exploiting human vulnerabilities" was available at the social-engineer.org websit.

Attacking the edges of secure Internet traffic

By JORDAN ROBERTSON (AP)

LAS VEGAS — Researchers have uncovered new ways that criminals can spy on Internet users even if they're using secure connections to banks, online retailers or other sensitive Web sites.

The attacks demonstrated at the Black Hat conference here show how determined hackers can sniff around the edges of encrypted Internet traffic to pick up clues about what their targets are up to.

It's like tapping a telephone conversation and hearing muffled voices that hint at the tone of the conversation.

The problem lies in the way Web browsers handle Secure Sockets Layer, or SSL, encryption technology, according to Robert Hansen and Josh Sokol, who spoke to a packed room of several hundred security experts.

Encryption forms a kind of tunnel between a browser and a website's servers. It scrambles data so it's indecipherable to prying eyes.

SSL is widely used on sites trafficking in sensitive information, such as credit card numbers, and its presence is shown as a padlock in the browser's address bar.

SSL is a widely attacked technology, but the approach by Hansen and Sokol wasn't to break it. They wanted to see instead what they could learn from what are essentially the breadcrumbs from people's secure Internet surfing that browsers leave behind and that skilled hackers can follow.

Their attacks would yield all sorts of information. It could be relatively minor, such as browser settings or the number of Web pages visited. It could be quite substantial, including whether someone is vulnerable to having the "cookies" that store usernames and passwords misappropriated by hackers to log into secure sites.

Hansen said all major browsers are affected by at least some of the issues.

"This points to a larger problem — we need to reconsider how we do electronic commerce," he said in an interview before the conference, an annual gathering devoted to exposing the latest computer-security vulnerabilities.

For the average Internet user, the research reinforces the importance of being careful on public Wi-Fi networks, where an attacker could plant himself in a position to look at your traffic. For the attacks to work, the attacker must first have access to the victim's network.

Hansen and Sokol outlined two dozen problems they found. They acknowledged attacks using those weaknesses would be hard to pull off.

The vulnerabilities arise out of the fact people can surf the Internet with multiple tabs open in their browsers at the same time, and that unsecured traffic in one tab can affect secure traffic in another tab, said Hansen, chief executive of consulting firm SecTheory. Sokol is a security manager at National Instruments Corp.

Their talk isn't the first time researchers have looked at ways to scour secure Internet traffic for clues about what's happening behind the curtain of encryption. It does expand on existing research in key ways, though.

"Nobody's getting hacked with this tomorrow, but it's innovative research," said Jon Miller, an SSL expert who wasn't involved in the research.

Miller, director of Accuvant Labs, praised Hansen and Sokol for taking a different approach to attacking SSL.

"Everybody's knocking on the front door, and this is, 'let's take a look at the windows,'" he said. "I never would have thought about doing something like this in a million years. I would have thought it would be a waste of time. It's neat because it's a little different."

Another popular talk at Black Hat concerned a new attack affecting potentially millions of home routers. The attack could be used to launch the kinds of attacks described by Hansen and Sokol.

Researcher Craig Heffner examined 30 different types of home routers from companies including Actiontec Electronics Inc. and Cisco Systems Inc.'s Linksys and found that more than half of them were vulnerable to his attack.

He tricked Web browsers that use those routers into letting him access administrative menus that only the routers' owners should be able to see. Heffner said the vulnerability is in the browsers and illustrates a larger security problem involving how browsers determine that the sites they visit are trustworthy.

The caveat is he has to first trick someone into visiting a malicious site, and it helps if the victim hasn't changed the router's default password.

Still: "Once you're on the router, you're invisible — you can do all kinds of things," such as controlling where the victim goes on the Internet, Heffner said.

Tuesday, July 27, 2010

Preserving Innovation While Ensuring Security, Confidence in System

The Commerce Department's Internet Policy Taskforce on Wednesday will formally seek viewpoints from stakeholders on how best the public and private sector can preserve innovation in an Internet economy while ensuring security and confidence in the system.

Commerce Secretary Gary Locke unveiled the notice of inquiry at a symposium Tuesday on Internet security sponsored by the taskforce, where he also addressed departmental efforts to help build confidence in the Internet so that identity and personal information will be secured for consumers; intellectual property won't be stolen for businesses; and trade, technology and military secrets will be safe from adversaries for government.

"Let's be blunt - because the Internet was initially designed for convenience and reliability, instead of with security as a top priority - we are fighting an uphill battle," he said.

Citing a recent study published by IT security vendor Symantec, Locke painted a gloomy picture of Internet security, noting that malicious activity is increasingly flowing out of countries where broadband and information technology penetration is growing the fastest, advanced persistent threats focused on large enterprises are becoming more common as thieves seek customer data, financial information and intellectual property assets; and, mass-market attacks - those that small businesses and consumers usually fall prey to - continue to evolve in their sophistication.

Saturday, July 24, 2010

Santa Cruz, Calif. Mayor Has Laptop Stolen From Office

Posted: Monday, February 1, 2010

A burglar broke into Santa Cruz Mayor Mike Rotkin's office and took his city-issued laptop computer.
Police said the thief used a rock to break an office window and then took the computer.

Rotkin said he doesn't think anyone was specifically targeting him, and that there was nothing of importance kept on the computer.

"I think it was close to a window and somebody desperate saw it and decided to break the window and take the computer," Rotkin said. "I never used the computer. I had nothing on it."

The cost of the computer and the damage done to the office is about $1,500.

City Hall does have security cameras but there aren't any aimed on the mayor's office.

Monday, July 19, 2010

VeriSign 'Trusted' Service Now Scans Sites for Malware

VeriSign said Monday that it has begun to add a "VeriSign Trust Seal" logo to search results and on Web sites, that can be used to verify that a site does not harbor malware.

VeriSign already places a logo on some sites that tells the user that it has secured the site via an SSL certificate. The "VeriSign Trusted" logo now also means that the site is checked on a daily basis to see if an attacker was able to penetrate its security and inject malware that would then be downloaded by the site's customers.

A related "Seal-in-Search" technology will place a VeriSign logo next to search results, including Google, alerting users that VeriSign has certified the site as safe to visit, where malware is concerned.

"In the face of increasingly elaborate attacks and fraud schemes, web sites need solutions that do more than data encryption," said Tim Callan, vice president of product marketing at VeriSign. "By enhancing our SSL Certificate services with new features that instill trust at every step of the online experience—at no additional charge to our customers—we're delivering a more robust and value-driven solution. In the process, we're redefining what web sites should expect from online security."

Saturday, July 17, 2010

.94 charged in Medicare scams totaling $251M

MIAMI – Elderly Russian immigrants lined up to take kickbacks from the backroom of a Brooklyn clinic. Claims flooded in from Miami for HIV treatments that never occurred. One professional patient was named in nearly 4,000 false Medicare claims.

Authorities said busts carried out this week in Miami, New York City, Detroit, Houston and Baton Rouge, La., were the largest Medicare fraud takedown in history — part of a massive overhaul in the way federal officials are preventing and prosecuting the crimes.

In all, 94 people — including several doctors and nurses — were charged Friday in scams totaling $251 million. Federal authorities, while touting the operation, cautioned the cases represent only a fraction of the estimated $60 billion to $90 billion in Medicare fraud absorbed by taxpayers each year.

For the first time federal officials have the power to overhaul the system under Obama's Affordable Care Act, which gives them authority to stop paying a provider they suspect is fraudulent. Critics have complained the current process did nothing more than rubber-stamp payments to fraudulent providers.

"That world is coming to an end," Health and Human Services Secretary Kathleen Sebelius told The Associated Press after speaking at a health care fraud prevention summit in Miami. "We've got new ways to go after folks that we've never had before."

Officials said they chose Miami because it is ground zero for Medicare fraud, generating roughly $3 billion a year. Authorities indicted 33 suspects in the Miami area, accused of charging Medicare for about $140 million in various scams.

Suspects across the country were accused of billing Medicare for unnecessary equipment, physical therapy and other treatments that patients never received. In one $72 million scam at Bay Medical in Brooklyn, clinic owners submitted bogus physical therapy claims for elderly Russian immigrants.

Patients, including undercover agents, were paid $50 to $100 a visit in exchange for using their Medicare numbers and got bonuses for recruiting new patients. Wiretaps captured hundreds of kickback payments doled out in a backroom by a man who did nothing but pay patients all day, authorities said.

The so-called "kickback" room had a Soviet-era propaganda poster on the wall, showing a woman with a finger to her lips and two warnings in Russian: "Don't Gossip" and "Be on the lookout: In these days, the walls talk."

With the surveillance, the walls "had ears and they had eyes," U.S. Attorney Loretta Lynch said at a news conference in Brooklyn.

Wednesday, July 14, 2010

Mercury News editorial: California should outlaw online impersonation

Impersonating someone with the intent to harm, intimidate, threaten or defraud is illegal in California — except when it's done online. Existing state law, written in 1872, didn't anticipate the existence of Facebook, MySpace or a host of other Internet sites that unintentionally created new ways to harm innocent victims.

State Sen. Joe Simitian has a solution. His SB 1411 would make it a misdemeanor to maliciously impersonate another person online. The Legislature should pass the Palo Alto Democrat's bill, and Gov. Arnold Schwarzenegger should sign into law legal protections against online abuse.

It's sad that Simitian's law is necessary. But online abuses are a growing problem for students, teachers, businesspeople, politicians and people of all ages who are in relationships that have gone amiss.

Facebook and MySpace accounts can be shut down when a problem arises. But when they are created with the intent to do damage, there should be a price. Simitian's law, which includes provisions to protect legitimate forms of free speech, would carry up to a $1,000 fine and/or up to a year in jail.

Sacramento can't legislate good behavior. But it can and should protect Californians from being further damaged by impersonators who are up to no good.

Puerto Rico Birth Certificates Reissued

The Government of Puerto Rico has extended the validity of current Puerto Rico birth certificates for three months, through Sept. 30, 2010. Puerto Rico is reissuing all birth certificates because of identity theft problems starting on July 1st.

There is a huge problem with Puerto Rico-issued birth certificates being used to unlawfully obtain U.S. passports, Social Security benefits, and other federal services.

The government admits that hundreds of thousands of original birth certificates were stored without adequate protection, making them easy targets for theft.

About 40 percent of the passport fraud cases involve birth certificates of people born in Puerto Rico.

The Vital Statistics Record Office will begin issuing new birth certificates incorporating what it calls "state-of-the-art" technology to limit the possibility of forgery.

The government of Puerto Rico recommends that only people who have a specific need for their birth certificate request a new birth certificate.

People who want a copy of the new birth certificates for their records are asked to wait to avoid a rush of applications.

The new birth certificates will cost $5.

Identity Theft Cases Up 23% 2005-7; 3% Of Households Hit

The number of U.S. households with at least one member who experienced one or more types of identity theft increased 23 percent from 2005 to 2007, says the U.S. Bureau of Justice Statistics. A new compilation from the agency says that in the period studied, the number of households that experienced credit card theft increased by 31 percent and the number that experienced multiple types of theft during the same episode increased by 37 percent.

BJS said that during a six month period in 2008 which identity theft victimization data was collected as part of the regular nationa crime victimization survey, 3.3 percent of households discovered that at least one member had been a victim of one or more types of identity theft. Households with incomes of $75,000 or more experienced a higher rate of identity theft than did households in lower income brackets.

E-Verify law

The Utah Legislature passed a law this year requiring employers to use the federal E-Verify system to confirm the eligibility of new employees to work in the United States legally. But because the law does not include any penalties, businesses have been slow to use it, essentially ignoring the law. However, before Utah imposes penalties, the Legislature should look much more deeply into this system.

E-Verify is an Internet-based system operated by U.S. Citizenship and Immigration Services. It compares information that an employee provides on a Form I-9 ( Employment Eligibility Verification) to records from the U.S. Department of Homeland Security and Social Security Administration. It confirms whether the information provided by the employee, such as name, date of birth and Social Security number, matches government data.

In most cases, E-Verify will instantly confirm the employee’s work authorization, according to USCIS. Sometimes, however, a manual search is required. If the employee information does not match government records, the employer must make sure he has not made a mistake in entering the information, and he must inform the employee of how to contact the agency to clear up or appeal the result.

At the time the bill was being debated, we argued that it made little sense to require employers to use a system whose accuracy was questionable. According to one study, E-Verify fails to identify illegal status about 54 percent of the time. But reliable statistics about the system’s accuracy are hard to find. Some reports suggest that E-Verify correctly identifies people who are eligible to work about 96 percent of the time. The 3.5 percent who fail happens to roughly correspond with the 5 percent of the work force that some studies estimate are in the country illegally. Identity theft also skews any statistics on reliability. In fact, E-Verify may actually encourage identity theft, since a person who presents himself for employment as someone else with valid government data would not be caught by the system.

Prediction: Obamacare 1099 Provisions Will Lead To Identity Theft Explosion

Public Law 111-148, the Health Care Reform Act, contains a number of revenue raising provisions buried in the back of the legislation. In my judgment, the new IRS Form 1099 requirements found in Section 9006 of this law will have the unintended consequence of leading to an explosion of identity theft!

The basic changes to Form 1099 requirements incorporated in this law take effect at the beginning of 2012. They require that all businesses tabulate payments for goods and services from non-governmental agencies and send a 1099 Form to the recipient if the total exceeds $600 for the entire calendar year.

Current 1099 law exempts sending of 1099 Forms to most corporations, but the new law requires accumulating and reporting payments to corporations as well. Further, current law is largely limited to the reporting of payments for services, not goods. The new law expands coverage to all goods and services. It appears that 1099 Forms will now be required to report the same information provided on W-2 Forms that report employee compensation.

What this means for the millions of businesses in the US is that they will have to obtain confidential tax information from almost anyone who provides a good or service, even if the first transaction in a calendar year is under $600, in order to avoid paying a penalty if a 1099 Form is eventually required. Once this information is obtained, each of the businesses must follow the legal requirements for protecting this confidential information in order to avoid a penalty for violating these regulations.

Senators try again on identity theft bill

Senators Tom Carper (D-Del.) and Bob Bennett (R-Utah) re-introduced a bill Wednesday that would require companies to notify consumers when their personal information has been stolen.

“At the very least, identity fraud can cause worry and confusion, and at the very most it can cause serious financial harm,” Carper said. “We need to replace the current patchwork of state and federal regulations for identity theft with a national law that provides uniform protections across the country.”

The bill would replace a system of state data breach notification laws with a national framework clarifying what constitutes personal or sensitive information — any information that can be used to steal from a consumer, commit identity theft, or be used for other criminal activities. The bill also requires organizations to notify consumers within a reasonable timeframe if their information has been breached.

Carper and Bennett have introduced similar legislation in previous sessions, but a senior Senate aide said the current focus on cybersecurity makes this their best chance of getting the bill passed. The aide also said the Obama administration recognizes the severity of the identity theft problem and is anxious to find a solution.

The legislation would apply to any organization that collects private or sensitive information from the public, including businesses, schools and government institutions. The bill requires that the organizations disclose all breaches but does not introduce any new penalties if they fail to do so.

Instead the lawmakers rely on existing regulations that require companies to adequately protect consumer information or face fines, public notification, or other regulatory penalties. Enforcement will fall to various regulatory agencies, depending on the sector in which the breach occurs; financial institutions that lose customer information must notify the Securities and Exchange Commission or Federal Deposit Insurance Corporation, while other groups may report to the Federal Trade Commission.

“We live in an Information Age where technology provides greater ease and business opportunities for Americans, but also increases the ability for criminals to exploit any weak link in the cyber-world,” Bennett said. “In the event that protection is violated, putting victims of identity theft or account fraud at risk, [the bill] provides a much needed uniform national standard for data security and breach notification.”

Malware Support Even Better than Security Vendors

Is your rogue antimalware product not meeting your expectations? Perhaps you should contact support.

Nicolas Brulez of Kaspersky recently blogged about how some of these gangs are offering tech support with their products that has live chat, e-mail, phone, and even multiple languages.

We've truly stepped through the looking glass now, especially when you consider all the legitimate products that don't offer support this good. It says something about how much money is still being made by rogue products. It also says something about how affordable outsourced support using scripted response is.

And according to Kaspersky the support, including the live chat, really is with real people, not a bot. If you have trouble with English, the chat tells you (in English) to send your support request to a particular e-mail address, and then you receive support in your native language. Some of the rogues have native language support based on the language of your Windows version. No word on which languages are supported, but put your money on Russian.

Utah agencies probe alleged illegal immigrant list

SALT LAKE CITY -- State agencies are investigating whether any of their employees leaked Social Security numbers and other personal information after a list of 1,300 people who an anonymous group claims are illegal immigrants was circulated around Utah.

The anonymous group mailed the list to several media outlets, law enforcement agencies and others this week, frightening the state's Hispanic community. A letter accompanying the list demanded that those on it be deported immediately.

Yahoo! BuzzThe list also contains highly detailed personal information such as Social Security numbers, birth dates, workplaces, addresses and phone numbers. Names of children are included, along with due dates of pregnant women on the list.

Republican Gov. Gary Herbert wrote in a tweet Tuesday that he has asked state agencies to investigate the list's origin.

"We've got some people in our technology department looking at it right now," said Dave Lewis, communication for the state Department of Workforce Services. "It's a high priority. We want to figure out the how's and why's."

Monday, July 12, 2010

Personal Documents Found In Dumpster,Sacramento Parks Department: This Shouldn't Have Happened

6-25-2010
About 100 people's personal information was thrown out along with unused, unopened books and learning materials, a KCRA 3 investigation revealed.

A KCRA 3 insider watched Sacramento Department of Parks and Recreation employees putting the materials in a Dumpster outside a parks building.

KCRA 3 found several folders with important documents. One contained names, Social Security numbers, phone numbers, birth dates, addresses, monthly incomes and even copies of driver's licenses dating back to 2005.

The documents themselves indicated the information provided would be kept confidential.

Instead, the KCRA 3 insider said he watched employees dumping the documents into an easily accessible bin. He has asked not to be identified.

"They didn't even check what was in it," he said. "I know a lot of people get cardboard from those bins. So, anybody really could have found it."

City Parks and Recreation spokesman Hindolo Brima said, by policy, the papers should have been shredded.

"This was not supposed to happen. Staff has been taught how to handle confidential material," Brima said. "We will be investigating. We will make sure this doesn't occur again."

In the same Dumpster were also boxes filled with learning materials for children's programs operated by Parks and Recreation. Other people who work in the area said they see waste frequently.