<strong>Cyber Security Girl Strikes Again!</strong> (blog by Tracy; feed updated 2024-03-10)<br />
Identity theft is the #1 fastest growing white collar crime. The FTC has mandated a law called the Red Flags Rule for businesses to keep customer and employee info protected from ID theft. The enforcement date is January 1, 2011. The fines for noncompliance are crippling...<br />
<strong>Spoiled Rotten Spa Owner Arrested, Charged With Fraud</strong> (posted by Tracy, 2011-03-26)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">Woman Made Fraudulent Credit Card Charges, Police Say<br />
<br />
<br />
APTOS, Calif. -- The former owner of Spoiled Rotten Day Spa in Aptos was arrested Friday after several clients reported that several thousand dollars in fraudulent credit card charges paid to the spa had appeared on their credit card statements.<br />
<br />
One victim reported that his credit card had been fraudulently used four times for a total of $9,600.<br />
<br />
Spa owner Sonya Harting, 35, was arrested and charged with credit card fraud.<br />
<br />
Police said Harting was evicted on Jan. 5 by the building owner, but continued selling gift certificates for spa services throughout the holiday season.<br />
<br />
Anyone who purchased a gift certificate from Spoiled Rotten Day Spa during the month of December that could not be redeemed due to business closure is encouraged to call the Santa Cruz Property Crimes Unit at 454-2311.</div>
<strong>Top 5 Online 2011 Tax Scams</strong> (posted by Tracy, 2011-03-25)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">Online scammers are already plotting to separate you from your tax refund and your identity. Scams for the 2011 tax season include promises of tax credits for charitable donations to disaster relief in Japan, malware-laden Websites optimized for search engines, dangerous e-mail, and so-called 'likejacking' techniques found on the social network Facebook.<br />
<br />
About 19 million people have already filed their taxes at home in 2011, an increase of almost 6 percent from the year previous, according to the Internal Revenue Service. Consequently, this time of year is ripe for tax-related online scams. Crooks know that taxpayers are looking for information on deductions and tax laws. They know that this is the time of year when taxpayers submit personal information online and store sensitive financial documents on their hard drives.<br />
<br />
Jennifer Torode, a spokesperson for the security firm Sophos, says that most of us wait until the last minute to file our tax forms. Scammers know this and "take advantage over the next few weeks to find ways to lure frantic filers into their webs," she says.<br />
<br />
<strong>Here are five tips to help you avoid getting ensnared by tax scammers this tax season:</strong><br />
<br />
<strong>1. Japan Quake Scam</strong><br />
Among the newest scams for 2011 are bogus e-mail messages promising a tax credit applicable to your 2010 tax return if you make a charitable donation to Japan earthquake relief, according to McAfee consultant and identity theft expert Robert Siciliano. "The scam is based on the ruse being similar to a real law passed last year regarding Haiti," Siciliano said. In January 2010, Congress passed the Haiti Assistance Income Tax Incentive Act that allowed taxpayers to contribute to Haiti relief from January 11 to March 1, 2010 and claim it on their 2009 tax return. So far, the government has not established any retroactive tax rules involving this year's relief effort for Japan.<br />
<br />
<strong>Tip:</strong> You can find many earthquake relief scams online; however, it's not clear how prevalent this particular scam is. For more information on how to make tax-deductible donations safely and effectively, consult this notice on IRS.gov.<br />
<br />
<strong>2. Gone Phishing</strong><br />
One of the most popular ways to scam people during tax season is to set up Websites that look as if they are an official IRS site or a legitimate tax preparation service. "We have seen some scammers pretending to be tax preparation services, abusing brand names such as TurboTax, to obtain people's personal details," said Richard Wang, manager for Sophos Labs.<br />
<br />
Other sites are designed to trick you into downloading a PDF file laden with malware, according to Jeff Horne, director of threat research for the security company Webroot. Horne also warns that sites may try to sneak malware onto your machine using a technique called a "drive-by download." Such sites contain code looking for exploits in your browser that will enable them to download malware onto your system without your knowledge. Merely by using a vulnerable browser to visit a site, you can be victimized by bad guys wielding this technique.<br />
<br />
Once tax-related malware is loaded on your machine, it can set up a keylogger to track everything you type into your computer, or it can search your saved documents for keywords related to tax season such as "social security" or "1040."<br />
<br />
<strong>Tip:</strong> The best defense against drive-by downloads is to make sure that you always use the latest version of a modern Web browser, such as Google Chrome or Mozilla Firefox.<br />
<br />
<strong>3. Black Hat SEO</strong><br />
One of the tricks that crooks use to lure victims into a scam is to optimize their sites for Google searches, a technique known as "black hat SEO" (the acronym stands for "search engine optimization"). Horne suspects that these sites use resources such as Google Trends and Google Insights to discover the types of tax-related searches people are requesting. Once criminals have figured out some of the more popular keywords for this year's tax searches it's not difficult for them to optimize their bogus sites for search engines.<br />
<br />
<strong>Tip:</strong> "Never use search engines to search for tax documents," Horne said. Instead, go directly to the government site (such as IRS.gov, USA.gov, or an individual state government site ending in '.gov') to look for tax forms and other tax information.<br />
<br />
<strong>4. Likejacking</strong><br />
Facebook and other social networking sites are major targets for online scammers looking to make a quick buck off tax season. Horne says that Webroot has seen some examples of 'likejacking' in which scammers try to trick you into 'liking' their scam site on Facebook. Achieving this objective may involve hiding a Facebook "Like" button under another button on a third-party Website or exploiting a weakness in your browser by using a few snippets of JavaScript to press the Like button for you.<br />
<br />
Once you "like" the site, an external link will show up in your Facebook news feed with a scam message such as, "I just got $500 by using this free tax preparation service." Friends who see that message may be tempted to click the link leading them to a phishing site or a spam site looking to increase its ad revenue by generating Web traffic. Note, however, that some legitimate tax preparation services are promoted on Facebook by institutions such as universities as well as by individual friends. <br />
<br />
<strong>Tip: </strong>Don't choose a tax preparation service on the basis of a Facebook message attributed to a friend. At the very least, talk to the friend directly to confirm that he or she endorses the service. <br />
<br />
<br />
<em>If you are among the three percent of online Americans still using Internet Explorer 6, dump it for the latest version of IE available for your operating system--or use a different popular browser such as Chrome or Firefox. </em><br />
<br />
<ul style="text-align: left;"><li><em>Never use a search engine to look for government documents. Instead, go directly to sites such as IRS.gov, USA.gov, or individual state government sites ending in .gov, and search for forms there. </em></li>
<li><em>Never open or download attachments included with messages claiming to be from the IRS. The wisest course may be to refrain from opening any unsolicited tax-related e-mail message, as some poisoned messages use HTML to exploit weaknesses in your browser and initiate a drive-by download. </em><em><br />
</em></li>
<li><em>Never do your taxes over an unencrypted wireless connection such as free Wi-Fi at Starbucks. At home, even if you use the latest wireless security encryption standards such as WPA2, you are better off breaking out the LAN cable and using a wired connection when dealing with sensitive financial information. </em><em><br />
</em></li>
<li><em>Once you're finished filing your taxes for this year, make sure that you move all of your tax-related files for safe keeping to a USB key, an external hard drive, or some other form of removable storage. Then wipe all tax files off your computer's hard drive. Tax-related malware may lurk online long after tax season is over, according to Horne. If you happen to get infected, and you've stored your tax forms in a special folder on your PC, it won't take much for a scammer to steal your identity. </em></li>
</ul><br />
<strong>IRS Advice </strong><br />
The IRS also has a lot of helpful information to help keep you safe from phishing and other e-mail scams. The IRS emphasizes that it never asks taxpayers for their passwords, PINs, or other secret data relating to bank accounts and credit cards. Furthermore, the IRS never initiates taxpayer communication through e-mail. If you receive a dubious e-mail message claiming to be from the IRS, you can report it by forwarding the message without altering it to phishing@irs.gov. For more online tax security tips, check out the IRS's page on how to protect your personal information. <br />
<br />
<br />
<br />
</div>
<strong>Report: Mysterious Facebook Web Search Box Could Be Malware</strong> (posted by Tracy, 2011-03-25)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">A Web search box some users are seeing on their Facebook interface wasn't inserted by Facebook and could be the result of malware or a rogue browser plug-in or application.<br />
<br />
AllFacebook, a blog devoted to Facebook-related news, first reported that a second search box had begun to appear on Facebook interfaces, right next to the legitimate site search bar.<br />
<br />
The mysterious Web search box appeared perfectly integrated into the Facebook page layout, as if it were a native Facebook feature. However, Facebook is now saying that it didn't put that second search box there and that it could be a sign of malware infection.<br />
<br />
"We are not testing the placement of a separate web search field and have no plans to do so. We believe the second search field or 'Search the Web' box appeared on people's accounts as the result of unknown actions by a third party targeting the browser -- potentially a browser plugin or malware -- unrelated to Facebook," a Facebook official told technology news blog Search Engine Land.<br />
<br />
As Facebook members, users who think they might be affected by this situation have access to a free, browser-based virus scanning tool from McAfee, according to the company.<br />
<br />
As the most popular social network and one of the world's largest sites, Facebook is in a constant battle against malicious hackers and online scammers who want to take advantage of its massive user base to commit fraud and spread malware.<br />
<br />
At this point, it's not clear whether the sinister search box is the result of an external malware exploit or the work of a rogue Facebook application.<br />
<br />
<br />
<br />
<br />
<br />
</div>
<strong>Mobile Visibility Limitation? There's an App for that.</strong> (posted by Tracy, 2011-03-17)<br />
<div dir="ltr" style="text-align: left;" trbidi="on"><br />
Last July myself and Christian Papathanasiou presented a DEF CON 18 talk entitled "This is not the droid you're looking for…". The topic of Android rootkits was widely picked up by the media, but the talk was designed around the security implications that exist when a piece of malware makes its way to a mobile device.<br />
<br />
During our research we were successfully able to remotely obtain shell access on the device over the GSM network, read the user's contacts, email, and SMS messages. Locating the device using its GPS coordinates and making a phantom phone call from the device were also demonstrated. As we noted, other areas of functionality could include taking photos from the phone's camera, recording from the phone's mic and man-in-the-middle of apps and browser activity.<br />
<br />
Last week, it was announced that over 50 apps in the Google Android Market were found to have malware embedded in them. This malware is capable of data exfiltration off the victim's phone. In the business world, this has major implications. How many CEOs of publicly traded companies were running these apps? Maybe none, but if the malware had the capabilities that we demonstrated last summer, the implications are huge. Imagine a CEO sitting in business meetings with major clients, business partners, and even investors. The malware on that device could have the capabilities of tracking his/her physical location, and recording the conversations.<br />
<br />
In the not so distant future, there will be confirmed reports that two companies are in possible merger talks, not because data “leaks” out of the corporate environment, but because there is a recording of the conversation and GPS data pinning the two CEOs at the same restaurant. Neither of the CEOs is knowingly recording and disclosing these conversations, but one of their mobile phones has malware on it.<br />
<br />
With all the news today around the weakness of the Android Market submission process, it is important to understand that this problem is not just limited to the Android platform, but also impacts the iOS platform as well. Last fall SpiderLabs' Eric Monti demonstrated at ToorCon 12 that you could apply these same techniques to an iPhone and install a backdoor or other piece of malware. This is accomplished by using a technique used to jailbreak a device. In the case of malware, the jailbreak is turned against the end user as an exploit to gain the attacker root privileges on the device. The window of exposure on "jailbreak-able" iOS devices is very large. Seemingly hours after a new version of the iOS is released, a jailbreak is available, not to be "fixed" until the next release several months later. It is important to note that a “jailbreak” is equal to a root compromise. In Eric’s research, he showed it as a silent drive-by installation requiring no user interaction.<br />
<br />
The Android Market isn't the only mobile app shop where no security or content validation occurs. Many users jailbreak their iOS devices so they can install and run apps that have not been approved by Apple. Once a user has jailbroken their iOS device, they can download apps from a marketplace called Cydia. What has recently happened in the Android Market can easily happen in Cydia, if it hasn't already. (Is anyone searching there?) This would allow a malicious developer to publish an application with malware, botnet or rootkit functionality to the jailbreak community. Given that I have run into CTOs of security vendors that have jailbroken iPhones, this threat isn’t just limited to the tech hobbyist.<br />
<br />
By design, mobile devices place a strong layer of abstraction between the end user's interface and the underlying operating systems. This means that there could be a rootkit, backdoor or botnet running at the OS layer and the end user would have no indication of its presence, nor would they be able to detect its activity with the limited aid of the various security software applications on the market.<br />
<br />
<br />
<br />
</div>
<strong>Hacking: 'An unconventional, asymmetrical act of warfare'</strong> (posted by Tracy, 2011-03-09)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">[Embedded msnbc.com video: http://www.msnbc.msn.com/id/32545640]</div>
<strong>Rules of PCI DSS Compliance</strong> (posted by Tracy, 2011-03-04)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">Pointers and considerations to make the compliance journey a smoother ride for your organization.<br />
<br />
Data breaches have made news often in the past few years. When credit cardholder data is compromised, merchants face bad publicity, lasting damage to their reputations, lost business and possible fines. The global average cost of a single data-loss incident was $3.43 million in 2009, or $142 per compromised record, according to a report from the Ponemon Institute. <br />
<br />
That’s why American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa developed the PCI DSS (Payment Card Industry Data Security Standard). Businesses with merchant identification that take credit card payments—whether online, over the phone, or using credit card machines or paper forms—need to comply with these standards, even if they use a payment service provider. <br />
<br />
Here are some pointers and considerations to make the compliance journey a smoother ride for your organization: <br />
<br />
• Don’t think PCI DSS is going away. Nevada, Minnesota and Washington have incorporated all or part of PCI DSS into their laws. These states are forerunners of a movement similar to the one that led to the adoption of data-breach notification laws, which have so far been enacted by 46 states. Additionally, many banks are now asking their merchants to comply; some are even imposing fines for noncompliance. <br />
<br />
• Don’t hide behind the fact that your payment service provider is PCI DSS-compliant. Remember that all “actors” in the credit card payment chain must comply: merchants, payment service providers, banks and hosting providers (if applicable). <br />
<br />
• Don’t pick and choose requirements. Merchants need to comply with all the requirements applicable to their credit card payments structure, regardless of any compliance-validation mechanisms they may use. This involves having the appropriate technical and physical security safeguards, policies and procedures in place, and performing quarterly scans of the CHD (cardholder data) environment if it is connected to public networks. Merchants need to train their employees—both when they are hired and again once each year—in matters concerning credit card security. It is also important to be aware that at the highest level, if a merchant makes more than 6 million transactions per year, a qualified security assessor must come on-site to verify compliance. <br />
<br />
• Don’t underestimate the time, cost and effort involved in PCI DSS compliance. Get C-level support to make it happen. <br />
<br />
<strong><a href="http://www.baselinemag.com/c/a/Compliance/Rules-of-PCI-DSS-Compliance-185477/?kc=BLBLBEMNL03042011STR4">Steps to Compliance</a></strong><br />
<br />
<br />
<br />
</div>
<strong>What Health Care providers need to know</strong> (posted by Tracy, 2011-02-26)<br />
<div dir="ltr" style="text-align: left;" trbidi="on"><div style="margin-left: 1em; margin-right: 1em;"><img height="212" src="http://www.zpicaudit.com/wp-content/uploads/2010/03/Confused-Doctor.jpg" width="320" /></div><div style="margin-left: 1em; margin-right: 1em;">If you did not know, there are new requirements for fighting identity theft that health care providers must know about: the “Red Flags Rule”.</div><br />
“The Red Flags Rule, a law the FTC will begin to enforce on August 1, 2009, requires certain businesses and organizations — including many doctors’ offices, hospitals, and other health care providers — to develop a written program to spot the warning signs — or “red flags” — of identity theft,” as stated by the FTC.<br />
<br />
Basically, when a person seeks health care services using someone else’s name and insurance info, that is what is called identity theft.<br />
<br />
“Every health care organization and practice must review its billing and payment procedures to determine if it’s covered by the Red Flags Rule. Whether the law applies to you isn’t based on your status as a health care provider, but rather on whether your activities fall within the law’s definition of two key terms: “creditor” and “covered account.”<br />
<br />
Health care providers may be subject to the Rule if they are “creditors.” Although you may not think of your practice as a “creditor” in the traditional sense of a bank or mortgage company, the law defines “creditor” to include any entity that regularly defers payments for goods or services or arranges for the extension of credit. For example, you are a creditor if you regularly bill patients after the completion of services, including for the remainder of medical fees not reimbursed by insurance. Similarly, health care providers who regularly allow patients to set up payment plans after services have been rendered are creditors under the Rule. Health care providers are also considered creditors if they help patients get credit from other sources — for example, if they distribute and process applications for credit accounts tailored to the health care industry.<br />
<br />
On the other hand, health care providers who require payment before or at the time of service are not creditors under the Red Flags Rule. In addition, if you accept only direct payment from Medicaid or similar programs where the patient has no responsibility for the fees, you are not a creditor. Simply accepting credit cards as a form of payment at the time of service does not make you a creditor under the Rule.<br />
<br />
The second key term — “covered account” — is defined as a consumer account that allows multiple payments or transactions or any other account with a reasonably foreseeable risk of identity theft. The accounts you open and maintain for your patients are generally “covered accounts” under the law. If your organization or practice is a “creditor” with “covered accounts,” you must develop a written Identity Theft Prevention Program to identify and address the red flags that could indicate identity theft in those accounts.” as stated by the FTC.<br />
<br />
<br />
<br />
</div>
<strong>Seattle: Capitol Hill credit card fraud wave tied to Broadway Grill</strong> (posted by Tracy, 2011-02-26)<br />
<div dir="ltr" style="text-align: left;" trbidi="on"><br />
<div class="separator" style="clear: both; text-align: center;"></div><div style="margin-left: 1em; margin-right: 1em;"><img height="400" src="http://www.capitolhillseattle.com/media/news/2010/11/3/VMhXvAwAOuxloR78qq28nvgVn0-medium.jpg" width="356" /></div><br />
<div style="clear: left; cssfloat: left; float: left; margin-bottom: 1em; margin-right: 1em;"></div><br />
<br />
The investigation into more than 100 reported cases of credit card fraud across Capitol Hill has identified a Broadway restaurant as one "point of interest." Like the victims who have had their bank and credit accounts hit for fraudulent charges in the thousands of dollars, Capitol Hill's Broadway Grill is also a victim in this wave as personal and business accounts related to the restaurant have been compromised along with accounts of a not-yet-known number of customers who ate and drank at the popular eatery.<br />
<br />
We received the following statement from one of the partners behind the Broadway Grill, Matthew Walsh:<br />
<br />
We take this issue very seriously and are working with both the Seattle Police Department as well as the Secret Service to find the people who have done this to everyone and have them stopped.<br />
<br />
We have gone above and beyond to make sure that our network is completely secure and that this sort of thing can't happen to any of our customers, there has been no decline in credit/debit card use because of our actions to ensure safety. Not only were our personal accounts compromised but our business savings and operating accounts have also been compromised.<br />
<br />
We are a tiny little company trying to manage this huge monster of a restaurant and for someone to swoop in and try to completely wipe our accounts is a really scary thing. I am seriously worried about the future of our business without the support of our community. We have been growing by leaps and bounds since I took over in June, not only in our new menu and food quality but also in our day to day operation. It is my hope that we have touched enough lives over the years to be able to count on our beloved customers for their support and continued patronage in this difficult time.<br />
<br />
We do not know yet if Broadway Grill represents the only breached business on the Hill or if investigators have identified others in the area. On Monday, CHS reported that the Secret Service's Electronic Crimes Task Force had identified and "reduced" the threat from what the lead agent called a "point of interest" in the Capitol Hill area.<br />
<br />
We have checked with Kroger, the parent company for QFC, about any involvement in the investigation. A QFC spokesperson told CHS he was not aware of any contact between investigators and either of the Broadway stores. "To my knowledge, we have not been contacted by police. When we are, we will work with them," the spokesperson said earlier this week.<br />
<br />
Meanwhile, the situation is widespread enough and people are so wary that large area institutions are dealing with relatively sizable numbers of victims. We talked to Seattle University about a growing number of Seattle University students and employees who have experienced problems with financial accounts in recent days. But Mike Sletten, director of public safety for the campus, told us that the cases he is aware of all appear to be part of the Capitol Hill wave. "They all reflect that Capitol Hill theme," Sletten said.<br />
<br />
<br />
<br />
</div>
<strong>Data leak: Human Services Agency of San Francisco</strong> (posted by Tracy, 2011-02-13)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">February 5, 2011: 2,400 records exposed.<br />
<br />
A former city employee emailed the information of her caseload to her personal computer, two attorneys and two union representatives. The former employee wanted proof that she was fired for low performance because she had been given an unusually high number of cases. Certain MediCal recipients in San Francisco had their names, Social Security numbers and other personal information exposed.<br />
<br />
<br />
<br />
</div>
<strong>Is Your Business Vulnerable to Cybercrime?</strong> (posted by Tracy, 2011-02-13)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">It only happens to the big companies, right? While that may have been the conventional thinking in the past, cybercrime is finding large businesses, government institutions, and even individuals as its victims, and as the Internet becomes increasingly integrated into our daily lives, cybercrime continues to become more widespread.<br />
<br />
Business is often about timing. Each day you have deadlines and if they aren’t met, you lose money. If you can’t get to your data for any reason, your day and the future of your business may be at risk. With data being so important to businesses of all sizes, it would be reasonable to believe that, much like liability insurance, businesses are protected, but that’s far from true.<br />
<br />
A recent survey concluded that 52% of all businesses don’t have an IT security policy. Their data simply isn’t held under cyber lock and key like it should be and their employees are free to practice internet usage while at work in any way that they see fit.<br />
<br />
If your business is in the 52% crowd, something has to change and it has to change today. What can you do to decrease your risk of cyber attack?<br />
<br />
Back Up Your Data<br />
<br />
Just like in our real lives, not being a victim of theft often starts with common sense. Your data is too important to only be in one place and you should never trust somebody else to back it up. Copy your data and place it some place secure. If you can fit it all onto a portable hard drive or some other piece of hardware that isn’t connected to the internet, do that once per week. If you can’t, find an online backup service that will automatically do this for you.<br />
<br />
</div>
<strong>Cyber crooks targeting smartphones: McAfee</strong> (posted by Tracy, 2011-02-13)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">Smartphones have become prime targets for hackers and spammers, computer security firm McAfee said.<br />
<br />
The number of pieces of malicious software, referred to as "malware," surged 46 percent last year as compared with 2009, according to a McAfee Threats Report for the final three months of 2010.<br />
<br />
"Cybercriminals are keeping tabs on what's popular, and what will have the biggest impact from the smallest effort," said McAfee Labs senior vice president Vincent Weafer.<br />
<br />
"We've seen a significant shift in various regions, showing that cybercriminals are tapped in to trends worldwide," he continued. "McAfee Labs also sees the direct correlation between device popularity and cybercriminal activity, a trend we expect to surge in 2011."<br />
<br />
McAfee has seen software threats to mobile devices steadily increase in recent years as the popularity of smartphones and tablet computers has climbed.<br />
<br />
"Threats to mobile platforms are not new," McAfee said in the report. "However, as more consumers use mobile devices and tablets in their daily lives and at work, cybercriminals have taken note."<br />
<br />
Geinimi malware, slipped into legitimate games and other applications for Android-based mobile phones, was listed by McAfee as "one of the most important threats of the quarter."<br />
<br />
As greater varieties of smartphones, tablets, televisions, and computers link to the Internet, hackers are likely to resort to "poisoning" Internet search results with links to websites booby-trapped with malware, according to McAfee.<br />
<br />
"Web-based threats will continue to grow in size and sophistication," McAfee said.<br />
<br />
</div>Tracyhttp://www.blogger.com/profile/01073923326458752780noreply@blogger.com3tag:blogger.com,1999:blog-3366910414814535645.post-21937855469447459492011-02-12T09:48:00.000-08:002011-02-12T09:48:16.409-08:00Malware Aimed at Iran Hit Five Sites, Report Says<div dir="ltr" style="text-align: left;" trbidi="on">The Stuxnet software worm repeatedly sought to infect five industrial facilities in Iran over a 10-month period, a new report says, in what could be a clue into how it might have infected the Iranian uranium enrichment complex at Natanz. <br />
<br />
The report, released Friday by Symantec, a computer security software firm, said there were three waves of attacks. Liam O Murchu, a security researcher at the firm, said his team was able to chart the path of the infection because of an unusual feature of the malware: Stuxnet recorded information on the location and type of each computer it infected. <br />
<br />
Such information would allow the authors of Stuxnet to determine if they had successfully reached their intended target. By taking samples of Stuxnet they had collected from various computers, the researchers were able to build a model of the spread of the infection. They determined that 12,000 infections could be traced back to just five initial infection points. <br />
<br />
Between June 2009 and May 2010, the program took aim at specific organizations in Iran on three occasions, Symantec research noted in an update of a research report the company published last year. <br />
<br />
The Symantec team said it had collected five Internet domains that were linked to industrial organizations within Iran. They said because of the company’s privacy policies, they would not disclose the domain names. <br />
<br />
“All of the domains are involved in industrial processing,” Mr. O Murchu said in an interview. <br />
<br />
It is likely that a classified site like Natanz is not connected directly to the Internet. Therefore, an attacker might try to infect industrial organizations that would be likely to share information, and the malware, with Natanz. <br />
<br />
At least three and possibly four versions of the program were probably written, and the researchers discovered that the first version had been completed just 12 hours before the first successful infection in June 2009. The researchers speculated that the first step in the infection was either an infected e-mail sent to an intended victim or a hand-carried USB device that carried the attack code. <br />
<br />
When international inspectors visited Natanz in late 2009, they found that almost 1,000 gas centrifuges had been taken offline, leading to speculation that the attack may have disabled a portion of the complex. <br />
<br />
In April 2010, the attackers again tried to distribute the program. This time they found a new vulnerability that allowed Windows-based computers to be infected with a USB device, and most likely successfully inserted the program that way at an unknown location inside Iran. <br />
<br />
The Symantec researchers also said they had determined that the malware program carried two different attack modules aimed at different centrifuge arrays, but that one of them had been disabled. <br />
<br />
Stuxnet first infected Windows-based industrial control computers while it hunted for particular types of equipment made by the Siemens Corporation. It was programmed to then damage a uranium centrifuge array by repeatedly speeding it up, while at the same time hiding its attack from the control computers by sending false information to displays that monitored the system. <br />
<br />
</div>Tracyhttp://www.blogger.com/profile/01073923326458752780noreply@blogger.com0tag:blogger.com,1999:blog-3366910414814535645.post-37575796361945002492011-02-08T17:41:00.000-08:002011-02-08T17:42:18.048-08:00Red Flags Rule Compliance: The Feds May Be The Least Of Your Concerns<div dir="ltr" style="text-align: left;" trbidi="on">By <a href="http://ezinearticles.com/?expert=Larry_M._White">Larry M. White</a> <br />
<br />
After several false starts, the FTC has finally initiated enforcement of the Fair and Accurate Credit Transactions Act's Red Flags Rule, and has placed the burden of policing identity theft activity squarely on the shoulders of both big and small businesses. <br />
<br />
However, the FTC may be the least of your concerns if you originate credit for an identity thief because attorneys across the country have been eagerly awaiting this dangerous and virtually impossible regulation. Your problem? Verifying the identity of your customer. <br />
<br />
If you don't have required and accepted procedures in place to do so, it could cost you everything you've ever worked for.<br />
<br />
Your Required Red Flags Rule Policy & Program<br />
<br />
First, your operation must develop and implement a Red Flags Rule Policy which must include four required key elements in addition to other regulations and issues that must be addressed. <br />
<br />
To demonstrate the importance the FTC places on the Rule, your operation's Board of Directors is required to approve your Red Flags Rule Policy and Program. For those operations without a board, a committee of senior management must approve the initial Program and monitor it on an annual basis.<br />
<br />
But don't be misled! <br />
<br />
Simply downloading a "template" from the internet might possibly get you off the hook with the feds, but it probably won't suffice in litigation with an identity theft victim's lawyer. Attorneys already view this regulation as a "cash cow", and if one of your customers points the finger at your company because someone was using their identity unchallenged, rest assured the victim's attorney will request your written Red Flags Rule Policy and documentation of required staff training. <br />
<br />
If you don't have a Policy, or it is poorly written, the plaintiff will most likely allege a breach of duty to protect a consumer's identity information, or in other words, "wilful non-compliance", which is as bad as it sounds.<br />
<br />
</div>Tracyhttp://www.blogger.com/profile/01073923326458752780noreply@blogger.com0tag:blogger.com,1999:blog-3366910414814535645.post-59641806638619730902011-02-05T21:27:00.000-08:002011-02-05T21:28:29.982-08:00A Blind Eye to Cyber Crime?<div dir="ltr" style="text-align: left;" trbidi="on"><strong>Small Businesses Think It Won't Happen To Them</strong><br />
<br />
It's almost like it was written to be a movie script. The victims blindly walk into a huge trap plotted by the villains. The crime? Fraud -- lots of it. In the end, the villains get away with the proceeds, leaving the hapless victims penniless. <br />
<br />
Problem is: This crime is not just playing out on the movie screen; it is happening in real life. Recent ACH fraud victims can attest to this fact. Ask Village View Escrow, PATCO construction or Choice Escrow. <br />
<br />
<strong>"Doing right by educating your customers is a great start. If you're already doing it, do more."</strong> <br />
<br />
Yet, despite these high-profile incidents, the results of a recent survey from the National Cyber Security Alliance say that small businesses are oblivious to the dangers they face from cybercrime. This statement should be a real wake-up call for not just the small businesses, but also the institutions that serve them. <br />
<br />
Small business owners polled by Visa and the NCSA say they increasingly believe investments in cybersecurity are not justified by actual online threats, and the majority of cybercrime is focused on attacking large companies. <br />
<br />
This attitude is manifested in practice, as 75 percent of owners say their employees have received less than three hours of network and mobile device security training in the past year, with 47 percent saying their employees received zero hours of training. <br />
<br />
According to the Visa survey, more than 85 percent of small business owners believe that they are less of a cybercrime target than large companies, and 54 percent believe they are more prepared to secure sensitive customer and corporate data than large businesses. In addition, 84 percent agree that they have the policies and procedures in place for keeping data and computer systems secure. <br />
<br />
The findings are surprising in light of growing concern from security experts and law enforcement that hackers and cybercriminals are homing in on small businesses as their new targets. In October, Ukrainian authorities arrested a number of individuals who allegedly stole $70 million from U.S. bank accounts in an elaborate scheme targeted at U.S. small and medium-sized businesses. <br />
<br />
What can financial institutions do to help raise awareness among their business customers? For a start, institutions of every size need to do much more to reach out and talk to their commercial account holders, educate them about the need for cybersecurity and sound security policies. Think of holding a "security 101" class for your small businesses to help them get up to speed on what they need to do to protect themselves and their customers. Along with creating some goodwill among your small business account holders, you'll be doing double duty in protecting your interests as well. Imagine having to tell the same businesses that their commercial accounts were hit in a corporate account takeover scheme and they're out thousands of dollars, or that their point of sale terminal shows that it has been swapped and a hacker has taken hundreds of their customers' credit card numbers. Doing right by educating your customers is a great start. If you're already doing it, do more. <br />
<br />
</div>Tracyhttp://www.blogger.com/profile/01073923326458752780noreply@blogger.com1tag:blogger.com,1999:blog-3366910414814535645.post-13923340067363409382011-02-05T21:22:00.000-08:002011-02-05T21:28:55.191-08:00Small businesses underestimate their cybercrime risk<div dir="ltr" style="text-align: left;" trbidi="on">Most small-business owners say they don't think cybercrime will happen to them, data show. While 84% of small-business owners say they have procedures in place to keep their data safe, about the same percentage say they think bigger companies are more of a target, according to a survey sponsored by Visa and the National Cyber Security Alliance.</div>Tracyhttp://www.blogger.com/profile/01073923326458752780noreply@blogger.com1tag:blogger.com,1999:blog-3366910414814535645.post-86454773007624727692011-02-05T21:20:00.000-08:002011-02-05T21:29:15.047-08:00Rising Number of Information Security Breaches in U.S. Authorities Consider Mandatory Reporting<div dir="ltr" style="text-align: left;" trbidi="on">Recently, an identity theft center revealed 662 instances of data breach in the U.S. over the last year. However, there are no accurate figures on the number of records breached. A data breach may be caused by hacking, human error, phishing, employee theft and other forms of malicious attack. A data breach results in disclosure of sensitive personal, financial and business information. The information may include names, addresses, social security numbers, protected health information (PHI), credit card numbers, bank account details, company strategies and confidential reports. Offenders may use the collected information for identity theft or to steal money. Offenders may also sell the information to their underground peers or to the competitors of an organization. The majority of the reported breaches were related to disclosure of social security numbers and credit and debit card details. Therefore, individuals and organizations must place high emphasis on information security. 
<br />
<br />
However, several data breaches go unreported. Negligence, lack of awareness of the consequences of a data breach and reluctance to initiate legal action are some of the reasons that prevent affected individuals from reporting data breach incidents. In some cases, data breach reports by public authorities and organizations do not contain specific details on the type of data breach, number of records compromised and number of individuals affected. Only 51% of the reported data breaches indicated the number of records compromised. Proper reporting of data breaches is crucial to understand the threat pattern, severity of threats, consequences of the data breach and mitigating measures required. <br />
<br />
Organizations must educate their employees on safe computing practices to avoid data disclosure and theft. Regular vulnerability assessment tests and use of ethical hacking may aid the organization in understanding the threats and initiating counteractive measures. </div>Tracyhttp://www.blogger.com/profile/01073923326458752780noreply@blogger.com1tag:blogger.com,1999:blog-3366910414814535645.post-84650355334471307922011-02-05T21:05:00.000-08:002011-02-05T21:05:57.353-08:00Identity Theft “Red Flag Rules” Raise Ire of AMA<div dir="ltr" style="text-align: left;" trbidi="on">No one wants to be the target of identity theft, and yet, despite consumer awareness and prevention practices, in 2008 ten million people were victimized. It seems like everyone should be overjoyed at programs to curb this threat from the creditor’s side.<br />
<br />
Not so. Some organizations, such as the American Medical Association, feel that their members should be exempt from developing and implementing written identity theft prevention and detection measures.<br />
<br />
Resistance from the AMA has been so strong that the deadline for putting the Red Flag Rules into practice has been delayed 3 times since its inception in November 2007. The new deadline is November 2009.<br />
<br />
Banks and other credit issuing entities also object to monitoring the 26 red flags designed to prevent anyone from using another person’s identity – for gaining credit, for getting a job, for renting an apartment, or for obtaining medical care under another’s insurance policy.<br />
<br />
Why? They feel that the new rules are “excessive and overly burdensome.” Huge banks will probably have no trouble with compliance, but smaller organizations without a large staff may have to hire 3rd party companies to carry out this function. Either way, implementing the Red Flag rules will cut into profits.<br />
<br />
One objection from the AMA is that physicians should not be classified as “creditors,” even though they grant credit when they accept payments for care, or when they wait for payment until an insurance company responds to billings.<br />
<br />
Lawmakers are not heeding this argument, because they are particularly concerned with “medical identity theft.” Not only can thieves obtain medical care using someone else’s insurance, the resultant medical records could be medically dangerous to the person whose identity was stolen.<br />
<br />
</div>Tracyhttp://www.blogger.com/profile/01073923326458752780noreply@blogger.com1tag:blogger.com,1999:blog-3366910414814535645.post-75781017947452471652010-12-10T07:06:00.000-08:002010-12-10T07:06:58.291-08:00Exclusive: “Anonymous” speaks out about WikiLeaks paybackA group that refers to itself as Anonymous has taken credit for a recent string of high-profile cyber attacks against the websites of businesses, banks and politicians that have either spoken out against or stopped doing business with WikiLeaks. <br />
<br />
<br />
The cyber attacks, dubbed Operation Payback, target those who have caved in to US government pressure to shun the whistleblower website that recently released thousands of classified US diplomatic cables. <br />
<br />
The activist hackers have attacked MasterCard.com, PostFinance, Visa, Paypal.com, and others.<br />
<br />
For the first time, in an exclusive interview with RT’s Alyona Minkovski, an unidentified representative of the group explained they will always have technology on their side and be one step ahead to continue to fight challenges to free speech. <br />
<br />
The goals are to show these companies that people are willing to fight for the vindication of WikiLeaks. <br />
<br />
“We have been DDoS’ing sites,” he explained. “We have been flooding them with traffic so other people cannot use them and they have been taken down like this and they cannot operate like this anymore. We’ve been attacking them, we’ve been DDoS’ing them so people can’t buy things, people can’t make transactions.”<br />
<br />
He explained the relation is to send a message to these companies and individuals who are taking money from WikiLeaks and refusing service, specifically citing Paypal.com. <br />
<br />
“Anyone can do it. Anyone has a voice that can stand up and do it,” the representative said. “They can just load up a browser, type in the details; they can volunteer for this, and have a voice of their own.”<br />
<br />
However, to do so would be illegal in most countries. But, he pointed out, the chances of getting caught are practically zero. His organization coordinates attacks, but the attacks themselves are carried out by a massive team of volunteers globally who are well aware of the risk.<br />
<br />
Since the attacks began, “Anonymous’” Facebook and Twitter accounts have been suspended, but the representative explained that action has had little impact on their efforts.<br />
<br />
The attacks and actions by the group are a protest, a revolution, he explained.<br />
<br />
Although the media had reported the group planned coordinated attacks on Amazon.com, the group's representative said they do not have any malicious plans to take on Amazon, nor had they attempted to. He also said the group was not responsible for any coordinated attacks or hacks on Sarah Palin, although she claims to have been a target. <br />
<br />
“We don’t really care about Sarah Palin that much, to be honest. I don’t really know what she’s trying to accomplish or what attention she is trying to gain. We personally don’t care about Sarah Palin,” he added.Tracyhttp://www.blogger.com/profile/01073923326458752780noreply@blogger.com1tag:blogger.com,1999:blog-3366910414814535645.post-82516552091655264372010-12-03T07:56:00.000-08:002010-12-03T07:56:05.202-08:00Congress Considers Change to 'Red Flags Rule'The American Bar Association has been battling for more than a year to exempt lawyers from new regulations designed to fight identity theft. Now, Congress has decided to step in.<br />
<br />
<br />
With no fanfare and no recorded vote late Tuesday, the Senate approved legislation that could accomplish what the ABA was hoping to achieve. The bill would narrow the definition of “creditor” under the Fair and Accurate Credit Transactions Act of 2003, likely ensuring that lawyers would not meet the new definition.<br />
<br />
An ABA spokeswoman said the group is optimistic about House passage, possibly this week.<br />
<br />
The regulations over identity theft were written by the Federal Trade Commission, and they’re popularly known as the “Red Flags Rule.” FTC regulators have interpreted the term “creditor” to include those who perform services and get paid at a later date, as many lawyers do. Other professional groups, including accountants and physicians, have protested their inclusion, too.<br />
<br />
The bill, S. 3987, would define a creditor largely as someone who uses credit reports, furnishes information to credit reporting agencies or “advances funds…based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person.”<br />
<br />
Sen. John Thune (R-S.D.) introduced the bill Tuesday with Sen. Mark Begich (D-Alaska) as a co-sponsor. In a prepared statement, they said the FTC was threatening small businesses.<br />
<br />
“Small businesses in South Dakota and across our country are the engines of job growth for America,” Thune said. “Forcing them to comply with misdirected and costly federal regulations included in the FTC Red Flags Rule will hurt their ability to create jobs and continue growing our economy.”<br />
<br />
ABA President Stephen Zack said in a prepared statement: “Last night’s Senate vote to clarify the rule so that lawyers are clearly not included was a critical step in ending a bureaucratic effort to solve a non-existent problem with paper-pushing regulations that would have increased legal costs.”<br />
<br />
The fight over the Red Flags Rule has also played out in court after the ABA sued the FTC. In October 2009, U.S. District Judge Reggie Walton of the District of Columbia ruled in favor of the ABA. The U.S. Court of Appeals for the D.C. Circuit heard the FTC’s appeal last month.Tracyhttp://www.blogger.com/profile/01073923326458752780noreply@blogger.com1tag:blogger.com,1999:blog-3366910414814535645.post-70334346708796756452010-11-23T07:08:00.000-08:002010-11-23T07:08:20.853-08:00After FTC Settlement, LifeLock Refund Checks Going out<div align="center"><img src="http://blogs.pcworld.com/staffblog/archives/lifelock-pic.jpg" /></div>The check is in the mail for nearly a million LifeLock customers, after the provider of identity-theft protection services settled accusations of deceptive advertising.<br />
<br />
The checks, for US$10.87, started going out Wednesday, according to the U.S. Federal Trade Commission, which is managing part of the $12 million settlement.<br />
<br />
LifeLock drew attention after CEO Todd Davis published his Social Security number in company advertisements, saying he was so confident in his company's services that he was making it public. It was later discovered that Davis had become the victim in at least 13 cases of identity theft.<br />
<br />
The FTC and 35 state attorneys general accused LifeLock of making false claims, saying it didn't protect against some of the most common types of identity theft, such as theft from existing bank accounts. They reached a little settlement with LifeLock in March and the checks are being mailed as part of that settlement.<br />
<br />
In March, LifeLock said it was pleased with this agreement because it set advertising guidelines for the entire identity-theft protection industry. <br />
<br />
The checks are being sent to 957,928 people who signed up for LifeLock's $10-per-month identity-theft protection service. Customers will have 60 days to cash their checks. The refund's administrator has set up a toll-free number for people with questions at 1-888-288-0783Tracyhttp://www.blogger.com/profile/01073923326458752780noreply@blogger.com0tag:blogger.com,1999:blog-3366910414814535645.post-88557231120938457362010-10-14T09:38:00.000-07:002010-10-14T09:38:34.472-07:00Dozens charged with largest Medicare scam everA vast network of Armenian gangsters and their associates used phantom health care clinics and other means to try to cheat Medicare out of $163 million, the largest fraud by one criminal enterprise in the program's history, U.S. authorities said Wednesday.<br />
<br />
<br />
Federal prosecutors in New York and elsewhere charged 73 people. Most of the defendants were captured during raids Wednesday morning in New York City and Los Angeles, but there also were arrests in New Mexico, Georgia and Ohio.<br />
<br />
The scheme's scope and sophistication "puts the traditional Mafia to shame," U.S. Attorney Preet Bharara said at a Manhattan news conference. "They ran a veritable fraud franchise."<br />
<br />
Unlike other cases involving crooked medical clinics bribing people to sign up for unneeded treatments, the operation was "completely notional," Janice Fedarcyk, head of the FBI's New York office, said in a statement. "The whole doctor-patient interaction was a mirage."<br />
<br />
The operation was under the protection of an Armenian crime boss, known in the former Soviet Union as a "vor," prosecutors said. The reputed boss, Armen Kazarian, was in custody in Los Angeles.<br />
<br />
Bharara said it was the first time a vor — "the rough equivalent of a traditional godfather" — had been charged in a U.S. racketeering case.<br />
<br />
Kazarian, 46, of Glendale, Calif., and two alleged ringleaders — Davit Mirzoyan, 34, also of Glendale, and Robert Terdjanian, 35, of Brooklyn — were named in an indictment charging racketeering conspiracy, bank fraud, money laundering and identity theft.<br />
<br />
The indictment accused Terdjanian and others of hatching other schemes involving stolen credit cards, untaxed cigarettes and counterfeit Viagra. It also alleges that during a meeting last year at a Brighton Beach restaurant, Terdjanian pulled a knife on someone who owed him money "and threatened to disembowel the individual if the debt was not paid."<br />
<br />
A judge jailed Terdjanian without bail on Wednesday at a brief hearing. Afterward, his attorney said his client denies the charges.<br />
<br />
Kazarian and Mirzoyan were scheduled to appear in court Wednesday in Los Angeles.<br />
<br />
Authorities began the New York-based investigation after information on 2,900 Medicare patients in upstate New York — including Social Security numbers and dates of birth — was reported stolen.<br />
<br />
The defendants in the New York case also had stolen the identities of doctors and set up 118 phantom clinics in 25 states, authorities said. The names were used to submit fake bills for care that was never given, they said.<br />
<br />
Some of the phony paperwork was a giveaway: It showed eye doctors doing bladder tests; ear, nose and throat specialists performing pregnancy ultrasounds; obstetricians testing for skin allergies; and dermatologists billing for heart exams.Tracyhttp://www.blogger.com/profile/01073923326458752780noreply@blogger.com0tag:blogger.com,1999:blog-3366910414814535645.post-43712625482961648142010-10-05T19:35:00.000-07:002010-10-05T19:35:34.801-07:00Sacramento credit-card fraud traced to one restaurantRoseville police are warning people eating out in Roseville to avoid using their debit cards and to pay with cash or use credit cards. Police said hackers have stolen well over 200 people’s information after they ate out at various restaurants and eateries. “We believe the breach is not actually at the restaurant but a third party vendor that's in the process between using your credit card at the restaurant and actually billing the bank,” said Capt. Stefan Moore.Tracyhttp://www.blogger.com/profile/01073923326458752780noreply@blogger.com2tag:blogger.com,1999:blog-3366910414814535645.post-31236819169267214192010-10-05T19:27:00.000-07:002010-10-05T19:27:12.284-07:00Latest Zeus attack propagated via fake iTunes receiptU.S. and international authorities may have just made a serious dent in the manpower behind the Zeus botnet, but dozens of arrests aren't stopping the data-stealing trojan from spreading.<br />
<br />
The latest Zeus spam campaign targeted iTunes users and attempted to trick them into installing the insidious malware, designed to hijack online banking credentials from its victims, security firms warned this week. <br />
<br />
The messages, which appeared to have been sent from Apple's iTunes Store with the address donotreply@itunes[dot]com, arrived with the subject "Your receipt #" followed by a random number, Fred Touchette, senior security analyst at email protection vendor AppRiver, wrote in a blog post Tuesday. The fake receipts claimed the recipient's iTunes order cost hundreds of dollars. <br />
<br />
“People buying music from iTunes are getting used to seeing these receipts in their inboxes,” Touchette told SCMagazineUS.com on Tuesday. “If [attackers] can get them nervous about the amount of the receipt, they can get them to click on a link.” <br />
<br />
Links in the bogus receipt lead to one of approximately 100 domains ending in .info, all of which were registered with GoDaddy. Once clicked, the links redirected users to another site where the Zeus trojan is waiting to infect victims.<br />
<br />
The final site that users landed on attempted to automatically download a file claiming to be Adobe Flash Player, but it actually was the malicious payload, Touchette said. <br />
<br />
The messages began cropping up on Friday, not long after a separate spam run spoofing the social networking site LinkedIn aimed to foist Zeus on victim PCs. The iTunes campaign is no longer active, and all the domains that attackers were using have been blacklisted, Touchette said. <br />
<br />
In the past, attackers have used fake iTunes receipts to lure users to websites selling pharmaceuticals, as well as phishing sites that try to trick users into logging into fake web pages to dupe them into handing over account credentials, researchers at Mac security firm Intego wrote in a blog post Tuesday. <br />
<br />
U.S. and foreign authorities last week announced a series of arrests disrupting an international cybercrime operation linked to Zeus. <br />
<br />
The latest attacks indicate that even in spite of last week's arrests, the cyber gangs that use Zeus have not been fazed and do not plan on stopping, Touchette said. <br />
<br />
“Zeus hasn't shown any signs of letting up,” he said. “Zeus has been so readily available on the underground forums as a kit that many people have their hands on it. It's going to be difficult to put a dent on its output.”Tracyhttp://www.blogger.com/profile/01073923326458752780noreply@blogger.com2tag:blogger.com,1999:blog-3366910414814535645.post-61885286296314613542010-10-04T18:50:00.000-07:002010-10-04T18:50:26.791-07:00Cyber-criminals steal identity of one of the world's top security chiefs using FacebookThe head of Interpol has warned that cyber-crime is the 'most dangerous criminal threat we will ever face' after fraudsters stole his identity on Facebook.<br />
<br />
Security chief Ronald K. Noble revealed that two fake accounts were created in his name and used to find the details of highly-dangerous criminals.<br />
<br />
The embarrassing security breach saw one of the impersonators use the false profile to obtain information on fugitives convicted of serious crimes including rape and murder.<br />
<br />
The police chief has now warned that there could be devastating consequences of a terrorist cyber attack as he addressed officials at the first Interpol Information Security Conference in Hong Kong. <br />
<br />
He said: 'Just recently Interpol's Information Security Incident Response Team discovered two Facebook profiles attempting to assume my identity as Interpol's secretary general.<br />
<br />
'One of the impersonators was using this profile to obtain information on fugitives targeted during our recent Operation Infra Red.<br />
<br />
'Cyber-crime is emerging as a very concrete threat. Considering the anonymity of cyberspace, it may in fact be one of the most dangerous criminal threats we will ever face.'<br />
<br />
As the world's leading cross-border police agency, Interpol is responsible for working with international police forces.<br />
But the details were stolen during Operation Infra Red, in which senior investigators from 29 countries targeted criminals on the run from crimes including murder, paedophilia, drug trafficking and money laundering. It led to more than 130 arrests.
<br />
It is believed the cyber-criminals created Facebook profiles claiming to be Mr Noble. From there they gathered sensitive information about the suspects.<br />
<br />
Mr Noble spoke publicly about the scam for the first time to hundreds of top security chiefs from 56 countries who were gathered at the conference last Friday.<br />
<br />
He warned that terrorists could use methods similar to cyber-criminals who hack into victims' to steal financial details.<br />
<br />
Mr Noble added: 'Just imagine the dramatic consequences of an attack, let's say, on a country's electricity grid or banking system.'<br />
<br />
'We have been lucky so far that terrorists did not -- at least successfully or at least of which we are aware -- launch cyber-attacks.<br />
'One may wonder if this is a matter of style. Terrorists may prefer the mass media coverage of destroyed commuter trains, buildings brought down, to the anonymous collapse of the banking system. But until when?'<br />
<br />
A recent study found that almost two thirds of all adult web users globally have fallen victim to some sort of cyber-crime, from spam email scams to having their credit card details stolen.<br />
<br />
China had the most cyber-crime victims, at 83 percent of web users, followed by India and Brazil, at 76 percent each, and then the US, at 73 percent, according to the 2011 Norton Cyber-crime Report: The Human Impact.<br />
<br />
The study of more than 7,000 Internet users also found that 80 percent of people believed the perpetrators would never be brought to justice. Fewer than half ever bother to report the crime to police.<br />
<br />
Stacey Wu from internet security firm Symantec said: 'Identity and personal information theft is a big problem. It is no longer just high school kids in their bedrooms sending out malicious emails. It's organised criminals.'<br />
Posted by Tracy<br />
<br />
2010-10-04: FBI says cyber-thieves stole $70 million<br />
<br />
More suspects arrested Friday in what appears to be global crime ring.<br />
<br />
The FBI and law enforcement agencies in Ukraine, the Netherlands and Britain are tracking down international cyber criminals who stole $70 million by using malicious software that captured passwords and account numbers to log onto online bank accounts. <br />
<br />
At a press briefing Friday, the FBI said Operation Trident Breach began in May 2009 when agents in Omaha, Nebraska, were alerted to some of the stolen money, which was flowing in bulk payments to 46 bank accounts around the United States.<br />
<br />
Ukrainian authorities have detained five people thought to have participated in some of the thefts and Ukraine has executed eight search warrants in the ongoing investigation.<br />
<br />
Gordon Snow, the FBI's assistant director in charge of the cyber division, said police agencies overseas were instrumental in finding criminals who designed the malicious software, others who used it and still others called "money mules," who transferred the stolen funds to havens as distant as Hong Kong, Singapore and Cyprus.<br />
<br />
<span style="background-color: yellow;">Many of the victims were small- and medium-sized businesses that do not have the money to invest in high-level computer security.</span><br />
<br />
On Thursday, 37 people were charged in papers unsealed in federal court in Manhattan with conspiracy to commit bank fraud, money laundering, false identification use and passport fraud for their roles in the invasion of dozens of victims' accounts. Fifty-five have been charged in state court in Manhattan.<br />
Posted by Tracy