Cyber Security Girl Strikes Again!

Spoiled Rotten Spa Owner Arrested, Charged With Fraud

2011-03-26T07:45:00.000-07:00

Woman Made Fraudulent Credit Card Charges, Police Say

APTOS, Calif. -- The former owner of Spoiled Rotten Day Spa in Aptos was arrested Friday after several clients reported several thousand dollars in fraudulent credit card charges paid to the spa appeared on their credit card statements.

One victim reported that his credit card had been fraudulently used four times for a total of $9,600.

Spa owner Sonya Harting, 35, was arrested and charged with credit card fraud.

Police said Harting was evicted on Jan. 5 by the building owner, but continued selling gift certificates for spa services throughout the holiday season.

Anyone who purchased a gift certificate from Spoiled Rotten Day Spa during the month of December that could not be redeemed due to business closure is encouraged to call the Santa Cruz Property Crimes Unit at 454-2311.

Top 5 Online 2011 Tax Scams

2011-03-25T18:23:00.000-07:00

Online scammers are already plotting to separate you from your tax refund and your identity. Scams for the 2011 tax season include promises of tax credits for charitable donations to disaster relief in Japan, malware-laden Websites optimized for search engines, dangerous e-mail, and so-called 'likejacking' techniques found on the social network Facebook.

About 19 million people have already filed their taxes at home in 2011, an increase of almost 6 percent from the year previous, according to the Internal Revenue Service. Consequently, this time of year is ripe for tax-related online scams. Crooks know that taxpayers are looking for information on deductions and tax laws. They know that this is the time of year when taxpayers submit personal information online and store sensitive financial documents on their hard drives.

Jennifer Torode, a spokesperson for the security firm Sophos, says that most of us wait until the last minute to file our tax forms. Scammers know this and "take advantage over the next few weeks to find ways to lure frantic filers into their webs," she says.

Here are five tips to help you avoid getting ensnared by tax scammers this tax season:

1. Japan Quake Scam
Among the newest scams for 2011 are bogus e-mail messages promising a tax credit applicable to your 2010 tax return if you make a charitable donation to Japan earthquake relief, according to McAfee consultant and identity theft expert Robert Siciliano. "The scam is based on the ruse being similar to a real law passed last year regarding Haiti," Siciliano said. In January 2010, Congress passed the Haiti Assistance Income Tax Incentive Act that allowed taxpayers to contribute to Haiti relief from January 11 to March 1, 2010 and claim it on their 2009 tax return. So far, the government has not established any retroactive tax rules involving this year's relief effort for Japan.

Tip: You can find many earthquake relief scams online; however, it's not clear how prevalent this particular scam is. For more information on how to make tax-deductible donations safely and effectively, consult this notice on IRS.gov.

2. Gone Phishing
One of the most popular ways to scam people during tax season is to set up Websites that look as if they are an official IRS site or a legitimate tax preparation service. "We have seen some scammers pretending to be tax preparation services, abusing brand names such as TurboTax, to obtain people's personal details," said Richard Wang, manager for Sophos Labs.

Other sites are designed to trick you into downloading a PDF file laden with malware, according to Jeff Horne, director of threat research for the security company Webroot. Horne also warns that sites may try to sneak malware onto your machine using a technique called a "drive-by download." Such sites contain code looking for exploits in your browser that will enable them to download malware onto your system without your knowledge. Merely by using a vulnerable browser to visit a site, you can be victimized with bad guys wielding this technique.

Once tax-related malware is loaded on your machine, it can set up a keylogger to track everything you type into your computer, or it can search your saved documents for keywords related to tax season such as "social security" or "1040."

Tip: The best defense against drive-by downloads is to make sure that you always use the latest version of a modern Web browser, such as Google Chrome or Mozilla Firefox.

3. Black Hat SEO
One of the tricks that crooks use to lure victims into a scam is to optimize their sites for Google searches, a technique known as "black hat SEO" (the acronym stands for "search engine optimization"). Horne suspects that these sites use resources such as Google Trends and Google Insights to discover the types of tax-related searches people are requesting. Once criminals have figured out some of the more popular keywords for this year's tax searches it's not difficult for them to optimize their bogus sites for search engines.

Tip: "Never use search engines to search for tax documents," Horne said. Instead, go directly to the government site (such as IRS.gov, USA.gov, or an individual state government site ending in '.gov') to look for tax forms and other tax information.

4. Likejacking
Facebook and other social networking sites are major targets for online scammers looking to make a quick buck off tax season. Horne says that Webroot has seen some examples of 'likejacking' in which scammers try to trick you into 'liking' their scam site on Facebook. Achieving this objective may involve hiding a Facebook "Like" button under another button on a third-party Website or exploiting a weakness in your browser by using a few snippets of JavaScript to press the Like button for you.

Once you "like" the site, an external link will show up in your Facebook news feed with a scam message such as, "I just got $500 by using this free tax preparation service." Friends who see that message may be tempted to click the link leading them to a phishing site or a spam site looking to increase its ad revenue by generating Web traffic.Note, however, that some legitimate tax preparation services are promoted on Facebook by institutions such as universities as well by individual friends.

Tip: Don't choose a tax preparation service on the basis of Facebook message attributed to a friend. At the very least, talk to the friend directly to confirm that he or she endorses the service.

Three percent of online Americans still using Internet Explorer 6, dump it for the latest version of IE available for your operating system--or use a different popular browser such as Chrome or Firefox.

Never use a search engine to look for government documents. Instead, go directly to sites such as IRS.gov, USA.gov, or individual state government sites ending in .gov, and search for forms there.
Never open or download attachments included with messages claiming to be from the IRS. The wisest course may be to refrain from opening any unsolicited tax-related e-mail message, as some poisoned messages use HTML to exploit weaknesses in your browser and initiate a drive-by download.
Never do your taxes over an unencrypted wireless connection such as free Wi-Fi at Starbucks. At home, even if you use the latest wireless security encryption standards such as WPA2 there, you are better off breaking out the LAN cable and using a wired connection when dealing with sensitive financial information.
Once you're finished filing your taxes for this year, make sure that you move all of your tax-related files for safe keeping to a USB key, an external hard drive, or some other form of removable storage. Then wipe all tax files off your computer's hard drive. Tax-related malware may lurk online long after tax season is over, according to Horne. If you happen to get infected, and you've stored your tax forms in a special folder on your PC, it won't take much for a scammer to steal your identity.

IRS Advice
The IRS also has a lot of helpful information to help keep you safe from phishing and other e-mail scams. The IRS emphasizes that it never asks taxpayers for their passwords, PINs, or other secret data relating to bank accounts and credit cards. Furthermore, never initiates taxpayer communication through e-mail. If you receive a dubious e-mail message claiming to be from the IRS, you can report it by forwarding the message without altering it to phishing@irs.gov. For more online tax security tips, check out the IRS's page on how to protect your personal information.

Report: Mysterious Facebook Web Search Box Could Be Malware

2011-03-25T18:15:00.000-07:00

A Web search box some users are seeing on their Facebook interface wasn't inserted by Facebook and could be the result of malware or a rogue browser plug-in or application.

AllFacebook, a blog devoted to Facebook-related news, first reported that a second search box had begun to appear on Facebook interfaces, right next to the legitimate site search bar.

The mysterious Web search box appeared perfectly integrated into the Facebook page layout, as if it were a native Facebook feature. However, Facebook is now saying that it didn't put that second search box there and that it could be a sign of malware infection.

"We are not testing the placement of a separate web search field and have no plans to do so. We believe the second search field or 'Search the Web" box appeared on peoples' accounts as the result of unknown actions by a third party targeting the browser -- potentially a browser plugin or malware -- unrelated to Facebook," a Facebook official told technology news blog Search Engine Land.

As Facebook members, users who think they might be affected by this situation have access to a free, browser-based virus scanning tool from McAfee, according to the company.

As the most popular social network and one of the world's largest sites, Facebook is in a constant battle against malicious hackers and online scammers who want to take advantage of its massive user base to commit fraud and spread malware.

At this point, it's not clear whether the sinister search box is the result of an external malware exploit or the work of a rogue Facebook application.

Mobile Visability Limitation? There's an App for that.

2011-03-17T14:11:00.000-07:00

Last July myself and Christian Papathanasiou presented a DEF CON 18 talk entitled "This is not the droid your looking for…". The topic of Android rootkits was widely picked up by the media, but the talk was designed around the security implication that exist when a piece a malware makes its way to a mobile device.

During our research we were successfully able to remotely obtain shell access on the device over the GSM network, read the users contacts, email, and SMS messages. Locating the device using its GPS coordinates and making a phantom phone call from the device where also demonstrated. As we noted other areas of functionality could include taking photos from the phones camera, recording from the phones mic and man-in-the-middle of apps and browser activity.

Last week, it was announced that over 50 apps in the Google Android Market were found to have malware imbedded in them. This malware is capable of data exfiltration off the victims phone. In the business world, this has major implications. How many CEO's of publically traded companies where running these apps? Maybe none, but if the malware had the capabilities that we demonstrated last summer, the implications are huge. Imagine a CEO sitting in business meetings with major clients, business partners, and even investors. The malware on that device could have the capabilities of tracking his/her physical location, and recordning the conversatons.

In the not so distant future, there will be confirmed reports of two companies are in possible merger talks, not because data “leaks” out of the corporate environment, but because there is a recording of the conversation and GPS data pinning the two CEO's at the same restaurant. Neither of the CEOs is knowling recording and disclosing these conversations, but one of their mobile phones has malware on it.

With all the news today around the weakness of the Android Market submission process, it is important to understand that this problem is just limited to the Android platform, but also impacts the iOS platform as well. Last fall SpiderLabs' Eric Monti demonstrated at ToorCon 12 that you could apply these same techniques to an iPhone and install a backdoor or other piece of malware. This is accomplished by using a technique used to jailbreak a device. In the case of malware, the jailbreak turned against the end user as an exploit to gain the attacker root privileges on the device. The window of exposure on "jailbreak-able" iOS devices is very large. Seemly hours after a new version of the iOS is released, a jailbreak is available, not to be "fixed" until the next release several months later. It is important to note that a “jailbreak” is equal to a root compromise. In Eric’s research, he showed it as a silent drive-by installation requiring no user interaction.

The Android Market isn't the only mobile app shop where there is no security or content validation occurs. Many users jailbreak their iOS devices so they can install and run apps that have not been approved by Apple. Once a user has jailbroken their iOS devices, they can download apps from a marketplace called Cydia. What has recently happened in the Android Market can easily happen in Cydia, if it hasn't already. (Is anyone searching there?) This would allow a malicious developer to publish an application with malware, botnet or rootkit functionality to the jailbreak community. Given, I have run into CTO’s of security vendors that have jailbroken iPhones, this threat isn’t just limited to the tech hobbyist.

By design mobile devices place a strong layer of abstraction between the end user's interface and the underlying Operating Systems. This means that there could be a rootkit, backdoor or botnet running at the OS layer and the end user would have both no indication of its presence nor would they be able to detect its activity with the limited aid of the various security software applications on the market.

Hacking: 'An unconventional, asymmetrical act of warfare'

2011-03-09T03:09:00.000-08:00

Visit msnbc.com for breaking news, world news, and news about the economy

Rules of PCI DSS Compliance

2011-03-04T11:28:00.000-08:00

Pointers and considerations to make the compliance journey a smoother ride for your organization.

Data breaches have made news often in the past few years. When credit cardholder data is compromised, merchants face bad publicity, lasting damage to their reputations, lost business and possible fines. The global average cost of a single data-loss incident was $3.43 million in 2009, or $142 per compromised record, according to a report from the Ponemon Institute.

That’s why American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa developed the PCI DSS (Payment Card Industry Data Security Standard). Businesses with merchant identification that takes credit card payments—whether online, over the phone, or using credit card machines or paper forms—need to comply with these standards, even if they use a payment service provider.

Here are some pointers and considerations to make the compliance journey a smoother ride for your organization:

• Don’t think PCI DSS is going away. Nevada, Minnesota and Washington have incorporated all or part of PCI DSS into their laws. These states are forerunners of a movement similar to the one that led to the adoption of data-breach notification laws, which have so far been enacted by 46 states. Additionally, many banks are now asking their merchants to comply; some are even imposing fines for noncompliance.

• Don’t hide behind the fact that your payment service provider is PCI DSS-compliant. Remember that all “actors” in the credit card payment chain must comply: merchants, payment service providers, banks and hosting providers (if applicable).

• Don’t pick and choose requirements. Merchants need to comply with all the requirements applicable to their credit card payments structure, regardless of any compliance-validation mechanisms they may use. This involves having the appropriate technical and physical security safeguards, policies and procedures in place, and performing quarterly scans of the CHD (cardholder data) environment if it is connected to public networks. Merchants need to train their employees—both when they are hired and again once each year—in matters concerning credit card security. It is also important to be aware that at the highest level, if a merchant makes more than 6 million transactions per year, a qualified security assessor must come on-site to verify compliance.

• Don’t underestimate the time, cost and effort involved in PCI DSS compliance. Get C-level support to make it happen.

Steps to Compliance

What Health Care providers need to know

2011-02-26T07:48:00.000-08:00

Yes, if you do not know there are New Requirements for Fighting with Identity Theft that Health Care Providers must know about “Red Flag Rules”.

“The Red Flags Rule”, a law the FTC will begin to enforce on August 1, 2009, requires certain businesses and organizations — including many doctors’ offices, hospitals, and other health care providers — to develop a written program to spot the warning signs — or “red flags” — of identity theft” as stated by the FTC.

Basically when a person seeks health care services using someone else’s name and insurance info, is what is called identity theft.

“Every health care organization and practice must review its billing and payment procedures to determine if it’s covered by the Red Flags Rule. Whether the law applies to you isn’t based on your status as a health care provider, but rather on whether your activities fall within the law’s definition of two key terms: “creditor” and “covered account.”

Health care providers may be subject to the Rule if they are “creditors.” Although you may not think of your practice as a “creditor” in the traditional sense of a bank or mortgage company, the law defines “creditor” to include any entity that regularly defers payments for goods or services or arranges for the extension of credit. For example, you are a creditor if you regularly bill patients after the completion of services, including for the remainder of medical fees not reimbursed by insurance. Similarly, health care providers who regularly allow patients to set up payment plans after services have been rendered are creditors under the Rule. Health care providers are also considered creditors if they help patients get credit from other sources — for example, if they distribute and process applications for credit accounts tailored to the health care industry.

On the other hand, health care providers who require payment before or at the time of service are not creditors under the Red Flags Rule. In addition, if you accept only direct payment from Medicaid or similar programs where the patient has no responsibility for the fees, you are not a creditor. Simply accepting credit cards as a form of payment at the time of service does not make you a creditor under the Rule.

The second key term — “covered account” — is defined as a consumer account that allows multiple payments or transactions or any other account with a reasonably foreseeable risk of identity theft. The accounts you open and maintain for your patients are generally “covered accounts” under the law. If your organization or practice is a “creditor” with “covered accounts,” you must develop a written Identity Theft Prevention Program to identify and address the red flags that could indicate identity theft in those accounts.” as stated by the FTC.

Seattle: Capitol Hill credit card fraud wave tied to Broadway Grill

2011-02-26T07:23:00.000-08:00

The investigation into more than 100 reported cases of credit card fraud across Capitol Hill has identified a Broadway restaurant as one "point of interest." Like the victims who have had their bank and credit accounts hit for fraudulent charges in the thousands of dollars, Capitol Hill's Broadway Grill is also a victim in this wave as personal and business accounts related to the restaurant have been compromised along with accounts of a not-yet-known number of customers who ate and drank at the popular eatery.

We received the following statement from one of the partners behind the Broadway Grill, Matthew Walsh:

We take this issue very seriously and are working with both the Seattle Police Department as well as the Secret Service to find the people who have done this to everyone and have them stopped.

We have gone above and beyond to make sure that our network is completely secure and that this sort of thing can't happen to any of our customers, there has been no decline in credit/debit card use because of our actions to ensure safety. Not only were our personal accounts compromised but our business savings and operating accounts have also been compromised.

We are a tiny little company trying to manage this huge monster of a restaurant and for someone to swoop in and try to completely wipe our accounts is a really scary thing. I am seriously worried about the future of our business without the support of our community. We have been growing by leaps and bounds since I took over in June, not only in our new menu and food quality but also in our day to day operation. It is my hope that we have touched enough lives over the years to be able to count on our beloved customers for their support and continued patronage in this difficult time.

We do not know yet if Broadway Grill represents the only breached business on the Hill or if investigators have identified others in the area. On Monday, CHS reported that the Secret Service's Electronic Crimes Task Force had identified and "reduced" the threat from what the lead agent called a "point of interest" in the Capitol Hill area.

We have checked with Kroger, the parent company for QFC, about any involvement in the investigation. A QFC spokesperson told CHS he ws not aware of any contact between investigators and either of the Broadway stores. "To my knowledge, we have not been contacted by police. When we are, we will work with them," the spokesperson said earlier this week.

Meanwhile, the situation is widespread enough and people are so wary that large area institutions are dealing with relatively sizable numbers of victims. We talked to Seattle University about a a growing number of Seattle University students and employees who have experience problems with financial accounts in recent days. But Mike Sletten director of public safety for the campus, told us that the cases he is aware of all appear to be part of the Capitol Hill wave. "They all reflect that Capitol Hill theme," Sletten said.

Data leak: Human Services Agency of San Francisco

2011-02-13T08:53:00.000-08:00

February 5, 2011 2,400 Records Exposed.

A former city employee emailed the information of her caseload to her personal computer, two attorneys and two union representatives. The former employee wanted proof that she was fired for low performance because she had been given an unusually high number of cases. Certain MediCal recipients in San Francisco had their names, Social Security numbers and other personal information exposed.

Is Your Business Vulnerable to Cybercrime?

2011-02-13T08:32:00.000-08:00

It only happens to the big companies, right? While that may have been the conventional thinking in the past, cybercrime is finding large businesses, government institutions, and even individuals as its victims and as the Internet becomes increasingly integrated in to our daily lives, cybercrime continues to become more widespread.

Business is often about timing. Each day you have deadlines and if they aren’t met, you lose money. If you can’t get to your data for any reason, your day and the future of your business may be at risk. With data being so important to businesses of all sizes, it would be reasonable to believe that much like liability insurance, businesses are protected but that’s far from a true.

A recent survey concluded that 52% of all business don’t have an IT security policy. Their data simply isn’t held under cyber lock and key like it should be and their employees are free to practice internet usage while at work in any way that they see fit.

If your business is in the 52% crowd, something has to change and it has to change today. What can you do to decrease your risk of cyber attack?

Back Up Your Data

Just like in our real lives, not being a victim of theft often starts with common sense. Your data is too important to only be in one place and you should never trust somebody else to back it up. Copy your data and place it some place secure. If you can fit it all on to a portable hard drive or some other piece of hardware that isn’t connected to the internet, do that once per week. If you can’t, find an online backup service that will automatically do this for you

Cyber crooks targeting smartphones: McAfee

2011-02-13T08:28:00.000-08:00

Smartphones have become prime targets for hackers and spammers, computer security firm McAfee said.

The number of pieces of malicious software, referred to as "malware," surged 46 percent last year as compared with 2009, according to a McAfee Threats Report for the final three months of 2010.

"Cybercriminals are keeping tabs on what's popular, and what will have the biggest impact from the smallest effort," said McAfee Labs senior vice president Vincent Weafer.

"We've seen a significant shift in various regions, showing that cybercriminals are tapped in to trends worldwide," he continued. "McAfee Labs also sees the direct correlation between device popularity and cybercriminal activity, a trend we expect to surge in 2011."

McAfee has seen software threats to mobile devices steadily increase in recent years as the popularity of smartphones and tablet computers has climbed.

"Threats to mobile platforms are not new," McAfee said in the report. "However, as more consumers use mobile devices and tablets in their daily lives and at work, cybercriminals have taken note."

Geinimi malware slipped into legitimate games and other applications for Android-based mobile phones was listed by McAfee as "one of the most important threats of the quarter."

As greater varieties of smartphones, tablets, televisions, and computers link to the Internet, hackers are likely to resort to "poisoning" Internet search results with links to websites booby-trapped with malware, according to McAfee.

"Web-based threats will continue to grow in size and sophistication," McAfee said.

Malware Aimed at Iran Hit Five Sites, Report Says

2011-02-12T09:48:00.000-08:00

The Stuxnet software worm repeatedly sought to infect five industrial facilities in Iran over a 10-month period, a new report says, in what could be a clue into how it might have infected the Iranian uranium enrichment complex at Natanz.

The report, released Friday by Symantec, a computer security software firm, said there were three waves of attacks. Liam O Murchu, a security researcher at the firm, said his team was able to chart the path of the infection because of an unusual feature of the malware: Stuxnet recorded information on the location and type of each computer it infected.

Such information would allow the authors of Stuxnet to determine if they had successfully reached their intended target. By taking samples of Stuxnet they had collected from various computers, the researchers were able to build a model of the spread of the infection. They determined that 12,000 infections could be traced back to just five initial infection points.

Between June 2009 and May 2010, the program took aim at specific organizations in Iran on three occasions, Symantec research noted in an update of a research report the company published last year.

The Symantec team said it had collected five Internet domains that were linked to industrial organizations within Iran. They said because of the company’s privacy policies, they would not disclose the domain names.

“All of the domains are involved in industrial processing,” Mr. O Murchu said in an interview.

It is likely that a classified site like Natanz is not connected directly to the Internet. Therefore, an attacker might try to infect industrial organizations that would be likely to share information, and the malware, with Natanz.

At least three and possibly four versions of the program were probably written, and the researchers discovered that the first version had been completed just 12 hours before the first successful infection in June 2009. The researchers speculated that the first step in the infection was either an infected e-mail sent to an intended victim or a hand-carried USB device that carried the attack code.

When international inspectors visited Natanz in late 2009, they found that almost 1,000 gas centrifuges had been taken offline, leading to speculation that the attack may have disabled a portion of the complex.

In April 2010, the attackers again tried to distribute the program. This time they found a new vulnerability in Windows-based computers to be infected with a USB device and most likely successfully inserted the program that way at an unknown location inside Iran.

The Symantec researchers also said they had determined that the malware program carried two different attack modules aimed at different centrifuge arrays, but that one of them had been disabled.

Stuxnet first infected Windows-based industrial control computers while it hunted for particular types of equipment made by the Siemens Corporation. It was programmed to then damage a uranium centrifuge array by repeatedly speeding it up, while at the same time hiding its attack from the control computers by sending false information to displays that monitored the system.

Red Flags Rule Compliance: The Feds May Be The Least Of Your Concerns

2011-02-08T17:41:00.000-08:00

By Larry M. White

After several false starts, the FTC has finally initiated enforcement of the Fair and Accurate Credit Transactions Act's, Red Flags Rule, and has placed the burden of policing identity theft activity squarely on the shoulders of both big and small businesses.

However, the FTC may be the least of your concerns if you originate credit for an identity thief because attorneys across the country have been eagerly awaiting this dangerous and virtually impossible regulation. Your problem? Verifying the identity of your customer.

If you don't have required and accepted procedures in place to do so, it could cost you everything you've ever worked for. Your Required Red Flags Rule Policy & Program. First, your operation must develop and implement a Red Flags Rule Policy which must include four required key elements in addition to other regulations and issues that must be addressed.

To demonstrate the importance the FTC places on the Rule, your operation's Board of Directors is required to approve your Red Flags Rule Policy and Program. For those operations without a board, a committee of senior management must approve the initial Program and monitor it on an annual basis.

But don't be misled!

Simply downloading a "template" from the internet might possibly get you off the hook with the feds, but it probably won't suffice in litigation with an identity theft victim's lawyer. Attorneys already view this regulation as a "cash cow", and if one of your customers points the finger at your company because someone was using their identity unchallenged, rest assured the victim's attorney will request your written Red Flags Rule Policy and documentation of required staff training.

If you don't have a Policy, or it is poorly written, the plaintiff will most likely allege a breach of duty to protect a consumer's identity information, or in other words, "wilful non-compliance", which is as bad as it sounds. Read more...

A Blind Eye to Cyber Crime?

2011-02-05T21:27:00.000-08:00

Small Businesses Think It Won't Happen To Them

It's almost like it was written to be a movie script. The victims blindly walk into a huge trap plotted by the villains. The crime? Fraud -- lots of it. In the end, the villains get away with the proceeds, leaving the hapless victims penniless.

Problem is: This crime is not just playing out on the movie screen; it is happening in real life. Recent ACH fraud victims can attest to this fact. Ask Village View Escrow, PATCO construction or Choice Escrow.

"Doing right by educating your customers is a great start. If you're already doing it, do more."

Yet, despite these high-profile incidents, the results of a recent survey from the National Cyber Security Alliance say that small businesses are oblivious to the dangers they face from cybercrime. This statement should be a real wake-up call for not just the small businesses, but also the institutions that serve them.

Small business owners polled by Visa and the NCSA say they increasingly believe investments in cybersecurity are not justified by actual online threats, and the majority of cybercrime is focused on attacking large companies.

This attitude is manifested in practice, as 75 percent of owners say their employees have received less than three hours of network and mobile device security training in the past year, with 47 percent saying their employees received zero hours of training.

According to the Visa survey, more than 85 percent of small business owners believe that they are less of a cybercrime target than large companies, and 54 percent believe they are more prepared to secure sensitive customer and corporate data than large businesses. In addition, 84 percent agree that they have the policies and procedures in place for keeping data and computer systems secure.

The findings are surprising in light of growing concern from security experts and law enforcement that hackers and cybercriminals are honing in on small businesses as their new targets. In October, Ukraine authorities arrested a number of individuals who allegedly stole $70 million from U.S. bank accounts in an elaborate scheme targeted at U.S. small and medium-sized businesses.

What can financial institutions do to help raise awareness among their business customers? For a start, institutions of every size need to do much more to reach out and talk to their commercial account holders, educate them about the need for cybersecurity and sound security policies. Think of holding a "security 101" class for your small businesses to help them get up to speed on what they need to do to protect themselves and their customers. Along with creating some goodwill among your small business account holders, you'll be doing double duty in protecting your interests as well. Imagine having to tell the same businesses that their commercial accounts were hit in a corporate account takeover scheme and they're out thousands of dollars, or that their point of sale terminal shows that it has been swapped and a hacker has taken hundreds of their customers' credit card numbers. Doing right by educating your customers is a great start. If you're already doing it, do more.

Small businesses underestimate their cybercrime risk

2011-02-05T21:22:00.000-08:00

Most small-business owners say they don't think cybercrime will happen to them, data show. While 84% of small-business owners say they have procedures in place to keep their data safe, about the same percentage say they think bigger companies are more of a target, according to a survey sponsored by Visa and the National Cyber Security Alliance.

Rising Number of Information Security Breaches in U.S. Authorities Consider Mandatory Reporting

2011-02-05T21:20:00.000-08:00

Recently, identity theft center revealed 662 instances of data breach in U.S over the last year. However, there are no accurate figures on the number of records breached. Data breach may be caused by hacking, human error, phishing, employee theft and other forms of malicious attacks. Data breach results in disclosure of sensitive personal, financial and business information. The information may include names, addresses, social security numbers, protected health information (PHI), credit card number, bank account details, company strategies and confidential reports. Offenders may use the collected information for identity theft or to steal money. Offenders may also sell the information to their underground peers or to the competitors of an organization. Majority of the reported breaches were related to disclosure of social security numbers and, credit and debit card details. Therefore, individuals and organizations must place high emphasis on information security.

However, several data breaches go unreported. Negligence, lack of awareness on the consequences of data breach and reluctance to initiate legal action are some of the reasons that prevent affected individuals from reporting data breach incidents. In some cases, data breach reports by public authorities and organization do not contain specific details on the type of data breach, number of records compromised and number of individuals affected. Only 51% of the data reported breaches indicated the number of records compromised. Proper reporting of data breach is crucial to understand the threat pattern, severity of threats, consequences of the data breach and mitigating measures required.

Organizations must educate their employees on safe computing practices to avoid data disclosure and theft. Regular vulnerability assessment tests and use of ethical hacking may aid the organization in understanding the threats and initiating counteractive measures.

Identity Theft “Red Flag Rules” Raise Ire of AMA

2011-02-05T21:05:00.000-08:00

Nο one wаntѕ tο bе thе target οf identity theft, аnd уеt, despite consumer awareness аnd prevention practices, іn 2008 ten million people wеrе victimized. It seems lіkе everyone ѕhουld bе overjoyed аt programs tο curb thіѕ threat frοm thе creditor’s side.

Nοt ѕο. Sοmе organizations, such аѕ thе American Medical Association, feel thаt thеіr members ѕhουld bе exempt frοm developing аnd implementing written identity theft prevention аnd detection measures.

Resistance frοm thе AMA hаѕ bееn ѕο strong thаt thе deadline fοr putting thе Red Flag Rules іntο practice hаѕ bееn delayed 3 times ѕіnсе іt’s inception іn November 2007. Thе nеw deadline іѕ November 2009.

Banks аnd οthеr credit issuing entities аlѕο object tο monitoring thе 26 red flags designed tο prevent anyone frοm using another person’s identity – fοr gaining credit, fοr getting a job, fοr renting аn apartment, οr fοr obtaining medical care under another’s insurance policy.

Whу? Thеу feel thаt thе nеw rules аrе “excessive аnd overly burdensome.” Hυgе banks wіll probably hаνе nο trουblе wіth compliance, bυt smaller organizations without a large staff mау hаνе tο hire 3rd party companies tο carry out thіѕ function. Eіthеr way, implementing thе Red Flag rules wіll сυt іntο profits.

One objection frοm thе AMA іѕ thаt physicians ѕhουld nοt bе classified аѕ “creditors,” even though thеу grant credit whеn thеу accept payments fοr care, οr whеn thеу wait fοr payment until аn insurance company responds tο billings.

Lawmakers аrе nοt heeding thіѕ argument, bесаυѕе thеу аrе particularly concerned wіth “medical identity theft.” Nοt οnlу саn thieves obtain medical care using someone еlѕе’s insurance, thе resultant medical records сουld bе medically dаngеrουѕ tο thе person whose identity wаѕ stolen.

Exclusive: “Anonymous” speaks out about WikiLeaks payback

2010-12-10T07:06:00.000-08:00

A group who refers to itself as Anonymous has as taken credit for a recent string of high-profile cyber attacks against the websites of businesses, banks and politicians that have either spoken out against or stopped doing business with WikiLeaks.

Cyber attacks, dubbed Operation Payback, targets those who have caved into US government pressure to shun the whistleblower website that recently released thousands of classified US diplomatic cables.

The activist hackers have attacked MasterCard.com, PostFinace, Visa, Paypal.com, and others.

For the first time, in an exclusive interview with RT’s Alyona Minkovski, an unidentified representative of the group explained they will always have technology on their side and be one step ahead to continue to fight challenges to free speech.

The goals are to show these companies that people are willing to fight for the vindication of WikiLeaks.

“We have been DDoS’ing sites,” he explained. “We have been flooding them with traffic so other people cannot use them and they have been taken down like this and they cannot operate like this anymore. We’ve been attacking them, we’ve been DDoS’ing them so people can’t buy things, people can’t make transactions.”

He explained the relation is to send a message to these companies and individuals who are taking money from WikiLeaks and refusing service, specifically citing Paypal.com.

“Anyone can do it. Anyone has a voice that can stand up and do it,” the representative said. “They can just load up a browser, type in the details; they can volunteer for this, and have a voice of their own.”

However, to do so would be illegal in most countries. But, he pointed out the chances of getting caught are practically zero. His organization coordinates attacks, but the attacks themselves are carried out by a team of massive volunteers globally who are well aware of the risk.

Since the attacks began, “Anonymous’” Facebook and Twitter accounts have been suspended, but the representative explained that action has had little impact on their efforts.

The attacks and actions by the group are a protest, a revolution, he explained.

Although the media had reported the group planned coordinated attacks on Amazon.com, the groups representative said they do not have any malicious plans to take on Amazon nor had they attempted to. He also said the group was not responsible for any coordinated attacks or hacks on Sarah Palin, although she claims to have been a target.

“We don’t really care about Sarah Palin that much, to be honest. I don’t really know what she’s trying to accomplish or what attention she is trying to gain. We personally don’t care about Sarah Palin,” he added.

Congress Considers Change to 'Red Flags Rule

2010-12-03T07:56:00.000-08:00

The American Bar Association has been battling for more than a year to exempt lawyers from new regulations designed to fight identity theft. Now, Congress has decided to step in.

With no fanfare and no recorded vote late Tuesday, the Senate approved legislation that could accomplish what the ABA was hoping to achieve. The bill would narrow the definition of “creditor” under the Fair and Accurate Credit Transition Act of 2003, likely ensuring that lawyers would not meet the new definition.

An ABA spokeswoman said the group is optimistic about House passage, possibly this week.

The regulations over identity theft were written by the Federal Trade Commission, and they’re popularly known as the “Red Flags Rule.” FTC regulators have interpreted the term “creditor” to include those who perform services and get paid at a later date, as many lawyers do. Other professional groups, including accountants and physicians, have protested their inclusion, too.

The bill, S. 3987, would define a creditor largely as someone who uses credit reports, furnishes information to credit reporting agencies or “advances funds…based on an obligation of the person to repay the funds or repayable from specific property pledges by or on behalf of the person.”

Sen. John Thune (R-S.D.) introduced the bill Tuesday with Sen. Mark Begich (D-Alaska) as a co-sponsor. In a prepared statement, they said the FTC was threatening small businesses.

“Small businesses in South Dakota and across our country are the engines of job growth for America,” Thune said. “Forcing them to comply with misdirected and costly federal regulations included in the FTC Red Flags Rule will hurt their ability to create jobs and continue growing our economy.”

ABA President Stephen Zack said in a prepared statement: “Last night’s Senate vote to clarify the rule so that lawyers are clearly not included was a critical step in ending a bureaucratic effort to solve a non-existent problem with paper-pushing regulations that would have increased legal costs.”

The fight over the Red Flags Rule has also played out in court after the ABA sued the FTC. In October 2009, U.S. District Judge Reggie Walton of the District of Columbia ruled in favor of the ABA. The U.S. Court of Appeals for the D.C. Circuit heard the FTC’s appeal last month.

After FTC Settlement, LifeLock Refund Checks Going out

2010-11-23T07:08:00.000-08:00

The check is in the mail for nearly a million LifeLock customers, after the provider of identity-theft protection services settled accusations of deceptive advertising.

The checks, for US$10.87, started going out Wednesday, according to the U.S. Federal Trade Commission, which is managing part of the $12 million settlement.

LifeLock drew attention after CEO Todd Davis published his Social Security number in company advertisements, saying he was so confident in his company's services that he was making it public. It was later discovered that Davis had become the victim in at least 13 cases of identity theft.

The FTC and 35 state attorneys general accused LifeLock of making false claims, saying it didn't protect against some of the most common types of identity theft, such as theft from existing bank accounts. They reached a little settlement with LifeLock in March and the checks are being mailed as part of that settlement.

In March, LifeLock said it was pleased with this agreement because it set advertising guidelines for the entire identity-theft protection industry.

The checks are being sent to 957,928 people who signed up for LifeLock's $10-per-month identity-theft protection service. Customers will have 60 days to cash their checks. The refund's administrator has set up a toll-free number for people with questions at 1-888-288-0783

Dozens charged with largest Medicare scam ever

2010-10-14T09:38:00.000-07:00

A vast network of Armenian gangsters and their associates used phantom health care clinics and other means to try to cheat Medicare out of $163 million, the largest fraud by one criminal enterprise in the program's history, U.S. authorities said Wednesday.

Federal prosecutors in New York and elsewhere charged 73 people. Most of the defendants were captured during raids Wednesday morning in New York City and Los Angeles, but there also were arrests in New Mexico, Georgia and Ohio.

The scheme's scope and sophistication "puts the traditional Mafia to shame," U.S. Attorney Preet Bharara said at a Manhattan news conference. "They ran a veritable fraud franchise."

Unlike other cases involving crooked medical clinics bribing people to sign up for unneeded treatments, the operation was "completely notional," Janice Fedarcyk, head of the FBI's New York office, said in a statement. "The whole doctor-patient interaction was a mirage."

The operation was under the protection of an Armenian crime boss, known in the former Soviet Union as a "vor," prosecutors said. The reputed boss, Armen Kazarian, was in custody in Los Angeles.

Bharara said it was the first time a vor — "the rough equivalent of a traditional godfather" — had been charged in a U.S. racketeering case.

Kazarian, 46, of Glendale, Calif., and two alleged ringleaders — Davit Mirzoyan, 34, also of Glendale, and Robert Terdjanian, 35, of Brooklyn — were named in an indictment charging racketeering conspiracy, bank fraud, money laundering and identity theft.

The indictment accused Terdjanian and others of hatching other schemes involving stolen credit cards, untaxed cigarettes and counterfeit Viagra. It also alleges that during a meeting last year at a Brighton Beach restaurant, Terdjanian pulled a knife on someone who owed him money "and threatened to disembowel the individual if the debt was not paid."

A judge jailed Terdjanian without bail on Wednesday at a brief hearing. Afterward, his attorney said his client denies the charges.

Kazarian and Mirzoyan were scheduled to appear in court Wednesday in Los Angeles.

Authorities began the New York-based investigation after information on 2,900 Medicare patients in upstate New York — including Social Security numbers and dates of birth — were reported stolen.

The defendants in the New York case also had stolen the identities of doctors and set up 118 phantom clinics in 25 states, authorities said. The names were used to submit fake bills for care that was never given, they said.

Some of the phony paperwork was a giveaway: It showed eye doctors doing bladder tests; ear, nose and throat specialists performing pregnancy ultrasounds; obstetricians testing for skin allergies; and dermatologists billing for heart exams.

Sacremento credit-card fraud traced to one restaurant

2010-10-05T19:35:00.000-07:00

Roseville police are warning people eating out in Roseville to avoid using their debit cards and to pay with cash or use credit cards. Police said hackers have stolen well over 200 people’s information after they ate out at various restaurants and eateries. “We believe the breach is not actually at the restaurant but a third party vendor that's in the process between using your credit card at the restaurant and actually billing the bank,” said Capt. Stefan Moore.

Latest Zeus attack propagated via fake iTunes receipt

2010-10-05T19:27:00.000-07:00

U.S. and international authorities may have just made a serious dent in the manpower behind the Zeus botnet, but dozens of arrests aren't stopping the data-stealing trojan from spreading.

The latest Zeus spam campaign targeted iTunes users and attempted to trick them into installing the insidious malware, designed to hijack online banking credentials from its victims, security firms warned this week.

The messages, which appeared to have been sent from Apple's iTunes Store with the address donotreply@itunes[dot]com, arrived with the subject "Your receipt #" followed by a random number, Fred Touchette, senior security analyst at email protection vendor AppRiver, wrote in a blog post Tuesday. The fake receipts claimed the recipient's iTunes order cost hundreds of dollars.

“People buying music from iTunes are getting used to seeing these receipts in their inboxes,” Touchette told SCMagazineUS.com on Tuesday. “If [attackers] can get them nervous about the amount of the receipt, they can get them to click on a link.”

Links in the bogus receipt lead to one of approximately 100 domains ending in .info, all of which were registered with GoDaddy. Once clicked, the links redirected users to another site where the Zeus trojan is waiting to infect victims.

The final site that users landed on attempted to automatically download a file claiming to be Adobe Flash Player, but it actually was the malicious payload, Touchette said.

The messages began cropping up on Friday, not long after a separate spam run spoofing the social networking site LinkedIn aimed to foist Zeus on victim PCs. The iTunes campaign is no longer active, and all the domains that attackers were using have been blacklisted, Touchette said.

In the past, attackers have used fake iTunes receipts to lure users to websites selling pharmaceuticals, as well as phishing sites that try to trick users into logging into fake web pages to dupe them into handing over account credentials, researchers at Mac security firm Intego, wrote in a blog post Tuesday.

U.S. and foreign authorities last week announced a series of arrests disrupting an international cybercrime operation linked to Zeus.

The latest attacks indicate that even in spite of last week's arrests, the cyber gangs that use Zeus have not been phased and do not plan on stopping, Touchette said.

“Zeus hasn't shown any signs of letting up,” he said. “Zeus has been so readily available on the underground forums as a kit that many people have their hands on it. It's going to be difficult to put a dent on its output.”

Cyber-criminals steal identity of one of the world's top security chiefs using Facebook

2010-10-04T18:50:00.000-07:00

The head of Interpol has warned that cyber-crime is the 'most dangerous criminal threat we will ever face' after fraudsters stole his identity on Facebook.

Security chief Ronald K. Noble revealed that two fake accounts were created in his name and used to find the details of highly-dangerous criminals.

The embarrassing security breach saw one of the impersonators used the false profile to obtain information on fugitives convicted of serious crimes including rape and murder.

Victim: The head of Interpol Ronald K. Noble has warned about the threats of cyber-crime after his identity was stolen on Facebook

The police chief has now warned that there could be devastating consequences of a terrorist cyber attack as he addressed officials at the first Interpol Information Security Conference in Hong Kong.

He said: ' Just recently Interpol's Information Security Incident Response Team discovered two Facebook profiles attempting to assume my identity as Interpol's secretary general.

'One of the impersonators was using this profile to obtain information on fugitives targeted during our recent Operation Infra Red.

'Cyber-crime is emerging as a very concrete threat. Considering the anonymity of cyberspace, it may in fact be one of the most dangerous criminal threats we will ever face.'

As the world's leading cross-border police agency Interpol, is responsible for working with international police forces.
But the details were stolen during Operation Infra Red in which senior investigators from 29 countries targeted criminals on the run from crimes including murder, paedophilia, drug trafficking and money laundering. It led to more than 130 arrests

It is believed the cyber-criminals created Facebook profiles claiming to be Mr Noble. From there they gathered sensitive information about the suspects.

Mr Noble spoke publicly about the scam for the fist time to hundreds of top security chiefs from 56 countries who were gathered at the conference last Friday.

He warned that terrorist could use methods similar to cyber-criminals who hack into victims' to steal financial details.

Mr Noble added: 'Just imagine the dramatic consequences of an attack, let's say, on a country's electricity grid or banking system," he said.

'We have been lucky so far that terrorists did not -- at least successfully or at least of which we are aware - launch cyber-attacks.
'One may wonder if this is a matter of style. Terrorists may prefer the mass media coverage of destroyed commuter trains, buildings brought down, to the anonymous collapse of the banking system. But until when?'

A recent study found that almost two thirds of all adult web users globally have fallen victim to some sort of cyber-crime from spam email scams to having their credit card details stolen.

China had the most cyber-crime victims, at 83 percent of web users, followed by India and Brazil, at 76 percent each, and then the US, at 73 percent, according to the 2011Norton Cyber-crime Report: The Human Impact.

The study of more 7,000 Internet users, also found that 80 percent of people believed the perpetrators would never be brought to justice. Fewer than half ever bother to report the crime to police.

Stacey Wu from internet security firm Symantec said: 'Identity and personal information theft is a big problem. It is no longer just high school kids in their bedrooms sending out malicious emails. It's organised criminals.'

FBI says cyber-thieves stole $70 million

2010-10-04T18:15:00.000-07:00

More suspects arrested Friday in what appears to be global crime ring.

The FBI and law enforcement agencies in Ukraine, the Netherlands and Britain are tracking down international cyber criminals who stole $70 million by using malicious software that captured passwords and account numbers to log onto online bank accounts.

At a press briefing Friday, the FBI said Operation Trident Breach began in May 2009 when agents in Omaha, Nebraska, were alerted to some of the stolen money, which was flowing in bulk payments to 46 bank accounts around the United States.

Ukrainian authorities have detained five people thought to have participated in some of the thefts and Ukraine has executed eight search warrants in the ongoing investigation.

Gordon Snow, the FBI's assistant director in charge of the cyber division, said police agencies overseas were instrumental in finding criminals who designed the malicious software, others who used it and still others called "money mules," who transferred the stolen funds to havens as distant as Hong Kong, Singapore and Cyprus.

Many of the victims were small- and medium-sized businesses that do not have the money to invest in high-level computer security.

On Thursday, 37 people were charged in papers unsealed in federal court in Manhattan with conspiracy to commit bank fraud, money laundering, false identification use and passport fraud for their roles in the invasion of dozens of victims' accounts. Fifty-five have been charged in state court in Manhattan.

The Achilles Heel of PCI Compliance

2010-10-04T14:56:00.000-07:00

The payments industry has made significant improvements toward complying with the Payment Card Industry Data Security Standard. But, as Verizon Business' Wade Baker explains, it's the maintenance of PCI DSS compliance that seems to pose the biggest challenges.

This week, Verizon Business releases its 2010 Payment Card Industry Compliance Report, a study that analyzes 200 selected PCI assessments conducted in 2008 and 2009 by Verizon's Qualified Security Assessors. The report reviews how companies are attaining and maintaining PCI compliance. Among the key findings this year: Businesses and organizations struggled most with PCI requirements regarding tracking and monitoring access, as well as meeting the demands for system and process testing and the protection of stored cardholder data.

"Companies struggle with anything they have to maintain over time that requires constant attention," says Baker, director of risk intelligence for Verizon and one of the PCI report's authors. "Just because you were validated at a point in time does not mean that's going to remain static all year."

Lack of Diligence

What often leads to breaches at once-PCI-compliant companies, Baker says, is a lack of consistency and diligence. Companies are not maintaining PCI compliance. "If you don't maintain compliance by constantly reevaluating and upgrading systems, that compliance will erode over time. It erodes down to the point where they are weak, and that's when a breach occurs," he says.

Of organizations Verizon reviewed or assessed for the report, only 22 percent were consistently compliant with PCI requirements from one year to the next. "They gain compliance and they're validated in year one, and then by year two they've lost a little bit," Baker says. "That's a very interesting trend."

Baker is quick to point out that the companies Verizon found that had been breached were not PCI compliant at the time, but had been PCI compliant at some point in the past.

Most payments companies, he says, are doing a better job at staying compliant, but improvements in corporate mindsets are needed. "Certain attacks are going down, and I think a lot has to do with the PCI DSS. But other types of attacks are going up," Baker says.

In Verizon's Data Breach Investigations Report, which also was recently released, Verizon notes that while the number of data base breaches has dropped, the compromise of records has increased. "Personal information in records, like medical records, has value to criminals," Baker says. "But there is a lot of positive momentum in that range, as well," to better protect consumer information.

PCI Common Sense

The vast majority of breaches are preventable, Baker says. Only a small percentage of breaches require sophisticated controls. "Following the security basics, Security 101 and 102, consistently and comprehensively across the organization is rule No. 1," Baker says. "And that would knock out many of these breaches."

Verizon notes that 90 percent of all breaches could have been prevented with something simple, like changing a password. Chris Novak, who works in Verizon's forensics unit, said during his presentation at the PCI Community Meeting in September, that only 15 percent of breaches are high-tech. "The majority of the breaches we see are of moderate complexity," he said. SQL injections top the list and are the most easily prevented, Novak says.

Baker also points to the exploitation of default credentials or stolen credentials as ranking high on the compromise list. "An attacker just goes and starts hammering away at an application and tries 'admin' and 'password' and other combinations that are set at the factory on certain devices and systems," Baker says. "All too often, just trying that a few times allows the attacker in, and then he can do whatever he wants to do from that point on."

Iran's nuclear agency trying to stop computer worm

2010-09-25T14:49:00.000-07:00

TEHRAN, Iran – Iranian media reports say the country's nuclear agency is trying to combat a complex computer worm that has affected industrial sites in Iran and is capable of taking over power plants.

The semi-official ISNA news agency says Iranian nuclear experts met this week to discuss how to remove the malicious computer code, dubbed Stuxnet, which can take over systems that control the inner workings of industrial plants.

Experts in Germany discovered the worm in July. It has since shown up in attacks in Iran, Indonesia, India and the U.S.

IRS Letters to Citizens Still Ripe for Identity Theft

2010-09-23T15:52:00.000-07:00

The Internal Revenue Service (IRS) has yet to comply with a May 2007 federal order to remove the unnecessary use of Social Security numbers from correspondence with citizens, which can lead to identity theft, according to a recent report by the Treasury Inspector General for Tax Administration.

According to the report, the Office of Management and Budget (OMB) gave federal agencies 120 days to develop a plan to eliminate the unnecessary collection and use of social security numbers and 18 months to implement the plan.

Although the IRS has a plan in place, it has yet to draft detailed implementation and compliance management milestones, and target dates have not yet been established to eliminate or reduce taxpayer Social Security numbers from its correspondence with the public, according to the Inspector General’s report.

“Taxpayers need to be assured that the IRS is taking every precaution to protect their private information from inadvertent disclosure,” according to the Inspector General.

The number one consumer complaint during 2009 was identity theft, which often requires identity thieves to use victims’ Social Security numbers, according to a 2010 Federal Trade Commission report.

In 2010, the IRS mailed more than 42 million notices and letters to individual taxpayers for various reasons, including balance due notices. Most of those notices and letters included taxpayers’ Social Security numbers because they required the taxpayers to respond to the IRS.

The IRS submitted the first release of its plan to reduce or eliminate the use of Social Security numbers to the Department of the Treasury in November 2007 and has provided three releases of its plan since then, the last in February 2009.

However, to date it has only redacted or shortened taxpayers’ Social Security

numbers from only a small number of systems, notices, and forms, and there are no target dates for decisions on whether taxpayers’ Social Security numbers can be removed from notices and letters, according to the Inspector General’s report.

Senators Introduce Federal Data Breach Notification Bill

2010-08-28T08:02:00.000-07:00

On August 5, 2010, the Chairman of the Senate Commerce Subcommittee on Consumer Protection, Product Safety, and Insurance Mark Pryor (D-AR) and Full Committee Chairman John Rockefeller (D-WV) introduced the “Data Security and Breach Notification Act of 2010,” S. 3742, which would require businesses to protect personal information in their possession, to notify residents if that information is breached, and to adopt a data security policy.

Currently, there is no federal notification requirement for a data breach in most industries, although the vast majority of states have enacted data breach notification laws. The proposed bill requires entities to notify consumers within 60 days of a breach and to provide consumers with two years of credit monitoring services.

The proposed bill would authorize the FTC to set national standards for safeguarding personal information and to seek up to $5 million in civil penalties for failure to comply.

If enacted, the bill would preempt all state data breach notification and data security laws and regulations. Only companies covered by the Fair Credit Reporting Act and in compliance with that act would be exempt from the proposed law. Last month, Sens. Tom Carper, D-DE, and Robert Bennett, R-UT, reintroduced a similar bill, S. 3579.

False Sense of Computer Security

2010-08-26T13:00:00.000-07:00

A team of security analysts found that most leading anti-spyware and anti-virus software fail to detect commonly used keyloggers.

Keyloggers are designed to silently record all of one's computer activity. They are commonly used for parents to monitor their children's computer activity. Now they are being used for criminal activity ranging from spying on individuals, identity theft and data theft.

The security team at SpyReveal tested the leading anti-spyware and anti-virus software against ten of the most popular keyloggers. The results were astonishing! Most of the leading security software used to combat viruses and spyware failed to detect 70% of the keyloggers. While most failed to detect any keyloggers at all, SpyReveal successfully detected all keyloggers.

Computer users are receiving a false sense of security when installing various security applications. With the explosion in online banking, the proliferation of identity theft is greater than ever. Many users install an anti-spyware solution with the expectation of being safe from identity theft. Unfortunately, they are still at an extremely high risk for identity theft and data logging.

"More and more news stories are being published of hackers who have obtained credit card records by using keyloggers", said Mr. Hankinson, SpyReveal's co-founder. "Yet, we still see major players in the security industry continue to fail at this specific type of problem."

Still don't think you or your business is at risk? Take for example Verizon's 2009 Data Breach Investigations Supplemental Report which states "Keyloggers and spyware.... played a crucial role in larger breach scenarios in which hundreds of millions of records were compromised."

"Consumers and businesses should not rely on a single solution for security. Each has a specific purpose. We want consumers to realize that even though their anti-spyware software says 'Nothing Found', that any keylogger could still be present, recording credit card information or business intellectual property," Mr. Hankinson added.

It is important for users to purchase security solutions that are designed for a dedicated purpose to receive the highest degree of protection, without being too narrow. With software like SpyReveal, you can rest assured that you are protected from most keyloggers available on the open market.

Jennifer Aniston named as victim of salon fraud

2010-08-19T14:21:00.000-07:00

The owner of a Beverly Hills beauty salon was arrested on Wednesday on charges of stealing credit card information from Jennifer Aniston, Anne Hathaway and Liv Tyler and running up tens of thousands of fraudulent payments on their accounts.

According to court documents in the case, a witness claimed that Cher, Melanie Griffith and former "Felicity" television star Scott Speedman were also victims of the fraud.

The owner of Chez Gabriela Studio is accused of swindling $214,000 from Tyler alone in a five-month period last year, according to a court affidavit.

The U.S. Attorney's office in Los Angeles said salon owner Maria Gabriella Perez, 51, is accused of making at least $280,000 of fraudulent charges in a one-year period.

Perez is alleged to have used credit card information provided by celebrities and other clients for legitimate services, and later entered the details manually to run up unauthorized charges.

Aniston, Hathaway, Cher, Tyler, Griffith and Speedman were named in the court papers as among those who saw unauthorized charges on their credit cards.

Representatives for Cher, however, told celebrity website TMZ.com that the singer and actress was not a victim and did not know why she had been named in the court papers.

Rogue AV: A wolf in sheep's clothing

2010-08-08T09:33:00.000-07:00

Rogue anti-malware, also known as rogue AV, has become the delivery vehicle of choice for the cybercriminals seeking to infect endpoints with their payloads. Those endpoints consist of both the consumer and enterprise. The ESET Global Threat Trends Report for April 2010 contains a short article called “Free but Fake.” Better yet, one of our most active researchers, Cristian Borghello from our Latin American office, wrote an excellent paper on rogue anti-malware.

If you haven't had a chance to view the convincingly crafted fake scans from our various rogue AV pages, here's one that I took off of one of my testing workstations prior to the infection. The first stage requires the user to take a particular action. In this case – and many others – it can't infect the system without human assistance.

According to a recent paper on large-scale exploits and emergent threats that Google released in late April at the Usenix Workshop, rogue AV accounts for more than 15 percent of all malware Google detects. In the report, Google outlines that from January 2009 until February 2010, more than 11,000 domains were involved in rogue AV distribution.

I have also had recent discussions with colleagues over fake/rogue anti-malware that didn't break the law by infecting endpoints. This isn't actually fake security software, just highly substandard with disproportionately strong messaging.

This aligns strongly with an article from Bruce Schneier that I recall reading entitled “A Security Market For Lemons” (Wired, April 2007). In his article Bruce states:

““Of course, it's more expensive to make an actually secure USB drive. Good security design takes time, and necessarily means limiting functionality. Good security testing takes even more time, especially if the product is any good. This means the less-secure product will be cheaper, sooner to market and have more features. In this market, the more-secure USB drive is going to lose out.”

Bruce closes the article with:

““With so many mediocre security products on the market, and the difficulty of coming up with a strong quality signal, vendors don't have strong incentives to invest in developing good products. And the vendors that do tend to die a quiet and lonely death.”

I agree that a new tactic that's not illegal, such as a deluge of confusing messages and products (more than our customers currently experience), has the potential to impact the revenue of legitimate companies and leads the end-user into having a false sense of security with a highly inert product.

So what do we do about blatantly rogue anti-malware? Below are four points to consider:

■The executable itself shouldn't be allowed to touch or run on the endpoint. While possible, this is easier said than done due to the myriad permutations of endpoint configurations.

■Rogue software, like other malware, may be detectable via behavioral analysis. Implement a highly regarded anti-malware product with excellent static and/or dynamic detection (i.e., positive user feedback and presale dialog – not marketing hype)

■The distribution of the executable is dependent on very convincing JavaScript and associated graphics. Filtering for these, while tedious, can yield big payoffs.

■If the rogue executable is discovered, send it to the security response team for your anti-malware product. This allows them to add static detection and update their dynamic detection algorithms.

Attacks are cyclical, so once there is a much more effective means for dealing with rogue AV, you can rest assured there will soon be another angle leveraged to gain a foothold in the endpoint. In the meantime, it's an arms race and there are a lot of security vendors working hard to meet the escalating threats head-on. As a security community, keeping the lines of communication open and flowing to share threat intelligence is one of our greatest strengths in this protracted fight.

PCI DSS 1.2: Changes, best practices and tips

2010-08-08T09:25:00.000-07:00

PCI DSS is a global information security standard consisting of 12 different requirements – assembled and released by the Payment Card Industry Security Standards Council (PCI SSC). It was created to assist organizations that hold, process or pass on credit card information to help in preventing credit card fraud.

This particular blog post will detail some of the differences between PCI DSS 1.1 and 1.2, and offer several best practices and four useful tips in consideration of obtaining and maintaining PCI DSS compliance. Changes are in the works for DSS, with a formal announcement coming in the fall,

Below are some of the key changes from PCI DSS v1.1 to v1.2:

■Incorporates existing and new best practices

■Provides further scoping and reporting clarification

■Eliminates overlapping sub-requirements and consolidates documentation

■Enhances the frequently asked questions (FAQ) and glossary to facilitate understanding of the security process.

Wireless network changes from v1.1 to v1.2:

■Requirement 4.1.1.

■In v1.1 there were provisions for WEP (Wired Equivalent Privacy) which is a weak encryption.

■Removing the requirement for disabling SSID broadcasts is new in v1.2.

Anti-virus requirement differences:

■In v1.2, there is a clarification regarding the use of anti-virus software – namely that it applies to all operating system types

■Requirement number 5.1.1 states: “Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.”

Best practices:

■Constant vigilance: Knowing that there is no 100% guaranteed “silver-bullet” for network security companies. Instead, they must maintain constant vigilance of their security – from physical security to network configuration/security. A “set it and forget it” attitude in the security world sets false expectations of ongoing security.

■Network traffic anomaly detection

■Log analysis: Using software to correlate various security logs (e.g., firewall, web server, remote access) to spot trends

■Heuristic detection of malicious software: Heuristically detecting malicious software on critical systems that are connected to the vendor's network – not just the systems that handle customer data

■Implementing layered security: If one defense fails, the others have a chance of stopping the attack

■Patch management: Maintaining an effective patch management system, procedures, or both is a key security measure

Four useful tips (going beyond the checklist):

1. Compliance is not a one-time project – it is an ongoing process

a. One of the biggest dangers of the checklist is that it can't be viewed as a one-time project. It is an ongoing process of checking/re-checking the various security controls, as well as enforcing them. Companies should not consider themselves immune to attacks simply because they have achieved compliance.

2. End-to-end encryption (E3)

a. PCI DSS doesn't mention, or require, encrypting the data from the point at which the customer's card was “swiped.” This step will significantly reduce the value of data if it is intercepted.

3. Avoid the low-hanging fruit

a. People tend to go for the path of least resistance. For instance, if their network is unique in its design, and there is a new method of accessing data, and the checklist does not cover the new method, it might be glossed over and compliance would still be achieved. Scheduled reviews of a company's PCI DSS compliance will help ensure that as technology and networks continue to progress, new threat vectors are addressed. For instance, Requirement 5 of the PCI DSS states that for compliance a vendor must use and regularly update anti-virus programs. As there are varying levels in the quality of anti-virus software, a vendor could choose to implement a low detection/high false-positive anti-virus program and have a fairly ineffective anti-virus application running on their systems.

4. “Chain of events” or the “error chain”

a. As in the aviation world, when there is an accident it is referred to as a “chain of events” or the “error chain.” These terms simply mean that multiple factors, rather than a single one, lead to an accident. The same can be said for security incidents, such as data leakage.

Resources:

■PCI Security Standard Council web site: https://www.pcisecuritystandards.org/

■PCI DSS v1.2 Requirements and Security Assessment Procedures: https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html

Do you have additional best practices, tips or observations? You can also share your experiences regarding PCI DSS – experiences, challenges, benefits or any other comments regarding your company and credit card security.

Banking trojans as a weapon of mass destruction

2010-08-08T09:20:00.000-07:00

Part 1

According to FinCEN, between between January 1 and June 30, 2009, depository institution (banking) suspicious activity reports characterized as computer intrusion increased 75 percent, compared to the corresponding six-month reporting period in 2008. These reports are filed by individual banks across the country and I'm currently grappling with the multiple categories in an attempt to determine exactly how large this banking trojan corporate account takeover risk may be.

Tell you what – 75 percent growth year to year is not small. If one Zeus banking trojan-hijacked account equals the $100,000 average loss that experts tell me, that money is easily the payroll of 20 people – employees, vendors, and owners – who won't be paying their mortgages or rent on time. I can't speculate on where the growth comes from yet because so much of it is mislabled and tagged into multiple categories.

The importance of clarifying this threat is simple: All experts are unanimous in the fact that businesses are at greater risk of a show-stopping corporate account hijacking event – consumers have separate rights which protect account takeover losses for a much longer time period. Yet businesses often don't know what lurks online or how they can get phished with a simple email, and often they handle a half million dollars or more with no issue.

Strategic value of small businesses

According to the SBA advocacy site, over 99 percent of the private payroll in the US comes from small and midsize businesses. Without small business steadily providing the fifteen year trend of 64 percent of all net new jobs stateside, the logic is simple: our economy can't continue to grow. No new jobs mean slow economic growth.

And somehow we can't seem to measure all of this quantitatively. The overuse by banking employees of the FinCEN SAR category of ‘Other' mocks any efforts at transparency. I may not be able to access more granular data directly due to the Banking Secrecy Act. My calls and emails are still being automatically handled by FinCEN at the time of this article.

Banking trojans have the potential to become the largest historically destructive threat to our nation's economy short of the Civil War. Business account hijacking has the ability to completely destroy what typically takes strong business teams years of nurturing. All from thousands of miles away or from right across the street.

To the start-ups – willing to take on the gut check of starting a business – it's even worse. The theft of someone's total commitment and investment in their future, their employee's futures – different than merely victimizing a single household more and more this crime victimizes entire communities. Adding longer term impact: the money that's taken is not spent stateside, so our small restaurants, coffee shops, gas stations and others don't even get that money back into circulation.

Banking trojans are a weapon of mass destruction loosed in the heart of the American Dream.

The soul-destroying consequence of losing a business payroll account

2010-08-08T09:17:00.000-07:00

Part 2

There's no Hurricane Katrina fund, no 9/11 trust for business banking victims. Instead of the sudden shocking yet galvanizing crash of a jet into a building, this malware-based attack comes as a slow, stealthy shadow creeping into the already bleak landscape of the jobless.

If a business owner lost their funds overnight, I imagine it might go something like:

■Day one: Shock. Could this really be happening?

■Day two: Fight the bank. And lose. Again, is this really happening?

■Day three: Find a new job so your family can sustain itself. And good luck with that task if you were part of the IT team who missed the malware which stole the banking funds!

Brian Krebs has interviewed many victims whose stories are similar:

“Since the incident, [Michelle Marsico] has had to take out a $395,000 loan at 12 percent to cover the loss (she managed to get $70,000 in wires reversed).

“I'm working for nothing right now, and can't afford to pay myself,” Marisco / [Marsico] said in a phone interview.

Without small business providing new job growth it's arguably a nuclear winter for our economy.

This must stop

1.Business owners are completely in the dark about this threat.

2.The critical priority must become identifying the threat of cybercrimes that soul-kill our communities: FinCEN and other aggregators of financial crime reporting need to step it up and show the data more transparently.

3.There are no laws which require protection for payroll accounts and the ABA, after saying how safe online banking has been for years now doesn't seem to want to budge from their position of the business' sole responsibility for compromise.

A recent interview was held with American Banking Association Vice President and Senior Advisor of Risk Management Policy Doug Johnson who, after agreeing that the threat of corporate account takeover was “very large”, pushes responsibility right back at the business, not with the banking community for prevention and risk.

““Banks have a tremendous responsibility to protect their small businesses and municipal customers just as they have that responsibility to protect their retail customers.

But the retail customer protections of Reg E would essentially absolve the small businesses of any responsibility or liability for not properly protecting themselves, and you can certainly appreciate that in a community bank market it is very difficult for a financial institution, through no fault of its own, to really make a corporate customer whole for a loss which could be upwards toward a half of million dollars.

“And there would be less incentive on the part of the corporate customer to protect themselves if they knew that they were going to be made whole in that fashion, even if they didn't protect themselves.”

Five years ago, Doug Johnson was saying something very different:

“"Online banking is safe and getting safer," says Doug Johnson, senior policy analyst at the American Bankers Association.” (USA Today, 2005)

2009 APWG Thought Leader Dr. Laura Mather states that dual control for small business accounts is a good practice for businesses to follow since it raises the bar for criminals, however she feels that it is unlikely that all businesses will implement dual controls and worse, that the tactic has a limited shelf life against faster cybercriminals.

““Banks should be educating their business customers to use this technique,” Dr. Mather adds, “and possibly implement measures that enforce the requirements for dual control. The next obvious step for cybercriminals will be multiple infections within a business such that the criminal has access to both of the dual control accounts.”

“As for the ABA party line – I think with the litigation that is moving forward there will soon be legislation around the SMB accounts. Of course, when that happens, all banking organizations will likely have to change their stance on these issues.”

Her words are prophetic: I found a story about the banking trojan compromise of the ABA-recommended dual control method right in our own SoCal backyard which Brian Krebs wrote about a few weeks ago:

http://krebsonsecurity.com/2010/06/e-banking-bandits-stole-465000-from-calif-escrow-firm/

““Owner Michelle Marisco said her financial institution at the time — Professional Business Bank of Pasadena, Calif. – normally notified her by email each time a new wire was sent out of the company's escrow account. But the attackers apparently disabled that feature before initiating the fraudulent wires.”

“The thieves also defeated another anti-fraud measure: A requirement that two employees sign off on any wire requests. Marisco said that a few days before the theft, she opened an email informing her that a UPS package she had been sent was lost, and urging her to open the attached invoice. Nothing happened when she opened the attached file, so she forwarded it on to her assistant who also tried to view it. The invoice was in fact a trojan horse program that let the thieves break in and set up shop and plant a password-stealing virus on both Marisco's computer and the PC belonging to her assistant, the second person needed to approve transfers.”

Steps you can take:

In keeping with how to protect yourselves and your business here are the top things to do today to harden your business target:

1.Update your endpoint malware protection and ensure you have an antispam solution which will block phishing attacks which use spam tactics to reach their victims.

2.Plan and complete a US-CERT risk assessment,

3.Plan to audit your business accounts DAILY from a secure computer. Don't rely too heavily on email alerts – the latest malware disables them.

4.Raise awareness in your own back yard. Start the discussion.

One final step would be to sit down and have a formal review with your bank of the responsibilities involved with an account hijacking and quite frankly, if you don't like what you hear, vote with your feet and consider changing your approach to online banking or changing your bank.

We're still on the search for definative bank account hijacking statistics. Once we get them, you'll be the first to know.

Once more unto the (data) breach

2010-08-08T09:13:00.000-07:00

While going through some FAA manuals, I was reminded of a particular term that is highly applicable in the world of cybercrime. It is referred to as the “chain of events” or the “error chain.” These terms simply mean that multiple factors, rather than a single one, lead to an accident. The same can be said for security incidents, such as data leakage. Take, for instance, some of the largest data breaches to date – such as the those experienced by TJX Companies or Heartland Payment Systems (which I've written about in the past here and here).

When the chain of events is unraveled, interesting details begin to unfold – one after another. These are obviously valuable lessons so that the majority of companies can take steps to protect themselves from these severe incidents in the future. But there will always be another way to “get to the goods.”

What are “the goods”? They are, primarily, the unencrypted customer information that resides deep within the core of organizations. In August 2008, I read a Yankee Group analyst research paper by Phil Hochmuth entitled, “Anywhere Data is Powerful, Data Everywhere is Dangerous.” In this paper, Phil discusses the challenge of data security and an increasingly untethered workforce. While that particular paper's focus covered the mobile workforce, it also conveys the key point applicable to all businesses: Customer data is essential to running a business and supporting our customers, but it can also be considered a dangerous liability that must be well-protected.

Three proposed solutions to securing customer data.

■End-to-end encryption (E3). In this context it is from where data is captured, through all intermediaries to the final credit issuer or debit gateway endpoint (http://www.e3secure.com/pdf/E3Security_Model.pdf);

■Mandatory encryption of personally identifiable information (PII) at rest and in motion (this brings up painful key management issues);

■Heartland is requesting the Accredited Standards Committee X9 (ASC X9) develop a standard to protect cardholder data.

Data breach consequences. There are a slew of consequences that can impact companies after a breach occurs. Some of them bandied about by industry experts are noted below:

Financially catastrophic:

■According to the Ponemon Institute's 2009 Annual Study “U.S. Cost of a Data Breach,” the average cost of a data breach (per record) is $204;

■Loss of sales;

■Investigation and notification costs;

■Fines and litigation;

■Cost of credit monitoring service;

■Interruption of operations;

■Last, but definitely not least, brand erosion (reputation, customer trust).

Regulatory compliance mandates that may impact breached organizations. Of course, many organizations began really paying attention to protecting data as a result not only of some of the consequences noted above, but also because of various industry and government compliance mandates. A sampling includes:

■Health Insurance Portability and Accounting Act (HIPAA);

■Sarbanes-Oxley (SARBOX);

■Graham-Leach-Bliley Act (GLBA);

■Payment Card Industry Data Security Standard (PCI DSS);

■Federal Information Security Management Act (FISMA).

These are but a few points that are relevant to data breaches of all sizes – not only those that potentially revealed more than 100 million customer records in one incident. Keep in mind that at the time of the breaches, the companies I mentioned were PCI compliant. This should reinforce the point that we still have a long way to go to secure our data and reduce the severity of data breaches.

Data security risk is as unlimited as human intelligence, ingenuity and ignorance.

Rampant hotel data theft

2010-08-08T09:08:00.000-07:00

For the past several years, hotels have been hit hard by data thieves. Experts say that despite an increased awareness within the hospitality industry, data theft is still prevalent.

In the most recent incident, disclosed in late June, remote attackers installed a malicious program into the card processing system of Englewood, Colo.-based hotel chain Destination Hotels & Resorts. Guests at 21 Destination properties may have been subjected to credit card theft.

Cybercriminals last year targeted hotels more than any other industry for credit card theft, according to a recent report by data security company Trustwave. Hotels are being targeted because they have large amounts of credit card data and frequently neglect to implement the most basic security precautions, such as changing default passwords or ensuring programs are up to date, said Nicholas Percoco, senior vice president of Trustwave's SpiderLabs.

As a result, attackers commonly gain entry into a hotel's network by exploiting default passwords on point-of-sale (POS) applications, added Dave Ostertag, manager of investigative response at Verizon Business. From there, customized malware is loaded onto the hotel's transaction server that steals credit card information as a transaction occurs.

In March, the Westin Bonaventure Hotel & Suites in Los Angeles disclosed a possible data breach of its POS systems dating back to 2009. Also, between November 2008 and May 2009, the computer systems of some Radisson hotels in the United States and Canada were illegally accessed. And the computer systems of Wyndham Hotels & Resorts were accessed on two separate occasions by cybercriminals who stole customers' card numbers, expiration dates and other data.

Part of the problem is that many hotels are not compliant with the Payment Card Industry (PCI) Data Security Standards (DSS), said Gary Palgon, vice president of product management at encryption firm nuBridges. While retailers have faced increasing pressure over the past few years to get into compliance with the mandate, few from the hotel industry have been paying attention.

However, some members of the hospitality industry are working to deal with this problem, experts said. The Hotel Technology Next Generation (HTNG), a nonprofit hotel trade association, recently issued a security standard which defines how card data should securely flow between a hotel's various systems. Additionally, large, brand-name organizations are beginning to take data security seriously, experts said. But many others are lagging.

“We are still seeing cases on a weekly basis of hotels getting breached,” Percoco said.

Microsoft readies record 14 fixes, eight critical

2010-08-08T09:05:00.000-07:00

Microsoft on Thursday announced that next week it plans to deliver a record 14 patches to resolve 34 vulnerabilities across its product line.

The 34 flaws expected to be fixed, which ties a record with the number of holes plugged in June's update, reside in Windows, Office, Internet Explorer, SQL Server and Silverlight, according to the advance notification. Eight of the 14 bulletins earned a "critical" rating, while the others are designated as "important."

Of the critical bulletins, seven impact Windows. Joshua Abraham, a security researcher at Rapid7, which provides vulnerability management and penetration testing services, said he'd expect a few working exploits to come out of the security update, launching attacks such as drive-by downloads.

Abraham added that administrators should not necessarily be concerned by the high number of vulnerabilities receiving updates. He said this is not uncommon following security conferences such as Black Hat and DEFCON.
"In the past, there has been a rather high volume around the summer months," Abraham told SCMagazineUS.com on Thursday. "It's something we've seen before. It doesn't really shock me."

August's update appears to match a recent trend in which a light month of bulletins precedes a busier month.

Administrators should review Microsoft's advisories and use its exploit grades to determine which patches deserve priority, Abraham said.

Rockefeller, Pryor introduce federal data security law

2010-08-08T08:58:00.000-07:00

Two senators on Thursday introduced a national data breach notification bill that also would force businesses to create measures to protect sensitive information under their control, according to a news report.

The legislation, introduced Thursday by Sens. Mark Pryor, D-Ark., and John Rockefeller, D-W.Va., would require organizations to alert victims of a breach within 60 days and provide them with two years of credit monitoring services, according to the National Journal's Tech Daily Dose blog.

In addition, businesses and nonprofits would have to implement policies and procedures to protect their data, the blog post said.

Representatives for Pryor and Rockefeller did not immediately respond to requests for comment by SCMagazineUS.com.

Last month, Sens. Tom Carper, D-Del., and Bob Bennett, R-Utah, reintroduced a similar bill

"The Data Security Act of 2010 would require entities such as financial establishments, retailers, and federal agencies to safeguard sensitive information, investigate security breaches, and notify consumers when there is a substantial risk of identity theft or account fraud," said a news release. "These new requirements would apply to retailers who take credit card information, data brokers who compile private information and government agencies that possess nonpublic personal information."

A national data breach notification law has been in the works for a number of years. Several versions have made the rounds, but nothing ever has cleared both chambers.

This mainly has been due to other Congressional priorities and, more specific to the bills, disagreement over what constitutes a suitable threshold to report a breach. The lack of a federal measure has given way to a hodgepodge of state laws, 46 to be exact.

Hack attack hits ATM jackpots

2010-08-01T07:56:00.000-07:00

LAS VEGAS — Computer security researcher Barnaby Jack jokes that he has resorted to hiding cash under his bed since figuring out how to crack automated teller machines remotely using the Internet.

The New Zealand native on Saturday demonstrated his "ATM jackpotting" discovery for an overflow crowd of hackers during a presentation at the infamous DefCon gathering in Las Vegas.

"You don't have to go to the ATM at all," Jack told AFP after briefing fellow software savants. "You can do it from the comfort of your own bedroom."

Jack proved his findings using two kinds of ATMs typically found in corner stores, bars or other "stand-alone" venues in the United States but said the flaw likely exists in machines at banks.

Banks use "remote management" software to monitor and control their ATMs, and Jack used a weakness in that kind of code to take control of machines by way of the Internet.

He found a way to bypass having to submit passwords and serial numbers to access ATMs remotely. Once in the machines, he could command them to spit out cash or transfer funds.

He could also capture account data from magnetic strips on credit or bank cards as well as passwords punched in by ATM users.

"When you think about ATM security you generally think about the hardware side; is it bolted down and are the cameras in position," Jack said.

"This is the first time anyone has taken the approach of trying to attack the underlying software. It is time to find software defenses rather than hardware defenses."

Jack did his research on ATMs he bought on the Internet. He also found master keys for stand-alone machines available for purchase online, meaning hackers could walk up and tinker with ATM software, he added.

"We shouldn't dwell on the walk-up attack, because no physical access is required," Jack said. "They have a flaw that lets me bypass all authentication on the device on the Internet, and I am the ATM at that stage."

He didn't reveal specifics of the attack to hackers even though the ATM makers were told of the flaw and have bolstered machine defenses.

"I might get my butt in hot water if I released the code," said the IO Active software security researcher who did the ATM hack 'as a hobby.'

"I was careful not to release the keys to the kingdom."

Jack said he doesn't know if criminals have exploited the software flaw "in the wild" but that it is tough to be certain.

"It is not an easy attack to replicate but I am not naive enough to think I am the only one who can do it," Jack said, admitting he has grown wary of ATMs. "I just keep my cash under the bed now, mate."

Smooth-talking hackers test hi-tech titans' skills

2010-07-31T10:56:00.000-07:00

By Glenn Chapman (AFP) – 12 hours ago

LAS VEGAS, Nevada — Hackers at an infamous DefCon gathering are proving that old-fashioned smooth talk rivals slick software skills when it comes to pulling off attacks on computer networks.

A first-ever "social engineering" contest here challenges hackers to call workers at 10 companies including technology titans Google, Apple, Cisco, and Microsoft and get them to reveal too much information to strangers.

"Out of all the companies called today, not one company shut us down," said Offensive Security operations manager Christopher Hadnagy, part of the social-engineer.org team behind the competition that kicked off on Friday.

The team kept hackers within the boundaries of the law, but had them coax out enough information to show that workers would have unintentionally made it easier to attack networks.

Workers that unknowingly ended up on calls with hackers ranged from a chief technical officer to IT support personnel and sales people.

One employee was conned into opening programs on a company computer to read off specifications regarding types of software being used, details that would let a hacker tailor viruses to launch at the system.

"You often have to crack through firewalls and burn the perimeter in order to get into the internal organization," said Mati Aharoni of Offensive Security, a company that tests company computer defenses.

"It is much easier to use social engineering techniques to get to the same place."

Other companies targeted were Pepsi, Coca Cola, Shell, BP, Ford, and Proctor & Gamble.

The contest, which continues Saturday at DefCon and promises the winner an Apple iPad tablet computer, is intended to show that hardened computer networks remain vulnerable if people using them are soft touches.

"We didn't want anyone fired or feeling bad at the end of the day," Aharoni said. "We wanted to show that social engineering is a legitimate attack vector."

A saying that long ago made it onto T-shirts at the annual DefCon event is "There is no patch for human stupidity."

"Companies don't think their people will fall for something as simple as someone calling and just asking a few questions," Hadnagy said.

"It doesn't require a very technical level of attacker," Aharoni added. "It requires someone with an ability to schmooze well."

One worker nearly foiled a hacker by insisting he send his questions in an email that would be reviewed and answered if appropriate.

The hacker convinced the worker to change his mind by claiming to be under pressure to finish a report for a boss by that evening.

"As humans, we naturally want to help other people," Hadgagy said. "I'm not advocating not helping people. Just think about what you say before you say it."

Companies that got word of the social engineering contest before DefCon called in the FBI, which was assured by the event organizers that nothing illegal was afoot.

Information about "exploiting human vulnerabilities" was available at the social-engineer.org websit.

Attacking the edges of secure Internet traffic

2010-07-31T10:49:00.000-07:00

By JORDAN ROBERTSON (AP)

LAS VEGAS — Researchers have uncovered new ways that criminals can spy on Internet users even if they're using secure connections to banks, online retailers or other sensitive Web sites.

The attacks demonstrated at the Black Hat conference here show how determined hackers can sniff around the edges of encrypted Internet traffic to pick up clues about what their targets are up to.

It's like tapping a telephone conversation and hearing muffled voices that hint at the tone of the conversation.

The problem lies in the way Web browsers handle Secure Sockets Layer, or SSL, encryption technology, according to Robert Hansen and Josh Sokol, who spoke to a packed room of several hundred security experts.

Encryption forms a kind of tunnel between a browser and a website's servers. It scrambles data so it's indecipherable to prying eyes.

SSL is widely used on sites trafficking in sensitive information, such as credit card numbers, and its presence is shown as a padlock in the browser's address bar.

SSL is a widely attacked technology, but the approach by Hansen and Sokol wasn't to break it. They wanted to see instead what they could learn from what are essentially the breadcrumbs from people's secure Internet surfing that browsers leave behind and that skilled hackers can follow.

Their attacks would yield all sorts of information. It could be relatively minor, such as browser settings or the number of Web pages visited. It could be quite substantial, including whether someone is vulnerable to having the "cookies" that store usernames and passwords misappropriated by hackers to log into secure sites.

Hansen said all major browsers are affected by at least some of the issues.

"This points to a larger problem — we need to reconsider how we do electronic commerce," he said in an interview before the conference, an annual gathering devoted to exposing the latest computer-security vulnerabilities.

For the average Internet user, the research reinforces the importance of being careful on public Wi-Fi networks, where an attacker could plant himself in a position to look at your traffic. For the attacks to work, the attacker must first have access to the victim's network.

Hansen and Sokol outlined two dozen problems they found. They acknowledged attacks using those weaknesses would be hard to pull off.

The vulnerabilities arise out of the fact people can surf the Internet with multiple tabs open in their browsers at the same time, and that unsecured traffic in one tab can affect secure traffic in another tab, said Hansen, chief executive of consulting firm SecTheory. Sokol is a security manager at National Instruments Corp.

Their talk isn't the first time researchers have looked at ways to scour secure Internet traffic for clues about what's happening behind the curtain of encryption. It does expand on existing research in key ways, though.

"Nobody's getting hacked with this tomorrow, but it's innovative research," said Jon Miller, an SSL expert who wasn't involved in the research.

Miller, director of Accuvant Labs, praised Hansen and Sokol for taking a different approach to attacking SSL.

"Everybody's knocking on the front door, and this is, 'let's take a look at the windows,'" he said. "I never would have thought about doing something like this in a million years. I would have thought it would be a waste of time. It's neat because it's a little different."

Another popular talk at Black Hat concerned a new attack affecting potentially millions of home routers. The attack could be used to launch the kinds of attacks described by Hansen and Sokol.

Researcher Craig Heffner examined 30 different types of home routers from companies including Actiontec Electronics Inc. and Cisco Systems Inc.'s Linksys and found that more than half of them were vulnerable to his attack.

He tricked Web browsers that use those routers into letting him access administrative menus that only the routers' owners should be able to see. Heffner said the vulnerability is in the browsers and illustrates a larger security problem involving how browsers determine that the sites they visit are trustworthy.

The caveat is he has to first trick someone into visiting a malicious site, and it helps if the victim hasn't changed the router's default password.

Still: "Once you're on the router, you're invisible — you can do all kinds of things," such as controlling where the victim goes on the Internet, Heffner said.

Preserving Innovation While Ensuring Security, Confidence in System

2010-07-27T13:12:00.000-07:00

The Commerce Department's Internet Policy Taskforce on Wednesday will formally seek viewpoints from stakeholders on how best the public and private sector can preserve innovation in an Internet economy while ensuring security and confidence in the system.

Commerce Secretary Gary Locke unveiled the notice of inquiry at a symposium Tuesday on Internet security sponsored by the taskforce, where he also addressed departmental efforts to help build confidence in the Internet so that identity and personal information will be secured for consumers; intellectual property won't be stolen for businesses; and trade, technology and military secrets will be safe from adversaries for government.

"Let's be blunt - because the Internet was initially designed for convenience and reliability, instead of with security as a top priority - we are fighting an uphill battle," he said.

Citing a recent study published by IT security vendor Symantec, Locke painted a gloomy picture of Internet security, noting that malicious activity is increasingly flowing out of countries where broadband and information technology penetration is growing the fastest, advanced persistent threats focused on large enterprises are becoming more common as thieves seek customer data, financial information and intellectual property assets; and, mass-market attacks - those that small businesses and consumers usually fall prey to - continue to evolve in their sophistication.

Santa Cruz, Calif. Mayor Has Laptop Stolen From Office

2010-07-24T11:42:00.000-07:00

Posted: Monday, February 1, 2010

A burglar broke into Santa Cruz Mayor Mike Rotkin's office and took his city-issued laptop computer.
Police said the thief used a rock to break an office window and then took the computer.

Rotkin said he doesn't think anyone was specifically targeting him, and that there was nothing of importance kept on the computer.

"I think it was close to a window and somebody desperate saw it and decided to break the window and take the computer," Rotkin said. "I never used the computer. I had nothing on it."

The cost of the computer and the damage done to the office is about $1,500.

City Hall does have security cameras but there aren't any aimed on the mayor's office.

VeriSign 'Trusted' Service Now Scans Sites for Malware

2010-07-19T20:00:00.000-07:00

VeriSign said Monday that it has begun to add a "VeriSign Trust Seal" logo to search results and on Web sites, that can be used to verify that a site does not harbor malware.

VeriSign already places a logo on some sites that tells the user that it has secured the site via an SSL certificate. The "VeriSign Trusted" logo now also means that the site is checked on a daily basis to see if an attacker was able to penetrate its security and inject malware that would then be downloaded by the site's customers.

A related "Seal-in-Search" technology will place a VeriSign logo next to search results, including Google, alerting users that VeriSign has certified the site as safe to visit, where malware is concerned.

"In the face of increasingly elaborate attacks and fraud schemes, web sites need solutions that do more than data encryption," said Tim Callan, vice president of product marketing at VeriSign. "By enhancing our SSL Certificate services with new features that instill trust at every step of the online experience—at no additional charge to our customers—we're delivering a more robust and value-driven solution. In the process, we're redefining what web sites should expect from online security."

.94 charged in Medicare scams totaling $251M

2010-07-17T09:12:00.000-07:00

MIAMI – Elderly Russian immigrants lined up to take kickbacks from the backroom of a Brooklyn clinic. Claims flooded in from Miami for HIV treatments that never occurred. One professional patient was named in nearly 4,000 false Medicare claims.

Authorities said busts carried out this week in Miami, New York City, Detroit, Houston and Baton Rouge, La., were the largest Medicare fraud takedown in history — part of a massive overhaul in the way federal officials are preventing and prosecuting the crimes.

In all, 94 people — including several doctors and nurses — were charged Friday in scams totaling $251 million. Federal authorities, while touting the operation, cautioned the cases represent only a fraction of the estimated $60 billion to $90 billion in Medicare fraud absorbed by taxpayers each year.

For the first time federal officials have the power to overhaul the system under Obama's Affordable Care Act, which gives them authority to stop paying a provider they suspect is fraudulent. Critics have complained the current process did nothing more than rubber-stamp payments to fraudulent providers.

"That world is coming to an end," Health and Human Services Secretary Kathleen Sebelius told The Associated Press after speaking at a health care fraud prevention summit in Miami. "We've got new ways to go after folks that we've never had before."

Officials said they chose Miami because it is ground zero for Medicare fraud, generating roughly $3 billion a year. Authorities indicted 33 suspects in the Miami area, accused of charging Medicare for about $140 million in various scams.

Suspects across the country were accused of billing Medicare for unnecessary equipment, physical therapy and other treatments that patients never received. In one $72 million scam at Bay Medical in Brooklyn, clinic owners submitted bogus physical therapy claims for elderly Russian immigrants.

Patients, including undercover agents, were paid $50 to $100 a visit in exchange for using their Medicare numbers and got bonuses for recruiting new patients. Wiretaps captured hundreds of kickback payments doled out in a backroom by a man who did nothing but pay patients all day, authorities said.

The so-called "kickback" room had a Soviet-era propaganda poster on the wall, showing a woman with a finger to her lips and two warnings in Russian: "Don't Gossip" and "Be on the lookout: In these days, the walls talk."

With the surveillance, the walls "had ears and they had eyes," U.S. Attorney Loretta Lynch said at a news conference in Brooklyn.

Mercury News editorial: California should outlaw online impersonation

2010-07-14T21:19:00.000-07:00

Impersonating someone with the intent to harm, intimidate, threaten or defraud is illegal in California — except when it's done online. Existing state law, written in 1872, didn't anticipate the existence of Facebook, MySpace or a host of other Internet sites that unintentionally created new ways to harm innocent victims.

State Sen. Joe Simitian has a solution. His SB 1411 would make it a misdemeanor to maliciously impersonate another person online. The Legislature should pass the Palo Alto Democrat's bill, and Gov. Arnold Schwarzenegger should sign into law legal protections against online abuse.

It's sad that Simitian's law is necessary. But online abuses are a growing problem for students, teachers, businesspeople, politicians and people of all ages who are in relationships that have gone amiss.

Facebook and MySpace accounts can be shut down when a problem arises. But when they are created with the intent to do damage, there should be a price. Simitian's law, which includes provisions to protect legitimate forms of free speech, would carry up to a $1,000 fine and/or up to a year in jail.

Sacramento can't legislate good behavior. But it can and should protect Californians from being further damaged by impersonators who are up to no good.

Puerto Rico Birth Certificates Reissued

2010-07-14T11:45:00.000-07:00

The Government of Puerto Rico has extended the validity of current Puerto Rico birth certificates for three months, through Sept. 30, 2010. Puerto Rico is reissuing all birth certificates because of identity theft problems starting on July 1st.

There is a huge problem with Puerto Rico-issued birth certificates being used to unlawfully obtain U.S. passports, Social Security benefits, and other federal services.

The government admits that hundreds of thousands of original birth certificates were stored without adequate protection, making them easy targets for theft.

About 40 percent of the passport fraud cases involve birth certificates of people born in Puerto Rico.

The Vital Statistics Record Office will begin issuing new birth certificates incorporating what it calls "state-of-the-art" technology to limit the possibility of forgery.

The government of Puerto Rico recommends that only people who have a specific need for their birth certificate request a new birth certificate.

People who want a copy of the new birth certificates for their records are asked to wait to avoid a rush of applications.

The new birth certificates will cost $5.

Identity Theft Cases Up 23% 2005-7; 3% Of Households Hit

2010-07-14T11:29:00.000-07:00

The number of U.S. households with at least one member who experienced one or more types of identity theft increased 23 percent from 2005 to 2007, says the U.S. Bureau of Justice Statistics. A new compilation from the agency says that in the period studied, the number of households that experienced credit card theft increased by 31 percent and the number that experienced multiple types of theft during the same episode increased by 37 percent.

BJS said that during a six month period in 2008 which identity theft victimization data was collected as part of the regular nationa crime victimization survey, 3.3 percent of households discovered that at least one member had been a victim of one or more types of identity theft. Households with incomes of $75,000 or more experienced a higher rate of identity theft than did households in lower income brackets.

E-Verify law

2010-07-14T11:26:00.000-07:00

The Utah Legislature passed a law this year requiring employers to use the federal E-Verify system to confirm the eligibility of new employees to work in the United States legally. But because the law does not include any penalties, businesses have been slow to use it, essentially ignoring the law. However, before Utah imposes penalties, the Legislature should look much more deeply into this system.

E-Verify is an Internet-based system operated by U.S. Citizenship and Immigration Services. It compares information that an employee provides on a Form I-9 ( Employment Eligibility Verification) to records from the U.S. Department of Homeland Security and Social Security Administration. It confirms whether the information provided by the employee, such as name, date of birth and Social Security number, matches government data.

In most cases, E-Verify will instantly confirm the employee’s work authorization, according to USCIS. Sometimes, however, a manual search is required. If the employee information does not match government records, the employer must make sure he has not made a mistake in entering the information, and he must inform the employee of how to contact the agency to clear up or appeal the result.

At the time the bill was being debated, we argued that it made little sense to require employers to use a system whose accuracy was questionable. According to one study, E-Verify fails to identify illegal status about 54 percent of the time. But reliable statistics about the system’s accuracy are hard to find. Some reports suggest that E-Verify correctly identifies people who are eligible to work about 96 percent of the time. The 3.5 percent who fail happens to roughly correspond with the 5 percent of the work force that some studies estimate are in the country illegally. Identity theft also skews any statistics on reliability. In fact, E-Verify may actually encourage identity theft, since a person who presents himself for employment as someone else with valid government data would not be caught by the system.

Prediction: Obamacare 1099 Provisions Will Lead To Identity Theft Explosion

2010-07-14T11:22:00.002-07:00

Public Law 111-148, the Health Care Reform Act, contains a number of revenue raising provisions buried in the back of the legislation. In my judgment, the new IRS Form 1099 requirements found in Section 9006 of this law will have the unintended consequence of leading to an explosion of identity theft!

The basic changes to Form 1099 requirements incorporated in this law take effect at the beginning of 2012. They require that all businesses tabulate payments for goods and services from non-governmental agencies and send a 1099 Form to the recipient if the total exceeds $600 for the entire calendar year.

Current 1099 law exempts sending of 1099 Forms to most corporations, but the new law requires accumulating and reporting payments to corporations as well. Further, current law is largely limited to the reporting of payments for services, not goods. The new law expands coverage to all goods and services. It appears that 1099 Forms will now be required to report the same information provided on W-2 Forms that report employee compensation.

What this means for the millions of businesses in the US is that they will have to obtain confidential tax information from almost anyone who provides a good or service, even if the first transaction in a calendar year is under $600, in order to avoid paying a penalty if a 1099 Form is eventually required. Once this information is obtained, each of the businesses must follow the legal requirements for protecting this confidential information in order to avoid a penalty for violating these regulations.

Senators try again on identity theft bill

2010-07-14T11:22:00.000-07:00

Senators Tom Carper (D-Del.) and Bob Bennett (R-Utah) re-introduced a bill Wednesday that would require companies to notify consumers when their personal information has been stolen.

“At the very least, identity fraud can cause worry and confusion, and at the very most it can cause serious financial harm,” Carper said. “We need to replace the current patchwork of state and federal regulations for identity theft with a national law that provides uniform protections across the country.”

The bill would replace a system of state data breach notification laws with a national framework clarifying what constitutes personal or sensitive information — any information that can be used to steal from a consumer, commit identity theft, or be used for other criminal activities. The bill also requires organizations to notify consumers within a reasonable timeframe if their information has been breached.

Carper and Bennett have introduced similar legislation in previous sessions, but a senior Senate aide said the current focus on cybersecurity makes this their best chance of getting the bill passed. The aide also said the Obama administration recognizes the severity of the identity theft problem and is anxious to find a solution.

The legislation would apply to any organization that collects private or sensitive information from the public, including businesses, schools and government institutions. The bill requires that the organizations disclose all breaches but does not introduce any new penalties if they fail to do so.

Instead the lawmakers rely on existing regulations that require companies to adequately protect consumer information or face fines, public notification, or other regulatory penalties. Enforcement will fall to various regulatory agencies, depending on the sector in which the breach occurs; financial institutions that lose customer information must notify the Securities and Exchange Commission or Federal Deposit Insurance Corporation, while other groups may report to the Federal Trade Commission.

“We live in an Information Age where technology provides greater ease and business opportunities for Americans, but also increases the ability for criminals to exploit any weak link in the cyber-world,” Bennett said. “In the event that protection is violated, putting victims of identity theft or account fraud at risk, [the bill] provides a much needed uniform national standard for data security and breach notification.”

Malware Support Even Better than Security Vendors

2010-07-14T10:52:00.000-07:00

Is your rogue antimalware product not meeting your expectations? Perhaps you should contact support.

Nicolas Brulez of Kaspersky recently blogged about how some of these gangs are offering tech support with their products that has live chat, e-mail, phone, and even multiple languages.

We've truly stepped through the looking glass now, especially when you consider all the legitimate products that don't offer support this good. It says something about how much money is still being made by rogue products. It also says something about how affordable outsourced support using scripted response is.

And according to Kaspersky the support, including the live chat, really is with real people, not a bot. If you have trouble with English, the chat tells you (in English) to send your support request to a particular e-mail address, and then you receive support in your native language. Some of the rogues have native language support based on the language of your Windows version. No word on which languages are supported, but put your money on Russian.

Utah agencies probe alleged illegal immigrant list

2010-07-14T09:20:00.000-07:00

SALT LAKE CITY -- State agencies are investigating whether any of their employees leaked Social Security numbers and other personal information after a list of 1,300 people who an anonymous group claims are illegal immigrants was circulated around Utah.

The anonymous group mailed the list to several media outlets, law enforcement agencies and others this week, frightening the state's Hispanic community. A letter accompanying the list demanded that those on it be deported immediately.

Yahoo! BuzzThe list also contains highly detailed personal information such as Social Security numbers, birth dates, workplaces, addresses and phone numbers. Names of children are included, along with due dates of pregnant women on the list.

Republican Gov. Gary Herbert wrote in a tweet Tuesday that he has asked state agencies to investigate the list's origin.

"We've got some people in our technology department looking at it right now," said Dave Lewis, communication for the state Department of Workforce Services. "It's a high priority. We want to figure out the how's and why's."

Personal Documents Found In Dumpster,Sacramento Parks Department: This Shouldn't Have Happened

2010-07-12T11:27:00.000-07:00

6-25-2010
About 100 people's personal information was thrown out along with unused, unopened books and learning materials, a KCRA 3 investigation revealed.

A KCRA 3 insider watched Sacramento Department of Parks and Recreation employees putting the materials in a Dumpster outside a parks building.

KCRA 3 found several folders with important documents. One contained names, Social Security numbers, phone numbers, birth dates, addresses, monthly incomes and even copies of driver's licenses dating back to 2005.

The documents themselves indicated the information provided would be kept confidential.

Instead, the KCRA 3 insider said he watched employees dumping the documents into an easily accessible bin. He has asked not to be identified.

"They didn't even check what was in it," he said. "I know a lot of people get cardboard from those bins. So, anybody really could have found it."

City Parks and Recreation spokesman Hindolo Brima said, by policy, the papers should have been shredded.

"This was not supposed to happen. Staff has been taught how to handle confidential material," Brima said. "We will be investigating. We will make sure this doesn't occur again."

In the same Dumpster were also boxes filled with learning materials for children's programs operated by Parks and Recreation. Other people who work in the area said they see waste frequently.

FTC: Scammers Stole Millions Using Micro Charges To Credit Cards

2010-06-28T17:33:00.000-07:00

A gang of unknown thieves has stolen nearly $10 million using micro charges made to more than a million credit and debit cards in an elaborate multiyear scam, according to a lawsuit filed by the Federal Trade Commission in March.

Have any of these company names appeared on your bank card statement? The FTC says they were front companies used by scammers to make nearly $10 million in charges to consumer credit and debit card accounts. (FTC v. API Trade, LLC)

The fraudulent charges went unnoticed by the majority of card owners because they were made in small amounts — ranging from 20 cents to $10 — that bypassed fraud detection algorithms, and because the scammers typically made only one fraudulent charge per card.

The sophisticated scam, which was first reported by IDG News Service, began in 2006 and was stifled only recently after the FTC succeeded to shut down merchant accounts the scammers were using and halt the activities of at least 14 money mules who were laundering illegal proceeds for the gang.

According to court documents filed (.pdf) in the U.S. District Court for the Northern District of Illinois, the scammers — identified only as “John Does” in the complaint — recruited money mules through a spam campaign that sought to hire a U.S.-based financial manager for an international financial services company.

Mules who responded to the ad and were chosen for the task opened multiple bank accounts and about 100 limited liability companies for the scammers, which were then used to make the fraudulent charges and launder money to bank accounts in Cyprus and several Eastern European countries, including Estonia and Lithuania.

Front companies set up by the mules included Albion Group, API Trade, ARA Auto Parts Trading, Data Services, New York Enterprizes, and SMI Imports, among others.

The scammers then purchased domain names and set up phone numbers and virtual office addresses for the front companies through services such as Regus. They used this information — along with federal tax ID numbers stolen from legitimate companies with similar names — to apply for more than 100 merchant accounts with credit card processors, such as First Data.

According to IDG,

They used another legitimate virtual business service — United World Telecom’s CallMe800 — to have phone calls forwarded overseas. To further make it seem as though their companies were legitimate, the scammers would set up fake retail Web sites. And when credit card processors asked them to provide information about company executives, they handed over legitimate names and social security numbers, stolen from ID theft victims.

When they had to log into payment processor Web sites, they would do this from IP addresses that were located near their virtual offices, again evading payment processor fraud detection services.

Once approved by the card processors, the front companies were able to charge consumer credit and debit cards. Money charged to the cards was directed into the bank accounts set up by the money mules, who then transferred it to accounts overseas.

The charges showed up on consumer credit and debit card statements with a merchant name and toll-free phone number. But consumers who called the numbers to question the charges generally encountered an automated voicemail recording saying the number had been disconnected or instructing them to leave a detailed message. The calls, of course, were never returned.

More than 1.35 million cards were used to make fraudulent charges, according to IDG, but 90 percent of the charges went uncontested by consumers.

Protect your business from the cybercrime wave

2010-06-24T18:32:00.000-07:00

Fantastic article from Steve Straus at USA Today...

Q: I really think you should warn people about the increasing dangers coming from scam artists who are targeting small business. Our business had several thousand dollars illegally transferred out of our bank account recently and my banker says this is becoming more and more common. – Paul

A: As with everything else it has touched, the Internet has changed financial fraud, too. And the problem with that is that e-scammers are more difficult to detect. But make no mistake about it – being the victim of financial fraud of any sort can put you out of business in a hurry.

Maybe the worst case of financial fraud that I have been associated with was an old client who ran a very successful, seven-figure construction company. But after his bookkeeper embezzled several hundred thousand dollars, the company had to file two separate bankruptcies before eventually going out of business anyway.

And as I said, today's bad guys have gone high-tech and have unfortunately devised new and better ways to steal your money.

Consider the recent story about a dental group in Missouri that discovered one morning that more than $200,000 had been illegally transferred out of its bank account. To make matters worse, the dentists also found out that, unlike consumers, small businesses do not get the same protections afforded consumers who are the victim of online fraud. If your credit card is stolen, and you report it promptly, your out-of-pocket loss is capped at $50.

Such is not the case with illegal commercial wire transfers.

According to Brian Krebs, a journalist who has covered this issue extensively, "Most companies that get hit with this type of fraud quickly figure out that their banks are under no legal obligation to reimburse them."

So how does this type of fraud occur, and what can you do to protect yourself? Typically, the bad guys are able to plant malware on the victim's computer and then use that to access the company's online banking profile. They then use that information to transfer huge sums of money out of the targeted accounts.

Estimates of losses to business from these types of cyberscams run from the hundreds of millions annually, to the billions.

So what do you do? To answer that question, I recently spoke with Bill Conner, the dynamic president and CEO of Entrust. Conner is one of the world's leading experts on cybersecurity, and his company provides security for everything from Homeland Security, to all U.S. and British passports.

According to Conner, cybercrooks are now targeting small business: "We are in an arms race with sophisticated, high tech enemies who are now concentrating on smaller business bank accounts in addition to their continued efforts to steal from large corporations." To combat the risk, Conner suggests that small businesses employ a "triple threat" security package that would include

• Authentication

• Fraud detection, and

• "Out-of-band transaction verification and signing for high-risk transactions"

Authentication and fraud detection intuitively make sense – these sorts of products look at your transaction, and transaction history, and check for suspicious activity. Conner explained that while Entrust already offers the first two types of protection, to better serve its customers, it is adding that third, necessary layer, of protection with a new product being launched this week.

"IdentityGuard Mobile" is an app for your smartphone. When a potentially suspicious activity begins to hit your account, this product sends you a text of the transaction details and asks you to authenticate and approve it before the bank can approve it.

With the challenges to small business coming from all sides – decreased lending, tighter budgets, wary consumers – the last thing we need is to take a financial hit due to cybercrime, so we must be vigilant. Keep your security patches up to date. Make sure you have a robust antivirus suite. Change your pass codes frequently. Use the triple threat.

You will be glad you did.

How Much Should You Spend On Security? Gartner Offers Some Answers

2010-06-24T18:26:00.000-07:00

Security drops to No. 9 on the list of IT priorities, research firm says Jun 24, 2010

NATIONAL HARBOR, MD. -- Gartner Security Summit 2010 -- Security is not as big a priority for enterprises as it was in 2008, but it's still grabbing a healthy chunk of the IT budget, a major research firm said Tuesday.

Speaking at the annual Gartner Security Summit here, senior analyst Vic Wheatman said that although security has dropped to ninth place on CIOs' lists of top priorities, spending is still strong.

After placing eighth on the 2009 priority list and fifth in 2008, security is continuing to drop on the hit parade, Wheatman said. But security still accounts for an average of 5 percent of total IT spending, he says.

Interestingly, the IT industry spends the most on security -- 11.3 percent of their total IT budget, Wheatman said. Banking and finance companies spend about 8.3 percent of their IT budgets on security; educational institutions spend less than 4 percent.

The average business spends about $525 per employee annually on security, Wheatman continued. The insurance industry spends the most: about $886 per employee. The transportation industry spends only about $155 per employee on security.

Loma Linda University Medical Center

2010-06-23T08:20:00.000-07:00

Loma Linda, CA May 3, 2010 - A thief has stolen personal information regarding more than 500 surgical patients of Loma Linda University Medical Center, according to hospital officials. A desktop computer containing the information disappeared April 5 from the department of surgery's administrative office on Campus Street. The missing information includes each patient's name, medical record number, diagnosis, surgery date, and the type of procedure.

Safe Harbor Medical (Not so safe after all)

2010-06-23T08:16:00.000-07:00

Santa Cruz, CA June 3, 2010 - Burglars stole client records, a suitcase and two bags of cookies from a medicinal marijuana referral office. Burglars also stole a computer hard drive that contained a client database, including Social Security numbers, ID numbers and other sensitive information. The burglars apparently cut power to the building — so the alarm didn't go off — and shattered a window to get into the office.

Calif man accused of extortion through hacking

2010-06-23T07:48:00.000-07:00

A hacker took over more than 100 computers and used them to extort sexually explicit videos from women and teenage girls by threatening to release their personal data, federal prosecutors charged Tuesday.

Luis Mijangos, 31, of Santa Ana, was arrested at his home by FBI agents on a charge of extortion that carries a maximum federal prison sentence of two years, according to a statement from the U.S. attorney's office.

Mijangos made his first court appearance in downtown Los Angeles Tuesday morning where he was released on a $10,000 unsecured appearance bond on condition of home detention with no computers, his attorney Sylvia Torres-Guillen said.

U.S. Immigration and Customs Enforcement put a detainer on Mijangos and will take him into custody because he is an illegal alien, U.S. attorney's spokesman Thom Mrozek said.

A telephone listing for Mijangos could not be immediately located.

The scheme was sophisticated, Mrozek said.

Mijangos told FBI agents he was a consultant and studied Java and C++, two computer programming languages.

"He did have technical proficiency," Mrozek said.

Mrozek said that federal extortion cases are relatively rare but this case is unique because it "doesn't involve demands for money but for demands of sexually explicit videos."

Hackers and Apple make for a dangerous pair

2010-06-19T11:24:00.000-07:00

Raise your hand if you’ve ever heard the argument “If you want a virus-free computer, get a Mac.”

Raise your other hand if, in response to a story I’ve blogged about regarding Windows security breaches, you’ve left a comment like that on Yahoo!

Now put your hands down, because, as CNN puts it bluntly, “Those days are over.”

It used to be that the Mac had a small share of the market, and its architecture was fundamentally different from its PC competition. No one wrote malware for the Mac because there just weren’t that many Macs around, and the way a modern malware creator works is through the law of large numbers: You infect a lot of computers to harvest a useful number of passwords, send a significant amount of spam, or otherwise wreak a substantial amount of chaos. This is why no one writes viruses for, say, the Amiga. What would be the point? There’s no money in it.

Now the world has changed. While Mac computers are still relatively rare (though not as rare as they once were), the iPhone and iPad have changed the game, and Apple — worth more on the market than Microsoft now — is a major player in the computer industry once again. And so the hackers have come out to play.

Last week’s headline-grabbing iPad hack is probably just the start.

Security will be a growing headache for Apple as the months wear on. The perception has always been that the Mac is a “safer” operating system by design, but in reality that is not the case. Plenty of exploits have been found for Mac security holes over the years, but the lack of hacks in the wild has kept users safe while the company patched the problems. In fact, Apple releases security patches just as often as Microsoft does, according to CNN; it just doesn’t make headlines when it does.

Reporting Data Loss: Tough Choices, One Answer

2010-06-18T21:24:00.000-07:00

When military data is lost, stolen or compromised, the potential dangers are obvious. Lost personal data can lead to identity theft, lost operational data can lead to mission cancellation or failure and lost technical data can lead to other compromised systems and even further damage. While loss of data is bad enough, sometimes the loss is not mitigated in a timely fashion. When this happens, it is often not because of a stealthy hacker or a missing hardware audit. It is because somebody did not report the incident out a fear of potential personal consequences. We need to change that mindset. Not accepting responsibility and warning others of a network or data breach can put missions and lives at risk.

So if you are the cause or you discover a loss of data or a hacked network, it’s decision time. Report it or cover it up. What’s worse? A chewing out from your CO or knowing that letting your error go unreported resulted in an ambush or the identities of fellow soldiers and their families being stolen? Even if the person that discovers the loss is not personally responsible for the incident, they might be reluctant to report it because it would reflect badly on friends or the unit.

Military personnel tend to have the “not on my watch” mindset. This is a great attribute when it comes to the defense of a position or ensuring that everyone makes it back from a patrol. However, when such dedication to that statement means that fellow soldiers are at risk because of an unreported breach of network security, it is unacceptable. Neither is taking a “not my problem” attitude. Loss or compromise of military data is everyone’s problem.

Most soldiers will take responsibility if they are at fault. But many of these same soldiers will cover for a buddy’s mistake. Covering for someone is often considered being a team player. That’s fine, if you help Bill get ready for inspection after a tough night of leave or taking on more work because Ed needs to deal with a family matter. However, covering for someone in the case of data loss is as risky as not reporting your own error.

Fear is often the motivation for not reporting an incident. Nobody wants to get chewed out or written up. But think about what could happen if data has been compromised and nobody that can do something to eliminate or reduce the problem is ever told. The punishment for not reporting a network security problem that is found out later will be much greater than reporting it in the first place. It’s like when you were a kid. Do you tell your parents? It’s basically the choice between a scolding and being grounded for a month. In the military, grounding can take the form of docking your pay or sending you to someplace you really don’t want to be. But the real issue is not a personal one. The fact is that delay in reporting lost or stolen data can result in lost identities, compromised missions and possibly risk to soldiers in theater. afcea

Hackers plant viruses in Windows smartphone games

2010-06-06T08:57:00.000-07:00

Hackers have planted viruses in video games for smartphones running on Microsoft Corp's Windows operating system, according to a firm that specializes in securing mobile devices.

The games -- 3D Anti-Terrorist and PDA Poker Art -- are available on sites that provide legitimate software for mobile devices, according to John Hering, CEO of San Francisco-based security firm Lookout.

Those games are bundled with malicious software that automatically dials premium-rate telephone services in Somalia, Italy and other countries, sometimes ringing up hundreds of dollars in charges in a single month.

Those services are run by the programmers who built the tainted software, Hering said on Friday.

Victims generally do not realize they have been infected until they get their phone bill and see hundreds of dollars of unexpected charges for those premium-rate services, he said.

Hackers are increasingly targeting smartphone users as sales of the sophisticated mobile devices have soared with the success of Apple Inc's iPhone and Google Inc's Android operating system. reuters

Facebook users warned of 'likejacking' scam

2010-06-02T19:19:00.000-07:00

Internet security firm Sophos has warned Facebook users to be on the alert for a scam which sends a spam message to all of their friends on the social network.

Sophos, in a pair of blog posts late Monday, said "hundreds of thousands" of Facebook users have fallen for the scam which it dubbed "likejacking."

It said some Facebook users had received a message such as "This man takes a picture of himself EVERYDAY for 8 YEARS!!" and were encouraged to click on a link.

Sophos said clicking on the link takes a Facebook user to what appears to be a blank page with a "Click here to continue" message.

Sophos said clicking on the page publishes the original message on their own Facebook page with a "like" notation and recommends it to all of their Facebook friends.

"This of course posts a message to your newsfeed, your friends see it and click on it, and so it spreads," Sophos said.

Sophos warned last week about a Facebook scam designed to trick users into installing adware, a software package that automatically plays, displays or downloads advertisements to their computer.
afp

Computer Security Is Good Business

2010-06-01T10:32:00.000-07:00

What do a business's invoices have in common with e-mail? If both are done on the same computer, the business owner may want to think more about computer security.

Information-payroll records, proprietary information, client or employee data-is essential to a business's success. A computer failure or other system breach could cost a business anything from its reputation to damages and recovery costs. The small business owner who recognizes the threat of computer crime and takes steps to deter inappropriate activities is less likely to become a victim.

The vulnerability of any one small business may not seem significant to many other than the owner and employees of that business. However, over 27 million U.S. businesses-over 95 percent of all U.S. businesses-are small and medium-size businesses (SMBs) of 500 employees or less. Therefore, a vulnerability common to a large percentage of all SMBs could pose a threat to the Nation's economic base.

In the special arena of information security, vulnerable SMBs also run the risk of being compromised for use in crimes against governmental or large industrial systems upon which everyone relies. SMBs frequently cannot justify an extensive security program or a full-time expert. Nonetheless, they confront serious security challenges and must address security requirements based on identified needs. nist.gov/

$100 Million 'scareware' CEO Was Already a Fugitive

2010-06-01T09:49:00.000-07:00

The CEO of a company accused of making more than US$100 million selling harmful "scareware" antivirus products was already a fugitive from U.S. authorities, following his arrest in 2008 on criminal counterfeiting charges.

Shaileshkumar "Sam" Jain is one of three men who were charged by the U.S. Department of Justice on Wednesday for allegedly operating a massive scareware distribution ring.

He's now thought to reside in Ukraine, but arrived there only after giving authorities the slip after being arrested by federal agents in 2008 on charges that his company sold counterfeit versions of Symantec antivirus products. Jain has been considered a fugitive by U.S. authorities since early 2009, when he skipped out on a $250,000 bond and failed to show up for a Jan. 12 California court appearance.

Jain ran a Ukrainian company called Innovative Marketing, which prosecutors say sold an astounding 1 million copies of fake antivirus products such as WinFixer, Antivirus 2008 and VirusRemover 2008.

According to court filings, Innovative Marketing was one of several companies that Jain operated, first selling counterfeit Symantec products and later moving into the scareware business with products such as WinFixer.

Symantec had already gone after Jain in the courts, winning a $3.1 million judgment against him in 2005.

Three years later, the U.S. Federal Trade Commission filed suit against Jain and the two other men charged Wednesday: Innovative Marketing Chief Technology Officer Bjorn Daniel Sundin and the man whose call center provided technical support for the products, James Reno of Amelia, Ohio.

The FTC won its court case, effectively putting Innovative Marketing and Reno's company, Byte Hosting Internet Services, out of business.

The scareware products that the three men are accused of selling are perhaps the most annoying problems on the Internet, and a constant source of complaints to security companies and federal regulators. They not only fail to protect computers, they often also bog down systems with spyware and malware.

Innovative Marketing allegedly pioneered the trade.

The company would set up fake advertising agencies with names such as BurnAds and NetMediaGroup, and then buy online advertising, pretending that it was for legitimate buyers, prosecutors say. These ads would be programmed to deliver scary-looking pop-up windows straight to users' desktops. The windows would typically look like Windows error messages or security alerts. To dismiss them, the victim would have to pull out a credit card and pay between $30 and $70 to buy Innovative Marketing's dubious products, prosecutors say.

Before the scareware came the fake Symantec software. Prosecutors allege that in 2003 and 2004, Jain operated a handful of Web sites -- Discountbob.com, shopenter.com, winantivirus.com and others -- that all sold fake Symantec products.

Jain allegedly drummed up new business by spamming victims or using pop-up ads to flog the fake software, which was then mailed out by someone identified in court documents as "J.R." of Amelia, Ohio -- presumably James Reno.

In a September 2009 e-mail to the IDG News Service, Reno said he was a young and naïve businessmen who was taken advantage of by Innovative Marketing. "I made some mistakes, of course," he said, "however they kept us in the dark on a lot of their operation."

Profits from the businesses -- which took in more than $100 million from victims in 60 countries -- were funneled offshore, prosecutors say. pcworld

Cyber Thieves Rob Treasury Credit Union

2010-06-01T08:38:00.000-07:00

Organized cyber thieves stole more than $100,000 from a small credit union in Salt Lake City last week, in a brazen online robbery that involved dozens of co-conspirators, KrebsOnSecurity has learned.

In most of the e-banking robberies I’ve written about to date, the victims have been small to mid-sized businesses that had their online bank accounts cleaned out after cyber thieves compromised the organization’s computers. This incident is notable because the entity that was both compromised and robbed was a bank.
The attack began Thursday, May 20, when the unidentified perpetrators started transferring funds out of an internal account at Treasury Credit Union, a financial institution that primarily serves employees of the U.S. Treasury Department in the state of Utah and their families. Treasury Credit Union President Steve Melgar said the thieves made at least 70 transfers before the fraud was stopped.

Melgar declined to say how much money was stolen, stating only that the total amount was likely to be in the “low six-figures.”

“We’re still trying to find out what net [loss] is, because some of the money came back or for whatever reason the transfers were rejected by the recipient bank,” Melgar said, adding that the FBI also is currently investigating the case. A spokeswoman for the Salt Lake City field office of the FBI declined to comment, saying the agency does not confirm or deny investigations.

Many of the transfers were in the sub-$5,000 range and went to so-called “money mules,” willing or unwitting individuals recruited over the Internet through work-at-home job schemes. Melgar said other, larger, transfers appear to have been sent to commercial bank accounts tied to various small businesses.

Melgar said some of the money mules apparently had a change of heart, but only after they’d withdrawn the stolen cash from their bank accounts and wired the money overseas to Ukraine as instructed.

“Some of the money mules went back to their banks after they’d Western Unioned the money, went back and talk to their branch manager or whoever and say they felt they may have committed fraud,” he said. “I guess something must have clicked in their head at that point.”

Melgar said it wasn’t clear whether any of the mules who reported the fraud to their banks had returned the “commissions” they make for helping thieves launder the money. In previous attacks I have written about, the mules were permitted to keep roughly 8 percent of the transfer amount, with any wire fees to be taken out of the commission. Earlier this month, the FBI said it is planning a law enforcement action against money mules in a bid to raise public awareness about the damage from these types of work-at-home employment schemes. krebsonsecurity

Lifelock worries after employee data leaked to Web

2010-05-29T15:18:00.000-07:00

Identity theft protection company posts CEO's SS number, but not OK with employees data being in public

It may be OK for identity theft protection vendor Lifelock to publish its CEO's Social Security number, but when it comes to other company employees, that's another story.

The company has asked the Phoenix New Times to remove a police report from its Web site after discovering that it contained a redacted Social Security number of Lifelock employee Tamika Jones. The number could be read by simply cutting and pasting the PDF document into another word processing program, a common problem with poorly-redacted documents.

Also in the police report: Jones's date of birth, address, phone number, and address.

Internet Identity Workshop reveals OpenID clashesBLOGSophos slams scientist 'infected' with computer virusSymantec readies Norton security, storage apps for Android, iPhone smartphonesFacebook Answers Critics With New Privacy Controls

View more related contentGet Daily News by Email"Yesterday, Christy O'Connor of LifeLock called New Times and asked us to remove the link to the PDF document," the New Times reporter Ray Stein wrote in a Tuesday story. "The smart-ass in us couldn't resist giving O'Connor, LifeLock's associate general counsel, some grief."

After Stein pointed out that Jones works for a company that promises to protect customers from identity theft, before it happens, the newspaper agreed to post a properly redacted version of the document on its Web site.

In an interview, Stein said that the fact that Lifelock had to call and ask for the document to be removed reflected badly on Lifelock's service. "I think this shows clearly that they know that it's got potential problems." networkworld

Man Infects Himself with (Computer) Virus

2010-05-27T07:34:00.000-07:00

We are one step closer to the future: a British scientist has become the first human being to contract a computer virus.

Yep, you heard that right. Dr. Mark Gasson, a cybernetics expert at the University of Reading, deliberately infected himself (by way of an RFID chip implanted in his wrist) with a benign computer virus. This was part of an experiment designed to show how implantable bionic devices are susceptible to computer viruses.

Red Flags Rule: Are we there yet? Auto Dealerships need to comply...

2010-05-25T14:23:00.000-07:00

June 1, 2010, is just the latest in a series of enforcement deadlines for the Federal Trade Commission's Red Flags Rule.

The rule, which actually took effect Nov. 1, 2008, requires businesses handling credit, like dealerships, to adopt written plans to identify, detect, monitor and respond to potential instances of identity theft.

But the FTC has delayed enforcing the rule four times -- first to May 1, 2009; then to Aug. 1, 2009; then to Nov. 1, 2009; and finally, to June 1, 2010.

I've talked to dealers, vendors, trade association executives and lawyers who aren't really sure the latest enforcement deadline will stick.

But one thing is certain: Dealers better comply with the law. autonews

Melissa Hathaway's Nine Cybersecurity Bills to Watch

2010-05-24T13:22:00.000-07:00

Melissa Hathaway probably knows more about what's going on with cybersecurity legislation before Congress than even the lawmakers who sponsor these bills; heck, she likely understands more about these measure than the key staffers who are the brains behind them.

Since leaving the White House last summer, Hathaway - who led President Obama's 60-day cyberspace review last year - has become involved in a variety of IT security ventures, including becoming a senior adviser at the Belfer Center for Science and International Affair at Harvard University's Kennedy School of Government. There she conducts research and writes about IT security. One of her projects is to track cybersecurity legislation before Congress.

Hathaway this past week completed a 31-page report documenting some 40 IT security bills before Congress. The report provides an analysis on the wide range of topics they address including organizational responsibilities; compliance and accountability; data accountability, personal data privacy, data breach handling and identity theft; cybersecurity education, research and development and grants; critical electric infrastructure protection and vulnerability analysis; international cooperation on cybercrime; and procurement, acquisition and supply-chain integrity.

Here are nine bills Hathaway characterized as "legislation to watch," along with her analysis of them...

Do You Comply With the FTC's Red Flag Rule?

2010-05-24T12:37:00.000-07:00

Regulations to help prevent identity theft go into effect June 1, and chances are you've got some work to do to comply with them. Here's what you need to know.

You may not even have heard of the federal government's Red Flag Rule, but there's a good chance by June 1 you'll need to comply with it.

The rule requires businesses that are potential targets for identity thieves to develop plans to spot fraud "red flags" and prevent them.

Think the rule only applies to financial institutions? Think again. It requires all "creditors" to comply with the rules, but the definition of creditor is very broad, and includes "businesses or organizations that regularly provide goods and services first and allow customers to pay later," according to a Frequently Asked Questions guide prepared by the Federal Trade Commission, which will enforce the rule. Translation: If you invoice for goods or services, you're a creditor.

You could be forgiven for hoping the government will change the enforcement deadline, considering it's already been extended several times since the original date of November 2008. But of course that won't excuse you from complying. And just having some rules – written or unwritten – about not leaving customer information lying around won't get you off the hook – you have to have a written policy and procedures specifically to handle identity theft.

"I suspect a lot of small businesses were hoping this ultimately wouldn’t happen," said Tanya Forsheit, co-founder of InformationaLawGroup, a Los Angeles firm that advises businesses on privacy and data security compliance.

The rules – among them, recommendations for data encryption plus regular reviews, annual updates of your policy, and training of staff – can seem onerous, but the FTC has some online do-it-yourself tools and templates to help.

Identity theft has been the number one fraud complaint filed with the FTC for the better part of a decade. So what kind of financial activity constitutes a "red flag" under the new rules? For starters, suspicious documents (like a photo ID that doesn't match the person presenting it), unverifiable addresses and Social Security numbers, and questionable account activity from customers, such as sudden spending on goods that can be resold for cash, frequent requests for cash advances, or failures to make payments on balances after making initial payments. inc.com/news

More Business Banking Victims Speak Out

2010-05-21T10:56:00.000-07:00

Since our story about Eastern European cyber crooks targeting small to mid-sized U.S. businesses ran last week, I've heard from a few more victims. Eerie similarities in their descriptions of how they were robbed suggest the bulk of this crime may be the work of one or two gangs.

David Johnston, owner of Sign Designs, Inc., a Modesto, Calif.-based company that makes and installs electric signs, said his company lost nearly $100,000 on July 23, when crooks used the company's credentials to log in to its online banking account and initiate a series of transfers to 17 accomplices at seven banks around the country.

"Our daily limit on these transactions was $100,000, and [the thieves] took just $47 short of that amount," Johnston said. "What we're looking at really is the bank robber of 2009. They don't use a gun, they have lots of helpers, their [profits] are huge, and the likelihood anyone will catch them seems to be extremely slim." washingtonpost

Duo Stole VA. Senator's Identity, Bought Marijuana

2010-05-21T06:18:00.000-07:00

Authorities are currently searching for two people who police say stole the identity of a Virginia State senator, and used his money to buy drugs, a bong and dinner.

After investigating, the Virginia State Police contacted the CHP after they found out the senator's personal information was being used in the Sacramento area.

After further investigation, authorities discovered that Sky Manriquez, 21, and Bernell Bryan Washington, 24, opened several credit cards in the senator's name.

The duo also changed the senator's address to a place located on Fulton Avenue. After serving a search warrant to the address, investigators recovered several items of evidence including receipts which indicated the suspects purchased medical marijuana using the senator's fake accounts. cbs13.com/

FBI Promises Action Against Money Mules

2010-05-20T19:28:00.000-07:00

The FBI’s top anti-cyber crime official today said the agency is planning a law enforcement action against so-called “money mules,” individuals willingly or unwittingly roped into helping organized computer crooks launder money stolen through online banking fraud.

Patrick Carney, acting chief of the FBI’s cyber criminal section, said mules are an integral component of an international crime wave that is costing U.S. banks and companies hundreds of millions of dollars. He said the agency hopes the enforcement action will help spread awareness that money mules are helping to perpetrate crimes. krebsonsecurity.com

Ten Ways to Protect Your Network From Insider Threats

2010-05-20T09:50:00.000-07:00

Insiders -- people who work within your organization -- pose a huge potential security risk. That's because while hackers and other outsiders have to break in to your network and gain access to systems and data, many insiders have valid credentials to log on quite legitimately and access the systems and data they need to carry out their jobs.

Unless appropriate steps are taken, it can be quite trivial for employees to copy your confidential data on to a memory stick and walk out the door, install a logic bomb to destroy data in the future, or set themselves up with login credentials to ensure that they have access to your systems even after they have left your employment.

Here are ten things you can do to protect your network:

Valley restaurant dumps years worth of sensitive information in dumpster

2010-05-19T21:35:00.000-07:00

“Last name Taylor, first name Gary, social security number 569…“

Tom Rezler is a business owner in this Tempe shopping center and can't believe what he recently found in nearby garbage dumpsters.

Thousands of pages of sensitive information apparently disposed of by a neighboring business called The Vine Tavern and Eatery.

“As a patron of the Vine and having used my credit card hundreds of times in there, I'm a little upset that my information is now privy to anyone that can find this stuff,” Rezler said.

The documents included people's names, social security numbers and dates of birth from restaurant applications.

There were checks with banking information and also credit card receipts from Vine customers, receipts that revealed a person's entire credit card number. azfamily

Privacy expert: It's good PR to say no to the government

2010-05-19T19:27:00.000-07:00

A leading privacy researcher is urging companies to say no to government requests for data, arguing that it's good for business.

"Or rather, saying yes can be really bad for business," said Chris Soghoian, an Indiana University PhD candidate and security and privacy researcher.

Speaking on Monday at a Law Seminars International event in Seattle, Soghoian offered companies tips for handling law enforcement requests for data.

Consumers do care about their privacy and their reaction to news about companies that too willingly help the government access their data -- or resist such requests -- proves it, he said.

For instance, in 2005 it was revealed that a few years earlier the National Security Agency had illegally asked telecom providers to install wiretap equipment in their facilities. Qwest said no. "When the news came out, there was widespread praise for that company and the strong position they took, whereas AT&T and the others were criticized," he said.

In 2004 airline JetBlue voluntarily provided customer data to the Department of Defense. The action led to a lawsuit that was ultimately thrown out, "but in the meantime their name was dragged through the mud," he said.

In addition to bad publicity, such incidents aren't cheap. "Not only do government requests lead to loss of reputation but when you get sued by civil liberties groups and your customers, the government won't pick up the tab," he noted.

In another instance, the Department of Justice asked search engines to reveal information about search terms. Most of the big search engines complied but Google declined, not on privacy grounds but citing proprietary information, he said. "If you ever have the fortune to discuss privacy with a Google privacy person barely two minutes will go by before they tell you about the time they said no to the DOJ. They receive thousands of requests a year that they say yes to, but this one instance they've been able to trumpet," he said.

A lawyer who spoke at the conference on Monday agrees that resisting data requests can be good for business. There is increasing scrutiny from consumer groups about privacy issues and companies may be able to maintain competitive differentiation if they are careful about law enforcement requests and if they are open about their policies, said Daniel H. Royalty, a lawyer at K&L Gates in Seattle. "It may be that increasing transparency in this space can lead to differentiation." .computerworld

Research: 1.3 Million Malicious Ads Viewed Daily

2010-05-19T19:19:00.000-07:00

The true extent of the malvertizing scourge became much clearer this week with the release of new research by Dasient which shows that about 1.3 million malicious ads are being viewed online everyday, most pushing drive-by downloads and fake security software.

Dancho Danchev sums up the findings from the research:

•The probability of a user getting infected from a malvertisement is twice as likely on a weekend and the average lifetime of a malvertisement is 7.3 days.

•97% of Fortune 500 web sites are at a high risk of getting infected with malware due to external partners (such as javascript widget providers, ad networks, and/or packaged software providers).

•Fortune 500 web sites have such a high risk because 69% of them use external Javascript to render portions of their sites and 64% of them are running outdated web applications.

Malicious ad attacks targeting high-profile websites have been on the rise recently with the New York Times and Gawker media among the victims.

threatpost

LifeLock CEO said to be victim of identity theft 13 times

2010-05-19T19:12:00.000-07:00

Publicly posting SSN resulted in Todd Davis' identity being misused.

A CEO who publicly posted his Social Security number on billboards and in TV commercials as part of a campaign to promote his company's credit monitoring services was the victim of identity theft at least 13 times, a news report says.

LifeLock CEO Todd Davis appears in a TV ad for his company.The Phoenix New Times reported that Todd Davis, CEO of LifeLock Inc. in Tempe, Ariz., was victimized numerous times by identity thieves who apparently used his Social Security number to commit various types of fraud.

Davis previously admitted that he was the victim of identity theft once in 2007, when a man in Texas used his Social Security number to take out a $500 loan that ended up being handled by a collection agency.

The New Times reported that Davis has been a victim of identity theft at least a dozen more times.

Among the examples cited in the report was one involving a thief in Albany, Ga., who opened an AT&T wireless account in Davis' name and used it to rack up more than $2,300 in charges.

In another instance, an individual used Davis' identity to open an account with Centerpoint Energy, a Texas utility, and left behind $122 in unpaid bills, the report said.

It also cited examples in which individuals who had stolen Davis' identity owed more than $573 to a bank and $312 to a gift basket company.

The numerous incidents belie LifeLock's claims that the services it offers protects consumers against identity theft and fraud, the report noted. computerworld

Don't be surprised if more businesses start asking you for identification

2010-05-19T09:50:00.000-07:00

It's part of an effort to protect against identity theft.

Be prepared to pull out your driver's license on your next visit to the dentist. And don't be surprised if a retailer asks for a birth date or mother's maiden name if it's giving you credit for your big-ticket purchase.

They're just following federal rules to protect consumers from identity theft. Beginning next month, a wide range of businesses — auto dealers, cell phone companies, real estate agents, mortgage brokers, utilities and health care providers — must start complying with "Red Flag Rules." The rules are meant to stop fraud before it happens by requiring certain businesses to look for signs that customers might be imposters and, if there are signs that they are, to take action. baltimoresun

Kaiser worker fired after patient data drive stolen

2010-05-18T15:35:00.000-07:00

A Kaiser Permanente employee was fired last month after a computer storage drive, containing information on 4,000 Sacramento-area patients, was stolen from a car parked at her home, hospital officials reported Tuesday.

The external drive contained data on as many as 15,500 Northern California patients, according to a statement from the hospital's vice president for compliance and privacy, Kristin Chambers. She said the patients were notified. She considered the breach "low risk."
sacbee

Data Breach - CA Department of Health Care Services

2010-05-18T15:29:00.000-07:00

In a news release, the department said that letters it mailed a week ago to 49,352 beneficiaries wrongly included those patients' Social Security Number on address labels. The Department said the incident took place February 1, 2010.
Oops!
dhcs.ca.gov/

Mary's Pizza hit by hackers

2010-05-18T15:15:00.000-07:00

Patrons of Mary's Pizza in downtown Sonoma will be alerted this week that their credit card numbers may have been stolen by an international computer hacker.

Vince Albano, chief executive officer for the 18-store chain, expects to receive a report by Friday detailing the breadth and timing of the breach.

Once that is known, Albano plans to take out newspaper ads to warn diners who ate at the Spain Street outlet during that period that they might want to cancel their credit cards and get new ones.

Albano said his company doesn't have the ability to notify potential victims directly because the credit card companies won't release their names.

The breach was first discovered by the restaurant's in-house technology expert on Feb. 10 after friends and customers called to complain about errant charges on their credit cards, Albano said. He hired a Chicago-based high-tech forensics firm, Trustwave, to pinpoint the problem.

“Trustwave said they traced it to Russia but I also heard it may be Luxembourg,” Albano said of the suspected location of the hacker.

Albano said his company immediately notified banks and credit card companies of the breach to stop further illegal charges to his customers. pressdemocrat

Computer theft raises fraud concern at Cal State L.A.

2010-05-18T15:01:00.000-07:00

Cal State Los Angeles has notified 232 former students that a computer stolen from the mathematics department office last month may have contained personal information such as their Social Security numbers and grades.

While officials said they did not know whether the information has been used for any attempted fraud or identity theft, they said they told the former students to notify credit bureaus and law enforcement about any suspicious activity. A toll free number, (800) 883-4029, has been established to provide additional information. latimesblogs

California - St. Jude patients' data stolen on computers

2010-05-18T14:48:00.000-07:00

Police are investigating the theft at St. Jude Heritage Medical Group.

St. Jude Heritage Healthcare in Fullerton has notified about 22,000 patients that their personal health data might have been accessed after five computers were stolen.

Heritage, which is affiliated with St. Jude Medical Center, sent letters about the theft last week, according to hospital spokeswoman Dru Ann Copping.

The stolen data was password protected but not encrypted. Patient information might have included Social Security numbers, date of birth and diagnosis. Heritage is offering fraud monitoring services to those patients, who are also urged to put fraud alerts on their credit files.

Fullerton police are investigating. In all, 22 computers were stolen, but only five contained patient records. Earlier this year, Heritage started encrypting medical data, but the process hasn't been completed.

ocregister

Navy took more than a year to announce personal data breach

2010-05-18T14:40:00.000-07:00

In case of danger or a natural disaster, the U.S. Navy can rapidly dispatch troops, fighter jets or relief supplies to troubled areas around the world.

So why did it take the Navy 17 months to inform employees at the Naval Facilities Engineering Service Center in Port Hueneme, Calif., that their Social Security numbers had been inadvertently released?

The information was sent in May 2008 to three other employees whose security access had been suspended for reasons unrelated to the information breach.

E-mails obtained by The Washington Post indicate that Navy officials quickly realized employees should be informed. But that was not done until October 2009. The names of those sending and receiving the messages were blocked out, but their offices, and in some cases their positions, were not.

An e-mail dated June 6, 2008, to the chief of naval operations and the Navy's chief information officer, among others, cites a report from a month earlier on personally identifiable information and reads, "A list of employees was generated (128) that reflected the names, social security numbers and perceived security clearance issues relating to each of named employees."

The June 6 e-mail says there was no criminal activity involved, though the Navy's general counsel was notified. It also says that the personal data are confidential and that their use is restricted. A June 9 e-mail from a Navy "privacy team leader" says the employees "must be issued letters stating that they are at increased risk for identity theft due to the high risk nature of PII [personally identifiable information] that was compromised." This note even indicates where a sample letter can be found on the Navy's Web site.

But the 244 employees -- subsequently increased from 128 -- were not notified until much later. washingtonpost

Improper disposal of hundreds of loan applications raises security concerns

2010-05-18T14:14:00.000-07:00

A cleaning crew mistakenly tossed the unshredded documents in a garbage bin

PLEASANT HILL — The financial and personal details of about 300 property-loan applicants were compromised when confidential documents were mistakenly tossed into an outdoor waste bin.

The paperwork, belonging to FHG Finance, a home loan business at 548 Contra Costa Blvd., was discarded last week by a cleaning crew hired to clear out a portion of the building where FHG is based, an official at the business said.

The documents, which contained bank account and Social Security numbers, were found by employees at a neighboring store, who alerted FHG. The company secured the trash bin with a padlock until the documents could be shredded.

Broker Walter Rook, vice president of FHG, described it as a close call.

"It definitely could have caused problems "... from any of these people who go bin diving, looking for account information," Rook said.

Rook said his business used to share space with another loan company, which closed more than a year ago.

He had accumulated at least 32 boxes of old documents that he stored in the vacated space, in preparation to shred them.The documents represented about 300 clients from 2003 to 2007. "You have to hold them for three years before you can destroy them," he said.

But Rook was unprepared April 28, when the building's owner hired a crew to clean out the vacated space.
The two cleaners came into Lamps Plus and asked store manager Rachel Rainey if they could throw several boxes of paper into the store's outdoor recycling bin. She gave permission.

After the men left, another employee noticed the recycled documents were loan applications. They included copies of driver's licenses and credit reports, Rainey said.

"The loan applications were very, very detailed," she said. "Every single thing you can think of to start a loan."

Concerned about the apparent mishandling of the documents, Rainey alerted Rook.

"If the Lamps Plus people wouldn't have told me, I would have never known," he said. "Thank God they came over."

Too late in the business day to do anything more, Rook put a padlock on the recycling bin and fretted through the night about the sensitive contents inside.

In the morning, the bin was emptied and a Walnut Creek shredding company destroyed all of the contents.

But later that day, Lamps Plus employees found several more boxes of loan documents in a nearby garbage bin.

"We did the right thing and decided to shred the rest of the papers ourselves," Rainey said.

The activity took eight hours.

The Times could not contact the owner of the property, who Rook said was out of the country. The property management company, Central Real Estate, did not return phone calls seeking comment.

Typically, businesses that share office space are notified by the owner or property management company when entry will be made and cleaning will be done, said Amy Callaghan, a property manager at Colliers International in Walnut Creek.

"To just call someone and say, 'dump whatever you see in there,' it's not a standard procedure," she said. "But every owner handles things differently."
insidebayarea.com

Facebook users warned about 'sexiest video' attack

2010-05-18T13:14:00.000-07:00

Lured by the promise of the "sexiest video ever," hundreds of thousands of Facebook users found their PCs infected by adware over the weekend.

More Hardware InsightsWhitepapersEconomizer Fundamentals: Smart Approaches to Energy-Efficient Free-Cooling for Data Centers Stretching the Software Budget: A Practical Guide to Enterprise License Optimization AnalyticsVirtual Servers, Real Risks Private Clouds On The Horizon Videos

Watch demos of Intel's webpad-based Health Guide for seniors, at the New York City launch of Intel's $250-million alliance with GE.Unsuspecting users clicked on a thumbnail showing a miniskirt-clad woman on an exercise bike, apparently posted on their Facebook page by a friend. Instead of seeing the video, users were told they did not have the correct software installed and were directed to download the necessary application. Then, instead of accessing video software, users downloaded popup-spewing adware, according to security software developer Sophos.

The malware uses Hotbar, a toolbar that connects to Internet Explorer and Windows Explorer, and connects users with paid ads and search engines, according to Switched. The toolbar also may gather personal data and download other updates from its server.

"You may want to watch a sexy video, but you're more likely to end up being plagued by pop-up advertising," said Graham Cluley, a senior technology consultant at Sophos, told The Economic Times. "It's no surprise that your friends might click to watch the movie when it looks to all intents and purposes that you are the person who has sent it to them."

In fact, more than 300,000 users reported the problem to AVG Technologies, said Roger Thompson, chief research officer at the developer of free anti-virus software.

"This latest issue really underscores how powerful, while at the same time vulnerable, social networking applications are. This attack was actually stunning in terms of scale,” he said. “Facebook is very responsive to threats when we identify them, and removing these applications as soon as they find them, but they’re still able to generate huge traffic, just because of the viral nature of social networks. It is staggering how many threats were propagated before they were stopped.”

Within 15 hours of the attack, Facebook removed the application, Thompson said. In a "Tip of the Week" on Monday, Facebook cautioned account-holders not to click on suspicious-looking links, even if they'd apparently been sent or posted by a friend. informationweek

Many businesses not yet ready for June 1 deadline

2010-05-16T16:28:00.000-07:00

Many small businesses have delayed implementing the identity theft “red flags” rules despite the approaching June 1 deadline — not because they don’t know about them, but because there have been so many extensions to the deadline that companies have put them on the back burner.

The enforcement deadline has been extended several times since the original date of November 2008 to give businesses more time to comply.

“The topic has fallen off the radar. When it got extended last year, people thought ‘OK, there’s no rush.’ I would say there are still a lot of businesses not ready for the deadline,” said Craig Strong, a regional director of human resources for the California Employers Association, a non-profit that advises employers on compliance issues.

Law firms, which the Federal Trade Commission said were covered by the rules, have successfully delayed compliance under a court ruling from a U.S. District Court in Washington, D.C., which is currently on appeal.

All other covered businesses, including accountants and doctors who are hoping to win exemptions, should assume they are covered and delay compliance at their peril, lawyers say.

“I suspect a lot of small businesses were hoping this ultimately wouldn’t happen,” said Tanya Forsheit, an attorney who co-founded InformationLawGroup in Los Angeles, Calif., a firm that advises businesses on privacy and data security compliance.

The rules require a written program for spotting and handling red flags that signal identity theft, training of employees and annual review of the policy.

Initially many businesses were confused by the broad definition of “creditor” and it came as a shock that this included not just banks and traditional lenders, but any business that allows customers or clients to defer payment for goods and services.

Although it’s still possible that the deadline will be extended yet again, lawyers are advising businesses to assume the rules will be enforced as of June 1.

“Everything that’s required is a good practice anyway,” said John Seiver, of counsel to Davis Wright Tremaine in Washington, D.C.

Small businesses

All businesses that bill for goods and services, except for those that deal with cash transactions, are covered.

Although most companies already have common sense rules about not leaving customer information lying around, “hardly any of them had a written procedure or policy specifically dealing with identity theft,” said Strong.

Small businesses without extensive in-house resources have found it challenging to comply with the specifics of the rules, such as the recommendations for data encryption, regular review and annual updates of the policy, procedures for responding to red flags, training of staff, and approval of the policy by the company’s board of directors. wislawjournal

Who's The Bigger Threat? Staff Or Cyber Criminals?

2010-05-16T16:15:00.000-07:00

Internal staff have traditionally been viewed as a bigger threat to business security than external hackers. AVG (AU/NZ) looks at whether this still holds true given the increasing sophistication of cyber criminals.

Did You Know? A decade ago, viruses and other forms of malware were authored primarily by young, attention-seeking amateur coders Research by Verizon suggests 74 percent of data breaches are generated by external sources Figures cited by the World Economic Forum indicate that online theft alone in 2009 totalled around US$1 trillion

Conventional wisdom indicates that the biggest threat to most companies' IT networks comes from disgruntled employees rather than shadowy cyber criminals. Staff have access to passwords, and, in the case of the IT department, administrator privileges. What's more, they usually know what they are looking for and what it might be worth to a competitor.

The concept of the so-called 'insider threat' has been an enduring one in IT security circles and appears to be based in part on an early-nineties FBI study that concluded that 80 percent of IT security attacks were perpetrated by insiders. However, a lot has changed in 20 years - a millennium in Internet time. While once hackers and virus writers were often kids after kicks, today cyber crime has matured to become a huge business. Figures cited by the World Economic Forum indicate that online theft alone in 2009 totalled around US$1 trillion.

This effective 'industrialisation' of cyber crime may well have had an effect on perceptions of whether the 'insider threat' should still be the main priority when it comes to IT security. Organised criminal gangs intent on cracking into corporate networks in the same way they might target a bank vault may seem to be a more pressing threat than the odd wayward or disgruntled employee.

Lloyd Borrett, Marketing Manager at AVG (AU/NZ), explains why companies might want to reconsider where the bulk of their security resources are allocated. "A decade ago, viruses and other forms of malware were authored primarily by young, attention-seeking amateur coders (script kiddies or script bunnies) seeking to earn notoriety in underground hacker communities.

"The security landscape has, however, changed markedly during recent years. Organised criminal gangs realised that there was money to be made from malware and recruited skilled programmers to create malicious programs. These programs were not designed to cause disruption, but to enable the theft of money or data or both. This has led to the creation of an underground economy in which criminals can buy and sell data and the programs that are used to steal that data." voxy.co.nz

Why American’s Identities are Easily Stolen

2010-05-16T10:00:00.000-07:00

Analysis: Technology exists to bolster security, but Americans and politicians are reluctant to use it.

We can fix this thing, but we won't because we don't want to be inconvenienced. I'm introduced to amazing technologies every week that will stop this. All they need is government support and system-wide adoption. Meanwhile, Chuck Schumer and Ed Markey and the rest of the grand standing poArtwork: Chip Taylorliticians scream about privacy and security issues when they see an opportunity for publicity, but their follow-through is less than satisfactory.

We use easily counterfeited identification, Social Security numbers that are written on the sides of buses and we rely on the anonymity of the phone, fax, internet and snail mail as a means of application. (See also our cybersecurity quiz.)

In other countries they solve problems. They have priorities and don't deal with the rhetoric. They put security first, convenience secnd.

International Solutions

Cedric Pariente from B32Trust tells us that in Paris, France you need to open an account first before a loan is granted by a bank. In order to do so, you need to provide them with a printed copy of your ID card and proof that you still live where you claim to live (last electricity bill usually.) Then they can check your credit history and decide to grant you with a loan or not. Most of the time, they just check that your debt is not over 30% of your income. You have to be a bank client. Doesn't seem they allow phone, fax, internet or snail mail transaction when granting credit.

In the UK, Keith Appleyard echoed something similar to France's system: you have to present yourself in person with a Government-issued Photo ID such as Passport or Drivers License, plus a proof of address less than 3 months old, such as a bank statement or utility bill. Keith further explained the whole UK population had vetting their Identity Credentials and one of the last people to be vetted was the Queen of England, but she is not exempt. So she meets with her Bankers, but she doesn't have a Passport or Birth Certificate or Drivers License. So she asks them to take a Sterling Currency note out of their wallet, points to her picture engraved on the note, and says "yes, that's me". So they officially recorded the Serial Number on the Currency note as being her Identity Document. I think that process may need looking into. pcworld

Cyber Security Must Take Priority Over Facebook

2010-05-16T09:36:00.000-07:00

With cyber war being termed a “lead pipe cinch,” it is right on center stage. Representatives of 27 countries have issued a document calling for a European Commission to do a feasibility study on the situation. One of their goals is to gain more ratifications of the Council of Europe’s Cybercrime Convention, the only international treaty covering computer crime.

This treaty requires countries to adopt cybercrime laws, have 24-hour contacts available for fast breaking investigations, and other important messages. Another goal is the revocation of Internet Protocol (IP) addresses. This document doesn’t exactly spell out the ministers’ objectives since it is already the practice for many Internet service providers (ISPs) to shut down Web sites showing bad behavior.

There is also a need for the binding of all of the European law enforcement agencies to deal with cybercrime and to evaluate and monitor preventive investigation measures. The aim, scope, and financial structure must also be considered. This puts them in the drivers seat with the U.S. waiting for the bus.

Facebook made changes to its privacy policies and the privacy advocates are swarming all over them. Sens. Charles Schumer, D-N.Y., Michael Bennet, D-Colo., Al Franken, D-Minn., and Mark Begich, D-Alaska, have taken issue with Facebook and want it to change its newly-asserted privacy policy. “Hundreds of millions of people use social networking sites like Facebook, MySpace, and Twitter 24/7,” Mr. Schumer said in a recent statement. “As these sites become more and more popular, however, it’s vitally important that safeguards are in place which provide users with control over their personal information to ensure they don’t receive unwanted solicitations. At the same time, social networking sites need to provide easy-to-understand disclosures to users on how information they submit is being shared.”

“Easy to understand disclosures?” Really, Senator?

Senators, this is a noble gesture, however, while your concerns regarding Facebook’s privacy policy is laudable, the entire Internet is faced with a Cyberwar. We, the people of the United States of America, are facing total shutdowns of our communication systems while you are considering censoring social site privacy. Without our success in this confrontation, we can end up with depleted American cyberspace and the social networks, per se, may disappear into oblivion. Before long, it won’t be Facebook, as you state, “looking like the Wild West,” it will be the Internet. thebulletin.

U.S. airport security officers targeted in ID theft

2010-05-15T16:28:00.000-07:00

BOSTON (Reuters) – A Massachusetts couple has been charged with stealing the identities of dozens of Transportation Security Administration officers, who screen passengers and baggage at U.S. airports.

A federal grand jury accused Michael Derring, 48, and Tina White, 47, on Wednesday of conspiracy and aggravated identity theft, alleging they stole personal information including the Social Security numbers of dozens of TSA workers at Boston's Logan International Airport.

While there was no indication the information was passed to any militant group that might be planning an attack, the case suggests federal officers are vulnerable to identity theft. The TSA is part of the U.S. Department of Homeland Security. news.yahoo.com

Caller ID spoofing used for harassment, fraud, critics say

2010-05-15T15:49:00.000-07:00

It may seem like a harmless practical joke, but authorities say caller ID spoofing is increasingly being used for more sinister purposes than pretending to call your mother from the White House while disguising your voice.

It's been alleged that socialite Paris Hilton used ID spoofing to hack into actress Lindsay Lohan's voice-mail account.

New York City police say an identity-theft ring used it to obtain bank-account information and steal more than $15 million from 6,000 victims.

And a U.S. congressman has cited the case of a woman who posed as a pharmacist using the technology to trick a romantic rival into taking a drug used to cause abortions.

Launched online five years ago, the original caller ID spoofing service Spoofcard works much like a calling card.

It let users phone a number, and plug in the digits they want to show up on that person's caller ID.

Users also have the option to disguise their voice and record the phone conversation.

The president of TelTech Systems, which patented the technology and has since sold it to other service providers, estimates about 200,000 Canadians have used Spoofcard.

"It's a way that if somebody is avoiding your calls, you can really get them to pick up," said Meir Cohen.

Read more: vancouversun

UPDATE 1-U.S. struggles to ward off evolving cyber threat

2010-05-14T20:53:00.000-07:00

WASHINGTON, May 12 (Reuters) - The United States is losing enough data in cyber attacks to fill the Library of Congress many times over, and authorities have failed to stay ahead of the threat, a U.S. defense official said on Wednesday.

More than 100 foreign spy agencies were working to gain access to U.S. computer systems, as were criminal organizations, said James Miller, principal deputy under secretary of defense for policy.

Terrorist groups also had cyber attack capabilities.

"Our systems are probed thousands of times a day and scanned millions of times a day," Miller told a forum sponsored by Ogilvy Washington, a public relations company.

He said the evolving cyber threat had "outpaced our ability to defend against it."

"We are experiencing damaging penetrations -- damaging in the sense of loss of information. And we don't fully understand our vulnerabilities," Miller said.

His comments came as the Obama administration develops a national strategy to secure U.S. digital networks and the Pentagon stands up a new military command for cyber warfare capable of both offensive and defensive operations.

The Senate last week confirmed National Security Agency Director Keith Alexander to lead the new U.S. Cyber Command, which will be located at Ft. Meade, Maryland, the NSA's headquarters.

Miller suggested the new organization, which is expected to be fully operational in October, had its work cut out for it.

Among its challenges are determining what within the spectrum of cyber attacks could constitute an act of war.

Miller said the U.S. government also needed to bolster ties with private industry, given potential vulnerabilities to critical U.S. infrastructure, like power grids and financial markets.

STAGGERING LOSS

Hackers have already penetrated the U.S. electrical grid and have stolen intellectual property, corporate secrets and money, according to the FBI's cybercrime unit. In one incident, a bank lost $10 million in cash in a day.

"The scale of compromise, including the loss of sensitive and unclassified data, is staggering," Miller said. "We're talking about terabytes of data, equivalent to multiple libraries of Congress." reuters

Car hackers can kill brakes, engine, and more...

2010-05-14T17:12:00.000-07:00

University researchers have taken a close look at the computer systems used to run today's cars and discovered new ways to hack into them, sometimes with frightening results.

In a paper set to be presented at a security conference in Oakland, California, next week, the security researchers say that by connecting to a standard diagnostic computer port included in late-model cars, they were able to do some nasty things, such as turning off the brakes, changing the speedometer reading, blasting hot air or music on the radio, and locking passengers in the car.

In a late 2009 demonstration at a decommissioned airfield in Blaine Washington, they hacked into a test car's electronic braking system and prevented a test driver from braking a moving car -- no matter how hard he pressed on the brakes. In other tests, they were able to kill the engine, falsify the speedometer reading, and automatically lock the car's brakes unevenly, a maneuver that could destabilize the car traveling high speeds. They ran their test by plugging a laptop into the car's diagnostic system and then controlling that computer wirelessly, from a laptop in a vehicle riding next to the car.

The point of the research isn't to scare a nation of drivers, already made nervous by stories of software glitches, faulty brakes and massive automotive recalls. It's to warn the car industry that it needs to keep security in mind as it develops more sophisticated automotive computer systems.

"We think this is an industry issue," said Stefan Savage, an associate professor with the University of California, San Diego. businessweek

Well, These New Zuckerberg IMs Won't Help Facebook's Privacy Problems

2010-05-13T15:09:00.000-07:00

Facebook CEO Mark Zuckerberg and his company are suddenly facing a big new round of scrutiny and criticism about their cavalier attitude toward user privacy.

An early instant messenger exchange Mark had with a college friend won't help put these concerns to rest.

According to SAI sources, the following exchange is between a 19-year-old Mark Zuckerberg and a friend shortly after Mark launched The Facebook in his dorm room:

Zuck: Yeah so if you ever need info about anyone at Harvard

Zuck: Just ask.

Zuck: I have over 4,000 emails, pictures, addresses, SNS

[Redacted Friend's Name]: What? How'd you manage that one?

Zuck: People just submitted it.

Zuck: I don't know why.

Zuck: They "trust me"

Zuck: Dumb f***s.

Brutal.

Could Mark have been completely joking? Sure. But the exchange does reveal that Facebook's aggressive attitude toward privacy may have begun early on.

Since Facebook launched, the company has faced one privacy flap after another, usually following changes to the privacy policy or new product releases. To its credit, the company has often modified its products based on such feedback. As the pioneer in a huge new market, Facebook will take heat for everything it does. It has also now grown into a $22 billion company run by adults who know that their future depends on Facebook users trusting the site's privacy policy.

But the company's attitude toward privacy, as reflected in Mark's early emails and IMs, features like Beacon and Instant Personalization, and the frequent changes to the privacy policy, has been consistently aggressive: Do something first, then see how people react.

Read more: http://www.businessinsider.com/well-these-new-zuckerberg-ims-wont-help-facebooks-privacy-problems-2010-5#ixzz0nqkSGrvk

businessinsider

Thirty-Five Antivirus Programs Share Common Hole

2010-05-12T11:56:00.000-07:00

A new attack technique has been described by matousec.com (a project of Different Internet Experience Ltd.) which could allow a program to bypass the host intrusion detection and certain other protections provided by common Windows security software. Their report lists 35 security products on which they tested the technique; it worked on all of them.

diggThe technique is unrelated to the actual scanning functions of anti-malware programs. Such programs also attempt to block live attacks by software running on the system. In order to perform this monitoring on Windows security software "hooks" entries in the SSDT (System Service Descriptor Table), a table of handles for operating system calls. Calls to those operating system calls are dispatched to the security software which hooks it; that software examines the caller and parameters, looking for whatever problems it's looking for and dealing with them as need be; then it directly calls the operating system service that the application attempted to call.

By using multiple threads, the matousec technique can modify the parameters to the system call while the hooked process is executing, thus causing it to allow execution of a call with parameters different from those it tested. The nature of the attack is such that it can be executed purely from user-mode code, lowering the bar for getting running the attack on the system.

This sort of bug, not uncommon in multithreaded programming, is called a race condition, in which two threads contend for access to a shared resource and program logic breaks down as a result. Because the attack is sensitive to the execution state of the SSDT hooks, it doesn't work all the time. But the authors say that it often does work the first time and will work after a few tries in any event. They also say it is more reliable on multi-core processors.

The list of products found vulnerable is as follows:

3D EQSecure Professional Edition 4.2

avast! Internet Security 5.0.462

AVG Internet Security 9.0.791

Avira Premium Security Suite 10.0.0.536

BitDefender Total Security 2010 13.0.20.347

Blink Professional 4.6.1

CA Internet Security Suite Plus 2010 6.0.0.272

Comodo Internet Security Free 4.0.138377.779

DefenseWall Personal Firewall 3.00

Dr.Web Security Space Pro 6.0.0.03100

ESET Smart Security 4.2.35.3

F-Secure Internet Security 2010 10.00 build 246

G DATA TotalCare 2010

Kaspersky Internet Security 2010 9.0.0.736

KingSoft Personal Firewall 9 Plus 2009.05.07.70

Malware Defender 2.6.0

McAfee Total Protection 2010 10.0.580

Norman Security Suite PRO 8.0

Norton Internet Security 2010 17.5.0.127

Online Armor Premium 4.0.0.35

Online Solutions Security Suite 1.5.14905.0

Outpost Security Suite Pro 6.7.3.3063.452.0726

Outpost Security Suite Pro 7.0.3330.505.1221 BETA VERSION

Panda Internet Security 2010 15.01.00

PC Tools Firewall Plus 6.0.0.88

PrivateFirewall 7.0.20.37

Security Shield 2010 13.0.16.313

Sophos Endpoint Security and Control 9.0.5

ThreatFire 4.7.0.17

Trend Micro Internet Security Pro 2010 17.50.1647.0000

Vba32 Personal 3.12.12.4

VIPRE Antivirus Premium 4.0.3272

VirusBuster Internet Security Suite 3.2

Webroot Internet Security Essentials 6.1.0.145

ZoneAlarm Extreme Security 9.1.507.000

Perhaps Microsoft had problems like this in mind when they attempted to ban all kernel patching in 64-bit versions of Windows several years ago. The feature which enforces this rule, called Kernel Patch Protection or PatchGuard, was objected to strongly by security software vendors, so Microsoft developed undocumented APIs to allow ISVs to get past PatchGuard and a policy for releasing the documentation.
pcmag